Ocata Series Release Notes
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.
There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.
PermitRootLogin in the ssh configuration has changed from
without-password. This will only allow ssh to be used to authenticate root via a key.
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting
The tasks that search for shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
The installation of chrony is still enabled by default, but it is now controlled by the
The Red Hat Enterprise Linux (RHEL) 7 STIG content is now deployed by default. Deployers can continue using the RHEL 7 STIG content by setting the following Ansible variable:
The security role will accept the currently installed version of a package rather than attempting to update it. This reduces unexpected changes on the system from subsequent runs of the security role. Deployers can still set
latest to ensure that all packages installed by the security role are up to date.
Deployers should review the new RHEL 7 STIG variables in defaults/main.yml to provide custom configuration for the Ansible tasks.
The Red Hat Enterprise Linux 6 STIG content has been deprecated. The tasks and variables for the RHEL 6 STIG will be removed in a future release.