ansible-hardening/vars/redhat.yml

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 25.
# The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
# and Fedora 25. Deployers should not override these.
#
# For more details, see 'vars/main.yml'.

# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
grub_defaults_file: /etc/sysconfig/grub
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"

# Service names
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'

# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
ssh_keysign_path: /usr/libexec/openssh

# Other configuration
security_interactive_user_minimum_uid: 1000

# RHEL 6 STIG: Packages to add/remove
stig_packages:
  - packages:
      - audit
      - audispd-plugins
      - aide
      - chrony
      - logrotate
      - postfix
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - esc
      - pam_pkcs11
      - authconfig
    state: "{{ security_package_state }}"
    enabled: "{{ security_install_multifactor_auth_packages }}"
  - packages:
      - libselinux-python
      - policycoreutils-python
      - selinux-policy
      - selinux-policy-targeted
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_linux_security_module }}"
  - packages:
      - yum-cron
    state: "{{ security_package_state }}"
    enabled: "{{ security_unattended_upgrades_enabled }}"
  - packages:
      - xinetd
    state: absent
    enabled: "{{ security_remove_xinetd }}"
  - packages:
      - ypserv
    state: absent
    enabled: "{{ security_remove_ypserv }}"
  - packages:
      - tftp-server
    state: absent
    enabled: "{{ security_remove_tftp_server }}"
  - packages:
      - openldap-servers
    state: absent
    enabled: "{{ security_remove_ldap_server }}"
  - packages:
      - sendmail
    state: absent
    enabled: "{{ security_remove_sendmail }}"
  - packages:
      - xorg-x11-server-Xorg
    state: absent
    enabled: "{{ security_remove_xorg }}"
  - packages:
      - rsh-server
    state: absent
    enabled: "{{ security_remove_rsh_server }}"
  - packages:
      - telnet-server
    state: absent
    enabled: "{{ security_remove_telnet_server }}"

# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
  - packages:
      - audispd-plugins
      - audit
      - aide
      - dracut-fips
      - dracut-fips-aesni
      - openssh-clients
      - openssh-server
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - libselinux-python
      - policycoreutils-python
      - selinux-policy
      - selinux-policy-targeted
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_linux_security_module }}"
  - packages:
      - chrony
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_enable_chrony }}"
  - packages:
      - clamav
      - clamav-data
      - clamav-devel
      - clamav-filesystem
      - clamav-lib
      - clamav-scanner-systemd
      - clamav-server-systemd
      - clamav-server
      - clamav-update
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_virus_scanner }}"
  - packages:
      - firewalld
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_firewalld }}"
  - packages:
      - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
    state: "{{ security_package_state }}"
    enabled: "{{ security_rhel7_automatic_package_updates }}"
  - packages:
      - rsh-server
    state: absent
    enabled: "{{ security_rhel7_remove_rsh_server }}"
  - packages:
      - telnet-server
    state: absent
    enabled: "{{ security_rhel7_remove_telnet_server }}"
  - packages:
      - tftp-server
    state: absent
    enabled: "{{ security_rhel7_remove_tftp_server }}"
  - packages:
      - xorg-x11-server-Xorg
    state: absent
    enabled: "{{ security_rhel7_remove_xorg }}"
  - packages:
      - ypserv
    state: absent
    enabled: "{{ security_rhel7_remove_ypserv }}"

rpm_gpgchecks:
  - regexp: "^gpgcheck.*"
    line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
  - regexp: "^localpkg_gpgcheck.*"
    line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
  - regexp: "^repo_gpgcheck.*"
    line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"