Content 0.1.58

Important Highlights

• Add SCE Support to build system (#7075)
• Split RHEL 8 CIS profile using new controls file format (#6976)
• Introduce automated CCE adder (#7249)
• CIS Profiles for SLE12 (#7434)
• Add initial Ubuntu 20.04 STIG Profile (#7220)

New Rules and Profiles

• Add initial Ubuntu 20.04 STIG Profile (#7220)
• Add rules for RHEL-08-030610 (#7256)
• Add Ubuntu to cron.allow, at.allow rules for CIS (#7223)
• New rules for RHEL-08-010290 (#7151)
• New rules for RHEL-08-010291 (#7169)
• Add /var/log/audit individual ownership rules (#7129)
• New rule for RHEL-08-020270 (#7276)
• Add rule new for RHEL-08-030700 (#7264)
• Added new rule for RHEL-08-030710 (#7268)
• Add rule for RHEL-08-020300 (#7289)
• Add rule for RHEL-08-020090 (#7313)
• Introduce support for the distributed SSHd configuration (#6926)
• UBTU-20-010057: Add missing rules (#7363)
• Add new rule for RHEL-08-030720 (#7288)
• Add a new rules RHEL-08-010001 and RHEL-07-020019 (#7344)
• Add new rule for RHEL-07-030330 and RHEL-08-030730 (#7323)
• Added rule for RHEL-08-010400 (#7411)
• Sysctl disable ipv6 (#7460)
• CIS Profiles for SLE12 (#7434)

Updated Rules and Profiles

• fix problems with variables in rhel7 cis (#7237)
• Sort references, identifiers in rule.yml (#6882)
• Correct some issues with the CIS ICMP redirects rule on RHEL 7/8 (#7259)
• remove broken links to support.ntp.org (#7262)
• Mark as machine rules that collect password_object (#7263)
• OCP4: fips_mode_enabled rule relates to IA-7 (#7267)
• Enable dconf rules for RHEL9 (#7011)
• Enable generic rules for RHEL9 (#7147)
• Introduce support for the distributed SSHd configuration (#6926)
• Add service_pcscd_enabled to SLE15 PCI-DSS profile (#7322)
• update version of rhel7 stig_gui profile (#7340)
• Update References for RHEL8 STIG V1R3 (#7299)
• Suse sle15 fix reference sles 15 030350 assignment (#7346)
• Add to sle15 PCI-DSS profile rules for account uniqueness and grub config ownership (#7345)
• Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286 (#7354)
• Add SRGs for accounts_password_pam_dictcheck and sssd_enable_certmap (#7362)
• Update RHEL 8 CIS references to match benchmark 1.0.1 (#7356)
• Update CCEs and identifiers on rules that make up RHEL 8 CIS 4.1.15 (#7353)
• generic updates to rhel7 CIS (#7384)
• Update existing rule for RHEL-08-020320 (#7303)
• OCP4: Remove kubelet_disable_hostname_override rule (#7391)
• SLES-12-010599 - remove rule from the STIG (#7397)
• add kickstarts for rhel8 CIS profiles (#7383)
• add rhel7 kickstarts for CIS profiles (#7382)
• UBTU-20-010056: Use rule accounts_password_pam_dictcheck (#7366)
• Add ensure_logrotate_activated rule to SLES15 PCI-DSS (#7381)
• products/sle15/profiles/stig.profile: Update according to U_SLES_15_STIG_V1R3 Manual (#7388)
• Add PCI-DSS rules (#7373)
• Add PCI-DSS file Rules (#7417)
• Add PCI-DSS file rules (#7430)
• SUSE SLE15 service chronyd or ntpd enabled pci dss (#7425)
• Add rsyslog log file configuration rules to SUSE SLE15 PCI-DSS profile (#7420)
• Update existing rules for RHEL-07-010492 and RHEL-07-010482 (#7438)
• Add rule for SLES-12-030365 (#7177)
• SLE15 add package_aide_installed to PCI-DSS profile (#7476)
• SLE15 add package security rules to PCI-DSS profile (#7473)
• SLE15 Add password hashing rules to PCI DSS profile (#7474)
• SLE15 add audit data retnetion rules to PCI-DSS profile (#7475)
• SLE15 add sssd_enable_smartcards to PCI-DSS rule (#7472)
• PCI-DSS Add more auditd rules (#7477)
• OL7 DISA STIG v2r4 update (#7496)
• Pcidss Configure Crypto Rules (#7398)

Changes in Remediations

• Enable remediations for crypto policy settings (#7242)
• fix ansible of accounts_root_path_dirs_no_write (#7255)
• add / fix remediations for audit rules wrt modules (#7252)
• Fix possible issue in harden_openssl_crypto_policy remediation (#7178)
• Mount option template updates (#7081)
• Fix coverity problems (#7258)
• Fix ansible remediation of display_login_attempts (#7271)
• Fixed the remediations when there are no previous kernelopts (#7257)
• Remove specific metadata in shared Bash remediations (#7254)
• Update existing rule for RHEL-08-030650 (#7283)
• Remove kubelet_disable_hostname_override rule (#7400)
• Fix remaining audit rule files permissions. (#7440)

Changes in Checks

• Add oval check for bios_enable_execution_restrictions (#7227)
• Mount option template updates (#7081)
• Update existing rule for RHEL-08-030650 (#7283)

Changes in the Infrastructure

• Prioritize install_smartcard_packages like package_*_installed (#7224)
• Sort references, identifiers in rule.yml (#6882)
• Add SCE Support to build system (#7075)
• SSGTS: tests for shared/templates (#7211)
• Add new rule for RHEL-08-030720 (#7288)
• Introduce automated CCE adder (#7249)
• Add sort prodtypes to fix_rules (#7454)

Changes in the Test Suite

• Add rhel9 Dockerfile and distro choice into install_vm.py (#7235)
• fix ansible of accounts_root_path_dirs_no_write (#7255)
• install_vm.py: add --console option (#7186)
• Add some more tests (#7083)
• Add RHEL7 specific test kickstart (#7355)
• SSGTS: tests for shared/templates (#7211)
• Fix combined mode execution in SSGTS (#7395)
• Option --no-reports for SSGTS rule and combined modes (#7523)

Documentation

• Document rule.yml modification utilities (#6916)
• Update Mailing list location in docs (#7293)
• Fix links to repo: SSG->CaC (#7311)
• More documentation (#7406)
• Fix RHEL7 documentation links (#7409)
• Add readthedocs integration badge (#7407)
• Fix RHEL7 documentation link (#7443)
• Add bats to gating and docs (#7543)

Content 0.1.57

Highlights

• CIS profile for RHEL 7 is updated
• initial CIS profiles for Ubuntu 20.04
• Major improvement of RHEL 9 content
• new release process implemented using Github actions

