
With the upcoming changes to rebase onto the RHEL 7 STIG controls, there needs to be a new solution for documentation that is easier to manage and filter.

This patch automates the generation of the STIG control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New documentation only needs to be added there. (Will explain this in the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
15 lines
585 B
ReStructuredText
---
id: V-38504
status: implemented
tag: misc
---

Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
Ansible tasks in the security role ensure that the mode meets the requirement.

**Special note for Ubuntu:** This change doesn't affect how the system operates
since root is the only user that should be able to read from and write to
``/etc/shadow``. Allowing users to read the file could open up the system to
attacks since the password hashes can be dumped and brute forced.
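One way to verify the mode requirement described above on a host, as an added example that is not part of the original document or the role's Ansible tasks. The function names are hypothetical, and the check assumes GNU coreutils ``stat`` as shipped on Ubuntu and CentOS:

```shell
#!/bin/sh
# Added example: audit a shadow file against the STIG's 000 mode requirement.
# Function names are hypothetical; assumes GNU coreutils stat.

# Print the octal mode of FILE (for example "640", or "0" for mode 000).
file_mode() {
    stat -c '%a' -- "$1" 2>/dev/null
}

# Exit status: 0 = mode is 000, 1 = some permission bit is set,
# 2 = the file could not be inspected.
# root can still read a mode-000 file because it bypasses permission bits,
# which is why the stricter mode does not break authentication.
check_shadow_mode() {
    file=${1:-/etc/shadow}
    mode=$(file_mode "$file") || {
        echo "ERROR: cannot stat $file" >&2
        return 2
    }
    if [ "$mode" = "0" ]; then
        echo "PASS: $file mode is 000"
        return 0
    fi
    # Show the symbolic form too so the excess bits are obvious,
    # e.g. 640 (-rw-r-----) on a stock Ubuntu system.
    echo "FAIL: $file mode is $mode ($(stat -c '%A' -- "$file")), expected 000"
    return 1
}

# Usage: check_shadow_mode            # audits /etc/shadow
#        check_shadow_mode /path/to/copy
```
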