Automate the STIG documentation

With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386

.gitignore

@@ -65,3 +65,6 @@ releasenotes/build
 
 # Vagrant testing artifacts
 .vagrant
+
+# Automatically generated documentation
+doc/source/auto_*

doc/metadata/import-existing-notes.py

@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Import existing developer notes into base YAML format."""
+import os
+
+
+import jinja2
+
+
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+METADATA_DIR = "{0}/rhel6".format(SCRIPT_DIR)
+NOTES_DIR = "{0}/../source/stig-notes".format(SCRIPT_DIR)
+
+yaml_tmp = """---
+id: {{ note_data['id'] }}
+status: {{ note_data['status'] }}
+tag: {{ note_data['tag'] }}
+---
+
+{{ note_data['deployer_notes'] }}
+"""
+
+
+note_files = [x for x in os.listdir(NOTES_DIR) if 'developer' in x]
+for note_file in note_files:
+    stig_id = note_file[0:7]
+
+    with open("{0}/{1}".format(NOTES_DIR, note_file), 'r') as f:
+        content = f.read()
+
+    first_line = content.splitlines()[0]
+    print(first_line)
+    if 'exception' in first_line.lower():
+        status = 'exception'
+    elif 'opt-in' in first_line.lower():
+        status = 'opt-in'
+    else:
+        status = 'implemented'
+
+    note_data = {
+        'id': stig_id,
+        'status': status,
+        'tag': 'misc',
+        'deployer_notes': content
+    }
+
+    with open("{0}/{1}.rst".format(METADATA_DIR, stig_id), 'w') as f:
+        template = jinja2.Template(yaml_tmp)
+        f.write(template.render(note_data=note_data))

doc/metadata/rhel6/V-38437.rst

@@ -1,3 +1,9 @@
+---
+id: V-38437
+status: implemented
+tag: misc
+---
+
 If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
 of this change, adjust the following variable:
 

doc/metadata/rhel6/V-38438.rst

@@ -1,7 +1,10 @@
-The role will add ``audit=1`` to the ``GRUB_CMDLINE_LINUX_DEFAULT`` variable
+---
-in the GRUB configuration within ``/etc/default/grub.d/`` and it will also
+id: V-38438
-update the active ``grub.cfg`` so that the change takes effect on the next
+status: exception
-boot.
+tag: misc
+---
+
+**Exception**
 
 To opt-out of the change, set the following variable:
 

doc/metadata/rhel6/V-38439.rst

@@ -1,3 +1,9 @@
+---
+id: V-38439
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although adding centralized authentication and carefully managing user

doc/metadata/rhel6/V-38443.rst

@@ -1,2 +1,8 @@
+---
+id: V-38443
+status: implemented
+tag: misc
+---
+
 The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
 16.04 and CentOS 7. The security role ensures that the file is owned by root.

doc/metadata/rhel6/V-38444.rst

@@ -1,3 +1,9 @@
+---
+id: V-38444
+status: exception
+tag: misc
+---
+
 **Exception**
 
 See V-38551 for additional details. IPv6 configuration and filtering is left

doc/metadata/rhel6/V-38445.rst

@@ -1,3 +1,9 @@
+---
+id: V-38445
+status: implemented
+tag: misc
+---
+
 The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
 Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
 are owned by the root user.

doc/metadata/rhel6/V-38446.rst

@@ -1,3 +1,9 @@
+---
+id: V-38446
+status: implemented
+tag: misc
+---
+
 Forwarding root's email to another user is highly recommended, but the Ansible
 tasks won't configure an email address to receive root's email unless that
 email address is configured. Set ``security_root_forward_email`` to an email

doc/metadata/rhel6/V-38447.rst

@@ -1,3 +1,9 @@
+---
+id: V-38447
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although Ubuntu provides the ``debsums`` command for checking the contents of

doc/metadata/rhel6/V-38448.rst

@@ -1,2 +1,8 @@
+---
+id: V-38448
+status: implemented
+tag: misc
+---
+
 Although the ``/etc/gshadow`` file is group-owned by root by default, the
 Ansible tasks will ensure that it is configured that way.

