Merge "Disable the netconsole service (if present)"

defaults/main.yml

@@ -156,6 +156,7 @@ security_disable_atd: yes                         # V-38640
 security_disable_autofs: yes                      # V-38437
 security_disable_avahi: yes                       # V-31618
 security_disable_bluetooth: yes                   # V-38691
+security_disable_netconsole: yes                  # v-38672
 security_disable_qpidd: yes                       # V-38648
 security_disable_rdisc: yes                       # V-38650
 security_disable_rsh: yes                         # V-38594

doc/source/developer-notes/V-38672.rst

@@ -1,2 +1,10 @@
 Ubuntu doesn't provide the netconsole package and the daemon isn't included
-in any other Ubuntu packages. Therefore, no action is required for this STIG.
+in any other Ubuntu packages.
+
+In CentOS, the ``netconsole`` daemon will be stopped and disabled if it is
+found to be installed. Deployers can opt-out of this change by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_netconsole: no

releasenotes/notes/disable-netconsole-service-915bb33449b4012c.yaml

@@ -0,0 +1,7 @@
+fixes:
+  - |
+    An Ansible task was added to disable the ``netconsole`` service on CentOS
+    systems if the service is installed on the system.
+
+    Deployers can opt-out of this change by setting
+    ``security_disable_netconsole`` to ``no``.

tasks/services.yml

@@ -274,6 +274,19 @@
     - cat2
     - V-38671
 
+- name: V-38672 - netconsole must be disabled
+  service:
+    name: netconsole
+    state: stopped
+    enabled: no
+  when:
+    - security_disable_netconsole | bool
+    - "'netconsole' in services_installed.stdout"
+  tags:
+    - services
+    - cat3
+    - V-38672
+
 - name: V-38676 - The X windows package must not be installed (apt)
   apt:
     name: "{{ xserver_pkg }}"