Skip to content

Releases: ComplianceAsCode/content

Content 0.1.64

30 Sep 16:38
14bd2e7
Compare
Choose a tag to compare

Important Highlights

New Rules and Profiles

  • Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
  • add rule package_postfix_installed (#9191)
  • add audit policy rules specific for ppc64le platform (#9124)
  • Introduce ol9 stig profile (#9207)
  • Introduce Ol9 anssi profiles (#9243)
  • Introduce rule accounts_passwords_pam_faillock_audit (#9264)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Introduced rules to disable accounts because of inactivity (#9244)
  • Introduce e8 profile for OL9 (#9284)
  • New sysctl ipv4 forwarding rule (#9277)
  • Introduce hipaa profile for ol9 (#9478)

Updated Rules and Profiles

  • Remove 3 crypto rules from RHEL 9 OSPP (#9181)
  • Remove 3 package rules from RHEL 9 OSPP (#9182)
  • Introduce new sebool description and ocil macros (#9184)
  • Add to SLE ANSSI profile various sysctl rules (#9185)
  • Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
  • Add more ANSSI Intermediary Rules (#9203)
  • Add more sysctl rules to intermediary profile (#9202)
  • The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
  • Remove 4 PAM related rules from RHEL9 OSPP (#9217)
  • switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
  • remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
  • add audit policy rules specific for ppc64le platform (#9124)
  • remove umask-related rules from RHEL9 OSPP (#9223)
  • Make audit AArch64 specific rules RHEL9 only (#9188)
  • Remove rules for package removal from RHEL 9 OSPP (#9233)
  • remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
  • Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
  • remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
  • Don't pass sssd rules when sssd.conf is absent (#9225)
  • Update accounts_password_pam_retry behavior (#8880)
  • System commands dir root or system account (#9258)
  • SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
  • Update RHEL8 STIG to V1R7 (#9276)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Update few sysctl rules to accept multiple compliant values (#9286)
  • Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
  • Make OSPP profiles use minimal Authselect profile (#9298)
  • add warning to audit_rules_for_ospp (#9303)
  • add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
  • Update RHEL7 STIG to V3R8 (#9317)
  • change rules protecting boot in RHEL8 OSPP (#9306)
  • Add the AUID filters on RHEL7 audit kernel module rules (#9290)
  • add 4 rules back to RHEL9 datastream (#9334)
  • Implement DISA check for auditing kmod on RHEL7 (#9338)
  • Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
  • Include warning about the pam_securetty.so PAM module (#9348)
  • Add AUID filters on audit_rules_kernel_module_loading (#9371)
  • Mask sensitive objects (#9364)
  • Update RHEL9 STIG (#9378)
  • add/remove fedora from privileged commands depending if exists or not (#9367)
  • change way of disabling coredumps in RHEL9 OSPP (#9384)
  • Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
  • Bump version of OL8 to V1R3 and update STIG ids (#9457)
  • Add missing SRG references for RHEL 9 STIG (#9428)
  • Remove support for upstart init system (#9452)
  • Updates RHEL 9 STIG: Part 3 (#9489)
  • Add ol8 platform to existing required tests (#9485)
  • Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
  • Update account_password_selinux_faillock_dir rule (#9501)
  • Remove audit_rules_execution_restorecon from SRG control files. (#9503)
  • Add tests to file_ownership_binary_dirs (#9515)
  • Update ocil and ocil_clause in display_login_attempts (#9522)
  • Update some account rules according to RHEL9 STIG (#9499)
  • Include checktest for banner_etc_issue rule (#9521)
  • Update pam_faillock rules for RHEL9 STIG (#9520)
  • Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
  • Update clean_components_post_updating to align with RHEL9 STIG (#9510)
  • Update accounts_umask_etc_profile (#9496)
  • Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
  • Update audit rules RHEL9 STIG metadata (#9513)
  • Add tests to no_user_host_based_files (#9529)
  • Add tests to dir_perms_world_writable_system_owned (#9517)
  • Add tests to no_host_based_files (#9532)
  • Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
  • Add tests to clean_components_post_updating (#9530)
  • Update macros from audit privileged commands (#9502)
  • Update some PAM rules for RHEL9 STIG (#9514)
  • Add variable for auditd freq (#9504)
  • Align rule audit_rules_immutable with results of RHEL9 STIG assesment (#9506)
  • [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)

Changes in Remediations

  • Allow two modes of SSH key ownership (#9094)
  • Add oval and remediation for auditd_audispd_disk_full_action (#9195)
  • include = sign in remediation of configure_openssl_crypto_policy (#9194)
  • Condition run of newaliases to its availability (#9241)
  • Update accounts_password_pam_retry behavior (#8880)
  • Add DISA STIG ids to when conditions in ansible roles (#9029)
  • Improve bash_ensure_pam_module_line macro (#9252)
  • Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
  • Fix rule sudo_custom_logfile (#9299)
  • Fix ansible partition conditionals (#9339)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Add Kubernetes remediation for rule configure_crypto_policy (#9266)
  • Fix 2 ctest shellcheck issues (#9398)
  • Fix kernel_module_disabled remediation template (#9346)
  • Conditional for Ansible remediation on RHEL7 (#9440)
  • change parameter of findmnt used in bash partition conditional (#9480)
  • Fix remediation of rules dealing with Audit watches (#9463)

Changes in Checks

  • Update accounts_password_pam_retry behavior (#8880)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Fix rule sudo_custom_logfile (#9299)
  • Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
  • Mask sensitive objects (#9364)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
  • Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
  • Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
  • [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)

Changes in the Infrastructure

  • Fix various bugs in utils (#9172)
  • Remove CentOS 6 and SL 6 references from the project (#9211)
  • Fix pre tag in ocil_mount_option (#9209)
  • Remove unused build option (#9213)
  • Update gitpod HTML preview extension. (#9261)
  • Install ansible for the extra modules (#9273)
  • Use DS to build Ansible Playbooks and Bash scripts (#9291)
  • Stop validating ssg-product-xccdf.xml (#9292)
  • Use data stream to verify profile titles and descriptions (#9294)
  • Use data stream to verify references (#9293)
  • Generate CCE tables from data stream (#9300)
  • Fix CMake dependencies (#9328)
  • Use XCCDF 1.2 to create STIG overlay (#9301)
  • Specify output file names (#9361)
  • Test missing references in a data stream (#9295)
  • Add trim_trailing_whitespace to editorconfig (#9391)
  • Sort check-export elements (#9397)
  • Use data stream to generate statistics (#9296)
  • Generate per profile testinfo tables from XCCDF 1.2 (#9325)
  • Fix missing OCIL text and 800-53 references (#9415)
  • Use XCCDF 1.2 to generate STIG HTML tables (#9406)
  • Add a script to import SRG export changes (#9416)
  • Make groups inherit platforms from parent groups (#9465)
  • Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
  • correct inheritance of platforms by rules from groups (#9491)
  • Improve HTML for Table Templates (#9481)
  • SRG Export: Improve vuldiscussion sourcing (#9493)
  • Remove empty load operation (#9492)
  • Add tests to rule no_tmux_in_shells (#9518)
  • Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
  • Avoid sed hack (#9363)

