From 27c6b93d04c4be05f254b2c0f86d171eb1b59167 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=9A=AF=E8=9A=93?= <943571574@qq.com>
Date: Thu, 1 Jul 2021 17:25:14 +0800
Subject: [PATCH] add "when" statements in hardening.yml(#453) (#455)
* add "when" statements in hardening.yml(#453)
Signed-off-by: jqiuyin <943571574@qq.com>
* add "when" statements in hardening.yml(#453)
Signed-off-by: jqiuyin <943571574@qq.com>
* add "when" statements in hardening.yml(#453)
Signed-off-by: jqiuyin <943571574@qq.com>
---
 roles/os_hardening/README.md | 42 ++++++++++++++++++++++++++
 roles/os_hardening/defaults/main.yml | 42 ++++++++++++++++++++++++++
 roles/os_hardening/tasks/hardening.yml | 23 ++++++++++++--
 3 files changed, 104 insertions(+), 3 deletions(-)
diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index be8dc3fc..20c3c4bf 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -193,6 +193,48 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
 - Default: `lost+found`
 - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+- `os_cron_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring cron.
+- `os_limits_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring limits.
+- `os_login_defs_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring login_defs.
+- `os_minimize_access_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring minimize_access.
+- `os_pam_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring pam.
+- `os_modprobe_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring modprobe.
+- `os_profile_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring profile.
+- `os_securetty_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring securetty.
+- `os_sysctl_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring sysctl.
+- `os_user_accounts_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring user_accounts.
+- `os_rhosts_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring rhosts.
+- `os_yum_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring yum.
+- `os_apt_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring apt.
+- `os_selinux_enabled`
+ - Default: `true`
+ - Description: Set to false to disable installing and configuring selinux.
 - `os_sha_crypt_min_rounds`
 - Default: `640000`
 - Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index c54e00af..2e7c2781 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -322,6 +322,48 @@ os_selinux_policy: targeted
 # Mount options for proc in /etc/fstab.
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
+# Set to false to disable installing and configuring cron.
+os_cron_enabled: true
+
+# Set to false to disable installing and configuring limits.
+os_limits_enabled: true
+
+# Set to false to disable installing and configuring login_defs.
+os_login_defs_enabled: true
+
+# Set to false to disable installing and configuring minimize_access.
+os_minimize_access_enabled: true
+
+# Set to false to disable installing and configuring pam.
+os_pam_enabled: true
+
+# Set to false to disable installing and configuring modprobe.
+os_modprobe_enabled: true
+
+# Set to false to disable installing and configuring profile.
+os_profile_enabled: true
+
+# Set to false to disable installing and configuring securetty.
+os_securetty_enabled: true
+
+# Set to false to disable installing and configuring sysctl.
+os_sysctl_enabled: true
+
+# Set to false to disable installing and configuring user_accounts.
+os_user_accounts_enabled: true
+
+# Set to false to disable installing and configuring rhosts.
+os_rhosts_enabled: true
+
+# Set to false to disable installing and configuring yum.
+os_yum_enabled: true
+
+# Set to false to disable installing and configuring apt.
+os_apt_enabled: true
+
+# Set to false to disable installing and configuring selinux.
+os_selinux_enabled: true
+
 # Define the number of SHA rounds.
 # With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users.
 # The values must be inside the 1000-999999999 range.
diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml
index cafd96e5..0688c778 100644
--- a/roles/os_hardening/tasks/hardening.yml
+++ b/roles/os_hardening/tasks/hardening.yml
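Review bot: Every comment added in this hunk says "disable installing and configuring X", but not all of the gated task files plausibly install anything (sysctl, securetty, minimize_access and selinux look like pure configuration, judging only by their names), so the copy-pasted wording presumably overstates what the flag skips; naming the gated task file is more precise, e.g. for the first entry `# Set to false to skip the cron hardening tasks (cron.yml).` and likewise for the others. It would also help to state once, above the first flag, that all of them default to true so the role's baseline is unchanged and that turning one off removes that whole control set from the host, which is the operational consequence a reader of defaults/main.yml needs to know. The README hunk above repeats the same wording.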
@@ -28,27 +28,35 @@
 - import_tasks: cron.yml
 tags: cron
+ when: os_cron_enabled | bool
 - import_tasks: limits.yml
 tags: limits
+ when: os_limits_enabled | bool
 - import_tasks: login_defs.yml
 tags: login_defs
+ when: os_login_defs_enabled | bool
 - import_tasks: minimize_access.yml
 tags: minimize_access
+ when: os_minimize_access_enabled | bool
 - import_tasks: pam.yml
 tags: pam
+ when: os_pam_enabled | bool
 - import_tasks: modprobe.yml
 tags: modprobe
+ when: os_modprobe_enabled | bool
 - import_tasks: profile.yml
 tags: profile
+ when: os_profile_enabled | bool
 - import_tasks: securetty.yml
 tags: securetty
+ when: os_securetty_enabled | bool
 - import_tasks: suid_sgid.yml
 when: os_security_suid_sgid_enforce | bool
@@ -56,21 +64,30 @@
 - import_tasks: sysctl.yml
 tags: sysctl
+ when: os_sysctl_enabled | bool
 - import_tasks: user_accounts.yml
 tags: user_accounts
+ when: os_user_accounts_enabled | bool
 - import_tasks: rhosts.yml
 tags: rhosts
+ when: os_rhosts_enabled | bool
 - import_tasks: yum.yml
- when: ansible_facts.os_family == 'RedHat'
 tags: yum
+ when:
+ - ansible_facts.os_family == 'RedHat'
+ - os_yum_enabled | bool
 - import_tasks: apt.yml
- when: ansible_facts.os_family == 'Debian'
 tags: apt
+ when:
+ - ansible_facts.os_family == 'Debian'
+ - os_apt_enabled | bool
 - import_tasks: selinux.yml
 tags: selinux
- when: ansible_facts.selinux.status == 'enabled'
+ when:
+ - ansible_facts.selinux.status == 'enabled'
+ - os_selinux_enabled | bool
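Review bot: The `when: os_cron_enabled | bool` added to each `import_tasks` entry in this hunk (and the matching flags in the second hunk) is copied onto every task inside the imported file, because `import_tasks` is static; a section that is switched off is therefore not pruned from the play but reported task-by-task as skipped, with the condition re-evaluated for each one. That is the expected trade-off for keeping the section `tags` inheritable, but nothing in the file says so, and the first thing a user will notice after setting a flag to false is a wall of skipped tasks. A one-line comment above the first entry, `# The os_*_enabled flags are evaluated per imported task; a disabled section shows as skipped, not absent.`, would spare the next reader the detour to the Ansible docs. The task list these entries belong to starts before this hunk.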
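Review bot: `os_selinux_enabled` in the last block of this hunk reads as a statement about the host ("SELinux is enabled") rather than as a switch for this role's SELinux tasks, and it now sits directly under `ansible_facts.selinux.status == 'enabled'`, which is the actual host-state check; a user who sets `os_selinux_enabled: false` on an enforcing host silently leaves whatever selinux.yml configures unapplied (presumably the `os_selinux_policy` setting visible in defaults/main.yml), which is easy to misread as a detection problem rather than a deliberate opt-out. Since the variable names are already published in the README, renaming is costly; a comment on that entry, `# os_selinux_enabled gates this role's SELinux tasks only; it neither reflects nor changes the host's SELinux state`, at least makes the distinction explicit. The same reading applies to `os_yum_enabled` and `os_apt_enabled`, though those names are less likely to be mistaken for host state.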