doc/metadata/rhel6/V-38449.rst

@@ -1,2 +1,8 @@
+---
+id: V-38449
+status: implemented
+tag: misc
+---
+
 The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
 the requirements of the STIG.

doc/metadata/rhel6/V-38450.rst

@@ -1 +1,7 @@
+---
+id: V-38450
+status: implemented
+tag: misc
+---
+
 The ownership of ``/etc/passwd`` will be changed to root.

doc/metadata/rhel6/V-38451.rst

@@ -1 +1,7 @@
+---
+id: V-38451
+status: implemented
+tag: misc
+---
+
 The group ownership for ``/etc/passwd`` will be set to root.

doc/metadata/rhel6/V-38452.rst

@@ -1,3 +1,9 @@
+---
+id: V-38452
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although Ubuntu provides the ``debsums`` command for checking the contents of

doc/metadata/rhel6/V-38453.rst

@@ -1,3 +1,9 @@
+---
+id: V-38453
+status: exception
+tag: misc
+---
+
 **Exception for Ubuntu**
 
 Verifying ownership and permissions of installed packages isn't possible in the

doc/metadata/rhel6/V-38454.rst

@@ -1,3 +1,9 @@
+---
+id: V-38454
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although Ubuntu provides the ``debsums`` command for checking the contents of

doc/metadata/rhel6/V-38455.rst

@@ -1,3 +1,9 @@
+---
+id: V-38455
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Configuring another mount for ``/tmp`` can disrupt a running system and this

doc/metadata/rhel6/V-38456.rst

@@ -1,3 +1,9 @@
+---
+id: V-38456
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Configuring another mount for ``/var`` can disrupt a running system and this

doc/metadata/rhel6/V-38457.rst

@@ -1 +1,7 @@
+---
+id: V-38457
+status: implemented
+tag: misc
+---
+
 The permissions for ``/etc/passwd`` will be set to ``0644``.

doc/metadata/rhel6/V-38458.rst

@@ -1,2 +1,8 @@
+---
+id: V-38458
+status: implemented
+tag: misc
+---
+
 The Ansible task will ensure that the ``/etc/group`` file is owned by the root
 user.

doc/metadata/rhel6/V-38459.rst

@@ -1,2 +1,8 @@
+---
+id: V-38459
+status: implemented
+tag: misc
+---
+
 The tasks in file_perms.yml will ensure that "/etc/group" is owned by
 the root account.

doc/metadata/rhel6/V-38460.rst

@@ -1,3 +1,9 @@
+---
+id: V-38460
+status: implemented
+tag: misc
+---
+
 The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
 present). If found, a warning message will be printed. No configuration
 changes will be made since neither Ubuntu or openstack-ansible configures

doc/metadata/rhel6/V-38461.rst

@@ -1,2 +1,8 @@
+---
+id: V-38461
+status: implemented
+tag: misc
+---
+
 Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
 task will ensure that it is current set to those permissions.

doc/metadata/rhel6/V-38462.rst

@@ -1,3 +1,9 @@
+---
+id: V-38462
+status: implemented
+tag: misc
+---
+
 All versions of Ubuntu and CentOS supported by the role verify packages against
 GPG signatures by default.
 

doc/metadata/rhel6/V-38463.rst

@@ -1,3 +1,9 @@
+---
+id: V-38463
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Configuring a separate partition for ``/var/log`` is currently left up to the

doc/metadata/rhel6/V-38464.rst

@@ -1,3 +1,9 @@
+---
+id: V-38464
+status: implemented
+tag: misc
+---
+
 The default configuration for ``disk_error_action`` is ``SUSPEND``, which
 only suspends audit logging when there is a disk error on the system.
 Suspending audit logging can lead to security problems because the system is no

doc/metadata/rhel6/V-38465.rst

@@ -1,3 +1,9 @@
+---
+id: V-38465
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or

doc/metadata/rhel6/V-38466.rst

@@ -1,3 +1,9 @@
+---
+id: V-38466
+status: exception
+tag: misc
+---
+
 **Exception**
 
