From 40ca9cf990ebcf0c6bc8fd7e29bf3769400deeba Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 30 Nov 2016 12:49:38 -0600
Subject: [PATCH] Disable ctrl-alt-del key sequence [+Docs]
This patch masks the systemd unit that controls the C-A-D key sequence.
Implements: blueprint security-rhel7-stig
Change-Id: I9bd01641fd8787fab90921e360e5933953871d51
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/RHEL-07-020220.rst | 11 +++++++++--
 handlers/main.yml | 4 ++++
 tasks/rhel7stig/misc.yml | 22 ++++++++++++++++++++++
 4 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 27d663b3..3a3c8215 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -505,6 +505,8 @@ security_enable_graphical_login_message_text: >
 security_rhel7_disable_autofs: yes # RHEL-07-020161
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no # RHEL-07-030810
+# Disable ctrl-alt-delete key sequence on the console.
+security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
diff --git a/doc/metadata/rhel7/RHEL-07-020220.rst b/doc/metadata/rhel7/RHEL-07-020220.rst
index d8bb9432..572fc3c2 100644
--- a/doc/metadata/rhel7/RHEL-07-020220.rst
+++ b/doc/metadata/rhel7/RHEL-07-020220.rst
@@ -1,7 +1,14 @@
 ---
 id: RHEL-07-020220
-status: not implemented
+status: implemented
 tag: misc
 ---
-This STIG requirement is not yet implemented.
+The tasks in the security role disable the control-alt-delete key sequence by
+masking its systemd service unit.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+ security_rhel7_disable_ctrl_alt_delete: no
diff --git a/handlers/main.yml b/handlers/main.yml
index 112df6d4..2f164012 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -86,3 +86,7 @@
 - name: dconf update
 command: dconf update
+
+- name: reload systemd
+ systemd:
+ daemon-reload: yes
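Review bot: The `reload systemd` handler added in handlers/main.yml calls the `systemd` module with only `daemon-reload: yes` and no `name`. As far as I recall, Ansible releases before 2.4 always required `name` for this module, so on those releases the handler would fail when the mask task notifies it, leaving the run in error right after the hardening step; please confirm against the minimum Ansible version this role supports. If older releases are in scope, `command: systemctl daemon-reload` in the handler avoids the dependency.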
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 6d405928..eebd4ad4 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -35,6 +35,28 @@
 - misc
 - RHEL-07-020161
+# This returns an exit code of 0 if it's running, 3 if it's masked.
+- name: Check if ctrl-alt-del.target is already masked
+ command: systemctl status ctrl-alt-del.target
+ register: cad_mask_check
+ check_mode: no
+ changed_when: False
+ failed_when: cad_mask_check.rc not in [0,3]
+ tags:
+ - always
+
+- name: RHEL-07-020220 - The x86 Ctrl-Alt-Delete key sequence must be disabled
+ command: systemctl mask ctrl-alt-del.target
+ when:
+ - security_rhel7_disable_ctrl_alt_delete | bool
+ - cad_mask_check.rc != 3
+ notify:
+ - reload systemd
+ tags:
+ - high
+ - misc
+ - RHEL-07-020220
+
 - name: Check if ClamAV is installed
 stat:
 path: /usr/bin/clamdscan
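Review bot: The guard `cad_mask_check.rc != 3` on the RHEL-07-020220 task cannot tell a masked target from one that is merely inactive, because `systemctl status` exits with 3 for any unit that is not running. ctrl-alt-del.target is normally inactive until the key sequence is pressed, so on an unhardened host the check would most likely return 3 and the mask task would be skipped. The control would then stay unapplied while the documentation marks it as implemented. Test the mask state itself, for example `command: systemctl is-enabled ctrl-alt-del.target` with `failed_when: False` and the condition `- "'masked' not in cad_mask_check.stdout"`, or drop the pre-check and use the `systemd` module with `name: ctrl-alt-del.target` and `masked: yes`. The comment above the check should then read `# systemctl status exits 3 for any inactive unit, so it cannot be used to detect masking.`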