openstack/ansible-hardening
Code Issues Proposed changes
9d7f0ad471
ansible-hardening/vars/redhat-9.yml
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata 
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metdata to reflect current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00

131 lines
4.0 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## Variables for CentOS 7, Red Hat Enterprise Linux 7 and Fedora 27.
# The following variables apply only to CentOS 7, Red Hat Enterprise Linux 7
# and Fedora 27. Deployers should not override these.
#
# For more details, see 'vars/main.yml'.
# Configuration file paths
pam_auth_file: /etc/pam.d/system-auth
pam_password_file: /etc/pam.d/password-auth
pam_postlogin_file: /etc/pam.d/postlogin
vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
grub_conf_file: /boot/grub2/grub.cfg
grub_conf_file_efi: "/boot/efi/EFI/{{ ansible_facts['distribution'] | lower | replace(' ', '') }}/grub.cfg"
aide_cron_job_path: /etc/cron.d/aide
aide_database_file: /var/lib/aide/aide.db.gz
aide_database_out_file: /var/lib/aide/aide.db.new.gz
chrony_conf_file: /etc/chrony.conf
chrony_key_file: /etc/chrony.keys
daemon_init_params_file: /etc/init.d/functions
pkg_mgr_config: /etc/dnf/dnf.conf
# Service names
cron_service: crond
ssh_service: sshd
chrony_service: chronyd
clamav_service: 'clamd@scan'
# Clamav paparms
clamav_service_details:
user: clamscan
group: virusgroup
socket_path: /run/clamd.scan/clamd.sock
mode: "0710"
# Commands
grub_update_cmd: "/usr/sbin/grub2-mkconfig -o {{ grub_config_file_boot }}"
ssh_keysign_path: /usr/libexec/openssh
# Other configuration
security_interactive_user_minimum_uid: 1000
# RHEL 7 STIG: Packages to add/remove
stig_packages_rhel7:
- packages:
- audispd-plugins
- audit
- dracut-fips
- dracut-fips-aesni
- openssh-clients
- openssh-server
state: "{{ security_package_state }}"
enabled: True
- packages:
- aide
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_aide }}"
- packages:
- python3-libselinux
- policycoreutils-python-utils
- selinux-policy
- selinux-policy-targeted
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_linux_security_module }}"
- packages:
- chrony
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_enable_chrony }}"
- packages:
- clamav
- clamav-data
- clamav-devel
- clamav-filesystem
- clamav-lib
- clamav-scanner-systemd
- clamav-server-systemd
- clamav-server
- clamav-update
state: "{{ security_package_state }}"
enabled: "{{ security_enable_virus_scanner }}"
- packages:
- firewalld
state: "{{ security_package_state }}"
enabled: "{{ security_enable_firewalld }}"
- packages:
- dnf-automatic
state: "{{ security_package_state }}"
enabled: "{{ security_rhel7_automatic_package_updates }}"
- packages:
- rsh-server
state: absent
enabled: "{{ security_rhel7_remove_rsh_server }}"
- packages:
- telnet-server
state: absent
enabled: "{{ security_rhel7_remove_telnet_server }}"
- packages:
- tftp-server
state: absent
enabled: "{{ security_rhel7_remove_tftp_server }}"
- packages:
- xorg-x11-server-Xorg
state: absent
enabled: "{{ security_rhel7_remove_xorg }}"
- packages:
- ypserv
state: absent
enabled: "{{ security_rhel7_remove_ypserv }}"
rpm_gpgchecks:
- regexp: "^gpgcheck.*"
line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
- regexp: "^localpkg_gpgcheck.*"
line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
- regexp: "^repo_gpgcheck.*"
line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
View Git Blame Copy Permalink