
Releases: ComplianceAsCode/content

SCAP Security Guide 0.1.24 Release Notes

08 Jul 12:28

Highlights:

  • Add initial draft of Standard Security Profile for RHEL-7 to serve as a base to ensure common security sanity of the various flavours of Red Hat Enterprise Linux 7 systems ("traditional", virtualized / containerized, RHEL-7 Atomic host etc.),
  • Dozens of new remediation scripts for various audit rules of Red Hat Enterprise Linux 7 systems,
  • HTML formatted guides enhancements (start building HTML guide for each profile, minimize the HTML guide size by unselecting empty groups). Thanks to Martin Preisler for contributing these!

Enhancements:

  • Add initial draft of Standard Security Profile for RHEL-7,
  • Use XCCDF's override inheritance model when extending profiles,
  • Enhance the former fix_audit_watch_rule and fix_audit_syscall_rule remediation functions to work properly also on RHEL-7 and Fedora systems,
  • Start building HTML formatted guide for every profile for every benchmark (product),
  • Apply that build-all-guides change to Fedora, Chromium, Firefox, JRE, OpenStack, RHEL/5, RHEL/6, RHEL/7, and Webmin products,
  • Implement HTML index file to ease browsing across the HTML guides produced,
  • Implement non-JavaScript option for HTML index files,
  • Build default profile as part of build-all-guides effort,
  • Changed the logic for building the HTML formatted guides so that XCCDF groups that do not have at least one rule selected are no longer shown in the final HTML guide (they remain accessible when tailoring the content),
  • Added CentOS6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added CentOS7 CPE to CPE dictionary for RHEL-7 and variants,
  • Added Scientific Linux 6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added Scientific Linux 7 CPE to CPE dictionary for RHEL-7 and variants,
  • Add draft / example PCI-DSS' profile kickstart for Red Hat Enterprise Linux 7 Server system using the Oscap Anaconda Addon tool,

XCCDF changes / enhancements:

  • [RHEL/7] Update the XCCDF prose for Enable the NTP Daemon rule to properly deal with chronyd daemon,

OVAL check changes:

  • [RHEL/7] Update the existing OVAL check for the Enable the NTP Daemon rule to return PASS if at least one of the chronyd or ntpd services is enabled (the patch for this issue also fixed one invalid selector in the RHEL-7 PCI-DSS profile),

New Remediations:

  • [RHEL/7] audit_rules_file_deletion_events,
  • [RHEL/7] audit_rules_kernel_module_loading,
  • [RHEL/7] audit_rules_sysadmin_actions,
  • [RHEL/7] audit_rules_media_export,
  • [RHEL/7] audit_rules_unsuccessful_file_modification,
  • [RHEL/6] [RHEL/7] audit_rules_session_events,
  • [RHEL/7] audit_rules_dac_modification_setxattr,
  • [RHEL/7] audit_rules_dac_modification_removexattr,
  • [RHEL/7] audit_rules_dac_modification_lsetxattr,
  • [RHEL/7] audit_rules_dac_modification_lremovexattr,
  • [RHEL/7] audit_rules_dac_modification_fsetxattr,
  • [RHEL/7] audit_rules_dac_modification_fremovexattr,
  • [RHEL/7] audit_rules_dac_modification_chown,
  • [RHEL/7] audit_rules_dac_modification_fchown,
  • [RHEL/7] audit_rules_dac_modification_fchownat,
  • [RHEL/7] audit_rules_dac_modification_lchown,
  • [RHEL/7] audit_rules_dac_modification_chmod,
  • [RHEL/7] audit_rules_dac_modification_fchmod,
  • [RHEL/7] audit_rules_dac_modification_fchmodat,
  • [RHEL/7] audit_rules_mac_modification,
  • [RHEL/7] audit_rules_networkconfig_modification,
  • [RHEL/7] audit_rules_usergroup_modification,
  • [RHEL/7] audit_rules_time_watch_localtime,
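The following is an added example, not the project's own fix_audit_syscall_rule function: an idempotent shell remediation in the style of the audit_rules_dac_modification_chown / fchown / fchownat / lchown rules listed above. It writes one syscall rule per architecture into a rules file whose path is passed in (a constructed temp file in the usage at the bottom); the exact rule format and the `perm_mod` key are assumptions.

```shell
#!/bin/bash
# Added example (not ComplianceAsCode's fix_audit_syscall_rule): idempotent
# auditd syscall-rule remediation for the chown family of syscalls.

# ensure_audit_syscall_rule RULES_FILE ARCH SYSCALLS KEY
# Appends an "-a always,exit" syscall rule for ARCH unless the identical line is
# already present, so running the remediation twice does not duplicate rules.
# Assumed rule format: audit only unprivileged, logged-in users (auid>=1000,
# auid!=unset encoded as 4294967295) and tag matches with KEY for searching.
ensure_audit_syscall_rule() {
    local rules_file="$1" arch="$2" syscalls="$3" key="$4"
    local rule="-a always,exit -F arch=${arch} -S ${syscalls} -F auid>=1000 -F auid!=4294967295 -k ${key}"
    # Only a verbatim-identical line counts as "already applied"; a rule for the
    # same syscalls under a different key is left alone and a new one is added.
    if grep -qxF -- "$rule" "$rules_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# remediate_chown_audit RULES_FILE
# auditd needs a separate rule per ABI, so a 64-bit host also catches callers
# using the 32-bit syscall table (b32). Key name "perm_mod" is an assumption.
remediate_chown_audit() {
    local rules_file="$1"
    ensure_audit_syscall_rule "$rules_file" b32 "chown,fchown,fchownat,lchown" perm_mod
    ensure_audit_syscall_rule "$rules_file" b64 "chown,fchown,fchownat,lchown" perm_mod
}

# count_rules RULES_FILE KEY: number of rules tagged with KEY (idempotence check).
count_rules() {
    grep -c -- "-k $2\$" "$1" 2>/dev/null || true
}

# Usage against a constructed temp file (a real remediation would target
# /etc/audit/rules.d/ and then reload auditd, which is deliberately not done here).
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp_rules="$(mktemp)"
    remediate_chown_audit "$tmp_rules"
    remediate_chown_audit "$tmp_rules"   # second run must be a no-op
    echo "rules with key perm_mod: $(count_rules "$tmp_rules" perm_mod)"   # expected: 2
    rm -f "$tmp_rules"
fi
```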

Remediation fixes / other changes:

  • [RHEL/6] Rewrite audit_rules_dac_modification_setxattr remediation to start using fix_audit_syscall_rule remediation function,
  • [RHEL/6] Rewrite existing RHEL-6 audit_rules_dac_modification_chown, audit_rules_dac_modification_fchown, audit_rules_dac_modification_fchownat, and audit_rules_dac_modification_lchown remediation scripts to start using fix_audit_syscall_rule function,
  • [RHEL/6] Rewrite audit_rules_dac_modification_chmod, audit_rules_dac_modification_fchmod, audit_rules_dac_modification_fchmodat to start using fix_audit_syscall_rule function,

Bug Fixes:

Infrastructure:

  • Drop Fedora 20 support in Fedora benchmark since EOL,
  • Multiple ShellCheck warnings fixed across the content,
  • Multiple scap-security-guide.spec.in simplifications,
  • Unified all LICENSE files into just one ./LICENSE,

SCAP Security Guide 0.1.23 Release Notes

23 Jun 15:30

Highlights:

  • Start porting of PCI-DSS profile from RHEL-6 to RHEL-7
  • Add OVAL-5.11 language support for RHEL-7 product if underlying system's oscap version supports OVAL-5.11 already
  • Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
  • Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
  • Enhance XML files validation performed via make validate target for all products (optimize speed, validate all XML files against schematron where possible etc.)

Enhancements:

  • Add Chromium SCAP STIG content

  • Include Firefox, JRE, and Chromium content by default into Fedora's RPM

  • [Fedora] Add ShellCheck test as part of make validate for Fedora content

  • Ported OVAL checks:

    • audit_rules_mac_modification,
    • audit_rules_networkconfig_modification,
    • audit_rules_time_watch_localtime,
    • audit_rules_time_clock_settime,
    • audit_rules_time_stime,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_adjtimex

    audit rules have been ported to RHEL-7 and Fedora products.

  • [RHEL/7] [Fedora] Port accounts_passwords_pam_faillock_unlock_time OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_immutable OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_login_events OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_session_events OVAL check to RHEL-7 and Fedora

  • [RHEL/7] Enable service_auditd_enabled and service_chronyd_enabled for RHEL-7's PCI-DSS profile

New OVAL checks:

  • [RHEL/7] Add RHEL-7 OVAL checks for service_rdisc_disabled and service_rsyslog_enabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_oddjobd_disabled and service_qpidd_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_autofs_disabled and service_ntpdate_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_atd_disabled and service_abrtd_disabled
  • [RHEL/7] [Fedora] Add display_login_attempts OVAL check for RHEL-7 and Fedora products

New remediations:

  • [RHEL/7] Implement remediation fix for RHEL-7's accounts_password_pam_maxrepeat rule

Bug Fixes:

  • [Infrastructure] Multiple testcheck.py fixes and enhancements:
    • De-duplicate OVAL entity identifiers
    • Enhance testcheck.py to return an appropriate exit code depending on the exit status of the internally called oscap oval eval command
    • Add support for quiet mode (options -q | --quiet | --silent) to testcheck.py
    • Fix testcheck.py bug when dealing with external variables
  • Fix broken python modules in Git tree
  • [RHEL/6] [OVAL check fix] Fix accounts_passwords_pam_faillock_interval and accounts_passwords_pam_faillock_unlock_time to use preauth option instead of authsucc
  • Correct some of the remediation script issues reported by the ShellCheck tool for the remediation scripts for Firefox, JRE, RHEL-6, and RHEL-7 products
  • [RHEL/6] Fix OVAL checks for sysctl_net_ipv6_conf_default_accept_ra and sysctl_net_ipv6_conf_default_accept_redirects to report proper results if IPv6 is disabled on the underlying system
  • [RHEL/7] Fix missing selector values to selected PAM variables as required by PCI-DSS profile
  • [BugFix] [RHEL/7] [Fedora] Update XCCDF prose for the display_login_attempts rule for RHEL-7 and Fedora products to provide the correct recommendation with respect to pam_lastlog settings on these products
  • [BugFix] [Infrastructure] Fix test_attestation links to be valid URLs (both for XCCDF and for OVAL)
  • [RHEL/7] Fix remediation script for accounts_password_pam_minclass
  • [BugFix] [RHEL/6] [RHEL/7] Don't include the test profile into the final benchmark by default, only upon request
  • [BugFix] [Chromium] [Firefox] [Java] [Webmin] Specify correct profile name when generating HTML guides for these products
  • [BugFix] Rename 'Java' product to be 'JRE' product (since JRE has been suggested as a more appropriate name for this benchmark)
  • [BugFix] [JRE] Fix trailing whitespace issues in the JRE content

Remediation fixes:

  • [RHEL/7] sshd_enable_warning_banner: ensure the banner config appears on a line by itself
  • [RHEL/6] accounts_passwords_pam_faillock_interval remediation: use the proper fail_interval option