SCAP Security Guide 0.1.27 Release Notes

iankko released this 11 Dec 20:15
· 33018 commits to master since this release

Highlights:

  • New CNSS No. 1253 Profile for Red Hat Enterprise Linux 6,
  • New C2S (CIS) Profile for Red Hat Enterprise Linux 7,
  • New Debian/8 (Jessie) product and initial benchmark for it,
  • Improved (more granular) mapping of official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7,
  • Completed OVAL checks and selected remediations for the PCI DSS profile
    for Red Hat Enterprise Linux 6; a more granular mapping of the official
    requirements is still to come,
  • Numerous other XCCDF, OVAL, and remediation script enhancements and bug fixes.

Enhancements:

  • [RHEL/6] New CNSS No. 1253 Profile
  • [RHEL/7] Make the mapping of PCI-DSS profile rules to official requirement
    (sub)section numbers in the PCI DSS v3 standard more granular
  • [RHEL/7] New C2S / CIS Profile
  • [Enhancement] Initial integration of Debian 8 in SSG

XCCDF changes / enhancements:

  • [BugFix] [RHEL/6] Update LUKS Disk encryption URL
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Fix XCCDF descriptions for:
    • file_permissions_binary_dirs, and
    • file_ownership_binary_dirs
  • [BugFix] [RHEL/5] Update XCCDF description for file_groupowner_binary_dirs
  • [BugFix] [RHEL/6] Add noexec, nosuid, and nodev rules for removable
    partitions and /dev/shm into RHEL-6 STIG profile
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Drop the clock_settime system call
    from the audit time rule examples that suggest combining multiple commands
    into one audit rule
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for
    audit_rules_time_clock_settime rule
  • [Enhancement][RHEL6/7] Add audit permission scripts and update XCCDF/OVAL content
  • [BugFix][Fedora][RHEL6] remove pam_passwdqc references
  • [BugFix] [RHEL/6] Update XCCDF prose for disable_interactive_boot rule
  • [BugFix] [RHEL/6] Introduce an entropy section in the RHEL-6 benchmark
    and include the new kernel_disable_entropy_contribution_for_solid_state_drives
    rule in it
  • [Enhancement] [RHEL/6] Start shipping CNSS No. 1253 Profile
  • [Enhancement] RHEL7 - Added CIS mappings to disk partitioning/options XCCDF
  • [BugFix] [RHEL/6] Fix HTTP 404 URL in XCCDF prose for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Per:
    #879 (comment)
    add a into the RHEL-6 & RHEL-7 XCCDF prose for rpm_verify_permissions
  • [BugFix] [RHEL/6] Fix invalid selectors in the RHEL-6's CNSS No.1253 profile

OVAL check changes / enhancements:

  • [Enhancement][bugfix][Fedora][RHEL/7] standardize more XCCDF and OVAL IDs
  • [Enhancement][RHEL6/7][Fedora] Standardize XCCDF and OVAL names
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Use correct SELinux type in selinux_all_devicefiles_labeled rule
  • [Enhancement][RHEL6/7] Selinux and Kernel dmesg updates
  • [Enhancement][Fedora] Add no_direct_root_logins OVAL check
  • [Enhancement] [RHEL/7] Enable RHEL-7 OVAL check for enable_selinux_bootloader rule
  • [BugFix] [shared] Fix OVAL checks for file_ownership_binary_dirs, and file_permissions_binary_dirs
  • [BugFix] [RHEL/5] Update OVAL check for file_ownership_binary_dirs rule
  • [BugFix] [RHEL/5] Replace the RHEL-5 specific OVAL check for the file_permissions_binary_dirs
    rule with a call to the existing shared/ OVAL check for the same rule
  • [Enhancement][RHEL/7] Add time and faillock OVAL and remediations
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update existing OVALs for
    audit_rules_time_clock_settime rule
  • [RHEL/7] Add some sysctl_net_ipv4 oval checks
  • [Enhancement][RHEL7] Add missing RHEL7 services OVAL and remediations
  • [BugFix] [RHEL/6] Update OVAL for disable_interactive_boot rule
  • [Enhancement] [RHEL/6] Add RHEL-6 specific OVAL for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [BugFix] [Optimization] [RHEL/6] Optimize OVAL check for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
    for speed / efficiency
  • [shared] [Enhancement] update file_ownership_var_log_audit.xml to check log_group in auditd.conf
  • [shared] check that all_exist for non-root checks in file_ownership_var_log_audit.xml
  • [BugFix] [RHEL/6] Modify / optimize OVAL check for audit_rules_privileged_commands rule
  • [BugFix] [RHEL/6] Fix OVAL check for audit_rules_privileged_commands rule
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 OVAL for smartcard_auth
  • [Enhancement] [RHEL/6] Modify the current RHEL-6 OVAL for smartcard_auth rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] Provide links to remote
    (official Red Hat RHSA / CVE OVAL) content for the security_patches_up_to_date rule
  • [BugFix] [RHEL/6] [RHEL/7] Fix the RHEL-6 & RHEL-7 OVALs for kernel_module_bluetooth_disabled rule
  • [BugFix] [RHEL/6] [RHEL/7] Split the currently shared/ OVAL for the
    kernel_module_sctp_disabled rule into two separate OVALs

