Queens Series Release Notes


New Features

  • It is now possible to modify the NTP server options in chrony using security_ntp_server_options.

  • Chrony has a new configuration option, controlled by the security_ntp_sync_rtc variable, that synchronizes the system clock back to the RTC. The option is disabled by default.


New Features

  • Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.

  • Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting security_check_package_checksums to yes.

  • Fedora 26 is now supported.

  • The default list of NTP servers for chrony is now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the security_ntp_servers Ansible variable.

  • The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.

  • The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.

  • The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enterprise Linux Security Technical Implementation Guide.

  • The sysctl parameter kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.

  • The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.

  • Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.

Upgrade Notes

  • The EPEL repository is only installed and configured when the deployer sets security_enable_virus_scanner to yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added.

    See Bug 1702167 for more details.

  • Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting security_epel_install_repository to no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.

  • The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.

Deprecation Notes

  • Fedora 25 support is deprecated and no longer tested on each commit.

Security Issues

  • PermitRootLogin in the ssh configuration has changed from yes to without-password. With this value, root can authenticate over ssh only with a key.
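
    One way to confirm the change on a host is to read the effective global PermitRootLogin value out of sshd_config. This is an added example, not code from the ansible-hardening role; the function names and the sample configuration are constructed for illustration, and Include files are not followed.

```python
import re

# Values the release notes list for security_sshd_permit_root_login.
ALLOWED = {"without-password", "prohibit-password",
           "forced-commands-only", "yes", "no"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# managed by configuration management
Port 22
permitrootlogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def effective_permit_root_login(config_text):
    """Return the global PermitRootLogin value, or None if it is not set.

    sshd uses the first value it obtains for a keyword and treats keywords
    case-insensitively. Settings after a Match line are conditional, so
    only lines before the first Match block are considered here.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].split()[0].strip('"')
    return None


def root_password_login_possible(value):
    """True only when the setting lets root authenticate with a password."""
    if value not in ALLOWED:
        raise ValueError(f"unexpected PermitRootLogin value: {value!r}")
    return value == "yes"


if __name__ == "__main__":
    value = effective_permit_root_login(SAMPLE)
    print(value, root_password_login_possible(value))
```

    In the sample, the later PermitRootLogin yes line has no effect because the first value wins, and the line inside the Match block applies only to connections that meet its condition.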

Bug Fixes

  • The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set.

    There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.