Content 0.1.74

Important Highlights

• Add Amazon Linux 2023 product (#12006)
• Introduce new remediation type Kickstart (#12144)
• Make PAM macros more flexible to variables (#12133)
• Remove Debian 10 Product (#12205)
• Remove Red Hat Enterprise Linux 7 product (#12093)
• Update CIS RHEL9 control file to v2.0.0 (#12067)

New Rules and Profiles

• Add initial RHEL 10 CIS profiles (#12075)
• Add new rule audit_rules_var_log_journal (#11920)
• Add new rule file_permissions_var_log_audit_stig (#11966)
• Add new rule install_endpoint_security_software (#11970)
• Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
• Add rule dir_groupowner_system_journal (#11838)
• Add rule dir_owner_system_journal (#11839)
• Add rule file_group_ownership_var_log_audit_stig (#11924)
• Add rule file_groupowner_journalctl (#11841)
• Add rule file_owner_journalctl (#11835)
• Add rule file_permissions_etc_audit_rules (#11959)
• Add rule file_permissions_journalctl (#11834)
• Check ufw is active (#11984)
• Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
• Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
• Initial HIPAA RHEL 10 Profile (#11915)
• Initial ISM O RHEL 10 Profile (#11994)
• Initial OSPP Control File (#11882)
• Initial RHEL 10 e8 Profile (#11976)

Updated Rules and Profiles

• Add package_rng-tools_installed to Fedora OSPP profile (#12246)
• Add package_firewalld_installed to CCN and enable CCN Advanced profile test in CI (#12139)
• Add CCEs to RHEL 10 Rules (#12113)
• Add draft status to all RHEL 10 profiles (#12224)
• Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
• Add SSH related STIG rule to slmicro5 platform (#12193)
• Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
• Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
• Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
• Better description and test scenarios for set_nftables_table (#11991)
• CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
• CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
• CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
• Correct the platform for rule package_iptables-persistent_removed (#12195)
• Disable OSPP Profile for RHEL 10 (#12223)
• Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
• Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
• Ensure code consistency by using aide_conf_path var (#12066)
• Ensure that security_patches_up_to_date is not built with remediations (#11995)
• Exclude package_screen_installed from RHEL 10 OSPP (#12179)
• Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
• Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
• Fix missing variable for Ubuntu 22.04 (#11973)
• Fix package name for libpam-pkcs11 on Ubuntu (#11854)
• Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
• Fix pwquality package name for Ubuntu 22.04 (#11919)
• Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
• Fix rule name in Ubuntu 22.04 STIG profile (#11971)
• Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
• Guide/anssi r45 (#12129)
• increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
• Make the behavior of chronyd_sync_clock rule more consistent (#12039)
• Modify rule file_groupowner_system_journal (#11836)
• Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
• OCPBUGS-1316: Add missing variable reference to rules (#12012)
• OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
• OCPBUGS-33945: select required SSHD timeout rule (#12091)
• OSPP profile, use Logind session timeout feature instead of tmux (#12212)
• Override few variables for Ubuntu 22.04 (#11928)
• remove logind_session_timeout from stig_gui profiles (#12086)
• Remove rhel7 only rules (#12112)
• Revert changes to no_empty_passwords for Ubuntu (#11918)
• Slmicro5 stig add privileged commands support (#12221)
• Support all boolean values in dnf.conf (#11965)
• Update rules related to PAM hashing algorithm (#12164)
• Update SLE15 STIG version to V1R13 (#11921)
• Updated 10 rules to support SLE Micro 5 (#12210)

Removed Products

• Remove Debian 10 Product (#12205)
• Remove Red Hat Enterprise Linux 7 product (#12093)

Changes in Remediations

• Improve remediation for enable_authselect (#12038)
• Achieve consistent file and directory permissions for systemd journals (#11974)
• Add ansible automation for configure_usbguard_auditbackend (#12092)
• Add ansible remediation for account_password_selinux_faillock_dir (#12094)
• Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
• Add ansible remediation for no_tmux_in_shells rule (#12138)
• add namespace parameter for cluster-test (#11824)
• Add SCE check for ufw_rate_limit for Ubuntu (#11998)
• Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
• Adjust bash template (group)file_owner to follow symlinks (#12214)
• align template systemd_dropin_configuration (#12054)
• Create dconf db directory for local profile (#12079)
• Create file if it doesn't exist for coredump rules (#12181)
• Ensure that security_patches_up_to_date is not built with remediations (#11995)
• Fix bash_package_installed macro (#12140)
• Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
• Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
• Fix permissions for dconf db on Ubuntu (#12056)
• Fix Ubuntu faillock (#11932)
• Introduce new remediation type Kickstart (#12144)
• Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
• Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
• Simplify use of ansible_ensure_pam_module_option macro (#12159)
• Slmicro5 auth,security and audit STIG rules (#12192)
• templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
• Update ansible remediation CCE-85972-8 to support idempotency (#12152)
• Update rules related to PAM hashing algorithm (#12164)

Changes in Checks

• Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
• Fix broken OVAL metadata (#12151)
• Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
• Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
• Honour the no_quotes paramter of oval_check_dropin_file macro (#12173)
• Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
• Improve Rsyslog rules to support RainerScript syntax (#12010)
• Slmicro5 auth,security and audit STIG rules (#12192)
• templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
• Update OVAL check in accounts_password_last_change_is_in_past (#12177)
• Update rules related to PAM hashing algorithm (#12164)

Changes in the Infrastructure

• Add a script for finding unused rules (#12110)
• Add option to build per rule playbook via build_product script (#12105)
• Allow multiple control files to add the same reference type (#12165)
• Ensure that RHEL 10 has CCEs (#12137)
• Expand CCE Available Test to OCP4 (#12114)
• Fix Filename for UBI test (#12115)
• Fix Nightly Build - Debian 12 (#12033)
• Improve error handling when loading yaml stream (#11962)
• Include product property in profile class (#12050)
• Install dependency "xmllint" package (#12080)
• Mark some scenarios as specific to SCE (#12052)
• OCP Update variable filter to consider go_template (#11906)
• Remove duplicate product (#12049)
• Review and reorganize CMakeLists.txt file (#12000)
• Show most used rules of component (#12001)
• Stop building -ds-1.2.xml data streams (#11990)
• Update Gating (#12041)

Changes in the Test Suite

• Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
• Add Ubuntu 22.04 Automatus workflow (#12058)
• Automatus to UBI 8 (#12100)
• Better description and test scenarios for set_nftables_table (#11991)
• Clean Up Tests Due to RHEL 7 Removal (#12101)
• Disable service_enabled templated test for service_bluetooth_disabled (#12211)
• Do not run package_audit-libs_installed package removal test scenarios (#12099)
• Fix crypto policy in CIS test scenario (#12098)
• Fix OL7 GH Action (#12143)
• Fix platforms -> platform in test metadata (#12057)
• Fix regex in file_ownership_audit_configuration (#12029)
• Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
• Github Action Ansible shell module changes check (#12014)
• Include test scenario for multiple partitions (#11950)
• Make Rawhide CI Green (#12065)
• OCP4: Add workflow to test ocp content (#11615)
• OCP4: use new assertion formate for OCP CI (#11790)
• Pin GitHub actions using Frizbee (#12082)
• Populate _rule_id virtual template parameter in Automatus (#11943)
• Remove the excluded_files (#12196)
• Validate Automatus Metadata (#12059)

Documentation

• Add script to Create a Control file from references (#11916)
• Additional updates in kernel_module_disabled template (#12160)
• Bump version after release (#12025)
• Fix a typo (#12017)
• Fix typos in notes for ocp4 controls (#11963)
• Update Contributors for v0.1.74 (#12225)
• Update control schema (#11942)
• Update RHEL 8 STIG SCAP Content to V1R13 (#12219)

Content 0.1.73

Important Highlights

• CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
• Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
• Generate rule references from control files (#11540)
• Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)

