Releases: ComplianceAsCode/content

Content 0.1.44 Release Notes

03 May 15:46
8cb2d0f

Highlights

  • SCAP 1.3 DS generated along side SCAP 1.2 DS
  • An Ansible Playbook is generated for each rule
  • Remediation roles terminology fixed
    • Ansible "roles" are now called Playbooks
    • Bash "roles" are now called bash scripts
  • Introduction of package CPEs for Rule applicability
  • Content will detect Podman as a container environment
  • Several fixes in Ansible snippets so that they don't error during execution

Products and Profiles

  • Significant content additions and bugfixes for OpenShift
  • Enable RHV-H and RHEL-H draft STIG profiles
  • RHEL7 STIG profiles renamed to have shorter ID
  • RHEL7 nist-800-171-cui renamed to cui
  • New rules enabled for SLE12

Rules

  • FIPS regulatory warning updated
  • Rules not relevant for containers tagged as machine only
  • Fixed duplicated CCEs

Documentation

  • Documentation in Build.md merged into Developer Guide
  • Mention profile_stats.py in Developer Guide
  • Update Ansible section in Developer Guide
  • Add documentation to build zipfile target

Infrastructure

  • Rename profile_stats to profile_tool and update usage by CMake.
  • CCE checksums are now validated
  • Update ansible template, readme, and script to bring in line with Ansible Galaxy

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.43 Release Notes

21 Feb 16:33
99fde6f

This release features several profile updates, and improvements to the content Test Suite.

  • Content updates
    • OpenShift - Miscellaneous updates
    • Added OL7 Draft DISA STIG profile
    • Added OL8 profiles:
      • Draft HIPAA
      • Draft CUI
      • Draft OSPP
      • CJIS security policy profile
    • Added RHEL7 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • Added RHV4 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • RHEL8 profiles:
      • Updated RHEL8 OSPP
      • Update PCI-DSS profile
      • Added kickstart for OSPP and PCI-DSS profiles
  • Minimum supported ansible version bumped to 2.5
  • Ansible-lint fixes and removal of some trailing whitespace
  • TestSuite
    • Updated documentation
    • New Podman backend
    • Usability improvements
  • Added build_product script to help build content

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.42 Release Notes

11 Dec 15:50
0db5ec5

This release is mostly about improvements in content,
including lots of new rules, checks and remediations added and bugfixes to them.
This release features significant updates in content for

  • Oracle Linux 7, OpenStack Platform 13
  • OpenShift Container Platform 3
  • and newly added product Red Hat Enterprise Linux 8.

Highlights

  • Addition of RHEL8 product
  • Content for OSP7 has been updated for OSP13
  • Content for OCP3 has been updated
  • New content is enabled for OL7
  • Addition of rules that cover configuration of system-wide crypto policy
  • Addition of Fedora 29 in place of Fedora 27
  • Update of TestSuite to work with python3.7
  • Introduction of platform dependent test scenarios

Known issues

  • Building content for RHEL derivatives (CentOS and Scientific Linux) can sometimes fail on the man_page target.
    This is a race condition caused by a missing dependency of the man_page build target.
    The issue is fixed by the following patch: #3662

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.41 Release Notes

01 Oct 13:01
daf9588

This release continues with the fixes "under the hood": the checks and fixes are now better placed, in the same directory as the rule description.
We also feature new Products and new Profiles; test coverage for the rules was significantly improved, along with the testing capabilities of SSGTestSuite.

Highlights

  • Improved test scenario coverage of rules
  • Improvements regarding content for Kubernetes for opencis-ocp-master Profile
  • Introduction of concept of stable Profiles
  • Addition of Ubuntu 1804 Product with ANSSI and standard Profiles
  • Addition of OSPP 4.2 Profile for Fedora
  • Addition of PCI-DSS Profile for Fedora
  • Possibility to manually debug test scenarios
  • Addition of Example Product
  • Support to evaluate test scenarios on container images
  • Introduction of SSG unit tests for build system functions
  • Reorganization of checks and fixes to be closer to the rule description

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.40

25 Jul 12:49

SSG 0.1.40 Release Notes

The 0.1.40 release has most changes "under the hood". A huge amount of content was de-duplicated, and similar checks for slightly different products were unified and merged. This has fixed a huge number of imperfections and subtle bugs.