 As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of

doc/metadata/rhel6/V-38467.rst

@@ -1,3 +1,9 @@
+---
+id: V-38467
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Storing audit logs on a separate partition is recommended, but this change

doc/metadata/rhel6/V-38468.rst

@@ -1,3 +1,9 @@
+---
+id: V-38468
+status: implemented
+tag: misc
+---
+
 The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
 suspends audit logging. Suspending audit logging can lead to security problems
 because the system is no longer keeping track of which syscalls were made.

doc/metadata/rhel6/V-38469.rst

@@ -1,3 +1,9 @@
+---
+id: V-38469
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system

doc/metadata/rhel6/V-38470.rst

@@ -1,3 +1,9 @@
+---
+id: V-38470
+status: implemented
+tag: misc
+---
+
 The default configuration for ``security_space_left_action`` is ``SUSPEND``,
 which actually only suspends audit logging. Suspending audit logging can lead
 to security problems because the system is no longer keeping track of which

doc/metadata/rhel6/V-38471.rst

@@ -1,3 +1,9 @@
+---
+id: V-38471
+status: implemented
+tag: misc
+---
+
 An Ansible task will adjust ``active`` from `no` to `yes` in
 ``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
 syslog automatically. The auditd daemon will be restarted if the configuration

doc/metadata/rhel6/V-38472.rst

@@ -1,3 +1,9 @@
+---
+id: V-38472
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by

doc/metadata/rhel6/V-38473.rst

@@ -1,3 +1,9 @@
+---
+id: V-38473
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Creating ``/home`` on a different partition is highly recommended but it is

doc/metadata/rhel6/V-38474.rst

@@ -1,3 +1,9 @@
+---
+id: V-38474
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The openstack-ansible roles don't install X by default, so there is no

doc/metadata/rhel6/V-38475.rst

@@ -1,3 +1,9 @@
+---
+id: V-38475
+status: implemented
+tag: misc
+---
+
 **Configuration required**
 
 The STIG recommends passwords to be a minimum of 14 characters in length. To

doc/metadata/rhel6/V-38476.rst

@@ -1,3 +1,9 @@
+---
+id: V-38476
+status: implemented
+tag: misc
+---
+
 The security role verifies that the GPG keys that correspond to each supported
 Linux distribution are installed on each host. If the GPG keys are not found,
 or if they differ from the list of trusted GPG keys, the playbook execution

doc/metadata/rhel6/V-38477.rst

@@ -1,3 +1,9 @@
+---
+id: V-38477
+status: implemented
+tag: misc
+---
+
 **Configuration required**
 
 The STIG recommends setting a limit of one password change per day. To enable

doc/metadata/rhel6/V-38478.rst

@@ -1,3 +1,9 @@
+---
+id: V-38478
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Ubuntu and CentOS do not use the Red Hat Network Service. However, there are

doc/metadata/rhel6/V-38479.rst

@@ -1,3 +1,9 @@
+---
+id: V-38479
+status: implemented
+tag: misc
+---
+
 **Configuration required**
 
 The STIG recommends setting a limit of 60 days before a password must

doc/metadata/rhel6/V-38480.rst

@@ -1,3 +1,9 @@
+---
+id: V-38480
+status: implemented
+tag: misc
+---
+
 **Configuration required**
 
 After enabling password age limits in V-38479, be sure to configure

doc/metadata/rhel6/V-38481.rst

@@ -1,3 +1,9 @@
+---
+id: V-38481
+status: opt-in
+tag: misc
+---
+
 **Opt-in required**
 
 Operating system patching policies vary from organization to organization and

doc/metadata/rhel6/V-38482.rst

@@ -1,3 +1,9 @@
+---
+id: V-38482
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Password complexity requirements are left up to the deployer. Deployers are

doc/metadata/rhel6/V-38483.rst

@@ -1,3 +1,9 @@
+---
+id: V-38483
+status: implemented
+tag: misc
+---
+
 The Ansible task for V-38462 already checks for configurations that would
 disable any GPG checks when installing packages. However, it is possible for
 the root user to override these configurations via command line parameters.

doc/metadata/rhel6/V-38484.rst

@@ -1,3 +1,9 @@
+---
+id: V-38484
+status: implemented
+tag: misc
+---
+
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
 successful login for a user immediately after login. An Ansible task ensures
 this setting is applied and restarts the ssh daemon if necessary.

