Fix documentation warnings from sphinx
Many of the documentation pages in the security role aren't meant to be displayed in a table of contents, and this was generating lots of warnings in the sphinx output. This patch sets the :orphan: tag on any pages that shouldn't appear inside a toctree. Change-Id: I1b1f95e35946731ab1122bb1835bbd448b356acc
This commit is contained in:
Major Hayden
@@ -2,7 +2,7 @@
|
||||
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible
|
||||
|
||||
Security hardening controls in detail
|
||||
=================================
|
||||
=====================================
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
If ``autofs`` is installed, it will be disabled by Ansible tasks. To opt-out
|
||||
of this change, adjust the following variable:
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adjusting the bootloader configuration can cause issues with reboots and this
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Although adding centralized authentication and carefully managing user
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The ``/etc/gshadow`` file is owned by root by default on Ubuntu 14.04, Ubuntu
|
||||
16.04 and CentOS 7. The security role ensures that the file is owned by root.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
See V-38551 for additional details. IPv6 configuration and filtering is left
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The logs generated by the audit daemon are owned by root in Ubuntu 14.04,
|
||||
Ubuntu 16.04 and CentOS 7. The Ansible task for V-38445 ensures that the files
|
||||
are owned by the root user.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Forwarding root's email to another user is highly recommended, but the Ansible
|
||||
tasks won't configure an email address to receive root's email unless that
|
||||
email address is configured. Set ``security_root_forward_email`` to an email
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Although Ubuntu provides the ``debsums`` command for checking the contents of
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Although the ``/etc/gshadow`` file is group-owned by root by default, the
|
||||
Ansible tasks will ensure that it is configured that way.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The ``/etc/gshadow`` file's permissions will be changed to ``0000`` to meet
|
||||
the requirements of the STIG.
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
The ownership of ``/etc/passwd`` will be changed to root.
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
The group ownership for ``/etc/passwd`` will be set to root.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception for Ubuntu**
|
||||
|
||||
Verifying ownership and permissions of installed packages isn't possible in the
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/tmp`` can disrupt a running system and this
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring another mount for ``/var`` can disrupt a running system and this
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
The permissions for ``/etc/passwd`` will be set to ``0644``.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task will ensure that the ``/etc/group`` file is owned by the root
|
||||
user.
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
The tasks in file_perms.yml will ensure that "/etc/group" is owned by the root account.
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible tasks will check for ``all_squash`` in ``/etc/exports`` (if it is
|
||||
present). If found, a warning message will be printed. No configuration
|
||||
changes will be made since neither Ubuntu or openstack-ansible configures
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu sets the mode of ``/etc/group`` to ``0644`` by default and the Ansible
|
||||
task will ensure that it is current set to those permissions.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
All versions of Ubuntu and CentOS supported by the role verify packages against
|
||||
GPG signatures by default.
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Configuring a separate partition for ``/var/log`` is currently left up to the
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
|
||||
only suspends audit logging when there is a disk error on the system.
|
||||
Suspending audit logging can lead to security problems because the system is no
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04 and CentOS 7 set library files to have ``0755`` (or
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
As with V-38465, Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the ownership of
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Storing audit logs on a separate partition is recommended, but this change
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
|
||||
suspends audit logging. Suspending audit logging can lead to security problems
|
||||
because the system is no longer keeping track of which syscalls were made.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the permissions for system
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The default configuration for ``security_space_left_action`` is ``SUSPEND``,
|
||||
which actually only suspends audit logging. Suspending audit logging can lead
|
||||
to security problems because the system is no longer keeping track of which
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
An Ansible task will adjust ``active`` from `no` to `yes` in
|
||||
``/etc/audisp/plugins.d/syslog.conf`` so that auditd records are forwarded to
|
||||
syslog automatically. The auditd daemon will be restarted if the configuration
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set system commands to be owned by
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Creating ``/home`` on a different partition is highly recommended but it is
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The openstack-ansible roles don't install X by default, so there is no
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends passwords to be a minimum of 14 characters in length. To
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The security role verifies that the GPG keys that correspond to each supported
|
||||
Linux distribution are installed on each host. If the GPG keys are not found,
|
||||
or if they differ from the list of trusted GPG keys, the playbook execution
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends setting a limit of one password change per day. To enable
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Ubuntu and CentOS do not use the Red Hat Network Service. However, there are
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
The STIG recommends setting a limit of 60 days before a password must
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Configuration required**
|
||||
|
||||
After enabling password age limits in V-38479, be sure to configure
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
Operating system patching policies vary from organization to organization and
|
||||
@@ -14,7 +16,7 @@ are typically established based on business requirements and risk tolerance.
|
||||
and the associated risks prior to enabling automatic upgrades.
|
||||
|
||||
Deployers can enable automatic updates by setting
|
||||
``security_unattended_upgrades`` to ``True`::
|
||||
``security_unattended_upgrades`` to ``True``:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Password complexity requirements are left up to the deployer. Deployers are
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task for V-38462 already checks for configurations that would
|
||||
disable any GPG checks when installing packages. However, it is possible for
|
||||
the root user to override these configurations via command line parameters.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 already enable the display of the last
|
||||
successful login for a user immediately after login. An Ansible task ensures
|
||||
this setting is applied and restarts the ssh daemon if necessary.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task for V-38462 already checks for apt configurations that would
|
||||
disable any GPG checks when installing packages. However, it's possible for
|
||||
the root user to override these configurations via command line parameters.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
System backups are left to the deployer to configure. Deployers are stringly
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The security role installs and configures the ``aide`` package to provide file
|
||||
integrity monitoring on the host.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Disabling the ``usb-storage`` module can add extra security, but it's not
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task will check for the presence of ``/etc/hosts.equiv`` and
|
||||
``/root/.rhosts``. Both of those files could potentially be used with ``rsh``
|
||||
for host access.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Virtual consoles are helpful during an emergency and they can only be reached
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 set the mode of ``/var/log/audit/`` to
|
||||
``0750`` by default. The Ansible task for this requirement ensures that the
|
||||
mode is ``0750`` (which is more strict than the STIG requirement).