Other highlights

  • SSG can be built by Python3
  • SSG build system got a unit test setup.
  • Syntax checks of Ansible playbooks have been added to the test suite.
  • Project documentation has been updated, expanded, and restructured.
  • Dropped support for XSLT in the content in favor of jinja2 macros that are nicer and easier to edit.
  • Build system has become more predictable - strict validation for rule identifiers, CCEs and references at build time has been introduced.
  • Improved user feedback on more build-time errors.
  • Better support for rule checks that use multiple OVAL versions (5.10 and 5.11).
  • Made the build system deduce some properties of products (e.g. pkg_system from pkg_manager)
  • Updated Ansible playbooks, so they don't use deprecated constructs.
  • Updated grep invocation to use LC_ALL=C, so it is faster and more predictable.
  • anaconda-populate variable substitution has been fixed.
  • Service disable family of rules take the corresponding socket deactivation into account if applicable in check and in remediations.
  • Set up jinja2 cache for faster builds.
  • Restructure of Python code, which has been divided into the core ssg package, build-scripts and utils.
  • Improved the compare_generated.sh tool for inspection of generated content.
  • The Dockerfile has been modernized, supports Ansible and started to use the Fedora baseimage.

Additions

  • Added mcafee_antivirus_definitions_updated OVAL and XCCDF variables
  • OpenSUSE Leap 15.0 CPE
  • Rules in 0.1.39 that were missing warnings got them.
  • Many OL7 additions (+ pci-dss profile stub).
  • Added tests of auditd rules to SSG Test Suite.
  • dod_banner selector added for RHEL6
  • Support augenrules in RHEL6 for audit_rules_dac_modification

Removals

  • Removed FIPS remediations as well as RHEL CCEs from CentOS.

SCAP Security Guide 0.1.39 Release Notes

02 May 22:02
74e45ee

Highlights

  • XCCDF Rules moved to yaml format
  • Jinja2 templating for Rules, Checks and remediation introduced
  • Profile IDs simplified
  • Product Oracle Linux 7 added
  • Common Profile removed in favor of Standard Profile
  • RHEL7 STIG reference updated to V1R4
  • RHEL6 STIG reference updated to V1R18

Profiles

  • [Bugfix] remove kernel IPv6 from RHEL6 STIG
  • [Bugfix] Remove disabling all usb devices in kernel for OSPP and HIPAA profile
  • [Bugfix] Add Missing DISA RHEL7 STIG XCCDF rules
  • [Bugfix] rhel7: fix titles/descriptions, indicate draft status (rebase of #2717)
  • update references to RHEL7 STIG release to V1R4
  • [Bugfix] Update RHEL 6 STIG Reference to V1R18
  • [Enhancement] Add profile sap to the product ol7
  • [Enhancement] OL7 standard profile extra rules
  • [Enhancement] Simplify profile ids
  • [Bugfix] RHEL 7 STIG V1R4
  • [Bugfix] Remove common profile and use standard profile instead
  • [Enhancement] Extra Apache STIG rules
  • [issue 2571] update OSPP profile name and description
  • [Bugfix] Added the forgotten ospp42 profile
  • [RHEL7] Initial OSPP v4.2 draft profile
  • [Bugfix] Removed duplicate sudo related selects in rhel7's HIPAA
  • [Enhancement] Hippaaahhh

Rules

  • [Enhancement] Fix missing elements and description in var_auditd_admin_space_left_action and var_auditd_space_left_action
  • [Bugfix] rhel6 dod banner prohibit whitespace
  • [Bugfix] update prose to reflect cron time shorthand codes
  • [Bugfix] Remove ignore option for auditing configuration
  • [Bugfix] Change ID of Rule that checks for IPV6 disabled
  • [Bugfix] Fix a mismatched tag issue in RHEL6 sudo.xml

OVAL

  • [Enhancement] Add Docker SELinux check in daemon.json
  • [Bugfix] fix faillock audit oval
  • [Enhancement] aide cron flex
  • audit_rules_privileged_commands: allow arbitrary key
  • ftp_present_banner: update pattern in oval file and add remediation
  • [Bugfix] Add disabled OVAL 5.11 services for SSHD for OpenSUSE
  • Fix Rule ensure logrotate activated
  • Fix #2618

