Pike Series Release Notes
16.0.5
New Features
The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.
16.0.0
Prelude
The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.
New Features
Deployers can provide a customized login banner via a new Ansible variable: security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.
Security Issues
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.
The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.
The cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.
The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.
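The .shosts search (RHEL-07-040330) and the world-writable search are both skipped by default because of their CPU and I/O cost. The following added example, which is not part of the security role or of these release notes, shows one way to run both checks outside of playbook runs at low priority and confined to a single filesystem. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the security role. Function names are hypothetical.
# Usage (as root, one call per local filesystem): audit_tree /home

# Run a command at the lowest CPU priority, and in the idle I/O class
# when ionice is installed and permitted to set it.
low_prio() {
    if command -v ionice >/dev/null 2>&1 && ionice -c 3 true 2>/dev/null; then
        ionice -c 3 nice -n 19 "$@"
    else
        nice -n 19 "$@"
    fi
}

# List .shosts and shosts.equiv files (the RHEL-07-040330 search).
# -xdev keeps find on one filesystem so network mounts are not crawled.
find_shosts() {
    low_prio find "$1" -xdev -type f \
        \( -name .shosts -o -name shosts.equiv \) -print
}

# List directories that any user can write to.
find_world_writable_dirs() {
    low_prio find "$1" -xdev -type d -perm -0002 -print
}

# Print labelled findings for one tree; return 1 if anything was found.
audit_tree() {
    report=$(
        find_shosts "$1" | sed 's/^/shosts-file /'
        find_world_writable_dirs "$1" | sed 's/^/world-writable-dir /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

The non-zero return from audit_tree makes it usable from cron or a monitoring check, which alerts only when a finding appears.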