samdoran · samdoran · Aug 6, 2016 · Jul 27, 2016 · Jul 28, 2016 · Jul 28, 2016
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -24,3 +24,8 @@ rhel7stig_tftp_required: no
 # RHEL-07-040580 Set the SNMP community string to this from the default of
 # public or private
 rhel7stig_snmp_community: Endgam3Ladyb0g
+
+# RHEL-07-040730 The system must not be performing packet forwarding unless the
+# system is a router. This variable is used in tasks that should not be run
+# if the OS is run as a router. (must override to yes)
+rhel7stig_system_is_router: no
diff --git a/tasks/audit-cat2.yml b/tasks/audit-cat2.yml
@@ -1,9 +1,9 @@
 - name: "MEDIUM | RHEL-07-040640 | AUDIT | The SSH public host key files must have mode 0644 or less permissive."
-  command: find / -name '*ssh_host*key'
+  command: find / -name '*.pub'
   failed_when: no
   changed_when: no
   ignore_errors: yes
-  register: rhel_07_040650_audit
+  register: rhel_07_040640_audit
   tags:
       - cat2
       - high
@@ -12,7 +12,12 @@
       - always
 
 - name: "MEDIUM | RHEL-07-040650 | AUDIT | The SSH private host key files must have mode 0600 or less permissive."
-  command: find / -name '*ssh_host*key'
+  find:
+      paths: /
+      recurse: yes
+      file_type: file
+      patterns: '*ssh_host*key'
+      hidden: true
   failed_when: no
   changed_when: no
   ignore_errors: yes

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -1440,9 +1440,9 @@
 
 - name: "MEDIUM | RHEL-07-040640 | PATCH | The SSH public host key files must have mode 0644 or less permissive."
   file:
-    dest: "{{ item }}"
-    mode: 0644
-    state: file
+     dest: "{{ item }}"
+     mode: 0644
+     state: file
   with_items: "{{ rhel_07_040640_audit.stdout_lines }}"
   tags:
       - cat2
@@ -1452,10 +1452,10 @@
 
 - name: "MEDIUM | RHEL-07-040650 | PATCH | The SSH private host key files must have mode 0600 or less permissive."
   file:
-    dest: "{{ item }}"
-    mode: 0600
-    state: file
-  with_items: "{{ rhel_07_040650_audit.stdout_lines }}"
+     dest: "{{ item }}"
+     mode: 0600
+     state: file
+  with_items: "{{ rhel_07_040650_audit.files | map(attribute='path') | list }}"
   tags:
       - cat2
       - medium
@@ -1524,6 +1524,7 @@
       regexp: (?i)^#?compression
       line: Compression no
       validate: sshd -t -f %s
+  ignore_errors: yes
   notify: restart ssh
   tags:
       - cat2
@@ -1537,6 +1538,8 @@
       name: net.ipv4.ip_forward
       present: yes
       value: 0
+  ignore_errors: yes
+  when: not rhel7stig_system_is_router
   tags:
       - cat2
       - medium
@@ -1562,6 +1565,18 @@
       - RHEL-07-040810
       - firewalld
 
+- name: "MEDIUM | RHEL-07-040810 | PATCH | The system must use a local firewall."
+  service:
+      name: firewalld
+      state: started
+      enabled: yes
+  tags:
+      - cat2
+      - medium
+      - patch
+      - RHEL-07-040810
+      - firewalld
+
 - name: "MEDIUM | RHEL-07-040820 | PATCH | The system's access control program must be configured to grant or deny system access to specific hosts and services."
   command: "true"
   tags:
@@ -1583,6 +1598,7 @@
       name: net.ipv6.conf.all.accept_source_route
       present: yes
       value: 0
+  ignore_errors: yes
   tags:
       - cat2
       - medium