Remediation

  • [Bugfix] Fix dconf_gnome_disable_geolocation script and add missing dconf remediation scripts
  • Removed an accidentally committed file in shared/fixes/bash
  • [Bugfix] Use include_dconf_settings bash remediation function
  • [Bugfix][Enhancement] Use new dconf bash functions for bash scripts and add some missing dconf scripts
  • [Bugfix] Make sure that dconf dirs exist
  • [Enhancement] Unify sshd disable empty passwords
  • [Enhancement] Added support for checks and remediation for mount_options.
  • [Bugfix] Add create_module and finit_module scripts
  • [Enhancement] Add Anaconda Kdump disable script
  • [Bugfix] Fix accounts_passwords_pam_faillock_deny.sh script
  • [Bugfix] Not escaping / character breaks perform_audit_rules_privileged_commands_remediation.sh
  • [Bugfix] Fix typo in set_faillock_option_to_value_in_pam_file.sh
  • updated rhel7/fixes/ansible/service_avahi-daemon_disabled.yml to match template_ANSIBLE_service_disabled
  • [Enhancement] Further improved replace_or_append
  • Improve remediation of auditd_data_disk_full_action
  • [Enhancement] Improved replace_or_append.
  • [Bugfix] Partition remediations
  • Improved bash syntax of bash remediations
  • [Bugfix] eaccess should actually be eacces

SSGTestSuite

  • [Ssgtestsuite] Add tests for verifying file permissions and hashes with RPM
  • [Ssgtestsuite] Added tests for checking for bootloader password protection.
  • Minor in size, but substantial test suite improvements.
  • [Ssgtestsuite] Tests and OVAL fix for Rule sssd_enable_pam_services
  • [Ssgtestsuite] Add remediation for ldap_client_start_tls

Infrastructure

  • [Bugfix] Change yaml.Loader to yaml.SafeLoader
  • Add benchmark metadata element to shorthand
  • Remove all references for dropped OVALs
  • [Infrastructure][Enhancement] Package command apt get
  • [Enhancement] Add minimum package version check with jinja2 template
  • [Bugfix] testoval_module.py not processing oval version correctly
  • [Bugfix] openSUSE CPE update and clean-up
  • [Enhancement] Use yaml.safe_load for build related yaml files
  • [Bugfix] Add python jinja2 package to build doc
  • [Enhancement] Add regex handling for SRG and STIG reference versions in CMake
  • [Infrastructure][Enhancement] jinja2 for fixes, checks and the opencontrol yaml
  • [Bugfix] Add external content to yaml
  • [Bugfix] Don't exit with 0 when product.yml loading fails
  • [Infrastructure][Enhancement] Template ubuntu packages
  • [Documentation] Docs directory cleanup
  • [Enhancement] Require the python yaml module, fatal error if it's not found
  • [Documentation] user_guide.adoc: updates
  • [Bugfix] Document minimum Ansible version in User/Developer Guides
  • [Bugfix] Don't load yaml booleans as python booleans
  • fix link in user guide
  • README.md: fix link
  • Fixed OVAL check exports.
  • [Infrastructure][Bugfix] Apply elements with relevant prodtype when generating xccdf xml
  • Mark draft profiles as "documentation_complete: false"
  • Refactoring of relabel-ids.py
  • Allow over 80 chars-long lines in Python scripts.
  • [Bugfix] Update build instructions to include PyYAML
  • Made the service disable command more complete.
  • [Infrastructure] Added print function support for Python2 where applicable.
  • [Infrastructure] Make it possible to build SSG with python3
  • [Infrastructure] shorthand.xml target should depend on the yaml-to-shorthand script
  • [Infrastructure] Configure python interpreter
  • [Infrastructure] Profile file extension is now ".profile"
  • [Enhancement] Moved stuff around so that the folder matches the Makefile target
  • Update COPR section
  • [Infrastructure] Make SSG easier to edit (the yaml project)
  • RHOSP7 now uses the shared guide
  • Use the shared benchmark for opensuse
  • [Bugfix] remediation functions xml is no longer in shared
  • OL7 was using one group outside of shared but everything else was shared
  • Add support for Oracle Linux 7
  • Updated parts of the project documentation.
  • Made Ubuntu14 and Ubuntu16 to use local content.
  • Move debian8 and rhel6 system and services locally
  • [Bugfix] Source only local shorthand XCCDF to build debian8 content
  • Remove the empty RHEVM3 benchmark
  • [Bugfix] RHEL6 to only use its local shorthand content
  • [Infrastructure][Enhancement] Fedora shared benchmark
  • Remove shared XCCDF from WRLinux for yaml prep
  • [Bugfix] Untangle shared shorthands
  • [Bugfix] Moved firefox shorthand XML to the firefox product folder from shared
  • [Bugfix] Chromium XCCDF was in shared even though it uses nothing else from sh…
  • [Bugfix] Moved the .gitkeep file to where the author most likely intended it
  • [Infrastructure][Bugfix] Fix install of PCI-DSS centric HTML guides

