Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG version 1 release. The new STIG release has changed all of the numbering, but it maintains a link to (most) of the old STIG IDs in the XML. Closes-bug: 1676865 Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
This commit is contained in:
Major Hayden
parent
c1780c7152
commit
dccce1d5cc
|
|
@ -384,156 +384,154 @@ security_unattended_upgrades_notifications: false
|
|||
|
||||
## AIDE (aide)
|
||||
# Initialize the AIDE database immediately (may take time).
|
||||
security_rhel7_initialize_aide: no # RHEL-07-020130
|
||||
security_rhel7_initialize_aide: no # V-71973
|
||||
|
||||
## Audit daemon (auditd)
|
||||
# Send audit records to a different system using audisp.
|
||||
#security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
|
||||
#security_audisp_remote_server: '10.0.21.1' # V-72083
|
||||
# Encrypt audit records when they are transmitted over the network.
|
||||
#security_audisp_enable_krb5: yes # RHEL-07-030331
|
||||
#security_audisp_enable_krb5: yes # V-72085
|
||||
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
|
||||
security_rhel7_audit_failure_flag: 1 # RHEL-07-030090
|
||||
security_rhel7_audit_failure_flag: 1 # V-72081
|
||||
# Set the action to take when the disk is full or network events cannot be sent.
|
||||
security_rhel7_auditd_disk_full_action: syslog # RHEL-07-030340
|
||||
security_rhel7_auditd_network_failure_action: syslog # RHEL-07-030340
|
||||
security_rhel7_auditd_disk_full_action: syslog # V-72087
|
||||
security_rhel7_auditd_network_failure_action: syslog # V-72087
|
||||
# Size of remaining disk space (in MB) that triggers alerts.
|
||||
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # RHEL-07-030350
|
||||
security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # V-72089
|
||||
# Action to take when the space_left threshold is reached.
|
||||
security_rhel7_auditd_space_left_action: email # RHEL-07-030351
|
||||
security_rhel7_auditd_space_left_action: email # V-72091
|
||||
# Send auditd email alerts to this user.
|
||||
security_rhel7_auditd_action_mail_acct: root # RHEL-07-030352
|
||||
security_rhel7_auditd_action_mail_acct: root # V-72093
|
||||
# Add audit rules for commands/syscalls.
|
||||
security_rhel7_audit_chsh: yes # RHEL-07-030525
|
||||
security_rhel7_audit_chage: yes # RHEL-07-030513
|
||||
security_rhel7_audit_chcon: yes # RHEL-07-030443
|
||||
security_rhel7_audit_chmod: no # RHEL-07-030390
|
||||
security_rhel7_audit_chown: no # RHEL-07-030380
|
||||
security_rhel7_audit_creat: yes # RHEL-07-030420
|
||||
security_rhel7_audit_crontab: yes # RHEL-07-030561
|
||||
security_rhel7_audit_delete_module: yes # RHEL-07-030671
|
||||
security_rhel7_audit_fchmod: no # RHEL-07-030391
|
||||
security_rhel7_audit_fchmodat: no # RHEL-07-030392
|
||||
security_rhel7_audit_fchown: no # RHEL-07-030381
|
||||
security_rhel7_audit_fchownat: no # RHEL-07-030383
|
||||
security_rhel7_audit_fremovexattr: no # RHEL-07-030404
|
||||
security_rhel7_audit_fsetxattr: no # RHEL-07-030401
|
||||
security_rhel7_audit_ftruncate: yes # RHEL-07-030425
|
||||
security_rhel7_audit_init_module: yes # RHEL-07-030670
|
||||
security_rhel7_audit_gpasswd: yes # RHEL-07-030512
|
||||
security_rhel7_audit_lchown: no # RHEL-07-030382
|
||||
security_rhel7_audit_lremovexattr: no # RHEL-07-030405
|
||||
security_rhel7_audit_lsetxattr: no # RHEL-07-030402
|
||||
security_rhel7_audit_mount: yes # RHEL-07-030530
|
||||
security_rhel7_audit_newgrp: yes # RHEL-07-030524
|
||||
security_rhel7_audit_open: yes # RHEL-07-030421
|
||||
security_rhel7_audit_openat: yes # RHEL-07-030422
|
||||
security_rhel7_audit_open_by_handle_at: yes # RHEL-07-030423
|
||||
security_rhel7_audit_pam_timestamp_check: yes # RHEL-07-030630
|
||||
security_rhel7_audit_passwd: yes # RHEL-07-030510
|
||||
security_rhel7_audit_postdrop: yes # RHEL-07-030540
|
||||
security_rhel7_audit_postqueue: yes # RHEL-07-030541
|
||||
security_rhel7_audit_pt_chown: yes # RHEL-07-030560
|
||||
security_rhel7_audit_removexattr: no # RHEL-07-030403
|
||||
security_rhel7_audit_rename: yes # RHEL-07-030750
