---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

## STIG version selection
# The RHEL 7 STIG content first appeared in the Ocata release and is compatible
# with the following operating systems:
#
#  * CentOS 8
#  * Debian Buster
#  * Fedora 27
#  * Ubuntu Bionic
#  * Ubuntu Focal
#
# Valid options: rhel7
stig_version: rhel7

## APT Cache Options
# This variable is used across multiple OpenStack-Ansible roles to handle the
# apt cache updates as efficiently as possible.
cache_timeout: 600

# Set the package install state for distribution packages
# Options are 'present' and 'latest'
security_package_state: present

## EPEL
# Set the following variable to `no` to prevent the EPEL repository from being
# installed by the role. This may prevent certain packages from installing,
# such as ClamAV.
security_epel_install_repository: true
#
# Some deployers install a customized EPEL package that redirects servers to
# their internal EPEL mirrors. Provide the name of the EPEL repository package
# (epel-release by default on CentOS) or a URL to an EPEL release RPM file.
security_epel_release_package: epel-release

###############################################################################
#  ____  _   _ _____ _       _____   ____ _____ ___ ____
# |  _ \| | | | ____| |     |___  | / ___|_   _|_ _/ ___|
# | |_) | |_| |  _| | |        / /  \___ \ | |  | | |  _
# |  _ <|  _  | |___| |___    / /    ___) || |  | | |_| |
# |_| \_\_| |_|_____|_____|  /_/    |____/ |_| |___\____|
#
# The following options are specific to the RHEL 7 STIG. For details on each
# option, refer to the ansible-hardening documentation:
#
#   https://docs.openstack.org/ansible-hardening/latest/domains.html
#
###############################################################################

## Accounts (accounts)
# Set minimum password lifetime to 1 day for interactive accounts.
security_set_minimum_password_lifetime: false # V-71927
security_set_maximum_password_lifetime: false # V-71931

## AIDE (aide)
# Initialize the AIDE database immediately (may take time).
security_rhel7_initialize_aide: false # V-71973
security_rhel7_enable_aide: true

# The default Ubuntu configuration for AIDE will cause it to wander into some
# terrible places on the system, such as /var/lib/lxc and images in /opt.
# The following three default exclusions are highly recommended for AIDE to
# work properly, but additional exclusions can be added to this list if needed.
security_aide_exclude_dirs:
  - /openstack
  - /opt
  - /run
  - /var

## Audit daemon (auditd)
# Send audit records to a different system using audisp.
# security_audisp_remote_server: '10.0.21.1'                  # V-72083
# Encrypt audit records when they are transmitted over the network.
# security_audisp_enable_krb5: yes                            # V-72085
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # V-72081
# Set the action to take when the disk is full or network events cannot be sent.
security_rhel7_auditd_disk_full_action: syslog # V-72087
security_rhel7_auditd_network_failure_action: syslog # V-72087
# Size of remaining disk space (in MB) that triggers alerts.
security_rhel7_auditd_space_left: >- # V-72089
  {{ (ansible_facts['mounts'] | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}
# Action to take when the space_left threshold is reached.
security_rhel7_auditd_space_left_action: email # V-72091
# Send auditd email alerts to this user.
security_rhel7_auditd_action_mail_acct: root # V-72093
# Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: true # V-72167
security_rhel7_audit_chage: true # V-72155
security_rhel7_audit_chcon: true # V-72139
security_rhel7_audit_chmod: false # V-72105
security_rhel7_audit_chown: false # V-72097
security_rhel7_audit_creat: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72123
security_rhel7_audit_crontab: true # V-72183
security_rhel7_audit_delete_module: true # V-72189
security_rhel7_audit_fchmod: false # V-72107
security_rhel7_audit_fchmodat: false # V-72109
security_rhel7_audit_fchown: false # V-72099
security_rhel7_audit_fchownat: false # V-72103
security_rhel7_audit_fremovexattr: false # V-72119
security_rhel7_audit_fsetxattr: false # V-72113
security_rhel7_audit_ftruncate: true # V-72133
security_rhel7_audit_init_module: true # V-72187
security_rhel7_audit_gpasswd: true # V-72153
security_rhel7_audit_lchown: false # V-72101
security_rhel7_audit_lremovexattr: false # V-72121
security_rhel7_audit_lsetxattr: false # V-72115
security_rhel7_audit_mount: true # V-72171
security_rhel7_audit_newgrp: true # V-72165
security_rhel7_audit_open: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72125
security_rhel7_audit_openat: true # V-72127
security_rhel7_audit_open_by_handle_at: true # V-72129
security_rhel7_audit_pam_timestamp_check: true # V-72185
security_rhel7_audit_passwd: true # V-72149
security_rhel7_audit_postdrop: true # V-72175
security_rhel7_audit_postqueue: true # V-72177
security_rhel7_audit_removexattr: false # V-72117
security_rhel7_audit_rename: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72199
security_rhel7_audit_renameat: true # V-72201
security_rhel7_audit_restorecon: true # V-72141
security_rhel7_audit_rmdir: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72203
security_rhel7_audit_semanage: true # V-72135
security_rhel7_audit_setsebool: true # V-72137
security_rhel7_audit_setxattr: false # V-72111
security_rhel7_audit_ssh_keysign: true # V-72179
security_rhel7_audit_su: true # V-72159
security_rhel7_audit_sudo: true # V-72161
security_rhel7_audit_sudoedit: true # V-72169
security_rhel7_audit_truncate: true # V-72131
security_rhel7_audit_umount: true # V-72173
security_rhel7_audit_unix_chkpwd: true # V-72151
security_rhel7_audit_unlink: "{{ (ansible_facts['architecture'] == 'aarch64') | ternary('no', 'yes') }}" # V-72205
security_rhel7_audit_unlinkat: true # V-72207
security_rhel7_audit_userhelper: true # V-72157
# Add audit rules for other events.
security_rhel7_audit_account_access: true # V-72143
security_rhel7_audit_sudo_config_changes: true # V-72163
security_rhel7_audit_insmod: true # V-72191
security_rhel7_audit_rmmod: true # V-72193
security_rhel7_audit_modprobe: true # V-72195
security_rhel7_audit_account_actions: true # V-72197

