defaults/main.yml

---
rhel7stig_cat1_patch: yes
rhel7stig_cat2_patch: yes
rhel7stig_cat3_patch: yes

# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question.  In the future this might mean that the remediation
# may fail in some cases.
rhel7stig_complexity_high: no

# Show "changed" for complex items not remediated per complexity-high setting
# to make them stand out.  "changed" items on a second run of the role would
# indicate items requiring manual review.
rhel7stig_audit_complex: yes

# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow.  These items can be remediated automatically
# but are disabled by default to avoid disruption.
rhel7stig_disruption_high: no

# Show "changed" for disruptive items not remediated per disruption-high
# setting to make them stand out.
rhel7stig_audit_disruptive: yes

rhel7stig_skip_for_travis: false

rhel7stig_workaround_for_disa_benchmark: true
rhel7stig_workaround_for_ssg_benchmark: true

# tweak role to run in a chroot, such as in kickstart %post script
rhel7stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"

# tweak role to run in a non-privileged container
rhel7stig_system_is_container: no

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
# in order for the variables below to take effect.
# CAT 1 rules
rhel_07_010010: true
rhel_07_010020: true
rhel_07_010290: false
rhel_07_010300: true
rhel_07_010440: true
rhel_07_010450: true
rhel_07_010480: false
rhel_07_010482: false
rhel_07_010490: false
rhel_07_010491: false
rhel_07_020000: true
rhel_07_020010: true
rhel_07_020050: true
rhel_07_020060: true
rhel_07_020210: true
rhel_07_020220: true
rhel_07_020230: true
# Not an automated task
rhel_07_020250: true
rhel_07_020310: true
rhel_07_021350: true
rhel_07_021710: true
rhel_07_030000: true
rhel_07_032000: true
rhel_07_040390: true
rhel_07_040540: true
rhel_07_040550: true
rhel_07_040690: true
rhel_07_040700: true
rhel_07_040710: true
rhel_07_040800: true
# CAT 2 rules
rhel_07_010030: true
rhel_07_010040: true
rhel_07_010050: true
rhel_07_010060: true
rhel_07_010061: true
rhel_07_010070: true
rhel_07_010081: true
rhel_07_010082: true
rhel_07_010090: true
rhel_07_010100: true
rhel_07_010101: true
rhel_07_010110: true
rhel_07_010119: false
rhel_07_010120: true
rhel_07_010130: true
rhel_07_010140: true
rhel_07_010150: true
rhel_07_010160: true
rhel_07_010170: true
rhel_07_010180: true
rhel_07_010190: true
rhel_07_010200: true
rhel_07_010210: true
rhel_07_010220: true
rhel_07_010230: true
rhel_07_010240: true
rhel_07_010250: true
rhel_07_010260: true
rhel_07_010270: false
rhel_07_010280: true
rhel_07_010310: true
rhel_07_010320: false
rhel_07_010330: false
rhel_07_010340: false
rhel_07_010350: true
rhel_07_010430: true
rhel_07_010460: true
rhel_07_010470: true
rhel_07_010481: true
rhel_07_010500: true
rhel_07_020020: true
rhel_07_020030: true
# Send AIDE reports as mail notifications - Disabled by default as this is a non-ideal way to do notifications
rhel_07_020040: "{{ rhel7stig_disruption_high }}"
rhel_07_020100: true
rhel_07_020101: true
rhel_07_020110: true
rhel_07_020240: true
rhel_07_020260: true
rhel_07_020270: true
rhel_07_020320: false
rhel_07_020330: true
rhel_07_020600: true
rhel_07_020610: true
rhel_07_020620: true
rhel_07_020630: true
rhel_07_020640: true
rhel_07_020650: true
rhel_07_020660: true
