Releases: ComplianceAsCode/content

Content 0.1.75

14 Nov 19:57
73a89fb

Important Highlights

  • Add new product kylinserver10 (#12393)
  • Create OL10 product (#12290)
  • Update PCI-DSS control file for version 4.0.1 (#12435)

New Rules and Profiles

  • [New Rule] Package kea removed (#12464)
  • Add Ism profile for ol8 (#12493)
  • Add Ism profile to OL9 (#12346)
  • Create CIS rules for login banners (#12472)
  • New rule tftp_uses_secure_mode_systemd (#12436)
  • Update chrony rules for RHEL 10 (#12415)
  • Update RHEL 9 STIG to V2R2 (#12551)

Updated Rules and Profiles

  • Add to slmicro5 STIG pam pwhistory remember rule (#12255)
  • Add CCI to package_postfix_installed (#12446)
  • Add hipaa reference to sshd_use_directory_configuration (#12437)
  • Add Ism profile for ol8 (#12493)
  • Add Missing CPEs for RHEL10 (#12411)
  • Add OL into jinja conditionals (#12461)
  • Add package_rng-tools_installed to Fedora OSPP profile (#12244)
  • Add RHEL 10 to Jinja if statements in firewalld_sshd_port_enabled (#12504)
  • Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
  • Add rule chronyd_or_ntpd_set_maxpoll to SLE Micro 5 STIG profile (#12499)
  • Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
  • Add rules removed from RHEL8/RHEL9 profiles back to datastream (#12572)
  • Add STIG rules for slmicro5 covering lib dirs root ownership (#12252)
  • Add support for XCCDF variables into sshd_lineinfile template (#12251)
  • Adjust FIPS enable_fips_mode for RHEL 10 (#12414)
  • Adjust zipl_bls_entries_option template remediation to allow RHEL 10 (#12410)
  • Change directory_permissions_etc_iptables to 700 (#12384)
  • Change platform for rules related to partitions (#12562)
  • Change platform in xwindows_runlevel_target (#12563)
  • Consolidate ASCS RHEL profiles lastlog via sshd (#12249)
  • convert more rules to sshd_lineinfile template (#12301)
  • Create CIS rules for login banners (#12472)
  • Fix a typo (#12275)
  • Fix Audit related rules in RHEL 10 (#12359)
  • Fix chronyd remote server filepath dir regex (#12312)
  • fix for issue 11909 (#12318)
  • Fix rules from the net-snmp component (#12391)
  • grub2_vsyscall_argument should only be applicable to x86_64 (#12408)
  • Hide CJIS profile for OL8 (#12357)
  • Move daemon.* to /var/log/messages (#12433)
  • Move package_rear_installed to related rules in e8 (#12456)
  • Move RPM verify rules to use --restore (#12413)
  • OCP4: Optimize ingress trusted ca remediation (#12268)
  • Remove sshd_enable_warning_banner_net from HIPAA control file (#12534)
  • Remove Outdated GNOME Rules in RHEL 10 (#12460)
  • Remove package_talk-server_removed from RHEL 10 ANSSI (#12457)
  • Remove rng-tools package rules from RHEL 10 (#12455)
  • Remove sendmail from RHEL 10 profiles (#12452)
  • Remove sshd_allow_only_protocol2 from RHEL 10 (#12390)
  • Remove ypbind rules from RHEL10 (#12450)
  • Remove ypserv from RHEL 10 profiles (#12451)
  • Rename cron package to cronie for RHEL10 product (#12463)
  • Review PCI-DSS requirements and rules for RHEL 10 (#12347)
  • Review sshd_set_maxstartups rule (#12419)
  • RHEL 10 HIPAA Profile Updates (#12345)
  • RHEL 10 ISM_O: add back enable_fips_mode rule (#12449)
  • RHEL 10 STIG Update (#12348)
  • RHEL 10 tmux changes (#12383)
  • RHEL 9 STIG: change remediated Networkmanager DNS mode (#12448)
  • Slmicro5 stig add accounts and amount rules support (#12353)
  • Slmicro5 stig add accounts and software rules support (#12364)
  • Slmicro5 stig add rules selinux ssh and audit (#12316)
  • Slmicro5 stig add services and software rules support (#12395)
  • Stabilization: update audit_ospp_general with the latest content (#12592)
  • Two CIS RHEL 9 enhancements (#12453)
  • Ubuntu 22.04 STIG V2R1 changes (#12298)
  • Update ANSSI BP28 profiles in rhel10 product (#12351)
  • Update CCI Numbers due to new STIG/SRG GPOS (#12374)
  • Update chrony rules for RHEL 10 (#12415)
  • Update e8 profile for RHEL 10 (#12402)
  • Update file_permissions_etc_chrony_keys (#12521)
  • Update file_permissions_etc_chrony_keys to 640 (#12577)
  • Update install_smartcard_packages for RHEL10 (#12459)
  • update ism_o profiles for RHEL 10 (#12418)
  • Update Jinja for package_rsync_removed for RHEL 10 (#12480)
  • Update networkmanager_dns_mode for bootable containers (#12574)
  • Update of the rule encrypt_partitions to support SLEM (#12343)
  • Update ol7 stig (#12544)
  • Update ol8 stig (#12545)
  • Update OSPP control file (#12369)
  • Update PCI-DSS control file for version 4.0.1 (#12435)
  • update pwd length requirements for ism_o profile (#12431)
  • Update RHEL 10 STIG Selections (#12376)
  • Update RHEL 8 STIG due to rule removal (#12559)
  • Update RHEL 8 STIG to V2R1 (#12550)
  • Update RHEL 9 STIG to V2R1 (#12373)
  • Update RHEL 9 STIG to V2R2 (#12551)
  • Update rsyslog_cron_logging for bootable containers (#12575)
  • Update service_rngd_enabled for RHEL 10 (#12243)
  • Update SLE12 STIG version to V3R1 (#12580)
  • Update SLE15 STIG version to V2R2 (#12570)
  • Update various openshift assertions (#12443)
  • Updated 6 rules 2 for sle micro (#12331)
  • Updated packages related to openssh to support slem (#12338)
  • Updated rules based on template service_disabled to support slem (#12337)
  • Updates for Debian 12.6 (#12432)
  • Updates related to the rule permissions_local_var_log_audit (#12356)
  • Various Bug Fixes for Debian (#12084)

Removed Products

Changes in Remediations

  • Add ansible remediation configure_bind_crypto_policy (#12325)
  • Add ansible remediation to ensure_oracle_gpgkey_installed rule (#12323)
  • Add ansible remediation to mount_option_home template (#12546)
  • Add ansible remediation for rsyslog_cron_logging rule (#12326)
  • Add insensitive option to ansible_lineinfile macro (#12314)
  • Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
  • Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
  • Add rules to support remote offload of journal logs (#12479)
  • Add support for XCCDF variables into sshd_lineinfile template (#12251)
  • Added remediation and tests for the rule permissions_local_var_log_audit (#12360)
  • Avoid tmpfiles override (#12218)
  • Bring bash version in-sync with Ansible (#12398)
  • Change flags cleanup (#12397)
  • Create CIS rules for login banners (#12472)
  • Don't autoremove packages on dnf package uninstall (#12389)
  • Fix "unknown predicate -L" (#12305)
  • Fix ansible remediation for audispd plugin UBTU-20-010216 (#12293)
  • Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined (#12527)
  • SLE15 related fixes in ntp and aide rules (#12548)
  • Slmicro5 stig add accounts and software rules support (#12364)
  • Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule (#12324)
  • Update bash remediation to fix bug into account_disable_inactivity* (#12134)
  • Update remediation for firewalld_sshd_port_enabled (#12522)
  • Update select rules for RHEL not to modify systemd units in /usr (#12486)
  • Update SLE12 STIG version to V3R1 (#12580)
  • Update SLE15 STIG version to V2R2 (#12570)

Changes in Checks

  • Add "is_substring" variable to grub2_bootloader_argument template (#12308)
  • Add OL9 into installed_OS_is_vendor_supported (#12333)
  • Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
  • Add support for XCCDF variables into sshd_lineinfile template (#12251)
  • convert more rules to sshd_lineinfile template (#12301)
  • Create CIS rules for login banners (#12472)
  • enhance the grub2_argument template to cover more use cases (#12375)
  • Fix Audit related rules in RHEL 10 (#12359)
  • Fix inventory_test_kernel_installed for SLE (#12516)
  • Remove redundant sshd oval macro (#12532)
  • Slmicro5 stig add accounts and software rules support (#12364)
  • Update SLE15 STIG version to V2R2 (#12570)