New Rules and Profiles

• Add and modify rules file/dir_permissions_system_journal (#11840)
• Add ANSSI Profiles for RHEL 10 (#11787)
• Add initial RHEL 10 PCI DSS profile (#11872)
• Add new rule file_permissions_sudo (#11584)
• Add new templated rules for System.map files (#11640)
• ANSSI R31 updates (#11560)
• Audit watch on /etc/sysconfig/network-scripts (#11724)
• CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
• CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
• Implement ANSSI requirement R69 for RHEL (#11663)
• Improve ANSSI R28 (#11626)
• Inital RHEL 10 STIG (#11793)
• Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
• Openembedded fixes (#11652)
• Update ANSSI R50 (#11588)

Updated Rules and Profiles

• [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
• accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
• Add a note to ANSSI R23 (#11571)
• Add a warning to sshd_limit_user_access (#11507)
• Add automation to enable faillock rules (#11458)
• Add platform machine to systctl.d rules (#11622)
• Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
• Additional updates in kernel_module_disabled template (#11508)
• Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
• Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
• Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
• ANSSI R31 updates (#11560)
• api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
• CMP 2453 pci dss requirement 1 (#11725)
• CMP-2365: Fix check for rotating kubelet server certificates (#11543)
• CMP-2372: Remove info override for virtual syscall rules (#11544)
• CMP-2378: Fix OCP version regex (#11499)
• CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
• CMP-2471: Disable rules on s390x (#11743)
• Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
• Do not require existence of /var/tmp/tmp-inst (#11762)
• Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
• ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
• extend the explanation why ANSSI R52 requirement is manual (#11629)
• Fix #11895 issue (#11897)
• Fix #11898 issue (#11899)
• Fix #11902 issue (#11905)
• Fix dconf package name for Ubuntu (#11821)
• Fix description for auditd_max_log_file_action (#11585)
• Fix kdump service name on Ubuntu 22.04 (#11914)
• Fix OCP node OVN check (#11861)
• Fix rule for accounts_authorized_local_users in SLE15 (#11602)
• Fix SCE check for ip6tables_rules_for_open_ports (#11849)
• Fix SCE checks for iptables_loopback_traffic (#11850)
• HIPAA profile for SLE 15 - update (#11582)
• Implement ANSSI requirement R69 for RHEL (#11663)
• Improve ANSSI R28 (#11626)
• Improve Rsyslog Rainer regex to find log files (#11808)
• Improve title of CCN profiles for RHEL9 (#11852)
• Make package installation for iptables and nftables mutually exclusive (#11191)
• mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
• Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
• oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
• OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
• OCP4: Add rule to check ACS sensor deployed (#11675)
• OCP4: Fix rules with both platform and platforms (#11760)
• OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
• OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
• OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
• OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
• Openembedded fixes (#11652)
• put exec back to configure_bashrc_exec_tmux (#11561)
• Remove disabling_ipv6_autoconfig rule (#11550)
• Replace dead HTML links for the chronyd project (#11799)
• RHEL-09-232045: align with STIG (#11890)
• Rule had incorrect CRD reference rule.yml (#11823)
• Set the requires to sshd_set_keepalive on sshd_set_idle_timeout (#11815)
• sysctl template: allow skipping of runtime checks (#11574)
• trivial: fix linting issue (#11711)
• trivial: Update link to audit profile documentation link (#11732)
• Try 4110 for file_permissions_sudo (#11805)
• ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
• Update ANSSI R29 requirement (#11633)
• Update ANSSI R32 (#11570)
• Update ANSSI R36 requirement (#11632)
• Update ANSSI R40 (#11563)
• Update ANSSI R50 (#11588)
• Update ANSSI R67 requirement (#11642)
• Update ANSSI R68 (#11580)
• Update ANSSI R71 (#11578)
• Update audit_ospp_general (#11519)
• Update CIS requirement status (#11784)
• Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
• Update CIS RHEL8 requirements related to crypto (#11506)
• update cryptopolicy used in CUI profile to fips (#11792)
• Update notes in ANSSI R3 (#11680)
• update notes of the R36 requirement for ANSSI (#11639)
• Update ol8 pcidss (#11867)
• Update ol8 profiles (#11829)
• Update ol8 stig (#11828)
• Update ol8 stig reference (#11884)
• Update ol9 pcidss (#11873)
• Update ol9 profiles (#11846)
• Update RHEL 8 STIG to V1R14 (#11878)
• Update RHEL9 STIG to V1R3 (#11877)
• Update SLE12 STIG to V2R13 (#11599)
• Update SLE15 STIG to V1R12 (#11598)
• update sles oval feed url (#11461)
• Update SRG GPOS Control File (#11634)
• Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
• Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
• Update STIG PSC Content (#11664)
• Update sudo_dedicated_group (#11586)
• Use string instead of number in oauth variable (#11613)
• Use controls to assign ANSSI references (#11556)

Changes in Remediations

• [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
• [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
• [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
• [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
• accounts_passwords_pam_tally2_deny_root fix (#11676)
• Add Ansible remediation to sssd_enable_pam_services (#11796)
• Add Ansible Remediations (#11763)
• Add root user to interactive users (#11729)
• Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
• Additional updates in kernel_module_disabled template (#11508)
• Align securetty_root_login_console_only remediations with OVAL/rule description (#11716)
• Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
• Changes in template service_disabled - ansible part (#11645)
• Disallow spaces in SSSD certificate_verification option (#11728)
• Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
• Fix ansible lint for SLE platforms (#11911)
• fix ansible SLES stig remediations in check mode (#11248)
• Fix Bash remediation of firewalld-based rules for offline mode (#11868)
• Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
• Fix non-idempotent bash remediation for sysctl template (#11671)
• fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
• Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
• Fix ubuntu remediation for pam_faildelay (#11532)
• Fix Ubuntu remediation for pam_faillock rules (#11488)
• Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
• Issue when using set -e with grep commands (#11712)
• Make Blueprint for service_disabled template to mask services (#11679)
• OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
• pam_options ansible template dry-run fix (#11677)
• Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
• remove prodtype from add_kubernetes_rule (#11500)
• Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
• Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
• set indent to 4 (#11530)
• Simplify output of ip link show command (#11657)
• update links and unify documentation in kickstart files (#11765)
• Update links for Ansible role (#11737)
• Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
• use failed_when:false for Ansible register: checks (#11782)

Changes in Checks

• accounts_passwords_pam_tally2_deny_root fix (#11676)
• Add root user to interactive users (#11729)
• Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
• all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
• App armor oval check (#11273)
• Correction in oval part ensure_gpgcheck_globally_activated (#11709)
• Disallow spaces in SSSD certificate_verification option (#11728)
• Enforce explicit setting in password-auth (#11742)
• Enforce explicit setting in system-auth (#11740)
• Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
• Fix macro for extracting local interactive users (#11589)
• Fix regression in grub2_bootloader_argument (#11768)
• Make additional check if selinux is enabled and operational (#11510)
• Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
• Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
• Restrict the list of accepted shells in no_shelllogin_for_systemaccounts...

Content 0.1.72

Important Highlights

• ANSSI BP 028 profile for debian12 (#11368)
• Building on Windows (#11406)
• Control for BSI APP.4.4 (#11342)
• update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks

New Rules and Profiles

• Add alinux2/alinux3 support for pci-dss compliance (#11398)
• Add anolis23/anolis8 support for pci-dss compliance. (#11401)
• Add new rule file_cron_allow_exists (#11441)
• Add rules for /etc/shells (#11467)
• Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
• ANSSI BP 028 profile for debian12 (#11368)
• Control for BSI APP.4.4 (#11342)
• Add rules for /etc/shells (#11467)
• Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)

