Handle RHEL 7 STIG renumbering

This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604

defaults/main.yml

@@ -384,156 +384,154 @@ security_unattended_upgrades_notifications: false
 
 ## AIDE (aide)
 # Initialize the AIDE database immediately (may take time).
-security_rhel7_initialize_aide: no                           # RHEL-07-020130
+security_rhel7_initialize_aide: no                           # V-71973
 
 ## Audit daemon (auditd)
 # Send audit records to a different system using audisp.
-#security_audisp_remote_server: '10.0.21.1'                  # RHEL-07-030330
+#security_audisp_remote_server: '10.0.21.1'                  # V-72083
 # Encrypt audit records when they are transmitted over the network.
-#security_audisp_enable_krb5: yes                            # RHEL-07-030331
+#security_audisp_enable_krb5: yes                            # V-72085
 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
-security_rhel7_audit_failure_flag: 1                         # RHEL-07-030090
+security_rhel7_audit_failure_flag: 1                         # V-72081
 # Set the action to take when the disk is full or network events cannot be sent.
-security_rhel7_auditd_disk_full_action: syslog               # RHEL-07-030340
+security_rhel7_auditd_disk_full_action: syslog               # V-72087
-security_rhel7_auditd_network_failure_action: syslog         # RHEL-07-030340
+security_rhel7_auditd_network_failure_action: syslog         # V-72087
 # Size of remaining disk space (in MB) that triggers alerts.
-security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # RHEL-07-030350
+security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
 # Action to take when the space_left threshold is reached.
-security_rhel7_auditd_space_left_action: email               # RHEL-07-030351
+security_rhel7_auditd_space_left_action: email               # V-72091
 # Send auditd email alerts to this user.
-security_rhel7_auditd_action_mail_acct: root                 # RHEL-07-030352
+security_rhel7_auditd_action_mail_acct: root                 # V-72093
 # Add audit rules for commands/syscalls.
-security_rhel7_audit_chsh: yes                               # RHEL-07-030525
+security_rhel7_audit_chsh: yes                               # V-72167
-security_rhel7_audit_chage: yes                              # RHEL-07-030513
+security_rhel7_audit_chage: yes                              # V-72155
-security_rhel7_audit_chcon: yes                              # RHEL-07-030443
+security_rhel7_audit_chcon: yes                              # V-72139
-security_rhel7_audit_chmod: no                               # RHEL-07-030390
+security_rhel7_audit_chmod: no                               # V-72105
-security_rhel7_audit_chown: no                               # RHEL-07-030380
+security_rhel7_audit_chown: no                               # V-72097
-security_rhel7_audit_creat: yes                              # RHEL-07-030420
+security_rhel7_audit_creat: yes                              # V-72123
-security_rhel7_audit_crontab: yes                            # RHEL-07-030561
+security_rhel7_audit_crontab: yes                            # V-72183
-security_rhel7_audit_delete_module: yes                      # RHEL-07-030671
+security_rhel7_audit_delete_module: yes                      # V-72189
-security_rhel7_audit_fchmod: no                              # RHEL-07-030391
+security_rhel7_audit_fchmod: no                              # V-72107
-security_rhel7_audit_fchmodat: no                            # RHEL-07-030392
+security_rhel7_audit_fchmodat: no                            # V-72109
-security_rhel7_audit_fchown: no                              # RHEL-07-030381
+security_rhel7_audit_fchown: no                              # V-72099
-security_rhel7_audit_fchownat: no                            # RHEL-07-030383
+security_rhel7_audit_fchownat: no                            # V-72103
-security_rhel7_audit_fremovexattr: no                        # RHEL-07-030404
+security_rhel7_audit_fremovexattr: no                        # V-72119
-security_rhel7_audit_fsetxattr: no                           # RHEL-07-030401
+security_rhel7_audit_fsetxattr: no                           # V-72113
-security_rhel7_audit_ftruncate: yes                          # RHEL-07-030425
+security_rhel7_audit_ftruncate: yes                          # V-72133
-security_rhel7_audit_init_module: yes                        # RHEL-07-030670
+security_rhel7_audit_init_module: yes                        # V-72187
-security_rhel7_audit_gpasswd: yes                            # RHEL-07-030512
+security_rhel7_audit_gpasswd: yes                            # V-72153
-security_rhel7_audit_lchown: no                              # RHEL-07-030382
+security_rhel7_audit_lchown: no                              # V-72101
-security_rhel7_audit_lremovexattr: no                        # RHEL-07-030405
+security_rhel7_audit_lremovexattr: no                        # V-72121
-security_rhel7_audit_lsetxattr: no                           # RHEL-07-030402
+security_rhel7_audit_lsetxattr: no                           # V-72115
-security_rhel7_audit_mount: yes                              # RHEL-07-030530
+security_rhel7_audit_mount: yes                              # V-72171
-security_rhel7_audit_newgrp: yes                             # RHEL-07-030524
+security_rhel7_audit_newgrp: yes                             # V-72165
-security_rhel7_audit_open: yes                               # RHEL-07-030421
+security_rhel7_audit_open: yes                               # V-72125
-security_rhel7_audit_openat: yes                             # RHEL-07-030422
+security_rhel7_audit_openat: yes                             # V-72127
-security_rhel7_audit_open_by_handle_at: yes                  # RHEL-07-030423
+security_rhel7_audit_open_by_handle_at: yes                  # V-72129
-security_rhel7_audit_pam_timestamp_check: yes                # RHEL-07-030630
+security_rhel7_audit_pam_timestamp_check: yes                # V-72185
-security_rhel7_audit_passwd: yes                             # RHEL-07-030510
+security_rhel7_audit_passwd: yes                             # V-72149
-security_rhel7_audit_postdrop: yes                           # RHEL-07-030540
+security_rhel7_audit_postdrop: yes                           # V-72175
-security_rhel7_audit_postqueue: yes                          # RHEL-07-030541
+security_rhel7_audit_postqueue: yes                          # V-72177
-security_rhel7_audit_pt_chown: yes                           # RHEL-07-030560
+security_rhel7_audit_pt_chown: yes                           # V-72181
-security_rhel7_audit_removexattr: no                         # RHEL-07-030403
+security_rhel7_audit_removexattr: no                         # V-72117
-security_rhel7_audit_rename: yes                             # RHEL-07-030750
+security_rhel7_audit_rename: yes                             # V-72199
-security_rhel7_audit_renameat: yes                           # RHEL-07-030751
+security_rhel7_audit_renameat: yes                           # V-72201
-security_rhel7_audit_restorecon: yes                         # RHEL-07-030444
+security_rhel7_audit_restorecon: yes                         # V-72141
-security_rhel7_audit_rmdir: yes                              # RHEL-07-030752
+security_rhel7_audit_rmdir: yes                              # V-72203
-security_rhel7_audit_semanage: yes                           # RHEL-07-030441
+security_rhel7_audit_semanage: yes                           # V-72135
-security_rhel7_audit_setsebool: yes                          # RHEL-07-030442
+security_rhel7_audit_setsebool: yes                          # V-72137
-security_rhel7_audit_setxattr: no                            # RHEL-07-030400
+security_rhel7_audit_setxattr: no                            # V-72111
-security_rhel7_audit_ssh_keysign: yes                        # RHEL-07-030550
+security_rhel7_audit_ssh_keysign: yes                        # V-72179
-security_rhel7_audit_su: yes                                 # RHEL-07-030521
+security_rhel7_audit_su: yes                                 # V-72159
-security_rhel7_audit_sudo: yes                               # RHEL-07-030522
+security_rhel7_audit_sudo: yes                               # V-72161
-security_rhel7_audit_sudoedit: yes                           # RHEL-07-030526
+security_rhel7_audit_sudoedit: yes                           # V-72169
-security_rhel7_audit_truncate: yes                           # RHEL-07-030424
+security_rhel7_audit_truncate: yes                           # V-72131
-security_rhel7_audit_umount: yes                             # RHEL-07-030531
+security_rhel7_audit_umount: yes                             # V-72173
-security_rhel7_audit_unix_chkpwd: yes                        # RHEL-07-030511
+security_rhel7_audit_unix_chkpwd: yes                        # V-72151
-security_rhel7_audit_unlink: yes                             # RHEL-07-030753
+security_rhel7_audit_unlink: yes                             # V-72205
-security_rhel7_audit_unlinkat: yes                           # RHEL-07-030754
+security_rhel7_audit_unlinkat: yes                           # V-72207
-security_rhel7_audit_userhelper: yes                         # RHEL-07-030514
+security_rhel7_audit_userhelper: yes                         # V-72157
 # Add audit rules for other events.
-security_rhel7_audit_account_access: yes                     # RHEL-07-030490
+security_rhel7_audit_account_access: yes                     # V-72143
-security_rhel7_audit_sudo_config_changes: yes                # RHEL-07-030523
+security_rhel7_audit_sudo_config_changes: yes                # V-72163
-security_rhel7_audit_insmod: yes                             # RHEL-07-030672
+security_rhel7_audit_insmod: yes                             # V-72191
-security_rhel7_audit_rmmod: yes                              # RHEL-07-030673
+security_rhel7_audit_rmmod: yes                              # V-72193
-security_rhel7_audit_modprobe: yes                           # RHEL-07-030674
+security_rhel7_audit_modprobe: yes                           # V-72195
-security_rhel7_audit_account_actions: yes                    # RHEL-07-030710
+security_rhel7_audit_account_actions: yes                    # V-72197
 
