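---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Common variables for all distributions
# This file contains variables that apply to all distributions that the
# security role supports. Distribution-specific variables should be placed in:
#
#   - vars/redhat.yml
#   - vars/ubuntu.yml
#
# Boolean fields in this file are written as the canonical YAML `true` /
# `false`. Under the YAML 1.1 rules used by Ansible's loader, `yes` / `no`
# also parse as booleans, so the canonical form is equivalent there, but it
# is also unambiguous for YAML 1.2 parsers and linters (yamllint `truthy`).

## auditd rules
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
# for various commands and syscalls.
#
# Each dictionary has this structure:
#
#   command: the command/syscall to audit (required)
#   stig_id: the number/ID from the STIG (required)
#   arch_specific: true if the rule depends on the architecture type,
#                  otherwise false (required)
#   path: the path to the command (optional, default is '/usr/bin')
#   distro: restrict deployment to a single Linux distribution (optional,
#           should be equal to 'ansible_os_family | lower', such as 'redhat'
#           or 'ubuntu')
#
# Entries with an explicit `path` are binaries that do not live under the
# default '/usr/bin'; `ssh-keysign` takes its path from a distribution
# variable because its location differs between the supported distributions.
#
audited_commands:
  - command: chsh
    stig_id: RHEL-07-030525
    arch_specific: false
  - command: chage
    stig_id: RHEL-07-030513
    arch_specific: false
  - command: chcon
    stig_id: RHEL-07-030443
    arch_specific: false
  - command: chmod
    stig_id: RHEL-07-030390
    arch_specific: true
  - command: chown
    stig_id: RHEL-07-030380
    arch_specific: true
  - command: creat
    stig_id: RHEL-07-030420
    arch_specific: true
  - command: crontab
    stig_id: RHEL-07-030561
    arch_specific: false
  - command: delete_module
    stig_id: RHEL-07-030671
    arch_specific: true
  - command: fchmod
    stig_id: RHEL-07-030391
    arch_specific: true
  - command: fchmodat
    stig_id: RHEL-07-030392
    arch_specific: true
  - command: fchown
    stig_id: RHEL-07-030381
    arch_specific: true
  - command: fchownat
    stig_id: RHEL-07-030383
    arch_specific: true
  - command: fremovexattr
    stig_id: RHEL-07-030404
    arch_specific: true
  - command: fsetxattr
    stig_id: RHEL-07-030401
    arch_specific: true
  - command: ftruncate
    stig_id: RHEL-07-030425
    arch_specific: true
  - command: init_module
    stig_id: RHEL-07-030670
    arch_specific: true
  - command: gpasswd
    stig_id: RHEL-07-030512
    arch_specific: false
  - command: lchown
    stig_id: RHEL-07-030382
    arch_specific: true
  - command: lremovexattr
    stig_id: RHEL-07-030405
    arch_specific: true
  - command: lsetxattr
    stig_id: RHEL-07-030402
    arch_specific: true
  - command: mount
    path: /bin
    stig_id: RHEL-07-030530
    arch_specific: false
  - command: newgrp
    stig_id: RHEL-07-030524
    arch_specific: false
  - command: open
    stig_id: RHEL-07-030421
    arch_specific: true
  - command: openat
    stig_id: RHEL-07-030422
    arch_specific: true
  - command: open_by_handle_at
    stig_id: RHEL-07-030423
    arch_specific: true
  - command: pam_timestamp_check
    path: /sbin
    stig_id: RHEL-07-030630
    arch_specific: false
  - command: passwd
    stig_id: RHEL-07-030510
    arch_specific: false
  - command: postdrop
    path: /usr/sbin
    stig_id: RHEL-07-030540
    arch_specific: false
  - command: postqueue
    path: /usr/sbin
    stig_id: RHEL-07-030541
    arch_specific: false
  - command: pt_chown
    path: /usr/libexec
    stig_id: RHEL-07-030560
    arch_specific: false
    distro: redhat
  - command: removexattr
    stig_id: RHEL-07-030403
    arch_specific: true
  - command: rename
    stig_id: RHEL-07-030750
    arch_specific: true
  - command: renameat
    stig_id: RHEL-07-030751
    arch_specific: true
  - command: restorecon
    path: /usr/sbin
    stig_id: RHEL-07-030444
    arch_specific: false
  - command: rmdir
    stig_id: RHEL-07-030752
    arch_specific: true
  - command: semanage
    path: /usr/sbin
    stig_id: RHEL-07-030441
    arch_specific: false
  - command: setsebool
    path: /usr/sbin
    stig_id: RHEL-07-030442
    arch_specific: false
  - command: setxattr
    stig_id: RHEL-07-030400
    arch_specific: true
  - command: ssh-keysign
    path: "{{ ssh_keysign_path }}"
    stig_id: RHEL-07-030550
    arch_specific: false
  - command: su
    path: /bin
    stig_id: RHEL-07-030521
    arch_specific: false
  - command: sudo
    stig_id: RHEL-07-030522
    arch_specific: false
  - command: sudoedit
    path: /bin
    stig_id: RHEL-07-030526
    arch_specific: false
  - command: truncate
    stig_id: RHEL-07-030424
    arch_specific: true
  - command: umount
    path: /bin
    stig_id: RHEL-07-030531
    arch_specific: false
  - command: unix_chkpwd
    path: /sbin
    stig_id: RHEL-07-030511
    arch_specific: false
  - command: unlink
    stig_id: RHEL-07-030753
    arch_specific: true
  - command: unlinkat
    stig_id: RHEL-07-030754
    arch_specific: true
  - command: userhelper
    path: /usr/sbin
    stig_id: RHEL-07-030514
    arch_specific: false

## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
# requirements.
#
# Each dictionary has this structure:
#
#   parameter: the pwquality parameter to set
#   value: the value of the parameter
#   stig_id: the STIG id number
#   description: description of the control from the STIG
#   enabled: whether the change should be applied (templated from the
#            matching `security_pwquality_*` variable)
#
# Note on the `*credit` values: in pwquality a negative credit value is a
# minimum count of that character class, so `-1` means "at least one".
#
password_quality_rhel7:
  - parameter: ucredit
    value: -1
    stig_id: RHEL-07-010090
    description: "Password must contain at least one upper-case character"
    enabled: "{{ security_pwquality_require_uppercase }}"
  - parameter: lcredit
    value: -1
    stig_id: RHEL-07-010100
    description: "Password must contain at least one lower-case character"
    enabled: "{{ security_pwquality_require_lowercase }}"
  - parameter: dcredit
    value: -1
    stig_id: RHEL-07-010110
    description: "Password must contain at least one numeric character"
    enabled: "{{ security_pwquality_require_numeric }}"
  - parameter: ocredit
    value: -1
    stig_id: RHEL-07-010120
    description: "Password must contain at least one special character"
    enabled: "{{ security_pwquality_require_special }}"
  - parameter: difok
    value: 8
    stig_id: RHEL-07-010130
    description: "Password must have at least eight characters changed"
    enabled: "{{ security_pwquality_require_characters_changed }}"
  - parameter: minclass
    value: 4
    stig_id: RHEL-07-010140
    description: "Password must have at least four character classes changed"
    enabled: "{{ security_pwquality_require_character_classes_changed }}"
  - parameter: maxrepeat
    value: 4
    stig_id: RHEL-07-010150
    description: "Password must have at most four characters repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_characters }}"
  - parameter: maxclassrepeat
    value: 4
    stig_id: RHEL-07-010160
    description: "Password must have at most four characters in the same character class repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
  - parameter: minlen
    value: 15
    stig_id: RHEL-07-010250
    description: "Passwords must be a minimum of 15 characters in length"
    enabled: "{{ security_pwquality_require_minimum_password_length }}"

## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
#   parameter: the parameter to set
#   value: the value for the parameter
#   stig_id: the STIG ID number for the requirement
#
# Every `value` falls back to an empty string via `default('')` when the
# corresponding `security_*` variable is undefined, so an unset variable
# renders as an empty value rather than failing the template.
#
shadow_utils_rhel7:
  - parameter: ENCRYPT_METHOD
    value: "{{ security_password_encrypt_method | default('') }}"
    stig_id: RHEL-07-010180
  - parameter: PASS_MIN_DAYS
    value: "{{ security_password_min_lifetime_days | default('') }}"
    stig_id: RHEL-07-010200
  - parameter: PASS_MAX_DAYS
    value: "{{ security_password_max_lifetime_days | default('') }}"
    stig_id: RHEL-07-010220
  - parameter: FAIL_DELAY
    value: "{{ security_shadow_utils_fail_delay | default('') }}"
    stig_id: RHEL-07-010420
  - parameter: UMASK
    value: "{{ security_shadow_utils_umask | default('') }}"
    stig_id: RHEL-07-020230
  - parameter: CREATE_HOME
    value: "{{ security_shadow_utils_create_home | default('') }}"
    stig_id: RHEL-07-020630

## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
# configurations on hosts.
#
# Each dictionary has this structure:
#
#   name: the sysctl configuration name
#   value: the value to set for the sysctl configuration
#   enabled: whether the variable should be set or not
#
# The `enabled` expressions are passed through `| bool` so that the
# controlling `security_*` variables can be given as booleans or as
# truthy strings by the operator.
#
sysctl_settings_rhel7:
  - name: net.ipv4.conf.all.accept_source_route
    value: 0
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
  - name: net.ipv4.conf.default.accept_source_route
    value: 0
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
  - name: net.ipv4.icmp_echo_ignore_broadcasts
    value: 1
    enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
  - name: net.ipv4.conf.all.send_redirects
    value: 0
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
  - name: net.ipv4.conf.default.send_redirects
    value: 0
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
  - name: net.ipv4.ip_forward
    value: 0
    enabled: "{{ security_disallow_ip_forwarding | bool }}"
  - name: net.ipv6.conf.all.accept_source_route
    value: 0
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"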