Updated Rules and Profiles

• Review CIS RHEL8 v3.0.0 Section 3 (#11469)
• Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
• Add package_firewalld_installed to RHEL 9 CIS (#11351)
• align description of audit_rules_kernel_module_loading (#11443)
• Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
• Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
• align rule audit_rules_privileged_commands_kmod (#11320)
• Allow spaces in rule sudo_custom_logfile (#11433)
• Enable Rules For OSBuild (#11362)
• enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
• Fix a duplication of the code ID 3.5.2.1 (#11421)
• Fix ANSSI URL in control file and update RHEL profiles (#11365)
• Fix RHEL 8 STIG version (#11515)
• Fix Service Applicability for RHEL 9 Profiles (#11367)
• Handle rules trying to remove no longer existing packages (#11354)
• Improve Performance on rules probing the whole file system (#11319)
• Minor modifications to RHEL STIG profiles (#11327)
• Move to /bin/false for disabling kernel modules (#11475)
• Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
• Remove irrelevant rules from PCI-DSS profiles (#11338)
• Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
• Remove warning from kubelet rule (#11243)
• Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
• Review rpm_verify_hashes rule (#11332)
• Review rpm_verify_ownership rule (#11333)
• Review rpm_verify_permissions rule (#11335)
• RHEL 7: change how xwindows is disabled in CIS profile (#11466)
• RHEL 8: align with CIS 3, section 2 (#11457)
• RHEL7 CIS: align section 2 with the final version (#11453)
• Stablization: Update audit_ospp_general (#11520)
• Support drop-in config in journald rules on RHEL (#11440)
• Update CIS profiles descriptions (#11491)
• Update grub2_mitigation_argument (#11271)
• Update OL stig references (#11472)
• Update OL8 STIG id references (#11451)
• Update OL8 stig selection for OL08-00-040259 (#11312)
• Update Oracle Linux anssi profiles (#11313)
• Update RHEL 7 CIS Section 1 (#11449)
• Update RHEL 7 STIG to V3R14 (#11477)
• Update RHEL 8 STIG to V1R13 (#11478)
• Update RHEL 9 STIG to V1R2 (#11479)
• Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
• Update STIG version for SLES 12 and SLES 15 (#11357)
• Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
• Use correct HTML element for inline code (#11408)
• various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
• xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)

Changes in Remediations

• [Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
• A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
• Add blueprint remedation for enable_fips_mode (#11363)
• Add check if to continue with ansible task (#11299)
• add explaining comment to mount_option bash template (#11444)
• Add support to disable wifi interfaces via wicked (#11428)
• Ansible: change the sysctl module fqcn for rhel7 product (#11465)
• configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
• Do not change comments by remediations (#11434)
• Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
• Fix in sebool ansible (#11245)
• Fix ShellCheck Issues in CPE Checks (#11322)
• fix: service_timesyncd_configured (#11410)
• Make some improvements to bash remediation template (#11361)
• Move to /bin/false for disabling kernel modules (#11475)
• Sle15 fix ansible cis remediations (#11258)
• Sle15 fix ansible hipaa remediation (#11264)
• Sle15 fix ansible pci-dss remediations in check mode (#11263)
• Stabilization - Fix Ansible compatibility with sysctl module (#11538)
• Support drop-in config in journald rules on RHEL (#11440)
• Turn off blueprint for package_MFEhiplsm_installed (#11350)
• Turn off remedations for /dev/shm (#11364)
• Use commit hash for image tag (#11233)

Changes in Checks

• Add ocp platforms to some eks shared OVALs (#11436)
• Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
• Fix invoke parent's init function (#11400)
• Generate OVAL document for each rule (#11291)
• Improve Performance on rules probing the whole file system (#11319)
• Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
• Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
• Review rpm_verify_ownership rule (#11333)
• Review rpm_verify_permissions rule (#11335)
• Support drop-in config in journald rules on RHEL (#11440)
• Update Select SSSD Rules for RHEL 7 STIG Update (#11476)

Changes in the Infrastructure

• Add Gate tests back to master (#11331)
• Add missing group.yml (#11373)
• Add Windows CI (#11412)
• add XSLT_PATH prefix with environment override (#11390)
• Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
• Building on Windows (#11406)
• Control Files' level key must be an array (#11417)
• Fix Debian 10 CI (#11426)
• Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
• Fix invoke parent's init function (#11400)
• Fixes update-oscal.yml to remove env context from matrix variables (#11374)
• Generate OVAL document for each rule (#11291)
• Ignore mypy in the EOF Checker (#11323)
• OCP4: Update k8s action to build image on new PR (#11384)
• Refactoring: Remove 'prodtype' Mk.2 (#11378)
• Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
• remove the task which deletes artifacts from automatus GH workflows (#11482)
• Update GitHub Artifacts Action Steps to v4 (#11411)
• Validate levels in controls (#11427)
• We should raise NotImplementedError (#11414)

Changes in the Test Suite

• Allow tests/test_product_stability.py to be executed (#11464)
• Fix OpenEmbedded name in test stability (#11463)
• Fix Secure Boot Automatus VM Installs (#11239)
• Fix tests for sudo_require_authentication (#11315)
• OCP4: Fix e2e result on OCP 4.14 changes (#11207)
• Update test-check-eof for smoke test (#11402)
• Update Install VM to use Fedora 39 (#11418)

Documentation

• Add documentation of the steps that OVAL content goes through during the build (#11336)
• Add GitHub Actions Style Guide (#11330)
• Add STIG Tables for RHEL 9 (#11376)
• bump version to 0.1.72 (#11308)
• Finish rename to Automatus (#11404)
• Fix broken formatting (#11403)
• Remove all contributors file (#11317)
• Update contributors list for v0.1.72 release (#11483)
• Update SRG GPOS to V2R7 (#11480)

Content 0.1.71

Important Highlights

• Add RHEL 9 STIG (#11193)
• Add support for Debian 12 (#11228)
• Update PCI-DSS profile for RHEL (#11267)

New Rules and Profiles

• New Rule: networkmanager_dns_mode (#11160)

Updated Rules and Profiles

• Add remediation and OVAL for UBTU-20-010297 (#11098)
• Add SRG id to file_owner_grub2_cfg for RHEL 9 STIG (#11261)
• Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
• Added missing variables to ubuntu profiles (#11227)
• Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
• Corrections in bash/ansible remedition of the rule audit_rules_privil… (#11196)
• Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
• daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
• Daily prod fix: return rhel7 prodtypes to some rules (#11303)
• Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
• Fix audit_rules_privileged_commands_kmod (#11277)
• Fix multiple STIG IDs for RHEL8 (#11250)
• Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
• fix ssh-keysign path for UBTU-20-010141 (#11082)
• Fix ssh-keysign path for Ubuntu 22.04 (#11297)
• Fixes for kernel_config_security rules (#11259)
• Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
• Make selinux context elevation for sudo more flexible (#11224)
• Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
• Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
• remove sle15 from package_samba_common_installed (#11231)
• Review and Update pcidss_4 control file (#11214)
• Update PCI-DSS profile for RHEL (#11267)
• Update RHEL 7 STIG V3R13 (#11223)
• Update RHEL 8 STIG to V1R12 (#11219)

Changes in Remediations

• Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
• Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
• Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
• Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
• Fix sudo_require_reauthentication remediations edge case (#11279)
• Improve stability of timesyncd based remediation (#11247)
• Include remediation for fapolicy_default_deny rule (#11211)
• Refactor ensure_pam_wheel_group_empty rule (#11192)
• remove duplicated multi_platform_sle in bash.template (#11244)
• Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
• SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
• Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
• Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
• Update sshd lineinfile (#11151)

Changes in Checks

• Fix kernel_module_disabled template for Ubuntu (#11294)
• Include dracut filter to audit_rules_privileged_commands (#11246)
• Integration of the OVAL object model into the combine_ovals.py script (#11236)
• Modification of the OVAL linker to use the OVAL object model (#11290)
• Prepare OVAL object model for integration (#11206)
• Refactor ensure_pam_wheel_group_empty rule (#11192)
• Reference validation in OVAL document object (#11235)
• SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)

Changes in the Infrastructure

• Access to enable the logging of the combine_oval.py script (#11260)
• Add .github to EOF checker (#11287)
• Add a better Error Message For Undefined Identifier Types (#11213)
• Add alternatives to mandatory keys (#11268)
• Add Better a Error Message For Undefined Reference Types (#11159)
• Avoid duplicate loading of component files (#11195)
• controleval.py: Return empty list when parameter is not found (#11300)
• Fix CI job after Fedora 39 release (#11256)
• Integration of the OVAL object model into the combine_ovals.py script (#11236)
• Make prodtype Required in JSON Schema (#11281)
• Modification of the OVAL linker to use the OVAL object model (#11290)
• Move jqfilter parameter to common parser (#11232)
• Reference validation in OVAL document object (#11235)
• remove some unnecessary imports (#11175)
• remove unused code (#11187)
• Update Ansible Lint Config (#11283)
• Use up to date build_ds_container script in add_platform_rule.py (#11042)

