V-3865{6,7}: Samba

Implements: blueprint security-hardening

Change-Id: I260cb84e543cad201e281f70adfcb181f54645be

doc/source/developer-notes/V-38656.rst

@@ -0,0 +1,4 @@
+Although the ``samba`` server isn't installed by Ubuntu or openstack-ansible
+by default, the Ansible tasks will check to see if the package is installed
+and the configuration file will be adjusted. If adjustments are made, the
+service will be restarted.

doc/source/developer-notes/V-38657.rst

@@ -0,0 +1,5 @@
+**Exception**
+
+Ubuntu and openstack-ansible do not currently configure any samba share mounts
+by default. However, deployers are urged to follow this STIG if they ever
+mount samba shares within their infrastructure.

handlers/main.yml

@@ -34,6 +34,11 @@
     name: rsyslog
     state: restarted
 
+- name: restart samba
+  service:
+    name: smbd
+    state: restarted
+
 - name: restart ssh
   service:
     name: ssh

tasks/misc.yml

@@ -109,6 +109,28 @@
    - cat3
    - V-38624
 
+- name: Check if samba is installed (for V-38656)
+  stat:
+    path: /etc/samba/smb.conf
+  register: v38656_result
+  changed_when: false
+  tags:
+    - cat3
+    - V-38656
+
+- name: V-38656 - System must use SMB client signing
+  lineinfile:
+    dest: /etc/samba/smb.conf
+    regexp: "^(;)?client signing"
+    line: "client signing = mandatory"
+    insertafter: "############ Misc ############"
+  when: v38656_result.stat.exists == True
+  notify:
+    - restart samba
+  tags:
+    - cat3
+    - V-38656
+
 - name: V-38675 - Process core dump must be disabled
   lineinfile:
     dest: /etc/security/limits.d/V-38675-coredump.conf