
Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
24 lines
749 B
ReStructuredText
---
id: V-72273
status: opt-in
tag: misc
---

The STIG requires that a firewall is configured on each server. This might be
disruptive to some environments since the default firewall policy for
``firewalld`` is very restrictive. Therefore, the tasks in the security role
do not install or enable the ``firewalld`` daemon by default.

Deployers can opt in for this change by setting the following Ansible variable:

.. code-block:: yaml

    security_enable_firewalld: yes

.. warning::

    Deployers must pre-configure ``firewalld`` or copy over a working XML file
    in ``/etc/firewalld/zones/`` from another server. The default firewalld
    restrictions on Ubuntu, CentOS, Red Hat Enterprise Linux and openSUSE Leap
    are highly restrictive.
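
A pre-flight check for the zone file mentioned in the warning, as an added example that is not part of the security role: it parses a firewalld zone XML file and reports whether SSH stays reachable before ``security_enable_firewalld`` is set. The function names and the sample zone are constructed for illustration, and checking SSH on TCP port 22 is an assumption about how Ansible reaches the host.

```python
"""Pre-flight check for a firewalld zone file (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample zone in firewalld's zone XML format (not from a real host).
SAMPLE_ZONE = """<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="20-25"/>
</zone>
"""


def port_allowed(zone_xml, port, protocol="tcp", service=None):
    """Return True if the zone accepts `port`/`protocol`.

    Looks at the zone target, <service> names and <port> elements only;
    rich rules and source-based bindings are not evaluated.
    """
    root = ET.fromstring(zone_xml)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file: root is <%s>" % root.tag)
    if root.get("target") == "ACCEPT":
        return True  # zone accepts everything that is not explicitly denied
    if service and any(s.get("name") == service for s in root.findall("service")):
        return True
    for entry in root.findall("port"):
        if entry.get("protocol") != protocol:
            continue
        low, _, high = entry.get("port", "").partition("-")
        try:
            if int(low) <= port <= int(high or low):
                return True
        except ValueError:
            continue  # malformed port attribute: treat as not matching
    return False


def check_zone_file(path, port=22, service="ssh"):
    """Check a zone file on disk, e.g. one under /etc/firewalld/zones/."""
    with open(path, "rb") as handle:
        return port_allowed(handle.read(), port, "tcp", service)


if __name__ == "__main__":
    print("SSH reachable with sample zone:",
          port_allowed(SAMPLE_ZONE, 22, service="ssh"))
```

A ``False`` result means the zone needs an ``ssh`` service or a matching port entry before the variable is enabled on that host.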