Make .shosts search/removal opt in

This patch makes the search for .shosts/shosts.equiv files an opt in operation. Closes-Bug: 1665568 Change-Id: Ide0c69a4112981e75defeaa317609e6a5f930225
2017-03-07 12:14:14 -06:00 · 2017-03-07 12:14:14 -06:00 · 9efb8153f1
commit 9efb8153f1
parent 5f2d563e51
4 changed files with 16 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -506,7 +506,7 @@ security_pam_faillock_unlock_time: 604800                    # RHEL-07-010372
 # Limit the number of concurrent connections per account.
 #security_rhel7_concurrent_session_limit: 10                 # RHEL-07-040010
 # Remove .shosts and shosts.equiv files.
-security_rhel7_remove_shosts_files: yes                      # RHEL-07-040330
+security_rhel7_remove_shosts_files: no                       # RHEL-07-040330

 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
--- a/doc/metadata/rhel7/RHEL-07-040330.rst
+++ b/doc/metadata/rhel7/RHEL-07-040330.rst
@ -1,14 +1,18 @@
 ---
 id: RHEL-07-040330
-status: implemented
+status: opt-in
 tag: auth
 ---

 The tasks in the security role examine the filesystem for any ``.shosts`` or
 ``shosts.equiv`` files. If they are found, they are deleted.

-Deployers can opt out of this change by setting the following Ansible variable:
+The search for these files will take a very long time on systems with slow
+disks or systems with a large amount of files. Therefore, this task is skipped
+by default.
+
+Deployers can opt in for this change by setting the following Ansible variable:

 .. code-block:: yaml

-    security_rhel7_remove_shosts_files: no
+    security_rhel7_remove_shosts_files: yes
--- a/releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml
+++ b/releasenotes/notes/shosts-file-search-opt-in-887f600a79eef07e.yaml
@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The tasks that search for ``.shosts`` and ``shosts.equiv`` files
+    (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a
+    long time to complete on systems with lots of files and it also causes a
+    significant amount of disk I/O while it runs.
--- a/tests/test.yml
+++ b/tests/test.yml
@ -96,3 +96,4 @@
    security_require_grub_authentication: yes
    security_set_home_directory_permissions_and_owners_recursively: no
    security_reset_perm_ownership: yes
+    security_rhel7_remove_shosts_files: yes