Enable automatic package updates [+Docs]

This patch allows a deployer to optionally enable automatic package updates. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I79d38971ea847096e7f20f0912363deaf5028a74
2016-12-02 15:01:17 -06:00 · 2016-12-02 15:01:17 -06:00 · e5db8521d9
commit e5db8521d9
parent 505a4a9eb0
6 changed files with 53 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -559,6 +559,8 @@ security_rhel7_remove_xorg: yes                              # RHEL-07-040560
 security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
 # Automatically remove dependencies when removing packages.
 security_package_clean_on_remove: no                         # RHEL-07-020200
+# Automatically update packages.
+security_rhel7_automatic_package_updates: no                 # RHEL-07-020250

 ## RPM (rpm)
 # Enable GPG checks for packages and repository data.
--- a/doc/metadata/rhel7/RHEL-07-020250.rst
+++ b/doc/metadata/rhel7/RHEL-07-020250.rst
@ -1,7 +1,20 @@
 ---
 id: RHEL-07-020250
-status: not implemented
-tag: misc
+status: opt-in
+tag: packages
 ---

-This STIG requirement is not yet implemented.
+Although the STIG requires that security patches and updates are applied when
+they are made available, this might be disruptive to some systems. Therefore,
+the tasks in the security role will not configure automatic updates by default.
+
+Deployers can opt in for automatic package updates by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_automatic_package_updates: yes
+
+When enabled, the tasks install and configure ``yum-cron`` on CentOS and Red
+Hat Enterprise Linux.  On Ubuntu systems, the ``unattended-upgrades`` package
+is installed and configured.
--- a/tasks/rhel7stig/packages.yml
+++ b/tasks/rhel7stig/packages.yml
@ -66,3 +66,29 @@
    - low
    - packages
    - RHEL-07-020200
+
+- name: RHEL-07-020250 - System security patches and updates must be installed and up to date. (yum)
+  lineinfile:
+    dest: /etc/yum/yum-cron.conf
+    regexp: "^apply_updates"
+    line: "apply_updates = yes"
+    state: present
+  when:
+    - ansible_os_family | lower == 'redhat'
+    - security_rhel7_automatic_package_updates | bool
+  tags:
+    - packages
+    - medium
+    - RHEL-07-020250
+
+- name: RHEL-07-020250 - System security patches and updates must be installed and up to date. (apt)
+  copy:
+    src: 20auto-upgrades
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
+  when:
+    - ansible_os_family | lower == 'ubuntu'
+    - security_rhel7_automatic_package_updates | bool
+  tags:
+    - packages
+    - cat2
+    - RHEL-07-020250
--- a/tests/test.yml
+++ b/tests/test.yml
@ -87,3 +87,4 @@
    security_password_remember_password: 5
    security_disable_account_if_password_expires: yes
    security_rhel7_initialize_aide: yes
+    security_rhel7_automatic_package_updates: yes
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -127,6 +127,10 @@ stig_packages_rhel7:
      - firewalld
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_firewalld }}"
+  - packages:
+      - yum-cron
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_automatic_package_updates }}"
  - packages:
      - rsh-server
    state: absent
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -124,6 +124,10 @@ stig_packages_rhel7:
      - firewalld
    state: "{{ security_package_state }}"
    enabled: "{{ security_enable_firewalld }}"
+  - packages:
+      - unattended-upgrades
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_automatic_package_updates }}"
  - packages:
      - rsh-server
    state: absent