Setting default runlevel/target to non-graphical

This patch disables the graphical interface on a system to meet the STIG's
requirements. This was only a check previously. Deployers have the option
to opt out of this change if they *really* need a graphical interface.

Documentation updates and a release note are included.

Change-Id: Ia4c4853f7c9b66c6e1ac91c46fb8e7d48c80a408

defaults/main.yml

@@ -178,6 +178,10 @@ security_remove_tftp_server: yes                  # V-38606
 security_remove_xinetd: yes                       # V-38584
 security_remove_xorg: yes                         # v-38676
 security_remove_ypserv: yes                       # V-38603
+#
+# The STIG does not allow the system to run a graphical interface. Set this
+# variable to 'no' if you need a graphical interface on the server.
+security_disable_x_windows: yes                   # V-38674
 
 ## SSH configuration
 # The following configuration items will adjust how the ssh daemon is

doc/source/developer-notes/V-38674.rst

@@ -1,10 +1,26 @@
-Ubuntu 14.04 sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it
+In Ubuntu 14.04, the upstart init system looks for the default runlevel in the
-should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
+``/etc/init/rc-sysinit.conf`` file. The tasks in the security role will ensure
-correct runlevel is set.
+that the ``DEFAULT_RUNLEVEL`` environment variable is set to ``2``, which is a
+non-graphical runlevel.
 
-For operating systems that use systemd, such as Ubuntu 16.04 and CentOS 7, the
+In Ubuntu 16.04 and CentOS 7, systemd handles various targets, which are
-Ansible tasks will verify that the ``graphical.target`` is not loaded by
+similar to runlevels from earlier init systems. There are two targets that are
-default.
+important for this STIG:
 
-If any of these verifications fails, an error will be printed and the playbook
+* ``graphical.target``: similar to runlevel 5 from earlier init systems
-will fail.
+* ``multi-user.target``: similar to runlevel 2 or 3 from earlier init systems
+
+The tasks in the security role will ensure that the default target is the
+``multi-user.target``, which provides a text-based system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_x_windows: no
+
+.. note::
+
+    This change will not take effect until the server is rebooted. Changing a
+    runlevel on an actively running system can cause certain services to stop,
+    start, or restart.

releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml

@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The security role now has tasks that will disable the graphical interface
+    on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and
+    CentOS 7). These changes take effect after a reboot.
+
+    Deployers that need a graphical interface will need to set the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+        security_disable_x_windows: no

tasks/misc.yml

@@ -373,42 +373,25 @@
    - cat3
    - V-38702
 
-- name: Check for default runlevel (for V-38674)
+- name: V-38674 - X Windows must not be enabled (upstart)
-  shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
+  lineinfile:
-  register: v38674_result
+    dest: /etc/init/rc-sysinit.conf
-  changed_when: False
+    regexp: "^env DEFAULT_RUNLEVEL"
-  always_run: True
+    line: "env DEFAULT_RUNLEVEL=2"
-  when: not systemd_running | bool
-  tags:
-    - cat2
-    - V-38674
-
-- name: V-38674 - X Windows must not be enabled
-  fail:
-    msg: "Default runlevel should be 2 (no X windows)"
   when:
+    - security_disable_x_windows | bool
     - not systemd_running | bool
-    - v38674_result.rc != 0
   tags:
     - cat2
     - V-38674
 
-- name: Check if systemd is configured to load the graphical target
+- name: V-38674 - X Windows must not be enabled (systemd)
-  shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'"
+  shell: "systemctl set-default multi-user.target"
-  register: v38674_result
+  register: systemctl_default_target
-  always_run: True
+  changed_when: "'Created symlink' in systemctl_default_target.stdout"
-  failed_when: v38674_result.rc > 1
-  when: systemd_running | bool
-  tags:
-    - cat2
-    - V-38674
-
-- name: V-38674 - X Windows must not be enabled
-  fail:
-    msg: "Graphical target must not be enabled in systemd."
   when:
+    - security_disable_x_windows | bool
     - systemd_running | bool
-    - v38674_result.rc == 0
   tags:
     - cat2
     - V-38674

tox.ini

@@ -105,9 +105,7 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 #                   images with apt config Apt::Get::AllowUnauthenticated set
 #                   to true.
-# NOTE(mhayden):    V-38674: OpenStack infra images have graphical target
+# NOTE(mhayden):    V-38574: OpenStack infra images have non-standard pam
-#                   enabled, so it must be skipped.
-#                   V-38574: OpenStack infra images have non-standard pam
 #                   configurations that don't match a standard CentOS 7 server
 #                   or cloud image. It must be skipped.
 commands =
@@ -116,7 +114,7 @@ commands =
               {homedir}/.ansible/plugins
     ansible-playbook -i {toxinidir}/tests/inventory \
                      -e "rolename={toxinidir}" \
-                     --skip-tag V-38462,V-38574,V-38674 \
+                     --skip-tag V-38462,V-38574 \
                      {toxinidir}/tests/test.yml