# Variables for our common module for RedHat
---

el_distro_name:
  - CentOS
  - Rocky

bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo

# grub variables
grub_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg

ipatype: client

# Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages:
  - nc
  - wireshark
  - prelink
  - talk
  - talk-server
  - rsh
  - lftp

# security limits
limits:
  - {domain: '*', limit_type: hard, limit_item: core, value: 0}

# sysctl settings
sysctl_config:
  net.ipv4.ip_forward: 0
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  net.ipv4.tcp_syncookies: 1
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  net.ipv4.conf.all.secure_redirects: 0
  net.ipv4.conf.default.secure_redirects: 0
  net.ipv6.conf.all.accept_redirects: 0
  net.ipv6.conf.default.accept_redirects: 0
  net.ipv6.conf.all.forwarding: 0
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  net.ipv6.conf.all.accept_source_route: 0
  net.ipv6.conf.default.accept_source_route: 0
  kernel.randomize_va_space: 2
  fs.suid_dumpable: 0

# login.defs
login_umask: 077
login_create_home: "yes"
login_encrypt_method: SHA512
login_md5_crypt_enab: "no"
login_max_days: 84
login_min_days: 7
login_min_len: 14
login_warn_age: 7
login_dcredit: -1
login_lcredit: -1
login_ucredit: -1
login_ocredit: -1
login_cron_directories:
  - /etc/cron.hourly
  - /etc/cron.daily
  - /etc/cron.weekly
  - /etc/cron.monthly
  - /etc/cron.d
login_cron_allows:
  - /etc/cron.allow
  - /etc/at.allow
login_cron_denies:
  - /etc/cron.deny
  - /etc/at.deny

# modprobe
modprobe_unused_filesystems:
  - dccp
  - sctp
  - bluetooth
  - freevxfs
  - cramfs
  - jffs2
  - hfs
  - hfsplus
  - squashfs
  - udf
  - tipc
  - usb_storage
  - vfat

# auditd
audit_package: audit
audit_auid: 1000
audit_buffer: 8192
audit_identity_list:
  - /etc/group
  - /etc/passwd
  - /etc/gshadow
  - /etc/shadow
  - /etc/security/opasswd
audit_logins:
  - /var/log/faillog
  - /var/log/lastlog
  - /var/log/tallylog
  - /var/log/faillock/
  - /var/log/wtmp
  - /var/log/btmp
audit_session:
  - /var/run/utmp
audit_suid_list:
  - /usr/libexec/sssd/proxy_child
  - /usr/libexec/sssd/ldap_child
  - /usr/libexec/sssd/krb5_child
  - /usr/libexec/sssd/selinux_child
  - /usr/libexec/dbus-1/dbus-daemon-launch-helper
  - /usr/libexec/utempter/utempter
  - /usr/libexec/openssh/ssh-keysign
  - /usr/lib/polkit-1/polkit-agent-helper-1
  - /usr/sbin/usernetctl
  - /usr/sbin/postqueue
  - /usr/sbin/unix_chkpwd
  - /usr/sbin/postdrop
  - /usr/sbin/pam_timestamp_check
  - /usr/sbin/netreport
  - /usr/sbin/mount.nfs
  - /usr/bin/su
  - /usr/bin/ksu
  - /usr/bin/write
  - /usr/bin/newgrp
  - /usr/bin/chage
  - /usr/bin/mount
  - /usr/bin/ssh-agent
  - /usr/bin/sudo
  - /usr/bin/passwd
  - /usr/bin/gpasswd
  - /usr/bin/at
  - /usr/bin/wall
  - /usr/bin/chsh
  - /usr/bin/locate
  - /usr/bin/chfn
  - /usr/bin/umount
  - /usr/bin/crontab
  - /usr/bin/pkexec

disable_svc:
  - cups
  - nfs-server
  - avahi-daemon

enable_svc:
  - postfix

syslog_packages:
  - rsyslog
...