SCAP Security Guide 0.1.33 Release Notes

@yuumasato yuumasato released this 29 Apr 09:37
· 30448 commits to master since this release

Highlights:

  • DISA RHEL7 STIG profile alignment improved
  • Introduction of remediation roles
  • RPM and DEB test packages are built by CMake with CPack
  • Lots of remediation fixes

Profile:

  • adding initial SELinux booleans to OSPP
  • [Bugfix] Fix user login in RHEL7-OSPP kickstart
  • [Enhancement] Sorted rule names in OSPP profile
  • Update ftp profile title to proper form
  • [RHEL7] Update STIG profile names
  • [Bugfix] Fixed a typo in title of the FISMA profile for RHEL6
  • [Enhancement][SSG-DISA RHEL7 STIG Alignment] Additional DISA STIG alignments
  • Debian 8: ntpd service name is "ntp"
  • [RHEL7][SSG-DISA RHEL7 STIG Alignment] DISA STIG refactoring

XCCDF:

  • [issue 1842] nosuid on /home
  • update SSH checks with full list of FIPS Ciphers and MACs
  • update sshd xccdf/oval rules
  • XCCDF profile descr <= 80 chars, added periods, assigned missing CCEs

OVAL:

  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Evaluate if var_ntp_set_maxpoll is less than or equal
  • [Enhancement][RHEL7] Use variables in SELinux boolean OVAL content and enable in XCCDF
  • [Bugfix][RHEL7] update enable_dconf_user_profile to check if dconf installed
  • [Bugfix] Make rsyslog_remote_loghost scapval compliant
  • [Bugfix] Change external_variable accounts_umask_etc_login_defs
  • [Bugfix] Fix file_owner_cron_allow and file_groupowner_cron_allow checks

Remediations:

  • fix for ensure_redhat_gpgkey_installed remediation
  • Improve reliability of smartcard_auth remediation
  • Added remediation for aide_scan_notification rule.
  • [Bugfix] Fix remediation for accounts_logon_fail_delay
  • [Bugfix] Use unset IFS instead of unset $IFS
  • [Enhancement] Relabel when SELinux state is changed
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1875: Add a remediation script for aide_verify_ext_attributes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1874: Add a remediation script for aide_verify_acls
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1876: Add remediation script for aide_use_fips_hashes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1886: Add a remediation for rsyslog_remote_loghost
  • [Bugfix] [issue 1930] remove double quote from audit_rules_* remediations
  • [Bugfix] Fixed pam_faillock_deny_root remediation for RHEL 7.
  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Disable prelink in grub2_enable_fips_mode.sh
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1889: remediation sshd_use_approved_macs
  • [SSG-DISA RHEL7 STIG Alignment] Remediations for /etc/cron.allow ownership
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1880: Fix remediation for grub2_enable_fips_mode
  • [SSG-DISA RHEL7 STIG Alignment] Add remediations for mount options of removable partitions
  • [SSG-DISA RHEL7 STIG Alignment] missing and broken remediations
  • [Bugfix] RHBZ #1403905: Fix rules for removable media properties

Infrastructure:

  • Use @CCENUM@ instead of $CCENUM for the token replacement
  • [Infrastructure] Remove stig-integration-stats.sh in favor of profile_stats.py
  • [Infrastructure] Build remediation roles
  • Re-enable generation of SELinux booleans OVAL checks from templates
  • [Bugfix] Protect variable expansion in replace_or_append
  • [Bugfix] Fix variable expansion in sysctl templates
  • Update manual on how to build a tarball, package and zipfile
  • [Infrastructure] Self implement subprocess.check_output for python 2.6
  • [Infrastructure] Bring shellcheck back
  • [Infrastructure] Fix svg detection
  • [Infrastructure] Build guides into build/guides instead of directly into build/
  • [Infrastructure] Build tables into build/tables
  • [Infrastructure] Remove global Makefile as cmake is the build system now
  • [Infrastructure] Drop OVAL checks whose extend_definition refs don't exist
  • [Infrastructure] Build zipfiles through CMake
  • updated README for Debian installation procedure
  • [Infrastructure] Enable building of RPM and DEB packages with CPack
  • [Bugfix][Infrastructure] Remove refresh-stig-refs.sh as it is replaced by create-stig-overlay.py
  • [Enhancement][Infrastructure] Update User and Developer guides to asciidoc format
  • [Infrastructure] Install kickstarts
  • [Infrastructure] Depend on the CPE dict when generating CPE files
  • [Enhancement] Add create-stig-overlay.py for STIG overlay generation

Full list of issues and pull requests closed in this release