openstack/ansible-hardening
Code Issues Proposed changes
d2e1d2ee56
ansible-hardening/vars/debian.yml
Dmitriy Rabotyagov 180fc448eb Make possible to avoid aide installation 
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be ommited.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-02-02 14:12:10 +00:00

117 lines
3.4 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Variables for Ubuntu and Debian
# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
# (xenial), and Debian 8 (jessie). Deployers should not need to override these
# variables.
#
# For more details, see 'vars/main.yml'.
# Maximum age of the apt cache before a refresh is required
cache_timeout: 600
# Configuration file paths
pam_auth_file: /etc/pam.d/common-auth
pam_password_file: /etc/pam.d/common-password
pam_postlogin_file: /etc/pam.d/login
vsftpd_conf_file: /etc/vsftpd.conf
grub_conf_file: /boot/grub/grub.cfg
grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
aide_cron_job_path: /etc/cron.daily/aide
aide_database_file: /var/lib/aide/aide.db
aide_database_out_file: /var/lib/aide/aide.db.new
chrony_conf_file: /etc/chrony/chrony.conf
chrony_key_file: /etc/chrony/chrony.keys
daemon_init_params_file: /etc/init.d/rc
# Service name
cron_service: cron
ssh_service: ssh
chrony_service: chrony
clamav_service: clamav-daemon
# Commands
grub_update_cmd: "/usr/sbin/update-grub"
ssh_keysign_path: /usr/lib/openssh
# Other configuration
security_interactive_user_minimum_uid: 500
# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
- packages:
- auditd
- audispd-plugins
- libpwquality-common
- openssh-client
- openssh-server
- screen
state: "{{ security_package_state }}"
enabled: True
- packages:
- aide
- aide-common
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_aide }}"
- packages:
- apparmor
- apparmor-profiles
- apparmor-utils
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_linux_security_module }}"
- packages:
- chrony
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_chrony }}"
- packages:
- clamav
- clamav-daemon
- clamav-freshclam
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- firewalld
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- unattended-upgrades
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages:
- libpam-pwquality
state: "{{ security_package_state }}"
enabled: "{{ security_pwquality_apply_rules }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_rhel7_remove_rsh_server }}"
- packages:
- telnetd
state: absent
enabled: "{{ security_rhel7_remove_telnet_server }}"
- packages:
- tftpd
state: absent
enabled: "{{ security_rhel7_remove_tftp_server }}"
- packages:
- xorg-xserver
state: absent
enabled: "{{ security_rhel7_remove_xorg }}"
- packages:
- nis
state: absent
enabled: "{{ security_rhel7_remove_ypserv }}"
View Git Blame Copy Permalink