New Rules and Profiles

• Add rule sudo_add_passwd_timeout (#6984)
• SLES-12-010420 and SLES-15-010510 rules (#7028)
• SLES-15-010355 rule (#6947)
• New rsyslog rule per RHEL-08-010070 STIG (#7114)
• Add initial Ubuntu 20.04 CIS Profiles (#7181)

Updated Rules and Profiles

• Update ANSSI policy metadata and undraft High Level (#6997)
• Update cis sle15 profile to better represent the release version 1.0.0 (#7056)
• Start splitting of rhel7 CIS (#7108)
• Splitting rhel7 cis profile - section 2 (#7112)
• Splitting rhel7 cis profile - section 3 (#7111)
• splitting CIS rhel7 profile - section 4 (#7134)
• Split RHEL 7 CIS profile - section 5 (#7193)
• split CIS for rhel7 - section 6 (#7219)

Changes in Remediations

• Add bash package installated macro (#7032)
• Ansible playbook to role updates (#7042)
• Add option to enable installation of individual ansible playbooks per rule (#7039)
• Only enable ansible/yaml lint tests when playbooks are built (#7099)
• ensure_pam_module_options now fix empty option value (#7116)
• Fix bash remediation of sudo_defaults_option (#7146)
• Fix regex in dconf ansible remediation (#7150)

Changes in Checks

• Fix disable_users_coredumps's limits.d exists (#7030)
• Fix oval check in uefi_no_removeable_media (#7067)
• Add option_regex_suffix to sudo_defaults_option template (#7082)

Changes in the Infrastructure

• Fix bugs in rule_dir_json.py (#6911)
• Fix utilities after product move (#7113)
• Fix kernel module disable template (#7086)
• SSGTS: Jinja enablement for test cases (#7210)

Changes in the Test Suite

• Fix SSG test suite support for setting variables (#7097)
• SSGTS: Jinja enablement for test cases (#7210)

Content 0.1.56

Highlights:

• Align ism_o profile with latest ISM SSP (#6878)
• Align RHEL 7 STIG profile with DISA STIG V3R3
• Creating new RHEL 7 STIG GUI profile (#6863)
• Creating new RHEL 8 STIG GUI profile (#6862)
• Add the RHEL9 product (#6801)
• Initial support for SUSE SLE-15 (#6666)
• add support for osbuild blueprint remediations (#6970)

Profiles changed in this release:

• sle12: stig
• sle15: cis, stig
• rhel7: stig_gui, stig
• rhel8: stig_gui, stig, ism_o
• rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
• ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
• ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
• rhv4: pci-dss
• ocp4: cis-node, cis
• rhel9: pci-dss

Profiles:

• Add updated manual DISA STIG XML reference files (#6903)
• rhcos4/e8: Use individual kernel module load audit rules (#6797)
• rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
• bump rhel7 stig version to v3r3 (#6951)
• remove no longer relevant rules from rhel7 stig (#6865)
• Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
• Update OL e8 profiles (#6840)
• Remove rules related to gnome/dconf (#6884)
• Ol cjis profiles (#6851)
• Add PCI-DSS profile to RHV4 (#6867)
• OL hipaa profiles (#6819)
• Update OL cui profiles (#6818)
• remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
• RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
• rhcos4: Remove sssd configuration check from moderate profile (#6774)
• RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
• RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
• RHCOS: Temporarily remove UEFI password rule (#6757)
• Add new rules to sle12/profiles/stig.profile (#6665)
• Remove package_gssproxy_removed from STIG GUI profile (#6967)
• Updating RHEL8 STIG profile for readability changes (#6856)
• Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
• Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)

Rules:

• Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
• Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
• Fix grub2's /boot location for Debian, Ubuntu (#6986)
• Add rules to remove setroubleshoot server and plugin packages (#6969)
• SLES-15-010362 (#6968)
• Fix groupowner/permissions for ubuntu2004 (#6979)
• SLES-15-10352 rule (#6822)
• Enable RHEL9 for kernel-related rules (#6966)
• Enable SELinux rules for RHEL9 (#6959)
• Move rule grub2_enable_iommu_force to use template (#6956)
• Clarify what fixes for AiDE acl and xattrs do (#6960)
• Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
• Adding new rule for RHEL-08-010294 (#6932)
• Add OCIL to sshd_limit_user_access (#6836)
• SLES-15-030390 add rule, remediation and test (#6802)
• Add Rule for SLES-15-040382 (#6811)
• RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
• RHCOS4: Add recommended chrony config (#6786)
• Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
• Prevent global references to use product-qualifiers (#6896)
• OCP: Fix description of kubelet TLS cipher suites (#6900)
• Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
• Update VSEL references to remove qualifier from global references (#6948)
• SLES-15-010250 add rule, remediation and tests (#6879)
• add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
• Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
• Add Rule,Remediation and Test for SLES-15-030760 (#6869)
• Revert STIG id for require_emergency_target_auth (#6928)
• Remove bogus nist: FOO-1(a) references (#6917)
• remove product specific disa and srg references (#6895)
• ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
• Fix usbguard match-all syntax for HID rule (#6909)
• RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
• Notate that Ubuntu is a FIPS-certified OS (#6912)
• OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
• update require_emergency_target_auth (#6894)
• add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
• Add Rule,Test for SLES-15-020103 (#6881)
• Prevent unqualified CIS and STIGID references (#6871)
• SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
• Add rules related to permissions of /var/log and /var/log/messages (#6861)
• SLES-15-010220 updates for firewalld (#6831)
• Add OL anssi profiles (#6817)
• update accounts_tmout (#6839)
• SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' (#6826)
• add rule for disabling of GUI (#6860)
• Add rules for SLES-12-010060 (#6806)
• CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
• fix service_sshd_enabled for SLE-15 (#6830)
• RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
• Add HIPAA rules references (#6854)
• RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
• Add CCI reference to package_gssproxy_removed (#6846)
• Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
• SLES-15-010353 map rule file_ownership_library_dirs (#6820)
• Add CCEs for RHEL9 rsyslog rules (#6832)
• SLES-15-010030 rule (#6821)
• SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
• Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
• OCP4: Add applicability warnings (#6823)
• service_nfs_disabled - change name of nfs service to nfs-server (#6777)
• Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
• OCP4: Address flowschema version change by handling different OCP versions (#6813)
• Abort the build if an OVAL is not included due to extend_definition (#6402)
• Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
• service_rsyncd_disabled - update package name to rsync-daemon (#6783)
• Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
• RHCOS4: Fix require_singleuser_auth rule (#6780)
• ocp4: Add relevant description for protectKernelDefaults rule (#6705)
• CIS 5.2, 5.4, and 5.6 updates (#6704)
• Add documentation links for OL7 and OL8 (#6756)
• Update OL OSPP profiles (#6745)
• Change dhcp server package name to dhcp-server in rhel8 (#6762)
• SLES-15-020101 add rule and tests, no remediation (#6734)
• Add ansible and bash remediation for wireless_disable_interfaces (#6685)
• ocp4: Switch to using the platforms construct (#6759)
• Add rule for RHCOS to check for interactive boot being disabled (#6747)
• Fix oracle documentation links (#6740)
• implement support for multiple platforms connected with disjunction (#6661)
• rhcos4: Add check for nousb kernel argument (#6743)
• Add tests for no files unowned by user/group rules (#6738)
• Add rule for checking selinux is not disabled in coreos (#6737)
• ocp4/etcd: Fix rule checks for 4.8 (#6732)
• Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
• CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
• CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
• Updating macros to support idempotency when deduplicating values (#6953)
• Fix Rule CPE Name inheritance (#6943)
• Reorganize env and product yaml (#6754)
• RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
• rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
• RHCOS4: Add recommended auditd.conf remediation (#6782)
• Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
• Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
• rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
• RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
• mount_option ansible remediation - remediate when mount point is not in mounted (#6713)

