Skip to content

SCAP Security Guide 0.1.30 Release Notes

Compare
Choose a tag to compare
@iankko iankko released this 24 Jun 13:48
· 32237 commits to master since this release

Highlights (in order the changes have been merged):

  • [Enhancement] [RHEL/7] Port existing CNSS No.1253 (nist-CL-IL-AL) profile from RHEL-6 to RHEL-7 (Fixes #858)
  • [Enhancement] [RHEL/7] Content passes ScapVal-1.2.14.1 requirements
  • [Enhancement] [RHEL/7] Assign CCE identifiers to RHEL-7 rules
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement] [Debian/8] Add profile for each ANSSI hardning level for NP targets (ansi_np_nt28_eleve, ansi_np_nt28_intermediaire, ansi_np_nt28_minimal, ansi_np_nt28_restreint)
  • [Enhancement] Don't rely on absolute path of the shell remediation functions library to be able to perform remediations (remediations are now part of benchmarks themselves)

XCCDF changes / enhancements:

  • [Fedora] Separate dconf settings into dedicated 'Gnome Desktop Environment' XCCDF section
  • [RHEL/6] Move most GNOME checks into their own file, Add new GNOME XCCDF and OVAL content (Fixes #1205)
  • [Enhancement][RHEL/7] Create a STIG for GUI-enabled systems (Create a RHEL7 GUI STIG, Create a RHEL7 Workstation STIG for future use, Remove DConf checks from the stig-rhel7-server-upstream profile and add to the new stig-rhel7-server-gui-upstream profile) (Fixes #481)
  • [BugFix] [RHEL/7] Fix multiple invalid selector warnings when scanning against "stig-rhel7-server-upstream" profile
  • [BugFix] [RHEL/6] [RHEL/7] Add warning note for ctrl-alt-delete key sequence
  • [Enhancement][RHEL/6] Add STIG GUI profiles for RHEL6
  • [Enhancement][RHEL/7] Disable CTRL-ALT-DEL in GUI profile
  • [Enhancement][RHEL/7] Add SELinux boolean XSLT macros (Add a single enable/disable SELinux boolean macro, Add a single enable/disable SELinux boolean check macro)
  • [Enhancement][RHEL/7] STIG updates for yum (Fixes #1122, Fixes #1123, Fixes #1124)
  • [Enhancement][RHEL/7] STIG update for sssd content (Add new SSSD content, Fixes #1158, Fixes #1157, Fixes #1156, Fixes #1017)
  • [Enhancement][RHEL/7] stig update for pam settings (Fixes #1136, Fixes #1155, Fixes #1159)
  • [Enhancement][RHEL/7] Add RHEL/7 STIG Reference Identifiers (Add RHEL/7 STIG identifier, Add RHEL/7 OS URI Link)
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement][RHEL/7] Add initial sudoers content (Add initial sudo content to check for NOPASSWD and !authenticate in sudoers for RHEL7 STIG, Fixes #1015)
  • [Enhancement][RHEL6/7] Add FIPS XCCDF and OVAL content (Adds FIPS GRUB & GRUB2 XCCDF and OVAL content, Fixes #998)
  • [Enhancement][Fedora][RHEL/7] Add UEFI XCCDF/OVAL content (Add new UEFI XCCDF/OVAL content, Make sure that if /boot/grub2.cfg or /boot/efi/EFI//grub.cfg does not exist to not fail the check, Fixes #1162)
  • [BugFix] [RHEL/7] [Fedora] Update form of 'disable_interactive_boot' rule for Systemd (RHEL/7, Fedora) based systems (update all XCCDF, OVAL, and remediations)
  • [Bugfix] Move Chromium XCCDF content to XCCDF directory
  • [Bugfix] FIPS grub XCCDF and OVAL
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Rewrite XCCDF prose for 'no_shelllogin_for_systemaccounts' rule not to mention hardcoded UIDs (use UID_MIN instead)
  • [BugFix] Fix unreferenced 'file_permissions_ungroupowned' OVAL for Fedora content (https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/400/label=node-el6-openscap-new/consoleFull)
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Modify 'standard' profiles to comment out the rules currently returning 'notapplicable' result (needs investigation of reasons why it's behaving so, and fixing the issues prior re-enabling them back)

OVAL check changes / enhancements:

  • [BugFix] [RHEL/7] Fix for issue #1227
  • [Enhancement][RHEL/7] Add SELinux OVAL templates (Add initial sebool OVAL templates, Create new shared/template folder for future template consolidation work)
  • [BugFix] updating RHEL5 file_permissions_ungroupowned to use shared/version
  • [Enhancement] Add PPC and PPC64LE System Architecture (Add PPC and PPC64LE OVAL checking support)
  • [Enhancement] Examine /etc/profile.d/*.sh for TMOUT
  • [Bugfix][RHEL6/7] Add IPv6 equivalents to IPv4 sysctl (Adds IPv6 XCCDF/OVAL content that is equivalent to IPv4 sysctl XCCDF/OVAL content NOTE: Not all IPv4 sysctl XCCDF/OVAL content has correspond IPv6 sysctl equivalents, Fixes #1214)
  • [RHEL/7] [bugfix] Check for FIPS in DEFAULT grub line if DEFAULT line exists
  • [BugFix] [shared] Rewrite OVAL for 'no_shelllogin_for_systemaccounts' rule so it wouldn't always perform the check on hardcoded <0, 499> UID range
  • [BugFix] [RHEL/7] Modify RHEL-7 OVAL for 'install_PAE_kernel_on_x86-32' rule not to fail on 64-bit (any not 32-bit system)
  • [BugFix] Fix indentation issue for file_permissions_ungroupowned OVAL (https://github.com/OpenSCAP/scap-security-guide/pull/1296/files#r67556952)

Build System Bug Fixes:

  • [Enhancement][BugFix] Jboss Fuse 6 build fixes & enhancements (Part of #1046)
  • [BugFix] Minor JBoss 6 build fixes
  • [BugFix] [RHEL/7] Generate xccdf:metadata (Dublin Core , , (s), and elements) dynamically for RHEL-7 benchmark from the content of Contributors.md file (and other internal variables)
  • [BugFix] [Debian/8] [Fedora] [Firefox] [Chromium] [JBoss/Fuse/6] [JRE] [OpenStack/RHEL-OSP/7] [RHEL/5] [RHEL/6] [RHEVM3] [Webmin] Generate xccdf:metadata element of Debian/8 benchmark dynamically (from content of Contributors.md and value of selected internal values)
  • [Enhancement] [RHEL/7] Apply the newly introduced shell variables and remediation functions XCCDF expansion (translation into XCCDF <sub> elements) against RHEL-7 benchmark
  • [Enhancement][Infrastructure] Apply the new remediations as xccdf:Value functionality to the remaining benchmarks too (Webmin, RHEVM3, RHEL/6, RHEL/5, OpenStack/RHEL-OSP/7, JRE, JBoss/Fuse/6, JBoss/EAP/5, Firefox, Fedora, Debian/8, and Chromium)
  • [BugFix] Multiple fixes in expand_xccdf_subs() routine of the combineremediations.py helper
  • [BugFix] [Infrastructure] Fix currently failing 'make content' for RHEL/6 content due to undefined 'cisuri' variable (Fixes #1288)

Infrastructure:

  • [Fedora] Add Fedora 25 CPE to Fedora benchmark
  • [BugFix] [Infrastructure] add_cce_id_refs_to_oval_checks routine - When propagating CCE identifiers from XCCDF to specific OVAL verify particular CCE ID has correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X') (Fixes #1228, #1229, #1230)
  • [BugFix] [Infrastructure] Verify if CCE identifiers listed in various SSG XCCDF benchmarks have the correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X')
  • [BugFix] Use proper rule names in various RHEL/5, RHEL/6, RHEL/7, and RHEVM3 profiles
  • [Bugfix][Infrastructure] Print message for unused remediation scripts during build
  • [Enhancement] Don't rely on the absolute path of the remediation functions library when performing remediations (Instead of that transform necessary shell variables and remediation functions calls into corresponding XCCDF <sub> elements to be present directly in the benchmark, Fixes #590, Fixes #1055)
  • [Enhancement][Infrastructure] Remove Red Hat identifiers from derivatives
  • [Enhancement][Bugfix][Infrastructure] Update constants XSLT
  • [Enhancement][Infrastructure] Add new shared_shorthand2xccdf.xslt
  • [Enhancement][Infrastructure] Update more content to use shared_shorthand2xccdf.xslt (Enhances Fedora, Debian, RHEL-OSP, and RHEL5/7 to use the new shared_shorthand2xccdf.xslt)
  • [Enhancement][Infrastructure] Add auditctl-syscall macro
  • [BugFix] [Infrastructure] Introduce $(SHARED)/$(OUT) directory
  • [Enhancement] [Infrastructure] Use "hidden" and "prohibitChanges" attributes set to "true" for xccdf:Values representing remediation routines
  • [BugFix] [Infrastructure] Perform a sanity check while performing XCCDF <sub idref=...> substitution for remediation functions (Exit with failure (1) if some of the functions wasn't substituted properly)
  • [BugFix] [Infrastructure] When performing XCCDF <sub> substitution expand also functions not having some arguments in the function call
  • [BugFix] [Infrastructure] If some of the remediation functions recursively calls another remediation function, we need to define also the called function

Full list of issues and pull requests closed in this release