|
||||
security_rhel7_audit_renameat: yes # RHEL-07-030751
|
||||
security_rhel7_audit_restorecon: yes # RHEL-07-030444
|
||||
security_rhel7_audit_rmdir: yes # RHEL-07-030752
|
||||
security_rhel7_audit_semanage: yes # RHEL-07-030441
|
||||
security_rhel7_audit_setsebool: yes # RHEL-07-030442
|
||||
security_rhel7_audit_setxattr: no # RHEL-07-030400
|
||||
security_rhel7_audit_ssh_keysign: yes # RHEL-07-030550
|
||||
security_rhel7_audit_su: yes # RHEL-07-030521
|
||||
security_rhel7_audit_sudo: yes # RHEL-07-030522
|
||||
security_rhel7_audit_sudoedit: yes # RHEL-07-030526
|
||||
security_rhel7_audit_truncate: yes # RHEL-07-030424
|
||||
security_rhel7_audit_umount: yes # RHEL-07-030531
|
||||
security_rhel7_audit_unix_chkpwd: yes # RHEL-07-030511
|
||||
security_rhel7_audit_unlink: yes # RHEL-07-030753
|
||||
security_rhel7_audit_unlinkat: yes # RHEL-07-030754
|
||||
security_rhel7_audit_userhelper: yes # RHEL-07-030514
|
||||
security_rhel7_audit_chsh: yes # V-72167
|
||||
security_rhel7_audit_chage: yes # V-72155
|
||||
security_rhel7_audit_chcon: yes # V-72139
|
||||
security_rhel7_audit_chmod: no # V-72105
|
||||
security_rhel7_audit_chown: no # V-72097
|
||||
security_rhel7_audit_creat: yes # V-72123
|
||||
security_rhel7_audit_crontab: yes # V-72183
|
||||
security_rhel7_audit_delete_module: yes # V-72189
|
||||
security_rhel7_audit_fchmod: no # V-72107
|
||||
security_rhel7_audit_fchmodat: no # V-72109
|
||||
security_rhel7_audit_fchown: no # V-72099
|
||||
security_rhel7_audit_fchownat: no # V-72103
|
||||
security_rhel7_audit_fremovexattr: no # V-72119
|
||||
security_rhel7_audit_fsetxattr: no # V-72113
|
||||
security_rhel7_audit_ftruncate: yes # V-72133
|
||||
security_rhel7_audit_init_module: yes # V-72187
|
||||
security_rhel7_audit_gpasswd: yes # V-72153
|
||||
security_rhel7_audit_lchown: no # V-72101
|
||||
security_rhel7_audit_lremovexattr: no # V-72121
|
||||
security_rhel7_audit_lsetxattr: no # V-72115
|
||||
security_rhel7_audit_mount: yes # V-72171
|
||||
security_rhel7_audit_newgrp: yes # V-72165
|
||||
security_rhel7_audit_open: yes # V-72125
|
||||
security_rhel7_audit_openat: yes # V-72127
|
||||
security_rhel7_audit_open_by_handle_at: yes # V-72129
|
||||
security_rhel7_audit_pam_timestamp_check: yes # V-72185
|
||||
security_rhel7_audit_passwd: yes # V-72149
|
||||
security_rhel7_audit_postdrop: yes # V-72175
|
||||
security_rhel7_audit_postqueue: yes # V-72177
|
||||
security_rhel7_audit_pt_chown: yes # V-72181
|
||||
security_rhel7_audit_removexattr: no # V-72117
|
||||
security_rhel7_audit_rename: yes # V-72199
|
||||
security_rhel7_audit_renameat: yes # V-72201
|
||||
security_rhel7_audit_restorecon: yes # V-72141
|
||||
security_rhel7_audit_rmdir: yes # V-72203
|
||||
security_rhel7_audit_semanage: yes # V-72135
|
||||
security_rhel7_audit_setsebool: yes # V-72137
|
||||
security_rhel7_audit_setxattr: no # V-72111
|
||||
security_rhel7_audit_ssh_keysign: yes # V-72179
|
||||
security_rhel7_audit_su: yes # V-72159
|
||||
security_rhel7_audit_sudo: yes # V-72161
|
||||
security_rhel7_audit_sudoedit: yes # V-72169
|
||||
security_rhel7_audit_truncate: yes # V-72131
|
||||
security_rhel7_audit_umount: yes # V-72173
|
||||
security_rhel7_audit_unix_chkpwd: yes # V-72151
|
||||
security_rhel7_audit_unlink: yes # V-72205
|
||||
security_rhel7_audit_unlinkat: yes # V-72207
|
||||
security_rhel7_audit_userhelper: yes # V-72157
|
||||
# Add audit rules for other events.
|
||||
security_rhel7_audit_account_access: yes # RHEL-07-030490
|
||||
security_rhel7_audit_sudo_config_changes: yes # RHEL-07-030523
|
||||
security_rhel7_audit_insmod: yes # RHEL-07-030672
|
||||
security_rhel7_audit_rmmod: yes # RHEL-07-030673
|
||||
security_rhel7_audit_modprobe: yes # RHEL-07-030674
|
||||
security_rhel7_audit_account_actions: yes # RHEL-07-030710
|
||||
security_rhel7_audit_account_access: yes # V-72143
|
||||
security_rhel7_audit_sudo_config_changes: yes # V-72163
|
||||
security_rhel7_audit_insmod: yes # V-72191
|
||||
security_rhel7_audit_rmmod: yes # V-72193
|
||||