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
-security_disallow_blank_password_login: yes                  # RHEL-07-010260
+security_disallow_blank_password_login: yes                  # V-71937
 # Apply password quality rules.
 # NOTE: The security_pwquality_apply_rules variable is a "master switch".
 # Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
 # the password quality rules. Each rule can be disabled with a value of 'no'.
 security_pwquality_apply_rules: no
-security_pwquality_require_uppercase: yes                    # RHEL-07-010090
+security_pwquality_require_uppercase: yes                    # V-71903
-security_pwquality_require_lowercase: yes                    # RHEL-07-010100
+security_pwquality_require_lowercase: yes                    # V-71905
-security_pwquality_require_numeric: yes                      # RHEL-07-010110
+security_pwquality_require_numeric: yes                      # V-71907
-security_pwquality_require_special: yes                      # RHEL-07-010120
+security_pwquality_require_special: yes                      # V-71909
-security_pwquality_require_characters_changed: yes           # RHEL-07-010130
+security_pwquality_require_characters_changed: yes           # V-71911
-security_pwquality_require_character_classes_changed: yes    # RHEL-07-010140
+security_pwquality_require_character_classes_changed: yes    # V-71913
-security_pwquality_limit_repeated_characters: yes            # RHEL-07-010150
+security_pwquality_limit_repeated_characters: yes            # V-71915
-security_pwquality_limit_repeated_character_classes: yes     # RHEL-07-010160
+security_pwquality_limit_repeated_character_classes: yes     # V-71917
-security_pwquality_require_minimum_password_length: no       # RHEL-07-010250
+security_pwquality_require_minimum_password_length: no       # V-71935
+# Use pwquality when passwords are changed or established.
+security_enable_pwquality_password_set: no                   # V-73159
 # Ensure passwords are stored using SHA512.
-security_password_encrypt_method: SHA512                     # RHEL-07-010180
+security_password_encrypt_method: SHA512                     # V-71921
 # Ensure user/group admin utilities only store encrypted passwords.
-security_libuser_crypt_style_sha512: yes                     # RHEL-07-010190
+security_libuser_crypt_style_sha512: yes                     # V-71923
 # Set a minimum/maximum lifetime limit for user passwords.
-#security_password_min_lifetime_days: 1                      # RHEL-07-010200
+#security_password_min_lifetime_days: 1                      # V-71925
-#security_password_max_lifetime_days: 60                     # RHEL-07-010220
+#security_password_max_lifetime_days: 60                     # V-71929
-# Set a timeout (in seconds) to cache NSS authenticators with sssd.
-security_nss_cached_authenticator_timeout: 86400             # RHEL-07-010400
-# Set a timeout (in days) to cache PAM/ssh authenticators with sssd.
-security_pam_offline_credentials_expiration_days: 1          # RHEL-07-010401 / RHEL-07-010402
 # Set a delay (in seconds) between failed login attempts.
-security_shadow_utils_fail_delay: 4                          # RHEL-07-010420
+security_shadow_utils_fail_delay: 4                          # V-71951
 # Set a umask for all authenticated users.
-# security_shadow_utils_umask: '077'                         # RHEL-07-020230
+# security_shadow_utils_umask: '077'                         # V-71995
 # Create home directories for new users by default.
-security_shadow_utils_create_home: yes                       # RHEL-07-020630
+security_shadow_utils_create_home: yes                       # V-72013
 # How many old user password to remember to prevent password re-use.
-#security_password_remember_password: 5                      # RHEL-07-010240
+#security_password_remember_password: 5                      # V-71933
 # Disable user accounts if the password expires.
-security_disable_account_if_password_expires: no             # RHEL-07-010280
+security_disable_account_if_password_expires: no             # V-71941
 # Lock user accounts with excessive login failures. See documentation.
-security_pam_faillock_enable: no                             # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
+security_pam_faillock_enable: no                             # V-71945 / V-71943 / RHEL-07-010373
 security_pam_faillock_interval: 900
 security_pam_faillock_attempts: 3
 security_pam_faillock_deny_root: yes                         # RHEL-07-010373
-security_pam_faillock_unlock_time: 604800                    # RHEL-07-010372
+security_pam_faillock_unlock_time: 604800                    # V-71943
 # Limit the number of concurrent connections per account.
-#security_rhel7_concurrent_session_limit: 10                 # RHEL-07-040010
+#security_rhel7_concurrent_session_limit: 10                 # V-72217
 # Remove .shosts and shosts.equiv files.
-security_rhel7_remove_shosts_files: no                       # RHEL-07-040330
+security_rhel7_remove_shosts_files: no                       # V-72277
 