Changes in the Test Suite

• Add package requirement for auditctl tests (#11181)
• Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
• Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
• Enable PCI-DSS in test-farm tests (#11257)
• Fix rpm python package SLE15 Automatus docker file (#11212)
• Fix SLE15 tests (#11172)
• Include dracut filter to audit_rules_privileged_commands (#11246)
• Include remediation for fapolicy_default_deny rule (#11211)
• New Rules Must Have a prodtype (#11252)
• Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
• Require SRG Reference for Rules with STIG Reference (#11265)

Documentation

• Add stabilization phase description to developers guide (#11234)
• Bump version for 0.1.71 (#11168)
• Documentation for tool tox (#11165)
• Fix docs for utils.add_kubernetes_rule (#11238)
• update list of contributors before 0.1.71 release (#11307)
• Update Style Guide to Ensure that PR Titles are Useful (#11284)

Content 0.1.70

Important Highlights

• Add openembedded distro support (#10793)
• Remove DRAFT wording for OpenShift STIG (#11100)
• Remove test-function-check_playbook_file_removed_and_added test (#10982)
• scap-security-guide: Add Poky support (#11046)

New Rules and Profiles

• Add rule package_s-nail-installed (#11144)
• Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)

Updated Rules and Profiles

• A correction in the rule pam_disable_automatic_configuration (#10902)
• accounts_umask_etc_bashrc: depend on bash being installed (#10915)
• Add a two rules to RHEL 9 STIG (#10910)
• Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
• Add missing CIS references for SLE platforms (#11024)
• Add mount platform to mount_option_var_nosuid (#11037)
• Add rule logind_session_timeout to OL8 STIG (#10917)
• Add SELinux as platform (#11138)
• Add SRG ID to logind_session_timeout (#10936)
• Add tmux platform to tmux related rules (#11017)
• Add UBTU-20-010044 to existing ansible remediation (#11073)
• Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
• Add UBTU-20-010401 to restrict kernel message buffer (#11063)
• Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
• Add UBTU-20-010462 to lock accounts without passwords (#11060)
• Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
• Add variable support to auditd_name_format rule (#11019)
• Add version for OCP CIS (#11152)
• Add version for OCP STIG (#11153)
• Add version metadata to the OCP PCI-DSS profile (#11155)
• Add warning to network_configure_name_resolution (#10997)
• Allow default permission for user.cfg file in UEFI systems (#10884)
• ANSSI: add rules to enable auditing service (#11005)
• Build OCP STIG profiles by default (#11132)
• Change how example ROLE_LIST are formatted (#11123)
• Change rule to use variable when auditing faillock (#11007)
• Changes in SLE 12/15 profiles to support logrotate service (#10796)
• Couple of fixes in PAM related rules for SLE platforms (#11014)
• Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
• Deprecate UBTU-20-010180 (#11079)
• Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
• Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
• Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
• Enable logrotate.timer check on RHCOS4 (#11045)
• Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
• Express more accurate per package platform limitation for firewall rules (#10812)
• Fix excluded_files and recursive for UBTU-20-010416 (#11086)
• Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
• Fix into the rule sysctl_kernel_randomize_va_space (#10555)
• fix naming for UBTU-20-010430 (#11056)
• Fix package_audit-libs_installed rule.yml (#11127)
• Fix rule ubtu 20 010033 (#11065)
• Fix STIG references for SLE15 (#10850)
• Fix UBTU-20-010179 to use proper parameters and key (#11080)
• Fix UBTU-20-010267 and deprecate STIGs (#11084)
• Fix UBTU-20-10450 STIG (#11058)
• Fix variable selection when selecting the default value (#11015)
• Implement rules for CIS OCP Section 1.4 (#10840)
• Include new options in var_accounts_minimum_age_login_defs (#11052)
• Include RHEL indentifiers in logrotate related rules (#10904)
• Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
• iptables_ruleset_modifications: depend on iptables being installed (#11030)
• no_rsh_trust_files: depend on rsh-server being installed (#10809)
• OCP4 CIS: Re-add forgotten rules (#10864)
• OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
• OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
• OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
• OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
• OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
• OCPBUGS-7455: Hide API warning messages (#10971)
• OL7 DISA STIG v2r12 update (#10921)
• Port over etcd encryption rule from CIS 1.3 controls (#10753)
• Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
• Remove controller_rotate_kubelet_server_certs from OCP CIS v.1.4.0 (#10992)
• Remove CIS reference from image policy webhook rule (#10932)
• Remove DRAFT wording for OpenShift STIG (#11100)
• Remove protect kernel default and sysctl rules from CIS (#10931)
• remove rules not relevant to RHEL 9 from STIG profile (#10996)
• Remove rules that cannot be applied during image build (#10946)
• Remove sebool_secure_mode_insmod from anssi (#11001)
• Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
• Remove tickets from CIS control files (#10869)
• RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
• Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
• Standard Profile Improvements (#11109)
• Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
• Update CIS profiles to use control files (#10833)
• Update kubelet event creation limit to 50 (#10950)
• Update link to English version of ANSSI guide (#11038)
• Update metadata of OSPP profile in RHEL8/9 (#10984)
• Update OL8 STIG to V1R7 (#10918)
• Update platform on bios_enable_execution_restrictions (#10880)
• Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
• Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
• Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
• Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
• Version FedRAMP high and moderate profiles for OpenShift (#11154)

Changes in Remediations

• 0640 permission in permissions_local_var_log should only apply to files (#10856)
• accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
• Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
• Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
• Add RHEL as platform in su pam wheel group remidiation (#10995)
• Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
• Avoid Ansible shell module if not necessary (#10887)
• change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
• Couple of small fixes (#11004)
• Drop irrelevant return statement in bash remediation (#10988)
• Fix ansible remediation of configure_ssh_crypto_policy (#11008)
• Fix Ansible Tasks order (#11117)
• Fix bash_sshd_remediation macro on OL exclusive code (#10980)
• Fix into the rule sysctl_kernel_randomize_va_space (#10555)
• Fix path and add ansible remediation UBTU-20-010298 (#11087)
• Fix remediation of sssd_enable_smartcards (#10981)
• Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
• Fix umask bash and Ansible (#11108)
• Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
• improve bash remediation of mount_option template (#11009)
• Improve remediation for SSH global settings (#11032)
• Improve template macros for grub command line (#10989)
• Minor improvements in configure_opensc_nss_db (#11044)
• Modify adie db exist path for UBTU-20-010450 (#11064)
• OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
• Refactor Ansible remediations that search local file systems (#10912)
• Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
• SLE Add journald configuration droping remediations (#10671)
• SLE AIDE periodic check and remediation via systemd timer (#10589)
• SLE Service timesyncd configured rule (#10670)
• templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
• Update enable_fips_mode Ansible Remedation (#11026)
• Update no_legacy_plus_entries_* Ansible Remedations (#11027)
• Use parameter value in ansible lineinfile macro (#10958)
• Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)

Changes in Checks

• Couple of fixes in PAM related rules for SLE platforms (#11014)
• enhance OVAL for enable_fips_mode (#10897)
• Fix into the rule sysctl_kernel_randomize_va_space (#10555)
• Improve OVAL readability in enable_fips_mode (#10911)
• Improve sshd_use_approved_kex_ordered_stig (#11053)
• Minor improvements in configure_opensc_nss_db (#11044)
• Remove kernel cmdline check (#10961)
• Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
• SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
• Sysctl template remediations do not modify package files (#10881)

Changes in the Infrastructure

• Add a faster alternative for generating HTML guides (#11036)
• Add Dependabot (#11113)
• Add manifests to zipfile target (#10944)
• Add Merge Group Trigger to Required Jobs (#11162)
• Add product as parameter when building profile reports (#11023)
• Add SCAPVal to Stabilize task (#11043)
• Add tickets key to control validation (#10872)
• Add version to profile element in the data stream (#10909)
• Allow k8s-content workflow to write (#11020)
• Build profile bash scripts differently (#11028)
• Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
• Dependabot Preparation (#11112)
• Fail build if profiles or controls contain invalid rule selections (#11135)
• Fix Ansible Tasks order (#11117)
• Fix multiple STIG id table generation (#11016)
• Fix OrderedDict definition (#11121)
• Fix Rawhide Build (#10953)
• Fix scap delta tailoring (#11145)
• Fix stig overlay (#11114)
• Generate profile oriented Ansible Playbooks in a different way (#11033)
• G...

