Releases: ComplianceAsCode/content

Content 0.1.68

15 Jun 08:49
513280d

Important Highlights

  • Bump OL8 STIG version to V1R6 (#10497)
  • Introduce a Product class, make the project work with it (#10529)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • OL7 DISA STIG v2r11 update (#10498)
  • Publish rendered policy artifacts (#10585)
  • Update ANSSI BP-028 to version 2.0 (#10334)

New Rules and Profiles

  • Add rule package_mailx_installed (#10495)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • Introduce file_permissions_audit_configuration rule (#10489)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • New rules to complete CIS requirements for SSH Keys (#10552)
  • New SLE 15 rule set_nftables_base_chain (#10180)
  • Rebased hagenest set nftables loopback traffic (#10366)
  • Restart postfix service and add rule has_nonlocal_mta (#10359)
  • SLE15 add implementation of nftables_rules_permanent rule (#10201)
  • SLE15 add nftables ensure default deny policy (#10249)
  • Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)

Updated Rules and Profiles

  • Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
  • Add package_avahi_removed to ubuntu profiles (#10406)
  • Add rules SLES-15-010375 and SLES-12-010375 (#10625)
  • Add rules SLES-15-010419 and SLES-12-010499 (#10621)
  • Add rules SLES-15-010420 and SLES-12-010500 (#10623)
  • Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Bump OL8 STIG version to V1R6 (#10497)
  • Complete CIS requirement for system accounts (#10627)
  • Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
  • delete rule SLES-15-040280 (#10383)
  • Drop of some rules from SLE 12/15 profiles (#10527)
  • Enable ensure_shadow_group_empty for RHEL7 (#10416)
  • Enable service_nftables_disabled for RHEL (#10390)
  • Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
  • Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
  • Fix in sshd_use_approved_ciphers (#10535)
  • Fix in sudo_require_reauthentication (#10216)
  • Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • No remediation warning for fapolicy_default_deny (#10433)
  • OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
  • OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
  • OL7 DISA STIG v2r11 update (#10498)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE 12/15 profile updates (#10577)
  • SLE improve kernel module disabled rule (#10368)
  • SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
  • sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
  • Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
  • Ubuntu 22.04 CIS modify password remember rule (#10480)
  • Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
  • Update accounts_password_pam_retry yaml (#10496)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update ANSSI BP-028 to version 2.0 (#10334)
  • Update CIS controls related to nftables table and chains (#10629)
  • Update CIS requirement for SSH access limit (#10470)
  • Update netrc requirement in CIS for RHEL8 (#10511)
  • Update OL9 STIG profile (#10407)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • update rule sles-15-040250 (#10492)

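The password-aging items in the list above (the accounts_password_set_max_life_existing changes and the fix to stop ignoring empty passwords) describe a check whose edge cases are easy to get wrong. The block below is an added example written for this page, not the project's own OVAL check or Bash remediation: it parses constructed /etc/shadow lines, flags accounts whose PASS_MAX_DAYS field is empty (never expires) or above a limit, skips locked accounts unless asked not to, and deliberately does not skip an entry whose password field is empty. The 365-day limit, the sample records and the helper names are assumptions.

```python
"""Flag /etc/shadow entries whose maximum password age exceeds a limit.

Added example with constructed sample data; this is not the ComplianceAsCode
project's own OVAL check or remediation.
"""
from typing import List, NamedTuple, Optional


class ShadowEntry(NamedTuple):
    user: str
    password: str            # hashed password, "" (empty), or locked ("!", "*", "!!")
    max_days: Optional[int]  # field 5 (PASS_MAX_DAYS); None when the field is empty


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow record (9 colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow line: {line!r}")
    max_field = fields[4].strip()
    return ShadowEntry(
        user=fields[0],
        password=fields[1],
        max_days=int(max_field) if max_field else None,
    )


def is_locked(password: str) -> bool:
    """Locked accounts carry a leading '!' or '*' in the password field."""
    return password.startswith(("!", "*"))


def exceeds_max_age(entry: ShadowEntry, limit: int) -> bool:
    """True when the account never expires or expires later than `limit` days.

    An empty PASS_MAX_DAYS field means "never expires"; it is reported as
    non-compliant rather than silently skipped.
    """
    return entry.max_days is None or entry.max_days > limit


def audit_shadow(text: str, limit: int = 365, include_locked: bool = False) -> List[str]:
    """Return the users whose maximum password age needs fixing.

    Entries with an empty password field are NOT excluded: an account with no
    password and no expiry is exactly the case a check should surface.
    Locked accounts are skipped by default; pass include_locked=True to list them.
    """
    flagged: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_shadow_line(raw)
        if is_locked(entry.password) and not include_locked:
            continue
        if exceeds_max_age(entry, limit):
            flagged.append(entry.user)
    return flagged


def remediation_commands(users: List[str], limit: int = 365) -> List[str]:
    """Build the `chage -M` invocations a Bash remediation would run."""
    return [f"chage -M {limit} {user}" for user in users]


# Constructed sample (not from any real host). Field 5 is PASS_MAX_DAYS.
SAMPLE_SHADOW = """\
root:$6$salt$hash:19500:0:99999:7:::
alice:$6$salt$hash:19500:0:90:7:::
bob::19500:0:99999:7:::
carol:$6$salt$hash:19500:0::7:::
svc:!!:19500:0:99999:7:::
nobody:*:19500::::::
"""

if __name__ == "__main__":
    # Expected: root (99999 days), bob (empty password, 99999 days),
    # carol (empty PASS_MAX_DAYS); svc and nobody are locked and skipped.
    for cmd in remediation_commands(audit_shadow(SAMPLE_SHADOW)):
        print(cmd)
```

Running the module prints one `chage -M 365 <user>` line per flagged account; `bob`, whose password field is empty, is included on purpose, and `carol` is caught because an empty PASS_MAX_DAYS field is treated as "never expires" rather than as "nothing to check".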
Changes in Remediations

  • Add Ubuntu SCE checks for iptables rules (#10587)
  • Ansible remediation for configure_bashrc_exec_tmux (#10584)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
  • Fix changes in Ansible tasks not expected to fail (#10427)
  • Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
  • Fix up RHEL kickstarts (#10499)
  • fix: aide_string: drop nl at end (#10578)
  • fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
  • fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • Replace grep command with ansible find (#10579)
  • SLE add ability to configure emergency via dropin (#10482)
  • SLE improve kernel module disabled rule (#10368)
  • SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
  • Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
  • templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)

Changes in Checks

  • audit_rules_privileged commands: skip /proc directory (#10471)
  • bugfix: mount_option: handle commented lines (#10518)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in sudo_require_reauthentication (#10216)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE improve kernel module disabled rule (#10368)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • Use specific name in private key groups instead of gid (#10622)

Changes in the Infrastructure

  • Add a product stability test (#10606)
  • Add CMakelint (#10468)
  • Add controls the EOF checker (#10477)
  • Automate and Fix Missing Newline at the End of Files (#10361)
  • Expand the list of rules skipped by Ansible Lint (#10485)
  • Fix data stream component parsing (#10411)
  • Implement a tool for parsing profiles and outputting rules (#10455)
  • Introduce a Product class, make the project work with it (#10529)
  • Publish rendered policy artifacts (#10585)
  • Refactor the scapval test (#10611)
  • Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
  • Remove unused imports (#10384)
  • Remove unused variables (#10382)
  • Shell quote support for Jinja macros (#10524)
  • Stabilization: Fix install_vm.py on older versions of Python (#10652)
  • Stop using deprecated set-output in GitHub Actions (#10588)
  • Update CI Repo for CTF (#10385)
  • Update GitHub Action Versions (#10543)

Changes in the Test Suite

  • Add a product stability test (#10606)
  • Add a warning to AutoMatus (#10394)
  • bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
  • bugfix: packages: delim is comma (#10559)
  • bugfix: ssg_test_suite: RuleResult eq (#10365)
  • Fix template not found error in Automatus (#10631)
  • Fix tests applicability for ol8 product (#10570)
  • Fix tests in sshd_lineinfile template (#10595)
  • Fix typo in tests for sshd_limit_user_acess (#10478)
  • install_vm refactor (#10607)
  • install-vm fixes / features (#10562)
  • Remove machine pruning from gating (#10453)
  • Revert change in test scenario script for enable_authselect rule (#10430)
  • Unused test code (#10558)
  • Use bash_package_* (#10557)
  • Use mkdir -p when creating directories (#10556)

Documentation

  • Add Kickstarts to the changelog (#10512)
  • add python3 to the list of build dependencies for RHEL-8+ (#10503)
  • Bump version for 0.1.68 (#10372)
  • Fix read the docs build (#10537)
  • fix: Fix misspelled word infrastruture (#10531)
  • Jinja macro doc fixes (#10599)
  • Reduce Doc Warnings (#10528)
  • Styleguide Update (#10466)
  • Update Add Product Guide (#10533)
  • Update release documentation about release_helper.py script (#10502)

Content 0.1.67

11 Apr 21:56
ee68832

Important Highlights

  • Add utils/controlrefcheck.py (#10096)
  • RHEL 9 STIG Update Q1 2023 (#10185)
  • Include warning for NetworkManager keyfiles in RHEL9 (#10330)
  • OL7 stig v2r10 update (#10125)
  • Bump version of OL8 STIG to V1R5 (#10123)

New Rules and Profiles

  • Add new rule package_systemd-journal-remote_installed (#10105)
  • New SLE 15 rule service_nftables_enabled (#10113)
  • Add CIS iptables rules (#10121)
  • New SLE 15 rule set_nftables_new_connections (#10114)
  • Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
  • Add a new rule ssh_keys_passphrase_protected (#10017)
  • Introduce new rule authconfig_config_files_symlinks (#10129)
  • Added rule partition_for_dev_shm (#9984)
  • New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
  • New SLE 15 rule set_nftables_table (#10128)
  • Add implementation for rsyslog_logging_configured rule (#10063)
  • New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
  • OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
  • Added a new rule accounts_password_set_warn_age_existing (#10006)
  • Add new rule socket_systemd-journal-remote_disabled (#10210)
  • Introduce rule to remove nginx package (#10291)
  • Introduce rule to remove cyrus-imapd package (#10292)
  • Add package_dnsmasq_removed rule (#10293)
  • Add package_ftp_removed rule (#10294)
  • Add new rule rsyslog_filecreatemode (#10264)
  • New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
  • Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)

Updated Rules and Profiles

  • accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
  • Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
  • Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
  • Add CIS iptables rules (#10121)
  • OL7 stig v2r10 update (#10125)
  • Bump version of OL8 STIG to V1R5 (#10123)
  • assign ntp_configure_restrictions to SLE12 (#10122)
  • Update tmux rules and add them to OL8 STIG profiles (#10124)
  • Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
  • Add missing SRG to aide_build_database rule (for master branch) (#10150)
  • remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update levels of some rules in RHEL8 CIS (#10157)
  • Change custom zones check in firewalld_sshd_port_enabled (#10162)
  • improve applicability of rule package_rear_installed (master branch) (#10156)
  • Accept required and requisite control flag for pam_pwhistory (#10175)
  • OCP4 Modify etcd encryption check rules for hypershift (#10179)
  • Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
  • Fix prefer_64bit_os for SLE platforms (#10178)
  • remove rule logind_session_timeout and associated variable from profiles (#10202)
  • Shorten rule title (#10196)
  • products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
  • Create OVAL macro to consistently identify Interactive Users (#10215)
  • Include avahi related rules in RHEL CIS control files (#10233)
  • Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
  • Update CIS RHEL requirements for log files permissions (#10241)
  • Include rule for checking password last change in RHEL (#10243)
  • Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
  • Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
  • Update password hashing algorithm CIS requirement (#10271)
  • Complete CIS requirements related to dot-files (#10279)
  • Fix package names for some SUSE packages (#10283)
  • Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
  • Corrections in the rule package_openldap-clients_removed (#10273)
  • Enable sshd_enable_warning_banner_net for RHEL (#10287)
  • Add package_nginx_removed to Ubuntu CIS profiles (#10301)
  • Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
  • accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
  • accounts_passwords_pam_tally2: depend on pam being installed (#10305)
  • package_pam_pwquality_installed: depend on pam being installed (#10306)
  • apparmor: apply only to platform machine (#10303)
  • sudo_require_reauthentication: depend on sudo being installed (#10318)
  • vlock_installed: apply only to platform machine (#10307)
  • Remove VMM SRG References (#10336)
  • Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
  • Add some nftables rules to Ubuntu CIS profile (#10300)
  • make accounts_password_last_change_is_in_past not applicable to containers (#10339)
  • Align rhel7 dracut-fips-aesni remediations (#10352)
  • Add package_cups_removed to Ubuntu CIS Level 2 Workstation profiles (#10360)
  • NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)

Changes in Remediations

  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update sebool_secure_mode_insmod OL remediations (#9979)
  • Enable rsyslog_filecreatemode rule for RHEL (#10328)
  • kernel_module_disable template - regexp matches multiple lines (#10351)
  • fix loops within ansible template for rsyslog_files (#10349)

Changes in Checks

  • Update tmux rules and add them to OL8 STIG profiles (#10124)
  • Remove check of /var/log/dmesg from OVAL (#10145)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Fix prefer_64bit_os for SLE platforms (#10178)
  • postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
  • Create OVAL macro to consistently identify Interactive Users (#10215)
  • Add offline capability to the 'mount_option' OVAL template (#10200)

Changes in the Infrastructure

  • Introduce script shorthand to OVAL (#10085)
  • Remove utils/count_oval_objects.py (#10133)
  • Update Rawhide Before Use (#10141)
  • Move to Code Climate for PEP 8 Checking (#10158)
  • Enable SCE integrity checks for RHEL8 (#10165)
  • Refactor ssg.build_ovals module (#10048)
  • Update srg diff (#10199)
  • Require OVAL ID to match rule ID (#10346)
  • Various python fixes (#10345)
  • Move platform_mount to use cpe-oval vs oval (#10441)

Changes in the Test Suite

  • Add utils/controlrefcheck.py (#10096)
  • Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
  • Update test scenarios for accounts_password_last_change_is_in_past (#10213)
  • add cap_system_chroot capability to Automatus podman container (#10246)
  • Fix Automatus on Python 3.6 (#10281)
  • Disable logrotate timer in ensure_logrotate_activated tests (#10375)

Documentation

  • Update Ansible section in project Style Guide (#10211)
  • Fix broken link to statistics page (#10217)
  • Introduce style guidelines for commit messages (#10220)
  • Remove VMM SRG References (#10336)
  • Add URL for ISM (#10337)
  • Convert User Docs (#10214)
  • Update Contributors for v0.1.67 (#10350)

Content 0.1.66

03 Feb 10:23
dac8184

Important Highlights

  • Ubuntu 22.04 CIS (#9953)
  • OL7 stig v2r9 update (#9976)
  • Bump OL8 STIG version to V1R4 (#9974)
  • Update RHEL7 STIG to V3R10 (#10079)
  • Update RHEL8 STIG to V1R9 (#10078)
  • Introduce CIS RHEL9 profiles (#10091)

New Rules and Profiles

  • Add nonessential services rule (#9912)
  • Added a new rule package_firewalld_removed (#9937)
  • Added a new SLE 12/15 rule package_rsync_removed (#9932)
  • Added a new rule package_cups_removed (#9930)
  • Added a new rule firewalld_service_disabled (#9941)
  • Added a new SLE 15 rule package_nftables_installed (#9934)
  • Add rule for no .forward files (#9990)
  • Add new rule grub2_enable_apparmor (#9978)
  • Added a new rule package_tcp_wrappers_removed (#9981)
  • Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
  • Add package prelink removed (#10062)
  • add new rule audit_rules_immutable_login_uids (#10070)
  • Added 2 rules for 15 related to nftables (#10068)
  • New SLE 15 rule ensure_iptables_are_flushed (#10107)
  • add new rule configure_bashrc_tmux (#10100)

Updated Rules and Profiles

  • Include warning regarding quota options in XFS (#9879)
  • Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
  • Sync rules for RHEL 9 STIG (#9788)
  • Changing a few hardcoded OS names for full_name (#9936)
  • Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
  • SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
  • Update sudo_require_reauthentication (#9923)
  • Update kmod audit rule for OL7 (#9949)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Add rule to OL7 stig profile (#10028)
  • Small corrections related to 3 rules (#9995)
  • Add new rule grub2_enable_apparmor (#9978)
  • Include Ubuntu products in package_rsync_removed (#10051)
  • Include Ubuntu products in package_nftables_installed (#10052)
  • Fix the service_telnet_disabled rule (#10033)
  • Update package name for RHEL in package_rsync_removed (#10053)
  • Include Ubuntu products in package_cups_removed (#10050)
  • Include Ubuntu products in package_rpcbind_removed (#10055)
  • Update link to NTP docs (#10056)
  • Include Ubuntu products in package_prelink_removed (#10071)
  • Add account_emergency_expire_date to OL7 stig (#10073)
  • Add aide_build_database to STIG in OL and RHEL (#10094)
  • Include Ubuntu products in two nftables rules (#10101)
  • Move two rules to higher level in cis_rhel8 control file (#10109)
  • add new rule configure_bashrc_tmux (#10100)
  • add missing SRG to aide_build_database rule (#10136)
  • change applicability of rules configuring idle session timeouts (#10127)
  • Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
  • improve applicability of rule package_rear_installed (#10144)
  • stabilization: Update levels of some rules in RHEL8 CIS (#10155)

Changes in Remediations

  • Fix indentation in Ansible shell module parameter (#9851)
  • Recognize 64bit architectures in Ansible remediations (#9887)
  • Make Ansible remediation less prone to fatal errors (#9914)
  • Add bash and ansible remediation for set_loopback_traffic (#9939)
  • Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
  • Update sudo_require_reauthentication (#9923)
  • Improve the arguments for Ansible command module (#9921)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Fix Jinja condition in macro for pam_faillock (#10009)
  • Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
  • aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
  • Update accounts_password template for OL due to precedence confs (#9935)
  • accounts_password_set_min_life_existing: Avoid system accounts (#9955)
  • Improve service_disabled template (#10026)
  • accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
  • Rewrite remediations for rsyslog_remote_tls (#9866)
  • Fix accounts_password template for OL (#10045)
  • Using the Ansible shell actions is needed in package_prelink_remove (#10086)

Changes in Checks

  • Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
  • Update sudo_require_reauthentication (#9923)
  • accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
  • Update accounts_password template for OL due to precedence confs (#9935)
  • accounts_password_set_min_life_existing: Avoid system accounts (#9955)
  • accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)

Changes in the Infrastructure

  • Refactor build_cpe.py (#9834)
  • Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
  • Refactor templates v2 (#9870)
  • Add automatic detection of platform_package_overrides when using automatus (#9897)
  • Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
  • Introduce templated platforms (CPEs) (#9906)
  • Sort conditional remediation platform checks (#9902)
  • Add sanity tests for controleval.py (#9918)
  • Add Refchecker to Tests (#9862)
  • Wait for buffer flushes to finish writes (#9933)
  • Fix the file param in rule_dir_json (#9928)
  • Fix typing import in create_srg_export.py (#9929)
  • Build all profiles on all CentOS and CentOS Streams (#9946)
  • CTest Fixes (#9962)
  • CPE AL: Introduce version specifiers support (#9945)
  • Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
  • Raise exception when parametrized platform receives invalid argument (#9996)
  • Fix --datastream-only in ./build_product (#10020)
  • Add sanity tests for compare_disa_xml.py (#10030)
  • Add Ubuntu 22.04 to Gating (#9986)
  • Fix a few issues in test-compare-disa-xml (#10034)
  • Update Ansible Lint Config (#10025)
  • platforms: rewrite mechanism which parses version into EVR (#10038)
  • Produce an understandable error when remediation collection goes wrong (#10027)
  • Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
  • Bump fedora version in Dockerfiles to 37 (#10036)
  • Fix the generation of SCE checks in the output datastream (#10015)
  • Scripts clean up (#10061)
  • Clean up SRG export (#10067)

Changes in the Test Suite

  • Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
  • Add automatic detection of platform_package_overrides when using automatus (#9897)
  • Add Refchecker to Tests (#9862)
  • Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
  • Improve service_disabled template (#10026)

Documentation

  • Add Timezone to the Contributors Script (#9844)
  • Add documentation about readthedocs.org integration (#9875)
  • Update Upstream Release doc (#9952)
  • Update contributors list for v0.1.66 release (#10108)

Content 0.1.65

02 Dec 20:15
02a143d

Important Highlights

  • Introduce cui profile for OL9 (#9638)
  • Remove Support for OVAL 5.10 (#9604)
  • Rename account_passwords_pam_faillock_audit (#9462)
  • CI ansible hardening and rename of existing Bash hardening (#9796)
  • Update contributors list for v0.1.65 release (#9843)

New Rules and Profiles

  • Add profile for SUSE SAP Public Cloud Images (#9571)
  • Introduce cui profile for OL9 (#9638)
  • Created SLES 12 PCI DSS 4.0 profile and added rules to it (#9729)
  • Add new rules related to system banners - /etc/issue.net (#9733)
  • add new rule logind_session_timeout (#9475)
  • Pci dss shadow rule (#9756)

Updated Rules and Profiles

  • Update chronyd_no_chronyc_network to align with RHEL9 STIG (#9505)
  • Update rules for RHEL 9 STIG (#9512)
  • Update chronyd_client_only to align with RHEL9 STIG (#9500)
  • Update rules for RHEL 9 STIG (#9527)
  • RHEL9 stig_gui: don't remove GUI (#9581)
  • Remove RPM verify rules from RHEL 9 STIG (#9591)
  • Rule updates wrt RHEL9 STIG (#9509)
  • Clarify instructions for implementing SCCs (#9569)
  • Added SLES_15/12 CCE codes related to rules in the group restict_at_c… (#9643)
  • Add pci-dss rules (#9627)
  • Two small corrections (#9644)
  • Added 6 SLES 15/12 CCE codes to the rules sshd_... (#9669)
  • Add PCI-DSS rules (#9645)
  • CIS RHEL8 gnome related requirements (#9670)
  • Add dconf_gnome_disable_user_list to the RHEL 9 STIG (#9677)
  • RHEL 9 STIG Fix Up (#9676)
  • Added CCE number for SLES_15 in the rule sshd_use_approved_ciphers (#9680)
  • Added 4 SLES 15/12 codes to the rules group_unique_id/name (#9682)
  • Add support for PCI DSS v3.2.1 for SLE12 (#9613)
  • service_ntp_enabled: Fix description as service name is ntp (#9707)
  • Fix issue introduced in commit 1ba11cb (#9692)
  • remove ospp-mls.profile (#9710)
  • Add pcidss Req-ids (#9705)
  • Ubuntu 20.04: fix grub2 password related rules (#9708)
  • Fix rsyslog_remote_tls Remediations (#9711)
  • Added 2 SLES 15/12 CCE codes to the rule disable_prelink (#9706)
  • Assign RHEL-07-010271 to account_emergency_expire_date. (#9717)
  • Ubuntu 20.04 CIS Level1 profile: add package_pam_pwquality_installed (#9721)
  • Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
  • install_smartcard_packages: Add Ubuntu specific remediation (#9720)
  • Ubuntu 20.04: Make sure xattr audit rules contain a check for root user (#9722)
  • Added rules to PCI DSS 4.0 SLES 15 profile (#9716)
  • Add pci-dss rules to SLE15 (#9728)
  • Refactor firewalld_sshd_port_enabled rule (#9712)
  • Added 4 rules to SLES 12/15 PCI DSS 4.0 profiles (#9735)
  • Update SLE 15 SAP hardening profile (#9742)
  • Update RHEL8 STIG to V1R8 (#9780)
  • Update RHEL7 STIG to V3R9 (#9781)
  • Align ClientAliveCountMax and ClientAliveInterval on RHEL8 STIG V1R8 (#9784)
  • Removed wrong rule from hipaa.profile (#9840)
  • Stabilization: Include warning regarding quota options in XFS (#9877)
  • Stabilization: Update the sshd_set_keepalive regarding ClientAliveCountMax (#9868)

Removed Products

  • Remove the VSEL Product (#9547)
  • Remove the fuse6 product (#9544)
  • Remove the Debian 9 Product (#9546)
  • Remove the JRE product (#9545)

Changes in Remediations

  • Move kernel_module_disabled to use more generic RHEL in conditionals (#9450)
  • Improve ansible remediation of accounts_umask_etc_login_defs (#9490)
  • Add bash and ansible remediation for rsyslog_remote_tls (#9484)
  • Fix rsyslog_remote_tls Remediations (#9711)
  • Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
  • install_smartcard_packages: Add Ubuntu specific remediation (#9720)
  • Fix config file and interpreter check control flow (#9695)
  • Refactor firewalld_sshd_port_enabled rule (#9712)
  • Dconf macros update to align them with OVAL expectation (#9751)
  • rsyslog_files_permissions: Consider the last field in the config line the log file path (#9750)
  • Fix nmcli bug (#9773)
  • Align service_disabled template to service_enabled (#9806)
  • Remove deprecated warn parameter from Ansible command module (#9807)
  • CI ansible hardening and rename of existing Bash hardening (#9796)
  • Stabilization: Make Ansible remediation less prone to fatal errors (#9911)

Changes in Checks

  • Move kernel_module_disabled to use more generic RHEL in conditionals (#9450)
  • Update accounts_password template's OVAL (#9459)
  • OCP4: Fix OCIL of machine_volume_encrypted (#9597)
  • Clarify instructions for implementing SCCs (#9569)
  • Remove jinja condition to make rule applicability to all products in Kerberos rules (#9412)
  • Ubuntu 20.04: fix grub2 password related rules (#9708)
  • Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
  • Refactor firewalld_sshd_port_enabled rule (#9712)
  • Dconf macros update to align them with OVAL expectation (#9751)

Changes in the Infrastructure

  • Remove superfluous check of rule ID consistency (#9539)
  • Add tests to auditd_lineinfile template (#9519)
  • Generate XCCDF 1.2 directly (#9464)
  • Add support for regulated fields (#9553)
  • SRG Import/Export Uses Policy Specific Content (#9570)
  • Add Git Mail Map (#9573)
  • Remove indent_size for .py files from editorconfig (#9603)
  • Make CodeClimate to use .editorconfig (#9630)
  • Remove function drop_oval_definitions (#9629)
  • Add mypy to CI (#9430)
  • Remove shorthand.xml from the build process (#9548)
  • Remove XCCDF 1.1 from enable_derivatives.py (#9654)
  • Remove XCCDF 1.1 from profile tool (#9655)
  • Remove unused import (#9656)
  • Remove XCCDF 1.1 from ssg/xccdf.py (#9657)
  • Remove Support for OVAL 5.10 (#9604)
  • Import SRG content for RHEL9 (#9574)
  • Don't use editorconfig to check for indentation (#9653)
  • Remove get_fixgroup_for_type (#9661)
  • Remove superfluous XML namespaces from HTML tables (#9662)
  • Update sysctl template's OVAL and tests to align with STIG (#9458)
  • Remove unused XSLT xccdf2table-profileanssirefs.xslt (#9659)
  • CMake Improvements (#9646)
  • Remove Travis CI (#9683)
  • Remove comparison utilities (#9688)
  • Create unit tests for ssg.id_translate (#9624)
  • Add unit tests of XCCDF 1.2 elements (#9617)
  • Add unit tests for warnings and sub elements (#9637)
  • Refactor and speed up combine_ovals.py (#9689)
  • Fix unit tests to work with CentOS 7 (#9727)
  • make CPE items compiled during the build process (#9700)
  • SRG Diff: Add section for rows without a CCE (#9763)
  • Make the utils/srg_diff.py more generic (#9767)
  • parametrize methods for getting remediation conditionals of XCCDF platforms (#9777)
  • build_remediations.py: deduplicate code which retrieves conditionals (#9779)
  • Add sorted results to srg_diff (#9778)
  • Add Smoke Tests for Some Scripts (#9787)
  • Platforms can accept parameters and pass them to underlying CPE items (#9799)
  • Do not remove blank lines when building profile playbook (#9809)
  • SRG Export XLSX in CMake (#9811)
  • Add config for Ansible lint (#9838)

Changes in the Test Suite

  • [Master] add accounts_password_set_max_life_existing to unselect_rules_list (#9554)
  • Fix issue introduced in commit 1ba11cb (#9692)
  • Add tests to rule dconf_gnome_screensaver_idle_activation_enabled (#9701)
  • Refactor firewalld_sshd_port_enabled rule (#9712)
  • Complete tests to validate Ol9 pci dss profile (#9739)
  • Add tests to accounts_password template (#9743)
  • Do not instantiate Builder() when running Automatus (#9755)
  • Fix Automatus --duplicate-templates (#9766)
  • accounts_password_pam_retry: Add test for dupes and conflicts (#9805)
  • accounts_passwords: Add tests for value conflicts and duplicates (#9804)
  • sshd_lineinfile: Add tests for duplicated params (#9802)
  • CI ansible hardening and rename of existing Bash hardening (#9796)
  • Stabilization: Ensure pwquality.conf.d dir exists on test scenarios (#9864)

Documentation

  • Doc fix up (#9596)
  • Add PR gating guideline (#9611)
  • Move to MyST as recommonmark and CommonMark are not supported (#9560)
  • Fix docs refs (#9704)
  • Include SLE products into the CCE tooling for auto assignment (#9714)
  • Docs/developer: Mention that rules will inherit its group(s) platforms (#9635)
  • Reformulate the release process documentation (#9736)
  • Update gitignore (#9810)
  • Document rule deprecation instructions and agreements (#9797)
  • Update contributors list for v0.1.65 release (#9843)
  • Add Sanity Test for generate_contributors.py (#9845)

Content 0.1.64

30 Sep 16:38
14bd2e7

Important Highlights

New Rules and Profiles

  • Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
  • add rule package_postfix_installed (#9191)
  • add audit policy rules specific for ppc64le platform (#9124)
  • Introduce ol9 stig profile (#9207)
  • Introduce Ol9 anssi profiles (#9243)
  • Introduce rule accounts_passwords_pam_faillock_audit (#9264)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Introduced rules to disable accounts because of inactivity (#9244)
  • Introduce e8 profile for OL9 (#9284)
  • New sysctl ipv4 forwarding rule (#9277)
  • Introduce hipaa profile for ol9 (#9478)

Updated Rules and Profiles

  • Remove 3 crypto rules from RHEL 9 OSPP (#9181)
  • Remove 3 package rules from RHEL 9 OSPP (#9182)
  • Introduce new sebool description and ocil macros (#9184)
  • Add to SLE ANSSI profile various sysctl rules (#9185)
  • Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
  • Add more ANSSI Intermediary Rules (#9203)
  • Add more sysctl rules to intermediary profile (#9202)
  • The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
  • Remove 4 PAM related rules from RHEL9 OSPP (#9217)
  • switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
  • remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
  • add audit policy rules specific for ppc64le platform (#9124)
  • remove umask-related rules from RHEL9 OSPP (#9223)
  • Make audit AArch64 specific rules RHEL9 only (#9188)
  • Remove rules for package removal from RHEL 9 OSPP (#9233)
  • remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
  • Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
  • remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
  • Don't pass sssd rules when sssd.conf is absent (#9225)
  • Update accounts_password_pam_retry behavior (#8880)
  • System commands dir root or system account (#9258)
  • SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
  • Update RHEL8 STIG to V1R7 (#9276)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Update few sysctl rules to accept multiple compliant values (#9286)
  • Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
  • Make OSPP profiles use minimal Authselect profile (#9298)
  • add warning to audit_rules_for_ospp (#9303)
  • add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
  • Update RHEL7 STIG to V3R8 (#9317)
  • change rules protecting boot in RHEL8 OSPP (#9306)
  • Add the AUID filters on RHEL7 audit kernel module rules (#9290)
  • add 4 rules back to RHEL9 datastream (#9334)
  • Implement DISA check for auditing kmod on RHEL7 (#9338)
  • Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
  • Include warning about the pam_securetty.so PAM module (#9348)
  • Add AUID filters on audit_rules_kernel_module_loading (#9371)
  • Mask sensitive objects (#9364)
  • Update RHEL9 STIG (#9378)
  • add/remove fedora from privileged commands depending if exists or not (#9367)
  • change way of disabling coredumps in RHEL9 OSPP (#9384)
  • Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
  • Bump version of OL8 to V1R3 and update STIG ids (#9457)
  • Add missing SRG references for RHEL 9 STIG (#9428)
  • Remove support for upstart init system (#9452)
  • Updates RHEL 9 STIG: Part 3 (#9489)
  • Add ol8 platform to existing required tests (#9485)
  • Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
  • Update account_password_selinux_faillock_dir rule (#9501)
  • Remove audit_rules_execution_restorecon from SRG control files. (#9503)
  • Add tests to file_ownership_binary_dirs (#9515)
  • Update ocil and ocil_clause in display_login_attempts (#9522)
  • Update some account rules according to RHEL9 STIG (#9499)
  • Include checktest for banner_etc_issue rule (#9521)
  • Update pam_faillock rules for RHEL9 STIG (#9520)
  • Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
  • Update clean_components_post_updating to align with RHEL9 STIG (#9510)
  • Update accounts_umask_etc_profile (#9496)
  • Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
  • Update audit rules RHEL9 STIG metadata (#9513)
  • Add tests to no_user_host_based_files (#9529)
  • Add tests to dir_perms_world_writable_system_owned (#9517)
  • Add tests to no_host_based_files (#9532)
  • Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
  • Add tests to clean_components_post_updating (#9530)
  • Update macros from audit privileged commands (#9502)
  • Update some PAM rules for RHEL9 STIG (#9514)
  • Add variable for auditd freq (#9504)
  • Align rule audit_rules_immutable with results of RHEL9 STIG assessment (#9506)
  • [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)

Changes in Remediations

  • Allow two modes of SSH key ownership (#9094)
  • Add oval and remediation for auditd_audispd_disk_full_action (#9195)
  • include = sign in remediation of configure_openssl_crypto_policy (#9194)
  • Condition run of newaliases to its availability (#9241)
  • Update accounts_password_pam_retry behavior (#8880)
  • Add DISA STIG ids to when conditions in ansible roles (#9029)
  • Improve bash_ensure_pam_module_line macro (#9252)
  • Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
  • Fix rule sudo_custom_logfile (#9299)
  • Fix ansible partition conditionals (#9339)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Add Kubernetes remediation for rule configure_crypto_policy (#9266)
  • Fix 2 ctest shellcheck issues (#9398)
  • Fix kernel_module_disabled remediation template (#9346)
  • Conditional for Ansible remediation on RHEL7 (#9440)
  • change parameter of findmnt used in bash partition conditional (#9480)
  • Fix remediation of rules dealing with Audit watches (#9463)

Changes in Checks

  • Update accounts_password_pam_retry behavior (#8880)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Fix rule sudo_custom_logfile (#9299)
  • Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
  • Mask sensitive objects (#9364)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
  • Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
  • Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
  • [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)

Changes in the Infrastructure

  • Fix various bugs in utils (#9172)
  • Remove CentOS 6 and SL 6 references from the project (#9211)
  • Fix pre tag in ocil_mount_option (#9209)
  • Remove unused build option (#9213)
  • Update gitpod HTML preview extension. (#9261)
  • Install ansible for the extra modules (#9273)
  • Use DS to build Ansible Playbooks and Bash scripts (#9291)
  • Stop validating ssg-product-xccdf.xml (#9292)
  • Use data stream to verify profile titles and descriptions (#9294)
  • Use data stream to verify references (#9293)
  • Generate CCE tables from data stream (#9300)
  • Fix CMake dependencies (#9328)
  • Use XCCDF 1.2 to create STIG overlay (#9301)
  • Specify output file names (#9361)
  • Test missing references in a data stream (#9295)
  • Add trim_trailing_whitespace to editorconfig (#9391)
  • Sort check-export elements (#9397)
  • Use data stream to generate statistics (#9296)
  • Generate per profile testinfo tables from XCCDF 1.2 (#9325)
  • Fix missing OCIL text and 800-53 references (#9415)
  • Use XCCDF 1.2 to generate STIG HTML tables (#9406)
  • Add a script to import SRG export changes (#9416)
  • Make groups inherit platforms from parent groups (#9465)
  • Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
  • correct inheritance of platforms by rules from groups (#9491)
  • Improve HTML for Table Templates (#9481)
  • SRG Export: Improve vuldiscussion sourcing (#9493)
  • Remove empty load operation (#9492)
  • Add tests to rule no_tmux_in_shells (#9518)
  • Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
  • Avoid sed hack (#9363)

Changes in the Test Suite

  • Automatus: close hanging tempfiles descriptors (#9199)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Support commas in variables (#9280)
  • Refactor templated test scenarios (#9254)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Replace platform conditionals in whole remediation code (#9347)
  • install_vm.py: add new option for disk size specification (#9479)
  • correct inheritance of platforms by rules from groups (#9491)
  • Add tests to audit privileged commands template (#9487)

Documentation

  • Enable Security Content workshop into Gitpod environment (#9438)
  • Add ordering to the platform key (#9488)

Content 0.1.63

29 Jul 19:45
dd0b62b

Important Highlights

  • Expand project guidelines (#8314)
  • Add Draft OCP4 STIG profile (#8799)
  • Add anssi_bp28_intermediary profile (#9045)
  • add products/uos20 to support UnionTech OS Server 20 (#8779)
  • products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
  • Remove WRLinux Products (#9106)
  • Update CIS RHEL8 Benchmark for v2.0.0 (#9154)

New Rules and Profiles

  • Fill gaps in the RHEL8/RHEL9 STIG (#9016)
  • Add anssi_bp28_intermediary profile (#9045)
  • Introduce OL9 ospp profile (#9057)
  • products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
  • add Audit OSPP rules for AArch64 (#9091)
  • Add grub2_systemd_debug-shell_argument_absent (#9100)
  • CIS RHEL8 v2.0.0 small fixes (#9165)

Updated Rules and Profiles

  • Make krb5 rules applicable only to older versions of certain package (#9003)
  • RHEL8 STIG: Install redhat gpg key (#8993)
  • Add anssi gshadow rules (#9022)
  • Fill gaps in the RHEL8/RHEL9 STIG (#9016)
  • remove support for external Audit files and cleanup test scenarios (#9073)
  • Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
  • Remove rule zip_vsyscall_argument (#9083)
  • Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
  • Make rule audit_access_success in OSPP profile unenforcing (#9082)
  • Cleanup RHEL9 OSPP networking sysctl rules (#9092)
  • Add two rules and some more CCEIDs (#9107)
  • add Audit OSPP rules for AArch64 (#9091)
  • remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
  • remove Rsyslog related rules from RHEL9 OSPP (#9116)
  • Anssi Rules Added (#9105)
  • remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
  • Update SLE15 DISA STIG from v1r6 (#9146)
  • Remove yp-related rules from RHEL9 (#9148)
  • Add Enable Auth Select to RHEL8/9 STIG (#9151)
  • BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
  • Relax chrony check and remediations (#9156)
  • make RHEL-08-020231 automated again (#9125)
  • Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • Amend OSPP references for some package_*_installed rules. (#9164)
  • Add automation content to kernel_module_uvcvideo_disabled (#9162)
  • Add missing rules to OL8 STIG profile (#9171)
  • Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
  • [Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
  • Make Audit aarch64 rules specific to RHEL9 only (#9187)
  • [stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
  • Remove 3 package rules from RHEL 9 OSPP (#9228)
  • Remove 3 crypto rules from RHEL 9 OSPP (#9227)
  • [Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
  • add new rule package_postfix_installed (stabilization) (#9214)
  • [Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
  • [stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
  • [Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
  • Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)

Removed Products

  • Remove WRLinux Products (#9106)

Changes in Remediations

  • Add whitespace in macro function so CTF can properly parse tokens (#9030)
  • EKS: Fix typo (#9037)
  • Fix regular expression in Ansible remediation (#9063)
  • Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
  • Ansible remediation for enable_authselect (#9085)
  • Refactor bash macros for PAM (#9017)
  • Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
  • Fix ubuntu logic in display_login_attempts (#9110)
  • Refactor Ansible macros for PAM (#9097)
  • Add Ansible remediation (#9114)
  • Create Ansible macro for authselect backup command (#9128)
  • Align PAM Bash macros to equivalent in Ansible (#9127)
  • SLE15 SP4 audit_rules_augenrules broken. (#9130)
  • fix bash remediation of configure_libreswan_crypto_policy (#9134)
  • add Ansible conditionals to CPE platforms determining architecture (#9126)
  • Set pipefail in Ansible shell commands with pipe (#9123)
  • Update faillock related macros (#9139)
  • Command 'chown', change from '.' to ':' separator (#9159)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
  • add new rule package_postfix_installed (stabilization) (#9214)
  • [Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)

Changes in Checks

  • Add missing ocil_clause for audit rules (#9109)
  • SLE15 SP4 audit_rules_augenrules broken. (#9130)
  • Reduce the list of FIPS crypto policies (#9149)
  • Review and improve sssd_enable_smartcards rule (#9145)
  • Store intermediate OVAL check files (#9157)

Changes in the Infrastructure

  • Parametrize the file name of the container used by gitpod integration (#9043)
  • Add python vscode extension to the gitpod environment (#9074)
  • Add a markdown output target to create_srg_export (#9064)
  • Update docker files (#9153)
  • Remove the vendor-zipfile and redhat-zipfile targets (#9152)
  • Add per profile filter of missing_cce test (#9155)
  • Store intermediate OVAL check files (#9157)
  • [Stabilization] Install ansible for the extra modules (#9274)

Changes in the Test Suite

  • test_env.py: add more attempts when executing ssh command (#9015)
  • Rework tarball generation (#8883)
  • Add OL9 Dockerfile (#9099)
  • Update CIS L2 test for configure_crypto_policy (#9163)
  • Automatus: close hanging tempfiles descriptors (#9200)

Documentation

  • An EditorConfig file (#9020)
  • Add removed products to the changelog (#9108)
  • Guidelines: Add the entry about one-off scripts (#9089)
  • Fix typos in man page and profile descriptions (#9160)
  • Fix man-page header for lexgrog (#9158)

Content 0.1.62

27 May 15:04
30b8273

Important Highlights

  • Update rhel8 stig to v1r6 (#8670)
  • OL7 STIG v2r7 update (#8689)
  • Initial definition of ANSSI BP28 minimal profile for SLE (#8540)

New Rules and Profiles

  • New rules for network sysctls (#8371)
  • Grub2 bootloader CPU mitigations (#8325)
  • Add new template to check kernel build configurations (#8435)
  • Kernel memory configs (#8477)
  • Add rules for kernel memory allocators settings (#8488)
  • Add rules for kernel data structure configs (#8483)
  • Add rules for various kernel behaviors (#8502)
  • Add rules to check kernel IP stack configs (#8501)
  • Add rules for kernel compiler features (#8499)
  • Add rules for kernel security options (#8498)
  • Add rules for kernel module security (#8492)
  • Add rules for ARM64 kernel (#8506)
  • Add rules for 64b kernel (#8504)
  • Add rules to configure Kernel panic behavior (#8503)

Updated Rules and Profiles

  • gid_passwd_group_same oval does not allow ! in passwd field (#8296)
  • Update SRG-OS-000028-GPOS-00009 for RHEL9 STIG (#8321)
  • Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
  • Fix missing "to" in account restriction warnings (#8399)
  • SLE15 add sysctl_kernel_exec_shield to HIPAA profile (#7891)
  • Update SRG-OS-000480-GPOS-00229 for RHEL9 STIG (#8405)
  • Update SRG-OS-000480-GPOS-00232 for RHEL9 STIG (#8403)
  • Add sudoers_default_includedir rule support to SLE12 and SLE15 platforms (#8406)
  • SUSE Group init_module and finit_module audit rules. (#8407)
  • Update SRG-OS-000031-GPOS-00012 for RHEL9 STIG (#8414)
  • Update SRG-OS-000445-GPOS-00199 for RHEL9 STIG (#8415)
  • Update SRG-OS-000370-GPOS-00155 for RHEL9 STIG (#8422)
  • Update SRG-OS-000437-GPOS-00194 for RHEL9 STIG (#8416)
  • Update SRG-OS-000445-GPOS-00199 (#8439)
  • Add a rule to STIG profile in OL8 and RHEL8 (#8447)
  • SRG-OS-000349-GPOS-00137 for RHEL 9 STIG (#8471)
  • Add auid criteria to rules related to syscall audit rules (#8327)
  • remove redundant rule from HIPAA profiles (#8509)
  • Update SRG-OS-000120-GPOS-00061 for RHEL 9 STIG (#8514)
  • align RHEL8 OSPP with certification requirements (#8508)
  • Fix broken Oracle Linux doc links. (#8538)
  • For sle systems the etc shadow is group shadow (#8554)
  • Enable for ansible and bash remediation for SLE15 and SLE12. (#8545)
  • consistent perm_x product filtering (#8607)
  • Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG (#8505)
  • strip trailing blank lines for some templated audit rules (#8805)
  • Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
  • Add auid criteria to rules related to syscall audit rules (#8327)

Changes in Remediations

  • Use UID field for bash remediation of homedirs (#8398)
  • SUSE disable_users_coredumps enable bash remediation for sle. (#8558)
  • consistent perm_x product filtering (#8607)
  • Remediation and improvement for file_permissions_home_dirs rule (#7963)
  • fix ansible remediation of enable_dracut_fips_module (#8823)

Changes in the Infrastructure

  • Add tag HTML element to STIG mapping tables (#8367)
  • Remove reference to a nonexistent file (#8370)
  • Unify a custom_command (#8357)
  • Like the docs requirements, GitPod should also use https vs the legacy git protocol (#8440)
  • Update utils/create_srg_export.py (#8437)
  • Build data stream without OpenSCAP (#8364)
  • Improve the list of HTML guides (#8460)
  • Remove update_sds_version.py (#8369)
  • Add new GH job to generate XLSX table and HTML page with SRG mapping (#8326)
  • Fix index page generation for guides artifacts. (#8533)
  • Organize fix text macros (#8529)
  • Load any *.jinja file and organize macros (#8576)
  • Add cce to srg export (#8571)
  • Full Support Variables in SRG Export (#8635)
  • utils/compare_results.py to work with --stig-viewer results and print rule identifiers (#8634)
  • Fix variable substitution in SRG export (#8683)
  • Add custom requirement (#8705)
  • GH actions nightly builds (#8137)

Changes in the Test Suite

  • Test template filtering (#8052)
  • Fix same shadow field bug in tests (#8458)
  • Add Centos Stream 8/9 support in install_vm script (#8481)
  • Add templated tests for dconf_ini_file (#8740)
  • Cleanup tests package installed or removed (#8752)
  • Cleanup duplicate scenarios for sshd_lineinfile template (#8742)
  • Include snapshot cleanup functions for SSGTS (#8729)
  • test scenario adjustments for file_permissions template (#8750)
  • Cleanup custom kernel_module_disabled scenarios (#8753)
  • Add templated test scenarios for shell_lineinfile template (#8754)
  • Remove similar test scenarios on rules templated by file_groupownership (#8755)
  • SSGTS: Update to handle CentOS CPEs and fix prefix name of snapshots wrt podman limitation (#8767)
  • Add template mode to SSGTS (#8730)
  • Remove redundant custom test scenarios for service enabled/disabled rules (#8760)

Documentation

  • Fix docs build (#8402)
  • Document GHA release process (#8096)
  • Add documentation for Pandas dependency (#8544)
  • Point the docs to new jinja macro files (#8577)
  • Remove Link Checker from README (#8745)

Content 0.1.61

01 Apr 17:27
4ba3353

Important Highlights

  • Stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Introduce OL9 product (#8102)
  • Implement handling of logical expressions in platform definitions (#8043)

New Rules and Profiles

  • Introduce OL9 product (#8102)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Introduce stig_gui profile for OL8 (#8200)
  • New rules related to pam_pwquality (#8185)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Add GRUB2 rule for slab_nomerge and mce (#8282)
  • Include rule mount_option_proc_hidepid (#8288)
  • New sysctl fs parameters (#8304)
  • Parametrize configuration of kernel.kptr_restrict and add rule for kernel.panic_on_oops (#8285)

Updated Rules and Profiles

  • Ol7 stig v2r5 (#7913)
  • HIPAA Rules in test (#7916)
  • Ubuntu specific bash and oval for dconf_gnome_login_banner_text (#7908)
  • The audit package and auditd service are needed for FAU_GEN.1 SFR. (#8069)
  • Clarify that log_format and name_format affects specifically information included in the audit records, not events for which audit records get generated. (#8071)
  • Ensuring immutable UIDs is related to the subject identity required by FAU_GEN.1.2, it does not affect for which events audit records will be generated. (#8072)
  • These auditd configurations affect the whole SFR, not just its specific parts. (#8070)
  • RHEL9 OSPP: drop some rules disabling kernel module loading (#8093)
  • The write_logs is related to where audit records end up stored, not what records get generated. (#8114)
  • Amend OSPP references for rsyslog omfwd/gtls configuration. (#8113)
  • On OSPP installation, the primary reason for having rsyslog installed… (#8111)
  • Configuring the CA certificate targets the TLS "internal" requirements, so FTP_ITC_EXT.1.1 is not needed. (#8112)
  • Ensure all processes are auditable and rules loaded for FAU_GEN.1 are applied. (#8098)
  • Update OL8 stig profile rule selection (#8124)
  • Requirement of not losing data at least to a limit comes from FAU_STG family. (#8133)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Simple stig v2r6 updates for OL7 (#8162)
  • Create OVAL check for selinux_context_elevation_for_sudo [OL7] (#8160)
  • Update rule to only remove the graphical interface (#8170)
  • drop not needed auditd.conf rules from rhel9 ospp (#8188)
  • New rules related to pam_pwquality (#8185)
  • Update configure_bashrc_exec_tmux to consider .d directory (#8146)
  • align ospp audit rules with the latest upstream release (#8152)
  • Align description of grub2 rules with checks and remediations (#8184)
  • Update RHEL7 STIG items to V3R6 (#8225)
  • update description of rhel9 ospp profile (#8232)
  • Add sudoers_default_includedir to ol7 STIG (#8229)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Fix bug 1195521 (#8215)
  • Fix for bug 1195523 (#8242)
  • Extend package_pam_pwquality_installed rule for RHEL (#8186)
  • make rule enable_fips_mode check only for technical state (#8255)
  • UEFI booting requires FAT support. (#8269)
  • Removed criteria in OVAL check of require_singleuser_auth (#8121)
  • no iptables.service in sle15 (#8292)
  • fix aide_build_database rule and remediation to work with sles 12 and 15 (#8287)
  • SLE 12 and 15 merge auditd file modification rules STIG IDs (#8295)
  • OL8 STIG severity adjustments (#8103)
  • Oval update for two rules to only allow results from one file [ol7] (#8161)
  • Performance improvements for file permission and ownership templates (#8456)

Changes in Remediations

  • HIPAA Rules in test (#7916)
  • Fix handling of literal dollars in macros (#8252)
  • Various bash fixes (#8253)
  • Simplify generated augen bash expressions (#8254)
  • Fix the firewalld remediation (#8251)
  • Fix bash remediations of browsers (#8258)
  • Introduce convenience macros for find and awk (#8257)
  • Introduce a shellcheck test (#8032)
  • Refactor pam_faillock remediation (#8347)

Changes in the Infrastructure

  • Add condition to SCAPVal script that will trigger when SCAP standard is updated (#8062)
  • stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Implement handling of logical expressions in platform definitions (#8043)
  • Add backends attribute to template in rules schema (#8090)
  • Add gitpod support (#8123)
  • Added utils/compare_disa_xml.py (#8120)
  • Gitpod: Build OpenSCAP 1.3.6 so it can build OCP4 and EKS content (#8206)
  • Fix issue with getting STIG items in create_scap_delta_tailoring.py (#8245)
  • Store OVAL of compiled platforms as string (#8238)
  • Add a script to audit the SRG export CSV (#8077)
  • Add version to delta tailoring file name (#8247)
  • Various improvements to SRG Export Script (#8091)

Changes in the Test Suite

  • align ospp audit rules with the latest upstream release (#8152)
  • Remove grub2_pti_argument tests (#8310)
  • Delete test scenario that removes SSH keys from machine (#8309)
  • Remove RHEL7 platform from invalid_rescue.pass.sh (#8311)

Documentation

  • Document boolean expressions in "platform" definitions (#8094)
  • Add github workflow to publish statistics, guides and tables (#8136)
  • Add missing rsync dependency to gh-pages workflow (#8151)
  • Fix badges and remove Centos legacy CI integration (#8244)

Content 0.1.60

27 Jan 13:16
a84b054

Important Highlights

  • OL8 draft stig profile v1r1 (#7932)
  • Add Amazon EKS platform and initial profiles for the CIS benchmark (#7579)
  • Add CentOS Stream 9 derivative product from RHEL9 (#7878)

New Rules and Profiles

  • Rename/remove rule for package abrt-addon-python (#7899)
  • OL8 draft stig profile v1r1 (#7932)
  • Add stig_gui profile for ol7 (#7939)

Updated Rules and Profiles

  • update description of grub2_uefi_password (#7859)
  • remove ABRT related rules from RHEL9 (#7906)
  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • add hint about audit backlog configuration (#7909)
  • Update chronyd_or_ntpd_set_maxpoll to add maxpoll option to chrony pool directives (#7910)
  • Clarify behaviour of SSHD rules (#7919)
  • OL8 stig prodtype and platform (#7933)
  • fix enable_fips_mode remediations (#7936)
  • Removed OSPP MLS from RHEL9 (#8037)
  • mark rhel9 ospp and cui as draft (#8042)
  • fix problems with trailing blank lines in audit rules (#8047)
  • fix wrong Jinja macro for audit_rules_execution_restorecon (#8073)
  • Make rule network_nmcli_permissions applicable only when polkit is installed (#8110)
  • remove configure_gnutls_tls_crypto_policy from rhel9 (#8116)

Changes in Remediations

  • Use authselect to edit pam files if it is present (#8026)
  • Use authselect and custom profile for pam_pwhistory (#8030)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)
  • Use correct config file in ensure_gpgcheck_local_packages (#8105)
  • sshd_lineinfile ansible macro dir support and directory check fix (#8109)

Changes in Checks

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)

Changes in the Infrastructure

  • Add the ability to load controls from folder (#7876)
  • Add utils/compare_results.py (#7894)
  • Introduce handling of versioned Boolean algebra expressions (#7873)
  • Add a split option to utils/build_stig_control.py (#7904)
  • Upgrade to F34 in Gating (#7826)
  • Control to csv (#7775)
  • Fix issues with dividing a str by str in utils/render-policy.py (#7960)
  • Improve create_srg_export.py (#7959)
  • Add rationale to controls (#7975)
  • Clarify controleval.py help text (#8034)
  • Add better error messages to utils/controleval.py and add does not meet to stats output (#8038)
  • Improvements to controls and STIG export (#8039)
  • Generate release artifacts' checksums (#8087)

Changes in the Test Suite

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • fix problems with trailing blank lines in audit rules (#8047)
  • override two more tests for grub2_kernel_trust_cpu_rng (#8067)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)

Documentation

  • add hint about audit backlog configuration (#7909)
  • Add docs for create srg export (#7976)

Content 0.1.59

26 Nov 22:58

Important Highlights

  • Add support for Debian 11 (#7715)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Ground work for implementation of CPE applicability language (#7613)
  • Add HIPAA profile to SLE15 platform (#7776)
  • Add Delta Tailoring Files to the Build System (#7851)

New Rules and Profiles

  • Add rule only_allow_dod_certs (#7658)
  • Add new rule "service_ypserv_disabled" (#7679)
  • Add rule "Ensure All Groups on the System Have Unique Group Name" (#7676)
  • Add SSH LoginGraceTime rule (#7678)
  • Add rule accounts_root_gid_zero (#7685)
  • Add new rules for CIS Journald Config (#7682)
  • Add rule service_slapd_disabled (#7694)
  • Add rule group_unique_id (#7683)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Add HIPAA profile to SLE15 platform (#7776)

Updated Rules and Profiles

  • locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml: sles15 fix (#7389)
  • remove rule disable_prelink from rhel7 cis (#7621)
  • Make package_mcafeetp_installed work on Ubuntu (#7656)
  • Add rule to stig.profiles (#7664)
  • SLE bash remediation accounts_passwords_pam_faildelay_delay (#7661)
  • Add rule for RHEL8 CIS 5.2.16 (#7677)
  • remove old rule from rhel7 stig (#7710)
  • More flexibility for login banners (#7690)
  • Align rsyslog_remote_loghost to benchmarks (#7692)
  • Rework bash remediation for accounts_password_pam_unix_remember (#7660)
  • Return rule package_rsyslog-gnutls_installed to RHEL7 (#7731)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add var_sshd_set_keepalive to Ubuntu 20.04 STIG profile (#7771)
  • SLE15 Add rsh and talk server remove rules to HIPAA profile (#7813)
  • Change sshd_set_idle_timeout to require sshd_set_keepalive_0 (#7751)
  • SLE15 add service related rules to HIPAA profile (#7852)

Changes in Remediations

  • Add remaining Blueprint templates (#7609)
  • Make sure files have newline during bash lineinfile remediation (#7787)
  • accounts_no_uid_except_zero: Don't run passwd if awk returns nothing (#7779)
  • Make FIPS mode check idempotent (#7318)

Changes in the Infrastructure

  • Automated STIG Control File Creation (#7324)
  • Added Build, Test on OpenSUSE Leap 15 on pull requests (#7666)
  • Handle references with commas in utils/build_stig_control.py (#7697)
  • Add utils/create_scap_delta_tailoring.py (#7717)
  • Multi-file templates: file_permissions/file_groupowner/file_owner (#7405)
  • Ground work for implementation of CPE applicability language (#7613)
  • Fix utils/fix_rules.py exit codes (#7821)
  • Add Delta Tailoring Files to the Build System (#7851)
  • Add CentOS 7 build to CI (#7879)

Changes in the Test Suite

  • Test scenarios updates for gpgcheck rules (#7638)
  • service_enabled test scenarios templates (#7632)
  • Create test scenarios for rule gid_passwd_group_same (#7637)
  • ntp/chrony remove server remediations and test scenarios (#7631)
  • Add a fail test for accounts_password_all_shadowed (#7642)
  • Add test scenarios specific for CIS (#7634)
  • Implementing test ssh_set_max_sessions for rhel7 profiles (#7641)
  • Created pass/fail scripts for rule sshd_use_approved_macs (#7650)
  • Update SSGTS so it can use mount in containers (#7680)
  • Added ability to slice SSGTS rule checking runs (#7667)
  • Update tests for package_crypto-policies_installed (#7858)

Documentation

  • Add Styleguide (#7515)
  • improve documentation (#7063)
  • Add sphinx missing dependency in the developer guide (#7645)
  • Update CONTRIBUTING.md (#7722)
  • Add type hints to style guide (#7773)
  • Fix directories count in docs/manual/developer/03_creating_content.md (#7805)
  • Improve jinja docs (#7785)
  • Introduced graphs in the documentation (#7825)
  • Add rule schema (#7796)