
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
27 lines
1.1 KiB
ReStructuredText
---
id: V-38454
status: exception
tag: misc
---

**Exception**

Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
checksums for all files. Deployers are encouraged to use ``debsums -c``
regularly to check for alterations in as many packages as possible.

Ubuntu does not currently have a capability to check file permissions,
ownership, or group ownership against the permissions that were originally set
when the package was installed.

In CentOS, the ``rpm`` command can verify package contents, ownership, group
ownership, and permissions after the package has been installed. However, many
configuration files are changed by the security role and this will cause the
verification to fail.

Deployers should utilize the monitoring capabilities of the ``aide`` package
(which is installed by other Ansible tasks in this role) to determine which
configuration files, libraries or binaries may have been changed.
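The CentOS paragraph above notes that ``rpm`` verification fails on the configuration files the security role edits. The following script is an added example, not code from the role or its documentation: it triages the output of ``rpm -V`` so that digest, mode, owner or group changes on files rpm marks as config files (``c``) are reported separately from the same changes on binaries and libraries, which are the findings a deployer actually needs to investigate (and cross-check against ``aide``). The sample input is constructed, not captured from a real host; on CentOS the same functions can be fed ``rpm -Va`` directly. It assumes paths contain no newline characters.

```shell
#!/bin/sh
# Added example (not code from the openstack-ansible-security role or its
# docs): triage 'rpm -V' output so that changes to files rpm marks as
# config files ("c") are separated from changes to binaries, libraries and
# other non-config files, which are the ones worth investigating.
#
# rpm -V line layout (see rpm(8)): a nine-character attribute column, then
# an optional file-type flag (c config, d doc, g ghost, l license, r readme),
# then the path. "." means the test passed; a letter names the failed test:
# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities. A removed file is reported as "missing   <path>".
# Assumption: paths contain no newline characters.

rpm_verify_triage() {
    # stdin: rpm -V output; stdout: "<class>\t<reason>\t<path>"
    awk '
    {
        attrs = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)                # drop attribute column
        type = ""
        if (rest ~ /^[cdglr] /) {                # optional file-type flag
            type = substr(rest, 1, 1)
            rest = substr(rest, 3)
        }
        path = rest
        if (attrs == "missing") {
            print "UNEXPECTED\tmissing\t" path
            next
        }
        reasons = ""
        if (index(attrs, "S")) reasons = reasons "size,"
        if (index(attrs, "M")) reasons = reasons "mode,"
        if (index(attrs, "5")) reasons = reasons "digest,"
        if (index(attrs, "D")) reasons = reasons "device,"
        if (index(attrs, "L")) reasons = reasons "link,"
        if (index(attrs, "U")) reasons = reasons "owner,"
        if (index(attrs, "G")) reasons = reasons "group,"
        if (index(attrs, "P")) reasons = reasons "caps,"
        sub(/,$/, "", reasons)
        if (reasons == "") {                     # only the mtime differed
            print "INFO\tmtime-only\t" path
        } else if (type == "c") {                # config file edited by the role
            print "EXPECTED\t" reasons "\t" path
        } else {                                 # binary/library/other: investigate
            print "UNEXPECTED\t" reasons "\t" path
        }
    }'
}

rpm_verify_unexpected_count() {
    # stdin: triage output; stdout: number of UNEXPECTED entries
    awk -F '\t' '$1 == "UNEXPECTED" { n++ } END { print n + 0 }'
}

sample_rpm_verify_output() {
    # Constructed sample of 'rpm -Va' output, not captured from a real host.
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/login.defs
.......T.    /usr/lib64/libcrypto.so.1.0.2k
S.5....T.    /usr/bin/passwd
.M....G..    /usr/sbin/useradd
missing     /usr/share/doc/foo/README
EOF
}

# Stand-alone demo; on a real CentOS host replace the sample with: rpm -Va
sample_rpm_verify_output | rpm_verify_triage
printf 'unexpected changes: %s\n' \
    "$(sample_rpm_verify_output | rpm_verify_triage | rpm_verify_unexpected_count)"
```

The two config files in the sample land in the EXPECTED bucket, the mtime-only library is informational, and the modified ``passwd`` binary, the ``useradd`` mode/group change and the missing file are the three UNEXPECTED entries. Treat EXPECTED entries as a list to reconcile against the role's own task changes, not as noise to discard.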