GPG verification for packages

This patch adds the GPG verification requirements for packages from
the following STIGs:

  * RHEL-07-020150
  * RHEL-07-020151
  * RHEL-07-020152

The implementation for CentOS is much more robust due to some shortcomings
with apt on Ubuntu.

Implements: blueprint security-rhel7-stig
Change-Id: Ia125d6386a0d33f7c9d8c7a6de1c6d949018f671

defaults/main.yml

@@ -407,6 +407,11 @@ security_rhel7_remove_tftp_server: yes                       # RHEL-07-040500
 security_rhel7_remove_xorg: yes                              # RHEL-07-040560
 security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
 
+## RPM (rpm)
+# Enable GPG checks for remotely and locally installed packages. This includes
+# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
+security_enable_gpgcheck: yes                                # RHEL-07-020150
+
 ## ssh server (sshd)
 # Prevent users from logging in over ssh if they have an empty password.
 security_sshd_disallow_empty_password: yes                   # RHEL-07-010270

doc/metadata/rhel7/RHEL-07-020150.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-020150
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
+anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
+If the string is found, a warning is printed on the console.
+
+On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the
+``/etc/yum.conf`` file. This enables GPG checks for all packages installed
+with ``yum``.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_gpgcheck: no
+
+Note that setting this variable also affects two other STIG configurations:
+
+* :ref:`stig-RHEL-07-020151`
+* :ref:`stig-RHEL-07-020152`

doc/metadata/rhel7/RHEL-07-020151.rst

@@ -1,7 +1,24 @@
 ---
 id: RHEL-07-020151
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+On Ubuntu systems, the tasks comment out the ``no-debsig`` configuration line
+in ``/etc/dpkg/dpkg.cfg``.  This causes ``dpkg`` to verify GPG signatures for
+all packages that are installed locally.
+
+On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in
+the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed
+locally with ``yum``.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_gpgcheck: no
+
+Note that setting this variable also affects two other STIG configurations:
+
+* :ref:`stig-RHEL-07-020150`
+* :ref:`stig-RHEL-07-020152`

doc/metadata/rhel7/RHEL-07-020152.rst

@@ -1,7 +1,23 @@
 ---
 id: RHEL-07-020152
-status: not implemented
-tag: misc
+status: implemented
+tag: packages
 ---
 
-This STIG requirement is not yet implemented.
+On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
+anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
+If the string is found, a warning is printed on the console.
+
+On CentOS 7 systems, the tasks set the ``repo_gpgcheck`` option to ``1`` in the
+``/etc/yum.conf`` file. This enables GPG checks for all repository metadata.
+
+Deployers can opt-out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_gpgcheck: no
+
+Note that setting this variable also affects two other STIG configurations:
+
+* :ref:`stig-RHEL-07-020150`
+* :ref:`stig-RHEL-07-020151`

tasks/rhel7stig/apt.yml

@@ -60,3 +60,32 @@
   tags:
     - high
     - RHEL-07-010020
+
+# See the documentation for RHEL-07-020150 for more details on this check.
+- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
+  command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
+  register: gpgcheck_result
+  changed_when: False
+  failed_when: False
+  always_run: True
+
+- name: RHEL-07-020150 - Package management tool must verify authenticity of packages
+  debug:
+    msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
+  when: "gpgcheck_result.rc == 0"
+  tags:
+    - high
+    - RHEL-07-020150
+    - RHEL-07-020152
+
+- name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
+  lineinfile:
+    dest: /etc/dpkg/dpkg.cfg
+    regexp: "^(#)?no-debsig"
+    line: "#no-debsig"
+    state: present
+  when:
+    - security_enable_gpgcheck | bool
+  tags:
+    - high
+    - RHEL-07-020151

tasks/rhel7stig/rpm.yml

@@ -42,3 +42,22 @@
   tags:
     - high
     - RHEL-07-010020
+
+# This covers RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
+- name: RHEL-07-020150 - Require digital signatures for all packages
+  lineinfile:
+    dest: /etc/yum.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  with_items:
+    - { regexp: "^gpgcheck.*", line: "gpgcheck=1" }
+    - { regexp: "^localpkg_gpgcheck.*", line: "localpkg_gpgcheck=1" }
+    - { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1" }
+  when:
+    - security_enable_gpgcheck | bool
+  tags:
+    - high
+    - RHEL-07-020150
+    - RHEL-07-020151
+    - RHEL-07-020152