Disable autofs [+Docs]

This patch disables the autofs server if it is present
on the system. Docs are included.

Implements: blueprint security-rhel7-stig
Change-Id: Ic8c2fe80cadc6a80a06852466e8f8267c17227b7

defaults/main.yml

@@ -501,6 +501,8 @@ security_enable_graphical_login_message_text: >
     authorized user of this system.
 
 ## Miscellaneous (misc)
+# Disable the autofs service.
+security_rhel7_disable_autofs: yes                           # RHEL-07-020161
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no                            # RHEL-07-030810
 

doc/metadata/rhel7/RHEL-07-020161.rst

@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-020161
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The ``autofs`` service is stopped and disabled if it is found on the system.
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_autofs: no

tasks/rhel7stig/misc.yml

@@ -13,6 +13,28 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Check autofs service
+  command: systemctl status autofs
+  register: autofs_check
+  failed_when: autofs_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-020161 - File system automounter must be disabled unless required.
+  service:
+    name: autofs
+    state: stopped
+    enabled: no
+  when:
+    - "'not-found' not in autofs_check.stdout"
+    - security_rhel7_disable_autofs | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-020161
+
 - name: Check if ClamAV is installed
   stat:
     path: /usr/bin/clamdscan