Releases: ComplianceAsCode/content
Releases · ComplianceAsCode/content
Content 0.1.54
Highlights:
- Remove RHEL6 content (#6325)
- Add readthedocs documentation support (#6299)
- Introduce centralised policy definitions (#6499)
Profiles changed in this release:
- ocp4: moderate, cis-node, ncp, e8, cis
- rhel7: anssi_nt28_intermediary, cui, cjis, anssi_nt28_minimal, C2S, anssi_nt28_enhanced, stig, ncp, hipaa, e8, anssi_nt28_high, ospp
- ol7: stig
- rhel8: cui, cjis, anssi_bp28_high, cis, stig, pci-dss, anssi_bp28_intermediary, hipaa, anssi_bp28_minimal, anssi_bp28_enhanced, e8, ospp
- rhcos4: ospp, ncp, e8, moderate
- rhv4: rhvh-stig, rhvh-vpp
- sle12: stig
- ol8: e8
Profiles:
- Add xwindows_runlevel_target to RHEL7 STIG profile (#6420)
- Remove severity adjustments on OL7 STIG profile (#6403)
- Update SMEs and owners (#6448)
- Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml (#6438)
- Fix RHEL8 CIS Benchmark version (#6463)
- Use control selectors in RHEL8 ANSSI profiles (#6505)
- Update e8 profiles to use correct link to E8 Linux guide (#6497)
- Add initial artifacts to support RHEL8 STIG content (#6513)
- Update RHEL7 STIG profile with /var/log/audit related rules (#6430)
- Update ANSSI Minimal and Intermediary requirements (#6520)
- Add dconf_gnome_disable_automount to RHEL STIG profile (#5961)
Rules:
- Added simple lineinfile template (#6389)
- Generate the CPE Dictionary dynamically (#6304)
- Drop remediation for sudo_dedicated_group (#6556)
- ocp4: Add check for audit log forwarding (#6428)
- Change severity of rules according to STIG V3R1 (#6417)
- Add test to grub2_enable_fips_mode to check if /etc/system-fips exists (#6418)
- Moved OVAL CVE Feed metadata from the rule to individual products (#6419)
- Add new rule dir_perms_world_writable_system_owned_group (#6421)
- SRG for ssh_client_rekey_limit (#6409)
- OCP4/CIS: tidy etcd_unique_ca text (#6407)
- add rule ssh_client_use_strong_rng (#6404)
- ocp4/CIS 1.1.20: Fix references in rules (#6401)
- Add OCIL clauses to several openshift rules (#6457)
- compliance-operator: Prepare rules and profiles for productization (#6455)
- ocp4: ovs conf.db: tighten file permissions (#6445)
- fix oval of grub2_kernel_trust_cpu_rng (#6444)
- add ospp reference to configure_libreswan_crypto_policy (#6443)
- ocp4/CIS 1.2.10: Enable checks (#6436)
- Add OVAL for the second rule covering CIS 4.2.10 (#6489)
- Enable checks and remediations for SLES-12 STIGs (#6485)
- Several cleanup patches for CIS 1.2.x (#6480)
- Add new rules for ANSSI BP28 R22 (#6483)
- OCP4: Add CCEs to rules used by the CIS profile (#6478)
- OCP: Cleanup rules in section 1.1 of CIS profile (#6477)
- Add stricter permissions option to file permissions template (#6476)
- Implement a rule for sudoers - ANSSI R60 (#6473)
- CIS: Add two missing OCILs (#6474)
- Support SLES-12-010380, SLES-12-010110, and SLES-12-030150 (#6472)
- Fix some missing extend_definition dependencies (#6465)
- Add support for parameters in sudo_defaults_option template (#6508)
- Add SRG references for use_pam_wheel_for_su rule (#6356)
- update rule postfix_network_listening_disabled (#6509)
- add rules to anssi r12 (#6515)
- Create new rules for ANSSI R39 (#6495)
- Enable checks and remediations for SLES-12 STIGs (#6504)
- Fix jinja expansion on installed_OS_is_vendor_supported (#6511)
- Updates for Anssi requirement 49 (#6510)
- add rule checking if world writable directories are owned by root (#6507)
- Add rule to check if OS is 64-bit when supported by CPU (#6496)
- Add the sudoers_no_command_negation rule - ANSSI R62 (#6498)
- Add rules to enable sudoers options (#6369)
- Add rule to configure group owner of /usr/bin/sudo (#6352)
- Add RHEL8 CCE to ANSSI selected rules (#6494)
- Add rules for Anssi-bp-028 R23 (#6490)
- Add rule to drop sudo 'other' execution permisson (#6363)
- Add new pwquality.conf and faillock.conf rules (#6370)
- Add mount_option and partition rules (#6340)
- Add bios and uefi CPE applicability for grub2 rules (#6286)
- Add rule for password hashing rounds in pam_unix (#6334)
- OCP4/CIS 2.X: Fix descriptions and add checks (#6338)
- Disable OVAL backend from file_permissions grub2_cfg rules (#6277)
- add rule use_pam_wheel_for_su (#6256)
- OCP4/CIS 1.4.1: Remove invalid rule and add reference to actual check (#6329)
- fix remediation of audit_rules_privileged_commands (#6227)
- fix ansible remediation of dir_perms_world_writable_root_owned (#6574)
- fix remediations of dir_perms_world_writable_root_owned (#6558)
- fix selinux_policytype oval regex (#6530)
- ocp4: Add automatic remediation for etcd encryption provider (#6411)
- OCP4/CIS: kubelet_configure_event_creation e2e remediation (#6406)
- Add kubernetes remediation for sysctl_kernel_randomize_va_space (#6456)
- kubernetes: Fix kernel argument template (#6450)
- RHCOS4: Fix sysctl remediations and add tests (#6449)
- More precise modified time comparison in "configure_crypto_policy" (#6437)
- Propagated possibility to select the remediation backend (#6433)