Changes in the Infrastructure

  • Add ocp4 pci dss references (#12309)
  • Add setuptools python package to Fedora (#12565)
  • Add setuptools to ocp4 build (#12566)
  • Build empty OVAL (#12262)
  • Build SCE content by default in rhel9 and rhel10 products (#12488)
  • Enable templated SCE checks (#12445)
  • Ensure that platforms is valid in Automatus tests (#12505)
  • Fix issue with ambiguity of control product (#12454)
  • Fix thin data streams with SCE (#12503)
  • Fix validation with OpenSCAP 1.4 (#12303)
  • Fix Windows for OpenSCAP 1.4.0 release (#12304)
  • Introduce bootc remediation type (#12497)
  • Move data stream component references (#12557)
  • Remove template option (#12341)
  • Stop SCAP content validation if not necessary (#12523)
  • Update Fedora in install_vm.py to F41 (#12567)

Changes in the Test Suite

  • add debian12 automatus workflow (#12128)
  • Add OCP and RHCOS assertion files for 4.17 (#12266)
  • Add RHEL Platform to Select AIDE Tests (#12483)
  • add rule sysctl_kernel_modules_disabled to unselect_rules_list (#12354)
  • Fix automatus podman (#12230)
  • Fix Automatus Sanity (#12188)
  • Improve Benchmark detection in Automatus (#12554)
  • Introduce /rpmbuild-ctest-fedora CI for all Fedora versions (#12176)
  • modify test scenarios of grub2_argument template to handle variables (#12428)
  • Remove missing-references ctest (#12434)
  • Remove template option (#12341)
  • Review and update install_vm.py script (#12254)

Documentation

  • Add UOS 20 removal to docs (#12257)
  • Align release date calculation with documentation (#12240)
  • Bump master version to 0.1.75 (#12235)
  • Clarify stabilization dates process for more predictability (#12232)
  • Include a section for fixed bugs in changelog (#12239)
  • Remove old and broken tldp.org link (#12284)
  • Update contributors for 0.1.75 (#12576)

Fixed Bugs

  • Remove installed_OS_is_FIPS_certified from sshd_use_approved_ciphers (#12242)
  • firewalld_sshd_port_enabled add zone to all connections (#12256)
  • Create CIS rules for login banners (#12472)
  • Disable sysctl_kernel_modules_disabled Ansible remediation (#12514)
  • Explicitly state FindOpenSCAP cmake so it...

Content 0.1.74

09 Aug 14:29
1bf21b0

Important Highlights

  • Add Amazon Linux 2023 product (#12006)
  • Introduce new remediation type Kickstart (#12144)
  • Make PAM macros more flexible to variables (#12133)
  • Remove Debian 10 Product (#12205)
  • Remove Red Hat Enterprise Linux 7 product (#12093)
  • Update CIS RHEL9 control file to v2.0.0 (#12067)

New Rules and Profiles

  • Add initial RHEL 10 CIS profiles (#12075)
  • Add new rule audit_rules_var_log_journal (#11920)
  • Add new rule file_permissions_var_log_audit_stig (#11966)
  • Add new rule install_endpoint_security_software (#11970)
  • Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
  • Add rule dir_groupowner_system_journal (#11838)
  • Add rule dir_owner_system_journal (#11839)
  • Add rule file_group_ownership_var_log_audit_stig (#11924)
  • Add rule file_groupowner_journalctl (#11841)
  • Add rule file_owner_journalctl (#11835)
  • Add rule file_permissions_etc_audit_rules (#11959)
  • Add rule file_permissions_journalctl (#11834)
  • Check ufw is active (#11984)
  • Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
  • Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
  • Initial HIPAA RHEL 10 Profile (#11915)
  • Initial ISM O RHEL 10 Profile (#11994)
  • Initial OSPP Control File (#11882)
  • Initial RHEL 10 e8 Profile (#11976)

Updated Rules and Profiles

  • Add package_rng-tools_installed to Fedora OSPP profile (#12246)
  • Add package_firewalld_installed to CCN and enable CCN Advanced profile test in CI (#12139)
  • Add CCEs to RHEL 10 Rules (#12113)
  • Add draft status to all RHEL 10 profiles (#12224)
  • Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
  • Add SSH related STIG rule to slmicro5 platform (#12193)
  • Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
  • Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
  • Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
  • Better description and test scenarios for set_nftables_table (#11991)
  • CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
  • CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
  • CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
  • Correct the platform for rule package_iptables-persistent_removed (#12195)
  • Disable OSPP Profile for RHEL 10 (#12223)
  • Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
  • Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
  • Ensure code consistency by using aide_conf_path var (#12066)
  • Ensure that security_patches_up_to_date is not built with remediations (#11995)
  • Exclude package_screen_installed from RHEL 10 OSPP (#12179)
  • Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
  • Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
  • Fix missing variable for Ubuntu 22.04 (#11973)
  • Fix package name for libpam-pkcs11 on Ubuntu (#11854)
  • Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
  • Fix pwquality package name for Ubuntu 22.04 (#11919)
  • Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
  • Fix rule name in Ubuntu 22.04 STIG profile (#11971)
  • Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
  • Guide/anssi r45 (#12129)
  • increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
  • Make the behavior of chronyd_sync_clock rule more consistent (#12039)
  • Modify rule file_groupowner_system_journal (#11836)
  • Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
  • OCPBUGS-1316: Add missing variable reference to rules (#12012)
  • OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
  • OCPBUGS-33945: select required SSHD timeout rule (#12091)
  • OSPP profile, use Logind session timeout feature instead of tmux (#12212)
  • Override few variables for Ubuntu 22.04 (#11928)
  • remove logind_session_timeout from stig_gui profiles (#12086)
  • Remove rhel7 only rules (#12112)
  • Revert changes to no_empty_passwords for Ubuntu (#11918)
  • Slmicro5 stig add privileged commands support (#12221)
  • Support all boolean values in dnf.conf (#11965)
  • Update rules related to PAM hashing algorithm (#12164)
  • Update SLE15 STIG version to V1R13 (#11921)
  • Updated 10 rules to support SLE Micro 5 (#12210)

Removed Products

  • Remove Debian 10 Product (#12205)
  • Remove Red Hat Enterprise Linux 7 product (#12093)

Changes in Remediations

  • Improve remediation for enable_authselect (#12038)
  • Achieve consistent file and directory permissions for systemd journals (#11974)
  • Add ansible automation for configure_usbguard_auditbackend (#12092)
  • Add ansible remediation for account_password_selinux_faillock_dir (#12094)
  • Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
  • Add ansible remediation for no_tmux_in_shells rule (#12138)
  • add namespace parameter for cluster-test (#11824)
  • Add SCE check for ufw_rate_limit for Ubuntu (#11998)
  • Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
  • Adjust bash template (group)file_owner to follow symlinks (#12214)
  • align template systemd_dropin_configuration (#12054)
  • Create dconf db directory for local profile (#12079)
  • Create file if it doesn't exist for coredump rules (#12181)
  • Ensure that security_patches_up_to_date is not built with remediations (#11995)
  • Fix bash_package_installed macro (#12140)
  • Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
  • Fix chrony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
  • Fix permissions for dconf db on Ubuntu (#12056)
  • Fix Ubuntu faillock (#11932)
  • Introduce new remediation type Kickstart (#12144)
  • Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
  • Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
  • Simplify use of ansible_ensure_pam_module_option macro (#12159)
  • Slmicro5 auth,security and audit STIG rules (#12192)
  • templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
  • Update ansible remediation CCE-85972-8 to support idempotency (#12152)
  • Update rules related to PAM hashing algorithm (#12164)

Changes in Checks

  • Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
  • Fix broken OVAL metadata (#12151)
  • Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
  • Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
  • Honour the no_quotes parameter of oval_check_dropin_file macro (#12173)
  • Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
  • Improve Rsyslog rules to support RainerScript syntax (#12010)
  • Slmicro5 auth,security and audit STIG rules (#12192)
  • templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
  • Update OVAL check in accounts_password_last_change_is_in_past (#12177)
  • Update rules related to PAM hashing algorithm (#12164)

