ansible-hardening/vars/redhat.yml
Major Hayden 0c0767b3f1
Queens doc updates + removal of RHEL 6 STIG
This patch begins the teardown of the RHEL 6 STIG content from the
ansible-hardening repository. It will still be maintained in
Pike and earlier branches.

This patch also updates the ansible-hardening documentation for the
Queens release and notes that Pike is the latest stable version.

Closes-Bug: 1715745
Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540
2017-09-12 08:19:54 -06:00

122 lines
3.9 KiB
YAML

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 26.
# The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
# and Fedora 26. Deployers should not override these.
#
# For more details, see 'vars/main.yml'.
# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg"
grub_defaults_file: /etc/sysconfig/grub
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}"
# Service names
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
ssh_keysign_path: /usr/libexec/openssh
# Other configuration
security_interactive_user_minimum_uid: 1000
# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
- packages:
- audispd-plugins
- audit
- aide
- dracut-fips
- dracut-fips-aesni
- openssh-clients
- openssh-server
- screen
state: "{{ security_package_state }}"
enabled: True
- packages:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_linux_security_module }}"
- packages:
- chrony
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_chrony }}"
- packages:
- clamav
- clamav-data
- clamav-devel
- clamav-filesystem
- clamav-lib
- clamav-scanner-systemd
- clamav-server-systemd
- clamav-server
- clamav-update
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- firewalld
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}"
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_rhel7_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_rhel7_remove_telnet_server }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_rhel7_remove_tftp_server }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_rhel7_remove_xorg }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_rhel7_remove_ypserv }}"
rpm_gpgchecks:
- regexp: "^gpgcheck.*"
line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
- regexp: "^localpkg_gpgcheck.*"
line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
- regexp: "^repo_gpgcheck.*"
line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"