Merge pull request #55 from hardening-io/single_prompt_params

Add SINGLE and PROMPT parameters.
dev-sec · Dec 25, 2015 · 9be0b35 · 9be0b35
2 parents d377b2b + 13d056a
commit 9be0b35
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -28,3 +28,8 @@ os_security_suid_sgid_remove_from_unknown: false
 
 # remove packages with known issues
 os_security_packages_clean: true
+
+# Allow interactive startup (rhel, centos)
+os_security_init_prompt: true
+# Require root password for single user mode. (rhel, centos)
+os_security_init_single: false
diff --git a/templates/rhel_sysconfig_init.j2 b/templates/rhel_sysconfig_init.j2
@@ -18,14 +18,14 @@ SETCOLOR_WARNING="echo -en \\033[0;33m"
 # terminal sequence to reset to the default color.
 SETCOLOR_NORMAL="echo -en \\033[0;39m"
 # Set to anything other than 'no' to allow hotkey interactive startup...
-PROMPT=yes
+PROMPT={{ 'yes' if os_security_init_prompt else 'no' }}
 # Set to 'yes' to allow probing for devices with swap signatures
 AUTOSWAP=no
 # What ttys should gettys be started on?
 ACTIVE_CONSOLES=/dev/tty[1-6]
 # Set to '/sbin/sulogin' to prompt for password on single-user mode
 # Set to '/sbin/sushell' otherwise
-SINGLE=/sbin/sushell
+SINGLE={{ '/sbin/sulogin' if os_security_init_single else '/sbin/sushell' }}
 
 # NSA 2.2.4.1 Set Daemon umask
 umask 027