Changes in the Infrastructure

  • Add a script for finding unused rules (#12110)
  • Add option to build per rule playbook via build_product script (#12105)
  • Allow multiple control files to add the same reference type (#12165)
  • Ensure that RHEL 10 has CCEs (#12137)
  • Expand CCE Available Test to OCP4 (#12114)
  • Fix Filename for UBI test (#12115)
  • Fix Nightly Build - Debian 12 (#12033)
  • Improve error handling when loading yaml stream (#11962)
  • Include product property in profile class (#12050)
  • Install dependency "xmllint" package (#12080)
  • Mark some scenarios as specific to SCE (#12052)
  • OCP Update variable filter to consider go_template (#11906)
  • Remove duplicate product (#12049)
  • Review and reorganize CMakeLists.txt file (#12000)
  • Show most used rules of component (#12001)
  • Stop building -ds-1.2.xml data streams (#11990)
  • Update Gating (#12041)

Changes in the Test Suite

  • Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
  • Add Ubuntu 22.04 Automatus workflow (#12058)
  • Automatus to UBI 8 (#12100)
  • Better description and test scenarios for set_nftables_table (#11991)
  • Clean Up Tests Due to RHEL 7 Removal (#12101)
  • Disable service_enabled templated test for service_bluetooth_disabled (#12211)
  • Do not run package_audit-libs_installed package removal test scenarios (#12099)
  • Fix crypto policy in CIS test scenario (#12098)
  • Fix OL7 GH Action (#12143)
  • Fix platforms -> platform in test metadata (#12057)
  • Fix regex in file_ownership_audit_configuration (#12029)
  • Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
  • Github Action Ansible shell module changes check (#12014)
  • Include test scenario for multiple partitions (#11950)
  • Make Rawhide CI Green (#12065)
  • OCP4: Add workflow to test ocp content (#11615)
  • OCP4: use new assertion format for OCP CI (#11790)
  • Pin GitHub actions using Frizbee (#12082)
  • Populate _rule_id virtual template parameter in Automatus (#11943)
  • Remove the excluded_files (#12196)
  • Validate Automatus Metadata (#12059)

Documentation

  • Add script to Create a Control file from references (#11916)
  • Additional updates in kernel_module_disabled template (#12160)
  • Bump version after release (#12025)
  • Fix a typo (#12017)
  • Fix typos in notes for ocp4 controls (#11963)
  • Update Contributors for v0.1.74 (#12225)
  • Update control schema (#11942)
  • Update RHEL 8 STIG SCAP Content to V1R13 (#12219)

Content 0.1.73

16 May 18:44
2bf9d43

Important Highlights

  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
  • Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
  • Generate rule references from control files (#11540)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)

New Rules and Profiles

  • Add and modify rules file/dir_permissions_system_journal (#11840)
  • Add ANSSI Profiles for RHEL 10 (#11787)
  • Add initial RHEL 10 PCI DSS profile (#11872)
  • Add new rule file_permissions_sudo (#11584)
  • Add new templated rules for System.map files (#11640)
  • ANSSI R31 updates (#11560)
  • Audit watch on /etc/sysconfig/network-scripts (#11724)
  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
  • CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
  • Implement ANSSI requirement R69 for RHEL (#11663)
  • Improve ANSSI R28 (#11626)
  • Initial RHEL 10 STIG (#11793)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
  • Openembedded fixes (#11652)
  • Update ANSSI R50 (#11588)

Updated Rules and Profiles

  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
  • accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
  • Add a note to ANSSI R23 (#11571)
  • Add a warning to sshd_limit_user_access (#11507)
  • Add automation to enable faillock rules (#11458)
  • Add platform machine to sysctl.d rules (#11622)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • Additional updates in kernel_module_disabled template (#11508)
  • Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
  • Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
  • Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
  • ANSSI R31 updates (#11560)
  • api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
  • CMP 2453 pci dss requirement 1 (#11725)
  • CMP-2365: Fix check for rotating kubelet server certificates (#11543)
  • CMP-2372: Remove info override for virtual syscall rules (#11544)
  • CMP-2378: Fix OCP version regex (#11499)
  • CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
  • CMP-2471: Disable rules on s390x (#11743)
  • Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
  • Do not require existence of /var/tmp/tmp-inst (#11762)
  • Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
  • ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
  • extend the explanation why ANSSI R52 requirement is manual (#11629)
  • Fix #11895 issue (#11897)
  • Fix #11898 issue (#11899)
  • Fix #11902 issue (#11905)
  • Fix dconf package name for Ubuntu (#11821)
  • Fix description for auditd_max_log_file_action (#11585)
  • Fix kdump service name on Ubuntu 22.04 (#11914)
  • Fix OCP node OVN check (#11861)
  • Fix rule for accounts_authorized_local_users in SLE15 (#11602)
  • Fix SCE check for ip6tables_rules_for_open_ports (#11849)
  • Fix SCE checks for iptables_loopback_traffic (#11850)
  • HIPAA profile for SLE 15 - update (#11582)
  • Implement ANSSI requirement R69 for RHEL (#11663)
  • Improve ANSSI R28 (#11626)
  • Improve Rsyslog Rainer regex to find log files (#11808)
  • Improve title of CCN profiles for RHEL9 (#11852)
  • Make package installation for iptables and nftables mutually exclusive (#11191)
  • mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
  • Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
  • oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
  • OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
  • OCP4: Add rule to check ACS sensor deployed (#11675)
  • OCP4: Fix rules with both platform and platforms (#11760)
  • OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
  • OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
  • OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
  • OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
  • Openembedded fixes (#11652)
  • put exec back to configure_bashrc_exec_tmux (#11561)
  • Remove disabling_ipv6_autoconfig rule (#11550)
  • Replace dead HTML links for the chronyd project (#11799)
  • RHEL-09-232045: align with STIG (#11890)
  • Rule had incorrect CRD reference rule.yml (#11823)
  • Set the requires to sshd_set_keepalive on sshd_set_idle_timeout (#11815)
  • sysctl template: allow skipping of runtime checks (#11574)
  • trivial: fix linting issue (#11711)
  • trivial: Update link to audit profile documentation link (#11732)
  • Try 4110 for file_permissions_sudo (#11805)
  • ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
  • Update ANSSI R29 requirement (#11633)
  • Update ANSSI R32 (#11570)
  • Update ANSSI R36 requirement (#11632)
  • Update ANSSI R40 (#11563)
  • Update ANSSI R50 (#11588)
  • Update ANSSI R67 requirement (#11642)
  • Update ANSSI R68 (#11580)
  • Update ANSSI R71 (#11578)
  • Update audit_ospp_general (#11519)
  • Update CIS requirement status (#11784)
  • Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
  • Update CIS RHEL8 requirements related to crypto (#11506)
  • update cryptopolicy used in CUI profile to fips (#11792)
  • Update notes in ANSSI R3 (#11680)
  • update notes of the R36 requirement for ANSSI (#11639)
  • Update ol8 pcidss (#11867)
  • Update ol8 profiles (#11829)
  • Update ol8 stig (#11828)
  • Update ol8 stig reference (#11884)
  • Update ol9 pcidss (#11873)
  • Update ol9 profiles (#11846)
  • Update RHEL 8 STIG to V1R14 (#11878)
  • Update RHEL9 STIG to V1R3 (#11877)
  • Update SLE12 STIG to V2R13 (#11599)
  • Update SLE15 STIG to V1R12 (#11598)
  • update sles oval feed url (#11461)
  • Update SRG GPOS Control File (#11634)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
  • Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
  • Update STIG PSC Content (#11664)
  • Update sudo_dedicated_group (#11586)
  • Use string instead of number in oauth variable (#11613)
  • Use controls to assign ANSSI references (#11556)

Changes in Remediations

  • [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
  • [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
  • [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
  • accounts_passwords_pam_tally2_deny_root fix (#11676)
  • Add Ansible remediation to sssd_enable_pam_services (#11796)
  • Add Ansible Remediations (#11763)
  • Add root user to interactive users (#11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • Additional updates in kernel_module_disabled template (#11508)
  • Align securetty_root_login_console_only remediations with OVAL/rule description (#11716)
  • Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
  • Changes in template service_disabled - ansible part (#11645)
  • Disallow spaces in SSSD certificate_verification option (#11728)
  • Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
  • Fix ansible lint for SLE platforms (#11911)
  • fix ansible SLES stig remediations in check mode (#11248)
  • Fix Bash remediation of firewalld-based rules for offline mode (#11868)
  • Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
  • Fix non-idempotent bash remediation for sysctl template (#11671)
  • fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
  • Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
  • Fix ubuntu remediation for pam_faildelay (#11532)
  • Fix Ubuntu remediation for pam_faillock rules (#11488)
  • Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
  • Issue when using set -e with grep commands (#11712)
  • Make Blueprint for service_disabled template to mask services (#11679)
  • OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
  • pam_options ansible template dry-run fix (#11677)
  • Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
  • remove prodtype from add_kubernetes_rule (#11500)
  • Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
  • Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
  • set indent to 4 (#11530)
  • Simplify output of ip link show command (#11657)
  • update links and unify documentation in kickstart files (#11765)
  • Update links for Ansible role (#11737)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
  • use failed_when:false for Ansible register: checks (#11782)

