From e4d3ea4749411d3617ae28d94d7f0e94196aac6e Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 31 Oct 2016 12:59:18 -0500
Subject: [PATCH] Add RHEL-07-010430 and RHEL-07-010431

This patch disables automatic and timed logins in gdm only if gdm is installed and configured.

Implements: blueprint security-rhel7-stig
Change-Id: I34c1f91deb20441d8ca577f38d44c30c05718205
---
 defaults/main.yml                     |  6 ++++
 doc/metadata/rhel7/RHEL-07-010430.rst | 15 +++++++--
 doc/metadata/rhel7/RHEL-07-010431.rst | 14 +++++++--
 tasks/rhel7stig/graphical.yml         | 44 +++++++++++++++++++++++++++
 tasks/rhel7stig/main.yml              |  4 +++
 5 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 tasks/rhel7stig/graphical.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index bd9e1167..8a472b00 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -390,6 +390,12 @@ security_disallow_blank_password_login: yes # RHEL-07-010260
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes # RHEL-07-010010
 
+## Graphical interfaces (graphical)
+# Disable automatic gdm logins
+security_disable_gdm_automatic_login: yes # RHEL-07-010430
+# Disable timed gdm logins for guests
+security_disable_gdm_timed_login: yes # RHEL-07-010431
+
 ## ssh server (sshd)
 # Prevent users from logging in over ssh if they have an empty password.
 security_sshd_disallow_empty_password: yes # RHEL-07-010270
diff --git a/doc/metadata/rhel7/RHEL-07-010430.rst b/doc/metadata/rhel7/RHEL-07-010430.rst
index 00440da2..ee6d1382 100644
--- a/doc/metadata/rhel7/RHEL-07-010430.rst
+++ b/doc/metadata/rhel7/RHEL-07-010430.rst
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-010430
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+If ``AutomaticLoginEnable=true`` exists in the gdm configuration file,
+``/etc/gdm/custom.conf``, the configuration will removed. This disallows
+automatic logins for gdm and requires a user to complete the username and
+password prompts.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_gdm_automatic_login: no
diff --git a/doc/metadata/rhel7/RHEL-07-010431.rst b/doc/metadata/rhel7/RHEL-07-010431.rst
index 8473ecf7..03896edb 100644
--- a/doc/metadata/rhel7/RHEL-07-010431.rst
+++ b/doc/metadata/rhel7/RHEL-07-010431.rst
@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010431
-status: not implemented
-tag: misc
+status: implemented
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+If ``TimedLoginEnable=true`` exists in the gdm configuration file,
+``/etc/gdm/custom.conf``, the configuration will removed. This disallows timed
+logins for guest users in gdm.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_gdm_timed_login: no
diff --git a/tasks/rhel7stig/graphical.yml b/tasks/rhel7stig/graphical.yml
new file mode 100644
index 00000000..87e85f9c
--- /dev/null
+++ b/tasks/rhel7stig/graphical.yml
@@ -0,0 +1,44 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if gdm is installed and configured
+  stat:
+    path: /etc/gdm/custom.conf
+  register: RHEL_07_010430_gdm_conf
+  always_run: True
+
+- name: RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
+  lineinfile:
+    path: /etc/gdm/custom.conf
+    line: "^AutomaticLoginEnable=true"
+    state: absent
+  when:
+    - RHEL_07_010430_gdm_conf.stat.exists
+    - security_disable_gdm_automatic_login | bool
+  tags:
+    - high
+    - RHEL-07-010430
+
+- name: RHEL-07-010431 - The operating system must not allow guest logon to the system.
+  lineinfile:
+    path: /etc/gdm/custom.conf
+    line: "^TimedLoginEnable=true"
+    state: absent
+  when:
+    - RHEL_07_010430_gdm_conf.stat.exists
+    - security_disable_gdm_timed_login | bool
+  tags:
+    - high
+    - RHEL-07-010431
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 3a9a94c5..33a96a0c 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@@ -56,6 +56,10 @@
   tags:
     - file_perms
 
+- include: graphical.yml
+  tags:
+    - graphical
+
 - include: rpm.yml
   when:
     - ansible_os_family | lower == 'redhat'
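Review bot: Both `lineinfile` tasks in the new graphical.yml pass the pattern through `line:` with `state: absent`, but `line` is compared as a literal string, so the leading `^` guarantees that no line of /etc/gdm/custom.conf can ever match and both controls become silent no-ops that still report the host as compliant. The pattern belongs in `regexp:` instead: `regexp: "^AutomaticLoginEnable=true"` for RHEL-07-010430 and `regexp: "^TimedLoginEnable=true"` for RHEL-07-010431. If gdm's key-file parser ignores whitespace around `=` (worth confirming), a pattern like `'^\s*AutomaticLoginEnable\s*=\s*true'` would also catch the `key = true` spelling that the exact match misses. Separately, the registered variable `RHEL_07_010430_gdm_conf` is also consumed by the 010431 task; a neutral name such as `gdm_conf` would stop it looking control-specific.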