Tests:

• install_vm.py: add possibility to install GUI system (#7004)
• Improve the test suite wrapper (#6944)
• Remove code from OCP4 e2e tests (#6961)
• Add test scenarios for service enable/disable rules from CIS profile (#6785)
• Missing references test (#6849)
• Fix RHEL8 STIG with GUI stable profile data (#6874)
• increase /usr partition size in testing kicstart (#6808)
• Add Ubuntu as a known platform for ssg_test_suite (#6794)
• Add package_* test scenarios (#6752)
• Add tests for rule accounts_password_pam_minlen (#6751)
• Add tests for rule accounts_no_uid_except_zero (#6750)
• Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
• Update tests of accounts_tmout to work when overriding profiles (#6765)
• Update tests of account_disable_post_pw_expiration (#6753)
• Add tests for rule account_unique_name (#6749)
• accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
• Switch to generic python shebang (#6744)
• Add tests for rule no_netrc_files (#6741)
• Add tests for rule accounts_minimum_age_login_defs (#6735)
• Updated test scenarios to work on containers (#6701)
• Add tests for rule accounts_password_warn_age_login_defs (#6736)
• Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
• ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
• Add test scenarios for rsyslog rules (#6712)
• set_firewalld_default test scenarios (#6721)
• sysctl_net_* test scenarios (#6696)
• rpm_verify_ownership test scenarios (#6703)
• postfix_network_listening_disabled tests (#6708)
• Ignore trailing whitespaces in...

Content 0.1.55

Highlights:

• big update of rules used in SLES-12 STIG profile
• Render policy to HTML (#6532)
• Add variable support to yamlfile_value template (#6563)
• Introduce new template for dconf configuration files (#6118)

Profiles changed in this release:

• ocp4: cis-node, cis, e8, moderate
• rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
• rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
• sle15: cis, standard
• debian10: anssi_np_nt28_average, standard
• debian9: anssi_np_nt28_average, standard
• fedora: pci-dss, standard
• ol7: pci-dss, stig, standard
• ol8: ospp, hipaa, standard, pci-dss, cjis
• rhcos4: e8, ospp, moderate
• rhv4: rhvh-stig, rhvh-vpp
• sle12: stig
• ubuntu1604: anssi_np_nt28_average, standard
• ubuntu1804: cis, anssi_np_nt28_average, standard
• ubuntu2004: standard
• wrlinux1019: draft_stig_wrlinux_disa

Profiles:

• remove ensure_logrotate_configured from CIS profiles (#6693)
• configure_crypto_policy update for CIS profile (#6673)
• remove kernel_module_vfat_disabled from CIS profiles (#6613)
• E8 ocp revisions (#6587)
• Update ANSSI profile descriptions (#6592)
• Bump RHEL7 STIG version to v3r2 (#6576)
• OL7 DISA STIG v2r1 update (#6538)
• Select RHEL8 STIG V1R1 existing content (#6579)
• OL7 DISA STIG v2r2 update (#6607)
• Update OL standard profiles (#6604)
• Update OL pci-dss profiles (#6605)
• Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
• remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)

Rules:

• Update selinux_confinement_of_daemons rule (#6695)
• Adds classification-banner rule (#6652)
• CIS 5.1 changes (#6678)
• ocp4: Fix audit log forwarding rule (#6680)
• CIS 5.1 and 5.2: More ocil updates (#6689)
• Change instances of cis to cis@ocp4 for openshift (#6654)
• Revert hardcoding of ClientAliveCountMax to 0 (#6434)
• SLES-12 add checks and remediations (#6635)
• Update ANSSI references (#6662)
• Add missing CIS references (#6660)
• move ssh_client_rekey_limit to correct group (#6612)
• Fix STIG id reference for sshd_x11_use_localhost (#6628)
• fix wrong description of sshd_limit_user_access (#6623)
• mark some CIS rules as machine-only (#6611)
• CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
• ocp4: Add link to documentation for etcd encryption (#6590)
• Drop remediation for sysctl_kernel_modules_disabled (#6586)
• OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
• CIS: Update api_server_request_timeout description and check (#6572)
• add rhel7 stig specific rule for sshd approved macs (#6546)
• Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
• add rhel7 stig specific rule for ssh ciphers (#6541)
• sshd_set_keepalive PCI DSS requirement reference (#6531)
• add rule sysctl_kernel_modules_disabled (#6533)
• RHEL-07-040710 now configures X11Forwarding to disable (#6537)
• add rule sshd_x11_use_localhost (#6534)
• Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
• fix remediations of ensure_logrotate_activated (#6710)
• ocp4/e2e: fix classification_banner remediation (#6679)
• ocp4: Add e2e for no_direct_root_logins (#6621)
• rhcos4: Add remediations and rules to enable usbguard (#6452)
• Require separate filesystem for /var/tmp (#6523)
• Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)

Tests:

• fix test for smartcard_auth (#6694)
• Fix test scenario of rpm_verify_permissions rule (#6671)
• Supress Ansible lint error 503 (#6542)
• Add test to check for duplicated STIG ids (#6135)

Content 0.1.54

Highlights:

• Remove RHEL6 content (#6325)
• Add readthedocs documentation support (#6299)
• Introduce centralised policy definitions (#6499)

Profiles changed in this release:

• ocp4: moderate, cis-node, ncp, e8, cis
• rhel7: anssi_nt28_intermediary, cui, cjis, anssi_nt28_minimal, C2S, anssi_nt28_enhanced, stig, ncp, hipaa, e8, anssi_nt28_high, ospp
• ol7: stig
• rhel8: cui, cjis, anssi_bp28_high, cis, stig, pci-dss, anssi_bp28_intermediary, hipaa, anssi_bp28_minimal, anssi_bp28_enhanced, e8, ospp
• rhcos4: ospp, ncp, e8, moderate
• rhv4: rhvh-stig, rhvh-vpp
• sle12: stig
• ol8: e8

Profiles:

• Add xwindows_runlevel_target to RHEL7 STIG profile (#6420)
• Remove severity adjustments on OL7 STIG profile (#6403)
• Update SMEs and owners (#6448)
• Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml (#6438)
• Fix RHEL8 CIS Benchmark version (#6463)
• Use control selectors in RHEL8 ANSSI profiles (#6505)
• Update e8 profiles to use correct link to E8 Linux guide (#6497)
• Add initial artifacts to support RHEL8 STIG content (#6513)
• Update RHEL7 STIG profile with /var/log/audit related rules (#6430)
• Update ANSSI Minimal and Intermediary requirements (#6520)
• Add dconf_gnome_disable_automount to RHEL STIG profile (#5961)

Rules:

• Added simple lineinfile template (#6389)
• Generate the CPE Dictionary dynamically (#6304)
• Drop remediation for sudo_dedicated_group (#6556)
• ocp4: Add check for audit log forwarding (#6428)
• Change severity of rules according to STIG V3R1 (#6417)
• Add test to grub2_enable_fips_mode to check if /etc/system-fips exists (#6418)
• Moved OVAL CVE Feed metadata from the rule to individual products (#6419)
• Add new rule dir_perms_world_writable_system_owned_group (#6421)
• SRG for ssh_client_rekey_limit (#6409)
• OCP4/CIS: tidy etcd_unique_ca text (#6407)
• add rule ssh_client_use_strong_rng (#6404)
• ocp4/CIS 1.1.20: Fix references in rules (#6401)
• Add OCIL clauses to several openshift rules (#6457)
• compliance-operator: Prepare rules and profiles for productization (#6455)
• ocp4: ovs conf.db: tighten file permissions (#6445)
• fix oval of grub2_kernel_trust_cpu_rng (#6444)
• add ospp reference to configure_libreswan_crypto_policy (#6443)
• ocp4/CIS 1.2.10: Enable checks (#6436)
• Add OVAL for the second rule covering CIS 4.2.10 (#6489)
• Enable checks and remediations for SLES-12 STIGs (#6485)
• Several cleanup patches for CIS 1.2.x (#6480)
• Add new rules for ANSSI BP28 R22 (#6483)
• OCP4: Add CCEs to rules used by the CIS profile (#6478)
• OCP: Cleanup rules in section 1.1 of CIS profile (#6477)
• Add stricter permissions option to file permissions template (#6476)
• Implement a rule for sudoers - ANSSI R60 (#6473)
• CIS: Add two missing OCILs (#6474)
• Support SLES-12-010380, SLES-12-010110, and SLES-12-030150 (#6472)
• Fix some missing extend_definition dependencies (#6465)
• Add support for parameters in sudo_defaults_option template (#6508)
• Add SRG references for use_pam_wheel_for_su rule (#6356)
• update rule postfix_network_listening_disabled (#6509)
• add rules to anssi r12 (#6515)
• Create new rules for ANSSI R39 (#6495)
• Enable checks and remediations for SLES-12 STIGs (#6504)
• Fix jinja expansion on installed_OS_is_vendor_supported (#6511)
• Updates for Anssi requirement 49 (#6510)
• add rule checking if world writable directories are owned by root (#6507)
• Add rule to check if OS is 64-bit when supported by CPU (#6496)
• Add the sudoers_no_command_negation rule - ANSSI R62 (#6498)
• Add rules to enable sudoers options (#6369)
• Add rule to configure group owner of /usr/bin/sudo (#6352)
• Add RHEL8 CCE to ANSSI selected rules (#6494)
• Add rules for Anssi-bp-028 R23 (#6490)
• Add rule to drop sudo 'other' execution permisson (#6363)
• Add new pwquality.conf and faillock.conf rules (#6370)
• Add mount_option and partition rules (#6340)
• Add bios and uefi CPE applicability for grub2 rules (#6286)
• Add rule for password hashing rounds in pam_unix (#6334)
• OCP4/CIS 2.X: Fix descriptions and add checks (#6338)
• Disable OVAL backend from file_permissions grub2_cfg rules (#6277)
• add rule use_pam_wheel_for_su (#6256)
• OCP4/CIS 1.4.1: Remove invalid rule and add reference to actual check (#6329)
• fix remediation of audit_rules_privileged_commands (#6227)
• fix ansible remediation of dir_perms_world_writable_root_owned (#6574)
• fix remediations of dir_perms_world_writable_root_owned (#6558)
• fix selinux_policytype oval regex (#6530)
• ocp4: Add automatic remediation for etcd encryption provider (#6411)
• OCP4/CIS: kubelet_configure_event_creation e2e remediation (#6406)
• Add kubernetes remediation for sysctl_kernel_randomize_va_space (#6456)
• kubernetes: Fix kernel argument template (#6450)
• RHCOS4: Fix sysctl remediations and add tests (#6449)
• More precise modified time comparison in "configure_crypto_policy" (#6437)
• Propagated possibility to select the remediation backend (#6433)
• Fix FIPS checks for RHCOS (#6479)
• disable_ctrlaltdel_burstaction: Take into account .d/ directory too (#6471)
• Make rsyslog_remote_tls regex case insensitive for rsyslogs parameters (#6396)
• Fix bash_dconf_settings to grep whole keyword alike (#6364)

Tests:

• Extend list of rules of unselected rules for testing (#6573)
• Remove noauto for boot partition from test kickstart and ANSSI profiles (#6570)
• Update testing kickstart file partitions (#6555)
• Add cap_audit_write to be able to run sshd in containers (#6557)
• Move uefi_no_removeable_media tests to correct place (#6414)
• Introduce test suite script wrappers (#6405)
• ocp4: Add tests for rhcos4 kernel arguments (#6451)
• OCP: Add missing tests for two rules that are passing by default (#6466)
• configure_crypto_policy test scenario - ensure that both files have same timestamp (#6502)
• Add documentation for variables option in test scenarios. (#6377)
• Implement variable metadata for test scenarios (#6323)
• Remove capture_output option from subprocess.run in SSGTS (#6347)
• Refactored interaction with the tested machine (#6322)

Content 0.1.53

Highlights:

• Remove OCP3 content (#6296)
• Remove SLE11 (#6164)
• Remove Ubuntu 14.04 (#6154)
• Remove Debian8 (#6137)
• Remove JBoss EAP6 (#6119)
• Introduce machine and package platform conditionals to Bash remediations (#6061)
• Introduce package conditionals to Ansible remediations (#6025)
• OCP4: Enhance e2e tests to check individual rules (#6315)

