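---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# RHEL 7 STIG "misc" controls: autofs, Ctrl-Alt-Delete, ClamAV, firewalld and
# the DNS resolver check. Each "Check ..." task is a read-only probe
# (check_mode: false, changed_when: false) whose registered result gates the
# task that follows it, so nothing below touches a unit that is not installed.

# `systemctl status <unit>` exits 0 when the unit is active and 3 when it is
# inactive -- including, on RHEL 7's systemd, when the unit is not installed at
# all. Only the output ("Loaded: not-found") tells the two cases apart, so the
# exit code alone must never be used to decide whether a unit exists.
- name: Check autofs service
  command: systemctl status autofs
  register: autofs_check
  failed_when: autofs_check.rc not in [0, 3]
  changed_when: false
  check_mode: false
  tags:
    - always

- name: RHEL-07-020161 - File system automounter must be disabled unless required.
  service:
    name: autofs
    state: stopped
    enabled: false
  when:
    - "'not-found' not in autofs_check.stdout"
    - security_rhel7_disable_autofs | bool
  tags:
    - medium
    - misc
    - RHEL-07-020161

# ctrl-alt-del.target is normally inactive (it is only started when the key
# sequence is actually pressed), so `systemctl status` exits 3 whether or not
# the target has been masked. The exit code therefore cannot tell us whether
# the mask is already in place; the "Loaded: masked" line in the output can,
# and that is what the mask task keys on.
- name: Check if ctrl-alt-del.target is already masked
  command: systemctl status ctrl-alt-del.target
  register: cad_mask_check
  check_mode: false
  changed_when: false
  failed_when: cad_mask_check.rc not in [0, 3]
  tags:
    - always

- name: RHEL-07-020220 - The x86 Ctrl-Alt-Delete key sequence must be disabled
  command: systemctl mask ctrl-alt-del.target
  when:
    - security_rhel7_disable_ctrl_alt_delete | bool
    - "'masked' not in cad_mask_check.stdout"
  notify:
    - reload systemd
  tags:
    - high
    - misc
    - RHEL-07-020220

# The ClamAV tasks are all conditional on clamdscan being present; this file
# does not install it.
- name: Check if ClamAV is installed
  stat:
    path: /usr/bin/clamdscan
  register: clamav_install_check
  tags:
    - always

# The packaged configs ship with an "Example" placeholder line that marks them
# as unconfigured; the daemons will not use a config that still contains it.
- name: Remove 'Example' line from ClamAV configuration files
  lineinfile:
    dest: "{{ item }}"
    regexp: "^Example"
    state: absent
  with_items:
    - /etc/freshclam.conf
    - /etc/clamd.d/scan.conf
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - RHEL-07-030810

# Uncomment the LocalSocket directive, keeping whatever path the packaged
# config already names (back-reference \2), so clamd accepts scan requests
# over a local Unix socket.
- name: Set ClamAV server type as socket
  lineinfile:
    dest: /etc/clamd.d/scan.conf
    regexp: "^(#)?LocalSocket (.*)$"
    line: 'LocalSocket \2'
    backrefs: true
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - RHEL-07-030810

# /etc/sysconfig/freshclam ships with a FRESHCLAM_DELAY setting that holds
# back the scheduled signature updates; dropping the line lets them run.
- name: Allow automatic freshclam updates
  lineinfile:
    dest: /etc/sysconfig/freshclam
    regexp: "^FRESHCLAM_DELAY"
    state: absent
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
    - ansible_os_family | lower == 'redhat'
  notify:
    - restart clamav
  tags:
    - misc
    - RHEL-07-030810

# Pull the current signature database before starting the daemon. This runs
# on every play and needs outbound network access to the ClamAV mirrors; it is
# never reported as a change because a fresh database is the expected state.
- name: Update ClamAV database
  command: freshclam
  changed_when: false
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
  tags:
    - misc
    - RHEL-07-030810

- name: Ensure ClamAV is running
  service:
    name: "{{ clamav_service }}"
    state: started
    enabled: true
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
  tags:
    - misc
    - RHEL-07-030810

# Same exit-code semantics as the autofs probe above: 0 = running, 3 = either
# installed-but-stopped or not installed ("Loaded: not-found" in the output).
- name: Check firewalld status
  command: systemctl status firewalld
  register: firewalld_status_check
  failed_when: firewalld_status_check.rc not in [0, 3]
  changed_when: false
  check_mode: false
  tags:
    - always

# Gate on the unit existing rather than on the exit code: an installed but
# stopped firewalld also exits 3, and that is precisely the state this task
# is supposed to correct.
- name: Ensure firewalld is running and enabled
  service:
    name: firewalld
    state: started
    enabled: true
  when:
    - "'not-found' not in firewalld_status_check.stdout"
    - security_enable_firewalld | bool
  tags:
    - medium
    - misc
    - RHEL-07-040290

# firewall-cmd talks to the running daemon, so this only makes sense when the
# status probe reported it active (rc 0). The rule itself is the one given in
# the STIG check text.
# NOTE(review): a --direct rule added without --permanent lives only in the
# runtime configuration and is lost on firewalld reload or reboot. It is also a
# plain `-m limit` ACCEPT rule: packets above the limit are not rejected here,
# they simply fall through to the rest of the chain.
- name: "Limit new TCP connections to {{ security_enable_firewalld_rate_limit_per_minute }}/minute with a burst of {{ security_enable_firewalld_rate_limit_burst }}"
  command: >-
    firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0
    -m tcp -p tcp -m limit
    --limit {{ security_enable_firewalld_rate_limit_per_minute }}/minute
    --limit-burst {{ security_enable_firewalld_rate_limit_burst }}
    -j ACCEPT
  register: add_rate_limit_firewalld_rule
  # firewalld flags a rule that is already present with "ALREADY_ENABLED";
  # which stream carries that warning depends on the firewalld version, so
  # check both to keep the task idempotent.
  changed_when: "'ALREADY_ENABLED' not in (add_rate_limit_firewalld_rule.stdout ~ add_rate_limit_firewalld_rule.stderr)"
  when:
    - firewalld_status_check.rc == 0
    - security_enable_firewalld_rate_limit | bool
  tags:
    - medium
    - misc
    - RHEL-07-040250

# Only lines that actually begin with "nameserver" count: an unanchored
# `grep nameserver` would also count commented-out entries. grep exits 1 when
# nothing matches, hence failed_when: false (stdout_lines is then empty).
# Linting checks need to be skipped because this command doesn't create any
# files.
- name: Count nameserver entries in /etc/resolv.conf
  command: grep '^nameserver' /etc/resolv.conf
  register: nameserver_check
  check_mode: false
  changed_when: false
  failed_when: false
  tags:
    - always
    - skip_ansible_lint

# This control is report-only: it tells the operator about the shortfall but
# does not edit resolv.conf.
- name: RHEL-07-040320 - For systems using DNS resolution, at least two name servers must be configured.
  debug:
    msg: |
      Two or more nameservers must be configured in /etc/resolv.conf.
      Nameservers found: {{ nameserver_check.stdout_lines | length }}
  when:
    - nameserver_check is defined
    - nameserver_check.stdout_lines | length < 2
  tags:
    - low
    - misc
    - RHEL-07-040320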