4c792445d4
This patch creates a common.yml variables file to hold variables that apply to all distributions supported by the role. It also adds comments into the existing vars file to instruct developers and deployers about the proper location for variables. Implements: blueprint security-rhel7-stig Change-Id: Idad1cbfe0c6992a6333c4740080764a3ac776628
231 lines
6.3 KiB
YAML
231 lines
6.3 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Common variables for all distributions
|
|
# This file contains variables that apply to all distributions that the
|
|
# security role supports. Distribution-specific variables should be placed in:
|
|
#
|
|
# - vars/redhat.yml
|
|
# - vars/ubuntu.yml
|
|
|
|
## auditd rules
|
|
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
|
|
# for various commands and syscalls.
|
|
#
|
|
# Each dictionary has this structure:
|
|
#
|
|
# command: the command/syscall to audit (required)
|
|
# stig_id: the number/ID from the STIG (required)
|
|
# arch_specific: 'yes' if the rule depends on the architecture type,
|
|
# otherwise 'no' (required)
|
|
# path: the path to the command (optional, default is '/usr/bin')
|
|
# distro: restrict deployment to a single Linux distribution (optional,
|
|
# should be equal to 'ansible_os_family | lower', such as 'redhat'
|
|
# or 'ubuntu')
|
|
#
|
|
audited_commands:
|
|
- command: chsh
|
|
stig_id: RHEL-07-030525
|
|
arch_specific: no
|
|
- command: chage
|
|
stig_id: RHEL-07-030513
|
|
arch_specific: no
|
|
- command: chcon
|
|
stig_id: RHEL-07-030443
|
|
arch_specific: no
|
|
- command: chmod
|
|
stig_id: RHEL-07-030390
|
|
arch_specific: yes
|
|
- command: chown
|
|
stig_id: RHEL-07-030380
|
|
arch_specific: yes
|
|
- command: creat
|
|
stig_id: RHEL-07-030420
|
|
arch_specific: yes
|
|
- command: crontab
|
|
stig_id: RHEL-07-030561
|
|
arch_specific: no
|
|
- command: delete_module
|
|
stig_id: RHEL-07-030671
|
|
arch_specific: yes
|
|
- command: fchmod
|
|
stig_id: RHEL-07-030391
|
|
arch_specific: yes
|
|
- command: fchmodat
|
|
stig_id: RHEL-07-030392
|
|
arch_specific: yes
|
|
- command: fchown
|
|
stig_id: RHEL-07-030381
|
|
arch_specific: yes
|
|
- command: fchownat
|
|
stig_id: RHEL-07-030383
|
|
arch_specific: yes
|
|
- command: fremovexattr
|
|
stig_id: RHEL-07-030404
|
|
arch_specific: yes
|
|
- command: fsetxattr
|
|
stig_id: RHEL-07-030401
|
|
arch_specific: yes
|
|
- command: ftruncate
|
|
stig_id: RHEL-07-030425
|
|
arch_specific: yes
|
|
- command: init_module
|
|
stig_id: RHEL-07-030670
|
|
arch_specific: yes
|
|
- command: gpasswd
|
|
stig_id: RHEL-07-030512
|
|
arch_specific: no
|
|
- command: lchown
|
|
stig_id: RHEL-07-030382
|
|
arch_specific: yes
|
|
- command: lremovexattr
|
|
stig_id: RHEL-07-030405
|
|
arch_specific: yes
|
|
- command: lsetxattr
|
|
stig_id: RHEL-07-030402
|
|
arch_specific: yes
|
|
- command: mount
|
|
path: /bin
|
|
stig_id: RHEL-07-030530
|
|
arch_specific: no
|
|
- command: newgrp
|
|
stig_id: RHEL-07-030524
|
|
arch_specific: no
|
|
- command: open
|
|
stig_id: RHEL-07-030421
|
|
arch_specific: yes
|
|
- command: openat
|
|
stig_id: RHEL-07-030422
|
|
arch_specific: yes
|
|
- command: open_by_handle_at
|
|
stig_id: RHEL-07-030423
|
|
arch_specific: yes
|
|