 ## File permissions (file_perms)
 # Reset file permissions and ownership for files installed via RPM packages.
-security_reset_perm_ownership: no                            # RHEL-07-010010
+security_reset_perm_ownership: no                            # V-71849
 # Search for files/directories owned by invalid users or groups.
-security_search_for_invalid_owner: no                        # RHEL-07-020360
+security_search_for_invalid_owner: no                        # V-72007
-security_search_for_invalid_group_owner: no                  # RHEL-07-020370
+security_search_for_invalid_group_owner: no                  # V-72009
 # Set user/group owners on each home directory and set mode to 0750.
-security_set_home_directory_permissions_and_owners: no       # RHEL-07-020650 / RHEL-07-020660 / RHEL-07-020670
+security_set_home_directory_permissions_and_owners: no       # V-72017 / V-72019 / V-72021
 
 ## Graphical interfaces (graphical)
 # Disable automatic gdm logins
-security_disable_gdm_automatic_login: yes                    # RHEL-07-010430
+security_disable_gdm_automatic_login: yes                    # V-71953
 # Disable timed gdm logins for guests
-security_disable_gdm_timed_login: yes                        # RHEL-07-010431
+security_disable_gdm_timed_login: yes                        # V-71955
 # Enable session locking for graphical logins.
-security_lock_session: no                                    # RHEL-07-010060
+security_lock_session: no                                    # V-71891
 # Set a timer (in seconds) when an inactive session is locked.
-security_lock_session_inactive_delay: 900                    # RHEL-07-010070
+security_lock_session_inactive_delay: 900                    # V-71893
 # Prevent users from modifying session lock settings.
 security_lock_session_override_user: yes                     # RHEL-07-010071
 # Lock a session (start screensaver) when a session is inactive.
-security_lock_session_when_inactive: yes                     # RHEL-07-010073
+security_lock_session_when_inactive: yes                     # V-71893
 # Time after screensaver starts when user login is required.
-security_lock_session_screensaver_lock_delay: 5              # RHEL-07-010074
+security_lock_session_screensaver_lock_delay: 5              # V-71901
 # Enable a login banner and set the text for the banner.
-security_enable_graphical_login_message: yes                 # RHEL-07-010030
+security_enable_graphical_login_message: yes                 # V-71859
 security_enable_graphical_login_message_text: >
     You are accessing a secured system and your actions will be logged along
     with identifying information. Disconnect immediately if you are not an
@@ -541,105 +539,107 @@ security_enable_graphical_login_message_text: >
 
