remove execshield sysctl-parameter on rhel7

.travis.yml

@@ -55,7 +55,7 @@ script:
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --skip-tags "sysctl"'
 
    # Verify role
-  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 package-01 package-02 package-03 package-04 package-05 package-06'
+  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 os-09 os-10 package-01 package-02 package-03 package-04 package-05 package-06 package-09'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

defaults/main.yml

@@ -22,7 +22,7 @@ os_chfn_restrict: ''
 # may contain: change_user
 os_security_users_allow: []
 # specify system accounts those login should not be disabled and password not changed
-os_ignore_users: ['vagrant']
+os_ignore_users: ['vagrant', 'kitchen']
 os_security_kernel_enable_module_loading: true
 os_security_kernel_enable_core_dump: false
 os_security_suid_sgid_enforce: true
@@ -182,9 +182,3 @@ sysctl_config:
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite:
-
-sysctl_rhel_config:
-  # ExecShield protection against buffer overflows | sysctl-33
-  kernel.exec-shield: 1
-  # Syncookies is used to prevent SYN-flooding attacks. | sysctl-11
-  net.ipv4.tcp_syncookies: 1

tasks/main.yml

@@ -1,6 +1,11 @@
 ---
-- name: add the OS specific variables
-  include_vars: '{{ ansible_os_family }}.yml'
+- name: Set OS dependent variables
+  include_vars: "{{ item }}"
+  with_first_found:
+   - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_distribution }}.yml'
+   - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
+   - '{{ ansible_os_family }}.yml'
   tags: always
 
 - include: limits.yml

vars/RedHat-7.yml

@@ -0,0 +1,18 @@
+---
+os_packages_pam_ccreds: 'pam_ccreds'
+os_packages_pam_passwdqc: 'pam_passwdqc'
+os_packages_pam_cracklib: 'pam_cracklib'
+os_nologin_shell_path: '/sbin/nologin'
+
+# Different distros use different standards for /etc/shadow perms, e.g.
+# RHEL derivatives use root:root 0600, whereas Debian-based use root:shadow 0640.
+# You must provide key/value pairs for owner, group, and mode if overriding.
+os_shadow_perms:
+  owner: root
+  group: root
+  mode: "0600"
+
+sysctl_rhel_config:
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
+

vars/RedHat.yml

@@ -11,7 +11,14 @@ os_shadow_perms:
   group: root
   mode: '0600'
 
+sysctl_rhel_config:
+  # ExecShield protection against buffer overflows
+  kernel.exec-shield: 1
+  # Syncookies is used to prevent SYN-flooding attacks.
+  net.ipv4.tcp_syncookies: 1
+
 os_passwd_perms:
   owner: root
   group: root
   mode: '0644'
+