rhel_07_020670: true
rhel_07_020680: true
rhel_07_020690: true
rhel_07_020700: true
rhel_07_020710: true
rhel_07_020720: true
rhel_07_020730: true
rhel_07_020900: true
rhel_07_021000: true
rhel_07_021010: true
rhel_07_021020: true
rhel_07_021021: true
rhel_07_021030: true
rhel_07_021040: true
rhel_07_021100: true
rhel_07_021110: true
rhel_07_021120: true
rhel_07_021300: true
rhel_07_021620: true
rhel_07_021700: true
rhel_07_030010: true
rhel_07_030200: true
# if you set 030300 to 'true' ensure you define rhel7stig_audisp_remote_server
rhel_07_030300: "{{ rhel7stig_audisp_remote_server is defined }}"
rhel_07_030310: true
rhel_07_030320: true
rhel_07_030321: true
rhel_07_030330: true
rhel_07_030340: true
rhel_07_030350: true
rhel_07_030360: true
rhel_07_030370: true
rhel_07_030380: true
rhel_07_030390: true
rhel_07_030400: true
rhel_07_030410: true
rhel_07_030420: true
rhel_07_030430: true
rhel_07_030440: true
rhel_07_030450: true
rhel_07_030460: true
rhel_07_030470: true
rhel_07_030480: true
rhel_07_030490: true
rhel_07_030500: true
rhel_07_030510: true
rhel_07_030520: true
rhel_07_030530: true
rhel_07_030540: true
rhel_07_030550: true
rhel_07_030560: true
rhel_07_030570: true
rhel_07_030580: true
rhel_07_030590: true
rhel_07_030610: true
rhel_07_030620: true
rhel_07_030630: true
rhel_07_030640: true
rhel_07_030650: true
rhel_07_030660: true
rhel_07_030670: true
rhel_07_030680: true
rhel_07_030690: true
rhel_07_030700: true
rhel_07_030710: true
rhel_07_030720: true
rhel_07_030740: true
rhel_07_030750: true
rhel_07_030760: true
rhel_07_030770: true
rhel_07_030780: true
rhel_07_030790: true
rhel_07_030800: true
rhel_07_030810: true
rhel_07_030819: true
rhel_07_030820: true
rhel_07_030821: true
rhel_07_030830: true
rhel_07_030840: true
rhel_07_030870: true
rhel_07_030871: true
rhel_07_030872: true
rhel_07_030873: true
rhel_07_030874: true
rhel_07_030880: true
rhel_07_030890: true
rhel_07_030900: true
rhel_07_030910: true
rhel_07_030920: true
rhel_07_031000: true
rhel_07_031010: true
rhel_07_040100: true
rhel_07_040110: true
rhel_07_040160: true
rhel_07_040170: true
rhel_07_040180: true
rhel_07_040190: true
rhel_07_040200: true
rhel_07_040201: true
rhel_07_040300: true
rhel_07_040310: true
rhel_07_040320: true
rhel_07_040330: true
rhel_07_040340: true
rhel_07_040350: true
rhel_07_040360: true
rhel_07_040370: true
rhel_07_040380: true
rhel_07_040400: true
rhel_07_040410: true
rhel_07_040420: true
rhel_07_040430: true
rhel_07_040440: true
rhel_07_040450: true
rhel_07_040460: true
rhel_07_040470: true
rhel_07_040500: true
rhel_07_040510: false
rhel_07_040520: false
rhel_07_040610: true
rhel_07_040620: true
rhel_07_040630: true
rhel_07_040640: true
rhel_07_040641: true
rhel_07_040650: true
rhel_07_040660: true
rhel_07_040670: true
rhel_07_040680: true
rhel_07_040720: true
rhel_07_040730: true
rhel_07_040740: true
rhel_07_040750: true
rhel_07_040810: true
rhel_07_040820: true
rhel_07_040830: true
rhel_07_041001: true
rhel_07_041002: true
rhel_07_041003: true
rhel_07_041010: true
# CAT 3 rules
rhel_07_020200: true
rhel_07_020300: true
rhel_07_021022: true
rhel_07_021023: true
rhel_07_021024: true
rhel_07_021310: true
rhel_07_021320: true
rhel_07_021330: true
rhel_07_021340: true
rhel_07_021600: true
rhel_07_021610: true
rhel_07_040000: true
rhel_07_040530: true
rhel_07_040600: true

