V-3867{4,6}: X windows

Implements: blueprint security-hardening

Change-Id: I9b8fce8e4ce174be5f341d74649829ad1253cfb3

defaults/main.yml

@@ -50,6 +50,7 @@ remove_services:
   telnet_server: yes                              # V-38587
   tftp-server: yes                                # V-38606
   xinetd: yes                                     # V-38584
+  xorg: yes                                       # v-38676
   ypserv: yes                                     # V-38603
 
 ## Additional rules for auditd

doc/source/developer-notes/V-38674.rst

@@ -0,0 +1,4 @@
+Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should
+be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
+correct runlevel is set. If the verification fails, an error will be printed
+and the playbook will fail.

doc/source/developer-notes/V-38676.rst

@@ -0,0 +1,8 @@
+Neither Ubuntu nor openstack-ansible install the X windows server by default.
+The ansible tasks will remove the ``xserver-xorg`` package if it is present.
+
+To opt-out of the change, set the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+    remove_services['xorg']: no

tasks/misc.yml

@@ -153,3 +153,19 @@
   tags:
    - cat3
    - V-38702
+
+- name: Check for default runlevel (for V-38674)
+  shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
+  register: v38674_result
+  changed_when: False
+  tags:
+    - cat2
+    - V-38674
+
+- name: V-38674 - X Windows must not be enabled
+  fail:
+    msg: "FAILED: Default runlevel should be 2 (no X windows)"
+  when: v38674_result.rc != 0
+  tags:
+    - cat2
+    - V-38674

tasks/services.yml

@@ -138,3 +138,13 @@
     - services
     - cat2
     - V-38671
+
+- name: V-38676 - The X windows package must not be installed
+  apt:
+    name: xserver-xorg
+    state: absent
+  when: remove_services['xorg'] | bool
+  tags:
+    - services
+    - cat3
+    - V-38676