Further improvements, first push

roles/ansible-os-hardening/tasks/main.yml

@@ -1,3 +1,7 @@
+---
+- name: add the OS specific variables
+  include_vars: "{{ ansible_os_family }}.yml"
+
 - name: create sane limits.conf
   template: src='limits.conf.j2' dest='/etc/security/limits.d/10.hardcore.conf' owner=root group=root mode=0440
   when: os_security_kernel_enable_core_dump
@@ -52,39 +56,201 @@
   file: dest='/bin/su' owner=root group=root mode
   when: security_users_allow|default(None) != None 
 
+- name: update pam on Debian systems
+  command: 'pam-auth-update --package'
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: update pam on Redhat systems
+  command: 'authconfig --update'
+  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+- name: remove pam ccreds on Debian systems
+  apt: name='{{os_packages_pam_ccreds}}' state=absent
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: remove pam ccreds on Redhat systems
+  yum: name='{{os_packages_pam_ccreds}}' state=absent
+  when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+
+- name: remove pam_cracklib, because it does not play nice with passwdqc
+  apt: name='{{os_packages_pam_cracklib}}' state=absent
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
+
+- name: install the package for strong password checking
+  apt: name='{{os_packages_pam_passwdqc}}' state='installed'
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
+
+- name: configure passwdqc
+  template: src='pam_passwdqd.j2' mode=0640 owner=root group=root dest='{{passwdqc_path}}'
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and os_auth_pam_passwdqc_enable
+
+- name: remove passwdqc
+  apt: name='{{os_packages_pam_passwdqc}}' state='absent'
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable
+
+- name: install tally2
+  apt: name='libpam-modules' state=installed
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
+
+- name: configure tally2
+  template: src='pam_tally2.j2' dest='{{tally2_path}}' mode=0640 owner=root group=root
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries > 0
+
+- name: delete tally2 when retries is 0
+  file: path='{{tally2_path}}' state=absent
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') and not os_auth_pam_passwdqc_enable and os_auth_retries == 0
+
 - name: update pam
   command: 'pam-auth-update --package'
+  when: (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')
 
-- name: remove pam ccreds
-  apt: name=
+- name: remove pam_cracklib, because it does not play nice with passwdqc
+  yum: name='{{os_packages_pam_cracklib}}' state=absent
+  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable
 
-- name: Define restriction levels for announcing the local source IP
-  sysctl: name='net.ipv4.conf.all.arp_announce' value=1 sysctl_set=yes state=present reload=yes
+- name: install the package for strong password checking
+  yum: name='{{os_packages_pam_passwdqc}}' state='installed'
+  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and os_auth_pam_passwdqc_enable
+
+- name: remove passwdqc
+  yum: name='{{os_packages_pam_passwdqc}}' state='absent'
+  when: (ansible_distribution == 'RedHat' or ansible_distribution == 'Oracle Linux') and not os_auth_pam_passwdqc_enable
+
+- name: configure passwdqc and tally via central system-auth confic
+  template: src='rhel_system_auth.j2' dest='/etc/pam.d/system-auth-ac' mode=0640 owner=root group=root
+
+- name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+  template: src='rhel_libuser.conf.j2' dest='/etc/libuser.conf' mode=0640 owner=root group=root
+
+- name: Only enable IP traffic forwarding, if required.
+  sysctl: name='net.ipv4.ip_forward' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Only enable IP traffic forwarding, if required.
+  sysctl: name='net.ipv4.ip_forward' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_network_forwarding
+
+- name: Only enable IP traffic forwarding, if required.
+  sysctl: name='net.ipv6.conf.all.forwarding' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Only enable IP traffic forwarding, if required.
+  sysctl: name='net.ipv6.conf.all.forwarding' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_network_forwarding and os_network_ipv6_enable
+
+- name: Enable RFC-recommended source validation feature.
+  sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Enable RFC-recommended source validation feature.
+  sysctl: name='net.ipv4.conf.default.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
+  sysctl: name='net.ipv4.icmp_echo_ignore_broadcasts' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: There is no reason to accept bogus error responses from ICMP, so ignore them instead.
+  sysctl: name='net.ipv4.icmp_ignore_bogus_error_responses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Limit the amount of traffic the system uses for ICMP.
+  sysctl: name='net.ipv4.icmp_ratelimit' value=100 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply
+  sysctl: name='net.ipv4.icmp_ratemask' value=88089 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Disable or Enable IPv6 as it is needed.
+  sysctl: name='net.ipv6.conf.all.disable_ipv6' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Disable or Enable IPv6 as it is needed.
+  sysctl: name='net.ipv6.conf.all.disable_ipv6' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_network_ipv6_enable
+
+- name: Protect against wrapping sequence numbers at gigabit speeds
+  sysctl: name='net.ipv4.tcp_timestamps' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name:  Define restriction level for announcing the local source IP
+  sysctl: name='net.ipv4.conf.all.arp_ignore' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name:  Define restriction level for announcing the local source IP
+  sysctl: name='net.ipv4.conf.all.arp_ignore' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_network_arp_restricted
+
+- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses 
+  sysctl: name='net.ipv4.conf.all.arp_announce' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses 
+  sysctl: name='net.ipv4.conf.all.arp_announce' value=2 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_network_arp_restricted
 
