Add CentOS 7 and Ubuntu 16.04 support

This patch adds initial support for CentOS 7 and Ubuntu 16.04
to the security role. Documentation and tests still need updates
in subsequent patches.

Release notes are included.

Change-Id: Iae936bb307a5938651c55e703d68d39a7716d178
This commit is contained in:
Major Hayden 2016-05-13 14:57:28 -05:00
parent fa2800419e
commit 22c4c21583
19 changed files with 623 additions and 98 deletions


@ -8,5 +8,3 @@ by adjusting the following Ansible variable:
.. code-block:: yaml .. code-block:: yaml
security_max_log_file: 6 security_max_log_file: 6


@ -46,7 +46,7 @@
- name: restart ssh - name: restart ssh
service: service:
name: ssh name: "{{ ssh_service }}"
state: restarted state: restarted
- name: restart vsftpd - name: restart vsftpd


@ -6,9 +6,13 @@ galaxy_info:
license: Apache license: Apache
min_ansible_version: 1.8.3 min_ansible_version: 1.8.3
platforms: platforms:
- name: EL
versions:
- 7
- name: Ubuntu - name: Ubuntu
versions: versions:
- trusty - trusty
- xenial
categories: categories:
- cloud - cloud
- security - security


@ -14,7 +14,13 @@
# TODO(odyssey4me) remove this once https://review.openstack.org/288634 has merged # TODO(odyssey4me) remove this once https://review.openstack.org/288634 has merged
# and the disk images are rebuilt and redeployed. # and the disk images are rebuilt and redeployed.
curl curl
wget
# Requirements for Paramiko 2.0 # Requirements for Paramiko 2.0
libssl-dev libssl-dev [platform:dpkg]
libffi-dev libffi-dev [platform:dpkg]
libffi-devel [platform:rpm]
openssl-devel [platform:rpm]
# For selinux
libselinux-python [platform:rpm]


@ -0,0 +1,5 @@
---
features:
- The openstack-ansible-security role supports the application of the Red
Hat Enterprise Linux 6 STIG configurations to systems running CentOS 7 and
Ubuntu 16.04 LTS.


@ -13,6 +13,23 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- auditd-apt-packages
- name: Update apt if needed
apt:
update_cache: yes
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- auditd-apt-packages
# Notes for V-38476 ########################################################### # Notes for V-38476 ###########################################################
# #
# These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could # These GPG keys are valid as of Ubuntu 14.04 in late 2015, but they could
@ -29,7 +46,7 @@
msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys" msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout" when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags: tags:
- apt - package
- cat1 - cat1
- V-38476 - V-38476
@ -48,7 +65,7 @@
failed_when: False failed_when: False
always_run: True always_run: True
tags: tags:
- auth - package
- cat1 - cat1
- V-38462 - V-38462
@ -57,7 +74,7 @@
msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified." msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0" when: "v38462_result.rc == 0"
tags: tags:
- auth - package
- cat1 - cat1
- V-38462 - V-38462
@ -67,7 +84,7 @@
state: present state: present
when: security_unattended_upgrades_enabled | bool when: security_unattended_upgrades_enabled | bool
tags: tags:
- apt - package
- cat2 - cat2
- V-38481 - V-38481
@ -77,7 +94,7 @@
dest: /etc/apt/apt.conf.d/20auto-upgrades dest: /etc/apt/apt.conf.d/20auto-upgrades
when: security_unattended_upgrades_enabled | bool when: security_unattended_upgrades_enabled | bool
tags: tags:
- apt - package
- cat2 - cat2
- V-38481 - V-38481
@ -90,6 +107,6 @@
- security_unattended_upgrades_enabled | bool - security_unattended_upgrades_enabled | bool
- security_unattended_upgrades_notifications | bool - security_unattended_upgrades_notifications | bool
tags: tags:
- apt - package
- cat2 - cat2
- V-38481 - V-38481
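Review bot: The V-38476 failure message at the `msg:` line still reads "Missing Ubuntu 14.04 Archive signing keys" although this commit makes apt.yml run on Ubuntu 16.04 as well, so a failure on xenial points the operator at the wrong release. Either drop the version from the string, `msg: "FAILED: Missing Ubuntu Archive signing keys"`, or move the expected key IDs and the message into the per-distribution vars file this commit introduces; whether 437D05B5 and C0B21F32 are the right keys to demand on 16.04 is not established by the hunk and should be confirmed. The cache-refresh task moved in at the top embeds a bare `{{cache_timeout}}` inside the `when:` string; `when:` is already a Jinja expression, so `cache_timeout` can be referenced directly and newer Ansible releases warn about the nested braces. The comment block above the key check ("valid as of Ubuntu 14.04 in late 2015") continues outside this hunk.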


@ -13,27 +13,22 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
#TODO(evrardjp): Replace the next 2 tasks by a standard apt with cache - name: V-38631/38632 - The operating system must produce audit records (install auditd with apt)
#when https://github.com/ansible/ansible-modules-core/pull/1517 is merged
#in 1.9.x or we move to 2.0 (if tested working)
- name: Check apt last update file
stat:
path: /var/cache/apt
register: apt_cache_stat
tags:
- auditd-apt-packages
- name: Update apt if needed
apt: apt:
update_cache: yes name: "{{ auditd_pkg }}"
when: "ansible_date_time.epoch|float - apt_cache_stat.stat.mtime > {{cache_timeout}}"
tags:
- auditd-apt-packages
- name: V-38631/38632 - The operating system must produce audit records (install auditd)
apt:
name: auditd
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags:
- auditd
- cat2
- V-38632
- V-38631
- name: V-38631/38632 - The operating system must produce audit records (install auditd with yum)
yum:
name: "{{ auditd_pkg }}"
state: present
when: ansible_pkg_mgr == 'yum'
tags: tags:
- auditd - auditd
- cat2 - cat2
@ -104,6 +99,7 @@
apt: apt:
name: debsums name: debsums
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags: tags:
- auditd - auditd
- cat2 - cat2
@ -117,6 +113,7 @@
register: v38637_result register: v38637_result
changed_when: False changed_when: False
failed_when: "'not installed' in v38637_result.stdout" failed_when: "'not installed' in v38637_result.stdout"
when: ansible_pkg_mgr == 'apt'
tags: tags:
- auditd - auditd
- cat2 - cat2
@ -125,7 +122,31 @@
- name: V-38637 - Contents of auditd package must be verified - name: V-38637 - Contents of auditd package must be verified
fail: fail:
msg: "FAILED: Could not verify that files from auditd package are unaltered" msg: "FAILED: Could not verify that files from auditd package are unaltered"
when: not check_mode and v38637_result.rc == 2 when:
- not check_mode
- ansible_pkg_mgr == 'apt'
- v38637_result.rc == 2
tags:
- auditd
- cat2
- V-38637
- name: Check audit package contents for alterations with rpm (for V-38637)
shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l
register: v38637_result
when: ansible_pkg_mgr == 'yum'
tags:
- auditd
- cat2
- V-38637
- name: V-38637 - Contents of auditd package must be verified
fail:
msg: "FAILED: Could not verify that files from auditd package are unaltered"
when:
- not check_mode
- ansible_pkg_mgr == 'yum'
- v38637_result.stdout != "0"
tags: tags:
- auditd - auditd
- cat2 - cat2
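Review bot: The new rpm verification task `shell: rpmverify audit audit-libs | grep -v audit.conf | wc -l` lacks the `changed_when: False`, `failed_when: False` and `always_run: True` that its dpkg counterpart carries, so it reports a change on every run and is skipped in check mode, leaving `v38637_result` with no `stdout` for the fail task that follows (only the `not check_mode` guard masks that). The `grep -v audit.conf` filter is an unanchored substring match; rpmverify flags config files with a `c` column, so `grep -v ' c /'` would exclude every config file instead of just the one name, which matters if later tasks in this role change /etc/audit/rules.d or /etc/audisp on CentOS and would otherwise trip this check. Whether those files are modified by this role on EL is not visible in the hunk and is worth confirming before relying on the exit criterion `v38637_result.stdout != "0"`.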


@ -104,7 +104,7 @@
# /etc/pam.d/common-auth # /etc/pam.d/common-auth
- name: V-38497 - The system must not have accounts configured with blank or null passwords. - name: V-38497 - The system must not have accounts configured with blank or null passwords.
lineinfile: lineinfile:
dest: /etc/pam.d/common-auth dest: "{{ pam_auth_file }}"
state: present state: present
regexp: "^(.*)nullok_secure(.*)$" regexp: "^(.*)nullok_secure(.*)$"
line: '\1\2' line: '\1\2'
@ -191,21 +191,49 @@
- cat2 - cat2
- V-38501 - V-38501
- name: V-38591 - Remove rshd - name: V-38591 - Remove rshd with apt
apt: apt:
name: rsh-server name: rsh-server
state: absent state: absent
when: security_remove_rsh_server | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_rsh_server | bool
tags: tags:
- auth - auth
- cat1 - cat1
- V-38591 - V-38591
- name: V-38587 - Remove telnet-server - name: V-38591 - Remove rshd with yum
apt: yum:
name: telnetd name: rsh-server
state: absent state: absent
when: security_remove_telnet_server | bool when:
- ansible_pkg_mgr == 'yum'
- security_remove_rsh_server | bool
tags:
- auth
- cat1
- V-38591
- name: V-38587 - Remove telnet-server with apt
apt:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_telnet_server | bool
tags:
- auth
- cat1
- V-38587
- name: V-38587 - Remove telnet-server with yum
yum:
name: "{{ telnet_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_telnet_server | bool
tags: tags:
- auth - auth
- cat1 - cat1
@ -261,7 +289,7 @@
# SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default # SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
# hashing algorithm as well. # hashing algorithm as well.
- name: Check password hashing algorithm used by PAM (for V-38574) - name: Check password hashing algorithm used by PAM (for V-38574)
shell: "grep '^\\s*password.*pam_unix.*sha512' /etc/pam.d/common-password" shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
register: v38574_result register: v38574_result
changed_when: False changed_when: False
failed_when: False failed_when: False
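Review bot: The V-38497 task now edits `{{ pam_auth_file }}` but still matches `nullok_secure`, which is the Debian/Ubuntu spelling; on CentOS 7 the pam_unix auth line in system-auth typically carries plain `nullok`, so on that platform the regex matches nothing and blank-password logins stay permitted while the task reports success. Widening the pattern to `regexp: "^(.*)nullok(_secure)?(.*)$"` with `line: '\1\3'` covers both spellings. EL also ships both system-auth and password-auth (the latter is what sshd consults), so a single `pam_auth_file` leaves one of them untouched and authconfig rewrites both; the vars files defining `pam_auth_file` and `pam_password_file` are not in this view, so confirm which file is targeted and whether sshd logins are covered.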


@ -19,6 +19,15 @@
regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"' regexp: '^(#)?exec shutdown -r now "Control-Alt-Delete pressed"'
line: '#exec shutdown -r now "Control-Alt-Delete pressed"' line: '#exec shutdown -r now "Control-Alt-Delete pressed"'
state: present state: present
when: not systemd_running | bool
tags:
- console
- cat1
- V-38668
- name: V-38668 - The x86 Ctrl-Alt-Delete key sequence must be disabled
command: systemctl mask ctrl-alt-del.target
when: systemd_running | bool
tags: tags:
- console - console
- cat1 - cat1
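Review bot: The new systemd branch runs `command: systemctl mask ctrl-alt-del.target` unconditionally, so it reports changed on every run and has no idempotence guard; `systemctl mask` creates the symlink /etc/systemd/system/ctrl-alt-del.target, so adding `creates: /etc/systemd/system/ctrl-alt-del.target` under `args:` makes the task converge. Like the upstart branch above it, the task has no `always_run`, so a check-mode audit run cannot report whether the key sequence is disabled. The task's tag list appears to continue past the end of the hunk.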


@ -13,10 +13,21 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix) - name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with apt)
apt: apt:
name: postfix name: postfix
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags:
- mail
- cat3
- V-38669
- name: V-38669 - The postfix service must be enabled for mail delivery (install postfix with yum)
yum:
name: postfix
state: present
when: ansible_pkg_mgr == 'yum'
tags: tags:
- mail - mail
- cat3 - cat3
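Review bot: The postfix install is now written twice, once as `apt:` and once as `yum:`, with only the module name and the `ansible_pkg_mgr` guard differing, and this pattern repeats across every package task in the commit. Since `min_ansible_version` is 1.8.3 the `package` module is not available, but the dynamic-action form `action: "{{ ansible_pkg_mgr }}" name=postfix state=present` works on 1.9 and collapses each pair into one task with one tag list. That is a style choice rather than a defect; if the duplication is kept, a comment at the top of each file saying the apt/yum pairs must be edited together would help the next maintainer.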


@ -13,15 +13,42 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: Verify if we're using check mode - name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Check if we're in check/audit mode
command: /bin/true command: /bin/true
register: noop_result register: noop_result
- name: Set a fact if we're in check mode - name: Check to see if systemd is in use
command: systemctl status
register: systemd_check
failed_when: False
always_run: True
- name: Set facts
set_fact: set_fact:
check_mode: "{{ noop_result | skipped }}" check_mode: "{{ noop_result | skipped }}"
systemd_running: "{{ systemd_check | success }}"
- include: apt.yml - include: apt.yml
when: ansible_pkg_mgr == 'apt'
tag:
- apt
- package
- include: rpm.yml
when: ansible_pkg_mgr == 'yum' or ansible_pkg_mgr == 'dnf'
tag:
- package
- rpm
- include: auditd.yml - include: auditd.yml
- include: auth.yml - include: auth.yml
- include: boot.yml - include: boot.yml
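Review bot: Both new includes use `tag:` rather than `tags:` (the lines following `- include: apt.yml` and `- include: rpm.yml`), so the `apt`, `rpm` and `package` tags are never attached to the included files; because the same commit retags the tasks inside apt.yml from `apt` to `package`, a `--tags apt` run now selects nothing, and on Ansible 2.x an unknown include keyword may be rejected outright. Rename the keyword to `tags:` on both includes. Separately, rpm.yml is included when `ansible_pkg_mgr == 'dnf'`, but every RPM-side task in this commit checks `== 'yum'` and calls the yum module, so a dnf host includes the file and then skips all of it; either drop dnf from the include condition or handle it in the tasks. The systemd probe via `systemctl status` with `failed_when: False` is reasonable, though on a host without systemd the result depends on the binary being absent rather than present-but-inactive, which the hunk does not establish.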


@ -13,10 +13,20 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: V-38489 - Install AIDE - name: V-38489 - Install AIDE (with apt)
apt: apt:
name: aide name: aide
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38489
- name: V-38489 - Install AIDE (with yum)
yum:
name: aide
state: present
when: ansible_pkg_mgr == 'yum'
tags: tags:
- cat2 - cat2
- V-38489 - V-38489
@ -76,10 +86,20 @@
- cat2 - cat2
- V-38619 - V-38619
- name: V-38620 - Synchronize system clock (installing chrony) - name: V-38620 - Synchronize system clock (installing chrony with apt)
apt: apt:
name: chrony name: chrony
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat2
- V-38620
- name: V-38620 - Synchronize system clock (installing chrony with yum)
yum:
name: chrony
state: present
when: ansible_pkg_mgr == 'yum'
tags: tags:
- cat2 - cat2
- V-38620 - V-38620
@ -117,10 +137,20 @@
# The openstack-ansible project will configure logs to be rotated weekly and # The openstack-ansible project will configure logs to be rotated weekly and
# compressed with each run. We won't change the interval here, but we will # compressed with each run. We won't change the interval here, but we will
# ensure that logrotate is installed (to meet the STIG requirement). # ensure that logrotate is installed (to meet the STIG requirement).
- name: V-38624 - System logs must be rotated daily (install logrotate) - name: V-38624 - System logs must be rotated daily (install logrotate with apt)
apt: apt:
name: logrotate name: logrotate
state: present state: present
when: ansible_pkg_mgr == 'apt'
tags:
- cat3
- V-38624
- name: V-38624 - System logs must be rotated daily (install logrotate with yum)
yum:
name: logrotate
state: present
when: ansible_pkg_mgr == 'yum'
tags: tags:
- cat3 - cat3
- V-38624 - V-38624
@ -138,7 +168,7 @@
msg: "FAILED: Cron job for logrotate is missing" msg: "FAILED: Cron job for logrotate is missing"
when: when:
- not check_mode - not check_mode
- v38624_result.stat.exists == False - not v38624_result.stat.exists | bool
tags: tags:
- cat3 - cat3
- V-38624 - V-38624
@ -158,32 +188,53 @@
regexp: "^(;)?client signing" regexp: "^(;)?client signing"
line: "client signing = mandatory" line: "client signing = mandatory"
insertafter: "############ Misc ############" insertafter: "############ Misc ############"
when: v38656_result.stat.exists == True when: v38656_result.stat.exists | bool
notify: notify:
- restart samba - restart samba
tags: tags:
- cat3 - cat3
- V-38656 - V-38656
- name: Check if SNMP daemon is installed (for V-38660) - name: Check if SNMP daemon is installed using dpkg (for V-38660)
shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\"" shell: "dpkg --status snmpd | grep \"^Status:.*ok installed\""
register: v38660_snmpd_installed register: v38660_snmpd_apt
changed_when: False changed_when: False
failed_when: False failed_when: False
always_run: True always_run: True
when: ansible_pkg_mgr == 'apt'
tags: tags:
- cat2 - cat2
- V-38660 - V-38660
- name: Check if SNMP daemon is installed using rpm (for V-38660)
shell: "rpm -qi net-snmp"
register: v38660_snmpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-38660
- name: Set fact for SNMP being installed
set_fact:
snmpd_installed: True
when: |
(v38660_snmpd_apt.rc is defined and v38660_snmpd_apt.rc == 0) or
(v38660_snmpd_rpm.rc is defined and v38660_snmpd_rpm.rc == 0)
# We shouldn't get any output from this grep since it looks for configuration # We shouldn't get any output from this grep since it looks for configuration
# lines for the SNMP v1 and v2c protocols. # lines for the SNMP v1 and v2c protocols.
- name: Check for insecure SNMP protocols (for V-38660) - name: Check for insecure SNMP protocols (for V-38660)
shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'" shell: "egrep 'v1|v2c|com2sec|community' /etc/snmp/snmpd.conf | grep -v '^\\s*#'"
register: v38660_result register: v38660_result
when: v38660_snmpd_installed.rc == 0
changed_when: False changed_when: False
failed_when: False failed_when: False
always_run: True always_run: True
when:
- snmpd_installed is defined
- snmpd_installed | bool
tags: tags:
- cat2 - cat2
- V-38660 - V-38660
@ -193,7 +244,8 @@
msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only" msg: "FAILED: Insecure SNMP configuration found -- use SNMPv3 only"
when: when:
- not check_mode - not check_mode
- v38660_snmpd_installed.rc == 0 - snmpd_installed is defined
- snmpd_installed | bool
- v38660_result.rc == 0 - v38660_result.rc == 0
tags: tags:
- cat2 - cat2
@ -219,23 +271,46 @@
- cat3 - cat3
- V-38684 - V-38684
- name: Check if vsftpd installed (for V-38599 and V-38702) - name: Check if vsftpd installed using dpkg (for V-38599 and V-38702)
shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\"" shell: "dpkg --status vsftpd | grep \"^Status:.*ok installed\""
register: v38599_result register: v38599_vsftpd_apt
changed_when: False changed_when: False
failed_when: False failed_when: False
always_run: True always_run: True
when: ansible_pkg_mgr == 'apt'
tags: tags:
- cat2 - cat2
- cat3 - cat3
- V-38599 - V-38599
- V-38702 - V-38702
- name: Check if vsftpd installed using rpm (for V-38599 and V-38702)
shell: "rpm -qi vsftpd"
register: v38599_vsftpd_rpm
changed_when: False
failed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- cat3
- V-38599
- V-38702
- name: Set fact for vsftpd being installed
set_fact:
vsftpd_installed: True
when: |
(v38599_vsftpd_apt.rc is defined and v38599_vsftpd_apt.rc == 0) or
(v38599_vsftpd_rpm.rc is defined and v38599_vsftpd_rpm.rc == 0)
- name: Copy login banner (for V-38599) - name: Copy login banner (for V-38599)
copy: copy:
src: login_banner.txt src: login_banner.txt
dest: /etc/issue.net dest: /etc/issue.net
when: v38599_result.rc == 0 when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify: notify:
- restart vsftpd - restart vsftpd
tags: tags:
@ -244,10 +319,12 @@
- name: V-38599 - Set warning banner for FTPS/FTP logins - name: V-38599 - Set warning banner for FTPS/FTP logins
lineinfile: lineinfile:
dest: /etc/vsftpd/vsftpd.conf dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?banner_file" regexp: "^(#)?banner_file"
line: "banner_file=/etc/issue.net" line: "banner_file=/etc/issue.net"
when: v38599_result.rc == 0 when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify: notify:
- restart vsftpd - restart vsftpd
tags: tags:
@ -256,10 +333,12 @@
- name: V-38702 - Enable xferlog - name: V-38702 - Enable xferlog
lineinfile: lineinfile:
dest: /etc/vsftpd.conf dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_enable" regexp: "^(#)?xferlog_enable"
line: "xferlog_enable=YES" line: "xferlog_enable=YES"
when: v38599_result.rc == 0 when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify: notify:
- restart vsftpd - restart vsftpd
tags: tags:
@ -268,10 +347,12 @@
- name: V-38702 - Disable xferlog_std_format - name: V-38702 - Disable xferlog_std_format
lineinfile: lineinfile:
dest: /etc/vsftpd.conf dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?xferlog_std_format" regexp: "^(#)?xferlog_std_format"
line: "xferlog_std_format=NO" line: "xferlog_std_format=NO"
when: v38599_result.rc == 0 when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify: notify:
- restart vsftpd - restart vsftpd
tags: tags:
@ -280,10 +361,12 @@
- name: V-38702 - Enable log_ftp_protocol - name: V-38702 - Enable log_ftp_protocol
lineinfile: lineinfile:
dest: /etc/vsftpd.conf dest: "{{ vsftpd_conf_file }}"
regexp: "^(#)?log_ftp_protocol" regexp: "^(#)?log_ftp_protocol"
line: "log_ftp_protocol=YES" line: "log_ftp_protocol=YES"
when: v38599_result.rc == 0 when:
- vsftpd_installed is defined
- vsftpd_installed | bool
notify: notify:
- restart vsftpd - restart vsftpd
tags: tags:
@ -295,6 +378,7 @@
register: v38674_result register: v38674_result
changed_when: False changed_when: False
always_run: True always_run: True
when: not systemd_running | bool
tags: tags:
- cat2 - cat2
- V-38674 - V-38674
@ -302,7 +386,29 @@
- name: V-38674 - X Windows must not be enabled - name: V-38674 - X Windows must not be enabled
fail: fail:
msg: "FAILED: Default runlevel should be 2 (no X windows)" msg: "FAILED: Default runlevel should be 2 (no X windows)"
when: v38674_result.rc != 0 when:
- not systemd_running | bool
- v38674_result.rc != 0
tags:
- cat2
- V-38674
- name: Check if systemd is configured to load the graphical target
shell: "systemctl list-units --type=target | grep '^graphical.target.*loaded active active'"
register: v38674_result
always_run: True
failed_when: v38674_result.rc > 1
when: systemd_running | bool
tags:
- cat2
- V-38674
- name: V-38674 - X Windows must not be enabled
fail:
msg: "FAILED: Graphical target must not be enabled in systemd."
when:
- systemd_running | bool
- v38674_result.rc == 0
tags: tags:
- cat2 - cat2
- V-38674 - V-38674
@ -312,6 +418,7 @@
register: v51337_result register: v51337_result
changed_when: False changed_when: False
always_run: True always_run: True
when: ansible_pkg_mgr == 'apt'
tags: tags:
- cat2 - cat2
- V-51337 - V-51337
@ -319,7 +426,30 @@
- name: V-51337 - The system must use a Linux Security Module at boot time - name: V-51337 - The system must use a Linux Security Module at boot time
fail: fail:
msg: "FAILED: AppArmor isn't enabled" msg: "FAILED: AppArmor isn't enabled"
when: "'apparmor module is loaded' not in v51337_result.stdout" when:
- ansible_pkg_mgr == 'apt'
- "'apparmor module is loaded' not in v51337_result.stdout"
tags:
- cat2
- V-51337
- name: Check if SELinux is enforcing (for V-51337)
command: getenforce
register: v51337_result
changed_when: False
always_run: True
when: ansible_pkg_mgr == 'yum'
tags:
- cat2
- V-51337
- name: V-51337 - The system must use a Linux Security Module at boot time
fail:
msg: "FAILED: SELinux is not in enforcing mode."
when:
- ansible_pkg_mgr == 'yum'
- "'Enforcing' not in v51337_result.stdout"
tags: tags:
- cat2 - cat2
- V-51337 - V-51337
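Review bot: The systemd branch for V-38674 checks `systemctl list-units --type=target | grep '^graphical.target.*loaded active active'`, which only tells whether graphical.target is active at the moment the role runs, not whether it is the boot default the STIG item is about; a host sitting in multi-user.target but configured with graphical.target as default passes, and the pipeline cannot distinguish "not active" from a systemctl error. Querying the configured default is more direct: `command: systemctl get-default` with `changed_when: False`, failing when `'graphical.target' in v38674_result.stdout`. The shell task as written also lacks `changed_when: False`, so it reports a change on every run. Further up, the V-51337 SELinux check relies on `getenforce` alone, which reports the running mode and not /etc/selinux/config, so a box set permissive at boot but switched to enforcing by hand passes; worth a follow-up rather than a blocker.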


@ -29,6 +29,7 @@
shell: grep all_squash /etc/exports shell: grep all_squash /etc/exports
register: v38460_result register: v38460_result
changed_when: v38460_result.rc == 0 changed_when: v38460_result.rc == 0
failed_when: False
when: exports.stat.exists when: exports.stat.exists
tags: tags:
- nfs - nfs
@ -49,6 +50,7 @@
shell: grep insecure_locks /etc/exports shell: grep insecure_locks /etc/exports
register: v38677_result register: v38677_result
changed_when: v38677_result.rc == 0 changed_when: v38677_result.rc == 0
failed_when: False
when: exports.stat.exists when: exports.stat.exists
tags: tags:
- nfs - nfs

tasks/rpm.yml Normal file

@ -0,0 +1,76 @@
---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Check if CentOS 7 GPG keys are installed (for V-38476)
command: rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
register: v38476_result
changed_when: "v38476_result.rc != 0"
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38476
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
fail:
msg: "FAILED: Missing CentOS 7 GPG keys"
when: "v38476_result.rc != 0"
tags:
- package
- cat1
- V-38476
- name: Search for yum repositories with GPG checks disabled
command: grep -r "gpgcheck=0" /etc/yum.repos.d/
register: v38462_result
changed_when: False
failed_when: False
always_run: True
tags:
- package
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
fail:
msg: "FAILED: Ensure all repo files in /etc/yum.repos.d/ have 'gpgcheck=1' set."
when: "v38462_result.rc == 0"
tags:
- package
- cat1
- V-38462
- name: V-38481 - Install yum-cron for automatic updates
yum:
name: yum-cron
state: installed
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
- name: V-38481 - System security patches and updates must be installed and up-to-date
lineinfile:
dest: /etc/yum/yum-cron.conf
regexp: "^apply_updates"
line: "apply_updates = yes"
state: present
when: security_unattended_upgrades_enabled | bool
tags:
- package
- cat2
- V-38481
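Review bot: The V-38462 search `grep -r "gpgcheck=0" /etc/yum.repos.d/` only catches that exact spelling and never looks at /etc/yum.conf, so a repo file with `gpgcheck = 0` or `gpgcheck=no`, or a global `gpgcheck=0` in yum.conf, slips past while the task reports compliance; `grep -rEi '^\s*gpgcheck\s*=\s*(0|no|false|off)' /etc/yum.conf /etc/yum.repos.d/` covers the forms yum accepts. For V-38481 the tasks install yum-cron and set `apply_updates = yes` but never start or enable the yum-cron service, so nothing is applied until something else enables it; a `service: name=yum-cron state=started enabled=yes` task under the same `security_unattended_upgrades_enabled` guard closes that gap. The V-38476 check is pinned to the CentOS 7 key `gpg-pubkey-f4a80eb5-53a7ff4b` and will fail on RHEL 7 or other EL derivatives, so if those ever come into scope the expected key belongs in the per-distribution vars file this commit adds, and `changed_when: "v38476_result.rc != 0"` on a read-only query should be `changed_when: False`.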


@ -13,9 +13,9 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
- name: Generate list of sysv_services - name: Generate list of services_installed
shell: "find /etc/init.d/ -printf '%f\n'" shell: "find /etc/init.d/ -printf '%f\n'"
register: sysv_services register: sysv_services_installed
changed_when: false changed_when: false
always_run: True always_run: True
tags: tags:
@ -24,12 +24,29 @@
- cat2 - cat2
- cat3 - cat3
- name: Generate a list of systemd service unit files
shell: "systemctl list-units --type=service --no-legend | awk '{print $1}'"
register: systemd_services_installed
changed_when: false
always_run: True
tags:
- services
- cat1
- cat2
- cat3
- name: Register which services are installed depending on platform
set_fact:
services_installed: "{{ (systemd_running | bool) | ternary (systemd_services_installed, sysv_services_installed)}}"
- name: V-38437 - Automated file system mounting tools must be disabled - name: V-38437 - Automated file system mounting tools must be disabled
service: service:
name: autofs name: autofs
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_autofs | bool and 'autofs' in sysv_services.stdout when:
- security_disable_autofs | bool
- "'autofs' in services_installed.stdout"
tags: tags:
- services - services
- cat3 - cat3
@ -40,7 +57,9 @@
name: abrtd name: abrtd
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_abrtd | bool and 'abrtd' in sysv_services.stdout when:
- security_disable_abrtd | bool
- "'abrtd' in services_installed.stdout"
tags: tags:
- services - services
- cat3 - cat3
@ -51,7 +70,9 @@
name: atd name: atd
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_atd | bool and 'atd' in sysv_services.stdout when:
- security_disable_atd | bool
- "'atd' in services_installed.stdout"
tags: tags:
- services - services
- cat3 - cat3
@ -62,7 +83,9 @@
name: qpidd name: qpidd
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_qpidd | bool and 'qpidd' in sysv_services.stdout when:
- security_disable_qpidd | bool
- "'qpidd' in services_installed.stdout"
tags: tags:
- services - services
- cat3 - cat3
@ -73,7 +96,9 @@
name: bluetooth name: bluetooth
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_bluetooth | bool and 'bluetooth' in sysv_services.stdout when:
- security_disable_bluetooth | bool
- "'bluetooth' in services_installed.stdout"
tags: tags:
- services - services
- cat2 - cat2
@ -84,28 +109,58 @@
name: xinetd name: xinetd
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_xinetd | bool and 'xinetd' in sysv_services.stdout when:
- security_disable_xinetd | bool
- "'xinetd' in services_installed.stdout"
tags: tags:
- services - services
- cat2 - cat2
- V-38582 - V-38582
- name: V-38584 - xinetd must be uninstalled if not in use - name: V-38584 - xinetd must be uninstalled if not in use (apt)
apt: apt:
name: xinetd name: xinetd
state: absent state: absent
when: security_remove_xinetd | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_xinetd | bool
tags:
- services
- cat3
- V-38584
- name: V-38584 - xinetd must be uninstalled if not in use (yum)
yum:
name: xinetd
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xinetd | bool
tags: tags:
- services - services
- cat3 - cat3
- V-38584 - V-38584
# Ubuntu's equivalent of Red Hat's ypserv package is 'nis' # Ubuntu's equivalent of Red Hat's ypserv package is 'nis'
- name: V-38603 - Remove ypserv (nis) package - name: V-38603 - Remove ypserv package with apt
apt: apt:
name: nis name: "{{ ypserv_pkg }}"
state: absent state: absent
when: security_remove_ypserv | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_ypserv | bool
tags:
- services
- cat2
- V-38603
- name: V-38603 - Remove ypserv package with yum
yum:
name: "{{ ypserv_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ypserv | bool
tags: tags:
- services - services
- cat2 - cat2
@ -113,7 +168,7 @@
- name: V-38605 - The cron service must be running - name: V-38605 - The cron service must be running
service: service:
name: cron name: "{{ cron_service }}"
state: started state: started
enabled: yes enabled: yes
tags: tags:
@ -121,11 +176,25 @@
- cat2 - cat2
- V-38605 - V-38605
- name: V-38606 - The tftp-server package must not be installed unless required - name: V-38606 - The tftp-server package must not be installed unless required (apt)
apt: apt:
name: tftpd name: "{{ tftp_pkg }}"
state: absent state: absent
when: security_remove_tftp_server | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_tftp_server | bool
tags:
- services
- cat2
- V-38606
- name: V-38606 - The tftp-server package must not be installed unless required (yum)
yum:
name: "{{ tftp_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_tftp_server | bool
tags: tags:
- services - services
- cat2 - cat2
@ -136,37 +205,81 @@
name: avahi-daemon name: avahi-daemon
state: stopped state: stopped
enabled: no enabled: no
when: security_disable_avahi | bool and 'avahi' in sysv_services.stdout when:
- security_disable_avahi | bool
- "'avahi' in services_installed.stdout"
tags: tags:
- services - services
- cat3 - cat3
- V-38618 - V-38618
- name: V-38627 - Remove LDAP servers unless required - name: V-38627 - Remove LDAP servers unless required (apt)
apt: apt:
name: slapd name: "{{ ldap_server_pkg }}"
state: absent state: absent
when: security_remove_ldap_server | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_ldap_server | bool
tags: tags:
- services - services
- cat3 - cat3
- V-38627 - V-38627
- name: V-38671 - Remove sendmail - name: V-38627 - Remove LDAP servers unless required (yum)
yum:
name: "{{ ldap_server_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_ldap_server | bool
tags:
- services
- cat3
- V-38627
- name: V-38671 - Remove sendmail with apt
apt: apt:
name: sendmail name: sendmail
state: absent state: absent
when: security_remove_sendmail | bool when:
- ansible_pkg_mgr == 'apt'
- security_remove_sendmail | bool
tags: tags:
- services - services
- cat2 - cat2
- V-38671 - V-38671
- name: V-38676 - The X windows package must not be installed - name: V-38671 - Remove sendmail with yum
apt: yum:
name: xserver-xorg name: sendmail
state: absent state: absent
when: security_remove_xorg | bool when:
- ansible_pkg_mgr == 'yum'
- security_remove_sendmail | bool
tags:
- services
- cat2
- V-38671
- name: V-38676 - The X windows package must not be installed (apt)
apt:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'apt'
- security_remove_xorg | bool
tags:
- services
- cat3
- V-38676
- name: V-38676 - The X windows package must not be installed (yum)
yum:
name: "{{ xserver_pkg }}"
state: absent
when:
- ansible_pkg_mgr == 'yum'
- security_remove_xorg | bool
tags: tags:
- services - services
- cat3 - cat3
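Review bot: The systemd inventory feeding `services_installed` comes from `systemctl list-units --type=service --no-legend`, which lists only units currently loaded (in practice running or failed), so a service that is installed and enabled but not running when the role executes is absent from the list and the `enabled: no` half of each disable task never applies on CentOS 7 or Ubuntu 16.04. `systemctl list-unit-files --type=service --no-legend | awk '{print $1}'` enumerates installed units regardless of state and matches the `find /etc/init.d/` semantics the conditions were written against. The `'atd' in services_installed.stdout` substring checks are inherited from the sysv branch and match any unit name containing the string, which is worth tightening to a list membership test but is pre-existing. Whether `ternary (…)` with a space before the parenthesis parses on every Ansible version in use is not something the hunk establishes; `ternary(...)` is the conventional form.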


@ -19,26 +19,32 @@
- name: Ensure apt cache is updated before testing - name: Ensure apt cache is updated before testing
apt: apt:
update_cache: yes update_cache: yes
when: ansible_pkg_mgr == 'apt'
post_tasks: post_tasks:
- name: Stat 20auto-upgrades file - name: Stat 20auto-upgrades file
stat: stat:
path: /etc/apt/apt.conf.d/20auto-upgrades path: /etc/apt/apt.conf.d/20auto-upgrades
register: auto_upgrades_file register: auto_upgrades_file
when: ansible_pkg_mgr == 'apt'
- name: Slurp contents of 50unattended-upgrades file - name: Slurp contents of 50unattended-upgrades file
slurp: slurp:
src: /etc/apt/apt.conf.d/50unattended-upgrades src: /etc/apt/apt.conf.d/50unattended-upgrades
register: unattended_upgrades_file_encoded register: unattended_upgrades_file_encoded
when: ansible_pkg_mgr == 'apt'
- name: Decode slurp'd 50-unattended-upgrades file - name: Decode slurp'd 50-unattended-upgrades file
set_fact: set_fact:
unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}" unattended_upgrades_file: "{{ unattended_upgrades_file_encoded.content | b64decode }}"
when: ansible_pkg_mgr == 'apt'
- name: Ensure auto updates has been enabled - name: Ensure auto updates has been enabled
assert: assert:
that: that:
- auto_upgrades_file.stat.exists - auto_upgrades_file.stat.exists
when: ansible_pkg_mgr == 'apt'
- name: Ensure that auto update notifications has been enabled - name: Ensure that auto update notifications has been enabled
assert: assert:
that: that:
- "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file" - "'\nUnattended-Upgrade::Mail \"root\";\n' in unattended_upgrades_file"
when: ansible_pkg_mgr == 'apt'
roles: roles:
- role: "{{ rolename }}" - role: "{{ rolename }}"
vars: vars:

15
tox.ini

@ -13,6 +13,7 @@ passenv =
HOME HOME
whitelist_externals = whitelist_externals =
bash bash
cat
git git
rm rm
setenv = setenv =
@ -91,6 +92,7 @@ commands =
--syntax-check \ --syntax-check \
--list-tasks \ --list-tasks \
-e "rolename={toxinidir}" \ -e "rolename={toxinidir}" \
-t ssh \
{toxinidir}/tests/test.yml {toxinidir}/tests/test.yml
@ -103,16 +105,21 @@ commands =
# NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building # NOTE(odyssey4me): We have to skip V-38462 as openstack-infra are now building
# images with apt config Apt::Get::AllowUnauthenticated set # images with apt config Apt::Get::AllowUnauthenticated set
# to true. # to true.
# NOTE(mhayden): Some infra images don't have AppArmor enabled, so V-51337 # NOTE(mhayden): V-51337: OpenStack infra images don't have AppArmor
# must be skipped. # enabled, so it must be skipped.
# V-38674: OpenStack infra images have graphical target
# enabled, so it must be skipped.
# V-38574: OpenStack infra images have non-standard pam
# configurations that don't match a standard CentOS 7 server
# or cloud image. It must be skipped.
commands = commands =
rm -rf {homedir}/.ansible rm -rf {homedir}/.ansible
git clone https://git.openstack.org/openstack/openstack-ansible-plugins \ git clone https://git.openstack.org/openstack/openstack-ansible-plugins \
{homedir}/.ansible/plugins {homedir}/.ansible/plugins
ansible-playbook -i {toxinidir}/tests/inventory \ ansible-playbook -i {toxinidir}/tests/inventory \
-e "rolename={toxinidir}" \ -e "rolename={toxinidir}" \
{toxinidir}/tests/test.yml \ --skip-tag V-38462,V-51337,V-38574,V-38674 \
--skip-tag V-38462,V-51337 {toxinidir}/tests/test.yml
[testenv:linters] [testenv:linters]
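Review bot: The widened `--skip-tag V-38462,V-51337,V-38574,V-38674` in the functional env applies on every platform the job runs on, while the comment above it justifies V-38574 (PAM configuration) and V-38674 (graphical target) only for the CentOS 7 infra images, so both tasks also stop being exercised on the Ubuntu path that was covered before. If the skip cannot be made platform-conditional here, the coverage loss is worth stating in the comment, e.g. `# NOTE: V-38574 and V-38674 are skipped on all platforms, not only CentOS 7; they are currently untested`. The `-t ssh` added to the syntax-check/list-tasks run limits only the task listing, which reads as intentional but is undocumented; a one-line comment saying why would help.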

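--- /dev/null
+++ b/vars/redhat.yml
@@ -0,0 +1,31 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Configuration file paths
+pam_auth_file: /etc/pam.d/system-auth
+pam_password_file: /etc/pam.d/password-auth-ac
+vsftpd_conf_file: /etc/vsftpd/vsftpd.conf
+# Package names
+auditd_pkg: audit
+ldap_server_pkg: openldap-servers
+telnet_server_pkg: telnet-server
+tftp_pkg: tftp-server
+xserver_pkg: xorg-x11-server-Xorg
+ypserv_pkg: ypserv
+# Service names
+cron_service: crond
+ssh_service: sshd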
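Review bot: `pam_password_file: /etc/pam.d/password-auth-ac` targets the authconfig-generated file while `pam_auth_file: /etc/pam.d/system-auth` targets the symlink that points at its own `-ac` counterpart; on CentOS 7 authconfig rewrites the `*-ac` files, so PAM edits made through these two paths may not survive the same way across an authconfig run. How the role writes to these variables is outside this section, so treat this as something to confirm rather than a certain bug. Picking one convention for both, and recording the interaction with a comment such as `# NOTE: system-auth and password-auth are authconfig-managed symlinks to the *-ac files; authconfig regenerates the *-ac files`, would make the behaviour predictable.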

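--- /dev/null
+++ b/vars/ubuntu.yml
@@ -0,0 +1,34 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# Maximum age of the apt cache before a refresh is required
+cache_timeout: 600
+# Configuration file paths
+pam_auth_file: /etc/pam.d/common-auth
+pam_password_file: /etc/pam.d/common-password
+vsftpd_conf_file: /etc/vsftpd.conf
+# Package names
+auditd_pkg: auditd
+ldap_server_pkg: slapd
+telnet_server_pkg: telnetd
+tftp_pkg: tftpd
+xserver_pkg: xorg-xserver
+ypserv_pkg: nis
+# Service name
+cron_service: cron
+ssh_service: ssh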
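Review bot: `xserver_pkg: xorg-xserver` does not match the package the role removed before this change — the old side of the V-38676 task in the tasks hunk above reads `name: xserver-xorg`, which is the actual Ubuntu/Debian package name — so the apt removal for V-38676 now targets a name apt does not know and the X server is no longer removed on Ubuntu. The fix is the one line `xserver_pkg: xserver-xorg`. As a minor consistency nit, the section comment here is `# Service name` while vars/redhat.yml uses `# Service names`.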