e57593dfd4
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way: * A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages. * ToC pages are now sorted by severity, tag, and implementation status. * A giant listing of controls is easier to navigate now. * Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.) Implements: blueprint security-rhel7-stig Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
997 B
---id: V-38462 status: implemented tag: misc ---
All versions of Ubuntu and CentOS supported by the role verify packages against GPG signatures by default.
Deployers can disable GPG verification for all packages in Ubuntu by
setting the AllowUnauthenticated configuration option in a
file within /etc/apt/apt.conf.d/. The Ansible tasks will
search for this configuration option and will stop the playbook
execution if the option is set. Note that users can pass an argument on
the apt command line to bypass the checks as well, but that's outside
the scope of this check and remediation.
In CentOS, deployers can set gpgcheck=0 within
individual yum repository files in /etc/yum.repos.d/ to
disable GPG signature checking. The Ansible tasks will check for this
configuration option in those files and stop the playbook execution.
Deployers can use --skip-tags V-38462 to omit these
tasks when applying the security role on systems where GPG verification
must be disabled.