From af84a277ae555974264fd218b3a23e49d99e7431 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 6 Dec 2016 14:52:02 -0600
Subject: [PATCH] Remove .shosts/shosts.equiv files [+Docs]

This patch removes `.shosts` and `shosts.equiv` files from the system, if they exist. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I379db0d2704ab3ca91808406051885d10a8ea321
---
 defaults/main.yml                     |  2 ++
 doc/metadata/rhel7/RHEL-07-040330.rst | 13 ++++++++++---
 doc/metadata/rhel7/RHEL-07-040331.rst |  8 +++++---
 tasks/rhel7stig/auth.yml              | 27 +++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 6 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 6f12206b..2d49becd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -501,6 +501,8 @@ security_pam_faillock_deny_root: yes # RHEL-07-010373
 security_pam_faillock_unlock_time: 604800 # RHEL-07-010372
 # Limit the number of concurrent connections per account.
 #security_rhel7_concurrent_session_limit: 10 # RHEL-07-040010
+# Remove .shosts and shosts.equiv files.
+security_rhel7_remove_shosts_files: yes # RHEL-07-040330
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
diff --git a/doc/metadata/rhel7/RHEL-07-040330.rst b/doc/metadata/rhel7/RHEL-07-040330.rst
index c8b56b42..220484d4 100644
--- a/doc/metadata/rhel7/RHEL-07-040330.rst
+++ b/doc/metadata/rhel7/RHEL-07-040330.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040330
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the filesystem for any ``.shosts`` or
+``shosts.equiv`` files. If they are found, they are deleted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_shosts_files: no
diff --git a/doc/metadata/rhel7/RHEL-07-040331.rst b/doc/metadata/rhel7/RHEL-07-040331.rst
index e12d6631..246aa284 100644
--- a/doc/metadata/rhel7/RHEL-07-040331.rst
+++ b/doc/metadata/rhel7/RHEL-07-040331.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040331
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---
 
-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control:
+
+* :ref:`stig-RHEL-07-040330`
diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index b69495d0..77168819 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -465,3 +465,30 @@
     - low
     - auth
     - RHEL-07-040300
+
+- name: Check for .shosts or shosts.equiv files
+  find:
+    paths: /
+    recurse: yes
+    hidden: yes
+    patterns: '.shosts,shosts.equiv'
+  register: shosts_find
+  when:
+    - security_rhel7_remove_shosts_files | bool
+  tags:
+    - always
+
+- name: Remove .shosts or shosts.equiv files
+  file:
+    path: "{{ item.path }}"
+    state: absent
+  with_items: "{{ shosts_find.files }}"
+  when:
+    - security_rhel7_remove_shosts_files | bool
+    - shosts_find is defined
+    - shosts_find.files is defined
+  tags:
+    - high
+    - auth
+    - RHEL-07-040330
+    - RHEL-07-040331
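Review bot: `with_items: "{{ shosts_find.files }}"` in the removal task will fail with an undefined-attribute error whenever the find task was skipped (`security_rhel7_remove_shosts_files` set to `no`), because a skipped registered result carries no `files` key and, as far as I recall, Ansible expands the loop source before it evaluates the `when` list, so the `shosts_find.files is defined` guard never runs. Guard the loop itself instead: `with_items: "{{ shosts_find.files | default([]) }}"`, after which the two `is defined` conditions become redundant. Separately, the find task is tagged `always` and recurses from `paths: /` with no exclusions, so every invocation of the role, whatever tags are selected, walks the entire filesystem including pseudo-filesystems and any network mounts; either drop `always` in favour of the control's own tags, or narrow the search, and note the cost in a comment above the task such as `# Full-filesystem walk; can be slow on large or network-mounted trees.`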