- Fix FIPS checks for RHCOS (#6479)
- disable_ctrlaltdel_burstaction: Take into account
.d/
directory too (#6471) - Make rsyslog_remote_tls regex case insensitive for rsyslogs parameters (#6396)
- Fix bash_dconf_settings to grep whole keyword alike (#6364)
Tests:
- Extend list of rules of unselected rules for testing (#6573)
- Remove noauto for boot partition from test kickstart and ANSSI profiles (#6570)
- Update testing kickstart file partitions (#6555)
- Add cap_audit_write to be able to run sshd in containers (#6557)
- Move uefi_no_removeable_media tests to correct place (#6414)
- Introduce test suite script wrappers (#6405)
- ocp4: Add tests for rhcos4 kernel arguments (#6451)
- OCP: Add missing tests for two rules that are passing by default (#6466)
- configure_crypto_policy test scenario - ensure that both files have same timestamp (#6502)
- Add documentation for variables option in test scenarios. (#6377)
- Implement variable metadata for test scenarios (#6323)
- Remove capture_output option from subprocess.run in SSGTS (#6347)
- Refactored interaction with the tested machine (#6322)
Content 0.1.53
Highlights:
- Remove OCP3 content (#6296)
- Remove SLE11 (#6164)
- Remove Ubuntu 14.04 (#6154)
- Remove Debian8 (#6137)
- Remove JBoss EAP6 (#6119)
- Introduce machine and package platform conditionals to Bash remediations (#6061)
- Introduce package conditionals to Ansible remediations (#6025)
- OCP4: Enhance e2e tests to check individual rules (#6315)
Profiles changed in this release:
- example: example
- fedora: standard, pci-dss
- ol7: pci-dss
- ol8: cjis, pci-dss
- rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
- rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
- jre: stig
- ocp4: cis-node, cis, e8, moderate, ncp
- rhcos4: e8, moderate, ncp
- rhv4: rhvh-vpp, rhvh-stig
- sle15: cis
Profiles:
- Remove unused RHEL7 profiles (#6326)
- Specify the applicable OpenShift version for the CIS profiles (#6288)
- Update e8 references (#6306)
- Add commented section for OCP4 CIS etcd node checks (#6238)
- CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
- Add ocp4-node product (#6124)
- remove rngd related rules from rhcos profiles (#6159)
- Add policy tracking metadata (#6004)
- Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
- Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
- remove package_screen_installed from rhel7 stig (#6072)
- OCP4 CIS profile placeholder and comments (#6121)
- Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
- Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
- remove deprecated sshd config from e8 profile (#6120)
- remove package_tuned_removed from rhel8 ospp (#6191)
- remove rngd related rules from rhel8 ospp and stig (#6157)
- remove package_iptables_installed from rhel8 ospp and stig (#6155)
Rules:
- Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
- Added JRE update and clean prev version controls (#6324)
- fix conflicts of audit rules for privileged commands (#6279)
- Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
- Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
- Add machine platform for rule kernel_trust_cpu_rng (#6300)
- CIS 1.3.6 (#6225)
- Update jre content with more controls and minor fixes (#6295)
- Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
- ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
- Add OCP4 1.3.5 benchmark (#6198)
- ocp4: fix basic-auth check (#6158)
- CIS OCP4 benchmark: 1.3.3 (#6194)
- Fix rule api_server_token_auth for ocp4 (#6193)
- OCP4 - CIS 1.1.5 Add check (#6274)
- ocp4: Add check for CIS 1.2.20 (#6239)
- Cis 5.2.9 (#6250)
- ocp4: Add checkf or CIS 1.2.18 (#6232)
- ocp4: Add check for 1.2.17 (#6231)
- add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
- Updated rule api_server_service_account_public_key for OCP 4 (#6221)
- Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
- ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
- ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
- CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
- Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
- Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
- OCP4 - CIS 1.1.3 Add check (#6272)
- OCP4 - CIS 1.1.1 Add check (#6271)
- Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
- Adding rules for OCP4 CIS 1.2.5 (#6268)
- Api server etcd (#6266)
- Adding rules for OCP4 CIS 1.2.5 (#6268)
- Add rule for OCP4 CIS 1.3.2 (#6262)
- Cis 5.2.7 (#6245)
- Java JRE 8 draft update (#6282)
- fix srgs for new rhel8 stig rules (#6280)
- 1.2.32 add etcd-cafile check for ocp4 (#6253)
- 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
- add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
- Pull request for etcd-encrypt (#6259)
- OCP4 CIS 5.2.3 (#6244)
- Update api_server_audit_log_path to use different apiserver conf file (#6240)
- OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
- OCP4 CIS 5.2.4 (#6242)
- Add OCP4 1.3.7 Benchmark (#6220)
- ocp4: Add check for CIS 1.2.19 (#6236)
- Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
- Api server kubelet https (#6215)
- Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
- Add rule for CIS 4.1.9 (#6210)
- Cis node 4.1.8 (#6196)
- OCP CIS 1.2.7 (#6209)
- Fix rules so no there are no "missing extend_definition" warnings during the build (#6186)
- Fix duplicate assignment of CCE-83396-2 (#6224)
- Completed an existing ocp4 CIS 1.3.4 rule (#6202)
- Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
- add service_kdump_disabled to rhel8 ospp (#6190)
- Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
- fix typos in "references" section of RHEL7 rules (#6188)
- Add some more example content for ocp4 cis profile (#6182)
- Add ISM references (#6143)
- Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
- add mandatory packages to rhel8 ospp (#6181)
- Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
- add rsyslog rules to rhel8 ospp (#6167)
- Remove platform net-snmp from the group and use it in individual rules (#6166)
- Fix severity of RHEL 7 STIG rules (#6110)
- fix rules about sshd idle timeout (#6030)
- Update ANSSI refs (#6052)
- Move grub2_vsyscall_argument to grub2 group (#6129)
- Update rule install hips (#6039)
- Remove zIPL rule for PTI bootloader option (#6065)
- use xccdf variable in audit_audispd_network_failure_action (#6071)
- Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
- Drop "esc" package from install_smartcard_packages rule (#6083)
- Update snmpd_no_default_password (#6050)
- Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
- Fix missing CCE in rules selected by RHEL6 profiles (#6103)
- add ocil to rsyslog_nolisten (#6074)
- Remove extra ocil statement from service_cockpit_disabled (#6092)
- Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
- Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
- Update text of rule account_disable_post_pw_expiration (#6084)
- update srg for smartcard_configure_cert_checking (#6073)
- update accounts_logon_fail_delay (#6040)
- update rule disable_ctrlaltdel_reboot (#6043)
- Remove SRGs from accounts_password_pam_retry (#6045)
- Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
- Update tftpd_uses_secure_mode (#6051)
- Fix SRG mapping of audit rules (#6068)
- Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
- Minor ansible changes that fix failing rules after remediations (#6034)
- Fix typo in SLES12 STIG ID reference (#6036)
- Introduce ability to set check_existence to yaml template (#6177)
- Introduced macros for working with XCCDF values into the wide content (#6048)
- Anaconda moved to pykickstart (#6255)
- Create custom OVAL check for uefi_no_removeable_media (#6276)
- Parametrize rule for login.defs hashing algorithm (#6290)
- As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
- Fix regex in aide rules to consider first letter as uppercase (#6152)
- Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
- Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
- Use resolved profiles in rule playbooks (#6080)
- Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
- Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
- Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
- update accounts_maximum_age_login_defs (#6027)
Tests:
- Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
- OCP4: Add manual remediation capabilities to e2e tests (#6318)
- OCP4: Enhance e2e tests to check individual rules (#6315)
- Remove the option to enable/disable "mask" a service (#6298)
- Update ocp4 e2e test dependencies (#6128)
- Force shutdown of VM if it cannot be shutdown gracefully (#6098)
- e2e/ocp4: Display more verbose logs for e2e tests (#6192)
- ocp4: Don't fail on transcient error (#6161)
- ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
- ocp4: Use ScanSettingBindings for e2e tests (#6297)
- allow install_vm.py to create UEFI based machines (#6285)
- Make sure aide_build_database scenarios do not fail when database dosn't exist (#6183)
- SSGTS various test scenarios metadata updates (#6136)
- Implemented packages metadata to the test suite (#6126)
- SSGTS combined mode: use all profile where applicable (#6146)
- SSGTS various test scenarios metadata updates (part 2) (#6145)
- SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
- Removed profile from test metadata where not needed (#6114)
- Add a test for missing CCEs (#6097)
- Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
- OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
- OCP4: Verify CIS 1.3 section (#6302)
Content 0.1.52
Highlights:
- huge update of rhel7 stig profile
- Introduced a minimal reference-rule mapping generator (#5946)
Profiles changed in this release:
- rhel7: ospp, hipaa, stig
- rhel8: ospp, hipaa, stig
- ocp4: moderate, e8
- ol8: ospp
- rhcos4: moderate, ncp
Profiles:
- Select sshd_disable_rhosts in RHEL7 STIG profile. (#6019)
- Select sshd_disable_user_known_hosts in RHEL7 STIG profile. (#6021)
- Update RHEL7 STIG profile to use pam unlock_time=900. (#6011)