- command: pam_timestamp_check
|
|
path: /sbin
|
|
stig_id: RHEL-07-030630
|
|
arch_specific: no
|
|
- command: passwd
|
|
stig_id: RHEL-07-030510
|
|
arch_specific: no
|
|
- command: postdrop
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030540
|
|
arch_specific: no
|
|
- command: postqueue
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030541
|
|
arch_specific: no
|
|
- command: pt_chown
|
|
path: /usr/libexec
|
|
stig_id: RHEL-07-030560
|
|
arch_specific: no
|
|
distro: redhat
|
|
- command: removexattr
|
|
stig_id: RHEL-07-030403
|
|
arch_specific: yes
|
|
- command: rename
|
|
stig_id: RHEL-07-030750
|
|
arch_specific: yes
|
|
- command: renameat
|
|
stig_id: RHEL-07-030751
|
|
arch_specific: yes
|
|
- command: restorecon
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030444
|
|
arch_specific: no
|
|
- command: rmdir
|
|
stig_id: RHEL-07-030752
|
|
arch_specific: yes
|
|
- command: semanage
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030441
|
|
arch_specific: no
|
|
- command: setsebool
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030442
|
|
arch_specific: no
|
|
- command: setxattr
|
|
stig_id: RHEL-07-030400
|
|
arch_specific: yes
|
|
- command: ssh-keysign
|
|
path: "{{ ssh_keysign_path }}"
|
|
stig_id: RHEL-07-030550
|
|
arch_specific: no
|
|
- command: su
|
|
path: /bin
|
|
stig_id: RHEL-07-030521
|
|
arch_specific: no
|
|
- command: sudo
|
|
stig_id: RHEL-07-030522
|
|
arch_specific: no
|
|
- command: sudoedit
|
|
path: /bin
|
|
stig_id: RHEL-07-030526
|
|
arch_specific: no
|
|
- command: truncate
|
|
stig_id: RHEL-07-030424
|
|
arch_specific: yes
|
|
- command: umount
|
|
path: /bin
|
|
stig_id: RHEL-07-030531
|
|
arch_specific: no
|
|
- command: unix_chkpwd
|
|
path: /sbin
|
|
stig_id: RHEL-07-030511
|
|
arch_specific: no
|
|
- command: unlink
|
|
stig_id: RHEL-07-030753
|
|
arch_specific: yes
|
|
- command: unlinkat
|
|
stig_id: RHEL-07-030754
|
|
arch_specific: yes
|
|
- command: userhelper
|
|
path: /usr/sbin
|
|
stig_id: RHEL-07-030514
|
|
arch_specific: no
|
|
|
|
## sysctl settings
|
|
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
|
|
# configurations on hosts.
|
|
#
|
|
# Each dictionary has this structure:
|
|
#
|
|
# name: the sysctl configuration name
|
|
# value: the value to set for the sysctl configuration
|
|
# enabled: whether the variable should be set or not
|
|
#
|
|
sysctl_settings_rhel7:
|
|
- name: net.ipv4.conf.all.accept_source_route
|
|
value: 0
|
|
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
|
|
- name: net.ipv4.conf.default.accept_source_route
|
|
value: 0
|
|
enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool}}"
|
|
- name: net.ipv4.icmp_echo_ignore_broadcasts
|
|
value: 1
|
|
enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
|
|
- name: net.ipv4.conf.all.send_redirects
|
|
value: 0
|
|
enabled: "{{ security_disallow_icmp_redirects | bool }}"
|
|
- name: net.ipv4.conf.default.send_redirects
|
|
value: 0
|
|
enabled: "{{ security_disallow_icmp_redirects | bool }}"
|
|
- name: net.ipv4.ip_forward
|
|
value: 0
|
|
enabled: "{{ security_disallow_ip_forwarding | bool }}"
|
|
- name: net.ipv6.conf.all.accept_source_route
|
|
value: 0
|
|
enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
|