From 3c19f00a7f29d723c157e935651c7748ef0a8e7c Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Mon, 12 Sep 2016 14:07:16 -0500 Subject: [PATCH] [Docs] Metadata cleanup This patch adds the right tags to each piece of metadata and corrects small errors found in the deployer notes. Closes-bug: 1595669 Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433 --- doc/metadata/rhel6/V-38437.rst | 2 +- doc/metadata/rhel6/V-38438.rst | 6 ++---- doc/metadata/rhel6/V-38439.rst | 6 ++---- doc/metadata/rhel6/V-38443.rst | 2 +- doc/metadata/rhel6/V-38444.rst | 6 ++---- doc/metadata/rhel6/V-38445.rst | 2 +- doc/metadata/rhel6/V-38446.rst | 14 ++++++++------ doc/metadata/rhel6/V-38447.rst | 4 +--- doc/metadata/rhel6/V-38448.rst | 2 +- doc/metadata/rhel6/V-38449.rst | 2 +- doc/metadata/rhel6/V-38450.rst | 2 +- doc/metadata/rhel6/V-38451.rst | 2 +- doc/metadata/rhel6/V-38452.rst | 4 +--- doc/metadata/rhel6/V-38453.rst | 10 +++++----- doc/metadata/rhel6/V-38454.rst | 4 +--- doc/metadata/rhel6/V-38455.rst | 6 ++---- doc/metadata/rhel6/V-38456.rst | 6 ++---- doc/metadata/rhel6/V-38457.rst | 2 +- doc/metadata/rhel6/V-38458.rst | 2 +- doc/metadata/rhel6/V-38459.rst | 6 +++--- doc/metadata/rhel6/V-38460.rst | 2 +- doc/metadata/rhel6/V-38461.rst | 6 +++--- doc/metadata/rhel6/V-38462.rst | 2 +- doc/metadata/rhel6/V-38463.rst | 4 +--- doc/metadata/rhel6/V-38464.rst | 2 +- doc/metadata/rhel6/V-38465.rst | 6 ++---- doc/metadata/rhel6/V-38466.rst | 4 +--- doc/metadata/rhel6/V-38467.rst | 6 ++---- doc/metadata/rhel6/V-38468.rst | 2 +- doc/metadata/rhel6/V-38469.rst | 4 +--- doc/metadata/rhel6/V-38470.rst | 2 +- doc/metadata/rhel6/V-38471.rst | 4 ++-- doc/metadata/rhel6/V-38472.rst | 4 +--- doc/metadata/rhel6/V-38473.rst | 4 +--- doc/metadata/rhel6/V-38474.rst | 4 +--- doc/metadata/rhel6/V-38475.rst | 6 ++---- doc/metadata/rhel6/V-38476.rst | 2 +- doc/metadata/rhel6/V-38477.rst | 6 ++---- doc/metadata/rhel6/V-38478.rst | 4 +--- doc/metadata/rhel6/V-38479.rst | 6 ++---- doc/metadata/rhel6/V-38480.rst | 6 ++---- doc/metadata/rhel6/V-38481.rst | 4 +--- 
doc/metadata/rhel6/V-38482.rst | 4 +--- doc/metadata/rhel6/V-38483.rst | 2 +- doc/metadata/rhel6/V-38484.rst | 2 +- doc/metadata/rhel6/V-38486.rst | 2 -- doc/metadata/rhel6/V-38487.rst | 2 +- doc/metadata/rhel6/V-38488.rst | 2 -- doc/metadata/rhel6/V-38489.rst | 2 +- doc/metadata/rhel6/V-38490.rst | 6 ++---- doc/metadata/rhel6/V-38491.rst | 2 +- doc/metadata/rhel6/V-38492.rst | 4 +--- doc/metadata/rhel6/V-38493.rst | 2 +- doc/metadata/rhel6/V-38494.rst | 4 +--- doc/metadata/rhel6/V-38495.rst | 2 +- doc/metadata/rhel6/V-38496.rst | 6 ++---- doc/metadata/rhel6/V-38497.rst | 2 +- doc/metadata/rhel6/V-38498.rst | 2 +- doc/metadata/rhel6/V-38499.rst | 2 +- doc/metadata/rhel6/V-38500.rst | 2 +- doc/metadata/rhel6/V-38501.rst | 6 ++---- doc/metadata/rhel6/V-38502.rst | 2 +- doc/metadata/rhel6/V-38503.rst | 2 +- doc/metadata/rhel6/V-38504.rst | 2 +- doc/metadata/rhel6/V-38511.rst | 2 -- doc/metadata/rhel6/V-38512.rst | 4 +--- doc/metadata/rhel6/V-38513.rst | 6 ++---- doc/metadata/rhel6/V-38514.rst | 2 +- doc/metadata/rhel6/V-38515.rst | 2 +- doc/metadata/rhel6/V-38516.rst | 2 +- doc/metadata/rhel6/V-38517.rst | 2 +- doc/metadata/rhel6/V-38518.rst | 4 +--- doc/metadata/rhel6/V-38519.rst | 4 +--- doc/metadata/rhel6/V-38520.rst | 6 ++---- doc/metadata/rhel6/V-38521.rst | 6 ++---- doc/metadata/rhel6/V-38523.rst | 4 +--- doc/metadata/rhel6/V-38524.rst | 18 +++++++++--------- doc/metadata/rhel6/V-38525.rst | 2 +- doc/metadata/rhel6/V-38526.rst | 4 +--- doc/metadata/rhel6/V-38527.rst | 2 +- doc/metadata/rhel6/V-38528.rst | 6 ++---- doc/metadata/rhel6/V-38529.rst | 4 +--- doc/metadata/rhel6/V-38530.rst | 2 +- doc/metadata/rhel6/V-38531.rst | 6 ++---- doc/metadata/rhel6/V-38532.rst | 4 +--- doc/metadata/rhel6/V-38533.rst | 4 +--- doc/metadata/rhel6/V-38534.rst | 2 +- doc/metadata/rhel6/V-38535.rst | 8 ++++---- doc/metadata/rhel6/V-38536.rst | 6 ++---- doc/metadata/rhel6/V-38537.rst | 7 ++++--- doc/metadata/rhel6/V-38538.rst | 6 ++---- doc/metadata/rhel6/V-38539.rst | 2 +- 
doc/metadata/rhel6/V-38540.rst | 6 ++---- doc/metadata/rhel6/V-38541.rst | 2 +- doc/metadata/rhel6/V-38542.rst | 4 +--- doc/metadata/rhel6/V-38543.rst | 6 ++---- doc/metadata/rhel6/V-38544.rst | 4 +--- doc/metadata/rhel6/V-38545.rst | 6 ++---- doc/metadata/rhel6/V-38546.rst | 4 +--- doc/metadata/rhel6/V-38547.rst | 6 ++---- doc/metadata/rhel6/V-38548.rst | 4 +--- doc/metadata/rhel6/V-38549.rst | 6 ++---- doc/metadata/rhel6/V-38550.rst | 6 ++---- doc/metadata/rhel6/V-38551.rst | 6 ++---- doc/metadata/rhel6/V-38552.rst | 6 ++---- doc/metadata/rhel6/V-38553.rst | 6 ++---- doc/metadata/rhel6/V-38554.rst | 6 ++---- doc/metadata/rhel6/V-38555.rst | 6 ++---- doc/metadata/rhel6/V-38556.rst | 6 ++---- doc/metadata/rhel6/V-38557.rst | 6 ++---- doc/metadata/rhel6/V-38558.rst | 6 ++---- doc/metadata/rhel6/V-38559.rst | 6 ++---- doc/metadata/rhel6/V-38560.rst | 6 ++---- doc/metadata/rhel6/V-38561.rst | 6 ++---- doc/metadata/rhel6/V-38563.rst | 2 +- doc/metadata/rhel6/V-38565.rst | 6 ++---- doc/metadata/rhel6/V-38566.rst | 6 ++---- doc/metadata/rhel6/V-38567.rst | 4 +--- doc/metadata/rhel6/V-38568.rst | 2 +- doc/metadata/rhel6/V-38569.rst | 4 +--- doc/metadata/rhel6/V-38570.rst | 4 +--- doc/metadata/rhel6/V-38571.rst | 4 +--- doc/metadata/rhel6/V-38572.rst | 4 +--- doc/metadata/rhel6/V-38573.rst | 6 ++---- doc/metadata/rhel6/V-38574.rst | 2 +- doc/metadata/rhel6/V-38575.rst | 6 ++---- doc/metadata/rhel6/V-38576.rst | 2 +- doc/metadata/rhel6/V-38577.rst | 2 +- doc/metadata/rhel6/V-38578.rst | 2 +- doc/metadata/rhel6/V-38579.rst | 2 +- doc/metadata/rhel6/V-38580.rst | 2 +- doc/metadata/rhel6/V-38581.rst | 2 +- doc/metadata/rhel6/V-38582.rst | 2 +- doc/metadata/rhel6/V-38583.rst | 4 +--- doc/metadata/rhel6/V-38584.rst | 2 +- doc/metadata/rhel6/V-38585.rst | 6 ++---- doc/metadata/rhel6/V-38586.rst | 6 ++---- doc/metadata/rhel6/V-38587.rst | 2 +- doc/metadata/rhel6/V-38588.rst | 4 +--- doc/metadata/rhel6/V-38589.rst | 4 +--- doc/metadata/rhel6/V-38590.rst | 4 +--- 
doc/metadata/rhel6/V-38591.rst | 2 +- doc/metadata/rhel6/V-38592.rst | 6 ++---- doc/metadata/rhel6/V-38593.rst | 2 +- doc/metadata/rhel6/V-38594.rst | 4 +--- doc/metadata/rhel6/V-38595.rst | 6 ++---- doc/metadata/rhel6/V-38596.rst | 6 +++--- doc/metadata/rhel6/V-38597.rst | 2 +- doc/metadata/rhel6/V-38598.rst | 4 +--- doc/metadata/rhel6/V-38599.rst | 2 +- doc/metadata/rhel6/V-38600.rst | 4 ++-- doc/metadata/rhel6/V-38601.rst | 5 +++-- doc/metadata/rhel6/V-38602.rst | 4 +--- doc/metadata/rhel6/V-38603.rst | 2 +- doc/metadata/rhel6/V-38604.rst | 2 +- doc/metadata/rhel6/V-38605.rst | 2 +- doc/metadata/rhel6/V-38606.rst | 2 +- doc/metadata/rhel6/V-38607.rst | 2 +- doc/metadata/rhel6/V-38608.rst | 2 +- doc/metadata/rhel6/V-38609.rst | 2 +- doc/metadata/rhel6/V-38610.rst | 2 +- doc/metadata/rhel6/V-38611.rst | 6 +++--- doc/metadata/rhel6/V-38612.rst | 2 +- doc/metadata/rhel6/V-38613.rst | 4 ++-- doc/metadata/rhel6/V-38614.rst | 2 +- doc/metadata/rhel6/V-38615.rst | 2 +- doc/metadata/rhel6/V-38616.rst | 2 +- doc/metadata/rhel6/V-38617.rst | 2 +- doc/metadata/rhel6/V-38618.rst | 2 +- doc/metadata/rhel6/V-38622.rst | 2 +- doc/metadata/rhel6/V-38623.rst | 2 +- doc/metadata/rhel6/V-38624.rst | 2 +- doc/metadata/rhel6/V-38625.rst | 6 ++---- doc/metadata/rhel6/V-38626.rst | 6 ++---- doc/metadata/rhel6/V-38627.rst | 2 +- doc/metadata/rhel6/V-38628.rst | 2 +- doc/metadata/rhel6/V-38629.rst | 4 +--- doc/metadata/rhel6/V-38630.rst | 4 +--- doc/metadata/rhel6/V-38631.rst | 2 +- doc/metadata/rhel6/V-38632.rst | 2 +- doc/metadata/rhel6/V-38633.rst | 2 +- doc/metadata/rhel6/V-38634.rst | 2 +- doc/metadata/rhel6/V-38635.rst | 2 +- doc/metadata/rhel6/V-38636.rst | 2 +- doc/metadata/rhel6/V-38637.rst | 2 +- doc/metadata/rhel6/V-38638.rst | 4 +--- doc/metadata/rhel6/V-38639.rst | 4 +--- doc/metadata/rhel6/V-38640.rst | 2 +- doc/metadata/rhel6/V-38641.rst | 2 +- doc/metadata/rhel6/V-38642.rst | 4 +--- doc/metadata/rhel6/V-38643.rst | 4 +--- doc/metadata/rhel6/V-38645.rst | 6 ++---- 
doc/metadata/rhel6/V-38646.rst | 6 ++---- doc/metadata/rhel6/V-38647.rst | 4 +--- doc/metadata/rhel6/V-38648.rst | 2 +- doc/metadata/rhel6/V-38649.rst | 4 +--- doc/metadata/rhel6/V-38650.rst | 2 +- doc/metadata/rhel6/V-38651.rst | 4 +--- doc/metadata/rhel6/V-38652.rst | 4 +--- doc/metadata/rhel6/V-38653.rst | 2 -- doc/metadata/rhel6/V-38654.rst | 4 +--- doc/metadata/rhel6/V-38655.rst | 4 +--- doc/metadata/rhel6/V-38656.rst | 4 ++-- doc/metadata/rhel6/V-38657.rst | 6 ++---- doc/metadata/rhel6/V-38658.rst | 6 ++---- doc/metadata/rhel6/V-38659.rst | 4 +--- doc/metadata/rhel6/V-38661.rst | 4 +--- doc/metadata/rhel6/V-38662.rst | 4 +--- doc/metadata/rhel6/V-38663.rst | 10 +++++----- doc/metadata/rhel6/V-38664.rst | 6 ++---- doc/metadata/rhel6/V-38665.rst | 6 ++---- doc/metadata/rhel6/V-38666.rst | 4 +--- doc/metadata/rhel6/V-38667.rst | 4 +--- doc/metadata/rhel6/V-38668.rst | 2 +- doc/metadata/rhel6/V-38669.rst | 2 +- doc/metadata/rhel6/V-38670.rst | 11 ++++++----- doc/metadata/rhel6/V-38671.rst | 2 +- doc/metadata/rhel6/V-38672.rst | 4 ++-- doc/metadata/rhel6/V-38673.rst | 14 ++++---------- doc/metadata/rhel6/V-38674.rst | 2 +- doc/metadata/rhel6/V-38676.rst | 2 +- doc/metadata/rhel6/V-38677.rst | 7 ++++--- doc/metadata/rhel6/V-38678.rst | 2 +- doc/metadata/rhel6/V-38679.rst | 4 +--- doc/metadata/rhel6/V-38680.rst | 6 +++--- doc/metadata/rhel6/V-38681.rst | 2 +- doc/metadata/rhel6/V-38682.rst | 2 +- doc/metadata/rhel6/V-38683.rst | 2 +- doc/metadata/rhel6/V-38684.rst | 2 -- doc/metadata/rhel6/V-38685.rst | 4 +--- doc/metadata/rhel6/V-38686.rst | 8 +++----- doc/metadata/rhel6/V-38687.rst | 6 ++---- doc/metadata/rhel6/V-38688.rst | 4 +--- doc/metadata/rhel6/V-38689.rst | 4 +--- doc/metadata/rhel6/V-38690.rst | 6 ++---- doc/metadata/rhel6/V-38691.rst | 2 +- doc/metadata/rhel6/V-38692.rst | 4 +--- doc/metadata/rhel6/V-38693.rst | 6 ++---- doc/metadata/rhel6/V-38694.rst | 4 +--- doc/metadata/rhel6/V-38695.rst | 3 ++- doc/metadata/rhel6/V-38696.rst | 2 +- 
 doc/metadata/rhel6/V-38697.rst | 2 -- doc/metadata/rhel6/V-38698.rst | 2 +- doc/metadata/rhel6/V-38699.rst | 6 ++---- doc/metadata/rhel6/V-38700.rst | 2 +- doc/metadata/rhel6/V-38701.rst | 10 ++++------ doc/metadata/rhel6/V-43150.rst | 4 +--- doc/metadata/rhel6/V-51337.rst | 2 +- doc/metadata/rhel6/V-51363.rst | 2 +- doc/metadata/rhel6/V-51369.rst | 12 +++++++----- doc/metadata/rhel6/V-51379.rst | 6 ++---- doc/metadata/rhel6/V-51391.rst | 2 +- doc/metadata/rhel6/V-51875.rst | 2 +- doc/metadata/rhel6/V-54381.rst | 6 ++---- doc/metadata/rhel6/V-57569.rst | 6 ++---- doc/metadata/rhel6/V-58901.rst | 2 +- doc/metadata/template_toc.j2 | 8 ++++++-- 257 files changed, 386 insertions(+), 641 deletions(-)
diff --git a/doc/metadata/rhel6/V-38437.rst b/doc/metadata/rhel6/V-38437.rst
index 35fc9733..d050d210 100644
--- a/doc/metadata/rhel6/V-38437.rst
+++ b/doc/metadata/rhel6/V-38437.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38437
 status: implemented
-tag: misc
+tag: services
 ---
 
 If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
diff --git a/doc/metadata/rhel6/V-38438.rst b/doc/metadata/rhel6/V-38438.rst
index ac6846a1..17bfefc3 100644
--- a/doc/metadata/rhel6/V-38438.rst
+++ b/doc/metadata/rhel6/V-38438.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38438
-status: exception
-tag: misc
+status: implemented
+tag: boot
 ---
 
-**Exception**
-
 To opt-out of the change, set the following variable:
 
 .. code-block:: yaml
diff --git a/doc/metadata/rhel6/V-38439.rst b/doc/metadata/rhel6/V-38439.rst
index 632a4a0d..05dedcf5 100644
--- a/doc/metadata/rhel6/V-38439.rst
+++ b/doc/metadata/rhel6/V-38439.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38439
-status: exception
-tag: misc
+status: exception - manual intervention
+tag: auth
 ---
 
-**Exception**
-
 Although adding centralized authentication and carefully managing user accounts is critical for securing any system, that's left up to deployers to handle via their internal business processes.
diff --git a/doc/metadata/rhel6/V-38443.rst b/doc/metadata/rhel6/V-38443.rst
index 3062e6dd..de21a6f0 100644
--- a/doc/metadata/rhel6/V-38443.rst
+++ b/doc/metadata/rhel6/V-38443.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38443
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
diff --git a/doc/metadata/rhel6/V-38444.rst b/doc/metadata/rhel6/V-38444.rst
index ba17b514..03c9ad8d 100644
--- a/doc/metadata/rhel6/V-38444.rst
+++ b/doc/metadata/rhel6/V-38444.rst
@@ -1,10 +1,8 @@
 ---
 id: V-38444
-status: exception
-tag: misc
+status: exception - manual intervention
+tag: network
 ---
 
-**Exception**
-
 See V-38551 for additional details. IPv6 configuration and filtering is left up to the deployer.
diff --git a/doc/metadata/rhel6/V-38445.rst b/doc/metadata/rhel6/V-38445.rst
index 255e015e..b29a4a55 100644
--- a/doc/metadata/rhel6/V-38445.rst
+++ b/doc/metadata/rhel6/V-38445.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38445
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
diff --git a/doc/metadata/rhel6/V-38446.rst b/doc/metadata/rhel6/V-38446.rst
index 5f13c273..8946e490 100644
--- a/doc/metadata/rhel6/V-38446.rst
+++ b/doc/metadata/rhel6/V-38446.rst
@@ -1,10 +1,12 @@
 ---
 id: V-38446
-status: implemented
-tag: misc
+status: configuration required
+tag: mail
 ---
 
-Forwarding root's email to another user is highly recommended, but the Ansible
-tasks won't configure an email address to receive root's email unless that
-email address is configured. Set ``security_root_forward_email`` to an email
-address that is ready to receive root's email.
+Forwarding root's email to another user is highly recommended so that someone
+can receive emails about errors or security events.
+
+Deployers should set ``security_root_forward_email`` to a valid email address
+of a user or mailing list that should receive critical automated emails from
+the server.
diff --git a/doc/metadata/rhel6/V-38447.rst b/doc/metadata/rhel6/V-38447.rst
index c7c84bdf..1387b811 100644
--- a/doc/metadata/rhel6/V-38447.rst
+++ b/doc/metadata/rhel6/V-38447.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38447
 status: exception
-tag: misc
+tag: package
 ---
 
-**Exception**
-
 Although Ubuntu provides the ``debsums`` command for checking the contents of files installed from packages, it cannot perform a detailed level of checking sufficient to meet the STIG requirement. Some packages are not shipped with MD5
diff --git a/doc/metadata/rhel6/V-38448.rst b/doc/metadata/rhel6/V-38448.rst
index aa220470..1bee5107 100644
--- a/doc/metadata/rhel6/V-38448.rst
+++ b/doc/metadata/rhel6/V-38448.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38448
 status: implemented
-tag: misc
+tag: auth
 ---
 
 Although the ``/etc/gshadow`` file is group-owned by root by default, the
diff --git a/doc/metadata/rhel6/V-38449.rst b/doc/metadata/rhel6/V-38449.rst
index 3411c84a..b8ba84ae 100644
--- a/doc/metadata/rhel6/V-38449.rst
+++ b/doc/metadata/rhel6/V-38449.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38449
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
diff --git a/doc/metadata/rhel6/V-38450.rst b/doc/metadata/rhel6/V-38450.rst
index 0c1da8f2..375ada87 100644
--- a/doc/metadata/rhel6/V-38450.rst
+++ b/doc/metadata/rhel6/V-38450.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38450
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The ownership of ``/etc/passwd`` will be changed to root.
diff --git a/doc/metadata/rhel6/V-38451.rst b/doc/metadata/rhel6/V-38451.rst
index 618cec4d..361c674c 100644
--- a/doc/metadata/rhel6/V-38451.rst
+++ b/doc/metadata/rhel6/V-38451.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38451
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The group ownership for ``/etc/passwd`` will be set to root.
diff --git a/doc/metadata/rhel6/V-38452.rst b/doc/metadata/rhel6/V-38452.rst
index d32dd45a..eb82a66e 100644
--- a/doc/metadata/rhel6/V-38452.rst
+++ b/doc/metadata/rhel6/V-38452.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38452
 status: exception
-tag: misc
+tag: package
 ---
 
-**Exception**
-
 Although Ubuntu provides the ``debsums`` command for checking the contents of files installed from packages, it cannot perform a detailed level of checking sufficient to meet the STIG requirement. Some packages are not shipped with MD5
diff --git a/doc/metadata/rhel6/V-38453.rst b/doc/metadata/rhel6/V-38453.rst
index 12396a40..9bb227be 100644
--- a/doc/metadata/rhel6/V-38453.rst
+++ b/doc/metadata/rhel6/V-38453.rst
@@ -1,11 +1,11 @@
 ---
 id: V-38453
-status: exception
-tag: misc
+status: exception - ubuntu
+tag: package
 ---
 
-**Exception for Ubuntu**
-
 Verifying ownership and permissions of installed packages isn't possible in the current version of ``dpkg`` as it is with ``rpm``. This security configuration
-is skipped for Ubuntu. For CentOS, this check is done as part of V-38637.
+is skipped for Ubuntu.
+
+For CentOS, this check is done as part of V-38637.
diff --git a/doc/metadata/rhel6/V-38454.rst b/doc/metadata/rhel6/V-38454.rst
index 5c6fb091..2a97162a 100644
--- a/doc/metadata/rhel6/V-38454.rst
+++ b/doc/metadata/rhel6/V-38454.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38454
 status: exception
-tag: misc
+tag: package
 ---
 
-**Exception**
-
 Although Ubuntu provides the ``debsums`` command for checking the contents of files installed from packages, it cannot perform a detailed level of checking sufficient to meet the STIG requirement. Some packages are not shipped with MD5
diff --git a/doc/metadata/rhel6/V-38455.rst b/doc/metadata/rhel6/V-38455.rst
index dd5d336d..f690d0f9 100644
--- a/doc/metadata/rhel6/V-38455.rst
+++ b/doc/metadata/rhel6/V-38455.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38455
-status: exception
-tag: misc
+status: exception - initial provisioning
+tag: boot
 ---
 
-**Exception**
-
 Configuring another mount for ``/tmp`` can disrupt a running system and this configuration is skipped.
diff --git a/doc/metadata/rhel6/V-38456.rst b/doc/metadata/rhel6/V-38456.rst
index ff11426f..faed78ab 100644
--- a/doc/metadata/rhel6/V-38456.rst
+++ b/doc/metadata/rhel6/V-38456.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38456
-status: exception
-tag: misc
+status: exception - initial provisioning
+tag: boot
 ---
 
-**Exception**
-
 Configuring another mount for ``/var`` can disrupt a running system and this configuration is skipped.
diff --git a/doc/metadata/rhel6/V-38457.rst b/doc/metadata/rhel6/V-38457.rst
index 4a4ca46f..074ccc7e 100644
--- a/doc/metadata/rhel6/V-38457.rst
+++ b/doc/metadata/rhel6/V-38457.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38457
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The permissions for ``/etc/passwd`` will be set to ``0644``.
diff --git a/doc/metadata/rhel6/V-38458.rst b/doc/metadata/rhel6/V-38458.rst
index cd140460..3d3f7332 100644
--- a/doc/metadata/rhel6/V-38458.rst
+++ b/doc/metadata/rhel6/V-38458.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38458
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The Ansible task will ensure that the ``/etc/group`` file is owned by the root
diff --git a/doc/metadata/rhel6/V-38459.rst b/doc/metadata/rhel6/V-38459.rst
index db089eff..a61ba6ad 100644
--- a/doc/metadata/rhel6/V-38459.rst
+++ b/doc/metadata/rhel6/V-38459.rst
@@ -1,8 +1,8 @@
 ---
 id: V-38459
 status: implemented
-tag: misc
+tag: auth
 ---
 
-The tasks in file_perms.yml will ensure that "/etc/group" is owned by
-the root account.
+The Ansible tasks will ensure that ``/etc/group`` is owned by the ``root``
+user.
diff --git a/doc/metadata/rhel6/V-38460.rst b/doc/metadata/rhel6/V-38460.rst
index 57182280..81eb0313 100644
--- a/doc/metadata/rhel6/V-38460.rst
+++ b/doc/metadata/rhel6/V-38460.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38460
 status: implemented
-tag: misc
+tag: nfsd
 ---
 
 The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
diff --git a/doc/metadata/rhel6/V-38461.rst b/doc/metadata/rhel6/V-38461.rst
index bf6f6e24..b68ef5aa 100644
--- a/doc/metadata/rhel6/V-38461.rst
+++ b/doc/metadata/rhel6/V-38461.rst
@@ -1,8 +1,8 @@
 ---
 id: V-38461
 status: implemented
-tag: misc
+tag: auth
 ---
 
-Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
-task will ensure that it is current set to those permissions.
+The Ansible tasks will ensure that the mode of ``/etc/group//` is set to
+``0644``.
diff --git a/doc/metadata/rhel6/V-38462.rst b/doc/metadata/rhel6/V-38462.rst
index 402c5c1c..49b30466 100644
--- a/doc/metadata/rhel6/V-38462.rst
+++ b/doc/metadata/rhel6/V-38462.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38462
 status: implemented
-tag: misc
+tag: package
 ---
 
 All versions of Ubuntu and CentOS supported by the role verify packages against
diff --git a/doc/metadata/rhel6/V-38463.rst b/doc/metadata/rhel6/V-38463.rst
index 77be6cc7..5dd410a8 100644
--- a/doc/metadata/rhel6/V-38463.rst
+++ b/doc/metadata/rhel6/V-38463.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38463
-status: exception
+status: exception - initial provisioning
 tag: misc
 ---
 
-**Exception**
-
 Configuring a separate partition for ``/var/log`` is currently left up to the deployer. There are security and operational benefits that come from the change, but it must be done when the system is initially installed.
diff --git a/doc/metadata/rhel6/V-38464.rst b/doc/metadata/rhel6/V-38464.rst
index b299a65c..d827640f 100644
--- a/doc/metadata/rhel6/V-38464.rst
+++ b/doc/metadata/rhel6/V-38464.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38464
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 The default configuration for ``disk_error_action`` is ``SUSPEND``, which
diff --git a/doc/metadata/rhel6/V-38465.rst b/doc/metadata/rhel6/V-38465.rst
index ecda4f1e..c1031383 100644
--- a/doc/metadata/rhel6/V-38465.rst
+++ b/doc/metadata/rhel6/V-38465.rst
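Review bot: The new description line in the V-38461 hunk has a broken RST inline literal: it is written as ``/etc/group//` (the closing pair of backticks was mistyped as a slash plus a single backtick), so the literal never closes and the rendered note for this file-mode control will be garbled or fail the docs build. The added line should read `The Ansible tasks will ensure that the mode of ``/etc/group`` is set to`, matching the well-formed ``/etc/group`` literal used in the V-38459 hunk just above. Since this patch's stated purpose is to correct small errors in the deployer notes, this one is worth fixing in the same change.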
@@ -1,11 +1,9 @@
 ---
 id: V-38465
 status: exception
-tag: misc
+tag: file_perms
 ---
 
-**Exception**
-
-Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
+Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set library files to have ``0755`` (or
 more restrictive) permissions by default. Deployers are urged to review the permissions of libraries regularly to ensure the system has not been altered.
diff --git a/doc/metadata/rhel6/V-38466.rst b/doc/metadata/rhel6/V-38466.rst
index 40912e91..87eb69db 100644
--- a/doc/metadata/rhel6/V-38466.rst
+++ b/doc/metadata/rhel6/V-38466.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38466
 status: exception
-tag: misc
+tag: file_perms
 ---
 
-**Exception**
-
 As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of library files to root by default. Deployers are urged to configure monitoring for changes to these files.
diff --git a/doc/metadata/rhel6/V-38467.rst b/doc/metadata/rhel6/V-38467.rst
index afb1f739..52de7efe 100644
--- a/doc/metadata/rhel6/V-38467.rst
+++ b/doc/metadata/rhel6/V-38467.rst
@@ -1,10 +1,8 @@
 ---
 id: V-38467
-status: exception
-tag: misc
+status: exception - initial provisioning
+tag: auditd
 ---
 
-**Exception**
-
 Storing audit logs on a separate partition is recommended, but this change is left up to deployers to configure during the installation of the OS.
diff --git a/doc/metadata/rhel6/V-38468.rst b/doc/metadata/rhel6/V-38468.rst
index 289b4e14..5f06f25f 100644
--- a/doc/metadata/rhel6/V-38468.rst
+++ b/doc/metadata/rhel6/V-38468.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38468
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
diff --git a/doc/metadata/rhel6/V-38469.rst b/doc/metadata/rhel6/V-38469.rst
index 7f314e10..46d3d69b 100644
--- a/doc/metadata/rhel6/V-38469.rst
+++ b/doc/metadata/rhel6/V-38469.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38469
 status: exception
-tag: misc
+tag: file_perms
 ---
 
-**Exception**
-
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system commands to ``0755`` or less already. Deployers are urged to review these permissions for changes over time as they can be a sign of a compromise.
diff --git a/doc/metadata/rhel6/V-38470.rst b/doc/metadata/rhel6/V-38470.rst
index c3cceec5..29a9732e 100644
--- a/doc/metadata/rhel6/V-38470.rst
+++ b/doc/metadata/rhel6/V-38470.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38470
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 The default configuration for ``security_space_left_action`` is ``SUSPEND``,
diff --git a/doc/metadata/rhel6/V-38471.rst b/doc/metadata/rhel6/V-38471.rst
index 80de8a2f..152da008 100644
--- a/doc/metadata/rhel6/V-38471.rst
+++ b/doc/metadata/rhel6/V-38471.rst
@@ -1,10 +1,10 @@
 ---
 id: V-38471
 status: implemented
-tag: misc
+tag: auditd
 ---
 
-An Ansible task will adjust ``active`` from `no` to `yes` in
+An Ansible task will adjust ``active`` from ``no`` to ``yes`` in
 ``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to syslog automatically. The auditd daemon will be restarted if the configuration file is changed.
diff --git a/doc/metadata/rhel6/V-38472.rst b/doc/metadata/rhel6/V-38472.rst
index 138501a6..d3d4d515 100644
--- a/doc/metadata/rhel6/V-38472.rst
+++ b/doc/metadata/rhel6/V-38472.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38472
 status: exception
-tag: misc
+tag: file_perms
 ---
 
-**Exception**
-
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by root by default. Deployers are urged to review ownership changes via auditd rules to ensure system commands haven't changed ownership over time.
diff --git a/doc/metadata/rhel6/V-38473.rst b/doc/metadata/rhel6/V-38473.rst
index 9728abea..d9173ae5 100644
--- a/doc/metadata/rhel6/V-38473.rst
+++ b/doc/metadata/rhel6/V-38473.rst
@@ -1,10 +1,8 @@
 ---
 id: V-38473
-status: exception
+status: exception - initial provisioning
 tag: misc
 ---
 
-**Exception**
-
 Creating ``/home`` on a different partition is highly recommended but it is left to deployers to configure during the installation of the OS.
diff --git a/doc/metadata/rhel6/V-38474.rst b/doc/metadata/rhel6/V-38474.rst
index 8879af0c..104a021d 100644
--- a/doc/metadata/rhel6/V-38474.rst
+++ b/doc/metadata/rhel6/V-38474.rst
@@ -1,10 +1,8 @@
 ---
 id: V-38474
 status: exception
-tag: misc
+tag: x11
 ---
 
-**Exception**
-
 The openstack-ansible roles don't install X by default, so there is no graphical desktop to configure.
diff --git a/doc/metadata/rhel6/V-38475.rst b/doc/metadata/rhel6/V-38475.rst
index f2dbaf6e..67eff981 100644
--- a/doc/metadata/rhel6/V-38475.rst
+++ b/doc/metadata/rhel6/V-38475.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38475
-status: implemented
-tag: misc
+status: configuration required
+tag: auth
 ---
 
-**Configuration required**
-
 The STIG recommends passwords to be a minimum of 14 characters in length. To apply this setting, set the following Ansible variable:
diff --git a/doc/metadata/rhel6/V-38476.rst b/doc/metadata/rhel6/V-38476.rst
index 58485283..4f6c701e 100644
--- a/doc/metadata/rhel6/V-38476.rst
+++ b/doc/metadata/rhel6/V-38476.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38476
 status: implemented
-tag: misc
+tag: package
 ---
 
 The security role verifies that the GPG keys that correspond to each supported
diff --git a/doc/metadata/rhel6/V-38477.rst b/doc/metadata/rhel6/V-38477.rst
index 37dd10ab..3e3266d4 100644
--- a/doc/metadata/rhel6/V-38477.rst
+++ b/doc/metadata/rhel6/V-38477.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38477
-status: implemented
-tag: misc
+status: configuration required
+tag: auth
 ---
 
-**Configuration required**
-
 The STIG recommends setting a limit of one password change per day. To enable this configuration, use this Ansible variable:
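Review bot: The V-38473 hunk leaves `tag: misc` as a context line while changing the status to `exception - initial provisioning`, and the V-38463 hunk (``/var/log`` partition) does the same, yet the two other partition-at-install controls in this patch, V-38455 (``/tmp``) and V-38456 (``/var``), are moved to `tag: boot` with the identical new status. The four controls describe the same deployer action and presumably the template_toc.j2 change in this patch groups controls by tag, so leaving half of them under `misc` will scatter them in the generated index; I would change the context line to `tag: boot` here and in V-38463 so all initial-provisioning partition exceptions land together.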
diff --git a/doc/metadata/rhel6/V-38478.rst b/doc/metadata/rhel6/V-38478.rst
index fa4e67ee..78aba6a0 100644
--- a/doc/metadata/rhel6/V-38478.rst
+++ b/doc/metadata/rhel6/V-38478.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38478
 status: exception
-tag: misc
+tag: package
 ---
 
-**Exception**
-
 Ubuntu and CentOS do not use the Red Hat Network Service. However, there are tasks in the security role which ensure that all packages have GPG checks enabled (see V-38462) and provide the option for deployers to apply updates
diff --git a/doc/metadata/rhel6/V-38479.rst b/doc/metadata/rhel6/V-38479.rst
index 3dfd9c77..52223d82 100644
--- a/doc/metadata/rhel6/V-38479.rst
+++ b/doc/metadata/rhel6/V-38479.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38479
-status: implemented
-tag: misc
+status: configuration required
+tag: auth
 ---
 
-**Configuration required**
-
 The STIG recommends setting a limit of 60 days before a password must be changed. To enable this configuration, use this Ansible variable:
diff --git a/doc/metadata/rhel6/V-38480.rst b/doc/metadata/rhel6/V-38480.rst
index fa6f08fd..d062505a 100644
--- a/doc/metadata/rhel6/V-38480.rst
+++ b/doc/metadata/rhel6/V-38480.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38480
-status: implemented
-tag: misc
+status: configuration required
+tag: auth
 ---
 
-**Configuration required**
-
 After enabling password age limits in V-38479, be sure to configure warnings for users so they know when their password is approaching expiration. STIG's recommendation is seven days prior to the expiration. Use an Ansible
diff --git a/doc/metadata/rhel6/V-38481.rst b/doc/metadata/rhel6/V-38481.rst
index 639b157c..a1eb9233 100644
--- a/doc/metadata/rhel6/V-38481.rst
+++ b/doc/metadata/rhel6/V-38481.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38481
 status: opt-in
-tag: misc
+tag: package
 ---
 
-**Opt-in required**
-
 Operating system patching policies vary from organization to organization and are typically established based on business requirements and risk tolerance.
diff --git a/doc/metadata/rhel6/V-38482.rst b/doc/metadata/rhel6/V-38482.rst
index efec833d..ad8db957 100644
--- a/doc/metadata/rhel6/V-38482.rst
+++ b/doc/metadata/rhel6/V-38482.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38482
 status: exception
-tag: misc
+tag: auth
 ---
 
-**Exception**
-
 Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords.
diff --git a/doc/metadata/rhel6/V-38483.rst b/doc/metadata/rhel6/V-38483.rst
index 364dac22..87edb3a5 100644
--- a/doc/metadata/rhel6/V-38483.rst
+++ b/doc/metadata/rhel6/V-38483.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38483
 status: implemented
-tag: misc
+tag: package
 ---
 
 The Ansible task for V-38462 already checks for configurations that would
diff --git a/doc/metadata/rhel6/V-38484.rst b/doc/metadata/rhel6/V-38484.rst
index 9b261b03..125db0dc 100644
--- a/doc/metadata/rhel6/V-38484.rst
+++ b/doc/metadata/rhel6/V-38484.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38484
 status: implemented
-tag: misc
+tag: package
 ---
 
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
diff --git a/doc/metadata/rhel6/V-38486.rst b/doc/metadata/rhel6/V-38486.rst
index 6ab69cec..8b7a0008 100644
--- a/doc/metadata/rhel6/V-38486.rst
+++ b/doc/metadata/rhel6/V-38486.rst
@@ -4,8 +4,6 @@ status: exception
 tag: misc
 ---
 
-**Exception**
-
 System backups are left to the deployer to configure. Deployers are stringly urged to maintain backups of each system, including log files and critical configuration information.
diff --git a/doc/metadata/rhel6/V-38487.rst b/doc/metadata/rhel6/V-38487.rst
index fba16e46..b34de394 100644
--- a/doc/metadata/rhel6/V-38487.rst
+++ b/doc/metadata/rhel6/V-38487.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38487
 status: implemented
-tag: misc
+tag: package
 ---
 
 The Ansible task for V-38462 already checks for apt configurations that would
diff --git a/doc/metadata/rhel6/V-38488.rst b/doc/metadata/rhel6/V-38488.rst
index 37b5168c..1eb8b731 100644
--- a/doc/metadata/rhel6/V-38488.rst
+++ b/doc/metadata/rhel6/V-38488.rst
@@ -4,8 +4,6 @@ status: exception
 tag: misc
 ---
 
-**Exception**
-
 System backups are left to the deployer to configure. Deployers are stringly urged to maintain backups of each system, including log files and critical configuration information.
diff --git a/doc/metadata/rhel6/V-38489.rst b/doc/metadata/rhel6/V-38489.rst
index 788d0849..68a3e6fa 100644
--- a/doc/metadata/rhel6/V-38489.rst
+++ b/doc/metadata/rhel6/V-38489.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38489
 status: implemented
-tag: misc
+tag: aide
 ---
 
 The security role installs and configures the ``aide`` package to provide file
diff --git a/doc/metadata/rhel6/V-38490.rst b/doc/metadata/rhel6/V-38490.rst
index 206127a1..631d97f1 100644
--- a/doc/metadata/rhel6/V-38490.rst
+++ b/doc/metadata/rhel6/V-38490.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38490
-status: exception
-tag: misc
+status: opt-in
+tag: kernel
 ---
 
-**Exception**
-
 Disabling the ``usb-storage`` module can add extra security, but it's not necessary on most systems. To disable the ``usb-storage`` module on hosts, set the following variable to ``yes``:
diff --git a/doc/metadata/rhel6/V-38491.rst b/doc/metadata/rhel6/V-38491.rst
index 1c0feb11..3e094b34 100644
--- a/doc/metadata/rhel6/V-38491.rst
+++ b/doc/metadata/rhel6/V-38491.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38491
 status: implemented
-tag: misc
+tag: auth
 ---
 
 The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
diff --git a/doc/metadata/rhel6/V-38492.rst b/doc/metadata/rhel6/V-38492.rst
index ee1e0b7a..40b6031f 100644
--- a/doc/metadata/rhel6/V-38492.rst
+++ b/doc/metadata/rhel6/V-38492.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38492
 status: exception
-tag: misc
+tag: auth
 ---
 
-**Exception**
-
 Virtual consoles are helpful during an emergency and they can only be reached by physical or other out-of-band access (such as DRAC, iLO, or iKVM). This change can be confusing for system administrators and it is left up to the
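Review bot: The V-38488 hunk keeps the context sentence `Deployers are stringly urged to maintain backups of each system`, where "stringly" is a typo for "strongly", and the V-38486 hunk at the end of the previous line carries the identical sentence. Both files are already being edited here and the patch is explicitly about correcting small errors in the deployer notes, so this is the right change to fix them in; the corrected text is `Deployers are strongly urged to maintain backups of each system, including log files and critical configuration information.` in both files. Both hunks also remain tagged `misc` while most other controls in this patch get a specific tag; if a backup-related tag exists in the TOC template it would be worth applying here too, though that cannot be confirmed from what is visible.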
diff --git a/doc/metadata/rhel6/V-38493.rst b/doc/metadata/rhel6/V-38493.rst
index 9b1addf5..f2c87f75 100644
--- a/doc/metadata/rhel6/V-38493.rst
+++ b/doc/metadata/rhel6/V-38493.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38493
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
diff --git a/doc/metadata/rhel6/V-38494.rst b/doc/metadata/rhel6/V-38494.rst
index d40af463..c48cebf1 100644
--- a/doc/metadata/rhel6/V-38494.rst
+++ b/doc/metadata/rhel6/V-38494.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38494
 status: exception
-tag: misc
+tag: auth
 ---
 
-**Exception**
-
 Removing serial consoles from ``/etc/securetty`` can make troubleshooting a server extremely difficult. Deployers are urged to use strong physical security practices to prevent unauthorized users from gaining physical access
diff --git a/doc/metadata/rhel6/V-38495.rst b/doc/metadata/rhel6/V-38495.rst
index 7ca44ae0..827df0c9 100644
--- a/doc/metadata/rhel6/V-38495.rst
+++ b/doc/metadata/rhel6/V-38495.rst
@@ -1,7 +1,7 @@
 ---
 id: V-38495
 status: implemented
-tag: misc
+tag: auditd
 ---
 
 The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
diff --git a/doc/metadata/rhel6/V-38496.rst b/doc/metadata/rhel6/V-38496.rst
index 9f42f9b8..4dafc238 100644
--- a/doc/metadata/rhel6/V-38496.rst
+++ b/doc/metadata/rhel6/V-38496.rst
@@ -1,11 +1,9 @@
 ---
 id: V-38496
-status: exception
-tag: misc
+status: exception - manual intervention
+tag: auth
 ---
 
-**Exception**
-
 The Ansible tasks will check for default system accounts (other than root) that are not locked. The tasks won't take any action, however, because any action could cause authorized users to be unable to access the system.
diff --git a/doc/metadata/rhel6/V-38497.rst b/doc/metadata/rhel6/V-38497.rst
index be43a526..701563ab 100644
--- a/doc/metadata/rhel6/V-38497.rst
+++ b/doc/metadata/rhel6/V-38497.rst
@@ -1,7 +1,7 @@ --- id: V-38497 status: implemented -tag: misc +tag: auth --- Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
diff --git a/doc/metadata/rhel6/V-38498.rst b/doc/metadata/rhel6/V-38498.rst
index 7f5791db..c11b635c 100644
--- a/doc/metadata/rhel6/V-38498.rst
+++ b/doc/metadata/rhel6/V-38498.rst
@@ -1,7 +1,7 @@ --- id: V-38498 status: implemented -tag: misc +tag: auditd --- Ubuntu and CentOS set the current audit log (the one that is actively being
diff --git a/doc/metadata/rhel6/V-38499.rst b/doc/metadata/rhel6/V-38499.rst
index f444132a..6acc252a 100644
--- a/doc/metadata/rhel6/V-38499.rst
+++ b/doc/metadata/rhel6/V-38499.rst
@@ -1,7 +1,7 @@ --- id: V-38499 status: implemented -tag: misc +tag: auth --- The Ansible task will search for password hashes in ``/etc/passwd`` using
diff --git a/doc/metadata/rhel6/V-38500.rst b/doc/metadata/rhel6/V-38500.rst
index 801e6ead..4af74113 100644
--- a/doc/metadata/rhel6/V-38500.rst
+++ b/doc/metadata/rhel6/V-38500.rst
@@ -1,7 +1,7 @@ --- id: V-38500 status: implemented -tag: misc +tag: auth --- The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
diff --git a/doc/metadata/rhel6/V-38501.rst b/doc/metadata/rhel6/V-38501.rst
index 72612a19..a58fb5d7 100644
--- a/doc/metadata/rhel6/V-38501.rst
+++ b/doc/metadata/rhel6/V-38501.rst
@@ -1,11 +1,9 @@ --- id: V-38501 -status: exception -tag: misc +status: opt-in +tag: auth --- -**Exception and opt-in alternative** - Adjusting PAM configurations is very risky since it affects how all users authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
diff --git a/doc/metadata/rhel6/V-38502.rst b/doc/metadata/rhel6/V-38502.rst
index 4eeaf8c1..f02ed570 100644
--- a/doc/metadata/rhel6/V-38502.rst
+++ b/doc/metadata/rhel6/V-38502.rst
@@ -1,7 +1,7 @@ --- id: V-38502 status: implemented -tag: misc +tag: auth --- The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
diff --git a/doc/metadata/rhel6/V-38503.rst b/doc/metadata/rhel6/V-38503.rst
index 18971266..84787e95 100644
--- a/doc/metadata/rhel6/V-38503.rst
+++ b/doc/metadata/rhel6/V-38503.rst
@@ -1,7 +1,7 @@ --- id: V-38503 status: implemented -tag: misc +tag: auth --- The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
diff --git a/doc/metadata/rhel6/V-38504.rst b/doc/metadata/rhel6/V-38504.rst
index 36b962da..b01a883e 100644
--- a/doc/metadata/rhel6/V-38504.rst
+++ b/doc/metadata/rhel6/V-38504.rst
@@ -1,7 +1,7 @@ --- id: V-38504 status: implemented -tag: misc +tag: auth --- Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
diff --git a/doc/metadata/rhel6/V-38511.rst b/doc/metadata/rhel6/V-38511.rst
index c8539d60..7d3d0b7c 100644
--- a/doc/metadata/rhel6/V-38511.rst
+++ b/doc/metadata/rhel6/V-38511.rst
@@ -4,8 +4,6 @@ status: implemented tag: misc --- -**Special Case** - Running virtual infrastructure requires IP forwarding to be enabled on various interfaces. The STIG allows for this, so long as the system is being operated as a router (as is the case for an OpenStack host).
diff --git a/doc/metadata/rhel6/V-38512.rst b/doc/metadata/rhel6/V-38512.rst
index f2116873..8a380292 100644
--- a/doc/metadata/rhel6/V-38512.rst
+++ b/doc/metadata/rhel6/V-38512.rst
@@ -1,11 +1,9 @@ --- id: V-38512 status: exception -tag: misc +tag: network --- -**Exception** - Although a minimal set of iptables rules are configured on openstack-ansible hosts, the "deny all" requirement of the STIG is not met. This is largely left up to the deployer to do, based on their assessment of their own network
diff --git a/doc/metadata/rhel6/V-38513.rst b/doc/metadata/rhel6/V-38513.rst
index 0b2a0c6b..4b4ec54d 100644
--- a/doc/metadata/rhel6/V-38513.rst
+++ b/doc/metadata/rhel6/V-38513.rst
@@ -1,11 +1,9 @@ --- id: V-38513 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Although a minimal set of iptables rules are configured on openstack-ansible hosts, the "deny all" requirement of the STIG is not met. This is largely left up to the deployer to do, based on their assessment of their own network
diff --git a/doc/metadata/rhel6/V-38514.rst b/doc/metadata/rhel6/V-38514.rst
index 74132e98..c834849f 100644
--- a/doc/metadata/rhel6/V-38514.rst
+++ b/doc/metadata/rhel6/V-38514.rst
@@ -1,7 +1,7 @@ --- id: V-38514 status: implemented -tag: misc +tag: kernel --- The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
diff --git a/doc/metadata/rhel6/V-38515.rst b/doc/metadata/rhel6/V-38515.rst
index 67d833e2..af224af7 100644
--- a/doc/metadata/rhel6/V-38515.rst
+++ b/doc/metadata/rhel6/V-38515.rst
@@ -1,7 +1,7 @@ --- id: V-38515 status: implemented -tag: misc +tag: kernel --- The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
diff --git a/doc/metadata/rhel6/V-38516.rst b/doc/metadata/rhel6/V-38516.rst
index 11ba5c57..78e84122 100644
--- a/doc/metadata/rhel6/V-38516.rst
+++ b/doc/metadata/rhel6/V-38516.rst
@@ -1,7 +1,7 @@ --- id: V-38516 status: implemented -tag: misc +tag: kernel --- The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
diff --git a/doc/metadata/rhel6/V-38517.rst b/doc/metadata/rhel6/V-38517.rst
index 7f0130e9..fc5d5ed5 100644
--- a/doc/metadata/rhel6/V-38517.rst
+++ b/doc/metadata/rhel6/V-38517.rst
@@ -1,7 +1,7 @@ --- id: V-38517 status: implemented -tag: misc +tag: kernel --- The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
diff --git a/doc/metadata/rhel6/V-38518.rst b/doc/metadata/rhel6/V-38518.rst
index 7628d22d..0ca417b3 100644
--- a/doc/metadata/rhel6/V-38518.rst
+++ b/doc/metadata/rhel6/V-38518.rst
@@ -1,11 +1,9 @@ --- id: V-38518 status: exception -tag: misc +tag: file_perms --- -**Exception** - Different systems may have different log files populated depending on the type of data that ``rsyslogd`` receives. By default, log files are created with the user and group ownership set to root.
diff --git a/doc/metadata/rhel6/V-38519.rst b/doc/metadata/rhel6/V-38519.rst
index e4599e70..c3bd6a67 100644
--- a/doc/metadata/rhel6/V-38519.rst
+++ b/doc/metadata/rhel6/V-38519.rst
@@ -1,11 +1,9 @@ --- id: V-38519 status: exception -tag: misc +tag: file_perms --- -**Exception** - Different systems may have different log files populated depending on the type of data that ``rsyslogd`` receives. By default, log files are created with the user and group ownership set to root.
diff --git a/doc/metadata/rhel6/V-38520.rst b/doc/metadata/rhel6/V-38520.rst
index bc9c2491..baaa7a1d 100644
--- a/doc/metadata/rhel6/V-38520.rst
+++ b/doc/metadata/rhel6/V-38520.rst
@@ -1,11 +1,9 @@ --- id: V-38520 -status: exception -tag: misc +status: exception - manual intervention +tag: log --- -**Exception** - At the moment, openstack-ansible already sends logs to the rsyslog container from various containers and hosts. However, deployers are strongly urged to forward these logs to a system outside their openstack-ansible environment
diff --git a/doc/metadata/rhel6/V-38521.rst b/doc/metadata/rhel6/V-38521.rst
index cadb48cc..6751a53b 100644
--- a/doc/metadata/rhel6/V-38521.rst
+++ b/doc/metadata/rhel6/V-38521.rst
@@ -1,11 +1,9 @@ --- id: V-38521 -status: exception -tag: misc +status: exception - manual intervention +tag: log --- -**Exception** - At the moment, openstack-ansible already sends logs to the rsyslog container from various containers and hosts. However, deployers are strongly urged to forward these logs to a system outside their openstack-ansible environment
diff --git a/doc/metadata/rhel6/V-38523.rst b/doc/metadata/rhel6/V-38523.rst
index e8c20ab0..2ea5258e 100644
--- a/doc/metadata/rhel6/V-38523.rst
+++ b/doc/metadata/rhel6/V-38523.rst
@@ -1,11 +1,9 @@ --- id: V-38523 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38524.rst b/doc/metadata/rhel6/V-38524.rst
index defc0ac2..b32c35c7 100644
--- a/doc/metadata/rhel6/V-38524.rst
+++ b/doc/metadata/rhel6/V-38524.rst
@@ -1,15 +1,15 @@ --- id: V-38524 -status: implemented -tag: misc +status: opt-in +tag: kernel --- -This patch disables ICMPv4 redirects feature on the host. -Accepting ICMP redirects has few legitimate uses. -It should be disabled unless it is absolutely required. +The STIG requires that ICMPv4 redirects are disabled on the host. However, this +can cause problems with LXC-based deployments, such as environments deployed +with OpenStack-Ansible. -It is configurable by ``security_disable_icmpv4_redirects`` variable. -This feature is disabled by default as it can disrupt ``LXC`` deployments. +Deployers can opt-in for this change by setting the following Ansible variable: -Deployers can skip or enable this task by setting -``security_disable_icmpv4_redirects`` to ``no`` or ``yes``, respectively. +.. code-block:: yaml + + security_disable_icmpv4_redirects: yes
diff --git a/doc/metadata/rhel6/V-38525.rst b/doc/metadata/rhel6/V-38525.rst
index 3a28fa31..5778d348 100644
--- a/doc/metadata/rhel6/V-38525.rst
+++ b/doc/metadata/rhel6/V-38525.rst
@@ -1,7 +1,7 @@ --- id: V-38525 status: implemented -tag: misc +tag: auditd --- Rules are added for auditing changes to system time done via ``stime``.
diff --git a/doc/metadata/rhel6/V-38526.rst b/doc/metadata/rhel6/V-38526.rst
index 2a448505..27efc170 100644
--- a/doc/metadata/rhel6/V-38526.rst
+++ b/doc/metadata/rhel6/V-38526.rst
@@ -1,11 +1,9 @@ --- id: V-38526 status: opt-in -tag: misc +tag: kernel --- -**Opt-in required** - The STIG requires that secure ICMP redirects are disabled, but this can cause issues in some virtualized or containerized environments. The Ansible tasks in the security role will not disable these redirects by default.
diff --git a/doc/metadata/rhel6/V-38527.rst b/doc/metadata/rhel6/V-38527.rst
index 7f451cfb..88bf3242 100644
--- a/doc/metadata/rhel6/V-38527.rst
+++ b/doc/metadata/rhel6/V-38527.rst
@@ -1,7 +1,7 @@ --- id: V-38527 status: implemented -tag: misc +tag: auditd --- Rules are added for auditing changes to system time done via
diff --git a/doc/metadata/rhel6/V-38528.rst b/doc/metadata/rhel6/V-38528.rst
index 241f1fc3..16f486b0 100644
--- a/doc/metadata/rhel6/V-38528.rst
+++ b/doc/metadata/rhel6/V-38528.rst
@@ -1,11 +1,9 @@ --- id: V-38528 -status: exception -tag: misc +status: opt-in +tag: kernel --- -**Exception** - The STIG requires that all martian packets are logged by setting the sysctl parameter ``net.ipv4.conf.all.log_martians`` to ``1``.
diff --git a/doc/metadata/rhel6/V-38529.rst b/doc/metadata/rhel6/V-38529.rst
index 7861b0a9..78ed16e9 100644
--- a/doc/metadata/rhel6/V-38529.rst
+++ b/doc/metadata/rhel6/V-38529.rst
@@ -1,11 +1,9 @@ --- id: V-38529 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38530.rst b/doc/metadata/rhel6/V-38530.rst
index 53f3cc34..552fe6cb 100644
--- a/doc/metadata/rhel6/V-38530.rst
+++ b/doc/metadata/rhel6/V-38530.rst
@@ -1,7 +1,7 @@ --- id: V-38530 status: implemented -tag: misc +tag: auditd --- Rules are added to auditd to log all attempts to change the system time using
diff --git a/doc/metadata/rhel6/V-38531.rst b/doc/metadata/rhel6/V-38531.rst
index b47dc9e1..7bccd652 100644
--- a/doc/metadata/rhel6/V-38531.rst
+++ b/doc/metadata/rhel6/V-38531.rst
@@ -1,9 +1,7 @@ --- id: V-38531 -status: exception -tag: misc +status: implemented +tag: auditd --- -**Exception** - The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/metadata/rhel6/V-38532.rst b/doc/metadata/rhel6/V-38532.rst
index 8c488ba1..e6d33f48 100644
--- a/doc/metadata/rhel6/V-38532.rst
+++ b/doc/metadata/rhel6/V-38532.rst
@@ -1,11 +1,9 @@ --- id: V-38532 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38533.rst b/doc/metadata/rhel6/V-38533.rst
index 63365865..9478de85 100644
--- a/doc/metadata/rhel6/V-38533.rst
+++ b/doc/metadata/rhel6/V-38533.rst
@@ -1,11 +1,9 @@ --- id: V-38533 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38534.rst b/doc/metadata/rhel6/V-38534.rst
index 64feb972..6b00d0e0 100644
--- a/doc/metadata/rhel6/V-38534.rst
+++ b/doc/metadata/rhel6/V-38534.rst
@@ -1,7 +1,7 @@ --- id: V-38534 status: implemented -tag: misc +tag: auditd --- Audit rules are added in a task so that any events associated with
diff --git a/doc/metadata/rhel6/V-38535.rst b/doc/metadata/rhel6/V-38535.rst
index 7d3bfa46..956bd4ce 100644
--- a/doc/metadata/rhel6/V-38535.rst
+++ b/doc/metadata/rhel6/V-38535.rst
@@ -1,9 +1,9 @@ --- id: V-38535 status: implemented -tag: misc +tag: kernel --- -By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address. -The Ansible tasks for this STIG configuration ensures that the secure default -setting is maintained. +The Ansible tasks will ensure that ``net.ipv4.icmp_echo_ignore_broadcasts`` is +set to ``1``, which will cause the system to stop responding to ICMPv4 packets +sent to the broadcast address.
diff --git a/doc/metadata/rhel6/V-38536.rst b/doc/metadata/rhel6/V-38536.rst
index 564d115e..e7b35ed7 100644
--- a/doc/metadata/rhel6/V-38536.rst
+++ b/doc/metadata/rhel6/V-38536.rst
@@ -1,9 +1,7 @@ --- id: V-38536 -status: exception -tag: misc +status: implemented +tag: auditd --- -**Exception** - The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/metadata/rhel6/V-38537.rst b/doc/metadata/rhel6/V-38537.rst
index 45f5b5b3..31e9c245 100644
--- a/doc/metadata/rhel6/V-38537.rst
+++ b/doc/metadata/rhel6/V-38537.rst
@@ -1,8 +1,9 @@ --- id: V-38537 status: implemented -tag: misc +tag: kernel --- -Ubuntu already ignores ICMPv4 bogus error messages by default. The role will -ensure that this default setting is maintained. +The Ansible tasks will ensure that +``net.ipv4.icmp_ignore_bogus_error_responses`` is set to ``1``. This prevents +a host from responding to bogus ICMPv4 error messages.
diff --git a/doc/metadata/rhel6/V-38538.rst b/doc/metadata/rhel6/V-38538.rst
index 3d0d6b58..2dadb702 100644
--- a/doc/metadata/rhel6/V-38538.rst
+++ b/doc/metadata/rhel6/V-38538.rst
@@ -1,9 +1,7 @@ --- id: V-38538 -status: exception -tag: misc +status: implemented +tag: auditd --- -**Exception** - The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/metadata/rhel6/V-38539.rst b/doc/metadata/rhel6/V-38539.rst
index dbecc3dd..cfb8c5e8 100644
--- a/doc/metadata/rhel6/V-38539.rst
+++ b/doc/metadata/rhel6/V-38539.rst
@@ -1,7 +1,7 @@ --- id: V-38539 status: implemented -tag: misc +tag: kernel --- The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
diff --git a/doc/metadata/rhel6/V-38540.rst b/doc/metadata/rhel6/V-38540.rst
index 4ae33ec2..0c7b64a9 100644
--- a/doc/metadata/rhel6/V-38540.rst
+++ b/doc/metadata/rhel6/V-38540.rst
@@ -1,9 +1,7 @@ --- id: V-38540 status: implemented -tag: misc +tag: auditd --- -Rules are added for auditing network configuration changes. The path to -Ubuntu's standard network configuration location has replaced the path -to Red Hat's default network configuration location. +Rules are added that allows auditd to track network configuration changes.
diff --git a/doc/metadata/rhel6/V-38541.rst b/doc/metadata/rhel6/V-38541.rst
index e654273b..b511fd0d 100644
--- a/doc/metadata/rhel6/V-38541.rst
+++ b/doc/metadata/rhel6/V-38541.rst
@@ -1,7 +1,7 @@ --- id: V-38541 status: implemented -tag: misc +tag: auditd --- For Ubuntu, rules are added to auditd that will log any changes made in the
diff --git a/doc/metadata/rhel6/V-38542.rst b/doc/metadata/rhel6/V-38542.rst
index 323e8bec..c9ec5fd2 100644
--- a/doc/metadata/rhel6/V-38542.rst
+++ b/doc/metadata/rhel6/V-38542.rst
@@ -1,11 +1,9 @@ --- id: V-38542 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38543.rst b/doc/metadata/rhel6/V-38543.rst
index 496c5353..3abd610e 100644
--- a/doc/metadata/rhel6/V-38543.rst
+++ b/doc/metadata/rhel6/V-38543.rst
@@ -1,11 +1,9 @@ --- id: V-38543 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments and while updating packages with apt. By default, these rules are disabled.
diff --git a/doc/metadata/rhel6/V-38544.rst b/doc/metadata/rhel6/V-38544.rst
index abb1de7e..aaad20b4 100644
--- a/doc/metadata/rhel6/V-38544.rst
+++ b/doc/metadata/rhel6/V-38544.rst
@@ -1,11 +1,9 @@ --- id: V-38544 status: exception -tag: misc +tag: kernel --- -**Exception** - The STIG makes several requirements for IPv4 network restrictions, but these restrictions can impact certain network interfaces and cause service disruptions. Some security configurations make sense for certain types of
diff --git a/doc/metadata/rhel6/V-38545.rst b/doc/metadata/rhel6/V-38545.rst
index 5802c980..d2135219 100644
--- a/doc/metadata/rhel6/V-38545.rst
+++ b/doc/metadata/rhel6/V-38545.rst
@@ -1,11 +1,9 @@ --- id: V-38545 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``chown`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38546.rst b/doc/metadata/rhel6/V-38546.rst
index ca38da02..16114862 100644
--- a/doc/metadata/rhel6/V-38546.rst
+++ b/doc/metadata/rhel6/V-38546.rst
@@ -1,11 +1,9 @@ --- id: V-38546 status: opt-in -tag: misc +tag: kernel --- -**Opt-in required** - The STIG requires IPv6 to be disabled system-wide unless it is needed for the system to operate. Deployers must consider how their network is configured before disabling IPv6 entirely.
diff --git a/doc/metadata/rhel6/V-38547.rst b/doc/metadata/rhel6/V-38547.rst
index 51e96b94..cbc9e923 100644
--- a/doc/metadata/rhel6/V-38547.rst
+++ b/doc/metadata/rhel6/V-38547.rst
@@ -1,11 +1,9 @@ --- id: V-38547 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments and while updating packages with apt. By default, these rules are disabled.
diff --git a/doc/metadata/rhel6/V-38548.rst b/doc/metadata/rhel6/V-38548.rst
index d6e9a110..10df5483 100644
--- a/doc/metadata/rhel6/V-38548.rst
+++ b/doc/metadata/rhel6/V-38548.rst
@@ -1,11 +1,9 @@ --- id: V-38548 status: opt-in -tag: misc +tag: kernel --- -**Opt-in required** - Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required.
diff --git a/doc/metadata/rhel6/V-38549.rst b/doc/metadata/rhel6/V-38549.rst
index 028cd9bd..5ab1a3f3 100644
--- a/doc/metadata/rhel6/V-38549.rst
+++ b/doc/metadata/rhel6/V-38549.rst
@@ -1,11 +1,9 @@ --- id: V-38549 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to configure. Deployers are urged to use proper network segmentation between their OpenStack infrastructure and virtual machines, which will mitigate
diff --git a/doc/metadata/rhel6/V-38550.rst b/doc/metadata/rhel6/V-38550.rst
index 169d880a..1dedbedb 100644
--- a/doc/metadata/rhel6/V-38550.rst
+++ b/doc/metadata/rhel6/V-38550.rst
@@ -1,11 +1,9 @@ --- id: V-38550 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat`` syscalls can cause high CPU and I/O load during OpenStack-Ansible deployments and while updating packages with apt. By default, these rules are disabled.
diff --git a/doc/metadata/rhel6/V-38551.rst b/doc/metadata/rhel6/V-38551.rst
index 1a0acfff..8f0cf4cc 100644
--- a/doc/metadata/rhel6/V-38551.rst
+++ b/doc/metadata/rhel6/V-38551.rst
@@ -1,11 +1,9 @@ --- id: V-38551 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Filtering IPv6 traffic is left up to the deployer to implement. The openstack-ansible roles don't configure IPv6 (at this time) and adding persistent ip6tables rules could harm a running system.
diff --git a/doc/metadata/rhel6/V-38552.rst b/doc/metadata/rhel6/V-38552.rst
index 89baba56..7da11a1b 100644
--- a/doc/metadata/rhel6/V-38552.rst
+++ b/doc/metadata/rhel6/V-38552.rst
@@ -1,11 +1,9 @@ --- id: V-38552 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``fchown`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38553.rst b/doc/metadata/rhel6/V-38553.rst
index d9f6c830..c6d222ad 100644
--- a/doc/metadata/rhel6/V-38553.rst
+++ b/doc/metadata/rhel6/V-38553.rst
@@ -1,11 +1,9 @@ --- id: V-38553 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to configure. Deployers are urged to use proper network segmentation between their OpenStack infrastructure and virtual machines, which will mitigate
diff --git a/doc/metadata/rhel6/V-38554.rst b/doc/metadata/rhel6/V-38554.rst
index 5153d2d4..f70173dc 100644
--- a/doc/metadata/rhel6/V-38554.rst
+++ b/doc/metadata/rhel6/V-38554.rst
@@ -1,11 +1,9 @@ --- id: V-38554 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``fchownat`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38555.rst b/doc/metadata/rhel6/V-38555.rst
index b0a67a60..23a9fe92 100644
--- a/doc/metadata/rhel6/V-38555.rst
+++ b/doc/metadata/rhel6/V-38555.rst
@@ -1,11 +1,9 @@ --- id: V-38555 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to configure. Deployers are urged to use proper network segmentation between their OpenStack infrastructure and virtual machines, which will mitigate
diff --git a/doc/metadata/rhel6/V-38556.rst b/doc/metadata/rhel6/V-38556.rst
index 824060ec..e245864f 100644
--- a/doc/metadata/rhel6/V-38556.rst
+++ b/doc/metadata/rhel6/V-38556.rst
@@ -1,11 +1,9 @@ --- id: V-38556 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``fremovexattr`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38557.rst b/doc/metadata/rhel6/V-38557.rst
index fac6dada..a770df81 100644
--- a/doc/metadata/rhel6/V-38557.rst
+++ b/doc/metadata/rhel6/V-38557.rst
@@ -1,11 +1,9 @@ --- id: V-38557 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``fsetxattr`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38558.rst b/doc/metadata/rhel6/V-38558.rst
index cc03c7d4..bc42996d 100644
--- a/doc/metadata/rhel6/V-38558.rst
+++ b/doc/metadata/rhel6/V-38558.rst
@@ -1,11 +1,9 @@ --- id: V-38558 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``lchown`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38559.rst b/doc/metadata/rhel6/V-38559.rst
index 39fa3bd5..77006cc8 100644
--- a/doc/metadata/rhel6/V-38559.rst
+++ b/doc/metadata/rhel6/V-38559.rst
@@ -1,11 +1,9 @@ --- id: V-38559 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``lremovexattr`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38560.rst b/doc/metadata/rhel6/V-38560.rst
index 114424f5..f30d30ac 100644
--- a/doc/metadata/rhel6/V-38560.rst
+++ b/doc/metadata/rhel6/V-38560.rst
@@ -1,11 +1,9 @@ --- id: V-38560 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to configure. Deployers are urged to use proper network segmentation between their OpenStack infrastructure and virtual machines, which will mitigate
diff --git a/doc/metadata/rhel6/V-38561.rst b/doc/metadata/rhel6/V-38561.rst
index 582c589f..83dc479a 100644
--- a/doc/metadata/rhel6/V-38561.rst
+++ b/doc/metadata/rhel6/V-38561.rst
@@ -1,11 +1,9 @@ --- id: V-38561 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``lxsetxattr`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38563.rst b/doc/metadata/rhel6/V-38563.rst
index fa8dcc97..16443b4f 100644
--- a/doc/metadata/rhel6/V-38563.rst
+++ b/doc/metadata/rhel6/V-38563.rst
@@ -1,7 +1,7 @@ --- id: V-38563 status: implemented -tag: misc +tag: auditd --- Audit rules are added in a task so that any events associated with the
diff --git a/doc/metadata/rhel6/V-38565.rst b/doc/metadata/rhel6/V-38565.rst
index affe8a3a..cec0d930 100644
--- a/doc/metadata/rhel6/V-38565.rst
+++ b/doc/metadata/rhel6/V-38565.rst
@@ -1,11 +1,9 @@ --- id: V-38565 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for permission changes made with ``setxattr`` are disabled by default as they can generate an excessive amount of logs in a short period of time, especially during a deployment.
diff --git a/doc/metadata/rhel6/V-38566.rst b/doc/metadata/rhel6/V-38566.rst
index 4d7f260f..f6eafdc7 100644
--- a/doc/metadata/rhel6/V-38566.rst
+++ b/doc/metadata/rhel6/V-38566.rst
@@ -1,11 +1,9 @@ --- id: V-38566 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for logging failed access attempts can generate significant amounts of log traffic in some environments. These rules are disabled by default.
diff --git a/doc/metadata/rhel6/V-38567.rst b/doc/metadata/rhel6/V-38567.rst
index 8329f94d..90e8b716 100644
--- a/doc/metadata/rhel6/V-38567.rst
+++ b/doc/metadata/rhel6/V-38567.rst
@@ -1,11 +1,9 @@ --- id: V-38567 status: exception -tag: misc +tag: file_perms --- -**Exception** - Keeping the list of setuid/setgid applications up to date and adding the paths to those files within the ``audit.rules`` file is challenging. Deployers are urged to use setuid/setgid sparingly and carefully monitor all applications
diff --git a/doc/metadata/rhel6/V-38568.rst b/doc/metadata/rhel6/V-38568.rst
index 01b5f0cf..20c4035c 100644
--- a/doc/metadata/rhel6/V-38568.rst
+++ b/doc/metadata/rhel6/V-38568.rst
@@ -1,7 +1,7 @@ --- id: V-38568 status: implemented -tag: misc +tag: auditd --- Rules are added for auditd to log successful filesystem mounts.
diff --git a/doc/metadata/rhel6/V-38569.rst b/doc/metadata/rhel6/V-38569.rst
index cd165127..47163ed1 100644
--- a/doc/metadata/rhel6/V-38569.rst
+++ b/doc/metadata/rhel6/V-38569.rst
@@ -1,11 +1,9 @@ --- id: V-38569 status: exception -tag: misc +tag: auth --- -**Exception** - Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords.
diff --git a/doc/metadata/rhel6/V-38570.rst b/doc/metadata/rhel6/V-38570.rst
index 3b0d443f..b25f7202 100644
--- a/doc/metadata/rhel6/V-38570.rst
+++ b/doc/metadata/rhel6/V-38570.rst
@@ -1,11 +1,9 @@ --- id: V-38570 status: exception -tag: misc +tag: auth --- -**Exception** - Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords.
diff --git a/doc/metadata/rhel6/V-38571.rst b/doc/metadata/rhel6/V-38571.rst
index 89005ed6..26729681 100644
--- a/doc/metadata/rhel6/V-38571.rst
+++ b/doc/metadata/rhel6/V-38571.rst
@@ -1,11 +1,9 @@ --- id: V-38571 status: exception -tag: misc +tag: auth --- -**Exception** - Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords.
diff --git a/doc/metadata/rhel6/V-38572.rst b/doc/metadata/rhel6/V-38572.rst
index 11b2becd..0d2c9777 100644
--- a/doc/metadata/rhel6/V-38572.rst
+++ b/doc/metadata/rhel6/V-38572.rst
@@ -1,11 +1,9 @@ --- id: V-38572 status: exception -tag: misc +tag: auth --- -**Exception** - Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords.
diff --git a/doc/metadata/rhel6/V-38573.rst b/doc/metadata/rhel6/V-38573.rst
index ffb2dbb8..82c80797 100644
--- a/doc/metadata/rhel6/V-38573.rst
+++ b/doc/metadata/rhel6/V-38573.rst
@@ -1,11 +1,9 @@ --- id: V-38573 -status: exception -tag: misc +status: opt-in +tag: auth --- -**Exception and opt-in alternative** - Adjusting PAM configurations is very risky since it affects how all users authenticate. In addition, ``pam_faillock.so`` isn't available in Ubuntu.
diff --git a/doc/metadata/rhel6/V-38574.rst b/doc/metadata/rhel6/V-38574.rst
index e348b511..9db6745d 100644
--- a/doc/metadata/rhel6/V-38574.rst
+++ b/doc/metadata/rhel6/V-38574.rst
@@ -1,7 +1,7 @@ --- id: V-38574 status: implemented -tag: misc +tag: auth --- The STIG requires SHA512 to be used for hashing password since it is
diff --git a/doc/metadata/rhel6/V-38575.rst b/doc/metadata/rhel6/V-38575.rst
index 92678d78..5248c8c5 100644
--- a/doc/metadata/rhel6/V-38575.rst
+++ b/doc/metadata/rhel6/V-38575.rst
@@ -1,11 +1,9 @@ --- id: V-38575 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The audit rules for monitoring deleted files can cause very high system load during OpenStack-Ansible deployments and during package updates using apt. It's recommended that deployers keep these rules disabled unless they're
diff --git a/doc/metadata/rhel6/V-38576.rst b/doc/metadata/rhel6/V-38576.rst
index acd24a64..a9f49bd9 100644
--- a/doc/metadata/rhel6/V-38576.rst
+++ b/doc/metadata/rhel6/V-38576.rst
@@ -1,7 +1,7 @@ --- id: V-38576 status: implemented -tag: misc +tag: auth --- The STIG requires SHA512 to be used for hashing password since it is
diff --git a/doc/metadata/rhel6/V-38577.rst b/doc/metadata/rhel6/V-38577.rst
index b9027082..4d3f4b1b 100644
--- a/doc/metadata/rhel6/V-38577.rst
+++ b/doc/metadata/rhel6/V-38577.rst
@@ -1,7 +1,7 @@ --- id: V-38577 status: implemented -tag: misc +tag: auth --- The STIG requires SHA512 to be used for hashing password since it is
diff --git a/doc/metadata/rhel6/V-38578.rst b/doc/metadata/rhel6/V-38578.rst
index 3a7115c9..217e5f42 100644
--- a/doc/metadata/rhel6/V-38578.rst
+++ b/doc/metadata/rhel6/V-38578.rst
@@ -1,7 +1,7 @@ --- id: V-38578 status: implemented -tag: misc +tag: auditd --- Rules are added to audit changes to ``/etc/sudoers``. diff --git a/doc/metadata/rhel6/V-38579.rst b/doc/metadata/rhel6/V-38579.rst index 89972ecd..216eab49 100644 --- a/doc/metadata/rhel6/V-38579.rst +++ b/doc/metadata/rhel6/V-38579.rst @@ -1,7 +1,7 @@ --- id: V-38579 status: implemented -tag: misc +tag: boot --- Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default. diff --git a/doc/metadata/rhel6/V-38580.rst b/doc/metadata/rhel6/V-38580.rst index b6a53b73..787d52ba 100644 --- a/doc/metadata/rhel6/V-38580.rst +++ b/doc/metadata/rhel6/V-38580.rst @@ -1,7 +1,7 @@ --- id: V-38580 status: implemented -tag: misc +tag: auditd --- Rules will be added to auditd so that any kernel module loading or unloading diff --git a/doc/metadata/rhel6/V-38581.rst b/doc/metadata/rhel6/V-38581.rst index e7a9dc78..a6504651 100644 --- a/doc/metadata/rhel6/V-38581.rst +++ b/doc/metadata/rhel6/V-38581.rst @@ -1,7 +1,7 @@ --- id: V-38581 status: implemented -tag: misc +tag: file_perms --- The group ownership for ``/boot/grub/grub.cfg`` will be set to `root`. diff --git a/doc/metadata/rhel6/V-38582.rst b/doc/metadata/rhel6/V-38582.rst index 30296bc6..71d8abdd 100644 --- a/doc/metadata/rhel6/V-38582.rst +++ b/doc/metadata/rhel6/V-38582.rst @@ -1,7 +1,7 @@ --- id: V-38582 status: implemented -tag: misc +tag: services --- If the ``xinetd`` package is installed, it will be stopped immediately and diff --git a/doc/metadata/rhel6/V-38583.rst b/doc/metadata/rhel6/V-38583.rst index d41b73a9..f91bf30b 100644 --- a/doc/metadata/rhel6/V-38583.rst +++ b/doc/metadata/rhel6/V-38583.rst @@ -1,11 +1,9 @@ --- id: V-38583 status: exception -tag: misc +tag: boot --- -**Exception for grub2** - For Ubuntu 14.04, the permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``. diff --git a/doc/metadata/rhel6/V-38584.rst b/doc/metadata/rhel6/V-38584.rst index cb3e10be..edd82338 100644 
--- a/doc/metadata/rhel6/V-38584.rst +++ b/doc/metadata/rhel6/V-38584.rst @@ -1,7 +1,7 @@ --- id: V-38584 status: implemented -tag: misc +tag: services --- The ``xinetd`` service will be removed by the Ansible tasks, if it is diff --git a/doc/metadata/rhel6/V-38585.rst b/doc/metadata/rhel6/V-38585.rst index cfddc354..8a73e26c 100644 --- a/doc/metadata/rhel6/V-38585.rst +++ b/doc/metadata/rhel6/V-38585.rst @@ -1,11 +1,9 @@ --- id: V-38585 -status: exception -tag: misc +status: exception - manual intervention +tag: boot --- -**Exception** - Configuring a password for the bootloader is left up to the deployer to configure. Each deployer should consider the potential damage to their system should someone gain unauthorized physical access at the server diff --git a/doc/metadata/rhel6/V-38586.rst b/doc/metadata/rhel6/V-38586.rst index deb465cd..a437c114 100644 --- a/doc/metadata/rhel6/V-38586.rst +++ b/doc/metadata/rhel6/V-38586.rst @@ -1,12 +1,10 @@ --- id: V-38586 status: exception -tag: misc +tag: boot --- -**Exception** - -As with V-38585, this is left to the deployer to configure bassed on their +As with V-38585, this is left to the deployer to configure based on their exposure to physical threats. If there is a concern around a user gaining unauthorized physical access and/or gaining access through an out-of-band access mechanism, deployers are strongly urged to consider applying this diff --git a/doc/metadata/rhel6/V-38587.rst b/doc/metadata/rhel6/V-38587.rst index 6895c6bf..2864ac9e 100644 --- a/doc/metadata/rhel6/V-38587.rst +++ b/doc/metadata/rhel6/V-38587.rst @@ -1,7 +1,7 @@ --- id: V-38587 status: implemented -tag: misc +tag: services --- The ``telnetd`` service will be removed by the Ansible tasks, if it is diff --git a/doc/metadata/rhel6/V-38588.rst b/doc/metadata/rhel6/V-38588.rst index 3d4012bb..9c448178 100644 --- a/doc/metadata/rhel6/V-38588.rst +++ b/doc/metadata/rhel6/V-38588.rst 
@@ -1,11 +1,9 @@ --- id: V-38588 status: exception -tag: misc +tag: boot --- -**Exception** - As with V-38585, this configuration is left up to the deployer to determine their risk of attacks via physical access or out-of-band access to a server console. diff --git a/doc/metadata/rhel6/V-38589.rst b/doc/metadata/rhel6/V-38589.rst index fcfd8e3d..07246fef 100644 --- a/doc/metadata/rhel6/V-38589.rst +++ b/doc/metadata/rhel6/V-38589.rst @@ -1,11 +1,9 @@ --- id: V-38589 status: implemented -tag: misc +tag: services --- -**Fixed by V-38587** - Running a telnet daemon isn't recommended under most situations, so the telnet server package will be removed from the system if it is installed. The telnet server is removed by the Ansible tasks for V-38587, so no action is required diff --git a/doc/metadata/rhel6/V-38590.rst b/doc/metadata/rhel6/V-38590.rst index f09e374e..e3e40443 100644 --- a/doc/metadata/rhel6/V-38590.rst +++ b/doc/metadata/rhel6/V-38590.rst @@ -1,11 +1,9 @@ --- id: V-38590 status: exception -tag: misc +tag: console --- -**Exception** - While providing text screen locking does add additional security, deployers are strongly urged to limit physical access and out-of-band access to servers where someone else might be able to join a user's session when diff --git a/doc/metadata/rhel6/V-38591.rst b/doc/metadata/rhel6/V-38591.rst index 1a1e75db..d1bfee54 100644 --- a/doc/metadata/rhel6/V-38591.rst +++ b/doc/metadata/rhel6/V-38591.rst @@ -1,7 +1,7 @@ --- id: V-38591 status: implemented -tag: misc +tag: services --- The ``rshd`` service will be removed by the Ansible tasks, if it is diff --git a/doc/metadata/rhel6/V-38592.rst b/doc/metadata/rhel6/V-38592.rst index 255960a8..1c607280 100644 --- a/doc/metadata/rhel6/V-38592.rst +++ b/doc/metadata/rhel6/V-38592.rst 
@@ -1,11 +1,9 @@ --- id: V-38592 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Adjusting PAM configurations on a running system carries a fair amount of risk, and deployers are urged to rely upon ssh keys or centralized authentication for user authentication. diff --git a/doc/metadata/rhel6/V-38593.rst b/doc/metadata/rhel6/V-38593.rst index 9bfdca1d..76d9f30c 100644 --- a/doc/metadata/rhel6/V-38593.rst +++ b/doc/metadata/rhel6/V-38593.rst @@ -1,7 +1,7 @@ --- id: V-38593 status: implemented -tag: misc +tag: console --- A default warning banner will replace the contents of ``/etc/issue.net``. To diff --git a/doc/metadata/rhel6/V-38594.rst b/doc/metadata/rhel6/V-38594.rst index c29db4b0..3bf7d906 100644 --- a/doc/metadata/rhel6/V-38594.rst +++ b/doc/metadata/rhel6/V-38594.rst @@ -1,11 +1,9 @@ --- id: V-38594 status: implemented -tag: misc +tag: services --- -**Fixed by V-38591** - Running a rsh daemon isn't recommended under most situations, so the rsh server package will be removed from the system if it is installed. The rsh server is removed by the Ansible tasks for V-38591, so no action is required here. diff --git a/doc/metadata/rhel6/V-38595.rst b/doc/metadata/rhel6/V-38595.rst index 50060386..cd2c18f1 100644 --- a/doc/metadata/rhel6/V-38595.rst +++ b/doc/metadata/rhel6/V-38595.rst @@ -1,10 +1,8 @@ --- id: V-38595 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Use of additional factors for authentication is left up to the deployer, but it is strongly recommended. diff --git a/doc/metadata/rhel6/V-38596.rst b/doc/metadata/rhel6/V-38596.rst index a5f157ae..527e6476 100644 --- a/doc/metadata/rhel6/V-38596.rst +++ b/doc/metadata/rhel6/V-38596.rst 
@@ -1,9 +1,9 @@ --- id: V-38596 status: implemented -tag: misc +tag: kernel --- -The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and -will also ensure that the setting is applied on the next boot. This setting +The Ansible tasks will set ``kernel.randomize_va_space`` to ``2`` immediately +and will also ensure that the setting is applied on the next boot. This setting is currently the default in Ubuntu 14.04, Ubuntu 16.04, and CentOS 7. diff --git a/doc/metadata/rhel6/V-38597.rst b/doc/metadata/rhel6/V-38597.rst index 96e435c1..896c0ffd 100644 --- a/doc/metadata/rhel6/V-38597.rst +++ b/doc/metadata/rhel6/V-38597.rst @@ -1,7 +1,7 @@ --- id: V-38597 status: implemented -tag: misc +tag: kernel --- Non-Executable Memory (NX) is the successor to ExecShield, and it is enabled by diff --git a/doc/metadata/rhel6/V-38598.rst b/doc/metadata/rhel6/V-38598.rst index 82cff4c2..7db843c9 100644 --- a/doc/metadata/rhel6/V-38598.rst +++ b/doc/metadata/rhel6/V-38598.rst @@ -1,11 +1,9 @@ --- id: V-38598 status: implemented -tag: misc +tag: services --- -**Fixed by V-38591** - On Ubuntu, the ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon. CentOS 7 doesn't provide the ``rexecd`` daemon in any packages. diff --git a/doc/metadata/rhel6/V-38599.rst b/doc/metadata/rhel6/V-38599.rst index 1be08353..d7fb24ae 100644 --- a/doc/metadata/rhel6/V-38599.rst +++ b/doc/metadata/rhel6/V-38599.rst @@ -1,7 +1,7 @@ --- id: V-38599 status: implemented -tag: misc +tag: services --- If the ``vsftpd`` package is installed, a login banner will be applied so that diff --git a/doc/metadata/rhel6/V-38600.rst b/doc/metadata/rhel6/V-38600.rst index 19957933..0c625931 100644 --- a/doc/metadata/rhel6/V-38600.rst +++ b/doc/metadata/rhel6/V-38600.rst 
@@ -1,10 +1,10 @@ --- id: V-38600 status: implemented -tag: misc +tag: kernel --- The Ansible tasks will disable the sending of ICMPv4 redirects by setting -the sysctl variable ``net.ipv4.conf.default.send_redirects=0``. However, +the sysctl variable ``net.ipv4.conf.default.send_redirects`` to ``0``. However, bridging still requires redirects to be enabled, so those interfaces won't be affected by this change. diff --git a/doc/metadata/rhel6/V-38601.rst b/doc/metadata/rhel6/V-38601.rst index 3cd776d5..3634d662 100644 --- a/doc/metadata/rhel6/V-38601.rst +++ b/doc/metadata/rhel6/V-38601.rst @@ -1,7 +1,8 @@ --- id: V-38601 status: implemented -tag: misc +tag: kernel --- -See the documentation for V-38600 for more details. +The Ansible tasks will set ``net.ipv4.conf.all.send_redirects`` to ``0`` so +that hosts will stop sending ICMPv4 redirects on all interfaces. diff --git a/doc/metadata/rhel6/V-38602.rst b/doc/metadata/rhel6/V-38602.rst index 2b1317b8..c284b23d 100644 --- a/doc/metadata/rhel6/V-38602.rst +++ b/doc/metadata/rhel6/V-38602.rst @@ -1,11 +1,9 @@ --- id: V-38602 status: implemented -tag: misc +tag: services --- -**Fixed by V-38591** - In Ubuntu, the ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon. CentOS 7 does not provide the ``rlogind`` daemon in any packages. diff --git a/doc/metadata/rhel6/V-38603.rst b/doc/metadata/rhel6/V-38603.rst index 01697944..c1ae31b9 100644 --- a/doc/metadata/rhel6/V-38603.rst +++ b/doc/metadata/rhel6/V-38603.rst @@ -1,7 +1,7 @@ --- id: V-38603 status: implemented -tag: misc +tag: services --- This packages is named differently depending on the Linux distribution: diff --git a/doc/metadata/rhel6/V-38604.rst b/doc/metadata/rhel6/V-38604.rst index 6c7874d7..fcb4aa24 100644 --- a/doc/metadata/rhel6/V-38604.rst +++ b/doc/metadata/rhel6/V-38604.rst @@ -1,7 +1,7 @@ --- id: V-38604 status: implemented -tag: misc +tag: services --- The ``ypbind`` service is removed entirely as part of V-38603. 
diff --git a/doc/metadata/rhel6/V-38605.rst b/doc/metadata/rhel6/V-38605.rst index 13e60799..78ad7de2 100644 --- a/doc/metadata/rhel6/V-38605.rst +++ b/doc/metadata/rhel6/V-38605.rst @@ -1,7 +1,7 @@ --- id: V-38605 status: implemented -tag: misc +tag: services --- The ``cron`` service is running by default in Ubuntu 14.04, Ubuntu 16.04, and diff --git a/doc/metadata/rhel6/V-38606.rst b/doc/metadata/rhel6/V-38606.rst index 32e5e06d..42e7a455 100644 --- a/doc/metadata/rhel6/V-38606.rst +++ b/doc/metadata/rhel6/V-38606.rst @@ -1,7 +1,7 @@ --- id: V-38606 status: implemented -tag: misc +tag: services --- The package containing the tftp daemon has different names depending on the diff --git a/doc/metadata/rhel6/V-38607.rst b/doc/metadata/rhel6/V-38607.rst index 83ffafa4..4486f709 100644 --- a/doc/metadata/rhel6/V-38607.rst +++ b/doc/metadata/rhel6/V-38607.rst @@ -1,7 +1,7 @@ --- id: V-38607 status: implemented -tag: misc +tag: sshd --- The tasks in ``sshd.yml`` will ensure that SSH requires all connections to use diff --git a/doc/metadata/rhel6/V-38608.rst b/doc/metadata/rhel6/V-38608.rst index f12c65da..618b0993 100644 --- a/doc/metadata/rhel6/V-38608.rst +++ b/doc/metadata/rhel6/V-38608.rst @@ -1,7 +1,7 @@ --- id: V-38608 status: implemented -tag: misc +tag: sshd --- The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes diff --git a/doc/metadata/rhel6/V-38609.rst b/doc/metadata/rhel6/V-38609.rst index cf382b47..7baf02dc 100644 --- a/doc/metadata/rhel6/V-38609.rst +++ b/doc/metadata/rhel6/V-38609.rst @@ -1,7 +1,7 @@ --- id: V-38609 status: implemented -tag: misc +tag: services --- The package containing the ``tftpd`` service is removed by V-38606. diff --git a/doc/metadata/rhel6/V-38610.rst b/doc/metadata/rhel6/V-38610.rst index 9e837b8f..56b9dc50 100644 --- a/doc/metadata/rhel6/V-38610.rst +++ b/doc/metadata/rhel6/V-38610.rst 
@@ -1,7 +1,7 @@ --- id: V-38610 status: implemented -tag: misc +tag: sshd --- The STIG recommends setting ``ClientAliveCountMax`` to ensure that ssh diff --git a/doc/metadata/rhel6/V-38611.rst b/doc/metadata/rhel6/V-38611.rst index 11066b8d..4a7e3ad4 100644 --- a/doc/metadata/rhel6/V-38611.rst +++ b/doc/metadata/rhel6/V-38611.rst @@ -1,9 +1,9 @@ --- id: V-38611 status: implemented -tag: misc +tag: sshd --- Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 configure the ssh daemon so that rsh's -.rhosts files are ignored by default. The Ansible tasks will ensure that this -setting has not changed from the default. +``.rhosts`` files are ignored by default. The Ansible tasks will ensure that +this setting has not changed from the default. diff --git a/doc/metadata/rhel6/V-38612.rst b/doc/metadata/rhel6/V-38612.rst index 1fd92eb4..397dddf0 100644 --- a/doc/metadata/rhel6/V-38612.rst +++ b/doc/metadata/rhel6/V-38612.rst @@ -1,7 +1,7 @@ --- id: V-38612 status: implemented -tag: misc +tag: sshd --- The Ansible tasks in the security role ensure that the ssh daemon does not diff --git a/doc/metadata/rhel6/V-38613.rst b/doc/metadata/rhel6/V-38613.rst index 21b5ae2a..bd1c5284 100644 --- a/doc/metadata/rhel6/V-38613.rst +++ b/doc/metadata/rhel6/V-38613.rst @@ -1,7 +1,7 @@ --- id: V-38613 -status: implemented -tag: misc +status: opt-in +tag: sshd --- Although the STIG recommends disabling root logins via ssh, the default in diff --git a/doc/metadata/rhel6/V-38614.rst b/doc/metadata/rhel6/V-38614.rst index dec8b269..8245b005 100644 --- a/doc/metadata/rhel6/V-38614.rst +++ b/doc/metadata/rhel6/V-38614.rst @@ -1,7 +1,7 @@ --- id: V-38614 status: implemented -tag: misc +tag: sshd --- The tasks in ``sshd.yml`` will ensure that SSH does not allow empty passwords. diff --git a/doc/metadata/rhel6/V-38615.rst b/doc/metadata/rhel6/V-38615.rst index 15cce350..1900cac6 100644 --- a/doc/metadata/rhel6/V-38615.rst +++ b/doc/metadata/rhel6/V-38615.rst 
@@ -1,7 +1,7 @@ --- id: V-38615 status: implemented -tag: misc +tag: sshd --- The ssh daemon will be configured so that a warning banner will be displayed diff --git a/doc/metadata/rhel6/V-38616.rst b/doc/metadata/rhel6/V-38616.rst index cec16957..4ae1ae14 100644 --- a/doc/metadata/rhel6/V-38616.rst +++ b/doc/metadata/rhel6/V-38616.rst @@ -1,7 +1,7 @@ --- id: V-38616 status: implemented -tag: misc +tag: sshd --- The ssh daemon will be configured to disallow user environment settings that diff --git a/doc/metadata/rhel6/V-38617.rst b/doc/metadata/rhel6/V-38617.rst index b0747522..7a87b7e8 100644 --- a/doc/metadata/rhel6/V-38617.rst +++ b/doc/metadata/rhel6/V-38617.rst @@ -1,7 +1,7 @@ --- id: V-38617 status: implemented -tag: misc +tag: sshd --- The ssh daemon will be configured to use the approved list of ciphers as diff --git a/doc/metadata/rhel6/V-38618.rst b/doc/metadata/rhel6/V-38618.rst index bf48e046..ff079f13 100644 --- a/doc/metadata/rhel6/V-38618.rst +++ b/doc/metadata/rhel6/V-38618.rst @@ -1,7 +1,7 @@ --- id: V-38618 status: implemented -tag: misc +tag: services --- The avahi daemon will be disabled if the package is installed. diff --git a/doc/metadata/rhel6/V-38622.rst b/doc/metadata/rhel6/V-38622.rst index 913853f4..b10105c2 100644 --- a/doc/metadata/rhel6/V-38622.rst +++ b/doc/metadata/rhel6/V-38622.rst @@ -1,7 +1,7 @@ --- id: V-38622 status: implemented -tag: misc +tag: mail --- The STIG requires that postfix only listens on the localhost so that it isn't diff --git a/doc/metadata/rhel6/V-38623.rst b/doc/metadata/rhel6/V-38623.rst index 20163520..0cac5a10 100644 --- a/doc/metadata/rhel6/V-38623.rst +++ b/doc/metadata/rhel6/V-38623.rst @@ -1,7 +1,7 @@ --- id: V-38623 status: implemented -tag: misc +tag: file_perms --- The mode on rsyslog files is set to ``0640`` by default in Ubuntu 14.04 and diff --git a/doc/metadata/rhel6/V-38624.rst b/doc/metadata/rhel6/V-38624.rst index 52c9a40f..d03289e5 100644 --- a/doc/metadata/rhel6/V-38624.rst 
+++ b/doc/metadata/rhel6/V-38624.rst @@ -4,7 +4,7 @@ status: implemented tag: misc --- -The STIG requires that system logs are rotate daily, but the check only +The STIG requires that system logs are rotated daily, but the check only involves verifying that logrotate is installed and activated by cron. The openstack-ansible project already configures weekly log rotation with compression. For high-traffic logging environments, changing the frequency diff --git a/doc/metadata/rhel6/V-38625.rst b/doc/metadata/rhel6/V-38625.rst index 99e11a33..ed304a9c 100644 --- a/doc/metadata/rhel6/V-38625.rst +++ b/doc/metadata/rhel6/V-38625.rst @@ -1,11 +1,9 @@ --- id: V-38625 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Deployers that use LDAP authentication for systems are strongly urged to use TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers on the network from reading the authentication attempts as they are made. The diff --git a/doc/metadata/rhel6/V-38626.rst b/doc/metadata/rhel6/V-38626.rst index e655ea98..d1dda851 100644 --- a/doc/metadata/rhel6/V-38626.rst +++ b/doc/metadata/rhel6/V-38626.rst @@ -1,11 +1,9 @@ --- id: V-38626 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Deployers that use LDAP authentication for systems are strongly urged to use TLS connectivity between client hosts and LDAP servers to prevent eavesdroppers on the network from reading the authentication attempts as they are made. The diff --git a/doc/metadata/rhel6/V-38627.rst b/doc/metadata/rhel6/V-38627.rst index 06e86b4c..d433da61 100644 --- a/doc/metadata/rhel6/V-38627.rst +++ b/doc/metadata/rhel6/V-38627.rst @@ -1,7 +1,7 @@ --- id: V-38627 status: implemented -tag: misc +tag: services --- The STIG requires that any LDAP server packages on the system are removed. 
diff --git a/doc/metadata/rhel6/V-38628.rst b/doc/metadata/rhel6/V-38628.rst index 5a18ebff..bd14c863 100644 --- a/doc/metadata/rhel6/V-38628.rst +++ b/doc/metadata/rhel6/V-38628.rst @@ -1,7 +1,7 @@ --- id: V-38628 status: implemented -tag: misc +tag: auditd --- This STIG requirement overlaps with V-38632. diff --git a/doc/metadata/rhel6/V-38629.rst b/doc/metadata/rhel6/V-38629.rst index 311495bf..07898e8d 100644 --- a/doc/metadata/rhel6/V-38629.rst +++ b/doc/metadata/rhel6/V-38629.rst @@ -1,11 +1,9 @@ --- id: V-38629 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38630.rst b/doc/metadata/rhel6/V-38630.rst index fe4cca62..d9e79c71 100644 --- a/doc/metadata/rhel6/V-38630.rst +++ b/doc/metadata/rhel6/V-38630.rst @@ -1,11 +1,9 @@ --- id: V-38630 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38631.rst b/doc/metadata/rhel6/V-38631.rst index cfdfef70..e54ad5e9 100644 --- a/doc/metadata/rhel6/V-38631.rst +++ b/doc/metadata/rhel6/V-38631.rst @@ -1,7 +1,7 @@ --- id: V-38631 status: implemented -tag: misc +tag: auditd --- This STIG requirement overlaps with V-38632. diff --git a/doc/metadata/rhel6/V-38632.rst b/doc/metadata/rhel6/V-38632.rst index d006a3b6..21d09ee1 100644 --- a/doc/metadata/rhel6/V-38632.rst +++ b/doc/metadata/rhel6/V-38632.rst @@ -1,7 +1,7 @@ --- id: V-38632 status: implemented -tag: misc +tag: auditd --- The tasks in auth.yml will install `auditd`_ and ensure it is running. 
diff --git a/doc/metadata/rhel6/V-38633.rst b/doc/metadata/rhel6/V-38633.rst index ab01de9e..721e6211 100644 --- a/doc/metadata/rhel6/V-38633.rst +++ b/doc/metadata/rhel6/V-38633.rst @@ -1,7 +1,7 @@ --- id: V-38633 status: implemented -tag: misc +tag: auditd --- The default setting for ``security_max_log_file`` in Ubuntu 14.04, Ubuntu diff --git a/doc/metadata/rhel6/V-38634.rst b/doc/metadata/rhel6/V-38634.rst index c2d5cc88..c42a7235 100644 --- a/doc/metadata/rhel6/V-38634.rst +++ b/doc/metadata/rhel6/V-38634.rst @@ -1,7 +1,7 @@ --- id: V-38634 status: implemented -tag: misc +tag: auditd --- The default action for ``security_max_log_file_action`` on Ubuntu 14.04, Ubuntu diff --git a/doc/metadata/rhel6/V-38635.rst b/doc/metadata/rhel6/V-38635.rst index fb5d0d13..5c44fadd 100644 --- a/doc/metadata/rhel6/V-38635.rst +++ b/doc/metadata/rhel6/V-38635.rst @@ -1,7 +1,7 @@ --- id: V-38635 status: implemented -tag: misc +tag: auditd --- Audit rules are added in a task so that any events associated with altering diff --git a/doc/metadata/rhel6/V-38636.rst b/doc/metadata/rhel6/V-38636.rst index 2d73f947..d09cb184 100644 --- a/doc/metadata/rhel6/V-38636.rst +++ b/doc/metadata/rhel6/V-38636.rst @@ -1,7 +1,7 @@ --- id: V-38636 status: implemented -tag: misc +tag: auditd --- Ubuntu keeps 5 rotated logs with the ``security_num_logs`` option and this diff --git a/doc/metadata/rhel6/V-38637.rst b/doc/metadata/rhel6/V-38637.rst index 5d05b56a..1fbd0b39 100644 --- a/doc/metadata/rhel6/V-38637.rst +++ b/doc/metadata/rhel6/V-38637.rst @@ -1,7 +1,7 @@ --- id: V-38637 status: implemented -tag: misc +tag: auditd --- The auditd package is verified with ``debsums`` in Ubuntu and with ``rpm`` in diff --git a/doc/metadata/rhel6/V-38638.rst b/doc/metadata/rhel6/V-38638.rst index da11ae34..c3ad3ffd 100644 --- a/doc/metadata/rhel6/V-38638.rst +++ b/doc/metadata/rhel6/V-38638.rst 
@@ -1,11 +1,9 @@ --- id: V-38638 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38639.rst b/doc/metadata/rhel6/V-38639.rst index 919c4bc3..52da4564 100644 --- a/doc/metadata/rhel6/V-38639.rst +++ b/doc/metadata/rhel6/V-38639.rst @@ -1,11 +1,9 @@ --- id: V-38639 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38640.rst b/doc/metadata/rhel6/V-38640.rst index 76778afd..164be01b 100644 --- a/doc/metadata/rhel6/V-38640.rst +++ b/doc/metadata/rhel6/V-38640.rst @@ -1,7 +1,7 @@ --- id: V-38640 status: implemented -tag: misc +tag: services --- The Ansible tasks in the security role will disable the abrtd service and stop diff --git a/doc/metadata/rhel6/V-38641.rst b/doc/metadata/rhel6/V-38641.rst index 590736ba..691e7dec 100644 --- a/doc/metadata/rhel6/V-38641.rst +++ b/doc/metadata/rhel6/V-38641.rst @@ -1,7 +1,7 @@ --- id: V-38641 status: implemented -tag: misc +tag: services --- The Ansible tasks in the security role will disable the atd service and stop diff --git a/doc/metadata/rhel6/V-38642.rst b/doc/metadata/rhel6/V-38642.rst index cbb8c98e..5e42e5a0 100644 --- a/doc/metadata/rhel6/V-38642.rst +++ b/doc/metadata/rhel6/V-38642.rst @@ -1,11 +1,9 @@ --- id: V-38642 status: opt-in -tag: misc +tag: file_perms --- -**Opt-in required** - The STIG requires that daemons have their umask set to ``027`` or ``022``. Since changing umasks can disrupt some systems, this is an opt-in change. diff --git a/doc/metadata/rhel6/V-38643.rst b/doc/metadata/rhel6/V-38643.rst index ab612f82..cbd45fd2 100644 
--- a/doc/metadata/rhel6/V-38643.rst +++ b/doc/metadata/rhel6/V-38643.rst @@ -1,11 +1,9 @@ --- id: V-38643 status: exception -tag: misc +tag: file_perms --- -**Exception** - Searching for world-writable files on a host deployed with openstack-ansible can be very time consuming and it can create unneccessary I/O load on hosts. Deployers are urged to check for world-writable files on a regular basis in diff --git a/doc/metadata/rhel6/V-38645.rst b/doc/metadata/rhel6/V-38645.rst index dad263b0..151df41f 100644 --- a/doc/metadata/rhel6/V-38645.rst +++ b/doc/metadata/rhel6/V-38645.rst @@ -1,11 +1,9 @@ --- id: V-38645 -status: exception -tag: misc +status: opt-in +tag: file_perms --- -**Exception** - Changing umask settings can disrupt some systems and this change requires a deployer to opt-in. To opt-in for this change and adjust the umask, set the following Ansible variable: diff --git a/doc/metadata/rhel6/V-38646.rst b/doc/metadata/rhel6/V-38646.rst index 4ebe4436..3c009db7 100644 --- a/doc/metadata/rhel6/V-38646.rst +++ b/doc/metadata/rhel6/V-38646.rst @@ -1,11 +1,9 @@ --- id: V-38646 -status: implemented -tag: misc +status: exception - manual intervention +tag: services --- -**Special case** - Very few environments run the ``oddjobd`` service, and those that do run it are usually associated with highly-available, clustered systems. Deployers will need to disable this service manually if it is running on the system. diff --git a/doc/metadata/rhel6/V-38647.rst b/doc/metadata/rhel6/V-38647.rst index ab0355a7..a552f6ae 100644 --- a/doc/metadata/rhel6/V-38647.rst +++ b/doc/metadata/rhel6/V-38647.rst @@ -1,11 +1,9 @@ --- id: V-38647 status: implemented -tag: misc +tag: file_perms --- -**Fixed by another STIG** - Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings are expected to be in ``/etc/login.defs`` instead. diff --git a/doc/metadata/rhel6/V-38648.rst b/doc/metadata/rhel6/V-38648.rst index 257bc671..ce08b3da 100644 
--- a/doc/metadata/rhel6/V-38648.rst +++ b/doc/metadata/rhel6/V-38648.rst @@ -1,7 +1,7 @@ --- id: V-38648 status: implemented -tag: misc +tag: services --- Although some OpenStack implementations use ``qpidd`` for their messaging hub, diff --git a/doc/metadata/rhel6/V-38649.rst b/doc/metadata/rhel6/V-38649.rst index 8b3e1103..8880fca2 100644 --- a/doc/metadata/rhel6/V-38649.rst +++ b/doc/metadata/rhel6/V-38649.rst @@ -1,11 +1,9 @@ --- id: V-38649 status: opt-in -tag: misc +tag: file_perms --- -**Opt-in required** - Since umask changes can be disruptive on some systems, the deployer must opt-in for this change to happen. If the ``security_umask_csh`` Ansible variable is set **and** the csh package is installed, the Ansible tasks will ensure the diff --git a/doc/metadata/rhel6/V-38650.rst b/doc/metadata/rhel6/V-38650.rst index c2992682..cbbcfdce 100644 --- a/doc/metadata/rhel6/V-38650.rst +++ b/doc/metadata/rhel6/V-38650.rst @@ -1,7 +1,7 @@ --- id: V-38650 status: implemented -tag: misc +tag: services --- Ubuntu doesn't provide packages containing the ``rdisc`` service at this time. diff --git a/doc/metadata/rhel6/V-38651.rst b/doc/metadata/rhel6/V-38651.rst index f095591c..21887fc0 100644 --- a/doc/metadata/rhel6/V-38651.rst +++ b/doc/metadata/rhel6/V-38651.rst @@ -1,11 +1,9 @@ --- id: V-38651 status: opt-in -tag: misc +tag: file_perms --- -**Opt-in required** - Changing the umask for the bash shell is an opt-in setting. Deployers that want to set the umask for bash sessions to match the STIG requirement must set the Ansible variable ``security_umask_bash`` to ``077``. diff --git a/doc/metadata/rhel6/V-38652.rst b/doc/metadata/rhel6/V-38652.rst index 36a615bb..d9be6ec1 100644 --- a/doc/metadata/rhel6/V-38652.rst +++ b/doc/metadata/rhel6/V-38652.rst 
@@ -1,11 +1,9 @@ --- id: V-38652 -status: exception +status: exception - manual intervention tag: misc --- -**Exception** - Deployers are urged to use the ``nodev`` option on any remotely mounted filesystems whenever possible. diff --git a/doc/metadata/rhel6/V-38653.rst b/doc/metadata/rhel6/V-38653.rst index c4fa2332..8b6af349 100644 --- a/doc/metadata/rhel6/V-38653.rst +++ b/doc/metadata/rhel6/V-38653.rst @@ -4,8 +4,6 @@ status: exception tag: misc --- -**Exception** - The OpenStack-Ansible project doesn't install snmpd by default. Deployers are strongly recommended to use SNMPv3 with strong passwords for all connectivity if they choose to install snmpd. diff --git a/doc/metadata/rhel6/V-38654.rst b/doc/metadata/rhel6/V-38654.rst index 76555b96..9fe0fe21 100644 --- a/doc/metadata/rhel6/V-38654.rst +++ b/doc/metadata/rhel6/V-38654.rst @@ -1,11 +1,9 @@ --- id: V-38654 -status: exception +status: exception - manual intervention tag: misc --- -**Exception** - Deployers are urged to use the ``nosuid`` option on any remotely mounted filesystems whenever possible. diff --git a/doc/metadata/rhel6/V-38655.rst b/doc/metadata/rhel6/V-38655.rst index 1e5090dd..a0342799 100644 --- a/doc/metadata/rhel6/V-38655.rst +++ b/doc/metadata/rhel6/V-38655.rst @@ -1,11 +1,9 @@ --- id: V-38655 -status: exception +status: exception - manual intervention tag: misc --- -**Exception** - Deployers are strongly urged to mount any additional disks with the ``noexec`` mount option set whenever possible. diff --git a/doc/metadata/rhel6/V-38656.rst b/doc/metadata/rhel6/V-38656.rst index 74675058..477a72b9 100644 --- a/doc/metadata/rhel6/V-38656.rst +++ b/doc/metadata/rhel6/V-38656.rst 
@@ -1,9 +1,9 @@ --- id: V-38656 status: implemented -tag: misc +tag: services --- -The Ansible tasks will check to see if the package is installed and the +The Ansible tasks will check to see if the samba package is installed and the configuration file will be adjusted. If adjustments are made, the service will be restarted. diff --git a/doc/metadata/rhel6/V-38657.rst b/doc/metadata/rhel6/V-38657.rst index 44d05c22..fb4eeea5 100644 --- a/doc/metadata/rhel6/V-38657.rst +++ b/doc/metadata/rhel6/V-38657.rst @@ -1,10 +1,8 @@ --- id: V-38657 -status: exception -tag: misc +status: exception - manual intervention +tag: services --- -**Exception** - Deployers are urged to require SMB client signing if they ever mount samba shares within their infrastructure. diff --git a/doc/metadata/rhel6/V-38658.rst b/doc/metadata/rhel6/V-38658.rst index 4d642b43..66cd565f 100644 --- a/doc/metadata/rhel6/V-38658.rst +++ b/doc/metadata/rhel6/V-38658.rst @@ -1,11 +1,9 @@ --- id: V-38658 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Making adjustments to PAM configurations via automated methods is risky since it can disrupt user authentication on various hosts. Deployers are strongly urged to rely on ssh keys as opposed to enforcing password complexity and diff --git a/doc/metadata/rhel6/V-38659.rst b/doc/metadata/rhel6/V-38659.rst index 01d64160..33e6ff2c 100644 --- a/doc/metadata/rhel6/V-38659.rst +++ b/doc/metadata/rhel6/V-38659.rst @@ -1,11 +1,9 @@ --- id: V-38659 -status: exception +status: exception - initial provisioning tag: misc --- -**Exception** - Creating encrypted storage is left up to the deployer to consider and implement. Although encrypting data at rest on storage volumes does reduce the chances of data theft if the server is physically compromised, it doesn't diff --git a/doc/metadata/rhel6/V-38661.rst b/doc/metadata/rhel6/V-38661.rst index 5c4cf9e4..15c68c74 100644 --- a/doc/metadata/rhel6/V-38661.rst 
+++ b/doc/metadata/rhel6/V-38661.rst @@ -1,11 +1,9 @@ --- id: V-38661 -status: exception +status: exception - initial provisioning tag: misc --- -**Exception** - Creating encrypted storage is left up to the deployer to consider and implement. Although encrypting data at rest on storage volumes does reduce the chances of data theft if the server is physically compromised, it doesn't diff --git a/doc/metadata/rhel6/V-38662.rst b/doc/metadata/rhel6/V-38662.rst index 02d75db9..87183c91 100644 --- a/doc/metadata/rhel6/V-38662.rst +++ b/doc/metadata/rhel6/V-38662.rst @@ -1,11 +1,9 @@ --- id: V-38662 -status: exception +status: exception - initial provisioning tag: misc --- -**Exception** - Creating encrypted storage is left up to the deployer to consider and implement. Although encrypting data at rest on storage volumes does reduce the chances of data theft if the server is physically compromised, it doesn't diff --git a/doc/metadata/rhel6/V-38663.rst b/doc/metadata/rhel6/V-38663.rst index ad079751..49b9a102 100644 --- a/doc/metadata/rhel6/V-38663.rst +++ b/doc/metadata/rhel6/V-38663.rst @@ -1,11 +1,11 @@ --- id: V-38663 -status: exception -tag: misc +status: exception - ubuntu +tag: package --- -**Exception for Ubuntu** - Verifying ownership and permissions of installed packages isn't possible in the current version of ``dpkg`` as it is with ``rpm``. This security configuration -is skipped for Ubuntu. For CentOS, this check is done as part of V-38637. +is skipped for Ubuntu. + +For CentOS, this check is done as part of V-38637. diff --git a/doc/metadata/rhel6/V-38664.rst b/doc/metadata/rhel6/V-38664.rst index b8d6e659..2dc84507 100644 --- a/doc/metadata/rhel6/V-38664.rst +++ b/doc/metadata/rhel6/V-38664.rst 
@@ -1,11 +1,9 @@ --- id: V-38664 -status: exception -tag: misc +status: exception - ubuntu +tag: package --- -**Exception for Ubuntu** - Verifying ownership and permissions of installed packages isn't possible in the current version of ``dpkg`` as it is with ``rpm``. This security configuration is skipped for Ubuntu. For CentOS, this check is done as part of V-38637. diff --git a/doc/metadata/rhel6/V-38665.rst b/doc/metadata/rhel6/V-38665.rst index 50e8c920..40877998 100644 --- a/doc/metadata/rhel6/V-38665.rst +++ b/doc/metadata/rhel6/V-38665.rst @@ -1,11 +1,9 @@ --- id: V-38665 -status: exception -tag: misc +status: exception - ubuntu +tag: package --- -**Exception for Ubuntu** - Verifying ownership and permissions of installed packages isn't possible in the current version of ``dpkg`` as it is with ``rpm``. This security configuration is skipped for Ubuntu. For CentOS, this check is done as part of V-38637. diff --git a/doc/metadata/rhel6/V-38666.rst b/doc/metadata/rhel6/V-38666.rst index 2993802e..95f36511 100644 --- a/doc/metadata/rhel6/V-38666.rst +++ b/doc/metadata/rhel6/V-38666.rst @@ -1,11 +1,9 @@ --- id: V-38666 -status: exception +status: exception - manual intervention tag: misc --- -**Exception** - The installation of an antivirus program is left up to the deployer. There are strong arguments against virus scanners due to detection failures and performance impacts. diff --git a/doc/metadata/rhel6/V-38667.rst b/doc/metadata/rhel6/V-38667.rst index 0f64863a..23984c46 100644 --- a/doc/metadata/rhel6/V-38667.rst +++ b/doc/metadata/rhel6/V-38667.rst @@ -1,11 +1,9 @@ --- id: V-38667 status: implemented -tag: misc +tag: lsm --- -**Fixed by another STIG** - The openstack-ansible project already installs and configures AppArmor, which is a Linux Security Module providing similar functionality to SELinux. In addition, AIDE is installed to monitor system files in the Ansible tasks for 
diff --git a/doc/metadata/rhel6/V-38668.rst b/doc/metadata/rhel6/V-38668.rst index 08b69731..ce5d10c2 100644 --- a/doc/metadata/rhel6/V-38668.rst +++ b/doc/metadata/rhel6/V-38668.rst @@ -1,7 +1,7 @@ --- id: V-38668 status: implemented -tag: misc +tag: console --- In Ubuntu 14.04, the Ansible tasks disable the control-alt-delete keyboard diff --git a/doc/metadata/rhel6/V-38669.rst b/doc/metadata/rhel6/V-38669.rst index 9d24a71d..01f59cc9 100644 --- a/doc/metadata/rhel6/V-38669.rst +++ b/doc/metadata/rhel6/V-38669.rst @@ -1,7 +1,7 @@ --- id: V-38669 status: implemented -tag: misc +tag: mail --- The ``postfix`` package will be installed and configured to run at boot time. diff --git a/doc/metadata/rhel6/V-38670.rst b/doc/metadata/rhel6/V-38670.rst index fbab0813..15848b6e 100644 --- a/doc/metadata/rhel6/V-38670.rst +++ b/doc/metadata/rhel6/V-38670.rst @@ -1,11 +1,12 @@ --- id: V-38670 status: implemented -tag: misc +tag: aide --- -The AIDE package is already installed as part of the Ansible tasks to fix +The ``aide`` package is already installed as part of the Ansible tasks to fix V-38429, but these Ansible tasks will verify that the cron job file is actually -in place. The cron job is installed as part of the aide package installation. -If the cron job is missing, an error will be printed and the playbook will -fail. +in place. + +The cron job is installed as part of the ``aide`` package installation. If the +cron job is missing, an error will be printed and the playbook will fail. diff --git a/doc/metadata/rhel6/V-38671.rst b/doc/metadata/rhel6/V-38671.rst index 41e5a106..7f8d55bd 100644 --- a/doc/metadata/rhel6/V-38671.rst +++ b/doc/metadata/rhel6/V-38671.rst @@ -1,7 +1,7 @@ --- id: V-38671 status: implemented -tag: misc +tag: services --- The security role will remove the sendmail package if it exists on the system. diff --git a/doc/metadata/rhel6/V-38672.rst b/doc/metadata/rhel6/V-38672.rst index 3a578652..330a22dc 100644 --- a/doc/metadata/rhel6/V-38672.rst 
+++ b/doc/metadata/rhel6/V-38672.rst @@ -1,10 +1,10 @@ --- id: V-38672 status: implemented -tag: misc +tag: services --- -Ubuntu doesn't provide the netconsole package and the daemon isn't included +Ubuntu doesn't provide the ``netconsole`` package and the daemon isn't included in any other Ubuntu packages. In CentOS, the ``netconsole`` daemon will be stopped and disabled if it is diff --git a/doc/metadata/rhel6/V-38673.rst b/doc/metadata/rhel6/V-38673.rst index ee4e47e1..fb70c016 100644 --- a/doc/metadata/rhel6/V-38673.rst +++ b/doc/metadata/rhel6/V-38673.rst @@ -1,14 +1,8 @@ --- id: V-38673 -status: exception -tag: misc +status: implemented +tag: aide --- -**Exception** - -Installing AIDE on Ubuntu isn't an issue, but there's a bug that causes AIDE -to wander into individual LXC infrastructure container filesystems. This -causes AIDE runs to take an extremely long time to complete and also adds -files into AIDE's database that shouldn't be included. - -This security configuration will be revisited at a later date. +AIDE is configured to exclude certain directories, and that list of directories +is controlled by the ``security_aide_exclude_dirs`` Ansible variable. diff --git a/doc/metadata/rhel6/V-38674.rst b/doc/metadata/rhel6/V-38674.rst index 3f5b4aab..efa6995f 100644 --- a/doc/metadata/rhel6/V-38674.rst +++ b/doc/metadata/rhel6/V-38674.rst @@ -1,7 +1,7 @@ --- id: V-38674 status: implemented -tag: misc +tag: x11 --- In Ubuntu 14.04, the upstart init system looks for the default runlevel in the diff --git a/doc/metadata/rhel6/V-38676.rst b/doc/metadata/rhel6/V-38676.rst index 06345842..5e041aeb 100644 --- a/doc/metadata/rhel6/V-38676.rst +++ b/doc/metadata/rhel6/V-38676.rst @@ -1,7 +1,7 @@ --- id: V-38676 status: implemented -tag: misc +tag: services --- The Ansible tasks will remove the ``xserver-xorg`` package if it is present. diff --git a/doc/metadata/rhel6/V-38677.rst b/doc/metadata/rhel6/V-38677.rst index 9ab064c6..35416b05 100644 
--- a/doc/metadata/rhel6/V-38677.rst +++ b/doc/metadata/rhel6/V-38677.rst @@ -1,8 +1,9 @@ --- id: V-38677 status: implemented -tag: misc +tag: nfsd --- -The tasks in nfsd.yml first check to see if the system has nfs exports. If -so, it then checks for the presence of 'insecure_locks'. +If the system has NFS exports configured, the Ansible tasks will search for +``insecure_locks`` in the options column for any of the available exports. If +the option is found, the playbook will fail with an error. diff --git a/doc/metadata/rhel6/V-38678.rst b/doc/metadata/rhel6/V-38678.rst index 7ec968de..fe184142 100644 --- a/doc/metadata/rhel6/V-38678.rst +++ b/doc/metadata/rhel6/V-38678.rst @@ -1,7 +1,7 @@ --- id: V-38678 status: implemented -tag: misc +tag: auditd --- When auditd notices that free disk space on its logging partition is low, it diff --git a/doc/metadata/rhel6/V-38679.rst b/doc/metadata/rhel6/V-38679.rst index 3e0e93c6..5a29a05e 100644 --- a/doc/metadata/rhel6/V-38679.rst +++ b/doc/metadata/rhel6/V-38679.rst @@ -1,11 +1,9 @@ --- id: V-38679 status: exception -tag: misc +tag: services --- -**Exception** - The DHCP client is needed for containers to function properly and may be needed for some hosts as well. Deployers should examine their networking configuration to verify if DHCP clients can be disabled. diff --git a/doc/metadata/rhel6/V-38680.rst b/doc/metadata/rhel6/V-38680.rst index 5d5c4dd7..38ef2d6f 100644 --- a/doc/metadata/rhel6/V-38680.rst +++ b/doc/metadata/rhel6/V-38680.rst 
@@ -1,11 +1,11 @@ --- id: V-38680 status: implemented -tag: misc +tag: mail --- -By default, Ubuntu sets the default recipient for storage capacity issues in -auditd to the root user. The Ansible task ensures that the default remains set. +The Ansible tasks will ensure that mail for the ``auditd`` user is forwarded +to the ``root`` user for review. Deployers are strongly urged to review V-38446 to ensure they have set the ``security_root_forward_email`` variable so that the email system can route diff --git a/doc/metadata/rhel6/V-38681.rst b/doc/metadata/rhel6/V-38681.rst index 16b51d8f..837330ef 100644 --- a/doc/metadata/rhel6/V-38681.rst +++ b/doc/metadata/rhel6/V-38681.rst @@ -1,7 +1,7 @@ --- id: V-38681 status: implemented -tag: misc +tag: auth --- The Ansible tasks will run ``pwck`` to find any groups that are defined in diff --git a/doc/metadata/rhel6/V-38682.rst b/doc/metadata/rhel6/V-38682.rst index 1becedac..d7017dcf 100644 --- a/doc/metadata/rhel6/V-38682.rst +++ b/doc/metadata/rhel6/V-38682.rst @@ -1,7 +1,7 @@ --- id: V-38682 status: implemented -tag: misc +tag: kernel --- The Ansible task will disable the bluetooth kernel modules to meet the STIG diff --git a/doc/metadata/rhel6/V-38683.rst b/doc/metadata/rhel6/V-38683.rst index f2f9b8b2..efa6945d 100644 --- a/doc/metadata/rhel6/V-38683.rst +++ b/doc/metadata/rhel6/V-38683.rst @@ -1,7 +1,7 @@ --- id: V-38683 status: implemented -tag: misc +tag: auth --- The Ansible task will use the ``pwck`` command to search for non-unique diff --git a/doc/metadata/rhel6/V-38684.rst b/doc/metadata/rhel6/V-38684.rst index 0d9981e9..92fb86b8 100644 --- a/doc/metadata/rhel6/V-38684.rst +++ b/doc/metadata/rhel6/V-38684.rst @@ -4,8 +4,6 @@ status: opt-in tag: misc --- -**Opt-in required** - Ubuntu does not set a limit on the maximum number of active sessions that a single user can have at one time. The STIG requires setting a limit of ``10``. 
diff --git a/doc/metadata/rhel6/V-38685.rst b/doc/metadata/rhel6/V-38685.rst index e1d854f6..e9203879 100644 --- a/doc/metadata/rhel6/V-38685.rst +++ b/doc/metadata/rhel6/V-38685.rst @@ -1,11 +1,9 @@ --- id: V-38685 -status: exception +status: exception - manual intervention tag: misc --- -**Exception** - It's not possible to determine which accounts may be temporary or permanent via automated methods, so this configuration change is left to deployers to configure and manage. Refer to the documentation in the STIG Viewer (link diff --git a/doc/metadata/rhel6/V-38686.rst b/doc/metadata/rhel6/V-38686.rst index 2fe0ed2d..f2ec11d4 100644 --- a/doc/metadata/rhel6/V-38686.rst +++ b/doc/metadata/rhel6/V-38686.rst @@ -1,12 +1,10 @@ --- id: V-38686 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - -Although a minimal set of iptables rules are configured on openstack-ansible +Although a minimal set of iptables rules are configured on OpenStack-Ansible hosts, the "deny all" requirement of the STIG is not met. This is largely left up to the deployer to do, based on their assessment of their own network segmentation. diff --git a/doc/metadata/rhel6/V-38687.rst b/doc/metadata/rhel6/V-38687.rst index c9279e8a..d610c25a 100644 --- a/doc/metadata/rhel6/V-38687.rst +++ b/doc/metadata/rhel6/V-38687.rst @@ -1,10 +1,8 @@ --- id: V-38687 -status: exception -tag: misc +status: exception - manual intervention +tag: network --- -**Exception** - The configuration of encrypted tunnels between deployers and their OpenStack environment is left up to the deployers to configure. diff --git a/doc/metadata/rhel6/V-38688.rst b/doc/metadata/rhel6/V-38688.rst index 095c4c67..9fbc1e6e 100644 --- a/doc/metadata/rhel6/V-38688.rst +++ b/doc/metadata/rhel6/V-38688.rst 
@@ -1,11 +1,9 @@ --- id: V-38688 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38689.rst b/doc/metadata/rhel6/V-38689.rst index 7f80a2bc..2cfa9624 100644 --- a/doc/metadata/rhel6/V-38689.rst +++ b/doc/metadata/rhel6/V-38689.rst @@ -1,11 +1,9 @@ --- id: V-38689 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-38690.rst b/doc/metadata/rhel6/V-38690.rst index 4ec56199..180f8ab1 100644 --- a/doc/metadata/rhel6/V-38690.rst +++ b/doc/metadata/rhel6/V-38690.rst @@ -1,11 +1,9 @@ --- id: V-38690 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - It's not possible to determine which accounts may be temporary or permanent via automated methods, so this configuration change is left to deployers to configure and manage. Refer to the documentation in the STIG Viewer (link diff --git a/doc/metadata/rhel6/V-38691.rst b/doc/metadata/rhel6/V-38691.rst index dbe24f4c..3b57d311 100644 --- a/doc/metadata/rhel6/V-38691.rst +++ b/doc/metadata/rhel6/V-38691.rst @@ -1,7 +1,7 @@ --- id: V-38691 status: implemented -tag: misc +tag: services --- The Ansible tasks will disable the ``bluetooth`` service and stop it if it is diff --git a/doc/metadata/rhel6/V-38692.rst b/doc/metadata/rhel6/V-38692.rst index 77584efc..e3af1906 100644 --- a/doc/metadata/rhel6/V-38692.rst +++ b/doc/metadata/rhel6/V-38692.rst 
@@ -1,11 +1,9 @@ --- id: V-38692 status: opt-in -tag: misc +tag: auth --- -**Opt-in required** - Deployers must opt-in for this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel6/V-38693.rst b/doc/metadata/rhel6/V-38693.rst index 1d343625..deeb2fcf 100644 --- a/doc/metadata/rhel6/V-38693.rst +++ b/doc/metadata/rhel6/V-38693.rst @@ -1,11 +1,9 @@ --- id: V-38693 -status: exception -tag: misc +status: exception - manual intervention +tag: auth --- -**Exception** - Password complexity requirements are left up to the deployer. Deployers are urged to rely on SSH keys as often as possible to avoid problems with passwords. diff --git a/doc/metadata/rhel6/V-38694.rst b/doc/metadata/rhel6/V-38694.rst index 6d105879..a2e9fb6c 100644 --- a/doc/metadata/rhel6/V-38694.rst +++ b/doc/metadata/rhel6/V-38694.rst @@ -1,11 +1,9 @@ --- id: V-38694 status: opt-in -tag: misc +tag: auth --- -**Opt-in required** - Deployers must opt-in for this change by setting the following Ansible variable: diff --git a/doc/metadata/rhel6/V-38695.rst b/doc/metadata/rhel6/V-38695.rst index 1687da60..ab5c4da4 100644 --- a/doc/metadata/rhel6/V-38695.rst +++ b/doc/metadata/rhel6/V-38695.rst @@ -1,11 +1,12 @@ --- id: V-38695 status: implemented -tag: misc +tag: aide --- The AIDE package is already installed as part of the Ansible tasks to fix V-38429, but these Ansible tasks will verify that the cron job file is actually in place. The cron job is installed as part of the aide package installation. + If the cron job is missing, an error will be printed and the playbook will fail. diff --git a/doc/metadata/rhel6/V-38696.rst b/doc/metadata/rhel6/V-38696.rst index 07dfa974..566e14ce 100644 --- a/doc/metadata/rhel6/V-38696.rst +++ b/doc/metadata/rhel6/V-38696.rst @@ -1,7 +1,7 @@ --- id: V-38696 status: implemented -tag: misc +tag: aide --- The AIDE package is already installed as part of the Ansible tasks to fix 
diff --git a/doc/metadata/rhel6/V-38697.rst b/doc/metadata/rhel6/V-38697.rst index d5afd3d9..91d2d6b2 100644 --- a/doc/metadata/rhel6/V-38697.rst +++ b/doc/metadata/rhel6/V-38697.rst @@ -4,8 +4,6 @@ status: exception tag: misc --- -**Exception** - Running a ``find`` command on the system during the playbook run is time-consuming and will also slow down disk I/O while it runs. Deployers are urged to review public directories to ensure the sticky bit is diff --git a/doc/metadata/rhel6/V-38698.rst b/doc/metadata/rhel6/V-38698.rst index 1d0b85bb..8a27ddcb 100644 --- a/doc/metadata/rhel6/V-38698.rst +++ b/doc/metadata/rhel6/V-38698.rst @@ -1,7 +1,7 @@ --- id: V-38698 status: implemented -tag: misc +tag: aide --- The AIDE package is already installed as part of the Ansible tasks to fix diff --git a/doc/metadata/rhel6/V-38699.rst b/doc/metadata/rhel6/V-38699.rst index b1aac9c4..9a39a0b0 100644 --- a/doc/metadata/rhel6/V-38699.rst +++ b/doc/metadata/rhel6/V-38699.rst @@ -1,11 +1,9 @@ --- id: V-38699 -status: exception -tag: misc +status: exception - manual intervention +tag: file_perms --- -**Exception** - The STIG requires administrators to search for directories meeting all of the following criteria: diff --git a/doc/metadata/rhel6/V-38700.rst b/doc/metadata/rhel6/V-38700.rst index 758d2a2f..f2c89609 100644 --- a/doc/metadata/rhel6/V-38700.rst +++ b/doc/metadata/rhel6/V-38700.rst @@ -1,7 +1,7 @@ --- id: V-38700 status: implemented -tag: misc +tag: aide --- The AIDE package is already installed as part of the Ansible tasks to fix diff --git a/doc/metadata/rhel6/V-38701.rst b/doc/metadata/rhel6/V-38701.rst index 7dd4653e..ddce1996 100644 --- a/doc/metadata/rhel6/V-38701.rst +++ b/doc/metadata/rhel6/V-38701.rst 
@@ -1,12 +1,10 @@ --- id: V-38701 status: exception -tag: misc +tag: services --- -**Exception** - Neither OpenStack-Ansible or any of the operating systems supported by the -security role will install the tftp daemon by default. Deployers with a tftp -server deployed should review the risks associated with running the service and -configure it to meet the STIG's requirements. +security role will install the ``tftp`` daemon by default. Deployers with a +``tftp`` server deployed should review the risks associated with running the +service and configure it to meet the STIG's requirements. diff --git a/doc/metadata/rhel6/V-43150.rst b/doc/metadata/rhel6/V-43150.rst index fc18d33a..8ab1b018 100644 --- a/doc/metadata/rhel6/V-43150.rst +++ b/doc/metadata/rhel6/V-43150.rst @@ -1,11 +1,9 @@ --- id: V-43150 status: exception -tag: misc +tag: x11 --- -**Exception** - Deployers are urged to use graphical desktops only on client machines that connect to the OpenStack environment, rather than configuring graphical desktops within the OpenStack infrastructure itself. diff --git a/doc/metadata/rhel6/V-51337.rst b/doc/metadata/rhel6/V-51337.rst index 881444bf..7bd3326a 100644 --- a/doc/metadata/rhel6/V-51337.rst +++ b/doc/metadata/rhel6/V-51337.rst @@ -1,7 +1,7 @@ --- id: V-51337 status: implemented -tag: misc +tag: lsm --- The tasks in the security role will enable the Linux Security diff --git a/doc/metadata/rhel6/V-51363.rst b/doc/metadata/rhel6/V-51363.rst index e48ccddd..34ed4413 100644 --- a/doc/metadata/rhel6/V-51363.rst +++ b/doc/metadata/rhel6/V-51363.rst @@ -1,7 +1,7 @@ --- id: V-51363 status: implemented -tag: misc +tag: lsm --- For Ubuntu, the standard AppArmor policies provided by the AppArmor package are diff --git a/doc/metadata/rhel6/V-51369.rst b/doc/metadata/rhel6/V-51369.rst index b2b82d0a..2e573212 100644 --- a/doc/metadata/rhel6/V-51369.rst +++ b/doc/metadata/rhel6/V-51369.rst 
@@ -4,9 +4,11 @@ status: implemented tag: misc --- -Although SELinux is available on Ubuntu 14.04, the policies aren't maintained -as well as they are on Red Hat-based systems. The openstack-ansible project -has chosen to use the more Ubuntu-compatible Linux security module, AppArmor. +For Ubuntu, the standard AppArmor policies provided by the AppArmor package are +loaded. The OpenStack-Ansible project also configures AppArmor to limit the +actions of containers and reduce the changes (and potential damages) of a +container breakout. -AppArmor roles are configured in openstack-ansible to limit the chances of -container breakout and the potential damage done in case it does occur. +On CentOS 7, the ``selinux-policy-targeted`` package provides SELinux policies +that enforce limits on system services and users. SELinux is configured to use +the ``targeted`` policy by default. diff --git a/doc/metadata/rhel6/V-51379.rst b/doc/metadata/rhel6/V-51379.rst index 7d089ad9..44b241d1 100644 --- a/doc/metadata/rhel6/V-51379.rst +++ b/doc/metadata/rhel6/V-51379.rst @@ -1,11 +1,9 @@ --- id: V-51379 -status: exception -tag: misc +status: exception - ubuntu +tag: lsm --- -**Exception for Ubuntu** - The security role will search for unlabeled devices on CentOS and the playbook will fail with an error message if any unlabeled devices are found. diff --git a/doc/metadata/rhel6/V-51391.rst b/doc/metadata/rhel6/V-51391.rst index 745a4476..d7c4f20e 100644 --- a/doc/metadata/rhel6/V-51391.rst +++ b/doc/metadata/rhel6/V-51391.rst @@ -1,7 +1,7 @@ --- id: V-51391 status: implemented -tag: misc +tag: aide --- When AIDE is first installed for V-38429, a new database will be created. diff --git a/doc/metadata/rhel6/V-51875.rst b/doc/metadata/rhel6/V-51875.rst index d92b78e6..26aa160c 100644 --- a/doc/metadata/rhel6/V-51875.rst +++ b/doc/metadata/rhel6/V-51875.rst 
@@ -1,7 +1,7 @@ --- id: V-51875 status: implemented -tag: misc +tag: auth --- Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last diff --git a/doc/metadata/rhel6/V-54381.rst b/doc/metadata/rhel6/V-54381.rst index 03a250ac..c0a50132 100644 --- a/doc/metadata/rhel6/V-54381.rst +++ b/doc/metadata/rhel6/V-54381.rst @@ -1,11 +1,9 @@ --- id: V-54381 -status: exception -tag: misc +status: opt-in +tag: auditd --- -**Exception** - The STIG requires that the audit system must switch the entire system into single-user mode when the space for logging becomes dangerously low. diff --git a/doc/metadata/rhel6/V-57569.rst b/doc/metadata/rhel6/V-57569.rst index ab1e4d13..93549cc5 100644 --- a/doc/metadata/rhel6/V-57569.rst +++ b/doc/metadata/rhel6/V-57569.rst @@ -1,11 +1,9 @@ --- id: V-57569 -status: exception -tag: misc +status: exception - initial provisioning +tag: boot --- -**Exception** - Altering partitions and how they are mounted is left up to the deployer to configure during the OS installation process. Mounting ``/tmp/`` with the ``noexec`` option is highly recommended to prevent scripts diff --git a/doc/metadata/rhel6/V-58901.rst b/doc/metadata/rhel6/V-58901.rst index ecc08d16..11f7f809 100644 --- a/doc/metadata/rhel6/V-58901.rst +++ b/doc/metadata/rhel6/V-58901.rst @@ -1,7 +1,7 @@ --- id: V-58901 status: implemented -tag: misc +tag: auth --- This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within diff --git a/doc/metadata/template_toc.j2 b/doc/metadata/template_toc.j2 index 4aa57bd6..da546d51 100644 --- a/doc/metadata/template_toc.j2 +++ b/doc/metadata/template_toc.j2 
@@ -3,13 +3,17 @@ {{ page_title }} {{ "=" * page_title | length }} -{% for section_header, stig_id_list in stig_dict.items() %} - .. contents:: :depth: 2 :backlinks: none +{% for section_header, stig_id_list in stig_dict.items() %} + +{% if toc_type == 'tag' %} +{% set section_title = section_header + " (" + stig_id_list | length | string + " controls)" %} +{% else %} {% set section_title = section_header | title + " (" + stig_id_list | length | string + " controls)" %} +{% endif %} {{ section_title }} {{ "=" * section_title | length }}
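Review bot: The new `{% if toc_type == 'tag' %}` / `{% else %}` branches in template_toc.j2 duplicate the whole `" (" + stig_id_list | length | string + " controls)"` suffix and differ only in whether `section_header` is passed through `| title`, which invites the two copies drifting apart on the next edit. The same result can be expressed once by branching on the header alone, e.g. `{% set header_text = section_header if toc_type == 'tag' else section_header | title %}` followed by `{% set section_title = header_text ~ " (" ~ stig_id_list | length ~ " controls)" %}`, where `~` handles the int-to-string conversion so the `| string` filter is no longer needed. If I read Jinja's default Undefined semantics correctly, a caller that does not pass `toc_type` silently falls into the `| title` branch rather than erroring, which is worth a one-line comment above the `{% if %}` stating that `toc_type` is optional and defaults to the title-cased layout. The `{% for %}` loop opened in this hunk is closed outside it.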