- Remove rules that are not present on RHEL STIG v2r7 anymore. (#5975)
- Update hipaa description (#5957)
- Select uefi_no_removeable_media in DISA RHEL7 STIG profile (#5987)
- Update dconf_gnome_disable_ctrlaltdel_reboot and select it in RHEL7 STIG profile (#5993)
- Add new rule dconf_gnome_disable_ctrlaltdel_logout to RHEL7 STIG (#5992)
- Add a missing Crypto Policy rule to OSPP. (#6007)
Rules:
- Introduced rule to disable XDMCP in gdm (#5997)
- Update OVAL check and remediations for sshd_use_priv_separation. (#6022)
- Set sshd_do_not_permit_user_env to pass even with missing parameter. (#6018)
- Update network_sniffer_disabled (#6000)
- Add Fedora product to package_bind_removed rule prodtype (#6017)
- Fixed dconf_gnome_screensaver_idle_activation_enabled wrt RHEL7 STIG (#6016)
- Update sle15 product with specific package names and permissions (#6012)
- Update RHEL7 STIG id for grub2_uefi_password to match RHEL >= 7.2. (#6009)
- Added SRG to configure_ssh_crypto_policy (#6008)
- update severity of package_vsftpd_removed (#6002)
- remove srgs from package_openssh-server_installed (#6001)
- implement V-72095 for stig (#5985)
- remove nonexistent srg from audit_rules_usergroup_modification_opasswd (#5998)
- Fix minor description issue in dconf_gnome_login_banner_text (#5994)
- remove redundant srg from audit_rules_privileged_commands_umount (#5983)
- Add RHEL7 STIG ID to sysctl_net_ipv4_conf_default_rp_filter (#5990)
- Add RHEL7 STIG ID to sysctl_net_ipv4_conf_all_rp_filter (#5989)
- Remove extra zero on SRG ref mapping from kernel_module_dccp_disabled (#5991)
- Remove duplicated STIG ID entry in libreswan_approved_tunnels (#5988)
- Add an evaluation for OpenShift allowedRegistries (#5906)
- Add ansible remediation for accounts_have_homedir_login_defs (#5942)
- fix descriptions of rules audit_rules_privileged_command_* (#5980)
- fix descriptions and ocils of audit_rules_execution_* (#5981)
- Update DISA CCI for rpm_verify_hashes (#5979)
- Remove wrong CCI number from no_files_unowned_by_user (#5966)
- Fix typo in OCIL checking command for file_groupownership_home_directories (#5968)
- remove perm=x from rules about auditing of privileged commands (#5956)
- Update rule dconf_gnome_screensaver_lock_locked (#5959)
- Fix syntax in OCIL checking command for accounts_user_dot_no_world_writable_programs (#5969)
- remove SRG mapping from audit_rules_dac_modification_lsetxattr (#5962)
- Update kernel_module_disabled template to add modules into exclude list (#5963)
- Fix typo in grub password rules (#5964)
- Update dconf_gnome_banner_enabled to use local.d dconf database (#5951)
- Use full CCI and STIG identifiers (#5606)
- Add grub2 platform to grub2 kernel option rules (#5952)
- add xccdf variable into ocil of auditd_data_retention_action_mail_acct (#5953)
- Update rpm_verify_hashes according to STIG RHEL7 v2r7 (#5918)
- Remove OVAL check from rule install_antivirus (#5947)
- Update aide_verify_ext_attributes OVAL and Bash (#5945)
- Update aide_verify_acls (#5941)
- Reference relevant OSPP requirements that depend on correct crypto-policy selection via var_system_crypto_policy (#5935)
- The OSPP requirements for cryptographically verifying the integrity of updates are FPT_TUD_EXT.1.2 and FPT_TUD_EXT.2.2 (#5934)
- The CC/OSPP requirement for handling authentication failures is FIA_AFL.1 (#5933)
- The CC/OSPP requirement for the TOE access banner is FTA_TAB.1 (#5932)
- Harden OpenSSL crypto policy (#5925)
- Update file permissions/ownership/group bash template to better support "file_regex" parameter (#5921)
- Add template for zIPL boot entry option (#5908)
- fix rule selinux_all_devicefiles_labeled (#5911)
- Reorganize zIPL rules (#5888)
- add missing cces to rules in ism_o profile (#5913)
- Converted kube remediation to use the macro (#5904)
- Revert back OVAL check for sshd_disable_compression to use xccdf variable. (#6031)
- Update ansible additional when statement to fix issues with rules not being applied to vm's (#5995)
- Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services (#6014)
- Update accounts_passwords_pam_faillock_unlock_time to work with "never" as value (#6003)
- Cleanup audit_rules_login_events ansible remediation template (#5978)
- Update auditd audispd configure remote server (#5949)
- Add ansible remediation for dconf_gnome_screensaver_idle_activation_locked (#5960)
- Update OVAL check and remediation for aide_use_fips_hashes (#5972)
Tests:
- Remove Fedora platform from test scenarios working with FIPS:OSPP crypto policy (#6023)
- Introduce quick tests (#6013)
- Remove SCAP-1.3 SCAPVAL workarounds (#6005)
- add tests to audit_rules_kernel_module_loading_finit (#5999)
- add tests to audit_rules_usergroup_modification template (#5996)
- Use helper functions to install dconf and gdm. (#5970)
- Enabled support for both podman2 in the ssg test suite. (#5924)
- Print different command to get IP address when using fish shell. (#5907)
Content 0.1.51
Highlights:
- Add SSG content for McAfee VSEL (#5864)
- Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
- Add RHCOS4 product (#5775)
- Add ubuntu cis profile (#5750)
Profiles changed in this release:
- rhel8: ospp, cis, ism_o, stig
- ocp4: cis, moderate, platform-moderate, coreos-ncp, opencis-node, ncp, e8
- vsel: stig
- rhcos4: coreos-ncp, ncp, moderate, e8
- firefox: stig
- rhel7: cis, stig
- sle15: cis
- ubuntu1804: cis
Profiles:
- Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
- Attribute credit for CIS content (#5779)
- Update CoreOS profile to short name (#5834)
- rhcos4: Remove checks for nmcli permissions (#5826)
- Sle15 cis (#5807)
- Add ubuntu cis profile (#5750)
Rules:
- Add stigid reference to rpm_verify_ownership according to STIG RHEL7 v2r7 (#5919)
- Fix file regex in OCP3 content (#5920)
- Fix of issues seen with OpenShift 3.11 (#5860)
- Add zipl and grub2 CPEs (#5905)
- Add ocp rules to cis profile (#5872)
- Update RHEL7 documentation link for grub2_uefi_admin_username. (#5890)
- fix filename in configure_openssl_crypto_policy (#5885)
- Add SSG content for McAfee VSEL (#5864)
- Add 'bls_audit_option' rule (#5793)
- Add OCP XCCDF CIS policy rules (#5833)
- Updating Firefox content (#5858)
- OCP4 allowed registries (#5839)
- Template for yamlfilecontent checks (#5758)
- Remove grub documentation links from RHEL7 rationale (#5851)
- More CIS OCP checks (#5837)
- Update OCP permissions add master, worker, and general content changes (#5838)
- Add OCP4 CIS API server XCCDF content (#5843)
- Add support for blacklisting directories when doing system-wide file scans (#5804)
- Finish RHCOS product migration (#5835)
- Add missing CCEs for CIS RHEL8 (#5781)
- Update unowned user rule warning (#5806)
- Add dev_shm rules to rhel7 stig profile (#5830)
- add rule ssh_client_rekey_limit (#5788)
- pkgname@debian auditd (#5809)
- Add RHCOS4 product (#5775)
- Add rules to configure zIPL (#5784)
- Made the rule sshd_rekey_limit parametrized (#5772)
- Introduced a rule that uses non-standard yaml checks (#5326)
- Cis partitions rules (#5749)
- Add Ansible for ensure_logrotate_activated (#5753)
- Change oval check to verify if we're in OCP4 (#5824)
- Use templates to generate Machineconfigs (#5814)
- Simplify check for no_shelllogin_for_systemaccounts (#5810)
- change sshd rekey limit to 1G 1 hour in rhel8 ospp (#5782)
- Create macro for selinux ansible/bash remediation. (#5785)
- Fix ansible/bash remediation for rule grub2_enable_selinux. (#5787)
- fix rhel8 hipaa ansible playbook (#5777)
- Add Ansible for audit_rules_system_shutdown (#5761)
- Add Bash and Ansible remediations for sshd_set_max_sessions (#5757)
Tests:
- test_parse_affected.py: Handle empty rendered content (#5840)
- Add test scenario for sshd_rekey_limit to cover OSPP profile (#5827)
- add simple tests for sshd_do_not_permit_user_env (#5829)
- Remove result files when test scenarios pass (#5812)
- ocp4: Test amount of check results for scans (#5803)
- ocp4: Check for diminishing failures in e2e test (#5794)
- ocp4: Create complianceSuites in debug mode (#5798)
- OCP4: Add remediation equality unit tests (#5743)
Content 0.1.50
Highlights:
- Add initial macOS content (#5334)
- Feature suse 15 (#5305)
- Add RHEL 7 and RHEL8 CIS profiles
- Add SLE15 CIS Profile
- RHV4 product is now el8 based (#5352)
Profiles changed in this release:
- ocp4: moderate, coreos-ncp, e8
- rhel7: cis, rhelh-stig, C2S, stig
- rhv4: rhvh-vpp, rhvh-stig
- rhel8: cis, stig
- sle15: cis, standard
- ol7: stig
- macos1015: moderate
Profiles:
- ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
- Added warning about profile not working with GUI systems. (#5734)
- OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
- ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
- ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
- ocp4: enable sysctl security settings in moderate profile (#5591)
- ocp4: Enable sysctl file system settings in moderate profile (#5592)
- change rules for disabling ipv6 in CIS profile (#5574)
- macOS build fixes (#5347)
- ocp4: Remove the rule that disables user namespaces (#5268)
- fix rule sshd use approved macs (#5300)
- Feature suse 15 (#5305)
- Add Initial RHEL 7 CIS profile (#5306)
- Clear up coreos profile titles and descriptions (#5280)
Rules:
- Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
- Update sshd crypto policy for CC (#5742)
- Create machine configuration for the rule no tmux in shells (#5641)
- Fix several audit-related ignition remediations (#5651)
- Ubuntu1804/cis kernel module rules (#5722)
- update prodtype for sysctl_net_ipv4_ip_forward (#5679)
- Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
- ocp4: Add missing AC-1 checks to moderate profile (#5718)
- Add missing CCE for sshd_set_max_sessions rule (#5710)
- Fix audit_basic_configuration ignition remediation (#5642)
- Reference should not point to OS version. (#5660)
- Warn about only local user backends being considered (#5657)
- remove remediations for configure_etc_hosts_deny (#5652)
- New Ignition files for audit and SSHD (#5640)