 - name: RFC 1337 fix F1
-  sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes
+  sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: Syncookies is used to prevent SYN-flooding attacks.
+  sysctl: name='net.ipv4.tcp_syncookies' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- sysctl: name='net.ipv4.conf.all.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv4.conf.default.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
 
 - name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
-  sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes
+  sysctl: name='net.ipv4.conf.all.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
 
-- sysctl: name=net.ipv4.icmp_ratelimit value=100 sysctl_set=yes state=present reload=yes
-- sysctl: name=net.ipv4.icmp_ratemask value=88089 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.tcp_timestamps value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.all.arp_ignore value=1 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.default.accept_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.all.accept_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.all.secure_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.default.secure_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.all.send_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv4.conf.all.send_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.all.disable_ipv6 value=1 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.accept_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.all.accept_redirects value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.router_solicitations value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.accept_ra_rtr_pref value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.accept_ra_pinfo value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.accept_ra_defrtr value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.autoconf value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.max_addresses value=1 sysctl_set=yes state=present reload=yes
-#- sysctl: name=kernel.sysrq value=0 sysctl_set=yes state=present reload=yes
-#- sysctl: name=net.ipv6.conf.default.dad_transmits value=0 sysctl_set=yes state=present reload=yes
+- name: Accepting source route can lead to malicious networking behavior, so disable it if not needed.
+  sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+# Accepting redirects can lead to malicious networking behavior, so disable
+# it if not needed.
+- sysctl: name='net.ipv4.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv4.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv4.conf.all.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv4.conf.default.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+# For non-routers: don't send redirects, these settings are 0
+- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: log martian packets
+  sysctl: name='net.ipv4.conf.all.log_martians' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+# ipv6 config
+# NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
+- sysctl: name='net.ipv6.conf.default.router_solicitations' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.accept_ra_rtr_pref' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.accept_ra_pinfo' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.accept_ra_defrtr' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.autoconf' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.dad_transmits' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+- sysctl: name='net.ipv6.conf.default.max_addresses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+
+# This settings controls how the kernel behaves towards module changes at
+# runtime. Setting to 1 will disable module loading at runtime.
+# Setting it to 0 is actually never supported.
+- name: This settings controls how the kernel behaves towards module changes at runtime.
+  sysctl: name='kernel.modules_disabled' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: not os_security_kernel_enable_module_loading
+
+# Magic Sysrq should be disabled, but can also be set to a safe value if so
+# desired for physical machines. It can allow a safe reboot if the system hangs
+# and is a 'cleaner' alternative to hitting the reset button.
+# The following values are permitted:
+#
+# * **0**   - disable sysrq
+# * **1**   - enable sysrq completely
+# * **>1**  - bitmask of enabled sysrq functions:
+# * **2**   - control of console logging level
+# * **4**   - control of keyboard (SAK, unraw)
+# * **8**   - debugging dumps of processes etc.
+# * **16**  - sync command
+# * **32**  - remount read-only
+# * **64**  - signalling of processes (term, kill, oom-kill)
+# * **128** - reboot/poweroff
+# * **256** - nicing of all RT tasks
+- sysctl: name='kernel.sysrq' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- sysctl: name='kernel.sysrq' value='{{ os_security_kernel_secure_sysrq }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_security_kernel_enable_sysrq
+
+- name: Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
+  sysctl: name='fs.suid_dumpable' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+
+- name: # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
+  sysctl: name='fs.suid_dumpable' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes
+  when: os_security_kernel_enable_core_dump