 ## Linux Security Module (lsm)
 # Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
-security_rhel7_enable_linux_security_module: yes             # RHEL-07-020210 / RHEL-07-020211
+security_rhel7_enable_linux_security_module: yes             # V-71989 / V-71991
 
 ## Miscellaneous (misc)
 # Disable the autofs service.
-security_rhel7_disable_autofs: yes                           # RHEL-07-020161
+security_rhel7_disable_autofs: yes                           # V-71985
 # Enable virus scanning with clamav
-security_enable_virus_scanner: no                            # RHEL-07-030810
+security_enable_virus_scanner: no                            # V-72213
 # Disable ctrl-alt-delete key sequence on the console.
-security_rhel7_disable_ctrl_alt_delete: yes                  # RHEL-07-020220
+security_rhel7_disable_ctrl_alt_delete: yes                  # V-71993
 # Install and enable firewalld for iptables management.
-security_enable_firewalld: no                                # RHEL-07-040290
+security_enable_firewalld: no                                # V-72273
 # Rate limit TCP connections to 25/min and burstable to 100.
-security_enable_firewalld_rate_limit: no                     # RHEL-07-040250
+security_enable_firewalld_rate_limit: no                     # V-72271
 security_enable_firewalld_rate_limit_per_minute: 25
 security_enable_firewalld_rate_limit_burst: 100
 # Require authentication in GRUB to boot into single-user or maintenance modes.
-security_require_grub_authentication: no                     # RHEL-07-010460 / RHEL-07-010470
+security_require_grub_authentication: no                     # V-71961 / V-71963
 # The default password for grub authentication is 'secrete'.
 security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
 # Set session timeout.
-security_rhel7_session_timeout: 600                          # RHEL-07-040160
+security_rhel7_session_timeout: 600                          # V-72223
 # Enable chrony for NTP time synchronization.
-security_rhel7_enable_chrony: yes                            # RHEL-07-040210
+security_rhel7_enable_chrony: yes                            # V-72269
 # Restrict mail relaying.
-security_rhel7_restrict_mail_relaying: yes                   # RHEL-07-040480
+security_rhel7_restrict_mail_relaying: yes                   # V-72297
 
 ## Packages (packages)
 # Remove packages from the system as required by the STIG. Set any of these
 # to 'no' to skip their removal.
-security_rhel7_remove_rsh_server: yes                        # RHEL-07-020000
+security_rhel7_remove_rsh_server: yes                        # V-71967
-security_rhel7_remove_telnet_server: yes                     # RHEL-07-021910
+security_rhel7_remove_telnet_server: yes                     # V-72077
-security_rhel7_remove_tftp_server: yes                       # RHEL-07-040500
+security_rhel7_remove_tftp_server: yes                       # V-72301
-security_rhel7_remove_xorg: yes                              # RHEL-07-040560
+security_rhel7_remove_xorg: yes                              # V-72307
-security_rhel7_remove_ypserv: yes                            # RHEL-07-020010
+security_rhel7_remove_ypserv: yes                            # V-71969
 # Automatically remove dependencies when removing packages.
-security_package_clean_on_remove: no                         # RHEL-07-020200
+security_package_clean_on_remove: no                         # V-71987
 # Automatically update packages.
-security_rhel7_automatic_package_updates: no                 # RHEL-07-020250
+security_rhel7_automatic_package_updates: no                 # V-71999
+# Install packages for multi-factor authentication.
+security_install_multifactor_auth_packages: yes              # V-72417
 
 ## RPM (rpm)
 # Enable GPG checks for packages and repository data.
-security_enable_gpgcheck_packages: yes                       # RHEL-07-020150
+security_enable_gpgcheck_packages: yes                       # V-71977
-security_enable_gpgcheck_packages_local: yes                 # RHEL-07-020151
+security_enable_gpgcheck_packages_local: yes                 # V-71979
-security_enable_gpgcheck_repo: no                            # RHEL-07-020152
+security_enable_gpgcheck_repo: no                            # V-71981
 
