openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/doc/source/controls.rst
Major Hayden 6f6c08f4c3 Enable RHEL 7 STIG tasks as default [+Docs] 
This patch enables the RHEL 7 STIG content tasks as the default.
Documentation has also been updated to reflect the change and provide
more concise information about what is available with each release.

The OpenStack-Ansible repo is still set to use the RHEL 6 STIG until
some issues with individual roles are resolved.

Implements: blueprint security-rhel7-stig
Change-Id: Ic72d97b87c0fb16646e5a31030404e1a9ad6a469
2017-01-13 19:06:07 +00:00

47 lines
1.9 KiB
ReStructuredText
Raw Blame History

Security hardening controls in detail (RHEL 6 STIG)
===================================================
The Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux
6 contains over 200 security controls. The links below will allow you to review
each control based on a certain set of criteria.
Controls are divided into groups based on certain properties:
* **Severity:** Normally high, medium and low. High severity items are the ones
which should be completed first, since they pose the greatest threat to the
security of a system.
*(These severity levels are set within the STIG.)*
* **Implementation status:** Each control is assessed thoroughly before Ansible
tasks are written. Some controls may be listed as *exceptions* since they
can't be implemented with automation, or they could cause damage to an
existing system. Other controls are listed as *opt-in* when they are
implemented, but they require a deployer to enable them.
*(This categorization comes from openstack-ansible-security, not the STIG.)*
* **Tag:** The controls are also separated based on which parts of the system
they act upon. Something that secures ``grub`` would be tagged with *boot*
while controls for ``sshd`` would be tagged with *auth*.
*(This categorization comes from openstack-ansible-security, not the STIG.)*
You can also review the STIG controls in one very large page. This can be
helpful when you need to search using your web browser.
.. note::
The RHEL 6 STIG content is deprecated in the Ocata release and will be
removed in a future release. Deployers can choose to deploy the RHEL 6
STIG content by setting the ``stig_version`` Ansible variable:
.. code-block:: console
ansible-playbook -i hosts playbook.yml -e stig_version=rhel7
.. toctree::
:maxdepth: 2
auto_controls-by-severity.rst
auto_controls-by-status.rst
auto_controls-by-tag.rst
auto_controls-all.rst
View Git Blame Copy Permalink