
SCAP Security Guide 0.1.28 Release Notes

@iankko iankko released this 25 Jan 10:56
· 32869 commits to master since this release

Highlights (in order the changes have been merged):

  • SCAP Security Guide build process refactoring
  • New "OpenStack/RHEL-OSP/7/" directory to hold the SCAP
    content for Red Hat Enterprise Linux OpenStack Platform v7
  • Improved (more granular) mapping of the official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7
  • The build process has been updated to produce STATIC rule IDs in the benchmarks
    (very handy for diffing benchmark versions)
  • Numerous other XCCDF, OVAL, and remediation script enhancements and bug fixes
    (see below for more concrete details)
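Stable rule IDs matter because they let you compare two benchmark builds rule by rule instead of by position. The script below is an added illustration of that use, not part of SCAP Security Guide itself; it assumes the XCCDF 1.2 namespace and SSG-style rule IDs of the form xccdf_org.ssgproject.content_rule_<name>, and the two benchmark snippets are constructed here rather than taken from a real release.

```python
"""Diff two XCCDF benchmarks by their stable rule IDs.

Added example, not SCAP Security Guide code. Assumes XCCDF 1.2 and
SSG-style rule IDs; both benchmark snippets below are constructed.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed "old" benchmark build (stands in for a previous release).
OLD_BENCHMARK = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <Group id="xccdf_org.ssgproject.content_group_system">
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"
          severity="high" selected="true">
      <title>Allow Only SSH Protocol 2</title>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_package_openswan_installed"
          severity="low" selected="false">
      <title>Install openswan Package</title>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed "new" benchmark build: one rule added, one rule's severity changed.
NEW_BENCHMARK = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <Group id="xccdf_org.ssgproject.content_group_system">
    <Rule id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2"
          severity="high" selected="true">
      <title>Allow Only SSH Protocol 2</title>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_package_openswan_installed"
          severity="medium" selected="false">
      <title>Install openswan Package</title>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"
          severity="high" selected="true">
      <title>Disable Ctrl-Alt-Del Reboot Activation</title>
    </Rule>
  </Group>
</Benchmark>
"""


def rule_index(xml_text):
    """Map every Rule id in a benchmark to the attributes worth comparing."""
    root = ET.fromstring(xml_text)
    index = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        title_el = rule.find("xccdf:title", NS)
        index[rule.get("id")] = {
            "severity": rule.get("severity", "unknown"),
            "selected": rule.get("selected", "false"),
            "title": title_el.text if title_el is not None else "",
        }
    return index


def diff_benchmarks(old_xml, new_xml):
    """Return added, removed and changed rule IDs between two benchmarks.

    This only works because the IDs are stable across builds; with
    regenerated IDs every rule would show up as removed and re-added.
    """
    old, new = rule_index(old_xml), rule_index(new_xml)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(rid for rid in set(old) & set(new) if old[rid] != new[rid]),
    }


def short_name(rule_id):
    """Strip the SSG ID prefix so reports stay readable."""
    return rule_id.split("content_rule_", 1)[-1]


if __name__ == "__main__":
    for kind, ids in diff_benchmarks(OLD_BENCHMARK, NEW_BENCHMARK).items():
        print(f"{kind}:")
        for rid in ids:
            print(f"  {short_name(rid)}")
```

Run against two real builds by reading the XCCDF files instead of the embedded strings; the comparison keys (severity, selection, title) are the ones most often adjusted between releases, and can be extended to references or remediation presence as needed.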

Enhancements:

  • OVAL for the RHEL-6 benchmark is produced in OVAL-5.11 form when the
    underlying oscap version already supports OVAL-5.11
  • New shared/oval/oval_5.11 directory to hold shared OVAL checks using
    OVAL-5.11 language constructs

XCCDF changes / enhancements:

  • [BugFix] [Debian/8] Fix typos (in selected rules)
  • [Debian/8] Clean up the common profile; no more undefined references
  • [RHEL/7] Refine pcidss-req 'security_patches_up_to_date' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_redhat_gpgkey_installed' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_globally_activated' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_never_disabled' -> 6.2
  • [Debian/8] Add ssh basics to Debian 8 xccdf
  • [BugFix] [Debian/8] Updated invalid href for rule references. Add reference to the Debian security manual
  • [Enhancement] [Debian/8] Add dsg references
  • [Debian/8] Clean dsg from official security guides. Updated ssh reference. Clean postbuild
  • [Debian/8] Clean all references to dsg in xccdf; clean CIS link (RHEL-specific).
    Updated validate while the xccdf is not complete
  • [Debian/8] Merge install xccdf part into system part for homogeneous content with other distros
  • [Debian/8] Add support for logging XCCDF check
  • [Debian/8] Add rsyslog basic check in common profile, without network part (client or server side)
  • [Debian/8] Clean up account file access-right checks
  • [RHEL/7] Added shm and sticky bits rules into RHEL7 standard profile
  • [RHEL/7] Added package management related rules to RHEL7 standard profile
  • [RHEL/6] Ported the RHEL7 standard profile over to RHEL6
  • [RHEL/6] [RHEL/7] Added more rules to standard profiles for RHEL6 and 7

OVAL check changes / enhancements:

  • [Debian/8] Updated CPE naming for NIST conformity
  • [Debian/8] CPE naming based on NIST NVD 2.2 naming
  • [Debian/8] Clean up CPE (empty line)
  • [BugFix] [Debian/8] Fix mistyped OVAL check name in the Debian 8 CPE
  • [BugFix] [Debian/8] Fix tag for 'installed_OS_is_debian8' OVAL check
  • [Enhancement] [Debian/8] Add support for ssh service shared oval files in Debian8
  • [Enhancement] [Debian/8] Add disabled services support. Adding openssh (needed for shared oval)
  • [BugFix] [shared] Restricted the RPM-based distribution-specific shared OVAL file to RPM-based platforms only
  • [BugFix] [shared] Updated other RPM-based distribution-specific OVAL files
  • [SHARED] Adding _all on ssh oval files
  • [shared] Add SSH protocol v2 only check to multi_platform_debian also
  • [shared] Add rhel-osp to previously multi_platform_all transformed into RPM specific multi-platform oval files
  • [RHEL/6] Fix for issue #932
  • [BugFix] [RHEL/5] Removed an unused idtranslate.py from RHEL5/input/oval
  • [BugFix] [RHEL/6] Update the sysctl XCCDF value fix for ipv6 parameters as well
  • [BugFix] [RHEL/7] Fix Ticket 932 on RHEL7
  • [BugFix] [RHEL/7] Add missing generated files and doc changes for ticket 932
  • [BugFix] [Debian/8] Updated template comment for correct path
  • [RHEL/7] Update "RHEL/7/input/oval/oval_5.11/templates/services_disabled.csv"
    content to start using new daemon_name CSV value expected by 'create_services_disabled.py'
    helper script (prevent ValueError)
  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_groupownership' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former product specific oval for
    'rsyslog_files_groupownership' rule into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_ownership' rule (with OVAL-5.11)
  • [Enhancement] [Debian/8] [RHEL/7] [Fedora] Move former per-product based
    'rsyslog_files_ownership' OVAL check into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_permissions' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former per-product version of
    OVAL for 'rsyslog_files_permissions' rule into shared/oval/oval_5.11
  • [BugFix] [RHEL/6] Enhance the RHEL-6 OVAL for 'package_openswan_installed' rule

New Remediations:

  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [BugFix] [Debian/8] Clean up the remediation dir

Build System Bug Fixes:

  • [BugFix] Fix failing RHEL-6 "make validate" target (2015-12-17)
  • [BugFix] [Debian/8] Fix 'make validate' on Debian/8 content issue
    when content is built on RHEL-6 with openscap-1.0.10-3.el6.* (2015-12-22)
  • [BugFix] [Debian/8] Fix failing 'make' target when a Debian/8 content build
    is attempted on a system using an openscap-1.0.x version

Infrastructure:

  • [Refactoring] Start using verify-references.py from the shared directory
  • [Refactoring] Move the documentation close to the script
    (Also remove the documentation from previous locations)
  • [Unification] Remove the support.sh script
  • [Refactoring] Put common Makefile declarations to a single file
  • [Refactoring] Make use of the product-make.include file
  • [Refactoring] Put query for OVAL 5.11 into a common Makefile
  • [Refactoring] Put query for guide-from-ds-oscap into a common Makefile
  • [Refactoring] Put query for SVG support into a common Makefile
  • [Enhancement] Create a shorthand target that emulates what jenkins runs
  • [Debian/8] Updated templates recopy calls to correct places in Makefiles
  • [Unification] Use $(OUT) variable consistently
  • [Refactoring] Avoid changes in letter capitalization between the Makefiles
  • [Correction] Fix python binary name
  • [Refactoring] Refactor the very first make target: the guide.xml
  • [Refactoring] Imperceptible makefile changes
  • [Clarification] Amend documentation to mirror exactly what is going to happen
  • [Refactoring] Consolidate filename of shorthand.xml
  • [Refactoring] Move PHONY shorthand-guide to the common Makefile
  • [BugFix] [Debian/8] Put xhtml:p into a correct namespace for Debian content
  • [Refactoring] Spell out all the dependencies of the guide.xml that exist
  • [Refactoring] Refactor shorthand-guide phony target to non-phony variant
  • [Refactoring] Create xccdf-unlinked-unresolved.xml as a separate target
  • [Refactoring] Create xccdf-unlinked-empty-groups.xml as a separate target
  • [Refactoring] Minor changes in webmin shorthand transformation
  • [Refactoring] Minor changes in openstack shorthand transformation
  • [BugFix] Fix broken xslt (causing "$ sudo chgrp root xsl:value-of select="@file"/>"
    to appear in the HTML guides)
  • [Refactoring] Openstack and webmin makefiles should use xccdf-unlinked-unresolved target
  • [Refactoring] [RHEVM3] Update shorthand to assign namespaces
  • [Refactoring] [RHEVM3] Remove 'addprofiles.xslt' step
  • [Refactoring] [RHEVM3] Resolve xccdf before proceeding
  • [Refactoring] [OpenStack] Update shorthand to assign namespaces
  • [Refactoring] [OpenStack] Remove 'addprofiles.xslt' step
  • [Refactoring] [OpenStack] Resolve xccdf before proceeding
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transformation
  • [Refactoring] Drop xccdf-addrefs.xslt
  • [Refactoring] Create ocil-unlinked.xml as a separate target
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transform even more
  • [Infrastructure] Temporarily allow the modified 'cpe_generate.py' transform
    to continue even if the intermediary OVAL is invalid
  • [BugFix] [Main Makefile] Use updated Openstack/RHEL-OSP/7 location in
    the 'make clean' target of the main Makefile
  • [BugFix] [OpenStack/RHEL-OSP/7] Makefile changes
  • [Refactoring] Create xccdf-unlinked-ocilrefs as a separate target
  • [BugFix] [Debian/8] Modify Debian/8 package_installed.csv template
  • [Refactoring] Move shared constants to a separate file
  • [Refactoring] Move xccdf-ocilheck2ref.xslt to the shared directory
  • [Refactoring] Remove commented version and config include
  • [Refactoring] Remove INCLUDE_TEST_PROFILE=0 setting
  • [Refactoring] [BugFix] [Debian/8] Modify the 'validate' target in the same
    way as it is modified for the Fedora and RHEL/7 products
  • [Infrastructure] [Post PR#913 Cleanup] Make RHEL-OSP/7 content use the
    shared/ version of the 'verify-references.py' script
  • [Refactoring] Consolidate xccdf-unlinked-ocilrefs target, shared constants.xslt,
    and xccdf-ocilheck2ref.xslt transformation
  • [Refactoring] [BugFix] [Infrastructure] Various "cpe_generate.py" shared/
    transform hardenings
  • [Enhancement] Add support for multi_platform_debian. Requires some patches in shared/oval
  • [Enhancement] Updated shared OVAL to avoid multi_platform_all OVAL
    extending multi_platform_(rhel|fedora) definitions
  • [Enhancement] Keep human-readable hints in SSG IDs after relabelling
  • [Enhancement] Produce stable IDs; no longer generate a mapping INI file
  • [Bugfix][Debian/8] Update Debian Makefile and global makefile
  • [Refactoring] Refactor BUILD_REMEDIATIONS variable to shared makefile
  • [Refactoring] Remediations should always be sourced from the shared directories
  • [BugFix] Add RHEVM to combineremediations.py
  • [Refactoring] Create bash-remediations.xml as a separate target
  • [Refactoring] bash-remediations.xml should not depend on oval.config
  • [Enhancement] Make ocilrefs xccdf for Fedora as well
  • [Refactoring] Move xccdf-create-ocil.xslt to the shared directory
  • [Refactoring] Create xccdf-unlinked-final.xml as a separate target
  • [Refactoring] Drop shorthand2xccdf as a dependency of the all target
  • [Refactoring] table* targets should not depend on shorthand2xccdf
  • [Refactoring] The content-stig target should depend on the table-stigs targets
  • [Refactoring] Create table-stigs target for RHEVM3
  • [Refactoring] Get rid of the shorthand2xccdf target
  • [Refactoring] Share xccdf-addremediations.xslt among the products
  • [Debian/8] Add cisurl to the constants list (compilation error).
    It should still be deleted properly, as this variable is RHEL-specific
  • [BugFix] Deleted autogenerated oval files from git
  • [BugFix] [Webmin] Drop unused 'services_enabled.csv' and 'services_disabled.csv'
  • [Enhancement] [shared] Make 'create_services_disabled.py' helper script
    more verbose when raising ValueError (print concrete item)
  • [BugFix] [Firefox] Drop unused 'services_enabled' and 'services_disabled' CSV files
  • [BugFix] [Firefox] Drop 'make services' target from input/oval/templates/Makefile
  • [BugFix] [OpenStack/RHEL-OSP/7] Update 'services_disabled' CSV
    file for this product to support daemon_name too
  • [BugFix] [OpenStack/RHEL-OSP/7] Fix SHARED dir location in the
    input/oval/oval_5.11/templates/Makefile for this product
  • [RHEL/5] [RHEL/6] Enhance the 'services_disabled' CSV file to add support for the optional daemon_name value
  • [Debian/8] Enhance the 'services_disabled' CSV file to add support for the optional daemon_name value
  • [Enhancement] Add support for shared/oval/oval_5.11 directory
  • [BugFix] [Infrastructure] Modify the way the information about OVAL-5.11
    being supported by the system's oscap version is propagated during the benchmark build
  • [Enhancement] [RHEL/6] Allow RHEL-6 content to start using OVAL-5.11
    language constructs if underlying system oscap version supports OVAL-5.11
  • [Enhancement] [Infrastructure] product-make.include -- When including
    remediations during the benchmark build, verify the remediations really got
    included; exit with an error if not
  • [Infrastructure] [shared/product-make.include] Change the order
    of prerequisites for the "$(OUT)/xccdf-unlinked-final.xml" target
  • [BugFix] [Infrastructure] [shared/product-make.include] Include the
    remediation scripts back into the benchmarks
  • [Refactoring] Avoid querying the rpm twice
  • [Refactoring] Simplify the logic for obtaining the path to bash-remediations.xml

Other changes:

  • Add reference to the dynamically built Workbench manual
  • Add reference to the OpenSCAP manual

Full list of issues and pull requests closed in this release