remove execshield on rhel7

dev-sec · Apr 21, 2017 · dbd66c0 · dbd66c0
1 parent 7fdd7b4
commit dbd66c0
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 12 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -106,13 +106,3 @@ sysctl_config:
 
   # RFC 1337 fix F1
   net.ipv4.tcp_rfc1337: 1
-
-# CAUTION
-# If you want to overwrite sysctl-variables,
-# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
-
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows
-  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks.
-  net.ipv4.tcp_syncookies: 1
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,6 +1,11 @@
 ---
-- name: add the OS specific variables
-  include_vars: "{{ ansible_os_family }}.yml"
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+   - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_distribution }}.yml"
+   - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+   - "{{ ansible_os_family }}.yml"
   tags: always
 
 - include: limits.yml

diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml
@@ -0,0 +1,22 @@
+---
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: "0600"
+
+# CAUTION
+# If you want to overwrite sysctl-variables,
+# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
+
+sysctl_rhel_config:
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
+
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
@@ -10,3 +10,13 @@ os_shadow_perms:
   owner: root
   group: root
   mode: "0600"
+
+# CAUTION
+# If you want to overwrite sysctl-variables,
+# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
+
+sysctl_rhel_config:
+  # ExecShield protection against buffer overflows
+  kernel.exec-shield: 1
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1