
Releases: ComplianceAsCode/content

Content 0.1.54

03 Feb 12:14

Highlights:

  • Remove RHEL6 content (#6325)
  • Add readthedocs documentation support (#6299)
  • Introduce centralised policy definitions (#6499)

Profiles changed in this release:

  • ocp4: moderate, cis-node, ncp, e8, cis
  • rhel7: anssi_nt28_intermediary, cui, cjis, anssi_nt28_minimal, C2S, anssi_nt28_enhanced, stig, ncp, hipaa, e8, anssi_nt28_high, ospp
  • ol7: stig
  • rhel8: cui, cjis, anssi_bp28_high, cis, stig, pci-dss, anssi_bp28_intermediary, hipaa, anssi_bp28_minimal, anssi_bp28_enhanced, e8, ospp
  • rhcos4: ospp, ncp, e8, moderate
  • rhv4: rhvh-stig, rhvh-vpp
  • sle12: stig
  • ol8: e8

Profiles:

  • Add xwindows_runlevel_target to RHEL7 STIG profile (#6420)
  • Remove severity adjustments on OL7 STIG profile (#6403)
  • Update SMEs and owners (#6448)
  • Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml (#6438)
  • Fix RHEL8 CIS Benchmark version (#6463)
  • Use control selectors in RHEL8 ANSSI profiles (#6505)
  • Update e8 profiles to use correct link to E8 Linux guide (#6497)
  • Add initial artifacts to support RHEL8 STIG content (#6513)
  • Update RHEL7 STIG profile with /var/log/audit related rules (#6430)
  • Update ANSSI Minimal and Intermediary requirements (#6520)
  • Add dconf_gnome_disable_automount to RHEL STIG profile (#5961)

Rules:

  • Added simple lineinfile template (#6389)
  • Generate the CPE Dictionary dynamically (#6304)
  • Drop remediation for sudo_dedicated_group (#6556)
  • ocp4: Add check for audit log forwarding (#6428)
  • Change severity of rules according to STIG V3R1 (#6417)
  • Add test to grub2_enable_fips_mode to check if /etc/system-fips exists (#6418)
  • Moved OVAL CVE Feed metadata from the rule to individual products (#6419)
  • Add new rule dir_perms_world_writable_system_owned_group (#6421)
  • SRG for ssh_client_rekey_limit (#6409)
  • OCP4/CIS: tidy etcd_unique_ca text (#6407)
  • add rule ssh_client_use_strong_rng (#6404)
  • ocp4/CIS 1.1.20: Fix references in rules (#6401)
  • Add OCIL clauses to several openshift rules (#6457)
  • compliance-operator: Prepare rules and profiles for productization (#6455)
  • ocp4: ovs conf.db: tighten file permissions (#6445)
  • fix oval of grub2_kernel_trust_cpu_rng (#6444)
  • add ospp reference to configure_libreswan_crypto_policy (#6443)
  • ocp4/CIS 1.2.10: Enable checks (#6436)
  • Add OVAL for the second rule covering CIS 4.2.10 (#6489)
  • Enable checks and remediations for SLES-12 STIGs (#6485)
  • Several cleanup patches for CIS 1.2.x (#6480)
  • Add new rules for ANSSI BP28 R22 (#6483)
  • OCP4: Add CCEs to rules used by the CIS profile (#6478)
  • OCP: Cleanup rules in section 1.1 of CIS profile (#6477)
  • Add stricter permissions option to file permissions template (#6476)
  • Implement a rule for sudoers - ANSSI R60 (#6473)
  • CIS: Add two missing OCILs (#6474)
  • Support SLES-12-010380, SLES-12-010110, and SLES-12-030150 (#6472)
  • Fix some missing extend_definition dependencies (#6465)
  • Add support for parameters in sudo_defaults_option template (#6508)
  • Add SRG references for use_pam_wheel_for_su rule (#6356)
  • update rule postfix_network_listening_disabled (#6509)
  • add rules to anssi r12 (#6515)
  • Create new rules for ANSSI R39 (#6495)
  • Enable checks and remediations for SLES-12 STIGs (#6504)
  • Fix jinja expansion on installed_OS_is_vendor_supported (#6511)
  • Updates for Anssi requirement 49 (#6510)
  • add rule checking if world writable directories are owned by root (#6507)
  • Add rule to check if OS is 64-bit when supported by CPU (#6496)
  • Add the sudoers_no_command_negation rule - ANSSI R62 (#6498)
  • Add rules to enable sudoers options (#6369)
  • Add rule to configure group owner of /usr/bin/sudo (#6352)
  • Add RHEL8 CCE to ANSSI selected rules (#6494)
  • Add rules for Anssi-bp-028 R23 (#6490)
  • Add rule to drop sudo 'other' execution permission (#6363)
  • Add new pwquality.conf and faillock.conf rules (#6370)
  • Add mount_option and partition rules (#6340)
  • Add bios and uefi CPE applicability for grub2 rules (#6286)
  • Add rule for password hashing rounds in pam_unix (#6334)
  • OCP4/CIS 2.X: Fix descriptions and add checks (#6338)
  • Disable OVAL backend from file_permissions grub2_cfg rules (#6277)
  • add rule use_pam_wheel_for_su (#6256)
  • OCP4/CIS 1.4.1: Remove invalid rule and add reference to actual check (#6329)
  • fix remediation of audit_rules_privileged_commands (#6227)
  • fix ansible remediation of dir_perms_world_writable_root_owned (#6574)
  • fix remediations of dir_perms_world_writable_root_owned (#6558)
  • fix selinux_policytype oval regex (#6530)
  • ocp4: Add automatic remediation for etcd encryption provider (#6411)
  • OCP4/CIS: kubelet_configure_event_creation e2e remediation (#6406)
  • Add kubernetes remediation for sysctl_kernel_randomize_va_space (#6456)
  • kubernetes: Fix kernel argument template (#6450)
  • RHCOS4: Fix sysctl remediations and add tests (#6449)
  • More precise modified time comparison in "configure_crypto_policy" (#6437)
  • Propagated possibility to select the remediation backend (#6433)
  • Fix FIPS checks for RHCOS (#6479)
  • disable_ctrlaltdel_burstaction: Take into account .d/ directory too (#6471)
  • Make rsyslog_remote_tls regex case insensitive for rsyslog's parameters (#6396)
  • Fix bash_dconf_settings to grep whole keyword alike (#6364)

Tests:

