Add RHEL-07-010430 and RHEL-07-010431

This patch disables automatic and timed logins in gdm only if gdm
is installed and configured.

Implements: blueprint security-rhel7-stig
Change-Id: I34c1f91deb20441d8ca577f38d44c30c05718205

defaults/main.yml

@@ -390,6 +390,12 @@ security_disallow_blank_password_login: yes                  # RHEL-07-010260
 # Reset file permissions and ownership for files installed via RPM packages.
 security_reset_perm_ownership: yes                           # RHEL-07-010010
 
+## Graphical interfaces (graphical)
+# Disable automatic gdm logins
+security_disable_gdm_automatic_login: yes                    # RHEL-07-010430
+# Disable timed gdm logins for guests
+security_disable_gdm_timed_login: yes                        # RHEL-07-010431
+
 ## ssh server (sshd)
 # Prevent users from logging in over ssh if they have an empty password.
 security_sshd_disallow_empty_password: yes                   # RHEL-07-010270

doc/metadata/rhel7/RHEL-07-010430.rst

@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-010430
-status: not implemented
+status: implemented
-tag: misc
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+If ``AutomaticLoginEnable=true`` exists in the gdm configuration file,
+``/etc/gdm/custom.conf``, the configuration will removed. This disallows
+automatic logins for gdm and requires a user to complete the username and
+password prompts.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_gdm_automatic_login: no

doc/metadata/rhel7/RHEL-07-010431.rst

@@ -1,7 +1,15 @@
 ---
 id: RHEL-07-010431
-status: not implemented
+status: implemented
-tag: misc
+tag: graphical
 ---
 
-This STIG requirement is not yet implemented.
+If ``TimedLoginEnable=true`` exists in the gdm configuration file,
+``/etc/gdm/custom.conf``, the configuration will removed. This disallows timed
+logins for guest users in gdm.
+
+Deployers can opt-out of this change by setting an Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_gdm_timed_login: no

tasks/rhel7stig/graphical.yml

@@ -0,0 +1,44 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check if gdm is installed and configured
+  stat:
+    path: /etc/gdm/custom.conf
+  register: RHEL_07_010430_gdm_conf
+  always_run: True
+
+- name: RHEL-07-010430 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
+  lineinfile:
+    path: /etc/gdm/custom.conf
+    line: "^AutomaticLoginEnable=true"
+    state: absent
+  when:
+    - RHEL_07_010430_gdm_conf.stat.exists
+    - security_disable_gdm_automatic_login | bool
+  tags:
+    - high
+    - RHEL-07-010430
+
+- name: RHEL-07-010431 - The operating system must not allow guest logon to the system.
+  lineinfile:
+    path: /etc/gdm/custom.conf
+    line: "^TimedLoginEnable=true"
+    state: absent
+  when:
+    - RHEL_07_010430_gdm_conf.stat.exists
+    - security_disable_gdm_timed_login | bool
+  tags:
+    - high
+    - RHEL-07-010431

tasks/rhel7stig/main.yml

@@ -56,6 +56,10 @@
   tags:
     - file_perms
 
+- include: graphical.yml
+  tags:
+    - graphical
+
 - include: rpm.yml
   when:
     - ansible_os_family | lower == 'redhat'