Merge "Remove .shosts/shosts.equiv files [+Docs]"

2016-12-09 03:51:29 +00:00 · 2016-12-09 03:51:29 +00:00 · 52d8ec6f2a
commit 52d8ec6f2a
parent 1dbae8a946 af84a277ae
4 changed files with 44 additions and 6 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -507,6 +507,8 @@ security_pam_faillock_deny_root: yes                         # RHEL-07-010373
 security_pam_faillock_unlock_time: 604800                    # RHEL-07-010372
 # Limit the number of concurrent connections per account.
 #security_rhel7_concurrent_session_limit: 10                 # RHEL-07-040010
+# Remove .shosts and shosts.equiv files.
+security_rhel7_remove_shosts_files: yes                      # RHEL-07-040330

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
--- a/doc/metadata/rhel7/RHEL-07-040330.rst
+++ b/doc/metadata/rhel7/RHEL-07-040330.rst
@ -1,7 +1,14 @@
 ---
 id: RHEL-07-040330
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+The tasks in the security role examine the filesystem for any ``.shosts`` or
+``shosts.equiv`` files. If they are found, they are deleted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_remove_shosts_files: no
--- a/doc/metadata/rhel7/RHEL-07-040331.rst
+++ b/doc/metadata/rhel7/RHEL-07-040331.rst
@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040331
-status: not implemented
-tag: misc
+status: implemented
+tag: auth
 ---

-This STIG requirement is not yet implemented.
+This control is implemented by the tasks for another control:
+
+* :ref:`stig-RHEL-07-040330`
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@ -465,3 +465,30 @@
    - low
    - auth
    - RHEL-07-040300
+
+- name: Check for .shosts or shosts.equiv files
+  find:
+    paths: /
+    recurse: yes
+    hidden: yes
+    patterns: '.shosts,shosts.equiv'
+  register: shosts_find
+  when:
+    - security_rhel7_remove_shosts_files | bool
+  tags:
+    - always
+
+- name: Remove .shosts or shosts.equiv files
+  file:
+    path: "{{ item.path }}"
+    state: absent
+  with_items: "{{ shosts_find.files }}"
+  when:
+    - security_rhel7_remove_shosts_files | bool
+    - shosts_find is defined
+    - shosts_find.files is defined
+  tags:
+    - high
+    - auth
+    - RHEL-07-040330
+    - RHEL-07-040331