Enable firewalld [+Docs]

This patch allows deployers to opt-in for firewalld. The firewalld package is installed and the service is enabled when `security_enable_firewalld` is set to `yes`. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I641a8c7e468ed1b7908d2b62296fa309de6979b5
2016-11-30 13:00:22 -06:00 · 2016-11-30 13:00:22 -06:00 · c777f734ac
commit c777f734ac
parent 40ca9cf990
6 changed files with 52 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -507,6 +507,8 @@ security_rhel7_disable_autofs: yes                           # RHEL-07-020161
 security_enable_virus_scanner: no                            # RHEL-07-030810
 # Disable ctrl-alt-delete key sequence on the console.
 security_rhel7_disable_ctrl_alt_delete: yes                  # RHEL-07-020220
+# Install and enable firewalld for iptables management.
+security_enable_firewalld: no                                # RHEL-07-040290

 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
--- a/doc/metadata/rhel7/RHEL-07-040290.rst
+++ b/doc/metadata/rhel7/RHEL-07-040290.rst
@ -1,7 +1,23 @@
 ---
 id: RHEL-07-040290
-status: not implemented
+status: opt-in
 tag: misc
 ---

-This STIG requirement is not yet implemented.
+The STIG requires that a firewall is configured on each server. This might be
+disruptive to some environments since the default firewall policy for
+``firewalld`` is very restrictive.  Therefore, the tasks in the security role
+do not install or enable the ``firewalld`` daemon by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_firewalld: yes
+
+.. warning::
+
+    Deployers must pre-configure ``firewalld`` or copy over a working XML file
+    in ``/etc/firewalld/zones/`` from another server.  The default firewalld
+    restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly
+    restrictive.
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@ -135,3 +135,26 @@
  tags:
    - misc
    - RHEL-07-030810
+
+# Returns 0 if installed, 3 if not installed
+- name: Check firewalld status
+  command: systemctl status firewalld
+  register: firewalld_status_check
+  failed_when: firewalld_status_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: Ensure firewalld is running and enabled
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  when:
+    - firewalld_status_check.rc != 3
+    - security_enable_firewalld | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040290
--- a/tests/test.yml
+++ b/tests/test.yml
@ -83,3 +83,4 @@
    security_enable_virus_scanner: yes
    security_search_for_invalid_owner: yes
    security_search_for_invalid_group_owner: yes
+    security_enable_firewalld: yes
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -113,6 +113,10 @@ stig_packages_rhel7:
      - clamav-update
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
  - packages:
      - rsh-server
    state: absent
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -112,6 +112,10 @@ stig_packages_rhel7:
      - clamav-freshclam
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
  - packages:
      - rsh-server
    state: absent