SCAP Security Guide 0.1.28 Release Notes
Highlights (in order the changes have been merged):
- SCAP Security Guide build process refactoring
- New "OpenStack/RHEL-OSP/7/" directory to hold the SCAP content for Red Hat Enterprise Linux OpenStack Platform v7
- Improved (more granular) mapping of the official PCI DSS v3 standard to the PCI DSS profile for Red Hat Enterprise Linux 7
- The build process has been updated to produce STATIC rule IDs in the benchmarks (very handy for benchmark version diffs)
- Numerous other XCCDF, OVAL, and remediation script enhancements and bug fixes (see below for more concrete details)
Enhancements:
- OVAL for the RHEL-6 benchmark will be produced in version 5.11 if the underlying oscap version already supports OVAL-5.11
- New shared/oval/oval_5.11 directory to hold shared OVAL checks using OVAL-5.11 language constructs
XCCDF changes / enhancements:
- [BugFix] [Debian/8] Fix typos (in selected rules)
- [Debian/8] Cleaning of the common profile. No more undefined references
- [RHEL/7] Refine pcidss-req 'security_patches_up_to_date' -> 6.2
- [RHEL/7] Refine pcidss-req 'ensure_redhat_gpgkey_installed' -> 6.2
- [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_globally_activated' -> 6.2
- [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_never_disabled' -> 6.2
- [Debian/8] Add ssh basics to Debian 8 xccdf
- [BugFix] [Debian/8] Updated invalid href for rule references. Add reference to the Debian security manual
- [Enhancement] [Debian/8] Add dsg references
- [Debian/8] Clean dsg from official security guides. Updated ssh reference. Clean postbuild
- [Debian/8] Clean all references to dsg in xccdf. Clean CIS link (RHEL specific). Updated validate while xccdf is not complete
- [Debian/8] Merge install xccdf part into system part for homogeneous content with other distros
- [Debian/8] Add support for logging XCCDF check
- [Debian/8] Add rsyslog basic check in common profile, without network part (client or server side)
- [Debian/8] Cleaning account files access right checks
- [RHEL/7] Added shm and sticky bits rules into RHEL7 standard profile
- [RHEL/7] Added package management related rules to RHEL7 standard profile
- [RHEL/6] Ported the RHEL7 standard profile over to RHEL6
- [RHEL/6] [RHEL/7] Added more rules to standard profiles for RHEL6 and 7
OVAL check changes / enhancements:
- [Debian/8] Updated CPE naming for NIST conformity
- [Debian/8] CPE naming based on NIST NVD 2.2 naming
- [Debian/8] Cleaning CPE (empty line)
- [BugFix] [Debian/8] Fix mistyped OVAL check name in the Debian 8 CPE
- [BugFix] [Debian/8] Fix tag for 'installed_OS_is_debian8' OVAL check
- [Enhancement] [Debian/8] Add support for ssh service shared oval files in Debian8
- [Enhancement] [Debian/8] Add disabled services support. Adding openssh (needed for shared oval)
- [BugFix] [shared] Updated RPM-based distribution specific shared oval file to RPM based platform only
- [BugFix] [shared] Updated other RPM-based distrib specific OVAL files
- [SHARED] Adding _all on ssh oval files
- [shared] Add SSH protocol v2 only check to multi_platform_debian also
- [shared] Add rhel-osp to previously multi_platform_all transformed into RPM specific multi-platform oval files
- [RHEL/6] Fix for issue #932
- [BugFix] [RHEL/5] Removed an unused idtranslate.py from RHEL5/input/oval
- [BugFix] [RHEL/6] Update the sysctl XCCDF value fix for ipv6 parameters as well
- [BugFix] [RHEL/7] Fix Ticket 932 on RHEL7
- [BugFix] [RHEL/7] Add missing generated files and doc changes for ticket 932
- [BugFix] [Debian/8] Updated template comment for correct path
- [RHEL/7] Update "RHEL/7/input/oval/oval_5.11/templates/services_disabled.csv" content to start using the new daemon_name CSV value expected by the 'create_services_disabled.py' helper script (prevents ValueError)
- [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
- [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_groupownership' rule (with OVAL-5.11)
- [Enhancement] [RHEL/7] [Fedora] Move former product specific OVAL for 'rsyslog_files_groupownership' rule into shared/oval/oval_5.11 directory