- Fix template mount_option_removable_partitions (#5278)
- Added more SLES Support (#5613)
- Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
- Update ol7 stig references and severity values (#5575)
- Issue 5529 (#5579)
- add missing cce for sshd_disable_tcp_forwarding (#5614)
- Update sshd disable x11 forwarding (#5610)
- Allow tcp forwarding (#5607)
- update limit-related rules to allow limits.d (#5600)
- Feature suse15 cis (#5578)
- Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
- fix sshd_allow_only_protocol2 (#5582)
- Feature sle15 cis (#5567)
- Issue 5524 (#5554)
- Add e8 profile for ocp4 (#5560)
- Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
- Added OL product support to stig rules (#5556)
- Fix ol8 condition in accounts-physical rules (#5559)
- Move RHV4 product to be el8 based (#5352)
- Feature suse 15.1 (#5548)
- fix rule disabling ipv6 through grub2 (#5547)
- add rule ntpd_run_as_ntp_user (#5291)
- Add missing CCEs to rules from RHEL7 CIS profile (#5546)
- add ntpd_configure_restrictions for rhel7 (#5282)
- Update rhel7 CIS selections (#5349)
- add rules for checking legacy "+" entries in passwd related files (#5339)
- add grub2_disable_ipv6 (#5324)
- Add initial macOS content (#5334)
- Add rules to check permissions and owner of important backup account files (#5317)
- Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
- Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
- Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
- add rule configure_etc_hosts_deny (#5332)
- Select new rules in RHEL 7CIS Profile (#5331)
- Add missing CCEs for rules from CIS profile (#5329)
- add rule package_openldap-clients_removed (#5316)
- add rule package_libselinux_installed (#5312)
- Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
- Banner and cron permissions and owners (#5302)
- Select rules for audit login events (#5296)
- Select package_audit_installed (#5292)
- Update audit data retention selects and variables (#5294)
- remove ntp mention from rule title (#5309)
- Feature suse 15 (#5311)
- add rule service_rsyncd_disabled (#5318)
- Select rules for system file permissions (#5301)
- Select rules for SSH and add references (#5297)
- Parametrized the sshd_use_approved_ciphers rule (#5308)
- add chronyd_run_as_chrony_user (#5298)
- Add rules for Chrony on rhel8 (#5273)
- Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
- Extracted a grub superuser username rule from the grub2_password rule (#5276)
- Add XCCDF conflicts and requires (#5281)
- Initial RHEL 8 CIS profile (#5236)
- Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
- fix grub2_bootloader_argument template (#5756)
- Add Ansible for kernel_module_ipv6_option_disabled (#5737)
- Ansible remediation and tests for audit_rules_immutable (#5609)
- add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
- Add Ansible fixes for audit time rules (#5720)
- Add audit field to the Ansible syscall macros (#5724)
- add Ansible remediation and tests for audit_rules_session_events (#5721)
- Introduce Ansible macros for remediating Audit syscall rules (#5709)
- fix ansible remediations to avoid creating duplicate entries (#5650)
- Update Ansible when statement to handle only containers (#5052)
- add ansible and tests to audit_rules_mac_modification (#5638)
- Fix missing ignition remediations (#5644)
- add ansible remediation to audit_rules_kernel_module_loading (#5594)
- Fix audit_rules_privileged_commands remediation (#5569)
- Fix rule
banner_etc_motd
(#5319) - Improved handling of grub2 password/admin checks. (#5313)
- Ansible audit sysadmin actions (#5288)
- Simplify banner text syntax and add utility to generate banner regular expression (#5050)
Tests:
- Fix incomplete temporary file (#5747)
- Add unit test for kubernetes object remediations (#5636)
- ocp4: Expand unit tests to validate profile selections (#5648)
- Flush the write buffers after write. (#5748)
- Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
- Added possibility of the test suite to expand platforms of the benchmark (#5550)
- Fix SSGTS when running with python3 and writing binary data to file. (#5711)
- shared/partition.sh: Increase the size of a test device (#5566)
- ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
- Skip generation of remediation when using special the default profile (#5571)
- Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
- Fix test scenarios for auditd_data_retention_flush rule (#5624)
- ocp4/e2e: display remediations for second scan (#5585)
- ocp4: e2e test continuation (#5354)
- ssg test suite: wait 30 seconds for reboot to finish (#5572)
- Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
- ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
- add configure_etc_hosts_deny to ignored rules (#5348)
- ocp4: reset client in e2e tests after installing operator (#5344)
- ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
- ocp4: Add go dependencies to test directory (#5338)
- Extend timeout for VM restarts (#5330)
