container.vanilla.inputs.yml

# This file specifies the attributes for the configurable controls
# used in the RHEL 7 DISA STIG.

# Controls that are known to consistently have long run times can be disabled with this attribute
disable_slow_controls: false

# Accounts of known managed users (Array)
user_accounts: ["ec2-user"]

# System accounts that support approved system activities. (Array)
known_system_accounts:
  [
    "root",
    "bin",
    "daemon",
    "adm",
    "lp",
    "sync",
    "shutdown",
    "halt",
    "mail",
    "operator",
    "nobody",
    "systemd-bus-proxy",
    "ec2-user",
  ]

#  You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
#  By using this IS (which includes any device attached to this IS), you consent to the following conditions:
#    - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
#    - At any time, the USG may inspect and seize data stored on this IS.
#    - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
#    - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
#    - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

# V-71861
# whitespace is ignored
banner_message_text_gui:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

# V-71863
# whitespace is ignored
banner_message_text_cli:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

# V-72225
# whitespace is ignored
banner_message_text_ral:
  "You are accessing a U.S. Government (USG) Information System (IS) that is \
  provided for USG-authorized use only. By using this IS (which includes any \
  device attached to this IS), you consent to the following conditions: -The USG \
  routinely intercepts and monitors communications on this IS for purposes \
  including, but not limited to, penetration testing, COMSEC monitoring, network \
  operations and defense, personnel misconduct (PM), law enforcement (LE), and \
  counterintelligence (CI) investigations. -At any time, the USG may inspect and \
  seize data stored on this IS. -Communications using, or data stored on, this \
  IS are not private, are subject to routine monitoring, interception, and \
  search, and may be disclosed or used for any USG-authorized purpose. -This IS \
  includes security measures (e.g., authentication and access controls) to \
  protect USG interests--not for your personal benefit or privacy. \
  -Notwithstanding the above, using this IS does not constitute consent to PM, \
  LE or CI investigative searching or monitoring of the content of privileged \
  communications, or work product, related to personal representation or \
  services by attorneys, psychotherapists, or clergy, and their assistants. Such \
  communications and work product are private and confidential. See User \
  Agreement for details."

# V-71911
# minimum number of characters that must be different from previous password
difok: 8

# V-71933
# number of reuse generations
min_reuse_generations: 5

# (number of characters)
pass_min_len: 15

# V-71941
# (number of days)
days_of_inactivity: 0

# V-71943
# number of unsuccessful attempts
unsuccessful_attempts: 3
# interval of time in which the consecutive failed logon
# attempts must occur in order for the account to be locked out
# (time in seconds)
fail_interval: 900
# minimum amount of time account must be locked out after failed logins.
# this attribute should never be set greater than 604800.
# (time in seconds)
lockout_time: 604800

# V-71973
# name of tool
file_integrity_tool: "aide"

# V-72223
# (time in seconds)
system_activity_timeout: 600

# V-71965, V-72417, V-72433
# (enabled or disabled)
smart_card_enabled: false

# V-72011, V-72015, V-72017, V-72019, V-72021, V-72023, V-72025
# V-72027, V-72029, V-72031, V-72033, V-72035, V-72037, V-72059
# Users exempt from home directory-based controls in array
# format
exempt_home_users: []

# V-71961
# main grub boot config file
grub_main_cfg: "/boot/grub2/grub.cfg"

# grub boot config files
grub_user_boot_files: ["/boot/grub2/user.cfg"]

# efi boot config files
efi_user_boot_files: ["/boot/efi/EFI/redhat/user.cfg"]

# main efi boot config file
efi_main_cfg: "/boot/efi/EFI/redhat/grub.cfg"

# these shells do not allow a user to login
non_interactive_shells:
  [
    "/sbin/nologin",
    "/sbin/halt",
    "/sbin/shutdown",
    "/bin/false",
    "/bin/sync",
    "/bin/true",
  ]

# V-72059
# randomize virtual address space kernel parameter
randomize_va_space: 2

# V-72043
# file systems that don't correspond to removable media
non_removable_media_fs: ["xfs", "ext4", "swap", "tmpfs"]

allow_container_openssh_server: true