Content 0.1.69

Important Highlights

• Introduce a JSON build manifest (#10761)
• Introduce a script to compare ComplianceAsCode versions (#10768)
• Introduce CCN profiles for RHEL9 (#10860)
• Map rules to components (#10609)
• products/anolis23: supports Anolis OS 23 (#10548)
• Render components to HTML (#10709)
• Store rendered control files (#10656)
• Test and use rules to components mapping (#10693)
• Use distributed product properties (#10554)

New Rules and Profiles

• Add modified audit suid privilege function rule for CIS (#10729)
• Introduce CCN profiles for RHEL9 (#10860)
• Introduce network access control rule (#10596)
• New templated rule to remove iptables-services package (#10703)
• RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
• Include new kickstart files for CCN profiles (#10863)

Updated Rules and Profiles

• A change into sudoers_validate_passwd (#10861)
• Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
• Add modified audit suid privilege function rule for CIS (#10729)
• Add mount platforms (#10794)
• Add platform package variables for firewalld and iptables (#10740)
• Add warning to rsyslog_remote_tls_cacert (#10676)
• add-rules sles-15-010418 sles-12-010498 (#10711)
• Change rules related to /etc/shadow to check only local user configuration (#10838)
• Deprecate account_emergency_expire_date (#10829)
• ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
• Fix grub2 remediation instructions (#10717)
• Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
• Fixes of cron package/service for SLE 12/15 (#10549)
• Increase RHEL7 STIG Coverage (#10705)
• Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
• New applicability platform to check IPv6 state (#10830)
• OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
• pam_faillock rules: show XCCDF variables in rule description (#10824)
• Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
• Remove quotes from journald config parameters (#10790)
• service_apport_disabled: depend on apport being installed (#10805)
• Set package_iptables_installed as machine only (#10804)
• Set package_nftables_installed as machine only (#10803)
• Set package_rng-tools_installed as machine only (#10810)
• Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
• Update of anssi profile for SLE 12/15 (#10702)
• Update OL8 cjis profile (#10771)
• Update OL8 hipaa profile (#10822)
• Update RHEL 7 STIG to v3r11 (#10821)
• Update RHEL 8 STIG to V1R10 (#10826)
• update rule SLES-12-030250 (#10644)
• Update SLE 12/15 rule and change package name (#10580)
• Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
• use_pam_wheel_group_for_su: depend on pam being installed (#10807)
• Updates of the rule use_pam_wheel_group_for_su (#10714)

Changes in Remediations

• Add a Playbook name to Ansible Playbooks (#10713)
• Add remediations for rule network_sniffer_disabled (#10659)
• configure_openssl_cryptopolicy: align remediations with rule description (#10828)
• Fix in service_autofs_disabled - ansible (#10521)
• Fix issue when adding fstab entries with iso9660 (#10572)
• fix: use grep -E instead of deprecated egrep (#10643)
• fixes in file_groupownership template (#10666)
• macros: bash: Avoid matching comments in fstab macros (#10754)
• Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
• SLE Add rsyslog_remote_loghost droping remediations (#10672)
• SLE Coredump configuration support dropin remediation (#10604)
• SLES15 use dropin configuration for issue banner (#10605)
• Various fixes for Ubuntu (#10755)

Changes in Checks

• enhance OVAL for enable_fips_mode (#10900)
• Check only local users home directories (#10825)
• Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory (#10637)

Changes in the Infrastructure

• .github/workflows/gate.yaml:Add anolis8 product. (#10814)
• Add a sanity test of install_vm.py (#10684)
• Add validation for Keys in Controls (#10813)
• create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
• Fix CMakelint (#10701)
• Fix compare datastream check to correctly treat new line characters. (#10667)
• Fix traceback in release helper (#10718)
• Implement distributed product properties without applying them (#10648)
• Stop using "imp" module (#10819)
• utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)

Changes in the Test Suite

• Add a test for rule journald_compress (#10818)
• Add a test for rule journald_storage (#10817)
• Add Automatus Testing (#10678)
• Add SCAPVal to CTest (#10802)
• Fix grep for Automatus sanity (#10752)
• Fix install_vm.py on older versions of Python (#10651)
• fix: ssg_test_suite: warning when rule not in benchmark (#10642)
• Add requirements files for python dependencies (#10487)

Documentation

• Add a section guiding through the process of rule divergence (#10763)
• Add graphs to represent the life cycle of controls file (#1863
• Integrate manpage with CMake better (#10624)
• Move the most important links to a better place (#10745)
• update list of contributors before stabilizing 0.1.69 (#10844)

Content 0.1.68

Important Highlights

• Bump OL8 STIG version to V1R6 (#10497)
• Introduce a Product class, make the project work with it (#10529)
• Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
• OL7 DISA STIG v2r11 update (#10498)
• Publish rendered policy artifacts (#10585)
• Update ANSSI BP-028 to version 2.0 (#10334)

New Rules and Profiles

• Add rule package_mailx_installed (#10495)
• Ensure access to the su command is restricted (#10386)
• Ensure authentication required for single user mode for Ubuntu (#10415)
• Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
• Introduce file_permissions_audit_configuration rule (#10489)
• Introduce rule to check if SELinux is not Disabled (#10575)
• Introduce rules to configure loopback traffic with Firewalld (#10573)
• New rules to complete CIS requirements for SSH Keys (#10552)
• New SLE 15 rule set_nftables_base_chain (#10180)
• Rebased hagenest set nftables loopback traffic (#10366)
• Restart postfix service and add rule has_nonlocal_mta (#10359)
• SLE15 add implementation of nftables_rules_permanent rule (#10201)
• SLE15 add nftables ensure default deny policy (#10249)
• Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)

Updated Rules and Profiles

• Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
• Add package_avahi_removed to ubuntu profiles (#10406)
• Add rules SLES-15-010375 and SLES-12-010375 (#10625)
• Add rules SLES-15-010419 and SLES-12-010499 (#10621)
• Add rules SLES-15-010420 and SLES-12-010500 (#10623)
• Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
• audit_rules_privileged commands: skip /proc directory (#10471)
• Bump OL8 STIG version to V1R6 (#10497)
• Complete CIS requirement for system accounts (#10627)
• Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
• delete rule SLES-15-040280 (#10383)
• Drop of some rules from SLE 12/15 profiles (#10527)
• Enable ensure_shadow_group_empty for RHEL7 (#10416)
• Enable service_nftables_disabled for RHEL (#10390)
• Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
• Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
• Ensure access to the su command is restricted (#10386)
• Ensure authentication required for single user mode for Ubuntu (#10415)
• Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
• Fix in sshd_use_approved_ciphers (#10535)
• Fix in sudo_require_reauthentication (#10216)
• Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
• Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
• Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
• Introduce rule to check if SELinux is not Disabled (#10575)
• Introduce rules to configure loopback traffic with Firewalld (#10573)
• Modify SLE remediation for ensure_logrotate_activated (#10481)
• No remediation warning for fapolicy_default_deny (#10433)
• OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
• OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
• OL7 DISA STIG v2r11 update (#10498)
• Refactor audit_rules_privileged_commands to include in CIS (#10326)
• SLE 12/15 profile updates (#10577)
• SLE improve kernel module disabled rule (#10368)
• SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
• sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
• Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
• Ubuntu 22.04 CIS modify password remember rule (#10480)
• Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
• Update accounts_password_pam_retry yaml (#10496)
• Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
• Update ANSSI BP-028 to version 2.0 (#10334)
• Update CIS controls related to nftables table and chains (#10629)
• Update CIS requirement for SSH access limit (#10470)
• Update netrc requirement in CIS for RHEL8 (#10511)
• Update OL9 STIG profile (#10407)
• Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
• Update pass aging rules to not ignore empty pass (#10633)
• update rule sles-15-040250 (#10492)