- ocp4: Add initial e2e test (#5321)
- SSGTS: addressed incompatibilities with python2 (#5295)
- SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)
Content 0.1.49
Highlights:
Profiles changed in this release:
- ol8: pci-dss, e8, ospp
- rhel8: pci-dss, stig, ospp
- ocp4: coreos-ncp, moderate
- sle12: stig
- rhel7: stig
Profiles:
- Add OL8 Essential Eight profile (#5211)
- Remove ocp4 checks (#5216)
- Update OL8 PCI-DSS profile (#5191)
- Add rsyslog TLS configuration to STIG (#5167)
- Re-add configure_firewalld_rate_limiting to rhel7 stig profile (#5168)
- remove Rsyslog rules from OSPP for Rhel8 (#5158)
- ocp4/moderate: Remove check for AIDE package (#5146)
- PCI-DSS profile should install audispd plugins (#5124)
- Adjust OL8 OSPP profile (#5210)
- ocp4/moderate: Enable more kernel module checks (#5136)
- ocp4: Add controls that cover AC-2 better (#5134)
- rhel8: modify rule selections for OSPP and STIG to meet baselines (#5181)
- Enable rules that cover AU-9 better in OCP4 moderate profile (#5138)
- ocp4/moderate: Add CM-* checks (#5129)
- Add moderate profile (#5128)
- Add dconf_db_up_to_date to RHEL8 STIG profile. (#5274)
Rules:
- Sort prodtypes lexicographicaly (#5130)
- Added OL support to ospp profile rules (#5203)
- Update rpm_verification group rules with OL support (#5204)
- Add OL support to packages and services rules (#5198)
- Add OL support to policy audit rules (#5197)
- Add OL support to configuring_ipv6 rules (#5196)
- Add OL support to the partitions mount rules (#5195)
- Add OL support to accounts user_umask rules (#5194)
- Also remove 389-ds LDAP server (#5186)
- Add check for read-write SNMP users (#5185)
- Add RADIUS group and rule to remove server (#5188)
- Permit setting sshd GSSAPI to yes (#5184)
- Stig sle12 security patches up to date (#5192)
- network_host_and_router_parameters group as machine-only (#5190)
- Remove krb5-server (#5187)
- Permit enforcement of nosuid on /var (#5183)
- Add CCE identifier for openssh-server installed (#5189)
- create checks for (grub2|uefi)_no_removeable_media (#5178)
- Map missing SRG rules (#5177)
- Split rule for audit sample rules according to audit component (#5110)
- Add and fix few entries of SRG mapping (#5170)
- create new rule for ipv4 tcp rate limiting through sysctl (#5126)
- Add a rule for the openssl strong entropy wrapper (#5127)
- Update OVAL templates with oval_affected macro. (#5148)
- Add CCE identifiers to OCP moderate profile rules (#5149)
- Add ocp4 prod to grub2_enable_fips_mode (#5140)
- Add CoreOS CCE for service_auditd_enabled (#5133)
- Added a few NIST references to audit related rules (#5131)
- Add a shell lineinfile template (#5109)
- Check EKU in rsyslog remote configuration (#5119)
- audit package on ubuntu* is auditd. (#5117)
Tests:
- fix wrong value in test scenario (#5214)
- Introduce resolved profiles, and test for profile stability (#5209)
- Fix newline discrepancies in jinja macros for file content (#5202)
- fix regex in accounts_passwords_pam_faillock_deny (#5166)
- Add support to Ignition remediation type (#5137)
- Update crypto policies ospp scenarios (#5121)
- Don't check for path length of logs directory (#5122)
Content 0.1.48
Highlights:
- New product added for Debian 10 (debian10)
- New product added for Red Hat OpenStack Platform 10 (rhosp10)
- New draft Profile for RHEL8 STIG
Profiles changed in this release:
- rhosp10: cui, stig
- debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
- rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
- rhel7: e8, sap
- ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
- sle12: stig
Profiles:
- Add security autoupdates to the RHEL8 E8 profile. (#5107)
- E8: ensure there is a single account with uid zero (#5105)
- Add draft RHELH content for rhel8 (#5040)
- Remove SSSD rules from RHEL8 OSPP Profile (#5032)
- Updated the e8 profile for RHEL8. (#5024)
- Add draft RHEL8 STIG profile (#4991)
- Remove coreos-fedramp profile (#4994)
Rules:
- Rhosp10 (#5019)
- Add debian10 content (#5058)
- Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
- Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
- Update NIST 800-53 mappings (#5083)
- NIST 800-53 Mapping Updates (#5079)
- Delete rules in favour of package_subscription-manager_installed (#5059)
- Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
- Add missing CCE for package_telnetd_removed rule (#5090)
- PermitUserEnvironment Checks For Incorrect Setting (#5087)
- Use the FIPS:OSPP Crypto Policy (#5072)
- Enable ansible template for service_fapolicyd_enable rule. (#5064)
- modify usbguard_allow_* rules to use new match-all keyword (#5055)
- Stig sle12 initial (#4847)
- Update api-server XCCDF and OVAL for ocp4-isms (#5039)
- Mark rules as platform: machine. (#5062)
- Fix OVAL applicability for RHV4 (#5053)
- Remove configure_fapolicyd_mounts rules from profiles. (#5057)
- Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
- Update api-server rules (#5034)
- Coreos build - enable more rules (#5018)
- Various minor fixes (#5025)