Profiles changed in this release:

• example: example
• fedora: standard, pci-dss
• ol7: pci-dss
• ol8: cjis, pci-dss
• rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
• rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
• jre: stig
• ocp4: cis-node, cis, e8, moderate, ncp
• rhcos4: e8, moderate, ncp
• rhv4: rhvh-vpp, rhvh-stig
• sle15: cis

Profiles:

• Remove unused RHEL7 profiles (#6326)
• Specify the applicable OpenShift version for the CIS profiles (#6288)
• Update e8 references (#6306)
• Add commented section for OCP4 CIS etcd node checks (#6238)
• CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
• Add ocp4-node product (#6124)
• remove rngd related rules from rhcos profiles (#6159)
• Add policy tracking metadata (#6004)
• Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
• Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
• remove package_screen_installed from rhel7 stig (#6072)
• OCP4 CIS profile placeholder and comments (#6121)
• Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
• Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
• remove deprecated sshd config from e8 profile (#6120)
• remove package_tuned_removed from rhel8 ospp (#6191)
• remove rngd related rules from rhel8 ospp and stig (#6157)
• remove package_iptables_installed from rhel8 ospp and stig (#6155)

Rules:

• Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
• Added JRE update and clean prev version controls (#6324)
• fix conflicts of audit rules for privileged commands (#6279)
• Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
• Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
• Add machine platform for rule kernel_trust_cpu_rng (#6300)
• CIS 1.3.6 (#6225)
• Update jre content with more controls and minor fixes (#6295)
• Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
• ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
• Add OCP4 1.3.5 benchmark (#6198)
• ocp4: fix basic-auth check (#6158)
• CIS OCP4 benchmark: 1.3.3 (#6194)
• Fix rule api_server_token_auth for ocp4 (#6193)
• OCP4 - CIS 1.1.5 Add check (#6274)
• ocp4: Add check for CIS 1.2.20 (#6239)
• Cis 5.2.9 (#6250)
• ocp4: Add checkf or CIS 1.2.18 (#6232)
• ocp4: Add check for 1.2.17 (#6231)
• add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
• Updated rule api_server_service_account_public_key for OCP 4 (#6221)
• Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
• ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
• ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
• CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
• Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
• Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
• OCP4 - CIS 1.1.3 Add check (#6272)
• OCP4 - CIS 1.1.1 Add check (#6271)
• Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
• Adding rules for OCP4 CIS 1.2.5 (#6268)
• Api server etcd (#6266)
• Adding rules for OCP4 CIS 1.2.5 (#6268)
• Add rule for OCP4 CIS 1.3.2 (#6262)
• Cis 5.2.7 (#6245)
• Java JRE 8 draft update (#6282)
• fix srgs for new rhel8 stig rules (#6280)
• 1.2.32 add etcd-cafile check for ocp4 (#6253)
• 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
• add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
• Pull request for etcd-encrypt (#6259)
• OCP4 CIS 5.2.3 (#6244)
• Update api_server_audit_log_path to use different apiserver conf file (#6240)
• OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
• OCP4 CIS 5.2.4 (#6242)
• Add OCP4 1.3.7 Benchmark (#6220)
• ocp4: Add check for CIS 1.2.19 (#6236)
• Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
• Api server kubelet https (#6215)
• Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
• Add rule for CIS 4.1.9 (#6210)
• Cis node 4.1.8 (#6196)
• OCP CIS 1.2.7 (#6209)
• Fix rules so no there are no "missing extend_definition" warnings during the build (#6186)
• Fix duplicate assignment of CCE-83396-2 (#6224)
• Completed an existing ocp4 CIS 1.3.4 rule (#6202)
• Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
• add service_kdump_disabled to rhel8 ospp (#6190)
• Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
• fix typos in "references" section of RHEL7 rules (#6188)
• Add some more example content for ocp4 cis profile (#6182)
• Add ISM references (#6143)
• Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
• add mandatory packages to rhel8 ospp (#6181)
• Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
• add rsyslog rules to rhel8 ospp (#6167)
• Remove platform net-snmp from the group and use it in individual rules (#6166)
• Fix severity of RHEL 7 STIG rules (#6110)
• fix rules about sshd idle timeout (#6030)
• Update ANSSI refs (#6052)
• Move grub2_vsyscall_argument to grub2 group (#6129)
• Update rule install hips (#6039)
• Remove zIPL rule for PTI bootloader option (#6065)
• use xccdf variable in audit_audispd_network_failure_action (#6071)
• Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
• Drop "esc" package from install_smartcard_packages rule (#6083)
• Update snmpd_no_default_password (#6050)
• Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
• Fix missing CCE in rules selected by RHEL6 profiles (#6103)
• add ocil to rsyslog_nolisten (#6074)
• Remove extra ocil statement from service_cockpit_disabled (#6092)
• Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
• Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
• Update text of rule account_disable_post_pw_expiration (#6084)
• update srg for smartcard_configure_cert_checking (#6073)
• update accounts_logon_fail_delay (#6040)
• update rule disable_ctrlaltdel_reboot (#6043)
• Remove SRGs from accounts_password_pam_retry (#6045)
• Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
• Update tftpd_uses_secure_mode (#6051)
• Fix SRG mapping of audit rules (#6068)
• Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
• Minor ansible changes that fix failing rules after remediations (#6034)
• Fix typo in SLES12 STIG ID reference (#6036)
• Introduce ability to set check_existence to yaml template (#6177)
• Introduced macros for working with XCCDF values into the wide content (#6048)
• Anaconda moved to pykickstart (#6255)
• Create custom OVAL check for uefi_no_removeable_media (#6276)
• Parametrize rule for login.defs hashing algorithm (#6290)
• As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
• Fix regex in aide rules to consider first letter as uppercase (#6152)
• Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
• Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
• Use resolved profiles in rule playbooks (#6080)
• Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
• Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
• Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
• update accounts_maximum_age_login_defs (#6027)

Tests:

• Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
• OCP4: Add manual remediation capabilities to e2e tests (#6318)
• OCP4: Enhance e2e tests to check individual rules (#6315)
• Remove the option to enable/disable "mask" a service (#6298)
• Update ocp4 e2e test dependencies (#6128)
• Force shutdown of VM if it cannot be shutdown gracefully (#6098)
• e2e/ocp4: Display more verbose logs for e2e tests (#6192)
• ocp4: Don't fail on transcient error (#6161)
• ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
• ocp4: Use ScanSettingBindings for e2e tests (#6297)
• allow install_vm.py to create UEFI based machines (#6285)
• Make sure aide_build_database scenarios do not fail when database dosn't exist (#6183)
• SSGTS various test scenarios metadata updates (#6136)
• Implemented packages metadata to the test suite (#6126)
• SSGTS combined mode: use all profile where applicable (#6146)
• SSGTS various test scenarios metadata updates (part 2) (#6145)
• SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
• Removed profile from test metadata where not needed (#6114)
• Add a test for missing CCEs (#6097)
• Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
• OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
• OCP4: Verify CIS 1.3 section (#6302)