# Whether or not to run tasks related to auditing/patching the desktop environment
rhel7stig_gui: no

# RHEL-07-020250
# This is a check for a "supported release"
# These are the minimum supported releases.
# (Red Hat has support for older versions if you pay extra for it.)
rhel7stig_min_supported_os_ver:
    RedHat: "7.6"
    CentOS: "7.6.1810"

# RHEL-07-040740
# If system is not router, run tasks that disable router functions.
rhel7stig_system_is_router: no

# RHEL-07-032000
# Install and enable a DOD-approved AV program. ClamAV and McAfee (nails)
# are the currently approved applications. This variable is used in two separate
# tasks that will install the package and start and enable the service.

# Only set this to true if you have a valid
# antivirus solution in your repositories, else it will fail every time.
rhel7stig_antivirus_required: no

rhel7stig_av_package:
    package:
        - clamav
        - clamav-scanner
        - clamav-server
    service: clamav-daemon

rhel7stig_time_service: ntpd
rhel7stig_time_service_configs:
    chronyd:
        conf: /etc/chrony.conf
        block: |
          server 0.rhel.pool.ntp.org iburst maxpoll 10
          server 1.rhel.pool.ntp.org iburst maxpoll 10
          server 2.rhel.pool.ntp.org iburst maxpoll 10
          server 3.rhel.pool.ntp.org iburst maxpoll 10
    ntpd:
        conf: /etc/ntp.conf
        lines:
            - regexp: ^#?maxpoll
              line: maxpoll 10

rhel7stig_firewall_service: firewalld

# RHEL-07-031010
rhel7stig_system_is_log_aggregator: false

# RHEL-07-040300
# RHEL-07-040310
# Install and enable ssh on networked systems
rhel7stig_ssh_required: yes

# RHEL-07-040490
# If not required, remove vsftpd.
rhel7stig_vsftpd_required: no

# RHEL-07-040500
# If not required, remove tftp
rhel7stig_tftp_required: no

# Service configuration booleans set true to keep service
rhel7stig_autofs_required: false
rhel7stig_kdump_required: false

# RHEL-07-040580
# Set the SNMP community string to this from the default of public or private
rhel7stig_snmp_community: Endgam3Ladyb0g

# RHEL-07-010480 and RHEL-07-010490
# Password protect the boot loader
rhel7stig_bootloader_password: 'Boot1tUp!'
rhel7stig_bootloader_password_hash: "{{ rhel7stig_bootloader_password | grub2_hash(salt='KeokpkECTJeoDhEA5XtiLQ') }}"
rhel7stig_boot_superuser: root
rhel7stig_boot_password_config:
    - regexp: ^set superusers
      line: 'set superusers="{{rhel7stig_boot_superuser}}"'

    - regexp: ^password_pbkdf2 {{rhel7stig_boot_superuser}}
      line: password_pbkdf2 {{rhel7stig_boot_superuser}} {{ rhel7stig_bootloader_password_hash }}

# AIDE settings
# Set to false for fire and forget mode
rhel7stig_wait_for_aide_init: true
rhel7stig_aide_handler: "{{ (rhel7stig_wait_for_aide_init) | ternary('init aide and wait','init aide') }}"

