From 1cafaf8cce7c36a1dd568e746d60fb5528285ce2 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Thu, 3 May 2018 00:19:10 -0500
Subject: [PATCH] Add option to skip sudoers NOPASSWD check

This change adds the option `security_sudoers_nopasswd_check_enable` when running check "V-71947". This change allows users to skip this check via ansible extra variable instead of having to skip tags. While this change has a functional benifit in some environments, it is being done with the primary intention of providing a better experience to deploying running clouds where services like cloud-init may be present.

Change-Id: I0d0c95534ace0b00fa64c2f243ad91ce5844d85a
Closes-Bug: #1741225
Signed-off-by: Kevin Carter
---
 defaults/main.yml | 3 +++
 doc/metadata/rhel7/V-71947.rst | 6 ++++++
 tasks/rhel7stig/auth.yml | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 178b882a..458eaaf7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -153,6 +153,9 @@ security_rhel7_audit_modprobe: yes # V-72195
 security_rhel7_audit_account_actions: yes # V-72197
 
 ## Authentication (auth)
+# Check if sudoers has the NOPASSWD rule enabled
+security_sudoers_nopasswd_check_enable: yes
+
 # Disallow logins from accounts with blank/null passwords via PAM.
 security_disallow_blank_password_login: yes # V-71937
 # Apply password quality rules.
diff --git a/doc/metadata/rhel7/V-71947.rst b/doc/metadata/rhel7/V-71947.rst
index bda50cf5..f4a19224 100644
--- a/doc/metadata/rhel7/V-71947.rst
+++ b/doc/metadata/rhel7/V-71947.rst
@@ -10,3 +10,9 @@ cannot perform interactive authentication.
 Automated edits from Ansible tasks might cause authentication disruptions on some hosts, and deployers are urged to carefully review each use of the ``NOPASSWD`` directive in their ``sudo`` configuration files.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+ security_sudoers_nopasswd_check_enable: no
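Review bot: The new default `security_sudoers_nopasswd_check_enable: yes` in defaults/main.yml carries no STIG reference, unlike the neighbouring defaults that end with a `# V-71937`-style tag, so a grep for V-71947 will not find the switch that turns that control off. I would tag it and state what disabling means: `# Run the V-71947 audit for NOPASSWD entries in sudoers; set to no to skip the check entirely.` followed by `security_sudoers_nopasswd_check_enable: yes # V-71947`. `yes` is a YAML 1.1 boolean rather than `true`, but it matches every other default in this file and the consuming task filters it through `| bool`, so I would not change the value itself.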
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 4888b9cf..f337d311 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -111,6 +111,8 @@
 shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
 register: sudoers_nopasswd_check
 changed_when: False
+ when:
+ - security_sudoers_nopasswd_check_enable | bool
 tags:
 - auth
 - medium
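Review bot: The added `when:` skips only the grep task, but a skipped task still registers `sudoers_nopasswd_check` with `skipped: true` and no `stdout`, so any later task in auth.yml that reads `sudoers_nopasswd_check.stdout` (not visible in this hunk, but implied by the `register:`) would fail with an undefined attribute once the option is set to `no`; the diffstat shows no other change to this file. That consumer needs the same `- security_sudoers_nopasswd_check_enable | bool` condition, or a guard such as `- sudoers_nopasswd_check is not skipped`, so disabling the audit degrades to a clean skip rather than a play failure. The task's `name:` line and the downstream consumer lie outside the hunk.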