/home/zuul/src/opendev.org/openstack/ansible-hardening/defaults/main.yml
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## STIG version selection
# The RHEL 7 STIG content first appeared in the Ocata release and is compatible
# with the following operating systems:
#
#  * CentOS 7
#  * Debian Jessie
#  * Fedora 27
#  * openSUSE Leap 42.x
#  * SUSE Linux Enterprise 12
#  * Ubuntu 16.04 Xenial LTS
#
# Valid options: rhel7
stig_version: rhel7

## APT Cache Options
# This variable is used across multiple OpenStack-Ansible roles to handle the
# apt cache updates as efficiently as possible.
cache_timeout: 600

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
security_package_state: present

## EPEL
# Set the following variable to `no` to prevent the EPEL repository from being
# installed by the role. This may prevent certain packages from installing,
# such as ClamAV.
security_epel_install_repository: yes
#
# Some deployers install a customized EPEL package that redirects servers to
# their internal EPEL mirrors. Provide the name of the EPEL repository package
# (epel-release by default on CentOS) or a URL to an EPEL release RPM file.
security_epel_release_package: epel-release

###############################################################################
#  ____  _   _ _____ _       _____   ____ _____ ___ ____
# |  _ \| | | | ____| |     |___  | / ___|_   _|_ _/ ___|
# | |_) | |_| |  _| | |        / /  \___ \ | |  | | |  _
# |  _ <|  _  | |___| |___    / /    ___) || |  | | |_| |
# |_| \_\_| |_|_____|_____|  /_/    |____/ |_| |___\____|
#
# The following options are specific to the RHEL 7 STIG. For details on each
# option, refer to the ansible-hardening documentation:
#
#   https://docs.openstack.org/ansible-hardening/latest/domains.html
#
###############################################################################

## Accounts (accounts)
# Set minimum password lifetime to 1 day for interactive accounts.
security_set_minimum_password_lifetime: no                   # V-71927
security_set_maximum_password_lifetime: no                   # V-71931

## AIDE (aide)
# Initialize the AIDE database immediately (may take time).
security_rhel7_initialize_aide: no                           # V-71973

# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
security_aide_exclude_dirs:
  - /openstack
  - /opt
  - /run
  - /var

