From 6f256af4a71aafe9a948c847e4747d50b1b9bc7b Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 15 Nov 2016 13:14:14 -0600
Subject: [PATCH] [Docs] Set cn_map permissions/owner
This patch provides documentation for:
If8b31cdc192bcbfe519dc9ec1e6b458309269f42
Implements: blueprint security-rhel7-stig
Change-Id: I6b2733dafcf42b940ae1c0bf5d3163b765864353
---
 doc/metadata/rhel7/RHEL-07-040050.rst | 10 +++++++---
 doc/metadata/rhel7/RHEL-07-040060.rst | 8 +++++---
 doc/metadata/rhel7/RHEL-07-040070.rst | 7 ++++---
 doc/metadata/rhel7/RHEL-07-040080.rst | 7 ++++---
 4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/doc/metadata/rhel7/RHEL-07-040050.rst b/doc/metadata/rhel7/RHEL-07-040050.rst
index 0be6fd51..f3d87671 100644
--- a/doc/metadata/rhel7/RHEL-07-040050.rst
+++ b/doc/metadata/rhel7/RHEL-07-040050.rst
@@ -1,7 +1,11 @@
 ---
 id: RHEL-07-040050
-status: not implemented
-tag: misc
+status: exception - manual intervention
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+This control requires that ``/etc/pam_pkcs11/subject_mapping`` exists on the
+system. It is only required on systems that use PKI-based authentication.
+
+Deployers should perform this step manually based on the needs of their
+authentication configuration.
diff --git a/doc/metadata/rhel7/RHEL-07-040060.rst b/doc/metadata/rhel7/RHEL-07-040060.rst
index b9bdc303..554d2c32 100644
--- a/doc/metadata/rhel7/RHEL-07-040060.rst
+++ b/doc/metadata/rhel7/RHEL-07-040060.rst
@@ -1,7 +1,9 @@
 ---
 id: RHEL-07-040060
-status: not implemented
-tag: misc
+status: implemented
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in this role set the mode on ``/etc/pam_pkcs11/cn_map`` to ``0644``.
+If the file permissions are more restrictive than ``0644`` on the system, they
+are not changed.
diff --git a/doc/metadata/rhel7/RHEL-07-040070.rst b/doc/metadata/rhel7/RHEL-07-040070.rst
index 25ecff4f..d51db937 100644
--- a/doc/metadata/rhel7/RHEL-07-040070.rst
+++ b/doc/metadata/rhel7/RHEL-07-040070.rst
@@ -1,7 +1,8 @@
 ---
 id: RHEL-07-040070
-status: not implemented
-tag: misc
+status: implemented
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+The default owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role ensures
+that this default is maintained if the file exists.
diff --git a/doc/metadata/rhel7/RHEL-07-040080.rst b/doc/metadata/rhel7/RHEL-07-040080.rst
index 3c0f58f6..687ee3f6 100644
--- a/doc/metadata/rhel7/RHEL-07-040080.rst
+++ b/doc/metadata/rhel7/RHEL-07-040080.rst
@@ -1,7 +1,8 @@
 ---
 id: RHEL-07-040080
-status: not implemented
-tag: misc
+status: implemented
+tag: file_perms
 ---
 
-This STIG requirement is not yet implemented.
+The default group owner for ``/etc/pam_pkcs11/cn_map`` is ``root``. The role
+ensures that this default is maintained if the file exists.