New Remediations:

  • [Enhancement][RHEL6/7] Add securetty XCCDF/OVAL checks and remediations
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for audit_rules_login_events rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    auditd_audispd_syslog_plugin_activated rule to RHEL-6
  • [Enhancement] [RHEL/6] Add new RHEL-6 remediation for accounts_password_pam_minlen rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    aide_build_database rule to RHEL-6
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Add remediation for rpm_verify_permissions rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] New remediation for
    security_patches_up_to_date rule
  • [Enhancement] Add a kickstart file for PCI DSS for RHEL6

Remediation fixes / other changes:

  • [BugFix] [RHEL/7] smartcard_auth remediation - provide full path to the 'authconfig' executable
  • [Bugfix][RHEL6/7] fix remediation script names
  • [BugFix] [RHEL/6] [RHEL/7] Fix remediations for file_permissions_binary_dirs, and file_ownership_binary_dirs
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Fix existing remediations for audit_rules_time_clock_settime rule
  • [BugFix] [RHEL/6] Fix remediation for disable_interactive_boot rule
  • [shared] [Enhancement] Make the display_login_attempts.sh remediation script more robust
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 remediation script for smartcard_auth rule
  • [BugFix] [RHEL/6] Modify the existing RHEL-6 remediation scripts
    for the following rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime
  • [shared] Edge case fix for var_password_pam_unix_remember
  • [Enhancement] Add universal replace_or_append function
  • [Various products] Update --follow-symlink --> --follow-symlinks
  • [BugFix][RHEL/6] fix sed --follow-symlink typo in smartcard remediation script

Build System Bug Fixes:

  • Fix make validate target for Fedora (2015-12-03)

Infrastructure:

  • Rename fixes folder to remediations
  • [Enhancement][Infrastructure] add XCCDF and OVAL id check
  • Unify OVAL directory naming convention
  • [Enhancement][Infrastructure] detect oscap version
  • [Enhancement][Infrastructure] add id name to remediation scripts
  • [bugfix] remove duplicate openscap python import
  • [Enhancement][Infrastructure] Add openscap-python requirement to Build.md
  • [BugFix] Declare XCCDF vars before their use
  • Support for Fedora rawhide CPE
  • [Enhancement] [Infrastructure] Modify the buildsystem to allow remotely referenced OVAL
  • [BugFix] Fix regex in combineremediations.py
  • [Test suite] [RHEL/6] Add initial version of check_instances_test.py Python testing script for RHEL-6 content
  • [Enhancement] [Infrastructure] Enhance the various helper scripts that create OVAL checks from the
    templating files to support comments in the CSV files
  • [Enhancement] Update list of CPEs for Fedora benchmark because F21 is end of life now

Other changes:

  • Adding OSPP Kickstart file
  • Adding FedRAMP High Baseline

Full list of issues and pull requests closed in this release