Changes in the Test Suite

  • Automatus: close hanging tempfiles descriptors (#9199)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Support commas in variables (#9280)
  • Refactor templated test scenarios (#9254)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Replace platform conditionals in whole remediation code (#9347)
  • install_vm.py: add new option for disk size specification (#9479)
  • correct inheritance of platforms by rules from groups (#9491)
  • Add tests to audit privileged commands template (#9487)

Documentation

  • Enable Security Content workshop into Gitpod environment (#9438)
  • Add ordering to the platform key (#9488)

Content 0.1.63

29 Jul 19:45
dd0b62b
Compare
Choose a tag to compare

Important Highlights

  • Expand project guidelines (#8314)
  • Add Draft OCP4 STIG profile (#8799)
  • Add anssi_bp28_intermediary profile (#9045)
  • add products/uos20 to support UnionTech OS Server 20 (#8779)
  • products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
  • Remove WRLinux Products (#9106)
  • Update CIS RHEL8 Benchmark for v2.0.0 (#9154)

New Rules and Profiles

  • Fill gaps in the RHEL8/RHEL9 STIG (#9016)
  • Add anssi_bp28_intermediary profile (#9045)
  • Introduce OL9 ospp profile (#9057)
  • products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
  • add Audit OSPP rules for AArch64 (#9091)
  • Add grub2_systemd_debug-shell_argument_absent (#9100)
  • CIS RHEL8 v2.0.0 small fixes (#9165)

Updated Rules and Profiles

  • Make krb5 rules applicable only to older versions of certain package (#9003)
  • RHEL8 STIG: Install redhat gpg key (#8993)
  • Add anssi gshadow rules (#9022)
  • Fill gaps in the RHEL8/RHEL9 STIG (#9016)
  • remove support for external Audit files and cleanup test scenarios (#9073)
  • Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
  • Remove rule zip_vsyscall_argument (#9083)
  • Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
  • Make rule audit_access_success in OSPP profile unenforcing (#9082)
  • Cleanup RHEL9 OSPP networking sysctl rules (#9092)
  • Add two rules and some more CCEIDs (#9107)
  • add Audit OSPP rules for AArch64 (#9091)
  • remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
  • remove Rsyslog related rules from RHEL9 OSPP (#9116)
  • Anssi Rules Added (#9105)
  • remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
  • Update SLE15 DISA STIG from v1r6 (#9146)
  • Remove yp-related rules from RHEL9 (#9148)
  • Add Enable Auth Select to RHEL8/9 STIG (#9151)
  • BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
  • Relax chrony check and remediations (#9156)
  • make RHEL-08-020231 automated again (#9125)
  • Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • Amend OSPP references for some package_*_installed rules. (#9164)
  • Add automation content to kernel_module_uvcvideo_disabled (#9162)
  • Add missing rules to OL8 STIG profile (#9171)
  • Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
  • [Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
  • Make Audit aarch64 rules specific to RHEL9 only (#9187)
  • [stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
  • Remove 3 package rules from RHEL 9 OSPP (#9228)
  • Remove 3 crypto rules from RHEL 9 OSPP (#9227)
  • [Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
  • add new rule package_postfix_installed (stabilization) (#9214)
  • [Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
  • [stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
  • [Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
  • Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)

Removed Products

  • Remove WRLinux Products (#9106)

Changes in Remediations

  • Add whitespace in macro function so CTF can properly parse tokens (#9030)
  • EKS: Fix typo (#9037)
  • Fix regular expression in Ansible remediation (#9063)
  • Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
  • Ansible remediation for enable_authselect (#9085)
  • Refactor bash macros for PAM (#9017)
  • Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
  • Fix ubuntu logic in display_login_attempts (#9110)
  • Refactor Ansible macros for PAM (#9097)
  • Add Ansible remediation (#9114)
  • Create Ansible macro for authselect backup command (#9128)
  • Align PAM Bash macros to equivalent in Ansible (#9127)
  • SLE15 SP4 audit_rules_augenrules broken. (#9130)
  • fix bash remediation of configure_libreswan_crypto_policy (#9134)
  • add Ansible conditionals to CPE platforms determining architecture (#9126)
  • Set pipefail in Ansible shell commands with pipe (#9123)
  • Update faillock related macros (#9139)
  • Command 'chown', change from '.' to ':' separator (#9159)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
  • add new rule package_postfix_installed (stabilization) (#9214)
  • [Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)

Changes in Checks

  • Add missing ocil_clause for audit rules (#9109)
  • SLE15 SP4 audit_rules_augenrules broken. (#9130)
  • Reduce the list of FIPS crypto policies (#9149)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • Store intermediate OVAL check files (#9157)

Changes in the Infrastructure

  • Parametrize the file name of the container used by gitpod integration (#9043)
  • Add python vscode extension to the gitpod environment (#9074)
  • Add a markdown output target to create_srg_export (#9064)
  • Update docker files (#9153)
  • Remove the vendor-zipfile and redhat-zipfile targets (#9152)
  • Add per profile filter of missing_cce test (#9155)
  • Store intermediate OVAL check files (#9157)
  • [Stabilization] Install ansible for the extra modules (#9274)

Changes in the Test Suite

  • test_env.py: add more attempts when executing ssh command (#9015)
  • Rework tarball generation (#8883)
  • Add OL9 Dockerfile (#9099)
  • Update CIS L2 test for configure_crypto_policy (#9163)
  • Automatus: close hanging tempfiles descriptors (#9200)

Documentation

  • A EditorConfig file (#9020)
  • Add removed products to the changelog (#9108)
  • Guidelines: Add the entry about one-off scripts (#9089)
  • Fix typos in man page and profile descriptions (#9160)
  • Fix man-page header for lexgrog (#9158)

