add "when" statements in hardening.yml(#453) (#455)

* add "when" statements in hardening.yml(#453)

Signed-off-by: jqiuyin <[email protected]>

* add "when" statements in hardening.yml(#453)

Signed-off-by: jqiuyin <[email protected]>

* add "when" statements in hardening.yml(#453)

Signed-off-by: jqiuyin <[email protected]>

roles/os_hardening/README.md

@@ -193,6 +193,48 @@ We know that this is the case on Raspberry Pi.
 - `os_ignore_home_folder_users`
   - Default: `lost+found`
   - Description: specify user home folders in `/home` that shouldn't be chmodded to 700
+- `os_cron_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring cron.
+- `os_limits_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring limits.
+- `os_login_defs_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring login_defs.
+- `os_minimize_access_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring minimize_access.
+- `os_pam_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring pam.
+- `os_modprobe_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring modprobe.
+- `os_profile_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring profile.
+- `os_securetty_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring securetty.
+- `os_sysctl_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring sysctl.
+- `os_user_accounts_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring user_accounts.
+- `os_rhosts_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring rhosts.
+- `os_yum_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring yum.
+- `os_apt_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring apt.
+- `os_selinux_enabled`
+  - Default: `true`
+  - Description: Set to false to disable installing and configuring selinux.
 - `os_sha_crypt_min_rounds`
   - Default: `640000`
   - Description: Define the number of minimum SHA rounds. With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users. The values must be inside the 1000-999999999 range.

roles/os_hardening/defaults/main.yml

@@ -322,6 +322,48 @@ os_selinux_policy: targeted
 # Mount options for proc in /etc/fstab.
 proc_mnt_options: 'rw,nosuid,nodev,noexec,relatime,hidepid={{ hidepid_option }}'
 
+# Set to false to disable installing and configuring cron.
+os_cron_enabled: true
+
+# Set to false to disable installing and configuring limits.
+os_limits_enabled: true
+
+# Set to false to disable installing and configuring login_defs.
+os_login_defs_enabled: true
+
+# Set to false to disable installing and configuring minimize_access.
+os_minimize_access_enabled: true
+
+# Set to false to disable installing and configuring pam.
+os_pam_enabled: true
+
+# Set to false to disable installing and configuring modprobe.
+os_modprobe_enabled: true
+
+# Set to false to disable installing and configuring profile.
+os_profile_enabled: true
+
+# Set to false to disable installing and configuring securetty.
+os_securetty_enabled: true
+
+# Set to false to disable installing and configuring sysctl.
+os_sysctl_enabled: true
+
+# Set to false to disable installing and configuring user_accounts.
+os_user_accounts_enabled: true
+
+# Set to false to disable installing and configuring rhosts.
+os_rhosts_enabled: true
+
+# Set to false to disable installing and configuring yum.
+os_yum_enabled: true
+
+# Set to false to disable installing and configuring apt.
+os_apt_enabled: true
+
+# Set to false to disable installing and configuring selinux.
+os_selinux_enabled: true
+
 # Define the number of SHA rounds.
 # With a lot of rounds brute forcing the password is more difficult. But note also that it more CPU resources will be needed to authenticate users.
 # The values must be inside the 1000-999999999 range.

roles/os_hardening/tasks/hardening.yml

@@ -28,49 +28,66 @@
 
 - import_tasks: cron.yml
   tags: cron
+  when: os_cron_enabled | bool
 
 - import_tasks: limits.yml
   tags: limits
+  when: os_limits_enabled | bool
 
 - import_tasks: login_defs.yml
   tags: login_defs
+  when: os_login_defs_enabled | bool
 
 - import_tasks: minimize_access.yml
   tags: minimize_access
+  when: os_minimize_access_enabled | bool
 
 - import_tasks: pam.yml
   tags: pam
+  when: os_pam_enabled | bool
 
 - import_tasks: modprobe.yml
   tags: modprobe
+  when: os_modprobe_enabled | bool
 
 - import_tasks: profile.yml
   tags: profile
+  when: os_profile_enabled | bool
 
 - import_tasks: securetty.yml
   tags: securetty
+  when: os_securetty_enabled | bool
 
 - import_tasks: suid_sgid.yml
   when: os_security_suid_sgid_enforce  | bool
   tags: suid_sgid
 
 - import_tasks: sysctl.yml
   tags: sysctl
+  when: os_sysctl_enabled | bool
 
 - import_tasks: user_accounts.yml
   tags: user_accounts
+  when: os_user_accounts_enabled | bool
 
 - import_tasks: rhosts.yml
   tags: rhosts
+  when: os_rhosts_enabled | bool
 
 - import_tasks: yum.yml
-  when: ansible_facts.os_family == 'RedHat'
   tags: yum
+  when:
+    - ansible_facts.os_family == 'RedHat'
+    - os_yum_enabled | bool
 
 - import_tasks: apt.yml
-  when: ansible_facts.os_family == 'Debian'
   tags: apt
+  when:
+    - ansible_facts.os_family == 'Debian'
+    - os_apt_enabled | bool
 
 - import_tasks: selinux.yml
   tags: selinux
-  when: ansible_facts.selinux.status == 'enabled'
+  when:
+    - ansible_facts.selinux.status == 'enabled'
+    - os_selinux_enabled | bool