Docs: Fix rendering of :orphan:
This patch removes the ``:orphan:`` docinfo from the documentation and instead adds the orphaned docs into the ``exclude_pattern`` configuration option. There's a bug that causes the tag to actually get rendered in the docs when those docs are brought in via an include. Backport-of: Iacce8f5bfd9a629117564938bbb376bf5abcec31 Change-Id: I815070d1de924c9c4ec7c21098acb6c52baac3b8
This commit is contained in:
Major Hayden
Amy Marrich (spotz)
parent
b79214c754
commit
38b512e7ac
|
|
@ -74,7 +74,10 @@ language = None
|
|||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = []
|
||||
exclude_patterns = [
|
||||
'developer-notes/*.rst',
|
||||
'stig-notes/*.rst'
|
||||
]
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all
|
||||
# documents.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
|
||||
of this change, adjust the following variable:
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adjusting the bootloader configuration can cause issues with reboots and this
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Although adding centralized authentication and carefully managing user
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is
|
||||
the default in Ubuntu 14.04 already, but the tasks will ensure that the
|
||||
permissions match the STIG requirements in case they were changed by other
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
See V-38551 for additional details. IPv6 configuration and filtering is left
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Although audit log files are owned by the root user and group by default
|
||||
in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are
|
||||
configured as such.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Forwarding root's email to another user is highly recommended, but the Ansible
|
||||
tasks won't configure an email address to receive root's email unless that
|
||||
email address is configured. Set ``root_forward_email`` to an email address
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Verifying contents of files installed from packages is more difficult in
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Although the ``/etc/gshadow`` file is group-owned by root by default, the
|
||||
Ansible tasks will ensure that it is configured that way.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
|
||||
the requirements of the STIG.
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
The ownership of ``/etc/passwd`` will be changed to root.
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
The group ownership for ``/etc/passwd`` will be set to root.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Verifying permissions of installed packages isn't possible in the current
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Verifying ownership of installed packages isn't possible in the current
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Verifying ownership of installed packages isn't possible in the current
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/tmp`` can disrupt a running system and this
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/var`` can disrupt a running system and this
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
The permissions for ``/etc/passwd`` will be set to ``0644``.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task will ensure that the ``/etc/group`` file is owned by the root
|
||||
user.
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
|
||||
The tasks in file_perms.yml will ensure that ``/etc/group`` is owned by the root account.
|
||||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
|
||||
present). If found, a warning message will be printed. No configuration
|
||||
changes will be made since neither Ubuntu or openstack-ansible configures
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
|
||||
task will ensure that it is current set to those permissions.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu checks packages against GPG signatures by default. It can be turned
|
||||
off for all package installations by a setting in /etc/apt/apt.conf.d/ and we
|
||||
search for that in the Ansible task. A warning is printed if the
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring a separate partition for ``/var/log`` is currently left up to the
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually
|
||||
only suspends audit logging. That could be a security issue, so ``SYSLOG``
|
||||
is recommended and is set by default by openstack-ansible-security. There
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
As with V-38465, Ubuntu sets the ownership of library files to root by
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Storing audit logs on a separate partition is recommended, but this change
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually
|
||||
only suspends audit logging. That could be a security issue, so ``SYSLOG``
|
||||
is recommended and is set by default by openstack-ansible-security. If syslog
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu sets the permissions for system commands to ``0755`` or less already.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually
|
||||
only suspends audit logging. That could be a security issue, so ``SYSLOG``
|
||||
is recommended and is set by default by openstack-ansible-security. If syslog
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
An Ansible task will adjust ``active`` from `no` to `yes` in
|
||||
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
|
||||
syslog automatically. The auditd daemon will be restarted if the configuration
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu sets system commands to be owned by root by default Deployers are
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Creating ``/home`` on a different partition is highly recommended but it is
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The openstack-ansible roles don't install X by default, so there is no
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
Ubuntu 14.04 does not set a password length requirement by default. The STIG
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The STIG talks about yum having the RHN GPG keys installed, but this
|
||||
requirement has been adapted to check for the Ubuntu signing keys normally
|
||||
present in Ubuntu 14.04.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
Ubuntu doesn't set a limitation on how frequently uses can change passwords.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
Ubuntu doesn't set a limitation on the age of passwords.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
After enabling password age limits in V-38479, be sure to configure
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Operating system patching is left up to the deployer to configure based on
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Password complexity requirements are left up to the deployer. Deployers are
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task for V-38462 already checks for apt configurations that would
|
||||
disable any GPG checks when installing packages. However, it's possible for
|
||||
the root user to override these configurations via command line parameters.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu 14.04 already enables the display of the last successful login for a
|
||||
user immediately after login. An Ansible task ensures this setting is
|
||||
applied and restarts the ssh daemon if necessary.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task for V-38462 already checks for apt configurations that would
|
||||
disable any GPG checks when installing packages. However, it's possible for
|
||||
the root user to override these configurations via command line parameters.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
The ``aide`` package will be installed by Ansible tasks.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Disabling the ``usb-storage`` module can add extra security, but it's not
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
|
||||
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
|
||||
for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by
|
||||
default.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The
|
||||
Ansible task for this requirement ensures that the mode is ``0750`` (which
|
||||
is more strict than the STIG requirement).