 ## ssh server (sshd)
 # Ensure sshd is running and enabled at boot time.
-security_enable_sshd: yes                                    # RHEL-07-040261
+security_enable_sshd: yes                                    # V-72235
 # Disallow logins from users with empty/null passwords.
-security_sshd_disallow_empty_password: yes                   # RHEL-07-010270 / RHEL-07-010440
+security_sshd_disallow_empty_password: yes                   # V-71939 / RHEL-07-010440
 # Disallow users from overriding the ssh environment variables.
-security_sshd_disallow_environment_override: yes             # RHEL-07-010441
+security_sshd_disallow_environment_override: yes             # V-71957
 # Disallow host based authentication.
-security_sshd_disallow_host_based_auth: yes                  # RHEL-07-010442
+security_sshd_disallow_host_based_auth: yes                  # V-71959
 # Set a list of allowed ssh ciphers.
-security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
+security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
 # Specify a text file to be displayed as the banner/MOTD for all sessions.
-security_sshd_banner_file: /etc/motd                         # RHEL-07-010040 / RHEL-07-040170
+security_sshd_banner_file: /etc/motd                         # V-71861 / V-72225
 # Set the interval for max session length and the number of intervals to allow.
-security_sshd_client_alive_interval: 600                     # RHEL-07-040190
+security_sshd_client_alive_interval: 600                     # V-72237
-security_sshd_client_alive_count_max: 0                      # RHEL-07-040191
+security_sshd_client_alive_count_max: 0                      # V-72241
 # Print the last login for a user when they log in over ssh.
-security_sshd_print_last_log: yes                            # RHEL-07-040301
+security_sshd_print_last_log: yes                            # V-72245
 # Permit direct root logins
-security_sshd_permit_root_login: no                          # RHEL-07-040310
+security_sshd_permit_root_login: no                          # V-72247
 # Disallow authentication using known hosts authentication.
-security_sshd_disallow_known_hosts_auth: yes                 # RHEL-07-040332 / RHEL-07-040333
+security_sshd_disallow_known_hosts_auth: yes                 # V-72249 / V-72239
 # Disallow rhosts authentication.
-security_sshd_disallow_rhosts_auth: yes                      # RHEL-07-040334
+security_sshd_disallow_rhosts_auth: yes                      # V-72243
 # Enable X11 forwarding.
-security_sshd_enable_x11_forwarding: yes                     # RHEL-07-040540
+security_sshd_enable_x11_forwarding: yes                     # V-72303
 # Set the allowed ssh protocols.
-security_sshd_protocol: 2                                    # RHEL-07-040590
+security_sshd_protocol: 2                                    # V-72251
 # Set the list of allowed Message Authentication Codes (MACs) for ssh.
-security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'    # RHEL-07-040620
+security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512'    # V-72253
 # Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
-security_sshd_disallow_gssapi: yes                           # RHEL-07-040660
+security_sshd_disallow_gssapi: yes                           # V-72259
 # Disallow compression or delay after login.
-security_sshd_compression: 'delayed'                         # RHEL-07-040700
+security_sshd_compression: 'delayed'                         # V-72267
 # Require privilege separation at every opportunity.
-security_sshd_enable_privilege_separation: yes               # RHEL-07-040690
+security_sshd_enable_privilege_separation: yes               # V-72265
 # Require strict mode checking of home directory configuration files.
-security_sshd_enable_strict_modes: yes                       # RHEL-07-040680
+security_sshd_enable_strict_modes: yes                       # V-72263
 # Disallow Kerberos authentication.
-security_sshd_disable_kerberos_auth: yes                     # RHEL-07-040670
+security_sshd_disable_kerberos_auth: yes                     # V-72261
 
 ## Kernel settings (kernel)
 # Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
 # immediately and by default on new interfaces.
-security_disallow_source_routed_packet_forward_ipv4: yes     # RHEL-07-040350 / RHEL-07-040351
+security_disallow_source_routed_packet_forward_ipv4: yes     # V-72283 / V-72285
-security_disallow_source_routed_packet_forward_ipv6: yes     # RHEL-07-040860
+security_disallow_source_routed_packet_forward_ipv6: yes     # V-72319
 # Disallow responses to IPv4 ICMP echoes sent to broadcast address.
-security_disallow_echoes_broadcast_address: yes              # RHEL-07-040380
+security_disallow_echoes_broadcast_address: yes              # V-72287
 # Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
 # new interfaces.
-security_disallow_icmp_redirects: yes                        # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
+security_disallow_icmp_redirects: yes                        # V-73175 / V-72289 / V-72291 / V-72293
 # Disallow IP forwarding.
-security_disallow_ip_forwarding: no                          # RHEL-07-040730
+security_disallow_ip_forwarding: no                          # V-72309
 # Disable USB storage support.
-security_rhel7_disable_usb_storage: yes                      # RHEL-07-020160
+security_rhel7_disable_usb_storage: yes                      # V-71983
 # Disable kdump.
-security_disable_kdump: yes                                  # RHEL-07-021230
+security_disable_kdump: yes                                  # V-72057

doc/metadata/rhel7/RHEL-07-010031.rst

@@ -1,9 +0,0 @@
----
-id: RHEL-07-010031
-status: implemented
-tag: graphical
----
-
-This STIG control is implemented by:
-
-* :ref:`stig-RHEL-07-010030`

doc/metadata/rhel7/RHEL-07-010070.rst

@@ -1,15 +0,0 @@
----
-id: RHEL-07-010070
-status: implemented
-tag: graphical
----
-
-The session inactivity timeout is set to 900 seconds to meet the STIG
-requirements. After this time, users must re-enter their credentials to regain
-access to the system.
-
-Deployers can adjust this timeout by setting an Ansible variable:
-
-.. code-block:: yaml
-
-    security_lock_session_inactive_delay: 900

doc/metadata/rhel7/RHEL-07-010071.rst

@@ -1,15 +0,0 @@
----
-id: RHEL-07-010071
-status: implemented
-tag: graphical
----
-
-The STIG does not allow regular users to override the system-wide settings for
-graphical session locks. These settings are locked out by default.
-
-Deployers can opt out of overriding user settings for session locks by setting
-the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_lock_session_override_user: no

doc/metadata/rhel7/RHEL-07-010373.rst

@@ -1,9 +0,0 @@
----
-id: RHEL-07-010373
-status: opt-in - Red Hat Only
-tag: auth
----
-
-This STIG control is implemented by:
-
-* :ref:`stig-RHEL-07-010371`

