mono-infrastructure/ansible/playbooks/vars/RedHat.yml
2020-12-14 00:06:29 -07:00

161 lines
3.4 KiB
YAML

# Variables for our common module for RedHat
---
bin_su: /usr/bin/su
bin_sudo: /usr/bin/sudo
# grub variables
grub_boot_options: audit=1
grub_config_path_link: /etc/grub2.cfg
grub_config_path_efi: /etc/grub2-efi.cfg
ipatype: client
# Removing TFTP for now because there will likely be tftp/pxe servers
remove_packages:
- nc
- wireshark
- prelink
- talk
- talk-server
- rsh
- lftp
# security limits
limits:
- {domain: '*', limit_type: hard, limit_item: core, value: 0}
# sysctl settings
sysctl_config:
net.ipv4.ip_forward: 0
net.ipv4.conf.all.rp_filter: 1
net.ipv4.conf.default.rp_filter: 1
net.ipv4.conf.all.accept_source_route: 0
net.ipv4.conf.default.accept_source_route: 0
net.ipv4.conf.all.log_martians: 1
net.ipv4.conf.default.log_martians: 1
net.ipv4.icmp_echo_ignore_broadcasts: 1
net.ipv4.icmp_ignore_bogus_error_responses: 1
net.ipv4.tcp_syncookies: 1
net.ipv4.conf.all.accept_redirects: 0
net.ipv4.conf.default.accept_redirects: 0
net.ipv4.conf.all.send_redirects: 0
net.ipv4.conf.default.send_redirects: 0
net.ipv4.conf.all.secure_redirects: 0
net.ipv4.conf.default.secure_redirects: 0
net.ipv6.conf.all.accept_redirects: 0
net.ipv6.conf.default.accept_redirects: 0
net.ipv6.conf.all.forwarding: 0
net.ipv6.conf.all.accept_ra: 0
net.ipv6.conf.default.accept_ra: 0
net.ipv6.conf.all.accept_source_route: 0
net.ipv6.conf.default.accept_source_route: 0
kernel.randomize_va_space: 2
fs.suid_dumpable: 0
# login.defs
login_umask: 077
login_create_home: "yes"
login_encrypt_method: SHA512
login_md5_crypt_enab: "no"
login_max_days: 84
login_min_days: 7
login_min_len: 14
login_warn_age: 7
login_dcredit: -1
login_lcredit: -1
login_ucredit: -1
login_ocredit: -1
login_cron_directories:
- /etc/cron.hourly
- /etc/cron.daily
- /etc/cron.weekly
- /etc/cron.monthly
- /etc/cron.d
login_cron_allows:
- /etc/cron.allow
- /etc/at.allow
login_cron_denies:
- /etc/cron.deny
- /etc/at.deny
# modprobe
modprobe_unused_filesystems:
- dccp
- sctp
- bluetooth
- freevxfs
- cramfs
- jffs2
- hfs
- hfsplus
- squashfs
- udf
- tipc
- usb_storage
- vfat
# auditd
audit_package: audit
audit_auid: 1000
audit_buffer: 8192
audit_identity_list:
- /etc/group
- /etc/passwd
- /etc/gshadow
- /etc/shadow
- /etc/security/opasswd
audit_logins:
- /var/log/faillog
- /var/log/lastlog
- /var/log/tallylog
- /var/log/faillock/
- /var/log/wtmp
- /var/log/btmp
audit_session:
- /var/run/utmp
audit_suid_list:
- /usr/libexec/sssd/proxy_child
- /usr/libexec/sssd/ldap_child
- /usr/libexec/sssd/krb5_child
- /usr/libexec/sssd/selinux_child
- /usr/libexec/dbus-1/dbus-daemon-launch-helper
- /usr/libexec/utempter/utempter
- /usr/libexec/openssh/ssh-keysign
- /usr/lib/polkit-1/polkit-agent-helper-1
- /usr/sbin/usernetctl
- /usr/sbin/postqueue
- /usr/sbin/unix_chkpwd
- /usr/sbin/postdrop
- /usr/sbin/pam_timestamp_check
- /usr/sbin/netreport
- /usr/sbin/mount.nfs
- /usr/bin/su
- /usr/bin/ksu
- /usr/bin/write
- /usr/bin/newgrp
- /usr/bin/chage
- /usr/bin/mount
- /usr/bin/ssh-agent
- /usr/bin/sudo
- /usr/bin/passwd
- /usr/bin/gpasswd
- /usr/bin/at
- /usr/bin/wall
- /usr/bin/chsh
- /usr/bin/locate
- /usr/bin/chfn
- /usr/bin/umount
- /usr/bin/crontab
- /usr/bin/pkexec
disable_svc:
- cups
- nfs-server
- avahi-daemon
enable_svc:
- postfix
syslog_packages:
- rsyslog