---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Variables for Ubuntu and Debian
# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
# (xenial), and Debian 8 (jessie). Deployers should not need to override these
# variables.
#
# For more details, see 'vars/main.yml'.

# Maximum age of the apt cache before a refresh is required
cache_timeout: 600

# Configuration file paths
pam_auth_file: /etc/pam.d/common-auth
pam_password_file: /etc/pam.d/common-password
pam_postlogin_file: /etc/pam.d/login
vsftpd_conf_file: /etc/vsftpd.conf
grub_conf_file: /boot/grub/grub.cfg
grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new
chrony_conf_file: /etc/chrony/chrony.conf
chrony_key_file: /etc/chrony/chrony.keys
daemon_init_params_file: /etc/init.d/rc

# Service name
cron_service: cron
ssh_service: ssh
chrony_service: chrony
clamav_service: clamav-daemon

# Commands
grub_update_cmd: "/usr/sbin/update-grub"
ssh_keysign_path: /usr/lib/openssh

# Other configuration
security_interactive_user_minimum_uid: 500

# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
  - packages:
      - auditd
      - audispd-plugins
      - libpwquality-common
      - openssh-client
      - openssh-server
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - aide
      - aide-common
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_aide }}"
  - packages:
      - apparmor
      - apparmor-profiles
      - apparmor-utils
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_linux_security_module }}"
  - packages:
      - chrony
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_chrony }}"
  - packages:
      - clamav
      - clamav-daemon
      - clamav-freshclam
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_virus_scanner }}"
  - packages:
      - firewalld
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_firewalld }}"
  - packages:
      - unattended-upgrades
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_automatic_package_updates }}"
  - packages:
      - libpam-pwquality
    state: "{{ security_package_state }}"
    enabled: "{{ security_pwquality_apply_rules }}"
  - packages:
      - rsh-server
    state: absent
    enabled: "{{ security_rhel7_remove_rsh_server }}"
  - packages:
      - telnetd
    state: absent
    enabled: "{{ security_rhel7_remove_telnet_server }}"
  - packages:
      - tftpd
    state: absent
    enabled: "{{ security_rhel7_remove_tftp_server }}"
  - packages:
      - xorg-xserver
    state: absent
    enabled: "{{ security_rhel7_remove_xorg }}"
  - packages:
      - nis
    state: absent
    enabled: "{{ security_rhel7_remove_ypserv }}"