From 421d3d746cb7a2ba894f204ff879632678462263 Mon Sep 17 00:00:00 2001 From: jspringer Date: Mon, 1 Aug 2016 13:55:01 -0500 Subject: [PATCH] Made some slight changes. Created the audit for 040180, 040181, and 04182. Need to get with you to figure out how we want to handle LDAP key files. --- README.md | 10 +++++++--- handlers/main.yml | 5 +++++ tasks/audit-cat2.yml | 21 +++++++++++++++++++++ tasks/fix-cat2.yml | 27 +++++++++++++++++++++++---- 4 files changed, 56 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index be783ef..7ee44d1 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,13 @@ Role Variables | Name | Default Value | Description | |-------------------|---------------------|----------------------| -| `rhel7stig_cat1_patch` | True | Correct CAT I findings | -| `rhel7stig_cat2_patch` | False | Correct CAT II findings | -| `rhel7stig_cat3_patch` | False | Correct CAT III findings | +| `rhel7stig_cat1_audit` | True | Audit for CAT I findings | +| `rhel7stig_cat2_audit` | False | Audit for CAT II findings | +| `rhel7stig_cat3_audit` | False | Audit for CAT III findings | +| `rhel7stig_cat1_patch` | True | Correct CAT I findings | +| `rhel7stig_cat2_patch` | False | Correct CAT II findings | +| `rhel7stig_cat3_patch` | False | Correct CAT III findings | + Dependencies ------------ diff --git a/handlers/main.yml b/handlers/main.yml index ae35921..7d7ef96 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -13,3 +13,8 @@ service: name: snmpd state: restarted + +- name: restart ntpd + service: + name: ntpd + state: restarted diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml index 8eb2009..425ee91 100644 --- a/tasks/audit-cat2.yml +++ b/tasks/audit-cat2.yml 
@@ -47,3 +47,24 @@ - RHEL-07-040230 - always - pki + +- name: "MEDIUM | RHEL-07-040210 | AUDIT | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." + stat: + path: /etc/ntp.conf + register: rhel_07_040210_audit + tags: + - cat2 + - medium + - audit + - RHEL-07-040210 + - ntp + +- name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." + command: grep -i useldapauth /etc/sysconfig/authconfig + register: rhel_07_040180_audit + tags: + - cat2 + - medium + - patch + - RHEL-07-040180 + - ldap diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 61d39c3..a757ad1 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1227,6 +1227,7 @@ - name: "MEDIUM | RHEL-07-040180 | PATCH | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications." command: "true" + when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"' tags: - cat2 - medium 
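Review bot: The RHEL-07-040180 audit task runs `grep -i useldapauth /etc/sysconfig/authconfig` through `command` and registers the result, but grep exits 1 when the string is absent and 2 when the file is missing, so on any host not configured for LDAP the task fails and aborts the play; an audit task should add `failed_when: false` and `changed_when: false` (the latter also stops every audit run from reporting a change for a read-only grep). The same task is named `PATCH` and tagged `patch` while living in the audit file and registering `rhel_07_040180_audit`, so a run limited with `--tags audit` skips it and the fix task that consumes the variable then hits an undefined variable; the name and tag should read `AUDIT` / `audit` like the 040210 task above it. Because `-i` is used, `USELDAPAUTH=no` also produces output, so anything that later tests only whether the command returned lines will be misled.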
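Review bot: The added `when: '"yes" in "{{ rhel_07_040180_audit.stdout_lines }}"'` is a substring search on the stringified list, so it is true for any matched line that merely contains "yes", including a commented-out `#USELDAPAUTH=yes`, and it embeds a Jinja template inside `when`, which Ansible warns against. Test the registered output directly, e.g. `when: "'USELDAPAUTH=yes' in rhel_07_040180_audit.stdout_lines"`, which matches only an exact line. `rhel_07_040180_audit` is only set by the audit task in `audit-cat2.yml`, and this same commit's README defaults `rhel7stig_cat2_audit` to False, so running the cat2 patch tasks without the cat2 audit will raise an undefined-variable error unless the condition is guarded with `rhel_07_040180_audit is defined and ...` (or the audit include is made unconditional when patching). The task body is still `command: "true"`, so nothing enforces TLS for LDAP yet and the task reports "changed" on every run; a `changed_when: false` would at least keep the placeholder honest until the real fix lands.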
@@ -1250,28 +1251,46 @@ - RHEL-07-040182 - name: "MEDIUM | RHEL-07-040190 | PATCH | All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?ClientAliveInterval + line: ClientAliveInterval 600 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040190 + - ssh - name: "MEDIUM | RHEL-07-040191 | PATCH | All network connections associated with SSH traffic must terminate after a period of inactivity." - command: "true" + lineinfile: + dest: /etc/ssh/sshd_config + regexp: ^#?ClientAliveCountMax + line: ClientAliveCountMax 0 + validate: sshd -t -f %s + notify: restart ssh tags: - cat2 - medium - patch - RHEL-07-040191 + - ssh - name: "MEDIUM | RHEL-07-040210 | PATCH | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)." - command: "true" + lineinfile: + dest: /etc/ntp.conf + regexp: ^#?maxpoll + line: maxpoll 10 + notify: restart ntpd + when: rhel_07_040210_audit.stat.exists tags: - cat2 - medium - patch - RHEL-07-040210 + - ntp - name: "MEDIUM | RHEL-07-040230 | PATCH | The operating system, if using PKI-based authentication, must implement a local cache of revocation data to certificate validation in case of the inability to access revocation information via the network." lineinfile: @@ -1288,7 +1307,7 @@ - regexp: '^#?enableOCSP' line: 'enableOCSP="true"' - + - regexp: '^#?ocspCacheSize' line: 'ocspCacheSize="50"' tags:
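Review bot: The RHEL-07-040210 fix writes a stand-alone `maxpoll 10` line into `/etc/ntp.conf`, but `maxpoll` is not a top-level ntp.conf directive — it is an option on `server`/`peer` lines (`server 0.example.org iburst maxpoll 10`) — so ntpd logs a syntax error for the line and ignores it, the STIG check (which looks for `maxpoll` on the server lines) still fails, and `restart ntpd` is triggered for no effect. Append the option to every server line that lacks it instead, e.g. with the `replace` module: `regexp: '^(server\s+(?!.*\bmaxpoll\b).*)$'` and `replace: '\1 maxpoll 10'` (a `lineinfile` with `backrefs` would only rewrite the last matching server line). Separately, `ClientAliveCountMax 0` gives the intended drop-after-one-missed-keepalive behaviour on the OpenSSH 7.x shipped with RHEL 7, but OpenSSH 8.2 redefined 0 to disable connection termination entirely, so a comment such as `# 0 = terminate on first missed keepalive on OpenSSH < 8.2; revisit for newer sshd` on that task would save the next maintainer from silently losing the control.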