Pike Series Release Notes


New Features

  • The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.

  • Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.
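To confirm that the value chosen for security_sshd_permit_root_login is the one sshd will actually apply, the check below reads an sshd_config and reports the global PermitRootLogin value plus any Match-block overrides. It is an added example, not code from the security role; the function names and the sample file are constructed, and it assumes OpenSSH's documented behaviour that the first value read for a keyword wins and that lines after a Match line apply only to matching connections.

```python
import re

# Values the release note lists for security_sshd_permit_root_login.
ALLOWED = {"without-password", "prohibit-password",
           "forced-commands-only", "yes", "no"}

# Constructed sample sshd_config, not taken from any real host.
SAMPLE = """\
# constructed sample
Port 22
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin = without-password
"""

def permit_root_login(config_text):
    """Return (global_value, [(match_criteria, value), ...])."""
    global_value, overrides = None, []
    match, seen_in_block = None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            match, seen_in_block = value, False
        elif keyword == "permitrootlogin":
            if match is None and global_value is None:
                global_value = value        # first global value wins
            elif match is not None and not seen_in_block:
                overrides.append((match, value))
                seen_in_block = True
    return global_value, overrides

def audit(config_text, expected):
    """List ways the file disagrees with the value the deployer set."""
    if expected not in ALLOWED:
        raise ValueError(f"not a listed option: {expected}")
    value, overrides = permit_root_login(config_text)
    findings = []
    if value is None:
        findings.append("PermitRootLogin not set globally")
    elif value != expected:
        findings.append(f"global value is {value}, expected {expected}")
    findings += [f"Match {m} sets {v}" for m, v in overrides if v != expected]
    return findings
```

In the sample, the later "PermitRootLogin yes" line is ignored because the earlier "no" is read first, while the Match block still loosens the setting for one address range.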



The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.

New Features

  • Deployers can provide a customized login banner via a new Ansible variable: security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.

Security Issues

  • The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting security_reset_perm_ownership to yes.

  • The tasks that search for .shosts and shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.

  • The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.

  • The cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.

  • The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.