Changes in Checks

  • accounts_passwords_pam_tally2_deny_root fix (#11676)
  • Add root user to interactive users (#11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
  • App armor oval check (#11273)
  • Correction in oval part ensure_gpgcheck_globally_activated (#11709)
  • Disallow spaces in SSSD certificate_verification option (#11728)
  • Enforce explicit setting in password-auth (#11742)
  • Enforce explicit setting in system-auth (#11740)
  • Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
  • Fix macro for extracting local interactive users (#11589)
  • Fix regression in grub2_bootloader_argument (#11768)
  • Make additional check if selinux is enabled and operational (#11510)
  • Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
  • Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
  • Restrict the list of accepted shells in no_shelllogin_for_systemaccounts...

Content 0.1.72

09 Feb 13:29
7fb44f7

Important Highlights

  • ANSSI BP 028 profile for debian12 (#11368)
  • Building on Windows (#11406)
  • Control for BSI APP.4.4 (#11342)
  • update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks

New Rules and Profiles

  • Add alinux2/alinux3 support for pci-dss compliance (#11398)
  • Add anolis23/anolis8 support for pci-dss compliance. (#11401)
  • Add new rule file_cron_allow_exists (#11441)
  • Add rules for /etc/shells (#11467)
  • Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
  • ANSSI BP 028 profile for debian12 (#11368)
  • Control for BSI APP.4.4 (#11342)

Updated Rules and Profiles

  • Review CIS RHEL8 v3.0.0 Section 3 (#11469)
  • Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
  • Add package_firewalld_installed to RHEL 9 CIS (#11351)
  • align description of audit_rules_kernel_module_loading (#11443)
  • Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
  • Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
  • align rule audit_rules_privileged_commands_kmod (#11320)
  • Allow spaces in rule sudo_custom_logfile (#11433)
  • Enable Rules For OSBuild (#11362)
  • enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
  • Fix a duplication of the code ID 3.5.2.1 (#11421)
  • Fix ANSSI URL in control file and update RHEL profiles (#11365)
  • Fix RHEL 8 STIG version (#11515)
  • Fix Service Applicability for RHEL 9 Profiles (#11367)
  • Handle rules trying to remove no longer existing packages (#11354)
  • Improve Performance on rules probing the whole file system (#11319)
  • Minor modifications to RHEL STIG profiles (#11327)
  • Move to /bin/false for disabling kernel modules (#11475)
  • Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
  • Remove irrelevant rules from PCI-DSS profiles (#11338)
  • Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
  • Remove warning from kubelet rule (#11243)
  • Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
  • Review rpm_verify_hashes rule (#11332)
  • Review rpm_verify_ownership rule (#11333)
  • Review rpm_verify_permissions rule (#11335)
  • RHEL 7: change how xwindows is disabled in CIS profile (#11466)
  • RHEL 8: align with CIS 3, section 2 (#11457)
  • RHEL7 CIS: align section 2 with the final version (#11453)
  • Stabilization: Update audit_ospp_general (#11520)
  • Support drop-in config in journald rules on RHEL (#11440)
  • Update CIS profiles descriptions (#11491)
  • Update grub2_mitigation_argument (#11271)
  • Update OL stig references (#11472)
  • Update OL8 STIG id references (#11451)
  • Update OL8 stig selection for OL08-00-040259 (#11312)
  • Update Oracle Linux anssi profiles (#11313)
  • Update RHEL 7 CIS Section 1 (#11449)
  • Update RHEL 7 STIG to V3R14 (#11477)
  • Update RHEL 8 STIG to V1R13 (#11478)
  • Update RHEL 9 STIG to V1R2 (#11479)
  • Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
  • Update STIG version for SLES 12 and SLES 15 (#11357)
  • Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
  • Use correct HTML element for inline code (#11408)
  • various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
  • xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)

Changes in Remediations

  • [Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
  • A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
  • Add blueprint remediation for enable_fips_mode (#11363)
  • Add check if to continue with ansible task (#11299)
  • add explaining comment to mount_option bash template (#11444)
  • Add support to disable wifi interfaces via wicked (#11428)
  • Ansible: change the sysctl module fqcn for rhel7 product (#11465)
  • configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
  • Do not change comments by remediations (#11434)
  • Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
  • Fix in sebool ansible (#11245)
  • Fix ShellCheck Issues in CPE Checks (#11322)
  • fix: service_timesyncd_configured (#11410)
  • Make some improvements to bash remediation template (#11361)
  • Move to /bin/false for disabling kernel modules (#11475)
  • Sle15 fix ansible cis remediations (#11258)
  • Sle15 fix ansible hipaa remediation (#11264)
  • Sle15 fix ansible pci-dss remediations in check mode (#11263)
  • Stabilization - Fix Ansible compatibility with sysctl module (#11538)
  • Support drop-in config in journald rules on RHEL (#11440)
  • Turn off blueprint for package_MFEhiplsm_installed (#11350)
  • Turn off remediations for /dev/shm (#11364)
  • Use commit hash for image tag (#11233)

Changes in Checks

  • Add ocp platforms to some eks shared OVALs (#11436)
  • Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
  • Fix invoke parent's init function (#11400)
  • Generate OVAL document for each rule (#11291)
  • Improve Performance on rules probing the whole file system (#11319)
  • Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
  • Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
  • Review rpm_verify_ownership rule (#11333)
  • Review rpm_verify_permissions rule (#11335)
  • Support drop-in config in journald rules on RHEL (#11440)
  • Update Select SSSD Rules for RHEL 7 STIG Update (#11476)

Changes in the Infrastructure

  • Add Gate tests back to master (#11331)
  • Add missing group.yml (#11373)
  • Add Windows CI (#11412)
  • add XSLT_PATH prefix with environment override (#11390)
  • Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
  • Building on Windows (#11406)
  • Control Files' level key must be an array (#11417)
  • Fix Debian 10 CI (#11426)
  • Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
  • Fix invoke parent's init function (#11400)
  • Fixes update-oscal.yml to remove env context from matrix variables (#11374)
  • Generate OVAL document for each rule (#11291)
  • Ignore mypy in the EOF Checker (#11323)
  • OCP4: Update k8s action to build image on new PR (#11384)
  • Refactoring: Remove 'prodtype' Mk.2 (#11378)
  • Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
  • remove the task which deletes artifacts from automatus GH workflows (#11482)
  • Update GitHub Artifacts Action Steps to v4 (#11411)
  • Validate levels in controls (#11427)
  • We should raise NotImplementedError (#11414)

Changes in the Test Suite

  • Allow tests/test_product_stability.py to be executed (#11464)
  • Fix OpenEmbedded name in test stability (#11463)
  • Fix Secure Boot Automatus VM Installs (#11239)
  • Fix tests for sudo_require_authentication (#11315)
  • OCP4: Fix e2e result on OCP 4.14 changes (#11207)
  • Update test-check-eof for smoke test (#11402)
  • Update Install VM to use Fedora 39 (#11418)

Documentation

  • Add documentation of the steps that OVAL content goes through during the build (#11336)
  • Add GitHub Actions Style Guide (#11330)
  • Add STIG Tables for RHEL 9 (#11376)
  • bump version to 0.1.72 (#11308)
  • Finish rename to Automatus (#11404)
  • Fix broken formatting (#11403)
  • Remove all contributors file (#11317)
  • Update contributors list for v0.1.72 release (#11483)
  • Update SRG GPOS to V2R7 (#11480)

Content 0.1.71

08 Dec 14:17
459f0ab

Important Highlights

  • Add RHEL 9 STIG (#11193)
  • Add support for Debian 12 (#11228)
  • Update PCI-DSS profile for RHEL (#11267)

New Rules and Profiles

  • New Rule: networkmanager_dns_mode (#11160)