doc/metadata/rhel6/V-38486.rst

@@ -1,3 +1,9 @@
+---
+id: V-38486
+status: exception
+tag: misc
+---
+
 **Exception**
 
 System backups are left to the deployer to configure. Deployers are stringly

doc/metadata/rhel6/V-38487.rst

@@ -1,3 +1,9 @@
+---
+id: V-38487
+status: implemented
+tag: misc
+---
+
 The Ansible task for V-38462 already checks for apt configurations that would
 disable any GPG checks when installing packages. However, it's possible for
 the root user to override these configurations via command line parameters.

doc/metadata/rhel6/V-38488.rst

@@ -1,3 +1,9 @@
+---
+id: V-38488
+status: exception
+tag: misc
+---
+
 **Exception**
 
 System backups are left to the deployer to configure. Deployers are stringly

doc/metadata/rhel6/V-38489.rst

@@ -1,2 +1,8 @@
+---
+id: V-38489
+status: implemented
+tag: misc
+---
+
 The security role installs and configures the ``aide`` package to provide file
 integrity monitoring on the host.

doc/metadata/rhel6/V-38490.rst

@@ -1,3 +1,9 @@
+---
+id: V-38490
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Disabling the ``usb-storage`` module can add extra security, but it's not

doc/metadata/rhel6/V-38491.rst

@@ -1,3 +1,9 @@
+---
+id: V-38491
+status: implemented
+tag: misc
+---
+
 The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
 ``/root/.rhosts``.  Both of those files could potentially be used with ``rsh``
 for host access.

doc/metadata/rhel6/V-38492.rst

@@ -1,3 +1,9 @@
+---
+id: V-38492
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Virtual consoles are helpful during an emergency and they can only be reached

doc/metadata/rhel6/V-38493.rst

@@ -1,3 +1,9 @@
+---
+id: V-38493
+status: implemented
+tag: misc
+---
+
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
 ``0750`` by default. The Ansible task for this requirement ensures that the
 mode is ``0750`` (which is more strict than the STIG requirement).

doc/metadata/rhel6/V-38494.rst

@@ -1,3 +1,9 @@
+---
+id: V-38494
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Removing serial consoles from ``/etc/securetty`` can make troubleshooting

doc/metadata/rhel6/V-38495.rst

@@ -1,2 +1,8 @@
+---
+id: V-38495
+status: implemented
+tag: misc
+---
+
 The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
 by the root user.

doc/metadata/rhel6/V-38496.rst

@@ -1,3 +1,9 @@
+---
+id: V-38496
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The Ansible tasks will check for default system accounts (other than root)

doc/metadata/rhel6/V-38497.rst

@@ -1,3 +1,9 @@
+---
+id: V-38497
+status: implemented
+tag: misc
+---
+
 Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
 authenticate via PAM by default. This STIG requires that those login attempts
 are blocked.

doc/metadata/rhel6/V-38498.rst

@@ -1,3 +1,9 @@
+---
+id: V-38498
+status: implemented
+tag: misc
+---
+
 Ubuntu and CentOS set the current audit log (the one that is actively being
 written to) to ``0600`` so that only the root user can read and write to it.
 The older, rotated logs are set to ``0400`` since they should not receive

doc/metadata/rhel6/V-38499.rst

@@ -1,2 +1,8 @@
+---
+id: V-38499
+status: implemented
+tag: misc
+---
+
 The Ansible task will search for password hashes in ``/etc/passwd`` using
 awk and report a failure if any are found.

doc/metadata/rhel6/V-38500.rst

@@ -1,3 +1,9 @@
+---
+id: V-38500
+status: implemented
+tag: misc
+---
+
 The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
 that aren't the normal root account. If any matching accounts are found, a
 warning is printed to stdout and the Ansible play will fail.

doc/metadata/rhel6/V-38501.rst

@@ -1,3 +1,9 @@
+---
+id: V-38501
+status: exception
+tag: misc
+---
+
 **Exception and opt-in alternative**
 
 Adjusting PAM configurations is very risky since it affects how all users

doc/metadata/rhel6/V-38502.rst

@@ -1,2 +1,8 @@
+---
+id: V-38502
+status: implemented
+tag: misc
+---
+
 The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
 task will ensure that the default is maintained.