# Set to false to not overwrite an existing AIDE DB
rhel7stig_overwrite_aide_db: true

# AIDE database file locations
rhel7stig_aide_temp_db_file: /var/lib/aide/aide.db.new.gz
rhel7stig_aide_db_file: /var/lib/aide/aide.db.gz

rhel7stig_aide_cron:
    user: root
    cron_file: aide
    job: '/usr/sbin/aide --check'
    special_time: daily
    # Disable the notification check rule to disable mailing notifications
    notify_by_mail: "{{rhel_07_020040}}"
    notify_cmd: ' | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root'

rhel7stig_cron_special_disable: "{{
        rhel7stig_workaround_for_disa_benchmark or
        rhel7stig_workaround_for_ssg_benchmark or
        false }}"

rhel7stig_aide_conf:
    file: /etc/aide.conf

# Set maximum number of simultaneous system logins (RHEL-07-040000)
rhel7stig_maxlogins: 10

rhel7stig_logon_banner: "{{ rhel7stig_workaround_for_disa_benchmark | ternary(
        rhel7stig_logon_banner_nice | regex_replace('(?s)(?<!\\n)\\n(?!(\n|$))', ' '),
        rhel7stig_logon_banner_nice) }}"
rhel7stig_logon_banner_nice: |
    You are accessing a U.S. Government (USG) Information System (IS) that is
    provided for USG-authorized use only.

    By using this IS (which includes any device attached to this IS), you consent
    to the following conditions:

    -The USG routinely intercepts and monitors communications on this IS for
    purposes including, but not limited to, penetration testing, COMSEC monitoring,
    network operations and defense, personnel misconduct (PM), law enforcement
    (LE), and counterintelligence (CI) investigations.

    -At any time, the USG may inspect and seize data stored on this IS.

    -Communications using, or data stored on, this IS are not private, are subject
    to routine monitoring, interception, and search, and may be disclosed or used
    for any USG-authorized purpose.

    -This IS includes security measures (e.g., authentication and access controls)
    to protect USG interests--not for your personal benefit or privacy.

    -Notwithstanding the above, using this IS does not constitute consent to PM, LE
    or CI investigative searching or monitoring of the content of privileged
    communications, or work product, related to personal representation or services
    by attorneys, psychotherapists, or clergy, and their assistants. Such
    communications and work product are private and confidential. See User
    Agreement for details.

# Password complexity settings
rhel7stig_password_complexity:
    ucredit: -1
    lcredit: -1
    dcredit: -1
    ocredit: -1
    difok: 8
    minclass: 4
    maxrepeat: 3
    maxclassrepeat: 4
    minlen: 15

# RHEL-07-040160
# Session timeout setting file (TMOUT setting can be set in multiple files)
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_shell_session_timeout:
    file: /etc/profile.d/tmout.sh
    timeout: 600

# RHEL-07-040320 | All network connections associated with SSH traffic must
# terminate at the end of the session or after 10 minutes of inactivity, except
# to fulfill documented and validated mission requirements.
# Timeout value is in seconds. (60 seconds * 10 = 600)
rhel7stig_ssh_session_timeout: 600

# RHEL-07-020260
# Configure regular automatic package updates using yum-cron
# update_cmd options:
# default                            = yum upgrade
# security                           = yum --security upgrade
# security-severity:Critical         = yum --sec-severity=Critical upgrade
# minimal                            = yum --bugfix upgrade-minimal
# minimal-security                   = yum --security upgrade-minimal
# minimal-security-severity:Critical =  --sec-severity=Critical upgrade-minimal
rhel7stig_auto_package_updates_enabled: no
rhel7stig_auto_package_updates:
    enabled: "{{ rhel7stig_auto_package_updates_enabled }}"
    update_cmd: "minimal-security"
    frequency: daily

# RHEL-07-020270
# If vsftpd is required, remove 'ftp' from rhel7stig_unnecessary_accounts.
#
# By default, files owned by removed users will be retained, but this may
# trigger RHEL-07-020320 (all files and directories must have a valid owner).
# Set rhel7stig_remove_unnecessary_user_files to yes to remove old files,
# but this could remove files you intended to keep. And it's probably best to
# avoid removing 'dbus', 'nobody', 'systemd-network', and 'polkitd', as they all
# have home directories of '/' by default.
rhel7stig_unnecessary_accounts:
    - ftp
    - games
rhel7stig_remove_unnecessary_user_files: no