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.38 Release Notes

02 Mar 15:03
137d2c1

Highlights

  • New License - BSD-3 Clause
  • New Profiles introduced for development
    • ANSSI
    • HIPAA
    • C2S-Docker
  • Adoption of CTest for schema validation
  • Several remediation fixes

Profiles

  • [Enhancement] Add initial C2S Docker Profile
  • [Bugfix] This is a shorthand XCCDF, not the actual XCCDF 1.1, the xmlns makes …
  • [Bugfix] It's HIPAA, not HIPPA
  • Add some rules for protection of data in transit and adequate capacity to ensure availability for HIPAA
  • Add anssi reference to rsyslog_service_enabled
  • [Enhancement] Add initial HIPPA profile
  • [Enhancement] Added "anssi" profile to the RHEL7 product
  • [Bugfix] Fix ID of RHEL6 DISA STIG Profile
  • Fixing reference to outdated PAM configuration manual

XCCDF

  • [Bugfix] Add override to C2S-docker Profile
  • [Bugfix] Fix kernel module loading and unloading rules
  • Grub2 password fix
  • [Bugfix] Specify default account expiration value
  • [Bugfix] Specify default LUKS cipher and minimum key size
  • [Bugfix] Reference real files instead of procfs and sysfs files

OVAL

  • update to match all supported EAP 6 releases
  • Improve OVAL filepath expressions.
  • Add check and remediation for RHEL-07-040550 (shosts.equiv)
  • Add check and remediation for RHEL-07-040540

Remediation

  • [Enhancement] Introduced draft of SSG Bash scripting guidelines.
  • [Bugfix] Fixes #2607 - audit_rules_login_events
  • [Bugfix] Enable correct ansible template for file modification audit rules
  • [Bugfix] Fix Ansible remediations broken by Ansible bug.
  • [Bugfix] Fixed the banner enablement option name.
  • [Bugfix] Add Ansible pre-task version checking for Ansible roles
  • [Bugfix] Remove duplicate install_smartcard_packages BASH script
  • [Enhancement] Ensure libsemanage-python is installed or Ansible SELinux boolean tas…
  • [Bugfix] Fix chronyd or ntpd set maxpoll
  • [Bugfix] fixed syntax issue with sed in auditd_data_retention_space_left.sh
  • [Ansible] Hooksie1 ansible pam faillock
  • [Bugfix] Add some of the missing BASH remediations
  • [Bugfix] Disable service remediation fails if service is not installed - ansible
  • [Bugfix] Check if prelink is installed before trying to disable
  • [Bugfix] updated kernel module loading init and delete to use b32 and b64
  • [Bugfix] fixed rpm_verify_permissions to use 4th field in cut statement
  • [Bugfix] Fix UsePrivilegeSeparation ansible remediation
  • [Bugfix] updated key variable to recognize both -k and -F key=
  • [Bugfix] reset IFS back to default in ensure_redhat_gpgkey_installed.sh
  • [Infrastructure][Bugfix] fixed template_BASH_sebool_var with valid bash syntax

SSG Test Suite

  • [Ssgtestsuite] Add tests for accounts_passwords_pam_faillock_deny
  • [Ssgtestsuite] Tests for ctrlaltdel burstaction and audit rules time
  • Changed test suite benchmark specification to use Ref-Id.
  • Update rule_sshd_use_priv_separation test to check for sandbox value
  • [Ssgtestsuite] Add test coverage for rule_accounts_have_homedir_login_defs
  • [Ssgtestsuite] Add test scenarios of rule_umask_for_daemons.
  • [Ssgtestsuite][Bugfix] Small test suite tweaks
  • [Ssgtestsuite] Better bash remediations tests.
  • Add tests accounts umask etc login defs
  • [Ssgtestsuite] Add scenario remediation parameter and fix sshd test scenarios

