Add option to skip sudoers NOPASSWD check

This change adds the option `security_sudoers_nopasswd_check_enable`
when running check "V-71947". This change allows users to skip this
check via ansible extra variable instead of having to skip tags. While
this change has a functional benefit in some environments, it is being
done with the primary intention of providing a better experience to
deploying running clouds where services like cloud-init may be present.

Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-05-03 00:19:10 -05:00 committed by Kevin Carter (cloudnull)
parent 149bf0b918
commit 1cafaf8cce
3 changed files with 11 additions and 0 deletions
@ -153,6 +153,9 @@ security_rhel7_audit_modprobe: yes # V-72195
security_rhel7_audit_account_actions: yes # V-72197
## Authentication (auth)
# Check if sudoers has the NOPASSWD rule enabled
security_sudoers_nopasswd_check_enable: yes
# Disallow logins from accounts with blank/null passwords via PAM.
security_disallow_blank_password_login: yes # V-71937
# Apply password quality rules.
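Review bot: the added `security_sudoers_nopasswd_check_enable: yes` line is the only variable in this block without a STIG identifier comment; its neighbours carry `# V-72197` and `# V-71937`, and the commit message ties this option to V-71947, so append `# V-71947` to keep the defaults file greppable by control ID.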
@ -10,3 +10,9 @@ cannot perform interactive authentication. Automated edits from Ansible tasks
might cause authentication disruptions on some hosts, and deployers are urged
to carefully review each use of the ``NOPASSWD`` directive in their ``sudo``
configuration files.
Deployers can opt-out of this change by setting an Ansible variable:
.. code-block:: yaml
security_sudoers_nopasswd_check_enable: no
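Review bot: in reStructuredText a `.. code-block:: yaml` directive needs a blank line after it and an indented body; as shown here `security_sudoers_nopasswd_check_enable: no` sits flush left directly under the directive, which Sphinx will either reject or render as a bare paragraph. If the indentation was only lost in this rendering, disregard; otherwise indent the body by three spaces. Minor: "opt-out" used as a verb should be "opt out".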
@ -111,6 +111,8 @@
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
register: sudoers_nopasswd_check
changed_when: False
when:
- security_sudoers_nopasswd_check_enable | bool
tags:
- auth
- medium
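Review bot: the new `when:` guard skips this task but it still registers `sudoers_nopasswd_check`; a skipped task registers a result with `skipped: true` and no `stdout`, so any later task that reads `sudoers_nopasswd_check.stdout` (not visible in this hunk) must carry the same `when: security_sudoers_nopasswd_check_enable | bool` or use a `default()` filter, otherwise disabling the option trades the NOPASSWD check for an undefined-attribute failure. Pre-existing but visible here: because `grep -r` is given two paths it prefixes every match with the file name, so the `egrep -v "^([[:space:]]*)?(#|$)"` filter anchored at `^` never matches and commented-out NOPASSWD lines are still reported as found.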