Queens Series Release Notes
It is now possible to modify the NTP server options in chrony using
Chrony got a new configuration option to synchronize the system clock back to the RTC using the security_ntp_sync_rtc variable. Disabled by default.
Deployers can now specify a custom package name or URL for an EPEL release package. CentOS systems use epel-release by default, but some deployers have a customized package that redirects servers to internal mirrors.
Generating and validating checksums for all files installed by packages is now disabled by default. The check causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the check by setting
Fedora 26 is now supported.
The default list of NTP servers for chrony is now more friendly to users outside North America. Deployers can still provide their own list of NTP servers with the
The password minimum and maximum lifetimes are now opt-in changes that can take action against user accounts instead of printing debug warnings. Refer to the documentation for STIG requirements V-71927 and V-71931 to review the opt-in process and warnings.
The security_sshd_permit_root_login setting can now be set to change the /etc/ssh/sshd_config to any of the possible options. Set security_sshd_permit_root_login to one of
The tasks within the ansible-hardening role are now based on Version 1, Release 3 of the Red Hat Enterprise Linux Security Technical Implementation Guide.
kernel.randomize_va_space is now set to 2 by default. This matches the default of most modern Linux distributions and it ensures that Address Space Layout Randomization (ASLR) is enabled.
The Datagram Congestion Control Protocol (DCCP) kernel module is now disabled by default, but a reboot is required to make the change effective.
Searching for world-writable files is now disabled by default. The search causes delays in playbook runs and it can consume a significant amount of CPU and I/O resources. Deployers can re-enable the search by setting
The EPEL repository is only installed and configured when the deployer sets yes. This allows the ClamAV packages to be installed. If security_enable_virus_scanner is set to no (the default), the EPEL repository will not be added.
See Bug 1702167 for more details.
Deployers now have the option to prevent the EPEL repository from being installed by the role. Setting no prevents EPEL from being installed. This setting may prevent certain packages from installing, such as ClamAV.
The tasks for V-72181, which include adding audit rules for the pt_chown command, have been removed. They are not required in the RHEL 7 STIG V1R2 release.
Fedora 25 support is deprecated and no longer tested on each commit.
PermitRootLogin in the ssh configuration has changed from without-password. This will only allow ssh to be used to authenticate root via a key.
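The following is an added example, not code from the ansible-hardening role, showing how a deployer could verify three of the defaults described in these notes from configuration text: kernel.randomize_va_space set to 2, the dccp module disabled through a modprobe.d drop-in, and PermitRootLogin restricted so that root can only authenticate with a key. The sample inputs are constructed, the function names are assumptions, and the "install dccp /bin/true" form is the usual way to neutralise a module (a bare "blacklist" line only stops autoloading and is reported separately).

```python
import re

# Constructed sample: output of `sysctl kernel.randomize_va_space`
SYSCTL_OUTPUT = "kernel.randomize_va_space = 2\n"

# Constructed sample: a modprobe.d drop-in. "install dccp /bin/true" turns an
# explicit modprobe into a no-op; "blacklist dccp" alone only stops autoload.
MODPROBE_CONF = """# constructed sample
install dccp /bin/true
blacklist dccp
"""

# Constructed sample: sshd_config fragment. sshd uses the FIRST value it sees
# for a keyword, so the later "PermitRootLogin yes" line does not win.
SSHD_CONFIG = """# constructed sample
Port 22
PermitRootLogin without-password
# PermitRootLogin yes
PermitRootLogin yes
"""


def aslr_level(sysctl_text):
    """Return the integer value of kernel.randomize_va_space, or None if absent."""
    m = re.search(r"^\s*kernel\.randomize_va_space\s*=\s*(\d)\s*$", sysctl_text, re.M)
    return int(m.group(1)) if m else None


def aslr_fully_enabled(sysctl_text):
    """2 randomises stack, mmap base, VDSO and brk; 1 leaves brk unrandomised."""
    return aslr_level(sysctl_text) == 2


def module_disabled(modprobe_text, module):
    """True only when an 'install <module> /bin/true' (or /bin/false) line
    is present, which makes even an explicit modprobe of the module a no-op."""
    pattern = rf"^\s*install\s+{re.escape(module)}\s+/bin/(true|false)\s*$"
    return re.search(pattern, modprobe_text, re.M) is not None


def module_blacklisted(modprobe_text, module):
    """True when a 'blacklist <module>' line exists (prevents autoload only)."""
    pattern = rf"^\s*blacklist\s+{re.escape(module)}\s*$"
    return re.search(pattern, modprobe_text, re.M) is not None


def effective_permit_root_login(sshd_text):
    """Mirror sshd's first-match rule: the first PermitRootLogin value wins.
    Keywords are case-insensitive; lines starting with '#' are comments.
    Returns None when the keyword is absent (the compiled-in default then
    applies, which varies by OpenSSH version)."""
    for raw in sshd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


def root_login_key_only(sshd_text):
    """without-password (older name) and prohibit-password (newer name) both
    refuse password authentication for root while still allowing keys."""
    return effective_permit_root_login(sshd_text) in ("without-password", "prohibit-password")


if __name__ == "__main__":
    print("ASLR level:", aslr_level(SYSCTL_OUTPUT), "fully enabled:", aslr_fully_enabled(SYSCTL_OUTPUT))
    print("dccp install-neutralised:", module_disabled(MODPROBE_CONF, "dccp"),
          "blacklisted:", module_blacklisted(MODPROBE_CONF, "dccp"))
    print("effective PermitRootLogin:", effective_permit_root_login(SSHD_CONFIG),
          "key-only:", root_login_key_only(SSHD_CONFIG))
```

On a real host the same functions can be fed the output of `sysctl kernel.randomize_va_space`, the concatenated contents of /etc/modprobe.d/*.conf, and /etc/ssh/sshd_config; the first-match rule for sshd is the detail most often missed when a second PermitRootLogin line is appended lower in the file.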
The sysctl configuration task was not skipping configurations where enabled was set to no. Instead, it was removing configurations when enabled: no was set. There is now a fix in place that ensures any sysctl configuration with enabled: no will be skipped and the configuration will be left unaltered on the system.
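The following is an added example, not code from the ansible-hardening role, that models the bug described above and its fix. It applies a list of sysctl settings carrying a per-entry enabled flag to a dictionary standing in for the managed sysctl state, and contrasts the old behaviour (an entry with enabled: no was removed, dropping the deployer's own value) with the fixed behaviour (the entry is skipped and the existing value is left unaltered). The entry format, the state model and the function names are assumptions made for this illustration.

```python
# Constructed sample: the settings the role manages. An entry with
# enabled: False marks a sysctl key the deployer does not want the role to touch.
SYSCTL_SETTINGS = [
    {"name": "kernel.randomize_va_space", "value": 2, "enabled": True},
    {"name": "net.ipv4.ip_forward", "value": 0, "enabled": False},
    {"name": "net.ipv4.conf.all.accept_redirects", "value": 0, "enabled": True},
]

# Constructed sample: the managed sysctl state before the role runs.
# The deployer has deliberately set ip_forward to 1 (for example on a router).
CURRENT_STATE = {
    "kernel.randomize_va_space": 0,
    "net.ipv4.ip_forward": 1,
    "net.ipv4.conf.all.accept_redirects": 1,
}


def apply_buggy(settings, state):
    """Old behaviour: an entry with enabled: no was removed from the managed
    state instead of being skipped, so the deployer's own value disappeared."""
    new_state = dict(state)
    for entry in settings:
        if entry["enabled"]:
            new_state[entry["name"]] = entry["value"]
        else:
            new_state.pop(entry["name"], None)  # the bug: removal, not a skip
    return new_state


def apply_fixed(settings, state):
    """Fixed behaviour: an entry with enabled: no is skipped entirely, leaving
    whatever value is already on the system unaltered."""
    new_state = dict(state)
    for entry in settings:
        if not entry["enabled"]:
            continue  # skip: do not touch this key at all
        new_state[entry["name"]] = entry["value"]
    return new_state


def changed_keys(before, after):
    """Keys whose value differs (or that were added/removed) between two states."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


if __name__ == "__main__":
    print("buggy :", apply_buggy(SYSCTL_SETTINGS, CURRENT_STATE))
    print("fixed :", apply_fixed(SYSCTL_SETTINGS, CURRENT_STATE))
    print("changed by fix:", changed_keys(CURRENT_STATE, apply_fixed(SYSCTL_SETTINGS, CURRENT_STATE)))
```

With the fixed logic only the two enabled entries change; net.ipv4.ip_forward keeps the deployer's value of 1, whereas the old logic silently dropped it from the managed state.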