From 85cad87c9598ce481a93d9789c3f97c4864de1ca Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 15:13:50 -0500
Subject: [PATCH] V-3867{4,6}: X windows
Implements: blueprint security-hardening
Change-Id: I9b8fce8e4ce174be5f341d74649829ad1253cfb3
---
 defaults/main.yml | 1 +
 doc/source/developer-notes/V-38674.rst | 4 ++++
 doc/source/developer-notes/V-38676.rst | 8 ++++++++
 tasks/misc.yml | 16 ++++++++++++++++
 tasks/services.yml | 10 ++++++++++
 5 files changed, 39 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38674.rst
 create mode 100644 doc/source/developer-notes/V-38676.rst
diff --git a/defaults/main.yml b/defaults/main.yml
index 9d71a1ce..722b3a4a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,6 +50,7 @@ remove_services:
 telnet_server: yes # V-38587
 tftp-server: yes # V-38606
 xinetd: yes # V-38584
+ xorg: yes # v-38676
 ypserv: yes # V-38603
 
 ## Additional rules for auditd
diff --git a/doc/source/developer-notes/V-38674.rst b/doc/source/developer-notes/V-38674.rst
new file mode 100644
index 00000000..299f42b8
--- /dev/null
+++ b/doc/source/developer-notes/V-38674.rst
@@ -0,0 +1,4 @@
+Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should
+be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
+correct runlevel is set. If the verification fails, an error will be printed
+and the playbook will fail.
diff --git a/doc/source/developer-notes/V-38676.rst b/doc/source/developer-notes/V-38676.rst
new file mode 100644
index 00000000..d9bde368
--- /dev/null
+++ b/doc/source/developer-notes/V-38676.rst
@@ -0,0 +1,8 @@
+Neither Ubuntu nor openstack-ansible install the X windows server by default.
+The ansible tasks will remove the ``xserver-xorg`` package if it is present.
+
+To opt-out of the change, set the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+ remove_services['xorg']: no
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 49cdb771..3b1085e2 100644
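Review bot: The comment on the added `xorg: yes # v-38676` line tags the STIG ID with a lowercase `v-`, while every sibling entry in the `remove_services` block uses `V-…`; write it as `xorg: yes # V-38676` so a grep for the control ID finds this line too. The opt-out shown in the new V-38676.rst, `remove_services['xorg']: no`, would define a variable literally named `remove_services['xorg']` rather than override the nested key, and overriding `remove_services:` as a whole in a vars file replaces the entire mapping unless hash merging is enabled, so the developer note should show the override as a nested mapping under `remove_services:`. The `yes` value is passed through `| bool` in tasks/services.yml, so the YAML 1.1 truthy spelling is tolerable here, though `true` would be the version-safe form.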
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -153,3 +153,19 @@
 tags:
 - cat3
 - V-38702
+
+- name: Check for default runlevel (for V-38674)
+ shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
+ register: v38674_result
+ changed_when: False
+ tags:
+ - cat2
+ - V-38674
+
+- name: V-38674 - X Windows must not be enabled
+ fail:
+ msg: "FAILED: Default runlevel should be 2 (no X windows)"
+ when: v38674_result.rc != 0
+ tags:
+ - cat2
+ - V-38674
diff --git a/tasks/services.yml b/tasks/services.yml
index 2077f10c..18767866 100644
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -138,3 +138,13 @@
 - services
 - cat2
 - V-38671
+
+- name: V-38676 - The X windows package must not be installed
+ apt:
+ name: xserver-xorg
+ state: absent
+ when: remove_services['xorg'] | bool
+ tags:
+ - services
+ - cat3
+ - V-38676
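Review bot: The V-38674 `fail` task can never print its message, because the `shell` grep task that feeds `v38674_result` has no `failed_when`: when grep finds no match (rc 1) or the file is missing (rc 2, which is likely on a release that no longer ships the Upstart file `/etc/init/rc-sysinit.conf`), Ansible fails the check task itself with a generic non-zero-rc error before `when: v38674_result.rc != 0` is ever evaluated. Add `failed_when: False` beside `changed_when: False` so the result is registered and the custom "FAILED: Default runlevel should be 2 (no X windows)" message is what the operator sees. The grep uses no shell features, so `command:` rather than `shell:` is the safer module for this check. Note also that the pattern is unanchored, so a commented-out `DEFAULT_RUNLEVEL=2` line would satisfy it; whether that matters depends on how strictly the control should be read.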
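Review bot: Removing only `xserver-xorg` probably does not satisfy the control, because on Debian/Ubuntu that name is a metapackage and the X server binary lives in `xserver-xorg-core`; `apt` with `state: absent` removes the named package only and does not autoremove its dependencies, so a host that had the metapackage installed keeps a working X server afterwards. Either list both names, which the apt module accepts as `name: xserver-xorg,xserver-xorg-core`, or loop the task over the two packages with `with_items`. If the intent is really "the X server must not be present", the V-38676 developer note should name the package(s) actually removed so the opt-out documentation matches the task.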