Make check of package checksums configurable

Change-Id: I9ac64d7995223a20b956d0a1b83bd1a60e556c03

defaults/main.yml

@@ -299,6 +299,7 @@ security_package_clean_on_remove: no                         # V-71987
 security_rhel7_automatic_package_updates: no                 # V-71999
 # Install packages for multi-factor authentication.
 security_install_multifactor_auth_packages: yes              # V-72417
+security_check_package_checksums: no                         # V-71855
 
 ## RPM (rpm)
 # Enable GPG checks for packages and repository data.

doc/metadata/rhel7/V-71855.rst

@@ -1,6 +1,6 @@
 ---
 id: V-71855
-status: implemented
+status: opt-in
 tag: packages
 ---
 
@@ -15,3 +15,13 @@ system administration practices.
 
 Configuration files may appear in the list as well, but these are often less
 concerning since some of these files are adjusted by the security role itself.
+
+Generating and validating checksums of all files installed by packages consume a
+significant amount of disk I/O and could impact the performance of a production system.
+It can also delay the playbook's completion. Therefore, the check is disabled by default.
+
+Deployers can enable the check by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_check_package_checksums: yes

releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml

@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Generating and validating checksums for all files installed by packages is now
+    disabled by default. The check causes delays in playbook runs and it can
+    consume a significant amount of CPU and I/O resources. Deployers can re-enable
+    the check by setting ``security_check_package_checksums`` to ``yes``.

tasks/rhel7stig/apt.yml

@@ -17,12 +17,14 @@
   apt:
     name: debsums
     state: installed
+  when: security_check_package_checksums | bool
 
 - name: Gather debsums report
   shell: "debsums > {{ temp_dir }}/debsums.txt"
   changed_when: False
   failed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
 
 - name: V-71855 - Get files with invalid checksums (apt)
@@ -30,6 +32,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'debian'
   tags:
@@ -40,6 +43,7 @@
   set_fact:
     invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
   when:
+    - security_check_package_checksums | bool
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined
   tags:
@@ -54,6 +58,7 @@
       they have not been modified by an unauthorized user:
       {{ invalid_checksum_files_violations }}
   when:
+    - security_check_package_checksums | bool
     - ansible_os_family | lower == 'debian'
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined

tasks/rhel7stig/rpm.yml

@@ -29,6 +29,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'redhat'
   tags:
@@ -47,6 +48,7 @@
         {{ filename }}
       {% endfor %}
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'redhat'
     - invalid_checksum_files is defined

tasks/rhel7stig/zypper.yml

@@ -30,6 +30,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
   tags:
     - rpm
@@ -47,6 +48,7 @@
         {{ filename }}
       {% endfor %}
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined