Disable repo GPG checks by default

Enable repo GPG checks causes some CentOS systems to become unable to
retrieve yum metadata. It also causes the security gate jobs to balloon
out to 12 minutes (normally 3-4 mins).

Closes-Bug: 1641729
Change-Id: I229b471bbd9fbe39776b9022671b03da0a659163

defaults/main.yml

@@ -449,9 +449,10 @@ security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
 security_package_clean_on_remove: no                         # RHEL-07-020200
 
 ## RPM (rpm)
-# Enable GPG checks for remotely and locally installed packages. This includes
-# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
-security_enable_gpgcheck: yes                                # RHEL-07-020150
+# Enable GPG checks for packages and repository data.
+security_enable_gpgcheck_packages: yes                       # RHEL-07-020150
+security_enable_gpgcheck_packages_local: yes                 # RHEL-07-020151
+security_enable_gpgcheck_repo: no                            # RHEL-07-020152
 
 ## ssh server (sshd)
 # Disallow logins from users with empty/null passwords.

doc/metadata/rhel7/RHEL-07-020150.rst

@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the
 ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
 with ``yum``.
 
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020151`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
+``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
+in ``/etc/yum.conf`` on CentOS systems.

doc/metadata/rhel7/RHEL-07-020151.rst

@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in
 the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
 locally with ``yum``.
 
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
+``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
+``/etc/yum.conf`` on CentOS systems.

doc/metadata/rhel7/RHEL-07-020152.rst

@@ -4,20 +4,18 @@ status: implemented
 tag: packages
 ---
 
-On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
-anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
-If the string is found, a warning is printed on the console.
+The STIG requires that repository XML files are verified during ``yum`` runs.
 
-On CentOS 7 systems, the tasks set the ``repo_gpgcheck`` option to ``1`` in the
-``/etc/yum.conf`` file. This enables GPG checks for all repository metadata.
+.. warning::
 
-Deployers can opt-out of this change by setting the following Ansible variable:
+    This setting is disabled by default because it can cause issues with CentOS
+    systems and prevent them from retrieving repository information. Deployers
+    who choose to enable this setting should test it thoroughly on
+    non-production environments before applying it to production systems.
+
+Deployers can override this default and opt in for the change by setting the
+following Ansible variable:
 
 .. code-block:: yaml
 
-    security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020151`
+    security_enable_gpgcheck_repo: yes

tasks/rhel7stig/apt.yml

@@ -72,11 +72,12 @@
 - name: RHEL-07-020150 - Package management tool must verify authenticity of packages
   debug:
     msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
-  when: "gpgcheck_result.rc == 0"
+  when:
+    - security_enable_gpgcheck_packages | bool
+    - gpgcheck_result.rc == 0
   tags:
     - high
     - RHEL-07-020150
-    - RHEL-07-020152
 
 - name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
   lineinfile:
@@ -85,7 +86,7 @@
     line: "#no-debsig"
     state: present
   when:
-    - security_enable_gpgcheck | bool
+    - security_enable_gpgcheck_packages_local | bool
   tags:
     - high
     - RHEL-07-020151

tasks/rhel7stig/rpm.yml

@@ -60,19 +60,13 @@
     - high
     - RHEL-07-010020
 
-# This covers RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
 - name: RHEL-07-020150 - Require digital signatures for all packages
   lineinfile:
     dest: /etc/yum.conf
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
     state: present
-  with_items:
-    - { regexp: "^gpgcheck.*", line: "gpgcheck=1" }
-    - { regexp: "^localpkg_gpgcheck.*", line: "localpkg_gpgcheck=1" }
-    - { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1" }
-  when:
-    - security_enable_gpgcheck | bool
+  with_items: "{{ rpm_gpgchecks | default([]) }}"
   tags:
     - rpm
     - high

vars/redhat.yml

@@ -113,3 +113,11 @@ stig_packages_rhel7:
       - ypserv
     state: absent
     enabled: "{{ security_rhel7_remove_ypserv }}"
+
+rpm_gpgchecks:
+  - regexp: "^gpgcheck.*"
+    line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
+  - regexp: "^localpkg_gpgcheck.*"
+    line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
+  - regexp: "^repo_gpgcheck.*"
+    line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"