doc/metadata/rhel6/V-38503.rst

@@ -1,2 +1,8 @@
+---
+id: V-38503
+status: implemented
+tag: misc
+---
+
 The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
 task will ensure that the default is maintained.

doc/metadata/rhel6/V-38504.rst

@@ -1,3 +1,9 @@
+---
+id: V-38504
+status: implemented
+tag: misc
+---
+
 Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
 CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
 Ansible tasks in the security role ensure that the mode meets the requirement.

doc/metadata/rhel6/V-38511.rst

@@ -1,3 +1,9 @@
+---
+id: V-38511
+status: implemented
+tag: misc
+---
+
 **Special Case**
 
 Running virtual infrastructure requires IP forwarding to be enabled on various

doc/metadata/rhel6/V-38512.rst

@@ -1,3 +1,9 @@
+---
+id: V-38512
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although a minimal set of iptables rules are configured on openstack-ansible

doc/metadata/rhel6/V-38513.rst

@@ -1,3 +1,9 @@
+---
+id: V-38513
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Although a minimal set of iptables rules are configured on openstack-ansible

doc/metadata/rhel6/V-38514.rst

@@ -1,3 +1,9 @@
+---
+id: V-38514
+status: implemented
+tag: misc
+---
+
 The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
 needed. Although this protocol is occasionally used in some OpenStack
 environments for quality of service functions, it is not in the default

doc/metadata/rhel6/V-38515.rst

@@ -1,3 +1,9 @@
+---
+id: V-38515
+status: implemented
+tag: misc
+---
+
 The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
 this change, set the following variable to ``no``:
 

doc/metadata/rhel6/V-38516.rst

@@ -1,3 +1,9 @@
+---
+id: V-38516
+status: implemented
+tag: misc
+---
+
 The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
 tasks in this role will disable the module.
 

doc/metadata/rhel6/V-38517.rst

@@ -1,3 +1,9 @@
+---
+id: V-38517
+status: implemented
+tag: misc
+---
+
 The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
 disabled. To opt-out of this change, set the following variable to ``no``:
 

doc/metadata/rhel6/V-38518.rst

@@ -1,3 +1,9 @@
+---
+id: V-38518
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Different systems may have different log files populated depending on the type

doc/metadata/rhel6/V-38519.rst

@@ -1,3 +1,9 @@
+---
+id: V-38519
+status: exception
+tag: misc
+---
+
 **Exception**
 
 Different systems may have different log files populated depending on the type

doc/metadata/rhel6/V-38520.rst

@@ -1,3 +1,9 @@
+---
+id: V-38520
+status: exception
+tag: misc
+---
+
 **Exception**
 
 At the moment, openstack-ansible already sends logs to the rsyslog container

doc/metadata/rhel6/V-38521.rst

@@ -1,3 +1,9 @@
+---
+id: V-38521
+status: exception
+tag: misc
+---
+
 **Exception**
 
 At the moment, openstack-ansible already sends logs to the rsyslog container

doc/metadata/rhel6/V-38522.rst

@@ -1 +1,7 @@
+---
+id: V-38522
+status: implemented
+tag: misc
+---
+
 Rules are added for auditing changes to system time made via ``settimeofday``.

doc/metadata/rhel6/V-38523.rst

@@ -1,3 +1,9 @@
+---
+id: V-38523
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The STIG makes several requirements for IPv4 network restrictions, but these

doc/metadata/rhel6/V-38524.rst

@@ -1,3 +1,9 @@
+---
+id: V-38524
+status: implemented
+tag: misc
+---
+
 This patch disables ICMPv4 redirects feature on the host.
 Accepting ICMP redirects has few legitimate uses.
 It should be disabled unless it is absolutely required.

doc/metadata/rhel6/V-38525.rst

@@ -1 +1,7 @@
+---
+id: V-38525
+status: implemented
+tag: misc
+---
+
 Rules are added for auditing changes to system time done via ``stime``.

doc/metadata/rhel6/V-38526.rst

@@ -1,3 +1,9 @@
+---
+id: V-38526
+status: opt-in
+tag: misc
+---
+
 **Opt-in required**
 