security_rhel7_audit_modprobe: yes # V-72195
|
||||
security_rhel7_audit_account_actions: yes # V-72197
|
||||
|
||||
## Authentication (auth)
|
||||
# Disallow logins from accounts with blank/null passwords via PAM.
|
||||
security_disallow_blank_password_login: yes # RHEL-07-010260
|
||||
security_disallow_blank_password_login: yes # V-71937
|
||||
# Apply password quality rules.
|
||||
# NOTE: The security_pwquality_apply_rules variable is a "master switch".
|
||||
# Set the 'security_pwquality_apply_rules' variable to 'yes' to apply all of
|
||||
# the password quality rules. Each rule can be disabled with a value of 'no'.
|
||||
security_pwquality_apply_rules: no
|
||||
security_pwquality_require_uppercase: yes # RHEL-07-010090
|
||||
security_pwquality_require_lowercase: yes # RHEL-07-010100
|
||||
security_pwquality_require_numeric: yes # RHEL-07-010110
|
||||
security_pwquality_require_special: yes # RHEL-07-010120
|
||||
security_pwquality_require_characters_changed: yes # RHEL-07-010130
|
||||
security_pwquality_require_character_classes_changed: yes # RHEL-07-010140
|
||||
security_pwquality_limit_repeated_characters: yes # RHEL-07-010150
|
||||
security_pwquality_limit_repeated_character_classes: yes # RHEL-07-010160
|
||||
security_pwquality_require_minimum_password_length: no # RHEL-07-010250
|
||||
security_pwquality_require_uppercase: yes # V-71903
|
||||
security_pwquality_require_lowercase: yes # V-71905
|
||||
security_pwquality_require_numeric: yes # V-71907
|
||||
security_pwquality_require_special: yes # V-71909
|
||||
security_pwquality_require_characters_changed: yes # V-71911
|
||||
security_pwquality_require_character_classes_changed: yes # V-71913
|
||||
security_pwquality_limit_repeated_characters: yes # V-71915
|
||||
security_pwquality_limit_repeated_character_classes: yes # V-71917
|
||||
security_pwquality_require_minimum_password_length: no # V-71935
|
||||
# Use pwquality when passwords are changed or established.
|
||||
security_enable_pwquality_password_set: no # V-73159
|
||||
# Ensure passwords are stored using SHA512.
|
||||
security_password_encrypt_method: SHA512 # RHEL-07-010180
|
||||
security_password_encrypt_method: SHA512 # V-71921
|
||||
# Ensure user/group admin utilities only store encrypted passwords.
|
||||
security_libuser_crypt_style_sha512: yes # RHEL-07-010190
|
||||
security_libuser_crypt_style_sha512: yes # V-71923
|
||||
# Set a minimum/maximum lifetime limit for user passwords.
|
||||
#security_password_min_lifetime_days: 1 # RHEL-07-010200
|
||||
#security_password_max_lifetime_days: 60 # RHEL-07-010220
|
||||
# Set a timeout (in seconds) to cache NSS authenticators with sssd.
|
||||
security_nss_cached_authenticator_timeout: 86400 # RHEL-07-010400
|
||||
# Set a timeout (in days) to cache PAM/ssh authenticators with sssd.
|
||||
security_pam_offline_credentials_expiration_days: 1 # RHEL-07-010401 / RHEL-07-010402
|
||||
#security_password_min_lifetime_days: 1 # V-71925
|
||||
#security_password_max_lifetime_days: 60 # V-71929
|
||||
# Set a delay (in seconds) between failed login attempts.
|
||||
security_shadow_utils_fail_delay: 4 # RHEL-07-010420
|
||||
security_shadow_utils_fail_delay: 4 # V-71951
|
||||
# Set a umask for all authenticated users.
|
||||
# security_shadow_utils_umask: '077' # RHEL-07-020230
|
||||
# security_shadow_utils_umask: '077' # V-71995
|
||||
# Create home directories for new users by default.
|
||||
security_shadow_utils_create_home: yes # RHEL-07-020630
|
||||
security_shadow_utils_create_home: yes # V-72013
|
||||
# How many old user password to remember to prevent password re-use.
|
||||
#security_password_remember_password: 5 # RHEL-07-010240
|
||||
#security_password_remember_password: 5 # V-71933
|
||||
# Disable user accounts if the password expires.
|
||||
security_disable_account_if_password_expires: no # RHEL-07-010280
|
||||
security_disable_account_if_password_expires: no # V-71941
|
||||
# Lock user accounts with excessive login failures. See documentation.
|
||||
security_pam_faillock_enable: no # RHEL-07-010371 / RHEL-07-010372 / RHEL-07-010373