doc/metadata/rhel7/RHEL-07-010400.rst

@@ -1,14 +0,0 @@
----
-id: RHEL-07-010400
-status: implemented
-tag: auth
----
-
-The ``memcache_timeout`` setting is set to ``86400`` (86400 seconds = 1 day)
-within the ``[nss]`` section of ``/etc/sssd/sssd.conf``. Deployers can choose a
-different timeout for cached nss authenticators by setting the following
-Ansible variable:
-
-.. code-block:: yaml
-
-    security_nss_cached_authenticator_timeout: 86400

doc/metadata/rhel7/RHEL-07-010401.rst

@@ -1,14 +0,0 @@
----
-id: RHEL-07-010401
-status: implemented
-tag: auth
----
-
-The ``offline_credentials_expiration`` configuration is set to ``1`` in
-``/etc/sssd/sssd.conf``, which causes credentials to expire after one day.
-Deployers can adjust this expiration time by setting the following Ansible
-variable:
-
-.. code-block:: yaml
-
-    security_pam_offline_credentials_expiration_days: 1

doc/metadata/rhel7/RHEL-07-010440.rst

@@ -1,8 +0,0 @@
----
-id: RHEL-07-010440
-status: implemented
-tag: sshd
----
-
-The tasks for :ref:`stig-RHEL-07-010270` disable logins for accounts with empty
-passwords. No other action is needed for this STIG requirement.

doc/metadata/rhel7/RHEL-07-010470.rst

@@ -1,10 +0,0 @@
----
-id: RHEL-07-010470
-status: opt-in
-tag: misc
----
-
-The tasks in the security role for RHEL-07-010460 will also apply changes to
-systems that use UEFI. For more details, refer to the following documentation:
-
-* :ref:`stig-RHEL-07-010460`

doc/metadata/rhel7/RHEL-07-010490.rst

@@ -1,10 +0,0 @@
----
-id: RHEL-07-010490
-status: exception - manual intervention
-tag: auth
----
-
-Deployers are strongly urged to review the list of user accounts on each server
-regularly. Evaluation of user accounts must be done on a case-by-case basis and
-the tasks in the security role are unable to determine which user accounts are
-valid. Deployers must complete this work manually.

doc/metadata/rhel7/RHEL-07-020170.rst

@@ -1,9 +0,0 @@
----
-id: RHEL-07-020170
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should consider the best encryption strategy for their needs and add
-that to the initial provisioning process. The tasks in the security role do not
-apply encryption to disks or individual files.

doc/metadata/rhel7/RHEL-07-020870.rst

@@ -1,8 +0,0 @@
----
-id: RHEL-07-020870
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should manually inspect initialization files in each user's home
-directory and verify that all ``PATH`` lines use absolute paths.

doc/metadata/rhel7/RHEL-07-040020.rst

@@ -1,10 +0,0 @@
----
-id: RHEL-07-040020
-status: exception - manual intervention
-tag: misc
----
-
-Deployers should review their logging configuration to ensure it meets the
-requirements of the STIG. All operating systems supported by the role already
-log the ``auth``, ``authpriv``, and ``daemon`` facilities at the correct levels
-by default.

doc/metadata/rhel7/RHEL-07-040030.rst

@@ -1,13 +0,0 @@
----
-id: RHEL-07-040030
-status: verification only
-tag: auth
----
-
-The tasks in the security role examine the ``/etc/pam_pkcs11/pam_pkcs11.conf``
-file (if it exists) to ensure that ``ocsp_on`` is included in all three
-``cert_policy`` directives. If ``oscp_on`` is not found three times in the
-file, a message is printed in the Ansible output.
-
-This change is only needed on systems which use PKI-based authentication (using
-certificates).

doc/metadata/rhel7/RHEL-07-040040.rst

@@ -1,12 +0,0 @@
----
-id: RHEL-07-040040
-status: verification only
-tag: auth
----
-
-The tasks in the security role check for ``cackey`` or ``coolkey`` as
-acceptable values for ``use_pkcs11_module`` in
-``/etc/pam_pkcs11/pam_pkcs11.conf``. If neither are found, a message is printed
-in the Ansible output.
-
-This change only applies to systems that use PKI-based authentication.

doc/metadata/rhel7/RHEL-07-040050.rst

@@ -1,11 +0,0 @@
----
-id: RHEL-07-040050
-status: exception - manual intervention
-tag: file_perms
----
-
-This control requires that ``/etc/pam_pkcs11/subject_mapping`` exists on the
-system. It is only required on systems that use PKI-based authentication.
-
-Deployers should perform this step manually based on the needs of their
-authentication configuration.

doc/metadata/rhel7/RHEL-07-040060.rst

@@ -1,9 +0,0 @@
----
-id: RHEL-07-040060
-status: implemented
-tag: file_perms
----
-
-The tasks in this role set the mode on ``/etc/pam_pkcs11/cn_map`` to ``0644``.
-If the file permissions are more restrictive than ``0644`` on the system, they
-are not changed.

doc/metadata/rhel7/RHEL-07-040070.rst

@@ -1,8 +0,0 @@
----
-id: RHEL-07-040070
-status: implemented
-tag: file_perms
----
-
-The default owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role ensures
-that this default is maintained if the file exists.

