From f9a3a1606e3ec4c36990da1617bab12df05e9a33 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 30 Nov 2016 16:13:03 -0600
Subject: [PATCH] Check for two nameservers [+Docs]

This patch adds tasks to verify that two or more nameservers are configured on each server in `/etc/resolv.conf`. If not, a warning is printed in a debug message. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I60a75be3fb3af031464f9a9defe8b2434dad7f56
---
 doc/metadata/rhel7/RHEL-07-040320.rst | 5 +++--
 tasks/rhel7stig/misc.yml | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/doc/metadata/rhel7/RHEL-07-040320.rst b/doc/metadata/rhel7/RHEL-07-040320.rst
index b3129658..1686ae53 100644
--- a/doc/metadata/rhel7/RHEL-07-040320.rst
+++ b/doc/metadata/rhel7/RHEL-07-040320.rst
@@ -1,7 +1,8 @@
 ---
 id: RHEL-07-040320
-status: not implemented
+status: implemented
 tag: misc
 ---
 
-This STIG requirement is not yet implemented.
+If a server has fewer than two nameservers configured in ``/etc/resolv.conf``,
+a warning is printed in the Ansible output.
diff --git a/tasks/rhel7stig/misc.yml b/tasks/rhel7stig/misc.yml
index 187e3577..07721af1 100644
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@@ -170,3 +170,28 @@
     - medium
     - misc
     - RHEL-07-040250
+
+# Linting checks need to be skipped because this command doesn't create any
+# files.
+- name: Count nameserver entries in /etc/resolv.conf
+  command: grep nameserver /etc/resolv.conf
+  register: nameserver_check
+  check_mode: no
+  changed_when: False
+  failed_when: False
+  tags:
+    - always
+    - skip_ansible_lint
+
+- name: RHEL-07-040320 - For systems using DNS resolution, at least two name servers must be configured.
+  debug:
+    msg: |
+      Two or more nameservers must be configured in /etc/resolv.conf.
+      Nameservers found: {{ nameserver_check.stdout_lines | length }}
+  when:
+    - nameserver_check is defined
+    - nameserver_check.stdout_lines | length < 2
+  tags:
+    - low
+    - misc
+    - RHEL-07-040320
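Review bot: The count produced by `command: grep nameserver /etc/resolv.conf` matches any line containing the word, so commented-out entries such as `# nameserver 10.0.0.1` or a `search` domain that happens to contain the string are counted as configured nameservers, and the warning is suppressed on a host that actually resolves against a single server. The resolver only honours a keyword that starts the line, so anchoring the pattern, `command: grep '^nameserver' /etc/resolv.conf`, counts only active entries and keeps the registered `stdout_lines` usable by the debug task unchanged. Separately, `check_mode: no`, `changed_when: False` and `failed_when: False` mix three boolean spellings in one task; the lowercase `true`/`false` form is the canonical YAML 1.2 spelling and avoids the YAML 1.1 truthy ambiguity that yamllint flags.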