Merge "Disable ctrl-alt-del key sequence [+Docs]"

defaults/main.yml

@@ -515,6 +515,8 @@ security_rhel7_enable_linux_security_module: yes             # RHEL-07-020210 /
 security_rhel7_disable_autofs: yes                           # RHEL-07-020161
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no                            # RHEL-07-030810
+# Disable ctrl-alt-delete key sequence on the console.
+security_rhel7_disable_ctrl_alt_delete: yes                  # RHEL-07-020220
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these

doc/metadata/rhel7/RHEL-07-020220.rst

@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-020220
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role disable the control-alt-delete key sequence by
+masking its systemd service unit.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_ctrl_alt_delete: no

handlers/main.yml

@@ -86,3 +86,7 @@
 
 - name: dconf update
   command: dconf update
+
+- name: reload systemd
+  systemd:
+    daemon-reload: yes

tasks/rhel7stig/misc.yml

@@ -35,6 +35,28 @@
     - misc
     - RHEL-07-020161
 
+# This returns an exit code of 0 if it's running, 3 if it's masked.
+- name: Check if ctrl-alt-del.target is already masked
+  command: systemctl status ctrl-alt-del.target
+  register: cad_mask_check
+  check_mode: no
+  changed_when: False
+  failed_when: cad_mask_check.rc not in [0,3]
+  tags:
+    - always
+
+- name: RHEL-07-020220 - The x86 Ctrl-Alt-Delete key sequence must be disabled
+  command: systemctl mask ctrl-alt-del.target
+  when:
+    - security_rhel7_disable_ctrl_alt_delete | bool
+    - cad_mask_check.rc != 3
+  notify:
+    - reload systemd
+  tags:
+    - high
+    - misc
+    - RHEL-07-020220
+
 - name: Check if ClamAV is installed
   stat:
     path: /usr/bin/clamdscan