Update to RHEL 7 STIG V1R3

This patch updates the tasks to match the changes in Version 1,
Release 3 of the RHEL 7 STIG. It adds four new configurations:

  - V-77819 (docs only, manual intervention req'd)
  - V-77821 (disabling DCCP, implemented)
  - V-77823 (docs only, manual intervention req'd)
  - V-77825 (enabling ASLR, implemented)

Closes-Bug: 1729344
Change-Id: I009fb31139e654f839d94781baf3d392c6613f46

defaults/main.yml

@@ -363,3 +363,7 @@ security_disallow_ip_forwarding: no                          # V-72309
 security_rhel7_disable_usb_storage: yes                      # V-71983
 # Disable kdump.
 security_disable_kdump: yes                                  # V-72057
+# Disable Datagram Congestion Control Protocol (DCCP).
+security_rhel7_disable_dccp: yes                             # V-77821
+# Enable Address Space Layout Randomization (ASLR).
+security_enable_aslr: yes                                    # V-77825

doc/metadata/rhel7/V-77819.rst

@@ -0,0 +1,13 @@
+---
+id: V-77819
+status: exception - manual intervention
+tag: misc
+---
+
+The STIG requires that multifactor authentication is used for graphical user
+logon, but this change requires custom configuration based on the
+authentication solution that is used.
+
+Deployers should review the available options, such as traditional
+smartcards, USB devices (such as Yubikeys), or software token systems, and
+use one of these solutions on each system.

doc/metadata/rhel7/V-77821.rst

@@ -0,0 +1,14 @@
+---
+id: V-77821
+status: implemented
+tag: kernel
+---
+
+The ansible-hardening role disables the DCCP kernel module by default. Each
+system must be rebooted to fully apply the change.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_dccp: no

doc/metadata/rhel7/V-77823.rst

@@ -0,0 +1,13 @@
+---
+id: V-77823
+status: exception - manual intervention
+tag: auth
+---
+
+Modifying sensitive systemd unit files directly or via overrides could cause
+a system to have issues during the boot process. The role does not make any
+adjustments to the ``rescue.service`` because this service is critical during
+emergencies.
+
+All of the distributions supported by the role already require authentication
+for single user mode.

doc/metadata/rhel7/V-77825.rst

@@ -0,0 +1,18 @@
+---
+id: V-77825
+status: implemented
+tag: kernel
+---
+
+Most modern systems enable Address Space Layout Randomization (ASLR) by
+default (with a setting of ``2``), and the role ensures that the secure
+default is maintained.
+
+Deployers can opt out of the change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_enable_aslr: no
+
+For more details on the ASLR settings, review the
+`sysctl documentation <https://www.kernel.org/doc/Documentation/sysctl/kernel.txt>`_.

doc/source/_exts/metadata-docs-rhel7.py

@@ -28,7 +28,7 @@ import yaml
 SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
 METADATA_DIR = "{0}/../../metadata".format(SCRIPT_DIR)
 DOC_SOURCE_DIR = "{0}/..".format(SCRIPT_DIR)
-XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R2_Manual-xccdf.xml'
+XCCDF_FILE = 'U_Red_Hat_Enterprise_Linux_7_STIG_V1R3_Manual-xccdf.xml'
 XCCDF_NAMESPACE = {'x': 'http://checklists.nist.gov/xccdf/1.1'}
 
 

releasenotes/notes/rhel7-stig-v1r3-update-c533ed40ba609ccf.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    The tasks within the ansible-hardening role are now based on Version 1,
+    Release 3 of the Red Hat Enteprise Linux Security Technical Implementation
+    Guide.
+  - |
+    The ``sysctl`` parameter ``kernel.randomize_va_space`` is now set to
+    ``2`` by default. This matches the default of most modern Linux
+    distributions and it ensures that Address Space Layout Randomization
+    (ASLR) is enabled.
+  - |
+    The Datagram Congestion Control Protocol (DCCP) kernel module is now
+    disabled by default, but a reboot is required to make the change
+    effective.

tasks/rhel7stig/kernel.yml

@@ -95,3 +95,15 @@
     - high
     - misc
     - V-72067
+
+- name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
+  lineinfile:
+    dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
+    line: install dccp /bin/true
+    create: yes
+  when:
+    - security_rhel7_disable_dccp | bool
+  tags:
+    - kernel
+    - medium
+    - V-77821

vars/main.yml

@@ -253,9 +253,9 @@ password_quality_rhel7:
     description: "Password must have at least four character classes changed"
     enabled: "{{ security_pwquality_require_character_classes_changed }}"
   - parameter: maxrepeat
-    value: 4
+    value: 3
     stig_id: V-71915
-    description: "Password must have at most four characters repeated consecutively"
+    description: "Password must have at most three characters repeated consecutively"
     enabled: "{{ security_pwquality_limit_repeated_characters }}"
   - parameter: maxclassrepeat
     value: 4
@@ -341,3 +341,6 @@ sysctl_settings_rhel7:
   - name: net.ipv4.conf.default.accept_redirects
     value: 0
     enabled: "{{ security_disallow_icmp_redirects | bool }}"
+  - name: kernel.randomize_va_space
+    value: 2
+    enabled: "{{ security_enable_aslr | bool }}"