## Authentication (auth)
# Check if sudoers has the NOPASSWD rule enabled
security_sudoers_nopasswd_check_enable: true

# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: true # V-71937
# Apply password quality rules.
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
# the password quality rules. Each rule can be disabled with a value of 'no'.
security_pwquality_apply_rules: false
security_pwquality_require_uppercase: true # V-71903
security_pwquality_require_lowercase: true # V-71905
security_pwquality_require_numeric: true # V-71907
security_pwquality_require_special: true # V-71909
security_pwquality_require_characters_changed: true # V-71911
security_pwquality_require_character_classes_changed: true # V-71913
security_pwquality_limit_repeated_characters: true # V-71915
security_pwquality_limit_repeated_character_classes: true # V-71917
security_pwquality_require_minimum_password_length: false # V-71935
# Use pwquality when passwords are changed or established.
security_enable_pwquality_password_set: false # V-73159
# Ensure passwords are stored using SHA512.
security_password_encrypt_method: SHA512 # V-71921
# Ensure user/group admin utilities only store encrypted passwords.
security_libuser_crypt_style_sha512: true # V-71923
# Set a minimum/maximum lifetime limit for user passwords.
# security_password_min_lifetime_days: 1                      # V-71925
# security_password_max_lifetime_days: 60                     # V-71929
# Set a delay (in seconds) between failed login attempts.
security_shadow_utils_fail_delay: 4 # V-71951
# Set a umask for all authenticated users.
# security_shadow_utils_umask: '077'                         # V-71995
# Create home directories for new users by default.
security_shadow_utils_create_home: true # V-72013
# How many old user password to remember to prevent password re-use.
# security_password_remember_password: 5                      # V-71933
# Disable user accounts if the password expires.
security_disable_account_if_password_expires: false # V-71941
# Lock user accounts with excessive login failures. See documentation.
security_pam_faillock_enable: false # V-71945 / V-71943 / RHEL-07-010373
security_pam_faillock_interval: 900
security_pam_faillock_attempts: 3
security_pam_faillock_deny_root: true # RHEL-07-010373
security_pam_faillock_unlock_time: 604800 # V-71943
# Limit the number of concurrent connections per account.
# security_rhel7_concurrent_session_limit: 10                 # V-72217
# Remove .shosts and shosts.equiv files.
security_rhel7_remove_shosts_files: false # V-72277
# Exclude these directories from the shosts files find
security_rhel7_remove_shosts_exclude_dirs:
  - "/sys"
  - "/proc"
  - "/dev"
## File permissions (file_perms)
# Reset file permissions and ownership for files installed via RPM packages.
security_reset_perm_ownership: false # V-71849
# Search for files/directories owned by invalid users or groups.
security_search_for_invalid_owner: false # V-72007
security_search_for_invalid_group_owner: false # V-72009
# Set user/group owners on each home directory and set mode to 0750.
security_set_home_directory_permissions_and_owners: false # V-72017 / V-72019 / V-72021
# Find all world-writable directories and display them.
security_find_world_writable_dirs: false # V-72047