Content 0.1.62

27 May 15:04
30b8273
Compare
Choose a tag to compare

Important Highlights

  • Update rhel8 stig to v1r6 (#8670)
  • OL7 STIG v2r7 update (#8689)
  • Initial definition of ANSSI BP28 minmal profile for SLE (#8540)

New Rules and Profiles

  • New rules for network sysctls (#8371)
  • Grub2 bootloader CPU mitigations (#8325)
  • Add new template to check kernel build configurations (#8435)
  • Kernel memory configs (#8477)
  • Add rules for kernel memory allocators settings (#8488)
  • Add rules for kernel data structure configs (#8483)
  • Add rules for various kernel behaviors (#8502)
  • Add rules to check kernel IP stack configs (#8501)
  • Add rules for kernel compiler features (#8499)
  • Add rules for kernel security options (#8498)
  • Add rules for kernel module security (#8492)
  • Add rules for ARM64 kernel (#8506)
  • Add rules for 64b kernel (#8504)
  • Add rules to configure Kernel panic behavior (#8503)

Updated Rules and Profiles

  • gid_passwd_group_same oval does not allow ! in passwd field (#8296)
  • Update SRG-OS-000028-GPOS-00009 for RHEL9 STIG (#8321)
  • Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
  • Fix missing "to" in account restriction warnings (#8399)
  • SLE15 add sysctl_kernel_exec_shield to HIPAA profile5 (#7891)
  • Update SRG-OS-000480-GPOS-00229 for RHEL9 STIG (#8405)
  • Update SRG-OS-000480-GPOS-00232 for RHEL9 STIG (#8403)
  • Add sudoers_default_includedir rule support to SLE12 and SLE15 platforms (#8406)
  • SUSE Group init_module and finit_module audit rules. (#8407)
  • Update SRG-OS-000031-GPOS-00012 for RHEL9 STIG (#8414)
  • Update SRG-OS-000445-GPOS-00199 for RHEL9 STIG (#8415)
  • Update SRG-OS-000370-GPOS-00155 for RHEL9 STIG (#8422)
  • Update SRG-OS-000437-GPOS-00194 for RHEL9 STIG (#8416)
  • Update SRG-OS-000445-GPOS-00199 (#8439)
  • Add a rule to STIG profile in OL8 and RHEL8 (#8447)
  • SRG-OS-000349-GPOS-00137 for RHEL 9 STIG (#8471)
  • Add auid criteria to rules related to syscall audit rules (#8327)
  • remove redundant rule from HIPAA profiles (#8509)
  • Update SRG-OS-000120-GPOS-00061 for RHEL 9 STIG (#8514)
  • align RHEL8 OSPP with certification requirements (#8508)
  • Fix broken Oracle Linux doc links. (#8538)
  • For sle systems the etc shadow is group shadow (#8554)
  • Enable for ansible and bash remediation for SLE15 and SLE12. (#8545)
  • consistent perm_x product filtering (#8607)
  • Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG (#8505)
  • strip trailing blank lines for some templated audit rules (#8805)
  • Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
  • Add auid criteria to rules related to syscall audit rules (#8327)

Changes in Remediations

  • Use UID field for bash remediation of homedirs (#8398)
  • SUSE disable_users_coredumps enable bash remediation for sle. (#8558)
  • consistent perm_x product filtering (#8607)
  • Remediation and improvement for file_permissions_home_dirs rule (#7963)
  • fix ansible remediation of enable_dracut_fips_module (#8823)

Changes in the Infrastructure

  • Add
     tag HTML element to STIG mapping tables (#8367)
  • Remove reference to a nonexistent file (#8370)
  • Unify a custom_command (#8357)
  • Like the docs requirments GitPod should also use https vs the lagecy git protocol (#8440)
  • Update utils/create_srg_export.py (#8437)
  • Build data stream without OpenSCAP (#8364)
  • Improve the list of HTML guides (#8460)
  • Remove update_sds_version.py (#8369)
  • Add new GH job to generate XLSX table and HTML page with SRG mapping (#8326)
  • Fix index page generation for guides artifacts. (#8533)
  • Organize fix text macros (#8529)
  • Load any *.jinja file and organize macros (#8576)
  • Add cce to srg export (#8571)
  • Full Support Variables in SRG Export (#8635)
  • utils/compare_results.py to work with --stig-viewer results and print rule identifiers (#8634)
  • Fix variable substitution in SRG export (#8683)
  • Add custom requirement (#8705)
  • GH actions nightly builds (#8137)

Changes in the Test Suite

  • Test template filtering (#8052)
  • Fix same shadow field bug in tests (#8458)
  • Add Centos Stream 8/9 support in install_vm script (#8481)
  • Add templated tests for dconf_ini_file (#8740)
  • Cleanup tests package installed or removed (#8752)
  • Cleanup duplicate scenarios for sshd_lineinfile template (#8742)
  • Include snapshot cleanup functions for SSGTS (#8729)
  • test scenario adjustments for file_permissions template (#8750)
  • Cleanup custom kernel_module_disabled scenarios (#8753)
  • Add templated test scenarios for shell_lineinfile template (#8754)
  • Remove similar test scenarios on rules templated by file_groupownership (#8755)
  • SSGTS: Update to handle CentOS CPEs and fix prefix name of snapshots wrt podman limitation (#8767)
  • Add template mode to SSGTS (#8730)
  • Remove redundant custom test scenarios for service enabled/disabled rules (#8760)

Documentation

  • Fix docs build (#8402)
  • Document GHA release process (#8096)
  • Add docuemntion for Pandas dependancy (#8544)
  • Point the docs to new jinja macro files (#8577)
  • Remove Link Checker from README (#8745)

Content 0.1.61

01 Apr 17:27
4ba3353
Compare
Choose a tag to compare

Important Highlights

  • Stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Introduce OL9 product (#8102)
  • Implement handling of logical expressions in platform definitions (#8043)

New Rules and Profiles

  • Introduce OL9 product (#8102)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Introduce stig_gui profile for OL8 (#8200)
  • New rules related to pam_pwquality (#8185)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Add GRUB2 rule for slab_nomerge and mce (#8282)
  • Include rule mount_option_proc_hidepid (#8288)
  • New sysctl fs parameters (#8304)
  • Parametrize configuration of kernel.kptr_restrict and add rule for kernel.panic_on_oops (#8285)

