---
# defaults file for tomcat-stig/
# These settings enable/disable entire STIG categories (CAT1 = highest severity).
# true = enabled / false = disabled
tcat_cat1_patch: true
tcat_cat2_patch: true
tcat_cat3_patch: true
# NOTE(review): no comment in the original; from the name this presumably skips
# tasks that cannot run under Travis CI -- check the tasks that reference it.
tcat_skip_for_travis: false
# Tweak the role to run in a chroot, such as in a kickstart %post script.
# Falls back to False when the ansible_is_chroot fact is not available.
tcat_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
# This toggle installs the packages needed for your web server.
# true will install packages and false will skip package install.
tcat_automate_install: true
# Some tasks require the host to be on the latest version. This toggle upgrades
# to the latest packages: true will upgrade and false will NOT upgrade.
tcat_automate_package_upgrades: true
# We've defined disruption-high to indicate items that are likely to cause
# disruption in a normal workflow. These items can be remediated automatically
# but are disabled by default to avoid disruption.
# true = run disruptive tasks, false = skip disruptive tasks
# NOTE(review): the comment says "disabled by default" but the value below is true.
tcat_disruption_high: true
# Some tasks need a reference to where interactive/non-system user account UIDs start.
# The value below is the UID start point for interactive/non-system users. Default in Linux is 1000.
tcat_non_privileged_uid: 1000
# Toggle to enable/disable the need for the privileged attribute in context.xml.
# Leave false unless a web application genuinely needs a privileged Context
# (it grants the application access to Tomcat's container servlets).
tcat_privileged_context_need: false
# Tomcat home path. Gathered from the tomcat.service config by a task that
# registers catalina_find_home_dir; this default only resolves after that task has run.
catalina_home_dir: "{{ catalina_find_home_dir.stdout }}"
# This allows the role to install Tomcat 9 before running the role, or just run the role against a host.
# tcat_install set to true will install Tomcat 9 before running, set to false will skip installing tasks.
tcat_install: true
# CAT1 Rules
# Per-control toggles: true = remediate, false = skip. Several CAT1 controls
# default to false; the variable sections further down carry the settings
# (keystore password, JNDI realm, ...) those controls need before enabling them.
TCAT_AS_000060: true
TCAT_AS_000630: true
TCAT_AS_000690: false
TCAT_AS_000720: true
TCAT_AS_000750: false
TCAT_AS_001440: false
TCAT_AS_001450: false
TCAT_AS_001490: false
TCAT_AS_001500: false
# CAT2 Rules
# All CAT2 controls are enabled by default.
TCAT_AS_000020: true
TCAT_AS_000040: true
TCAT_AS_000050: true
TCAT_AS_000070: true
TCAT_AS_000080: true
TCAT_AS_000090: true
TCAT_AS_000100: true
TCAT_AS_000110: true
TCAT_AS_000160: true
TCAT_AS_000170: true
TCAT_AS_000180: true
TCAT_AS_000190: true
TCAT_AS_000210: true
TCAT_AS_000220: true
TCAT_AS_000230: true
TCAT_AS_000240: true
TCAT_AS_000250: true
TCAT_AS_000270: true
TCAT_AS_000280: true
TCAT_AS_000290: true
TCAT_AS_000300: true
TCAT_AS_000310: true
TCAT_AS_000360: true
TCAT_AS_000361: true
TCAT_AS_000370: true
TCAT_AS_000371: true
TCAT_AS_000380: true
TCAT_AS_000390: true
TCAT_AS_000400: true
TCAT_AS_000410: true
TCAT_AS_000450: true
TCAT_AS_000470: true
TCAT_AS_000490: true
TCAT_AS_000500: true
TCAT_AS_000530: true
TCAT_AS_000540: true
TCAT_AS_000590: true
TCAT_AS_000600: true
TCAT_AS_000610: true
TCAT_AS_000680: true
TCAT_AS_000700: true
TCAT_AS_000710: true
TCAT_AS_000780: true
TCAT_AS_000790: true
TCAT_AS_000800: true
TCAT_AS_000860: true
TCAT_AS_000920: true
TCAT_AS_000940: true
TCAT_AS_000970: true
TCAT_AS_001020: true
TCAT_AS_001030: true
TCAT_AS_001050: true
TCAT_AS_001060: true
TCAT_AS_001070: true
TCAT_AS_001200: true
TCAT_AS_001220: true
TCAT_AS_001230: true
TCAT_AS_001240: true
TCAT_AS_001250: true
TCAT_AS_001280: true
TCAT_AS_001290: true
TCAT_AS_001300: true
TCAT_AS_001320: true
TCAT_AS_001330: true
TCAT_AS_001380: true
TCAT_AS_001390: true
TCAT_AS_001430: true
TCAT_AS_001460: true
TCAT_AS_001470: true
TCAT_AS_001480: true
TCAT_AS_001550: true
TCAT_AS_001560: true
TCAT_AS_001570: true
TCAT_AS_001580: true
TCAT_AS_001590: true
TCAT_AS_001592: true
TCAT_AS_001594: true
TCAT_AS_001596: true
TCAT_AS_001600: true
TCAT_AS_001610: true
TCAT_AS_001680: true
TCAT_AS_001690: true
TCAT_AS_001700: true
# CAT3 Rules
# Enabled by default except TCAT_AS_000840 and TCAT_AS_000950.
TCAT_AS_000010: true
TCAT_AS_000030: true
TCAT_AS_000140: true
TCAT_AS_000260: true
TCAT_AS_000480: true
TCAT_AS_000510: true
TCAT_AS_000520: true
TCAT_AS_000550: true
TCAT_AS_000560: true
TCAT_AS_000570: true
TCAT_AS_000580: true
TCAT_AS_000810: true
TCAT_AS_000820: true
TCAT_AS_000840: false
TCAT_AS_000930: true
TCAT_AS_000950: false
TCAT_AS_001040: true
TCAT_AS_001080: true
TCAT_AS_001260: true
TCAT_AS_001270: true
TCAT_AS_001640: true
TCAT_AS_001660: true
TCAT_AS_001670: true
TCAT_AS_001710: true
TCAT_AS_001720: true
TCAT_AS_001730: true
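# Install Tomcat Variables
# Below are the variables needed to install Tomcat via automation.
# Java is required for Tomcat.
java_version: 'jdk-11.0.5+10'
java_install_dir: '/opt/java'
# Java home path for RedHat systems. The task that sets this has an automated
# toggle for RedHat vs Ubuntu; this is only used when RedHat based systems are detected.
tomcat_java_home_rh: "/usr/lib/jvm/jre"
# Java home path for Ubuntu systems. Only used when Ubuntu systems are detected.
# NOTE(review): this points at a Java 8 JRE while java_version above is a JDK 11
# build -- confirm which runtime the role actually installs and uses.
tomcat_java_home_ub: "/usr/lib/jvm/java-8-openjdk-amd64/jre"
# Unprivileged account/group Tomcat runs as.
tomcat_user: tomcat
tomcat_group: tomcat
# Archive name and extension are split so the version is set in one place;
# tomcat_redis_filename (the redistributable file name) is derived from them.
# The version path segment in tomcat_archive_url must be changed in step.
tomcat_archive_name: "apache-tomcat-9.0.40"
tomcat_archive_name_ext: ".tar.gz"
tomcat_redis_filename: "{{ tomcat_archive_name }}{{ tomcat_archive_name_ext }}"
tomcat_archive_url: "https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.40/bin/"
# NOTE(review): no checksum variable is defined for the downloaded archive;
# verify the tarball against the hash published on archive.apache.org (for
# example via the checksum parameter of get_url in the install task).
tomcat_home_path: "/opt/tomcat"
tomcat_archive_install_path: "{{ tomcat_home_path }}/{{ tomcat_archive_name }}"
tomcat_install_link: "{{ tomcat_home_path }}/current"
# Tomcat's built-in Manager application roles the role can assign.
# Grant only the roles an operator actually needs.
tomcat_roles:
  - manager-gui
  - manager-script
  - manager-jmx
  - manager-status
# No Manager users are created by default.
tomcat_users: []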
# System variables not related to installing Tomcat
# Directory to store files downloaded for Java installation on the remote box.
# Overridable via x_ansible_download_dir; otherwise under the remote user's home.
tomcat_download_dir: "{{ x_ansible_download_dir | default(ansible_env.HOME + '/.ansible/tmp/downloads') }}"
# Location Tomcat installation packages can be found on the local box;
# local packages are used in preference to downloading new packages.
tomcat_local_archive_dir: '{{ playbook_dir }}/files'
# Whether to use installation packages in the local archive (if available).
tomcat_use_local_archive: false
# CAT1 Variables
# TCAT-AS-000060/TCAT-AS-000720
# tcat_default_storepass is the default keystore password. It is a placeholder
# and must be overridden per deployment, preferably from an Ansible Vault
# variable (e.g. tcat_default_storepass: "{{ vault_tcat_storepass }}") rather
# than left as this well-known value in a committed defaults file.
tcat_default_storepass: "password1"
# Control TCAT-AS-000690
# Settings for the JNDIRealm. Replace localhost with the LDAP server address.
# NOTE(review): the registered LDAPS port is 636; confirm the port against your
# directory server before enabling this control.
tcat_jndi_realm:
  connection_url: "ldaps://localhost:686"
  user_pattern: "uid={0},ou=people,dc=myunit,dc=mil"
  role_base: "ou=groups,dc=myunit,dc=mil"
  role_name: "cn"
  role_search: "(uniqueMember={0})"
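# CAT2 Variables
# Control TCAT-AS-000050, TCAT-AS-001290
# Settings for the AccessLogValve. The pattern contains double quotes, so it is
# single-quoted here (the previous double-quoted form was not valid YAML).
# NOTE(review): if the role writes this value straight into an XML attribute of
# server.xml, the inner quotes need to be &quot; -- check the template.
tcat_access_log_valve:
  prefix: "localhost_access_log"
  suffix: ".txt"
  pattern: '%h %l %u %t "%r" %s %b'
# Control TCAT-AS-000170
# tcat_routable_ip_proxy: whether the proxy uses a routable IP address rather
# than RFC 1918 (Class B) address space. NOTE(review): the original comment did
# not say which value means which; check the task that consumes it.
# tcat_remoteipvalve_proxy_addresses: pipe-separated list of the internal proxy
# addresses for the address space mentioned above.
tcat_routable_ip_proxy: false
tcat_remoteipvalve_proxy_addresses: "172.16.0.10|172.16.0.11"
# Control TCAT-AS-000600
# Disables the config injection that is not needed once the manager and
# host-manager applications have been removed.
tcat_manager_host_manager_removed: false
# Control TCAT-AS-000780
# Enables the task if JMXRemote is used and sets the host IP if it is enabled.
# tcat_jmx_management: true means you are using JMX management, false means you
# are not and the IP configured below will not be set.
tcat_jmx_management: false
# Sample address -- override with the management interface of the host.
tcat_jmxremote_host: "192.168.0.150"
# Control TCAT-AS-000790
# Enables RemoteAddrValve. The value is a pattern, so it is single-quoted to
# keep the backslashes literal.
tcat_remote_addr_valve: false
tcat_remoteaddrvalve_value: '127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1'
# Control TCAT-AS-000790
# Enables RemoteCIDRValve.
tcat_remote_cidr_valve: false
tcat_remotecidrvalve_value: '127.0.0.1, ::1,192.168.1.0/24'
# Control TCAT-AS-000800
# List of IP addresses used in connectors that are behind proxies.
tcat_connect_proxy_address:
  - 127.0.0.1
# Control TCAT-AS-001020
# Values for the LockOutRealm:
# tcat_lockoutrealm_failurecount is the number of failed attempts before lockout
# tcat_lockoutrealm_lockouttime is the duration of the lockout (seconds)
tcat_lockoutrealm_failurecount: "5"
tcat_lockoutrealm_lockouttime: "600"
# Control TCAT-AS-001460
# tcat_clustering_enabled will set the SimpleTcpCluster in server.xml.
tcat_clustering_enabled: true
# Control TCAT-AS-001570
# Loop used to add the AccessLogValve attributes to all Host sections; the
# prefix/suffix/pattern entries follow tcat_access_log_valve above.
tcat_big_access_log_valve:
  - attribute: className
    value: "org.apache.catalina.valves.AccessLogValve"
  - attribute: directory
    value: "logs"
  - attribute: prefix
    value: "{{ tcat_access_log_valve.prefix }}"
  - attribute: suffix
    value: "{{ tcat_access_log_valve.suffix }}"
  - attribute: pattern
    value: "{{ tcat_access_log_valve.pattern }}"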
# CAT3 Variables
# Control TCAT-AS-000010
# tcat_max_active_sessions is the number of simultaneous active sessions allowed.
tcat_max_active_sessions: "10"
# TCAT-AS-001730
# tcat_listen_address is the address of the network interface the connector will
# listen on. Sample value -- override per host.
tcat_listen_address: "192.168.0.145"