- [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_ownership' rule (with OVAL-5.11)
- [Enhancement] [Debian/8] [RHEL/7] [Fedora] Move former per-product based 'rsyslog_files_ownership' OVAL check into shared/oval/oval_5.11 directory
- [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_permissions' rule (with OVAL-5.11)
- [Enhancement] [RHEL/7] [Fedora] Move former per-product version of OVAL for 'rsyslog_files_permissions' rule into shared/oval/oval_5.11
- [BugFix] [RHEL/6] Enhance the RHEL-6 OVAL for 'package_openswan_installed' rule
New Remediations:
- [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
- [Enhancement] [RHEL/6] New RHEL-6 remediation for 'rsyslog_files_permissions' rule
Remediation fixes / other changes:
- [BugFix] [Debian/8] Cleaning remediation dir
Build System Bug Fixes:
- [BugFix] Fix failing RHEL-6 "make validate" target (2015-12-17)
- [BugFix] [Debian/8] Fix 'make validate' on Debian/8 content issue when the content is built on RHEL-6 with openscap-1.0.10-3.el6.* (2015-12-22)
- [BugFix] [Debian/8] Fix failing 'make' target when a Debian/8 content build is attempted on a system using an openscap-1.0.x version
Infrastructure:
- [Refactoring] Start using verify-references.py from the shared directory
- [Refactoring] Move the documentation close to the script (also remove the documentation from previous locations)
- [Unification] Remove the support.sh script
- [Refactoring] Put common Makefile declarations to a single file
- [Refactoring] Make use of the product-make.include file
- [Refactoring] Put query for OVAL 5.11 into a common Makefile
- [Refactoring] Put query for guide-from-ds-oscap into a common Makefile
- [Refactoring] Put query for SVG support into a common Makefile
- [Enhancement] Create a shorthand target that emulates what jenkins runs
- [Debian/8] Updated templates recopy calls to correct places in Makefiles
- [Enhancement] Create a shorthand target that emulates what jenkins runs
- [Unification] Use $(OUT) variable consistently
- [Refactoring] Avoid changes in letter capitalization between the Makefiles
- [Correction] Fix python binary name
- [Refactoring] Refactor the very first make target: the guide.xml
- [Refactoring] Imperceptible makefile changes
- [Clarification] Amend documentation to mirror exactly what is going to happen
- [Refactoring] Consolidate filename of shorthand.xml
- [Refactoring] Move PHONY shorthand-guide to the common Makefile
- [BugFix] [Debian/8] Put xhtml:p into a correct namespace for Debian content
- [Refactoring] Spell out all the dependencies of the guide.xml that exist
- [Refactoring] Refactor shorthand-guide phony target to non-phony variant
- [Refactoring] Create xccdf-unlinked-unresolved.xml as a separate target
- [Refactoring] Create xccdf-unlinked-empty-groups.xml as a separate target
- [Refactoring] Minor changes in webmin shorthand transformation
- [Refactoring] Minor changes in openstack shorthand transformation
- [BugFix] Fix broken xslt (causing "$ sudo chgrp root xsl:value-of select="@file"/>" in the HTML guides)
- [Refactoring] Openstack and webmin makefiles should use the xccdf-unlinked-unresolved target
- [Refactoring] [RHEVM3] Update shorthand to assign namespaces
- [Refactoring] [RHEVM3] Remove 'addprofiles.xslt' step
- [Refactoring] [RHEVM3] Resolve xccdf before proceeding
- [Refactoring] [OpenStack] Update shorthand to assign namespaces
- [Refactoring] [OpenStack] Remove 'addprofiles.xslt' step
- [Refactoring] [OpenStack] Resolve xccdf before proceeding
- [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transformation
- [Refactoring] Drop xccdf-addrefs.xslt
- [Refactoring] Create ocil-unlinked.xml as a separate target
- [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transform even more
- [Infrastructure] Temporarily allow the modified 'cpe_generate.py' transform to continue even if the intermediary OVAL is invalid
- [BugFix] [Main Makefile] Use updated Openstack/RHEL-OSP/7 location in the 'make clean' target of the main Makefile
- [BugFix] [OpenStack/RHEL-OSP/7] Makefile changes
- [Refactoring] Create xccdf-unlinked-ocilrefs as a separate target
- [BugFix] [Debian/8] Modify Debian/8 package_installed.csv template