 The STIG requires that secure ICMP redirects are disabled, but this can cause

doc/metadata/rhel6/V-38527.rst

@@ -1,2 +1,8 @@
+---
+id: V-38527
+status: implemented
+tag: misc
+---
+
 Rules are added for auditing changes to system time done via
 ``clock_settime``.

doc/metadata/rhel6/V-38528.rst

@@ -1,3 +1,9 @@
+---
+id: V-38528
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The STIG requires that all martian packets are logged by setting the sysctl

doc/metadata/rhel6/V-38529.rst

@@ -1,3 +1,9 @@
+---
+id: V-38529
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The STIG makes several requirements for IPv4 network restrictions, but these

doc/metadata/rhel6/V-38530.rst

@@ -1,2 +1,8 @@
+---
+id: V-38530
+status: implemented
+tag: misc
+---
+
 Rules are added to auditd to log all attempts to change the system time using
 ``/etc/localtime``.

doc/metadata/rhel6/V-38531.rst

@@ -1,3 +1,9 @@
+---
+id: V-38531
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.

doc/metadata/rhel6/V-38532.rst

@@ -1,3 +1,9 @@
+---
+id: V-38532
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The STIG makes several requirements for IPv4 network restrictions, but these

doc/metadata/rhel6/V-38533.rst

@@ -1,3 +1,9 @@
+---
+id: V-38533
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The STIG makes several requirements for IPv4 network restrictions, but these

doc/metadata/rhel6/V-38534.rst

@@ -1,3 +1,9 @@
+---
+id: V-38534
+status: implemented
+tag: misc
+---
+
 Audit rules are added in a task so that any events associated with
 account modifications are logged. The new audit rule will be loaded immediately
 with ``augenrules --load``.

doc/metadata/rhel6/V-38535.rst

@@ -1,3 +1,9 @@
+---
+id: V-38535
+status: implemented
+tag: misc
+---
+
 By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
 The Ansible tasks for this STIG configuration ensures that the secure default
 setting is maintained.

doc/metadata/rhel6/V-38536.rst

@@ -1,3 +1,9 @@
+---
+id: V-38536
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.

doc/metadata/rhel6/V-38537.rst

@@ -1,2 +1,8 @@
+---
+id: V-38537
+status: implemented
+tag: misc
+---
+
 Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
 ensure that this default setting is maintained.

doc/metadata/rhel6/V-38538.rst

@@ -1,3 +1,9 @@
+---
+id: V-38538
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.

doc/metadata/rhel6/V-38539.rst

@@ -1,3 +1,9 @@
+---
+id: V-38539
+status: implemented
+tag: misc
+---
+
 The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
 
 Note that high-traffic environments may require TCP SYN cookies to be disabled.

doc/metadata/rhel6/V-38540.rst

@@ -1,3 +1,9 @@
+---
+id: V-38540
+status: implemented
+tag: misc
+---
+
 Rules are added for auditing network configuration changes. The path to
 Ubuntu's standard network configuration location has replaced the path
 to Red Hat's default network configuration location.

doc/metadata/rhel6/V-38541.rst

@@ -1,3 +1,9 @@
+---
+id: V-38541
+status: implemented
+tag: misc
+---
+
 For Ubuntu, rules are added to auditd that will log any changes made in the
 ``/etc/apparmor`` directory.
 

doc/metadata/rhel6/V-38542.rst

@@ -0,0 +1,19 @@
+---
+id: V-38542
+status: exception
+tag: misc
+---
+
+**Exception**
+
+The STIG makes several requirements for IPv4 network restrictions, but these
+restrictions can impact certain network interfaces and cause service
+disruptions. Some security configurations make sense for certain types of
+network interfaces, like bridges, but other restrictions cause the network
+interface to stop passing valid traffic between hosts, containers, or virtual
+machines.
+
+The default network scripts and LXC userspace tools already configure various
+network devices to their most secure setting. Since some hosts will act as
+routers, enabling security configurations that restrict network traffic can
+cause service disruptions for OpenStack environments.

doc/metadata/rhel6/V-38543.rst

@@ -1,3 +1,9 @@
+---
+id: V-38543
+status: exception
+tag: misc
+---
+
 **Exception**
 
 The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``