Disable the rdisc service (if present)

This patch checks for the rdisc service on a host and disables the service,
if the service is installed. The service will be stopped immediately if it
is found to be running.

Documentation and release notes are included.

Closes-bug: 1584191

Change-Id: Ieeb2d25ecf1920448701c33d4ea623d3f65becf6

defaults/main.yml

@@ -157,6 +157,7 @@ security_disable_autofs: yes                      # V-38437
 security_disable_avahi: yes                       # V-31618
 security_disable_bluetooth: yes                   # V-38691
 security_disable_qpidd: yes                       # V-38648
+security_disable_rdisc: yes                       # V-38650
 security_disable_rsh: yes                         # V-38594
 security_disable_ypbind: yes                      # V-38604
 security_disable_xinetd: yes                      # V-38582

doc/source/developer-notes/V-38650.rst

@@ -1,4 +1,8 @@
-**Special case**
-
 Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
-Therefore, no action is taken for this STIG.
+
+In CentOS, the ``rdisc`` service will be stopped and disabled if it is present
+on the system. To opt-out of this change, set the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_rdisc: no

releasenotes/notes/disabling-rdisc-centos-75115b3509941bfa.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    An Ansible was added to disable the ``rdisc`` service on CentOS systems if
+    the service is installed on the system.
+
+    Deployers can opt-out of this change by setting ``security_disable_rdisc``
+    to ``no``.

tasks/services.yml

@@ -237,6 +237,19 @@
     - cat3
     - V-38627
 
+- name: V-38650 - rdisc must be disabled
+  service:
+    name: rdisc
+    state: stopped
+    enabled: no
+  when:
+    - security_disable_rdisc | bool
+    - "'rdisc' in services_installed.stdout"
+  tags:
+    - services
+    - cat3
+    - V-38650
+
 - name: V-38671 - Remove sendmail with apt
   apt:
     name: sendmail