Disable the netconsole service (if present)

This patch checks for the netconsole service on a host and disables the service, if the service is installed. The service will be stopped immediately if it is found to be running. Documentation and release notes are included. Closes-bug: 1584194 Change-Id: If779af67c2a66e7b56d170f1f12744aef75ff27b
2016-05-20 15:41:10 -05:00
parent 9d42c5accc
commit 3107e7cc9d
4 changed files with 30 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -156,6 +156,7 @@ security_disable_atd: yes                         # V-38640
 security_disable_autofs: yes                      # V-38437
 security_disable_avahi: yes                       # V-31618
 security_disable_bluetooth: yes                   # V-38691
+security_disable_netconsole: yes                  # v-38672
 security_disable_qpidd: yes                       # V-38648
 security_disable_rsh: yes                         # V-38594
 security_disable_ypbind: yes                      # V-38604
--- a/doc/source/developer-notes/V-38672.rst
+++ b/doc/source/developer-notes/V-38672.rst
@@ -1,2 +1,10 @@
 Ubuntu doesn't provide the netconsole package and the daemon isn't included
-in any other Ubuntu packages. Therefore, no action is required for this STIG.
+in any other Ubuntu packages.
+
+In CentOS, the ``netconsole`` daemon will be stopped and disabled if it is
+found to be installed. Deployers can opt-out of this change by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_netconsole: no
--- a/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
+++ b/releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml
@@ -0,0 +1,7 @@
+fixes:
+  - |
+    An Ansible task was added to disable the ``netconsole`` service on CentOS
+    systems if the service is installed on the system.
+
+    Deployers can opt-out of this change by setting
+    ``security_disable_netconsole`` to ``no``.
--- a/tasks/services.yml
+++ b/tasks/services.yml
@@ -261,6 +261,19 @@
    - cat2
    - V-38671

+- name: V-38672 - netconsole must be disabled
+  service:
+    name: netconsole
+    state: stopped
+    enabled: no
+  when:
+    - security_disable_netconsole | bool
+    - "'netconsole' in services_installed.stdout"
+  tags:
+    - services
+    - cat3
+    - V-38672
+
 - name: V-38676 - The X windows package must not be installed (apt)
  apt:
    name: "{{ xserver_pkg }}"