openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/doc/metadata/rhel6/V-38454.rst
Major Hayden e57593dfd4 Automate the STIG documentation 
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

27 lines
1.1 KiB
ReStructuredText
Raw Blame History

---
id: V-38454
status: exception
tag: misc
---
**Exception**
Although Ubuntu provides the ``debsums`` command for checking the contents of
files installed from packages, it cannot perform a detailed level of checking
sufficient to meet the STIG requirement. Some packages are not shipped with MD5
checksums for all files. Deployers are encouraged to use ``debsums -c``
regularly to check for alterations in as many packages as possible.
Ubuntu does not currently have a capability to check file permissions,
ownership, or group ownership against the permissions that were originally set
when the package was installed.
In CentOS, the ``rpm`` command can verify package contents, ownership, group
ownership, and permissions after the package has been installed. However, many
configuration files are changed by the security role and this will cause the
verification to fail.
Deployers should utilize the monitoring capabilities of the ``aide`` package
(which is installed by other Ansible tasks in this role) to determine which
configuration files, libraries or binaries may have been changed.
View Git Blame Copy Permalink