# RHEL-07-010270
# pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations.
rhel7stig_pam_pwhistory:
    remember: 5
    retries: 3

# RHEL-07-010320
# RHEL-07-010330
# pam_faillock settings - accounts must be locked for max time period after 3 unsuccessful attempts within 15 minutes.
rhel7stig_pam_faillock:
    attempts: 3
    interval: 900
    unlock_time: 900
    fail_for_root: yes

# RHEL-07-030320 and RHEL-07-030321
rhel7stig_audisp_disk_full_action: syslog
rhel7stig_audisp_network_failure_action: syslog

# RHEL-07-040670
# Network interface promiscuous mode setting will be disabled unless set to true
rhel7stig_net_promisc_mode_required: no

# /etc/login.defs settings
# RHEL-07-010210
# RHEL-07-010230
# RHEL-07-010250
# RHEL-07-010430
# RHEL-07-020240
# RHEL-07-020610
rhel7stig_login_defaults:
    encrypt_method: SHA512
    pass_min_days: 1
    pass_max_days: 60
    fail_delay_secs: 4
    umask: '077'
    create_home: 'yes'

# RHEL-07-030300 uncomment and set the value to a remote IP address that can receive audit logs
# rhel7stig_audisp_remote_server: 10.10.10.10

# RHEL-07-030330: set this to 25% of the free space in /var/log/audit (measured in megabytes)
rhel7stig_auditd_space_left: "{{ ( ansible_mounts | json_query(rhel7stig_audit_disk_size_query) | int / 4 / 1024 / 1024 ) | int + 1 }}"
rhel7stig_audit_disk_size_query: "[?mount=='{{ rhel7stig_audit_part }}'].size_total | [0]"

# RHEL-07-030350
rhel7stig_auditd_mail_acct: root

# RHEL-07-020630
rhel7stig_homedir_mode: g-w,o-rwx

# RHEL-07-031000
# rhel7stig_log_aggregation_server: logagg.example.com

# RHEL-07-040180
# Whether the system should be using LDAP for authentication
rhel7stig_auth_settings:
    use_ldap: no
    use_sssd: no

# RHEL-07-040820
rhel7stig_ipsec_required: no

# RHEL-07-010340
# Setting to enable or disable fixes that depend on password-based authentication
# i.e. if users authenticate with a means other than passwords (pubkey)
# and will not know or use passwords then this should be 'no'
rhel7stig_using_password_auth: yes

rhel7stig_availability_override: false
# auditd_failure_flag
# 2    Tells your system to perform an immediate shutdown without
#      flushing any pending data to disk when the limits of your
#      audit system are exceeded. Because this shutdown is not a clean shutdown.
#      restrict the use of -f 2 to only the most security conscious environments
# 1    System continues to run, issues a warning and audit stops.
#      Use this for any other setup to avoid loss of data or data corruption.
rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, 2) }}"

rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"

rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"

rhel7stig_machine_uses_uefi: "{{ rhel_07_sys_firmware_efi.stat.exists }}"
rhel7stig_grub_cfg_path: "{{ rhel7stig_machine_uses_uefi | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"
rhel7stig_grub_cfg_path_invalid: "{{ (not rhel7stig_machine_uses_uefi) | ternary('/boot/efi/EFI/' ~ (ansible_distribution | lower) ~ '/grub.cfg', '/boot/grub2/grub.cfg') }}"

rhel7stig_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

rhel7stig_local_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_local_mounts_query) }}"
rhel7stig_local_mounts_query: "[?starts_with(device, '/dev/')].mount"

rhel7stig_nfs_mounts: "{{ ansible_mounts | to_json | from_json | json_query(rhel7stig_nfs_mounts_query) }}"
rhel7stig_nfs_mounts_query: "[?starts_with(fstype, 'nfs')].mount"