155 lines
		
	
	
		
			4.4 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			155 lines
		
	
	
		
			4.4 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| ---
 | |
| # Copyright 2016, Rackspace US, Inc.
 | |
| #
 | |
| # Licensed under the Apache License, Version 2.0 (the "License");
 | |
| # you may not use this file except in compliance with the License.
 | |
| # You may obtain a copy of the License at
 | |
| #
 | |
| #     http://www.apache.org/licenses/LICENSE-2.0
 | |
| #
 | |
| # Unless required by applicable law or agreed to in writing, software
 | |
| # distributed under the License is distributed on an "AS IS" BASIS,
 | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| # See the License for the specific language governing permissions and
 | |
| # limitations under the License.
 | |
| 
 | |
| ## Variables for CentOS 7 and Red Hat Enterprise Linux 7
 | |
| # The following variables apply only to CentOS 7 and Red Hat Enterprise Linux 7
 | |
| # and deployers should not override them.
 | |
| #
 | |
| # For more details, see 'vars/main.yml'.
 | |
| 
 | |
| # Configuration file paths
 | |
| pam_auth_file: /etc/pam.d/system-auth
 | |
| pam_password_file: /etc/pam.d/password-auth
 | |
| vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
 | |
| grub_conf_file: /boot/grub2/grub.cfg
 | |
| aide_cron_job_path: /etc/cron.d/aide
 | |
| aide_database_file: /var/lib/aide/aide.db.gz
 | |
| chrony_conf_file: /etc/chrony.conf
 | |
| 
 | |
| # Service names
 | |
| cron_service: crond
 | |
| ssh_service: sshd
 | |
| chrony_service: chronyd
 | |
| clamav_service: 'clamd@scan'
 | |
| 
 | |
| # Commands
 | |
| grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
 | |
| ssh_keysign_path: /usr/libexec/openssh
 | |
| 
 | |
| # RHEL 6 STIG: Packages to add/remove
 | |
| stig_packages:
 | |
|   - packages:
 | |
|       - audit
 | |
|       - audispd-plugins
 | |
|       - aide
 | |
|       - chrony
 | |
|       - logrotate
 | |
|       - postfix
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: True
 | |
|   - packages:
 | |
|       - libselinux-python
 | |
|       - policycoreutils-python
 | |
|       - selinux-policy
 | |
|       - selinux-policy-targeted
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: "{{ security_enable_linux_security_module }}"
 | |
|   - packages:
 | |
|       - yum-cron
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: "{{ security_unattended_upgrades_enabled }}"
 | |
|   - packages:
 | |
|       - xinetd
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_xinetd }}"
 | |
|   - packages:
 | |
|       - ypserv
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_ypserv }}"
 | |
|   - packages:
 | |
|       - tftp-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_tftp_server }}"
 | |
|   - packages:
 | |
|       - openldap-servers
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_ldap_server }}"
 | |
|   - packages:
 | |
|       - sendmail
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_sendmail }}"
 | |
|   - packages:
 | |
|       - xorg-x11-server-Xorg
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_xorg }}"
 | |
|   - packages:
 | |
|       - rsh-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_rsh_server }}"
 | |
|   - packages:
 | |
|       - telnet-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_remove_telnet_server }}"
 | |
| 
 | |
| # RHEL 7 STIG: Packages to add/remove
 | |
| stig_packages_rhel7:
 | |
|   - packages:
 | |
|       - openssh-clients
 | |
|       - openssh-server
 | |
|       - screen
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: True
 | |
|   - packages:
 | |
|       - libselinux-python
 | |
|       - policycoreutils-python
 | |
|       - selinux-policy
 | |
|       - selinux-policy-targeted
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: "{{ security_rhel7_enable_linux_security_module }}"
 | |
|   - packages:
 | |
|       - clamav
 | |
|       - clamav-data
 | |
|       - clamav-devel
 | |
|       - clamav-filesystem
 | |
|       - clamav-lib
 | |
|       - clamav-scanner-systemd
 | |
|       - clamav-server-systemd
 | |
|       - clamav-server
 | |
|       - clamav-update
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: "{{ security_enable_virus_scanner }}"
 | |
|   - packages:
 | |
|       - firewalld
 | |
|     state: "{{ security_package_state }}"
 | |
|     enabled: "{{ security_enable_firewalld }}"
 | |
|   - packages:
 | |
|       - rsh-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_rhel7_remove_rsh_server }}"
 | |
|   - packages:
 | |
|       - telnet-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_rhel7_remove_telnet_server }}"
 | |
|   - packages:
 | |
|       - tftp-server
 | |
|     state: absent
 | |
|     enabled: "{{ security_rhel7_remove_tftp_server }}"
 | |
|   - packages:
 | |
|       - xorg-x11-server-Xorg
 | |
|     state: absent
 | |
|     enabled: "{{ security_rhel7_remove_xorg }}"
 | |
|   - packages:
 | |
|       - ypserv
 | |
|     state: absent
 | |
|     enabled: "{{ security_rhel7_remove_ypserv }}"
 | |
| 
 | |
| rpm_gpgchecks:
 | |
|   - regexp: "^gpgcheck.*"
 | |
|     line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
 | |
|   - regexp: "^localpkg_gpgcheck.*"
 | |
|     line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
 | |
|   - regexp: "^repo_gpgcheck.*"
 | |
|     line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
 | 
