From aacea9495ff753971e0a47e394b6f01bb68a2b12 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 29 Nov 2016 14:53:00 -0600
Subject: [PATCH] Disable usb-storage module [+Docs]

This patch disables the usb-storage module by default. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I2fdc1854506972a33c81ca25ea08467a6f49cad2
---
 defaults/main.yml                     |  4 +++-
 doc/metadata/rhel7/RHEL-07-020160.rst | 13 ++++++++++---
 tasks/rhel7stig/kernel.yml            | 12 ++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 0a876a62..4d57d579 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -536,7 +536,7 @@ security_sshd_enable_strict_modes: yes # RHEL-07-040680
 # Disallow Kerberos authentication.
 security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
 
-## sysctl settings (kernel)
+## Kernel settings (kernel)
 # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
 # immediately and by default on new interfaces.
 security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
@@ -548,3 +548,5 @@ security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
 security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
 # Disallow IP forwarding.
 security_disallow_ip_forwarding: no # RHEL-07-040730
+# Disable USB storage support.
+security_rhel7_disable_usb_storage: yes # RHEL-07-020160
diff --git a/doc/metadata/rhel7/RHEL-07-020160.rst b/doc/metadata/rhel7/RHEL-07-020160.rst
index 4a4d4d88..8e4a9072 100644
--- a/doc/metadata/rhel7/RHEL-07-020160.rst
+++ b/doc/metadata/rhel7/RHEL-07-020160.rst
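Review bot: The new variable `security_rhel7_disable_usb_storage` added at the end of the second hunk is the only one in this section carrying a `rhel7_` prefix; the neighbouring kernel settings (`security_disallow_ip_forwarding`, `security_disallow_icmp_redirects`) do not. If the prefix is not a deliberate new naming convention for RHEL 7 STIG variables, `security_disable_usb_storage` would match its siblings; if it is deliberate, a one-line comment above the renamed `## Kernel settings (kernel)` heading stating that new RHEL 7 variables use the `security_rhel7_` prefix would stop the next contributor guessing. The `yes` literal is consistent with the rest of this file and appears to be coerced with `| bool` where it is consumed, so no change is needed there.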
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-020160
-status: not implemented
-tag: misc
+status: opt-in
+tag: kernel
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role disable the ``usb-storage`` module and the
+change is applied the next time the server is rebooted.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_rhel7_disable_usb_storage: no
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index d52fdf35..a3f7c732 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -13,6 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: RHEL-07-020160 - USB mass storage must be disabled.
+  lineinfile:
+    dest: /etc/modprobe.d/openstack-ansible-security-disable-usb-storage.conf
+    line: install usb-storage /bin/true
+    create: yes
+  when:
+    - security_rhel7_disable_usb_storage | bool
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-020160
+
 - name: Set sysctl configurations
   sysctl:
     name: "{{ item.name }}"
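Review bot: The `lineinfile` task added at the top of the kernel.yml hunk gives a `line:` but no `regexp:`, so if the managed line is ever changed (for example the install target) a later run appends a second `install usb-storage` entry instead of replacing the first; add `regexp: '^install usb-storage'` under `lineinfile:` so the file stays idempotent across edits. The `when:` guard only skips the task when the variable is false, so a deployer who opts out after the file has been created keeps usb-storage disabled — the opt-out prevents the change but does not reverse it, and a comment on the task such as `# Opting out does not remove an existing modprobe.d override file.` would make that explicit. It is also worth noting in the task name or a comment that the `install` override takes effect only on the next attempted module load, which is why the behaviour change is reboot-bound.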