diff --git a/doc/metadata/rhel7/RHEL-07-020940.rst b/doc/metadata/rhel7/RHEL-07-020940.rst
index 5e9c1b4c..57c17c27 100644
--- a/doc/metadata/rhel7/RHEL-07-020940.rst
+++ b/doc/metadata/rhel7/RHEL-07-020940.rst
@@ -1,7 +1,19 @@
 ---
 id: RHEL-07-020940
-status: not implemented
-tag: misc
+status: implemented - red hat only
+tag: lsm
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the SELinux contexts on each device file
+found on the system. Any devices without appropriate labels are printed in
+the Ansible output.
+
+Deployers should investigate the unlabeled devices and ensure that the correct
+labels are applied for the class of device.
+
+.. note::
+
+   This change applies only to CentOS or Red Hat Enterprise Linux systems
+   since they rely on SELinux as their default Linux Security Module (LSM).
+   Ubuntu systems use AppArmor, which uses policy files rather than labels
+   applied to individual files.
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index e30a4898..53f470ed 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -51,3 +51,33 @@
     - high
     - RHEL-07-020210
     - RHEL-07-020211
+
+# NOTE(mhayden): Ansible's find module doesn't support searching for files
+# based on SELinux contexts yet.
+- name: Check for unlabeled device files
+  command: "find /dev -context '*unlabeled_t*'"
+  register: unlabeled_devices
+  changed_when: False
+  check_mode: no
+  when:
+    - ansible_os_family == 'RedHat'
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940
+
+- name: RHEL-07-020940 - All system device files must be correctly labeled to prevent unauthorized modification.
+  debug:
+    msg: |
+      Devices were found without SELinux labels:
+      {% for device in unlabeled_devices.stdout_lines %}
+      {{ device }}
+      {% endfor %}
+  when:
+    - ansible_os_family == 'RedHat'
+    - unlabeled_devices.stdout is defined
+    - unlabeled_devices.stdout | length > 0
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940
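Review bot: The "Check for unlabeled device files" task in the lsm.yml hunk has no `failed_when`, so any non-zero exit from `find` — a permission error while traversing a subdirectory of /dev, or, on a RedHat-family host where SELinux is disabled, the `-context` test itself failing (to be confirmed) — aborts the whole play instead of just this reporting check, and the `ansible_os_family == 'RedHat'` guard does not cover that case. Adding `failed_when: false` to the command task keeps the check best-effort, and a second condition `- ansible_selinux.status == 'enabled'` alongside the os_family check would skip the scan where no labels can exist, matching the intent stated in the documentation change. As a point of style, `changed_when: False` and `check_mode: no` would be clearer as lowercase `false`, the canonical boolean form. The second task's `unlabeled_devices.stdout is defined` condition correctly handles the skipped-register case, so no change is needed there.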