---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Check if CentOS 7 GPG keys are installed (for V-38476)
  command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
  register: v38476_result
  changed_when: v38476_result | failed
  failed_when: False
  check_mode: no
  when:
    - ansible_distribution == 'CentOS'
  tags:
    - package
    - cat1
    - V-38476
    - skip_ansible_lint

- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (CentOS)
  fail:
    msg: "Missing CentOS 7 GPG keys"
  when:
    - ansible_distribution == 'CentOS'
    - v38476_result | failed
  tags:
    - package
    - cat1
    - V-38476

- name: Check if Red Hat Enterprise Linux 7 GPG keys are installed (for V-38476)
  command: "rpm -qi {{ item }}"
  register: v38476_result
  changed_when: v38476_result | failed
  failed_when: False
  check_mode: no
  with_items:
    - gpg-pubkey-fd431d51-4ae0493b
    - gpg-pubkey-2fa658e0-45700c69
  when:
    - ansible_distribution == 'RedHat'
  tags:
    - package
    - cat1
    - V-38476
    - skip_ansible_lint

- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software. (Red Hat Enteprise Linux)
  fail:
    msg: "Missing Red Hat Enterprise Linux 7 GPG keys"
  when:
    - ansible_distribution == 'RedHat'
    - v38476_result | failed
  tags:
    - package
    - cat1
    - V-38476

- name: Search for yum repositories with GPG checks disabled
  command: grep -r "gpgcheck=0" /etc/yum.repos.d/
  register: v38462_result
  changed_when: False
  failed_when: False
  check_mode: no
  tags:
    - package
    - cat1
    - V-38462

- name: V-38462 - Package management tool must verify authenticity of packages
  fail:
    msg: "Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
  when: "v38462_result.rc == 0"
  tags:
    - package
    - cat1
    - V-38462

- name: V-38481 - System security patches and updates must be installed and up-to-date
  lineinfile:
    dest: /etc/yum/yum-cron.conf
    regexp: "^apply_updates"
    line: "apply_updates = yes"
    state: present
  when: security_unattended_upgrades_enabled | bool
  tags:
    - package
    - cat2
    - V-38481

- name: Add or remove packages based on STIG requirements
  yum:
    name: |
      {%- set pkg_list = [] %}
      {%- for package_dict in item[1] %}
      {%- if pkg_list.extend(package_dict.packages) %}{% endif %}
      {%- endfor %}
      {{ pkg_list }}
    state: "{{ item[0] }}"
  with_items:
    - "{{ stig_packages | selectattr('enabled') | groupby('state') }}"
  tags:
    - cat1
    - auth
    - services
    - V-38439 # install: aide, aide-common
    - V-38481 # install: yum-cron
    - V-38620 # install: chrony
    - V-38624 # install: logrotate
    - V-38631 # install: auditd_pkg
    - V-38632 # install: auditd_pkg
    - V-38669 # install: postfix
    - V-51337 # install: SELinux
    - V-38583 # remove: xinetd
    - V-38587 # remove: telnet-server
    - V-38591 # remove: rsh-server
    - V-38603 # remove: ypserv
    - V-38606 # remove: tftp-server
    - V-38627 # remove: openldap-servers
    - V-38671 # remove: sendmail