doc/metadata/rhel7/RHEL-07-040080.rst

@@ -1,8 +0,0 @@
----
-id: RHEL-07-040080
-status: implemented
-tag: file_perms
----
-
-The default group owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role
-ensures that this default is maintained if the file exists.

doc/metadata/rhel7/RHEL-07-040230.rst

@@ -1,17 +0,0 @@
----
-id: RHEL-07-040230
-status: exception - manual intervention
-tag: misc
----
-
-This control applies only to systems that run PKI services, such as the
-`FreeIPA <https://www.freeipa.org/page/Main_Page>`_ project or the
-`Red Hat Identity Management <https://access.redhat.com/products/identity-management>`_
-product. Deployers should carefully review the requirements for this control
-before making any changes.
-
-.. warning::
-
-    Changing revocation settings might cause certain systems or users to lose
-    access to critical servers. Always test these configuration changes in a
-    non-production environment first.

doc/metadata/rhel7/RHEL-07-040333.rst

@@ -1,7 +0,0 @@
----
-id: RHEL-07-040333
-status: implemented
-tag: sshd
----
-
-This STIG is already applied by the changes for :ref:`stig-RHEL-07-040332`.

doc/metadata/rhel7/RHEL-07-040490.rst

@@ -1,14 +0,0 @@
----
-id: RHEL-07-040490
-status: implemented
-tag: packages
----
-
-If a TFTP server package is installed (``tftpd`` on Ubuntu and ``tftp-server``
-on CentOS and Red Hat Enterprise Linux), the package is removed.
-
-Deployers can opt out of this change by setting the following Ansible variable:
-
-.. code-block:: yaml
-
-    security_rhel7_remove_tftp_server: no

doc/metadata/rhel7/RHEL-07-040810.rst

@@ -1,10 +0,0 @@
----
-id: RHEL-07-040810
-status: opt-in
-tag: misc
----
-
-The ``firewalld`` service is optionally enabled in the tasks for another STIG
-control:
-
-* :ref:`stig-RHEL-07-040290`

doc/metadata/rhel7/V-71849.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010010
+id: V-71849
 status: opt-in
 tag: file_perms
 ---

doc/metadata/rhel7/V-71855.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010020
+id: V-71855
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71859.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010030
+id: V-71859
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71861.rst

@@ -1,9 +1,9 @@
 ---
-id: RHEL-07-010040
+id: V-71861
 status: implemented
 tag: sshd
 ---
 
 This control is implemented by the tasks for another control:
 
-* :ref:`stig-RHEL-07-040170`
+* :ref:`stig-V-72225`

doc/metadata/rhel7/V-71863.rst

@@ -0,0 +1,9 @@
+---
+id: V-71863
+status: implemented
+tag: misc
+---
+
+The STIG requires a standardized login banner for all command line user logins.
+The security role deploys a default banner from ``files/login_banner.txt`` to
+``/etc/issue`` on the system.

doc/metadata/rhel7/V-71891.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010060
+id: V-71891
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71893.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010073
+id: V-71893
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71895.rst

@@ -0,0 +1,10 @@
+---
+id: V-71895
+status: implemented
+tag: file_perms
+---
+
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-V-71893`

doc/metadata/rhel7/V-71897.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010072
+id: V-71897
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71899.rst

@@ -0,0 +1,10 @@
+---
+id: V-71899
+status: implemented
+tag: file_perms
+---
+
+This control is implemented by the tasks for another control. Refer to the
+documentation for more details on the change and how to opt out:
+
+* :ref:`stig-V-71893`

doc/metadata/rhel7/V-71901.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010074
+id: V-71901
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71903.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010090
+id: V-71903
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71905.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010100
+id: V-71905
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71907.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010110
+id: V-71907
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71909.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010120
+id: V-71909
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71911.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010130
+id: V-71911
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71913.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010140
+id: V-71913
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71915.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010150
+id: V-71915
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71917.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010160
+id: V-71917
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71919.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010170
+id: V-71919
 status: implemented
 tag: implemented
 ---

doc/metadata/rhel7/V-71921.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010180
+id: V-71921
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-71923.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010190
+id: V-71923
 status: implemented - red hat only
 tag: misc
 ---

doc/metadata/rhel7/V-71925.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010200
+id: V-71925
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71927.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010210
+id: V-71927
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-71929.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010220
+id: V-71929
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71931.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010230
+id: V-71931
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-71933.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010240
+id: V-71933
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71935.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010250
+id: V-71935
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71937.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010260
+id: V-71937
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-71939.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010270
+id: V-71939
 status: implemented
 tag: sshd
 ---

doc/metadata/rhel7/V-71941.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010280
+id: V-71941
 status: opt-in
 tag: auth
 ---

doc/metadata/rhel7/V-71943.rst

@@ -1,9 +1,9 @@
 ---
-id: RHEL-07-010372
+id: V-71943
 status: opt-in - Red Hat Only
 tag: auth
 ---
 
 This STIG control is implemented by:
 