## Graphical interfaces (graphical)
# Disable automatic gdm logins
security_disable_gdm_automatic_login: true # V-71953
# Disable timed gdm logins for guests
security_disable_gdm_timed_login: true # V-71955
# Enable session locking for graphical logins.
security_lock_session: false # V-71891
# Set a timer (in seconds) when an inactive session is locked.
security_lock_session_inactive_delay: 900 # V-71893
# Prevent users from modifying session lock settings.
security_lock_session_override_user: true # RHEL-07-010071
# Lock a session (start screensaver) when a session is inactive.
security_lock_session_when_inactive: true # V-71893
# Time after screensaver starts when user login is required.
security_lock_session_screensaver_lock_delay: 5 # V-71901
# Enable a login banner and set the text for the banner.
security_enable_graphical_login_message: true # V-71859
security_enable_graphical_login_message_text: >
  You are accessing a secured system and your actions will be logged along
  with identifying information. Disconnect immediately if you are not an
  authorized user of this system.

## Linux Security Module (lsm)
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
security_rhel7_enable_linux_security_module: true # V-71989 / V-71991

## Miscellaneous (misc)
# Disable the autofs service.
security_rhel7_disable_autofs: true # V-71985
# Enable virus scanning with clamav
security_enable_virus_scanner: false # V-72213
# Run the virus scanner update during the deployment (if scanner is deployed)
security_run_virus_scanner_update: true
# Disable ctrl-alt-delete key sequence on the console.
security_rhel7_disable_ctrl_alt_delete: true # V-71993
# Install and enable firewalld for iptables management.
security_enable_firewalld: false # V-72273
# Rate limit TCP connections to 25/min and burstable to 100.
security_enable_firewalld_rate_limit: false # V-72271
security_enable_firewalld_rate_limit_per_minute: 25
security_enable_firewalld_rate_limit_burst: 100
# Update the grub configuration.
security_enable_grub_update: true
# Require authentication in GRUB to boot into single-user or maintenance modes.
security_require_grub_authentication: false # V-71961 / V-71963
# The default password for grub authentication is 'secrete'.
security_grub_password_hash:
  grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B # noqa: yaml[line-length]
# Set session timeout.
security_rhel7_session_timeout: 600 # V-72223
# Enable chrony for NTP time synchronization.
security_rhel7_enable_chrony: true # V-72269
# Use the following NTP servers.
security_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org
  - 3.pool.ntp.org
# NTP server options.
security_ntp_server_options: iburst
# Configure Chrony to synchronize the hardware clock
security_ntp_sync_rtc: false
# Chrony limits access to clients that are on certain subnets.  Adjust the
# following subnets here to limit client access to chrony servers.
security_allowed_ntp_subnets:
  - 10/8
  - 192.168/16
  - 172.16/12
# Listen for NTP requests only on local interfaces.
security_ntp_bind_local_interfaces_only: true
# Restrict mail relaying.
security_rhel7_restrict_mail_relaying: true # V-72297
# Deploy a login banner.                                     # V-72225 / V-71863
security_login_banner_text: |
  ------------------------------------------------------------------------------
  * WARNING                                                                    *
  * You are accessing a secured system and your actions will be logged along   *
  * with identifying information. Disconnect immediately if you are not an     *
  * authorized user of this system.                                            *
  ------------------------------------------------------------------------------


## Packages (packages)
# Remove packages from the system as required by the STIG. Set any of these
# to 'no' to skip their removal.
security_rhel7_remove_rsh_server: true # V-71967
security_rhel7_remove_telnet_server: true # V-72077
security_rhel7_remove_tftp_server: true # V-72301
security_rhel7_remove_xorg: true # V-72307
security_rhel7_remove_ypserv: true # V-71969
# Automatically remove dependencies when removing packages.
security_package_clean_on_remove: false # V-71987
# Automatically update packages.
security_rhel7_automatic_package_updates: false # V-71999
# Install packages for multi-factor authentication.
security_install_multifactor_auth_packages: true # V-72417
security_check_package_checksums: false # V-71855

