ansible-ops-management/vars/RedHat.yml

# Variables for our common module for RedHat
---

el_distro_name:
  - CentOS
  - Rocky
  - RedHat

bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo

# grub variables
grub_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg

mount_options_var_tmp: "defaults,nodev,nosuid,noexec"
mount_options_tmp: "defaults,nodev,nosuid,noexec"
mount_options_dev_shm: "defaults,nodev,nosuid,noexec"
mount_options_var_log: "defaults,nodev,nosuid,noexec"
mount_options_var_log_audit: "defaults,nodev,nosuid,noexec"
mount_options_home: "defaults,nodev,nosuid"
mount_options_var: "defaults,nodev,nosuid"

ipatype: client

remove_packages:
  - avahi
  - cups
  - dhcp-server
  - dnsmasq
  - dovecot
  - ftp
  - gdm
  - lftp
  - nc
  - prelink
  - rsh
  - samba
  - talk
  - talk-server
  - telnet-server
  - tftp
  - tftp-server
  - vsftpd
  - wireshark
  - xorg-x11-server-common

# security limits
limits:
  - {domain: '*', limit_type: hard, limit_item: core, value: 0}

# sysctl settings
sysctl_config:
  net.ipv4.ip_forward: 0
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.default.accept_source_route: 0
  net.ipv4.conf.all.log_martians: 1
  net.ipv4.conf.default.log_martians: 1
  net.ipv4.icmp_echo_ignore_broadcasts: 1
  net.ipv4.icmp_ignore_bogus_error_responses: 1
  net.ipv4.tcp_syncookies: 1
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.default.accept_redirects: 0
  net.ipv4.conf.all.send_redirects: 0
  net.ipv4.conf.default.send_redirects: 0
  net.ipv4.conf.all.secure_redirects: 0
  net.ipv4.conf.default.secure_redirects: 0
  net.ipv6.conf.all.accept_redirects: 0
  net.ipv6.conf.default.accept_redirects: 0
  net.ipv6.conf.all.forwarding: 0
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0
  net.ipv6.conf.all.accept_source_route: 0
  net.ipv6.conf.default.accept_source_route: 0
  kernel.randomize_va_space: 2
  fs.suid_dumpable: 0

# login.defs
login_umask: 077
login_create_home: "yes"
login_encrypt_method: SHA512
login_md5_crypt_enab: "no"
login_max_days: 84
login_min_days: 7
login_min_len: 14
login_warn_age: 7
login_dcredit: -1
login_lcredit: -1
login_ucredit: -1
login_ocredit: -1
login_cron_directories:
  - /etc/cron.hourly
  - /etc/cron.daily
  - /etc/cron.weekly
  - /etc/cron.monthly
  - /etc/cron.d
login_cron_allows:
  - /etc/cron.allow
  - /etc/at.allow
login_cron_denies:
  - /etc/cron.deny
  - /etc/at.deny

# modprobe
modprobe_unused_filesystems:
  - cramfs
  - freevxfs
  - hfs
  - hfsplus
  - jffs2
  - squashfs
  - udf
  - usb_storage

# auditd
audit_package: audit
audit_auid: 1000
audit_buffer: 8192
audit_identity_list:
  - /etc/group
  - /etc/passwd
  - /etc/gshadow
  - /etc/shadow
  - /etc/security/opasswd
audit_logins:
  - /var/log/faillock
  - /var/log/lastlog
  - /var/log/wtmp
  - /var/log/btmp
audit_session:
  - /var/run/utmp
# audit_suid_list:
#   - /usr/libexec/sssd/proxy_child
#   - /usr/libexec/sssd/ldap_child
#   - /usr/libexec/sssd/krb5_child
#   - /usr/libexec/sssd/selinux_child
#   - /usr/libexec/dbus-1/dbus-daemon-launch-helper
#   - /usr/libexec/utempter/utempter
#   - /usr/libexec/openssh/ssh-keysign
#   - /usr/lib/polkit-1/polkit-agent-helper-1
#   - /usr/sbin/usernetctl
#   - /usr/sbin/postqueue
#   - /usr/sbin/unix_chkpwd
#   - /usr/sbin/postdrop
#   - /usr/sbin/pam_timestamp_check
#   - /usr/sbin/netreport
#   - /usr/sbin/mount.nfs
#   - /usr/bin/su
#   - /usr/bin/ksu
#   - /usr/bin/write
#   - /usr/bin/newgrp
#   - /usr/bin/chage
#   - /usr/bin/mount
#   - /usr/bin/ssh-agent
#   - /usr/bin/sudo
#   - /usr/bin/passwd
#   - /usr/bin/gpasswd
#   - /usr/bin/at
#   - /usr/bin/wall
#   - /usr/bin/chsh
#   - /usr/bin/locate
#   - /usr/bin/chfn
#   - /usr/bin/umount
#   - /usr/bin/crontab
#   - /usr/bin/pkexec

disable_svc:
  - cups
  - nfs-server
  - avahi-daemon

enable_svc:
  - postfix

syslog_packages:
  - rsyslog

faillock_deny_times: '5'
faillock_fail_interval: '900'
faillock_unlock_time: '900'
...