e57593dfd4
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter. This patch automates the generation of the STIG control documentation in the following way: * A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages. * ToC pages are now sorted by severity, tag, and implementation status. * A giant listing of controls is easier to navigate now. * Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.) Implements: blueprint security-rhel7-stig Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
585 B
585 B
---id: V-38504 status: implemented tag: misc ---
Ubuntu 14.04 and Ubuntu 16.04 set the mode of
/etc/shadow to 0640, but CentOS 7 sets it to
000. The STIG requires the mode to be 000 and
the Ansible tasks in the security role ensure that the mode meets the
requirement.
Special note for Ubuntu: This change doesn't affect
how the system operates since root is the only user that should be able
to read from and write to /etc/shadow. Allowing users to
read the file could open up the system to attacks since the password
hashes can be dumped and brute forced.