From 3107e7cc9d637ceb592eae807a38769a7b4994c6 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 20 May 2016 15:41:10 -0500
Subject: [PATCH] Disable the netconsole service (if present)

This patch checks for the netconsole service on a host and disables the service, if the service is installed. The service will be stopped immediately if it is found to be running. Documentation and release notes are included.

Closes-bug: 1584194
Change-Id: If779af67c2a66e7b56d170f1f12744aef75ff27b
---
 defaults/main.yml | 1 +
 doc/source/developer-notes/V-38672.rst | 10 +++++++++-
 ...disable-netconsole-service-915bb33449b4012c.yaml | 7 +++++++
 tasks/services.yml | 13 +++++++++++++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 311db9ac..5f893fc5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -156,6 +156,7 @@ security_disable_atd: yes # V-38640
 security_disable_autofs: yes # V-38437
 security_disable_avahi: yes # V-31618
 security_disable_bluetooth: yes # V-38691
+security_disable_netconsole: yes # v-38672
 security_disable_qpidd: yes # V-38648
 security_disable_rsh: yes # V-38594
 security_disable_ypbind: yes # V-38604
diff --git a/doc/source/developer-notes/V-38672.rst b/doc/source/developer-notes/V-38672.rst
index b5667d6b..6a038be5 100644
--- a/doc/source/developer-notes/V-38672.rst
+++ b/doc/source/developer-notes/V-38672.rst
@@ -1,2 +1,10 @@
 Ubuntu doesn't provide the netconsole package and the daemon isn't included
-in any other Ubuntu packages. Therefore, no action is required for this STIG.
+in any other Ubuntu packages.
+
+In CentOS, the ``netconsole`` daemon will be stopped and disabled if it is
+found to be installed. Deployers can opt-out of this change by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+ security_disable_netconsole: no
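Review bot: The trailing tag on the new default is `v-38672` in lowercase, while every neighbouring entry in the hunk carries the control id in uppercase (`V-38640`, `V-38437`, `V-38691`, `V-38648`). The developer note and the task added in the same commit both use `V-38672`, so a case-sensitive search for the control id will miss this line. Writing it as `security_disable_netconsole: yes # V-38672` keeps the defaults file consistent and greppable.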
diff --git a/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
new file mode 100644
index 00000000..406ca5aa
--- /dev/null
+++ b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
@@ -0,0 +1,7 @@
+fixes:
+ - |
+ An Ansible task was added to disable the ``netconsole`` service on CentOS
+ systems if the service is installed on the system.
+
+ Deployers can opt-out of this change by setting
+ ``security_disable_netconsole`` to ``no``.
diff --git a/tasks/services.yml b/tasks/services.yml
index 8dcedc38..19e84472 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -261,6 +261,19 @@
 - cat2
 - V-38671
 
+- name: V-38672 - netconsole must be disabled
+ service:
+ name: netconsole
+ state: stopped
+ enabled: no
+ when:
+ - security_disable_netconsole | bool
+ - "'netconsole' in services_installed.stdout"
+ tags:
+ - services
+ - cat3
+ - V-38672
+
 - name: V-38676 - The X windows package must not be installed (apt)
 apt:
 name: "{{ xserver_pkg }}"
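Review bot: The second `when` condition on the new V-38672 task, `"'netconsole' in services_installed.stdout"`, is a plain substring test on captured output, so it is only as precise as that listing's format allows: any entry containing the text would satisfy it, and the `service` module would then run against a name that may not exist and fail the play instead of skipping. If `services_installed` holds one service name per line, `"'netconsole' in services_installed.stdout_lines"` makes the test exact; if each line carries more than the name, a whole-token match is the safer check. The `services_installed` variable is registered by a task outside this hunk, presumably earlier in the same file, so a short comment above the task such as `# needs services_installed (registered earlier in this file); skipped when netconsole is absent` would tell readers where the precondition comes from.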