-* :ref:`stig-RHEL-07-010371`
+* :ref:`stig-V-71945`

doc/metadata/rhel7/V-71945.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010371
+id: V-71945
 status: opt-in - Red Hat Only
 tag: auth
 ---

doc/metadata/rhel7/V-71947.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010380
+id: V-71947
 status: exception - manual intervention
 tag: auth
 ---

doc/metadata/rhel7/V-71949.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010381
+id: V-71949
 status: exception - manual intervention
 tag: auth
 ---

doc/metadata/rhel7/V-71951.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010420
+id: V-71951
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-71953.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010430
+id: V-71953
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71955.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010431
+id: V-71955
 status: implemented
 tag: graphical
 ---

doc/metadata/rhel7/V-71957.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010441
+id: V-71957
 status: implemented
 tag: sshd
 ---

doc/metadata/rhel7/V-71959.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010442
+id: V-71959
 status: implemented
 tag: sshd
 ---

doc/metadata/rhel7/V-71961.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010460
+id: V-71961
 status: opt-in
 tag: misc
 ---

doc/metadata/rhel7/V-71963.rst

@@ -0,0 +1,10 @@
+---
+id: V-71963
+status: opt-in
+tag: misc
+---
+
+The tasks in the security role for V-71961 will also apply changes to
+systems that use UEFI. For more details, refer to the following documentation:
+
+* :ref:`stig-V-71961`

doc/metadata/rhel7/V-71965.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-010500
+id: V-71965
 status: exception - manual intervention
 tag: auth
 ---

doc/metadata/rhel7/V-71967.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020000
+id: V-71967
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71969.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020010
+id: V-71969
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71971.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020090
+id: V-71971
 status: exception - manual intervention
 tag: auth
 ---

doc/metadata/rhel7/V-71973.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020130
+id: V-71973
 status: opt-in
 tag: aide
 ---

doc/metadata/rhel7/V-71975.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020140
+id: V-71975
 status: implemented
 tag: aide
 ---

doc/metadata/rhel7/V-71977.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020150
+id: V-71977
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71979.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020151
+id: V-71979
 status: implemented
 tag: packages
 ---

doc/metadata/rhel7/V-71981.rst

@@ -1,6 +1,6 @@
 ---
-id: RHEL-07-020152
+id: V-71981
-status: implemented
+status: opt in
 tag: packages
 ---
 

doc/metadata/rhel7/V-71983.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020160
+id: V-71983
 status: opt-in
 tag: kernel
 ---

doc/metadata/rhel7/V-71985.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020161
+id: V-71985
 status: implemented
 tag: misc
 ---

doc/metadata/rhel7/V-71987.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020200
+id: V-71987
 status: opt-in
 tag: packages
 ---

doc/metadata/rhel7/V-71989.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020210
+id: V-71989
 status: implemented
 tag: lsm
 ---

doc/metadata/rhel7/V-71991.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020211
+id: V-71991
 status: implemented
 tag: misc
 ---
@@ -9,4 +9,4 @@ AppArmor only has one set of policies, so this change has no effect on Ubuntu
 systems running AppArmor.
 
 For more information on this change and how to opt out, refer to
-:ref:`stig-RHEL-07-020210`.
+:ref:`stig-V-71989`.

doc/metadata/rhel7/V-71993.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020220
+id: V-71993
 status: implemented
 tag: misc
 ---

doc/metadata/rhel7/V-71995.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020230
+id: V-71995
 status: opt-in - Ubuntu only
 tag: auth
 ---

doc/metadata/rhel7/V-71997.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020240
+id: V-71997
 status: exception - manual intervention
 tag: packages
 ---

doc/metadata/rhel7/V-71999.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020250
+id: V-71999
 status: opt-in
 tag: packages
 ---

doc/metadata/rhel7/V-72001.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020290
+id: V-72001
 status: exception - manual intervention
 tag: auth
 ---

doc/metadata/rhel7/V-72003.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020300
+id: V-72003
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-72005.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020310
+id: V-72005
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-72007.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020360
+id: V-72007
 status: opt-in
 tag: file_perms
 ---

doc/metadata/rhel7/V-72009.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020370
+id: V-72009
 status: opt-in
 tag: file_perms
 ---

doc/metadata/rhel7/V-72011.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020620
+id: V-72011
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-72013.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020630
+id: V-72013
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-72015.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020640
+id: V-72015
 status: implemented
 tag: auth
 ---

doc/metadata/rhel7/V-72017.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020650
+id: V-72017
 status: opt-in
 tag: file_perms
 ---

doc/metadata/rhel7/V-72019.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020660
+id: V-72019
 status: opt-in
 tag: file_perms
 ---
@@ -7,4 +7,4 @@ tag: file_perms
 This control is implemented by the tasks for another control. Refer to the
 documentation for more details on the change and how to opt out:
 
-* :ref:`stig-RHEL-07-020650`
+* :ref:`stig-V-72017`

doc/metadata/rhel7/V-72021.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020670
+id: V-72021
 status: opt-in
 tag: file_perms
 ---
@@ -7,4 +7,4 @@ tag: file_perms
 This control is implemented by the tasks for another control. Refer to the
 documentation for more details on the change and how to opt out:
 
-* :ref:`stig-RHEL-07-020650`
+* :ref:`stig-V-72017`

doc/metadata/rhel7/V-72023.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020700
+id: V-72023
 status: exception - manual intervention
 tag: file_perms
 ---

doc/metadata/rhel7/V-72025.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020680
+id: V-72025
 status: exception - manual intervention
 tag: file_perms
 ---

doc/metadata/rhel7/V-72027.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020690
+id: V-72027
 status: exception - manual intervention
 tag: file_perms
 ---

doc/metadata/rhel7/V-72029.rst

@@ -1,5 +1,5 @@
 ---
-id: RHEL-07-020850
+id: V-72029
 status: exception - manual intervention
 tag: file_perms
 ---