diff --git a/defaults/main.yml b/defaults/main.yml index 9d189305..ea15d66b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -381,3 +381,7 @@ security_unattended_upgrades_notifications: false # the development work is complete. # ############################################################################### + +## File permissions (file_perms) +# Reset file permissions and ownership for files installed via RPM packages. +security_reset_perm_ownership: yes # RHEL-07-010010 diff --git a/doc/metadata/rhel7/RHEL-07-010010.rst b/doc/metadata/rhel7/RHEL-07-010010.rst index f6397058..101244a5 100644 --- a/doc/metadata/rhel7/RHEL-07-010010.rst +++ b/doc/metadata/rhel7/RHEL-07-010010.rst @@ -1,7 +1,21 @@ --- id: RHEL-07-010010 -status: not implemented -tag: misc +status: implemented - red hat +tag: file_perms --- -This STIG requirement is not yet implemented. +.. note:: + + Ubuntu's ``debsums`` command does not support verification of permissions + and ownership for files that were installed by packages. This STIG + requirement will be skipped on Ubuntu. + +The STIG requires that all files owned by an installed package must have their +permissions, user ownership, and group ownership set back to the vendor +defaults. + +Deployers may opt-out of the change by setting the following Ansible variable: + +.. code-block:: yaml + + security_reset_perm_ownership: no diff --git a/tasks/rhel7stig/file_perms.yml b/tasks/rhel7stig/file_perms.yml new file mode 100644 index 00000000..95ddb39d --- /dev/null +++ b/tasks/rhel7stig/file_perms.yml 
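Review bot: The new default `security_reset_perm_ownership: yes` uses a YAML 1.1 truthy word while the neighbouring default in the hunk's context line (`security_unattended_upgrades_notifications: false`) uses a real boolean; Ansible's loader accepts `yes`, but it trips yamllint's truthy rule and reads differently under YAML 1.2 tooling. Suggest `security_reset_perm_ownership: true  # RHEL-07-010010` for consistency with the rest of the defaults file, and the same spelling in the doc's opt-out example. Since every consumer in this commit applies `| bool`, this is style only and does not change behaviour. Because this default is on, it would also help to warn deployers here that `rpm --setperms`/`--setugids` are applied per package, i.e. they appear to reset every file in an affected package rather than only the file that drifted: `# NOTE: the reset is applied per package, so every file in an affected package is touched, not only the mismatched one.`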
@@ -0,0 +1,44 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: RHEL-07-010010 - Get packages with incorrect file permissions or ownership
+ shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
+ args:
+ warn: no
+ register: rhel_07_010010_packages
+ changed_when: False
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower == 'redhat'
+ - security_reset_perm_ownership | bool
+ tags:
+ - high
+ - RHEL-07-010010
+
+- name: RHEL-07-010010 - Reset file permissions/ownership to vendor values
+ shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`"
+ args:
+ warn: no
+ with_nested:
+ - ['--setperms', '--setugids']
+ - "{{ rhel_07_010010_packages.stdout_lines | default([]) }}"
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower == 'redhat'
+ - rhel_07_010010_packages is defined
+ - rhel_07_010010_packages.stdout_lines | length > 0
+ tags:
+ - high
+ - RHEL-07-010010
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 5bf7e92e..db9b55b4 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
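Review bot: The collection step `grep '^.M'` only matches `rpm -V` lines whose second column is `M` (mode differs); `rpm -V` reports user and group ownership drift with `U` and `G` in columns 6 and 7, so a file whose ownership alone changed is never collected and `--setugids` only ever runs for packages that also had a mode change, even though the task name, the default's comment and the STIG text all cover ownership. The fix is one line: `shell: "grep -E '^(.M|.{5}U|.{6}G)' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"`. Separately, `awk '{ print $NF }'` keeps only the last whitespace-separated token and the result is then expanded unquoted inside backticks in the reset task, so any package-owned path containing whitespace is silently turned into the wrong `rpm -qf` argument; quoting it as `` `rpm -qf '{{ item[1] }}'` `` at least keeps the path intact. The `when` guard `rhel_07_010010_packages.stdout_lines | length > 0` in the second task appears to be reached only when the loop already has items (the loop itself uses `| default([])`), so it looks redundant rather than harmful; a short comment saying the loop's `default([])` is what makes the task safe when the first task was skipped would make that intent clear.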
@@ -13,6 +13,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Not yet implemented
- debug:
- msg: "The RHEL 7 STIG is not yet implemented."
+- name: Create temporary directory to hold any temporary files
+ command: "mktemp -d"
+ register: mktemp_result
+ changed_when: False
+ when:
+ - not check_mode | bool
+
+- name: Set a fact for the temporary directory
+ set_fact:
+ temp_dir: "{{ mktemp_result.stdout }}"
+ changed_when: False
+ when:
+ - not check_mode | bool
+
+# Multiple tasks will need the output of RPM verification, so let's do the
+# lookup one time and then grep over the output in subsequent tasks.
+- name: Verify all installed RPM packages
+ shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt"
+ args:
+ warn: no
+ failed_when: False
+ changed_when: False
+ when:
+ - not check_mode | bool
+ - ansible_os_family | lower == 'redhat'
+ tags:
+ - always
+ - skip_ansible_lint
+
+- include: file_perms.yml
+ tags:
+ - file_perms
+
+- name: Remove the temporary directory
+ file:
+ path: "{{ temp_dir }}"
+ state: absent
+ changed_when: False
+ when:
+ - not check_mode | bool
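Review bot: The `Verify all installed RPM packages` task is tagged `always`, but the `mktemp -d` task, the `set_fact` that defines `temp_dir`, and the final `Remove the temporary directory` task carry no tags at all, so a run limited with `--tags file_perms` (or a STIG-id tag) executes `rpm -Va > {{ temp_dir }}/rpmverify.txt` with `temp_dir` undefined and fails at template time, and a run that does get past it never cleans up. Give those three tasks the same `tags:` / `- always` pair the verification task already has. Because cleanup is an ordinary trailing task, any failure inside `file_perms.yml` also leaves the full `rpm -Va` report (a list of every locally modified package file) behind under the mktemp directory; if the role's minimum Ansible version allows it, wrapping the verification, include and removal in a `block:` with the removal under `always:` would close that gap. `failed_when: False` on the verification is needed because `rpm -Va` exits non-zero whenever any file differs, but it also masks a failure to write the report, so a comment such as `# rpm -Va exits non-zero when any file differs; do not treat that as a task failure` would stop a future reader from removing it.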