---
# Defaults for the debian_baseline host-hardening role. Any key can be
# overridden per host or group. Values that are written verbatim into
# sshd_config, APT::Periodic or sysctl are kept as quoted strings so that a
# YAML 1.1 loader (Ansible's) does not retype them into booleans or ints.

# Seconds an apt package index is treated as fresh; the index is only
# refreshed when it is older than this.
debian_baseline_apt_cache_valid_time: 3600

# Packages installed on every baseline host.
debian_baseline_packages:
  - unattended-upgrades   # automatic security upgrades
  - apt-listchanges       # changelog summaries for upgraded packages
  - fail2ban              # temporary bans after repeated auth failures
  - needrestart           # reports services still running stale libraries
  - sudo
  - ca-certificates

# sshd_config directives. sshd expects the literal tokens yes/no, so these
# stay quoted — unquoted, YAML 1.1 would turn them into true/false.
debian_baseline_ssh_permit_root_login: 'no'
debian_baseline_ssh_password_authentication: 'no'
# With password auth off, public keys are the only remaining login method;
# the deploying user's key must already be present before this is applied.
debian_baseline_ssh_pubkey_authentication: 'yes'
debian_baseline_ssh_x11_forwarding: 'no'
# Authentication attempts permitted per connection before sshd disconnects.
debian_baseline_ssh_max_auth_tries: 3
# Keep-alive probe every 300 s, session dropped after 2 unanswered probes,
# so an unresponsive client is closed after roughly 600 s.
debian_baseline_ssh_client_alive_interval: 300
debian_baseline_ssh_client_alive_count_max: 2
# Users permitted to log in via AllowUsers. Empty list by default.
# NOTE(review): how the sshd template renders an empty list is not visible
# here — confirm it omits the directive rather than emitting a bare AllowUsers.
debian_baseline_ssh_allow_users: []

# unattended-upgrades. The APT::Periodic values are copied into the apt
# configuration as text, hence the quoted "1".
debian_baseline_enable_unattended_upgrades: true
debian_baseline_unattended_auto_upgrade: '1'
debian_baseline_unattended_update_lists: '1'

# Kernel and network hardening sysctls, applied as key/value pairs.
# Values are strings so "0"/"1" survive loading unchanged.
debian_baseline_sysctl_settings:
  # Do not accept ICMP redirects (route injection) and never send them.
  net.ipv4.conf.all.accept_redirects: '0'
  net.ipv4.conf.default.accept_redirects: '0'
  net.ipv4.conf.all.send_redirects: '0'
  net.ipv4.conf.default.send_redirects: '0'
  # Log packets with impossible source addresses.
  net.ipv4.conf.all.log_martians: '1'
  net.ipv4.conf.default.log_martians: '1'
  # SYN cookies keep the listen queue usable under a SYN flood.
  net.ipv4.tcp_syncookies: '1'
  # Same redirect handling for IPv6.
  net.ipv6.conf.all.accept_redirects: '0'
  net.ipv6.conf.default.accept_redirects: '0'