From 0e05d2ea6c5e742790dc8499ec601900cba5fdff Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 5 Dec 2016 11:44:10 -0600
Subject: [PATCH] Search for unlabeled device files [+Docs]

This patch adds tasks to search for device files without SELinux labels and prints a list of those devices in the Ansible output. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ic870f91ead4e89189efb8ad93674798063c97ba8
---
 doc/metadata/rhel7/RHEL-07-020940.rst | 18 +++++++++++++---
 tasks/rhel7stig/lsm.yml               | 30 +++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/doc/metadata/rhel7/RHEL-07-020940.rst b/doc/metadata/rhel7/RHEL-07-020940.rst
index 5e9c1b4c..57c17c27 100644
--- a/doc/metadata/rhel7/RHEL-07-020940.rst
+++ b/doc/metadata/rhel7/RHEL-07-020940.rst
@@ -1,7 +1,19 @@
 ---
 id: RHEL-07-020940
-status: not implemented
-tag: misc
+status: implemented - red hat only
+tag: lsm
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the SELinux contexts on each device file
+found on the system. Any devices without appropriate labels are printed in
+the Ansible output.
+
+Deployers should investigate the unlabeled devices and ensure that the correct
+labels are applied for the class of device.
+
+.. note::
+
+   This change applies only to CentOS or Red Hat Enterprise Linux systems
+   since they rely on SELinux as their default Linux Security Module (LSM).
+   Ubuntu systems use AppArmor, which uses policy files rather than labels
+   applied to individual files.
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index e30a4898..53f470ed 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -51,3 +51,33 @@
     - high
     - RHEL-07-020210
     - RHEL-07-020211
+
+# NOTE(mhayden): Ansible's find module doesn't support searching for files
+# based on SELinux contexts yet.
+- name: Check for unlabeled device files
+  command: "find /dev -context '*unlabeled_t*'"
+  register: unlabeled_devices
+  changed_when: False
+  check_mode: no
+  when:
+    - ansible_os_family == 'RedHat'
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940
+
+- name: RHEL-07-020940 - All system device files must be correctly labeled to prevent unauthorized modification.
+  debug:
+    msg: |
+      Devices were found without SELinux labels:
+      {% for device in unlabeled_devices.stdout_lines %}
+      {{ device }}
+      {% endfor %}
+  when:
+    - ansible_os_family == 'RedHat'
+    - unlabeled_devices.stdout is defined
+    - unlabeled_devices.stdout | length > 0
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940
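Review bot: The `find /dev -context '*unlabeled_t*'` task is gated only on `ansible_os_family == 'RedHat'`, so on a RHEL-family host where SELinux is disabled the `-context` predicate can fail and abort the play rather than report nothing; add `- ansible_selinux.status == 'enabled'` to the `when` list (or set `failed_when: false` on the task) so the check degrades to a skip. The context glob should also be anchored on the type field, `command: "find /dev -context '*:unlabeled_t:*' -printf '%p %Z\n'"`, so it cannot match a substring of some other type name and the output shows the offending context alongside the path. As far as I recall, the STIG check text for this ID additionally flags device nodes left at the generic `*:device_t:*` context; that is worth confirming and, if so, covering with a second pattern, since the documentation hunk claims the role examines "any devices without appropriate labels". Finally, `changed_when: False` and `check_mode: no` would be more consistent with YAML conventions written as lowercase `false`.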