|
||||
security_pam_faillock_enable: no # V-71945 / V-71943 / RHEL-07-010373
|
||||
security_pam_faillock_interval: 900
|
||||
security_pam_faillock_attempts: 3
|
||||
security_pam_faillock_deny_root: yes # RHEL-07-010373
|
||||
security_pam_faillock_unlock_time: 604800 # RHEL-07-010372
|
||||
security_pam_faillock_unlock_time: 604800 # V-71943
|
||||
# Limit the number of concurrent connections per account.
|
||||
#security_rhel7_concurrent_session_limit: 10 # RHEL-07-040010
|
||||
#security_rhel7_concurrent_session_limit: 10 # V-72217
|
||||
# Remove .shosts and shosts.equiv files.
|
||||
security_rhel7_remove_shosts_files: no # RHEL-07-040330
|
||||
security_rhel7_remove_shosts_files: no # V-72277
|
||||
|
||||
## File permissions (file_perms)
|
||||
# Reset file permissions and ownership for files installed via RPM packages.
|
||||
security_reset_perm_ownership: no # RHEL-07-010010
|
||||
security_reset_perm_ownership: no # V-71849
|
||||
# Search for files/directories owned by invalid users or groups.
|
||||
security_search_for_invalid_owner: no # RHEL-07-020360
|
||||
security_search_for_invalid_group_owner: no # RHEL-07-020370
|
||||
security_search_for_invalid_owner: no # V-72007
|
||||
security_search_for_invalid_group_owner: no # V-72009
|
||||
# Set user/group owners on each home directory and set mode to 0750.
|
||||
security_set_home_directory_permissions_and_owners: no # RHEL-07-020650 / RHEL-07-020660 / RHEL-07-020670
|
||||
security_set_home_directory_permissions_and_owners: no # V-72017 / V-72019 / V-72021
|
||||
|
||||
## Graphical interfaces (graphical)
|
||||
# Disable automatic gdm logins
|
||||
security_disable_gdm_automatic_login: yes # RHEL-07-010430
|
||||
security_disable_gdm_automatic_login: yes # V-71953
|
||||
# Disable timed gdm logins for guests
|
||||
security_disable_gdm_timed_login: yes # RHEL-07-010431
|
||||
security_disable_gdm_timed_login: yes # V-71955
|
||||
# Enable session locking for graphical logins.
|
||||
security_lock_session: no # RHEL-07-010060
|
||||
security_lock_session: no # V-71891
|
||||
# Set a timer (in seconds) when an inactive session is locked.
|
||||
security_lock_session_inactive_delay: 900 # RHEL-07-010070
|
||||
security_lock_session_inactive_delay: 900 # V-71893
|
||||
# Prevent users from modifying session lock settings.
|
||||
security_lock_session_override_user: yes # RHEL-07-010071
|
||||
# Lock a session (start screensaver) when a session is inactive.
|
||||
security_lock_session_when_inactive: yes # RHEL-07-010073
|
||||
security_lock_session_when_inactive: yes # V-71893
|
||||
# Time after screensaver starts when user login is required.
|
||||
security_lock_session_screensaver_lock_delay: 5 # RHEL-07-010074
|
||||
security_lock_session_screensaver_lock_delay: 5 # V-71901
|
||||
# Enable a login banner and set the text for the banner.
|
||||
security_enable_graphical_login_message: yes # RHEL-07-010030
|
||||
security_enable_graphical_login_message: yes # V-71859
|
||||
security_enable_graphical_login_message_text: >
|
||||
You are accessing a secured system and your actions will be logged along
|
||||
with identifying information. Disconnect immediately if you are not an
|
||||
|
|
@ -541,105 +539,107 @@ security_enable_graphical_login_message_text: >
|
|||
|
||||
## Linux Security Module (lsm)
|
||||
# Enable SELinux on Red Hat/CentOS and AppArmor on Ubuntu.
|
||||
security_rhel7_enable_linux_security_module: yes # RHEL-07-020210 / RHEL-07-020211
|
||||
security_rhel7_enable_linux_security_module: yes # V-71989 / V-71991
|
||||
|
||||
## Miscellaneous (misc)
|
||||
# Disable the autofs service.
|
||||
security_rhel7_disable_autofs: yes # RHEL-07-020161
|
||||
security_rhel7_disable_autofs: yes # V-71985
|
||||
# Enable virus scanning with clamav
|
||||
security_enable_virus_scanner: no # RHEL-07-030810
|
||||
security_enable_virus_scanner: no # V-72213
|
||||
# Disable ctrl-alt-delete key sequence on the console.
|
||||
security_rhel7_disable_ctrl_alt_delete: yes # RHEL-07-020220
|
||||
security_rhel7_disable_ctrl_alt_delete: yes # V-71993
|
||||
# Install and enable firewalld for iptables management.
|
||||
security_enable_firewalld: no # RHEL-07-040290
|
||||
security_enable_firewalld: no # V-72273
|
||||
# Rate limit TCP connections to 25/min and burstable to 100.
|
||||
security_enable_firewalld_rate_limit: no # RHEL-07-040250
|
||||
security_enable_firewalld_rate_limit: no # V-72271
|
||||
security_enable_firewalld_rate_limit_per_minute: 25
|
||||
security_enable_firewalld_rate_limit_burst: 100
|
||||
# Require authentication in GRUB to boot into single-user or maintenance modes.
|
||||
security_require_grub_authentication: no # RHEL-07-010460 / RHEL-07-010470
|
||||
security_require_grub_authentication: no # V-71961 / V-71963
|
||||
# The default password for grub authentication is 'secrete'.
|
||||
security_grub_password_hash: grub.pbkdf2.sha512.10000.7B21785BEAFEE3AC71459D8210E3FB42EC0F5011C24A2DF31A8127D43A0BB4F1563549DF443791BE8EDA3AE4E4D4E04DB78D4CA35320E4C646CF38320CBE16EC.4B46176AAB1405D97BADB696377C29DE3B3266188D9C3D2E57F3AE851815CCBC16A275B0DBF6F79D738DAD8F598BEE64C73AE35F19A28C5D1E7C7D96FF8A739B
