
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
24 lines
997 B
ReStructuredText
---
id: V-38462
status: implemented
tag: misc
---

All versions of Ubuntu and CentOS supported by the role verify packages against
GPG signatures by default.

Deployers can disable GPG verification for all packages in Ubuntu by setting
the ``AllowUnauthenticated`` configuration option in a file within
``/etc/apt/apt.conf.d/``. The Ansible tasks will search for this configuration
option and will stop the playbook execution if the option is set. Note
that users can pass an argument on the apt command line to bypass the checks as
well, but that's outside the scope of this check and remediation.

In CentOS, deployers can set ``gpgcheck=0`` within individual yum repository
files in ``/etc/yum.repos.d/`` to disable GPG signature checking. The Ansible
tasks will check for this configuration option in those files and stop the
playbook execution.

Deployers can use ``--skip-tags V-38462`` to omit these tasks when applying the
security role on systems where GPG verification must be disabled.
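The two configuration checks the control text describes (an apt fragment setting ``AllowUnauthenticated`` to true, and ``gpgcheck=0`` in a yum repository file) can be reproduced as a stand-alone shell check. The script below is an added example and is not part of the security role's own Ansible tasks; the directory paths are passed as arguments so it can be run against a constructed fixture rather than the live ``/etc``, and the ``make_fixture`` helper and its sample file contents are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not the security role's own tasks): report apt and yum
# settings that disable GPG verification of packages, as described for V-38462.
# Paths are parameters so the check can run against a fixture instead of /etc.

# Return 0 when no setting disabling GPG verification is found, 1 otherwise.
# Each offending file is printed so an operator can see what tripped the check.
check_gpg_verification() {
    apt_dir="$1"   # normally /etc/apt/apt.conf.d
    yum_dir="$2"   # normally /etc/yum.repos.d
    found=0

    # apt: any configuration fragment that sets AllowUnauthenticated to a true
    # value. APT option names are case-insensitive, hence grep -i.
    if [ -d "$apt_dir" ]; then
        for f in "$apt_dir"/*; do
            [ -f "$f" ] || continue
            if grep -Eiq '^[[:space:]]*APT::Get::AllowUnauthenticated[[:space:]]+"?(true|yes|1)"?' "$f"; then
                echo "apt: GPG verification disabled in $f"
                found=1
            fi
        done
    fi

    # yum: any repository file containing gpgcheck=0.
    if [ -d "$yum_dir" ]; then
        for f in "$yum_dir"/*.repo; do
            [ -f "$f" ] || continue
            if grep -Eiq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$f"; then
                echo "yum: gpgcheck=0 in $f"
                found=1
            fi
        done
    fi
    return $found
}

# Constructed fixture (hypothetical contents): one compliant apt fragment and
# one compliant repo file, so the check can be exercised without touching /etc.
make_fixture() {
    base="$1"
    mkdir -p "$base/apt.conf.d" "$base/yum.repos.d"
    printf 'APT::Install-Recommends "false";\n' > "$base/apt.conf.d/00recommends"
    printf '[base]\nname=Base\nbaseurl=http://example.invalid/base\ngpgcheck=1\n' \
        > "$base/yum.repos.d/base.repo"
}

# Demo runs only when invoked with "demo", so sourcing the file stays silent.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    # Add a weak apt fragment to show the check firing.
    printf 'APT::Get::AllowUnauthenticated "true";\n' > "$tmp/apt.conf.d/99weak"
    if check_gpg_verification "$tmp/apt.conf.d" "$tmp/yum.repos.d"; then
        echo "ok: GPG verification enforced"
    else
        echo "weak setting found"
    fi
    rm -rf "$tmp"
fi
```

On a live host the function is called as ``check_gpg_verification /etc/apt/apt.conf.d /etc/yum.repos.d``; a non-zero exit is the equivalent of the role stopping playbook execution. As the control text notes, this only inspects configuration files and does not cover verification being bypassed on the package manager command line.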