## Audit daemon (auditd)
# Send audit records to a different system using audisp.
#security_audisp_remote_server: '10.0.21.1'                  # V-72083
# Encrypt audit records when they are transmitted over the network.
#security_audisp_enable_krb5: yes                            # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1                         # V-72081
# Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog               # V-72087
security_rhel7_auditd_network_failure_action: syslog         # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email               # V-72091
# Send auditd email alerts to this user.
security_rhel7_auditd_action_mail_acct: root                 # V-72093
# Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: yes                               # V-72167
security_rhel7_audit_chage: yes                              # V-72155
security_rhel7_audit_chcon: yes                              # V-72139
security_rhel7_audit_chmod: no                               # V-72105
security_rhel7_audit_chown: no                               # V-72097
security_rhel7_audit_creat: yes                              # V-72123
security_rhel7_audit_crontab: yes                            # V-72183
security_rhel7_audit_delete_module: yes                      # V-72189
security_rhel7_audit_fchmod: no                              # V-72107
security_rhel7_audit_fchmodat: no                            # V-72109
security_rhel7_audit_fchown: no                              # V-72099
security_rhel7_audit_fchownat: no                            # V-72103
security_rhel7_audit_fremovexattr: no                        # V-72119
security_rhel7_audit_fsetxattr: no                           # V-72113
security_rhel7_audit_ftruncate: yes                          # V-72133
security_rhel7_audit_init_module: yes                        # V-72187
security_rhel7_audit_gpasswd: yes                            # V-72153
security_rhel7_audit_lchown: no                              # V-72101
security_rhel7_audit_lremovexattr: no                        # V-72121
security_rhel7_audit_lsetxattr: no                           # V-72115
security_rhel7_audit_mount: yes                              # V-72171
security_rhel7_audit_newgrp: yes                             # V-72165
security_rhel7_audit_open: yes                               # V-72125
security_rhel7_audit_openat: yes                             # V-72127
security_rhel7_audit_open_by_handle_at: yes                  # V-72129
security_rhel7_audit_pam_timestamp_check: yes                # V-72185
security_rhel7_audit_passwd: yes                             # V-72149
security_rhel7_audit_postdrop: yes                           # V-72175
security_rhel7_audit_postqueue: yes                          # V-72177
security_rhel7_audit_removexattr: no                         # V-72117
security_rhel7_audit_rename: yes                             # V-72199
security_rhel7_audit_renameat: yes                           # V-72201
security_rhel7_audit_restorecon: yes                         # V-72141
security_rhel7_audit_rmdir: yes                              # V-72203
security_rhel7_audit_semanage: yes                           # V-72135
security_rhel7_audit_setsebool: yes                          # V-72137
security_rhel7_audit_setxattr: no                            # V-72111
security_rhel7_audit_ssh_keysign: yes                        # V-72179
security_rhel7_audit_su: yes                                 # V-72159
security_rhel7_audit_sudo: yes                               # V-72161
security_rhel7_audit_sudoedit: yes                           # V-72169
security_rhel7_audit_truncate: yes                           # V-72131
security_rhel7_audit_umount: yes                             # V-72173
security_rhel7_audit_unix_chkpwd: yes                        # V-72151
security_rhel7_audit_unlink: yes                             # V-72205
security_rhel7_audit_unlinkat: yes                           # V-72207
security_rhel7_audit_userhelper: yes                         # V-72157
# Add audit rules for other events.
security_rhel7_audit_account_access: yes                     # V-72143
security_rhel7_audit_sudo_config_changes: yes                # V-72163
security_rhel7_audit_insmod: yes                             # V-72191
security_rhel7_audit_rmmod: yes                              # V-72193
security_rhel7_audit_modprobe: yes                           # V-72195
security_rhel7_audit_account_actions: yes                    # V-72197

## Authentication (auth)
# Check if sudoers has the NOPASSWD rule enabled
security_sudoers_nopasswd_check_enable: yes

# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: yes                  # V-71937
# Apply password quality rules.
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
# the password quality rules. Each rule can be disabled with a value of 'no'.
security_pwquality_apply_rules: no
security_pwquality_require_uppercase: yes                    # V-71903
security_pwquality_require_lowercase: yes                    # V-71905
security_pwquality_require_numeric: yes                      # V-71907
security_pwquality_require_special: yes                      # V-71909
security_pwquality_require_characters_changed: yes           # V-71911
security_pwquality_require_character_classes_changed: yes    # V-71913
security_pwquality_limit_repeated_characters: yes            # V-71915
security_pwquality_limit_repeated_character_classes: yes     # V-71917
security_pwquality_require_minimum_password_length: no       # V-71935
# Use pwquality when passwords are changed or established.
security_enable_pwquality_password_set: no                   # V-73159
# Ensure passwords are stored using SHA512.
security_password_encrypt_method: SHA512                     # V-71921
# Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: yes                     # V-71923
# Set a minimum/maximum lifetime limit for user passwords.
#security_password_min_lifetime_days: 1                      # V-71925
#security_password_max_lifetime_days: 60                     # V-71929
# Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4                          # V-71951
# Set a umask for all authenticated users.
# security_shadow_utils_umask: '077'                         # V-71995
# Create home directories for new users by default.
security_shadow_utils_create_home: yes                       # V-72013
# How many old user password to remember to prevent password re-use.
#security_password_remember_password: 5                      # V-71933
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: no             # V-71941
# Lock user accounts with excessive login failures. See documentation.
security_pam_faillock_enable: no                             # V-71945 / V-71943 / RHEL-07-010373
security_pam_faillock_interval: 900
security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: yes                         # RHEL-07-010373
security_pam_faillock_unlock_time: 604800                    # V-71943
# Limit the number of concurrent connections per account.
#security_rhel7_concurrent_session_limit: 10                 # V-72217
# Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: no                       # V-72277

## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: no                            # V-71849
# Search for files/directories owned by invalid users or groups.
security_search_for_invalid_owner: no                        # V-72007
security_search_for_invalid_group_owner: no                  # V-72009
# Set user/group owners on each home directory and set mode to 0750.
security_set_home_directory_permissions_and_owners: no       # V-72017 / V-72019 / V-72021
# Find all world-writable directories and display them.
security_find_world_writable_dirs: no                        # V-72047

## Graphical interfaces (graphical)
# Disable automatic gdm logins
security_disable_gdm_automatic_login: yes                    # V-71953
# Disable timed gdm logins for guests
security_disable_gdm_timed_login: yes                        # V-71955
# Enable session locking for graphical logins.
security_lock_session: no                                    # V-71891
# Set a timer (in seconds) when an inactive session is locked.
security_lock_session_inactive_delay: 900                    # V-71893
# Prevent users from modifying session lock settings.
security_lock_session_override_user: yes                     # RHEL-07-010071
# Lock a session (start screensaver) when a session is inactive.
security_lock_session_when_inactive: yes                     # V-71893
# Time after screensaver starts when user login is required.
security_lock_session_screensaver_lock_delay: 5              # V-71901
# Enable a login banner and set the text for the banner.
security_enable_graphical_login_message: yes                 # V-71859
security_enable_graphical_login_message_text: >
    You are accessing a secured system and your actions will be logged along
    with identifying information. Disconnect immediately if you are not an
    authorized user of this system.

## Linux Security Module (lsm)
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
security_rhel7_enable_linux_security_module: yes             # V-71989 / V-71991

## Miscellaneous (misc)
# Disable the autofs service.
security_rhel7_disable_autofs: yes                           # V-71985
# Enable virus scanning with clamav
security_enable_virus_scanner: no                            # V-72213
# Run the virus scanner update during the deployment (if scanner is deployed)
security_run_virus_scanner_update: yes
# Disable ctrl-alt-delete key sequence on the console.
security_rhel7_disable_ctrl_alt_delete: yes                  # V-71993
# Install and enable firewalld for iptables management.
security_enable_firewalld: no                                # V-72273
# Rate limit TCP connections to 25/min and burstable to 100.
security_enable_firewalld_rate_limit: no                     # V-72271
security_enable_firewalld_rate_limit_per_minute: 25
security_enable_firewalld_rate_limit_burst: 100
# Update the grub configuration.
security_enable_grub_update: yes
# Require authentication in GRUB to boot into single-user or maintenance modes.
security_require_grub_authentication: no                     # V-71961 / V-71963
# The default password for grub authentication is 'secrete'.
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
# Set session timeout.
security_rhel7_session_timeout: 600                          # V-72223
# Enable chrony for NTP time synchronization.
security_rhel7_enable_chrony: yes                            # V-72269
# Use the following NTP servers.
security_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
# NTP server options.
security_ntp_server_options: iburst
# Configure Chrony to synchronize the hardware clock
security_ntp_sync_rtc: false
# Chrony limits access to clients that are on certain subnets.  Adjust the
# following subnets here to limit client access to chrony servers.
security_allowed_ntp_subnets:
  - 10/8
  - 192.168/16
  - 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: yes
# Restrict mail relaying.
security_rhel7_restrict_mail_relaying: yes                   # V-72297
# Deploy a login banner.                                     # V-72225 / V-71863
security_login_banner_text: |
  ------------------------------------------------------------------------------
  * WARNING                                                                    *
  * You are accessing a secured system and your actions will be logged along   *
  * with identifying information. Disconnect immediately if you are not an     *
  * authorized user of this system.                                            *
  ------------------------------------------------------------------------------


## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
# to 'no' to skip their removal.
security_rhel7_remove_rsh_server: yes                        # V-71967
security_rhel7_remove_telnet_server: yes                     # V-72077
security_rhel7_remove_tftp_server: yes                       # V-72301
security_rhel7_remove_xorg: yes                              # V-72307
security_rhel7_remove_ypserv: yes                            # V-71969
# Automatically remove dependencies when removing packages.
security_package_clean_on_remove: no                         # V-71987
# Automatically update packages.
security_rhel7_automatic_package_updates: no                 # V-71999
# Install packages for multi-factor authentication.
security_install_multifactor_auth_packages: yes              # V-72417
security_check_package_checksums: no                         # V-71855

