tb3088/group_vars::RedHat7.yaml

## group_vars::all.yaml
---
apply_cat1: yes
apply_cat2: yes
apply_cat3: no

package:
  update_all: no

bootloader:
  password: ""

login_banner: |
  !! NOTICE - This is a PRIVATE computing system !!
  All activity is monitored and any unauthorized access will be reported
  to the authorities. Disconnect now if you do not agree to these terms.

#ssh:

#password:
#  length:
#  age:
#    min:
#    max:
#  reuse:
#pam:
#  unix:
#  cracklib:
#  auth:
#    sufficient:

selinux:
  policy: minimal
  state: permissive

## group_vars::RedHat7.yaml
---
rhel7stig_cat1: "{{ apply_cat1 }}"
rhel7stig_cat2: "{{ apply_cat2 }}"
rhel7stig_cat3: "{{ apply_cat3 }}"
rhel7stig_logon_banner: "{{ login_banner }}"
rhel7stig_update_all_packages: "{{ not package is defined or package.update_all }}"
rhel7stig_bootloader_password: "{{ not bootloader is defined or bootloader.password }}"
# !disable 'exec' on NFS
rhel_07_021021: false

rhel_07_020210: "{{ not selinux is defined or selinux.state | default('disabled', true) != 'disabled' }}"
rhel_07_020220: "{{ rhel_07_020220 }}"

## site.yaml
---
- hosts: all
  tasks:
    - set_fact:
        # useful? accessed via ansible_local.<fact>
        basedir: "{{ playbook_dir }}"
        # TODO can't pass this in via '--extra-vars "factory_basedir=<path>' from Packer
        # because it's retarded and doesn't process --extra_vars et. al. as a Template
        factory_basedir: lookup('env', 'FACTORY_BASEDIR')
    - setup: filter=ansible_local
    - group_by:
        key: "{{ansible_facts.os_family}}{{ansible_facts.distribution_major_version}}"
        parents:
          - ansible_facts.distribution
          # distro == osfamily causes duplicate parent, WHEN conditional not supported
          #- ansible_facts.os_family

- hosts: RedHat6
  gather_facts: false
  become: yes
  tasks:
    - import_role:
        name: RHEL6-STIG

- hosts: RedHat7
  gather_facts: false
  become: yes
  tasks:
    - import_role:
        name: RHEL7-STIG
	---
	apply_cat1: yes
	apply_cat2: yes
	apply_cat3: no

	package:
	update_all: no

	bootloader:
	password: ""

	login_banner: \|
	!! NOTICE - This is a PRIVATE computing system !!
	All activity is monitored and any unauthorized access will be reported
	to the authorities. Disconnect now if you do not agree to these terms.

	#ssh:

	#password:
	# length:
	# age:
	# min:
	# max:
	# reuse:
	#pam:
	# unix:
	# cracklib:
	# auth:
	# sufficient:

	selinux:
	policy: minimal
	state: permissive
	---
	rhel7stig_cat1: "{{ apply_cat1 }}"
	rhel7stig_cat2: "{{ apply_cat2 }}"
	rhel7stig_cat3: "{{ apply_cat3 }}"
	rhel7stig_logon_banner: "{{ login_banner }}"
	rhel7stig_update_all_packages: "{{ not package is defined or package.update_all }}"
	rhel7stig_bootloader_password: "{{ not bootloader is defined or bootloader.password }}"
	# !disable 'exec' on NFS
	rhel_07_021021: false

	rhel_07_020210: "{{ not selinux is defined or selinux.state \| default('disabled', true) != 'disabled' }}"
	rhel_07_020220: "{{ rhel_07_020220 }}"
	---
	- hosts: all
	tasks:
	- set_fact:
	# useful? accessed via ansible_local.<fact>
	basedir: "{{ playbook_dir }}"
	# TODO can't pass this in via '--extra-vars "factory_basedir=<path>' from Packer
	# because it's retarded and doesn't process --extra_vars et. al. as a Template
	factory_basedir: lookup('env', 'FACTORY_BASEDIR')
	- setup: filter=ansible_local
	- group_by:
	key: "{{ansible_facts.os_family}}{{ansible_facts.distribution_major_version}}"
	parents:
	- ansible_facts.distribution
	# distro == osfamily causes duplicate parent, WHEN conditional not supported
	#- ansible_facts.os_family

	- hosts: RedHat6
	gather_facts: false
	become: yes
	tasks:
	- import_role:
	name: RHEL6-STIG

	- hosts: RedHat7
	gather_facts: false
	become: yes
	tasks:
	- import_role:
	name: RHEL7-STIG