Check for cackey/coolkey values [+Docs]

This patch adds a verification step to ensure cackey/coolkey are used for PKI-based authentication. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ie077a33bb0e63384fa8038098ece30e1326e2c35
2016-12-06 12:51:58 -06:00 · 2016-12-06 12:51:58 -06:00 · 404175da27
commit 404175da27
parent 4bee87be1d
2 changed files with 32 additions and 3 deletions
--- a/doc/metadata/rhel7/RHEL-07-040040.rst
+++ b/doc/metadata/rhel7/RHEL-07-040040.rst
@ -1,7 +1,12 @@
 ---
 id: RHEL-07-040040
-status: not implemented
-tag: misc
+status: verification only
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+The tasks in the security role check for ``cackey`` or ``coolkey`` as
+acceptable values for ``use_pkcs11_module`` in
+``/etc/pam_pkcs11/pam_pkcs11.conf``. If neither are found, a message is printed
+in the Ansible output.
+
+This change only applies to systems that use PKI-based authentication.
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -420,3 +420,27 @@
    - medium
    - auth
    - RHEL-07-040030
+
+- name: Check for cackey or coolkey in the PAM PKCS11 auth configuration
+  shell: 'egrep "use_pkcs11_module = (cackey|coolkey)" /etc/pam_pkcs11/pam_pkcs11.conf'
+  register: pkcs11_key_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  when:
+    - pkcs11_conf_check.stat.exists
+  tags:
+    - always
+
+- name: RHEL-07-040040 - Must use cackey/cookey for PKCS 11 auth
+  debug:
+    msg: >
+      PKI-based authentication attempts must use cackey or coolkey.
+      Review the documentation for RHEL-07-040040.
+  when:
+    - pkcs11_conf_check.stat.exists
+    - pkcs11_key_check.stdout.rc != 0
+  tags:
+    - medium
+    - auth
+    - RHEL-07-040040