  • Extend list of rules of unselected rules for testing (#6573)
  • Remove noauto for boot partition from test kickstart and ANSSI profiles (#6570)
  • Update testing kickstart file partitions (#6555)
  • Add cap_audit_write to be able to run sshd in containers (#6557)
  • Move uefi_no_removeable_media tests to correct place (#6414)
  • Introduce test suite script wrappers (#6405)
  • ocp4: Add tests for rhcos4 kernel arguments (#6451)
  • OCP: Add missing tests for two rules that are passing by default (#6466)
  • configure_crypto_policy test scenario - ensure that both files have the same timestamp (#6502)
  • Add documentation for variables option in test scenarios. (#6377)
  • Implement variable metadata for test scenarios (#6323)
  • Remove capture_output option from subprocess.run in SSGTS (#6347)
  • Refactored interaction with the tested machine (#6322)

Content 0.1.53

13 Nov 16:58

Highlights:

  • Remove OCP3 content (#6296)
  • Remove SLE11 (#6164)
  • Remove Ubuntu 14.04 (#6154)
  • Remove Debian8 (#6137)
  • Remove JBoss EAP6 (#6119)
  • Introduce machine and package platform conditionals to Bash remediations (#6061)
  • Introduce package conditionals to Ansible remediations (#6025)
  • OCP4: Enhance e2e tests to check individual rules (#6315)

Profiles changed in this release:

  • example: example
  • fedora: standard, pci-dss
  • ol7: pci-dss
  • ol8: cjis, pci-dss
  • rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
  • rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
  • jre: stig
  • ocp4: cis-node, cis, e8, moderate, ncp
  • rhcos4: e8, moderate, ncp
  • rhv4: rhvh-vpp, rhvh-stig
  • sle15: cis

Profiles:

  • Remove unused RHEL7 profiles (#6326)
  • Specify the applicable OpenShift version for the CIS profiles (#6288)
  • Update e8 references (#6306)
  • Add commented section for OCP4 CIS etcd node checks (#6238)
  • CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
  • Add ocp4-node product (#6124)
  • remove rngd related rules from rhcos profiles (#6159)
  • Add policy tracking metadata (#6004)
  • Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
  • Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
  • remove package_screen_installed from rhel7 stig (#6072)
  • OCP4 CIS profile placeholder and comments (#6121)
  • Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
  • Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
  • remove deprecated sshd config from e8 profile (#6120)
  • remove package_tuned_removed from rhel8 ospp (#6191)
  • remove rngd related rules from rhel8 ospp and stig (#6157)
  • remove package_iptables_installed from rhel8 ospp and stig (#6155)

Rules:

  • Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
  • Added JRE update and clean prev version controls (#6324)
  • fix conflicts of audit rules for privileged commands (#6279)
  • Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
  • Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
  • Add machine platform for rule kernel_trust_cpu_rng (#6300)
  • CIS 1.3.6 (#6225)
  • Update jre content with more controls and minor fixes (#6295)
  • Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
  • ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
  • Add OCP4 1.3.5 benchmark (#6198)
  • ocp4: fix basic-auth check (#6158)
  • CIS OCP4 benchmark: 1.3.3 (#6194)
  • Fix rule api_server_token_auth for ocp4 (#6193)
  • OCP4 - CIS 1.1.5 Add check (#6274)
  • ocp4: Add check for CIS 1.2.20 (#6239)
  • Cis 5.2.9 (#6250)
  • ocp4: Add check for CIS 1.2.18 (#6232)
  • ocp4: Add check for 1.2.17 (#6231)
  • add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
  • Updated rule api_server_service_account_public_key for OCP 4 (#6221)
  • Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
  • ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
  • ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
  • CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
  • Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
  • Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
  • OCP4 - CIS 1.1.3 Add check (#6272)
  • OCP4 - CIS 1.1.1 Add check (#6271)
  • Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
  • Adding rules for OCP4 CIS 1.2.5 (#6268)
  • Api server etcd (#6266)
  • Add rule for OCP4 CIS 1.3.2 (#6262)
  • Cis 5.2.7 (#6245)
  • Java JRE 8 draft update (#6282)
  • fix srgs for new rhel8 stig rules (#6280)
  • 1.2.32 add etcd-cafile check for ocp4 (#6253)
  • 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
  • add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
  • Pull request for etcd-encrypt (#6259)
  • OCP4 CIS 5.2.3 (#6244)
  • Update api_server_audit_log_path to use different apiserver conf file (#6240)
  • OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
  • OCP4 CIS 5.2.4 (#6242)
  • Add OCP4 1.3.7 Benchmark (#6220)
  • ocp4: Add check for CIS 1.2.19 (#6236)
  • Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
  • Api server kubelet https (#6215)
  • Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
  • Add rule for CIS 4.1.9 (#6210)
  • Cis node 4.1.8 (#6196)
  • OCP CIS 1.2.7 (#6209)
  • Fix rules so there are no "missing extend_definition" warnings during the build (#6186)
  • Fix duplicate assignment of CCE-83396-2 (#6224)
  • Completed an existing ocp4 CIS 1.3.4 rule (#6202)
  • Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
  • add service_kdump_disabled to rhel8 ospp (#6190)
  • Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
  • fix typos in "references" section of RHEL7 rules (#6188)
  • Add some more example content for ocp4 cis profile (#6182)
  • Add ISM references (#6143)
  • Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
  • add mandatory packages to rhel8 ospp (#6181)
  • Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
  • add rsyslog rules to rhel8 ospp (#6167)
  • Remove platform net-snmp from the group and use it in individual rules (#6166)
  • Fix severity of RHEL 7 STIG rules (#6110)
  • fix rules about sshd idle timeout (#6030)
  • Update ANSSI refs (#6052)
  • Move grub2_vsyscall_argument to grub2 group (#6129)
  • Update rule install hips (#6039)
  • Remove zIPL rule for PTI bootloader option (#6065)
  • use xccdf variable in audit_audispd_network_failure_action (#6071)
  • Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
  • Drop "esc" package from install_smartcard_packages rule (#6083)
  • Update snmpd_no_default_password (#6050)
  • Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
  • Fix missing CCE in rules selected by RHEL6 profiles (#6103)
  • add ocil to rsyslog_nolisten (#6074)
  • Remove extra ocil statement from service_cockpit_disabled (#6092)
  • Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
  • Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
  • Update text of rule account_disable_post_pw_expiration (#6084)
  • update srg for smartcard_configure_cert_checking (#6073)
  • update accounts_logon_fail_delay (#6040)
  • update rule disable_ctrlaltdel_reboot (#6043)
  • Remove SRGs from accounts_password_pam_retry (#6045)
  • Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
  • Update tftpd_uses_secure_mode (#6051)
  • Fix SRG mapping of audit rules (#6068)
  • Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
  • Minor ansible changes that fix failing rules after remediations (#6034)
  • Fix typo in SLES12 STIG ID reference (#6036)
  • Introduce ability to set check_existence to yaml template (#6177)
  • Introduced macros for working with XCCDF values into the wide content (#6048)
  • Anaconda moved to pykickstart (#6255)
  • Create custom OVAL check for uefi_no_removeable_media (#6276)
  • Parametrize rule for login.defs hashing algorithm (#6290)
  • As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
  • Fix regex in aide rules to consider first letter as uppercase (#6152)
  • Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
  • Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
  • Use resolved profiles in rule playbooks (#6080)
  • Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
  • Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
  • Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
  • update accounts_maximum_age_login_defs (#6027)

