458e0e4c90
The password quality adjustments only work if libpam-pwquality is installed on Ubuntu. This patch installs the package if `security_pwquality_apply_rules` is set to `yes`. Closes-Bug: 1702526 Change-Id: Ic1a21b12138f57d4d54bfbdc6804a195573baf52
170 lines
4.6 KiB
YAML
170 lines
4.6 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Variables for Ubuntu and Debian
|
|
# The following variables apply only to Ubuntu 14.04 (trusty), Ubuntu 16.04
|
|
# (xenial), and Debian 8 (jessie). Deployers should not need to override these
|
|
# variables.
|
|
#
|
|
# For more details, see 'vars/main.yml'.
|
|
|
|
# Maximum age of the apt cache before a refresh is required
|
|
cache_timeout: 600
|
|
|
|
# Configuration file paths
|
|
pam_auth_file: /etc/pam.d/common-auth
|
|
pam_password_file: /etc/pam.d/common-password
|
|
pam_postlogin_file: /etc/pam.d/login
|
|
vsftpd_conf_file: /etc/vsftpd.conf
|
|
grub_conf_file: /boot/grub/grub.cfg
|
|
grub_conf_file_efi: /boot/efi/EFI/ubuntu/grub.cfg
|
|
grub_defaults_file: /etc/default/grub
|
|
aide_cron_job_path: /etc/cron.daily/aide
|
|
aide_database_file: /var/lib/aide/aide.db
|
|
aide_database_out_file: /var/lib/aide/aide.db.new
|
|
chrony_conf_file: /etc/chrony/chrony.conf
|
|
daemon_init_params_file: /etc/init.d/rc
|
|
|
|
# Service name
|
|
cron_service: cron
|
|
ssh_service: ssh
|
|
chrony_service: chrony
|
|
clamav_service: clamav-daemon
|
|
|
|
# Commands
|
|
grub_update_cmd: "/usr/sbin/update-grub"
|
|
ssh_keysign_path: /usr/lib/openssh
|
|
|
|
# Other configuration
|
|
security_interactive_user_minimum_uid: 500
|
|
|
|
# RHEL 6 STIG: Packages to add/remove
|
|
stig_packages:
|
|
- packages:
|
|
- auditd
|
|
- audispd-plugins
|
|
- aide
|
|
- aide-common
|
|
- chrony
|
|
- debsums
|
|
- logrotate
|
|
- postfix
|
|
state: "{{ security_package_state }}"
|
|
enabled: True
|
|
- packages:
|
|
- apparmor
|
|
- apparmor-profiles
|
|
- apparmor-utils
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_enable_linux_security_module }}"
|
|
- packages:
|
|
- fail2ban
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_install_fail2ban }}"
|
|
- packages:
|
|
- xinetd
|
|
state: absent
|
|
enabled: "{{ security_remove_xinetd }}"
|
|
- packages:
|
|
- nis
|
|
state: absent
|
|
enabled: "{{ security_remove_ypserv }}"
|
|
- packages:
|
|
- tftpd
|
|
state: absent
|
|
enabled: "{{ security_remove_tftp_server }}"
|
|
- packages:
|
|
- slapd
|
|
state: absent
|
|
enabled: "{{ security_remove_ldap_server }}"
|
|
- packages:
|
|
- sendmail
|
|
state: absent
|
|
enabled: "{{ security_remove_sendmail }}"
|
|
- packages:
|
|
- xorg-xserver
|
|
state: absent
|
|
enabled: "{{ security_remove_xorg }}"
|
|
- packages:
|
|
- rsh-server
|
|
state: absent
|
|
enabled: "{{ security_remove_rsh_server }}"
|
|
- packages:
|
|
- telnetd
|
|
state: absent
|
|
enabled: "{{ security_remove_telnet_server }}"
|
|
|
|
# RHEL 7 STIG: Packages to add/remove
|
|
stig_packages_rhel7:
|
|
- packages:
|
|
- auditd
|
|
- audispd-plugins
|
|
- aide
|
|
- aide-common
|
|
- libpwquality-common
|
|
- openssh-client
|
|
- openssh-server
|
|
- screen
|
|
state: "{{ security_package_state }}"
|
|
enabled: True
|
|
- packages:
|
|
- apparmor
|
|
- apparmor-profiles
|
|
- apparmor-utils
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_rhel7_enable_linux_security_module }}"
|
|
- packages:
|
|
- chrony
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_rhel7_enable_chrony }}"
|
|
- packages:
|
|
- clamav
|
|
- clamav-daemon
|
|
- clamav-freshclam
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_enable_virus_scanner }}"
|
|
- packages:
|
|
- firewalld
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_enable_firewalld }}"
|
|
- packages:
|
|
- unattended-upgrades
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_rhel7_automatic_package_updates }}"
|
|
- packages:
|
|
- libpam-pwquality
|
|
state: "{{ security_package_state }}"
|
|
enabled: "{{ security_pwquality_apply_rules }}"
|
|
- packages:
|
|
- rsh-server
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_rsh_server }}"
|
|
- packages:
|
|
- telnetd
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_telnet_server }}"
|
|
- packages:
|
|
- tftpd
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_tftp_server }}"
|
|
- packages:
|
|
- xorg-xserver
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_xorg }}"
|
|
- packages:
|
|
- nis
|
|
state: absent
|
|
enabled: "{{ security_rhel7_remove_ypserv }}"
|