Ocata Series Release Notes


Bug Fixes

  • The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.

    There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.


Security Issues

  • PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.


Security Issues

  • The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.

  • The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.


New Features

  • The installation of chrony is still enabled by default, but it is now controlled by the security_enable_chrony variable.

  • The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 6 STIG content by setting the following Ansible variable:

    stig_version: rhel6

Upgrade Notes

  • The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set security_package_state to latest to ensure that all packages installed by the security role are up to date.

  • Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.

Deprecation Notes

  • The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.