Tests:

  • Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
  • OCP4: Add manual remediation capabilities to e2e tests (#6318)
  • OCP4: Enhance e2e tests to check individual rules (#6315)
  • Remove the option to enable/disable "mask" a service (#6298)
  • Update ocp4 e2e test dependencies (#6128)
  • Force shutdown of VM if it cannot be shutdown gracefully (#6098)
  • e2e/ocp4: Display more verbose logs for e2e tests (#6192)
  • ocp4: Don't fail on transient error (#6161)
  • ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
  • ocp4: Use ScanSettingBindings for e2e tests (#6297)
  • allow install_vm.py to create UEFI based machines (#6285)
  • Make sure aide_build_database scenarios do not fail when database doesn't exist (#6183)
  • SSGTS various test scenarios metadata updates (#6136)
  • Implemented packages metadata to the test suite (#6126)
  • SSGTS combined mode: use all profile where applicable (#6146)
  • SSGTS various test scenarios metadata updates (part 2) (#6145)
  • SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
  • Removed profile from test metadata where not needed (#6114)
  • Add a test for missing CCEs (#6097)
  • Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
  • OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
  • OCP4: Verify CIS 1.3 section (#6302)

Content 0.1.52

18 Sep 14:36

Highlights:

  • huge update of rhel7 stig profile
  • Introduced a minimal reference-rule mapping generator (#5946)

Profiles changed in this release:

  • rhel7: ospp, hipaa, stig
  • rhel8: ospp, hipaa, stig
  • ocp4: moderate, e8
  • ol8: ospp
  • rhcos4: moderate, ncp

Profiles:

  • Select sshd_disable_rhosts in RHEL7 STIG profile. (#6019)
  • Select sshd_disable_user_known_hosts in RHEL7 STIG profile. (#6021)
  • Update RHEL7 STIG profile to use pam unlock_time=900. (#6011)
  • Remove rules that are not present on RHEL STIG v2r7 anymore. (#5975)
  • Update hipaa description (#5957)
  • Select uefi_no_removeable_media in DISA RHEL7 STIG profile (#5987)
  • Update dconf_gnome_disable_ctrlaltdel_reboot and select it in RHEL7 STIG profile (#5993)
  • Add new rule dconf_gnome_disable_ctrlaltdel_logout to RHEL7 STIG (#5992)
  • Add a missing Crypto Policy rule to OSPP. (#6007)

Rules:

  • Introduced rule to disable XDMCP in gdm (#5997)
  • Update OVAL check and remediations for sshd_use_priv_separation. (#6022)
  • Set sshd_do_not_permit_user_env to pass even with missing parameter. (#6018)
  • Update network_sniffer_disabled (#6000)
  • Add Fedora product to package_bind_removed rule prodtype (#6017)
  • Fixed dconf_gnome_screensaver_idle_activation_enabled wrt RHEL7 STIG (#6016)
  • Update sle15 product with specific package names and permissions (#6012)
  • Update RHEL7 STIG id for grub2_uefi_password to match RHEL >= 7.2. (#6009)
  • Added SRG to configure_ssh_crypto_policy (#6008)
  • update severity of package_vsftpd_removed (#6002)
  • remove srgs from package_openssh-server_installed (#6001)
  • implement V-72095 for stig (#5985)
  • remove nonexistent srg from audit_rules_usergroup_modification_opasswd (#5998)
  • Fix minor description issue in dconf_gnome_login_banner_text (#5994)
  • remove redundant srg from audit_rules_privileged_commands_umount (#5983)
  • Add RHEL7 STIG ID to sysctl_net_ipv4_conf_default_rp_filter (#5990)
  • Add RHEL7 STIG ID to sysctl_net_ipv4_conf_all_rp_filter (#5989)
  • Remove extra zero on SRG ref mapping from kernel_module_dccp_disabled (#5991)
  • Remove duplicated STIG ID entry in libreswan_approved_tunnels (#5988)
  • Add an evaluation for OpenShift allowedRegistries (#5906)
  • Add ansible remediation for accounts_have_homedir_login_defs (#5942)
  • fix descriptions of rules audit_rules_privileged_command_* (#5980)
  • fix descriptions and ocils of audit_rules_execution_* (#5981)
  • Update DISA CCI for rpm_verify_hashes (#5979)
  • Remove wrong CCI number from no_files_unowned_by_user (#5966)
  • Fix typo in OCIL checking command for file_groupownership_home_directories (#5968)
  • remove perm=x from rules about auditing of privileged commands (#5956)
  • Update rule dconf_gnome_screensaver_lock_locked (#5959)
  • Fix syntax in OCIL checking command for accounts_user_dot_no_world_writable_programs (#5969)
  • remove SRG mapping from audit_rules_dac_modification_lsetxattr (#5962)
  • Update kernel_module_disabled template to add modules into exclude list (#5963)
  • Fix typo in grub password rules (#5964)
  • Update dconf_gnome_banner_enabled to use local.d dconf database (#5951)
  • Use full CCI and STIG identifiers (#5606)
  • Add grub2 platform to grub2 kernel option rules (#5952)
  • add xccdf variable into ocil of auditd_data_retention_action_mail_acct (#5953)
  • Update rpm_verify_hashes according to STIG RHEL7 v2r7 (#5918)
  • Remove OVAL check from rule install_antivirus (#5947)
  • Update aide_verify_ext_attributes OVAL and Bash (#5945)
  • Update aide_verify_acls (#5941)
  • Reference relevant OSPP requirements that depend on correct crypto-policy selection via var_system_crypto_policy (#5935)
  • The OSPP requirements for cryptographically verifying the integrity of updates are FPT_TUD_EXT.1.2 and FPT_TUD_EXT.2.2 (#5934)
  • The CC/OSPP requirement for handling authentication failures is FIA_AFL.1 (#5933)
  • The CC/OSPP requirement for the TOE access banner is FTA_TAB.1 (#5932)
  • Harden OpenSSL crypto policy (#5925)
  • Update file permissions/ownership/group bash template to better support "file_regex" parameter (#5921)
  • Add template for zIPL boot entry option (#5908)
  • fix rule selinux_all_devicefiles_labeled (#5911)
  • Reorganize zIPL rules (#5888)
  • add missing cces to rules in ism_o profile (#5913)
  • Converted kube remediation to use the macro (#5904)
  • Revert back OVAL check for sshd_disable_compression to use xccdf variable. (#6031)
  • Update ansible additional when statement to fix issues with rules not being applied to VMs (#5995)
  • Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services (#6014)
  • Update accounts_passwords_pam_faillock_unlock_time to work with "never" as value (#6003)
  • Cleanup audit_rules_login_events ansible remediation template (#5978)
  • Update auditd audispd configure remote server (#5949)
  • Add ansible remediation for dconf_gnome_screensaver_idle_activation_locked (#5960)
  • Update OVAL check and remediation for aide_use_fips_hashes (#5972)