Infrastructure

  • Update Contributors list for release v0.1.38
  • [Infrastructure][Bugfix] Glob source xccdf files recursively
  • [Infrastructure][Ansible] Script to auto-upload / update ansible galaxy roles from SSG
  • cmake/SSGCommon.cmake: added check for override attribute
  • HTML table sanity check
  • [Easy Fix] Avoid 3 copy paste definitions of subprocess_check_output
  • Initial docs about ctest and adding tests to the cmake build system
  • [regression] Import ssgcommon in profile-stats
  • [Bugfix] New License
  • [Infrastructure][Enhancement] Use ctest instead of make validate
  • [Infrastructure][Bugfix][Enhancement] Update Vendor String in python files to ssgcommon.py
  • [Enhancement] Added description how to write new rules.
  • HTML tables for ANSSI Rules in RHEL7
  • [Bugfix] Fatal error if user attempts in-source build
  • [Infrastructure][Enhancement] Add common python module for centralizing reusable code
  • [Infrastructure][Bugfix] Apply to XCCDF file only the Rule and Group elements that apply to product being built
  • [Infrastructure] Added scanner of STIG IDs for rules in STIG profiles.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.37 Release Notes

03 Jan 14:53

Highlights

  • New Profile DISA STIG for Apache HTTP for RHEL7 (#2474)
  • Support for Ansible remediations in SSG Test Suite (#2468)
  • Better content support for DISA STIG Viewer (#2418)

Profile

  • [Bugfix] Disable pt_chown rule
  • [Bugfix] Fix title of DISA STIG profile in RHEL6 DS.
  • [Enhancement] Add HTTP STIG and new RHT Product STIGs
  • Add GDM login banner checks to C2S profile.

XCCDF

  • [Bugfix] Deprecate RhostsRSAAuthentication as it has been deprecated in 7.4
  • [Bugfix] Fix two stigid mappings
  • [Bugfix] Remove references to pam_ldap.conf

OVAL

  • Add OVAL check and fix for RHEL-07-041001 rule.
  • [Bugfix] Fix gpgcheck OVAL to validate Scientific Linux gpg keys
  • [Bugfix] Check state of openssh-server package when sshd_required is unset
  • [Bugfix] Do not check library ownership in libexec
  • [Bugfix] RHBZ #1520493: Fix umask_for_daemons
  • [Bugfix] Fix StrictModes and KerberosAuthentication checks
  • [Bugfix] Fix typo in auditd OVAL files

Remediation

  • [Bugfix] Ansible: don't use spaces in custom.conf
  • [Bugfix] Added --follow-symlinks to sed commands in display_login_attempts.sh
  • [Bugfix] Updated aide_scan_notification remediation to run cron job as root
  • [Ansible][Enhancement] Add ansible content for accounts_password_pam_retry and accounts_password_pam_unix_remember
  • [Bugfix] Fix accounts_umask_etc_login_defs remediation
  • [Bugfix] Fix typos "local/d" -> "local.d"
  • [Bugfix] Fixed few remediation errors caused by missing include.
  • Fixes ansible remediations
  • Fix rhel7 ansible role

Infrastructure

  • Support for Ansible remediations in SSG Test Suite
  • Move build examples to rhel7
  • [Bugfix] Remove OVAL conf file usage and use ArgParse instead of sys.argv
  • Added pull request creation and workflow suggestions.
  • [Enhancement] Add STIG Rule ID to rules
  • [Bugfix][Infrastructure] Update CMake and python scripts to use OVAL versioning
  • [Bugfix][Infrastructure] Remove CCI formatting from shared table-srgmap XSLT
  • [Enhancement] Add test scenarios for whole permissions_important_account_files group.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.36 Release Notes

31 Oct 17:31

Highlights

  • Introduction of SCAP Security Guide Test Suite
  • Better alignment of RHEL6 and RHEL7 with DISA STIG
  • Remove JBoss EAP5 content due to being End-of-Life
  • New STIG Profile for JBOSS EAP 6
  • Updates in C2S Profile for RHEL 7
  • Variables can be directly tailored in Ansible roles
  • Content presents less false positives in containers
  • Major changes in directory layout
    • oval_5.11 directory removed
    • oval definitions moved to checks/oval
    • static checks are not in templates/static anymore

Profile

  • [Bugfix][Enhancement] Add remaining STIG XCCDF content for RHEL6 and RHEL7
  • [Bugfix] Remove rules no longer in rhel6 STIG profile
  • [Bugfix] Remove RHEL6 tests directory
  • [Enhancement] Add initial OCP3 structure, C2S Profiles, and CPE content
  • [Bugfix][Enhancement] SSG RHEL6 STIG alignment
  • [Bugfix] Add more rules to the C2S profile
  • [Bugfix] Fix XML in rhel7/profiles/C2S.xml
  • [Bugfix] C2S profile updates
  • [Bugfix] Align RHEL6 STIG profiles
  • [Bugfix] Update RHEL6 STIG References to the latest release
  • CJIS profile updates
  • [Enhancement] Add JBoss EAP 6 Rough Draft
  • [Enhancement] Updating C2S profile and CIS reference numbers with existing checks.

