openstack/ansible-hardening
Code Issues Proposed changes
ansible-hardening/doc/source/deviations.rst
Major Hayden 875f635ab4 [Docs] Overhaul STIG by tag docs 
This patch gets rid of the old "special notes" section that was a
dead-end in the documentation and replaces it with a brief header
followed by a dynamically-generated list of tag-specific
documentation. All of this sits underneath the "Hardening Domains"
section.

It also splits the "Deviations" documentation into its own section
because it's quite important for a deployer to review.

The patch also includes a link to video/slides from the Boston
Summit, which provided the latest updates for the project and some
background on how everything fits together.

Change-Id: I1a5e78733c301335fe1bcfcee36cc146d690b841
2017-06-13 06:33:16 +00:00

38 lines
1.6 KiB
ReStructuredText
Raw Blame History

Deviations from the Security Technical Implementation Guide (STIG)
==================================================================
The ansible-hardening role deviates from some of the STIG's requirements when a
security control could cause significant issues with production systems. The
role classifies each control into an implementation status and provides notes
on why a certain control is skipped or altered.
The following provides a brief overview of each implementation status:
Exception
If a control requires manual intervention outside the host, or if it could
cause significant harm to a host, it will be skipped and listed as an
exception. All controls in this category are not implemented in Ansible.
Configuration Required
These controls require some type of initial configuration before they can
be applied. Review the notes for each control to determine how to configure
each of them.
Implemented
These controls are fully implemented and they may have configurations which
can be adjusted. The notes for each control will identify which configuration
options are available.
Opt-In
The controls in the opt-in list are implemented in Ansible, but are disabled
by default. They are often disabled because they could cause harm to a subset
of systems. Each control has notes that explains the caveats of the control
and how to enable it if needed.
Deployers should review the full list of controls
`sorted by implementation status <auto_controls-by-status.html>`_.
.. note::
All of the default configurations are found within ``defaults/main.yml``.
View Git Blame Copy Permalink