- [Refactoring] Move shared constants to a separate file
- [Refactoring] Move xccdf-ocilheck2ref.xslt to the shared directory
- [Refactoring] Remove commented version and config include
- [Refactoring] Remove INCLUDE_TEST_PROFILE=0 setting
- [Refactoring] [BugFix] [Debian/8] Modify the 'validate' target in a similar way to how it is modified in the Fedora or RHEL/7 product case
- [Infrastructure] [Post PR#913 Cleanup] Make RHEL-OSP/7 content use the shared/ version of the 'verify-references.py' script
- [Refactoring] Consolidate xccdf-unlinked-ocilrefs target, shared constants.xslt, and xccdf-ocilheck2ref.xslt transformation
- [Refactoring] [BugFix] [Infrastructure] Various "cpe_generate.py" shared/ transform hardenings
- [Enhancement] Add support for multi_platform_debian. Requires some patches in shared/oval
- [Enhancement] Updated shared oval in order to avoid multi_platform_all oval extending multi_platform_(rhel|fedora) definitions
- [Enhancement] Keep human-readable hints in SSG IDs after relabelling
- [Enhancement] Produce stable IDs, no longer generate a mapping INI file
- [Bugfix][Debian/8] Update Debian Makefile and global makefile
- [Refactoring] Refactor BUILD_REMEDIATIONS variable to shared makefile
- [Refactoring] Remediations should be always sourced from the shared directories
- [BugFix] Add RHEVM to combineremediations.py
- [Refactoring] Create bash-remediations.xml as a separate target
- [Refactoring] bash-remediations.xml should not depend on oval.config
- [Enhancement] Make ocilrefs xccdf for Fedora as well
- [Refactoring] Move xccdf-create-ocil.xslt to the shared directory
- [Refactoring] Create xccdf-unlinked-final.xml as a separate target
- [Refactoring] Drop shorthand2xccdf as a dependency of the all target
- [Refactoring] table* targets should not depend on shorthand2xccdf
- [Refactoring] The content-stig target should depend on the table-stigs targets
- [Refactoring] Create table-stigs target for RHEVM3
- [Refactoring] Get rid of the shorthand2xccdf target
- [Refactoring] Share xccdf-addremediations.xslt among the products
- [Debian/8] Add cisurl to constants list (compilation error). It should still be deleted properly, as this variable is RHEL specific
- [BugFix] Deleted autogenerated oval files from git
- [BugFix] [Webmin] Drop unused 'services_enabled.csv' and 'services_disabled.csv'
- [Enhancement] [shared] Make 'create_services_disabled.py' helper script more verbose when raising ValueError (print concrete item)
- [BugFix] [Firefox] Drop unused 'services_enabled' and 'services_disabled' CSV files
- [BugFix] [Firefox] Drop 'make services' target from input/oval/templates/Makefile
- [BugFix] [OpenStack/RHEL-OSP/7] Update 'services_disabled' CSV file for this product to support daemon_name too
- [BugFix] [OpenStack/RHEL-OSP/7] Fix SHARED dir location in the input/oval/oval_5.11/templates/Makefile for this product
- [RHEL/5] [RHEL/6] Enhance the 'services_disabled' CSV file to add support for daemon_name voluntary value
- [Debian/8] Enhance the 'services_disabled' CSV file to add support for daemon_name voluntary value
- [Enhancement] Add support for shared/oval/oval_5.11 directory
- [BugFix] [Infrastructure] Modify the way we propagate the information about OVAL-5.11 being supported by the system's oscap version during the benchmark build
- [Enhancement] [RHEL/6] Allow RHEL-6 content to start using OVAL-5.11 language constructs if the underlying system oscap version supports OVAL-5.11
- [Enhancement] [Infrastructure] product-make.include -- When including remediations during benchmark build, verify the remediations truly got included. Exit with error if not
- [Infrastructure] [shared/product-make.include] Change the order of prerequisites for the "$(OUT)/xccdf-unlinked-final.xml" target
- [BugFix] [Infrastructure] [shared/product-make.include] Include the remediation scripts back into the benchmarks
- [Refactoring] Avoid requesting the rpm twice
- [Refactoring] Simplify the logic to get path to bash-remediations.xml
Other changes:
- Reference to dynamically built Workbench manual
- Add reference to OpenSCAP manual