This role can be fully customized to fit your environment, and for most deployments it is recommended that you review and adjust the role variables before applying the role across your estate. The comprehensive set of variables that tailors the role's tasks is defined in defaults/main.yml. There are several ways to override default role variables in Ansible; the recommended techniques are covered below.
The easiest way to tailor this role to your environment is with group_vars: a per-group variable file in your inventory that overrides the role defaults for every host in that group.
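A group_vars file that tailors the role for one inventory group, as an added example (not one of the role's own files). The group name stig_hosts and the reason given for kdump are assumptions; the variable names are the ones documented in the sections that follow. Ansible precedence is role defaults < group_vars < host_vars < extra vars (-e), so a value passed with -e on the command line still overrides anything set here.

```yaml
# group_vars/stig_hosts.yml  (assumed group name; added example, not part of the role)
# Applies to every host in the "stig_hosts" inventory group and overrides
# the values in the role's defaults/main.yml.

# Bulk category switches. A disabled category skips all of its tasks,
# regardless of the individual rule variables.
rhel7stig_cat1_patch: yes
rhel7stig_cat2_patch: yes
rhel7stig_cat3_patch: no          # low-severity items deferred to a later wave

# Complex rules: audit and report only, no automated remediation.
rhel7stig_complexity_high: no
rhel7stig_audit_complex: yes

# Disruptive rules: same pattern, keep remediation off on production hosts.
rhel7stig_disruption_high: no
rhel7stig_audit_disruptive: yes

# Services this group needs. Anything other than ssh set to "yes" is a
# deviation from the STIG and needs a documented, approved exception.
rhel7stig_ssh_required: yes
rhel7stig_kdump_required: yes     # assumed deviation: crash dumps needed for vendor support
rhel7stig_vsftpd_required: no
rhel7stig_tftp_required: no
rhel7stig_autofs_required: no
rhel7stig_ipsec_required: no

# Headless servers: skip the GNOME-related tasks entirely.
rhel7stig_gui: no
```

Place the file under the directory that holds your inventory (or next to the playbook) and run the play against the stig_hosts group as usual; no change to the role itself is needed. Keep the reason for every "yes" on a *_required variable in the file, since that comment is the start of the deviation record the system owner has to sign.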
The role has a large number of variables that let the deployer control whether specific tasks run (on/off) as well as the configuration or settings applied by the tasks and the controls they implement. For example, the deployer can enable or disable tasks by severity/category (cat1 | high, cat2 | medium, cat3 | low), choose whether any GUI-related tasks run, or tailor specific STIG settings such as the logon banner text or the password complexity requirements. Not every variable is covered in this section, only the major ones; the variables that control specific tasks or control configurations are detailed in the controls documentation.
These variables enable or disable all cat1, cat2, or cat3 rules in bulk. Disabling a category takes precedence over the individual task variables, but enabling one does not: a task runs only when both its category variable and its own variable are enabled. If rhel7stig_cat3_patch is set to no, every cat3 task is skipped regardless of its individual setting (see the individual rule variables below); if the cat3 variable is enabled, individual cat3 tasks can still be skipped by disabling their own variable.
rhel7stig_cat1_patch: yes
rhel7stig_cat2_patch: yes
rhel7stig_cat3_patch: yes
Several variables control the execution or behavior of tasks that the implementers of this role consider too complex or risky to remediate automatically. The tasks for these rules audit the system, optionally report a changed status, and report back (via debug statements) when the system would fail the check. The deployer can use this information to remediate the finding manually. The execution and reporting behavior of these tasks is controlled by two variables:
# Controls execution of these tasks
rhel7stig_complexity_high: no
# Controls whether these tasks report changed when the check would fail
rhel7stig_audit_complex: yes
These variables are similar to the complex-task variables. They control the execution or behavior of tasks that can remediate automatically but have been shown to be potentially disruptive when run against production systems; the risk of automated remediation with these tasks is high. The tasks for these rules audit the system, optionally report a changed status, and report back (via debug statements) when the system would fail the check. The deployer can use this information to remediate the finding manually. The execution and reporting behavior of these tasks is controlled by two variables:
# Controls execution of these tasks
rhel7stig_disruption_high: no
# Controls whether these tasks report changed when the check would fail
rhel7stig_audit_disruptive: yes
These variables let the deployer declare that a service is required for the system to perform its mission, so the role leaves that service installed and enabled. With the exception of ssh, having any of these services installed and enabled is a deviation from the STIG benchmark and should have corresponding documentation approved by the system owner or another signing authority.
rhel7stig_ssh_required: yes
rhel7stig_vsftpd_required: no
rhel7stig_tftp_required: no
rhel7stig_autofs_required: no
rhel7stig_kdump_required: no
rhel7stig_ipsec_required: no
This variable enables or disables all tasks related to GUI packages. These generally apply only to a system with the GNOME package installed. That is not to say that KDE, XFCE, or one of the many other desktop environments would not need similar controls in place, but the STIG currently only covers GNOME settings.
rhel7stig_gui: no
These variables enable or disable individual rules, or more precisely the task or block of tasks that enforces each STIG rule. Each STIG item with an ID of the form RHEL-07-###### (for example RHEL-07-010010) has a corresponding variable in the format below, with the rule ID lower-cased and the hyphens replaced by underscores. For more information on each rule and its default state, see the controls documentation.
rhel_07_######: true
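A per-host exception using host_vars, as an added example (not one of the role's own files). It uses the page's example rule RHEL-07-010010, whose variable is therefore rhel_07_010010; the hostname and the reason for the exception are assumptions. Because host_vars sit above group_vars in Ansible precedence, this disables the rule for this one host only, while the bulk category switch (rhel7stig_cat*_patch) set at the group level still gates whether the rule's task runs at all.

```yaml
# host_vars/db01.example.com.yml  (assumed hostname; added example, not part of the role)
# Overrides group_vars for this single host. Disabling one rule this way is
# still a finding: record the reason here and in the approved exception.
rhel_07_010010: false   # assumed reason: vendor package fails this check until it is replaced

# Note that setting a rule variable to true here does not force the task to run
# if its category is disabled for the group (e.g. rhel7stig_cat3_patch: no);
# the category switch is the outer gate and the rule variable the inner one.
```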