Remove packages according to STIG

This patch removes packages per the requirements of these STIGs:

* RHEL-07-040500
* RHEL-07-020010
* RHEL-07-020000
* RHEL-07-021910
* RHEL-07-040560

Implements: blueprint security-rhel7-stig
Change-Id: I52459d54c578c4e14392bf647268a2237f8df24a

defaults/main.yml

@@ -398,6 +398,15 @@ security_disable_gdm_automatic_login: yes                    # RHEL-07-010430
 # Disable timed gdm logins for guests
 security_disable_gdm_timed_login: yes                        # RHEL-07-010431
 
+## Packages (packages)
+# Remove packages from the system as required by the STIG. Set any of these
+# to 'no' to skip their removal.
+security_rhel7_remove_rsh_server: yes                        # RHEL-07-020000
+security_rhel7_remove_telnet_server: yes                     # RHEL-07-021910
+security_rhel7_remove_tftp_server: yes                       # RHEL-07-040500
+security_rhel7_remove_xorg: yes                              # RHEL-07-040560
+security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
+
 ## ssh server (sshd)
 # Prevent users from logging in over ssh if they have an empty password.
 security_sshd_disallow_empty_password: yes                   # RHEL-07-010270

doc/metadata/rhel7/RHEL-07-020000.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-020000
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+The role will remove the ``rsh-server`` package from the system if it is
+installed. Deployers can opt-out of this change by setting the following
+Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_rsh_server: no

doc/metadata/rhel7/RHEL-07-020010.rst

@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-020010
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+The role will remove the NIS server package package from the system if it is
+installed. The package name differs between Linux distributions:
+
+* CentOS: ``ypserv``
+* Ubuntu: ``nis``
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_ypserv: no

doc/metadata/rhel7/RHEL-07-021910.rst

@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-021910
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+The role will remove the telnet server package package from the system if it is
+installed. The package name differs between Linux distributions:
+
+* CentOS: ``telnet-server``
+* Ubuntu: ``telnetd``
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_telnet_server: no

doc/metadata/rhel7/RHEL-07-040500.rst

@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-040500
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+The role will remove the TFTP server package package from the system if it is
+installed. The package name differs between Linux distributions:
+
+* CentOS: ``tftp-server``
+* Ubuntu: ``tftpd``
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_tftp_server: no

doc/metadata/rhel7/RHEL-07-040560.rst

@@ -1,7 +1,17 @@
 ---
 id: RHEL-07-040560
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+The role will remove the xorg server package package from the system if it is
+installed. The package name differs between Linux distributions:
+
+* CentOS: ``xorg-x11-server-Xorg``
+* Ubuntu: ``xorg-xserver``
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_xorg: no

tasks/rhel6stig/apt.yml

@@ -102,7 +102,7 @@
     - cat2
     - V-38481
 
-- name: Install required packages
+- name: Add or remove packages based on STIG requirements
   apt:
     name: |
       {%- set pkg_list = [] %}

tasks/rhel7stig/main.yml

@@ -60,6 +60,10 @@
   tags:
     - graphical
 
+- include: packages.yml
+  tags:
+    - packages
+
 - include: rpm.yml
   when:
     - ansible_os_family | lower == 'redhat'

tasks/rhel7stig/packages.yml

@@ -0,0 +1,62 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Add or remove packages based on STIG requirements (dpkg)
+  apt:
+    name: |
+      {%- set pkg_list = [] %}
+      {%- for package_dict in item[1] %}
+      {%- if pkg_list.extend(package_dict.packages) %}{% endif %}
+      {%- endfor %}
+      {{ pkg_list }}
+    state: "{{ item[0] }}"
+  when:
+    - ansible_os_family | lower == 'debian'
+  with_items:
+    - "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
+  tags:
+    - cat1
+    - auth
+    - packages
+    - services
+    - RHEL-07-021910
+    - RHEL-07-020000
+    - RHEL-08-020010
+    - RHEL-07-040500
+    - RHEL-07-040560
+
+- name: Add or remove packages based on STIG requirements (rpm)
+  yum:
+    name: |
+      {%- set pkg_list = [] %}
+      {%- for package_dict in item[1] %}
+      {%- if pkg_list.extend(package_dict.packages) %}{% endif %}
+      {%- endfor %}
+      {{ pkg_list }}
+    state: "{{ item[0] }}"
+  when:
+    - ansible_os_family | lower == 'redhat'
+  with_items:
+    - "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
+  tags:
+    - cat1
+    - auth
+    - packages
+    - services
+    - RHEL-07-021910
+    - RHEL-07-020000
+    - RHEL-08-020010
+    - RHEL-07-040500
+    - RHEL-07-040560

vars/redhat.yml

@@ -30,7 +30,7 @@ chrony_service: chronyd
 # Commands
 grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
 
-# Packages to add or remove
+# RHEL 6 STIG: Packages to add/remove
 stig_packages:
   - packages:
       - audit
@@ -83,3 +83,26 @@ stig_packages:
       - telnet-server
     state: absent
     enabled: "{{ security_remove_telnet_server }}"
+
+# RHEL 7 STIG: Packages to add/remove
+stig_packages_rhel7:
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_rsh_server }}"
+  - packages:
+      - telnet-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_telnet_server }}"
+  - packages:
+      - tftp-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_tftp_server }}"
+  - packages:
+      - xorg-x11-server-Xorg
+    state: absent
+    enabled: "{{ security_rhel7_remove_xorg }}"
+  - packages:
+      - ypserv
+    state: absent
+    enabled: "{{ security_rhel7_remove_ypserv }}"

vars/ubuntu.yml

@@ -33,7 +33,7 @@ chrony_service: chrony
 # Commands
 grub_update_cmd: "update-grub"
 
-# Packages to add or remove
+# RHEL 6 STIG: Packages to add/remove
 stig_packages:
   - packages:
       - auditd
@@ -87,3 +87,26 @@ stig_packages:
       - telnetd
     state: absent
     enabled: "{{ security_remove_telnet_server }}"
+
+# RHEL 7 STIG: Packages to add/remove
+stig_packages_rhel7:
+  - packages:
+      - rsh-server
+    state: absent
+    enabled: "{{ security_rhel7_remove_rsh_server }}"
+  - packages:
+      - telnetd
+    state: absent
+    enabled: "{{ security_rhel7_remove_telnet_server }}"
+  - packages:
+      - tftpd
+    state: absent
+    enabled: "{{ security_rhel7_remove_tftp_server }}"
+  - packages:
+      - xorg-xserver
+    state: absent
+    enabled: "{{ security_rhel7_remove_xorg }}"
+  - packages:
+      - nis
+    state: absent
+    enabled: "{{ security_rhel7_remove_ypserv }}"