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
|
||||
by the root user.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The Ansible tasks will check for default system accounts (other than root)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by
|
||||
default. This STIG requires that those login attempts are blocked.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu and CentOS set the current audit log (the one that is actively being
|
||||
written to) to ``0600`` so that only the root user can read and write to it.
|
||||
The older, rotated logs are set to ``0400`` since they should not receive
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task will search for password hashes in ``/etc/passwd`` using
|
||||
awk and report a failure if any are found.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
|
||||
that aren't the normal root account. If any matching accounts are found, a
|
||||
warning is printed to stdout and the Ansible play will fail.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception and opt-in alternative**
|
||||
|
||||
Adjusting PAM configurations is very risky since it affects how all users
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
|
||||
default. The Ansible task will ensure that the default is maintained.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
|
||||
default. The Ansible task will ensure that the default is maintained.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
|
||||
requires a mode of ``0000``. This doesn't affect how the system operates since
|
||||
root is the only user that should be able to read from and write to
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Special Case**
|
||||
|
||||
Running virtual infrastructure requires IP forwarding to be enabled on various
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Although a minimal set of iptables rules are configured on openstack-ansible
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
|
||||
needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel
|
||||
module and the Ansible tasks will disable it by default.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Stream Control Transmission Protocol (SCTP) must be disabled. This module
|
||||
isn't used by Ubuntu 14.04 or openstack-ansible by default.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu
|
||||
14.04 or openstack-ansible enables this module by default, so the Ansible
|
||||
tasks in this role will disable the module.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
|
||||
disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by
|
||||
default, so the Ansible tasks in this role will disable the module.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Different systems may have different log files populated depending on the type
|
||||
|
|
|
|||
|
|
@ -1,8 +1,6 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
At the moment, openstack-ansible already sends logs to the rsyslog container
|
||||
At the moment, OpenStack-Ansible already sends logs to the rsyslog container
|
||||
from various containers and hosts. However, deployers are strongly urged
|
||||
to forward these logs to a system outside their openstack-ansible environment
|
||||
to ensure that they cannot be altered.
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time made via ``settimeofday``.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
|
|
|
|||
|
|
@ -1,3 +1 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time done via ``stime``.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time done via
|
||||
``clock_settime``.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The Ansible task in this role will ensure that martian packets are logged to
|
||||
rsyslog. Wikpedia's article on `martian packets`_ provides additional
|
||||
information.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added to auditd to log all attempts to change the system time using
|
||||
``/etc/localtime``.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Audit rules are added in a task so that any events associated with
|
||||
account modifications are logged. The new audit rule will be loaded immediately
|
||||
with ``augenrules --load``.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
|
||||
The Ansible tasks for this STIG configuration ensures that the secure default
|
||||
setting is maintained.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
|
||||
ensure that this default setting is maintained.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
|
||||
Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
|
||||
that the default is maintained.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing network configuration changes. The path to
|
||||
Ubuntu's standard network configuration location has replaced the path
|
||||
to Red Hat's default network configuration location.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
The RHEL 6 STIG requires that changes to SELinux policies and configuration are
|
||||
audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is
|
||||
AppArmor and openstack-ansible configures AppArmor by default.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with chown.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
The STIG requires IPv6 to be disabled system-wide unless it is needed for the
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Disabling IPv6 redirects can cause issues with OpenStack environments which
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Filtering IPv6 traffic is left up to the deployer to implement. The
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes
|
||||
made by fchown.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made by
|
||||
fchownat.
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made
|
||||
by fremovexattr.
|
||||
by ``fremovexattr``.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made via
|
||||
``fsetxattr``.
|
||||
|
|
|
|||
|
|
@ -1,4 +1,2 @@
|
|||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made via
|
||||
``lchown``.
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue