V-38682: Disable bluetooth modules

Change-Id: Ic59306c7722560fd1051cae0f74c1cc2660ac2cb
2015-10-09 15:42:57 -05:00 · 2015-10-09 15:42:57 -05:00 · 7a3fd19766
parent a8475db423
commit 7a3fd19766
4 changed files with 24 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -169,6 +169,7 @@ num_logs: 5                                       # V-38636
 # Set these booleans to 'yes' to disable the kernel module (following the
 # STIG requirements). Set the boolean to 'no' to ensure no changes are made.
 disable_module:
+  bluetooth: yes                                  # V-38682
  dccp: yes                                       # V-38514
  rds: yes                                        # V-38516
  sctp: yes                                       # V-38515
--- a/doc/source/developer-notes/V-38682.rst
+++ b/doc/source/developer-notes/V-38682.rst
@ -0,0 +1,9 @@
+The Ansible task will disable the bluetooth kernel modules to meet the STIG
+requirements. To opt-out of this change, adjust the following Ansible variable
+to ``no``:
+
+.. code-block:: yaml
+
+    disable_bluetooth_module: no
+
+**NOTE:** The module will be disabled on the next system reboot.
--- a/files/V-38682-modprobe.conf
+++ b/files/V-38682-modprobe.conf
@ -0,0 +1,4 @@
+# File managed by openstack-ansible-security
+# Fixes RHEL 6 STIG V-38682
+install net-pf-31 /bin/true
+install bluetooth /bin/true
--- a/tasks/kernel.yml
+++ b/tasks/kernel.yml
@ -148,3 +148,13 @@
    - kernel
    - cat2
    - V-38517
+
+- name: V-38682 - Disable bluetooth module
+  copy:
+    src: V-38682-modprobe.conf
+    dest: /etc/modprobe.d/disable-bluetooth.conf
+  when: disable_module['bluetooth'] | bool
+  tags:
+    - kernel
+    - cat2
+    - V-38682