|
||||
# Set session timeout.
|
||||
security_rhel7_session_timeout: 600 # RHEL-07-040160
|
||||
security_rhel7_session_timeout: 600 # V-72223
|
||||
# Enable chrony for NTP time synchronization.
|
||||
security_rhel7_enable_chrony: yes # RHEL-07-040210
|
||||
security_rhel7_enable_chrony: yes # V-72269
|
||||
# Restrict mail relaying.
|
||||
security_rhel7_restrict_mail_relaying: yes # RHEL-07-040480
|
||||
security_rhel7_restrict_mail_relaying: yes # V-72297
|
||||
|
||||
## Packages (packages)
|
||||
# Remove packages from the system as required by the STIG. Set any of these
|
||||
# to 'no' to skip their removal.
|
||||
security_rhel7_remove_rsh_server: yes # RHEL-07-020000
|
||||
security_rhel7_remove_telnet_server: yes # RHEL-07-021910
|
||||
security_rhel7_remove_tftp_server: yes # RHEL-07-040500
|
||||
security_rhel7_remove_xorg: yes # RHEL-07-040560
|
||||
security_rhel7_remove_ypserv: yes # RHEL-07-020010
|
||||
security_rhel7_remove_rsh_server: yes # V-71967
|
||||
security_rhel7_remove_telnet_server: yes # V-72077
|
||||
security_rhel7_remove_tftp_server: yes # V-72301
|
||||
security_rhel7_remove_xorg: yes # V-72307
|
||||
security_rhel7_remove_ypserv: yes # V-71969
|
||||
# Automatically remove dependencies when removing packages.
|
||||
security_package_clean_on_remove: no # RHEL-07-020200
|
||||
security_package_clean_on_remove: no # V-71987
|
||||
# Automatically update packages.
|
||||
security_rhel7_automatic_package_updates: no # RHEL-07-020250
|
||||
security_rhel7_automatic_package_updates: no # V-71999
|
||||
# Install packages for multi-factor authentication.
|
||||
security_install_multifactor_auth_packages: yes # V-72417
|
||||
|
||||
## RPM (rpm)
|
||||
# Enable GPG checks for packages and repository data.
|
||||
security_enable_gpgcheck_packages: yes # RHEL-07-020150
|
||||
security_enable_gpgcheck_packages_local: yes # RHEL-07-020151
|
||||
security_enable_gpgcheck_repo: no # RHEL-07-020152
|
||||
security_enable_gpgcheck_packages: yes # V-71977
|
||||
security_enable_gpgcheck_packages_local: yes # V-71979
|
||||
security_enable_gpgcheck_repo: no # V-71981
|
||||
|
||||
## ssh server (sshd)
|
||||
# Ensure sshd is running and enabled at boot time.
|
||||
security_enable_sshd: yes # RHEL-07-040261
|
||||
security_enable_sshd: yes # V-72235
|
||||
# Disallow logins from users with empty/null passwords.
|
||||
security_sshd_disallow_empty_password: yes # RHEL-07-010270 / RHEL-07-010440
|
||||
security_sshd_disallow_empty_password: yes # V-71939 / RHEL-07-010440
|
||||
# Disallow users from overriding the ssh environment variables.
|
||||
security_sshd_disallow_environment_override: yes # RHEL-07-010441
|
||||
security_sshd_disallow_environment_override: yes # V-71957
|
||||
# Disallow host based authentication.
|
||||
security_sshd_disallow_host_based_auth: yes # RHEL-07-010442
|
||||
security_sshd_disallow_host_based_auth: yes # V-71959
|
||||
# Set a list of allowed ssh ciphers.
|
||||
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # RHEL-07-040110
|
||||
security_sshd_cipher_list: 'aes128-ctr,aes192-ctr,aes256-ctr' # V-72221
|
||||
# Specify a text file to be displayed as the banner/MOTD for all sessions.
|
||||
security_sshd_banner_file: /etc/motd # RHEL-07-010040 / RHEL-07-040170
|
||||
security_sshd_banner_file: /etc/motd # V-71861 / V-72225
|
||||
# Set the interval for max session length and the number of intervals to allow.
|
||||
security_sshd_client_alive_interval: 600 # RHEL-07-040190
|
||||
security_sshd_client_alive_count_max: 0 # RHEL-07-040191
|
||||
security_sshd_client_alive_interval: 600 # V-72237
|
||||
security_sshd_client_alive_count_max: 0 # V-72241
|
||||
# Print the last login for a user when they log in over ssh.
|
||||
security_sshd_print_last_log: yes # RHEL-07-040301
|
||||
security_sshd_print_last_log: yes # V-72245
|
||||
# Permit direct root logins
|
||||
security_sshd_permit_root_login: no # RHEL-07-040310
|
||||
security_sshd_permit_root_login: no # V-72247
|
||||
# Disallow authentication using known hosts authentication.
|
||||
security_sshd_disallow_known_hosts_auth: yes # RHEL-07-040332 / RHEL-07-040333
|
||||
security_sshd_disallow_known_hosts_auth: yes # V-72249 / V-72239
|
||||
# Disallow rhosts authentication.
|
||||
security_sshd_disallow_rhosts_auth: yes # RHEL-07-040334
|
||||
security_sshd_disallow_rhosts_auth: yes # V-72243
|
||||
# Enable X11 forwarding.
|
||||
security_sshd_enable_x11_forwarding: yes # RHEL-07-040540
|
||||
security_sshd_enable_x11_forwarding: yes # V-72303
|
||||
# Set the allowed ssh protocols.
|
||||
security_sshd_protocol: 2 # RHEL-07-040590
|
||||
security_sshd_protocol: 2 # V-72251
|
||||
# Set the list of allowed Message Authentication Codes (MACs) for ssh.
|
||||
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # RHEL-07-040620
|
||||
security_sshd_allowed_macs: 'hmac-sha2-256,hmac-sha2-512' # V-72253
|
||||
# Disallow Generic Security Service Application Program Interface (GSSAPI) auth.
|
||||
security_sshd_disallow_gssapi: yes # RHEL-07-040660
|
||||
security_sshd_disallow_gssapi: yes # V-72259
|
||||
# Disallow compression or delay after login.
|
||||
security_sshd_compression: 'delayed' # RHEL-07-040700
|
||||
security_sshd_compression: 'delayed' # V-72267
|
||||
# Require privilege separation at every opportunity.
|
||||
security_sshd_enable_privilege_separation: yes # RHEL-07-040690
|
||||
security_sshd_enable_privilege_separation: yes # V-72265