Content 0.1.52

Highlights:

• huge update of rhel7 stig profile
• Introduced a minimal reference-rule mapping generator (#5946)

Profiles changed in this release:

• rhel7: ospp, hipaa, stig
• rhel8: ospp, hipaa, stig
• ocp4: moderate, e8
• ol8: ospp
• rhcos4: moderate, ncp

Profiles:

• Select sshd_disable_rhosts in RHEL7 STIG profile. (#6019)
• Select sshd_disable_user_known_hosts in RHEL7 STIG profile. (#6021)
• Update RHEL7 STIG profile to use pam unlock_time=900. (#6011)
• Remove rules that are not present on RHEL STIG v2r7 anymore. (#5975)
• Update hipaa description (#5957)
• Select uefi_no_removeable_media in DISA RHEL7 STIG profile (#5987)
• Update dconf_gnome_disable_ctrlaltdel_reboot and select it in RHEL7 STIG profile (#5993)
• Add new rule dconf_gnome_disable_ctrlaltdel_logout to RHEL7 STIG (#5992)
• Add a missing Crypto Policy rule to OSPP. (#6007)

Rules:

• Introduced rule to disable XDMCP in gdm (#5997)
• Update OVAL check and remediations for sshd_use_priv_separation. (#6022)
• Set sshd_do_not_permit_user_env to pass even with missing parameter. (#6018)
• Update network_sniffer_disabled (#6000)
• Add Fedora product to package_bind_removed rule prodtype (#6017)
• Fixed dconf_gnome_screensaver_idle_activation_enabled wrt RHEL7 STIG (#6016)
• Update sle15 product with specific package names and permissions (#6012)
• Update RHEL7 STIG id for grub2_uefi_password to match RHEL >= 7.2. (#6009)
• Added SRG to configure_ssh_crypto_policy (#6008)
• update severity of package_vsftpd_removed (#6002)
• remove srgs from package_openssh-server_installed (#6001)
• implement V-72095 for stig (#5985)
• remove nonexistent srg from audit_rules_usergroup_modification_opasswd (#5998)
• Fix minor description issue in dconf_gnome_login_banner_text (#5994)
• remove redundant srg from audit_rules_privileged_commands_umount (#5983)
• Add RHEL7 STIG ID to sysctl_net_ipv4_conf_default_rp_filter (#5990)
• Add RHEL7 STIG ID to sysctl_net_ipv4_conf_all_rp_filter (#5989)
• Remove extra zero on SRG ref mapping from kernel_module_dccp_disabled (#5991)
• Remove duplicated STIG ID entry in libreswan_approved_tunnels (#5988)
• Add an evaluation for OpenShift allowedRegistries (#5906)
• Add ansible remediation for accounts_have_homedir_login_defs (#5942)
• fix descriptions of rules audit_rules_privileged_command_* (#5980)
• fix descriptions and ocils of audit_rules_execution_* (#5981)
• Update DISA CCI for rpm_verify_hashes (#5979)
• Remove wrong CCI number from no_files_unowned_by_user (#5966)
• Fix typo in OCIL checking command for file_groupownership_home_directories (#5968)
• remove perm=x from rules about auditing of privileged commands (#5956)
• Update rule dconf_gnome_screensaver_lock_locked (#5959)
• Fix syntax in OCIL checking command for accounts_user_dot_no_world_writable_programs (#5969)
• remove SRG mapping from audit_rules_dac_modification_lsetxattr (#5962)
• Update kernel_module_disabled template to add modules into exclude list (#5963)
• Fix typo in grub password rules (#5964)
• Update dconf_gnome_banner_enabled to use local.d dconf database (#5951)
• Use full CCI and STIG identifiers (#5606)
• Add grub2 platform to grub2 kernel option rules (#5952)
• add xccdf variable into ocil of auditd_data_retention_action_mail_acct (#5953)
• Update rpm_verify_hashes according to STIG RHEL7 v2r7 (#5918)
• Remove OVAL check from rule install_antivirus (#5947)
• Update aide_verify_ext_attributes OVAL and Bash (#5945)
• Update aide_verify_acls (#5941)
• Reference relevant OSPP requirements that depend on correct crypto-policy selection via var_system_crypto_policy (#5935)
• The OSPP requirements for cryptographically verifying the integrity of updates are FPT_TUD_EXT.1.2 and FPT_TUD_EXT.2.2 (#5934)
• The CC/OSPP requirement for handling authentication failures is FIA_AFL.1 (#5933)
• The CC/OSPP requirement for the TOE access banner is FTA_TAB.1 (#5932)
• Harden OpenSSL crypto policy (#5925)
• Update file permissions/ownership/group bash template to better support "file_regex" parameter (#5921)
• Add template for zIPL boot entry option (#5908)
• fix rule selinux_all_devicefiles_labeled (#5911)
• Reorganize zIPL rules (#5888)
• add missing cces to rules in ism_o profile (#5913)
• Converted kube remediation to use the macro (#5904)
• Revert back OVAL check for sshd_disable_compression to use xccdf variable. (#6031)
• Update ansible additional when statement to fix issues with rules not being applied to vm's (#5995)
• Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services (#6014)
• Update accounts_passwords_pam_faillock_unlock_time to work with "never" as value (#6003)
• Cleanup audit_rules_login_events ansible remediation template (#5978)
• Update auditd audispd configure remote server (#5949)
• Add ansible remediation for dconf_gnome_screensaver_idle_activation_locked (#5960)
• Update OVAL check and remediation for aide_use_fips_hashes (#5972)

Tests:

• Remove Fedora platform from test scenarios working with FIPS:OSPP crypto policy (#6023)
• Introduce quick tests (#6013)
• Remove SCAP-1.3 SCAPVAL workarounds (#6005)
• add tests to audit_rules_kernel_module_loading_finit (#5999)
• add tests to audit_rules_usergroup_modification template (#5996)
• Use helper functions to install dconf and gdm. (#5970)
• Enabled support for both podman2 in the ssg test suite. (#5924)
• Print different command to get IP address when using fish shell. (#5907)

Content 0.1.51

Highlights:

• Add SSG content for McAfee VSEL (#5864)
• Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
• Add RHCOS4 product (#5775)
• Add ubuntu cis profile (#5750)

Profiles changed in this release:

• rhel8: ospp, cis, ism_o, stig
• ocp4: cis, moderate, platform-moderate, coreos-ncp, opencis-node, ncp, e8
• vsel: stig
• rhcos4: coreos-ncp, ncp, moderate, e8
• firefox: stig
• rhel7: cis, stig
• sle15: cis
• ubuntu1804: cis

Profiles:

• Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
• Attribute credit for CIS content (#5779)
• Update CoreOS profile to short name (#5834)
• rhcos4: Remove checks for nmcli permissions (#5826)
• Sle15 cis (#5807)
• Add ubuntu cis profile (#5750)

Rules:

• Add stigid reference to rpm_verify_ownership according to STIG RHEL7 v2r7 (#5919)
• Fix file regex in OCP3 content (#5920)
• Fix of issues seen with OpenShift 3.11 (#5860)
• Add zipl and grub2 CPEs (#5905)
• Add ocp rules to cis profile (#5872)
• Update RHEL7 documentation link for grub2_uefi_admin_username. (#5890)
• fix filename in configure_openssl_crypto_policy (#5885)
• Add SSG content for McAfee VSEL (#5864)
• Add 'bls_audit_option' rule (#5793)
• Add OCP XCCDF CIS policy rules (#5833)
• Updating Firefox content (#5858)
• OCP4 allowed registries (#5839)
• Template for yamlfilecontent checks (#5758)
• Remove grub documentation links from RHEL7 rationale (#5851)
• More CIS OCP checks (#5837)
• Update OCP permissions add master, worker, and general content changes (#5838)
• Add OCP4 CIS API server XCCDF content (#5843)
• Add support for blacklisting directories when doing system-wide file scans (#5804)
• Finish RHCOS product migration (#5835)
• Add missing CCEs for CIS RHEL8 (#5781)
• Update unowned user rule warning (#5806)
• Add dev_shm rules to rhel7 stig profile (#5830)
• add rule ssh_client_rekey_limit (#5788)
• pkgname@debian auditd (#5809)
• Add RHCOS4 product (#5775)
• Add rules to configure zIPL (#5784)
• Made the rule sshd_rekey_limit parametrized (#5772)
• Introduced a rule that uses non-standard yaml checks (#5326)
• Cis partitions rules (#5749)
• Add Ansible for ensure_logrotate_activated (#5753)
• Change oval check to verify if we're in OCP4 (#5824)
• Use templates to generate Machineconfigs (#5814)
• Simplify check for no_shelllogin_for_systemaccounts (#5810)
• change sshd rekey limit to 1G 1 hour in rhel8 ospp (#5782)
• Create macro for selinux ansible/bash remediation. (#5785)
• Fix ansible/bash remediation for rule grub2_enable_selinux. (#5787)
• fix rhel8 hipaa ansible playbook (#5777)
• Add Ansible for audit_rules_system_shutdown (#5761)
• Add Bash and Ansible remediations for sshd_set_max_sessions (#5757)

Tests:

• test_parse_affected.py: Handle empty rendered content (#5840)
• Add test scenario for sshd_rekey_limit to cover OSPP profile (#5827)
• add simple tests for sshd_do_not_permit_user_env (#5829)
• Remove result files when test scenarios pass (#5812)
• ocp4: Test amount of check results for scans (#5803)
• ocp4: Check for diminishing failures in e2e test (#5794)
• ocp4: Create complianceSuites in debug mode (#5798)
• OCP4: Add remediation equality unit tests (#5743)

Content 0.1.50

Highlights:

• Add initial macOS content (#5334)
• Feature suse 15 (#5305)
• Add RHEL 7 and RHEL8 CIS profiles
• Add SLE15 CIS Profile
• RHV4 product is now el8 based (#5352)

Profiles changed in this release:

• ocp4: moderate, coreos-ncp, e8
• rhel7: cis, rhelh-stig, C2S, stig
• rhv4: rhvh-vpp, rhvh-stig
• rhel8: cis, stig
• sle15: cis, standard
• ol7: stig
• macos1015: moderate

Profiles:

• ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
• Added warning about profile not working with GUI systems. (#5734)
• OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
• ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
• ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
• ocp4: enable sysctl security settings in moderate profile (#5591)
• ocp4: Enable sysctl file system settings in moderate profile (#5592)
• change rules for disabling ipv6 in CIS profile (#5574)
• macOS build fixes (#5347)
• ocp4: Remove the rule that disables user namespaces (#5268)
• fix rule sshd use approved macs (#5300)
• Feature suse 15 (#5305)
• Add Initial RHEL 7 CIS profile (#5306)
• Clear up coreos profile titles and descriptions (#5280)

Rules:

• Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
• Update sshd crypto policy for CC (#5742)
• Create machine configuration for the rule no tmux in shells (#5641)
• Fix several audit-related ignition remediations (#5651)
• Ubuntu1804/cis kernel module rules (#5722)
• update prodtype for sysctl_net_ipv4_ip_forward (#5679)
• Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
• ocp4: Add missing AC-1 checks to moderate profile (#5718)
• Add missing CCE for sshd_set_max_sessions rule (#5710)
• Fix audit_basic_configuration ignition remediation (#5642)
• Reference should not point to OS version. (#5660)
• Warn about only local user backends being considered (#5657)
• remove remediations for configure_etc_hosts_deny (#5652)
• New Ignition files for audit and SSHD (#5640)
• Fix template mount_option_removable_partitions (#5278)
• Added more SLES Support (#5613)
• Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
• Update ol7 stig references and severity values (#5575)
• Issue 5529 (#5579)
• add missing cce for sshd_disable_tcp_forwarding (#5614)
• Update sshd disable x11 forwarding (#5610)
• Allow tcp forwarding (#5607)
• update limit-related rules to allow limits.d (#5600)
• Feature suse15 cis (#5578)
• Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
• fix sshd_allow_only_protocol2 (#5582)
• Feature sle15 cis (#5567)
• Issue 5524 (#5554)
• Add e8 profile for ocp4 (#5560)
• Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
• Added OL product support to stig rules (#5556)
• Fix ol8 condition in accounts-physical rules (#5559)
• Move RHV4 product to be el8 based (#5352)
• Feature suse 15.1 (#5548)
• fix rule disabling ipv6 through grub2 (#5547)
• add rule ntpd_run_as_ntp_user (#5291)
• Add missing CCEs to rules from RHEL7 CIS profile (#5546)
• add ntpd_configure_restrictions for rhel7 (#5282)
• Update rhel7 CIS selections (#5349)
• add rules for checking legacy "+" entries in passwd related files (#5339)
• add grub2_disable_ipv6 (#5324)
• Add initial macOS content (#5334)
• Add rules to check permissions and owner of important backup account files (#5317)
• Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
• Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
• Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
• add rule configure_etc_hosts_deny (#5332)
• Select new rules in RHEL 7CIS Profile (#5331)
• Add missing CCEs for rules from CIS profile (#5329)
• add rule package_openldap-clients_removed (#5316)
• add rule package_libselinux_installed (#5312)
• Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
• Banner and cron permissions and owners (#5302)
• Select rules for audit login events (#5296)
• Select package_audit_installed (#5292)
• Update audit data retention selects and variables (#5294)
• remove ntp mention from rule title (#5309)
• Feature suse 15 (#5311)
• add rule service_rsyncd_disabled (#5318)
• Select rules for system file permissions (#5301)
• Select rules for SSH and add references (#5297)
• Parametrized the sshd_use_approved_ciphers rule (#5308)
• add chronyd_run_as_chrony_user (#5298)
• Add rules for Chrony on rhel8 (#5273)
• Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
• Extracted a grub superuser username rule from the grub2_password rule (#5276)
• Add XCCDF conflicts and requires (#5281)
• Initial RHEL 8 CIS profile (#5236)
• Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
• fix grub2_bootloader_argument template (#5756)
• Add Ansible for kernel_module_ipv6_option_disabled (#5737)
• Ansible remediation and tests for audit_rules_immutable (#5609)
• add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
• Add Ansible fixes for audit time rules (#5720)
• Add audit field to the Ansible syscall macros (#5724)
• add Ansible remediation and tests for audit_rules_session_events (#5721)
• Introduce Ansible macros for remediating Audit syscall rules (#5709)
• fix ansible remediations to avoid creating duplicate entries (#5650)
• Update Ansible when statement to handle only containers (#5052)
• add ansible and tests to audit_rules_mac_modification (#5638)
• Fix missing ignition remediations (#5644)
• add ansible remediation to audit_rules_kernel_module_loading (#5594)
• Fix audit_rules_privileged_commands remediation (#5569)
• Fix rule banner_etc_motd (#5319)
• Improved handling of grub2 password/admin checks. (#5313)
• Ansible audit sysadmin actions (#5288)
• Simplify banner text syntax and add utility to generate banner regular expression (#5050)