Tests:

  • Remove Fedora platform from test scenarios working with FIPS:OSPP crypto policy (#6023)
  • Introduce quick tests (#6013)
  • Remove SCAP-1.3 SCAPVAL workarounds (#6005)
  • add tests to audit_rules_kernel_module_loading_finit (#5999)
  • add tests to audit_rules_usergroup_modification template (#5996)
  • Use helper functions to install dconf and gdm. (#5970)
  • Enabled support for both podman2 in the ssg test suite. (#5924)
  • Print different command to get IP address when using fish shell. (#5907)

Content 0.1.51

17 Jul 09:42

Highlights:

  • Add SSG content for McAfee VSEL (#5864)
  • Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
  • Add RHCOS4 product (#5775)
  • Add ubuntu cis profile (#5750)

Profiles changed in this release:

  • rhel8: ospp, cis, ism_o, stig
  • ocp4: cis, moderate, platform-moderate, coreos-ncp, opencis-node, ncp, e8
  • vsel: stig
  • rhcos4: coreos-ncp, ncp, moderate, e8
  • firefox: stig
  • rhel7: cis, stig
  • sle15: cis
  • ubuntu1804: cis

Profiles:

  • Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
  • Attribute credit for CIS content (#5779)
  • Update CoreOS profile to short name (#5834)
  • rhcos4: Remove checks for nmcli permissions (#5826)
  • Sle15 cis (#5807)
  • Add ubuntu cis profile (#5750)

Rules:

  • Add stigid reference to rpm_verify_ownership according to STIG RHEL7 v2r7 (#5919)
  • Fix file regex in OCP3 content (#5920)
  • Fix of issues seen with OpenShift 3.11 (#5860)
  • Add zipl and grub2 CPEs (#5905)
  • Add ocp rules to cis profile (#5872)
  • Update RHEL7 documentation link for grub2_uefi_admin_username. (#5890)
  • fix filename in configure_openssl_crypto_policy (#5885)
  • Add SSG content for McAfee VSEL (#5864)
  • Add 'bls_audit_option' rule (#5793)
  • Add OCP XCCDF CIS policy rules (#5833)
  • Updating Firefox content (#5858)
  • OCP4 allowed registries (#5839)
  • Template for yamlfilecontent checks (#5758)
  • Remove grub documentation links from RHEL7 rationale (#5851)
  • More CIS OCP checks (#5837)
  • Update OCP permissions add master, worker, and general content changes (#5838)
  • Add OCP4 CIS API server XCCDF content (#5843)
  • Add support for blacklisting directories when doing system-wide file scans (#5804)
  • Finish RHCOS product migration (#5835)
  • Add missing CCEs for CIS RHEL8 (#5781)
  • Update unowned user rule warning (#5806)
  • Add dev_shm rules to rhel7 stig profile (#5830)
  • add rule ssh_client_rekey_limit (#5788)
  • pkgname@debian auditd (#5809)
  • Add RHCOS4 product (#5775)
  • Add rules to configure zIPL (#5784)
  • Made the rule sshd_rekey_limit parametrized (#5772)
  • Introduced a rule that uses non-standard yaml checks (#5326)
  • Cis partitions rules (#5749)
  • Add Ansible for ensure_logrotate_activated (#5753)
  • Change oval check to verify if we're in OCP4 (#5824)
  • Use templates to generate Machineconfigs (#5814)
  • Simplify check for no_shelllogin_for_systemaccounts (#5810)
  • change sshd rekey limit to 1G 1 hour in rhel8 ospp (#5782)
  • Create macro for selinux ansible/bash remediation. (#5785)
  • Fix ansible/bash remediation for rule grub2_enable_selinux. (#5787)
  • fix rhel8 hipaa ansible playbook (#5777)
  • Add Ansible for audit_rules_system_shutdown (#5761)
  • Add Bash and Ansible remediations for sshd_set_max_sessions (#5757)

Tests:

  • test_parse_affected.py: Handle empty rendered content (#5840)
  • Add test scenario for sshd_rekey_limit to cover OSPP profile (#5827)
  • add simple tests for sshd_do_not_permit_user_env (#5829)
  • Remove result files when test scenarios pass (#5812)
  • ocp4: Test amount of check results for scans (#5803)
  • ocp4: Check for diminishing failures in e2e test (#5794)
  • ocp4: Create complianceSuites in debug mode (#5798)
  • OCP4: Add remediation equality unit tests (#5743)

Content 0.1.50

15 May 11:56

Highlights:

  • Add initial macOS content (#5334)
  • Feature suse 15 (#5305)
  • Add RHEL 7 and RHEL8 CIS profiles
  • Add SLE15 CIS Profile
  • RHV4 product is now el8 based (#5352)

Profiles changed in this release:

  • ocp4: moderate, coreos-ncp, e8
  • rhel7: cis, rhelh-stig, C2S, stig
  • rhv4: rhvh-vpp, rhvh-stig
  • rhel8: cis, stig
  • sle15: cis, standard
  • ol7: stig
  • macos1015: moderate

Profiles:

  • ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
  • Added warning about profile not working with GUI systems. (#5734)
  • OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
  • ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
  • ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
  • ocp4: enable sysctl security settings in moderate profile (#5591)
  • ocp4: Enable sysctl file system settings in moderate profile (#5592)
  • change rules for disabling ipv6 in CIS profile (#5574)
  • macOS build fixes (#5347)
  • ocp4: Remove the rule that disables user namespaces (#5268)
  • fix rule sshd use approved macs (#5300)
  • Feature suse 15 (#5305)
  • Add Initial RHEL 7 CIS profile (#5306)
  • Clear up coreos profile titles and descriptions (#5280)

Rules:

  • Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
  • Update sshd crypto policy for CC (#5742)
  • Create machine configuration for the rule no tmux in shells (#5641)
  • Fix several audit-related ignition remediations (#5651)
  • Ubuntu1804/cis kernel module rules (#5722)
  • update prodtype for sysctl_net_ipv4_ip_forward (#5679)
  • Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
  • ocp4: Add missing AC-1 checks to moderate profile (#5718)
  • Add missing CCE for sshd_set_max_sessions rule (#5710)
  • Fix audit_basic_configuration ignition remediation (#5642)
  • Reference should not point to OS version. (#5660)
  • Warn about only local user backends being considered (#5657)
  • remove remediations for configure_etc_hosts_deny (#5652)
  • New Ignition files for audit and SSHD (#5640)
  • Fix template mount_option_removable_partitions (#5278)
  • Added more SLES Support (#5613)
  • Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
  • Update ol7 stig references and severity values (#5575)
  • Issue 5529 (#5579)
  • add missing cce for sshd_disable_tcp_forwarding (#5614)
  • Update sshd disable x11 forwarding (#5610)
  • Allow tcp forwarding (#5607)
  • update limit-related rules to allow limits.d (#5600)
  • Feature suse15 cis (#5578)
  • Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
  • fix sshd_allow_only_protocol2 (#5582)
  • Feature sle15 cis (#5567)
  • Issue 5524 (#5554)
  • Add e8 profile for ocp4 (#5560)
  • Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
  • Added OL product support to stig rules (#5556)
  • Fix ol8 condition in accounts-physical rules (#5559)
  • Move RHV4 product to be el8 based (#5352)
  • Feature suse 15.1 (#5548)
  • fix rule disabling ipv6 through grub2 (#5547)
  • add rule ntpd_run_as_ntp_user (#5291)
  • Add missing CCEs to rules from RHEL7 CIS profile (#5546)
  • add ntpd_configure_restrictions for rhel7 (#5282)
  • Update rhel7 CIS selections (#5349)
  • add rules for checking legacy "+" entries in passwd related files (#5339)
  • add grub2_disable_ipv6 (#5324)
  • Add initial macOS content (#5334)
  • Add rules to check permissions and owner of important backup account files (#5317)
  • Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
  • Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
  • Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
  • add rule configure_etc_hosts_deny (#5332)
  • Select new rules in RHEL 7CIS Profile (#5331)
  • Add missing CCEs for rules from CIS profile (#5329)
  • add rule package_openldap-clients_removed (#5316)
  • add rule package_libselinux_installed (#5312)
  • Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
  • Banner and cron permissions and owners (#5302)
  • Select rules for audit login events (#5296)
  • Select package_audit_installed (#5292)
  • Update audit data retention selects and variables (#5294)
  • remove ntp mention from rule title (#5309)
  • Feature suse 15 (#5311)
  • add rule service_rsyncd_disabled (#5318)
  • Select rules for system file permissions (#5301)
  • Select rules for SSH and add references (#5297)
  • Parametrized the sshd_use_approved_ciphers rule (#5308)
  • add chronyd_run_as_chrony_user (#5298)
  • Add rules for Chrony on rhel8 (#5273)
  • Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
  • Extracted a grub superuser username rule from the grub2_password rule (#5276)
  • Add XCCDF conflicts and requires (#5281)
  • Initial RHEL 8 CIS profile (#5236)
  • Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
  • fix grub2_bootloader_argument template (#5756)
  • Add Ansible for kernel_module_ipv6_option_disabled (#5737)
  • Ansible remediation and tests for audit_rules_immutable (#5609)
  • add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
  • Add Ansible fixes for audit time rules (#5720)
  • Add audit field to the Ansible syscall macros (#5724)
  • add Ansible remediation and tests for audit_rules_session_events (#5721)
  • Introduce Ansible macros for remediating Audit syscall rules (#5709)
  • fix ansible remediations to avoid creating duplicate entries (#5650)
  • Update Ansible when statement to handle only containers (#5052)
  • add ansible and tests to audit_rules_mac_modification (#5638)
  • Fix missing ignition remediations (#5644)
  • add ansible remediation to audit_rules_kernel_module_loading (#5594)
  • Fix audit_rules_privileged_commands remediation (#5569)
  • Fix rule banner_etc_motd (#5319)
  • Improved handling of grub2 password/admin checks. (#5313)
  • Ansible audit sysadmin actions (#5288)
  • Simplify banner text syntax and add utility to generate banner regular expression (#5050)

Tests:

  • Fix incomplete temporary file (#5747)
  • Add unit test for kubernetes object remediations (#5636)
  • ocp4: Expand unit tests to validate profile selections (#5648)
  • Flush the write buffers after write. (#5748)
  • Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
  • Added possibility of the test suite to expand platforms of the benchmark (#5550)
  • Fix SSGTS when running with python3 and writing binary data to file. (#5711)
  • shared/partition.sh: Increase the size of a test device (#5566)
  • ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
  • Skip generation of remediation when using the special default profile (#5571)
  • Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
  • Fix test scenarios for auditd_data_retention_flush rule (#5624)
  • ocp4/e2e: display remediations for second scan (#5585)
  • ocp4: e2e test continuation (#5354)
  • ssg test suite: wait 30 seconds for reboot to finish (#5572)
  • Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
  • ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
  • add configure_etc_hosts_deny to ignored rules (#5348)
  • ocp4: reset client in e2e tests after installing operator (#5344)
  • ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
  • ocp4: Add go dependencies to test directory (#5338)
  • Extend timeout for VM restarts (#5330)
  • ocp4: Add initial e2e test (#5321)
  • SSGTS: addressed incompatibilities with python2 (#5295)
  • SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)

Content 0.1.49

13 Mar 12:46

Highlights:

  • Add OL8 Essential Eight profile (#5211)
  • Add support to Ignition remediation type (#5137)

Profiles changed in this release:

  • ol8: pci-dss, e8, ospp
  • rhel8: pci-dss, stig, ospp
  • ocp4: coreos-ncp, moderate
  • sle12: stig
  • rhel7: stig

Profiles:

  • Add OL8 Essential Eight profile (#5211)
  • Remove ocp4 checks (#5216)
  • Update OL8 PCI-DSS profile (#5191)
  • Add rsyslog TLS configuration to STIG (#5167)
  • Re-add configure_firewalld_rate_limiting to rhel7 stig profile (#5168)
  • remove Rsyslog rules from OSPP for Rhel8 (#5158)
  • ocp4/moderate: Remove check for AIDE package (#5146)
  • PCI-DSS profile should install audispd plugins (#5124)
  • Adjust OL8 OSPP profile (#5210)
  • ocp4/moderate: Enable more kernel module checks (#5136)
  • ocp4: Add controls that cover AC-2 better (#5134)
  • rhel8: modify rule selections for OSPP and STIG to meet baselines (#5181)
  • Enable rules that cover AU-9 better in OCP4 moderate profile (#5138)
  • ocp4/moderate: Add CM-* checks (#5129)
  • Add moderate profile (#5128)
  • Add dconf_db_up_to_date to RHEL8 STIG profile. (#5274)

Rules:

  • Sort prodtypes lexicographically (#5130)
  • Added OL support to ospp profile rules (#5203)
  • Update rpm_verification group rules with OL support (#5204)
  • Add OL support to packages and services rules (#5198)
  • Add OL support to policy audit rules (#5197)
  • Add OL support to configuring_ipv6 rules (#5196)
  • Add OL support to the partitions mount rules (#5195)
  • Add OL support to accounts user_umask rules (#5194)
  • Also remove 389-ds LDAP server (#5186)
  • Add check for read-write SNMP users (#5185)
  • Add RADIUS group and rule to remove server (#5188)
  • Permit setting sshd GSSAPI to yes (#5184)
  • Stig sle12 security patches up to date (#5192)
  • network_host_and_router_parameters group as machine-only (#5190)
  • Remove krb5-server (#5187)
  • Permit enforcement of nosuid on /var (#5183)
  • Add CCE identifier for openssh-server installed (#5189)
  • create checks for (grub2|uefi)_no_removeable_media (#5178)
  • Map missing SRG rules (#5177)
  • Split rule for audit sample rules according to audit component (#5110)
  • Add and fix few entries of SRG mapping (#5170)
  • create new rule for ipv4 tcp rate limiting through sysctl (#5126)
  • Add a rule for the openssl strong entropy wrapper (#5127)
  • Update OVAL templates with oval_affected macro. (#5148)
  • Add CCE identifiers to OCP moderate profile rules (#5149)
  • Add ocp4 prod to grub2_enable_fips_mode (#5140)
  • Add CoreOS CCE for service_auditd_enabled (#5133)
  • Added a few NIST references to audit related rules (#5131)
  • Add a shell lineinfile template (#5109)
  • Check EKU in rsyslog remote configuration (#5119)
  • audit package on ubuntu* is auditd. (#5117)

Tests:

  • fix wrong value in test scenario (#5214)
  • Introduce resolved profiles, and test for profile stability (#5209)
  • Fix newline discrepancies in jinja macros for file content (#5202)
  • fix regex in accounts_passwords_pam_faillock_deny (#5166)
  • Add support to Ignition remediation type (#5137)
  • Update crypto policies ospp scenarios (#5121)
  • Don't check for path length of logs directory (#5122)

Content 0.1.48

15 Jan 19:37
b3f50c3

Highlights:

  • New product added for Debian 10 (debian10)
  • New product added for Red Hat OpenStack Platform 10 (rhosp10)
  • New draft Profile for RHEL8 STIG

Profiles changed in this release:

  • rhosp10: cui, stig
  • debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
  • rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
  • rhel7: e8, sap
  • ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
  • sle12: stig

Profiles:

  • Add security autoupdates to the RHEL8 E8 profile. (#5107)
  • E8: ensure there is a single account with uid zero (#5105)
  • Add draft RHELH content for rhel8 (#5040)
  • Remove SSSD rules from RHEL8 OSPP Profile (#5032)
  • Updated the e8 profile for RHEL8. (#5024)
  • Add draft RHEL8 STIG profile (#4991)
  • Remove coreos-fedramp profile (#4994)

Rules:

  • Rhosp10 (#5019)
  • Add debian10 content (#5058)
  • Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
  • Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
  • Update NIST 800-53 mappings (#5083)
  • NIST 800-53 Mapping Updates (#5079)
  • Delete rules in favour of package_subscription-manager_installed (#5059)
  • Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
  • Add missing CCE for package_telnetd_removed rule (#5090)
  • PermitUserEnvironment Checks For Incorrect Setting (#5087)
  • Use the FIPS:OSPP Crypto Policy (#5072)
  • Enable ansible template for service_fapolicyd_enable rule. (#5064)
  • modify usbguard_allow_* rules to use new match-all keyword (#5055)
  • Stig sle12 initial (#4847)
  • Update api-server XCCDF and OVAL for ocp4-isms (#5039)
  • Mark rules as platform: machine. (#5062)
  • Fix OVAL applicability for RHV4 (#5053)
  • Remove configure_fapolicyd_mounts rules from profiles. (#5057)
  • Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
  • Update api-server rules (#5034)
  • Coreos build - enable more rules (#5018)
  • Various minor fixes (#5025)
  • Update etcd rules (#5008)
  • [WIP] Add SAP profile to rhel (#3551)
  • Add missing CCEs to rules from STIG profile (#5021)
  • Add some NIST mappings for FISMA high (#4932)
  • Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
  • Ansible tasks fixes (#5004)
  • make aide_periodic_cron_checking accept a broader array of time specs (#4989)
  • SRG Mapping - misc rules (#4969)
  • additional srg mappings (#4981)
  • Verified that proper SRGs are in rules that need to be added (#4987)
  • adding DISA SRG references to rules found in the OSPP profile (#4877)
  • OCP4 content cleanup (#4970)
  • Add Network Policies rule to OCP (#4934)
  • Make coreos-ncp.profile buildable (#5001)
  • Added SRG rule for auditd_audispd_configure_remote_server (#4988)
  • DISA STIG SRG mappings (#4940)
  • added SRG rule for Exec Shield (#4982)
  • Day 2 - Yasir's Contributions (#4975)
  • day 2 changes to rules with SRG info (#4974)
  • add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
  • Added SRG to rules (#4968)
  • mapped ipv4 and ipv6 SRGs to rules (#4967)
  • add SRG to rule (#4966)
  • Updated to include SRG number (#4971)

Tests:

  • oscap: modify using variables in the printf format (#5063)
  • Improve fine-tuning of rule/group ordering (#5078)
  • Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
  • Extend waiting time till virtual machine is again in RUNNING state (#5041)
  • SSGTS: Use wildcards instead of matching substring (#5029)
  • Add waiting for RUNNING state of virtual machine (#5023)
  • Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
  • Fixed the remediation for rsyslog_files_permissions (#4906)

Content 0.1.47

05 Nov 15:16
48db510

Highlights:

  • New product added Debian 9 (debian9)
  • New product added OpenShift container Platform 4 (ocp4)
  • Add Essential Eight profiles
  • New templating system enabled by default
  • Move SSGTS test scenarios closer to rule definitions

Profiles changed in this release:

  • rhel7: e8, C2S, ospp
  • rhel8: e8, ospp
  • debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
  • ocp4: coreos-ncp, opencis-node
  • ocp3: opencis-master
  • fedora: ospp
  • rhel6: C2S, stig

Profiles:

  • Add Essential Eight profiles (#4859)
  • Remove openshift api_server_profiling check (#4944)
  • Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
  • Extend SSH session to timeout while still allowing session to disconnect (#4954)
  • Add coreos NCP profile (#4865)
  • Add rules for FISMA Low to CoreOS NCP (#4873)

Rules:

  • SSG debian9 (#4928)
  • ocp4: Initial build system support for the OCP4 product (#4908)
  • Don't require that files exist when path is regex (#4960)
  • Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
  • Add missing CCEs (#4956)
  • Add missing prodtypes for apt rules (#4930)
  • Compare suid/sgid files with the RPM database (#4648)
  • Add check to set /etc/motd similar to /etc/issue (#4947)
  • Set default to match syslog default (#4948)
  • Add package rules to OSPP profile (#4953)
  • Fill in the samples with the value from our variable (#4949)
  • Add postfix relayhost check (#4950)
  • Add rule to check cockpit service status (#4939)
  • Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
  • Added missing CCEs. (#4919)
  • Fix missing OVAL in some of RHEL 8 rules (#4927)
  • Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
  • Generate OCIL check for cramfs kernel module (#4918)
  • Added OCIL for mount option-type of rules. (#4910)
  • Update remediation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
  • Ported the sysctl macros to the new system. (#4843)
  • Made the new templating system work with Python2.6. (#4897)
  • Add WRLinux 10.19 to prodtype (#4903)
  • Fix typo and add ocil clause to package_audit_installed. (#4827)
  • Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
  • Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
  • Map AC-17 (#4894)
  • Map AC-6(9) (#4895)
  • Map AC-17(2) to crypto SSH policies (#4892)
  • Add rule for NIST AC-18(4) (#4889)
  • Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
  • Map AU-7 and AU-10 to audit package (#4890)
  • Run tmux only right after sshd/login (#4885)
  • Fix missing content in datastreams generated by new templating system (#4883)
  • Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
  • Fix dnf timer rule (#4882)
  • Map AU-9(3) and AU-5(2) for CoreOS (#4880)
  • Update list of packages installed in RHEL8 OSPP (#4876)
  • Map OCP SCC to Kubernetes benchmark (#4867)
  • Merge SELinux Boolean templates and migrate them to new system (#4860)
  • Fix rhel6 nist mapping typo (#4872)
  • Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
  • Add require_emergency_target_auth and update require_singleuser_auth (#4850)
  • Enable file permissions templates in new templating system (#4857)
  • Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
  • Add checks for crontab and supporting cron directories (#4858)
  • Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
  • Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
  • Postfix network listening to loopback-only (#4832)
  • Update rsyslog rules description (#4839)
  • Updated the rule description of configure_fapolicyd_mounts (#4835)
  • Fix accounts password rules template name (#4836)
  • New templating system (#4809)
  • Break out api_server_service_account_key into multiple rules (#4831)
  • Add openvswitch permission rules (#4830)
  • AIDE periodic crontab check modification (#4824)
  • Disable Mounting of FAT filesystems (#4815)
  • insecure-port should not be configured (#4821)
  • Fix kubelet_enable_streaming_connections Rule (#4823)
  • Assign CCEs to SSH permission checks (#4819)
  • Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
  • Ensure proper permissions on /etc/ssh/sshd_config (#4812)
  • Fix /etc/shadow permissions documentation (#4813)
  • Improve template grub2 argument (#4786)
  • making hardening of sshd crypto policy aligned with OSPP (#4799)
  • Disable Kerberos by removing host keytab. (#4793)
  • Move audit rules to correct group (#4778)
  • Configure TLS for rsyslog remote logging. (#4781)

Tests:

  • Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
  • Use only first occurrence from /etc/mtab (#4959)
  • ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
  • Add basic test scenarios for a few audit rules (#4907)
  • Made templates product-specific. (#4841)
  • Simplified the test_suite command-line. (#4808)
  • Changed owner of files in the test suite tarball. (#4797)
  • [WIP] Enable test suite support for podman executed by non-privileged user (#4544)
  • Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
  • fix grub2_argument bash remediation (#4891)
  • Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
  • Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
  • SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
  • Add test scenarios for rsyslog_remote_tls (#4788)
  • SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
  • ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
  • Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
  • Clean up partition before performing test for mount_option_tmp_noexec (#4795)
  • Move SSGTS test scenarios closer to rule definitions (#4741)

Content 0.1.46

02 Sep 08:21
54aa233

Highlights:

  • SCAP 1.3 Data Streams are now the default (#4755)
    • 1.2 Data Streams are suffixed with -1.2.xml
  • OSPP consolidation (#4705)
    • RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
    • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
    • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

  • rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
  • wrlinux1019: draft_stig_wrlinux_disa
  • rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
  • rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
  • rhv4: rhvh-stig, rhvh-vpp
  • debian8: standard, anssi_np_nt28_restrictive
  • ubuntu1404: standard, anssi_np_nt28_restrictive
  • ubuntu1604: standard, anssi_np_nt28_restrictive
  • ubuntu1804: standard, anssi_np_nt28_restrictive
  • ol8: ospp, cjis, hipaa, pci-dss
  • fedora: ospp, pci-dss
  • ol7: stig, pci-dss

Profiles:

  • Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
  • Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
  • RHEL OSPP Profile Restructuring (#4754)
  • NCP Profile extends OSPP profile (#4764)
  • Rule grub2_vsyscall_argument is informational in OSPP (#4763)
  • Add support for XCCDF rule-refine (#4750)
  • Profile Restructuring (#4736)
  • Update OL8 HIPAA profile (#4718)
  • Update OL8 CJIS profile (#4719)
  • Adding SELinux rules into OSPP profile (#4735)
  • Fix section titles. (#4738)
  • Remove GNOME rules from rhel7/ospp (#4724)
  • The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
  • When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
  • Cleanup the RHEL7 ccc.profile, minimally (#4691)
  • Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

  • Enable fapolicyd to watch all system mountpoints. (#4773)
  • Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
  • Ensure rsyslog-gnutls is installed. (#4775)
  • IASE was migrated to DOD Cyber Exchange (#4768)
  • Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
  • Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
  • Update CSRF cookie secure (#4761)
  • Add mask_service parameter to services disabled template. (#4633)
  • Add new rhel8 aux gpg pubkey (#4675)
  • Add new package installed rule specific for RHEL8. (#4673)
  • Delete unused/unwanted dconf_use_text_backend rule. (#4684)
  • Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
  • extend oval check of configure_crypto_policy (#4757)
  • Update STIG Antivirus Language (#4745)
  • Log USBGuard daemon audit events using Linux Audit. (#4747)
  • Harden ssh client crypto policy (#4681)
  • Expanded and cleaned up csv templates. (#4739)
  • SSH service rules for SLE12 (#4289)
  • Single rule to configure audit rules for OSPP (#4680)
  • update STIG antivirus language (#4341)
  • Configure tmux to lock session after inactivity (#4737)
  • Prevent user from disabling the screen lock. (#4742)
  • Support session locking with tmux. (#4740)
  • Remove watches since syscall rules cover all cases. (#4706)
  • Update OL8 OSPP profile (#4717)
  • OSPP requirements and selections (#4662)
  • Enable the rngd service for OSPP. (#4733)
  • Move some system-tools rules to be organized with their respective configuration rules (#4726)
  • Harden sshd crypto policy (#4663)
  • Set number of records to cause an explicit flush to audit logs. (#4697)
  • Set hostname as computer node name in audit logs. (#4701)
  • Force frequent session key renegotiation. (#4711)
  • Resolve information before writing to audit logs. (#4695)
  • Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
  • Fix typos in auditd_local_events texts. (#4698)
  • Preprocess references and identifiers during the build time. (#4063)
  • Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
  • Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
  • Disable storing core dumps. (#4650)
  • Add new rule auditd_write_logs (#4649)
  • new rule timer_dnf-automatic_enabled (#4614)
  • New rule auditd_local_events (#4636)
  • Start using oval_sshd_config jinja macros for sshd rules (#4624)
  • Simplify regexp (#4762)

