Major Hayden e57593dfd4 Automate the STIG documentation
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

29 lines
810 B
ReStructuredText

---
id: V-38497
status: implemented
tag: misc
---
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
authenticate via PAM by default. This STIG requires that those login attempts
are blocked.
For Ubuntu, the ``nullok_secure`` option will be removed from ``/etc/pam.d
/common-auth``.
For CentOS, the ``nullok`` option will be removed from ``/etc/pam.d/system-
auth``.
The effects of the change are **immediate** and no service restarts are
required.
Deployers can opt-out of this change by adjusting an Ansible variable:
.. code-block:: yaml
security_pam_remove_nullok: no
Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
remove the ``nullok_secure`` parameter while setting the variable to ``no``
will leave the PAM configuration unchanged.