Enable sshd [+Docs]

Change-Id: Icd669e4d933eb20e139b11d8edf8596fb4dcf586

defaults/main.yml

@@ -522,6 +522,8 @@ security_enable_gpgcheck_packages_local: yes                 # RHEL-07-020151
 security_enable_gpgcheck_repo: no                            # RHEL-07-020152
 
 ## ssh server (sshd)
+# Ensure sshd is running and enabled at boot time.
+security_enable_sshd: yes                                    # RHEL-07-040261
 # Disallow logins from users with empty/null passwords.
 security_sshd_disallow_empty_password: yes                   # RHEL-07-010270 / RHEL-07-010440
 # Disallow users from overriding the ssh environment variables.

doc/metadata/rhel7/RHEL-07-040261.rst

@@ -1,7 +1,23 @@
 ---
 id: RHEL-07-040261
-status: not implemented
+status: implemented
-tag: misc
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The STIG has a requirement that the ``sshd`` daemon is running and enabled at
+boot time. The tasks in the security role ensure that these requirements are
+met.
+
+Some deployers may not have ``sshd`` enabled on highly specialized systems and
+those deployers should opt out of this change by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+    security_enable_sshd: no
+
+.. note::
+
+    Setting ``security_enable_sshd`` to ``no`` causes the tasks to ignore the
+    state of the service entirely. A setting of ``no`` does not stop or alter
+    the ``sshd`` service.

tasks/rhel7stig/sshd.yml

@@ -72,3 +72,15 @@
     - RHEL-07-040700
     - RHEL-07-040670
     - RHEL-07-040680
+
+- name: Ensure sshd is running and enabled
+  service:
+    name: "{{ ssh_service }}"
+    state: started
+    enabled: yes
+  when:
+    - security_enable_sshd | bool
+  tags:
+    - medium
+    - sshd
+    - RHEL-07-040261