fa2800419e
This patch migrates all of the remaining non-unique variable names in the security role to a pattern that begins with `security_*`. This will reduce potential variable collisions with other roles. This is a breaking change for deployers and users who are moving from the liberty or stable/mitaka branches to master. Release notes are included with additional details to help with the transition. Closes-Bug: 1578326 Change-Id: Ib716e81e6fed971b21dc5579ae1a871736e21189
23 lines
1020 B
ReStructuredText
23 lines
1020 B
ReStructuredText
This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
|
|
the sudoers configuration files. Using these directives reduces the security
|
|
of the system.
|
|
|
|
``NOPASSWD`` allows users to run commands as root without providing a password
|
|
first. Using ``!authenticate`` with the ``Defaults`` directive will disable
|
|
password usage for any users which use ``sudo``.
|
|
|
|
There are two configuration options for handling these changes. By default,
|
|
both of these options are set to ``no``, which means that the sudoers
|
|
configuration files will not be altered:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_sudoers_remove_nopasswd: no
|
|
security_sudoers_remove_authenticate: no
|
|
|
|
Setting ``security_sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible
|
|
tasks to search for any lines containing ``NOPASSWD`` and comment them out of
|
|
the configuration. Setting ``security_sudoers_remove_authenticate`` will do the
|
|
same actions on lines containing ``!authenticate``. Lines that are already
|
|
commented will be left unaltered.
|