Pike Series Release Notes
security_sshd_permit_root_login setting can now be set to change the
/etc/ssh/sshd_config to any of the possible options. Set
security_sshd_permit_root_login to one of
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting
The first release of the Red Hat Enterprise Linux 7 STIG was entirely renumbered from the pre-release versions. Many of the STIG configurations simply changed numbers, but some were removed or changed. A few new configurations were added as well.
Deployers can provide a customized login banner via a new Ansible variable:
security_login_banner_text. This banner text is used for non-graphical logins, which includes console and ssh logins.
The security role will no longer fix file permissions and ownership based on the contents of the RPM database by default. Deployers can opt in for these changes by setting
The tasks that search for
shosts.equiv files (STIG ID: RHEL-07-040330) are now skipped by default. The search takes a long time to complete on systems with lots of files and it also causes a significant amount of disk I/O while it runs.
The latest version of the RHEL 7 STIG requires that a standard login banner is presented to users when they log into the system (V-71863). The security role now deploys a login banner that is used for console and ssh sessions.
cn_map permissions and ownership adjustments included as part of RHEL-07-040070 and RHEL-07-040080 have been removed. This STIG configuration was removed in the most recent release of the RHEL 7 STIG.
The PKI-based authentication checks for RHEL-07-040030, RHEL-07-040040, and RHEL-07-040050 are no longer included in the RHEL 7 STIG. The tasks and documentation for these outdated configurations are removed.