public-health-ch/ansible/roles/dev-sec.os-hardening/defaults/main.yml

os_desktop_enable: false
os_env_extra_user_paths: []
os_env_umask: '027'
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
os_auth_lockout_time: 600 # 10min
os_auth_timeout: 60
os_auth_allow_homeless: false
os_auth_pam_passwdqc_enable: true
os_auth_pam_passwdqc_options: 'min=disabled,disabled,16,12,8' # used in RHEL6
os_auth_pam_pwquality_options: 'try_first_pass retry=3 type=' # used in RHEL7
os_auth_root_ttys: [console, tty1, tty2, tty3, tty4, tty5, tty6]
os_auth_uid_min: 1000
os_auth_gid_min: 1000
os_auth_sys_uid_min: 100
os_auth_sys_uid_max: 999
os_auth_sys_gid_min: 100
os_auth_sys_gid_max: 999

os_chfn_restrict: ''
# may contain: change_user
os_security_users_allow: []
# specify system accounts those login should not be disabled and password not changed
os_ignore_users: ['vagrant']
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
# user-defined blacklist and whitelist
os_security_suid_sgid_blacklist: []
os_security_suid_sgid_whitelist: []
# if this is true, remove any suid/sgid bits from files that were not in the whitelist
os_security_suid_sgid_remove_from_unknown: false

# remove packages with known issues
os_security_packages_clean: true
os_security_packages_list: ['xinetd','inetd','ypserv','telnet-server','rsh-server','rsync']

# Allow interactive startup (rhel, centos)
os_security_init_prompt: true
# Require root password for single user mode. (rhel, centos)
os_security_init_single: false

# Apply ufw defaults
ufw_manage_defaults: true

# Empty variable disables IPT_SYSCTL in /etc/default/ufw
# by default in Ubuntu it set to: /etc/ufw/sysctl.conf
# CAUTION
# if you enable it - it'll overwrite /etc/sysctl.conf file, managed by hardening framework
ufw_ipt_sysctl: ''

# Default ufw variables
ufw_default_input_policy: 'DROP'
ufw_default_output_policy: 'ACCEPT'
ufw_default_forward_policy: 'DROP'
ufw_default_application_policy: 'SKIP'
ufw_manage_builtins: 'no'
ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'

# CAUTION
# If you want to overwrite sysctl-variables,
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.

sysctl_config:
  # Disable IPv4 traffic forwarding.
  net.ipv4.ip_forward: 0

  # Disable IPv6 traffic forwarding.
  net.ipv6.conf.all.forwarding: 0

  # ignore RAs on Ipv6.
  net.ipv6.conf.all.accept_ra: 0
  net.ipv6.conf.default.accept_ra: 0

  # Enable RFC-recommended source validation feature.
  net.ipv4.conf.all.rp_filter: 1
  net.ipv4.conf.default.rp_filter: 1

  # Reduce the surface on SMURF attacks.
  # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
  net.ipv4.icmp_echo_ignore_broadcasts: 1

  # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
  net.ipv4.icmp_ignore_bogus_error_responses: 1

  # Limit the amount of traffic the system uses for ICMP.
  net.ipv4.icmp_ratelimit: 100

  # Adjust the ICMP ratelimit to include ping, dst unreachable,
  # source quench, ime exceed, param problem, timestamp reply, information reply
  net.ipv4.icmp_ratemask: 88089

  # Disable IPv6
  net.ipv6.conf.all.disable_ipv6: 1

  # Protect against wrapping sequence numbers at gigabit speeds
  net.ipv4.tcp_timestamps: 0

  # Define restriction level for announcing the local source IP
  net.ipv4.conf.all.arp_ignore: 1

  # Define mode for sending replies in response to
  # received ARP requests that resolve local target IP addresses
  net.ipv4.conf.all.arp_announce: 2

  # RFC 1337 fix F1
  net.ipv4.tcp_rfc1337: 1

# CAUTION
# If you want to overwrite sysctl-variables,
# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.

sysctl_rhel_config:
  # ExecShield protection against buffer overflows
  kernel.exec-shield: 1
  # Syncookies is used to prevent SYN-flooding attacks.
  net.ipv4.tcp_syncookies: 1