/home/zuul/src/opendev.org/openstack/ansible-hardening/vars/main.yml
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## Common variables for all distributions
# This file contains variables that apply to all distributions that the
# security role supports. Distribution-specific variables should be placed in:
#
#   - vars/redhat.yml
#   - vars/ubuntu.yml

## grub custom configuration
# Path of the grub.d fragment reserved for custom entries.
grub_custom_file: /etc/grub.d/40_custom
## grub main linux configuration
# Path of the grub.d script that generates the Linux menu entries.
grub_linux_file: /etc/grub.d/10_linux

## auditd configuration
# Each dictionary has this structure:
#
#   parameter: the option name as it appears in the target config file
#   value: the value to set, templated from the matching
#          security_rhel7_auditd_* variable
#   config: the file that holds the option (the two *_action options below
#           live in the audisp remote-logging config, the rest in auditd.conf)
#
auditd_config:
  - parameter: disk_full_action
    value: "{{ security_rhel7_auditd_disk_full_action }}"
    config: /etc/audisp/audisp-remote.conf
  - parameter: network_failure_action
    value: "{{ security_rhel7_auditd_network_failure_action }}"
    config: /etc/audisp/audisp-remote.conf
  - parameter: space_left
    value: "{{ security_rhel7_auditd_space_left }}"
    config: /etc/audit/auditd.conf
  - parameter: space_left_action
    value: "{{ security_rhel7_auditd_space_left_action }}"
    config: /etc/audit/auditd.conf
  - parameter: action_mail_acct
    value: "{{ security_rhel7_auditd_action_mail_acct }}"
    config: /etc/audit/auditd.conf

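## auditd rules
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
# for various commands and syscalls.
#
# Each dictionary has this structure:
#
#   command: the command/syscall to audit (required)
#   stig_id: the number/ID from the STIG (required)
#   arch_specific: true if the rule depends on the architecture type,
#                  otherwise false (required). Written as canonical YAML
#                  booleans (true/false) rather than yes/no so the value does
#                  not depend on YAML 1.1 truthy parsing; both forms load as
#                  the same boolean under Ansible's loader.
#   path: the path to the command (optional, default is '/usr/bin')
#   distro: restrict deployment to a single Linux distribution (optional,
#           should be equal to 'ansible_os_family | lower', such as 'redhat'
#           or 'ubuntu')
#
audited_commands:
  - command: chsh
    stig_id: V-72167
    arch_specific: false
  - command: chage
    stig_id: V-72155
    arch_specific: false
  - command: chcon
    stig_id: V-72139
    arch_specific: false
  - command: chmod
    stig_id: V-72105
    arch_specific: true
  - command: chown
    stig_id: V-72097
    arch_specific: true
  - command: creat
    stig_id: V-72123
    arch_specific: true
  - command: crontab
    stig_id: V-72183
    arch_specific: false
  - command: delete_module
    stig_id: V-72189
    arch_specific: true
  - command: fchmod
    stig_id: V-72107
    arch_specific: true
  - command: fchmodat
    stig_id: V-72109
    arch_specific: true
  - command: fchown
    stig_id: V-72099
    arch_specific: true
  - command: fchownat
    stig_id: V-72103
    arch_specific: true
  - command: fremovexattr
    stig_id: V-72119
    arch_specific: true
  - command: fsetxattr
    stig_id: V-72113
    arch_specific: true
  - command: ftruncate
    stig_id: V-72133
    arch_specific: true
  - command: init_module
    stig_id: V-72187
    arch_specific: true
  - command: gpasswd
    stig_id: V-72153
    arch_specific: false
  - command: lchown
    stig_id: V-72101
    arch_specific: true
  - command: lremovexattr
    stig_id: V-72121
    arch_specific: true
  - command: lsetxattr
    stig_id: V-72115
    arch_specific: true
  - command: mount
    path: /bin
    stig_id: V-72171
    arch_specific: false
  - command: newgrp
    stig_id: V-72165
    arch_specific: false
  - command: open
    stig_id: V-72125
    arch_specific: true
  - command: openat
    stig_id: V-72127
    arch_specific: true
  - command: open_by_handle_at
    stig_id: V-72129
    arch_specific: true
  - command: pam_timestamp_check
    path: /sbin
    stig_id: V-72185
    arch_specific: false
  - command: passwd
    stig_id: V-72149
    arch_specific: false
  - command: postdrop
    path: /usr/sbin
    stig_id: V-72175
    arch_specific: false
  - command: postqueue
    path: /usr/sbin
    stig_id: V-72177
    arch_specific: false
  - command: removexattr
    stig_id: V-72117
    arch_specific: true
  - command: rename
    stig_id: V-72199
    arch_specific: true
  - command: renameat
    stig_id: V-72201
    arch_specific: true
  - command: restorecon
    path: /usr/sbin
    stig_id: V-72141
    arch_specific: false
  - command: rmdir
    stig_id: V-72203
    arch_specific: true
  - command: semanage
    path: /usr/sbin
    stig_id: V-72135
    arch_specific: false
  - command: setsebool
    path: /usr/sbin
    stig_id: V-72137
    arch_specific: false
  - command: setxattr
    stig_id: V-72111
    arch_specific: true
  - command: ssh-keysign
    # The ssh-keysign location differs between distributions, so the path is
    # templated; presumably ssh_keysign_path is set in vars/redhat.yml and
    # vars/ubuntu.yml (see the header of this file) -- confirm there.
    path: "{{ ssh_keysign_path }}"
    stig_id: V-72179
    arch_specific: false
  - command: su
    path: /bin
    stig_id: V-72159
    arch_specific: false
  - command: sudo
    stig_id: V-72161
    arch_specific: false
  - command: sudoedit
    path: /bin
    stig_id: V-72169
    arch_specific: false
  - command: truncate
    stig_id: V-72131
    arch_specific: true
  - command: umount
    path: /bin
    stig_id: V-72173
    arch_specific: false
  - command: unix_chkpwd
    path: /sbin
    stig_id: V-72151
    arch_specific: false
  - command: unlink
    stig_id: V-72205
    arch_specific: true
  - command: unlinkat
    stig_id: V-72207
    arch_specific: true
  - command: userhelper
    path: /usr/sbin
    stig_id: V-72157
    arch_specific: false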

## Password quality settings
# This variable is used in main/rhel7stig/auth.yml to set password quality
# requirements.
#
# Each dictionary has this structure:
#
#   parameter: the pwquality parameter to set
#   value: the value of the parameter (negative credit values follow the
#          pwquality convention for "at least N characters of this class")
#   stig_id: the STIG id number
#   description: description of the control from the STIG
#   enabled: whether the change should be applied, templated from the
#            matching security_pwquality_* variable
#
# NOTE(review): unlike sysctl_settings_rhel7 further down, these 'enabled'
# expressions are not passed through the 'bool' filter, so a user-supplied
# string such as "no" reaches the consuming task as a plain string -- confirm
# that the task coerces it before using it as a condition.
#
password_quality_rhel7:
  - parameter: ucredit
    value: -1
    stig_id: V-71903
    description: "Password must contain at least one upper-case character"
    enabled: "{{ security_pwquality_require_uppercase }}"
  - parameter: lcredit
    value: -1
    stig_id: V-71905
    description: "Password must contain at least one lower-case character"
    enabled: "{{ security_pwquality_require_lowercase }}"
  - parameter: dcredit
    value: -1
    stig_id: V-71907
    description: "Password must contain at least one numeric character"
    enabled: "{{ security_pwquality_require_numeric }}"
  - parameter: ocredit
    value: -1
    stig_id: V-71909
    description: "Password must contain at least one special character"
    enabled: "{{ security_pwquality_require_special }}"
  - parameter: difok
    value: 8
    stig_id: V-71911
    description: "Password must have at least eight characters changed"
    enabled: "{{ security_pwquality_require_characters_changed }}"
  - parameter: minclass
    value: 4
    stig_id: V-71913
    description: "Password must have at least four character classes changed"
    enabled: "{{ security_pwquality_require_character_classes_changed }}"
  - parameter: maxrepeat
    value: 3
    stig_id: V-71915
    description: "Password must have at most three characters repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_characters }}"
  - parameter: maxclassrepeat
    value: 4
    stig_id: V-71917
    description: "Password must have at most four characters in the same character class repeated consecutively"
    enabled: "{{ security_pwquality_limit_repeated_character_classes }}"
  - parameter: minlen
    value: 15
    stig_id: V-71935
    description: "Passwords must be a minimum of 15 characters in length"
    enabled: "{{ security_pwquality_require_minimum_password_length }}"

## shadow-utils settings
# This variable is used in main/rhel7stig/auth.yml to set shadow file-related
# configurations in /etc/login.defs.
#
# Each dictionary has this structure:
#
#   parameter: the parameter to set
#   value: the value for the parameter; every entry falls back to '' via
#          default('') when the corresponding security_* variable is
#          undefined -- how the consuming task treats an empty value is not
#          visible here, confirm it skips rather than writes an empty setting
#   stig_id: the STIG ID number for the requirement
#   ansible_os_family: 'all' or an OS family name such as 'RedHat';
#                      presumably matched against ansible_os_family by the
#                      consuming task, with 'all' meaning no restriction --
#                      confirm in the task
#
shadow_utils_rhel7:
  - parameter: ENCRYPT_METHOD
    value: "{{ security_password_encrypt_method | default('') }}"
    stig_id: V-71921
    ansible_os_family: all
  - parameter: PASS_MIN_DAYS
    value: "{{ security_password_min_lifetime_days | default('') }}"
    stig_id: V-71925
    ansible_os_family: all
  - parameter: PASS_MAX_DAYS
    value: "{{ security_password_max_lifetime_days | default('') }}"
    stig_id: V-71929
    ansible_os_family: all
  - parameter: FAIL_DELAY
    value: "{{ security_shadow_utils_fail_delay | default('') }}"
    stig_id: V-71951
    # Only applied on the RedHat family; the other entries apply everywhere.
    ansible_os_family: RedHat
  - parameter: UMASK
    value: "{{ security_shadow_utils_umask | default('') }}"
    stig_id: V-71995
    ansible_os_family: all
  - parameter: CREATE_HOME
    value: "{{ security_shadow_utils_create_home | default('') }}"
    stig_id: V-72013
    ansible_os_family: all

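## sysctl settings
# This variable is used in main/rhel7stig/kernel.yml to set sysctl
# configurations on hosts.
#
# Each dictionary has this structure:
#
#   name: the sysctl configuration name
#   value: the value to set for the sysctl configuration
#   enabled: a boolean rendered from the corresponding security_* variable
#            through the 'bool' filter
#     - true (ensure the variable is set)
#     - false (the role will not alter the configuration)
#
# NOTE(review): only net.ipv4.conf.default.accept_redirects is listed below;
# there is no net.ipv4.conf.all.accept_redirects entry, and the IPv6
# accept_source_route entry covers 'all' but not 'default'. As I understand
# the kernel's conf.all/conf.default split, the 'default' key alone leaves
# already-configured interfaces unchanged -- confirm whether the missing keys
# are handled elsewhere in the role.
#
sysctl_settings_rhel7:
  - name: net.ipv4.conf.all.accept_source_route
    value: 0
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
  - name: net.ipv4.conf.default.accept_source_route
    value: 0
    # Spacing inside the Jinja block made consistent with the other entries.
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv4 | bool }}"
  - name: net.ipv4.icmp_echo_ignore_broadcasts
    value: 1
    enabled: "{{ security_disallow_echoes_broadcast_address | bool }}"
  - name: net.ipv4.conf.all.send_redirects
    value: 0
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
  - name: net.ipv4.conf.default.send_redirects
    value: 0
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
  - name: net.ipv4.ip_forward
    value: 0
    enabled: "{{ security_disallow_ip_forwarding | bool }}"
  - name: net.ipv6.conf.all.accept_source_route
    value: 0
    enabled: "{{ security_disallow_source_routed_packet_forward_ipv6 | bool }}"
  - name: net.ipv4.conf.default.accept_redirects
    value: 0
    # Same toggle as the send_redirects entries above: one variable controls
    # both sending and accepting ICMP redirects.
    enabled: "{{ security_disallow_icmp_redirects | bool }}"
  - name: kernel.randomize_va_space
    value: 2
    enabled: "{{ security_enable_aslr | bool }}"
  - name: net.ipv6.conf.all.disable_ipv6
    value: 1
    # Gated twice: the contrib group must be enabled and the IPv6 knob set.
    enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"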