Fix tags

Each task must be tagged, rather than the include statements. Tasks
get skipped unnecessarily when this is broken.

Change-Id: I7e2850bff4d001f2c57c9d186485f012c547e16a

tasks/rhel7stig/auth.yml

@@ -25,6 +25,7 @@
     - ansible_os_family == 'Debian'
     - security_disallow_blank_password_login | bool
   tags:
+    - auth
     - high
     - RHEL-07-010260
 
@@ -43,5 +44,6 @@
     - ansible_os_family == 'RedHat'
     - security_disallow_blank_password_login | bool
   tags:
+    - auth
     - high
     - RHEL-07-010260

tasks/rhel7stig/file_perms.yml

@@ -24,6 +24,7 @@
     - ansible_os_family | lower == 'redhat'
     - security_reset_perm_ownership | bool
   tags:
+    - file_perms
     - high
     - RHEL-07-010010
 
@@ -41,6 +42,7 @@
     - rhel_07_010010_packages is defined
     - rhel_07_010010_packages.stdout_lines | length > 0
   tags:
+    - file_perms
     - high
     - RHEL-07-010010
     # don't trigger ANSIBLE0013

tasks/rhel7stig/graphical.yml

@@ -28,6 +28,7 @@
     - RHEL_07_010430_gdm_conf.stat.exists
     - security_disable_gdm_automatic_login | bool
   tags:
+    - graphical
     - high
     - RHEL-07-010430
 
@@ -40,5 +41,6 @@
     - RHEL_07_010430_gdm_conf.stat.exists
     - security_disable_gdm_timed_login | bool
   tags:
+    - graphical
     - high
     - RHEL-07-010431

tasks/rhel7stig/main.yml

@@ -27,52 +27,23 @@
   when:
     - not check_mode | bool
 
-# Multiple tasks will need the output of RPM verification, so let's do the
-# lookup one time and then grep over the output in subsequent tasks.
-- name: Verify all installed RPM packages
-  shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
-  args:
-    warn: no
-  failed_when: False
-  changed_when: False
-  when:
-    - not check_mode | bool
-    - ansible_os_family | lower == 'redhat'
-  tags:
-    - always
-    - skip_ansible_lint
-
+# Package managers are managed first since the changes in these tasks will
+# affect the remainder of the tasks in the role.
 - include: apt.yml
-  when:
-    - ansible_os_family | lower == 'debian'
-  tags:
-    - apt
-
-- include: auth.yml
-  tags:
-    - auth
-
-- include: file_perms.yml
-  tags:
-    - file_perms
-
-- include: graphical.yml
-  tags:
-    - graphical
-
-- include: packages.yml
-  tags:
-    - packages
+  when: ansible_os_family | lower == 'debian'
 
 - include: rpm.yml
-  when:
-    - ansible_os_family | lower == 'redhat'
-  tags:
-    - rpm
+  when: ansible_os_family | lower == 'redhat'
 
+# The bulk of the security changes are applied in these tasks. The tasks in
+# each file are tagged with the same name (for example, tasks in `auth.yml`
+# are tagged with `auth`). Also, the tag name matches up with the "STIG
+# Controls by Tag" section of the role documentation.
+- include: auth.yml
+- include: file_perms.yml
+- include: graphical.yml
+- include: packages.yml
 - include: sshd.yml
-  tags:
-    - sshd
 
 - name: Remove the temporary directory
   file:

tasks/rhel7stig/rpm.yml

@@ -13,6 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+# Multiple tasks will need the output of RPM verification, so let's do the
+# lookup one time and then grep over the output in subsequent tasks.
+- name: Verify all installed RPM packages
+  shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
+  args:
+    warn: no
+  failed_when: False
+  changed_when: False
+  when:
+    - not check_mode | bool
+    - ansible_os_family | lower == 'redhat'
+  tags:
+    - always
+    - skip_ansible_lint
+
 - name: RHEL-07-010020 - Get files with invalid checksums (rpm)
   shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
   register: rhel_07_010020_files
@@ -21,6 +36,7 @@
     - not check_mode | bool
     - ansible_os_family | lower == 'redhat'
   tags:
+    - rpm
     - high
     - RHEL-07-010020
 
@@ -40,6 +56,7 @@
     - rhel_07_010020_files is defined
     - rhel_07_010020_files.stdout is defined
   tags:
+    - rpm
     - high
     - RHEL-07-010020
 
@@ -57,6 +74,7 @@
   when:
     - security_enable_gpgcheck | bool
   tags:
+    - rpm
     - high
     - RHEL-07-020150
     - RHEL-07-020151

tasks/rhel7stig/sshd.yml

@@ -58,5 +58,6 @@
   notify:
     - restart ssh
   tags:
+    - sshd
     - high
     - RHEL-07-010270