From 2d407a539942b3e95800f5cf8183395d50bf2aba Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 8 Nov 2017 07:28:47 -0600
Subject: [PATCH] Add scaffolding for contrib tasks

This patch adds the basic scaffolding for developer-contributed hardening standards that are outside the scope of the Security Technical Implementation Guide (STIG). Deployers have the option to deploy these hardening standards as well.

Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
---
 defaults/main.yml | 26 +++++++++++++++++++++++++
 doc/source/contrib.rst | 39 ++++++++++++++++++++++++++++++++++++++
 doc/source/domains.rst | 4 ++--
 doc/source/index.rst | 1 +
 tasks/contrib/main.yml | 18 ++++++++++++++++++
 tasks/main.yml | 4 ++++
 tasks/rhel7stig/kernel.yml | 1 +
 tests/test.yml | 2 ++
 vars/main.yml | 3 +++
 9 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 doc/source/contrib.rst
 create mode 100644 tasks/contrib/main.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index c66fdbe0..b360c955 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -367,3 +367,29 @@ security_disable_kdump: yes # V-72057
 security_rhel7_disable_dccp: yes # V-77821
 # Enable Address Space Layout Randomization (ASLR).
 security_enable_aslr: yes # V-77825
+
+###############################################################################
+# ____ _ _ _
+# / ___|___ _ __ | |_ _ __(_) |__
+# | | / _ \| '_ \| __| '__| | '_ \
+# | |__| (_) | | | | |_| | | | |_) |
+# \____\___/|_| |_|\__|_| |_|_.__/
+#
+#
+# The following configurations apply to tasks that are contributed by
+# ansible-hardening developers and may not be part of a hardening standard
+# or compliance program. For more information on the 'contrib' tasks, review
+# the documentation:
+#
+# https://docs.openstack.org/ansible-hardening/latest/contrib.html
+#
+###############################################################################
+
+# To enable the contrib tasks, set this variable to 'yes'.
+security_contrib_enabled: no
+
+# Disable IPv6.
+# DANGER: This option causes IPv6 networking to be disabled for the ENTIRE
+# DANGER: SYSTEM. This will cause downtime for any services that depend on
+# DANGER: IPv6 network connectivity.
+security_contrib_disable_ipv6: no # C-00001
diff --git a/doc/source/contrib.rst b/doc/source/contrib.rst
new file mode 100644
index 00000000..ca4fb7de
--- /dev/null
+++ b/doc/source/contrib.rst
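Review bot: The comment block above `security_contrib_disable_ipv6` documents the blast radius but not how the setting is applied, and since `defaults/main.yml` is the file deployers read, a one-line pointer would help: `# Applied as the net.ipv6.conf.all.disable_ipv6 sysctl via vars/main.yml, and only when security_contrib_enabled is also set.` In this patch the variable is consumed by the `enabled` expression in the `vars/main.yml` hunk rather than by anything under `tasks/contrib/`, which is easy to miss from here.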
@@ -0,0 +1,39 @@
+Additional hardening configurations
+===================================
+
+Although the Security Technical Implementation Guide (STIG) contains a very
+comprehensive set of security configurations, some ansible-hardening
+contributors want to add extra security configurations to the role. The
+*contrib* portion of the ansible-hardening role is designed to implement those
+configurations as an optional set of tasks.
+
+The *contrib* hardening configurations are disabled by default, but they can
+be enabled by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_contrib_enabled: yes
+
+The individual tasks are controlled by Ansible variables in
+``defaults/main.yml`` that begin with ``security_contrib_``.
+
+Kernel
+------
+
+C-00001 - Disable IPv6
+~~~~~~~~~~~~~~~~~~~~~~
+
+Some systems do not require IPv6 connectivity and the presence of link local
+IPv6 addresses can present an additional attack surface for lateral movement.
+Deployers can set the following variable to disable IPv6 on all network
+interfaces:
+
+.. code-block:: yaml
+
+ security_contrib_disable_ipv6: yes
+
+.. warning::
+
+ Deployers should test this change in a test environment before applying it
+ in a production deployment. Applying this change to a production system
+ that relies on IPv6 connectivity will cause unexpected downtime.
diff --git a/doc/source/domains.rst b/doc/source/domains.rst
index 0a05c331..07d6bda2 100644
--- a/doc/source/domains.rst
+++ b/doc/source/domains.rst
@@ -1,7 +1,7 @@
 .. _hardening-domains-label:
 
-Hardening Domains
-=================
+Hardening Domains (RHEL 7 STIG)
+===============================
 
 The STIG divides its hardening requirements into severity levels, but the
 security role divides the requirements into system domains to make them easier
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 5564f115..8801d186 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -58,6 +58,7 @@ releases is found within the *Releases* section below.
 faq.rst
 domains.rst
 controls-rhel7.rst
+ contrib.rst
 developer-guide.rst
 
 Releases
diff --git a/tasks/contrib/main.yml b/tasks/contrib/main.yml
new file mode 100644
index 00000000..e3ebea63
--- /dev/null
+++ b/tasks/contrib/main.yml
@@ -0,0 +1,18 @@
+---
+# Copyright 2017, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Notify the deployer that contrib tasks are enabled
+ debug:
+ msg: "The contrib tasks are enabled."
diff --git a/tasks/main.yml b/tasks/main.yml
index ac02466e..8ecfede7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -53,3 +53,7 @@
 - always
 
 - include: "{{ stig_version }}stig/main.yml"
+
+ - include: contrib/main.yml
+ when:
+ - security_contrib_enabled | bool
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index c5123127..23e0c814 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -46,6 +46,7 @@
 - V-72293
 - V-72309
 - V-72319
+ - C-00001
 
 - name: Check kdump service
 command: systemctl status kdump
diff --git a/tests/test.yml b/tests/test.yml
index 44706e09..b7f03d2f 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -61,3 +61,5 @@
 # this role without causing disruptions on the system.
 security_enable_virus_scanner: no
 security_run_virus_scanner_update: no
+ # Enable the contrib tasks.
+ security_contrib_enabled: yes
diff --git a/vars/main.yml b/vars/main.yml
index aa0a8701..08e7edee 100644
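Review bot: The gated `- include: contrib/main.yml` suggests that contrib controls are applied from `tasks/contrib/main.yml`, but in this patch that file only emits a debug message, while the one real control (C-00001) is applied from the STIG sysctl task tagged in the `tasks/rhel7stig/kernel.yml` hunk and gated by the `enabled` expression in the `vars/main.yml` hunk. A reader looking for where C-00001 is enforced will not find it under `tasks/contrib/`, so a comment above the include would help: `# Contrib controls that reuse STIG tasks (e.g. sysctl settings in vars/main.yml) are gated by their own 'enabled' expressions, not only by this include.` The dynamic `include` matches the preceding `- include: "{{ stig_version }}stig/main.yml"` line, so the style is consistent; the enclosing task list starts outside the hunk.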
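Review bot: `security_contrib_enabled: yes` here only exercises the debug task in `tasks/contrib/main.yml`; the C-00001 sysctl entry added in `vars/main.yml` stays disabled because `security_contrib_disable_ipv6` keeps its default of `no`, so the only functional contrib change in this patch is not covered by the test run. If the test host does not depend on IPv6, adding `security_contrib_disable_ipv6: yes` beside this line would cover that path; otherwise a comment such as `# security_contrib_disable_ipv6 is left at its default; the IPv6 sysctl path is not exercised here.` keeps the gap visible. The enclosing variables mapping starts outside the hunk.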
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -344,3 +344,6 @@ sysctl_settings_rhel7:
 - name: kernel.randomize_va_space
 value: 2
 enabled: "{{ security_enable_aslr | bool }}"
+ - name: net.ipv6.conf.all.disable_ipv6
+ value: 1
+ enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"
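Review bot: `net.ipv6.conf.all.disable_ipv6` only affects interfaces that exist when the sysctl is applied; interfaces created afterwards (container veths, VPN tunnels, hot-plugged NICs) take their value from `net.ipv6.conf.default.disable_ipv6`, which this entry leaves untouched, so they still come up with link-local IPv6 addresses, the attack surface `doc/source/contrib.rst` says C-00001 removes. Add a second entry with the same gate: `- name: net.ipv6.conf.default.disable_ipv6` / `value: 1` / `enabled: "{{ (security_contrib_enabled | bool) and (security_contrib_disable_ipv6 | bool) }}"`. The `sysctl_settings_rhel7` list begins outside the hunk, and whether a disabled entry is skipped or explicitly reverted depends on the consuming task, which is not part of this patch.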