ansible-hardening/vars/redhat.yml

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
chrony_conf_file: /etc/chrony.conf

# Service names
cron_service: crond
ssh_service: sshd
chrony_service: chronyd

# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"

# RHEL 6 STIG: Packages to add/remove
stig_packages:
  - packages:
      - audit
      - audispd-plugins
      - aide
      - chrony
      - logrotate
      - postfix
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - libselinux-python
      - policycoreutils-python
      - selinux-policy
      - selinux-policy-targeted
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_linux_security_module }}"
  - packages:
      - yum-cron
    state: "{{ security_package_state }}"
    enabled: "{{ security_unattended_upgrades_enabled }}"
  - packages:
      - xinetd
    state: absent
    enabled: "{{ security_remove_xinetd }}"
  - packages:
      - ypserv
    state: absent
    enabled: "{{ security_remove_ypserv }}"
  - packages:
      - tftp-server
    state: absent
    enabled: "{{ security_remove_tftp_server }}"
  - packages:
      - openldap-servers
    state: absent
    enabled: "{{ security_remove_ldap_server }}"
  - packages:
      - sendmail
    state: absent
    enabled: "{{ security_remove_sendmail }}"
  - packages:
      - xorg-x11-server-Xorg
    state: absent
    enabled: "{{ security_remove_xorg }}"
  - packages:
      - rsh-server
    state: absent
    enabled: "{{ security_remove_rsh_server }}"
  - packages:
      - telnet-server
    state: absent
    enabled: "{{ security_remove_telnet_server }}"

# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
  - packages:
      - openssh-client
      - openssh-server
      - screen
    state: "{{ security_package_state }}"
    enabled: True
  - packages:
      - rsh-server
    state: absent
    enabled: "{{ security_rhel7_remove_rsh_server }}"
  - packages:
      - telnet-server
    state: absent
    enabled: "{{ security_rhel7_remove_telnet_server }}"
  - packages:
      - tftp-server
    state: absent
    enabled: "{{ security_rhel7_remove_tftp_server }}"
  - packages:
      - xorg-x11-server-Xorg
    state: absent
    enabled: "{{ security_rhel7_remove_xorg }}"
  - packages:
      - ypserv
    state: absent
    enabled: "{{ security_rhel7_remove_ypserv }}"