Updated Rules and Profiles

  • Add remediation and OVAL for UBTU-20-010297 (#11098)
  • Add SRG id to file_owner_grub2_cfg for RHEL 9 STIG (#11261)
  • Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
  • Added missing variables to ubuntu profiles (#11227)
  • Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
  • Corrections in bash/ansible remediation of the rule audit_rules_privil… (#11196)
  • Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
  • daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
  • Daily prod fix: return rhel7 prodtypes to some rules (#11303)
  • Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
  • Fix audit_rules_privileged_commands_kmod (#11277)
  • Fix multiple STIG IDs for RHEL8 (#11250)
  • Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
  • fix ssh-keysign path for UBTU-20-010141 (#11082)
  • Fix ssh-keysign path for Ubuntu 22.04 (#11297)
  • Fixes for kernel_config_security rules (#11259)
  • Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
  • Make selinux context elevation for sudo more flexible (#11224)
  • Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
  • Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
  • remove sle15 from package_samba_common_installed (#11231)
  • Review and Update pcidss_4 control file (#11214)
  • Update PCI-DSS profile for RHEL (#11267)
  • Update RHEL 7 STIG V3R13 (#11223)
  • Update RHEL 8 STIG to V1R12 (#11219)

Changes in Remediations

  • Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
  • Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
  • Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
  • Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
  • Fix sudo_require_reauthentication remediations edge case (#11279)
  • Improve stability of timesyncd based remediation (#11247)
  • Include remediation for fapolicy_default_deny rule (#11211)
  • Refactor ensure_pam_wheel_group_empty rule (#11192)
  • remove duplicated multi_platform_sle in bash.template (#11244)
  • Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
  • SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
  • Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
  • Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
  • Update sshd lineinfile (#11151)

Changes in Checks

  • Fix kernel_module_disabled template for Ubuntu (#11294)
  • Include dracut filter to audit_rules_privileged_commands (#11246)
  • Integration of the OVAL object model into the combine_ovals.py script (#11236)
  • Modification of the OVAL linker to use the OVAL object model (#11290)
  • Prepare OVAL object model for integration (#11206)
  • Refactor ensure_pam_wheel_group_empty rule (#11192)
  • Reference validation in OVAL document object (#11235)
  • SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)

Changes in the Infrastructure

  • Access to enable the logging of the combine_oval.py script (#11260)
  • Add .github to EOF checker (#11287)
  • Add a better Error Message For Undefined Identifier Types (#11213)
  • Add alternatives to mandatory keys (#11268)
  • Add a Better Error Message For Undefined Reference Types (#11159)
  • Avoid duplicate loading of component files (#11195)
  • controleval.py: Return empty list when parameter is not found (#11300)
  • Fix CI job after Fedora 39 release (#11256)
  • Integration of the OVAL object model into the combine_ovals.py script (#11236)
  • Make prodtype Required in JSON Schema (#11281)
  • Modification of the OVAL linker to use the OVAL object model (#11290)
  • Move jqfilter parameter to common parser (#11232)
  • Reference validation in OVAL document object (#11235)
  • remove some unnecessary imports (#11175)
  • remove unused code (#11187)
  • Update Ansible Lint Config (#11283)
  • Use up to date build_ds_container script in add_platform_rule.py (#11042)

Changes in the Test Suite

  • Add package requirement for auditctl tests (#11181)
  • Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
  • Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
  • Enable PCI-DSS in test-farm tests (#11257)
  • Fix rpm python package SLE15 Automatus docker file (#11212)
  • Fix SLE15 tests (#11172)
  • Include dracut filter to audit_rules_privileged_commands (#11246)
  • Include remediation for fapolicy_default_deny rule (#11211)
  • New Rules Must Have a prodtype (#11252)
  • Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
  • Require SRG Reference for Rules with STIG Reference (#11265)

Documentation

  • Add stabilization phase description to developers guide (#11234)
  • Bump version for 0.1.71 (#11168)
  • Documentation for tool tox (#11165)
  • Fix docs for utils.add_kubernetes_rule (#11238)
  • update list of contributors before 0.1.71 release (#11307)
  • Update Style Guide to Ensure that PR Titles are Useful (#11284)

Content 0.1.70

12 Oct 18:19
28b7817

Important Highlights

  • Add openembedded distro support (#10793)
  • Remove DRAFT wording for OpenShift STIG (#11100)
  • Remove test-function-check_playbook_file_removed_and_added test (#10982)
  • scap-security-guide: Add Poky support (#11046)

New Rules and Profiles

  • Add rule package_s-nail-installed (#11144)
  • Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)

Updated Rules and Profiles

  • A correction in the rule pam_disable_automatic_configuration (#10902)
  • accounts_umask_etc_bashrc: depend on bash being installed (#10915)
  • Add two rules to RHEL 9 STIG (#10910)
  • Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
  • Add missing CIS references for SLE platforms (#11024)
  • Add mount platform to mount_option_var_nosuid (#11037)
  • Add rule logind_session_timeout to OL8 STIG (#10917)
  • Add SELinux as platform (#11138)
  • Add SRG ID to logind_session_timeout (#10936)
  • Add tmux platform to tmux related rules (#11017)
  • Add UBTU-20-010044 to existing ansible remediation (#11073)
  • Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
  • Add UBTU-20-010401 to restrict kernel message buffer (#11063)
  • Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
  • Add UBTU-20-010462 to lock accounts without passwords (#11060)
  • Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
  • Add variable support to auditd_name_format rule (#11019)
  • Add version for OCP CIS (#11152)
  • Add version for OCP STIG (#11153)
  • Add version metadata to the OCP PCI-DSS profile (#11155)
  • Add warning to network_configure_name_resolution (#10997)
  • Allow default permission for user.cfg file in UEFI systems (#10884)
  • ANSSI: add rules to enable auditing service (#11005)
  • Build OCP STIG profiles by default (#11132)
  • Change how example ROLE_LIST are formatted (#11123)
  • Change rule to use variable when auditing faillock (#11007)
  • Changes in SLE 12/15 profiles to support logrotate service (#10796)
  • Couple of fixes in PAM related rules for SLE platforms (#11014)
  • Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
  • Deprecate UBTU-20-010180 (#11079)
  • Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
  • Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
  • Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
  • Enable logrotate.timer check on RHCOS4 (#11045)
  • Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
  • Express more accurate per package platform limitation for firewall rules (#10812)
  • Fix excluded_files and recursive for UBTU-20-010416 (#11086)
  • Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • fix naming for UBTU-20-010430 (#11056)
  • Fix package_audit-libs_installed rule.yml (#11127)
  • Fix rule ubtu 20 010033 (#11065)
  • Fix STIG references for SLE15 (#10850)
  • Fix UBTU-20-010179 to use proper parameters and key (#11080)
  • Fix UBTU-20-010267 and deprecate STIGs (#11084)
  • Fix UBTU-20-10450 STIG (#11058)
  • Fix variable selection when selecting the default value (#11015)
  • Implement rules for CIS OCP Section 1.4 (#10840)
  • Include new options in var_accounts_minimum_age_login_defs (#11052)
  • Include RHEL identifiers in logrotate related rules (#10904)
  • Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
  • iptables_ruleset_modifications: depend on iptables being installed (#11030)
  • no_rsh_trust_files: depend on rsh-server being installed (#10809)
  • OCP4 CIS: Re-add forgotten rules (#10864)
  • OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
  • OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
  • OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
  • OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
  • OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
  • OCPBUGS-7455: Hide API warning messages (#10971)
  • OL7 DISA STIG v2r12 update (#10921)
  • Port over etcd encryption rule from CIS 1.3 controls (#10753)
  • Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
  • Remove controller_rotate_kubelet_server_certs from OCP CIS v.1.4.0 (#10992)
  • Remove CIS reference from image policy webhook rule (#10932)
  • Remove DRAFT wording for OpenShift STIG (#11100)
  • Remove protect kernel default and sysctl rules from CIS (#10931)
  • remove rules not relevant to RHEL 9 from STIG profile (#10996)
  • Remove rules that cannot be applied during image build (#10946)
  • Remove sebool_secure_mode_insmod from anssi (#11001)
  • Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
  • Remove tickets from CIS control files (#10869)
  • RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
  • Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
  • Standard Profile Improvements (#11109)
  • Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
  • Update CIS profiles to use control files (#10833)
  • Update kubelet event creation limit to 50 (#10950)
  • Update link to English version of ANSSI guide (#11038)
  • Update metadata of OSPP profile in RHEL8/9 (#10984)
  • Update OL8 STIG to V1R7 (#10918)
  • Update platform on bios_enable_execution_restrictions (#10880)
  • Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
  • Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
  • Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
  • Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
  • Version FedRAMP high and moderate profiles for OpenShift (#11154)

