diff --git a/defaults/main.yml b/defaults/main.yml
index 71d6d626..b7fadb4b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -449,9 +449,10 @@ security_rhel7_remove_ypserv: yes # RHEL-07-020010
 security_package_clean_on_remove: no # RHEL-07-020200
 ## RPM (rpm)
-# Enable GPG checks for remotely and locally installed packages. This includes
-# RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
-security_enable_gpgcheck: yes # RHEL-07-020150
+# Enable GPG checks for packages and repository data.
+security_enable_gpgcheck_packages: yes # RHEL-07-020150
+security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
+security_enable_gpgcheck_repo: no # RHEL-07-020152
 ## ssh server (sshd)
 # Disallow logins from users with empty/null passwords.
diff --git a/doc/metadata/rhel7/RHEL-07-020150.rst b/doc/metadata/rhel7/RHEL-07-020150.rst
index ae8f6494..d6d3b89a 100644
--- a/doc/metadata/rhel7/RHEL-07-020150.rst
+++ b/doc/metadata/rhel7/RHEL-07-020150.rst
@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed with ``yum``.
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020151`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages`` to ``no`` will skip the
+``AllowUnauthenticated`` string check on Ubuntu and it will set ``gpgcheck=0``
+in ``/etc/yum.conf`` on CentOS systems.
diff --git a/doc/metadata/rhel7/RHEL-07-020151.rst b/doc/metadata/rhel7/RHEL-07-020151.rst
index fb16792d..09684f37 100644
--- a/doc/metadata/rhel7/RHEL-07-020151.rst
+++ b/doc/metadata/rhel7/RHEL-07-020151.rst
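Review bot: The three new keys replace `security_enable_gpgcheck` with no compatibility shim, so an inventory that still sets the old name to `no` has, as far as this diff shows, no effect any more — the apt and rpm tasks in this diff only read the new names — and that silent behaviour change belongs next to the new defaults. The comment above them also does not say why `security_enable_gpgcheck_repo` alone defaults to `no`; I would add `# repo_gpgcheck is off by default: it can break repository metadata retrieval on CentOS 7 (see RHEL-07-020152).` above that key so the STIG deviation is visible without opening the docs. The `yes`/`no` spellings match the rest of this file, so they are fine here.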
@@ -12,13 +12,6 @@ On CentOS 7 systems, the tasks set the ``localpkg_gpgcheck`` option to ``1`` in the ``/etc/yum.conf`` file. This enables GPG checks for all packages installed locally with ``yum``.
-Deployers can opt-out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
- security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020152`
+Setting ``security_enable_gpgcheck_packages_local`` to ``no`` will skip the
+``no-debsig`` adjustment on Ubuntu and it will set ``local_gpgcheck=0`` in
+``/etc/yum.conf`` on CentOS systems.
diff --git a/doc/metadata/rhel7/RHEL-07-020152.rst b/doc/metadata/rhel7/RHEL-07-020152.rst
index 912d2f0e..4fa7c750 100644
--- a/doc/metadata/rhel7/RHEL-07-020152.rst
+++ b/doc/metadata/rhel7/RHEL-07-020152.rst
@@ -4,20 +4,18 @@ status: implemented
 tag: packages
 ---
-On Ubuntu systems, the tasks check for the ``AllowUnauthenticated`` string
-anywhere in the apt configuration files found within ``/etc/apt/apt.conf.d/``.
-If the string is found, a warning is printed on the console.
+The STIG requires that repository XML files are verified during ``yum`` runs.
-On CentOS 7 systems, the tasks set the ``repo_gpgcheck`` option to ``1`` in the
-``/etc/yum.conf`` file. This enables GPG checks for all repository metadata.
+.. warning::
-Deployers can opt-out of this change by setting the following Ansible variable:
+ This setting is disabled by default because it can cause issues with CentOS
+ systems and prevent them from retrieving repository information. Deployers
+ who choose to enable this setting should test it thoroughly on
+ non-production environments before applying it to production systems.
+
+Deployers can override this default and opt in for the change by setting the
+following Ansible variable:
 .. code-block:: yaml
- security_enable_gpgcheck: no
-
-Note that setting this variable also affects two other STIG configurations:
-
-* :ref:`stig-RHEL-07-020150`
-* :ref:`stig-RHEL-07-020151`
+ security_enable_gpgcheck_repo: yes
diff --git a/tasks/rhel7stig/apt.yml b/tasks/rhel7stig/apt.yml
index 842230eb..567371e4 100644
--- a/tasks/rhel7stig/apt.yml
+++ b/tasks/rhel7stig/apt.yml
@@ -72,11 +72,12 @@
 - name: RHEL-07-020150 - Package management tool must verify authenticity of packages
 debug:
 msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
- when: "gpgcheck_result.rc == 0"
+ when:
+ - security_enable_gpgcheck_packages | bool
+ - gpgcheck_result.rc == 0
 tags:
 - high
 - RHEL-07-020150
- - RHEL-07-020152
 - name: RHEL-07-020151 - Package management tool must verify authenticity of locally-installed packages
 lineinfile:
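Review bot: Removing the `RHEL-07-020152` tag here leaves no apt task tagged for that STIG id, so `--tags RHEL-07-020152` becomes a no-op on Ubuntu while the rewritten RHEL-07-020152 document in this diff describes only `yum`; a line in that document (or `# RHEL-07-020152 has no apt equivalent; see rpm.yml` on this task) would record that the gap is intentional. The task that registers `gpgcheck_result` is outside the hunk, so it cannot be seen whether it still runs when `security_enable_gpgcheck_packages` is false; if it is skipped, `gpgcheck_result.rc | default(1) == 0` as the second condition avoids depending on condition-list short-circuiting to dodge the undefined attribute.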
@@ -85,7 +86,7 @@
 line: "#no-debsig"
 state: present
 when:
- - security_enable_gpgcheck | bool
+ - security_enable_gpgcheck_packages_local | bool
 tags:
 - high
 - RHEL-07-020151
diff --git a/tasks/rhel7stig/rpm.yml b/tasks/rhel7stig/rpm.yml
index 1565c97f..bde9b8b2 100644
--- a/tasks/rhel7stig/rpm.yml
+++ b/tasks/rhel7stig/rpm.yml
@@ -60,19 +60,13 @@
 - high
 - RHEL-07-010020
-# This covers RHEL-07-020150, RHEL-07-020151, and RHEL-07-020152.
 - name: RHEL-07-020150 - Require digital signatures for all packages
 lineinfile:
 dest: /etc/yum.conf
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 state: present
- with_items:
- - { regexp: "^gpgcheck.*", line: "gpgcheck=1" }
- - { regexp: "^localpkg_gpgcheck.*", line: "localpkg_gpgcheck=1" }
- - { regexp: "^repo_gpgcheck.*", line: "repo_gpgcheck=1" }
- when:
- - security_enable_gpgcheck | bool
+ with_items: "{{ rpm_gpgchecks | default([]) }}"
 tags:
 - rpm
 - high
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 1e715428..b28118bb 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -113,3 +113,11 @@ stig_packages_rhel7:
 - ypserv
 state: absent
 enabled: "{{ security_rhel7_remove_ypserv }}"
+
+rpm_gpgchecks:
+ - regexp: "^gpgcheck.*"
+ line: "gpgcheck={{ security_enable_gpgcheck_packages | bool | ternary('1', 0) }}"
+ - regexp: "^localpkg_gpgcheck.*"
+ line: "localpkg_gpgcheck={{ security_enable_gpgcheck_packages_local | bool | ternary('1', 0) }}"
+ - regexp: "^repo_gpgcheck.*"
+ line: "repo_gpgcheck={{ security_enable_gpgcheck_repo | bool | ternary('1', 0) }}"
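Review bot: With the `when:` guard gone this task always edits `/etc/yum.conf`, and because the `rpm_gpgchecks` items in the vars/redhat.yml hunk render `0` whenever the matching variable is false, a host that already had `repo_gpgcheck=1` gets it rewritten to `repo_gpgcheck=0` under the shipped default `security_enable_gpgcheck_repo: no` — previously opting out left the file untouched, so the role now actively weakens a host's setting rather than declining to enforce it. If "do not enforce" is the intent, keep the write opt-in per item, e.g. `when: item.enabled | bool` on this task with an `enabled:` key on each vars entry, or at least state the downgrade in RHEL-07-020152.rst. Separately, `| default([])` turns a missing `rpm_gpgchecks` (a vars file not loaded, a typo in an override) into a silent no-op for a high-severity control; dropping the default so the play fails, or asserting the list is defined first, is the safer failure mode. The `tags:` list continues outside the hunk, so whether it still carries RHEL-07-020151 and RHEL-07-020152 now that the covering comment is removed cannot be checked here.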
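Review bot: `ternary('1', 0)` on all three `line:` entries mixes a string and an integer for the two branches; it renders the same either way inside the string, but `ternary('1', '0')` states the intent and removes the question of whether the `0` is deliberately a different type. The RHEL-07-020151 document in this diff says the opt-out sets ``local_gpgcheck=0``, while the option actually written here is `localpkg_gpgcheck`; the document should use the real option name so deployers grep for the right key.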