Disable usb-storage module [+Docs]

This patch disables the usb-storage module by default. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I2fdc1854506972a33c81ca25ea08467a6f49cad2
2016-11-29 14:53:00 -06:00
parent 04ff6e1c89
commit aacea9495f
3 changed files with 25 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -536,7 +536,7 @@ security_sshd_enable_strict_modes: yes                       # RHEL-07-040680
 # Disallow Kerberos authentication.
 security_sshd_disable_kerberos_auth: yes                     # RHEL-07-040670

-## sysctl settings (kernel)
+## Kernel settings (kernel)
 # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
 # immediately and by default on new interfaces.
 security_disallow_source_routed_packet_forward_ipv4: yes     # RHEL-07-040350 / RHEL-07-040351
@@ -548,3 +548,5 @@ security_disallow_echoes_broadcast_address: yes              # RHEL-07-040380
 security_disallow_icmp_redirects: yes                        # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
 # Disallow IP forwarding.
 security_disallow_ip_forwarding: no                          # RHEL-07-040730
+# Disable USB storage support.
+security_rhel7_disable_usb_storage: yes                      # RHEL-07-020160
--- a/doc/metadata/rhel7/RHEL-07-020160.rst
+++ b/doc/metadata/rhel7/RHEL-07-020160.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-020160
-status: not implemented
-tag: misc
+status: opt-in
+tag: kernel
 ---

-This STIG requirement is not yet implemented.
+The tasks in the security role disable the ``usb-storage`` module and the
+change is applied the next time the server is rebooted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_disable_usb_storage: no
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -13,6 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: RHEL-07-020160 - USB mass storage must be disabled.
+  lineinfile:
+    dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf
+    line: install usb-storage /bin/true
+    create: yes
+  when:
+    - security_rhel7_disable_usb_storage | bool
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-020160
+
 - name: Set sysctl configurations
  sysctl:
    name: "{{ item.name }}"