ansible-hardening/tasks/rhel6stig/services.yml

---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Generate list of services_installed
  command: "find /etc/init.d/ -printf '%f\n'"
  register: sysv_services_installed
  changed_when: false
  check_mode: no
  tags:
    - services
    - cat1
    - cat2
    - cat3

- name: Generate a list of systemd service unit files
  shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
  register: systemd_services_installed
  changed_when: false
  check_mode: no
  tags:
    - services
    - cat1
    - cat2
    - cat3

- name: Register which services are installed depending on platform
  set_fact:
    services_installed: "{{ (ansible_service_mgr == 'systemd') | ternary (systemd_services_installed, sysv_services_installed)}}"

- name: V-38437 - Automated file system mounting tools must be disabled
  service:
    name: autofs
    state: stopped
    enabled: no
  when:
    - security_disable_autofs | bool
    - "'autofs' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38437

- name: V-38640 - The abrt service must be disabled
  service:
    name: abrtd
    state: stopped
    enabled: no
  when:
    - security_disable_abrtd | bool
    - "'abrtd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38640

- name: V-38641 - The atd service must be disabled
  service:
    name: atd
    state: stopped
    enabled: no
  when:
    - security_disable_atd | bool
    - "'atd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38641

- name: V-38648 - The qpidd service must be disabled
  service:
    name: qpidd
    state: stopped
    enabled: no
  when:
    - security_disable_qpidd | bool
    - "'qpidd' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38648

- name: V-38691 - The bluetooth service must be disabled
  service:
    name: bluetooth
    state: stopped
    enabled: no
  when:
    - security_disable_bluetooth | bool
    - "'bluetooth' in services_installed.stdout"
  tags:
    - services
    - cat2
    - V-38691

- name: V-38582 - xinetd must be disabled if not in use
  service:
    name: xinetd
    state: stopped
    enabled: no
  when:
    - security_disable_xinetd | bool
    - "'xinetd' in services_installed.stdout"
  tags:
    - services
    - cat2
    - V-38582

- name: V-38605 - The cron service must be running
  service:
    name: "{{ cron_service }}"
    state: started
    enabled: yes
  tags:
    - services
    - cat2
    - V-38605

- name: V-38618 - avahi must be disabled
  service:
    name: avahi-daemon
    state: stopped
    enabled: no
  when:
    - security_disable_avahi | bool
    - "'avahi' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38618

- name: V-38650 - rdisc must be disabled
  service:
    name: rdisc
    state: stopped
    enabled: no
  when:
    - security_disable_rdisc | bool
    - "'rdisc' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38650

- name: V-38672 - netconsole must be disabled
  service:
    name: netconsole
    state: stopped
    enabled: no
  when:
    - security_disable_netconsole | bool
    - "'netconsole' in services_installed.stdout"
  tags:
    - services
    - cat3
    - V-38672