## RPM (rpm)
# Enable GPG checks for packages and repository data.
security_enable_gpgcheck_packages: true # V-71977
security_enable_gpgcheck_packages_local: true # V-71979
security_enable_gpgcheck_repo: false # V-71981

## ssh server (sshd)
# Ensure sshd is running and enabled at boot time.
security_enable_sshd: true # V-72235
# Disallow logins from users with empty/null passwords.
security_sshd_disallow_empty_password: true # V-71939 / RHEL-07-010440
# Disallow users from overriding the ssh environment variables.
security_sshd_disallow_environment_override: true # V-71957
# Disallow host based authentication.
security_sshd_disallow_host_based_auth: true # V-71959
# Set a list of allowed ssh ciphers.
security_sshd_cipher_list: "aes128-ctr,aes192-ctr,aes256-ctr" # V-72221
# Specify a text file to be displayed as the banner/MOTD for all sessions.
security_sshd_banner_file: /etc/motd # V-71861 / V-72225
# Disable dynamic MOTD banner that is provided by /run/motd.dynamic
security_sshd_dynamic_banner_disable: true
# Set the interval for max session length and the number of intervals to allow.
security_sshd_client_alive_interval: 600 # V-72237
security_sshd_client_alive_count_max: 0 # V-72241
# Print the last login for a user when they log in over ssh.
security_sshd_print_last_log: true # V-72245
# Permit direct root logins ('yes', 'no', 'without-password', 'prohibit-password', 'forced-commands-only')
security_sshd_permit_root_login: false # V-72247
# Disallow authentication using known hosts authentication.
security_sshd_disallow_known_hosts_auth: true # V-72249 / V-72239
# Disallow rhosts authentication.
security_sshd_disallow_rhosts_auth: true # V-72243
# Enable X11 forwarding.
security_sshd_enable_x11_forwarding: true # V-72303
# Set the allowed ssh protocols.
security_sshd_protocol: 2 # V-72251
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
security_sshd_allowed_macs: "hmac-sha2-256,hmac-sha2-512" # V-72253
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
security_sshd_disallow_gssapi: true # V-72259
# Disallow compression or delay after login.
security_sshd_compression: "delayed" # V-72267
# Require privilege separation at every opportunity.
security_sshd_enable_privilege_separation: false # V-72265
# Require strict mode checking of home directory configuration files.
security_sshd_enable_strict_modes: true # V-72263
# Disallow Kerberos authentication.
security_sshd_disable_kerberos_auth: true # V-72261
# Disallow GSSAPI authentication.
security_sshd_disable_gssapi_auth: true # V-204598

## Kernel settings (kernel)
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
# immediately and by default on new interfaces.
security_disallow_source_routed_packet_forward_ipv4: true # V-72283 / V-72285
security_disallow_source_routed_packet_forward_ipv6: true # V-72319
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
security_disallow_echoes_broadcast_address: true # V-72287
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
# new interfaces.
security_disallow_icmp_redirects: true # V-73175 / V-72289 / V-72291 / V-72293
# Disallow IP forwarding.
security_disallow_ip_forwarding: false # V-72309
# Disable USB storage support.
security_rhel7_disable_usb_storage: true # V-71983
# Disable kdump.
security_disable_kdump: true # V-72057
# Disable Datagram Congestion Control Protocol (DCCP).
security_rhel7_disable_dccp: true # V-77821
# Enable Address Space Layout Randomization (ASLR).
security_enable_aslr: true # V-77825

###############################################################################
#   ____            _        _ _
#  / ___|___  _ __ | |_ _ __(_) |__
# | |   / _ \| '_ \| __| '__| | '_ \
# | |__| (_) | | | | |_| |  | | |_) |
#  \____\___/|_| |_|\__|_|  |_|_.__/
#
#
# The following configurations apply to tasks that are contributed by
# ansible-hardening developers and may not be part of a hardening standard
# or compliance program. For more information on the 'contrib' tasks, review
# the documentation:
#
#   https://docs.openstack.org/ansible-hardening/latest/contrib.html
#
###############################################################################

# To enable the contrib tasks, set this variable to 'yes'.
security_contrib_enabled: false

# Disable IPv6.
# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
# DANGER: SYSTEM. This will cause downtime for any services that depend on
# DANGER: IPv6 network connectivity.
security_contrib_disable_ipv6: false # C-00001

security_sysctl_file: "{{ openstack_sysctl_file | default('/etc/sysctl.conf') }}"