XCCDF

  • [Bugfix] Fixing CIS reference number for noexec on /tmp partition
  • [Bugfix] Remove old/automated references
  • [Bugfix] Mcafee related rules as machine only
  • [Bugfix] Add rpm_verify_ownership to rhel7 XCCDF
  • [Bugfix] Add XCCDF Value sshd_required to other products
  • [Bugfix] Add EFI specific permissions content
  • [Bugfix] Fix lock-delay variable description
  • [Enhancement] Adding /home nodev check for CIS rule 1.1.14
  • [Bugfix][Enhancement] Add JBoss Configuration Profile Variable
  • [Bugfix] Remove STIG idents
  • [Enhancement] Remove APPSRG in JBoss XCCDF
  • [Enhancement] Services are machine only
  • [Bugfix][Enhancement] Update RHEL6 references
  • [Bugfix] Assign CCEs to EAP6 content
  • [Bugfix] Add JBoss EAP 6 Titles
  • [Bugfix] Add missing RHEL6 STIGIDs
  • [Bugfix] Fix typo in SSH checklist
  • [Bugfix] Fix ntp/chrony maxpoll value description

OVAL

  • [Bugfix] OVAL service templates should check if service is running/not running
  • [Bugfix] Add disable_ctrlaltdel_burstaction OVAL
  • [Bugfix] Fix OVAL for chronyd_or_ntpd_set_maxpoll and add remediation
  • [Bugfix] Check both .socket and .service unit files in service templates
  • [Bugfix] OpenSSH 7.4 allows only Protocol 2
  • Check if sshd is expected by Profiles
  • [Bugfix] Allow time_clock_settime key to be set to any string
  • [Enhancement] Implemented a check for JBoss EAP6 file permissions
  • [Enhancement] Implemented logging directory permission checks for JBoss EAP6
  • [Enhancement] Added check to verify vault is present in config file
  • [Bugfix][Enhancement] Check for standalone-openshift.xml
  • [Bugfix][Enhancement] Eap64 jmx check
  • [Enhancement] Implemented more EAP 6 checks
  • [Enhancement] Implemented check to ensure that the JBoss EAP6 ROOT logger is at a valid Level
  • [Enhancement] implemented checks for JBoss EAP6 for silent authentication
  • [Bugfix] Update JBoss install OVAL check
  • [Enhancement] Implemented security manager check fixed other checks
  • [Bugfix] Implementation of configuration check for JBoss EAP6 Audit Log Configuration
  • [Enhancement] Add JBoss Vendor Supported OVAL File
  • [Bugfix] Update JBoss EAP CPEs and installed JBoss version OVAL check
  • [Infrastructure] [WIP] Remove .service from service OVAL template files

Remediation

  • [Bugfix] Enable chronyd_or_ntpd_set_maxpoll remediation to fix incorrect values of maxpoll
  • [Bugfix] gpgcheck_globally and gpgcheck_local fail on CentOS
  • [Bugfix] Ansible variable rework
  • [Bugfix] Add remote_src option to aide build db remediation - ansible
  • [Bugfix] Removed extra quotes in ansible audit_rules templates
  • [Bugfix] Login banners regex
  • [Ansible] Aide cron check
  • [Bugfix] Drop firewalld default zone and sshd port fixes
  • [Ansible] PR 2283 from Shawn
  • [Bugfix] Firewalld open sshd port
  • Add task to disable prelinking
  • PR 2245 from Shawn
  • [Ansible][Enhancement] ansible: ensure_gpgcheck_local_packages