Updated Rules and Profiles

  • Ol7 stig v2r5 (#7913)
  • HIPAA Rules in test (#7916)
  • Ubuntu specific bash and oval for dconf_gnome_login_banner_text (#7908)
  • The audit package and auditd service are needed for FAU_GEN.1 SFR. (#8069)
  • Clarify that log_format and name_format affects specifically information included in the audit records, not events for which audit records get generated. (#8071)
  • Ensuring immutable UIDs is related to the subject identity required by FAU_GEN.1.2, it does not affect for wihch events audit records will be generated. (#8072)
  • These auditd configurations affect the whole SFR, not just its specific parts. (#8070)
  • RHEL9 OSPP: drop some rules disabling kernel module loading (#8093)
  • The write_logs is related to where audit records end up stored, not what records get generated. (#8114)
  • Amend OSPP references for rsyslog omfwd/gtls configuration. (#8113)
  • On OSPP installation, the primary reason for having rsyslog installed… (#8111)
  • Configuring the CA certificate targets the TLS "internal" requirements, so FTP_ITC_EXT.1.1 is not needed. (#8112)
  • Ensure all processes are auditable and rules loaded for FAU_GEN.1 are applied. (#8098)
  • Update OL8 stig profile rule selection (#8124)
  • Requirement of not losing data at least to a limit comes from FAU_STG family. (#8133)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Simple stig v2r6 updates for OL7 (#8162)
  • Create OVAL check for selinux_context_elevation_for_sudo [OL7] (#8160)
  • Update rule to only remove the graphical interface (#8170)
  • drop not needed auditd.conf rules from rhel9 ospp (#8188)
  • New rules related to pam_pwquality (#8185)
  • Update configure_bashrc_exec_tmux to consider .d directory (#8146)
  • align ospp audit rules with the latest upstream release (#8152)
  • Align description of grub2 rules with checks and remediations (#8184)
  • Update RHEL7 STIG items to V3R6 (#8225)
  • update description of rhel9 ospp profile (#8232)
  • Add sudoers_default_includedir to ol7 STIG (#8229)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Fix bug 1195521 (#8215)
  • Fix for bug 1195523 (#8242)
  • Extend package_pam_pwquality_installed rule for RHEL (#8186)
  • make rule enable_fips_mode check only for technical state (#8255)
  • UEFI booting requires FAT support. (#8269)
  • Removed criteria in OVAL check of require_singleuser_auth (#8121)
  • no iptables.service in sle15 (#8292)
  • fix aide_build_database rule and remediation to work with sles 12 and 15 (#8287)
  • SLE 12 and 15 merge auditd file modification rules STIG IDs (#8295)
  • OL8 STIG severity adjustments (#8103)
  • Oval update for two rules to only allow results from only one file [ol7] (#8161)
  • Performance improvements for file permission and ownership templates (#8456)

Changes in Remediations

  • HIPAA Rules in test (#7916)
  • Fix handling of literal dollars in macros (#8252)
  • Various bash fixes (#8253)
  • Simplify generated augen bash expressions (#8254)
  • Fix the firewalld remediation (#8251)
  • Fix bash remediations of browsers (#8258)
  • Introduce convenience macros for find and awk (#8257)
  • Introduce a shellcheck test (#8032)
  • Refactor pam_faillock remediation (#8347)

Changes in the Infrastructure

  • Add condition to SCAPVal script that will trigger when SCAP standard is updated (#8062)
  • stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Implement handling of logical expressions in platform definitions (#8043)
  • Add backends attribute to template in rules schema (#8090)
  • Add gitpod support (#8123)
  • Added utils/compare_disa_xml.py (#8120)
  • Gitpod: Build OpenSCAP 1.3.6 so it can build OCP4 and EKS content (#8206)
  • Fix issue with getting STIG items in create_scap_delta_tailoring.py (#8245)
  • Store OVAL of compiled platforms as string (#8238)
  • Add a script to audit the SRG export CSV (#8077)
  • Add version to delta tailoring file name (#8247)
  • Various improvments to SRG Export Script (#8091)

Changes in the Test Suite

  • align ospp audit rules with the latest upstream release (#8152)
  • Remove grub2_pti_argument tests (#8310)
  • Delete test scenario that removes SSH keys from machine (#8309)
  • Remove RHEL7 platform from invalid_rescue.pass.sh (#8311)

Documentation

  • Document boolean expressions in "platform" definitions (#8094)
  • Add github workflow to publish statistics, guides and tables (#8136)
  • Add missing rsync dependency to gh-pages workflow (#8151)
  • Fix badges and remove Centos legacy CI integration (#8244)

Content 0.1.60

27 Jan 13:16
a84b054
Compare
Choose a tag to compare

Important Highlights

  • OL8 draft stig profile v1r1 (#7932)
  • Add Amazon EKS platform and initial profiles for the CIS benchmark (#7579)
  • Add CentOS Stream 9 derivative product from RHEL9 (#7878)

New Rules and Profiles

  • Rename/remove rule for package abrt-addon-python (#7899)
  • OL8 draft stig profile v1r1 (#7932)
  • Add stig_gui profile for ol7 (#7939)

Updated Rules and Profiles

  • update description of grub2_uefi_password (#7859)
  • remove ABRT related rules from RHEL9 (#7906)
  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • add hint about audit backlog configuration (#7909)
  • Update chronyd_or_ntpd_set_maxpoll to add maxpoll option to chrony pool directives (#7910)
  • Clarify behaviour of SSHD rules (#7919)
  • OL8 stig prodtype and platform (#7933)
  • fix enable_fips_mode remediations (#7936)
  • Removed OSPP MLS from RHEL9 (#8037)
  • mark rhel9 ospp and cui as draft (#8042)
  • fix problems with trailing blank lines in audit rules (#8047)
  • fix wrong Jinja macro for audit_rules_execution_restorecon (#8073)
  • Make rule network_nmcli_permissions applicable only when polkit is installed (#8110)
  • remove configure_gnutls_tls_crypto_policy from rhel9 (#8116)

Changes in Remediations

  • Use authselect to edit pam files if it is present (#8026)
  • Use authselect and custom profile for pam_pwhistory (#8030)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)
  • Use correct config file in ensure_gpgcheck_local_packages (#8105)
  • sshd_lineinfile ansible macro dir support and directory check fix (#8109)

Changes in Checks

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)

