Ensure separate filesystems exist [+Docs]

This STIG has requirements for separate filesystems for some mounts, but this
can only be done during the initial provisioning process.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I70b6e929b54648bfa7af62005a7d9ab2f397db22

doc/metadata/rhel7/RHEL-07-021240.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-021240
-status: not implemented
+status: exception - initial provisioning
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Deployers should consider using filesystem mounts for home directories during
+the initial server provisioning process. Adding filesystem mounts after a
+system is provisioned might lead to downtime.
+
+The tasks in the security role do not take action on filesystem mounts. If the
+server does not mount ``/home`` as a separate filesystem, a warning is printed
+in the Ansible output.

doc/metadata/rhel7/RHEL-07-021250.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-021250
-status: not implemented
+status: exception - initial provisioning
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Deployers should consider using filesystem mounts for ``/var`` during
+the initial server provisioning process. Adding filesystem mounts after a
+system is provisioned might lead to downtime.
+
+The tasks in the security role do not take action on filesystem mounts. If the
+server does not mount ``/var`` as a separate filesystem, a warning is printed
+in the Ansible output.

doc/metadata/rhel7/RHEL-07-021260.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-021260
-status: not implemented
+status: exception - initial provisioning
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Deployers should consider using filesystem mounts for ``/var/log/audit`` during
+the initial server provisioning process. Adding filesystem mounts after a
+system is provisioned might lead to downtime.
+
+The tasks in the security role do not take action on filesystem mounts. If the
+server does not mount ``/var/log/audit`` as a separate filesystem, a warning is
+printed in the Ansible output.

doc/metadata/rhel7/RHEL-07-021270.rst

@@ -1,7 +1,13 @@
 ---
 id: RHEL-07-021270
-status: not implemented
+status: exception - initial provisioning
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+Deployers should consider using filesystem mounts for ``/tmp`` during
+the initial server provisioning process. Adding filesystem mounts after a
+system is provisioned might lead to downtime.
+
+The tasks in the security role do not take action on filesystem mounts. If the
+server does not mount ``/tmp`` as a separate filesystem, a warning is
+printed in the Ansible output.

tasks/rhel7stig/misc.yml

@@ -57,6 +57,54 @@
     - misc
     - RHEL-07-020220
 
+- name: Check for /home on mounted filesystem
+  debug:
+    msg: |
+      The STIG requires that /home is on its own filesystem, but this system
+      does not appear to be following the requirement.
+  when:
+    - "{{ ansible_mounts | selectattr('mount', 'equalto', '/home') | list | length == 0 }}"
+  tags:
+    - low
+    - misc
+    - RHEL-07-021240
+
+- name: Check for /var on mounted filesystem
+  debug:
+    msg: |
+      The STIG requires that /var is on its own filesystem, but this system
+      does not appear to be following the requirement.
+  when:
+    - "{{ ansible_mounts | selectattr('mount', 'equalto', '/var') | list | length == 0 }}"
+  tags:
+    - low
+    - misc
+    - RHEL-07-021250
+
+- name: Check for /var/log/audit on mounted filesystem
+  debug:
+    msg: |
+      The STIG requires that /var/log/audit is on its own filesystem, but this system
+      does not appear to be following the requirement.
+  when:
+    - "{{ ansible_mounts | selectattr('mount', 'equalto', '/var/log/audit') | list | length == 0 }}"
+  tags:
+    - low
+    - misc
+    - RHEL-07-021260
+
+- name: Check for /tmp on mounted filesystem
+  debug:
+    msg: |
+      The STIG requires that /tmp is on its own filesystem, but this system
+      does not appear to be following the requirement.
+  when:
+    - "{{ ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length == 0 }}"
+  tags:
+    - low
+    - misc
+    - RHEL-07-021270
+
 - name: Check if ClamAV is installed
   stat:
     path: /usr/bin/clamdscan