roles/ansible-os-hardening/templates/login.defs.j2

@@ -125,11 +125,11 @@ LOGIN_TIMEOUT		{{os_auth_timeout}}
 
 # Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-{{ if chfn_restrict }}
-CHFN_RESTRICT		{{ chfn_restrict }}
-{{ endif }}
+{% if os_chfn_restrict %}
+CHFN_RESTRICT		{{ os_chfn_restrict }}
+{% endif %}
 # Should login be allowed if we can't cd to the home directory?
-DEFAULT_HOME	{{ if os_auth_allow_homeless -}}yes{{ else -}}no{{ endif }}
+DEFAULT_HOME	{% if os_auth_allow_homeless -%}yes{% else -%}no{% endif %}
 
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by

roles/ansible-os-hardening/templates/pam_passwdqd.j2

@@ -0,0 +1,7 @@
+passwdqc.erbName: passwdqc password strength enforcement
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Password-Type: Primary
+Password:
+  requisite     pam_passwdqc.so {{os_auth_pam_passwdqc_options}}

roles/ansible-os-hardening/templates/pam_tally2.j2

@@ -0,0 +1,10 @@
+Name: tally2 lockout after failed attempts enforcement
+Default: yes
+Priority: 1024
+Conflicts: cracklib
+Auth-Type: Primary
+Auth-Initial:
+  required      pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}}
+Account-Type: Primary
+Account-Initial:
+  required      pam_tally2.so

