# Variables for our common module for RedHat --- el_distro_name: - CentOS - Rocky - RedHat bin_su: /usr/bin/su bin_sudo: /usr/bin/sudo # grub variables grub_boot_options: audit=1 grub_config_path_link: /etc/grub2.cfg grub_config_path_efi: /etc/grub2-efi.cfg ipatype: client remove_packages: - avahi - cups - dhcp-server - dnsmasq - dovecot - ftp - gdm - lftp - nc - prelink - rsh - samba - talk - talk-server - telnet-server - tftp - tftp-server - vsftpd - wireshark - xorg-x11-server-common # security limits limits: - {domain: '*', limit_type: hard, limit_item: core, value: 0} # sysctl settings sysctl_config: net.ipv4.ip_forward: 0 net.ipv4.conf.all.rp_filter: 1 net.ipv4.conf.default.rp_filter: 1 net.ipv4.conf.all.accept_source_route: 0 net.ipv4.conf.default.accept_source_route: 0 net.ipv4.conf.all.log_martians: 1 net.ipv4.conf.default.log_martians: 1 net.ipv4.icmp_echo_ignore_broadcasts: 1 net.ipv4.icmp_ignore_bogus_error_responses: 1 net.ipv4.tcp_syncookies: 1 net.ipv4.conf.all.accept_redirects: 0 net.ipv4.conf.default.accept_redirects: 0 net.ipv4.conf.all.send_redirects: 0 net.ipv4.conf.default.send_redirects: 0 net.ipv4.conf.all.secure_redirects: 0 net.ipv4.conf.default.secure_redirects: 0 net.ipv6.conf.all.accept_redirects: 0 net.ipv6.conf.default.accept_redirects: 0 net.ipv6.conf.all.forwarding: 0 net.ipv6.conf.all.accept_ra: 0 net.ipv6.conf.default.accept_ra: 0 net.ipv6.conf.all.accept_source_route: 0 net.ipv6.conf.default.accept_source_route: 0 kernel.randomize_va_space: 2 fs.suid_dumpable: 0 # login.defs login_umask: 077 login_create_home: "yes" login_encrypt_method: SHA512 login_md5_crypt_enab: "no" login_max_days: 84 login_min_days: 7 login_min_len: 14 login_warn_age: 7 login_dcredit: -1 login_lcredit: -1 login_ucredit: -1 login_ocredit: -1 login_cron_directories: - /etc/cron.hourly - /etc/cron.daily - /etc/cron.weekly - /etc/cron.monthly - /etc/cron.d login_cron_allows: - /etc/cron.allow - /etc/at.allow login_cron_denies: - /etc/cron.deny - /etc/at.deny # modprobe modprobe_unused_filesystems: - cramfs - freevxfs - hfs - hfsplus - jffs2 - squashfs - udf - usb_storage # auditd audit_package: audit audit_auid: 1000 audit_buffer: 8192 audit_identity_list: - /etc/group - /etc/passwd - /etc/gshadow - /etc/shadow - /etc/security/opasswd audit_logins: - /var/log/faillock - /var/log/lastlog - /var/log/wtmp - /var/log/btmp audit_session: - /var/run/utmp # audit_suid_list: # - /usr/libexec/sssd/proxy_child # - /usr/libexec/sssd/ldap_child # - /usr/libexec/sssd/krb5_child # - /usr/libexec/sssd/selinux_child # - /usr/libexec/dbus-1/dbus-daemon-launch-helper # - /usr/libexec/utempter/utempter # - /usr/libexec/openssh/ssh-keysign # - /usr/lib/polkit-1/polkit-agent-helper-1 # - /usr/sbin/usernetctl # - /usr/sbin/postqueue # - /usr/sbin/unix_chkpwd # - /usr/sbin/postdrop # - /usr/sbin/pam_timestamp_check # - /usr/sbin/netreport # - /usr/sbin/mount.nfs # - /usr/bin/su # - /usr/bin/ksu # - /usr/bin/write # - /usr/bin/newgrp # - /usr/bin/chage # - /usr/bin/mount # - /usr/bin/ssh-agent # - /usr/bin/sudo # - /usr/bin/passwd # - /usr/bin/gpasswd # - /usr/bin/at # - /usr/bin/wall # - /usr/bin/chsh # - /usr/bin/locate # - /usr/bin/chfn # - /usr/bin/umount # - /usr/bin/crontab # - /usr/bin/pkexec disable_svc: - cups - nfs-server - avahi-daemon enable_svc: - postfix syslog_packages: - rsyslog ...