Tests:

• Fix incomplete temporary file (#5747)
• Add unit test for kubernetes object remediations (#5636)
• ocp4: Expand unit tests to validate profile selections (#5648)
• Flush the write buffers after write. (#5748)
• Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
• Added possibility of the test suite to expand platforms of the benchmark (#5550)
• Fix SSGTS when running with python3 and writing binary data to file. (#5711)
• shared/partition.sh: Increase the size of a test device (#5566)
• ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
• Skip generation of remediation when using special the default profile (#5571)
• Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
• Fix test scenarios for auditd_data_retention_flush rule (#5624)
• ocp4/e2e: display remediations for second scan (#5585)
• ocp4: e2e test continuation (#5354)
• ssg test suite: wait 30 seconds for reboot to finish (#5572)
• Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
• ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
• add configure_etc_hosts_deny to ignored rules (#5348)
• ocp4: reset client in e2e tests after installing operator (#5344)
• ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
• ocp4: Add go dependencies to test directory (#5338)
• Extend timeout for VM restarts (#5330)
• ocp4: Add initial e2e test (#5321)
• SSGTS: addressed incompatibilities with python2 (#5295)
• SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)

Content 0.1.49

Highlights:

• Add OL8 Essential Eight profile (#5211)
• Add support to Ignition remediation type (#5137)

Profiles changed in this release:

• ol8: pci-dss, e8, ospp
• rhel8: pci-dss, stig, ospp
• ocp4: coreos-ncp, moderate
• sle12: stig
• rhel7: stig

Profiles:

• Add OL8 Essential Eight profile (#5211)
• Remove ocp4 checks (#5216)
• Update OL8 PCI-DSS profile (#5191)
• Add rsyslog TLS configuration to STIG (#5167)
• Re-add configure_firewalld_rate_limiting to rhel7 stig profile (#5168)
• remove Rsyslog rules from OSPP for Rhel8 (#5158)
• ocp4/moderate: Remove check for AIDE package (#5146)
• PCI-DSS profile should install audispd plugins (#5124)
• Adjust OL8 OSPP profile (#5210)
• ocp4/moderate: Enable more kernel module checks (#5136)
• ocp4: Add controls that cover AC-2 better (#5134)
• rhel8: modify rule selections for OSPP and STIG to meet baselines (#5181)
• Enable rules that cover AU-9 better in OCP4 moderate profile (#5138)
• ocp4/moderate: Add CM-* checks (#5129)
• Add moderate profile (#5128)
• Add dconf_db_up_to_date to RHEL8 STIG profile. (#5274)

Rules:

• Sort prodtypes lexicographicaly (#5130)
• Added OL support to ospp profile rules (#5203)
• Update rpm_verification group rules with OL support (#5204)
• Add OL support to packages and services rules (#5198)
• Add OL support to policy audit rules (#5197)
• Add OL support to configuring_ipv6 rules (#5196)
• Add OL support to the partitions mount rules (#5195)
• Add OL support to accounts user_umask rules (#5194)
• Also remove 389-ds LDAP server (#5186)
• Add check for read-write SNMP users (#5185)
• Add RADIUS group and rule to remove server (#5188)
• Permit setting sshd GSSAPI to yes (#5184)
• Stig sle12 security patches up to date (#5192)
• network_host_and_router_parameters group as machine-only (#5190)
• Remove krb5-server (#5187)
• Permit enforcement of nosuid on /var (#5183)
• Add CCE identifier for openssh-server installed (#5189)
• create checks for (grub2|uefi)_no_removeable_media (#5178)
• Map missing SRG rules (#5177)
• Split rule for audit sample rules according to audit component (#5110)
• Add and fix few entries of SRG mapping (#5170)
• create new rule for ipv4 tcp rate limiting through sysctl (#5126)
• Add a rule for the openssl strong entropy wrapper (#5127)
• Update OVAL templates with oval_affected macro. (#5148)
• Add CCE identifiers to OCP moderate profile rules (#5149)
• Add ocp4 prod to grub2_enable_fips_mode (#5140)
• Add CoreOS CCE for service_auditd_enabled (#5133)
• Added a few NIST references to audit related rules (#5131)
• Add a shell lineinfile template (#5109)
• Check EKU in rsyslog remote configuration (#5119)
• audit package on ubuntu* is auditd. (#5117)

Tests:

• fix wrong value in test scenario (#5214)
• Introduce resolved profiles, and test for profile stability (#5209)
• Fix newline discrepancies in jinja macros for file content (#5202)
• fix regex in accounts_passwords_pam_faillock_deny (#5166)
• Add support to Ignition remediation type (#5137)
• Update crypto policies ospp scenarios (#5121)
• Don't check for path length of logs directory (#5122)