Changes in Remediations

• Add Ubuntu SCE checks for iptables rules (#10587)
• Ansible remediation for configure_bashrc_exec_tmux (#10584)
• audit_rules_privileged commands: skip /proc directory (#10471)
• Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
• Ensure authentication required for single user mode for Ubuntu (#10415)
• Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
• Fix changes in Ansible tasks not expected to fail (#10427)
• Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
• Fix up RHEL kickstarts (#10499)
• fix: aide_string: drop nl at end (#10578)
• fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
• fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
• Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
• modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
• Modify SLE remediation for ensure_logrotate_activated (#10481)
• Refactor audit_rules_privileged_commands to include in CIS (#10326)
• Replace grep command with ansible find (#10579)
• SLE add ability to configure emergency via dropin (#10482)
• SLE improve kernel module disabled rule (#10368)
• SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
• Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
• templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
• Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)

Changes in Checks

• audit_rules_privileged commands: skip /proc directory (#10471)
• bugfix: mount_option: handle commented lines (#10518)
• Ensure authentication required for single user mode for Ubuntu (#10415)
• Fix in sudo_require_reauthentication (#10216)
• Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
• Refactor audit_rules_privileged_commands to include in CIS (#10326)
• SLE improve kernel module disabled rule (#10368)
• Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
• Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
• Update pass aging rules to not ignore empty pass (#10633)
• Use specific name in private key groups instead of gid (#10622)

Changes in the Infrastructure

• Add a product stability test (#10606)
• Add CMakelint (#10468)
• Add controls the EOF checker (#10477)
• Automate and Fix Missing Newline at the of Files (#10361)
• Expand the list of rules skiped by Ansible Lint (#10485)
• Fix data stream component parsing (#10411)
• Implement a tool for parsing profiles and outputing rules (#10455)
• Introduce a Product class, make the project work with it (#10529)
• Publish rendered policy artifacts (#10585)
• Refactor the scapval test (#10611)
• Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
• Remove unused imports (#10384)
• Remove unused variables (#10382)
• Shell quote support for Jinja macros (#10524)
• Stabilization: Fix install_vm.py on older versions of Python (#10652)
• Stop using deprecated set-output in GitHub Actions (#10588)
• Update CI Repo for CTF (#10385)
• Update GitHub Action Versions (#10543)

Changes in the Test Suite

• Add a product stability test (#10606)
• Add a warning to AutoMatus (#10394)
• bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
• bugfix: packages: delim is comma (#10559)
• bugfix: ssg_test_suite: RuleResult eq (#10365)
• Fix template not found error in Automatus (#10631)
• Fix tests applicablity for ol8 product (#10570)
• Fix tests in sshd_lineinfile template (#10595)
• Fix typo in tests for sshd_limit_user_acess (#10478)
• install_vm refactor (#10607)
• install-vm fixes / features (#10562)
• Remove machine pruning from gating (#10453)
• Revert change in test scenario script for enable_authselect rule (#10430)
• Unused test code (#10558)
• Use bash_package_* (#10557)
• Use mkdir -p when creating directories (#10556)

Documentation

• Add Kickstarts to the changelog (#10512)
• add python3 to the list of build dependencies for RHEL-8+ (#10503)
• Bump version for 0.1.68 (#10372)
• Fix read the docs build (#10537)
• fix: Fix misspelled word infrastruture (#10531)
• Jinja macro doc fixes (#10599)
• Reduce Doc Warnings (#10528)
• Styleguide Update (#10466)
• Update Add Product Guide (#10533)
• Update release documentation about release_helper.py script (#10502)

Content 0.1.67

Important Highlights

• Add utils/controlrefcheck.py (#10096)
• RHEL 9 STIG Update Q1 2023 (#10185)
• Include warning for NetworkManager keyfiles in RHEL9 (#10330)
• OL7 stig v2r10 update (#10125)
• Bump version of OL8 STIG to V1R5 (#10123)

New Rules and Profiles

• Add new rule package_systemd-journal-remote_installed (#10105)
• New SLE 15 rule service_nftables_enabled (#10113)
• Add CIS iptables rules (#10121)
• New SLE 15 rule set_nftables_new_connections (#10114)
• Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
• Add a new rule ssh_keys_passphrase_protected (#10017)
• Introduce new rule authconfig_config_files_symlinks (#10129)
• Added rule partition_for_dev_shm (#9984)
• New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
• New SLE 15 rule set_nftables_table (#10128)
• Add implementation for rsyslog_logging_configured rule (#10063)
• New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
• OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
• Added a new rule accounts_password_set_warn_age_existing (#10006)
• Add new rule socket_systemd-journal-remote_disabled (#10210)
• Introduce rule to remove nginx package (#10291)
• Introduce rule to remove cyrus-imapd package (#10292)
• Add package_dnsmasq_removed rule (#10293)
• Add package_ftp_removed rule (#10294)
• Add new rule rsyslog_filecreatemode (#10264)
• New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
• Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)

Updated Rules and Profiles

• accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
• Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
• Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
• Add CIS iptables rules (#10121)
• OL7 stig v2r10 update (#10125)
• Bump version of OL8 STIG to V1R5 (#10123)
• assign ntp_configure_restrictions to SLE12 (#10122)
• Update tmux rules and add them to OL8 STIG profiles (#10124)
• Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
• Add missing SRG to aide_build_database rule (for master branch) (#10150)
• remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
• Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
• Update levels of some rules in RHEL8 CIS (#10157)
• Change custom zones check in firewalld_sshd_port_enabled (#10162)
• improve applicability of rule package_rear_installed (master branch) (#10156)
• Accept required and requisite control flag for pam_pwhistory (#10175)
• OCP4 Modify etcd encryption check rules for hypershift (#10179)
• Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
• Fix prefer_64bit_os for SLE platforms (#10178)
• remove rule logind_session_timeout and associated variable from profiles (#10202)
• Shorten rule title (#10196)
• products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
• Create OVAL macro to consistently identify Interactive Users (#10215)
• Include avahi related rules in RHEL CIS control files (#10233)
• Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
• Update CIS RHEL requirements for log files permissions (#10241)
• Include rule for checking password last change in RHEL (#10243)
• Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
• Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
• Update password hashing algorithm CIS requirement (#10271)
• Complete CIS requirements related to dot-files (#10279)
• Fix package names for some SUSE packages (#10283)
• Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
• Corrections in the rule package_openldap-clients_removed (#10273)
• Enable sshd_enable_warning_banner_net for RHEL (#10287)
• Add package_nginx_removed to Ubuntu CIS profiles (#10301)
• Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
• accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
• accounts_passwords_pam_tally2: depend on pam being installed (#10305)
• package_pam_pwquality_installed: depend on pam being installed (#10306)
• apparmor: apply only to platform machine (#10303)
• sudo_require_reauthentication: depend on sudo being installed (#10318)
• vlock_installed: apply only to platform machine (#10307)
• Remove VMM SRG References (#10336)
• Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
• Add some nftables rules to Ubuntu CIS profile (#10300)
• make accounts_password_last_change_is_in_past not applicable to containers (#10339)
• Align rhel7 dracut-fips-aesni remediations (#10352)
• Add package_cups_removed to Ubuntu CIS Level 2 Worstation profiles (#10360)
• NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)

Changes in Remediations

• Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
• Update sebool_secure_mode_insmod OL remediations (#9979)
• Enable rsyslog_filecreatemode rule for RHEL (#10328)
• kernel_module_disable template - regexp matches multiple lines (#10351)
• fix loops within ansible template for rsyslog_files (#10349)

Changes in Checks

• Update tmux rules and add them to OL8 STIG profiles (#10124)
• Remove check of /var/log/dmesg from OVAL (#10145)
• Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
• Fix prefer_64bit_os for SLE platforms (#10178)
• postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
• Create OVAL macro to consistently identify Interactive Users (#10215)
• Add offline capability to the 'mount_option' OVAL template (#10200)

