--- # Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 26. # The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7 # and Fedora 26. Deployers should not override these. # # For more details, see 'vars/main.yml'. # Configuration file paths pam_auth_file: /etc/pam.d/system-auth pam_password_file: /etc/pam.d/password-auth pam_postlogin_file: /etc/pam.d/postlogin vsftpd_conf_file: /etc/vsftpd/vsftpd.conf grub_conf_file: /boot/grub2/grub.cfg grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_distribution | lower | replace(' ', '') }}/grub.cfg" aide_cron_job_path: /etc/cron.d/aide aide_database_file: /var/lib/aide/aide.db.gz aide_database_out_file: /var/lib/aide/aide.db.new.gz chrony_conf_file: /etc/chrony.conf chrony_key_file: /etc/chrony.keys daemon_init_params_file: /etc/init.d/functions pkg_mgr_config: "{{ (ansible_pkg_mgr == 'yum') | ternary('/etc/yum.conf', '/etc/dnf/dnf.conf') }}" # Service names cron_service: crond ssh_service: sshd chrony_service: chronyd clamav_service: 'clamd@scan' # Commands grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}" ssh_keysign_path: /usr/libexec/openssh # Other configuration security_interactive_user_minimum_uid: 1000 # RHEL 7 STIG: Packages to add/remove stig_packages_rhel7: - packages: - audispd-plugins - audit - aide - dracut-fips - dracut-fips-aesni - openssh-clients - openssh-server - screen state: "{{ security_package_state }}" enabled: True - packages: - libselinux-python - policycoreutils-python - selinux-policy - selinux-policy-targeted state: "{{ security_package_state }}" enabled: "{{ security_rhel7_enable_linux_security_module }}" - packages: - chrony state: "{{ security_package_state }}" enabled: "{{ security_rhel7_enable_chrony }}" - packages: - clamav - clamav-data - clamav-devel - clamav-filesystem - clamav-lib - clamav-scanner-systemd - clamav-server-systemd - clamav-server - clamav-update state: "{{ security_package_state }}" enabled: "{{ security_enable_virus_scanner }}" - packages: - firewalld state: "{{ security_package_state }}" enabled: "{{ security_enable_firewalld }}" - packages: - "{{ (ansible_pkg_mgr == 'yum') | ternary('yum-cron', 'dnf-automatic') }}" state: "{{ security_package_state }}" enabled: "{{ security_rhel7_automatic_package_updates }}" - packages: - rsh-server state: absent enabled: "{{ security_rhel7_remove_rsh_server }}" - packages: - telnet-server state: absent enabled: "{{ security_rhel7_remove_telnet_server }}" - packages: - tftp-server state: absent enabled: "{{ security_rhel7_remove_tftp_server }}" - packages: - xorg-x11-server-Xorg state: absent enabled: "{{ security_rhel7_remove_xorg }}" - packages: - ypserv state: absent enabled: "{{ security_rhel7_remove_ypserv }}" rpm_gpgchecks: - regexp: "^gpgcheck.*" line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}" - regexp: "^localpkg_gpgcheck.*" line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}" - regexp: "^repo_gpgcheck.*" line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"