Changes in the Infrastructure

  • Add the ability to load controls from folder (#7876)
  • Add utils/compare_results.py (#7894)
  • Introduce handling of versioned Boolean algebra expressions (#7873)
  • Add a split option to utils/build_stig_control.py (#7904)
  • Upgrade to F34 in Gating (#7826)
  • Control to csv (#7775)
  • Fix issues with dividing a str by str in utils/render-policy.py (#7960)
  • Improve create_srg_export.py (#7959)
  • Add rationale to controls (#7975)
  • Clarify controleval.py help text (#8034)
  • Add better error messages to utils/controleval.py and add does not meet to stats output (#8038)
  • Improvements to controls and STIG export (#8039)
  • Generate release artifacts' checksums (#8087)

Changes in the Test Suite

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • fix problems with trailing blank lines in audit rules (#8047)
  • override two more tests for grub2_kernel_trust_cpu_rng (#8067)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)

Documentation

  • add hint about audit backlog configuration (#7909)
  • Add docs for create srg export (#7976)

Content 0.1.59

26 Nov 22:58
Compare
Choose a tag to compare

Important Highlights

  • Add support for Debian 11 (#7715)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Ground work for implementation of CPE applicability language (#7613)
  • Add HIPAA profile to SLE15 platform (#7776)
  • Add Delta Tailoring Files to the Build System (#7851)

New Rules and Profiles

  • Add rule only_allow_dod_certs (#7658)
  • Add new rule "service_ypserv_disabled" (#7679)
  • Add rule "Ensure All Groups on the System Have Unique Group Name" (#7676)
  • Add SSH LoginGraceTime rule (#7678)
  • Add rule accounts_root_gid_zero (#7685)
  • Add new rules for CIS Journald Config (#7682)
  • Add rule service_slapd_disabled (#7694)
  • Add rule group_unique_id (#7683)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Add HIPAA profile to SLE15 platform (#7776)

Updated Rules and Profiles

  • locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml: sles15 fix (#7389)
  • remove rule disable_prelink from rhel7 cis (#7621)
  • Make package_mcafeetp_installed work on Ubuntu (#7656)
  • Add rule to stig.profiles (#7664)
  • SLE bash remediation accounts_passwords_pam_faildelay_delay (#7661)
  • Add rule for RHEL8 CIS 5.2.16 (#7677)
  • remove old rule from rhel7 stig (#7710)
  • More flexibility for login banners (#7690)
  • Align rsyslog_remote_loghost to benchmarks (#7692)
  • Rework bash remediation for accounts_password_pam_unix_remember (#7660)
  • Return rule package_rsyslog-gnutls_installed to RHEL7 (#7731)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add var_sshd_set_keepalive to Ubuntu 20.04 STIG profile (#7771)
  • SLE15 Add rsh and talk server remove rules to HIPAA profile (#7813)
  • Change sshd_set_idle_timeout to require sshd_set_keepalive_0 (#7751)
  • SLE15 add service related rules to HIPAA profile (#7852)

Changes in Remediations

  • Add remaining Blueprint templates (#7609)
  • Make sure files have newline during bash lineinfile remediation (#7787)
  • accounts_no_uid_except_zero: Don't run passwd if awk returns nothing (#7779)
  • Make FIPS mode check idempotent (#7318)

Changes in the Infrastructure

  • Automated STIG Control File Creation (#7324)
  • Added Build, Test on OpenSUSE Leap 15 on pull requests (#7666)
  • Handle references with commas in utils/build_stig_control.py (#7697)
  • Add utils/create_scap_delta_tailoring.py (#7717)
  • Multi-file templates: file_permissions/file_groupowner/file_owner (#7405)
  • Ground work for implementation of CPE applicability language (#7613)
  • Fix utils/fix_rules.py exit codes (#7821)
  • Add Delta Tailoring Files to the Build System (#7851)
  • Add CentOS 7 build to CI (#7879)

Changes in the Test Suite

  • Test scenarios updates for gpgcheck rules (#7638)
  • service_enabled test scenarios templates (#7632)
  • Create test scenarios for rule gid_passwd_group_same (#7637)
  • ntp/chrony remove server remediations and test scenarios (#7631)
  • Add a fail test for accounts_password_all_shadowed (#7642)
  • Add test scenarios specific for CIS (#7634)
  • Implementing test ssh_set_max_sessions for rhel7 profiles (#7641)
  • Created pass/fail scripts for rule sshd_use_approved_macs (#7650)
  • Update SSGTS so it can use mount in containers (#7680)
  • Added ability to slice SSGTS rule checking runs (#7667)
  • Update tests for package_crypto-policies_installed (#7858)

Documentation

  • Add Styleguide (#7515)
  • improve documentation (#7063)
  • Add sphinx missing dependency in the developer guide (#7645)
  • Update CONTRIBUTING.md (#7722)
  • Add type hints to style guide (#7773)
  • Fix directories count in docs/manual/developer/03_creating_content.md (#7805)
  • Improve jinja docs (#7785)
  • Introduced graphs in the documentation (#7825)
  • Add rule schema (#7796)

Content 0.1.58

24 Sep 14:44
fb2bd4e
Compare
Choose a tag to compare

Important Highlights

  • Add SCE Support to build system (#7075)
  • Split RHEL 8 CIS profile using new controls file format (#6976)
  • Introduce automated CCE adder (#7249)
  • CIS Profiles for SLE12 (#7434)
  • Add initial Ubuntu 20.04 STIG Profile (#7220)

New Rules and Profiles

  • Add initial Ubuntu 20.04 STIG Profile (#7220)
  • Add rules for RHEL-08-030610 (#7256)
  • Add Ubuntu to cron.allow, at.allow rules for CIS (#7223)
  • New rules for RHEL-08-010290 (#7151)
  • New rules for RHEL-08-010291 (#7169)
  • Add /var/log/audit individual ownership rules (#7129)
  • New rule for RHEL-08-020270 (#7276)
  • Add rule new for RHEL-08-030700 (#7264)
  • Added new rule for RHEL-08-030710 (#7268)
  • Add rule for RHEL-08-020300 (#7289)
  • Add rule for RHEL-08-020090 (#7313)
  • Introduce support for the distributed SSHd configuration (#6926)
  • UBTU-20-010057: Add missing rules (#7363)
  • Add new rule for RHEL-08-030720 (#7288)
  • Add a new rules RHEL-08-010001 and RHEL-07-020019 (#7344)
  • Add new rule for RHEL-07-030330 and RHEL-08-030730 (#7323)
  • Added rule for RHEL-08-010400 (#7411)
  • Sysctl disable ipv6 (#7460)
  • CIS Profiles for SLE12 (#7434)