Changes in the Infrastructure

• Introduce script shorthand to OVAL (#10085)
• Remove utils/count_oval_objects.py (#10133)
• Update Rawhide Before Use (#10141)
• Move to Code Climate for PEP 8 Checking (#10158)
• Enable SCE integrity checks for RHEL8 (#10165)
• Refactor ssg.build_ovals module (#10048)
• Update srg diff (#10199)
• Require OVAL ID to match rule ID (#10346)
• Various python fixes (#10345)
• Move platform_mount to use cpe-oval vs oval (#10441)

Changes in the Test Suite

• Add utils/controlrefcheck.py (#10096)
• Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
• Update test scenarios for accounts_password_last_change_is_in_past (#10213)
• add cap_system_chroot capability to Automatus podman container (#10246)
• Fix Automatus on Python 3.6 (#10281)
• Disable logrotate timer in ensure_logrotate_activated tests (#10375)

Documentation

• Update Ansible section in project Style Guide (#10211)
• Fix broken link to statistics page (#10217)
• Introduce style guidelines for commit messages (#10220)
• Remove VMM SRG References (#10336)
• Add URL for ISM (#10337)
• Convert User Docs (#10214)
• Update Contributors for v0.1.67 (#10350)

Content 0.1.66

Important Highlights

• Ubuntu 22.04 CIS (#9953)
• OL7 stig v2r9 update (#9976)
• Bump OL8 STIG version to V1R4 (#9974)
• Update RHEL7 STIG to V3R10 (#10079)
• Update RHEL8 STIG to V1R9 (#10078)
• Introduce CIS RHEL9 profiles (#10091)

New Rules and Profiles

• Add nonessential services rule (#9912)
• Added a new rule package_firewalld_removed (#9937)
• Added a new SLE 12/15 rule package_rsync_removed (#9932)
• Added a new rule package_cups_removed (#9930)
• Added a new rule firewalld_service_disabled (#9941)
• Added a new SLE 15 rule package_nftables_installed (#9934)
• Add rule for no .forward files (#9990)
• Add new rule grub2_enable_apparmor (#9978)
• Added a new rule package_tcp_wrappers_removed (#9981)
• Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
• Add package prelink removed (#10062)
• add new rule audit_rules_immutable_login_uids (#10070)
• Added 2 rules for 15 related to nftables (#10068)
• New SLE 15 rule ensure_iptables_are_flushed (#10107)
• add new rule configure_bashrc_tmux (#10100)

Updated Rules and Profiles

• Include warning regarding quota options in XFS (#9879)
• Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
• Sync rules for RHEL 9 STIG (#9788)
• Changing a few harcoded OS names for full_name (#9936)
• Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
• SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
• Update sudo_require_reauthentication (#9923)
• Update kmod audit rule for OL7 (#9949)
• Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
• Add rule to OL7 stig profile (#10028)
• Small corrections related to 3 rules (#9995)
• Add new rule grub2_enable_apparmor (#9978)
• Include Ubuntu products in package_rsync_removed (#10051)
• Include Ubuntu products in package_nftables_installed (#10052)
• Fix the service_telnet_disabled rule (#10033)
• Update package name for RHEL in package_rsync_removed (#10053)
• Include Ubuntu products in package_cups_removed (#10050)
• Include Ubuntu products in package_rpcbind_removed (#10055)
• Update link to NTP docs (#10056)
• Include Ubuntu products in package_prelink_removed (#10071)
• Add account_emergency_expire_date to OL7 stig (#10073)
• Add aide_build_database to STIG in OL and RHEL (#10094)
• Include Ubuntu products in two nftables rules (#10101)
• Move two rules to higher level in cis_rhel8 control file (#10109)
• add new rule configure_bashrc_tmux (#10100)
• add missing SRG to aide_build_database rule (#10136)
• change applicability of rules configuring idle session timeouts (#10127)
• Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
• improve applicability of rule package_rear_installed (#10144)
• stabilization: Update levels of some rules in RHEL8 CIS (#10155)

Changes in Remediations

• Fix indentation in Ansible shell module parameter (#9851)
• Recognize 64bit architectures in Ansible remediations (#9887)
• Make Ansible remediation less prone to fatal errors (#9914)
• Add bash and ansible remediation for set_loopback_traffic (#9939)
• Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
• Update sudo_require_reauthentication (#9923)
• Improve the arguments for Ansible command module (#9921)
• Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
• Fix Jinja condition in macro for pam_faillock (#10009)
• Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
• aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
• Update accounts_password template for OL due to precedence confs (#9935)
• accounts_password_set_min_life_existing: Avoid system accounts (#9955)
• Improve service_disabled template (#10026)
• accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
• Rewrite remediations for rsyslog_remote_tls (#9866)
• Fix accounts_password template for OL (#10045)
• Using the Ansible shell actions is needed in package_prelink_remove (#10086)

Changes in Checks

• Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
• Update sudo_require_reauthentication (#9923)
• accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
• Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
• aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
• Update accounts_password template for OL due to precedence confs (#9935)
• accounts_password_set_min_life_existing: Avoid system accounts (#9955)
• accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)

Changes in the Infrastructure

• Refactor build_cpe.py (#9834)
• Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
• Refactor templates v2 (#9870)
• Add automatic detection of platform_package_overrides when using automatus (#9897)
• Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
• Introduce templated platforms (CPEs) (#9906)
• Sort conditional remediation platform checks (#9902)
• Add sanity tests for controleval.py (#9918)
• Add Refchecker to Tests (#9862)
• Wait for buffer flushes to finish writes (#9933)
• Fix the file param in rule_dir_json (#9928)
• Fix typing import in create_srg_export.py (#9929)
• Build all profiles on all CentOS and CentOS Streams (#9946)
• CTest Fixes (#9962)
• CPE AL: Introduce version specifiers support (#9945)
• Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
• Raise exception when parametrized platform receives invalid argument (#9996)
• Fix --datastream-only in ./build_product (#10020)
• Add sanity tests for compare_disa_xml.py (#10030)
• Add Ubuntu 22.04 to Gating (#9986)
• Fix a few isssues in test-compare-disa-xml (#10034)
• Update Ansible Lint Config (#10025)
• platforms: rewrite mechanism which parses version into EVR (#10038)
• Produce an understanable error when remediation collections goes wrong (#10027)
• Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
• Bump fedora version in Dockerfiles to 37 (#10036)
• Fix the generation of SCE checks in the output datastream (#10015)
• Scripts clean up (#10061)
• Clean up SRG export (#10067)

Changes in the Test Suite

• Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
• Add automatic detection of platform_package_overrides when using automatus (#9897)
• Add Refchecker to Tests (#9862)
• Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
• Improve service_disabled template (#10026)

Documentation

• Add Timezone to the Contributors Script (#9844)
• Add documentation about readthedocs.org integration (#9875)
• Update Upstream Release doc (#9952)
• Update contributors list for v0.1.66 release (#10108)

Content 0.1.65

Important Highlights

• Introduce cui profile for OL9 (#9638)
• Remove Support for OVAL 5.10 (#9604)
• Rename account_passwords_pam_faillock_audit (#9462)
• CI ansible hardening and rename of existing Bash hardening (#9796)
• Update contributors list for v0.1.65 release (#9843)

New Rules and Profiles

• Add profile for SUSE SAP Public Cloud Images (#9571)
• Introduce cui profile for OL9 (#9638)
• Created SLES 12 PCI DSS 4.0 profile and added rules to it (#9729)
• Add new rules related to system banners - /etc/issue.net (#9733)
• add new rule logind_session_timeout (#9475)
• Pci dss shadow rule (#9756)