Changes in Remediations

  • 0640 permission in permissions_local_var_log should only apply to files (#10856)
  • accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
  • Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
  • Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
  • Add RHEL as platform in su pam wheel group remediation (#10995)
  • Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
  • Avoid Ansible shell module if not necessary (#10887)
  • change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
  • Couple of small fixes (#11004)
  • Drop irrelevant return statement in bash remediation (#10988)
  • Fix ansible remediation of configure_ssh_crypto_policy (#11008)
  • Fix Ansible Tasks order (#11117)
  • Fix bash_sshd_remediation macro on OL exclusive code (#10980)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • Fix path and add ansible remediation UBTU-20-010298 (#11087)
  • Fix remediation of sssd_enable_smartcards (#10981)
  • Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
  • Fix umask bash and Ansible (#11108)
  • Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
  • improve bash remediation of mount_option template (#11009)
  • Improve remediation for SSH global settings (#11032)
  • Improve template macros for grub command line (#10989)
  • Minor improvements in configure_opensc_nss_db (#11044)
  • Modify aide db exist path for UBTU-20-010450 (#11064)
  • OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
  • Refactor Ansible remediations that search local file systems (#10912)
  • Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
  • SLE Add journald configuration drop-in remediations (#10671)
  • SLE AIDE periodic check and remediation via systemd timer (#10589)
  • SLE Service timesyncd configured rule (#10670)
  • templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
  • Update enable_fips_mode Ansible Remediation (#11026)
  • Update no_legacy_plus_entries_* Ansible Remediations (#11027)
  • Use parameter value in ansible lineinfile macro (#10958)
  • Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)

Changes in Checks

  • Couple of fixes in PAM related rules for SLE platforms (#11014)
  • enhance OVAL for enable_fips_mode (#10897)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • Improve OVAL readability in enable_fips_mode (#10911)
  • Improve sshd_use_approved_kex_ordered_stig (#11053)
  • Minor improvements in configure_opensc_nss_db (#11044)
  • Remove kernel cmdline check (#10961)
  • Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
  • SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
  • Sysctl template remediations do not modify package files (#10881)

Changes in the Infrastructure

  • Add a faster alternative for generating HTML guides (#11036)
  • Add Dependabot (#11113)
  • Add manifests to zipfile target (#10944)
  • Add Merge Group Trigger to Required Jobs (#11162)
  • Add product as parameter when building profile reports (#11023)
  • Add SCAPVal to Stabilize task (#11043)
  • Add tickets key to control validation (#10872)
  • Add version to profile element in the data stream (#10909)
  • Allow k8s-content workflow to write (#11020)
  • Build profile bash scripts differently (#11028)
  • Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
  • Dependabot Preparation (#11112)
  • Fail build if profiles or controls contain invalid rule selections (#11135)
  • Fix Ansible Tasks order (#11117)
  • Fix multiple STIG id table generation (#11016)
  • Fix OrderedDict definition (#11121)
  • Fix Rawhide Build (#10953)
  • Fix scap delta tailoring (#11145)
  • Fix stig overlay (#11114)
  • Generate profile oriented Ansible Playbooks in a different way (#11033)
  • G...

Content 0.1.69

02 Aug 09:59
cf12119

Important Highlights

  • Introduce a JSON build manifest (#10761)
  • Introduce a script to compare ComplianceAsCode versions (#10768)
  • Introduce CCN profiles for RHEL9 (#10860)
  • Map rules to components (#10609)
  • products/anolis23: supports Anolis OS 23 (#10548)
  • Render components to HTML (#10709)
  • Store rendered control files (#10656)
  • Test and use rules to components mapping (#10693)
  • Use distributed product properties (#10554)

New Rules and Profiles

  • Add modified audit suid privilege function rule for CIS (#10729)
  • Introduce CCN profiles for RHEL9 (#10860)
  • Introduce network access control rule (#10596)
  • New templated rule to remove iptables-services package (#10703)
  • RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
  • Include new kickstart files for CCN profiles (#10863)

Updated Rules and Profiles

  • A change into sudoers_validate_passwd (#10861)
  • Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
  • Add modified audit suid privilege function rule for CIS (#10729)
  • Add mount platforms (#10794)
  • Add platform package variables for firewalld and iptables (#10740)
  • Add warning to rsyslog_remote_tls_cacert (#10676)
  • add-rules sles-15-010418 sles-12-010498 (#10711)
  • Change rules related to /etc/shadow to check only local user configuration (#10838)
  • Deprecate account_emergency_expire_date (#10829)
  • ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
  • Fix grub2 remediation instructions (#10717)
  • Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
  • Fixes of cron package/service for SLE 12/15 (#10549)
  • Increase RHEL7 STIG Coverage (#10705)
  • Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
  • New applicability platform to check IPv6 state (#10830)
  • OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
  • pam_faillock rules: show XCCDF variables in rule description (#10824)
  • Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
  • Remove quotes from journald config parameters (#10790)
  • service_apport_disabled: depend on apport being installed (#10805)
  • Set package_iptables_installed as machine only (#10804)
  • Set package_nftables_installed as machine only (#10803)
  • Set package_rng-tools_installed as machine only (#10810)
  • Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
  • Update of anssi profile for SLE 12/15 (#10702)
  • Update OL8 cjis profile (#10771)
  • Update OL8 hipaa profile (#10822)
  • Update RHEL 7 STIG to v3r11 (#10821)
  • Update RHEL 8 STIG to V1R10 (#10826)
  • update rule SLES-12-030250 (#10644)
  • Update SLE 12/15 rule and change package name (#10580)
  • Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
  • use_pam_wheel_group_for_su: depend on pam being installed (#10807)
  • Updates of the rule use_pam_wheel_group_for_su (#10714)

Changes in Remediations

  • Add a Playbook name to Ansible Playbooks (#10713)
  • Add remediations for rule network_sniffer_disabled (#10659)
  • configure_openssl_cryptopolicy: align remediations with rule description (#10828)
  • Fix in service_autofs_disabled - ansible (#10521)
  • Fix issue when adding fstab entries with iso9660 (#10572)
  • fix: use grep -E instead of deprecated egrep (#10643)
  • fixes in file_groupownership template (#10666)
  • macros: bash: Avoid matching comments in fstab macros (#10754)
  • Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
  • SLE Add rsyslog_remote_loghost drop-in remediations (#10672)
  • SLE Coredump configuration support dropin remediation (#10604)
  • SLES15 use dropin configuration for issue banner (#10605)
  • Various fixes for Ubuntu (#10755)

Changes in Checks

  • enhance OVAL for enable_fips_mode (#10900)
  • Check only local users home directories (#10825)
  • Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory (#10637)

Changes in the Infrastructure

  • .github/workflows/gate.yaml: Add anolis8 product. (#10814)
  • Add a sanity test of install_vm.py (#10684)
  • Add validation for Keys in Controls (#10813)
  • create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
  • Fix CMakelint (#10701)
  • Fix compare datastream check to correctly treat new line characters. (#10667)
  • Fix traceback in release helper (#10718)
  • Implement distributed product properties without applying them (#10648)
  • Stop using "imp" module (#10819)
  • utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)

Changes in the Test Suite

  • Add a test for rule journald_compress (#10818)
  • Add a test for rule journald_storage (#10817)
  • Add Automatus Testing (#10678)
  • Add SCAPVal to CTest (#10802)
  • Fix grep for Automatus sanity (#10752)
  • Fix install_vm.py on older versions of Python (#10651)
  • fix: ssg_test_suite: warning when rule not in benchmark (#10642)
  • Add requirements files for python dependencies (#10487)

Documentation

  • Add a section guiding through the process of rule divergence (#10763)
  • Add graphs to represent the life cycle of controls file (#1863
  • Integrate manpage with CMake better (#10624)
  • Move the most important links to a better place (#10745)
  • update list of contributors before stabilizing 0.1.69 (#10844)

Content 0.1.68

15 Jun 08:49
513280d

Important Highlights

  • Bump OL8 STIG version to V1R6 (#10497)
  • Introduce a Product class, make the project work with it (#10529)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • OL7 DISA STIG v2r11 update (#10498)
  • Publish rendered policy artifacts (#10585)
  • Update ANSSI BP-028 to version 2.0 (#10334)

