167 lines
3.4 KiB
YAML
167 lines
3.4 KiB
YAML
# Variables for our common module for RedHat
|
|
---
|
|
|
|
el_distro_name:
|
|
- CentOS
|
|
- Rocky
|
|
|
|
bin_su: /usr/bin/su
|
|
bin_sudo: /usr/bin/sudo
|
|
|
|
# grub variables
|
|
grub_boot_options: audit=1
|
|
grub_config_path_link: /etc/grub2.cfg
|
|
grub_config_path_efi: /etc/grub2-efi.cfg
|
|
|
|
ipatype: client
|
|
|
|
# Removing TFTP for now because there will likely be tftp/pxe servers
|
|
remove_packages:
|
|
- nc
|
|
- wireshark
|
|
- prelink
|
|
- talk
|
|
- talk-server
|
|
- rsh
|
|
- lftp
|
|
|
|
# security limits
|
|
limits:
|
|
- {domain: '*', limit_type: hard, limit_item: core, value: 0}
|
|
|
|
# sysctl settings
|
|
sysctl_config:
|
|
net.ipv4.ip_forward: 0
|
|
net.ipv4.conf.all.rp_filter: 1
|
|
net.ipv4.conf.default.rp_filter: 1
|
|
net.ipv4.conf.all.accept_source_route: 0
|
|
net.ipv4.conf.default.accept_source_route: 0
|
|
net.ipv4.conf.all.log_martians: 1
|
|
net.ipv4.conf.default.log_martians: 1
|
|
net.ipv4.icmp_echo_ignore_broadcasts: 1
|
|
net.ipv4.icmp_ignore_bogus_error_responses: 1
|
|
net.ipv4.tcp_syncookies: 1
|
|
net.ipv4.conf.all.accept_redirects: 0
|
|
net.ipv4.conf.default.accept_redirects: 0
|
|
net.ipv4.conf.all.send_redirects: 0
|
|
net.ipv4.conf.default.send_redirects: 0
|
|
net.ipv4.conf.all.secure_redirects: 0
|
|
net.ipv4.conf.default.secure_redirects: 0
|
|
net.ipv6.conf.all.accept_redirects: 0
|
|
net.ipv6.conf.default.accept_redirects: 0
|
|
net.ipv6.conf.all.forwarding: 0
|
|
net.ipv6.conf.all.accept_ra: 0
|
|
net.ipv6.conf.default.accept_ra: 0
|
|
net.ipv6.conf.all.accept_source_route: 0
|
|
net.ipv6.conf.default.accept_source_route: 0
|
|
kernel.randomize_va_space: 2
|
|
fs.suid_dumpable: 0
|
|
|
|
# login.defs
|
|
login_umask: 077
|
|
login_create_home: "yes"
|
|
login_encrypt_method: SHA512
|
|
login_md5_crypt_enab: "no"
|
|
login_max_days: 84
|
|
login_min_days: 7
|
|
login_min_len: 14
|
|
login_warn_age: 7
|
|
login_dcredit: -1
|
|
login_lcredit: -1
|
|
login_ucredit: -1
|
|
login_ocredit: -1
|
|
login_cron_directories:
|
|
- /etc/cron.hourly
|
|
- /etc/cron.daily
|
|
- /etc/cron.weekly
|
|
- /etc/cron.monthly
|
|
- /etc/cron.d
|
|
login_cron_allows:
|
|
- /etc/cron.allow
|
|
- /etc/at.allow
|
|
login_cron_denies:
|
|
- /etc/cron.deny
|
|
- /etc/at.deny
|
|
|
|
# modprobe
|
|
modprobe_unused_filesystems:
|
|
- dccp
|
|
- sctp
|
|
- bluetooth
|
|
- freevxfs
|
|
- cramfs
|
|
- jffs2
|
|
- hfs
|
|
- hfsplus
|
|
- squashfs
|
|
- udf
|
|
- tipc
|
|
- usb_storage
|
|
- vfat
|
|
|
|
# auditd
|
|
audit_package: audit
|
|
audit_auid: 1000
|
|
audit_buffer: 8192
|
|
audit_identity_list:
|
|
- /etc/group
|
|
- /etc/passwd
|
|
- /etc/gshadow
|
|
- /etc/shadow
|
|
- /etc/security/opasswd
|
|
audit_logins:
|
|
- /var/log/faillog
|
|
- /var/log/lastlog
|
|
- /var/log/tallylog
|
|
- /var/log/faillock/
|
|
- /var/log/wtmp
|
|
- /var/log/btmp
|
|
audit_session:
|
|
- /var/run/utmp
|
|
audit_suid_list:
|
|
- /usr/libexec/sssd/proxy_child
|
|
- /usr/libexec/sssd/ldap_child
|
|
- /usr/libexec/sssd/krb5_child
|
|
- /usr/libexec/sssd/selinux_child
|
|
- /usr/libexec/dbus-1/dbus-daemon-launch-helper
|
|
- /usr/libexec/utempter/utempter
|
|
- /usr/libexec/openssh/ssh-keysign
|
|
- /usr/lib/polkit-1/polkit-agent-helper-1
|
|
- /usr/sbin/usernetctl
|
|
- /usr/sbin/postqueue
|
|
- /usr/sbin/unix_chkpwd
|
|
- /usr/sbin/postdrop
|
|
- /usr/sbin/pam_timestamp_check
|
|
- /usr/sbin/netreport
|
|
- /usr/sbin/mount.nfs
|
|
- /usr/bin/su
|
|
- /usr/bin/ksu
|
|
- /usr/bin/write
|
|
- /usr/bin/newgrp
|
|
- /usr/bin/chage
|
|
- /usr/bin/mount
|
|
- /usr/bin/ssh-agent
|
|
- /usr/bin/sudo
|
|
- /usr/bin/passwd
|
|
- /usr/bin/gpasswd
|
|
- /usr/bin/at
|
|
- /usr/bin/wall
|
|
- /usr/bin/chsh
|
|
- /usr/bin/locate
|
|
- /usr/bin/chfn
|
|
- /usr/bin/umount
|
|
- /usr/bin/crontab
|
|
- /usr/bin/pkexec
|
|
|
|
disable_svc:
|
|
- cups
|
|
- nfs-server
|
|
- avahi-daemon
|
|
|
|
enable_svc:
|
|
- postfix
|
|
|
|
syslog_packages:
|
|
- rsyslog
|
|
...
|