From baa5db7768a284590d691b876f0c69e7650be70c Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Fri, 27 Oct 2017 09:57:45 +0200
Subject: [PATCH] Make check of package checksums configurable

Change-Id: I9ac64d7995223a20b956d0a1b83bd1a60e556c03
---
 defaults/main.yml | 1 +
 doc/metadata/rhel7/V-71855.rst | 12 +++++++++++-
 ...ackage-checksums-by-default-3543840512c348d6.yaml | 7 +++++++
 tasks/rhel7stig/apt.yml | 5 +++++
 tasks/rhel7stig/rpm.yml | 2 ++
 tasks/rhel7stig/zypper.yml | 2 ++
 6 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 08182fdd..bb964cb4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -299,6 +299,7 @@ security_package_clean_on_remove: no # V-71987
 security_rhel7_automatic_package_updates: no # V-71999
 # Install packages for multi-factor authentication.
 security_install_multifactor_auth_packages: yes # V-72417
+security_check_package_checksums: no # V-71855
 
 ## RPM (rpm)
 # Enable GPG checks for packages and repository data.
diff --git a/doc/metadata/rhel7/V-71855.rst b/doc/metadata/rhel7/V-71855.rst
index aa0e2ed1..59564082 100644
--- a/doc/metadata/rhel7/V-71855.rst
+++ b/doc/metadata/rhel7/V-71855.rst
@@ -1,6 +1,6 @@
 ---
 id: V-71855
-status: implemented
+status: opt-in
 tag: packages
 ---
 
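Review bot: The new default `security_check_package_checksums: no` switches off the only control in this role that reports package-installed files whose checksums no longer match (V-71855), and the bare `# V-71855` tag on that line gives a deployer no hint that a file-integrity check is being skipped rather than some packaging convenience. Because most deployments run the hardening defaults unchanged, the trade-off belongs next to the variable rather than only in the rst document. I would put two comment lines above it: `# Report package-installed files whose checksums no longer match (V-71855).` and `# Off by default: verifying every installed file is I/O-intensive and slows the run; enable where tampering must be detected.` The `yes`/`no` spelling matches the rest of this file and the tasks evaluate it through `| bool`, so the value itself is fine.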
@@ -15,3 +15,13 @@ system administration practices. Configuration files may appear in the list as well, but these are often less concerning since some of these files are adjusted by the security role itself.
+
+Generating and validating checksums of all files installed by packages consume a
+significant amount of disk I/O and could impact the performance of a production system.
+It can also delay the playbook's completion. Therefore, the check is disabled by default.
+
+Deployers can enable the check by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_check_package_checksums: yes
diff --git a/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml b/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml
new file mode 100644
index 00000000..f32f2de1
--- /dev/null
+++ b/releasenotes/notes/disable-check-of-package-checksums-by-default-3543840512c348d6.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Generating and validating checksums for all files installed by packages is now
+    disabled by default. The check causes delays in playbook runs and it can
+    consume a significant amount of CPU and I/O resources. Deployers can re-enable
+    the check by setting ``security_check_package_checksums`` to ``yes``.
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index 84163749..ecc7c688 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -17,12 +17,14 @@
   apt:
     name: debsums
     state: installed
+  when: security_check_package_checksums | bool
 
 - name: Gather debsums report
   shell: "debsums > {{ temp_dir }}/debsums.txt"
   changed_when: False
   failed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
 
 - name: V-71855 - Get files with invalid checksums (apt)
@@ -30,6 +32,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'debian'
   tags:
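Review bot: With `security_check_package_checksums` false, the install, gather and report tasks in the first apt hunk are simply skipped, so a play that finishes with no V-71855 output looks identical to one in which every installed file verified clean; an operator reading the run log cannot tell that the integrity check was switched off. A short notice task makes the opt-out visible in the place an auditor actually looks, for example next to the `Install debsums` task whose `- name:` line sits just above this hunk (or once in the role's shared task list, if it has one, so the rpm and zypper paths are covered by the same message). The release note and the rst page say the check is off by default, but neither is part of the run output.
```yaml
- name: V-71855 - Notify that package checksum verification is disabled
  debug:
    msg: >
      Package file checksum verification (V-71855) is disabled on this host;
      set security_check_package_checksums to yes to run it.
  when: not security_check_package_checksums | bool
# … unchanged: Install debsums / Gather debsums report tasks …
```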
@@ -40,6 +43,7 @@
   set_fact:
     invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
   when:
+    - security_check_package_checksums | bool
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined
   tags:
@@ -54,6 +58,7 @@
       they have not been modified by an unauthorized user:
       {{ invalid_checksum_files_violations }}
   when:
+    - security_check_package_checksums | bool
     - ansible_os_family | lower == 'debian'
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
index 61b56014..f86c6968 100644
--- a/tasks/rhel7stig/rpm.yml
+++ b/tasks/rhel7stig/rpm.yml
@@ -29,6 +29,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'redhat'
   tags:
@@ -47,6 +48,7 @@
       {{ filename }}
       {% endfor %}
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - ansible_os_family | lower == 'redhat'
     - invalid_checksum_files is defined
diff --git a/tasks/rhel7stig/zypper.yml b/tasks/rhel7stig/zypper.yml
index c71e1ce4..bae858d0 100644
--- a/tasks/rhel7stig/zypper.yml
+++ b/tasks/rhel7stig/zypper.yml
@@ -30,6 +30,7 @@
   register: invalid_checksum_files
   changed_when: False
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
   tags:
     - rpm
@@ -47,6 +48,7 @@
       {{ filename }}
       {% endfor %}
   when:
+    - security_check_package_checksums | bool
     - not check_mode | bool
     - invalid_checksum_files is defined
     - invalid_checksum_files.stdout is defined
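Review bot: In the `set_fact` task's `when:` list (first hunk of this line, whose `- name:` sits above the hunk) the new `security_check_package_checksums | bool` condition overlaps the existing `invalid_checksum_files.stdout is defined` guard: when the gather task is skipped by the new flag, Ansible as far as I recall still registers `invalid_checksum_files` but without a `stdout` key, so this task already did not run. That is harmless, but the two guards cover different cases — the flag expresses the opt-out, while the `stdout` guard also covers check mode, where the gather task is skipped by its `not check_mode | bool` condition — so neither should later be dropped on the assumption that the other suffices. A one-line comment above the `when:` would make that explicit: `# flag gates the opt-out; the stdout guard also covers check mode, where the gather task is skipped`. The same pairing recurs in the rpm and zypper hunks below, so the comment is worth adding there too.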