|
||||
# Require strict mode checking of home directory configuration files.
|
||||
security_sshd_enable_strict_modes: yes # RHEL-07-040680
|
||||
security_sshd_enable_strict_modes: yes # V-72263
|
||||
# Disallow Kerberos authentication.
|
||||
security_sshd_disable_kerberos_auth: yes # RHEL-07-040670
|
||||
security_sshd_disable_kerberos_auth: yes # V-72261
|
||||
|
||||
## Kernel settings (kernel)
|
||||
# Disallow forwarding IPv4/IPv6 source routed packets on all interfaces
|
||||
# immediately and by default on new interfaces.
|
||||
security_disallow_source_routed_packet_forward_ipv4: yes # RHEL-07-040350 / RHEL-07-040351
|
||||
security_disallow_source_routed_packet_forward_ipv6: yes # RHEL-07-040860
|
||||
security_disallow_source_routed_packet_forward_ipv4: yes # V-72283 / V-72285
|
||||
security_disallow_source_routed_packet_forward_ipv6: yes # V-72319
|
||||
# Disallow responses to IPv4 ICMP echoes sent to broadcast address.
|
||||
security_disallow_echoes_broadcast_address: yes # RHEL-07-040380
|
||||
security_disallow_echoes_broadcast_address: yes # V-72287
|
||||
# Disallow IPV4 ICMP redirects on all interfaces immediately and by default on
|
||||
# new interfaces.
|
||||
security_disallow_icmp_redirects: yes # RHEL-07-040410 / RHEL-07-040420 / RHEL-07-040421
|
||||
security_disallow_icmp_redirects: yes # V-73175 / V-72289 / V-72291 / V-72293
|
||||
# Disallow IP forwarding.
|
||||
security_disallow_ip_forwarding: no # RHEL-07-040730
|
||||
security_disallow_ip_forwarding: no # V-72309
|
||||
# Disable USB storage support.
|
||||
security_rhel7_disable_usb_storage: yes # RHEL-07-020160
|
||||
security_rhel7_disable_usb_storage: yes # V-71983
|
||||
# Disable kdump.
|
||||
security_disable_kdump: yes # RHEL-07-021230
|
||||
security_disable_kdump: yes # V-72057
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010031
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
||||
This STIG control is implemented by:
|
||||
|
||||
* :ref:`stig-RHEL-07-010030`
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010070
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
||||
The session inactivity timeout is set to 900 seconds to meet the STIG
|
||||
requirements. After this time, users must re-enter their credentials to regain
|
||||
access to the system.
|
||||
|
||||
Deployers can adjust this timeout by setting an Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_lock_session_inactive_delay: 900
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010071
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
||||
The STIG does not allow regular users to override the system-wide settings for
|
||||
graphical session locks. These settings are locked out by default.
|
||||
|
||||
Deployers can opt out of overriding user settings for session locks by setting
|
||||
the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_lock_session_override_user: no
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010373
|
||||
status: opt-in - Red Hat Only
|
||||
tag: auth
|
||||
---
|
||||
|
||||
This STIG control is implemented by:
|
||||
|
||||
* :ref:`stig-RHEL-07-010371`
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010400
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The ``memcache_timeout`` setting is set to ``86400`` (86400 seconds = 1 day)
|
||||
within the ``[nss]`` section of ``/etc/sssd/sssd.conf``. Deployers can choose a
|
||||
different timeout for cached nss authenticators by setting the following
|
||||
Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_nss_cached_authenticator_timeout: 86400
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010401
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The ``offline_credentials_expiration`` configuration is set to ``1`` in
|
||||
``/etc/sssd/sssd.conf``, which causes credentials to expire after one day.
|
||||
Deployers can adjust this expiration time by setting the following Ansible
|
||||
variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_pam_offline_credentials_expiration_days: 1
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010440
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
||||
The tasks for :ref:`stig-RHEL-07-010270` disable logins for accounts with empty
|
||||
passwords. No other action is needed for this STIG requirement.
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010470
|
||||
status: opt-in
|
||||
tag: misc
|
||||
---
|
||||
|
||||
The tasks in the security role for RHEL-07-010460 will also apply changes to
|
||||
systems that use UEFI. For more details, refer to the following documentation:
|
||||
|
||||
* :ref:`stig-RHEL-07-010460`
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-010490
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
||||
Deployers are strongly urged to review the list of user accounts on each server
|
||||
regularly. Evaluation of user accounts must be done on a case-by-case basis and
|
||||
the tasks in the security role are unable to determine which user accounts are
|
||||
valid. Deployers must complete this work manually.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-020170
|
||||
status: exception - manual intervention
|
||||
tag: misc
|
||||
---
|
||||
|
||||
Deployers should consider the best encryption strategy for their needs and add
|
||||
that to the initial provisioning process. The tasks in the security role do not
|
||||
apply encryption to disks or individual files.
