From a1425befeb4519d6fd6c914bec3c4ee14c717bf6 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 27 Jul 2015 20:47:23 +0000 Subject: [PATCH] Separate system-vars from editable vars. Fix #34 --- roles/ansible-os-hardening/defaults/main.yml | 30 +++++++++++++++++++ roles/ansible-os-hardening/vars/main.yml | 31 -------------------- 2 files changed, 30 insertions(+), 31 deletions(-) create mode 100644 roles/ansible-os-hardening/defaults/main.yml diff --git a/roles/ansible-os-hardening/defaults/main.yml b/roles/ansible-os-hardening/defaults/main.yml new file mode 100644 index 00000000..bae945ba --- /dev/null +++ b/roles/ansible-os-hardening/defaults/main.yml @@ -0,0 +1,30 @@ +os_desktop_enable: false +os_env_extra_user_paths: [] +os_env_umask: '027' +os_auth_pw_max_age: 60 +os_auth_pw_min_age: 7 # discourage password cycling +os_auth_retries: 5 +os_auth_lockout_time: 600 # 10min +os_auth_timeout: 60 +os_auth_allow_homeless: false +os_auth_pam_passwdqc_enable: true +os_auth_pam_passwdqc_options: 'disabled,disabled,16,12,8' +os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6] +os_auth_uid_min: 1000 +os_auth_gid_min: 1000 +os_chfn_restrict: '' +# may contain: change_user +os_security_users_allow: [] +# specify system accounts those login should not be disabled and password not changed +os_ignore_users: ['vagrant'] +os_security_kernel_enable_module_loading: true +os_security_kernel_enable_core_dump: false +os_security_suid_sgid_enforce: true +# user-defined blacklist and whitelist +os_security_suid_sgid_blacklist: [] +os_security_suid_sgid_whitelist: [] +# if this is true, remove any suid/sgid bits from files that were not in the whitelist +os_security_suid_sgid_remove_from_unknown: false + +# remove packages with known issues +os_security_packages_clean: true diff --git a/roles/ansible-os-hardening/vars/main.yml b/roles/ansible-os-hardening/vars/main.yml index f77b67d5..bc0500ed 100644 --- a/roles/ansible-os-hardening/vars/main.yml +++ b/roles/ansible-os-hardening/vars/main.yml @@ -1,34 +1,3 @@ -os_desktop_enable: false -os_env_extra_user_paths: [] -os_env_umask: '027' -os_auth_pw_max_age: 60 -os_auth_pw_min_age: 7 # discourage password cycling -os_auth_retries: 5 -os_auth_lockout_time: 600 # 10min -os_auth_timeout: 60 -os_auth_allow_homeless: false -os_auth_pam_passwdqc_enable: true -os_auth_pam_passwdqc_options: 'disabled,disabled,16,12,8' -os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6] -os_auth_uid_min: 1000 -os_auth_gid_min: 1000 -os_chfn_restrict: '' -# may contain: change_user -os_security_users_allow: [] -# specify system accounts those login should not be disabled and password not changed -os_ignore_users: ['vagrant'] -os_security_kernel_enable_module_loading: true -os_security_kernel_enable_core_dump: false -os_security_suid_sgid_enforce: true -# user-defined blacklist and whitelist -os_security_suid_sgid_blacklist: [] -os_security_suid_sgid_whitelist: [] -# if this is true, remove any suid/sgid bits from files that were not in the whitelist -os_security_suid_sgid_remove_from_unknown: false - -# remove packages with known issues -os_security_packages_clean: true - # SYSTEM CONFIGURATION # ==================== # These are not meant to be modified by the user