From f92f29d1341402e233b8b8cfe0099906b8fdf4d2 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Dec 2016 07:44:11 -0600
Subject: [PATCH] Set permissions on sshd host keys [+Docs]
This patch adds tasks to set permissions on sshd public/private host key files. Documentation is included.
Implements: blueprint security-rhel7-stig
Change-Id: I45480882035a4682a2ef5036a1663eddccc953c5
---
doc/metadata/rhel7/RHEL-07-040640.rst | 8 +++++---
doc/metadata/rhel7/RHEL-07-040650.rst | 8 +++++---
tasks/rhel7stig/sshd.yml | 22 ++++++++++++++++++++++
3 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/doc/metadata/rhel7/RHEL-07-040640.rst b/doc/metadata/rhel7/RHEL-07-040640.rst
index 744d0eda..8b0a92f8 100644
--- a/doc/metadata/rhel7/RHEL-07-040640.rst
+++ b/doc/metadata/rhel7/RHEL-07-040640.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040640
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
-This STIG requirement is not yet implemented.
+The permissions on ssh public host keys is set to ``0644``. If the existing
+permissions are more restrictive than ``0644``, the tasks do not make changes
+to the files.
diff --git a/doc/metadata/rhel7/RHEL-07-040650.rst b/doc/metadata/rhel7/RHEL-07-040650.rst
index aaae64a2..fe84d740 100644
--- a/doc/metadata/rhel7/RHEL-07-040650.rst
+++ b/doc/metadata/rhel7/RHEL-07-040650.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040650
-status: not implemented
-tag: misc
+status: implemented
+tag: sshd
 ---
-This STIG requirement is not yet implemented.
+The permissions on ssh private host keys is set to ``0600``. If the existing
+permissions are more restrictive than ``0600``, the tasks do not make changes
+to the files.
diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index b5f4fad9..c48ad361 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -85,3 +85,25 @@
 - medium
 - sshd
 - RHEL-07-040261
+
+- name: Public host key files must have mode 0644 or less
+file:
+path: "{{ item }}"
+mode: "u-xX,g-wxs,o-wxt"
+with_fileglob:
+- /etc/ssh/*.pub
+tags:
+- medium
+- sshd
+- RHEL-07-040640
+
+- name: Private host key files must have mode 0600 or less
+file:
+path: "{{ item }}"
+mode: "u-xX,g-rwxs,o-rwxt"
+with_fileglob:
+- /etc/ssh/*_key
+tags:
+- medium
+- sshd
+- RHEL-07-040650
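Review bot: Both new tasks enumerate the key files with `with_fileglob`, which is a lookup evaluated on the Ansible control node rather than on the managed host, so the loop is driven by the controller's `/etc/ssh`: if the controller has no matching files the STIG control is silently skipped (no change, no failure), and if it does, `file` with its default `state: file` fails on any path that does not exist on the target. Enumerate the keys on the remote with the `find` module and loop over its results instead, as sketched below for the public-key task; the private-key task needs the same treatment with `patterns: "*_key"` and `RHEL-07-040650` tags. Separately, RHEL 7 packages ship the private host keys as 0640 root:ssh_keys so that the setgid `ssh-keysign` helper can read them for host-based authentication; stripping group read with `g-rwxs` may break that where it is in use, which is worth a sentence in the 040650 doc and a check against the current STIG text, which I believe later relaxed this control to 0640.

```yaml
- name: Find public host key files
  find:
    paths: /etc/ssh
    patterns: "*.pub"
  register: sshd_public_host_keys
  tags:
    - medium
    - sshd
    - RHEL-07-040640

- name: Public host key files must have mode 0644 or less
  file:
    path: "{{ item.path }}"
    mode: "u-xX,g-wxs,o-wxt"
  with_items: "{{ sshd_public_host_keys.files }}"
  tags:
    - medium
    - sshd
    - RHEL-07-040640

# … unchanged: private host key task, converted the same way with patterns "*_key" …
```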