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-020870
|
||||
status: exception - manual intervention
|
||||
tag: misc
|
||||
---
|
||||
|
||||
Deployers should manually inspect initialization files in each user's home
|
||||
directory and verify that all ``PATH`` lines use absolute paths.
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040020
|
||||
status: exception - manual intervention
|
||||
tag: misc
|
||||
---
|
||||
|
||||
Deployers should review their logging configuration to ensure it meets the
|
||||
requirements of the STIG. All operating systems supported by the role already
|
||||
log the ``auth``, ``authpriv``, and ``daemon`` facilities at the correct levels
|
||||
by default.
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040030
|
||||
status: verification only
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The tasks in the security role examine the ``/etc/pam_pkcs11/pam_pkcs11.conf``
|
||||
file (if it exists) to ensure that ``ocsp_on`` is included in all three
|
||||
``cert_policy`` directives. If ``oscp_on`` is not found three times in the
|
||||
file, a message is printed in the Ansible output.
|
||||
|
||||
This change is only needed on systems which use PKI-based authentication (using
|
||||
certificates).
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040040
|
||||
status: verification only
|
||||
tag: auth
|
||||
---
|
||||
|
||||
The tasks in the security role check for ``cackey`` or ``coolkey`` as
|
||||
acceptable values for ``use_pkcs11_module`` in
|
||||
``/etc/pam_pkcs11/pam_pkcs11.conf``. If neither are found, a message is printed
|
||||
in the Ansible output.
|
||||
|
||||
This change only applies to systems that use PKI-based authentication.
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040050
|
||||
status: exception - manual intervention
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
This control requires that ``/etc/pam_pkcs11/subject_mapping`` exists on the
|
||||
system. It is only required on systems that use PKI-based authentication.
|
||||
|
||||
Deployers should perform this step manually based on the needs of their
|
||||
authentication configuration.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040060
|
||||
status: implemented
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
The tasks in this role set the mode on ``/etc/pam_pkcs11/cn_map`` to ``0644``.
|
||||
If the file permissions are more restrictive than ``0644`` on the system, they
|
||||
are not changed.
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040070
|
||||
status: implemented
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
The default owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role ensures
|
||||
that this default is maintained if the file exists.
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040080
|
||||
status: implemented
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
The default group owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role
|
||||
ensures that this default is maintained if the file exists.
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040230
|
||||
status: exception - manual intervention
|
||||
tag: misc
|
||||
---
|
||||
|
||||
This control applies only to systems that run PKI services, such as the
|
||||
`FreeIPA <https://www.freeipa.org/page/Main_Page>`_ project or the
|
||||
`Red Hat Identity Management <https://access.redhat.com/products/identity-management>`_
|
||||
product. Deployers should carefully review the requirements for this control
|
||||
before making any changes.
|
||||
|
||||
.. warning::
|
||||
|
||||
Changing revocation settings might cause certain systems or users to lose
|
||||
access to critical servers. Always test these configuration changes in a
|
||||
non-production environment first.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040333
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
||||
This STIG is already applied by the changes for :ref:`stig-RHEL-07-040332`.
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040490
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
||||
If a TFTP server package is installed (``tftpd`` on Ubuntu and ``tftp-server``
|
||||
on CentOS and Red Hat Enterprise Linux), the package is removed.
|
||||
|
||||
Deployers can opt out of this change by setting the following Ansible variable:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_rhel7_remove_tftp_server: no
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
id: RHEL-07-040810
|
||||
status: opt-in
|
||||
tag: misc
|
||||
---
|
||||
|
||||
The ``firewalld`` service is optionally enabled in the tasks for another STIG
|
||||
control:
|
||||
|
||||
* :ref:`stig-RHEL-07-040290`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010010
|
||||
id: V-71849
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010020
|
||||
id: V-71855
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010030
|
||||
id: V-71859
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
id: RHEL-07-010040
|
||||
id: V-71861
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
||||
This control is implemented by the tasks for another control:
|
||||
|
||||
* :ref:`stig-RHEL-07-040170`
|
||||
* :ref:`stig-V-72225`
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
id: V-71863
|
||||
status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
||||
The STIG requires a standardized login banner for all command line user logins.
|
||||
The security role deploys a default banner from ``files/login_banner.txt`` to
|
||||
``/etc/issue`` on the system.
