remove execshield on rhel7

defaults/main.yml

@@ -183,12 +183,6 @@ sysctl_config:
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
 
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows | sysctl-33
-  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
-  net.ipv4.tcp_syncookies: 1
-
 # disable unused filesystems
 os_unused_filesystems:
   - "cramfs"
@@ -199,3 +193,4 @@ os_unused_filesystems:
   - "squashfs"
   - "udf"
   - "vfat"
+

tasks/main.yml

@@ -1,6 +1,11 @@
 ---
-- name: add the OS specific variables
-  include_vars: '{{ ansible_os_family }}.yml'
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+   - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_distribution }}.yml'
+   - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_os_family }}.yml'
   tags: always
 
 - include: limits.yml

vars/RedHat-7.yml

@@ -0,0 +1,18 @@
+---
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: "0600"
+
+sysctl_rhel_config:
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
+

vars/RedHat.yml

@@ -10,3 +10,9 @@ os_shadow_perms:
   owner: root
   group: root
   mode: '0600'
+
+sysctl_rhel_config:
+  # ExecShield protection against buffer overflows
+  kernel.exec-shield: 1
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1