From c777f734ac9e4c1d1ed0401f3cbd92c1e7cd44f3 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 30 Nov 2016 13:00:22 -0600
Subject: [PATCH] Enable firewalld [+Docs]

This patch allows deployers to opt-in for firewalld. The firewalld package is installed and the service is enabled when `security_enable_firewalld` is set to `yes`. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I641a8c7e468ed1b7908d2b62296fa309de6979b5
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/RHEL-07-040290.rst | 20 ++++++++++++++++++--
 tasks/rhel7stig/misc.yml | 23 +++++++++++++++++++++++
 tests/test.yml | 1 +
 vars/redhat.yml | 4 ++++
 vars/ubuntu.yml | 4 ++++
 6 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3a3c8215..6b764814 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -507,6 +507,8 @@ security_rhel7_disable_autofs: yes # RHEL-07-020161
 security_enable_virus_scanner: no # RHEL-07-030810
 # Disable ctrl-alt-delete key sequence on the console.
 security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
+# Install and enable firewalld for iptables management.
+security_enable_firewalld: no # RHEL-07-040290
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-040290.rst b/doc/metadata/rhel7/RHEL-07-040290.rst
index d033f825..1fe4d5dd 100644
--- a/doc/metadata/rhel7/RHEL-07-040290.rst
+++ b/doc/metadata/rhel7/RHEL-07-040290.rst
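Review bot: The new comment on `security_enable_firewalld` should say that the opt-in is one-way: the package entries in vars/redhat.yml and vars/ubuntu.yml and the service task in tasks/rhel7stig/misc.yml are all gated by this variable, so setting it back to `no` afterwards neither removes `firewalld` nor stops or disables the unit. Suggested comment: `# Install, start and enable firewalld. Setting this back to 'no' later does not stop or remove firewalld.`. Since deployers read this file before the docs, a one-line pointer to the pre-configuration requirement described in doc/metadata/rhel7/RHEL-07-040290.rst (the default zone is restrictive) would also fit here. The `yes`/`no` spelling matches the surrounding defaults, so I would not change it in this hunk alone.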
@@ -1,7 +1,23 @@
 ---
 id: RHEL-07-040290
-status: not implemented
+status: opt-in
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The STIG requires that a firewall is configured on each server. This might be
+disruptive to some environments since the default firewall policy for
+``firewalld`` is very restrictive. Therefore, the tasks in the security role
+do not install or enable the ``firewalld`` daemon by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_enable_firewalld: yes
+
+.. warning::
+
+   Deployers must pre-configure ``firewalld`` or copy over a working XML file
+   in ``/etc/firewalld/zones/`` from another server. The default firewalld
+   restrictions on Ubuntu, CentOS and Red Hat Enterprise Linux are highly
+   restrictive.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index eebd4ad4..8443fec7 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -135,3 +135,26 @@
   tags:
     - misc
     - RHEL-07-030810
+
+# Returns 0 if installed, 3 if not installed
+- name: Check firewalld status
+  command: systemctl status firewalld
+  register: firewalld_status_check
+  failed_when: firewalld_status_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: Ensure firewalld is running and enabled
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  when:
+    - firewalld_status_check.rc != 3
+    - security_enable_firewalld | bool
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040290
diff --git a/tests/test.yml b/tests/test.yml
index 38bb531d..e5fe6476 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -83,3 +83,4 @@
     security_enable_virus_scanner: yes
     security_search_for_invalid_owner: yes
     security_search_for_invalid_group_owner: yes
+    security_enable_firewalld: yes
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 4db127ce..ff397531 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
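Review bot: The `when: firewalld_status_check.rc != 3` condition on the "Ensure firewalld is running and enabled" task skips the start in the common case, because `systemctl status` exits 3 for a unit that is loaded but inactive, which is the state firewalld is in right after the package entry in vars installs it, so the new service task only ever acts on a firewalld that is already running; the comment `# Returns 0 if installed, 3 if not installed` conflates inactive with absent, and whether a missing unit exits 3 or 4 depends on the systemd version. Querying the unit's load state instead of its active state separates "not installed" from "installed but stopped" without relying on exit codes, as sketched below. `changed_when: False`, `check_mode: no` and `enabled: yes` could also take the canonical `false`/`true` spelling if that matches the rest of the file, of which only the tail of the preceding task is visible. The task before the added lines starts outside the hunk.
```yaml
# LoadState is "loaded" when the unit file exists and "not-found" when it
# does not, independent of whether the service is currently active.
- name: Check whether the firewalld unit is present
  command: systemctl show -p LoadState firewalld.service
  register: firewalld_status_check
  changed_when: false
  # … unchanged: check_mode, tags …

- name: Ensure firewalld is running and enabled
  # … unchanged: service module arguments …
  when:
    - "'LoadState=loaded' in firewalld_status_check.stdout"
    - security_enable_firewalld | bool
  # … unchanged: tags …
```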
@@ -113,6 +113,10 @@ stig_packages_rhel7:
       - clamav-update
     state: "{{ security_package_state }}"
     enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
   - packages:
       - rsh-server
     state: absent
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index 43a11cf6..feda61a6 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -112,6 +112,10 @@ stig_packages_rhel7:
       - clamav-freshclam
     state: "{{ security_package_state }}"
     enabled: "{{ security_enable_virus_scanner }}"
+  - packages:
+      - firewalld
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_enable_firewalld }}"
   - packages:
       - rsh-server
     state: absent
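Review bot: The Ubuntu entry in vars/ubuntu.yml installs `firewalld` from the distribution archive with `security_package_state`, and because the entry is gated only by `enabled`, a release that does not ship a `firewalld` package makes the package task fail as soon as the opt-in is set rather than being skipped; if the role still targets such a release, that is worth confirming, and the restriction documented next to the variable. The matching entry in vars/redhat.yml looks fine, as firewalld ships in the base RHEL/CentOS 7 repositories. A short comment on both new entries, e.g. `# Opt-in via security_enable_firewalld; see RHEL-07-040290`, would make the gating obvious to whoever edits the package list next.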