Updated Rules and Profiles

  • fix problems with variables in rhel7 cis (#7237)
  • Sort references, identifiers in rule.yml (#6882)
  • Correct some issues with the CIS ICMP redirects rule on RHEL 7/8 (#7259)
  • remove broken links to support.ntp.org (#7262)
  • Mark as machine rules that collect password_object (#7263)
  • OCP4: fips_mode_enabled rule relates to IA-7 (#7267)
  • Enable dconf rules for RHEL9 (#7011)
  • Enable generic rules for RHEL9 (#7147)
  • Introduce support for the distributed SSHd configuration (#6926)
  • Add service_pcscd_enabled to SLE15 PCI-DSS profile (#7322)
  • update version of rhel7 stig_gui profile (#7340)
  • Update References for RHEL8 STIG V1R3 (#7299)
  • Suse sle15 fix reference sles 15 030350 assignment (#7346)
  • Add to sle15 PCI-DSS profile rules for account uniqueness and grub config ownership (#7345)
  • Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286 (#7354)
  • Add SRGs for accounts_password_pam_dictcheck and sssd_enable_certmap (#7362)
  • Update RHEL 8 CIS references to match benchmark 1.0.1 (#7356)
  • Update CCEs and identifiers on rules that make up RHEL 8 CIS 4.1.15 (#7353)
  • generic updates to rhel7 CIS (#7384)
  • Update existing rule for RHEL-08-020320 (#7303)
  • OCP4: Remove kubelet_disable_hostname_override rule (#7391)
  • SLES-12-010599 - remove rule from the STIG (#7397)
  • add kickstarts for rhel8 CIS profiles (#7383)
  • add rhel7 kickstarts for CIS profiles (#7382)
  • UBTU-20-010056: Use rule accounts_password_pam_dictcheck (#7366)
  • Add ensure_logrotate_activated rule to SLES15 PCI-DSS (#7381)
  • products/sle15/profiles/stig.profile: Update according to U_SLES_15_STIG_V1R3 Manual (#7388)
  • Add PCI-DSS rules (#7373)
  • Add PCI-DSS file Rules (#7417)
  • Add PCI-DSS file rules (#7430)
  • SUSE SLE15 service chronyd or ntpd enabled pci dss (#7425)
  • Add rsyslog log file configuration rules to SUSE SLE15 PCI-DSS profile (#7420)
  • Update existing rules for RHEL-07-010492 and RHEL-07-010482 (#7438)
  • Add rule for SLES-12-030365 (#7177)
  • SLE15 add package_aide_installed to PCI-DSS profile (#7476)
  • SLE15 add package security rules to PCI-DSS profile (#7473)
  • SLE15 Add password hashing rules to PCI DSS profile (#7474)
  • SLE15 add audit data retnetion rules to PCI-DSS profile (#7475)
  • SLE15 add sssd_enable_smartcards to PCI-DSS rule (#7472)
  • PCI-DSS Add more auditd rules (#7477)
  • OL7 DISA STIG v2r4 update (#7496)
  • Pcidss Configure Crypto Rules (#7398)

Changes in Remediations

  • Enable remediations for crypto policy settings (#7242)
  • fix ansible of accounts_root_path_dirs_no_write (#7255)
  • add / fix remediations for audit rules wrt modules (#7252)
  • Fix possible issue in harden_openssl_crypto_policy remediation (#7178)
  • Mount option template updates (#7081)
  • Fix coverity problems (#7258)
  • Fix ansible remediation of display_login_attempts (#7271)
  • Fixed the remediations when there are no previous kernelopts (#7257)
  • Remove specific metadata in shared Bash remediations (#7254)
  • Update existing rule for RHEL-08-030650 (#7283)
  • Remove kubelet_disable_hostname_override rule (#7400)
  • Fix remaining audit rule files permissions. (#7440)

Changes in Checks

  • Add oval check for bios_enable_execution_restrictions (#7227)
  • Mount option template updates (#7081)
  • Update existing rule for RHEL-08-030650 (#7283)

Changes in the Infrastructure

  • Prioritize install_smartcard_packages like package_*_installed (#7224)
  • Sort references, identifiers in rule.yml (#6882)
  • Add SCE Support to build system (#7075)
  • SSGTS: tests for shared/templates (#7211)
  • Add new rule for RHEL-08-030720 (#7288)
  • Introduce automated CCE adder (#7249)
  • Add sort prodtypes to fix_rules (#7454)

Changes in the Test Suite

  • Add rhel9 Dockerfile and distro choice into install_vm.py (#7235)
  • fix ansible of accounts_root_path_dirs_no_write (#7255)
  • install_vm.py: add --console option (#7186)
  • Add some more tests (#7083)
  • Add RHEL7 specific test kickstart (#7355)
  • SSGTS: tests for shared/templates (#7211)
  • Fix combined mode execution in SSGTS (#7395)
  • Option --no-reports for SSGTS rule and combined modes (#7523)

Documentation

  • Document rule.yml modification utilities (#6916)
  • Update Mailing list location in docs (#7293)
  • Fix links to repo: SSG->CaC (#7311)
  • More documentation (#7406)
  • Fix RHEL7 documentation links (#7409)
  • Add readthedocs integration badge (#7407)
  • Fix RHEL7 documentation link (#7443)
  • Add bats to gating and docs (#7543)

Content 0.1.57

30 Jul 08:55
Compare
Choose a tag to compare

Highlights

  • CIS profile for RHEL 7 is updated
  • initial CIS profiles for Ubuntu 20.04
  • Major improvement of RHEL 9 content
  • new release process implemented using Github actions

New Rules and Profiles

  • Add rule sudo_add_passwd_timeout (#6984)
  • SLES-12-010420 and SLES-15-010510 rules (#7028)
  • SLES-15-010355 rule (#6947)
  • New rsyslog rule per RHEL-08-010070 STIG (#7114)
  • Add initial Ubuntu 20.04 CIS Profiles (#7181)

Updated Rules and Profiles

  • Update ANSSI policy metadata and undraft High Level (#6997)
  • Update cis sle15 profile to better represent the release version 1.0.0 (#7056)
  • Start splitting of rhel7 CIS (#7108)
  • Splitting rhel7 cis profile - section 2 (#7112)
  • Splitting rhel7 cis profile - section 3 (#7111)
  • splitting CIS rhel7 profile - section 4 (#7134)
  • Split RHEL 7 CIS profile - section 5 (#7193)
  • split CIS for rhel7 - section 6 (#7219)

