e57593dfd4
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way: * A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages. * ToC pages are now sorted by severity, tag, and implementation status. * A giant listing of controls is easier to navigate now. * Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.) Implements: blueprint security-rhel7-stig Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
1.1 KiB
---id: V-38447 status: exception tag: misc ---
Exception
Although Ubuntu provides the debsums command for
checking the contents of files installed from packages, it cannot
perform a detailed level of checking sufficient to meet the STIG
requirement. Some packages are not shipped with MD5 checksums for all
files. Deployers are encouraged to use debsums -c regularly
to check for alterations in as many packages as possible.
Ubuntu does not currently have a capability to check file permissions, ownership, or group ownership against the permissions that were originally set when the package was installed.
In CentOS, the rpm command can verify package contents,
ownership, group ownership, and permissions after the package has been
installed. However, many configuration files are changed by the security
role and this will cause the verification to fail.
Deployers should utilize the monitoring capabilities of the
aide package (which is installed by other Ansible tasks in
this role) to determine which configuration files, libraries or binaries
may have been changed.