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Removing serial consoles from ``/etc/securetty`` can make troubleshooting
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible tasks will ensure that files in ``/var/log/audit`` are owned
|
||||
by the root user.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The Ansible tasks will check for default system accounts (other than root)
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
|
||||
authenticate via PAM by default. This STIG requires that those login attempts
|
||||
are blocked.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu and CentOS set the current audit log (the one that is actively being
|
||||
written to) to ``0600`` so that only the root user can read and write to it.
|
||||
The older, rotated logs are set to ``0400`` since they should not receive
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task will search for password hashes in ``/etc/passwd`` using
|
||||
awk and report a failure if any are found.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible tasks will search for accounts in ``/etc/passwd`` that have UID 0
|
||||
that aren't the normal root account. If any matching accounts are found, a
|
||||
warning is printed to stdout and the Ansible play will fail.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception and opt-in alternative**
|
||||
|
||||
Adjusting PAM configurations is very risky since it affects how all users
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||
task will ensure that the default is maintained.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
The user and group ownership of ``/etc/passwd`` is root by default. The Ansible
|
||||
task will ensure that the default is maintained.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
|
||||
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
|
||||
Ansible tasks in the security role ensure that the mode meets the requirement.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Special Case**
|
||||
|
||||
Running virtual infrastructure requires IP forwarding to be enabled on various
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Although a minimal set of iptables rules are configured on openstack-ansible
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Datagram Congestion Control Protocol (DCCP) must be disabled if it's not
|
||||
needed. Although this protocol is occasionally used in some OpenStack
|
||||
environments for quality of service functions, it is not in the default
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Stream Control Transmission Protocol (SCTP) must be disabled. To opt-out of
|
||||
this change, set the following variable to ``no``:
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The `Reliable Datagram Sockets (RDS)`_ protocol must be disabled. The Ansible
|
||||
tasks in this role will disable the module.
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The `Transparent Inter-Process Communication (TIPC)`_ protocol must be
|
||||
disabled. To opt-out of this change, set the following variable to ``no``:
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Different systems may have different log files populated depending on the type
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
At the moment, openstack-ansible already sends logs to the rsyslog container
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time made via ``settimeofday``.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The STIG makes several requirements for IPv4 network restrictions, but these
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
This patch disables ICMPv4 redirects feature on the host.
|
||||
Accepting ICMP redirects has few legitimate uses.
|
||||
It should be disabled unless it is absolutely required.
|
||||
|
||||
@@ -1 +1,3 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time done via ``stime``.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing changes to system time done via
|
||||
``clock_settime``.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The Ansible task in this role will ensure that martian packets are logged to
|
||||
rsyslog. Wikpedia's article on `martian packets`_ provides additional
|
||||
information.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added to auditd to log all attempts to change the system time using
|
||||
``/etc/localtime``.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Audit rules are added in a task so that any events associated with
|
||||
account modifications are logged. The new audit rule will be loaded immediately
|
||||
with ``augenrules --load``.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
By default, Ubuntu 14.04 rejects ICMPv4 packets sent to a broadcast address.
|
||||
The Ansible tasks for this STIG configuration ensures that the secure default
|
||||
setting is maintained.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Ubuntu already ignores ICMPv4 bogus error messages by default. The role will
|
||||
ensure that this default setting is maintained.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules from V-38534 already cover all account modifications.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
The STIG recommends enabling TCP SYN cookies to deal with TCP SYN floods.
|
||||
Ubuntu 14.04 already enables SYN cookies by default, and this role will ensure
|
||||
that the default is maintained.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing network configuration changes. The path to
|
||||
Ubuntu's standard network configuration location has replaced the path
|
||||
to Red Hat's default network configuration location.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
For Ubuntu, rules are added to auditd that will log any changes made in the
|
||||
``/etc/apparmor`` directory.
|
||||
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
The audit rules which monitor ``chmod``, ``fchmod``, and ``fchmodat``
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditd to log discretionary access control permission
|
||||
changes done with chown.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Opt-in required**
|
||||
|
||||
The STIG requires IPv6 to be disabled system-wide unless it is needed for the
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Disabling IPv6 redirects can cause issues with OpenStack environments which
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adding IPv6 firewalling on OpenStack hosts is left up to the deployer to
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Filtering IPv6 traffic is left up to the deployer to implement. The
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes
|
||||
made by fchown.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made by
|
||||
fchownat.
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
:orphan:
|
||||
|
||||
**Exception**
|
||||
|
||||
Adding IPv4 firewalling on OpenStack hosts is left up to the deployer to
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made
|
||||
by fremovexattr.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made via
|
||||
``fsetxattr``.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made via
|
||||
``lchown``.
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
:orphan:
|
||||
|
||||
Rules are added for auditing discretionary access control changes made via
|
||||
``lremovexattr``.
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user