From 81807a1d83b45bc9ba82afc69083a43f2720da51 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 6 Dec 2016 14:36:20 -0600
Subject: [PATCH] Check for promiscuous interfaces [+Docs]

This patch adds tasks to check for interfaces that are in promiscuous mode. If any are found, a warning is printed. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ia5344a298ddd34d98b00d1a3b14e40883fc4e69f
---
 doc/metadata/rhel7/RHEL-07-040470.rst | 6 ++++--
 tasks/rhel7stig/misc.yml | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/doc/metadata/rhel7/RHEL-07-040470.rst b/doc/metadata/rhel7/RHEL-07-040470.rst
index 421f10eb..16f60d4e 100644
--- a/doc/metadata/rhel7/RHEL-07-040470.rst
+++ b/doc/metadata/rhel7/RHEL-07-040470.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040470
-status: not implemented
+status: verification only
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+All interfaces are examined to ensure they are not in promiscuous mode. A
+warning message is printed in the Ansible output if any promiscuous interfaces
+are found.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 07721af1..60f005b9 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -195,3 +195,24 @@
     - low
     - misc
     - RHEL-07-040320
+
+- name: Check for interfaces in promiscuous mode
+  shell: "ip link | grep -i promisc"
+  register: promiscuous_interface_check
+  changed_when: False
+  failed_when: False
+  check_mode: no
+  tags:
+    - always
+
+- name: RHEL-07-040470 - Network interfaces must not be in promiscuous mode.
+  debug:
+    msg: >
+      One or more network interfaces were found to be in promiscuous mode.
+      Review all interfaces and disable promiscuous mode.
+  when:
+    - promiscuous_interface_check.rc == 0
+  tags:
+    - medium
+    - misc
+    - RHEL-07-040470
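Review bot: In the misc.yml hunk, the pipeline `ip link | grep -i promisc` exits with grep's status, so a failing or missing `ip` (empty input to grep) yields rc 1 exactly like "no promiscuous interface", and with `failed_when: False` the check cannot be told apart from a clean host, so the RHEL-07-040470 warning is silently skipped. Running the command as `shell: "set -o pipefail; ip link | grep -i promisc"` with `args: {executable: /bin/bash}` and `failed_when: promiscuous_interface_check.rc > 1` keeps the no-match case (rc 1) quiet while surfacing a broken check instead of a false pass. The debug message also never names the interfaces that matched; appending `{{ promiscuous_interface_check.stdout_lines }}` to `msg` would save the operator a second `ip link` on the host. Finally, the booleans in the check task are written as `False` and `no` in adjacent keys; lowercase `false` throughout is the yamllint-friendly form and avoids the YAML 1.1/1.2 truthy differences.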