## RPM (rpm)
# Enable GPG checks for packages and repository data.
security_enable_gpgcheck_packages: yes                       # V-71977
security_enable_gpgcheck_packages_local: yes                 # V-71979
security_enable_gpgcheck_repo: no                            # V-71981

## ssh server (sshd)
# Ensure sshd is running and enabled at boot time.
security_enable_sshd: yes                                    # V-72235
# Disallow logins from users with empty/null passwords.
security_sshd_disallow_empty_password: yes                   # V-71939 / RHEL-07-010440
# Disallow users from overriding the ssh environment variables.
security_sshd_disallow_environment_override: yes             # V-71957
# Disallow host based authentication.
security_sshd_disallow_host_based_auth: yes                  # V-71959
# Set a list of allowed ssh ciphers.
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
# Specify a text file to be displayed as the banner/MOTD for all sessions.
security_sshd_banner_file: /etc/motd                         # V-71861 / V-72225
# Set the interval for max session length and the number of intervals to allow.
security_sshd_client_alive_interval: 600                     # V-72237
security_sshd_client_alive_count_max: 0                      # V-72241
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: yes                            # V-72245
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
security_sshd_permit_root_login: no                          # V-72247
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: yes                 # V-72249 / V-72239
# Disallow rhosts authentication.
security_sshd_disallow_rhosts_auth: yes                      # V-72243
# Enable X11 forwarding.
security_sshd_enable_x11_forwarding: yes                     # V-72303
# Set the allowed ssh protocols.
security_sshd_protocol: 2                                    # V-72251
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'    # V-72253
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
security_sshd_disallow_gssapi: yes                           # V-72259
# Disallow compression or delay after login.
security_sshd_compression: 'delayed'                         # V-72267
# Require privilege separation at every opportunity.
security_sshd_enable_privilege_separation: yes               # V-72265
# Require strict mode checking of home directory configuration files.
security_sshd_enable_strict_modes: yes                       # V-72263
# Disallow Kerberos authentication.
security_sshd_disable_kerberos_auth: yes                     # V-72261

## Kernel settings (kernel)
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
# immediately and by default on new interfaces.
security_disallow_source_routed_packet_forward_ipv4: yes     # V-72283 / V-72285
security_disallow_source_routed_packet_forward_ipv6: yes     # V-72319
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
security_disallow_echoes_broadcast_address: yes              # V-72287
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
# new interfaces.
security_disallow_icmp_redirects: yes                        # V-73175 / V-72289 / V-72291 / V-72293
# Disallow IP forwarding.
security_disallow_ip_forwarding: no                          # V-72309
# Disable USB storage support.
security_rhel7_disable_usb_storage: yes                      # V-71983
# Disable kdump.
security_disable_kdump: yes                                  # V-72057
# Disable Datagram Congestion Control Protocol (DCCP).
security_rhel7_disable_dccp: yes                             # V-77821
# Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: yes                                    # V-77825

###############################################################################
#   ____            _        _ _
#  / ___|___  _ __ | |_ _ __(_) |__
# | |   / _ \| '_ \| __| '__| | '_ \
# | |__| (_) | | | | |_| |  | | |_) |
#  \____\___/|_| |_|\__|_|  |_|_.__/
#
#
# The following configurations apply to tasks that are contributed by
# ansible-hardening developers and may not be part of a hardening standard
# or compliance program. For more information on the 'contrib' tasks, review
# the documentation:
#
#   https://docs.openstack.org/ansible-hardening/latest/contrib.html
#
###############################################################################

# To enable the contrib tasks, set this variable to 'yes'.
security_contrib_enabled: no

# Disable IPv6.
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
# DANGER: SYSTEM. This will cause downtime for any services that depend on
# DANGER: IPv6 network connectivity.
security_contrib_disable_ipv6: no                            # C-00001