ansible-collection-hardening/roles/os_hardening/vars/Debian.yml
Sebastian Gumprich bb588bd777
linting (#603)
* linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* change line length issues

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* replace yes with true in tasks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* use manual line-wrapping because ansible-lint does not support it correctly.

see https://github.com/ansible/ansible-lint/issues/2522

* use manual line-wrapping because ansible-lint does not support it correctly.

see https://github.com/ansible/ansible-lint/issues/2522

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* use manual line-wrapping because ansible-lint does not support it correctly.

see https://github.com/ansible/ansible-lint/issues/2522

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add exception for task

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove trailing whitespace

* add back deleted params

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add back deleted params

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add back tasks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-24 12:40:27 +01:00


---
# Debian-family overrides for the os_hardening role.
# Every permission mode below is quoted so the YAML parser keeps the
# leading zero as text instead of reading the value as an octal integer.

# Packages and paths
os_packages_pam_ccreds: "libpam-ccreds"
os_nologin_shell_path: "/usr/sbin/nologin"

# Ownership and mode of /etc/shadow and /etc/passwd.
# Distros differ here: RHEL derivatives ship /etc/shadow as root:root 0000,
# Debian-based systems as root:shadow 0640. An override must supply all three
# keys (owner, group, mode).
os_shadow_perms:
  owner: "root"
  group: "shadow"
  mode: "0640"
os_passwd_perms:
  owner: "root"
  group: "root"
  mode: "0644"

# Default umask written to the environment; quoted for the same octal reason.
os_env_umask: "027"

# UID/GID ranges for regular and system accounts.
os_auth_uid_min: 1000
os_auth_uid_max: 60000
os_auth_gid_min: 1000
os_auth_gid_max: 60000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999

# Subordinate UID/GID ranges and per-user allocation size
# (presumably the SUB_UID_*/SUB_GID_* login.defs settings — confirm against
# the task that consumes them).
os_auth_sub_uid_min: 100000
os_auth_sub_uid_max: 600100000
os_auth_sub_uid_count: 65536
os_auth_sub_gid_min: 100000
os_auth_sub_gid_max: 600100000
os_auth_sub_gid_count: 65536

# Expected owner, group and mode for each hardened mount point.
# World-writable directories (/dev/shm, /tmp, /var/tmp) carry the sticky bit (1777);
# /boot and /var/log/audit are restricted to root only (0700).
os_mnt_boot_dir_mode: "0700"
os_mnt_boot_group: "root"
os_mnt_boot_owner: "root"
os_mnt_dev_dir_mode: "0755"
os_mnt_dev_group: "root"
os_mnt_dev_owner: "root"
os_mnt_dev_shm_dir_mode: "1777"
os_mnt_dev_shm_group: "root"
os_mnt_dev_shm_owner: "root"
os_mnt_home_dir_mode: "0755"
os_mnt_home_group: "root"
os_mnt_home_owner: "root"
os_mnt_run_dir_mode: "0755"
os_mnt_run_group: "root"
os_mnt_run_owner: "root"
os_mnt_tmp_dir_mode: "1777"
os_mnt_tmp_group: "root"
os_mnt_tmp_owner: "root"
os_mnt_var_dir_mode: "0755"
os_mnt_var_group: "root"
os_mnt_var_owner: "root"
os_mnt_var_log_dir_mode: "0755"
os_mnt_var_log_group: "root"
os_mnt_var_log_owner: "root"
os_mnt_var_log_audit_dir_mode: "0700"
os_mnt_var_log_audit_group: "root"
os_mnt_var_log_audit_owner: "root"
os_mnt_var_tmp_dir_mode: "1777"
os_mnt_var_tmp_group: "root"
os_mnt_var_tmp_owner: "root"

# Defaults for useradd
os_useradd_mail_dir: "/var/mail"

# Debian package and PAM profile names used by the tasks.
modprobe_package: "kmod"
auditd_package: "auditd"
tally2_path: "/usr/share/pam-configs/tally2"
passwdqc_path: "/usr/share/pam-configs/passwdqc"

# /proc hidepid= mount option; kept as a string on purpose.
hidepid_option: "2"  # allowed values: 0, 1, 2

# Distro-specific sysctl settings merged into the role's sysctl configuration.
sysctl_custom_config:
  # Mitigation of vulnerability CVE-2021-33909: block unprivileged user namespaces.
  kernel.unprivileged_userns_clone: 0
  # Mitigation of vulnerability CVE-2021-33910: block unprivileged eBPF.
  # NOTE(review): confirm the CVE mapping for this line — the upstream advisory
  # for CVE-2021-33909 lists both sysctls together, and CVE-2021-33910 is a
  # separate (systemd) issue; adjust the comment if it was meant to cite -33909.
  kernel.unprivileged_bpf_disabled: 1