openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/vars/redhat.yml
Major Hayden 4c792445d4 Move common variables to common.yml 
This patch creates a common.yml variables file to hold variables
that apply to all distributions supported by the role. It also adds
comments into the existing vars file to instruct developers and
deployers about the proper location for variables.

Implements: blueprint security-rhel7-stig
Change-Id: Idad1cbfe0c6992a6333c4740080764a3ac776628
2016-11-20 17:11:12 +00:00

144 lines
4.0 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Variables for CentOS 7 and Red Hat Enterprise Linux 7
# The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7
# and deployers should not override them.
#
# For more details, see 'vars/main.yml'.
# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
chrony_conf_file: /etc/chrony.conf
# Service names
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
# Commands
grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
ssh_keysign_path: /usr/libexec/openssh
# RHEL 6 STIG: Packages to add/remove
stig_packages:
- packages:
- audit
- audispd-plugins
- aide
- chrony
- logrotate
- postfix
state: "{{ security_package_state }}"
enabled: True
- packages:
- libselinux-python
- policycoreutils-python
- selinux-policy
- selinux-policy-targeted
state: "{{ security_package_state }}"
enabled: "{{ security_enable_linux_security_module }}"
- packages:
- yum-cron
state: "{{ security_package_state }}"
enabled: "{{ security_unattended_upgrades_enabled }}"
- packages:
- xinetd
state: absent
enabled: "{{ security_remove_xinetd }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_remove_ypserv }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_remove_tftp_server }}"
- packages:
- openldap-servers
state: absent
enabled: "{{ security_remove_ldap_server }}"
- packages:
- sendmail
state: absent
enabled: "{{ security_remove_sendmail }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_remove_xorg }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_remove_telnet_server }}"
# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
- packages:
- openssh-clients
- openssh-server
- screen
state: "{{ security_package_state }}"
enabled: True
- packages:
- clamav
- clamav-data
- clamav-devel
- clamav-filesystem
- clamav-lib
- clamav-scanner-systemd
- clamav-server-systemd
- clamav-server
- clamav-update
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_rhel7_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_rhel7_remove_telnet_server }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_rhel7_remove_tftp_server }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_rhel7_remove_xorg }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_rhel7_remove_ypserv }}"
rpm_gpgchecks:
- regexp: "^gpgcheck.*"
line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
- regexp: "^localpkg_gpgcheck.*"
line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
- regexp: "^repo_gpgcheck.*"
line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
View Git Blame Copy Permalink