Enable FIPS [+Docs]

This patch installs `dracut-fips` and checks to see if the deployer has FIPS
enabled at boot time. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I9a6da4dc753fbfc3949f0c78e53af3bb5e3083ef

doc/metadata/rhel7/RHEL-07-021280.rst

@@ -1,7 +1,23 @@
 ---
 id: RHEL-07-021280
-status: not implemented
+status: implemented - red hat only
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the Ansible role install the ``dracut-fips`` and
+``dracut-fips-aesni`` packages and check to see if FIPS is enabled on the
+system. If it is not enabled, a warning message is printed in the Ansible
+output.
+
+Enabling FIPS at boot time requires additional manual configuration. Refer to
+`Chapter 7. Federal Standards and Regulations`_ in the Red Hat documentation
+for more details. Section 7.1.1 contains the steps required for updating
+the bootloader configuration and regenerating the initramfs.
+
+.. _Chapter 7. Federal Standards and Regulations : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/chap-Federal_Standards_and_Regulations.html
+
+.. note::
+
+    This change only applies to CentOS and Red Hat Enterprise Linux. Ubuntu
+    does not use dracut by default and the process for enabling the FIPS
+    functionality at boot time is more complex.

tasks/rhel7stig/kernel.yml

@@ -67,3 +67,27 @@
     - kernel
     - medium
     - RHEL-07-021230
+
+- name: Check if FIPS is enabled
+  command: cat /proc/sys/crypto/fips_enabled
+  register: fips_check
+  changed_when: False
+  check_mode: no
+  when:
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - always
+
+- name: Print a warning if FIPS isn't enabled
+  debug:
+    msg: >
+      FIPS is not enabled at boot time on this server.
+      The STIG requires FIPS to be enabled at boot time.
+  when:
+    - ansible_os_family | lower == 'redhat'
+    - fips_check is defined
+    - fips_check.stdout == '0'
+  tags:
+    - high
+    - misc
+    - RHEL-07-021280

tasks/rhel7stig/packages.yml

@@ -30,9 +30,10 @@
     - packages
     - services
     - RHEL-07-010072
-    - RHEL-07-021910
     - RHEL-07-020000
-    - RHEL-08-020010
+    - RHEL-07-020010
+    - RHEL-07-021280
+    - RHEL-07-021910
     - RHEL-07-030810
     - RHEL-07-040260
     - RHEL-07-040500

vars/redhat.yml

@@ -102,6 +102,8 @@ stig_packages_rhel7:
       - audispd-plugins
       - audit
       - aide
+      - dracut-fips
+      - dracut-fips-aesni
       - openssh-clients
       - openssh-server
       - screen