openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/doc/metadata/rhel6/V-38481.rst
Major Hayden e57593dfd4 Automate the STIG documentation 
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

35 lines
1.1 KiB
ReStructuredText
Raw Blame History

---
id: V-38481
status: opt-in
tag: misc
---
**Opt-in required**
Operating system patching policies vary from organization to organization and
are typically established based on business requirements and risk tolerance.
.. note::
Automatically upgrading packages can provide significant security benefits,
but they can reduce availability and reliability. Updating packages can
cause daemons to restart on some systems and they can cause local
customizations of configuration files to be lost.
Deployers are **strongly urged** to understand the nature of this change
and the associated risks prior to enabling automatic upgrades.
Deployers can enable automatic updates by setting
``security_unattended_upgrades`` to ``True``:
.. code-block:: yaml
security_unattended_upgrades: true
In Ubuntu, the ``unattended-upgrades`` package is installed and enabled. This
will apply updates that are made available to the trusty-security (Ubuntu
14.04) or xenial-security (Ubuntu 16.04) repositories.
In CentOS, the ``yum-cron`` package is installed and configured to
automatically apply updates.
View Git Blame Copy Permalink