From 0c0767b3f1c244d00281f5daf27491730fdcb2a1 Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Tue, 12 Sep 2017 08:19:54 -0600 Subject: [PATCH] Queens doc updates + removal of RHEL 6 STIG This patch begins the teardown of the RHEL 6 STIG content from the ansible-hardening repository. It will still be maintained in Pike and earlier branches. This patch also updates the ansible-hardening documentation for the Queens release and notes that Pike is the latest stable version. Closes-Bug: 1715745 Change-Id: Iaae52c97a35d82dd807ef78a1a6593ce3aa33540 --- README.md | 2 - defaults/main.yml | 356 +- .../U_RedHat_6_V1R12_Manual-xccdf.xml | 3168 ----------------- doc/metadata/import-existing-notes.py | 61 - doc/metadata/rhel6/V-38437.rst | 12 - doc/metadata/rhel6/V-38438.rst | 19 - doc/metadata/rhel6/V-38439.rst | 9 - doc/metadata/rhel6/V-38443.rst | 8 - doc/metadata/rhel6/V-38444.rst | 8 - doc/metadata/rhel6/V-38445.rst | 9 - doc/metadata/rhel6/V-38446.rst | 12 - doc/metadata/rhel6/V-38447.rst | 24 - doc/metadata/rhel6/V-38448.rst | 8 - doc/metadata/rhel6/V-38449.rst | 8 - doc/metadata/rhel6/V-38450.rst | 7 - doc/metadata/rhel6/V-38451.rst | 7 - doc/metadata/rhel6/V-38452.rst | 24 - doc/metadata/rhel6/V-38453.rst | 11 - doc/metadata/rhel6/V-38454.rst | 24 - doc/metadata/rhel6/V-38455.rst | 12 - doc/metadata/rhel6/V-38456.rst | 12 - doc/metadata/rhel6/V-38457.rst | 7 - doc/metadata/rhel6/V-38458.rst | 8 - doc/metadata/rhel6/V-38459.rst | 8 - doc/metadata/rhel6/V-38460.rst | 10 - doc/metadata/rhel6/V-38461.rst | 8 - doc/metadata/rhel6/V-38462.rst | 23 - doc/metadata/rhel6/V-38463.rst | 12 - doc/metadata/rhel6/V-38464.rst | 26 - doc/metadata/rhel6/V-38465.rst | 9 - doc/metadata/rhel6/V-38466.rst | 9 - doc/metadata/rhel6/V-38467.rst | 8 - doc/metadata/rhel6/V-38468.rst | 27 - doc/metadata/rhel6/V-38469.rst | 9 - doc/metadata/rhel6/V-38470.rst | 28 - doc/metadata/rhel6/V-38471.rst | 10 - doc/metadata/rhel6/V-38472.rst | 9 - doc/metadata/rhel6/V-38473.rst | 8 - doc/metadata/rhel6/V-38474.rst | 8 - doc/metadata/rhel6/V-38475.rst | 15 - 
doc/metadata/rhel6/V-38476.rst | 13 - doc/metadata/rhel6/V-38477.rst | 12 - doc/metadata/rhel6/V-38478.rst | 10 - doc/metadata/rhel6/V-38479.rst | 12 - doc/metadata/rhel6/V-38480.rst | 14 - doc/metadata/rhel6/V-38481.rst | 32 - doc/metadata/rhel6/V-38482.rst | 14 - doc/metadata/rhel6/V-38483.rst | 9 - doc/metadata/rhel6/V-38484.rst | 9 - doc/metadata/rhel6/V-38486.rst | 9 - doc/metadata/rhel6/V-38487.rst | 9 - doc/metadata/rhel6/V-38488.rst | 9 - doc/metadata/rhel6/V-38489.rst | 8 - doc/metadata/rhel6/V-38490.rst | 15 - doc/metadata/rhel6/V-38491.rst | 12 - doc/metadata/rhel6/V-38492.rst | 14 - doc/metadata/rhel6/V-38493.rst | 9 - doc/metadata/rhel6/V-38494.rst | 11 - doc/metadata/rhel6/V-38495.rst | 8 - doc/metadata/rhel6/V-38496.rst | 17 - doc/metadata/rhel6/V-38497.rst | 28 - doc/metadata/rhel6/V-38498.rst | 14 - doc/metadata/rhel6/V-38499.rst | 8 - doc/metadata/rhel6/V-38500.rst | 13 - doc/metadata/rhel6/V-38501.rst | 43 - doc/metadata/rhel6/V-38502.rst | 8 - doc/metadata/rhel6/V-38503.rst | 8 - doc/metadata/rhel6/V-38504.rst | 14 - doc/metadata/rhel6/V-38511.rst | 9 - doc/metadata/rhel6/V-38512.rst | 14 - doc/metadata/rhel6/V-38513.rst | 14 - doc/metadata/rhel6/V-38514.rst | 18 - doc/metadata/rhel6/V-38515.rst | 14 - doc/metadata/rhel6/V-38516.rst | 18 - doc/metadata/rhel6/V-38517.rst | 16 - doc/metadata/rhel6/V-38518.rst | 12 - doc/metadata/rhel6/V-38519.rst | 12 - doc/metadata/rhel6/V-38520.rst | 12 - doc/metadata/rhel6/V-38521.rst | 12 - doc/metadata/rhel6/V-38522.rst | 7 - doc/metadata/rhel6/V-38523.rst | 17 - doc/metadata/rhel6/V-38524.rst | 15 - doc/metadata/rhel6/V-38525.rst | 7 - doc/metadata/rhel6/V-38526.rst | 16 - doc/metadata/rhel6/V-38527.rst | 8 - doc/metadata/rhel6/V-38528.rst | 26 - doc/metadata/rhel6/V-38529.rst | 17 - doc/metadata/rhel6/V-38530.rst | 8 - doc/metadata/rhel6/V-38531.rst | 7 - doc/metadata/rhel6/V-38532.rst | 17 - doc/metadata/rhel6/V-38533.rst | 17 - doc/metadata/rhel6/V-38534.rst | 9 - doc/metadata/rhel6/V-38535.rst | 9 - 
doc/metadata/rhel6/V-38536.rst | 7 - doc/metadata/rhel6/V-38537.rst | 9 - doc/metadata/rhel6/V-38538.rst | 7 - doc/metadata/rhel6/V-38539.rst | 27 - doc/metadata/rhel6/V-38540.rst | 7 - doc/metadata/rhel6/V-38541.rst | 17 - doc/metadata/rhel6/V-38542.rst | 17 - doc/metadata/rhel6/V-38543.rst | 17 - doc/metadata/rhel6/V-38544.rst | 17 - doc/metadata/rhel6/V-38545.rst | 16 - doc/metadata/rhel6/V-38546.rst | 18 - doc/metadata/rhel6/V-38547.rst | 17 - doc/metadata/rhel6/V-38548.rst | 19 - doc/metadata/rhel6/V-38549.rst | 10 - doc/metadata/rhel6/V-38550.rst | 17 - doc/metadata/rhel6/V-38551.rst | 22 - doc/metadata/rhel6/V-38552.rst | 16 - doc/metadata/rhel6/V-38553.rst | 10 - doc/metadata/rhel6/V-38554.rst | 16 - doc/metadata/rhel6/V-38555.rst | 10 - doc/metadata/rhel6/V-38556.rst | 16 - doc/metadata/rhel6/V-38557.rst | 16 - doc/metadata/rhel6/V-38558.rst | 16 - doc/metadata/rhel6/V-38559.rst | 16 - doc/metadata/rhel6/V-38560.rst | 10 - doc/metadata/rhel6/V-38561.rst | 16 - doc/metadata/rhel6/V-38563.rst | 9 - doc/metadata/rhel6/V-38565.rst | 16 - doc/metadata/rhel6/V-38566.rst | 16 - doc/metadata/rhel6/V-38567.rst | 10 - doc/metadata/rhel6/V-38568.rst | 7 - doc/metadata/rhel6/V-38569.rst | 14 - doc/metadata/rhel6/V-38570.rst | 14 - doc/metadata/rhel6/V-38571.rst | 14 - doc/metadata/rhel6/V-38572.rst | 14 - doc/metadata/rhel6/V-38573.rst | 43 - doc/metadata/rhel6/V-38574.rst | 21 - doc/metadata/rhel6/V-38575.rst | 17 - doc/metadata/rhel6/V-38576.rst | 21 - doc/metadata/rhel6/V-38577.rst | 26 - doc/metadata/rhel6/V-38578.rst | 7 - doc/metadata/rhel6/V-38579.rst | 15 - doc/metadata/rhel6/V-38580.rst | 8 - doc/metadata/rhel6/V-38581.rst | 7 - doc/metadata/rhel6/V-38582.rst | 15 - doc/metadata/rhel6/V-38583.rst | 13 - doc/metadata/rhel6/V-38584.rst | 13 - doc/metadata/rhel6/V-38585.rst | 10 - doc/metadata/rhel6/V-38586.rst | 11 - doc/metadata/rhel6/V-38587.rst | 13 - doc/metadata/rhel6/V-38588.rst | 9 - doc/metadata/rhel6/V-38589.rst | 10 - doc/metadata/rhel6/V-38590.rst | 
12 - doc/metadata/rhel6/V-38591.rst | 13 - doc/metadata/rhel6/V-38592.rst | 13 - doc/metadata/rhel6/V-38593.rst | 8 - doc/metadata/rhel6/V-38594.rst | 9 - doc/metadata/rhel6/V-38595.rst | 8 - doc/metadata/rhel6/V-38596.rst | 9 - doc/metadata/rhel6/V-38597.rst | 13 - doc/metadata/rhel6/V-38598.rst | 12 - doc/metadata/rhel6/V-38599.rst | 9 - doc/metadata/rhel6/V-38600.rst | 10 - doc/metadata/rhel6/V-38601.rst | 8 - doc/metadata/rhel6/V-38602.rst | 13 - doc/metadata/rhel6/V-38603.rst | 18 - doc/metadata/rhel6/V-38604.rst | 7 - doc/metadata/rhel6/V-38605.rst | 10 - doc/metadata/rhel6/V-38606.rst | 20 - doc/metadata/rhel6/V-38607.rst | 8 - doc/metadata/rhel6/V-38608.rst | 15 - doc/metadata/rhel6/V-38609.rst | 7 - doc/metadata/rhel6/V-38610.rst | 14 - doc/metadata/rhel6/V-38611.rst | 9 - doc/metadata/rhel6/V-38612.rst | 8 - doc/metadata/rhel6/V-38613.rst | 21 - doc/metadata/rhel6/V-38614.rst | 7 - doc/metadata/rhel6/V-38615.rst | 9 - doc/metadata/rhel6/V-38616.rst | 8 - doc/metadata/rhel6/V-38617.rst | 8 - doc/metadata/rhel6/V-38618.rst | 7 - doc/metadata/rhel6/V-38619.rst | 8 - doc/metadata/rhel6/V-38620.rst | 34 - doc/metadata/rhel6/V-38621.rst | 12 - doc/metadata/rhel6/V-38622.rst | 25 - doc/metadata/rhel6/V-38623.rst | 14 - doc/metadata/rhel6/V-38624.rst | 11 - doc/metadata/rhel6/V-38625.rst | 13 - doc/metadata/rhel6/V-38626.rst | 13 - doc/metadata/rhel6/V-38627.rst | 14 - doc/metadata/rhel6/V-38628.rst | 7 - doc/metadata/rhel6/V-38629.rst | 9 - doc/metadata/rhel6/V-38630.rst | 9 - doc/metadata/rhel6/V-38631.rst | 7 - doc/metadata/rhel6/V-38632.rst | 9 - doc/metadata/rhel6/V-38633.rst | 17 - doc/metadata/rhel6/V-38634.rst | 14 - doc/metadata/rhel6/V-38635.rst | 9 - doc/metadata/rhel6/V-38636.rst | 16 - doc/metadata/rhel6/V-38637.rst | 14 - doc/metadata/rhel6/V-38638.rst | 9 - doc/metadata/rhel6/V-38639.rst | 9 - doc/metadata/rhel6/V-38640.rst | 13 - doc/metadata/rhel6/V-38641.rst | 13 - doc/metadata/rhel6/V-38642.rst | 11 - doc/metadata/rhel6/V-38643.rst | 23 - 
doc/metadata/rhel6/V-38644.rst | 8 - doc/metadata/rhel6/V-38645.rst | 13 - doc/metadata/rhel6/V-38646.rst | 9 - doc/metadata/rhel6/V-38647.rst | 13 - doc/metadata/rhel6/V-38648.rst | 17 - doc/metadata/rhel6/V-38649.rst | 13 - doc/metadata/rhel6/V-38650.rst | 14 - doc/metadata/rhel6/V-38651.rst | 9 - doc/metadata/rhel6/V-38652.rst | 11 - doc/metadata/rhel6/V-38653.rst | 9 - doc/metadata/rhel6/V-38654.rst | 11 - doc/metadata/rhel6/V-38655.rst | 13 - doc/metadata/rhel6/V-38656.rst | 9 - doc/metadata/rhel6/V-38657.rst | 8 - doc/metadata/rhel6/V-38658.rst | 10 - doc/metadata/rhel6/V-38659.rst | 15 - doc/metadata/rhel6/V-38660.rst | 21 - doc/metadata/rhel6/V-38661.rst | 15 - doc/metadata/rhel6/V-38662.rst | 15 - doc/metadata/rhel6/V-38663.rst | 11 - doc/metadata/rhel6/V-38664.rst | 9 - doc/metadata/rhel6/V-38665.rst | 9 - doc/metadata/rhel6/V-38666.rst | 18 - doc/metadata/rhel6/V-38667.rst | 10 - doc/metadata/rhel6/V-38668.rst | 13 - doc/metadata/rhel6/V-38669.rst | 10 - doc/metadata/rhel6/V-38670.rst | 12 - doc/metadata/rhel6/V-38671.rst | 12 - doc/metadata/rhel6/V-38672.rst | 16 - doc/metadata/rhel6/V-38673.rst | 8 - doc/metadata/rhel6/V-38674.rst | 32 - doc/metadata/rhel6/V-38675.rst | 15 - doc/metadata/rhel6/V-38676.rst | 13 - doc/metadata/rhel6/V-38677.rst | 9 - doc/metadata/rhel6/V-38678.rst | 14 - doc/metadata/rhel6/V-38679.rst | 9 - doc/metadata/rhel6/V-38680.rst | 12 - doc/metadata/rhel6/V-38681.rst | 17 - doc/metadata/rhel6/V-38682.rst | 15 - doc/metadata/rhel6/V-38683.rst | 18 - doc/metadata/rhel6/V-38684.rst | 15 - doc/metadata/rhel6/V-38685.rst | 10 - doc/metadata/rhel6/V-38686.rst | 14 - doc/metadata/rhel6/V-38687.rst | 8 - doc/metadata/rhel6/V-38688.rst | 9 - doc/metadata/rhel6/V-38689.rst | 9 - doc/metadata/rhel6/V-38690.rst | 10 - doc/metadata/rhel6/V-38691.rst | 14 - doc/metadata/rhel6/V-38692.rst | 16 - doc/metadata/rhel6/V-38693.rst | 14 - doc/metadata/rhel6/V-38694.rst | 16 - doc/metadata/rhel6/V-38695.rst | 12 - doc/metadata/rhel6/V-38696.rst | 11 - 
doc/metadata/rhel6/V-38697.rst | 14 - doc/metadata/rhel6/V-38698.rst | 11 - doc/metadata/rhel6/V-38699.rst | 20 - doc/metadata/rhel6/V-38700.rst | 11 - doc/metadata/rhel6/V-38701.rst | 10 - doc/metadata/rhel6/V-38702.rst | 10 - doc/metadata/rhel6/V-43150.rst | 9 - doc/metadata/rhel6/V-51337.rst | 45 - doc/metadata/rhel6/V-51363.rst | 13 - doc/metadata/rhel6/V-51369.rst | 14 - doc/metadata/rhel6/V-51379.rst | 14 - doc/metadata/rhel6/V-51391.rst | 16 - doc/metadata/rhel6/V-51875.rst | 9 - doc/metadata/rhel6/V-54381.rst | 24 - doc/metadata/rhel6/V-57569.rst | 10 - doc/metadata/rhel6/V-58901.rst | 28 - doc/metadata/template_all.j2 | 24 - doc/metadata/template_doc.j2 | 16 - doc/metadata/template_toc.j2 | 31 - doc/source/_exts/metadata-docs.py | 216 -- doc/source/conf.py | 1 - doc/source/controls.rst | 46 - doc/source/faq.rst | 1 - doc/source/index.rst | 48 +- tasks/rhel6stig/aide.yml | 94 - tasks/rhel6stig/apt.yml | 129 - tasks/rhel6stig/auditd.yml | 290 -- tasks/rhel6stig/auth.yml | 408 --- tasks/rhel6stig/boot.yml | 66 - tasks/rhel6stig/console.yml | 61 - tasks/rhel6stig/file_perms.yml | 188 - tasks/rhel6stig/kernel.yml | 222 -- tasks/rhel6stig/lsm.yml | 52 - tasks/rhel6stig/mail.yml | 72 - tasks/rhel6stig/main.yml | 49 - tasks/rhel6stig/misc.yml | 339 -- tasks/rhel6stig/nfsd.yml | 74 - tasks/rhel6stig/rpm.yml | 125 - tasks/rhel6stig/services.yml | 167 - tasks/rhel6stig/sshd.yml | 234 -- tests/test.yml | 40 - tox.ini | 11 - vars/debian.yml | 56 - vars/redhat.yml | 61 - 296 files changed, 40 insertions(+), 10173 deletions(-) delete mode 100644 doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml delete mode 100644 doc/metadata/import-existing-notes.py delete mode 100644 doc/metadata/rhel6/V-38437.rst delete mode 100644 doc/metadata/rhel6/V-38438.rst delete mode 100644 doc/metadata/rhel6/V-38439.rst delete mode 100644 doc/metadata/rhel6/V-38443.rst delete mode 100644 doc/metadata/rhel6/V-38444.rst delete mode 100644 doc/metadata/rhel6/V-38445.rst delete mode 100644 
doc/metadata/rhel6/V-38446.rst delete mode 100644 doc/metadata/rhel6/V-38447.rst delete mode 100644 doc/metadata/rhel6/V-38448.rst delete mode 100644 doc/metadata/rhel6/V-38449.rst delete mode 100644 doc/metadata/rhel6/V-38450.rst delete mode 100644 doc/metadata/rhel6/V-38451.rst delete mode 100644 doc/metadata/rhel6/V-38452.rst delete mode 100644 doc/metadata/rhel6/V-38453.rst delete mode 100644 doc/metadata/rhel6/V-38454.rst delete mode 100644 doc/metadata/rhel6/V-38455.rst delete mode 100644 doc/metadata/rhel6/V-38456.rst delete mode 100644 doc/metadata/rhel6/V-38457.rst delete mode 100644 doc/metadata/rhel6/V-38458.rst delete mode 100644 doc/metadata/rhel6/V-38459.rst delete mode 100644 doc/metadata/rhel6/V-38460.rst delete mode 100644 doc/metadata/rhel6/V-38461.rst delete mode 100644 doc/metadata/rhel6/V-38462.rst delete mode 100644 doc/metadata/rhel6/V-38463.rst delete mode 100644 doc/metadata/rhel6/V-38464.rst delete mode 100644 doc/metadata/rhel6/V-38465.rst delete mode 100644 doc/metadata/rhel6/V-38466.rst delete mode 100644 doc/metadata/rhel6/V-38467.rst delete mode 100644 doc/metadata/rhel6/V-38468.rst delete mode 100644 doc/metadata/rhel6/V-38469.rst delete mode 100644 doc/metadata/rhel6/V-38470.rst delete mode 100644 doc/metadata/rhel6/V-38471.rst delete mode 100644 doc/metadata/rhel6/V-38472.rst delete mode 100644 doc/metadata/rhel6/V-38473.rst delete mode 100644 doc/metadata/rhel6/V-38474.rst delete mode 100644 doc/metadata/rhel6/V-38475.rst delete mode 100644 doc/metadata/rhel6/V-38476.rst delete mode 100644 doc/metadata/rhel6/V-38477.rst delete mode 100644 doc/metadata/rhel6/V-38478.rst delete mode 100644 doc/metadata/rhel6/V-38479.rst delete mode 100644 doc/metadata/rhel6/V-38480.rst delete mode 100644 doc/metadata/rhel6/V-38481.rst delete mode 100644 doc/metadata/rhel6/V-38482.rst delete mode 100644 doc/metadata/rhel6/V-38483.rst delete mode 100644 doc/metadata/rhel6/V-38484.rst delete mode 100644 doc/metadata/rhel6/V-38486.rst delete mode 100644 
doc/metadata/rhel6/V-38487.rst delete mode 100644 doc/metadata/rhel6/V-38488.rst delete mode 100644 doc/metadata/rhel6/V-38489.rst delete mode 100644 doc/metadata/rhel6/V-38490.rst delete mode 100644 doc/metadata/rhel6/V-38491.rst delete mode 100644 doc/metadata/rhel6/V-38492.rst delete mode 100644 doc/metadata/rhel6/V-38493.rst delete mode 100644 doc/metadata/rhel6/V-38494.rst delete mode 100644 doc/metadata/rhel6/V-38495.rst delete mode 100644 doc/metadata/rhel6/V-38496.rst delete mode 100644 doc/metadata/rhel6/V-38497.rst delete mode 100644 doc/metadata/rhel6/V-38498.rst delete mode 100644 doc/metadata/rhel6/V-38499.rst delete mode 100644 doc/metadata/rhel6/V-38500.rst delete mode 100644 doc/metadata/rhel6/V-38501.rst delete mode 100644 doc/metadata/rhel6/V-38502.rst delete mode 100644 doc/metadata/rhel6/V-38503.rst delete mode 100644 doc/metadata/rhel6/V-38504.rst delete mode 100644 doc/metadata/rhel6/V-38511.rst delete mode 100644 doc/metadata/rhel6/V-38512.rst delete mode 100644 doc/metadata/rhel6/V-38513.rst delete mode 100644 doc/metadata/rhel6/V-38514.rst delete mode 100644 doc/metadata/rhel6/V-38515.rst delete mode 100644 doc/metadata/rhel6/V-38516.rst delete mode 100644 doc/metadata/rhel6/V-38517.rst delete mode 100644 doc/metadata/rhel6/V-38518.rst delete mode 100644 doc/metadata/rhel6/V-38519.rst delete mode 100644 doc/metadata/rhel6/V-38520.rst delete mode 100644 doc/metadata/rhel6/V-38521.rst delete mode 100644 doc/metadata/rhel6/V-38522.rst delete mode 100644 doc/metadata/rhel6/V-38523.rst delete mode 100644 doc/metadata/rhel6/V-38524.rst delete mode 100644 doc/metadata/rhel6/V-38525.rst delete mode 100644 doc/metadata/rhel6/V-38526.rst delete mode 100644 doc/metadata/rhel6/V-38527.rst delete mode 100644 doc/metadata/rhel6/V-38528.rst delete mode 100644 doc/metadata/rhel6/V-38529.rst delete mode 100644 doc/metadata/rhel6/V-38530.rst delete mode 100644 doc/metadata/rhel6/V-38531.rst delete mode 100644 doc/metadata/rhel6/V-38532.rst delete mode 100644 
doc/metadata/rhel6/V-38533.rst delete mode 100644 doc/metadata/rhel6/V-38534.rst delete mode 100644 doc/metadata/rhel6/V-38535.rst delete mode 100644 doc/metadata/rhel6/V-38536.rst delete mode 100644 doc/metadata/rhel6/V-38537.rst delete mode 100644 doc/metadata/rhel6/V-38538.rst delete mode 100644 doc/metadata/rhel6/V-38539.rst delete mode 100644 doc/metadata/rhel6/V-38540.rst delete mode 100644 doc/metadata/rhel6/V-38541.rst delete mode 100644 doc/metadata/rhel6/V-38542.rst delete mode 100644 doc/metadata/rhel6/V-38543.rst delete mode 100644 doc/metadata/rhel6/V-38544.rst delete mode 100644 doc/metadata/rhel6/V-38545.rst delete mode 100644 doc/metadata/rhel6/V-38546.rst delete mode 100644 doc/metadata/rhel6/V-38547.rst delete mode 100644 doc/metadata/rhel6/V-38548.rst delete mode 100644 doc/metadata/rhel6/V-38549.rst delete mode 100644 doc/metadata/rhel6/V-38550.rst delete mode 100644 doc/metadata/rhel6/V-38551.rst delete mode 100644 doc/metadata/rhel6/V-38552.rst delete mode 100644 doc/metadata/rhel6/V-38553.rst delete mode 100644 doc/metadata/rhel6/V-38554.rst delete mode 100644 doc/metadata/rhel6/V-38555.rst delete mode 100644 doc/metadata/rhel6/V-38556.rst delete mode 100644 doc/metadata/rhel6/V-38557.rst delete mode 100644 doc/metadata/rhel6/V-38558.rst delete mode 100644 doc/metadata/rhel6/V-38559.rst delete mode 100644 doc/metadata/rhel6/V-38560.rst delete mode 100644 doc/metadata/rhel6/V-38561.rst delete mode 100644 doc/metadata/rhel6/V-38563.rst delete mode 100644 doc/metadata/rhel6/V-38565.rst delete mode 100644 doc/metadata/rhel6/V-38566.rst delete mode 100644 doc/metadata/rhel6/V-38567.rst delete mode 100644 doc/metadata/rhel6/V-38568.rst delete mode 100644 doc/metadata/rhel6/V-38569.rst delete mode 100644 doc/metadata/rhel6/V-38570.rst delete mode 100644 doc/metadata/rhel6/V-38571.rst delete mode 100644 doc/metadata/rhel6/V-38572.rst delete mode 100644 doc/metadata/rhel6/V-38573.rst delete mode 100644 doc/metadata/rhel6/V-38574.rst delete mode 100644 
doc/metadata/rhel6/V-38575.rst delete mode 100644 doc/metadata/rhel6/V-38576.rst delete mode 100644 doc/metadata/rhel6/V-38577.rst delete mode 100644 doc/metadata/rhel6/V-38578.rst delete mode 100644 doc/metadata/rhel6/V-38579.rst delete mode 100644 doc/metadata/rhel6/V-38580.rst delete mode 100644 doc/metadata/rhel6/V-38581.rst delete mode 100644 doc/metadata/rhel6/V-38582.rst delete mode 100644 doc/metadata/rhel6/V-38583.rst delete mode 100644 doc/metadata/rhel6/V-38584.rst delete mode 100644 doc/metadata/rhel6/V-38585.rst delete mode 100644 doc/metadata/rhel6/V-38586.rst delete mode 100644 doc/metadata/rhel6/V-38587.rst delete mode 100644 doc/metadata/rhel6/V-38588.rst delete mode 100644 doc/metadata/rhel6/V-38589.rst delete mode 100644 doc/metadata/rhel6/V-38590.rst delete mode 100644 doc/metadata/rhel6/V-38591.rst delete mode 100644 doc/metadata/rhel6/V-38592.rst delete mode 100644 doc/metadata/rhel6/V-38593.rst delete mode 100644 doc/metadata/rhel6/V-38594.rst delete mode 100644 doc/metadata/rhel6/V-38595.rst delete mode 100644 doc/metadata/rhel6/V-38596.rst delete mode 100644 doc/metadata/rhel6/V-38597.rst delete mode 100644 doc/metadata/rhel6/V-38598.rst delete mode 100644 doc/metadata/rhel6/V-38599.rst delete mode 100644 doc/metadata/rhel6/V-38600.rst delete mode 100644 doc/metadata/rhel6/V-38601.rst delete mode 100644 doc/metadata/rhel6/V-38602.rst delete mode 100644 doc/metadata/rhel6/V-38603.rst delete mode 100644 doc/metadata/rhel6/V-38604.rst delete mode 100644 doc/metadata/rhel6/V-38605.rst delete mode 100644 doc/metadata/rhel6/V-38606.rst delete mode 100644 doc/metadata/rhel6/V-38607.rst delete mode 100644 doc/metadata/rhel6/V-38608.rst delete mode 100644 doc/metadata/rhel6/V-38609.rst delete mode 100644 doc/metadata/rhel6/V-38610.rst delete mode 100644 doc/metadata/rhel6/V-38611.rst delete mode 100644 doc/metadata/rhel6/V-38612.rst delete mode 100644 doc/metadata/rhel6/V-38613.rst delete mode 100644 doc/metadata/rhel6/V-38614.rst delete mode 100644 
doc/metadata/rhel6/V-38615.rst delete mode 100644 doc/metadata/rhel6/V-38616.rst delete mode 100644 doc/metadata/rhel6/V-38617.rst delete mode 100644 doc/metadata/rhel6/V-38618.rst delete mode 100644 doc/metadata/rhel6/V-38619.rst delete mode 100644 doc/metadata/rhel6/V-38620.rst delete mode 100644 doc/metadata/rhel6/V-38621.rst delete mode 100644 doc/metadata/rhel6/V-38622.rst delete mode 100644 doc/metadata/rhel6/V-38623.rst delete mode 100644 doc/metadata/rhel6/V-38624.rst delete mode 100644 doc/metadata/rhel6/V-38625.rst delete mode 100644 doc/metadata/rhel6/V-38626.rst delete mode 100644 doc/metadata/rhel6/V-38627.rst delete mode 100644 doc/metadata/rhel6/V-38628.rst delete mode 100644 doc/metadata/rhel6/V-38629.rst delete mode 100644 doc/metadata/rhel6/V-38630.rst delete mode 100644 doc/metadata/rhel6/V-38631.rst delete mode 100644 doc/metadata/rhel6/V-38632.rst delete mode 100644 doc/metadata/rhel6/V-38633.rst delete mode 100644 doc/metadata/rhel6/V-38634.rst delete mode 100644 doc/metadata/rhel6/V-38635.rst delete mode 100644 doc/metadata/rhel6/V-38636.rst delete mode 100644 doc/metadata/rhel6/V-38637.rst delete mode 100644 doc/metadata/rhel6/V-38638.rst delete mode 100644 doc/metadata/rhel6/V-38639.rst delete mode 100644 doc/metadata/rhel6/V-38640.rst delete mode 100644 doc/metadata/rhel6/V-38641.rst delete mode 100644 doc/metadata/rhel6/V-38642.rst delete mode 100644 doc/metadata/rhel6/V-38643.rst delete mode 100644 doc/metadata/rhel6/V-38644.rst delete mode 100644 doc/metadata/rhel6/V-38645.rst delete mode 100644 doc/metadata/rhel6/V-38646.rst delete mode 100644 doc/metadata/rhel6/V-38647.rst delete mode 100644 doc/metadata/rhel6/V-38648.rst delete mode 100644 doc/metadata/rhel6/V-38649.rst delete mode 100644 doc/metadata/rhel6/V-38650.rst delete mode 100644 doc/metadata/rhel6/V-38651.rst delete mode 100644 doc/metadata/rhel6/V-38652.rst delete mode 100644 doc/metadata/rhel6/V-38653.rst delete mode 100644 doc/metadata/rhel6/V-38654.rst delete mode 100644 
doc/metadata/rhel6/V-38655.rst delete mode 100644 doc/metadata/rhel6/V-38656.rst delete mode 100644 doc/metadata/rhel6/V-38657.rst delete mode 100644 doc/metadata/rhel6/V-38658.rst delete mode 100644 doc/metadata/rhel6/V-38659.rst delete mode 100644 doc/metadata/rhel6/V-38660.rst delete mode 100644 doc/metadata/rhel6/V-38661.rst delete mode 100644 doc/metadata/rhel6/V-38662.rst delete mode 100644 doc/metadata/rhel6/V-38663.rst delete mode 100644 doc/metadata/rhel6/V-38664.rst delete mode 100644 doc/metadata/rhel6/V-38665.rst delete mode 100644 doc/metadata/rhel6/V-38666.rst delete mode 100644 doc/metadata/rhel6/V-38667.rst delete mode 100644 doc/metadata/rhel6/V-38668.rst delete mode 100644 doc/metadata/rhel6/V-38669.rst delete mode 100644 doc/metadata/rhel6/V-38670.rst delete mode 100644 doc/metadata/rhel6/V-38671.rst delete mode 100644 doc/metadata/rhel6/V-38672.rst delete mode 100644 doc/metadata/rhel6/V-38673.rst delete mode 100644 doc/metadata/rhel6/V-38674.rst delete mode 100644 doc/metadata/rhel6/V-38675.rst delete mode 100644 doc/metadata/rhel6/V-38676.rst delete mode 100644 doc/metadata/rhel6/V-38677.rst delete mode 100644 doc/metadata/rhel6/V-38678.rst delete mode 100644 doc/metadata/rhel6/V-38679.rst delete mode 100644 doc/metadata/rhel6/V-38680.rst delete mode 100644 doc/metadata/rhel6/V-38681.rst delete mode 100644 doc/metadata/rhel6/V-38682.rst delete mode 100644 doc/metadata/rhel6/V-38683.rst delete mode 100644 doc/metadata/rhel6/V-38684.rst delete mode 100644 doc/metadata/rhel6/V-38685.rst delete mode 100644 doc/metadata/rhel6/V-38686.rst delete mode 100644 doc/metadata/rhel6/V-38687.rst delete mode 100644 doc/metadata/rhel6/V-38688.rst delete mode 100644 doc/metadata/rhel6/V-38689.rst delete mode 100644 doc/metadata/rhel6/V-38690.rst delete mode 100644 doc/metadata/rhel6/V-38691.rst delete mode 100644 doc/metadata/rhel6/V-38692.rst delete mode 100644 doc/metadata/rhel6/V-38693.rst delete mode 100644 doc/metadata/rhel6/V-38694.rst delete mode 100644 
doc/metadata/rhel6/V-38695.rst delete mode 100644 doc/metadata/rhel6/V-38696.rst delete mode 100644 doc/metadata/rhel6/V-38697.rst delete mode 100644 doc/metadata/rhel6/V-38698.rst delete mode 100644 doc/metadata/rhel6/V-38699.rst delete mode 100644 doc/metadata/rhel6/V-38700.rst delete mode 100644 doc/metadata/rhel6/V-38701.rst delete mode 100644 doc/metadata/rhel6/V-38702.rst delete mode 100644 doc/metadata/rhel6/V-43150.rst delete mode 100644 doc/metadata/rhel6/V-51337.rst delete mode 100644 doc/metadata/rhel6/V-51363.rst delete mode 100644 doc/metadata/rhel6/V-51369.rst delete mode 100644 doc/metadata/rhel6/V-51379.rst delete mode 100644 doc/metadata/rhel6/V-51391.rst delete mode 100644 doc/metadata/rhel6/V-51875.rst delete mode 100644 doc/metadata/rhel6/V-54381.rst delete mode 100644 doc/metadata/rhel6/V-57569.rst delete mode 100644 doc/metadata/rhel6/V-58901.rst delete mode 100644 doc/metadata/template_all.j2 delete mode 100644 doc/metadata/template_doc.j2 delete mode 100644 doc/metadata/template_toc.j2 delete mode 100755 doc/source/_exts/metadata-docs.py delete mode 100644 doc/source/controls.rst delete mode 100644 tasks/rhel6stig/aide.yml delete mode 100644 tasks/rhel6stig/apt.yml delete mode 100644 tasks/rhel6stig/auditd.yml delete mode 100644 tasks/rhel6stig/auth.yml delete mode 100644 tasks/rhel6stig/boot.yml delete mode 100644 tasks/rhel6stig/console.yml delete mode 100644 tasks/rhel6stig/file_perms.yml delete mode 100644 tasks/rhel6stig/kernel.yml delete mode 100644 tasks/rhel6stig/lsm.yml delete mode 100644 tasks/rhel6stig/mail.yml delete mode 100644 tasks/rhel6stig/main.yml delete mode 100644 tasks/rhel6stig/misc.yml delete mode 100644 tasks/rhel6stig/nfsd.yml delete mode 100644 tasks/rhel6stig/rpm.yml delete mode 100644 tasks/rhel6stig/services.yml delete mode 100644 tasks/rhel6stig/sshd.yml diff --git a/README.md b/README.md index 746bf775..e57666cc 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,6 @@ to systems running the following distributions: * openSUSE Leap 42.2 and 42.3 * Red Hat Enterprise Linux 7 * SUSE Linux Enterprise 12 (*experimental*) -* Ubuntu 14.04 *(deprecated)* * Ubuntu 16.04 For more details, review the @@ -50,7 +49,6 @@ Running with Vagrant This role can be tested easily on multiple platforms using Vagrant. The `Vagrantfile` supports testing on: - * Ubuntu 14.04 * Ubuntu 16.04 * CentOS 7 diff --git a/defaults/main.yml b/defaults/main.yml index 7f72d177..71ee30d4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -24,10 +24,7 @@ # * SUSE Linux Enterprise 12 # * Ubuntu 16.04 Xenial LTS # -# The RHEL 6 STIG content is deprecated in the Ocata release. It is compatible -# with Ubuntu 14.04 Trusty LTS. -# -# Valid options: rhel7, rhel6 +# Valid options: rhel7 stig_version: rhel7 ## APT Cache Options @@ -73,6 +70,16 @@ security_set_maximum_password_lifetime: no # V-71931 # Initialize the AIDE database immediately (may take time). security_rhel7_initialize_aide: no # V-71973 +# The default Ubuntu configuration for AIDE will cause it to wander into some +# terrible places on the system, such as /var/lib/lxc and images in /opt. +# The following three default exclusions are highly recommended for AIDE to +# work properly, but additional exclusions can be added to this list if needed. +security_aide_exclude_dirs: + - /openstack + - /opt + - /run + - /var + ## Audit daemon (auditd) # Send audit records to a different system using audisp. #security_audisp_remote_server: '10.0.21.1' # V-72083 
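Review bot: The `# Valid options: rhel7` comment in the first defaults/main.yml hunk gives no guidance for an inventory that still sets `stig_version: rhel6`. The diffstat shows the tasks/rhel6stig files deleted, and whether the role rejects the old value with a clear error is not visible in this patch. A host that silently receives no hardening tasks would be the worst outcome, so that path is worth confirming. I would write the comment as `# Valid options: rhel7 (rhel6 was removed; the RHEL 6 STIG content remains in Pike and earlier branches)`.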
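Review bot: The comment added above `security_aide_exclude_dirs` says "three default exclusions" while the list has four entries, and it does not state what the exclusions cost. Everything under `/var`, `/opt`, `/run` and `/openstack` is left out of the AIDE database, so changes there will presumably not be reported. The comment also still speaks only of Ubuntu, although the variable now sits with the RHEL 7 STIG defaults. Suggested wording: `# The following four default exclusions keep AIDE out of large, fast-changing trees.` followed by `# Files under excluded paths are not integrity-checked; narrow the list where monitoring is required.`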
@@ -243,6 +250,8 @@ security_enable_firewalld: no # V-72273
 security_enable_firewalld_rate_limit: no # V-72271
 security_enable_firewalld_rate_limit_per_minute: 25
 security_enable_firewalld_rate_limit_burst: 100
+# Update the grub configuration.
+security_enable_grub_update: yes
 # Require authentication in GRUB to boot into single-user or maintenance modes.
 security_require_grub_authentication: no # V-71961 / V-71963
 # The default password for grub authentication is 'secrete'.
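Review bot: The new comment `# Update the grub configuration.` above `security_enable_grub_update: yes` does not say when the update runs or what is regenerated. With the default `yes`, the role presumably rewrites the bootloader configuration whenever a GRUB-related task changes something; the consuming tasks are outside this hunk, so that is inferred. The text this patch removes further down the file was more specific ("the grub.cfg will be updated automatically"), and I would carry it over: `# Regenerate grub.cfg automatically when the role changes GRUB settings; set to 'no' to apply the change by hand.`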
@@ -341,342 +350,3 @@ security_disallow_ip_forwarding: no # V-72309 security_rhel7_disable_usb_storage: yes # V-71983 # Disable kdump. security_disable_kdump: yes # V-72057 - - -############################################################################### -# ____ _ _ _____ _ __ ____ _____ ___ ____ -# | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___| -# | |_) | |_| | _| | | | '_ \ \___ \ | | | | | _ -# | _ <| _ | |___| |___ | (_) | ___) || | | | |_| | -# |_| \_\_| |_|_____|_____| \___/ |____/ |_| |___\____| -# -# DEPRECATED! The RHEL 6 STIG content and its tasks were deprecated in the -# Ocata release and will be removed in a future release. -# -# These configuration options apply to the RHEL 6 STIG content. Be sure to set -# `stig_version` to `rhel6` to use the tasks for the RHEL 6 STIG content. -# -############################################################################### - -## AIDE -# The default Ubuntu configuration for AIDE will cause it to wander into some -# terrible places on the system, such as /var/lib/lxc and images in /opt. -# The following three default exclusions are highly recommended for AIDE to -# work properly, but additional exclusions can be added to this list if needed. -security_aide_exclude_dirs: - - /openstack - - /opt - - /run - - /var -# -# By default, the AIDE database won't be initialized immediately since it can -# consume plenty of CPU and I/O resources while it runs. To initialize the -# AIDE database immediately when the playbook finishes, set the following -# variable to 'true': -security_initialize_aide: false - -## Audit daemon -# V-38438 requires that auditd is enabled at boot time with a parameter in the -# GRUB configuration. -# -# If 'security_enable_audit_during_boot' is set to 'yes', then the 'audit=1' -# parameter will be added in /etc/default/grub.d/. -# If 'security_enable_grub_update is set to 'yes', the grub.cfg will be -# updated automatically. 
-security_enable_audit_during_boot: yes # V-38438 -security_enable_grub_update: yes # V-38438 - -# The following booleans control the rule sets added to auditd's default -# set of auditing rules. To see which rules will be added for each boolean, -# refer to the templates/osas-auditd.j2 file. -# -# If the template changes due to booleans being adjusted, the new template -# will be deployed onto the host and auditd will get the new rules loaded -# automatically with augenrules. -# -security_audit_account_modification: yes # V-38531, V-38534, V-38538 -security_audit_change_localtime: yes # V-38530 -security_audit_change_system_time: yes # V-38635 -security_audit_clock_settime: yes # V-38527 -security_audit_clock_settimeofday: yes # V-38522 -security_audit_clock_stime: yes # V-38525 -security_audit_DAC_chmod: no # V-38543 -security_audit_DAC_chown: no # V-38545 -security_audit_DAC_lchown: no # V-38558 -security_audit_DAC_fchmod: no # V-38547 -security_audit_DAC_fchmodat: no # V-38550 -security_audit_DAC_fchown: no # V-38552 -security_audit_DAC_fchownat: no # V-38554 -security_audit_DAC_fremovexattr: no # V-38556 -security_audit_DAC_lremovexattr: no # V-38559 -security_audit_DAC_fsetxattr: no # V-38557 -security_audit_DAC_lsetxattr: no # V-38561 -security_audit_DAC_setxattr: no # V-38565 -security_audit_deletions: no # V-38575 -security_audit_failed_access: no # V-38566 -security_audit_filesystem_mounts: yes # V-38568 -security_audit_kernel_modules: yes # V-38580 -security_audit_mac_changes: yes # V-38541 -security_audit_network_changes: yes # V-38540 -security_audit_sudoers: yes # V-38578 -# -# **DANGER** -# Changing the options below can cause systems to go offline unexpectedly or -# stop serving requests as a security precaution. Read the developer notes for -# each STIG prior to adjusting the following variables. -# **DANGER** -# -# Set an action to occur when there is a disk error. Review the -# documentation for V-38464 before changing this option. 
-security_disk_error_action: SYSLOG # V-38464 -# -# Set an action to occur when the disk is full. Review the documentation for -# V-38468 before changing this option. -security_disk_full_action: SYSLOG # V-38468 -# -# V-38678 - Set the amount of megabytes left when the space_left_action -# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a -# default of 75MB, which is reasonable. -security_space_left: 75 # V-38678 -# -# Set an action to occur when the disk is approaching its capacity. -# Review the documentation for V-38470 before changing this option. -security_space_left_action: SYSLOG # V-38470 -# -# Set the maximum size of a rotated log file. Ubuntu's default -# matches the STIG requirement of 6MB. -security_max_log_file: 6 # V 38633 -# -# Sets the action to take when log files reach the maximum file size. -# Review the documentation for V-38634 before changing this option. -security_max_log_file_action: ROTATE # V-38634 -# -# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default -# and this matches the STIG's requirements. -security_num_logs: 5 # V-38636 -# -# Set the email address of someone who can receive and respond to notifications -# about low disk space for log volumes. -security_action_mail_acct: root # V-38680 -# -# **IMMINENT DANGER** -# The STIG says that the system should switch to single user mode when the -# storage capacity gets very low. This can cause serious service disruptions -# and should only be set to 'single' for deployers in extremely high security -# environments. Ubuntu's default is SUSPEND, which will suspend logging. -# **IMMENENT DANGER** -security_admin_space_left_action: SUSPEND # V-54381 - -## Chrony (NTP) configuration -# Install and enable chrony to sync time with NTP servers. -security_enable_chrony: yes # V-38620 -# Adjust the following NTP servers if necessary. 
-security_ntp_servers: - - 0.north-america.pool.ntp.org - - 1.north-america.pool.ntp.org - - 2.north-america.pool.ntp.org - - 3.north-america.pool.ntp.org -# Chrony limits access to clients that are on certain subnets. Adjust the -# following subnets here to limit client access to chrony servers. -security_allowed_ntp_subnets: - - 10/8 - - 192.168/16 - - 172.16/12 -# Listen for NTP requests only on local interfaces. -security_ntp_bind_local_interfaces_only: yes - -## Core dumps -# V-38675 requires disabling core dumps for all users unless absolutely -# necessary. Set this variable to 'no' to skip this change. -security_disable_core_dumps: yes # V-38675 - -## Services -# The STIG recommends ensuring that some services are running if no services -# utilizing it are enabled. Setting a boolean to 'yes' here will ensure that -# a service isn't actively running and will not be started after boot-up. -# Setting a 'no' will ensure that this Ansible role does not alter the service -# in any way from its current configuration. -# -security_disable_abrtd: yes # V-38641 -security_disable_atd: yes # V-38640 -security_disable_autofs: yes # V-38437 -security_disable_avahi: yes # V-31618 -security_disable_bluetooth: yes # V-38691 -security_disable_netconsole: yes # v-38672 -security_disable_qpidd: yes # V-38648 -security_disable_rdisc: yes # V-38650 -security_disable_rsh: yes # V-38594 -security_disable_ypbind: yes # V-38604 -security_disable_xinetd: yes # V-38582 -# -# The STIG recommends ensuring that some services aren't installed at ANY time. -# Those services are listed here. Setting a boolean here to 'yes' wiil -# ensure that the STIG is followed and the service is removed. Setting a -# boolean to 'no' means that the playbook will not alter the service. 
-# -security_remove_ldap_server: yes # V-38627 -security_remove_rsh_server: yes # V-38591 -security_remove_sendmail: yes # V-38671 -security_remove_telnet_server: yes # V-38587 -security_remove_tftp_server: yes # V-38606 -security_remove_xinetd: yes # V-38584 -security_remove_xorg: yes # v-38676 -security_remove_ypserv: yes # V-38603 -# -# The STIG does not allow the system to run a graphical interface. Set this -# variable to 'no' if you need a graphical interface on the server. -security_disable_x_windows: yes # V-38674 - -## SSH configuration -# The following configuration items will adjust how the ssh daemon is -# configured. The recommendations from the RHEL 6 STIG are shown below, but -# they can be adjusted to fit a particular environment. -# -# Set a 15 minute time out for SSH sessions if there is no activity -security_ssh_client_alive_interval: 900 # V-38608 -# -# Timeout ssh sessions as soon as ClientAliveInterval is reached once -security_ssh_client_alive_count_max: 0 # V-38610 -# -# The ssh daemon must not permit root logins. The default value of -# 'without-password' is a deviation from the STIG requirements due to how -# OpenStack-Ansible operates, especially within OpenStack CI gate jobs. See -# documentation for V-38613 for more details. -security_ssh_permit_root_login: 'without-password' # V-38613 - -## Kernel -# Set these booleans to 'yes' to disable the kernel module (following the -# STIG requirements). Set the boolean to 'no' to ensure no changes are made. 
-security_disable_module_bluetooth: yes # V-38682 -security_disable_module_dccp: yes # V-38514 -security_disable_module_rds: yes # V-38516 -security_disable_module_sctp: yes # V-38515 -security_disable_module_tipc: yes # V-38517 -security_disable_module_usb_storage: no # V-38490 -security_disable_icmpv4_redirects: no # V-38524 -security_disable_icmpv4_redirects_secure: no # V-38526 -security_disable_icmpv6_redirects: no # V-38548 -# -# ** DANGER ** -# It's strongly recommended to fully understand the effects of changing the -# following sysctl tunables. Refer to the documentation under 'Developer -# Notes' for each of the STIGs below before making any changes. -# ** DANGER ** -# -security_sysctl_enable_tcp_syncookies: yes # V-38539 -security_sysctl_enable_martian_logging: no # V-38528 -# -# Deployers who wish to disable IPv6 entirely must set this configuration -# variable to 'yes'. See the documentation for V-38546 before making this -# change. -security_disable_ipv6: no # V-38546 - -# Sets the global challenge ACK counter to a large value such -# that a potential attacker could not reasonably come up against it. -security_set_tcp_challenge_ack_limit: yes # CVE-2016-5696 - -## Mail -# The STIG requires inet_interfaces to be set to 'localhost', but Ubuntu will -# configure it to be 'all' when dpkg-reconfigure is unavailable (as it is when -# Ansible installs packages). The default here is 'localhost' to meet the STIG -# requirement, but some deployers may want this set to 'all' if their hosts -# need to receive emails over the network (which isn't common). -# -# See the documentation for V-38622 for more details. -security_postfix_inet_interfaces: localhost # V-38622 -# -# Configuring an email address here will cause hosts to forward the root user's -# email to another address. 
-# -#security_root_forward_email: user@example.com - -## Linux Security Module (LSM) -# AppArmor and SELinux provide powerful security controls on a Linux system -# by setting policies for allowed actions. By setting the following variable -# to true, the appropriate LSM will be enabled for the Linux distribution: -# -# Ubuntu: AppArmor -# CentOS: SELinux -# -# See the ansible-hardening documentation for more details. -security_enable_linux_security_module: yes # V-51337 - -## PAM and authentication -# V-38497 requires that accounts with null passwords aren't allowed to -# authenticate via PAM. Ubuntu 14.04's default allows these logins -- see the -# documentation for V-38497 for more details. Set the variable below to 'yes' -# to remove 'nullok_secure' from the PAM configuration or set it to 'no' to -# leave the PAM configuration unaltered. -security_pam_remove_nullok: yes # V-38497 -# -# V-38501 requires that failed login attempts must lock a user account using -# pam_faillock, but Ubuntu doesn't package that PAM module. Instead, fail2ban -# can be installed to lock out IP addresses with failed logins for 15 minutes. -# Set the variable below to 'yes' to install and configure fail2ban. -security_install_fail2ban: no # V-38501 -# -# The STIG requires bans to last 15 minutes. Adjust the following variable -# to set the time an IP is banned by fail2ban (in seconds). -security_fail2ban_bantime: 900 # V-38501 - -## Password complexity and aging -# V-38475 - There is no password length requirement by default in Ubuntu 14.04. -# To set a password length requirement, uncomment -# security_password_minimum_length below. The STIG recommendation is 14 -# characters. -#security_password_minimum_length: 14 # V-38475 -# V-38477 - There is no password change limitation set by default in Ubuntu. To -# set the minimum number of days between password changes, uncomment the -# security_password_minimum_days variable below. The STIG recommendation is 1 -# day. 
-#security_password_minimum_days: 1 # V-38477 -# V-38479 - There is no age limit on password by default in Ubuntu. Uncomment -# line below to use the STIG recommendation of 60 days. -#security_password_maximum_days: 60 # V-38479 -# V-38480 - To warn users before their password expires, uncomment the line -# below and they will be warned 7 days prior (following the STIG). -#security_password_warn_age: 7 # V-38480 -# V-38684 - Setting the maximum number of simultaneous logins per user. The -# STIG sets a limit of 10. -#security_max_simultaneous_logins: 10 # V-38684 -# V-38692 - Lock accounts that are inactive for 35 days. -#security_inactive_account_lock_days: 35 # V-38692 - -## sudo -# V-58901 requires that 'NOPASSWD' and '!authenticate' do not appear in any -# sudoers files since they could lead to a compromise. Set the following -# variables to 'yes' to comment out any lines found with these prohibited -# parameters or leave them set to 'no' (the default) to leave sudoers files -# unaltered. Deployers are urged to review the documentation for this STIG -# before making changes. -security_sudoers_remove_nopasswd: no # V-58901 -security_sudoers_remove_authenticate: no # V-58901 - -## umask settings -# The STIG recommends changing various default umask settings for users and -# daemons via different methods. However, this could cause serious issues for -# production OpenStack environements which haven't been tested with these -# changes. -# -# The variables below are set to match the STIG requirements, but they are -# commented out to ensure they require deployers to opt-in for each change. To -# opt in for one of the changes below, simply uncomment the line and run the -# playbook. Deployers are strongly advised to review the documentation for -# these changes and review their systems to ensure these changes won't cause -# service disruptions. 
-# -# V-38642 - Set umask for daemons in init scripts to 027 or 022 -#security_umask_daemons_init: 027 # V-38642 -# -# V-38645 - System default umask in /etc/login.defs must be 077 -#security_umask_login_defs: 077 # V-38645 -# -# V-38649 - System default umask for csh must be 077 -#security_umask_csh: 077 # V-38649 -# -# V-38651 - System default umask for bash must be 077 -#security_umask_bash: 077 # V-38651 - -## Unattended upgrades (APT) configuration -security_unattended_upgrades_enabled: false -security_unattended_upgrades_notifications: false diff --git a/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml b/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml deleted file mode 100644 index e1ef90a5..00000000 --- a/doc/metadata/U_RedHat_6_V1R12_Manual-xccdf.xml +++ /dev/null @@ -1,3168 +0,0 @@ -acceptedRed Hat Enterprise Linux 6 Security Technical Implementation GuideThe Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 12 Benchmark Date: 22 Jul 20161I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>