Queens Series Release Notes

17.0.4-11

New Features

It is now possible to modify the NTP server options in chrony using security_ntp_server_options.
Chrony got a new configuration option to synchronize the system clock back to the RTC using the security_ntp_sync_rtc variable. It is disabled by default.
17.0.0

New Features

Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.
Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting security_check_package_checksums to yes.
Fedora 26 is now supported.
The default list of NTP servers for chrony is now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the security_ntp_servers Ansible variable.
The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.
The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.
The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enterprise Linux Security Technical Implementation Guide.
The sysctl parameter kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.
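The PermitRootLogin and kernel.randomize_va_space items above are two settings a deployer typically verifies on a host after the role has run. The following Python check is an added example and not code from ansible-hardening: it parses a constructed sshd_config fragment (honouring OpenSSH's first-value-wins rule and skipping Match blocks), classifies the effective PermitRootLogin value against the five options the role accepts, and parses a constructed sysctl fragment to confirm that ASLR is fully enabled. The sample inputs and function names are this example's own.

```python
import re

# Values OpenSSH accepts for PermitRootLogin; the role lets deployers pick any of them.
PERMIT_ROOT_LOGIN_VALUES = {"without-password", "prohibit-password",
                            "forced-commands-only", "yes", "no"}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin without-password
# A later duplicate is ignored: OpenSSH keeps the first value it reads.
PermitRootLogin yes
Match User backup
    PermitRootLogin no
"""

SAMPLE_SYSCTL_CONF = """\
# constructed sysctl.d fragment
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
"""


def sshd_effective_value(config_text, keyword):
    """Return the effective global value of `keyword` in an sshd_config body.

    OpenSSH uses the first occurrence of a keyword, so later duplicates are
    ignored, and directives inside a Match block are skipped because they
    apply only conditionally. Returns None when the keyword is not set.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == keyword.lower():
            return value
    return None


def classify_permit_root_login(config_text):
    """Classify the effective PermitRootLogin setting.

    'key-only' covers the values that keep root reachable only with keys or
    forced commands (the role's new default is without-password). 'unset' is
    reported rather than guessing OpenSSH's version-dependent built-in default.
    """
    value = sshd_effective_value(config_text, "PermitRootLogin")
    if value is None:
        return "unset"
    if value not in PERMIT_ROOT_LOGIN_VALUES:
        return "invalid"
    if value == "yes":
        return "password-allowed"
    if value == "no":
        return "disabled"
    return "key-only"


def parse_sysctl_conf(text):
    """Parse sysctl.conf / sysctl.d style 'key = value' lines into a dict.
    Lines starting with '#' or ';' are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def aslr_fully_enabled(sysctl_text):
    """True only when kernel.randomize_va_space is 2 (stack, mmap, VDSO and brk
    randomized); 1 leaves the brk heap base predictable and 0 disables ASLR."""
    return parse_sysctl_conf(sysctl_text).get("kernel.randomize_va_space") == "2"


if __name__ == "__main__":
    print("PermitRootLogin:", classify_permit_root_login(SAMPLE_SSHD_CONFIG))
    print("ASLR fully enabled:", aslr_fully_enabled(SAMPLE_SYSCTL_CONF))
```

Run it against the real files by reading /etc/ssh/sshd_config and the output of sysctl -a instead of the constructed samples; the parser deliberately ignores Match blocks, so a conditional PermitRootLogin override for a specific user would need a separate check.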
The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.
Upgrade Notes

The EPEL repository is only installed and configured when the deployer sets security_enable_virus_scanner to yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added. See Bug 1702167 for more details.
Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting security_epel_install_repository to no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.
The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.
Deprecation Notes

Fedora 25 support is deprecated and no longer tested on each commit.

Security Issues

PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.
Bug Fixes

The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set. There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.