Queens Series Release Notes
17.0.4-11
New Features
It is now possible to modify the NTP server options in chrony using security_ntp_server_options.
Chrony got a new configuration option to synchronize the system clock back to the RTC using the security_ntp_sync_rtc variable. Disabled by default.
17.0.0
New Features
Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.
Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting security_check_package_checksums to yes.
Fedora 26 is now supported.
The default list of NTP servers for chrony is now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the security_ntp_servers Ansible variable.
The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.
The security_sshd_permit_root_login setting can now be set to change the PermitRootLogin setting in /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of without-password, prohibit-password, forced-commands-only, yes or no.
The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enterprise Linux Security Technical Implementation Guide.
The sysctl parameter kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.
The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting security_find_world_writable_dirs to yes.
Upgrade Notes
The EPEL repository is only installed and configured when the deployer sets security_enable_virus_scanner to yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added. See Bug 1702167 for more details.
Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting security_epel_install_repository to no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.
The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.
Deprecation Notes
Fedora 25 support is deprecated and no longer tested on each commit.
Security Issues
PermitRootLogin in the ssh configuration has changed from yes to without-password. This will only allow ssh to be used to authenticate root via a key.
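As an added example (not code from the ansible-hardening role or these notes), a small Python check that audits two of the settings described above: the effective PermitRootLogin value in an sshd_config and the kernel.randomize_va_space sysctl. The sshd_config text and sysctl output it reads are constructed inline; on a real host you would feed it the contents of /etc/ssh/sshd_config and the output of sysctl -a.

```python
"""Check two settings these notes change: the sshd PermitRootLogin directive
and the kernel.randomize_va_space sysctl. All sample inputs are constructed."""
import re
from typing import Optional

# Of the values the notes list for security_sshd_permit_root_login, these
# refuse password authentication for root (prohibit-password is the newer
# OpenSSH spelling of without-password).
KEY_ONLY_VALUES = {"without-password", "prohibit-password", "forced-commands-only"}

def permit_root_login(sshd_config: str) -> Optional[str]:
    """Effective global PermitRootLogin value (lower-cased), or None if unset.
    sshd keeps the first occurrence of a keyword, and directives after a Match
    line apply only inside that block, so parsing stops at the first Match."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments, blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].lower()
    return None

def root_password_login_blocked(sshd_config: str) -> bool:
    """True when root can only authenticate over ssh with a key."""
    return permit_root_login(sshd_config) in KEY_ONLY_VALUES

def randomize_va_space(sysctl_output: str) -> Optional[int]:
    """Parse `sysctl -a` style output for kernel.randomize_va_space."""
    found = re.search(r"^kernel\.randomize_va_space\s*=\s*(\d)\s*$",
                      sysctl_output, re.MULTILINE)
    return int(found.group(1)) if found else None

def aslr_fully_enabled(sysctl_output: str) -> bool:
    """Value 2 randomises stack, mmap base, VDSO and heap (full ASLR)."""
    return randomize_va_space(sysctl_output) == 2

# Constructed samples: the hardened state, and a weaker config where an early
# "yes" wins over a later "without-password" because sshd keeps the first value.
HARDENED_SSHD = ("Port 22\n# PermitRootLogin yes\nPermitRootLogin without-password\n"
                 "Match User backup\n    PermitRootLogin yes\n")
WEAK_SSHD = "PermitRootLogin yes\nPermitRootLogin without-password\n"
SYSCTL_OK = "kernel.randomize_va_space = 2\nnet.ipv4.ip_forward = 0\n"
SYSCTL_WEAK = "kernel.randomize_va_space = 1\n"

if __name__ == "__main__":
    print(root_password_login_blocked(HARDENED_SSHD), aslr_fully_enabled(SYSCTL_OK))
```

The weak sample shows why a later hardened line is not enough on its own: sshd honours the first PermitRootLogin it reads, so the role's change only takes effect if no earlier directive remains.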
Bug Fixes
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set. There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.