Merge "Enable SELinux/AppArmor [+Docs]"

defaults/main.yml

@@ -500,6 +500,10 @@ security_enable_graphical_login_message_text: >
     with identifying information. Disconnect immediately if you are not an
     authorized user of this system.
 
+## Linux Security Module (lsm)
+# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
+security_rhel7_enable_linux_security_module: yes             # RHEL-07-020210 / RHEL-07-020211
+
 ## Miscellaneous (misc)
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no                            # RHEL-07-030810

doc/metadata/rhel7/RHEL-07-020210.rst

@@ -1,7 +1,29 @@
 ---
 id: RHEL-07-020210
-status: not implemented
-tag: misc
+status: implemented
+tag: lsm
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role enable the appropriate Linux Security Module
+(LSM) for the operating system.
+
+For Ubuntu systems, AppArmor is installed and enabled.  This change takes
+effect immediately.
+
+For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in
+enforcing mode) and its user tools are automatically installed. If SELinux is
+not in enforcing mode already, a reboot is required to enable SELinux and
+relabel the filesystem.
+
+.. warning::
+
+    Relabeling a filesystem takes time and the server must be offline for the
+    relabeling to complete. Filesystems with large amounts of files and
+    filesystems on slow disks will cause the relabeling process to take more
+    time.
+
+Deployers can opt out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_rhel7_enable_linux_security_module: no

doc/metadata/rhel7/RHEL-07-020211.rst

@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-020211
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+The SELinux targeted policy is enabled on CentOS 7 and Red Hat systems.
+AppArmor only has one set of policies, so this change has no effect on Ubuntu
+systems running AppArmor.
+
+For more information on this change and how to opt out, refer to
+:ref:`stig-RHEL-07-020210`.

tasks/rhel7stig/lsm.yml

@@ -0,0 +1,53 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure AppArmor is running
+  service:
+    name: apparmor
+    state: started
+    enabled: yes
+  when:
+    - ansible_os_family == "Debian"
+    - security_rhel7_enable_linux_security_module | bool
+    - not check_mode
+  tags:
+    - high
+    - RHEL-07-020210
+
+- name: Ensure SELinux is in enforcing mode on the next reboot
+  selinux:
+    state: enforcing
+    policy: targeted
+  register: selinux_status_change
+  when:
+    - ansible_os_family == "RedHat"
+    - security_rhel7_enable_linux_security_module | bool
+  tags:
+    - high
+    - RHEL-07-020210
+    - RHEL-07-020211
+
+- name: Relabel files on next boot if SELinux mode changed
+  file:
+    path: /.autorelabel
+    state: touch
+  when:
+    - ansible_os_family == "RedHat"
+    - security_rhel7_enable_linux_security_module | bool
+    - selinux_status_change | changed
+  tags:
+    - high
+    - RHEL-07-020210
+    - RHEL-07-020211

tasks/rhel7stig/main.yml

@@ -48,6 +48,7 @@
 - include: file_perms.yml
 - include: graphical.yml
 - include: kernel.yml
+- include: lsm.yml
 - include: misc.yml
 - include: sshd.yml
 

vars/redhat.yml

@@ -101,6 +101,13 @@ stig_packages_rhel7:
       - screen
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - libselinux-python
+      - policycoreutils-python
+      - selinux-policy
+      - selinux-policy-targeted
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_linux_security_module }}"
   - packages:
       - clamav
       - clamav-data

vars/ubuntu.yml

@@ -106,6 +106,12 @@ stig_packages_rhel7:
       - screen
     state: "{{ security_package_state }}"
     enabled: True
+  - packages:
+      - apparmor
+      - apparmor-profiles
+      - apparmor-utils
+    state: "{{ security_package_state }}"
+    enabled: "{{ security_rhel7_enable_linux_security_module }}"
   - packages:
       - clamav
       - clamav-daemon