Add whitelist option for yum repository files

Files in this whitelist should not be altered.

Currently this is only relevant for enforcing the gpg check.

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>

molecule/os_hardening/converge.yml

@@ -27,6 +27,7 @@
     os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
     os_filesystem_whitelist: []
     os_ctrlaltdel_disabled: true
+    os_yum_repo_file_whitelist: ['foo.repo']
     sysctl_config:
       net.ipv4.ip_forward: 0
       net.ipv6.conf.all.forwarding: 0

molecule/os_hardening/prepare.yml

@@ -54,3 +54,7 @@
     - name: create recursing symlink to test minimize access
       shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
       changed_when: false
+
+    - name: include YUM prepare tasks
+      include: prepare_yum.yml
+      when: ansible_facts.os_family == 'RedHat'

molecule/os_hardening/prepare_yum.yml

@@ -0,0 +1,16 @@
+---
+- name: create 'foo' repository
+  yum_repository:
+    name: foo
+    description: mandatory description
+    baseurl: file:///mandatory-url
+    enabled: false
+    gpgcheck: false
+
+- name: create 'bar' repository
+  yum_repository:
+    name: bar
+    description: mandatory description
+    baseurl: file:///mandatory-url
+    enabled: false
+    gpgcheck: false

molecule/os_hardening/verify.yml

@@ -41,6 +41,10 @@
       include: verify_pam.yml
       when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
 
+    - name: include YUM tests
+      include: verify_yum.yml
+      when: ansible_facts.os_family == 'RedHat'
+
     - name: download cinc-auditor
       get_url:
         url: https://omnitruck.cinc.sh/install.sh

molecule/os_hardening/verify_yum.yml

@@ -0,0 +1,8 @@
+---
+- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
+  command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
+  changed_when: false
+
+- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
+  command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
+  changed_when: false

roles/os_hardening/README.md

@@ -265,6 +265,9 @@ We know that this is the case on Raspberry Pi.
 - `os_yum_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring yum.
+- `os_yum_repo_file_whitelist`
+  - Default: `[]`
+  - Description: List of yum repository files under /etc/yum.repos.d/ which should not be altered.
 - `os_apt_enabled`
   - Default: `true`
   - Description: Set to false to disable installing and configuring apt.

roles/os_hardening/defaults/main.yml

@@ -380,6 +380,9 @@ os_rhosts_enabled: true
 # Set to false to disable installing and configuring yum.
 os_yum_enabled: true
 
+# List of yum repository files under /etc/yum.repos.d/ which should not be altered.
+os_yum_repo_file_whitelist: []
+
 # Set to false to disable installing and configuring apt.
 os_apt_enabled: true
 

roles/os_hardening/tasks/yum.yml

@@ -9,7 +9,7 @@
     - 'CentOS-Vault'
   when: os_security_packages_clean | bool
 
-- name: Get yum-repository-files
+- name: Get yum repository files
   find:
     paths: '/etc/yum.repos.d'
     patterns: '*.repo'
@@ -18,14 +18,14 @@
 # for the 'default([])' see here:
 # https://github.com/dev-sec/ansible-os-hardening/issues/99 and
 # https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
-- name: Activate gpg-check for yum-repository-files
+- name: Activate gpg-check for yum repository files
   replace:
-    path: '{{ item.path }}'
+    path: '{{ item }}'
     regexp: '^\s*gpgcheck.*'
     replace: 'gpgcheck=1'
     mode: '0644'
   with_items:
-    - '{{ yum_repos.files | default([]) }}'
+    - "{{ yum_repos.files | default([]) | map(attribute='path') | difference(os_yum_repo_file_whitelist | map('regex_replace', '^', '/etc/yum.repos.d/') | list) }}"
 
 # failed_when is needed because by default replace module will fail if the file doesn't exists.
 # status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.