Updated Rules and Profiles

• Update chronyd_no_chronyc_network to align with RHEL9 STIG (#9505)
• Update rules for RHEL 9 STIG (#9512)
• Update chronyd_client_only to align with RHEL9 STIG (#9500)
• Update rules for RHEL 9 STIG (#9527)
• RHEL9 stig_gui: don't remove GUI (#9581)
• Remove RPM verify rules from RHEL 9 STIG (#9591)
• Rule updates wrt RHEL9 STIG (#9509)
• Clarify instructions for implementing SCCs (#9569)
• Added SLES_15/12 CCE codes related to rules in the group restict_at_c… (#9643)
• Add pci-dss rules (#9627)
• Two small corrections (#9644)
• Added 6 SLES 15/12 CCE codes to the rules sshd_... (#9669)
• Add PCI-DSS rules (#9645)
• CIS RHEL8 gnome related requirements (#9670)
• Add dconf_gnome_disable_user_list to the RHEL 9 STIG (#9677)
• RHEL 9 STIG Fix Up (#9676)
• Added CCE number for SLES_15 in the rule sshd_use_approved_ciphers (#9680)
• Added 4 SLES 15/12 codes to the rules group_unique_id/name (#9682)
• Add support for PCI DSS v3.2.1 for SLE12 (#9613)
• service_ntp_enabled: Fix description as service name is ntp (#9707)
• Fix issue introduced in commit 1ba11cb (#9692)
• remove ospp-mls.profile (#9710)
• Add pcidss Req-ids (#9705)
• Ubuntu 20.04: fix grub2 password related rules (#9708)
• Fix rsyslog_remote_tls Remediations (#9711)
• Added 2 SLES 15/12 CCE codes to the rule disable_prelink (#9706)
• Assign RHEL-07-010271 to account_emergency_expire_date. (#9717)
• Ubuntu 20.04 CIS Level1 profile: add package_pam_pwquality_installed (#9721)
• Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
• install_smartcard_packages: Add Ubuntu specific remediation (#9720)
• Ubuntu 20.04: Make sure xatrr audit rules contains a check for root user (#9722)
• Added rules to PCI DSS 4.0 SLES 15 profile (#9716)
• Add pci-dss rules to SLE15 (#9728)
• Refactor firewalld_sshd_port_enabled rule (#9712)
• Added 4 rules to SLES 12/15 PCI DSS 4.0 profiles (#9735)
• Update SLE 15 SAP hardening profile (#9742)
• Update RHEL8 STIG to V1R8 (#9780)
• Update RHEL7 STIG to V3R9 (#9781)
• Align ClientAliveCountMax and ClientAliveInterval on RHEL8 STIG V1R8 (#9784)
• Removed wrong rule from hipaa.profile (#9840)
• Stabilization: Include warning regarding quota options in XFS (#9877)
• Stabilization: Update the sshd_set_keepalive regarding ClientAliveCountMax (#9868)

Removed Products

• Remove the VSEL Product (#9547)
• Remove the fuse6 product (#9544)
• Remove the Debian 9 Product (#9546)
• Remove the JRE product (#9545)

Changes in Remediations

• Move kernel_module_disabled use more genric RHEL in conditionals (#9450)
• Improve ansible remediation of accounts_umask_etc_login_defs (#9490)
• Add bash and ansible remediation for rsyslog_remote_tls (#9484)
• Fix rsyslog_remote_tls Remediations (#9711)
• Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
• install_smartcard_packages: Add Ubuntu specific remediation (#9720)
• Fix config file and interpreter check control flow (#9695)
• Refactor firewalld_sshd_port_enabled rule (#9712)
• Dconf macros update to align them with OVAL expectation (#9751)
• rsyslog_files_permissions: Consider the last field in the config line the log file path (#9750)
• Fix nmcli bug (#9773)
• Align service_disabled template to service_enabled (#9806)
• Remove deprecated warn parameter from Ansible command module (#9807)
• CI ansible hardening and rename of existing Bash hardening (#9796)
• Stabilization: Make Ansible remediation less prone to fatal errors (#9911)

Changes in Checks

• Move kernel_module_disabled use more genric RHEL in conditionals (#9450)
• Update accounts_password template's OVAL (#9459)
• OCP4: Fix OCIL of machine_volume_encrypted (#9597)
• Clarify instructions for implementing SCCs (#9569)
• Remove jinja condition to make rule applicability to all products in Kerberos rules (#9412)
• Ubuntu 20.04: fix grub2 password related rules (#9708)
• Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
• Refactor firewalld_sshd_port_enabled rule (#9712)
• Dconf macros update to align them with OVAL expectation (#9751)

Changes in the Infrastructure

• Remove superflous check of rule ID consistency (#9539)
• Add tests to auditd_lineinfile template (#9519)
• Generate XCCDF 1.2 directly (#9464)
• Add support for regulated fields (#9553)
• SRG Import/Export Uses Policy Specific Content (#9570)
• Add Git Mail Map (#9573)
• Remove ident_size for .py files from editorconfig (#9603)
• Make CodeClimate to use .editorconfig (#9630)
• Remove function drop_oval_definitions (#9629)
• Add mypy to CI (#9430)
• Remove shorthand.xml from the build process (#9548)
• Remove XCCDF 1.1 from enable_derivatives.py (#9654)
• Remove XCCDF 1.1 from profile tool (#9655)
• Remove unused import (#9656)
• Remove XCCDF 1.1 from ssg/xccdf.py (#9657)
• Remove Support for OVAL 5.10 (#9604)
• Import SRG content for RHEL9 (#9574)
• Don't use editorconfig to check for indentation (#9653)
• Remove get_fixgroup_for_type (#9661)
• Remove superfluous XML namespaces from HTML tables (#9662)
• Update sysctl template's OVAL and tests to align with STIG (#9458)
• Remove unused XSLT xccdf2table-profileanssirefs.xslt (#9659)
• CMake Improvements (#9646)
• Remove Travis CI (#9683)
• Remove comparison utilities (#9688)
• Create unit tests for ssg.id_translate (#9624)
• Add unit tests of XCCDF 1.2 elements (#9617)
• Add unit tests for warnings and sub elements (#9637)
• Refactor and speed up combine_ovals.py (#9689)
• Fix unit tests to work with CentOS 7 (#9727)
• make CPE items compiled during the build process (#9700)
• SRG Diff: Add section for rows without a CCE (#9763)
• Make the utils/srg_diff.py more generic (#9767)
• parametrize methods for getting remediation conditionals of XCCDF platforms (#9777)
• build_remediations.py: deduplicate code which retrieves conditionals (#9779)
• Add sorted results to srg_diff (#9778)
• Add Smoke Tests for Some Scripts (#9787)
• Platforms can accept parameters and pass them to underlying CPE items (#9799)
• Do not remove blank lines when building profile playbook (#9809)
• SRG Export XLSX in CMake (#9811)
• Add config for Ansible lint (#9838)

Changes in the Test Suite

• [Master] add accounts_password_set_max_life_existing to unselect_rules_list (#9554)
• Fix issue introduced in commit 1ba11cb (#9692)
• Add tests to rule dconf_gnome_screensaver_idle_activation_enabled (#9701)
• Refactor firewalld_sshd_port_enabled rule (#9712)
• Complete tests to validate Ol9 pci dss profile (#9739)
• Add tests to accounts_password template (#9743)
• Do not instantiate Builder() when running Automatus (#9755)
• Fix Automatus --duplicate-templates (#9766)
• accounts_password_pam_retry: Add test for dupes and conflicts (#9805)
• accounts_passwords: Add tests for value conflicts and duplicates (#9804)
• sshd_lineinfile: Add tests for duplicated params (#9802)
• CI ansible hardening and rename of existing Bash hardening (#9796)
• Stabilization: Ensure pwquality.conf.d dir exists on test scenarios (#9864)

Documentation

• Doc fix up (#9596)
• Add PR gating guideline (#9611)
• Move to MyST as recommonmark and CommonMark are not supported (#9560)
• Fix docs refs (#9704)
• Include SLE products into the CCE tooling for auto assignment (#9714)
• Docs/developer: Mention that rules will inherit its group(s) platforms (#9635)
• Reformulate the release process documentation (#9736)
• Update gitignore (#9810)
• Document rule deprecation instructions and agreements (#9797)
• Update contributors list for v0.1.65 release (#9843)
• Add Sanity Test for generate_contributors.py (#9845)