Setting default runlevel/target to non-graphical

This patch disables the graphical interface on a system to meet the STIG's requirements. This was only a check previously. Deployers have the option to opt out of this change if they *really* need a graphical interface. Documentation updates and a release note are included. Change-Id: Ia4c4853f7c9b66c6e1ac91c46fb8e7d48c80a408
2016-05-27 08:22:07 -05:00 · 2016-05-27 08:22:07 -05:00 · 65a7bc44dc
commit 65a7bc44dc
parent 09a60bf13c
5 changed files with 54 additions and 40 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -178,6 +178,10 @@ security_remove_tftp_server: yes                  # V-38606
 security_remove_xinetd: yes                       # V-38584
 security_remove_xorg: yes                         # v-38676
 security_remove_ypserv: yes                       # V-38603
+#
+# The STIG does not allow the system to run a graphical interface. Set this
+# variable to 'no' if you need a graphical interface on the server.
+security_disable_x_windows: yes                   # V-38674

 ## SSH configuration
 # The following configuration items will adjust how the ssh daemon is
--- a/doc/source/developer-notes/V-38674.rst
+++ b/doc/source/developer-notes/V-38674.rst
@ -1,10 +1,26 @@
-Ubuntu 14.04 sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it
-should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the
-correct runlevel is set.
+In Ubuntu 14.04, the upstart init system looks for the default runlevel in the
+``/etc/init/rc-sysinit.conf`` file. The tasks in the security role will ensure
+that the ``DEFAULT_RUNLEVEL`` environment variable is set to ``2``, which is a
+non-graphical runlevel.

-For operating systems that use systemd, such as Ubuntu 16.04 and CentOS 7, the
-Ansible tasks will verify that the ``graphical.target`` is not loaded by
-default.
+In Ubuntu 16.04 and CentOS 7, systemd handles various targets, which are
+similar to runlevels from earlier init systems. There are two targets that are
+important for this STIG:

-If any of these verifications fails, an error will be printed and the playbook
-will fail.
+* ``graphical.target``: similar to runlevel 5 from earlier init systems
+* ``multi-user.target``: similar to runlevel 2 or 3 from earlier init systems
+
+The tasks in the security role will ensure that the default target is the
+``multi-user.target``, which provides a text-based system.
+
+Deployers can opt out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_x_windows: no
+
+.. note::
+
+    This change will not take effect until the server is rebooted. Changing a
+    runlevel on an actively running system can cause certain services to stop,
+    start, or restart.
--- a/releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml
+++ b/releasenotes/notes/disable-graphical-interface-5db89cd1bef7e12d.yaml
@ -0,0 +1,13 @@
+---
+features:
+  - |
+    The security role now has tasks that will disable the graphical interface
+    on a server using upstart (Ubuntu 14.04) or systemd (Ubuntu 16.04 and
+    CentOS 7). These changes take effect after a reboot.
+
+    Deployers that need a graphical interface will need to set the following
+    Ansible variable:
+
+    .. code-block:: yaml
+
+        security_disable_x_windows: no
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@ -373,42 +373,25 @@
   - cat3
   - V-38702

- name: Check for default runlevel (for V-38674)
-  shell: "grep 'DEFAULT_RUNLEVEL=2' /etc/init/rc-sysinit.conf"
-  register: v38674_result
-  changed_when: False
-  always_run: True
-  when: not systemd_running | bool
-  tags:
-    - cat2
-    - V-38674
-
- name: V-38674 - X Windows must not be enabled
-  fail:
-    msg: "Default runlevel should be 2 (no X windows)"
+- name: V-38674 - X Windows must not be enabled (upstart)
+  lineinfile:
+    dest: /etc/init/rc-sysinit.conf
+    regexp: "^env DEFAULT_RUNLEVEL"
+    line: "env DEFAULT_RUNLEVEL=2"
  when:
+    - security_disable_x_windows | bool
    - not systemd_running | bool
-    - v38674_result.rc != 0
  tags:
    - cat2
    - V-38674

- name: Check if systemd is configured to load the graphical target
-  shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'"
-  register: v38674_result
-  always_run: True
-  failed_when: v38674_result.rc > 1
-  when: systemd_running | bool
-  tags:
-    - cat2
-    - V-38674
-
- name: V-38674 - X Windows must not be enabled
-  fail:
-    msg: "Graphical target must not be enabled in systemd."
+- name: V-38674 - X Windows must not be enabled (systemd)
+  shell: "systemctl set-default multi-user.target"
+  register: systemctl_default_target
+  changed_when: "'Created symlink' in systemctl_default_target.stdout"
  when:
+    - security_disable_x_windows | bool
    - systemd_running | bool
-    - v38674_result.rc == 0
  tags:
    - cat2
    - V-38674
--- a/tox.ini
+++ b/tox.ini
@ -105,9 +105,7 @@ commands =
 # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
 #                   images with apt config Apt::Get::AllowUnauthenticated set
 #                   to true.
-# NOTE(mhayden):    V-38674: OpenStack infra images have graphical target
-#                   enabled, so it must be skipped.
-#                   V-38574: OpenStack infra images have non-standard pam
+# NOTE(mhayden):    V-38574: OpenStack infra images have non-standard pam
 #                   configurations that don't match a standard CentOS 7 server
 #                   or cloud image. It must be skipped.
 commands =
@ -116,7 +114,7 @@ commands =
              {homedir}/.ansible/plugins
    ansible-playbook -i {toxinidir}/tests/inventory \
                     -e "rolename={toxinidir}" \
-                     --skip-tag V-38462,V-38574,V-38674 \
+                     --skip-tag V-38462,V-38574 \
                     {toxinidir}/tests/test.yml