New Rules and Profiles

  • Add rule package_mailx_installed (#10495)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • Introduce file_permissions_audit_configuration rule (#10489)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • New rules to complete CIS requirements for SSH Keys (#10552)
  • New SLE 15 rule set_nftables_base_chain (#10180)
  • Rebased hagenest set nftables loopback traffic (#10366)
  • Restart postfix service and add rule has_nonlocal_mta (#10359)
  • SLE15 add implementation of nftables_rules_permanent rule (#10201)
  • SLE15 add nftables ensure default deny policy (#10249)
  • Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)

Updated Rules and Profiles

  • Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
  • Add package_avahi_removed to ubuntu profiles (#10406)
  • Add rules SLES-15-010375 and SLES-12-010375 (#10625)
  • Add rules SLES-15-010419 and SLES-12-010499 (#10621)
  • Add rules SLES-15-010420 and SLES-12-010500 (#10623)
  • Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Bump OL8 STIG version to V1R6 (#10497)
  • Complete CIS requirement for system accounts (#10627)
  • Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
  • delete rule SLES-15-040280 (#10383)
  • Drop of some rules from SLE 12/15 profiles (#10527)
  • Enable ensure_shadow_group_empty for RHEL7 (#10416)
  • Enable service_nftables_disabled for RHEL (#10390)
  • Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
  • Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
  • Fix in sshd_use_approved_ciphers (#10535)
  • Fix in sudo_require_reauthentication (#10216)
  • Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • No remediation warning for fapolicy_default_deny (#10433)
  • OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
  • OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
  • OL7 DISA STIG v2r11 update (#10498)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE 12/15 profile updates (#10577)
  • SLE improve kernel module disabled rule (#10368)
  • SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
  • sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
  • Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
  • Ubuntu 22.04 CIS modify password remember rule (#10480)
  • Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
  • Update accounts_password_pam_retry yaml (#10496)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update ANSSI BP-028 to version 2.0 (#10334)
  • Update CIS controls related to nftables table and chains (#10629)
  • Update CIS requirement for SSH access limit (#10470)
  • Update netrc requirement in CIS for RHEL8 (#10511)
  • Update OL9 STIG profile (#10407)
  • Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • update rule sles-15-040250 (#10492)

Changes in Remediations

  • Add Ubuntu SCE checks for iptables rules (#10587)
  • Ansible remediation for configure_bashrc_exec_tmux (#10584)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
  • Fix changes in Ansible tasks not expected to fail (#10427)
  • Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
  • Fix up RHEL kickstarts (#10499)
  • fix: aide_string: drop nl at end (#10578)
  • fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
  • fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • Replace grep command with ansible find (#10579)
  • SLE add ability to configure emergency via dropin (#10482)
  • SLE improve kernel module disabled rule (#10368)
  • SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
  • Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
  • templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
  • Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)

Changes in Checks

  • audit_rules_privileged commands: skip /proc directory (#10471)
  • bugfix: mount_option: handle commented lines (#10518)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in sudo_require_reauthentication (#10216)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE improve kernel module disabled rule (#10368)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • Use specific name in private key groups instead of gid (#10622)

Changes in the Infrastructure

  • Add a product stability test (#10606)
  • Add CMakelint (#10468)
  • Add controls to the EOF checker (#10477)
  • Automate and Fix Missing Newline at the End of Files (#10361)
  • Expand the list of rules skipped by Ansible Lint (#10485)
  • Fix data stream component parsing (#10411)
  • Implement a tool for parsing profiles and outputting rules (#10455)
  • Introduce a Product class, make the project work with it (#10529)
  • Publish rendered policy artifacts (#10585)
  • Refactor the scapval test (#10611)
  • Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
  • Remove unused imports (#10384)
  • Remove unused variables (#10382)
  • Shell quote support for Jinja macros (#10524)
  • Stabilization: Fix install_vm.py on older versions of Python (#10652)
  • Stop using deprecated set-output in GitHub Actions (#10588)
  • Update CI Repo for CTF (#10385)
  • Update GitHub Action Versions (#10543)

Changes in the Test Suite

  • Add a product stability test (#10606)
  • Add a warning to AutoMatus (#10394)
  • bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
  • bugfix: packages: delim is comma (#10559)
  • bugfix: ssg_test_suite: RuleResult eq (#10365)
  • Fix template not found error in Automatus (#10631)
  • Fix tests applicability for ol8 product (#10570)
  • Fix tests in sshd_lineinfile template (#10595)
  • Fix typo in tests for sshd_limit_user_acess (#10478)
  • install_vm refactor (#10607)
  • install-vm fixes / features (#10562)
  • Remove machine pruning from gating (#10453)
  • Revert change in test scenario script for enable_authselect rule (#10430)
  • Unused test code (#10558)
  • Use bash_package_* (#10557)
  • Use mkdir -p when creating directories (#10556)

Documentation

  • Add Kickstarts to the changelog (#10512)
  • add python3 to the list of build dependencies for RHEL-8+ (#10503)
  • Bump version for 0.1.68 (#10372)
  • Fix read the docs build (#10537)
  • fix: Fix misspelled word infrastruture (#10531)
  • Jinja macro doc fixes (#10599)
  • Reduce Doc Warnings (#10528)
  • Styleguide Update (#10466)
  • Update Add Product Guide (#10533)
  • Update release documentation about release_helper.py script (#10502)

Content 0.1.67

11 Apr 21:56
ee68832

Important Highlights

  • Add utils/controlrefcheck.py (#10096)
  • RHEL 9 STIG Update Q1 2023 (#10185)
  • Include warning for NetworkManager keyfiles in RHEL9 (#10330)
  • OL7 stig v2r10 update (#10125)
  • Bump version of OL8 STIG to V1R5 (#10123)

New Rules and Profiles

  • Add new rule package_systemd-journal-remote_installed (#10105)
  • New SLE 15 rule service_nftables_enabled (#10113)
  • Add CIS iptables rules (#10121)
  • New SLE 15 rule set_nftables_new_connections (#10114)
  • Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
  • Add a new rule ssh_keys_passphrase_protected (#10017)
  • Introduce new rule authconfig_config_files_symlinks (#10129)
  • Added rule partition_for_dev_shm (#9984)
  • New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
  • New SLE 15 rule set_nftables_table (#10128)
  • Add implementation for rsyslog_logging_configured rule (#10063)
  • New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
  • OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
  • Added a new rule accounts_password_set_warn_age_existing (#10006)
  • Add new rule socket_systemd-journal-remote_disabled (#10210)
  • Introduce rule to remove nginx package (#10291)
  • Introduce rule to remove cyrus-imapd package (#10292)
  • Add package_dnsmasq_removed rule (#10293)
  • Add package_ftp_removed rule (#10294)
  • Add new rule rsyslog_filecreatemode (#10264)
  • New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
  • Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)

Updated Rules and Profiles

  • accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
  • Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
  • Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
  • Add CIS iptables rules (#10121)
  • OL7 stig v2r10 update (#10125)
  • Bump version of OL8 STIG to V1R5 (#10123)
  • assign ntp_configure_restrictions to SLE12 (#10122)
  • Update tmux rules and add them to OL8 STIG profiles (#10124)
  • Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
  • Add missing SRG to aide_build_database rule (for master branch) (#10150)
  • remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update levels of some rules in RHEL8 CIS (#10157)
  • Change custom zones check in firewalld_sshd_port_enabled (#10162)
  • improve applicability of rule package_rear_installed (master branch) (#10156)
  • Accept required and requisite control flag for pam_pwhistory (#10175)
  • OCP4 Modify etcd encryption check rules for hypershift (#10179)
  • Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
  • Fix prefer_64bit_os for SLE platforms (#10178)
  • remove rule logind_session_timeout and associated variable from profiles (#10202)
  • Shorten rule title (#10196)
  • products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
  • Create OVAL macro to consistently identify Interactive Users (#10215)
  • Include avahi related rules in RHEL CIS control files (#10233)
  • Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
  • Update CIS RHEL requirements for log files permissions (#10241)
  • Include rule for checking password last change in RHEL (#10243)
  • Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
  • Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
  • Update password hashing algorithm CIS requirement (#10271)
  • Complete CIS requirements related to dot-files (#10279)
  • Fix package names for some SUSE packages (#10283)
  • Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
  • Corrections in the rule package_openldap-clients_removed (#10273)
  • Enable sshd_enable_warning_banner_net for RHEL (#10287)
  • Add package_nginx_removed to Ubuntu CIS profiles (#10301)
  • Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
  • accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
  • accounts_passwords_pam_tally2: depend on pam being installed (#10305)
  • package_pam_pwquality_installed: depend on pam being installed (#10306)
  • apparmor: apply only to platform machine (#10303)
  • sudo_require_reauthentication: depend on sudo being installed (#10318)
  • vlock_installed: apply only to platform machine (#10307)
  • Remove VMM SRG References (#10336)
  • Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
  • Add some nftables rules to Ubuntu CIS profile (#10300)
  • make accounts_password_last_change_is_in_past not applicable to containers (#10339)
  • Align rhel7 dracut-fips-aesni remediations (#10352)
  • Add package_cups_removed to Ubuntu CIS Level 2 Workstation profiles (#10360)
  • NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)