roles/ansible-os-hardening/templates/rhel_libuser.conf.j2

@@ -0,0 +1,90 @@
+# See libuser.conf(5) for more information.
+
+# {{ ansible_managed }}
+
+# Do not modify the default module list if you care about unattended calls
+# to programs (i.e., scripts) working!
+
+[import]
+# Data from these files is used when libuser.conf does not define a value.
+# The mapping is documented in the man page.
+login_defs = /etc/login.defs
+default_useradd = /etc/default/useradd
+
+[defaults]
+# The default (/usr/lib*/libuser) is usually correct
+# moduledir = /your/custom/directory
+
+# The following variables are usually imported:
+# skeleton = /etc/skel
+# mailspooldir = /var/mail
+
+# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+crypt_style = sha512
+
+modules = files shadow
+create_modules = files shadow
+# modules = files shadow ldap
+# create_modules = ldap
+
+[userdefaults]
+LU_USERNAME = %n
+# LU_UIDNUMBER = 500
+LU_GIDNUMBER = %u
+# LU_USERPASSWORD = !!
+# LU_GECOS = %n
+# LU_HOMEDIRECTORY = /home/%n
+# LU_LOGINSHELL = /bin/bash
+
+# LU_SHADOWNAME = %n
+# LU_SHADOWPASSWORD = !!
+# LU_SHADOWLASTCHANGE = %d
+# LU_SHADOWMIN = 0
+# LU_SHADOWMAX = 99999
+# LU_SHADOWWARNING = 7
+# LU_SHADOWINACTIVE = -1
+# LU_SHADOWEXPIRE = -1
+# LU_SHADOWFLAG = -1
+
+[groupdefaults]
+LU_GROUPNAME = %n
+# LU_GIDNUMBER = 500
+# LU_GROUPPASSWORD = !!
+# LU_MEMBERUID =
+# LU_ADMINISTRATORUID =
+
+[files]
+# This is useful for the case where some master files are used to
+# populate a different NSS mechanism which this workstation uses.
+# directory = /etc
+
+[shadow]
+# This is useful for the case where some master files are used to
+# populate a different NSS mechanism which this workstation uses.
+# directory = /etc
+
+[ldap]
+# Setting these is always necessary.
+# server = ldap
+# basedn = dc=example,dc=com
+
+# Setting these is rarely necessary, since it's usually correct.
+# userBranch = ou=People
+# groupBranch = ou=Group
+
+# Set only if your administrative user uses simple bind operations to
+# connect to the server.
+# binddn = cn=Manager,dc=example,dc=com
+
+# Set this only if the default user (as determined by SASL) is incorrect
+# for SASL bind operations.  Usually, it's correct, so you'll rarely need
+# to set these.
+# user = Manager
+# authuser = Manager
+
+[sasl]
+# Set these only if your sasldb is only used by a particular application, and
+# in a particular domain.  The default (all applications, all domains) is
+# probably correct for most installations.
+# appname = imap
+# domain = EXAMPLE.COM

roles/ansible-os-hardening/templates/rhel_system_auth.j2

@@ -0,0 +1,35 @@
+# {{ ansible_managed }}
+#---
+
+#%PAM-1.0
+{% if os_auth_retries > 0 %}
+auth        required      pam_tally2.so deny={{os_auth_retries}} onerr=fail unlock_time={{os_auth_lockout_time}}
+{% endif %}
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        required      pam_deny.so
+
+{% if os_auth_retries > 0 %}
+account     required      pam_tally2.so
+{% endif %}
+account     required      pam_unix.so
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     required      pam_permit.so
+
+{% if os_auth_pam_passwdqc_enable %}
+password    requisite     pam_passwdqc.so {{os_auth_pam_passwdqc_options}}
+{% else %}
+password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+{% endif %}
+
+# NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
+# NSA 2.3.3.6 Limit Password Reuse
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so

roles/ansible-os-hardening/vars/Debian.yml

@@ -1,3 +1,5 @@
-os_packages_pam_ccreds:  'libpam-ccreds'
-os_packages_pam_passwdqc:  'libpam-passwdqc'
-os_packages_pam_cracklib:  'libpam-cracklib'
+os_packages_pam_ccreds: 'libpam-ccreds'
+os_packages_pam_passwdqc: 'libpam-passwdqc'
+os_packages_pam_cracklib: 'libpam-cracklib'
+passwdqc_path: '/usr/share/pam-configs/passwdqc'
+tally2_path: '/usr/share/pam-configs/tally2'

roles/ansible-os-hardening/vars/main.yml

@@ -5,7 +5,7 @@
 os_desktop_enable:  false
 os_network_forwarding: false
 os_network_ipv6_enable: false
-os_network_arp_restricted:  true
+os_network_arp_restricted: true 
 os_env_extra_user_paths:  []
 os_env_umask:  '027'
 os_env_root_path:  '/'
@@ -20,6 +20,7 @@ os_auth_pam_passwdqc_options: 'disabled,disabled,16,12,8'
 os_auth_root_ttys:  '%w(console tty1 tty2 tty3 tty4 tty5 tty6)'
 os_auth_uid_min:  1000
 os_auth_gid_min:  1000
+os_chfn_restrict: ''
 # may contain: change_user
 os_security_users_allow:  []
 os_security_kernel_enable_module_loading:  true