Tests:

  • Fix _check_rule method call in SSG test suite. (#4767)
  • Test suite: set bash and ansible remediation to verbose mode. (#4652)
  • Fix disk configuration in OSPP anaconda kickstart file. (#4716)
  • Add documentation to known issue in the test suite. (#4730)
  • SSG Test suite: Add function to find remediation in the datastream. (#4714)
  • Add test scenarios for configure_usbguard_auditbackend rule (#4753)
  • Fix STIG IDs reference processing (#4725)
  • Add syslog_files rules test scenarios (#4743)
  • ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
  • Add test scenarios for sshd_set_keepalive rule (#4712)
  • Enable unit-testing of bash shared jinja macros (#4702)
  • Parameterize Red Hat's GPG release public key. (#4683)
  • Added stripping of new line when obtaining IP addr by podman inspect (#4692)
  • Fixed an omission. (#4658)
  • Test suite autodetect datastream. (#4657)
  • Testing of set_config_file function with BATS 2 (#4659)
  • Introduce tests for macro that generates OVAL (#4660)
  • Test suite change logging prefix to warning (#4688)
  • Test suite: Set additional SSH options when testing ansible remediations (#4674)
  • Document where test scenarios are located (#4654)
  • Document --url and --extra-repo of install_vm.py script (#4653)
  • Quick fix for CombinedMode _modify_parameters() (#4664)
  • Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
  • Fix regex which looks for line in file configuration. (#4646)

Content 0.1.45 Release Notes

25 Jul 00:03
b59a21d

Highlights:

  • Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
  • RHEL7 ANSSI profiles are now enabled
  • Improvements to profile statistics, check them out in stats job
  • New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

  • rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
  • fedora: pci-dss, ospp
  • rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
  • ol8: hipaa, cjis, pci-dss, ospp
  • wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
  • wrlinux8: basic-embedded
  • rhel6: C2S, CS2, nist-CL-IL-AL
  • chromium: stig
  • firefox: stig
  • ol7: stig, pci-dss

Profiles:

  • Remove unnecessary packages from ospp (#4632)
  • Deduplicate profile files. (#4601)
  • Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
  • Update the RHEL8 profile (#4229)
  • Add rhel7 ccc (Common Criteria Certification) profile (#4361)
  • Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
  • OL8 profiles update (#4374)
  • Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
  • Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
  • misc updates to OSPP profile (#4586)
  • RHVH/RHELH STIG mappings (#4033)

Rules:

  • New rule dnf-automatic_security_updates_only (#4619)
  • Pimp ANSSI up and enable it (#4615)
  • New rule disable_tmux_status_line (#4631)
  • Enable the fapolicyd service for OSPP. (#4623)
  • Install fapolicyd for OSPP. (#4622)
  • new rule dnf-automatic_apply_updates (#4613)
  • Disable storing core dumps. (#4618)
  • Enable the usbguard service in OSPP profiles. (#4611)
  • Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
  • Added a test for uniqueness of CCEs. (#4577)
  • Add remaining rules from CC to OSPP (#4599)
  • Disable the use of user namespaces. (#4569)
  • Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
  • Enable Kernel page-table isolation. (#4566)
  • add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
  • Update OSPP profile with required package checks (#4580)
  • Disable CAN Support. (#4572)
  • Disable ATM Support. (#4571)
  • Disable IEEE 1394 (FireWire) Support. (#4573)
  • update OSPP (#4446)
  • Harden the kernel package filter just-in-time compiler operation. (#4564)
  • Disable access to network bpf() syscall from unprivileged processes. (#4563)
  • Disallow kernel profiling by unprivileged users. (#4547)
  • Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
  • Add nodev Option to /var. (#4542)
  • Add nodev Option to /boot. (#4453)
  • Add nosuid Option to /boot. (#4452)
  • Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
  • Disable chrony daemon from acting as server. (#4445)
  • Disable network management of chrony daemon. (#4449)
  • Map more rules into Anssi policy (#4439)
  • ANSSI network sysctl (#4345)
  • Fix typo. (#4423)
  • Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
  • Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
  • Anssi updates (#4351)
  • OSP13 Checks (#4364)
  • Smartcards auth in OL8 should be done via sssd (#4377)
  • Remove dconf_use_text_backend rule from profiles. (#4375)
  • Make hardened containers smaller (#4357)
  • Scap 1.3 content adjustments (#4353)
  • Generate check and remediation for rules regarding sys controls for links to files you do not own (#4346)
  • Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
  • Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
  • Rename group sap to sap_host (#4332)

Tests:

  • Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
  • Add tests for kernel_module_firewire-core_disabled rule. (#4605)
  • Document combined mode in tests/README.md (#4590)
  • install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
  • Remove ansible_playbook_set_hosts function from test suite (#4576)
  • Add profile metadata override in rule mode (#4578)
  • Fix test scenarios for mount option home nosuid (#4579)
  • Fix minlen test scenarios and include RHEL8 platform (#4450)
  • Print an error message when rule isn't found (#4454)
  • Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
  • Enable the (all) virtual profile in the rule-based test suite. (#4441)
  • Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
  • Install just things needed for the sssd service to run. (#4396)
  • Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
  • Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
  • Fix audit rules openat_o_trunc_write test scenarios. (#4438)
  • Add verbose output to the verbose logs (#4431)
  • Fix broken test scenario name (#4426)
  • Add option for extra repository in install_vm.py script. (#4421)
  • Change test scenarios for rule rpm_verify_permissions (#4344)
  • tests/install_vm.py: Do not abort if ostype detection fails (#4343)
  • Use VM install repo URL on the installed system (#4338)
  • Workaround SCAPVal 1.3.2 NullPointerException (#4339)
  • Use separate partition for /var/tmp in tests/kickstart (#4337)
  • Add test wrapper around SCAPVal tool (#4327)
  • Fix-ups and remote host support for tests/install_vm.py (#4328)