f422da8599
Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
103 lines
3.1 KiB
YAML
103 lines
3.1 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
# Copyright 2017, SUSE LINUX GmbH
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Variables for openSUSE
|
|
#
|
|
# For more details, see 'vars/main.yml'.
|
|
|
|
# Configuration file paths
|
|
pam_auth_file: /etc/pam.d/common-auth
|
|
pam_password_file: /etc/pam.d/common-password
|
|
pam_postlogin_file: /etc/pam.d/login
|
|
vsftpd_conf_file: /etc/vsftpd.conf
|
|
grub_conf_file: /boot/grub2/grub.cfg
|
|
# NOTE(hwoarang) SUSE seems to be using the ID field from /etc/os-release to
|
|
# create the EFI distro directory. Since this information is not available on
|
|
# Ansible, we have to improvise a bit...
|
|
grub_conf_file_efi: "{% set os_id = ansible_distribution.split(' ')[0].lower() %}/boot/efi/EFI/{{ (os_id == 'opensuse') | ternary('opensuse','sles') }}/grub.cfg"
|
|
grub_defaults_file: /etc/default/grub
|
|
aide_cron_job_path: /etc/cron.daily/aide
|
|
aide_database_file: /var/lib/aide/aide.db
|
|
aide_database_out_file: /var/lib/aide/aide.db.new
|
|
chrony_conf_file: /etc/chrony.conf
|
|
daemon_init_params_file: /etc/rc.status
|
|
pkg_mgr_config: /etc/zypp/zypp.conf
|
|
|
|
# Service names
|
|
cron_service: crond
|
|
ssh_service: sshd
|
|
chrony_service: chronyd
|
|
clamav_service: 'clamd'
|
|
|
|
# Commands
|
|
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
|
|
ssh_keysign_path: /usr/lib/ssh
|
|
|
|
# Other configuration
|
|
security_interactive_user_minimum_uid: 1000
|
|
|
|
# RHEL 7 STIG: Packages to add/remove
|
|
stig_packages_rhel7:
|
|
- packages:
|
|
- audit-audispd-plugins
|
|
- audit
|
|
- aide
|
|
- dracut-fips
|
|
- openssh
|
|
- screen
|
|
state: "{{ security_package_state }}"
|
|
enabled: True
|
|
- packages:
|
|
- apparmor-parser
|
|
- apparmor-profiles
|
|
- apparmor-utils
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_rhel7_enable_linux_security_module }}"
|
|
- packages:
|
|
- chrony
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_rhel7_enable_chrony }}"
|
|
- packages:
|
|
- clamav
|
|
- clamav-database
|
|
- monitoring-plugins-clamav
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_enable_virus_scanner }}"
|
|
- packages:
|
|
- firewalld
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_enable_firewalld }}"
|
|
- packages:
|
|
- rsh-server
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_rsh_server }}"
|
|
- packages:
|
|
- telnet-server
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_telnet_server }}"
|
|
- packages:
|
|
- tftp
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_tftp_server }}"
|
|
- packages:
|
|
- xorg-x11-server
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_xorg }}"
|
|
- packages:
|
|
- ypserv
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_ypserv }}"
|