Changes in Remediations

  • Add bash package installated macro (#7032)
  • Ansible playbook to role updates (#7042)
  • Add option to enable installation of individual ansible playbooks per rule (#7039)
  • Only enable ansible/yaml lint tests when playbooks are built (#7099)
  • ensure_pam_module_options now fix empty option value (#7116)
  • Fix bash remediation of sudo_defaults_option (#7146)
  • Fix regex in dconf ansible remediation (#7150)

Changes in Checks

  • Fix disable_users_coredumps's limits.d exists (#7030)
  • Fix oval check in uefi_no_removeable_media (#7067)
  • Add option_regex_suffix to sudo_defaults_option template (#7082)

Changes in the Infrastructure

  • Fix bugs in rule_dir_json.py (#6911)
  • Fix utilities after product move (#7113)
  • Fix kernel module disable template (#7086)
  • SSGTS: Jinja enablement for test cases (#7210)

Changes in the Test Suite

  • Fix SSG test suite support for setting variables (#7097)
  • SSGTS: Jinja enablement for test cases (#7210)

Content 0.1.56

26 May 12:31
Compare
Choose a tag to compare

Highlights:

  • Align ism_o profile with latest ISM SSP (#6878)
  • Align RHEL 7 STIG profile with DISA STIG V3R3
  • Creating new RHEL 7 STIG GUI profile (#6863)
  • Creating new RHEL 8 STIG GUI profile (#6862)
  • Add the RHEL9 product (#6801)
  • Initial support for SUSE SLE-15 (#6666)
  • add support for osbuild blueprint remediations (#6970)

Profiles changed in this release:

  • sle12: stig
  • sle15: cis, stig
  • rhel7: stig_gui, stig
  • rhel8: stig_gui, stig, ism_o
  • rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
  • ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
  • ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
  • rhv4: pci-dss
  • ocp4: cis-node, cis
  • rhel9: pci-dss

Profiles:

  • Add updated manual DISA STIG XML reference files (#6903)
  • rhcos4/e8: Use individual kernel module load audit rules (#6797)
  • rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
  • bump rhel7 stig version to v3r3 (#6951)
  • remove no longer relevant rules from rhel7 stig (#6865)
  • Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
  • Update OL e8 profiles (#6840)
  • Remove rules related to gnome/dconf (#6884)
  • Ol cjis profiles (#6851)
  • Add PCI-DSS profile to RHV4 (#6867)
  • OL hipaa profiles (#6819)
  • Update OL cui profiles (#6818)
  • remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
  • RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
  • rhcos4: Remove sssd configuration check from moderate profile (#6774)
  • RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
  • RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
  • RHCOS: Temporarily remove UEFI password rule (#6757)
  • Add new rules to sle12/profiles/stig.profile (#6665)
  • Remove package_gssproxy_removed from STIG GUI profile (#6967)
  • Updating RHEL8 STIG profile for readability changes (#6856)
  • Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
  • Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)

Rules:

  • Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
  • Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
  • Fix grub2's /boot location for Debian, Ubuntu (#6986)
  • Add rules to remove setroubleshoot server and plugin packages (#6969)
  • SLES-15-010362 (#6968)
  • Fix groupowner/permissions for ubuntu2004 (#6979)
  • SLES-15-10352 rule (#6822)
  • Enable RHEL9 for kernel-related rules (#6966)
  • Enable SELinux rules for RHEL9 (#6959)
  • Move rule grub2_enable_iommu_force to use template (#6956)
  • Clarify what fixes for AiDE acl and xattrs do (#6960)
  • Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
  • Adding new rule for RHEL-08-010294 (#6932)
  • Add OCIL to sshd_limit_user_access (#6836)
  • SLES-15-030390 add rule, remediation and test (#6802)
  • Add Rule for SLES-15-040382 (#6811)
  • RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
  • RHCOS4: Add recommended chrony config (#6786)
  • Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
  • Prevent global references to use product-qualifiers (#6896)
  • OCP: Fix description of kubelet TLS cipher suites (#6900)
  • Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
  • Update VSEL references to remove qualifier from global references (#6948)
  • SLES-15-010250 add rule, remediation and tests (#6879)
  • add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
  • Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
  • Add Rule,Remediation and Test for SLES-15-030760 (#6869)
  • Revert STIG id for require_emergency_target_auth (#6928)
  • Remove bogus nist: FOO-1(a) references (#6917)
  • remove product specific disa and srg references (#6895)
  • ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
  • Fix usbguard match-all syntax for HID rule (#6909)
  • RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
  • Notate that Ubuntu is a FIPS-certified OS (#6912)
  • OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
  • update require_emergency_target_auth (#6894)
  • add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
  • Add Rule,Test for SLES-15-020103 (#6881)
  • Prevent unqualified CIS and STIGID references (#6871)
  • SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
  • Add rules related to permissions of /var/log and /var/log/messages (#6861)
  • SLES-15-010220 updates for firewalld (#6831)
  • Add OL anssi profiles (#6817)
  • update accounts_tmout (#6839)
  • SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' (#6826)
  • add rule for disabling of GUI (#6860)
  • Add rules for SLES-12-010060 (#6806)
  • CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
  • fix service_sshd_enabled for SLE-15 (#6830)
  • RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
  • Add HIPAA rules references (#6854)
  • RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
  • Add CCI reference to package_gssproxy_removed (#6846)
  • Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
  • SLES-15-010353 map rule file_ownership_library_dirs (#6820)
  • Add CCEs for RHEL9 rsyslog rules (#6832)
  • SLES-15-010030 rule (#6821)
  • SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
  • Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
  • OCP4: Add applicability warnings (#6823)
  • service_nfs_disabled - change name of nfs service to nfs-server (#6777)
  • Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
  • OCP4: Address flowschema version change by handling different OCP versions (#6813)
  • Abort the build if an OVAL is not included due to extend_definition (#6402)
  • Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
  • service_rsyncd_disabled - update package name to rsync-daemon (#6783)
  • Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
  • RHCOS4: Fix require_singleuser_auth rule (#6780)
  • ocp4: Add relevant description for protectKernelDefaults rule (#6705)
  • CIS 5.2, 5.4, and 5.6 updates (#6704)
  • Add documentation links for OL7 and OL8 (#6756)
  • Update OL OSPP profiles (#6745)
  • Change dhcp server package name to dhcp-server in rhel8 (#6762)
  • SLES-15-020101 add rule and tests, no remediation (#6734)
  • Add ansible and bash remediation for wireless_disable_interfaces (#6685)
  • ocp4: Switch to using the platforms construct (#6759)
  • Add rule for RHCOS to check for interactive boot being disabled (#6747)
  • Fix oracle documentation links (#6740)
  • implement support for multiple platforms connected with disjunction (#6661)
  • rhcos4: Add check for nousb kernel argument (#6743)
  • Add tests for no files unowned by user/group rules (#6738)
  • Add rule for checking selinux is not disabled in coreos (#6737)
  • ocp4/etcd: Fix rule checks for 4.8 (#6732)
  • Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
  • CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
  • CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
  • Updating macros to support idempotency when deduplicating values (#6953)
  • Fix Rule CPE Name inheritance (#6943)
  • Reorganize env and product yaml (#6754)
  • RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
  • rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
  • RHCOS4: Add recommended auditd.conf remediation (#6782)
  • Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
  • Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
  • rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
  • RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
  • mount_option ansible remediation - remediate when mount point is not in mounted (#6713)