Changes in Remediations

  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update sebool_secure_mode_insmod OL remediations (#9979)
  • Enable rsyslog_filecreatemode rule for RHEL (#10328)
  • kernel_module_disable template - regexp matches multiple lines (#10351)
  • fix loops within ansible template for rsyslog_files (#10349)

Changes in Checks

  • Update tmux rules and add them to OL8 STIG profiles (#10124)
  • Remove check of /var/log/dmesg from OVAL (#10145)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Fix prefer_64bit_os for SLE platforms (#10178)
  • postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
  • Create OVAL macro to consistently identify Interactive Users (#10215)
  • Add offline capability to the 'mount_option' OVAL template (#10200)

Changes in the Infrastructure

  • Introduce script shorthand to OVAL (#10085)
  • Remove utils/count_oval_objects.py (#10133)
  • Update Rawhide Before Use (#10141)
  • Move to Code Climate for PEP 8 Checking (#10158)
  • Enable SCE integrity checks for RHEL8 (#10165)
  • Refactor ssg.build_ovals module (#10048)
  • Update srg diff (#10199)
  • Require OVAL ID to match rule ID (#10346)
  • Various python fixes (#10345)
  • Move platform_mount to use cpe-oval vs oval (#10441)

Changes in the Test Suite

  • Add utils/controlrefcheck.py (#10096)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update test scenarios for accounts_password_last_change_is_in_past (#10213)
  • add cap_system_chroot capability to Automatus podman container (#10246)
  • Fix Automatus on Python 3.6 (#10281)
  • Disable logrotate timer in ensure_logrotate_activated tests (#10375)

Documentation

  • Update Ansible section in project Style Guide (#10211)
  • Fix broken link to statistics page (#10217)
  • Introduce style guidelines for commit messages (#10220)
  • Remove VMM SRG References (#10336)
  • Add URL for ISM (#10337)
  • Convert User Docs (#10214)
  • Update Contributors for v0.1.67 (#10350)

Content 0.1.66

03 Feb 10:23
dac8184

Important Highlights

  • Ubuntu 22.04 CIS (#9953)
  • OL7 stig v2r9 update (#9976)
  • Bump OL8 STIG version to V1R4 (#9974)
  • Update RHEL7 STIG to V3R10 (#10079)
  • Update RHEL8 STIG to V1R9 (#10078)
  • Introduce CIS RHEL9 profiles (#10091)

New Rules and Profiles

  • Add nonessential services rule (#9912)
  • Added a new rule package_firewalld_removed (#9937)
  • Added a new SLE 12/15 rule package_rsync_removed (#9932)
  • Added a new rule package_cups_removed (#9930)
  • Added a new rule firewalld_service_disabled (#9941)
  • Added a new SLE 15 rule package_nftables_installed (#9934)
  • Add rule for no .forward files (#9990)
  • Add new rule grub2_enable_apparmor (#9978)
  • Added a new rule package_tcp_wrappers_removed (#9981)
  • Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
  • Add package prelink removed (#10062)
  • add new rule audit_rules_immutable_login_uids (#10070)
  • Added 2 rules for 15 related to nftables (#10068)
  • New SLE 15 rule ensure_iptables_are_flushed (#10107)
  • add new rule configure_bashrc_tmux (#10100)

Updated Rules and Profiles

  • Include warning regarding quota options in XFS (#9879)
  • Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
  • Sync rules for RHEL 9 STIG (#9788)
  • Changing a few hardcoded OS names for full_name (#9936)
  • Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
  • SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
  • Update sudo_require_reauthentication (#9923)
  • Update kmod audit rule for OL7 (#9949)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Add rule to OL7 stig profile (#10028)
  • Small corrections related to 3 rules (#9995)
  • Add new rule grub2_enable_apparmor (#9978)
  • Include Ubuntu products in package_rsync_removed (#10051)
  • Include Ubuntu products in package_nftables_installed (#10052)
  • Fix the service_telnet_disabled rule (#10033)
  • Update package name for RHEL in package_rsync_removed (#10053)
  • Include Ubuntu products in package_cups_removed (#10050)
  • Include Ubuntu products in package_rpcbind_removed (#10055)
  • Update link to NTP docs (#10056)
  • Include Ubuntu products in package_prelink_removed (#10071)
  • Add account_emergency_expire_date to OL7 stig (#10073)
  • Add aide_build_database to STIG in OL and RHEL (#10094)
  • Include Ubuntu products in two nftables rules (#10101)
  • Move two rules to higher level in cis_rhel8 control file (#10109)
  • add new rule configure_bashrc_tmux (#10100)
  • add missing SRG to aide_build_database rule (#10136)
  • change applicability of rules configuring idle session timeouts (#10127)
  • Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
  • improve applicability of rule package_rear_installed (#10144)
  • stabilization: Update levels of some rules in RHEL8 CIS (#10155)

Changes in Remediations

  • Fix indentation in Ansible shell module parameter (#9851)
  • Recognize 64bit architectures in Ansible remediations (#9887)
  • Make Ansible remediation less prone to fatal errors (#9914)
  • Add bash and ansible remediation for set_loopback_traffic (#9939)
  • Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
  • Update sudo_require_reauthentication (#9923)
  • Improve the arguments for Ansible command module (#9921)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Fix Jinja condition in macro for pam_faillock (#10009)
  • Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
  • aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
  • Update accounts_password template for OL due to precedence confs (#9935)
  • accounts_password_set_min_life_existing: Avoid system accounts (#9955)
  • Improve service_disabled template (#10026)
  • accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
  • Rewrite remediations for rsyslog_remote_tls (#9866)
  • Fix accounts_password template for OL (#10045)
  • Using the Ansible shell actions is needed in package_prelink_remove (#10086)

Changes in Checks

  • Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
  • Update sudo_require_reauthentication (#9923)
  • accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
  • Update accounts_password template for OL due to precedence confs (#9935)
  • accounts_password_set_min_life_existing: Avoid system accounts (#9955)
  • accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)

Changes in the Infrastructure

  • Refactor build_cpe.py (#9834)
  • Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
  • Refactor templates v2 (#9870)
  • Add automatic detection of platform_package_overrides when using automatus (#9897)
  • Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
  • Introduce templated platforms (CPEs) (#9906)
  • Sort conditional remediation platform checks (#9902)
  • Add sanity tests for controleval.py (#9918)
  • Add Refchecker to Tests (#9862)
  • Wait for buffer flushes to finish writes (#9933)
  • Fix the file param in rule_dir_json (#9928)
  • Fix typing import in create_srg_export.py (#9929)
  • Build all profiles on all CentOS and CentOS Streams (#9946)
  • CTest Fixes (#9962)
  • CPE AL: Introduce version specifiers support (#9945)
  • Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
  • Raise exception when parametrized platform receives invalid argument (#9996)
  • Fix --datastream-only in ./build_product (#10020)
  • Add sanity tests for compare_disa_xml.py (#10030)
  • Add Ubuntu 22.04 to Gating (#9986)
  • Fix a few issues in test-compare-disa-xml (#10034)
  • Update Ansible Lint Config (#10025)
  • platforms: rewrite mechanism which parses version into EVR (#10038)
  • Produce an understandable error when remediation collection goes wrong (#10027)
  • Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
  • Bump fedora version in Dockerfiles to 37 (#10036)
  • Fix the generation of SCE checks in the output datastream (#10015)
  • Scripts clean up (#10061)
  • Clean up SRG export (#10067)

Changes in the Test Suite

  • Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
  • Add automatic detection of platform_package_overrides when using automatus (#9897)
  • Add Refchecker to Tests (#9862)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Improve service_disabled template (#10026)

Documentation

  • Add Timezone to the Contributors Script (#9844)
  • Add documentation about readthedocs.org integration (#9875)
  • Update Upstream Release doc (#9952)
  • Update contributors list for v0.1.66 release (#10108)