Ocata Series Release Notes
15.1.11
Bug Fixes
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.
There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.
15.1.9
Security Issues
PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.
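An added example (not part of the release notes or the role's own code): a check that reads sshd_config text and reports the effective PermitRootLogin value, using sshd's rule that the first value read for a keyword wins and that Match blocks can override it. The sample configs are constructed, the function name is hypothetical, Include files are not followed, and the fallback default assumes OpenSSH 7.0 or later.

```python
# Added example: audit PermitRootLogin in sshd_config text (constructed samples).
OPENSSH_DEFAULT = "prohibit-password"  # assumption: built-in default in OpenSSH 7.0+

BEFORE = """\
# constructed sample: setting before 15.1.9
Port 22
PermitRootLogin yes
"""

AFTER = """\
# constructed sample: setting from 15.1.9, plus two drift cases
PermitRootLogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def audit_root_login(config_text):
    """Return the global PermitRootLogin value and any Match-block overrides."""
    global_value, match_overrides, in_match = None, [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True  # later lines are conditional until end of file
        elif keyword == "permitrootlogin" and len(parts) > 1:
            value = parts[1].lower()
            if in_match:
                match_overrides.append(value)
            elif global_value is None:  # first value wins, later ones are ignored
                global_value = value
    global_value = global_value or OPENSSH_DEFAULT
    return {
        "global": global_value,
        "match_overrides": match_overrides,
        # only "yes" lets root authenticate with a password
        "root_password_login_possible": global_value == "yes" or "yes" in match_overrides,
    }


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_root_login(text))
```

In the second sample the duplicate global line is ignored, but the Match block still re-enables password login for root from one address range, which a plain search for the first PermitRootLogin line would miss.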
15.1.0
Security Issues
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.
The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
15.0.0
New Features
The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.
The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 7 STIG content by setting the following Ansible variable:
stig_version: rhel6
Upgrade Notes
The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.
Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.
Deprecation Notes
The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.