Infrastructure

  • [Enhancement][Infrastructure] Remove oval_5.11 dir checks usage
  • [Enhancement] Add OVAL version to oval files
  • [Bugfix][Infrastructure] Add OpenSCAP XSL CMake Variable
  • [Bugfix] Remediations fixes refactoring
  • [Enhancement][Infrastructure] Include roles zipfile
  • [Bugfix][Infrastructure] Update create-stig-overlay.py
  • [Bugfix][Infrastructure] Update docs for new directory structure
  • [Bugfix][Infrastructure] Remove local utils directory
  • [Enhancement][Infrastructure] Move deprecated content list to User Guide
  • [Bugfix] Fix Application SRG web url to be more fine-grained
  • [Enhancement][Infrastructure] Flatten out product name directories
  • [Enhancement][Infrastructure] Move oval directory under the checks directory
  • [Bugfix][Infrastructure] Rename remediations directory to fixes
  • [Infrastructure] Rename and move platform/ directory
  • [Bugfix][Infrastructure] Rename auxiliary directory to overlays
  • [Enhancement][Infrastructure] Add Pull Request Template
  • [Bugfix][Infrastructure] Remove usage of templates/static/ directory
  • [Enhancement] Create issue template for future issues
  • [Enhancement] Increments developer-guide.adoc with information on how to contribute to SSG
  • [Bugfix] RHEL6 build fixes
  • [Bugfix][Infrastructure] Clean up OVAL versioning in combine-ovals.py
  • [Bugfix] Update JBoss STIG Overlay
  • [Enhancement][Infrastructure] Add creation of ${ZIPNAME}-nist.zip to new nist-zipfile target
  • [Bugfix] Improved document formatting
  • [Bugfix] Add realpath to testoval.py
  • [Bugfix] Updated regex to ignore some other filetypes
  • [Bugfix][Infrastructure] Update references transforms
  • [Bugfix][Infrastructure] Replace OSSRG with SRG
  • [Enhancement] Add JBoss stig_overlay.xml
  • [Enhancement] Update JBoss EAP CMakeLists.txt
  • [Enhancement][Infrastructure] Handle different SRG reference types in CMake
  • [Enhancement] HTML guide switcher fix for narrow screens
  • [Enhancement] Add JBoss STIG reference
  • [Bugfix][Infrastructure] Fix expansion of multiple bash populate instances
  • [Bugfix] template_BASH_sebool_var: Fix template missing remediation functions
  • start with a template for centos ci
  • PR 2286 from Shawn
  • [Enhancement] Rule title and other subs
  • SSG Test Suite

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.35 Release Notes

29 Aug 14:40

Highlights

  • Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
  • Added several templates for OVAL checks
  • Removal of input directory
  • Many optimizations in build process
  • Different title for PCI-DSS Benchmark variants

Profile

  • [Bugfix] Refix selector for var_time_service_set_maxpoll
  • [Bugfix] Fix selector for var_time_service_set_maxpoll
  • [Bugfix] Removed extra whitespace around RHEL6 STIG profile titles
  • updated profiles to properly use description override
  • [Bugfix] update profiles to accept either DoD banner
  • [Bugfix] Fix refined value typo in RHEL6 FISMA profile

XCCDF

  • [Enhancement] Add firewalld and LDAP checks
  • [Bugfix] Fix for Issue 2264
  • [Bugfix] update ntpd maxpoll to align with DISA
  • [Bugfix] update severity of RHEL-07-021350 (fips=1) to HIGH to align w/DISA
  • [Bugfix] Add variable for dconf_gnome_screensaver_lock_delay
  • [Bugfix] Maxpoll should be set if chronyd is in use
  • Add dod_banners option to banner_login_text
  • [Bugfix][Enhancement] Package firewalld installed
  • [Bugfix] Use profile variable settings for login.defs to clear up scan results confusion
  • STIG Updates
  • RHEL-07-040460 - UsePrivilegeSeparation sandbox
  • [Bugfix] CCE for insmod auditing

OVAL

  • [Bugfix] change to also check inside of /etc/security/limits.d to verify core …
  • [Bugfix] Check if SSH keys are present before validating file permissions
  • [Bugfix] Update accounts_passwords_pam_faillock_deny to handle line skipping
  • [Bugfix] Check if aide is installed in OVAL and remediation scripts