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010060
|
||||
id: V-71891
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010073
|
||||
id: V-71893
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
id: V-71895
|
||||
status: implemented
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
This control is implemented by the tasks for another control. Refer to the
|
||||
documentation for more details on the change and how to opt out:
|
||||
|
||||
* :ref:`stig-V-71893`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010072
|
||||
id: V-71897
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
id: V-71899
|
||||
status: implemented
|
||||
tag: file_perms
|
||||
---
|
||||
|
||||
This control is implemented by the tasks for another control. Refer to the
|
||||
documentation for more details on the change and how to opt out:
|
||||
|
||||
* :ref:`stig-V-71893`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010074
|
||||
id: V-71901
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010090
|
||||
id: V-71903
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010100
|
||||
id: V-71905
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010110
|
||||
id: V-71907
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010120
|
||||
id: V-71909
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010130
|
||||
id: V-71911
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010140
|
||||
id: V-71913
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010150
|
||||
id: V-71915
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010160
|
||||
id: V-71917
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010170
|
||||
id: V-71919
|
||||
status: implemented
|
||||
tag: implemented
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010180
|
||||
id: V-71921
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010190
|
||||
id: V-71923
|
||||
status: implemented - red hat only
|
||||
tag: misc
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010200
|
||||
id: V-71925
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010210
|
||||
id: V-71927
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010220
|
||||
id: V-71929
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010230
|
||||
id: V-71931
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010240
|
||||
id: V-71933
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010250
|
||||
id: V-71935
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010260
|
||||
id: V-71937
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010270
|
||||
id: V-71939
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010280
|
||||
id: V-71941
|
||||
status: opt-in
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
id: RHEL-07-010372
|
||||
id: V-71943
|
||||
status: opt-in - Red Hat Only
|
||||
tag: auth
|
||||
---
|
||||
|
||||
This STIG control is implemented by:
|
||||
|
||||
* :ref:`stig-RHEL-07-010371`
|
||||
* :ref:`stig-V-71945`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010371
|
||||
id: V-71945
|
||||
status: opt-in - Red Hat Only
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010380
|
||||
id: V-71947
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010381
|
||||
id: V-71949
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010420
|
||||
id: V-71951
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010430
|
||||
id: V-71953
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010431
|
||||
id: V-71955
|
||||
status: implemented
|
||||
tag: graphical
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010441
|
||||
id: V-71957
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010442
|
||||
id: V-71959
|
||||
status: implemented
|
||||
tag: sshd
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010460
|
||||
id: V-71961
|
||||
status: opt-in
|
||||
tag: misc
|
||||
---
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
id: V-71963
|
||||
status: opt-in
|
||||
tag: misc
|
||||
---
|
||||
|
||||
The tasks in the security role for V-71961 will also apply changes to
|
||||
systems that use UEFI. For more details, refer to the following documentation:
|
||||
|
||||
* :ref:`stig-V-71961`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-010500
|
||||
id: V-71965
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020000
|
||||
id: V-71967
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020010
|
||||
id: V-71969
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020090
|
||||
id: V-71971
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020130
|
||||
id: V-71973
|
||||
status: opt-in
|
||||
tag: aide
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020140
|
||||
id: V-71975
|
||||
status: implemented
|
||||
tag: aide
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020150
|
||||
id: V-71977
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020151
|
||||
id: V-71979
|
||||
status: implemented
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
id: RHEL-07-020152
|
||||
status: implemented
|
||||
id: V-71981
|
||||
status: opt in
|
||||
tag: packages
|
||||
---
|
||||
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020160
|
||||
id: V-71983
|
||||
status: opt-in
|
||||
tag: kernel
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020161
|
||||
id: V-71985
|
||||
status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020200
|
||||
id: V-71987
|
||||
status: opt-in
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020210
|
||||
id: V-71989
|
||||
status: implemented
|
||||
tag: lsm
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020211
|
||||
id: V-71991
|
||||
status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
|
@ -9,4 +9,4 @@ AppArmor only has one set of policies, so this change has no effect on Ubuntu
|
|||
systems running AppArmor.
|
||||
|
||||
For more information on this change and how to opt out, refer to
|
||||
:ref:`stig-RHEL-07-020210`.
|
||||
:ref:`stig-V-71989`.
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020220
|
||||
id: V-71993
|
||||
status: implemented
|
||||
tag: misc
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020230
|
||||
id: V-71995
|
||||
status: opt-in - Ubuntu only
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020240
|
||||
id: V-71997
|
||||
status: exception - manual intervention
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020250
|
||||
id: V-71999
|
||||
status: opt-in
|
||||
tag: packages
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020290
|
||||
id: V-72001
|
||||
status: exception - manual intervention
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020300
|
||||
id: V-72003
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020310
|
||||
id: V-72005
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020360
|
||||
id: V-72007
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020370
|
||||
id: V-72009
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020620
|
||||
id: V-72011
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020630
|
||||
id: V-72013
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020640
|
||||
id: V-72015
|
||||
status: implemented
|
||||
tag: auth
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020650
|
||||
id: V-72017
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020660
|
||||
id: V-72019
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -7,4 +7,4 @@ tag: file_perms
|
|||
This control is implemented by the tasks for another control. Refer to the
|
||||
documentation for more details on the change and how to opt out:
|
||||
|
||||
* :ref:`stig-RHEL-07-020650`
|
||||
* :ref:`stig-V-72017`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020670
|
||||
id: V-72021
|
||||
status: opt-in
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -7,4 +7,4 @@ tag: file_perms
|
|||
This control is implemented by the tasks for another control. Refer to the
|
||||
documentation for more details on the change and how to opt out:
|
||||
|
||||
* :ref:`stig-RHEL-07-020650`
|
||||
* :ref:`stig-V-72017`
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020700
|
||||
id: V-72023
|
||||
status: exception - manual intervention
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020680
|
||||
id: V-72025
|
||||
status: exception - manual intervention
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020690
|
||||
id: V-72027
|
||||
status: exception - manual intervention
|
||||
tag: file_perms
|
||||
---
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
id: RHEL-07-020850
|
||||
id: V-72029
|
||||
status: exception - manual intervention
|
||||
tag: file_perms
|
||||
---
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue