Content 0.1.64

Important Highlights

• This is the last release to feature content with OVAL-5.10 (https://github.com/ComplianceAsCode/content/discussions/9451)
• Introduce ol9 stig profile (#9207)
• Introduce Ol9 anssi profiles (#9243)
• Update RHEL8 STIG to V1R7 (#9276)
• Introduce e8 profile for OL9 (#9284)
• Update RHEL7 STIG to V3R8 (#9317)

New Rules and Profiles

• Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
• add rule package_postfix_installed (#9191)
• add audit policy rules specific for ppc64le platform (#9124)
• Introduce ol9 stig profile (#9207)
• Introduce Ol9 anssi profiles (#9243)
• Introduce rule accounts_passwords_pam_faillock_audit (#9264)
• Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
• Introduced rules to disable accounts because of inactivity (#9244)
• Introduce e8 profile for OL9 (#9284)
• New sysctl ipv4 forwarding rule (#9277)
• Introduce hipaa profile for ol9 (#9478)

Updated Rules and Profiles

• Remove 3 crypto rules from RHEL 9 OSPP (#9181)
• Remove 3 package rules from RHEL 9 OSPP (#9182)
• Introduce new sebool description and ocil macros (#9184)
• Add to SLE ANSSI profile various sysctl rules (#9185)
• Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
• Add more ANSSI Intermediary Rules (#9203)
• Add more sysctl rules to intermediary profile (#9202)
• The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
• Remove 4 PAM related rules from RHEL9 OSPP (#9217)
• switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
• remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
• add audit policy rules specific for ppc64le platform (#9124)
• remove umask-related rules from RHEL9 OSPP (#9223)
• Make audit AArch64 specific rules RHEL9 only (#9188)
• Remove rules for package removal from RHEL 9 OSPP (#9233)
• remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
• Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
• remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
• Don't pass sssd rules when sssd.conf is absent (#9225)
• Update accounts_password_pam_retry behavior (#8880)
• System commands dir root or system account (#9258)
• SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
• Update RHEL8 STIG to V1R7 (#9276)
• Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
• Update few sysctl rules to accept multiple compliant values (#9286)
• Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
• Make OSPP profiles use minimal Authselect profile (#9298)
• add warning to audit_rules_for_ospp (#9303)
• add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
• Update RHEL7 STIG to V3R8 (#9317)
• change rules protecting boot in RHEL8 OSPP (#9306)
• Add the AUID filters on RHEL7 audit kernel module rules (#9290)
• add 4 rules back to RHEL9 datastream (#9334)
• Implement DISA check for auditing kmod on RHEL7 (#9338)
• Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
• Include warning about the pam_securetty.so PAM module (#9348)
• Add AUID filters on audit_rules_kernel_module_loading (#9371)
• Mask sensitive objects (#9364)
• Update RHEL9 STIG (#9378)
• add/remove fedora from privileged commands depending if exists or not (#9367)
• change way of disabling coredumps in RHEL9 OSPP (#9384)
• Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
• Bump version of OL8 to V1R3 and update STIG ids (#9457)
• Add missing SRG references for RHEL 9 STIG (#9428)
• Remove support for upstart init system (#9452)
• Updates RHEL 9 STIG: Part 3 (#9489)
• Add ol8 platform to existing required tests (#9485)
• Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
• Update account_password_selinux_faillock_dir rule (#9501)
• Remove audit_rules_execution_restorecon from SRG control files. (#9503)
• Add tests to file_ownership_binary_dirs (#9515)
• Update ocil and ocil_clause in display_login_attempts (#9522)
• Update some account rules according to RHEL9 STIG (#9499)
• Include checktest for banner_etc_issue rule (#9521)
• Update pam_faillock rules for RHEL9 STIG (#9520)
• Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
• Update clean_components_post_updating to align with RHEL9 STIG (#9510)
• Update accounts_umask_etc_profile (#9496)
• Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
• Update audit rules RHEL9 STIG metadata (#9513)
• Add tests to no_user_host_based_files (#9529)
• Add tests to dir_perms_world_writable_system_owned (#9517)
• Add tests to no_host_based_files (#9532)
• Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
• Add tests to clean_components_post_updating (#9530)
• Update macros from audit privileged commands (#9502)
• Update some PAM rules for RHEL9 STIG (#9514)
• Add variable for auditd freq (#9504)
• Align rule audit_rules_immutable with results of RHEL9 STIG assesment (#9506)
• [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)

Changes in Remediations

• Allow two modes of SSH key ownership (#9094)
• Add oval and remediation for auditd_audispd_disk_full_action (#9195)
• include = sign in remediation of configure_openssl_crypto_policy (#9194)
• Condition run of newaliases to its availability (#9241)
• Update accounts_password_pam_retry behavior (#8880)
• Add DISA STIG ids to when conditions in ansible roles (#9029)
• Improve bash_ensure_pam_module_line macro (#9252)
• Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
• Fix rule sudo_custom_logfile (#9299)
• Fix ansible partition conditionals (#9339)
• Fix account_password_selinux_faillock_dir rule (#9381)
• Add Kubernetes remediation for rule configure_crypto_policy (#9266)
• Fix 2 ctest shellcheck issues (#9398)
• Fix kernel_module_disabled remediation template (#9346)
• Conditional for Ansible remediation on RHEL7 (#9440)
• change parameter of findmnt used in bash partition conditional (#9480)
• Fix remediation of rules dealing with Audit watches (#9463)

Changes in Checks

• Update accounts_password_pam_retry behavior (#8880)
• Improve regex to match retry parameter in pwquality.conf (#9245)
• Fix rule sudo_custom_logfile (#9299)
• Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
• Mask sensitive objects (#9364)
• Fix account_password_selinux_faillock_dir rule (#9381)
• Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
• Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
• Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
• [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)

Changes in the Infrastructure

• Fix various bugs in utils (#9172)
• Remove CentOS 6 and SL 6 references from the project (#9211)
• Fix pre tag in ocil_mount_option (#9209)
• Remove unused build option (#9213)
• Update gitpod HTML preview extension. (#9261)
• Install ansible for the extra modules (#9273)
• Use DS to build Ansible Playbooks and Bash scripts (#9291)
• Stop validating ssg-product-xccdf.xml (#9292)
• Use data stream to verify profile titles and descriptions (#9294)
• Use data stream to verify references (#9293)
• Generate CCE tables from data stream (#9300)
• Fix CMake dependencies (#9328)
• Use XCCDF 1.2 to create STIG overlay (#9301)
• Specify output file names (#9361)
• Test missing references in a data stream (#9295)
• Add trim_trailing_whitespace to editorconfig (#9391)
• Sort check-export elements (#9397)
• Use data stream to generate statistics (#9296)
• Generate per profile testinfo tables from XCCDF 1.2 (#9325)
• Fix missing OCIL text and 800-53 references (#9415)
• Use XCCDF 1.2 to generate STIG HTML tables (#9406)
• Add a script to import SRG export changes (#9416)
• Make groups inherit platforms from parent groups (#9465)
• Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
• correct inheritance of platforms by rules from groups (#9491)
• Improve HTML for Table Templates (#9481)
• SRG Export: Improve vuldiscussion sourcing (#9493)
• Remove empty load operation (#9492)
• Add tests to rule no_tmux_in_shells (#9518)
• Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
• Avoid sed hack (#9363)

Changes in the Test Suite

• Automatus: close hanging tempfiles descriptors (#9199)
• Improve regex to match retry parameter in pwquality.conf (#9245)
• Support commas in variables (#9280)
• Refactor templated test scenarios (#9254)
• Fix account_password_selinux_faillock_dir rule (#9381)
• Replace platform conditionals in whole remediation code (#9347)
• install_vm.py: add new option for disk size specification (#9479)
• correct inheritance of platforms by rules from groups (#9491)
• Add tests to audit privileged commands template (#9487)

Documentation

• Enable Security Content workshop into Gitpod environment (#9438)
• Add ordering to the platform key (#9488)

Content 0.1.63

Important Highlights

• Expand project guidelines (#8314)
• Add Draft OCP4 STIG profile (#8799)
• Add anssi_bp28_intermediary profile (#9045)
• add products/uos20 to support UnionTech OS Server 20 (#8779)
• products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
• Remove WRLinux Products (#9106)
• Update CIS RHEL8 Benchmark for v2.0.0 (#9154)

New Rules and Profiles

• Fill gaps in the RHEL8/RHEL9 STIG (#9016)
• Add anssi_bp28_intermediary profile (#9045)
• Introduce OL9 ospp profile (#9057)
• products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
• add Audit OSPP rules for AArch64 (#9091)
• Add grub2_systemd_debug-shell_argument_absent (#9100)
• CIS RHEL8 v2.0.0 small fixes (#9165)

Updated Rules and Profiles

• Make krb5 rules applicable only to older versions of certain package (#9003)
• RHEL8 STIG: Install redhat gpg key (#8993)
• Add anssi gshadow rules (#9022)
• Fill gaps in the RHEL8/RHEL9 STIG (#9016)
• remove support for external Audit files and cleanup test scenarios (#9073)
• Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
• Remove rule zip_vsyscall_argument (#9083)
• Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
• Make rule audit_access_success in OSPP profile unenforcing (#9082)
• Cleanup RHEL9 OSPP networking sysctl rules (#9092)
• Add two rules and some more CCEIDs (#9107)
• add Audit OSPP rules for AArch64 (#9091)
• remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
• remove Rsyslog related rules from RHEL9 OSPP (#9116)
• Anssi Rules Added (#9105)
• remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
• Update SLE15 DISA STIG from v1r6 (#9146)
• Remove yp-related rules from RHEL9 (#9148)
• Add Enable Auth Select to RHEL8/9 STIG (#9151)
• BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
• Relax chrony check and remediations (#9156)
• make RHEL-08-020231 automated again (#9125)
• Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
• Review and improve sssd_enable_smartcards rule (#9145)
• Amend OSPP references for some package_*_installed rules. (#9164)
• Add automation content to kernel_module_uvcvideo_disabled (#9162)
• Add missing rules to OL8 STIG profile (#9171)
• Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
• [Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
• Make Audit aarch64 rules specific to RHEL9 only (#9187)
• [stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
• Remove 3 package rules from RHEL 9 OSPP (#9228)
• Remove 3 crypto rules from RHEL 9 OSPP (#9227)
• [Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
• add new rule package_postfix_installed (stabilization) (#9214)
• [Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
• [stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
• [Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
• Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)

Removed Products

• Remove WRLinux Products (#9106)

Changes in Remediations

• Add whitespace in macro function so CTF can properly parse tokens (#9030)
• EKS: Fix typo (#9037)
• Fix regular expression in Ansible remediation (#9063)
• Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
• Ansible remediation for enable_authselect (#9085)
• Refactor bash macros for PAM (#9017)
• Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
• Fix ubuntu logic in display_login_attempts (#9110)
• Refactor Ansible macros for PAM (#9097)
• Add Ansible remediation (#9114)
• Create Ansible macro for authselect backup command (#9128)
• Align PAM Bash macros to equivalent in Ansible (#9127)
• SLE15 SP4 audit_rules_augenrules broken. (#9130)
• fix bash remediation of configure_libreswan_crypto_policy (#9134)
• add Ansible conditionals to CPE platforms determining architecture (#9126)
• Set pipefail in Ansible shell commands with pipe (#9123)
• Update faillock related macros (#9139)
• Command 'chown', change from '.' to ':' separator (#9159)
• Review and improve sssd_enable_smartcards rule (#9145)
• SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
• add new rule package_postfix_installed (stabilization) (#9214)
• [Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)

Changes in Checks

• Add missing ocil_clause for audit rules (#9109)
• SLE15 SP4 audit_rules_augenrules broken. (#9130)
• Reduce the list of FIPS crypto policies (#9149)
• Review and improve sssd_enable_smartcards rule (#9145)
• Store intermediate OVAL check files (#9157)

Changes in the Infrastructure

• Parametrize the file name of the container used by gitpod integration (#9043)
• Add python vscode extension to the gitpod environment (#9074)
• Add a markdown output target to create_srg_export (#9064)
• Update docker files (#9153)
• Remove the vendor-zipfile and redhat-zipfile targets (#9152)
• Add per profile filter of missing_cce test (#9155)
• Store intermediate OVAL check files (#9157)
• [Stabilization] Install ansible for the extra modules (#9274)

Changes in the Test Suite

• test_env.py: add more attempts when executing ssh command (#9015)
• Rework tarball generation (#8883)
• Add OL9 Dockerfile (#9099)
• Update CIS L2 test for configure_crypto_policy (#9163)
• Automatus: close hanging tempfiles descriptors (#9200)

Documentation

• A EditorConfig file (#9020)
• Add removed products to the changelog (#9108)
• Guidelines: Add the entry about one-off scripts (#9089)
• Fix typos in man page and profile descriptions (#9160)
• Fix man-page header for lexgrog (#9158)

Content 0.1.62

Important Highlights

• Update rhel8 stig to v1r6 (#8670)
• OL7 STIG v2r7 update (#8689)
• Initial definition of ANSSI BP28 minmal profile for SLE (#8540)

New Rules and Profiles

• New rules for network sysctls (#8371)
• Grub2 bootloader CPU mitigations (#8325)
• Add new template to check kernel build configurations (#8435)
• Kernel memory configs (#8477)
• Add rules for kernel memory allocators settings (#8488)
• Add rules for kernel data structure configs (#8483)
• Add rules for various kernel behaviors (#8502)
• Add rules to check kernel IP stack configs (#8501)
• Add rules for kernel compiler features (#8499)
• Add rules for kernel security options (#8498)
• Add rules for kernel module security (#8492)
• Add rules for ARM64 kernel (#8506)
• Add rules for 64b kernel (#8504)
• Add rules to configure Kernel panic behavior (#8503)

Updated Rules and Profiles

• gid_passwd_group_same oval does not allow ! in passwd field (#8296)
• Update SRG-OS-000028-GPOS-00009 for RHEL9 STIG (#8321)
• Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
• Fix missing "to" in account restriction warnings (#8399)
• SLE15 add sysctl_kernel_exec_shield to HIPAA profile5 (#7891)
• Update SRG-OS-000480-GPOS-00229 for RHEL9 STIG (#8405)
• Update SRG-OS-000480-GPOS-00232 for RHEL9 STIG (#8403)
• Add sudoers_default_includedir rule support to SLE12 and SLE15 platforms (#8406)
• SUSE Group init_module and finit_module audit rules. (#8407)
• Update SRG-OS-000031-GPOS-00012 for RHEL9 STIG (#8414)
• Update SRG-OS-000445-GPOS-00199 for RHEL9 STIG (#8415)
• Update SRG-OS-000370-GPOS-00155 for RHEL9 STIG (#8422)
• Update SRG-OS-000437-GPOS-00194 for RHEL9 STIG (#8416)
• Update SRG-OS-000445-GPOS-00199 (#8439)
• Add a rule to STIG profile in OL8 and RHEL8 (#8447)
• SRG-OS-000349-GPOS-00137 for RHEL 9 STIG (#8471)
• Add auid criteria to rules related to syscall audit rules (#8327)
• remove redundant rule from HIPAA profiles (#8509)
• Update SRG-OS-000120-GPOS-00061 for RHEL 9 STIG (#8514)
• align RHEL8 OSPP with certification requirements (#8508)
• Fix broken Oracle Linux doc links. (#8538)
• For sle systems the etc shadow is group shadow (#8554)
• Enable for ansible and bash remediation for SLE15 and SLE12. (#8545)
• consistent perm_x product filtering (#8607)
• Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG (#8505)
• strip trailing blank lines for some templated audit rules (#8805)
• Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
• Add auid criteria to rules related to syscall audit rules (#8327)

Changes in Remediations

• Use UID field for bash remediation of homedirs (#8398)
• SUSE disable_users_coredumps enable bash remediation for sle. (#8558)
• consistent perm_x product filtering (#8607)
• Remediation and improvement for file_permissions_home_dirs rule (#7963)
• fix ansible remediation of enable_dracut_fips_module (#8823)

Changes in the Infrastructure

• Add

   tag HTML element to STIG mapping tables (#8367)

• Remove reference to a nonexistent file (#8370)
• Unify a custom_command (#8357)
• Like the docs requirments GitPod should also use https vs the lagecy git protocol (#8440)
• Update utils/create_srg_export.py (#8437)
• Build data stream without OpenSCAP (#8364)
• Improve the list of HTML guides (#8460)
• Remove update_sds_version.py (#8369)
• Add new GH job to generate XLSX table and HTML page with SRG mapping (#8326)
• Fix index page generation for guides artifacts. (#8533)
• Organize fix text macros (#8529)
• Load any *.jinja file and organize macros (#8576)
• Add cce to srg export (#8571)
• Full Support Variables in SRG Export (#8635)
• utils/compare_results.py to work with --stig-viewer results and print rule identifiers (#8634)
• Fix variable substitution in SRG export (#8683)
• Add custom requirement (#8705)
• GH actions nightly builds (#8137)

Changes in the Test Suite

• Test template filtering (#8052)
• Fix same shadow field bug in tests (#8458)
• Add Centos Stream 8/9 support in install_vm script (#8481)
• Add templated tests for dconf_ini_file (#8740)
• Cleanup tests package installed or removed (#8752)
• Cleanup duplicate scenarios for sshd_lineinfile template (#8742)
• Include snapshot cleanup functions for SSGTS (#8729)
• test scenario adjustments for file_permissions template (#8750)
• Cleanup custom kernel_module_disabled scenarios (#8753)
• Add templated test scenarios for shell_lineinfile template (#8754)
• Remove similar test scenarios on rules templated by file_groupownership (#8755)
• SSGTS: Update to handle CentOS CPEs and fix prefix name of snapshots wrt podman limitation (#8767)
• Add template mode to SSGTS (#8730)
• Remove redundant custom test scenarios for service enabled/disabled rules (#8760)

Documentation

• Fix docs build (#8402)
• Document GHA release process (#8096)
• Add docuemntion for Pandas dependancy (#8544)
• Point the docs to new jinja macro files (#8577)
• Remove Link Checker from README (#8745)

Content 0.1.61

Important Highlights

• Stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
• Introduce OL9 product (#8102)
• Implement handling of logical expressions in platform definitions (#8043)

New Rules and Profiles

• Introduce OL9 product (#8102)
• RHEL9 OSPP boot parameter rules (#8092)
• Introduce stig_gui profile for OL8 (#8200)
• New rules related to pam_pwquality (#8185)
• add rules to add page_alloc.shuffle kernel boot parameter (#8234)
• Add GRUB2 rule for slab_nomerge and mce (#8282)
• Include rule mount_option_proc_hidepid (#8288)
• New sysctl fs parameters (#8304)
• Parametrize configuration of kernel.kptr_restrict and add rule for kernel.panic_on_oops (#8285)

Updated Rules and Profiles

• Ol7 stig v2r5 (#7913)
• HIPAA Rules in test (#7916)
• Ubuntu specific bash and oval for dconf_gnome_login_banner_text (#7908)
• The audit package and auditd service are needed for FAU_GEN.1 SFR. (#8069)
• Clarify that log_format and name_format affects specifically information included in the audit records, not events for which audit records get generated. (#8071)
• Ensuring immutable UIDs is related to the subject identity required by FAU_GEN.1.2, it does not affect for wihch events audit records will be generated. (#8072)
• These auditd configurations affect the whole SFR, not just its specific parts. (#8070)
• RHEL9 OSPP: drop some rules disabling kernel module loading (#8093)
• The write_logs is related to where audit records end up stored, not what records get generated. (#8114)
• Amend OSPP references for rsyslog omfwd/gtls configuration. (#8113)
• On OSPP installation, the primary reason for having rsyslog installed… (#8111)
• Configuring the CA certificate targets the TLS "internal" requirements, so FTP_ITC_EXT.1.1 is not needed. (#8112)
• Ensure all processes are auditable and rules loaded for FAU_GEN.1 are applied. (#8098)
• Update OL8 stig profile rule selection (#8124)
• Requirement of not losing data at least to a limit comes from FAU_STG family. (#8133)
• RHEL9 OSPP boot parameter rules (#8092)
• Simple stig v2r6 updates for OL7 (#8162)
• Create OVAL check for selinux_context_elevation_for_sudo [OL7] (#8160)
• Update rule to only remove the graphical interface (#8170)
• drop not needed auditd.conf rules from rhel9 ospp (#8188)
• New rules related to pam_pwquality (#8185)
• Update configure_bashrc_exec_tmux to consider .d directory (#8146)
• align ospp audit rules with the latest upstream release (#8152)
• Align description of grub2 rules with checks and remediations (#8184)
• Update RHEL7 STIG items to V3R6 (#8225)
• update description of rhel9 ospp profile (#8232)
• Add sudoers_default_includedir to ol7 STIG (#8229)
• add rules to add page_alloc.shuffle kernel boot parameter (#8234)
• Fix bug 1195521 (#8215)
• Fix for bug 1195523 (#8242)
• Extend package_pam_pwquality_installed rule for RHEL (#8186)
• make rule enable_fips_mode check only for technical state (#8255)
• UEFI booting requires FAT support. (#8269)
• Removed criteria in OVAL check of require_singleuser_auth (#8121)
• no iptables.service in sle15 (#8292)
• fix aide_build_database rule and remediation to work with sles 12 and 15 (#8287)
• SLE 12 and 15 merge auditd file modification rules STIG IDs (#8295)
• OL8 STIG severity adjustments (#8103)
• Oval update for two rules to only allow results from only one file [ol7] (#8161)
• Performance improvements for file permission and ownership templates (#8456)

Changes in Remediations

• HIPAA Rules in test (#7916)
• Fix handling of literal dollars in macros (#8252)
• Various bash fixes (#8253)
• Simplify generated augen bash expressions (#8254)
• Fix the firewalld remediation (#8251)
• Fix bash remediations of browsers (#8258)
• Introduce convenience macros for find and awk (#8257)
• Introduce a shellcheck test (#8032)
• Refactor pam_faillock remediation (#8347)

Changes in the Infrastructure

• Add condition to SCAPVal script that will trigger when SCAP standard is updated (#8062)
• stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
• Implement handling of logical expressions in platform definitions (#8043)
• Add backends attribute to template in rules schema (#8090)
• Add gitpod support (#8123)
• Added utils/compare_disa_xml.py (#8120)
• Gitpod: Build OpenSCAP 1.3.6 so it can build OCP4 and EKS content (#8206)
• Fix issue with getting STIG items in create_scap_delta_tailoring.py (#8245)
• Store OVAL of compiled platforms as string (#8238)
• Add a script to audit the SRG export CSV (#8077)
• Add version to delta tailoring file name (#8247)
• Various improvments to SRG Export Script (#8091)

Changes in the Test Suite

• align ospp audit rules with the latest upstream release (#8152)
• Remove grub2_pti_argument tests (#8310)
• Delete test scenario that removes SSH keys from machine (#8309)
• Remove RHEL7 platform from invalid_rescue.pass.sh (#8311)

Documentation

• Document boolean expressions in "platform" definitions (#8094)
• Add github workflow to publish statistics, guides and tables (#8136)
• Add missing rsync dependency to gh-pages workflow (#8151)
• Fix badges and remove Centos legacy CI integration (#8244)

Content 0.1.60

Important Highlights

• OL8 draft stig profile v1r1 (#7932)
• Add Amazon EKS platform and initial profiles for the CIS benchmark (#7579)
• Add CentOS Stream 9 derivative product from RHEL9 (#7878)

New Rules and Profiles

• Rename/remove rule for package abrt-addon-python (#7899)
• OL8 draft stig profile v1r1 (#7932)
• Add stig_gui profile for ol7 (#7939)

Updated Rules and Profiles

• update description of grub2_uefi_password (#7859)
• remove ABRT related rules from RHEL9 (#7906)
• grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
• add hint about audit backlog configuration (#7909)
• Update chronyd_or_ntpd_set_maxpoll to add maxpoll option to chrony pool directives (#7910)
• Clarify behaviour of SSHD rules (#7919)
• OL8 stig prodtype and platform (#7933)
• fix enable_fips_mode remediations (#7936)
• Removed OSPP MLS from RHEL9 (#8037)
• mark rhel9 ospp and cui as draft (#8042)
• fix problems with trailing blank lines in audit rules (#8047)
• fix wrong Jinja macro for audit_rules_execution_restorecon (#8073)
• Make rule network_nmcli_permissions applicable only when polkit is installed (#8110)
• remove configure_gnutls_tls_crypto_policy from rhel9 (#8116)

Changes in Remediations

• Use authselect to edit pam files if it is present (#8026)
• Use authselect and custom profile for pam_pwhistory (#8030)
• Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)
• Use correct config file in ensure_gpgcheck_local_packages (#8105)
• sshd_lineinfile ansible macro dir support and directory check fix (#8109)

Changes in Checks

• grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)

Changes in the Infrastructure

• Add the ability to load controls from folder (#7876)
• Add utils/compare_results.py (#7894)
• Introduce handling of versioned Boolean algebra expressions (#7873)
• Add a split option to utils/build_stig_control.py (#7904)
• Upgrade to F34 in Gating (#7826)
• Control to csv (#7775)
• Fix issues with dividing a str by str in utils/render-policy.py (#7960)
• Improve create_srg_export.py (#7959)
• Add rationale to controls (#7975)
• Clarify controleval.py help text (#8034)
• Add better error messages to utils/controleval.py and add does not meet to stats output (#8038)
• Improvements to controls and STIG export (#8039)
• Generate release artifacts' checksums (#8087)

Changes in the Test Suite

• grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
• fix problems with trailing blank lines in audit rules (#8047)
• override two more tests for grub2_kernel_trust_cpu_rng (#8067)
• Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)

Documentation

• add hint about audit backlog configuration (#7909)
• Add docs for create srg export (#7976)

Content 0.1.59

Important Highlights

• Add support for Debian 11 (#7715)
• Add NERC CIP profiles for OCP4 and RHCOS (#7757)
• Ground work for implementation of CPE applicability language (#7613)
• Add HIPAA profile to SLE15 platform (#7776)
• Add Delta Tailoring Files to the Build System (#7851)

New Rules and Profiles

• Add rule only_allow_dod_certs (#7658)
• Add new rule "service_ypserv_disabled" (#7679)
• Add rule "Ensure All Groups on the System Have Unique Group Name" (#7676)
• Add SSH LoginGraceTime rule (#7678)
• Add rule accounts_root_gid_zero (#7685)
• Add new rules for CIS Journald Config (#7682)
• Add rule service_slapd_disabled (#7694)
• Add rule group_unique_id (#7683)
• Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
• Add NERC CIP profiles for OCP4 and RHCOS (#7757)
• Add HIPAA profile to SLE15 platform (#7776)

Updated Rules and Profiles

• locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml: sles15 fix (#7389)
• remove rule disable_prelink from rhel7 cis (#7621)
• Make package_mcafeetp_installed work on Ubuntu (#7656)
• Add rule to stig.profiles (#7664)
• SLE bash remediation accounts_passwords_pam_faildelay_delay (#7661)
• Add rule for RHEL8 CIS 5.2.16 (#7677)
• remove old rule from rhel7 stig (#7710)
• More flexibility for login banners (#7690)
• Align rsyslog_remote_loghost to benchmarks (#7692)
• Rework bash remediation for accounts_password_pam_unix_remember (#7660)
• Return rule package_rsyslog-gnutls_installed to RHEL7 (#7731)
• Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
• Add var_sshd_set_keepalive to Ubuntu 20.04 STIG profile (#7771)
• SLE15 Add rsh and talk server remove rules to HIPAA profile (#7813)
• Change sshd_set_idle_timeout to require sshd_set_keepalive_0 (#7751)
• SLE15 add service related rules to HIPAA profile (#7852)

Changes in Remediations

• Add remaining Blueprint templates (#7609)
• Make sure files have newline during bash lineinfile remediation (#7787)
• accounts_no_uid_except_zero: Don't run passwd if awk returns nothing (#7779)
• Make FIPS mode check idempotent (#7318)

Changes in the Infrastructure

• Automated STIG Control File Creation (#7324)
• Added Build, Test on OpenSUSE Leap 15 on pull requests (#7666)
• Handle references with commas in utils/build_stig_control.py (#7697)
• Add utils/create_scap_delta_tailoring.py (#7717)
• Multi-file templates: file_permissions/file_groupowner/file_owner (#7405)
• Ground work for implementation of CPE applicability language (#7613)
• Fix utils/fix_rules.py exit codes (#7821)
• Add Delta Tailoring Files to the Build System (#7851)
• Add CentOS 7 build to CI (#7879)

Changes in the Test Suite

• Test scenarios updates for gpgcheck rules (#7638)
• service_enabled test scenarios templates (#7632)
• Create test scenarios for rule gid_passwd_group_same (#7637)
• ntp/chrony remove server remediations and test scenarios (#7631)
• Add a fail test for accounts_password_all_shadowed (#7642)
• Add test scenarios specific for CIS (#7634)
• Implementing test ssh_set_max_sessions for rhel7 profiles (#7641)
• Created pass/fail scripts for rule sshd_use_approved_macs (#7650)
• Update SSGTS so it can use mount in containers (#7680)
• Added ability to slice SSGTS rule checking runs (#7667)
• Update tests for package_crypto-policies_installed (#7858)

Documentation

• Add Styleguide (#7515)
• improve documentation (#7063)
• Add sphinx missing dependency in the developer guide (#7645)
• Update CONTRIBUTING.md (#7722)
• Add type hints to style guide (#7773)
• Fix directories count in docs/manual/developer/03_creating_content.md (#7805)
• Improve jinja docs (#7785)
• Introduced graphs in the documentation (#7825)
• Add rule schema (#7796)

Content 0.1.58

Important Highlights

• Add SCE Support to build system (#7075)
• Split RHEL 8 CIS profile using new controls file format (#6976)
• Introduce automated CCE adder (#7249)
• CIS Profiles for SLE12 (#7434)
• Add initial Ubuntu 20.04 STIG Profile (#7220)

New Rules and Profiles

• Add initial Ubuntu 20.04 STIG Profile (#7220)
• Add rules for RHEL-08-030610 (#7256)
• Add Ubuntu to cron.allow, at.allow rules for CIS (#7223)
• New rules for RHEL-08-010290 (#7151)
• New rules for RHEL-08-010291 (#7169)
• Add /var/log/audit individual ownership rules (#7129)
• New rule for RHEL-08-020270 (#7276)
• Add rule new for RHEL-08-030700 (#7264)
• Added new rule for RHEL-08-030710 (#7268)
• Add rule for RHEL-08-020300 (#7289)
• Add rule for RHEL-08-020090 (#7313)
• Introduce support for the distributed SSHd configuration (#6926)
• UBTU-20-010057: Add missing rules (#7363)
• Add new rule for RHEL-08-030720 (#7288)
• Add a new rules RHEL-08-010001 and RHEL-07-020019 (#7344)
• Add new rule for RHEL-07-030330 and RHEL-08-030730 (#7323)
• Added rule for RHEL-08-010400 (#7411)
• Sysctl disable ipv6 (#7460)
• CIS Profiles for SLE12 (#7434)

Updated Rules and Profiles

• fix problems with variables in rhel7 cis (#7237)
• Sort references, identifiers in rule.yml (#6882)
• Correct some issues with the CIS ICMP redirects rule on RHEL 7/8 (#7259)
• remove broken links to support.ntp.org (#7262)
• Mark as machine rules that collect password_object (#7263)
• OCP4: fips_mode_enabled rule relates to IA-7 (#7267)
• Enable dconf rules for RHEL9 (#7011)
• Enable generic rules for RHEL9 (#7147)
• Introduce support for the distributed SSHd configuration (#6926)
• Add service_pcscd_enabled to SLE15 PCI-DSS profile (#7322)
• update version of rhel7 stig_gui profile (#7340)
• Update References for RHEL8 STIG V1R3 (#7299)
• Suse sle15 fix reference sles 15 030350 assignment (#7346)
• Add to sle15 PCI-DSS profile rules for account uniqueness and grub config ownership (#7345)
• Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286 (#7354)
• Add SRGs for accounts_password_pam_dictcheck and sssd_enable_certmap (#7362)
• Update RHEL 8 CIS references to match benchmark 1.0.1 (#7356)
• Update CCEs and identifiers on rules that make up RHEL 8 CIS 4.1.15 (#7353)
• generic updates to rhel7 CIS (#7384)
• Update existing rule for RHEL-08-020320 (#7303)
• OCP4: Remove kubelet_disable_hostname_override rule (#7391)
• SLES-12-010599 - remove rule from the STIG (#7397)
• add kickstarts for rhel8 CIS profiles (#7383)
• add rhel7 kickstarts for CIS profiles (#7382)
• UBTU-20-010056: Use rule accounts_password_pam_dictcheck (#7366)
• Add ensure_logrotate_activated rule to SLES15 PCI-DSS (#7381)
• products/sle15/profiles/stig.profile: Update according to U_SLES_15_STIG_V1R3 Manual (#7388)
• Add PCI-DSS rules (#7373)
• Add PCI-DSS file Rules (#7417)
• Add PCI-DSS file rules (#7430)
• SUSE SLE15 service chronyd or ntpd enabled pci dss (#7425)
• Add rsyslog log file configuration rules to SUSE SLE15 PCI-DSS profile (#7420)
• Update existing rules for RHEL-07-010492 and RHEL-07-010482 (#7438)
• Add rule for SLES-12-030365 (#7177)
• SLE15 add package_aide_installed to PCI-DSS profile (#7476)
• SLE15 add package security rules to PCI-DSS profile (#7473)
• SLE15 Add password hashing rules to PCI DSS profile (#7474)
• SLE15 add audit data retnetion rules to PCI-DSS profile (#7475)
• SLE15 add sssd_enable_smartcards to PCI-DSS rule (#7472)
• PCI-DSS Add more auditd rules (#7477)
• OL7 DISA STIG v2r4 update (#7496)
• Pcidss Configure Crypto Rules (#7398)

Changes in Remediations

• Enable remediations for crypto policy settings (#7242)
• fix ansible of accounts_root_path_dirs_no_write (#7255)
• add / fix remediations for audit rules wrt modules (#7252)
• Fix possible issue in harden_openssl_crypto_policy remediation (#7178)
• Mount option template updates (#7081)
• Fix coverity problems (#7258)
• Fix ansible remediation of display_login_attempts (#7271)
• Fixed the remediations when there are no previous kernelopts (#7257)
• Remove specific metadata in shared Bash remediations (#7254)
• Update existing rule for RHEL-08-030650 (#7283)
• Remove kubelet_disable_hostname_override rule (#7400)
• Fix remaining audit rule files permissions. (#7440)

Changes in Checks

• Add oval check for bios_enable_execution_restrictions (#7227)
• Mount option template updates (#7081)
• Update existing rule for RHEL-08-030650 (#7283)

Changes in the Infrastructure

• Prioritize install_smartcard_packages like package_*_installed (#7224)
• Sort references, identifiers in rule.yml (#6882)
• Add SCE Support to build system (#7075)
• SSGTS: tests for shared/templates (#7211)
• Add new rule for RHEL-08-030720 (#7288)
• Introduce automated CCE adder (#7249)
• Add sort prodtypes to fix_rules (#7454)

Changes in the Test Suite

• Add rhel9 Dockerfile and distro choice into install_vm.py (#7235)
• fix ansible of accounts_root_path_dirs_no_write (#7255)
• install_vm.py: add --console option (#7186)
• Add some more tests (#7083)
• Add RHEL7 specific test kickstart (#7355)
• SSGTS: tests for shared/templates (#7211)
• Fix combined mode execution in SSGTS (#7395)
• Option --no-reports for SSGTS rule and combined modes (#7523)

Documentation

• Document rule.yml modification utilities (#6916)
• Update Mailing list location in docs (#7293)
• Fix links to repo: SSG->CaC (#7311)
• More documentation (#7406)
• Fix RHEL7 documentation links (#7409)
• Add readthedocs integration badge (#7407)
• Fix RHEL7 documentation link (#7443)
• Add bats to gating and docs (#7543)

Content 0.1.57

Highlights

• CIS profile for RHEL 7 is updated
• initial CIS profiles for Ubuntu 20.04
• Major improvement of RHEL 9 content
• new release process implemented using Github actions

New Rules and Profiles

• Add rule sudo_add_passwd_timeout (#6984)
• SLES-12-010420 and SLES-15-010510 rules (#7028)
• SLES-15-010355 rule (#6947)
• New rsyslog rule per RHEL-08-010070 STIG (#7114)
• Add initial Ubuntu 20.04 CIS Profiles (#7181)

Updated Rules and Profiles

• Update ANSSI policy metadata and undraft High Level (#6997)
• Update cis sle15 profile to better represent the release version 1.0.0 (#7056)
• Start splitting of rhel7 CIS (#7108)
• Splitting rhel7 cis profile - section 2 (#7112)
• Splitting rhel7 cis profile - section 3 (#7111)
• splitting CIS rhel7 profile - section 4 (#7134)
• Split RHEL 7 CIS profile - section 5 (#7193)
• split CIS for rhel7 - section 6 (#7219)

Changes in Remediations

• Add bash package installated macro (#7032)
• Ansible playbook to role updates (#7042)
• Add option to enable installation of individual ansible playbooks per rule (#7039)
• Only enable ansible/yaml lint tests when playbooks are built (#7099)
• ensure_pam_module_options now fix empty option value (#7116)
• Fix bash remediation of sudo_defaults_option (#7146)
• Fix regex in dconf ansible remediation (#7150)

Changes in Checks

• Fix disable_users_coredumps's limits.d exists (#7030)
• Fix oval check in uefi_no_removeable_media (#7067)
• Add option_regex_suffix to sudo_defaults_option template (#7082)

Changes in the Infrastructure

• Fix bugs in rule_dir_json.py (#6911)
• Fix utilities after product move (#7113)
• Fix kernel module disable template (#7086)
• SSGTS: Jinja enablement for test cases (#7210)

Changes in the Test Suite

• Fix SSG test suite support for setting variables (#7097)
• SSGTS: Jinja enablement for test cases (#7210)

Content 0.1.56

Highlights:

• Align ism_o profile with latest ISM SSP (#6878)
• Align RHEL 7 STIG profile with DISA STIG V3R3
• Creating new RHEL 7 STIG GUI profile (#6863)
• Creating new RHEL 8 STIG GUI profile (#6862)
• Add the RHEL9 product (#6801)
• Initial support for SUSE SLE-15 (#6666)
• add support for osbuild blueprint remediations (#6970)

Profiles changed in this release:

• sle12: stig
• sle15: cis, stig
• rhel7: stig_gui, stig
• rhel8: stig_gui, stig, ism_o
• rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
• ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
• ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
• rhv4: pci-dss
• ocp4: cis-node, cis
• rhel9: pci-dss

Profiles:

• Add updated manual DISA STIG XML reference files (#6903)
• rhcos4/e8: Use individual kernel module load audit rules (#6797)
• rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
• bump rhel7 stig version to v3r3 (#6951)
• remove no longer relevant rules from rhel7 stig (#6865)
• Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
• Update OL e8 profiles (#6840)
• Remove rules related to gnome/dconf (#6884)
• Ol cjis profiles (#6851)
• Add PCI-DSS profile to RHV4 (#6867)
• OL hipaa profiles (#6819)
• Update OL cui profiles (#6818)
• remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
• RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
• rhcos4: Remove sssd configuration check from moderate profile (#6774)
• RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
• RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
• RHCOS: Temporarily remove UEFI password rule (#6757)
• Add new rules to sle12/profiles/stig.profile (#6665)
• Remove package_gssproxy_removed from STIG GUI profile (#6967)
• Updating RHEL8 STIG profile for readability changes (#6856)
• Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
• Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)

Rules:

• Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
• Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
• Fix grub2's /boot location for Debian, Ubuntu (#6986)
• Add rules to remove setroubleshoot server and plugin packages (#6969)
• SLES-15-010362 (#6968)
• Fix groupowner/permissions for ubuntu2004 (#6979)
• SLES-15-10352 rule (#6822)
• Enable RHEL9 for kernel-related rules (#6966)
• Enable SELinux rules for RHEL9 (#6959)
• Move rule grub2_enable_iommu_force to use template (#6956)
• Clarify what fixes for AiDE acl and xattrs do (#6960)
• Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
• Adding new rule for RHEL-08-010294 (#6932)
• Add OCIL to sshd_limit_user_access (#6836)
• SLES-15-030390 add rule, remediation and test (#6802)
• Add Rule for SLES-15-040382 (#6811)
• RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
• RHCOS4: Add recommended chrony config (#6786)
• Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
• Prevent global references to use product-qualifiers (#6896)
• OCP: Fix description of kubelet TLS cipher suites (#6900)
• Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
• Update VSEL references to remove qualifier from global references (#6948)
• SLES-15-010250 add rule, remediation and tests (#6879)
• add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
• Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
• Add Rule,Remediation and Test for SLES-15-030760 (#6869)
• Revert STIG id for require_emergency_target_auth (#6928)
• Remove bogus nist: FOO-1(a) references (#6917)
• remove product specific disa and srg references (#6895)
• ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
• Fix usbguard match-all syntax for HID rule (#6909)
• RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
• Notate that Ubuntu is a FIPS-certified OS (#6912)
• OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
• update require_emergency_target_auth (#6894)
• add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
• Add Rule,Test for SLES-15-020103 (#6881)
• Prevent unqualified CIS and STIGID references (#6871)
• SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
• Add rules related to permissions of /var/log and /var/log/messages (#6861)
• SLES-15-010220 updates for firewalld (#6831)
• Add OL anssi profiles (#6817)
• update accounts_tmout (#6839)
• SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' (#6826)
• add rule for disabling of GUI (#6860)
• Add rules for SLES-12-010060 (#6806)
• CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
• fix service_sshd_enabled for SLE-15 (#6830)
• RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
• Add HIPAA rules references (#6854)
• RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
• Add CCI reference to package_gssproxy_removed (#6846)
• Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
• SLES-15-010353 map rule file_ownership_library_dirs (#6820)
• Add CCEs for RHEL9 rsyslog rules (#6832)
• SLES-15-010030 rule (#6821)
• SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
• Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
• OCP4: Add applicability warnings (#6823)
• service_nfs_disabled - change name of nfs service to nfs-server (#6777)
• Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
• OCP4: Address flowschema version change by handling different OCP versions (#6813)
• Abort the build if an OVAL is not included due to extend_definition (#6402)
• Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
• service_rsyncd_disabled - update package name to rsync-daemon (#6783)
• Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
• RHCOS4: Fix require_singleuser_auth rule (#6780)
• ocp4: Add relevant description for protectKernelDefaults rule (#6705)
• CIS 5.2, 5.4, and 5.6 updates (#6704)
• Add documentation links for OL7 and OL8 (#6756)
• Update OL OSPP profiles (#6745)
• Change dhcp server package name to dhcp-server in rhel8 (#6762)
• SLES-15-020101 add rule and tests, no remediation (#6734)
• Add ansible and bash remediation for wireless_disable_interfaces (#6685)
• ocp4: Switch to using the platforms construct (#6759)
• Add rule for RHCOS to check for interactive boot being disabled (#6747)
• Fix oracle documentation links (#6740)
• implement support for multiple platforms connected with disjunction (#6661)
• rhcos4: Add check for nousb kernel argument (#6743)
• Add tests for no files unowned by user/group rules (#6738)
• Add rule for checking selinux is not disabled in coreos (#6737)
• ocp4/etcd: Fix rule checks for 4.8 (#6732)
• Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
• CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
• CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
• Updating macros to support idempotency when deduplicating values (#6953)
• Fix Rule CPE Name inheritance (#6943)
• Reorganize env and product yaml (#6754)
• RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
• rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
• RHCOS4: Add recommended auditd.conf remediation (#6782)
• Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
• Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
• rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
• RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
• mount_option ansible remediation - remediate when mount point is not in mounted (#6713)

Tests:

• install_vm.py: add possibility to install GUI system (#7004)
• Improve the test suite wrapper (#6944)
• Remove code from OCP4 e2e tests (#6961)
• Add test scenarios for service enable/disable rules from CIS profile (#6785)
• Missing references test (#6849)
• Fix RHEL8 STIG with GUI stable profile data (#6874)
• increase /usr partition size in testing kicstart (#6808)
• Add Ubuntu as a known platform for ssg_test_suite (#6794)
• Add package_* test scenarios (#6752)
• Add tests for rule accounts_password_pam_minlen (#6751)
• Add tests for rule accounts_no_uid_except_zero (#6750)
• Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
• Update tests of accounts_tmout to work when overriding profiles (#6765)
• Update tests of account_disable_post_pw_expiration (#6753)
• Add tests for rule account_unique_name (#6749)
• accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
• Switch to generic python shebang (#6744)
• Add tests for rule no_netrc_files (#6741)
• Add tests for rule accounts_minimum_age_login_defs (#6735)
• Updated test scenarios to work on containers (#6701)
• Add tests for rule accounts_password_warn_age_login_defs (#6736)
• Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
• ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
• Add test scenarios for rsyslog rules (#6712)
• set_firewalld_default test scenarios (#6721)
• sysctl_net_* test scenarios (#6696)
• rpm_verify_ownership test scenarios (#6703)
• postfix_network_listening_disabled tests (#6708)
• Ignore trailing whitespaces in...

Content 0.1.55

Highlights:

• big update of rules used in SLES-12 STIG profile
• Render policy to HTML (#6532)
• Add variable support to yamlfile_value template (#6563)
• Introduce new template for dconf configuration files (#6118)

Profiles changed in this release:

• ocp4: cis-node, cis, e8, moderate
• rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
• rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
• sle15: cis, standard
• debian10: anssi_np_nt28_average, standard
• debian9: anssi_np_nt28_average, standard
• fedora: pci-dss, standard
• ol7: pci-dss, stig, standard
• ol8: ospp, hipaa, standard, pci-dss, cjis
• rhcos4: e8, ospp, moderate
• rhv4: rhvh-stig, rhvh-vpp
• sle12: stig
• ubuntu1604: anssi_np_nt28_average, standard
• ubuntu1804: cis, anssi_np_nt28_average, standard
• ubuntu2004: standard
• wrlinux1019: draft_stig_wrlinux_disa

Profiles:

• remove ensure_logrotate_configured from CIS profiles (#6693)
• configure_crypto_policy update for CIS profile (#6673)
• remove kernel_module_vfat_disabled from CIS profiles (#6613)
• E8 ocp revisions (#6587)
• Update ANSSI profile descriptions (#6592)
• Bump RHEL7 STIG version to v3r2 (#6576)
• OL7 DISA STIG v2r1 update (#6538)
• Select RHEL8 STIG V1R1 existing content (#6579)
• OL7 DISA STIG v2r2 update (#6607)
• Update OL standard profiles (#6604)
• Update OL pci-dss profiles (#6605)
• Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
• remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)

Rules:

• Update selinux_confinement_of_daemons rule (#6695)
• Adds classification-banner rule (#6652)
• CIS 5.1 changes (#6678)
• ocp4: Fix audit log forwarding rule (#6680)
• CIS 5.1 and 5.2: More ocil updates (#6689)
• Change instances of cis to cis@ocp4 for openshift (#6654)
• Revert hardcoding of ClientAliveCountMax to 0 (#6434)
• SLES-12 add checks and remediations (#6635)
• Update ANSSI references (#6662)
• Add missing CIS references (#6660)
• move ssh_client_rekey_limit to correct group (#6612)
• Fix STIG id reference for sshd_x11_use_localhost (#6628)
• fix wrong description of sshd_limit_user_access (#6623)
• mark some CIS rules as machine-only (#6611)
• CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
• ocp4: Add link to documentation for etcd encryption (#6590)
• Drop remediation for sysctl_kernel_modules_disabled (#6586)
• OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
• CIS: Update api_server_request_timeout description and check (#6572)
• add rhel7 stig specific rule for sshd approved macs (#6546)
• Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
• add rhel7 stig specific rule for ssh ciphers (#6541)
• sshd_set_keepalive PCI DSS requirement reference (#6531)
• add rule sysctl_kernel_modules_disabled (#6533)
• RHEL-07-040710 now configures X11Forwarding to disable (#6537)
• add rule sshd_x11_use_localhost (#6534)
• Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
• fix remediations of ensure_logrotate_activated (#6710)
• ocp4/e2e: fix classification_banner remediation (#6679)
• ocp4: Add e2e for no_direct_root_logins (#6621)
• rhcos4: Add remediations and rules to enable usbguard (#6452)
• Require separate filesystem for /var/tmp (#6523)
• Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)

Tests:

• fix test for smartcard_auth (#6694)
• Fix test scenario of rpm_verify_permissions rule (#6671)
• Supress Ansible lint error 503 (#6542)
• Add test to check for duplicated STIG ids (#6135)