Remediations

  • [Bugfix] Fixing issue 2205
  • [Bugfix] Ansible branch for issue 2205 RHEL 7.3 error: rpm_verify_permissi..
  • [Bugfix] re-enable remediation for net.ipv6.conf.all.disable_ipv6 = 1
  • [Ansible] ansible: account_disable_post_pw_expiration
  • Ansible accounts umask etc login defs
  • [Ansible] ansible: sssd_*
  • [Enhancement] dconf_gnome_screensaver_* ansible scripts
  • [Enhancement] GDM ansible scripts
  • [Enhancement] Set rsyslog_remote_loghost_address to default value "logcollector"
  • [Ansible] Creates file_permissions_* ANSIBLE remediation
  • [Ansible] Creates file_owner_* ANSIBLE remediation
  • [Ansible] ansible: dconf_gnome_disable_*
  • [Enhancement] Creates file_groupowner_* Ansible remediation
  • [Bugfix] Removes silent from the pam.d deny_root search/replace pattern
  • [Bugfix] fix audit syscall rule sed needs an escape character to properly run
  • [Bugfix] Adding update to fix_audit_syscall_rule to not use slashes
  • [Ansible] Creates audit_rules_privileged_commands ANSIBLE remediation
  • Disable remediation for "repo_gpgcheck=1"
  • Additional Ansible Scripts
  • [Bugfix] remove nullok, handle links
  • [Ansible][Enhancement] Firewalld ansible fixes
  • [Ansible][Enhancement] [ansible] security_patches_up_to_date

Infrastructure

  • Update Fedora CPEs
  • update manpage to have --oval-results in example
  • Removes platform column from file_groupowner csv
  • [Bugfix] add container_build to gitignore
  • [Enhancement] Add "PCI-DSS variant" suffix to every title of the PCI-DSS benchmark
  • [Enhancement] Remove input directory
  • [Enhancement] docs: How to create stig_overlay.xml
  • [Ansible][Enhancement] Creates templates for audit_rules_execution OVAL checks, BASH and ANSIBLE remediations
  • [Bugfix] Functions use return, "exit" exits whole script
  • [Bugfix][Infrastructure] Don't generate roles for empty profiles
  • Minor idtranslate fixes
  • [Bugfix][Enhancement] Minor PEP8 fixes in map_product_module.py
  • Skip non-bash remediation function script files
  • [Bugfix] Rebuild PCI-DSS XCCDF benchmark if the script or PCI-DSS ID json change.
  • [Bugfix] Use str.replace instead of re.sub in create_audit_rules_..
  • [Enhancement][Infrastructure] Creates template for audit_rules_usergroup_modification OVAL checks
  • [Ansible][Infrastructure] Template for audit_rules_privileged_commands
  • [Enhancement] Check that a trimmed key is not part of the result string after template sub
  • Creates template for audit_rules_login_events OVAL checks and BASH remediations
  • [Bugfix] Evaluate sed command
  • Creates template for audit_rules_file_deletion_events OVAL and BASH
  • [Bugfix] Fixed the variable substitution in template_OVAL_permissions
  • Creates template for audit_rules_unsuccessful_file_modification OVAL and BASH
  • Sorts the output of option --missing-fix in profile-stats.py
  • Fixes bug in relabel-ids.py regarding missing OVAL definitions
  • Adds CMakeLists.txt.user to .gitignore
  • [Bugfix][Infrastructure] %VAR% for template replace, @var@ for build system replace
  • [Bugfix] Dockerfile fixes
  • [Infrastructure] Updates python shebangs for virtualenv support.
  • [Infrastructure] Pci dss cjis ansible tags
  • [Infrastructure] Only consider PCI-DSS related rules when constructing the PCI-DSS tree
  • [Infrastructure] Ansible tags improvements
  • [Enhancement][Infrastructure] Minor speedups in templates
  • [Enhancement][Infrastructure] Minor cmake improvements
  • [Enhancement][Infrastructure] Version bump
  • [Bugfix][Enhancement][Infrastructure] Improved OVAL and OCIL generator elements
  • [Bugfix][Infrastructure] Combine ovals namespace fixes
  • [Bugfix] Pass the correct variable to the template in create services disabled
  • [Infrastructure] Make schematron OVAL validation optional but still default it to true (build time optimization)
  • [Infrastructure] Very minor optimization in srgmap XSLT (build time optimization)
  • [Infrastructure] Make SSG build more portable
  • [Bugfix][Disa Content Issues] Include AIDE installed in the STIG profile for RHEL7
  • [Infrastructure] Make stats
  • [Infrastructure] Generate roles from xccdf
  • [Infrastructure] Don't list templating file outputs as explicit deps for the targets (build time optimization)

Full list of issues and pull requests closed in this release