Set permissions on sshd host keys [+Docs]

This patch adds tasks to set permissions on sshd public/private host key
files.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I45480882035a4682a2ef5036a1663eddccc953c5

doc/metadata/rhel7/RHEL-07-040640.rst

@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040640
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The permissions on ssh public host keys is set to ``0644``. If the existing
+permissions are more restrictive than ``0644``, the tasks do not make changes
+to the files.

doc/metadata/rhel7/RHEL-07-040650.rst

@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040650
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
 
-This STIG requirement is not yet implemented.
+The permissions on ssh private host keys is set to ``0600``. If the existing
+permissions are more restrictive than ``0600``, the tasks do not make changes
+to the files.

tasks/rhel7stig/sshd.yml

@@ -85,3 +85,25 @@
     - medium
     - sshd
     - RHEL-07-040261
+
+- name: Public host key files must have mode 0644 or less
+  file:
+    path: "{{ item }}"
+    mode: "u-xX,g-wxs,o-wxt"
+  with_fileglob:
+    - /etc/ssh/*.pub
+  tags:
+    - medium
+    - sshd
+    - RHEL-07-040640
+
+- name: Private host key files must have mode 0600 or less
+  file:
+    path: "{{ item }}"
+    mode: "u-xX,g-rwxs,o-rwxt"
+  with_fileglob:
+    - /etc/ssh/*_key
+  tags:
+    - medium
+    - sshd
+    - RHEL-07-040650