From 38b512e7acdac335348a7fd4ad164b7392607c6c Mon Sep 17 00:00:00 2001 
From: Major Hayden Date: Mon, 27 Jun 2016 10:41:33 -0700 Subject: [PATCH] Docs: Fix rendering of :orphan: This patch removes the ``:orphan:`` docinfo from the documentation and instead adds the orphaned docs into the ``exclude_pattern`` configuration option. There's a bug that causes the tag to actually get rendered in the docs when those docs are brought in via an include. Backport-of: Iacce8f5bfd9a629117564938bbb376bf5abcec31 Change-Id: I815070d1de924c9c4ec7c21098acb6c52baac3b8 --- doc/source/conf.py | 5 ++++- doc/source/developer-notes/V-38437.rst | 2 -- doc/source/developer-notes/V-38438.rst | 2 -- doc/source/developer-notes/V-38439.rst | 2 -- doc/source/developer-notes/V-38443.rst | 2 -- doc/source/developer-notes/V-38444.rst | 2 -- doc/source/developer-notes/V-38445.rst | 2 -- doc/source/developer-notes/V-38446.rst | 2 -- doc/source/developer-notes/V-38447.rst | 2 -- doc/source/developer-notes/V-38448.rst | 2 -- doc/source/developer-notes/V-38449.rst | 2 -- doc/source/developer-notes/V-38450.rst | 2 -- doc/source/developer-notes/V-38451.rst | 2 -- doc/source/developer-notes/V-38452.rst | 2 -- doc/source/developer-notes/V-38453.rst | 2 -- doc/source/developer-notes/V-38454.rst | 2 -- doc/source/developer-notes/V-38455.rst | 2 -- doc/source/developer-notes/V-38456.rst | 2 -- doc/source/developer-notes/V-38457.rst | 2 -- doc/source/developer-notes/V-38458.rst | 2 -- doc/source/developer-notes/V-38459.rst | 4 +--- doc/source/developer-notes/V-38460.rst | 2 -- doc/source/developer-notes/V-38461.rst | 2 -- doc/source/developer-notes/V-38462.rst | 2 -- doc/source/developer-notes/V-38463.rst | 2 -- doc/source/developer-notes/V-38464.rst | 2 -- doc/source/developer-notes/V-38465.rst | 2 -- doc/source/developer-notes/V-38466.rst | 2 -- doc/source/developer-notes/V-38467.rst | 2 -- doc/source/developer-notes/V-38468.rst | 2 -- doc/source/developer-notes/V-38469.rst | 2 -- doc/source/developer-notes/V-38470.rst | 2 -- doc/source/developer-notes/V-38471.rst | 2 -- 
doc/source/developer-notes/V-38472.rst | 2 -- doc/source/developer-notes/V-38473.rst | 2 -- doc/source/developer-notes/V-38474.rst | 2 -- doc/source/developer-notes/V-38475.rst | 2 -- doc/source/developer-notes/V-38476.rst | 2 -- doc/source/developer-notes/V-38477.rst | 2 -- doc/source/developer-notes/V-38478.rst | 2 -- doc/source/developer-notes/V-38479.rst | 2 -- doc/source/developer-notes/V-38480.rst | 2 -- doc/source/developer-notes/V-38481.rst | 2 -- doc/source/developer-notes/V-38482.rst | 2 -- doc/source/developer-notes/V-38483.rst | 2 -- doc/source/developer-notes/V-38484.rst | 2 -- doc/source/developer-notes/V-38486.rst | 2 -- doc/source/developer-notes/V-38487.rst | 2 -- doc/source/developer-notes/V-38488.rst | 2 -- doc/source/developer-notes/V-38489.rst | 2 -- doc/source/developer-notes/V-38490.rst | 2 -- doc/source/developer-notes/V-38491.rst | 2 -- doc/source/developer-notes/V-38492.rst | 2 -- doc/source/developer-notes/V-38493.rst | 2 -- doc/source/developer-notes/V-38494.rst | 2 -- doc/source/developer-notes/V-38495.rst | 2 -- doc/source/developer-notes/V-38496.rst | 2 -- doc/source/developer-notes/V-38497.rst | 2 -- doc/source/developer-notes/V-38498.rst | 2 -- doc/source/developer-notes/V-38499.rst | 2 -- doc/source/developer-notes/V-38500.rst | 2 -- doc/source/developer-notes/V-38501.rst | 2 -- doc/source/developer-notes/V-38502.rst | 2 -- doc/source/developer-notes/V-38503.rst | 2 -- doc/source/developer-notes/V-38504.rst | 2 -- doc/source/developer-notes/V-38511.rst | 2 -- doc/source/developer-notes/V-38512.rst | 2 -- doc/source/developer-notes/V-38514.rst | 2 -- doc/source/developer-notes/V-38515.rst | 2 -- doc/source/developer-notes/V-38516.rst | 2 -- doc/source/developer-notes/V-38517.rst | 2 -- doc/source/developer-notes/V-38518.rst | 2 -- doc/source/developer-notes/V-38520.rst | 4 +--- doc/source/developer-notes/V-38522.rst | 2 -- doc/source/developer-notes/V-38523.rst | 2 -- doc/source/developer-notes/V-38525.rst | 2 -- 
doc/source/developer-notes/V-38527.rst | 2 -- doc/source/developer-notes/V-38528.rst | 2 -- doc/source/developer-notes/V-38530.rst | 2 -- doc/source/developer-notes/V-38531.rst | 2 -- doc/source/developer-notes/V-38534.rst | 2 -- doc/source/developer-notes/V-38535.rst | 2 -- doc/source/developer-notes/V-38536.rst | 2 -- doc/source/developer-notes/V-38537.rst | 2 -- doc/source/developer-notes/V-38538.rst | 2 -- doc/source/developer-notes/V-38539.rst | 2 -- doc/source/developer-notes/V-38540.rst | 2 -- doc/source/developer-notes/V-38541.rst | 2 -- doc/source/developer-notes/V-38543.rst | 2 -- doc/source/developer-notes/V-38545.rst | 2 -- doc/source/developer-notes/V-38546.rst | 2 -- doc/source/developer-notes/V-38548.rst | 2 -- doc/source/developer-notes/V-38549.rst | 2 -- doc/source/developer-notes/V-38551.rst | 2 -- doc/source/developer-notes/V-38552.rst | 2 -- doc/source/developer-notes/V-38554.rst | 2 -- doc/source/developer-notes/V-38555.rst | 2 -- doc/source/developer-notes/V-38556.rst | 4 +--- doc/source/developer-notes/V-38557.rst | 2 -- doc/source/developer-notes/V-38558.rst | 2 -- doc/source/developer-notes/V-38559.rst | 2 -- doc/source/developer-notes/V-38561.rst | 2 -- doc/source/developer-notes/V-38563.rst | 2 -- doc/source/developer-notes/V-38565.rst | 2 -- doc/source/developer-notes/V-38566.rst | 2 -- doc/source/developer-notes/V-38567.rst | 2 -- doc/source/developer-notes/V-38568.rst | 2 -- doc/source/developer-notes/V-38574.rst | 2 -- doc/source/developer-notes/V-38575.rst | 2 -- doc/source/developer-notes/V-38576.rst | 2 -- doc/source/developer-notes/V-38577.rst | 2 -- doc/source/developer-notes/V-38578.rst | 2 -- doc/source/developer-notes/V-38579.rst | 2 -- doc/source/developer-notes/V-38580.rst | 2 -- doc/source/developer-notes/V-38581.rst | 2 -- doc/source/developer-notes/V-38582.rst | 2 -- doc/source/developer-notes/V-38583.rst | 2 -- doc/source/developer-notes/V-38584.rst | 2 -- doc/source/developer-notes/V-38585.rst | 2 -- 
doc/source/developer-notes/V-38586.rst | 2 -- doc/source/developer-notes/V-38587.rst | 2 -- doc/source/developer-notes/V-38588.rst | 2 -- doc/source/developer-notes/V-38589.rst | 2 -- doc/source/developer-notes/V-38590.rst | 2 -- doc/source/developer-notes/V-38591.rst | 2 -- doc/source/developer-notes/V-38592.rst | 2 -- doc/source/developer-notes/V-38593.rst | 2 -- doc/source/developer-notes/V-38594.rst | 2 -- doc/source/developer-notes/V-38595.rst | 2 -- doc/source/developer-notes/V-38596.rst | 2 -- doc/source/developer-notes/V-38597.rst | 2 -- doc/source/developer-notes/V-38598.rst | 2 -- doc/source/developer-notes/V-38599.rst | 2 -- doc/source/developer-notes/V-38600.rst | 2 -- doc/source/developer-notes/V-38601.rst | 2 -- doc/source/developer-notes/V-38602.rst | 2 -- doc/source/developer-notes/V-38603.rst | 2 -- doc/source/developer-notes/V-38604.rst | 2 -- doc/source/developer-notes/V-38605.rst | 2 -- doc/source/developer-notes/V-38606.rst | 2 -- doc/source/developer-notes/V-38607.rst | 2 -- doc/source/developer-notes/V-38608.rst | 2 -- doc/source/developer-notes/V-38609.rst | 2 -- doc/source/developer-notes/V-38610.rst | 2 -- doc/source/developer-notes/V-38611.rst | 2 -- doc/source/developer-notes/V-38612.rst | 2 -- doc/source/developer-notes/V-38613.rst | 2 -- doc/source/developer-notes/V-38614.rst | 2 -- doc/source/developer-notes/V-38615.rst | 2 -- doc/source/developer-notes/V-38616.rst | 2 -- doc/source/developer-notes/V-38617.rst | 2 -- doc/source/developer-notes/V-38618.rst | 2 -- doc/source/developer-notes/V-38619.rst | 2 -- doc/source/developer-notes/V-38620.rst | 2 -- doc/source/developer-notes/V-38621.rst | 2 -- doc/source/developer-notes/V-38622.rst | 2 -- doc/source/developer-notes/V-38623.rst | 2 -- doc/source/developer-notes/V-38624.rst | 2 -- doc/source/developer-notes/V-38625.rst | 2 -- doc/source/developer-notes/V-38627.rst | 2 -- doc/source/developer-notes/V-38628.rst | 2 -- doc/source/developer-notes/V-38629.rst | 2 -- 
doc/source/developer-notes/V-38631.rst | 2 -- doc/source/developer-notes/V-38632.rst | 2 -- doc/source/developer-notes/V-38633.rst | 2 -- doc/source/developer-notes/V-38634.rst | 2 -- doc/source/developer-notes/V-38635.rst | 2 -- doc/source/developer-notes/V-38636.rst | 2 -- doc/source/developer-notes/V-38637.rst | 2 -- doc/source/developer-notes/V-38640.rst | 2 -- doc/source/developer-notes/V-38641.rst | 2 -- doc/source/developer-notes/V-38642.rst | 2 -- doc/source/developer-notes/V-38643.rst | 2 -- doc/source/developer-notes/V-38644.rst | 2 -- doc/source/developer-notes/V-38645.rst | 2 -- doc/source/developer-notes/V-38646.rst | 2 -- doc/source/developer-notes/V-38647.rst | 2 -- doc/source/developer-notes/V-38648.rst | 2 -- doc/source/developer-notes/V-38649.rst | 2 -- doc/source/developer-notes/V-38650.rst | 2 -- doc/source/developer-notes/V-38651.rst | 2 -- doc/source/developer-notes/V-38652.rst | 2 -- doc/source/developer-notes/V-38653.rst | 2 -- doc/source/developer-notes/V-38654.rst | 2 -- doc/source/developer-notes/V-38655.rst | 2 -- doc/source/developer-notes/V-38656.rst | 2 -- doc/source/developer-notes/V-38657.rst | 2 -- doc/source/developer-notes/V-38658.rst | 2 -- doc/source/developer-notes/V-38659.rst | 2 -- doc/source/developer-notes/V-38660.rst | 2 -- doc/source/developer-notes/V-38666.rst | 2 -- doc/source/developer-notes/V-38667.rst | 2 -- doc/source/developer-notes/V-38668.rst | 2 -- doc/source/developer-notes/V-38669.rst | 2 -- doc/source/developer-notes/V-38670.rst | 2 -- doc/source/developer-notes/V-38671.rst | 2 -- doc/source/developer-notes/V-38672.rst | 2 -- doc/source/developer-notes/V-38673.rst | 2 -- doc/source/developer-notes/V-38674.rst | 2 -- doc/source/developer-notes/V-38675.rst | 2 -- doc/source/developer-notes/V-38676.rst | 2 -- doc/source/developer-notes/V-38677.rst | 2 -- doc/source/developer-notes/V-38678.rst | 2 -- doc/source/developer-notes/V-38679.rst | 2 -- doc/source/developer-notes/V-38680.rst | 2 -- 
doc/source/developer-notes/V-38681.rst | 2 -- doc/source/developer-notes/V-38682.rst | 2 -- doc/source/developer-notes/V-38683.rst | 2 -- doc/source/developer-notes/V-38684.rst | 2 -- doc/source/developer-notes/V-38685.rst | 2 -- doc/source/developer-notes/V-38687.rst | 2 -- doc/source/developer-notes/V-38691.rst | 2 -- doc/source/developer-notes/V-38692.rst | 2 -- doc/source/developer-notes/V-38697.rst | 2 -- doc/source/developer-notes/V-38699.rst | 2 -- doc/source/developer-notes/V-38701.rst | 2 -- doc/source/developer-notes/V-38702.rst | 2 -- doc/source/developer-notes/V-51337.rst | 2 -- doc/source/developer-notes/V-51363.rst | 2 -- doc/source/developer-notes/V-51369.rst | 2 -- doc/source/developer-notes/V-51379.rst | 2 -- doc/source/developer-notes/V-51391.rst | 2 -- doc/source/developer-notes/V-54381.rst | 2 -- doc/source/developer-notes/V-57569.rst | 2 -- doc/source/developer-notes/V-58901.rst | 2 -- doc/source/stig-notes/V-38437.rst | 2 -- doc/source/stig-notes/V-38438.rst | 2 -- doc/source/stig-notes/V-38439.rst | 2 -- doc/source/stig-notes/V-38443.rst | 2 -- doc/source/stig-notes/V-38444.rst | 2 -- doc/source/stig-notes/V-38445.rst | 2 -- doc/source/stig-notes/V-38446.rst | 2 -- doc/source/stig-notes/V-38447.rst | 2 -- doc/source/stig-notes/V-38448.rst | 2 -- doc/source/stig-notes/V-38449.rst | 2 -- doc/source/stig-notes/V-38450.rst | 2 -- doc/source/stig-notes/V-38451.rst | 2 -- doc/source/stig-notes/V-38452.rst | 2 -- doc/source/stig-notes/V-38453.rst | 2 -- doc/source/stig-notes/V-38454.rst | 2 -- doc/source/stig-notes/V-38455.rst | 2 -- doc/source/stig-notes/V-38456.rst | 2 -- doc/source/stig-notes/V-38457.rst | 2 -- doc/source/stig-notes/V-38458.rst | 2 -- doc/source/stig-notes/V-38459.rst | 2 -- doc/source/stig-notes/V-38460.rst | 2 -- doc/source/stig-notes/V-38461.rst | 2 -- doc/source/stig-notes/V-38462.rst | 2 -- doc/source/stig-notes/V-38463.rst | 2 -- doc/source/stig-notes/V-38464.rst | 2 -- doc/source/stig-notes/V-38465.rst | 2 -- 
doc/source/stig-notes/V-38466.rst | 2 -- doc/source/stig-notes/V-38467.rst | 2 -- doc/source/stig-notes/V-38468.rst | 2 -- doc/source/stig-notes/V-38469.rst | 2 -- doc/source/stig-notes/V-38470.rst | 2 -- doc/source/stig-notes/V-38471.rst | 2 -- doc/source/stig-notes/V-38472.rst | 2 -- doc/source/stig-notes/V-38473.rst | 2 -- doc/source/stig-notes/V-38474.rst | 2 -- doc/source/stig-notes/V-38475.rst | 2 -- doc/source/stig-notes/V-38476.rst | 2 -- doc/source/stig-notes/V-38477.rst | 2 -- doc/source/stig-notes/V-38478.rst | 2 -- doc/source/stig-notes/V-38479.rst | 2 -- doc/source/stig-notes/V-38480.rst | 2 -- doc/source/stig-notes/V-38481.rst | 2 -- doc/source/stig-notes/V-38482.rst | 2 -- doc/source/stig-notes/V-38483.rst | 2 -- doc/source/stig-notes/V-38484.rst | 2 -- doc/source/stig-notes/V-38486.rst | 2 -- doc/source/stig-notes/V-38487.rst | 2 -- doc/source/stig-notes/V-38488.rst | 2 -- doc/source/stig-notes/V-38489.rst | 2 -- doc/source/stig-notes/V-38490.rst | 2 -- doc/source/stig-notes/V-38491.rst | 2 -- doc/source/stig-notes/V-38492.rst | 2 -- doc/source/stig-notes/V-38493.rst | 2 -- doc/source/stig-notes/V-38494.rst | 2 -- doc/source/stig-notes/V-38495.rst | 2 -- doc/source/stig-notes/V-38496.rst | 2 -- doc/source/stig-notes/V-38497.rst | 2 -- doc/source/stig-notes/V-38498.rst | 2 -- doc/source/stig-notes/V-38499.rst | 2 -- doc/source/stig-notes/V-38500.rst | 2 -- doc/source/stig-notes/V-38501.rst | 2 -- doc/source/stig-notes/V-38502.rst | 2 -- doc/source/stig-notes/V-38503.rst | 2 -- doc/source/stig-notes/V-38504.rst | 2 -- doc/source/stig-notes/V-38511.rst | 2 -- doc/source/stig-notes/V-38512.rst | 2 -- doc/source/stig-notes/V-38513.rst | 2 -- doc/source/stig-notes/V-38514.rst | 2 -- doc/source/stig-notes/V-38515.rst | 2 -- doc/source/stig-notes/V-38516.rst | 2 -- doc/source/stig-notes/V-38517.rst | 2 -- doc/source/stig-notes/V-38518.rst | 2 -- doc/source/stig-notes/V-38519.rst | 2 -- doc/source/stig-notes/V-38520.rst | 2 -- 
doc/source/stig-notes/V-38521.rst | 2 -- doc/source/stig-notes/V-38522.rst | 2 -- doc/source/stig-notes/V-38523.rst | 2 -- doc/source/stig-notes/V-38524.rst | 2 -- doc/source/stig-notes/V-38525.rst | 2 -- doc/source/stig-notes/V-38526.rst | 2 -- doc/source/stig-notes/V-38527.rst | 2 -- doc/source/stig-notes/V-38528.rst | 2 -- doc/source/stig-notes/V-38529.rst | 2 -- doc/source/stig-notes/V-38530.rst | 2 -- doc/source/stig-notes/V-38531.rst | 2 -- doc/source/stig-notes/V-38532.rst | 2 -- doc/source/stig-notes/V-38533.rst | 2 -- doc/source/stig-notes/V-38534.rst | 2 -- doc/source/stig-notes/V-38535.rst | 2 -- doc/source/stig-notes/V-38536.rst | 2 -- doc/source/stig-notes/V-38537.rst | 2 -- doc/source/stig-notes/V-38538.rst | 2 -- doc/source/stig-notes/V-38539.rst | 2 -- doc/source/stig-notes/V-38540.rst | 2 -- doc/source/stig-notes/V-38541.rst | 2 -- doc/source/stig-notes/V-38542.rst | 2 -- doc/source/stig-notes/V-38543.rst | 2 -- doc/source/stig-notes/V-38544.rst | 2 -- doc/source/stig-notes/V-38545.rst | 2 -- doc/source/stig-notes/V-38546.rst | 2 -- doc/source/stig-notes/V-38547.rst | 2 -- doc/source/stig-notes/V-38548.rst | 2 -- doc/source/stig-notes/V-38549.rst | 2 -- doc/source/stig-notes/V-38550.rst | 2 -- doc/source/stig-notes/V-38551.rst | 2 -- doc/source/stig-notes/V-38552.rst | 2 -- doc/source/stig-notes/V-38553.rst | 2 -- doc/source/stig-notes/V-38554.rst | 2 -- doc/source/stig-notes/V-38555.rst | 2 -- doc/source/stig-notes/V-38556.rst | 2 -- doc/source/stig-notes/V-38557.rst | 2 -- doc/source/stig-notes/V-38558.rst | 2 -- doc/source/stig-notes/V-38559.rst | 2 -- doc/source/stig-notes/V-38560.rst | 2 -- doc/source/stig-notes/V-38561.rst | 2 -- doc/source/stig-notes/V-38563.rst | 2 -- doc/source/stig-notes/V-38565.rst | 2 -- doc/source/stig-notes/V-38566.rst | 2 -- doc/source/stig-notes/V-38567.rst | 2 -- doc/source/stig-notes/V-38568.rst | 2 -- doc/source/stig-notes/V-38569.rst | 2 -- doc/source/stig-notes/V-38570.rst | 2 -- 
doc/source/stig-notes/V-38571.rst | 2 -- doc/source/stig-notes/V-38572.rst | 2 -- doc/source/stig-notes/V-38573.rst | 2 -- doc/source/stig-notes/V-38574.rst | 2 -- doc/source/stig-notes/V-38575.rst | 2 -- doc/source/stig-notes/V-38576.rst | 2 -- doc/source/stig-notes/V-38577.rst | 2 -- doc/source/stig-notes/V-38578.rst | 2 -- doc/source/stig-notes/V-38579.rst | 2 -- doc/source/stig-notes/V-38580.rst | 2 -- doc/source/stig-notes/V-38581.rst | 2 -- doc/source/stig-notes/V-38582.rst | 2 -- doc/source/stig-notes/V-38583.rst | 2 -- doc/source/stig-notes/V-38584.rst | 2 -- doc/source/stig-notes/V-38585.rst | 2 -- doc/source/stig-notes/V-38586.rst | 2 -- doc/source/stig-notes/V-38587.rst | 2 -- doc/source/stig-notes/V-38588.rst | 2 -- doc/source/stig-notes/V-38589.rst | 2 -- doc/source/stig-notes/V-38590.rst | 2 -- doc/source/stig-notes/V-38591.rst | 2 -- doc/source/stig-notes/V-38592.rst | 2 -- doc/source/stig-notes/V-38593.rst | 2 -- doc/source/stig-notes/V-38594.rst | 2 -- doc/source/stig-notes/V-38595.rst | 2 -- doc/source/stig-notes/V-38596.rst | 2 -- doc/source/stig-notes/V-38597.rst | 2 -- doc/source/stig-notes/V-38598.rst | 2 -- doc/source/stig-notes/V-38599.rst | 2 -- doc/source/stig-notes/V-38600.rst | 2 -- doc/source/stig-notes/V-38601.rst | 2 -- doc/source/stig-notes/V-38602.rst | 2 -- doc/source/stig-notes/V-38603.rst | 2 -- doc/source/stig-notes/V-38604.rst | 2 -- doc/source/stig-notes/V-38605.rst | 2 -- doc/source/stig-notes/V-38606.rst | 2 -- doc/source/stig-notes/V-38607.rst | 2 -- doc/source/stig-notes/V-38608.rst | 2 -- doc/source/stig-notes/V-38609.rst | 2 -- doc/source/stig-notes/V-38610.rst | 2 -- doc/source/stig-notes/V-38611.rst | 2 -- doc/source/stig-notes/V-38612.rst | 2 -- doc/source/stig-notes/V-38613.rst | 2 -- doc/source/stig-notes/V-38614.rst | 2 -- doc/source/stig-notes/V-38615.rst | 2 -- doc/source/stig-notes/V-38616.rst | 2 -- doc/source/stig-notes/V-38617.rst | 2 -- doc/source/stig-notes/V-38618.rst | 2 -- 
doc/source/stig-notes/V-38619.rst | 2 -- doc/source/stig-notes/V-38620.rst | 2 -- doc/source/stig-notes/V-38621.rst | 2 -- doc/source/stig-notes/V-38622.rst | 2 -- doc/source/stig-notes/V-38623.rst | 2 -- doc/source/stig-notes/V-38624.rst | 2 -- doc/source/stig-notes/V-38625.rst | 2 -- doc/source/stig-notes/V-38626.rst | 2 -- doc/source/stig-notes/V-38627.rst | 2 -- doc/source/stig-notes/V-38628.rst | 2 -- doc/source/stig-notes/V-38629.rst | 2 -- doc/source/stig-notes/V-38630.rst | 2 -- doc/source/stig-notes/V-38631.rst | 2 -- doc/source/stig-notes/V-38632.rst | 2 -- doc/source/stig-notes/V-38633.rst | 2 -- doc/source/stig-notes/V-38634.rst | 2 -- doc/source/stig-notes/V-38635.rst | 2 -- doc/source/stig-notes/V-38636.rst | 2 -- doc/source/stig-notes/V-38637.rst | 2 -- doc/source/stig-notes/V-38638.rst | 2 -- doc/source/stig-notes/V-38639.rst | 2 -- doc/source/stig-notes/V-38640.rst | 2 -- doc/source/stig-notes/V-38641.rst | 2 -- doc/source/stig-notes/V-38642.rst | 2 -- doc/source/stig-notes/V-38643.rst | 2 -- doc/source/stig-notes/V-38644.rst | 2 -- doc/source/stig-notes/V-38645.rst | 2 -- doc/source/stig-notes/V-38646.rst | 2 -- doc/source/stig-notes/V-38647.rst | 2 -- doc/source/stig-notes/V-38648.rst | 2 -- doc/source/stig-notes/V-38649.rst | 2 -- doc/source/stig-notes/V-38650.rst | 2 -- doc/source/stig-notes/V-38651.rst | 2 -- doc/source/stig-notes/V-38652.rst | 2 -- doc/source/stig-notes/V-38653.rst | 2 -- doc/source/stig-notes/V-38654.rst | 2 -- doc/source/stig-notes/V-38655.rst | 2 -- doc/source/stig-notes/V-38656.rst | 2 -- doc/source/stig-notes/V-38657.rst | 2 -- doc/source/stig-notes/V-38658.rst | 2 -- doc/source/stig-notes/V-38659.rst | 2 -- doc/source/stig-notes/V-38660.rst | 2 -- doc/source/stig-notes/V-38661.rst | 2 -- doc/source/stig-notes/V-38662.rst | 2 -- doc/source/stig-notes/V-38663.rst | 2 -- doc/source/stig-notes/V-38664.rst | 2 -- doc/source/stig-notes/V-38665.rst | 2 -- doc/source/stig-notes/V-38666.rst | 2 -- 
doc/source/stig-notes/V-38667.rst | 2 -- doc/source/stig-notes/V-38668.rst | 2 -- doc/source/stig-notes/V-38669.rst | 2 -- doc/source/stig-notes/V-38670.rst | 2 -- doc/source/stig-notes/V-38671.rst | 2 -- doc/source/stig-notes/V-38672.rst | 2 -- doc/source/stig-notes/V-38673.rst | 2 -- doc/source/stig-notes/V-38674.rst | 2 -- doc/source/stig-notes/V-38675.rst | 2 -- doc/source/stig-notes/V-38676.rst | 2 -- doc/source/stig-notes/V-38677.rst | 2 -- doc/source/stig-notes/V-38678.rst | 2 -- doc/source/stig-notes/V-38679.rst | 2 -- doc/source/stig-notes/V-38680.rst | 2 -- doc/source/stig-notes/V-38681.rst | 2 -- doc/source/stig-notes/V-38682.rst | 2 -- doc/source/stig-notes/V-38683.rst | 2 -- doc/source/stig-notes/V-38684.rst | 2 -- doc/source/stig-notes/V-38685.rst | 2 -- doc/source/stig-notes/V-38686.rst | 2 -- doc/source/stig-notes/V-38687.rst | 2 -- doc/source/stig-notes/V-38688.rst | 2 -- doc/source/stig-notes/V-38689.rst | 2 -- doc/source/stig-notes/V-38690.rst | 2 -- doc/source/stig-notes/V-38691.rst | 2 -- doc/source/stig-notes/V-38692.rst | 2 -- doc/source/stig-notes/V-38693.rst | 2 -- doc/source/stig-notes/V-38694.rst | 2 -- doc/source/stig-notes/V-38695.rst | 2 -- doc/source/stig-notes/V-38696.rst | 2 -- doc/source/stig-notes/V-38697.rst | 2 -- doc/source/stig-notes/V-38698.rst | 2 -- doc/source/stig-notes/V-38699.rst | 2 -- doc/source/stig-notes/V-38700.rst | 2 -- doc/source/stig-notes/V-38701.rst | 2 -- doc/source/stig-notes/V-38702.rst | 2 -- doc/source/stig-notes/V-43150.rst | 2 -- doc/source/stig-notes/V-51337.rst | 2 -- doc/source/stig-notes/V-51363.rst | 2 -- doc/source/stig-notes/V-51369.rst | 2 -- doc/source/stig-notes/V-51379.rst | 2 -- doc/source/stig-notes/V-51391.rst | 2 -- doc/source/stig-notes/V-51875.rst | 2 -- doc/source/stig-notes/V-54381.rst | 2 -- doc/source/stig-notes/V-57569.rst | 2 -- doc/source/stig-notes/V-58901.rst | 2 -- 489 files changed, 7 insertions(+), 980 deletions(-) 
diff --git a/doc/source/conf.py b/doc/source/conf.py
index 8339d120..106994da 100644
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -74,7 +74,10 @@ language = None
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-exclude_patterns = []
+exclude_patterns = [
+ 'developer-notes/*.rst',
+ 'stig-notes/*.rst'
+]
 # The reST default role (used for this markup: `text`) to use for all
 # documents.
diff --git a/doc/source/developer-notes/V-38437.rst b/doc/source/developer-notes/V-38437.rst
index 1e2ae6a0..b98be695 100644
--- a/doc/source/developer-notes/V-38437.rst
+++ b/doc/source/developer-notes/V-38437.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out of this change, adjust the following variable:
diff --git a/doc/source/developer-notes/V-38438.rst b/doc/source/developer-notes/V-38438.rst
index 948c1881..4b39ed3d 100644
--- a/doc/source/developer-notes/V-38438.rst
+++ b/doc/source/developer-notes/V-38438.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Adjusting the bootloader configuration can cause issues with reboots and this
diff --git a/doc/source/developer-notes/V-38439.rst b/doc/source/developer-notes/V-38439.rst
index 283b8c43..d06d35fe 100644
--- a/doc/source/developer-notes/V-38439.rst
+++ b/doc/source/developer-notes/V-38439.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Although adding centralized authentication and carefully managing user
diff --git a/doc/source/developer-notes/V-38443.rst b/doc/source/developer-notes/V-38443.rst
index 42174bb4..0f8a56f4 100644
--- a/doc/source/developer-notes/V-38443.rst
+++ b/doc/source/developer-notes/V-38443.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will ensure that ``/etc/gshadow`` is owned by root. This is the default in Ubuntu 14.04 already, but the tasks will ensure that the permissions match the STIG requirements in case they were changed by other
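Review bot: The new `exclude_patterns` entries in doc/source/conf.py carry no comment saying why both note directories are excluded, so a later cleanup could remove them and bring the rendered `:orphan:` text back. A short comment above the list would help, for example `# Note fragments are pulled in with include directives; keep them out of source discovery.` Because the globs exclude every `.rst` file under `developer-notes/` and `stig-notes/`, a note that is never included elsewhere will presumably drop out of the build without a warning, which is worth confirming for the STIG pages. A trailing comma after `'stig-notes/*.rst'` would also keep future additions to one-line diffs.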
diff --git a/doc/source/developer-notes/V-38444.rst b/doc/source/developer-notes/V-38444.rst
index 1c3d854a..eaea8db5 100644
--- a/doc/source/developer-notes/V-38444.rst
+++ b/doc/source/developer-notes/V-38444.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** See V-38551 for additional details. IPv6 configuration and filtering is left
diff --git a/doc/source/developer-notes/V-38445.rst b/doc/source/developer-notes/V-38445.rst
index 5b0e6266..3818e0fd 100644
--- a/doc/source/developer-notes/V-38445.rst
+++ b/doc/source/developer-notes/V-38445.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although audit log files are owned by the root user and group by default in Ubuntu 14.04, the Ansible task for V-38445 will ensure that they are configured as such.
diff --git a/doc/source/developer-notes/V-38446.rst b/doc/source/developer-notes/V-38446.rst
index 15bcab15..de70a78c 100644
--- a/doc/source/developer-notes/V-38446.rst
+++ b/doc/source/developer-notes/V-38446.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Forwarding root's email to another user is highly recommended, but the Ansible tasks won't configure an email address to receive root's email unless that email address is configured. Set ``root_forward_email`` to an email address
diff --git a/doc/source/developer-notes/V-38447.rst b/doc/source/developer-notes/V-38447.rst
index e937e853..11df8d93 100644
--- a/doc/source/developer-notes/V-38447.rst
+++ b/doc/source/developer-notes/V-38447.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Verifying contents of files installed from packages is more difficult in
diff --git a/doc/source/developer-notes/V-38448.rst b/doc/source/developer-notes/V-38448.rst
index 9b2a5996..ef9023ab 100644
--- a/doc/source/developer-notes/V-38448.rst
+++ b/doc/source/developer-notes/V-38448.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Although the ``/etc/gshadow`` file is group-owned by root by default, the Ansible tasks will ensure that it is configured that way.
diff --git a/doc/source/developer-notes/V-38449.rst b/doc/source/developer-notes/V-38449.rst
index ef78b257..c4746e25 100644
--- a/doc/source/developer-notes/V-38449.rst
+++ b/doc/source/developer-notes/V-38449.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet the requirements of the STIG.
diff --git a/doc/source/developer-notes/V-38450.rst b/doc/source/developer-notes/V-38450.rst
index 08c170ac..e697cf70 100644
--- a/doc/source/developer-notes/V-38450.rst
+++ b/doc/source/developer-notes/V-38450.rst
@@ -1,3 +1 @@
-:orphan:
-
 The ownership of ``/etc/passwd`` will be changed to root.
diff --git a/doc/source/developer-notes/V-38451.rst b/doc/source/developer-notes/V-38451.rst
index 2212f5ff..6bc4e6e8 100644
--- a/doc/source/developer-notes/V-38451.rst
+++ b/doc/source/developer-notes/V-38451.rst
@@ -1,3 +1 @@
-:orphan:
-
 The group ownership for ``/etc/passwd`` will be set to root.
diff --git a/doc/source/developer-notes/V-38452.rst b/doc/source/developer-notes/V-38452.rst
index 2450bfc0..4d2d9992 100644
--- a/doc/source/developer-notes/V-38452.rst
+++ b/doc/source/developer-notes/V-38452.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Verifying permissions of installed packages isn't possible in the current
diff --git a/doc/source/developer-notes/V-38453.rst b/doc/source/developer-notes/V-38453.rst
index b4c4b251..8f7ae067 100644
--- a/doc/source/developer-notes/V-38453.rst
+++ b/doc/source/developer-notes/V-38453.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Verifying ownership of installed packages isn't possible in the current
diff --git a/doc/source/developer-notes/V-38454.rst b/doc/source/developer-notes/V-38454.rst
index 3fde149e..e21b199d 100644
--- a/doc/source/developer-notes/V-38454.rst
+++ b/doc/source/developer-notes/V-38454.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Verifying ownership of installed packages isn't possible in the current
diff --git a/doc/source/developer-notes/V-38455.rst b/doc/source/developer-notes/V-38455.rst
index cda66372..6e7733fd 100644
--- a/doc/source/developer-notes/V-38455.rst
+++ b/doc/source/developer-notes/V-38455.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Configuring another mount for ``/tmp`` can disrupt a running system and this
diff --git a/doc/source/developer-notes/V-38456.rst b/doc/source/developer-notes/V-38456.rst
index 48e8b621..fce916fe 100644
--- a/doc/source/developer-notes/V-38456.rst
+++ b/doc/source/developer-notes/V-38456.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Configuring another mount for ``/var`` can disrupt a running system and this
diff --git a/doc/source/developer-notes/V-38457.rst b/doc/source/developer-notes/V-38457.rst
index 551c5fb9..76d83a9e 100644
--- a/doc/source/developer-notes/V-38457.rst
+++ b/doc/source/developer-notes/V-38457.rst
@@ -1,3 +1 @@
-:orphan:
-
 The permissions for ``/etc/passwd`` will be set to ``0644``.
diff --git a/doc/source/developer-notes/V-38458.rst b/doc/source/developer-notes/V-38458.rst
index 3bfc42ea..8711a5d5 100644
--- a/doc/source/developer-notes/V-38458.rst
+++ b/doc/source/developer-notes/V-38458.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The Ansible task will ensure that the ``/etc/group`` file is owned by the root user.
diff --git a/doc/source/developer-notes/V-38459.rst b/doc/source/developer-notes/V-38459.rst
index 7bab0d18..be36c3d4 100644
--- a/doc/source/developer-notes/V-38459.rst
+++ b/doc/source/developer-notes/V-38459.rst
@@ -1,3 +1 @@
-:orphan:
-
-The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
\ No newline at end of file
+The tasks in file_perms.yml will ensure that ``/etc/group`` is owned by the root account.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38460.rst b/doc/source/developer-notes/V-38460.rst
index 39bd2076..3333843d 100644
--- a/doc/source/developer-notes/V-38460.rst
+++ b/doc/source/developer-notes/V-38460.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is present). If found, a warning message will be printed. No configuration changes will be made since neither Ubuntu or openstack-ansible configures
diff --git a/doc/source/developer-notes/V-38461.rst b/doc/source/developer-notes/V-38461.rst
index 9b26cce4..b10c0988 100644
--- a/doc/source/developer-notes/V-38461.rst
+++ b/doc/source/developer-notes/V-38461.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible task will ensure that it is current set to those permissions.
diff --git a/doc/source/developer-notes/V-38462.rst b/doc/source/developer-notes/V-38462.rst
index 1e83ded6..13834fd1 100644
--- a/doc/source/developer-notes/V-38462.rst
+++ b/doc/source/developer-notes/V-38462.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu checks packages against GPG signatures by default. It can be turned off for all package installations by a setting in /etc/apt/apt.conf.d/ and we search for that in the Ansible task. A warning is printed if the
diff --git a/doc/source/developer-notes/V-38463.rst b/doc/source/developer-notes/V-38463.rst
index 5b8c6f3f..91a1a032 100644
--- a/doc/source/developer-notes/V-38463.rst
+++ b/doc/source/developer-notes/V-38463.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Configuring a separate partition for ``/var/log`` is currently left up to the
diff --git a/doc/source/developer-notes/V-38464.rst b/doc/source/developer-notes/V-38464.rst
index c5130997..8bc9bcc5 100644
--- a/doc/source/developer-notes/V-38464.rst
+++ b/doc/source/developer-notes/V-38464.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu's default for ``disk_error_action`` is ``SUSPEND``, which actually only suspends audit logging. That could be a security issue, so ``SYSLOG`` is recommended and is set by default by openstack-ansible-security. There
diff --git a/doc/source/developer-notes/V-38465.rst b/doc/source/developer-notes/V-38465.rst
index 8373c01c..0afc2ad4 100644
--- a/doc/source/developer-notes/V-38465.rst
+++ b/doc/source/developer-notes/V-38465.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Ubuntu 14.04 sets library files to have ``0755`` (or more restrictive)
diff --git a/doc/source/developer-notes/V-38466.rst b/doc/source/developer-notes/V-38466.rst
index 2e3bbb17..972ecdde 100644
--- a/doc/source/developer-notes/V-38466.rst
+++ b/doc/source/developer-notes/V-38466.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** As with V-38465, Ubuntu sets the ownership of library files to root by
diff --git a/doc/source/developer-notes/V-38467.rst b/doc/source/developer-notes/V-38467.rst
index f36078aa..88931522 100644
--- a/doc/source/developer-notes/V-38467.rst
+++ b/doc/source/developer-notes/V-38467.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Storing audit logs on a separate partition is recommended, but this change
diff --git a/doc/source/developer-notes/V-38468.rst b/doc/source/developer-notes/V-38468.rst
index e57b4b67..01348435 100644
--- a/doc/source/developer-notes/V-38468.rst
+++ b/doc/source/developer-notes/V-38468.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu's default for ``disk_full_action`` is ``SUSPEND``, which actually only suspends audit logging. That could be a security issue, so ``SYSLOG`` is recommended and is set by default by openstack-ansible-security. If syslog
diff --git a/doc/source/developer-notes/V-38469.rst b/doc/source/developer-notes/V-38469.rst
index 9e72e7b3..36e64026 100644
--- a/doc/source/developer-notes/V-38469.rst
+++ b/doc/source/developer-notes/V-38469.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Ubuntu sets the permissions for system commands to ``0755`` or less already.
diff --git a/doc/source/developer-notes/V-38470.rst b/doc/source/developer-notes/V-38470.rst
index d6424406..01e7d202 100644
--- a/doc/source/developer-notes/V-38470.rst
+++ b/doc/source/developer-notes/V-38470.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu's default for ``space_left_action`` is ``SUSPEND``, which actually only suspends audit logging. That could be a security issue, so ``SYSLOG`` is recommended and is set by default by openstack-ansible-security. If syslog
diff --git a/doc/source/developer-notes/V-38471.rst b/doc/source/developer-notes/V-38471.rst
index 9778b36a..64c61b21 100644
--- a/doc/source/developer-notes/V-38471.rst
+++ b/doc/source/developer-notes/V-38471.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 An Ansible task will adjust ``active`` from `no` to `yes` in ``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to syslog automatically. The auditd daemon will be restarted if the configuration
diff --git a/doc/source/developer-notes/V-38472.rst b/doc/source/developer-notes/V-38472.rst
index 3c3015f3..ab8da360 100644
--- a/doc/source/developer-notes/V-38472.rst
+++ b/doc/source/developer-notes/V-38472.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Ubuntu sets system commands to be owned by root by default Deployers are
diff --git a/doc/source/developer-notes/V-38473.rst b/doc/source/developer-notes/V-38473.rst
index 6dd26495..10f99698 100644
--- a/doc/source/developer-notes/V-38473.rst
+++ b/doc/source/developer-notes/V-38473.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Creating ``/home`` on a different partition is highly recommended but it is
diff --git a/doc/source/developer-notes/V-38474.rst b/doc/source/developer-notes/V-38474.rst
index 3cdbc7ac..e6e70aff 100644
--- a/doc/source/developer-notes/V-38474.rst
+++ b/doc/source/developer-notes/V-38474.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** The openstack-ansible roles don't install X by default, so there is no
diff --git a/doc/source/developer-notes/V-38475.rst b/doc/source/developer-notes/V-38475.rst
index a607f9d1..2a5dc965 100644
--- a/doc/source/developer-notes/V-38475.rst
+++ b/doc/source/developer-notes/V-38475.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Configuration required**
 
 Ubuntu 14.04 does not set a password length requirement by default. The STIG
diff --git a/doc/source/developer-notes/V-38476.rst b/doc/source/developer-notes/V-38476.rst
index db1542c0..26f82492 100644
--- a/doc/source/developer-notes/V-38476.rst
+++ b/doc/source/developer-notes/V-38476.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG talks about yum having the RHN GPG keys installed, but this requirement has been adapted to check for the Ubuntu signing keys normally present in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38477.rst b/doc/source/developer-notes/V-38477.rst
index 46c9b44e..7df792fa 100644
--- a/doc/source/developer-notes/V-38477.rst
+++ b/doc/source/developer-notes/V-38477.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Configuration required**
 
 Ubuntu doesn't set a limitation on how frequently uses can change passwords.
diff --git a/doc/source/developer-notes/V-38478.rst b/doc/source/developer-notes/V-38478.rst
index 3b5bcfe0..84e8ee7d 100644
--- a/doc/source/developer-notes/V-38478.rst
+++ b/doc/source/developer-notes/V-38478.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Ubuntu doesn't use the Red Hat Network Service, so this requirement doesn't
diff --git a/doc/source/developer-notes/V-38479.rst b/doc/source/developer-notes/V-38479.rst
index 29e04e96..16d75124 100644
--- a/doc/source/developer-notes/V-38479.rst
+++ b/doc/source/developer-notes/V-38479.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Configuration required**
 
 Ubuntu doesn't set a limitation on the age of passwords.
diff --git a/doc/source/developer-notes/V-38480.rst b/doc/source/developer-notes/V-38480.rst
index 0272e1bb..3ad15a57 100644
--- a/doc/source/developer-notes/V-38480.rst
+++ b/doc/source/developer-notes/V-38480.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Configuration required**
 
 After enabling password age limits in V-38479, be sure to configure
diff --git a/doc/source/developer-notes/V-38481.rst b/doc/source/developer-notes/V-38481.rst
index c20ef5a0..a4bf072e 100644
--- a/doc/source/developer-notes/V-38481.rst
+++ b/doc/source/developer-notes/V-38481.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Operating system patching is left up to the deployer to configure based on
diff --git a/doc/source/developer-notes/V-38482.rst b/doc/source/developer-notes/V-38482.rst
index 26da8df7..344697e5 100644
--- a/doc/source/developer-notes/V-38482.rst
+++ b/doc/source/developer-notes/V-38482.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Password complexity requirements are left up to the deployer. Deployers are
diff --git a/doc/source/developer-notes/V-38483.rst b/doc/source/developer-notes/V-38483.rst
index 2b02a24e..071c1b7e 100644
--- a/doc/source/developer-notes/V-38483.rst
+++ b/doc/source/developer-notes/V-38483.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task for V-38462 already checks for apt configurations that would disable any GPG checks when installing packages. However, it's possible for the root user to override these configurations via command line parameters.
diff --git a/doc/source/developer-notes/V-38484.rst b/doc/source/developer-notes/V-38484.rst
index 7dcae3bb..ad9eb08c 100644
--- a/doc/source/developer-notes/V-38484.rst
+++ b/doc/source/developer-notes/V-38484.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu 14.04 already enables the display of the last successful login for a user immediately after login. An Ansible task ensures this setting is applied and restarts the ssh daemon if necessary.
diff --git a/doc/source/developer-notes/V-38486.rst b/doc/source/developer-notes/V-38486.rst
index cf2e8dcb..df0448e0 100644
--- a/doc/source/developer-notes/V-38486.rst
+++ b/doc/source/developer-notes/V-38486.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 System backups are left to the deployer to configure. Deployers are stringly
diff --git a/doc/source/developer-notes/V-38487.rst b/doc/source/developer-notes/V-38487.rst
index 2b02a24e..071c1b7e 100644
--- a/doc/source/developer-notes/V-38487.rst
+++ b/doc/source/developer-notes/V-38487.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task for V-38462 already checks for apt configurations that would disable any GPG checks when installing packages. However, it's possible for the root user to override these configurations via command line parameters.
diff --git a/doc/source/developer-notes/V-38488.rst b/doc/source/developer-notes/V-38488.rst
index cf2e8dcb..df0448e0 100644
--- a/doc/source/developer-notes/V-38488.rst
+++ b/doc/source/developer-notes/V-38488.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 System backups are left to the deployer to configure. Deployers are stringly
diff --git a/doc/source/developer-notes/V-38489.rst b/doc/source/developer-notes/V-38489.rst
index 7575c5b8..cf8d9110 100644
--- a/doc/source/developer-notes/V-38489.rst
+++ b/doc/source/developer-notes/V-38489.rst
@@ -1,3 +1 @@
-:orphan:
-
 The ``aide`` package will be installed by Ansible tasks.
diff --git a/doc/source/developer-notes/V-38490.rst b/doc/source/developer-notes/V-38490.rst
index 49fd8581..db1bb537 100644
--- a/doc/source/developer-notes/V-38490.rst
+++ b/doc/source/developer-notes/V-38490.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Disabling the ``usb-storage`` module can add extra security, but it's not
diff --git a/doc/source/developer-notes/V-38491.rst b/doc/source/developer-notes/V-38491.rst
index 1f95aed2..bdaf6189 100644
--- a/doc/source/developer-notes/V-38491.rst
+++ b/doc/source/developer-notes/V-38491.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task will check for the presence of ``/etc/hosts.equiv`` and ``/root/.rhosts``. Both of those files could potentially be used with ``rsh`` for host access, but ``rshd`` is not installed by default with Ubuntu 14.04
diff --git a/doc/source/developer-notes/V-38492.rst b/doc/source/developer-notes/V-38492.rst
index db8f6ab3..9e10f5ee 100644
--- a/doc/source/developer-notes/V-38492.rst
+++ b/doc/source/developer-notes/V-38492.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The virtual consoles mentioned in V-38492 aren't used in Ubuntu 14.04 by default.
diff --git a/doc/source/developer-notes/V-38493.rst b/doc/source/developer-notes/V-38493.rst
index cb025394..084043b1 100644
--- a/doc/source/developer-notes/V-38493.rst
+++ b/doc/source/developer-notes/V-38493.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu 14.04 sets the mode of ``/var/log/audit/`` to ``0750`` by default. The Ansible task for this requirement ensures that the mode is ``0750`` (which is more strict than the STIG requirement).
diff --git a/doc/source/developer-notes/V-38494.rst b/doc/source/developer-notes/V-38494.rst
index 52f28b84..092a8113 100644
--- a/doc/source/developer-notes/V-38494.rst
+++ b/doc/source/developer-notes/V-38494.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Removing serial consoles from ``/etc/securetty`` can make troubleshooting
diff --git a/doc/source/developer-notes/V-38495.rst b/doc/source/developer-notes/V-38495.rst
index 59cafd9f..f6c42e3a 100644
--- a/doc/source/developer-notes/V-38495.rst
+++ b/doc/source/developer-notes/V-38495.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The Ansible tasks will ensure that files in ``/var/log/audit`` are owned by the root user.
diff --git a/doc/source/developer-notes/V-38496.rst b/doc/source/developer-notes/V-38496.rst
index 366d3720..27275b4d 100644
--- a/doc/source/developer-notes/V-38496.rst
+++ b/doc/source/developer-notes/V-38496.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The Ansible tasks will check for default system accounts (other than root)
diff --git a/doc/source/developer-notes/V-38497.rst b/doc/source/developer-notes/V-38497.rst
index 3e0e2f3f..813f4b2d 100644
--- a/doc/source/developer-notes/V-38497.rst
+++ b/doc/source/developer-notes/V-38497.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.
diff --git a/doc/source/developer-notes/V-38498.rst b/doc/source/developer-notes/V-38498.rst
index f031112f..50961e5c 100644
--- a/doc/source/developer-notes/V-38498.rst
+++ b/doc/source/developer-notes/V-38498.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu and CentOS set the current audit log (the one that is actively being written to) to ``0600`` so that only the root user can read and write to it. The older, rotated logs are set to ``0400`` since they should not receive
diff --git a/doc/source/developer-notes/V-38499.rst b/doc/source/developer-notes/V-38499.rst
index 6b50a8d2..00a1219d 100644
--- a/doc/source/developer-notes/V-38499.rst
+++ b/doc/source/developer-notes/V-38499.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The Ansible task will search for password hashes in ``/etc/passwd`` using awk and report a failure if any are found.
diff --git a/doc/source/developer-notes/V-38500.rst b/doc/source/developer-notes/V-38500.rst
index 0dc642c0..3e39edc5 100644
--- a/doc/source/developer-notes/V-38500.rst
+++ b/doc/source/developer-notes/V-38500.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0 that aren't the normal root account. If any matching accounts are found, a warning is printed to stdout and the Ansible play will fail.
diff --git a/doc/source/developer-notes/V-38501.rst b/doc/source/developer-notes/V-38501.rst
index e2858fdd..8dbfbe52 100644
--- a/doc/source/developer-notes/V-38501.rst
+++ b/doc/source/developer-notes/V-38501.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception and opt-in alternative**
 
 Adjusting PAM configurations is very risky since it affects how all users
diff --git a/doc/source/developer-notes/V-38502.rst b/doc/source/developer-notes/V-38502.rst
index 050af627..98f129f5 100644
--- a/doc/source/developer-notes/V-38502.rst
+++ b/doc/source/developer-notes/V-38502.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by default. The Ansible task will ensure that the default is maintained.
diff --git a/doc/source/developer-notes/V-38503.rst b/doc/source/developer-notes/V-38503.rst
index 050af627..98f129f5 100644
--- a/doc/source/developer-notes/V-38503.rst
+++ b/doc/source/developer-notes/V-38503.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by default. The Ansible task will ensure that the default is maintained.
diff --git a/doc/source/developer-notes/V-38504.rst b/doc/source/developer-notes/V-38504.rst
index 942aab18..e1451c45 100644
--- a/doc/source/developer-notes/V-38504.rst
+++ b/doc/source/developer-notes/V-38504.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG requires a mode of ``0000``. This doesn't affect how the system operates since root is the only user that should be able to read from and write to
diff --git a/doc/source/developer-notes/V-38511.rst b/doc/source/developer-notes/V-38511.rst
index 4ce92139..7e872ff9 100644
--- a/doc/source/developer-notes/V-38511.rst
+++ b/doc/source/developer-notes/V-38511.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Special Case**
 
 Running virtual infrastructure requires IP forwarding to be enabled on various
diff --git a/doc/source/developer-notes/V-38512.rst b/doc/source/developer-notes/V-38512.rst
index 699bd767..63471791 100644
--- a/doc/source/developer-notes/V-38512.rst
+++ b/doc/source/developer-notes/V-38512.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Although a minimal set of iptables rules are configured on openstack-ansible
diff --git a/doc/source/developer-notes/V-38514.rst b/doc/source/developer-notes/V-38514.rst
index 0f5e9a6f..7d4718d3 100644
--- a/doc/source/developer-notes/V-38514.rst
+++ b/doc/source/developer-notes/V-38514.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not needed. Neither Ubuntu 14.04 or openstack-ansible utilizes this kernel module and the Ansible tasks will disable it by default.
diff --git a/doc/source/developer-notes/V-38515.rst b/doc/source/developer-notes/V-38515.rst
index 90b9d5b7..0201988e 100644
--- a/doc/source/developer-notes/V-38515.rst
+++ b/doc/source/developer-notes/V-38515.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Stream Control Transmission Protocol (SCTP) must be disabled. This module isn't used by Ubuntu 14.04 or openstack-ansible by default.
diff --git a/doc/source/developer-notes/V-38516.rst b/doc/source/developer-notes/V-38516.rst
index 4e848611..01aa7ced 100644
--- a/doc/source/developer-notes/V-38516.rst
+++ b/doc/source/developer-notes/V-38516.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by default, so the Ansible tasks in this role will disable the module.
diff --git a/doc/source/developer-notes/V-38517.rst b/doc/source/developer-notes/V-38517.rst
index a3e040cd..966589dc 100644
--- a/doc/source/developer-notes/V-38517.rst
+++ b/doc/source/developer-notes/V-38517.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The `Transparent Inter-Process Communication (TIPC)`_ protocol must be disabled. Neither Ubuntu 14.04 or openstack-ansible enables this module by default, so the Ansible tasks in this role will disable the module.
diff --git a/doc/source/developer-notes/V-38518.rst b/doc/source/developer-notes/V-38518.rst
index d4810bc7..1d3fce1a 100644
--- a/doc/source/developer-notes/V-38518.rst
+++ b/doc/source/developer-notes/V-38518.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Different systems may have different log files populated depending on the type
diff --git a/doc/source/developer-notes/V-38520.rst b/doc/source/developer-notes/V-38520.rst
index 6195a58b..b4be545e 100644
--- a/doc/source/developer-notes/V-38520.rst
+++ b/doc/source/developer-notes/V-38520.rst
@@ -1,8 +1,6 @@
-:orphan:
-
 **Exception**
 
-At the moment, openstack-ansible already sends logs to the rsyslog container
+At the moment, OpenStack-Ansible already sends logs to the rsyslog container
 from various containers and hosts. However, deployers are strongly urged to forward these logs to a system outside their openstack-ansible environment to ensure that they cannot be altered.
diff --git a/doc/source/developer-notes/V-38522.rst b/doc/source/developer-notes/V-38522.rst
index da203e12..1fb1e67a 100644
--- a/doc/source/developer-notes/V-38522.rst
+++ b/doc/source/developer-notes/V-38522.rst
@@ -1,3 +1 @@
-:orphan:
-
 Rules are added for auditing changes to system time made via ``settimeofday``.
diff --git a/doc/source/developer-notes/V-38523.rst b/doc/source/developer-notes/V-38523.rst
index b0159266..3c57bba8 100644
--- a/doc/source/developer-notes/V-38523.rst
+++ b/doc/source/developer-notes/V-38523.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The STIG makes several requirements for IPv4 network restrictions, but these
diff --git a/doc/source/developer-notes/V-38525.rst b/doc/source/developer-notes/V-38525.rst
index f42d77b8..eb832856 100644
--- a/doc/source/developer-notes/V-38525.rst
+++ b/doc/source/developer-notes/V-38525.rst
@@ -1,3 +1 @@
-:orphan:
-
 Rules are added for auditing changes to system time done via ``stime``.
diff --git a/doc/source/developer-notes/V-38527.rst b/doc/source/developer-notes/V-38527.rst
index 7ddbc617..26fb737f 100644
--- a/doc/source/developer-notes/V-38527.rst
+++ b/doc/source/developer-notes/V-38527.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing changes to system time done via ``clock_settime``.
diff --git a/doc/source/developer-notes/V-38528.rst b/doc/source/developer-notes/V-38528.rst
index 5a3b5978..83b0df9d 100644
--- a/doc/source/developer-notes/V-38528.rst
+++ b/doc/source/developer-notes/V-38528.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task in this role will ensure that martian packets are logged to rsyslog. Wikpedia's article on `martian packets`_ provides additional information.
diff --git a/doc/source/developer-notes/V-38530.rst b/doc/source/developer-notes/V-38530.rst
index 610ee858..3c3b37c9 100644
--- a/doc/source/developer-notes/V-38530.rst
+++ b/doc/source/developer-notes/V-38530.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added to auditd to log all attempts to change the system time using ``/etc/localtime``.
diff --git a/doc/source/developer-notes/V-38531.rst b/doc/source/developer-notes/V-38531.rst
index 6db9f968..c3ef2294 100644
--- a/doc/source/developer-notes/V-38531.rst
+++ b/doc/source/developer-notes/V-38531.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38534.rst b/doc/source/developer-notes/V-38534.rst
index bcb8cb13..7a16b83c 100644
--- a/doc/source/developer-notes/V-38534.rst
+++ b/doc/source/developer-notes/V-38534.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Audit rules are added in a task so that any events associated with account modifications are logged. The new audit rule will be loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38535.rst b/doc/source/developer-notes/V-38535.rst
index 67c035f4..fd9273bf 100644
--- a/doc/source/developer-notes/V-38535.rst
+++ b/doc/source/developer-notes/V-38535.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address. The Ansible tasks for this STIG configuration ensures that the secure default setting is maintained.
diff --git a/doc/source/developer-notes/V-38536.rst b/doc/source/developer-notes/V-38536.rst
index 6db9f968..c3ef2294 100644
--- a/doc/source/developer-notes/V-38536.rst
+++ b/doc/source/developer-notes/V-38536.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38537.rst b/doc/source/developer-notes/V-38537.rst
index 82d4ffcc..beea151d 100644
--- a/doc/source/developer-notes/V-38537.rst
+++ b/doc/source/developer-notes/V-38537.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu already ignores ICMPv4 bogus error messages by default. The role will ensure that this default setting is maintained.
diff --git a/doc/source/developer-notes/V-38538.rst b/doc/source/developer-notes/V-38538.rst
index 6db9f968..c3ef2294 100644
--- a/doc/source/developer-notes/V-38538.rst
+++ b/doc/source/developer-notes/V-38538.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules from V-38534 already cover all account modifications.
diff --git a/doc/source/developer-notes/V-38539.rst b/doc/source/developer-notes/V-38539.rst
index 120f8601..bc97ce98 100644
--- a/doc/source/developer-notes/V-38539.rst
+++ b/doc/source/developer-notes/V-38539.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods. Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure that the default is maintained.
diff --git a/doc/source/developer-notes/V-38540.rst b/doc/source/developer-notes/V-38540.rst
index e309b827..6a356ed1 100644
--- a/doc/source/developer-notes/V-38540.rst
+++ b/doc/source/developer-notes/V-38540.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Rules are added for auditing network configuration changes. The path to Ubuntu's standard network configuration location has replaced the path to Red Hat's default network configuration location.
diff --git a/doc/source/developer-notes/V-38541.rst b/doc/source/developer-notes/V-38541.rst
index 723cdf3c..2b070433 100644
--- a/doc/source/developer-notes/V-38541.rst
+++ b/doc/source/developer-notes/V-38541.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The RHEL 6 STIG requires that changes to SELinux policies and configuration are audited. However, Ubuntu's preference for Mandatory Access Control (MAC) is AppArmor and openstack-ansible configures AppArmor by default.
diff --git a/doc/source/developer-notes/V-38543.rst b/doc/source/developer-notes/V-38543.rst
index 90b98cb8..17fe6b19 100644
--- a/doc/source/developer-notes/V-38543.rst
+++ b/doc/source/developer-notes/V-38543.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
diff --git a/doc/source/developer-notes/V-38545.rst b/doc/source/developer-notes/V-38545.rst
index 11583754..ec742e13 100644
--- a/doc/source/developer-notes/V-38545.rst
+++ b/doc/source/developer-notes/V-38545.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditd to log discretionary access control permission changes done with chown.
diff --git a/doc/source/developer-notes/V-38546.rst b/doc/source/developer-notes/V-38546.rst
index 2cfeb9c0..3776d343 100644
--- a/doc/source/developer-notes/V-38546.rst
+++ b/doc/source/developer-notes/V-38546.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Opt-in required**
 
 The STIG requires IPv6 to be disabled system-wide unless it is needed for the
diff --git a/doc/source/developer-notes/V-38548.rst b/doc/source/developer-notes/V-38548.rst
index ea62a652..27b4567a 100644
--- a/doc/source/developer-notes/V-38548.rst
+++ b/doc/source/developer-notes/V-38548.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Disabling IPv6 redirects can cause issues with OpenStack environments which
diff --git a/doc/source/developer-notes/V-38549.rst b/doc/source/developer-notes/V-38549.rst
index 3b1246fe..737ff656 100644
--- a/doc/source/developer-notes/V-38549.rst
+++ b/doc/source/developer-notes/V-38549.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/developer-notes/V-38551.rst b/doc/source/developer-notes/V-38551.rst
index 59670d0e..031ababd 100644
--- a/doc/source/developer-notes/V-38551.rst
+++ b/doc/source/developer-notes/V-38551.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Filtering IPv6 traffic is left up to the deployer to implement. The
diff --git a/doc/source/developer-notes/V-38552.rst b/doc/source/developer-notes/V-38552.rst
index db4ba9bf..363ed3ab 100644
--- a/doc/source/developer-notes/V-38552.rst
+++ b/doc/source/developer-notes/V-38552.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made by fchown.
diff --git a/doc/source/developer-notes/V-38554.rst b/doc/source/developer-notes/V-38554.rst
index 535d5563..14c0ac2b 100644
--- a/doc/source/developer-notes/V-38554.rst
+++ b/doc/source/developer-notes/V-38554.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made by fchownat.
diff --git a/doc/source/developer-notes/V-38555.rst b/doc/source/developer-notes/V-38555.rst
index ce221d5d..1ecb440d 100644
--- a/doc/source/developer-notes/V-38555.rst
+++ b/doc/source/developer-notes/V-38555.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to
diff --git a/doc/source/developer-notes/V-38556.rst b/doc/source/developer-notes/V-38556.rst
index 058bdf3d..0f01a145 100644
--- a/doc/source/developer-notes/V-38556.rst
+++ b/doc/source/developer-notes/V-38556.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made
-by fremovexattr.
+by ``fremovexattr``.
diff --git a/doc/source/developer-notes/V-38557.rst b/doc/source/developer-notes/V-38557.rst
index 46563611..723f4466 100644
--- a/doc/source/developer-notes/V-38557.rst
+++ b/doc/source/developer-notes/V-38557.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made via ``fsetxattr``.
diff --git a/doc/source/developer-notes/V-38558.rst b/doc/source/developer-notes/V-38558.rst
index 389bba6e..e58996c9 100644
--- a/doc/source/developer-notes/V-38558.rst
+++ b/doc/source/developer-notes/V-38558.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made via ``lchown``.
diff --git a/doc/source/developer-notes/V-38559.rst b/doc/source/developer-notes/V-38559.rst
index 3a929dd7..540899ed 100644
--- a/doc/source/developer-notes/V-38559.rst
+++ b/doc/source/developer-notes/V-38559.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules are added for auditing discretionary access control changes made via ``lremovexattr``.
diff --git a/doc/source/developer-notes/V-38561.rst b/doc/source/developer-notes/V-38561.rst
index 792373d7..62d92c26 100644
--- a/doc/source/developer-notes/V-38561.rst
+++ b/doc/source/developer-notes/V-38561.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Rules are added to auditd to log all DAC modifications using `lsetxattr`_. .. _lsetxattr: http://linux.die.net/man/2/lsetxattr
diff --git a/doc/source/developer-notes/V-38563.rst b/doc/source/developer-notes/V-38563.rst
index fa8bd24f..09642b61 100644
--- a/doc/source/developer-notes/V-38563.rst
+++ b/doc/source/developer-notes/V-38563.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Audit rules are added in a task so that any events associated with the discretionary access controls (DAC) permission modifications are logged. The new audit rule will be loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38565.rst b/doc/source/developer-notes/V-38565.rst
index deb1ac10..6e6694f5 100644
--- a/doc/source/developer-notes/V-38565.rst
+++ b/doc/source/developer-notes/V-38565.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Rules are added so that all permission modifications made via `setxattr`_ are logged.
diff --git a/doc/source/developer-notes/V-38566.rst b/doc/source/developer-notes/V-38566.rst
index 67da3007..d5e927d0 100644
--- a/doc/source/developer-notes/V-38566.rst
+++ b/doc/source/developer-notes/V-38566.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules for logging failed access attempts can generate significant
diff --git a/doc/source/developer-notes/V-38567.rst b/doc/source/developer-notes/V-38567.rst
index b8d449d8..7b598281 100644
--- a/doc/source/developer-notes/V-38567.rst
+++ b/doc/source/developer-notes/V-38567.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Keeping the list of setuid/setgid applications up to date and adding the paths
diff --git a/doc/source/developer-notes/V-38568.rst b/doc/source/developer-notes/V-38568.rst
index 62c090e2..6b50b462 100644
--- a/doc/source/developer-notes/V-38568.rst
+++ b/doc/source/developer-notes/V-38568.rst
@@ -1,3 +1 @@
-:orphan:
-
 Rules are added for auditd to log successful filesystem mounts.
diff --git a/doc/source/developer-notes/V-38574.rst b/doc/source/developer-notes/V-38574.rst
index fe534fd9..877dad22 100644
--- a/doc/source/developer-notes/V-38574.rst
+++ b/doc/source/developer-notes/V-38574.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the default in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38575.rst b/doc/source/developer-notes/V-38575.rst
index 43f241b4..cdf6866e 100644
--- a/doc/source/developer-notes/V-38575.rst
+++ b/doc/source/developer-notes/V-38575.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 The audit rules for monitoring deleted files can cause very high system load
diff --git a/doc/source/developer-notes/V-38576.rst b/doc/source/developer-notes/V-38576.rst
index 927e8c7d..fd72d720 100644
--- a/doc/source/developer-notes/V-38576.rst
+++ b/doc/source/developer-notes/V-38576.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the default in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38577.rst b/doc/source/developer-notes/V-38577.rst
index 598c08c2..7adb97f8 100644
--- a/doc/source/developer-notes/V-38577.rst
+++ b/doc/source/developer-notes/V-38577.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires SHA512 to be used for hashing password since it is in the list of FIPS 140-2 approved hashing algorithms. This is also the default in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38578.rst b/doc/source/developer-notes/V-38578.rst
index e8588c21..4e89e176 100644
--- a/doc/source/developer-notes/V-38578.rst
+++ b/doc/source/developer-notes/V-38578.rst
@@ -1,3 +1 @@
-:orphan:
-
 Rules are added to audit changes to ``/etc/sudoers``.
diff --git a/doc/source/developer-notes/V-38579.rst b/doc/source/developer-notes/V-38579.rst
index 09830253..ac733bcd 100644
--- a/doc/source/developer-notes/V-38579.rst
+++ b/doc/source/developer-notes/V-38579.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu 14.04 sets the ownership on ``/boot/grub/grub.cfg`` to root by default. The Ansible task will ensure that the secure default is maintained.
diff --git a/doc/source/developer-notes/V-38580.rst b/doc/source/developer-notes/V-38580.rst
index 78f6f31e..e1f619f4 100644
--- a/doc/source/developer-notes/V-38580.rst
+++ b/doc/source/developer-notes/V-38580.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Rules will be added to auditd so that any kernel module loading or unloading events will be logged.
diff --git a/doc/source/developer-notes/V-38581.rst b/doc/source/developer-notes/V-38581.rst
index 5838ef3e..f602bf2d 100644
--- a/doc/source/developer-notes/V-38581.rst
+++ b/doc/source/developer-notes/V-38581.rst
@@ -1,3 +1 @@
-:orphan:
-
 The group ownership for ``/boot/grub/grub.cfg`` will be set to `root`.
diff --git a/doc/source/developer-notes/V-38582.rst b/doc/source/developer-notes/V-38582.rst
index 1761ae6b..6a133b18 100644
--- a/doc/source/developer-notes/V-38582.rst
+++ b/doc/source/developer-notes/V-38582.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 If the ``xinetd`` package is installed, it will be stopped immediately and will not start on the next boot. No action is taken if xinetd isn't installed.
diff --git a/doc/source/developer-notes/V-38583.rst b/doc/source/developer-notes/V-38583.rst
index d8beab7f..e36b6259 100644
--- a/doc/source/developer-notes/V-38583.rst
+++ b/doc/source/developer-notes/V-38583.rst
@@ -1,3 +1 @@
-:orphan:
-
 The permissions on ``/boot/grub/grub.cfg`` will be set to ``0644``.
diff --git a/doc/source/developer-notes/V-38584.rst b/doc/source/developer-notes/V-38584.rst
index 764802d7..c1fb4d40 100644
--- a/doc/source/developer-notes/V-38584.rst
+++ b/doc/source/developer-notes/V-38584.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``xinetd`` service will be removed by the Ansible tasks, if it is installed. To opt-out of this change, adjust the following variable to ``no``:
diff --git a/doc/source/developer-notes/V-38585.rst b/doc/source/developer-notes/V-38585.rst
index ea419851..a741c460 100644
--- a/doc/source/developer-notes/V-38585.rst
+++ b/doc/source/developer-notes/V-38585.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Configuring a password for the bootloader is left up to the deployer to
diff --git a/doc/source/developer-notes/V-38586.rst b/doc/source/developer-notes/V-38586.rst
index c396e9d0..be76e902 100644
--- a/doc/source/developer-notes/V-38586.rst
+++ b/doc/source/developer-notes/V-38586.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 As with V-38585, this is left to the deployer to configure bassed on their
diff --git a/doc/source/developer-notes/V-38587.rst b/doc/source/developer-notes/V-38587.rst
index a69ec715..7e38b1d2 100644
--- a/doc/source/developer-notes/V-38587.rst
+++ b/doc/source/developer-notes/V-38587.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``telnetd`` service will be removed by the Ansible tasks, if it is installed. To opt-out of this change, adjust the following variable to ``no``:
diff --git a/doc/source/developer-notes/V-38588.rst b/doc/source/developer-notes/V-38588.rst
index fe849790..029f79e5 100644
--- a/doc/source/developer-notes/V-38588.rst
+++ b/doc/source/developer-notes/V-38588.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 As with V-38585, this configuration is left up to the deployer to determine
diff --git a/doc/source/developer-notes/V-38589.rst b/doc/source/developer-notes/V-38589.rst
index 5f3222fe..831113d1 100644
--- a/doc/source/developer-notes/V-38589.rst
+++ b/doc/source/developer-notes/V-38589.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG**
 
 Neither Ubuntu or openstack-ansible installs the telnet daemon by default.
diff --git a/doc/source/developer-notes/V-38590.rst b/doc/source/developer-notes/V-38590.rst
index 4674d5a8..4662bf00 100644
--- a/doc/source/developer-notes/V-38590.rst
+++ b/doc/source/developer-notes/V-38590.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 While providing text screen locking does add additional security, deployers
diff --git a/doc/source/developer-notes/V-38591.rst b/doc/source/developer-notes/V-38591.rst
index c0defa49..2af37d86 100644
--- a/doc/source/developer-notes/V-38591.rst
+++ b/doc/source/developer-notes/V-38591.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``rshd`` service will be removed by the Ansible tasks, if it is installed. To opt-out of this change, adjust the following variable to ``no``:
diff --git a/doc/source/developer-notes/V-38592.rst b/doc/source/developer-notes/V-38592.rst
index 88aa1f48..0ec38280 100644
--- a/doc/source/developer-notes/V-38592.rst
+++ b/doc/source/developer-notes/V-38592.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception**
 
 Adjusting PAM configurations on a running system carries a fair amount of risk,
diff --git a/doc/source/developer-notes/V-38593.rst b/doc/source/developer-notes/V-38593.rst
index 22bc8845..bd1a290a 100644
--- a/doc/source/developer-notes/V-38593.rst
+++ b/doc/source/developer-notes/V-38593.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 A default warning banner will replace the contents of ``/etc/issue.net``. To configure the banner, simply edit ``files/login_banner.txt``.
diff --git a/doc/source/developer-notes/V-38594.rst b/doc/source/developer-notes/V-38594.rst
index 9d779bf3..57e448a3 100644
--- a/doc/source/developer-notes/V-38594.rst
+++ b/doc/source/developer-notes/V-38594.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** Neither Ubuntu or openstack-ansible installs the rsh daemon by default.
diff --git a/doc/source/developer-notes/V-38595.rst b/doc/source/developer-notes/V-38595.rst
index e539d99b..bd257e6a 100644
--- a/doc/source/developer-notes/V-38595.rst
+++ b/doc/source/developer-notes/V-38595.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Use of additional factors for authentication is left up to the deployer, but
diff --git a/doc/source/developer-notes/V-38596.rst b/doc/source/developer-notes/V-38596.rst
index 91965cf4..e2ff4dc1 100644
--- a/doc/source/developer-notes/V-38596.rst
+++ b/doc/source/developer-notes/V-38596.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will set ``kernel.randomize_va_space=2`` immediately and will also ensure that the setting is applied on the next boot. This setting is currently the default in Ubuntu 14.04.
diff --git a/doc/source/developer-notes/V-38597.rst b/doc/source/developer-notes/V-38597.rst
index 3ba430a1..b72fd4e4 100644
--- a/doc/source/developer-notes/V-38597.rst
+++ b/doc/source/developer-notes/V-38597.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although Red Hat kernels provide ExecShield, Ubuntu provides Non-Executable Memory (NX) support and it is enabled by default. There's not an option to enable or disable it.
diff --git a/doc/source/developer-notes/V-38598.rst b/doc/source/developer-notes/V-38598.rst
index 091249d3..5c82ae60 100644
--- a/doc/source/developer-notes/V-38598.rst
+++ b/doc/source/developer-notes/V-38598.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** The ``rexecd`` daemon is part of the package that contains the ``rsh`` daemon.
diff --git a/doc/source/developer-notes/V-38599.rst b/doc/source/developer-notes/V-38599.rst
index a89ffcef..fdf2b51c 100644
--- a/doc/source/developer-notes/V-38599.rst
+++ b/doc/source/developer-notes/V-38599.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 If the ``vsftpd`` package is installed, a login banner will be applied so that users will see if after logging in. This package isn't installed by default in Ubuntu 14.04 and it isn't installed by openstack-ansible either.
diff --git a/doc/source/developer-notes/V-38600.rst b/doc/source/developer-notes/V-38600.rst
index 271896a7..3e5634dc 100644
--- a/doc/source/developer-notes/V-38600.rst
+++ b/doc/source/developer-notes/V-38600.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will disable the sending of ICMPv4 redirects by setting the sysctl variable ``net.ipv4.conf.default.send_redirects=0``. However, bridging still requires redirects to be enabled, so those interfaces won't
diff --git a/doc/source/developer-notes/V-38601.rst b/doc/source/developer-notes/V-38601.rst
index 5730d9ee..9bb669db 100644
--- a/doc/source/developer-notes/V-38601.rst
+++ b/doc/source/developer-notes/V-38601.rst
@@ -1,3 +1 @@
-:orphan:
-
 See the documentation for V-38600 for more details.
diff --git a/doc/source/developer-notes/V-38602.rst b/doc/source/developer-notes/V-38602.rst
index fbf1192d..c93a6354 100644
--- a/doc/source/developer-notes/V-38602.rst
+++ b/doc/source/developer-notes/V-38602.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** The ``rlogind`` daemon is part of the package that contains the ``rsh`` daemon.
diff --git a/doc/source/developer-notes/V-38603.rst b/doc/source/developer-notes/V-38603.rst
index c1f60ba9..a93d693c 100644
--- a/doc/source/developer-notes/V-38603.rst
+++ b/doc/source/developer-notes/V-38603.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``nis`` package is Ubuntu's equivalent of Red Hat's ``ypserv`` package. The Ansible tasks will remove the ``nis`` package if it is installed. To opt-out of this change, adjust the following configuration variable to ``no``:
diff --git a/doc/source/developer-notes/V-38604.rst b/doc/source/developer-notes/V-38604.rst
index 5fe5f089..4daa8c9e 100644
--- a/doc/source/developer-notes/V-38604.rst
+++ b/doc/source/developer-notes/V-38604.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** The ``ypbind`` service is removed as part of V-38603 where the ``nis`` package
diff --git a/doc/source/developer-notes/V-38605.rst b/doc/source/developer-notes/V-38605.rst
index a116fa8f..8977ddb0 100644
--- a/doc/source/developer-notes/V-38605.rst
+++ b/doc/source/developer-notes/V-38605.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``cron`` service is running by default in Ubuntu and is required for openstack-ansible's services to function properly. The Ansible tasks in this role will ensure that ``cron`` is running and is configured to start
diff --git a/doc/source/developer-notes/V-38606.rst b/doc/source/developer-notes/V-38606.rst
index b897a63f..d2e8e66c 100644
--- a/doc/source/developer-notes/V-38606.rst
+++ b/doc/source/developer-notes/V-38606.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``tftpd`` package in Ubuntu will be removed. To opt-out, adjust the following configuration variable to ``no``:
diff --git a/doc/source/developer-notes/V-38607.rst b/doc/source/developer-notes/V-38607.rst
index 43ec74b9..3dcee345 100644
--- a/doc/source/developer-notes/V-38607.rst
+++ b/doc/source/developer-notes/V-38607.rst
@@ -1,3 +1 @@
-:orphan:
-
 The tasks in sshd.yml will ensure that SSH does uses protocol version 2.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38608.rst b/doc/source/developer-notes/V-38608.rst
index 8232948b..b908dc7d 100644
--- a/doc/source/developer-notes/V-38608.rst
+++ b/doc/source/developer-notes/V-38608.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``ClientAliveInterval`` in the ssh configuration will be set to 15 minutes as recommended by the STIG. However, this time is configurable by setting ``ssh_client_alive_interval`` to another value, in seconds.
diff --git a/doc/source/developer-notes/V-38609.rst b/doc/source/developer-notes/V-38609.rst
index 24e3c071..a75ea9ca 100644
--- a/doc/source/developer-notes/V-38609.rst
+++ b/doc/source/developer-notes/V-38609.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``tftpd`` service is removed by V-38606 and it is not installed by Ubuntu or openstack-ansible by default. For this reason, it's recommended to remove the service by using the Ansible task from V-38606.
diff --git a/doc/source/developer-notes/V-38610.rst b/doc/source/developer-notes/V-38610.rst
index 007b385f..8a0bb726 100644
--- a/doc/source/developer-notes/V-38610.rst
+++ b/doc/source/developer-notes/V-38610.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG recommends setting ``ClientAliveCountMax`` to ensure that ssh connections will close after reaching the ``ClientAliveInterval`` one time. To change this setting, simply change this configuration option
diff --git a/doc/source/developer-notes/V-38611.rst b/doc/source/developer-notes/V-38611.rst
index 1f2245b6..7bfbec56 100644
--- a/doc/source/developer-notes/V-38611.rst
+++ b/doc/source/developer-notes/V-38611.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 By default, Ubuntu configures the ssh daemon so that rsh's .rhosts files are ignored. The Ansible tasks will ensure that this setting hasn't changed from the default.
diff --git a/doc/source/developer-notes/V-38612.rst b/doc/source/developer-notes/V-38612.rst
index ef5e45ca..7a9c5d12 100644
--- a/doc/source/developer-notes/V-38612.rst
+++ b/doc/source/developer-notes/V-38612.rst
@@ -1,3 +1 @@
-:orphan:
-
 The tasks in sshd.yml will ensure that SSH does not allow host based authentication.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38613.rst b/doc/source/developer-notes/V-38613.rst
index ca771823..8259ccea 100644
--- a/doc/source/developer-notes/V-38613.rst
+++ b/doc/source/developer-notes/V-38613.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although the STIG recommends disabling root logins via ssh, the default in this role is to allow it. The openstack-ansible deployment uses the root user by default at this time, but that may change later and allow for this
diff --git a/doc/source/developer-notes/V-38614.rst b/doc/source/developer-notes/V-38614.rst
index 9f867500..572b1060 100644
--- a/doc/source/developer-notes/V-38614.rst
+++ b/doc/source/developer-notes/V-38614.rst
@@ -1,3 +1 @@
-:orphan:
-
 The tasks in sshd.yml will ensure that SSH does not allow empty passwords.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38615.rst b/doc/source/developer-notes/V-38615.rst
index 0b1dce2a..702271dd 100644
--- a/doc/source/developer-notes/V-38615.rst
+++ b/doc/source/developer-notes/V-38615.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ssh daemon will be configured so that a warning banner will be displayed after login. To configure the banner, edit the ``files/login_banner.txt`` file.
diff --git a/doc/source/developer-notes/V-38616.rst b/doc/source/developer-notes/V-38616.rst
index 6ba9650e..50c8e6cf 100644
--- a/doc/source/developer-notes/V-38616.rst
+++ b/doc/source/developer-notes/V-38616.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The ssh daemon will be configured to disallow user environment settings that may allow users to bypass access restrictions in some cases.
diff --git a/doc/source/developer-notes/V-38617.rst b/doc/source/developer-notes/V-38617.rst
index 03cc3025..072acace 100644
--- a/doc/source/developer-notes/V-38617.rst
+++ b/doc/source/developer-notes/V-38617.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The ssh daemon will be configured to use the approved list of ciphers as recommended by the STIG.
diff --git a/doc/source/developer-notes/V-38618.rst b/doc/source/developer-notes/V-38618.rst
index 7b60bdbe..14531666 100644
--- a/doc/source/developer-notes/V-38618.rst
+++ b/doc/source/developer-notes/V-38618.rst
@@ -1,3 +1 @@
-:orphan:
-
 The avahi daemon will be disabled if the package is installed.
diff --git a/doc/source/developer-notes/V-38619.rst b/doc/source/developer-notes/V-38619.rst
index 273cf930..d7b6b1f7 100644
--- a/doc/source/developer-notes/V-38619.rst
+++ b/doc/source/developer-notes/V-38619.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 The Ansible tasks will check for ``.netrc`` files in ``/root`` and ``/home`` on the system and print a failure warning if any are found.
diff --git a/doc/source/developer-notes/V-38620.rst b/doc/source/developer-notes/V-38620.rst
index a8849625..64877916 100644
--- a/doc/source/developer-notes/V-38620.rst
+++ b/doc/source/developer-notes/V-38620.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``chrony`` service is installed to manage clock synchronization for hosts and to serve as an NTP server for NTP clients. Chrony was chosen over ntpd because it's actively maintained and has some enhancements for virtualized
diff --git a/doc/source/developer-notes/V-38621.rst b/doc/source/developer-notes/V-38621.rst
index 03c6c456..e1fa428b 100644
--- a/doc/source/developer-notes/V-38621.rst
+++ b/doc/source/developer-notes/V-38621.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** The Ansible tasks for V-38620 will configure the ``chrony`` daemon and allow
diff --git a/doc/source/developer-notes/V-38622.rst b/doc/source/developer-notes/V-38622.rst
index 0b87fd95..de2c6f4f 100644
--- a/doc/source/developer-notes/V-38622.rst
+++ b/doc/source/developer-notes/V-38622.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires that postfix only listens on the localhost so that it isn't abused as a mail relay. The Ansible task will adjust the ``inet_interfaces`` line in the Postfix configuration and restart postfix if the line is changed.
diff --git a/doc/source/developer-notes/V-38623.rst b/doc/source/developer-notes/V-38623.rst
index d2fae19e..47ae252f 100644
--- a/doc/source/developer-notes/V-38623.rst
+++ b/doc/source/developer-notes/V-38623.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu sets the mode on rsyslog files to ``0640`` by default, but the STIG requires ``0600`` or less. The Ansible tasks will adjust the rsyslog configuration so that any new log files will have the mode set to ``0600``.
diff --git a/doc/source/developer-notes/V-38624.rst b/doc/source/developer-notes/V-38624.rst
index 95257d02..78090030 100644
--- a/doc/source/developer-notes/V-38624.rst
+++ b/doc/source/developer-notes/V-38624.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires that system logs are rotate daily, but the check only involves verifying that logrotate is installed and activated by cron. The openstack-ansible project already configures weekly log rotation with
diff --git a/doc/source/developer-notes/V-38625.rst b/doc/source/developer-notes/V-38625.rst
index 87b07fbb..18a73677 100644
--- a/doc/source/developer-notes/V-38625.rst
+++ b/doc/source/developer-notes/V-38625.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Neither Ubuntu 14.04 or openstack-ansible configures LDAP authentication by
diff --git a/doc/source/developer-notes/V-38627.rst b/doc/source/developer-notes/V-38627.rst
index 17eafab3..b45a6c4b 100644
--- a/doc/source/developer-notes/V-38627.rst
+++ b/doc/source/developer-notes/V-38627.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires that any LDAP server packages on the system are removed. The Ansible role will remove ``slapd`` from the server if it is present.
diff --git a/doc/source/developer-notes/V-38628.rst b/doc/source/developer-notes/V-38628.rst
index eeb62bbf..d45851d7 100644
--- a/doc/source/developer-notes/V-38628.rst
+++ b/doc/source/developer-notes/V-38628.rst
@@ -1,3 +1 @@
-:orphan:
-
 This STIG requirement overlaps with V-38632.
diff --git a/doc/source/developer-notes/V-38629.rst b/doc/source/developer-notes/V-38629.rst
index 92fc0b20..cc52eee9 100644
--- a/doc/source/developer-notes/V-38629.rst
+++ b/doc/source/developer-notes/V-38629.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Neither Ubuntu or openstack-ansible installs a graphical desktop by default.
diff --git a/doc/source/developer-notes/V-38631.rst b/doc/source/developer-notes/V-38631.rst
index eeb62bbf..d45851d7 100644
--- a/doc/source/developer-notes/V-38631.rst
+++ b/doc/source/developer-notes/V-38631.rst
@@ -1,3 +1 @@
-:orphan:
-
 This STIG requirement overlaps with V-38632.
diff --git a/doc/source/developer-notes/V-38632.rst b/doc/source/developer-notes/V-38632.rst
index cdc5e471..628e3852 100644
--- a/doc/source/developer-notes/V-38632.rst
+++ b/doc/source/developer-notes/V-38632.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The tasks in auth.yml will install `auditd`_ and ensure it is running. .. _auditd: http://people.redhat.com/sgrubb/audit/
diff --git a/doc/source/developer-notes/V-38633.rst b/doc/source/developer-notes/V-38633.rst
index 031cfc67..b03c4f71 100644
--- a/doc/source/developer-notes/V-38633.rst
+++ b/doc/source/developer-notes/V-38633.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu's default setting for ``max_log_files`` matches the STIG requirement of rotating logs when they reach 6MB. The Ansible task for this STIG requirement ensures that the secure default is maintained.
diff --git a/doc/source/developer-notes/V-38634.rst b/doc/source/developer-notes/V-38634.rst
index b81879ef..278e1a30 100644
--- a/doc/source/developer-notes/V-38634.rst
+++ b/doc/source/developer-notes/V-38634.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu's default action for ``max_log_file_action`` is to rotate the logs. This meets the STIG requirements and the Ansible task will ensure that the secure default is maintained.
diff --git a/doc/source/developer-notes/V-38635.rst b/doc/source/developer-notes/V-38635.rst
index 7e7da86e..0b3241ab 100644
--- a/doc/source/developer-notes/V-38635.rst
+++ b/doc/source/developer-notes/V-38635.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Audit rules are added in a task so that any events associated with altering system time are logged. The new audit rule will be loaded immediately with ``augenrules --load``.
diff --git a/doc/source/developer-notes/V-38636.rst b/doc/source/developer-notes/V-38636.rst
index 84c2f737..1711229f 100644
--- a/doc/source/developer-notes/V-38636.rst
+++ b/doc/source/developer-notes/V-38636.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu keeps 5 rotated logs with the ``num_logs`` option and this meets the STIG requirement. The Ansible task will ensure that the secure default is maintained.
diff --git a/doc/source/developer-notes/V-38637.rst b/doc/source/developer-notes/V-38637.rst
index 931c8dcc..0de32fb0 100644
--- a/doc/source/developer-notes/V-38637.rst
+++ b/doc/source/developer-notes/V-38637.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The auditd package is verified with ``debsums`` and the playbook will fail immediately if any of the files from the auditd package have been altered. This could be the sign of a system compromise.
diff --git a/doc/source/developer-notes/V-38640.rst b/doc/source/developer-notes/V-38640.rst
index 5aa65dc2..577c6903 100644
--- a/doc/source/developer-notes/V-38640.rst
+++ b/doc/source/developer-notes/V-38640.rst
@@ -1,3 +1 @@
-:orphan:
-
 services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38641.rst b/doc/source/developer-notes/V-38641.rst
index 5aa65dc2..577c6903 100644
--- a/doc/source/developer-notes/V-38641.rst
+++ b/doc/source/developer-notes/V-38641.rst
@@ -1,3 +1 @@
-:orphan:
-
 services.yml reads a list of services and their desired state from the 'defaults/main.yml' cat3_services variable. With this list the tasks will ensure the services are in the state desired by their corresponding STIG requirement.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38642.rst b/doc/source/developer-notes/V-38642.rst
index 04693d45..cb27284f 100644
--- a/doc/source/developer-notes/V-38642.rst
+++ b/doc/source/developer-notes/V-38642.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The STIG requires that daemons have their umask set to ``027`` or ``022``. Since changing umasks can disrupt some systems, this is an opt-in change.
diff --git a/doc/source/developer-notes/V-38643.rst b/doc/source/developer-notes/V-38643.rst
index 36a15f6d..f47d7db3 100644
--- a/doc/source/developer-notes/V-38643.rst
+++ b/doc/source/developer-notes/V-38643.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Searching for world-writable files on a host deployed with openstack-ansible
diff --git a/doc/source/developer-notes/V-38644.rst b/doc/source/developer-notes/V-38644.rst
index 454ba265..160a7fd9 100644
--- a/doc/source/developer-notes/V-38644.rst
+++ b/doc/source/developer-notes/V-38644.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Special case** Ubuntu doesn't provide the same ``ntpdate`` service that a Red Hat Enterprise
diff --git a/doc/source/developer-notes/V-38645.rst b/doc/source/developer-notes/V-38645.rst
index f1f39bf8..f6c385ea 100644
--- a/doc/source/developer-notes/V-38645.rst
+++ b/doc/source/developer-notes/V-38645.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Ubuntu's default umask setting in ``/etc/login.defs`` is ``022``, but the STIG
diff --git a/doc/source/developer-notes/V-38646.rst b/doc/source/developer-notes/V-38646.rst
index e2873e27..3fee80f4 100644
--- a/doc/source/developer-notes/V-38646.rst
+++ b/doc/source/developer-notes/V-38646.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Special case** Ubuntu doesn't package the ``oddjobd`` daemon, so there are no packages to
diff --git a/doc/source/developer-notes/V-38647.rst b/doc/source/developer-notes/V-38647.rst
index 26cf493f..0a196166 100644
--- a/doc/source/developer-notes/V-38647.rst
+++ b/doc/source/developer-notes/V-38647.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** Ubuntu 14.04 doesn't use umask settings in ``/etc/profile``. Those settings
diff --git a/doc/source/developer-notes/V-38648.rst b/doc/source/developer-notes/V-38648.rst
index d57e9e0f..5b7a43ee 100644
--- a/doc/source/developer-notes/V-38648.rst
+++ b/doc/source/developer-notes/V-38648.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although some OpenStack implementations use ``qpidd`` for their messaging hub, neither Ubuntu or openstack-ansible configures the service on the hosts by default. The Ansible task for this STIG will check to see if the init script
diff --git a/doc/source/developer-notes/V-38649.rst b/doc/source/developer-notes/V-38649.rst
index b83aafa9..832eeb87 100644
--- a/doc/source/developer-notes/V-38649.rst
+++ b/doc/source/developer-notes/V-38649.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Opt-in required** Neither Ubuntu or openstack-ansible installs the csh shell by default.
diff --git a/doc/source/developer-notes/V-38650.rst b/doc/source/developer-notes/V-38650.rst
index 5ff98b86..b9671ca8 100644
--- a/doc/source/developer-notes/V-38650.rst
+++ b/doc/source/developer-notes/V-38650.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Special case** Ubuntu doesn't provide packages containing the ``rdisc`` service at this time.
diff --git a/doc/source/developer-notes/V-38651.rst b/doc/source/developer-notes/V-38651.rst
index 83b133c1..fc81ffdc 100644
--- a/doc/source/developer-notes/V-38651.rst
+++ b/doc/source/developer-notes/V-38651.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Opt-in required** Changing the umask for the bash shell is an opt-in setting. Deployers that
diff --git a/doc/source/developer-notes/V-38652.rst b/doc/source/developer-notes/V-38652.rst
index c9df1bfa..1dd08d58 100644
--- a/doc/source/developer-notes/V-38652.rst
+++ b/doc/source/developer-notes/V-38652.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
diff --git a/doc/source/developer-notes/V-38653.rst b/doc/source/developer-notes/V-38653.rst
index a42fd53b..d00ca4f3 100644
--- a/doc/source/developer-notes/V-38653.rst
+++ b/doc/source/developer-notes/V-38653.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** The openstack-ansible project doesn't install snmpd by default, and neither
diff --git a/doc/source/developer-notes/V-38654.rst b/doc/source/developer-notes/V-38654.rst
index bb60f84b..0a0479b3 100644
--- a/doc/source/developer-notes/V-38654.rst
+++ b/doc/source/developer-notes/V-38654.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Although neither Ubuntu 14.04 or openstack-ansible mount remote filesystems
diff --git a/doc/source/developer-notes/V-38655.rst b/doc/source/developer-notes/V-38655.rst
index 6cdba20e..2b363980 100644
--- a/doc/source/developer-notes/V-38655.rst
+++ b/doc/source/developer-notes/V-38655.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Neither Ubuntu nor openstack-ansible will configure any removable media mounts
diff --git a/doc/source/developer-notes/V-38656.rst b/doc/source/developer-notes/V-38656.rst
index 452a1c26..df8c1c32 100644
--- a/doc/source/developer-notes/V-38656.rst
+++ b/doc/source/developer-notes/V-38656.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although the ``samba`` server isn't installed by Ubuntu or openstack-ansible by default, the Ansible tasks will check to see if the package is installed and the configuration file will be adjusted. If adjustments are made, the
diff --git a/doc/source/developer-notes/V-38657.rst b/doc/source/developer-notes/V-38657.rst
index 2110e110..00401a5a 100644
--- a/doc/source/developer-notes/V-38657.rst
+++ b/doc/source/developer-notes/V-38657.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Ubuntu and openstack-ansible do not currently configure any samba share mounts
diff --git a/doc/source/developer-notes/V-38658.rst b/doc/source/developer-notes/V-38658.rst
index 44c90626..06685c51 100644
--- a/doc/source/developer-notes/V-38658.rst
+++ b/doc/source/developer-notes/V-38658.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Making adjustments to PAM configurations via automated methods is risky since
diff --git a/doc/source/developer-notes/V-38659.rst b/doc/source/developer-notes/V-38659.rst
index 9a1b4bba..a7573757 100644
--- a/doc/source/developer-notes/V-38659.rst
+++ b/doc/source/developer-notes/V-38659.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Creating encrypted storage is left up to the deployer to consider and
diff --git a/doc/source/developer-notes/V-38660.rst b/doc/source/developer-notes/V-38660.rst
index 432dc601..36eb418c 100644
--- a/doc/source/developer-notes/V-38660.rst
+++ b/doc/source/developer-notes/V-38660.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although neither Ubuntu 14.04 or openstack-ansible install or configure the SNMP daemon by default, the Ansible tasks will check to see if the SNMP configuration file is present. If the file is present, and the file contains
diff --git a/doc/source/developer-notes/V-38666.rst b/doc/source/developer-notes/V-38666.rst
index 164a22ff..585cf5b3 100644
--- a/doc/source/developer-notes/V-38666.rst
+++ b/doc/source/developer-notes/V-38666.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Installing an antivirus program on openstack-ansible infrastructure is left
diff --git a/doc/source/developer-notes/V-38667.rst b/doc/source/developer-notes/V-38667.rst
index b2ae5f7d..488b3ef7 100644
--- a/doc/source/developer-notes/V-38667.rst
+++ b/doc/source/developer-notes/V-38667.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Fixed by another STIG** The openstack-ansible project already installs and configures AppArmor, which
diff --git a/doc/source/developer-notes/V-38668.rst b/doc/source/developer-notes/V-38668.rst
index afc7a2ad..d5e8ec77 100644
--- a/doc/source/developer-notes/V-38668.rst
+++ b/doc/source/developer-notes/V-38668.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The control-alt-delete keyboard sequence is disable by an Ansible task in ``/etc/init/control-alt-delete.conf``. A reboot is recommended to apply the change.
diff --git a/doc/source/developer-notes/V-38669.rst b/doc/source/developer-notes/V-38669.rst
index 1182cc93..c192168c 100644
--- a/doc/source/developer-notes/V-38669.rst
+++ b/doc/source/developer-notes/V-38669.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The ``postfix`` package will be installed and configured to run at boot time. Review the documentation for V-38446 to ensure that root's email is forwarded to an email account that can monitor for critical alerts and other
diff --git a/doc/source/developer-notes/V-38670.rst b/doc/source/developer-notes/V-38670.rst
index 6fdd604b..e264f8c0 100644
--- a/doc/source/developer-notes/V-38670.rst
+++ b/doc/source/developer-notes/V-38670.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The AIDE package is already installed as part of the Ansible tasks to fix V-38429, but these Ansible tasks will verify that the cron job file is actually in place. Ubuntu will configure the cron job automatically as soon as the
diff --git a/doc/source/developer-notes/V-38671.rst b/doc/source/developer-notes/V-38671.rst
index 7779fb4e..b70b78e0 100644
--- a/doc/source/developer-notes/V-38671.rst
+++ b/doc/source/developer-notes/V-38671.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Although neither Ubuntu nor openstack-ansible install or configure sendmail by default, the Ansible task will remove the sendmail package if it exists on the system.
diff --git a/doc/source/developer-notes/V-38672.rst b/doc/source/developer-notes/V-38672.rst
index 209d3737..b5667d6b 100644
--- a/doc/source/developer-notes/V-38672.rst
+++ b/doc/source/developer-notes/V-38672.rst
@@ -1,4 +1,2 @@
-:orphan:
-
 Ubuntu doesn't provide the netconsole package and the daemon isn't included in any other Ubuntu packages. Therefore, no action is required for this STIG.
diff --git a/doc/source/developer-notes/V-38673.rst b/doc/source/developer-notes/V-38673.rst
index 17078ad5..c6b11189 100644
--- a/doc/source/developer-notes/V-38673.rst
+++ b/doc/source/developer-notes/V-38673.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** Installing AIDE on Ubuntu isn't an issue, but there's a bug that causes AIDE
diff --git a/doc/source/developer-notes/V-38674.rst b/doc/source/developer-notes/V-38674.rst
index 8ada3de4..299f42b8 100644
--- a/doc/source/developer-notes/V-38674.rst
+++ b/doc/source/developer-notes/V-38674.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu sets the default runlevel in ``/etc/init/rc-sysinit.conf`` and it should be set to ``2`` on Ubuntu systems. The Ansible task will verify that the correct runlevel is set. If the verification fails, an error will be printed
diff --git a/doc/source/developer-notes/V-38675.rst b/doc/source/developer-notes/V-38675.rst
index b8eb2080..cfa86435 100644
--- a/doc/source/developer-notes/V-38675.rst
+++ b/doc/source/developer-notes/V-38675.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Ubuntu doesn't restrict core dumps by default, but the STIG requires that core dumps are disabled for all users unless absolutely necessary.
diff --git a/doc/source/developer-notes/V-38676.rst b/doc/source/developer-notes/V-38676.rst
index 87c2bb14..9e285bb2 100644
--- a/doc/source/developer-notes/V-38676.rst
+++ b/doc/source/developer-notes/V-38676.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 Neither Ubuntu nor openstack-ansible install the X windows server by default. The ansible tasks will remove the ``xserver-xorg`` package if it is present.
diff --git a/doc/source/developer-notes/V-38677.rst b/doc/source/developer-notes/V-38677.rst
index dd046c70..183cd2b4 100644
--- a/doc/source/developer-notes/V-38677.rst
+++ b/doc/source/developer-notes/V-38677.rst
@@ -1,3 +1 @@
-:orphan:
-
 The tasks in nfsd.yml first check to see if the system has nfs exports. If so, it then checks for the presence of 'insecure_locks'.
\ No newline at end of file
diff --git a/doc/source/developer-notes/V-38678.rst b/doc/source/developer-notes/V-38678.rst
index d88060f8..14afc899 100644
--- a/doc/source/developer-notes/V-38678.rst
+++ b/doc/source/developer-notes/V-38678.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 When auditd notices that free disk space on its logging partition is low, it will trigger the ``space_left_action``. The threshold of remaining disk space is configured by ``space_left`` in ``/etc/audit/auditd.conf``.
diff --git a/doc/source/developer-notes/V-38679.rst b/doc/source/developer-notes/V-38679.rst
index b8b915a6..80ee7ad9 100644
--- a/doc/source/developer-notes/V-38679.rst
+++ b/doc/source/developer-notes/V-38679.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** The DHCP client is needed for containers to function properly and may be
diff --git a/doc/source/developer-notes/V-38680.rst b/doc/source/developer-notes/V-38680.rst
index bb0598ed..2fae9bf0 100644
--- a/doc/source/developer-notes/V-38680.rst
+++ b/doc/source/developer-notes/V-38680.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 By default, Ubuntu sets the default recipient for storage capacity issues in auditd to the root user. The Ansible task ensures that the default remains set.
diff --git a/doc/source/developer-notes/V-38681.rst b/doc/source/developer-notes/V-38681.rst
index e6f66043..dabfed00 100644
--- a/doc/source/developer-notes/V-38681.rst
+++ b/doc/source/developer-notes/V-38681.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible tasks will run ``pwck`` to find any groups that are defined in ``/etc/passwd`` but not in ``/etc/group``. This could be a sign of an accidental misconfiguration or a more serious security problem. If the command
diff --git a/doc/source/developer-notes/V-38682.rst b/doc/source/developer-notes/V-38682.rst
index ba36399a..61ef5c05 100644
--- a/doc/source/developer-notes/V-38682.rst
+++ b/doc/source/developer-notes/V-38682.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task will disable the bluetooth kernel modules to meet the STIG requirements. To opt-out of this change, adjust the following Ansible variable to ``no``:
diff --git a/doc/source/developer-notes/V-38683.rst b/doc/source/developer-notes/V-38683.rst
index ff4b898a..5818a09b 100644
--- a/doc/source/developer-notes/V-38683.rst
+++ b/doc/source/developer-notes/V-38683.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 The Ansible task will use the ``pwck`` command to search for non-unique usernames on the system. If any matching usernames are found, an error will be printed and the playbook will fail.
diff --git a/doc/source/developer-notes/V-38684.rst b/doc/source/developer-notes/V-38684.rst
index ac070aeb..7dda867c 100644
--- a/doc/source/developer-notes/V-38684.rst
+++ b/doc/source/developer-notes/V-38684.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Opt-in required** Ubuntu does not set a limit on the maximum number of active sessions that
diff --git a/doc/source/developer-notes/V-38685.rst b/doc/source/developer-notes/V-38685.rst
index 547aa6f0..e391573e 100644
--- a/doc/source/developer-notes/V-38685.rst
+++ b/doc/source/developer-notes/V-38685.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** It's not possible to determine which accounts may be temporary or permanent
diff --git a/doc/source/developer-notes/V-38687.rst b/doc/source/developer-notes/V-38687.rst
index aa30b819..8cd7d43c 100644
--- a/doc/source/developer-notes/V-38687.rst
+++ b/doc/source/developer-notes/V-38687.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 **Exception** The configuration of encrypted tunnels between deployers and their OpenStack
diff --git a/doc/source/developer-notes/V-38691.rst b/doc/source/developer-notes/V-38691.rst
index 1064305d..a8900001 100644
--- a/doc/source/developer-notes/V-38691.rst
+++ b/doc/source/developer-notes/V-38691.rst
@@ -1,5 +1,3 @@ -:orphan: - Although neither Ubuntu 14.04 or openstack-ansible installs the ``bluetooth`` package, the Ansible tasks will disable the service and stop it if it's found to be running on the system. diff --git a/doc/source/developer-notes/V-38692.rst b/doc/source/developer-notes/V-38692.rst index 010646f0..0005bfeb 100644 --- a/doc/source/developer-notes/V-38692.rst +++ b/doc/source/developer-notes/V-38692.rst @@ -1,5 +1,3 @@ -:orphan: - **Opt-in required** By default, Ubuntu doesn't require that inactive accounts are locked after a diff --git a/doc/source/developer-notes/V-38697.rst b/doc/source/developer-notes/V-38697.rst index c2168de6..e75e0f4b 100644 --- a/doc/source/developer-notes/V-38697.rst +++ b/doc/source/developer-notes/V-38697.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** Running a ``find`` command on the system during the playbook run is diff --git a/doc/source/developer-notes/V-38699.rst b/doc/source/developer-notes/V-38699.rst index c6e05665..a6c415ed 100644 --- a/doc/source/developer-notes/V-38699.rst +++ b/doc/source/developer-notes/V-38699.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** The STIG requires administrators to search for directories meeting all of the diff --git a/doc/source/developer-notes/V-38701.rst b/doc/source/developer-notes/V-38701.rst index 53e910b0..1ecc417c 100644 --- a/doc/source/developer-notes/V-38701.rst +++ b/doc/source/developer-notes/V-38701.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** Neither Ubuntu 14.04 nor openstack-ansible adds a tftp daemon to the system. diff --git a/doc/source/developer-notes/V-38702.rst b/doc/source/developer-notes/V-38702.rst index e04473b5..04da5aae 100644 --- a/doc/source/developer-notes/V-38702.rst +++ b/doc/source/developer-notes/V-38702.rst 
@@ -1,5 +1,3 @@ -:orphan: - Although neither Ubuntu nor openstack-ansible installs or configures ``vsftpd`` by default, the Ansible task will ensure that the appropriate log configuration lines are applied to ``/etc/vsftpd.conf`` to meet the diff --git a/doc/source/developer-notes/V-51337.rst b/doc/source/developer-notes/V-51337.rst index 7fdb7772..8bb2b9b3 100644 --- a/doc/source/developer-notes/V-51337.rst +++ b/doc/source/developer-notes/V-51337.rst @@ -1,5 +1,3 @@ -:orphan: - **Opt-in required** The tasks in the security role can enable the Linux Security Module (LSM) that diff --git a/doc/source/developer-notes/V-51363.rst b/doc/source/developer-notes/V-51363.rst index 1f7e6ae6..8f44a7d1 100644 --- a/doc/source/developer-notes/V-51363.rst +++ b/doc/source/developer-notes/V-51363.rst @@ -1,5 +1,3 @@ -:orphan: - The openstack-ansible project configures AppArmor to limit the actions of containers and reduce the changes (and potential damages) of a container breakout. The RHEL 6 STIG mentions SELinux but the existing SELinux policies diff --git a/doc/source/developer-notes/V-51369.rst b/doc/source/developer-notes/V-51369.rst index ebca4b3d..95de5874 100644 --- a/doc/source/developer-notes/V-51369.rst +++ b/doc/source/developer-notes/V-51369.rst @@ -1,5 +1,3 @@ -:orphan: - Although SELinux is available on Ubuntu 14.04, the policies aren't maintained as well as they are on Red Hat-based systems. The openstack-ansible project has chosen to use the more Ubuntu-compatible Linux security module, AppArmor. diff --git a/doc/source/developer-notes/V-51379.rst b/doc/source/developer-notes/V-51379.rst index 5d8de6f4..393e1b4f 100644 --- a/doc/source/developer-notes/V-51379.rst +++ b/doc/source/developer-notes/V-51379.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** Although SELinux works through a labeling system where every file (including diff --git a/doc/source/developer-notes/V-51391.rst b/doc/source/developer-notes/V-51391.rst index 5be1db5e..b032c8e2 100644 
--- a/doc/source/developer-notes/V-51391.rst +++ b/doc/source/developer-notes/V-51391.rst @@ -1,5 +1,3 @@ -:orphan: - When AIDE is first installed for V-38429, a new database will be created. The creation process takes some time because AIDE needs to review each file in its list of monitored files to get timestamps and hashes. The diff --git a/doc/source/developer-notes/V-54381.rst b/doc/source/developer-notes/V-54381.rst index 1a5503e7..115af033 100644 --- a/doc/source/developer-notes/V-54381.rst +++ b/doc/source/developer-notes/V-54381.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** The STIG requires that the audit system must switch the entire system into diff --git a/doc/source/developer-notes/V-57569.rst b/doc/source/developer-notes/V-57569.rst index 0da70141..001084a8 100644 --- a/doc/source/developer-notes/V-57569.rst +++ b/doc/source/developer-notes/V-57569.rst @@ -1,5 +1,3 @@ -:orphan: - **Exception** Altering partitions and how they are mounted is left up to the deployer diff --git a/doc/source/developer-notes/V-58901.rst b/doc/source/developer-notes/V-58901.rst index ff20f101..2ba15a48 100644 --- a/doc/source/developer-notes/V-58901.rst +++ b/doc/source/developer-notes/V-58901.rst @@ -1,5 +1,3 @@ -:orphan: - This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within the sudoers configuration files. Using these directives reduces the security of the system. diff --git a/doc/source/stig-notes/V-38437.rst b/doc/source/stig-notes/V-38437.rst index 936ad73d..059fef51 100644 --- a/doc/source/stig-notes/V-38437.rst +++ b/doc/source/stig-notes/V-38437.rst @@ -1,5 +1,3 @@ -:orphan: - V-38437: Automated file system mounting tools must not be enabled unless needed. -------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38438.rst b/doc/source/stig-notes/V-38438.rst index 4c59b175..8888bf4d 100644 --- a/doc/source/stig-notes/V-38438.rst +++ b/doc/source/stig-notes/V-38438.rst 
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38438: Auditing must be enabled at boot by setting a kernel parameter.
 ------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38439.rst b/doc/source/stig-notes/V-38439.rst
index b0fea9e9..d98b00f9 100644
--- a/doc/source/stig-notes/V-38439.rst
+++ b/doc/source/stig-notes/V-38439.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38439: The system must provide automated support for account management functions.
 ------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38443.rst b/doc/source/stig-notes/V-38443.rst
index 517849a2..f4e93ade 100644
--- a/doc/source/stig-notes/V-38443.rst
+++ b/doc/source/stig-notes/V-38443.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38443: The /etc/gshadow file must be owned by root.
 -----------------------------------------------------
diff --git a/doc/source/stig-notes/V-38444.rst b/doc/source/stig-notes/V-38444.rst
index ea06a9b3..6933d4ae 100644
--- a/doc/source/stig-notes/V-38444.rst
+++ b/doc/source/stig-notes/V-38444.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38444: The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
 ------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38445.rst b/doc/source/stig-notes/V-38445.rst
index bb9a3730..80325499 100644
--- a/doc/source/stig-notes/V-38445.rst
+++ b/doc/source/stig-notes/V-38445.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38445: Audit log files must be group-owned by root.
 -----------------------------------------------------
diff --git a/doc/source/stig-notes/V-38446.rst b/doc/source/stig-notes/V-38446.rst
index 29253347..8f79688d 100644
--- a/doc/source/stig-notes/V-38446.rst
+++ b/doc/source/stig-notes/V-38446.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38446: The mail system must forward all mail for root to one or more system administrators.
 ---------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38447.rst b/doc/source/stig-notes/V-38447.rst
index 541c4079..94e0557b 100644
--- a/doc/source/stig-notes/V-38447.rst
+++ b/doc/source/stig-notes/V-38447.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38447: The system package management tool must verify contents of all files associated with packages.
 -------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38448.rst b/doc/source/stig-notes/V-38448.rst
index 07da068d..29bc9ae7 100644
--- a/doc/source/stig-notes/V-38448.rst
+++ b/doc/source/stig-notes/V-38448.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38448: The /etc/gshadow file must be group-owned by root.
 -----------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38449.rst b/doc/source/stig-notes/V-38449.rst
index 2f225080..d6acf027 100644
--- a/doc/source/stig-notes/V-38449.rst
+++ b/doc/source/stig-notes/V-38449.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38449: The /etc/gshadow file must have mode 0000.
 ---------------------------------------------------
diff --git a/doc/source/stig-notes/V-38450.rst b/doc/source/stig-notes/V-38450.rst
index 95336b4c..f59d4198 100644
--- a/doc/source/stig-notes/V-38450.rst
+++ b/doc/source/stig-notes/V-38450.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38450: The /etc/passwd file must be owned by root.
 ----------------------------------------------------
diff --git a/doc/source/stig-notes/V-38451.rst b/doc/source/stig-notes/V-38451.rst
index 17f8b4f6..f112e431 100644
--- a/doc/source/stig-notes/V-38451.rst
+++ b/doc/source/stig-notes/V-38451.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38451: The /etc/passwd file must be group-owned by root.
 ----------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38452.rst b/doc/source/stig-notes/V-38452.rst index d1ef4b8b..72a307c0 100644 --- a/doc/source/stig-notes/V-38452.rst +++ b/doc/source/stig-notes/V-38452.rst @@ -1,5 +1,3 @@ -:orphan: - V-38452: The system package management tool must verify permissions on all files and directories associated with packages. -------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38453.rst b/doc/source/stig-notes/V-38453.rst index 64b9cf9f..5627f069 100644 --- a/doc/source/stig-notes/V-38453.rst +++ b/doc/source/stig-notes/V-38453.rst @@ -1,5 +1,3 @@ -:orphan: - V-38453: The system package management tool must verify group-ownership on all files and directories associated with packages. ------------------------------------------------------------------------------------------------------------------------------ diff --git a/doc/source/stig-notes/V-38454.rst b/doc/source/stig-notes/V-38454.rst index b139e722..a461b993 100644 --- a/doc/source/stig-notes/V-38454.rst +++ b/doc/source/stig-notes/V-38454.rst @@ -1,5 +1,3 @@ -:orphan: - V-38454: The system package management tool must verify ownership on all files and directories associated with packages. ------------------------------------------------------------------------------------------------------------------------ diff --git a/doc/source/stig-notes/V-38455.rst b/doc/source/stig-notes/V-38455.rst index cb43d1b0..18b14344 100644 --- a/doc/source/stig-notes/V-38455.rst +++ b/doc/source/stig-notes/V-38455.rst @@ -1,5 +1,3 @@ -:orphan: - V-38455: The system must use a separate file system for /tmp. ------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38456.rst b/doc/source/stig-notes/V-38456.rst index 3c759ea1..ea95a5ac 100644 --- a/doc/source/stig-notes/V-38456.rst +++ b/doc/source/stig-notes/V-38456.rst 
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38456: The system must use a separate file system for /var.
 -------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38457.rst b/doc/source/stig-notes/V-38457.rst
index 8db99611..5cb84172 100644
--- a/doc/source/stig-notes/V-38457.rst
+++ b/doc/source/stig-notes/V-38457.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38457: The /etc/passwd file must have mode 0644 or less permissive.
 ---------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38458.rst b/doc/source/stig-notes/V-38458.rst
index 931fdd59..64e3a16a 100644
--- a/doc/source/stig-notes/V-38458.rst
+++ b/doc/source/stig-notes/V-38458.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38458: The /etc/group file must be owned by root.
 ---------------------------------------------------
diff --git a/doc/source/stig-notes/V-38459.rst b/doc/source/stig-notes/V-38459.rst
index a654e689..998e87ba 100644
--- a/doc/source/stig-notes/V-38459.rst
+++ b/doc/source/stig-notes/V-38459.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38459: The /etc/group file must be group-owned by root.
 ---------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38460.rst b/doc/source/stig-notes/V-38460.rst
index 93d7e9e9..6253e300 100644
--- a/doc/source/stig-notes/V-38460.rst
+++ b/doc/source/stig-notes/V-38460.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38460: The NFS server must not have the all_squash option enabled.
 --------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38461.rst b/doc/source/stig-notes/V-38461.rst
index b84cd3e0..dc6b19f6 100644
--- a/doc/source/stig-notes/V-38461.rst
+++ b/doc/source/stig-notes/V-38461.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38461: The /etc/group file must have mode 0644 or less permissive.
 --------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38462.rst b/doc/source/stig-notes/V-38462.rst index 2cee3a55..a34c2087 100644 --- a/doc/source/stig-notes/V-38462.rst +++ b/doc/source/stig-notes/V-38462.rst @@ -1,5 +1,3 @@ -:orphan: - V-38462: The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. ------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38463.rst b/doc/source/stig-notes/V-38463.rst index 02759cca..210f92a5 100644 --- a/doc/source/stig-notes/V-38463.rst +++ b/doc/source/stig-notes/V-38463.rst @@ -1,5 +1,3 @@ -:orphan: - V-38463: The system must use a separate file system for /var/log. ----------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38464.rst b/doc/source/stig-notes/V-38464.rst index 2a1fdb44..19231e9b 100644 --- a/doc/source/stig-notes/V-38464.rst +++ b/doc/source/stig-notes/V-38464.rst @@ -1,5 +1,3 @@ -:orphan: - V-38464: The audit system must take appropriate action when there are disk errors on the audit storage volume. -------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38465.rst b/doc/source/stig-notes/V-38465.rst index ffae4078..ff6dba90 100644 --- a/doc/source/stig-notes/V-38465.rst +++ b/doc/source/stig-notes/V-38465.rst @@ -1,5 +1,3 @@ -:orphan: - V-38465: Library files must have mode 0755 or less permissive. -------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38466.rst b/doc/source/stig-notes/V-38466.rst index 0bf3fea6..5cd906eb 100644 --- a/doc/source/stig-notes/V-38466.rst +++ b/doc/source/stig-notes/V-38466.rst @@ -1,5 +1,3 @@ -:orphan: - V-38466: Library files must be owned by root. --------------------------------------------- 
diff --git a/doc/source/stig-notes/V-38467.rst b/doc/source/stig-notes/V-38467.rst index 9dc642e0..1a3b862e 100644 --- a/doc/source/stig-notes/V-38467.rst +++ b/doc/source/stig-notes/V-38467.rst @@ -1,5 +1,3 @@ -:orphan: - V-38467: The system must use a separate file system for the system audit data path. ----------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38468.rst b/doc/source/stig-notes/V-38468.rst index ee6ce44f..0f87b321 100644 --- a/doc/source/stig-notes/V-38468.rst +++ b/doc/source/stig-notes/V-38468.rst @@ -1,5 +1,3 @@ -:orphan: - V-38468: The audit system must take appropriate action when the audit storage volume is full. --------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38469.rst b/doc/source/stig-notes/V-38469.rst index 7a10a14c..a0c3b713 100644 --- a/doc/source/stig-notes/V-38469.rst +++ b/doc/source/stig-notes/V-38469.rst @@ -1,5 +1,3 @@ -:orphan: - V-38469: All system command files must have mode 755 or less permissive. ------------------------------------------------------------------------ diff --git a/doc/source/stig-notes/V-38470.rst b/doc/source/stig-notes/V-38470.rst index d57234f0..3da36e88 100644 --- a/doc/source/stig-notes/V-38470.rst +++ b/doc/source/stig-notes/V-38470.rst @@ -1,5 +1,3 @@ -:orphan: - V-38470: The audit system must alert designated staff members when the audit storage volume approaches capacity. ---------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38471.rst b/doc/source/stig-notes/V-38471.rst index 11510f7f..b772355b 100644 --- a/doc/source/stig-notes/V-38471.rst +++ b/doc/source/stig-notes/V-38471.rst @@ -1,5 +1,3 @@ -:orphan: - V-38471: The system must forward audit records to the syslog service. --------------------------------------------------------------------- 
diff --git a/doc/source/stig-notes/V-38472.rst b/doc/source/stig-notes/V-38472.rst
index aa05b003..1ef1e2c6 100644
--- a/doc/source/stig-notes/V-38472.rst
+++ b/doc/source/stig-notes/V-38472.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38472: All system command files must be owned by root.
 --------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38473.rst b/doc/source/stig-notes/V-38473.rst
index fb37f6bc..6ad42b3e 100644
--- a/doc/source/stig-notes/V-38473.rst
+++ b/doc/source/stig-notes/V-38473.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38473: The system must use a separate file system for user home directories.
 ------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38474.rst b/doc/source/stig-notes/V-38474.rst
index 4c26f1be..86730e90 100644
--- a/doc/source/stig-notes/V-38474.rst
+++ b/doc/source/stig-notes/V-38474.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38474: The system must allow locking of graphical desktop sessions.
 ---------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38475.rst b/doc/source/stig-notes/V-38475.rst
index 8888084b..a162f5ae 100644
--- a/doc/source/stig-notes/V-38475.rst
+++ b/doc/source/stig-notes/V-38475.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38475: The system must require passwords to contain a minimum of 14 characters.
 ---------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38476.rst b/doc/source/stig-notes/V-38476.rst
index 6c0cfa69..ff679426 100644
--- a/doc/source/stig-notes/V-38476.rst
+++ b/doc/source/stig-notes/V-38476.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38476: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
 -----------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38477.rst b/doc/source/stig-notes/V-38477.rst index 734b26e0..3af1c71f 100644 --- a/doc/source/stig-notes/V-38477.rst +++ b/doc/source/stig-notes/V-38477.rst @@ -1,5 +1,3 @@ -:orphan: - V-38477: Users must not be able to change passwords more than once every 24 hours. ---------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38478.rst b/doc/source/stig-notes/V-38478.rst index 376ab6b3..a4778072 100644 --- a/doc/source/stig-notes/V-38478.rst +++ b/doc/source/stig-notes/V-38478.rst @@ -1,5 +1,3 @@ -:orphan: - V-38478: The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite. --------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38479.rst b/doc/source/stig-notes/V-38479.rst index eb65b5f4..23e0d6e2 100644 --- a/doc/source/stig-notes/V-38479.rst +++ b/doc/source/stig-notes/V-38479.rst @@ -1,5 +1,3 @@ -:orphan: - V-38479: User passwords must be changed at least every 60 days. --------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38480.rst b/doc/source/stig-notes/V-38480.rst index 257c9177..47da8d02 100644 --- a/doc/source/stig-notes/V-38480.rst +++ b/doc/source/stig-notes/V-38480.rst @@ -1,5 +1,3 @@ -:orphan: - V-38480: Users must be warned 7 days in advance of password expiration. ----------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38481.rst b/doc/source/stig-notes/V-38481.rst index b3a54ee1..39ed884f 100644 --- a/doc/source/stig-notes/V-38481.rst +++ b/doc/source/stig-notes/V-38481.rst @@ -1,5 +1,3 @@ -:orphan: - V-38481: System security patches and updates must be installed and up-to-date. ------------------------------------------------------------------------------ 
diff --git a/doc/source/stig-notes/V-38482.rst b/doc/source/stig-notes/V-38482.rst index 81043b1e..f52338e3 100644 --- a/doc/source/stig-notes/V-38482.rst +++ b/doc/source/stig-notes/V-38482.rst @@ -1,5 +1,3 @@ -:orphan: - V-38482: The system must require passwords to contain at least one numeric character. ------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38483.rst b/doc/source/stig-notes/V-38483.rst index dec2dbab..5caff5ea 100644 --- a/doc/source/stig-notes/V-38483.rst +++ b/doc/source/stig-notes/V-38483.rst @@ -1,5 +1,3 @@ -:orphan: - V-38483: The system package management tool must cryptographically verify the authenticity of system software packages during installation. ------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38484.rst b/doc/source/stig-notes/V-38484.rst index 533273e4..c29538ee 100644 --- a/doc/source/stig-notes/V-38484.rst +++ b/doc/source/stig-notes/V-38484.rst @@ -1,5 +1,3 @@ -:orphan: - V-38484: The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh. ------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38486.rst b/doc/source/stig-notes/V-38486.rst index 8b197657..c71e011b 100644 --- a/doc/source/stig-notes/V-38486.rst +++ b/doc/source/stig-notes/V-38486.rst 
@@ -1,5 +1,3 @@ -:orphan: - V-38486: The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38487.rst b/doc/source/stig-notes/V-38487.rst index 176c0b91..53075c6d 100644 --- a/doc/source/stig-notes/V-38487.rst +++ b/doc/source/stig-notes/V-38487.rst @@ -1,5 +1,3 @@ -:orphan: - V-38487: The system package management tool must cryptographically verify the authenticity of all software packages during installation. ---------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38488.rst b/doc/source/stig-notes/V-38488.rst index 56dc4fe1..8a0dc213 100644 --- a/doc/source/stig-notes/V-38488.rst +++ b/doc/source/stig-notes/V-38488.rst @@ -1,5 +1,3 @@ -:orphan: - V-38488: The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives. --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38489.rst b/doc/source/stig-notes/V-38489.rst index a4a53b2b..2ee1bcc2 100644 --- a/doc/source/stig-notes/V-38489.rst +++ b/doc/source/stig-notes/V-38489.rst 
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38489: A file integrity tool must be installed.
 -------------------------------------------------
diff --git a/doc/source/stig-notes/V-38490.rst b/doc/source/stig-notes/V-38490.rst
index 8c5b0009..3e60cb8d 100644
--- a/doc/source/stig-notes/V-38490.rst
+++ b/doc/source/stig-notes/V-38490.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38490: The operating system must enforce requirements for the connection of mobile devices to operating systems.
 ------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38491.rst b/doc/source/stig-notes/V-38491.rst
index a95a44a3..bfdd3dad 100644
--- a/doc/source/stig-notes/V-38491.rst
+++ b/doc/source/stig-notes/V-38491.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38491: There must be no .rhosts or hosts.equiv files on the system.
 ---------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38492.rst b/doc/source/stig-notes/V-38492.rst
index c6c2f813..153916f3 100644
--- a/doc/source/stig-notes/V-38492.rst
+++ b/doc/source/stig-notes/V-38492.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38492: The system must prevent the root account from logging in from virtual consoles.
 ----------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38493.rst b/doc/source/stig-notes/V-38493.rst
index 5c64ce64..adbc8c14 100644
--- a/doc/source/stig-notes/V-38493.rst
+++ b/doc/source/stig-notes/V-38493.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38493: Audit log directories must have mode 0755 or less permissive.
 ----------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38494.rst b/doc/source/stig-notes/V-38494.rst
index f40ebdb8..38cd5ef4 100644
--- a/doc/source/stig-notes/V-38494.rst
+++ b/doc/source/stig-notes/V-38494.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38494: The system must prevent the root account from logging in from serial consoles.
 ---------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38495.rst b/doc/source/stig-notes/V-38495.rst
index 2db2d0a4..5a09ab64 100644
--- a/doc/source/stig-notes/V-38495.rst
+++ b/doc/source/stig-notes/V-38495.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38495: Audit log files must be owned by root.
 -----------------------------------------------
diff --git a/doc/source/stig-notes/V-38496.rst b/doc/source/stig-notes/V-38496.rst
index 2631feb4..12e7e8bd 100644
--- a/doc/source/stig-notes/V-38496.rst
+++ b/doc/source/stig-notes/V-38496.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38496: Default operating system accounts, other than root, must be locked.
 ----------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38497.rst b/doc/source/stig-notes/V-38497.rst
index 6149f824..e046f38e 100644
--- a/doc/source/stig-notes/V-38497.rst
+++ b/doc/source/stig-notes/V-38497.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38497: The system must not have accounts configured with blank or null passwords.
 -----------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38498.rst b/doc/source/stig-notes/V-38498.rst
index eba929c1..0de05e1b 100644
--- a/doc/source/stig-notes/V-38498.rst
+++ b/doc/source/stig-notes/V-38498.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38498: Audit log files must have mode 0640 or less permissive.
 ----------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38499.rst b/doc/source/stig-notes/V-38499.rst
index 1986728b..d0404001 100644
--- a/doc/source/stig-notes/V-38499.rst
+++ b/doc/source/stig-notes/V-38499.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38499: The /etc/passwd file must not contain password hashes.
 ---------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38500.rst b/doc/source/stig-notes/V-38500.rst
index b9eb4ee0..c8e0e76d 100644
--- a/doc/source/stig-notes/V-38500.rst
+++ b/doc/source/stig-notes/V-38500.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38500: The root account must be the only account having a UID of 0.
 ---------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38501.rst b/doc/source/stig-notes/V-38501.rst
index 0a437a23..bd9b1cf6 100644
--- a/doc/source/stig-notes/V-38501.rst
+++ b/doc/source/stig-notes/V-38501.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38501: The system must disable accounts after excessive login failures within a 15-minute interval.
 -----------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38502.rst b/doc/source/stig-notes/V-38502.rst
index 66fc2c6d..cc0bc91d 100644
--- a/doc/source/stig-notes/V-38502.rst
+++ b/doc/source/stig-notes/V-38502.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38502: The /etc/shadow file must be owned by root.
 ----------------------------------------------------
diff --git a/doc/source/stig-notes/V-38503.rst b/doc/source/stig-notes/V-38503.rst
index 5d66b135..98362124 100644
--- a/doc/source/stig-notes/V-38503.rst
+++ b/doc/source/stig-notes/V-38503.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38503: The /etc/shadow file must be group-owned by root.
 ----------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38504.rst b/doc/source/stig-notes/V-38504.rst
index 50e65f96..870cbc0b 100644
--- a/doc/source/stig-notes/V-38504.rst
+++ b/doc/source/stig-notes/V-38504.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38504: The /etc/shadow file must have mode 0000.
 --------------------------------------------------
diff --git a/doc/source/stig-notes/V-38511.rst b/doc/source/stig-notes/V-38511.rst
index 600e3d1d..2543fd7a 100644
--- a/doc/source/stig-notes/V-38511.rst
+++ b/doc/source/stig-notes/V-38511.rst
@@ -1,5 +1,3 @@ -:orphan: - V-38511: IP forwarding for IPv4 must not be enabled, unless the system is a router. ----------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38512.rst b/doc/source/stig-notes/V-38512.rst index 5ec6ef65..46d8e751 100644 --- a/doc/source/stig-notes/V-38512.rst +++ b/doc/source/stig-notes/V-38512.rst @@ -1,5 +1,3 @@ -:orphan: - V-38512: The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/doc/source/stig-notes/V-38513.rst b/doc/source/stig-notes/V-38513.rst index d6d59212..80700a68 100644 --- a/doc/source/stig-notes/V-38513.rst +++ b/doc/source/stig-notes/V-38513.rst @@ -1,5 +1,3 @@ -:orphan: - V-38513: The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. ------------------------------------------------------------------------------------------------------------------ diff --git a/doc/source/stig-notes/V-38514.rst b/doc/source/stig-notes/V-38514.rst index 742cfb72..b0318f59 100644 --- a/doc/source/stig-notes/V-38514.rst +++ b/doc/source/stig-notes/V-38514.rst @@ -1,5 +1,3 @@ -:orphan: - V-38514: The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. ------------------------------------------------------------------------------------------ diff --git a/doc/source/stig-notes/V-38515.rst b/doc/source/stig-notes/V-38515.rst index 5fa8e158..f8f2ec1b 100644 --- a/doc/source/stig-notes/V-38515.rst +++ b/doc/source/stig-notes/V-38515.rst 
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38515: The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
 ------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38516.rst b/doc/source/stig-notes/V-38516.rst
index 19fb10a2..2c74b063 100644
--- a/doc/source/stig-notes/V-38516.rst
+++ b/doc/source/stig-notes/V-38516.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38516: The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.
 ---------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38517.rst b/doc/source/stig-notes/V-38517.rst
index a8e4c112..b1a2714f 100644
--- a/doc/source/stig-notes/V-38517.rst
+++ b/doc/source/stig-notes/V-38517.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38517: The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.
 ------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38518.rst b/doc/source/stig-notes/V-38518.rst
index c21f1a47..fe111dbd 100644
--- a/doc/source/stig-notes/V-38518.rst
+++ b/doc/source/stig-notes/V-38518.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38518: All rsyslog-generated log files must be owned by root.
 ---------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38519.rst b/doc/source/stig-notes/V-38519.rst
index d159d7a0..6ebb19ad 100644
--- a/doc/source/stig-notes/V-38519.rst
+++ b/doc/source/stig-notes/V-38519.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38519: All rsyslog-generated log files must be group-owned by root.
 ---------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38520.rst b/doc/source/stig-notes/V-38520.rst
index 57f9e482..ddc5e20f 100644
--- a/doc/source/stig-notes/V-38520.rst
+++ b/doc/source/stig-notes/V-38520.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38520: The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited.
 -------------------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38521.rst b/doc/source/stig-notes/V-38521.rst
index d0bf0073..95a53339 100644
--- a/doc/source/stig-notes/V-38521.rst
+++ b/doc/source/stig-notes/V-38521.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38521: The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38522.rst b/doc/source/stig-notes/V-38522.rst
index 6724d7ae..bb50ae91 100644
--- a/doc/source/stig-notes/V-38522.rst
+++ b/doc/source/stig-notes/V-38522.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38522: The audit system must be configured to audit all attempts to alter system time through settimeofday.
 -------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38523.rst b/doc/source/stig-notes/V-38523.rst
index 4671283c..61a3c392 100644
--- a/doc/source/stig-notes/V-38523.rst
+++ b/doc/source/stig-notes/V-38523.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38523: The system must not accept IPv4 source-routed packets on any interface.
 --------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38524.rst b/doc/source/stig-notes/V-38524.rst
index 75045bab..b9edc585 100644
--- a/doc/source/stig-notes/V-38524.rst
+++ b/doc/source/stig-notes/V-38524.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38524: The system must not accept ICMPv4 redirect packets on any interface.
 -----------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38525.rst b/doc/source/stig-notes/V-38525.rst
index e1975865..8e15cd8a 100644
--- a/doc/source/stig-notes/V-38525.rst
+++ b/doc/source/stig-notes/V-38525.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38525: The audit system must be configured to audit all attempts to alter system time through stime.
 ------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38526.rst b/doc/source/stig-notes/V-38526.rst
index a16c185c..2a542303 100644
--- a/doc/source/stig-notes/V-38526.rst
+++ b/doc/source/stig-notes/V-38526.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38526: The system must not accept ICMPv4 secure redirect packets on any interface.
 ------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38527.rst b/doc/source/stig-notes/V-38527.rst
index 1f511414..941a154a 100644
--- a/doc/source/stig-notes/V-38527.rst
+++ b/doc/source/stig-notes/V-38527.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38527: The audit system must be configured to audit all attempts to alter system time through clock_settime.
 --------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38528.rst b/doc/source/stig-notes/V-38528.rst
index 163548dc..f3981980 100644
--- a/doc/source/stig-notes/V-38528.rst
+++ b/doc/source/stig-notes/V-38528.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38528: The system must log Martian packets.
 ---------------------------------------------
diff --git a/doc/source/stig-notes/V-38529.rst b/doc/source/stig-notes/V-38529.rst
index 5331186a..921e9777 100644
--- a/doc/source/stig-notes/V-38529.rst
+++ b/doc/source/stig-notes/V-38529.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38529: The system must not accept IPv4 source-routed packets by default.
 --------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38530.rst b/doc/source/stig-notes/V-38530.rst
index e27fdc66..274766ca 100644
--- a/doc/source/stig-notes/V-38530.rst
+++ b/doc/source/stig-notes/V-38530.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38530: The audit system must be configured to audit all attempts to alter system time through /etc/localtime.
 ---------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38531.rst b/doc/source/stig-notes/V-38531.rst
index 1b0c5f8a..533f6c5b 100644
--- a/doc/source/stig-notes/V-38531.rst
+++ b/doc/source/stig-notes/V-38531.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38531: The operating system must automatically audit account creation.
 ------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38532.rst b/doc/source/stig-notes/V-38532.rst
index 7a2db33d..6c75b68b 100644
--- a/doc/source/stig-notes/V-38532.rst
+++ b/doc/source/stig-notes/V-38532.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38532: The system must not accept ICMPv4 secure redirect packets by default.
 ------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38533.rst b/doc/source/stig-notes/V-38533.rst
index eee9da01..9588af9f 100644
--- a/doc/source/stig-notes/V-38533.rst
+++ b/doc/source/stig-notes/V-38533.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38533: The system must ignore ICMPv4 redirect messages by default.
 --------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38534.rst b/doc/source/stig-notes/V-38534.rst
index 88be217b..95374aa8 100644
--- a/doc/source/stig-notes/V-38534.rst
+++ b/doc/source/stig-notes/V-38534.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38534: The operating system must automatically audit account modification.
 ----------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38535.rst b/doc/source/stig-notes/V-38535.rst
index d749fd30..9da8abc9 100644
--- a/doc/source/stig-notes/V-38535.rst
+++ b/doc/source/stig-notes/V-38535.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38535: The system must not respond to ICMPv4 sent to a broadcast address.
 ---------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38536.rst b/doc/source/stig-notes/V-38536.rst
index dcd3a4e3..ac146f3a 100644
--- a/doc/source/stig-notes/V-38536.rst
+++ b/doc/source/stig-notes/V-38536.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38536: The operating system must automatically audit account disabling actions.
 ---------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38537.rst b/doc/source/stig-notes/V-38537.rst
index c3ae454c..507e1a8c 100644
--- a/doc/source/stig-notes/V-38537.rst
+++ b/doc/source/stig-notes/V-38537.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38537: The system must ignore ICMPv4 bogus error responses.
 -------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38538.rst b/doc/source/stig-notes/V-38538.rst
index 3fbfb8dd..55367dfc 100644
--- a/doc/source/stig-notes/V-38538.rst
+++ b/doc/source/stig-notes/V-38538.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38538: The operating system must automatically audit account termination.
 ---------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38539.rst b/doc/source/stig-notes/V-38539.rst
index ec8167f2..8945eb13 100644
--- a/doc/source/stig-notes/V-38539.rst
+++ b/doc/source/stig-notes/V-38539.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38539: The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
 -----------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38540.rst b/doc/source/stig-notes/V-38540.rst
index 0525e173..18197e7b 100644
--- a/doc/source/stig-notes/V-38540.rst
+++ b/doc/source/stig-notes/V-38540.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38540: The audit system must be configured to audit modifications to the systems network configuration.
 ---------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38541.rst b/doc/source/stig-notes/V-38541.rst
index a86bec16..257c2b1e 100644
--- a/doc/source/stig-notes/V-38541.rst
+++ b/doc/source/stig-notes/V-38541.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38541: The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
 ------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38542.rst b/doc/source/stig-notes/V-38542.rst
index f9e0cb52..4cc0ac8b 100644
--- a/doc/source/stig-notes/V-38542.rst
+++ b/doc/source/stig-notes/V-38542.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38542: The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
 ------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38543.rst b/doc/source/stig-notes/V-38543.rst
index 7c6c256e..b0e788fe 100644
--- a/doc/source/stig-notes/V-38543.rst
+++ b/doc/source/stig-notes/V-38543.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38543: The audit system must be configured to audit all discretionary access control permission modifications using chmod.
 ----------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38544.rst b/doc/source/stig-notes/V-38544.rst
index 96a64a68..66e7ffa5 100644
--- a/doc/source/stig-notes/V-38544.rst
+++ b/doc/source/stig-notes/V-38544.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38544: The system must use a reverse-path filter for IPv4 network traffic when possible by default.
 -----------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38545.rst b/doc/source/stig-notes/V-38545.rst
index ae200b3f..7c78b579 100644
--- a/doc/source/stig-notes/V-38545.rst
+++ b/doc/source/stig-notes/V-38545.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38545: The audit system must be configured to audit all discretionary access control permission modifications using chown.
 ----------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38546.rst b/doc/source/stig-notes/V-38546.rst
index 3a002eae..d16c0520 100644
--- a/doc/source/stig-notes/V-38546.rst
+++ b/doc/source/stig-notes/V-38546.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38546: The IPv6 protocol handler must not be bound to the network stack unless needed.
 ----------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38547.rst b/doc/source/stig-notes/V-38547.rst
index 3f30645e..a721f739 100644
--- a/doc/source/stig-notes/V-38547.rst
+++ b/doc/source/stig-notes/V-38547.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38547: The audit system must be configured to audit all discretionary access control permission modifications using fchmod.
 -----------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38548.rst b/doc/source/stig-notes/V-38548.rst
index 0a5a2197..7f9367b0 100644
--- a/doc/source/stig-notes/V-38548.rst
+++ b/doc/source/stig-notes/V-38548.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38548: The system must ignore ICMPv6 redirects by default.
 ------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38549.rst b/doc/source/stig-notes/V-38549.rst
index b86b85c8..927c7619 100644
--- a/doc/source/stig-notes/V-38549.rst
+++ b/doc/source/stig-notes/V-38549.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38549: The system must employ a local IPv6 firewall.
 ------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38550.rst b/doc/source/stig-notes/V-38550.rst
index 2b1a22ab..7ac8840c 100644
--- a/doc/source/stig-notes/V-38550.rst
+++ b/doc/source/stig-notes/V-38550.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38550: The audit system must be configured to audit all discretionary access control permission modifications using fchmodat.
 -------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38551.rst b/doc/source/stig-notes/V-38551.rst
index 2dd61159..a28d0391 100644
--- a/doc/source/stig-notes/V-38551.rst
+++ b/doc/source/stig-notes/V-38551.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38551: The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38552.rst b/doc/source/stig-notes/V-38552.rst
index 0775a299..43bb1a09 100644
--- a/doc/source/stig-notes/V-38552.rst
+++ b/doc/source/stig-notes/V-38552.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38552: The audit system must be configured to audit all discretionary access control permission modifications using fchown.
 -----------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38553.rst b/doc/source/stig-notes/V-38553.rst
index 2a5727bf..753415ea 100644
--- a/doc/source/stig-notes/V-38553.rst
+++ b/doc/source/stig-notes/V-38553.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38553: The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38554.rst b/doc/source/stig-notes/V-38554.rst
index a21af9eb..d0e23cc9 100644
--- a/doc/source/stig-notes/V-38554.rst
+++ b/doc/source/stig-notes/V-38554.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38554: The audit system must be configured to audit all discretionary access control permission modifications using fchownat.
 -------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38555.rst b/doc/source/stig-notes/V-38555.rst
index 22e42836..fc83fc60 100644
--- a/doc/source/stig-notes/V-38555.rst
+++ b/doc/source/stig-notes/V-38555.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38555: The system must employ a local IPv4 firewall.
 ------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38556.rst b/doc/source/stig-notes/V-38556.rst
index 48c83922..2bafdbaa 100644
--- a/doc/source/stig-notes/V-38556.rst
+++ b/doc/source/stig-notes/V-38556.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38556: The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr.
 -----------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38557.rst b/doc/source/stig-notes/V-38557.rst
index 75987819..79315ae3 100644
--- a/doc/source/stig-notes/V-38557.rst
+++ b/doc/source/stig-notes/V-38557.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38557: The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr.
 --------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38558.rst b/doc/source/stig-notes/V-38558.rst
index e21e6cda..96043ea5 100644
--- a/doc/source/stig-notes/V-38558.rst
+++ b/doc/source/stig-notes/V-38558.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38558: The audit system must be configured to audit all discretionary access control permission modifications using lchown.
 -----------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38559.rst b/doc/source/stig-notes/V-38559.rst
index 0bd9d652..e89bc023 100644
--- a/doc/source/stig-notes/V-38559.rst
+++ b/doc/source/stig-notes/V-38559.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38559: The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr.
 -----------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38560.rst b/doc/source/stig-notes/V-38560.rst
index 96939786..bce8e119 100644
--- a/doc/source/stig-notes/V-38560.rst
+++ b/doc/source/stig-notes/V-38560.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38560: The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38561.rst b/doc/source/stig-notes/V-38561.rst
index 2d0f9f8f..5962e316 100644
--- a/doc/source/stig-notes/V-38561.rst
+++ b/doc/source/stig-notes/V-38561.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38561: The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr.
 --------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38563.rst b/doc/source/stig-notes/V-38563.rst
index 003526f4..847fd95f 100644
--- a/doc/source/stig-notes/V-38563.rst
+++ b/doc/source/stig-notes/V-38563.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38563: The audit system must be configured to audit all discretionary access control permission modifications using removexattr.
 ----------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38565.rst b/doc/source/stig-notes/V-38565.rst
index 0fe4a8ef..ecb8475d 100644
--- a/doc/source/stig-notes/V-38565.rst
+++ b/doc/source/stig-notes/V-38565.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38565: The audit system must be configured to audit all discretionary access control permission modifications using setxattr.
 -------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38566.rst b/doc/source/stig-notes/V-38566.rst
index 1de778e1..922846aa 100644
--- a/doc/source/stig-notes/V-38566.rst
+++ b/doc/source/stig-notes/V-38566.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38566: The audit system must be configured to audit failed attempts to access files and programs.
 ---------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38567.rst b/doc/source/stig-notes/V-38567.rst
index 81d2d73c..e3e57c67 100644
--- a/doc/source/stig-notes/V-38567.rst
+++ b/doc/source/stig-notes/V-38567.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38567: The audit system must be configured to audit all use of setuid and setgid programs.
 --------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38568.rst b/doc/source/stig-notes/V-38568.rst
index 165d5c46..f8942649 100644
--- a/doc/source/stig-notes/V-38568.rst
+++ b/doc/source/stig-notes/V-38568.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38568: The audit system must be configured to audit successful file system mounts.
 -----------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38569.rst b/doc/source/stig-notes/V-38569.rst
index 9ffffe29..b4f27dfc 100644
--- a/doc/source/stig-notes/V-38569.rst
+++ b/doc/source/stig-notes/V-38569.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38569: The system must require passwords to contain at least one uppercase alphabetic character.
 --------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38570.rst b/doc/source/stig-notes/V-38570.rst
index 411d995c..126cae13 100644
--- a/doc/source/stig-notes/V-38570.rst
+++ b/doc/source/stig-notes/V-38570.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38570: The system must require passwords to contain at least one special character.
 -------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38571.rst b/doc/source/stig-notes/V-38571.rst
index 35a3a821..b1b65938 100644
--- a/doc/source/stig-notes/V-38571.rst
+++ b/doc/source/stig-notes/V-38571.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38571: The system must require passwords to contain at least one lowercase alphabetic character.
 --------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38572.rst b/doc/source/stig-notes/V-38572.rst
index c132ddf5..c047b84e 100644
--- a/doc/source/stig-notes/V-38572.rst
+++ b/doc/source/stig-notes/V-38572.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38572: The system must require at least four characters be changed between the old and new passwords during a password change.
 --------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38573.rst b/doc/source/stig-notes/V-38573.rst
index 66735047..ea678af3 100644
--- a/doc/source/stig-notes/V-38573.rst
+++ b/doc/source/stig-notes/V-38573.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38573: The system must disable accounts after three consecutive unsuccessful logon attempts.
 ----------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38574.rst b/doc/source/stig-notes/V-38574.rst
index c828e73a..51f7fe2a 100644
--- a/doc/source/stig-notes/V-38574.rst
+++ b/doc/source/stig-notes/V-38574.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38574: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
 ----------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38575.rst b/doc/source/stig-notes/V-38575.rst
index b2997028..3a0ce5ca 100644
--- a/doc/source/stig-notes/V-38575.rst
+++ b/doc/source/stig-notes/V-38575.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38575: The audit system must be configured to audit user deletions of files and programs.
 -------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38576.rst b/doc/source/stig-notes/V-38576.rst
index 8ae55c17..ce7e3642 100644
--- a/doc/source/stig-notes/V-38576.rst
+++ b/doc/source/stig-notes/V-38576.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38576: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
 ---------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38577.rst b/doc/source/stig-notes/V-38577.rst
index aa25f8b3..52f652ce 100644
--- a/doc/source/stig-notes/V-38577.rst
+++ b/doc/source/stig-notes/V-38577.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38577: The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
 -----------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38578.rst b/doc/source/stig-notes/V-38578.rst
index cc76e8ba..fe151db1 100644
--- a/doc/source/stig-notes/V-38578.rst
+++ b/doc/source/stig-notes/V-38578.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38578: The audit system must be configured to audit changes to the /etc/sudoers file.
 ---------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38579.rst b/doc/source/stig-notes/V-38579.rst
index bbbb91fa..460e114b 100644
--- a/doc/source/stig-notes/V-38579.rst
+++ b/doc/source/stig-notes/V-38579.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38579: The system boot loader configuration file(s) must be owned by root.
 ----------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38580.rst b/doc/source/stig-notes/V-38580.rst
index 9033ed78..47b487eb 100644
--- a/doc/source/stig-notes/V-38580.rst
+++ b/doc/source/stig-notes/V-38580.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38580: The audit system must be configured to audit the loading and unloading of dynamic kernel modules.
 ----------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38581.rst b/doc/source/stig-notes/V-38581.rst
index e6bc4a3e..62d259d6 100644
--- a/doc/source/stig-notes/V-38581.rst
+++ b/doc/source/stig-notes/V-38581.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38581: The system boot loader configuration file(s) must be group-owned by root.
 ----------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38582.rst b/doc/source/stig-notes/V-38582.rst
index 1639d8d0..00843597 100644
--- a/doc/source/stig-notes/V-38582.rst
+++ b/doc/source/stig-notes/V-38582.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38582: The xinetd service must be disabled if no network services utilizing it are enabled.
 ---------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38583.rst b/doc/source/stig-notes/V-38583.rst
index 79ac7f2f..6ffb8ac3 100644
--- a/doc/source/stig-notes/V-38583.rst
+++ b/doc/source/stig-notes/V-38583.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38583: The system boot loader configuration file(s) must have mode 0600 or less permissive.
 ---------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38584.rst b/doc/source/stig-notes/V-38584.rst
index fd668875..27a56bee 100644
--- a/doc/source/stig-notes/V-38584.rst
+++ b/doc/source/stig-notes/V-38584.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38584: The xinetd service must be uninstalled if no network services utilizing it are enabled.
 ------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38585.rst b/doc/source/stig-notes/V-38585.rst
index 99144e71..076d7e9e 100644
--- a/doc/source/stig-notes/V-38585.rst
+++ b/doc/source/stig-notes/V-38585.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38585: The system boot loader must require authentication.
 ------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38586.rst b/doc/source/stig-notes/V-38586.rst
index d84efd92..dc508806 100644
--- a/doc/source/stig-notes/V-38586.rst
+++ b/doc/source/stig-notes/V-38586.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38586: The system must require authentication upon booting into single-user and maintenance modes.
 ----------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38587.rst b/doc/source/stig-notes/V-38587.rst
index 434629fe..8c92967c 100644
--- a/doc/source/stig-notes/V-38587.rst
+++ b/doc/source/stig-notes/V-38587.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38587: The telnet-server package must not be installed.
 ---------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38588.rst b/doc/source/stig-notes/V-38588.rst
index 2b1c7af3..abbc823d 100644
--- a/doc/source/stig-notes/V-38588.rst
+++ b/doc/source/stig-notes/V-38588.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38588: The system must not permit interactive boot.
 -----------------------------------------------------
diff --git a/doc/source/stig-notes/V-38589.rst b/doc/source/stig-notes/V-38589.rst
index 9b12f50b..03f0551f 100644
--- a/doc/source/stig-notes/V-38589.rst
+++ b/doc/source/stig-notes/V-38589.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38589: The telnet daemon must not be running.
 -----------------------------------------------
diff --git a/doc/source/stig-notes/V-38590.rst b/doc/source/stig-notes/V-38590.rst
index 83a3e76f..d2a169e2 100644
--- a/doc/source/stig-notes/V-38590.rst
+++ b/doc/source/stig-notes/V-38590.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38590: The system must allow locking of the console screen in text mode.
 --------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38591.rst b/doc/source/stig-notes/V-38591.rst
index f8211e5c..aaee903a 100644
--- a/doc/source/stig-notes/V-38591.rst
+++ b/doc/source/stig-notes/V-38591.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38591: The rsh-server package must not be installed.
 ------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38592.rst b/doc/source/stig-notes/V-38592.rst
index afb538e0..88228ba0 100644
--- a/doc/source/stig-notes/V-38592.rst
+++ b/doc/source/stig-notes/V-38592.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38592: The system must require administrator action to unlock an account locked by excessive failed login attempts.
 ---------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38593.rst b/doc/source/stig-notes/V-38593.rst
index 41758adc..850aeda3 100644
--- a/doc/source/stig-notes/V-38593.rst
+++ b/doc/source/stig-notes/V-38593.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38593: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
 -----------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38594.rst b/doc/source/stig-notes/V-38594.rst
index 306dcfb1..7c72e315 100644
--- a/doc/source/stig-notes/V-38594.rst
+++ b/doc/source/stig-notes/V-38594.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38594: The rshd service must not be running.
 ----------------------------------------------
diff --git a/doc/source/stig-notes/V-38595.rst b/doc/source/stig-notes/V-38595.rst
index 3b2a6fe1..c2af5371 100644
--- a/doc/source/stig-notes/V-38595.rst
+++ b/doc/source/stig-notes/V-38595.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38595: The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
 ---------------------------------------------------------------------------------------------------------------------------------------------------
diff --git a/doc/source/stig-notes/V-38596.rst b/doc/source/stig-notes/V-38596.rst
index f2bce090..1aa74060 100644
--- a/doc/source/stig-notes/V-38596.rst
+++ b/doc/source/stig-notes/V-38596.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38596: The system must implement virtual address space randomization.
 -----------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38597.rst b/doc/source/stig-notes/V-38597.rst
index 5de4d7fe..ce990072 100644
--- a/doc/source/stig-notes/V-38597.rst
+++ b/doc/source/stig-notes/V-38597.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38597: The system must limit the ability of processes to have simultaneous write and execute access to memory.
 ----------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38598.rst b/doc/source/stig-notes/V-38598.rst
index 033461de..cbe89467 100644
--- a/doc/source/stig-notes/V-38598.rst
+++ b/doc/source/stig-notes/V-38598.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38598: The rexecd service must not be running.
 ------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38599.rst b/doc/source/stig-notes/V-38599.rst
index a67d90e4..b44c72de 100644
--- a/doc/source/stig-notes/V-38599.rst
+++ b/doc/source/stig-notes/V-38599.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38599: The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
 -----------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38600.rst b/doc/source/stig-notes/V-38600.rst
index 8324ff71..b4e4f0bc 100644
--- a/doc/source/stig-notes/V-38600.rst
+++ b/doc/source/stig-notes/V-38600.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38600: The system must not send ICMPv4 redirects by default.
 --------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38601.rst b/doc/source/stig-notes/V-38601.rst
index ab624f94..de865c1f 100644
--- a/doc/source/stig-notes/V-38601.rst
+++ b/doc/source/stig-notes/V-38601.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38601: The system must not send ICMPv4 redirects from any interface.
 ----------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38602.rst b/doc/source/stig-notes/V-38602.rst
index 89dcd317..b3d2136b 100644
--- a/doc/source/stig-notes/V-38602.rst
+++ b/doc/source/stig-notes/V-38602.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38602: The rlogind service must not be running.
 -------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38603.rst b/doc/source/stig-notes/V-38603.rst
index ee7775c2..c08d5c2d 100644
--- a/doc/source/stig-notes/V-38603.rst
+++ b/doc/source/stig-notes/V-38603.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38603: The ypserv package must not be installed.
 --------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38604.rst b/doc/source/stig-notes/V-38604.rst
index 4b9e5f38..fd9883af 100644
--- a/doc/source/stig-notes/V-38604.rst
+++ b/doc/source/stig-notes/V-38604.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38604: The ypbind service must not be running.
 ------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38605.rst b/doc/source/stig-notes/V-38605.rst
index 7673d6e4..23b30871 100644
--- a/doc/source/stig-notes/V-38605.rst
+++ b/doc/source/stig-notes/V-38605.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38605: The cron service must be running.
 ------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38606.rst b/doc/source/stig-notes/V-38606.rst
index 36c9700c..46350221 100644
--- a/doc/source/stig-notes/V-38606.rst
+++ b/doc/source/stig-notes/V-38606.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38606: The tftp-server package must not be installed unless required.
 -----------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38607.rst b/doc/source/stig-notes/V-38607.rst
index 8054ba4c..0f80867c 100644
--- a/doc/source/stig-notes/V-38607.rst
+++ b/doc/source/stig-notes/V-38607.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38607: The SSH daemon must be configured to use only the SSHv2 protocol.
 --------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38608.rst b/doc/source/stig-notes/V-38608.rst
index 548a7c56..b5fd6e2b 100644
--- a/doc/source/stig-notes/V-38608.rst
+++ b/doc/source/stig-notes/V-38608.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38608: The SSH daemon must set a timeout interval on idle sessions.
 ---------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38609.rst b/doc/source/stig-notes/V-38609.rst
index 00f0d486..835f113b 100644
--- a/doc/source/stig-notes/V-38609.rst
+++ b/doc/source/stig-notes/V-38609.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38609: The TFTP service must not be running.
 ----------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38610.rst b/doc/source/stig-notes/V-38610.rst
index 3c1244e1..9451a396 100644
--- a/doc/source/stig-notes/V-38610.rst
+++ b/doc/source/stig-notes/V-38610.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38610: The SSH daemon must set a timeout count on idle sessions.
 ------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38611.rst b/doc/source/stig-notes/V-38611.rst
index aeda42e2..257a0cb7 100644
--- a/doc/source/stig-notes/V-38611.rst
+++ b/doc/source/stig-notes/V-38611.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38611: The SSH daemon must ignore .rhosts files.
 --------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38612.rst b/doc/source/stig-notes/V-38612.rst
index 8b3598e2..c556607e 100644
--- a/doc/source/stig-notes/V-38612.rst
+++ b/doc/source/stig-notes/V-38612.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38612: The SSH daemon must not allow host-based authentication.
 -----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38613.rst b/doc/source/stig-notes/V-38613.rst
index 3aeb7cbb..ed4dcb35 100644
--- a/doc/source/stig-notes/V-38613.rst
+++ b/doc/source/stig-notes/V-38613.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38613: The system must not permit root logins using remote access programs such as ssh.
 -----------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38614.rst b/doc/source/stig-notes/V-38614.rst
index 5dea845b..f5bb01d0 100644
--- a/doc/source/stig-notes/V-38614.rst
+++ b/doc/source/stig-notes/V-38614.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38614: The SSH daemon must not allow authentication using an empty password.
 ------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38615.rst b/doc/source/stig-notes/V-38615.rst
index 84875c95..18d33313 100644
--- a/doc/source/stig-notes/V-38615.rst
+++ b/doc/source/stig-notes/V-38615.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38615: The SSH daemon must be configured with the Department of Defense (DoD) login banner.
 ---------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38616.rst b/doc/source/stig-notes/V-38616.rst
index 2ab0be04..2e7271cd 100644
--- a/doc/source/stig-notes/V-38616.rst
+++ b/doc/source/stig-notes/V-38616.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38616: The SSH daemon must not permit user environment settings.
 ------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38617.rst b/doc/source/stig-notes/V-38617.rst
index b6dcd948..6b5451da 100644
--- a/doc/source/stig-notes/V-38617.rst
+++ b/doc/source/stig-notes/V-38617.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38617: The SSH daemon must be configured to use only FIPS 140-2 approved ciphers.
 -----------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38618.rst b/doc/source/stig-notes/V-38618.rst
index da3d5fa8..74409a30 100644
--- a/doc/source/stig-notes/V-38618.rst
+++ b/doc/source/stig-notes/V-38618.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38618: The avahi service must be disabled.
 --------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38619.rst b/doc/source/stig-notes/V-38619.rst
index abf5ce5d..7a18d068 100644
--- a/doc/source/stig-notes/V-38619.rst
+++ b/doc/source/stig-notes/V-38619.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38619: There must be no .netrc files on the system.
 -----------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38620.rst b/doc/source/stig-notes/V-38620.rst
index 92297aad..c5f0eac1 100644
--- a/doc/source/stig-notes/V-38620.rst
+++ b/doc/source/stig-notes/V-38620.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38620: The system clock must be synchronized continuously, or at least daily.
 -------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38621.rst b/doc/source/stig-notes/V-38621.rst
index b5413801..6641191e 100644
--- a/doc/source/stig-notes/V-38621.rst
+++ b/doc/source/stig-notes/V-38621.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38621: The system clock must be synchronized to an authoritative DoD time source.
 -----------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38622.rst b/doc/source/stig-notes/V-38622.rst
index 8f439e43..0b32b608 100644
--- a/doc/source/stig-notes/V-38622.rst
+++ b/doc/source/stig-notes/V-38622.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38622: Mail relaying must be restricted.
 ------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38623.rst b/doc/source/stig-notes/V-38623.rst
index 7f75ace5..9dda475e 100644
--- a/doc/source/stig-notes/V-38623.rst
+++ b/doc/source/stig-notes/V-38623.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38623: All rsyslog-generated log files must have mode 0600 or less permissive.
 --------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38624.rst b/doc/source/stig-notes/V-38624.rst
index 839af7e1..d9adb58b 100644
--- a/doc/source/stig-notes/V-38624.rst
+++ b/doc/source/stig-notes/V-38624.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38624: System logs must be rotated daily.
 -------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38625.rst b/doc/source/stig-notes/V-38625.rst
index 523a692c..a244ff2a 100644
--- a/doc/source/stig-notes/V-38625.rst
+++ b/doc/source/stig-notes/V-38625.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38625: If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38626.rst b/doc/source/stig-notes/V-38626.rst
index 12bfb9de..62c1059b 100644
--- a/doc/source/stig-notes/V-38626.rst
+++ b/doc/source/stig-notes/V-38626.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38626: The LDAP client must use a TLS connection using trust certificates signed by the site CA.
 --------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38627.rst b/doc/source/stig-notes/V-38627.rst
index 6f041bf0..8f2d688b 100644
--- a/doc/source/stig-notes/V-38627.rst
+++ b/doc/source/stig-notes/V-38627.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38627: The openldap-servers package must not be installed unless required.
 ----------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38628.rst b/doc/source/stig-notes/V-38628.rst
index 876481fb..c7cc2c1a 100644
--- a/doc/source/stig-notes/V-38628.rst
+++ b/doc/source/stig-notes/V-38628.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38628: The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event.
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38629.rst b/doc/source/stig-notes/V-38629.rst
index 58c429fa..63fe7445 100644
--- a/doc/source/stig-notes/V-38629.rst
+++ b/doc/source/stig-notes/V-38629.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38629: The graphical desktop environment must set the idle timeout to no more than 15 minutes.
 ------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38630.rst b/doc/source/stig-notes/V-38630.rst
index 8eb21861..b4d1d544 100644
--- a/doc/source/stig-notes/V-38630.rst
+++ b/doc/source/stig-notes/V-38630.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38630: The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38631.rst b/doc/source/stig-notes/V-38631.rst
index 45a17786..dfc0aa92 100644
--- a/doc/source/stig-notes/V-38631.rst
+++ b/doc/source/stig-notes/V-38631.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38631: The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
 ---------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38632.rst b/doc/source/stig-notes/V-38632.rst
index f11655e4..aa92a927 100644
--- a/doc/source/stig-notes/V-38632.rst
+++ b/doc/source/stig-notes/V-38632.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38632: The operating system must produce audit records containing sufficient information to establish what type of events occurred.
 -------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38633.rst b/doc/source/stig-notes/V-38633.rst
index 62dc648d..cc150bb0 100644
--- a/doc/source/stig-notes/V-38633.rst
+++ b/doc/source/stig-notes/V-38633.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38633: The system must set a maximum audit log file size.
 -----------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38634.rst b/doc/source/stig-notes/V-38634.rst
index 5a58cf31..770f0270 100644
--- a/doc/source/stig-notes/V-38634.rst
+++ b/doc/source/stig-notes/V-38634.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38634: The system must rotate audit log files that reach the maximum file size.
 ---------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38635.rst b/doc/source/stig-notes/V-38635.rst
index e89d5915..a866e4d0 100644
--- a/doc/source/stig-notes/V-38635.rst
+++ b/doc/source/stig-notes/V-38635.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38635: The audit system must be configured to audit all attempts to alter system time through adjtimex.
 ---------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38636.rst b/doc/source/stig-notes/V-38636.rst
index 688df3d5..8b723c98 100644
--- a/doc/source/stig-notes/V-38636.rst
+++ b/doc/source/stig-notes/V-38636.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38636: The system must retain enough rotated audit logs to cover the required log retention period.
 -----------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38637.rst b/doc/source/stig-notes/V-38637.rst
index c8751a08..b1cc0bb5 100644
--- a/doc/source/stig-notes/V-38637.rst
+++ b/doc/source/stig-notes/V-38637.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38637: The system package management tool must verify contents of all files associated with the audit package.
 ----------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38638.rst b/doc/source/stig-notes/V-38638.rst
index 81ead744..3ad4f675 100644
--- a/doc/source/stig-notes/V-38638.rst
+++ b/doc/source/stig-notes/V-38638.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38638: The graphical desktop environment must have automatic lock enabled.
 ----------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38639.rst b/doc/source/stig-notes/V-38639.rst
index e50e903c..1422d878 100644
--- a/doc/source/stig-notes/V-38639.rst
+++ b/doc/source/stig-notes/V-38639.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38639: The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
 -----------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38640.rst b/doc/source/stig-notes/V-38640.rst
index d6fda8a9..b3dfc34c 100644
--- a/doc/source/stig-notes/V-38640.rst
+++ b/doc/source/stig-notes/V-38640.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38640: The Automatic Bug Reporting Tool (abrtd) service must not be running.
 ------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38641.rst b/doc/source/stig-notes/V-38641.rst
index 6850f66f..fdf5a1e1 100644
--- a/doc/source/stig-notes/V-38641.rst
+++ b/doc/source/stig-notes/V-38641.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38641: The atd service must be disabled.
 ------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38642.rst b/doc/source/stig-notes/V-38642.rst
index 8d026600..ef0ef6f9 100644
--- a/doc/source/stig-notes/V-38642.rst
+++ b/doc/source/stig-notes/V-38642.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38642: The system default umask for daemons must be 027 or 022.
 -----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38643.rst b/doc/source/stig-notes/V-38643.rst
index 82c97525..45a34457 100644
--- a/doc/source/stig-notes/V-38643.rst
+++ b/doc/source/stig-notes/V-38643.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38643: There must be no world-writable files on the system.
 -------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38644.rst b/doc/source/stig-notes/V-38644.rst
index 61fc77a7..3ee82d59 100644
--- a/doc/source/stig-notes/V-38644.rst
+++ b/doc/source/stig-notes/V-38644.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38644: The ntpdate service must not be running.
 -------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38645.rst b/doc/source/stig-notes/V-38645.rst
index 512f43f6..5d486e49 100644
--- a/doc/source/stig-notes/V-38645.rst
+++ b/doc/source/stig-notes/V-38645.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38645: The system default umask in /etc/login.defs must be 077.
 -----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38646.rst b/doc/source/stig-notes/V-38646.rst
index 9428d791..dff48a24 100644
--- a/doc/source/stig-notes/V-38646.rst
+++ b/doc/source/stig-notes/V-38646.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38646: The oddjobd service must not be running.
 -------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38647.rst b/doc/source/stig-notes/V-38647.rst
index 40f53260..91e66d4f 100644
--- a/doc/source/stig-notes/V-38647.rst
+++ b/doc/source/stig-notes/V-38647.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38647: The system default umask in /etc/profile must be 077.
 --------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38648.rst b/doc/source/stig-notes/V-38648.rst
index e7e74519..d8e2ba40 100644
--- a/doc/source/stig-notes/V-38648.rst
+++ b/doc/source/stig-notes/V-38648.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38648: The qpidd service must not be running.
 -----------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38649.rst b/doc/source/stig-notes/V-38649.rst
index 24258be6..22a67a4a 100644
--- a/doc/source/stig-notes/V-38649.rst
+++ b/doc/source/stig-notes/V-38649.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38649: The system default umask for the csh shell must be 077.
 ----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38650.rst b/doc/source/stig-notes/V-38650.rst
index d1b52a64..ed5f7087 100644
--- a/doc/source/stig-notes/V-38650.rst
+++ b/doc/source/stig-notes/V-38650.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38650: The rdisc service must not be running.
 -----------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38651.rst b/doc/source/stig-notes/V-38651.rst
index 8abc5276..0b2bd71c 100644
--- a/doc/source/stig-notes/V-38651.rst
+++ b/doc/source/stig-notes/V-38651.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38651: The system default umask for the bash shell must be 077.
 -----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38652.rst b/doc/source/stig-notes/V-38652.rst
index 3d610304..3278aadf 100644
--- a/doc/source/stig-notes/V-38652.rst
+++ b/doc/source/stig-notes/V-38652.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38652: Remote file systems must be mounted with the nodev option.
 -------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38653.rst b/doc/source/stig-notes/V-38653.rst
index 1d83c4c4..80aeec2c 100644
--- a/doc/source/stig-notes/V-38653.rst
+++ b/doc/source/stig-notes/V-38653.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38653: The snmpd service must not use a default password.
 -----------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38654.rst b/doc/source/stig-notes/V-38654.rst
index ecd49e61..740f0e1b 100644
--- a/doc/source/stig-notes/V-38654.rst
+++ b/doc/source/stig-notes/V-38654.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38654: Remote file systems must be mounted with the nosuid option.
 --------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38655.rst b/doc/source/stig-notes/V-38655.rst
index 61d3ea67..d735cabf 100644
--- a/doc/source/stig-notes/V-38655.rst
+++ b/doc/source/stig-notes/V-38655.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38655: The noexec option must be added to removable media partitions.
 -----------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38656.rst b/doc/source/stig-notes/V-38656.rst
index c67ccfd0..4c6b8664 100644
--- a/doc/source/stig-notes/V-38656.rst
+++ b/doc/source/stig-notes/V-38656.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38656: The system must use SMB client signing for connecting to samba servers using smbclient.
 ------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38657.rst b/doc/source/stig-notes/V-38657.rst
index 409f63f4..731f40c1 100644
--- a/doc/source/stig-notes/V-38657.rst
+++ b/doc/source/stig-notes/V-38657.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38657: The system must use SMB client signing for connecting to samba servers using mount.cifs.
 -------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38658.rst b/doc/source/stig-notes/V-38658.rst
index fbd7692e..30ab073a 100644
--- a/doc/source/stig-notes/V-38658.rst
+++ b/doc/source/stig-notes/V-38658.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38658: The system must prohibit the reuse of passwords within twenty-four iterations.
 ---------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38659.rst b/doc/source/stig-notes/V-38659.rst
index cdbef38d..e7dee171 100644
--- a/doc/source/stig-notes/V-38659.rst
+++ b/doc/source/stig-notes/V-38659.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38659: The operating system must employ cryptographic mechanisms to protect information in storage.
 -----------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38660.rst b/doc/source/stig-notes/V-38660.rst
index dd919314..50d6800f 100644
--- a/doc/source/stig-notes/V-38660.rst
+++ b/doc/source/stig-notes/V-38660.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38660: The snmpd service must use only SNMP protocol version 3 or newer.
 --------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38661.rst b/doc/source/stig-notes/V-38661.rst
index 199f07ab..d5a8a7ef 100644
--- a/doc/source/stig-notes/V-38661.rst
+++ b/doc/source/stig-notes/V-38661.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38661: The operating system must protect the confidentiality and integrity of data at rest.
 ---------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38662.rst b/doc/source/stig-notes/V-38662.rst
index df02b9d1..cf73d8ac 100644
--- a/doc/source/stig-notes/V-38662.rst
+++ b/doc/source/stig-notes/V-38662.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38662: The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38663.rst b/doc/source/stig-notes/V-38663.rst
index 74158939..6204d724 100644
--- a/doc/source/stig-notes/V-38663.rst
+++ b/doc/source/stig-notes/V-38663.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38663: The system package management tool must verify permissions on all files and directories associated with the audit package.
 -----------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38664.rst b/doc/source/stig-notes/V-38664.rst
index 4f741caf..54857b36 100644
--- a/doc/source/stig-notes/V-38664.rst
+++ b/doc/source/stig-notes/V-38664.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38664: The system package management tool must verify ownership on all files and directories associated with the audit package.
 ---------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38665.rst b/doc/source/stig-notes/V-38665.rst
index 5a6169d6..29b716de 100644
--- a/doc/source/stig-notes/V-38665.rst
+++ b/doc/source/stig-notes/V-38665.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38665: The system package management tool must verify group-ownership on all files and directories associated with the audit package.
 ---------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38666.rst b/doc/source/stig-notes/V-38666.rst
index 31116ba3..c70654b7 100644
--- a/doc/source/stig-notes/V-38666.rst
+++ b/doc/source/stig-notes/V-38666.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38666: The system must use and update a DoD-approved virus scan program.
 --------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38667.rst b/doc/source/stig-notes/V-38667.rst
index ce2e9e7e..d608722e 100644
--- a/doc/source/stig-notes/V-38667.rst
+++ b/doc/source/stig-notes/V-38667.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38667: The system must have a host-based intrusion detection tool installed.
 ------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38668.rst b/doc/source/stig-notes/V-38668.rst
index d453ada1..759d0ba9 100644
--- a/doc/source/stig-notes/V-38668.rst
+++ b/doc/source/stig-notes/V-38668.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38668: The x86 Ctrl-Alt-Delete key sequence must be disabled.
 ---------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38669.rst b/doc/source/stig-notes/V-38669.rst
index 118f3caa..1cd4a0cb 100644
--- a/doc/source/stig-notes/V-38669.rst
+++ b/doc/source/stig-notes/V-38669.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38669: The postfix service must be enabled for mail delivery.
 ---------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38670.rst b/doc/source/stig-notes/V-38670.rst
index 8787e759..e73add91 100644
--- a/doc/source/stig-notes/V-38670.rst
+++ b/doc/source/stig-notes/V-38670.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38670: The operating system must detect unauthorized changes to software and information.
 -------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38671.rst b/doc/source/stig-notes/V-38671.rst
index 227359ec..b422598b 100644
--- a/doc/source/stig-notes/V-38671.rst
+++ b/doc/source/stig-notes/V-38671.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38671: The sendmail package must be removed.
 ----------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38672.rst b/doc/source/stig-notes/V-38672.rst
index f92b9dab..3640aa89 100644
--- a/doc/source/stig-notes/V-38672.rst
+++ b/doc/source/stig-notes/V-38672.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38672: The netconsole service must be disabled unless required.
 -----------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38673.rst b/doc/source/stig-notes/V-38673.rst
index 89231795..fb51b686 100644
--- a/doc/source/stig-notes/V-38673.rst
+++ b/doc/source/stig-notes/V-38673.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38673: The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
 ---------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38674.rst b/doc/source/stig-notes/V-38674.rst
index a20577ac..471d5d3c 100644
--- a/doc/source/stig-notes/V-38674.rst
+++ b/doc/source/stig-notes/V-38674.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38674: X Windows must not be enabled unless required.
 -------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38675.rst b/doc/source/stig-notes/V-38675.rst
index 1feb12f0..c8bed1cc 100644
--- a/doc/source/stig-notes/V-38675.rst
+++ b/doc/source/stig-notes/V-38675.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38675: Process core dumps must be disabled unless needed.
 -----------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38676.rst b/doc/source/stig-notes/V-38676.rst
index 530a885e..45983006 100644
--- a/doc/source/stig-notes/V-38676.rst
+++ b/doc/source/stig-notes/V-38676.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38676: The xorg-x11-server-common (X Windows) package must not be installed, unless required.
 -----------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38677.rst b/doc/source/stig-notes/V-38677.rst
index f4457483..f3a5ee91 100644
--- a/doc/source/stig-notes/V-38677.rst
+++ b/doc/source/stig-notes/V-38677.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38677: The NFS server must not have the insecure file locking option enabled.
 -------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38678.rst b/doc/source/stig-notes/V-38678.rst
index 7faedb87..0447b1dd 100644
--- a/doc/source/stig-notes/V-38678.rst
+++ b/doc/source/stig-notes/V-38678.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38678: The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
 ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38679.rst b/doc/source/stig-notes/V-38679.rst
index 4c8f0a90..6ce25b69 100644
--- a/doc/source/stig-notes/V-38679.rst
+++ b/doc/source/stig-notes/V-38679.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38679: The DHCP client must be disabled if not needed.
 --------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38680.rst b/doc/source/stig-notes/V-38680.rst
index 375b6b98..5edbdd88 100644
--- a/doc/source/stig-notes/V-38680.rst
+++ b/doc/source/stig-notes/V-38680.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38680: The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.
 ---------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38681.rst b/doc/source/stig-notes/V-38681.rst
index 7feb57be..2d9ebc9c 100644
--- a/doc/source/stig-notes/V-38681.rst
+++ b/doc/source/stig-notes/V-38681.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38681: All GIDs referenced in /etc/passwd must be defined in /etc/group
 -------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38682.rst b/doc/source/stig-notes/V-38682.rst
index 91f15d0a..f5c46a5b 100644
--- a/doc/source/stig-notes/V-38682.rst
+++ b/doc/source/stig-notes/V-38682.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38682: The Bluetooth kernel module must be disabled.
 ------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38683.rst b/doc/source/stig-notes/V-38683.rst
index 9ded7045..58aec003 100644
--- a/doc/source/stig-notes/V-38683.rst
+++ b/doc/source/stig-notes/V-38683.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38683: All accounts on the system must have unique user or account names
 --------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38684.rst b/doc/source/stig-notes/V-38684.rst
index 41213fb6..1969c2d2 100644
--- a/doc/source/stig-notes/V-38684.rst
+++ b/doc/source/stig-notes/V-38684.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38684: The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
 ---------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38685.rst b/doc/source/stig-notes/V-38685.rst
index 77d8df88..4df08686 100644
--- a/doc/source/stig-notes/V-38685.rst
+++ b/doc/source/stig-notes/V-38685.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38685: Temporary accounts must be provisioned with an expiration date.
 ------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38686.rst b/doc/source/stig-notes/V-38686.rst
index 637b5ce1..23873352 100644
--- a/doc/source/stig-notes/V-38686.rst
+++ b/doc/source/stig-notes/V-38686.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38686: The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
 ---------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38687.rst b/doc/source/stig-notes/V-38687.rst
index a53206be..c9608ada 100644
--- a/doc/source/stig-notes/V-38687.rst
+++ b/doc/source/stig-notes/V-38687.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38687: The system must provide VPN connectivity for communications over untrusted networks.
 ---------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38688.rst b/doc/source/stig-notes/V-38688.rst
index 7fd2eefe..320ee133 100644
--- a/doc/source/stig-notes/V-38688.rst
+++ b/doc/source/stig-notes/V-38688.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38688: A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
 ---------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38689.rst b/doc/source/stig-notes/V-38689.rst
index 131f6e8d..97675138 100644
--- a/doc/source/stig-notes/V-38689.rst
+++ b/doc/source/stig-notes/V-38689.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38689: The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
 ---------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38690.rst b/doc/source/stig-notes/V-38690.rst
index 92b8ec2a..1fa703d5 100644
--- a/doc/source/stig-notes/V-38690.rst
+++ b/doc/source/stig-notes/V-38690.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38690: Emergency accounts must be provisioned with an expiration date.
 ------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38691.rst b/doc/source/stig-notes/V-38691.rst
index 69e0afb2..0f019075 100644
--- a/doc/source/stig-notes/V-38691.rst
+++ b/doc/source/stig-notes/V-38691.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38691: The Bluetooth service must be disabled.
 ------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38692.rst b/doc/source/stig-notes/V-38692.rst
index 808fe365..e62165ff 100644
--- a/doc/source/stig-notes/V-38692.rst
+++ b/doc/source/stig-notes/V-38692.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38692: Accounts must be locked upon 35 days of inactivity.
 ------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38693.rst b/doc/source/stig-notes/V-38693.rst
index ab79274e..b07fac3c 100644
--- a/doc/source/stig-notes/V-38693.rst
+++ b/doc/source/stig-notes/V-38693.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38693: The system must require passwords to contain no more than three consecutive repeating characters.
 ----------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38694.rst b/doc/source/stig-notes/V-38694.rst
index 7a999557..237df2d3 100644
--- a/doc/source/stig-notes/V-38694.rst
+++ b/doc/source/stig-notes/V-38694.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38694: The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38695.rst b/doc/source/stig-notes/V-38695.rst
index 1bb30909..d9c60b51 100644
--- a/doc/source/stig-notes/V-38695.rst
+++ b/doc/source/stig-notes/V-38695.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38695: A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38696.rst b/doc/source/stig-notes/V-38696.rst
index 951870d3..9620d9dd 100644
--- a/doc/source/stig-notes/V-38696.rst
+++ b/doc/source/stig-notes/V-38696.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38696: The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38697.rst b/doc/source/stig-notes/V-38697.rst
index aaedeb35..b18fbe0e 100644
--- a/doc/source/stig-notes/V-38697.rst
+++ b/doc/source/stig-notes/V-38697.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38697: The sticky bit must be set on all public directories.
 --------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38698.rst b/doc/source/stig-notes/V-38698.rst
index 5c084043..2e46c306 100644
--- a/doc/source/stig-notes/V-38698.rst
+++ b/doc/source/stig-notes/V-38698.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38698: The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
 ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38699.rst b/doc/source/stig-notes/V-38699.rst
index 6eb8a067..f347b029 100644
--- a/doc/source/stig-notes/V-38699.rst
+++ b/doc/source/stig-notes/V-38699.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38699: All public directories must be owned by a system account.
 ------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38700.rst b/doc/source/stig-notes/V-38700.rst
index b209fc53..2995e557 100644
--- a/doc/source/stig-notes/V-38700.rst
+++ b/doc/source/stig-notes/V-38700.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38700: The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
 --------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38701.rst b/doc/source/stig-notes/V-38701.rst
index 9912bf4b..cc3067e4 100644
--- a/doc/source/stig-notes/V-38701.rst
+++ b/doc/source/stig-notes/V-38701.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38701: The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system.
 ------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-38702.rst b/doc/source/stig-notes/V-38702.rst
index 23c28532..c2cdc589 100644
--- a/doc/source/stig-notes/V-38702.rst
+++ b/doc/source/stig-notes/V-38702.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-38702: The FTP daemon must be configured for logging or verbose mode.
 -----------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-43150.rst b/doc/source/stig-notes/V-43150.rst
index 259dbafe..a81f0010 100644
--- a/doc/source/stig-notes/V-43150.rst
+++ b/doc/source/stig-notes/V-43150.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-43150: The login user list must be disabled.
 ----------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51337.rst b/doc/source/stig-notes/V-51337.rst
index 78560d99..d3f60f54 100644
--- a/doc/source/stig-notes/V-51337.rst
+++ b/doc/source/stig-notes/V-51337.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51337: The system must use a Linux Security Module at boot time.
 ------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51363.rst b/doc/source/stig-notes/V-51363.rst
index 965183b0..373c5ffb 100644
--- a/doc/source/stig-notes/V-51363.rst
+++ b/doc/source/stig-notes/V-51363.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51363: The system must use a Linux Security Module configured to enforce limits on system services.
 -----------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51369.rst b/doc/source/stig-notes/V-51369.rst
index dfd47374..785156eb 100644
--- a/doc/source/stig-notes/V-51369.rst
+++ b/doc/source/stig-notes/V-51369.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51369: The system must use a Linux Security Module configured to limit the privileges of system services.
 -----------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51379.rst b/doc/source/stig-notes/V-51379.rst
index aafcb029..75b784ab 100644
--- a/doc/source/stig-notes/V-51379.rst
+++ b/doc/source/stig-notes/V-51379.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51379: All device files must be monitored by the system Linux Security Module.
 --------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51391.rst b/doc/source/stig-notes/V-51391.rst
index 350fbde8..02b6a5df 100644
--- a/doc/source/stig-notes/V-51391.rst
+++ b/doc/source/stig-notes/V-51391.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51391: A file integrity baseline must be created.
 ---------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-51875.rst b/doc/source/stig-notes/V-51875.rst
index a8575690..28d10a80 100644
--- a/doc/source/stig-notes/V-51875.rst
+++ b/doc/source/stig-notes/V-51875.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-51875: The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
 ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-54381.rst b/doc/source/stig-notes/V-54381.rst
index cd3fd1ee..6d1d2ce8 100644
--- a/doc/source/stig-notes/V-54381.rst
+++ b/doc/source/stig-notes/V-54381.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-54381: The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.
 ---------------------------------------------------------------------------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-57569.rst b/doc/source/stig-notes/V-57569.rst
index eb910363..8be43284 100644
--- a/doc/source/stig-notes/V-57569.rst
+++ b/doc/source/stig-notes/V-57569.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-57569: The noexec option must be added to the /tmp partition.
 ---------------------------------------------------------------
 
diff --git a/doc/source/stig-notes/V-58901.rst b/doc/source/stig-notes/V-58901.rst
index 575df86c..9068df2f 100644
--- a/doc/source/stig-notes/V-58901.rst
+++ b/doc/source/stig-notes/V-58901.rst
@@ -1,5 +1,3 @@
-:orphan:
-
 V-58901: The sudo command must require authentication.
 ------------------------------------------------------
 