From 27be343296f875640548500f68323bdc82c44a16 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 13:42:25 -0500
Subject: [PATCH] V-3865{6,7}: Samba
Implements: blueprint security-hardening
Change-Id: I260cb84e543cad201e281f70adfcb181f54645be
---
doc/source/developer-notes/V-38656.rst | 4 ++++
doc/source/developer-notes/V-38657.rst | 5 +++++
handlers/main.yml | 5 +++++
tasks/misc.yml | 22 ++++++++++++++++++++++
4 files changed, 36 insertions(+)
create mode 100644 doc/source/developer-notes/V-38656.rst
create mode 100644 doc/source/developer-notes/V-38657.rst
diff --git a/doc/source/developer-notes/V-38656.rst b/doc/source/developer-notes/V-38656.rst
new file mode 100644
index 00000000..df8c1c32
--- /dev/null
+++ b/doc/source/developer-notes/V-38656.rst
@@ -0,0 +1,4 @@
+Although the ``samba`` server isn't installed by Ubuntu or openstack-ansible
+by default, the Ansible tasks will check to see if the package is installed
+and the configuration file will be adjusted. If adjustments are made, the
+service will be restarted.
diff --git a/doc/source/developer-notes/V-38657.rst b/doc/source/developer-notes/V-38657.rst
new file mode 100644
index 00000000..00401a5a
--- /dev/null
+++ b/doc/source/developer-notes/V-38657.rst
@@ -0,0 +1,5 @@
+**Exception**
+
+Ubuntu and openstack-ansible do not currently configure any samba share mounts
+by default. However, deployers are urged to follow this STIG if they ever
+mount samba shares within their infrastructure.
diff --git a/handlers/main.yml b/handlers/main.yml
index 6c6c548f..fb06cd0d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -34,6 +34,11 @@ name: rsyslog state: restarted +- name: restart samba + service: + name: smbd + state: restarted + - name: restart ssh service: name: ssh
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 62eb04f4..a37b2dc2 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -109,6 +109,28 @@ - cat3 - V-38624 +- name: Check if samba is installed (for V-38656) + stat: + path: /etc/samba/smb.conf + register: v38656_result + changed_when: false + tags: + - cat3 + - V-38656 + +- name: V-38656 - System must use SMB client signing + lineinfile: + dest: /etc/samba/smb.conf + regexp: "^(;)?client signing" + line: "client signing = mandatory" + insertafter: "############ Misc ############" + when: v38656_result.stat.exists == True + notify: + - restart samba + tags: + - cat3 + - V-38656 + - name: V-38675 - Process core dump must be disabled lineinfile: dest: /etc/security/limits.d/V-38675-coredump.conf
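Review bot: The `lineinfile` task for V-38656 can report success without Samba actually enforcing client signing. The pattern `^(;)?client signing` only matches a setting that starts in column one, so an indented or `#`-commented `client signing` line already in smb.conf is left in place beside the new one, and when the `############ Misc ############` marker is absent lineinfile falls back to appending at end of file, which may be inside a share section where this global parameter is presumably ignored. I would widen the match to `regexp: '^\s*[;#]?\s*client signing'` and confirm the effective value with `testparm -s`, or set the option in `[global]` explicitly. Separately, the guard only tests for /etc/samba/smb.conf while `notify: restart samba` restarts `smbd`; on a host that has the file but not the server package the handler would likely fail, so the check should look at the package or service as well.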