Tests:

  • install_vm.py: add possibility to install GUI system (#7004)
  • Improve the test suite wrapper (#6944)
  • Remove code from OCP4 e2e tests (#6961)
  • Add test scenarios for service enable/disable rules from CIS profile (#6785)
  • Missing references test (#6849)
  • Fix RHEL8 STIG with GUI stable profile data (#6874)
  • increase /usr partition size in testing kicstart (#6808)
  • Add Ubuntu as a known platform for ssg_test_suite (#6794)
  • Add package_* test scenarios (#6752)
  • Add tests for rule accounts_password_pam_minlen (#6751)
  • Add tests for rule accounts_no_uid_except_zero (#6750)
  • Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
  • Update tests of accounts_tmout to work when overriding profiles (#6765)
  • Update tests of account_disable_post_pw_expiration (#6753)
  • Add tests for rule account_unique_name (#6749)
  • accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
  • Switch to generic python shebang (#6744)
  • Add tests for rule no_netrc_files (#6741)
  • Add tests for rule accounts_minimum_age_login_defs (#6735)
  • Updated test scenarios to work on containers (#6701)
  • Add tests for rule accounts_password_warn_age_login_defs (#6736)
  • Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
  • ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
  • Add test scenarios for rsyslog rules (#6712)
  • set_firewalld_default test scenarios (#6721)
  • sysctl_net_* test scenarios (#6696)
  • rpm_verify_ownership test scenarios (#6703)
  • postfix_network_listening_disabled tests (#6708)
  • Ignore trailing whitespaces in...
Read more

Content 0.1.55

19 Mar 12:40
Compare
Choose a tag to compare

Highlights:

  • big update of rules used in SLES-12 STIG profile
  • Render policy to HTML (#6532)
  • Add variable support to yamlfile_value template (#6563)
  • Introduce new template for dconf configuration files (#6118)

Profiles changed in this release:

  • ocp4: cis-node, cis, e8, moderate
  • rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
  • rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
  • sle15: cis, standard
  • debian10: anssi_np_nt28_average, standard
  • debian9: anssi_np_nt28_average, standard
  • fedora: pci-dss, standard
  • ol7: pci-dss, stig, standard
  • ol8: ospp, hipaa, standard, pci-dss, cjis
  • rhcos4: e8, ospp, moderate
  • rhv4: rhvh-stig, rhvh-vpp
  • sle12: stig
  • ubuntu1604: anssi_np_nt28_average, standard
  • ubuntu1804: cis, anssi_np_nt28_average, standard
  • ubuntu2004: standard
  • wrlinux1019: draft_stig_wrlinux_disa

Profiles:

  • remove ensure_logrotate_configured from CIS profiles (#6693)
  • configure_crypto_policy update for CIS profile (#6673)
  • remove kernel_module_vfat_disabled from CIS profiles (#6613)
  • E8 ocp revisions (#6587)
  • Update ANSSI profile descriptions (#6592)
  • Bump RHEL7 STIG version to v3r2 (#6576)
  • OL7 DISA STIG v2r1 update (#6538)
  • Select RHEL8 STIG V1R1 existing content (#6579)
  • OL7 DISA STIG v2r2 update (#6607)
  • Update OL standard profiles (#6604)
  • Update OL pci-dss profiles (#6605)
  • Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
  • remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)

Rules:

  • Update selinux_confinement_of_daemons rule (#6695)
  • Adds classification-banner rule (#6652)
  • CIS 5.1 changes (#6678)
  • ocp4: Fix audit log forwarding rule (#6680)
  • CIS 5.1 and 5.2: More ocil updates (#6689)
  • Change instances of cis to cis@ocp4 for openshift (#6654)
  • Revert hardcoding of ClientAliveCountMax to 0 (#6434)
  • SLES-12 add checks and remediations (#6635)
  • Update ANSSI references (#6662)
  • Add missing CIS references (#6660)
  • move ssh_client_rekey_limit to correct group (#6612)
  • Fix STIG id reference for sshd_x11_use_localhost (#6628)
  • fix wrong description of sshd_limit_user_access (#6623)
  • mark some CIS rules as machine-only (#6611)
  • CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
  • ocp4: Add link to documentation for etcd encryption (#6590)
  • Drop remediation for sysctl_kernel_modules_disabled (#6586)
  • OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
  • CIS: Update api_server_request_timeout description and check (#6572)
  • add rhel7 stig specific rule for sshd approved macs (#6546)
  • Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
  • add rhel7 stig specific rule for ssh ciphers (#6541)
  • sshd_set_keepalive PCI DSS requirement reference (#6531)
  • add rule sysctl_kernel_modules_disabled (#6533)
  • RHEL-07-040710 now configures X11Forwarding to disable (#6537)
  • add rule sshd_x11_use_localhost (#6534)
  • Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
  • fix remediations of ensure_logrotate_activated (#6710)
  • ocp4/e2e: fix classification_banner remediation (#6679)
  • ocp4: Add e2e for no_direct_root_logins (#6621)
  • rhcos4: Add remediations and rules to enable usbguard (#6452)
  • Require separate filesystem for /var/tmp (#6523)
  • Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)

Tests:

  • fix test for smartcard_auth (#6694)
  • Fix test scenario of rpm_verify_permissions rule (#6671)
  • Supress Ansible lint error 503 (#6542)
  • Add test to check for duplicated STIG ids (#6135)