- Update etcd rules (#5008)
- [WIP] Add SAP profile to rhel (#3551)
- Add missing CCEs to rules from STIG profile (#5021)
- Add some NIST mappings for FISMA high (#4932)
- Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
- Ansible tasks fixes (#5004)
- make aide_periodic_cron_checking accepting broader array of time specs (#4989)
- SRG Mapping - misc rules (#4969)
- additional srg mappings (#4981)
- Verified that proper SRGs are in rules that need to be added (#4987)
- adding DISA SRG references to rules found in the OSPP profile (#4877)
- OCP4 content cleanup (#4970)
- Add Network Policies rule to OCP (#4934)
- Make coreos-ncp.profile buildable (#5001)
- Added SRG rule for auditd_audispd_configure_remote_server (#4988)
- DISA STIG SRG mappings (#4940)
- added SRG rule for Exec Shield (#4982)
- Day 2 - Yasir's Contributions (#4975)
- day 2 changes to rules with SRG info (#4974)
- add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
- Added SRG to rules (#4968)
- mapped ipv4 and ipv6 SRGs to rules (#4967)
- add SRG to rule (#4966)
- Updated to include SRG number (#4971)
Tests:
- oscap: modify using variables in the printf format (#5063)
- Improve fine-tuning of rule/group ordering (#5078)
- Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
- Extend waiting time till virtual machine is again in RUNNING state (#5041)
- SSGTS: Use wildcards instead of matching substring (#5029)
- Add waiting for RUNNING state of virtual machine (#5023)
- Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
- Fixed the remediation for rsyslog_files_permissions (#4906)
Content 0.1.47
Highlights:
- New product added Debian 9 (debian9)
- New product added OpenShift container Platform 4 (ocp4)
- Add Essential Eight profiles
- New templating system enabled by default
- Move SSGTS test scenarios closer to rule definitions
Profiles changed in this release:
- rhel7: e8, C2S, ospp
- rhel8: e8, ospp
- debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
- ocp4: coreos-ncp, opencis-node
- ocp3: opencis-master
- fedora: ospp
- rhel6: C2S, stig
Profiles:
- Add Essential Eight profiles (#4859)
- Remove openshift api_server_profiling check (#4944)
- Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
- Extend SSH session to timeout while stilll allowing session to disconnect (#4954)
- Add coreos NCP profile (#4865)
- Add rules for FISMA Low to CoreOS NCP (#4873)
Rules:
- SSG debian9 (#4928)
- ocp4: Initial build system support for the OCP4 product (#4908)
- Don't require that files exist when path is regex (#4960)
- Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
- Add missing CCEs (#4956)
- Add missing prodtypes for apt rules (#4930)
- Compare suid/sgid files with the RPM database (#4648)
- Add check to set /etc/motd similar to /etc/issue (#4947)
- Set default to match syslog default (#4948)
- Add package rules to OSPP profile (#4953)
- Fill in the samples with the value from our variable (#4949)
- Add postfix relayhost check (#4950)
- Add rule to check cockpit service status (#4939)
- Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
- Added missing CCEs. (#4919)
- Fix missing OVAL in some of RHEL 8 rules (#4927)
- Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
- Generate OCIL check for cramfs kernel module (#4918)
- Added OCIL for mount option-type of rules. (#4910)
- Update remetiation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
- Ported the sysctl macros to the new system. (#4843)
- Made the new templating system work with Python2.6. (#4897)
- Add WRLinux 10.19 to prodtype (#4903)
- Fix typo and add ocil clause to package_audit_installed. (#4827)
- Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
- Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
- Map AC-17 (#4894)
- Map AC-6(9) (#4895)
- Map AC-17(2) to crypto SSH policies (#4892)
- Add rule for NIST AC-18(4) (#4889)
- Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
- Map AU-7 and AU-10 to audit package (#4890)
- Run tmux only right after sshd/login (#4885)
- Fix missing content in datastreams generated by new templating system (#4883)
- Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
- Fix dnf timer rule (#4882)
- Map AU-9(3) and AU-5(2) for CoreOS (#4880)
- Update list of packages installed in RHEL8 OSPP (#4876)
- Map OCP SCC to Kubernetes benchmark (#4867)
- Merge SELinux Boolean templates and migrate them to new system (#4860)
- Fix rhel6 nist mapping typo (#4872)
- Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
- Add require_emergency_target_auth and update require_singleuser_auth (#4850)
- Enable file permissions templates in new templating system (#4857)
- Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
- Add checks for crontab and supporting cron directories (#4858)
- Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
- Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
- Postfix network listening to loopback-only (#4832)
- Update rsyslog rules description (#4839)
- Updated the rule description of configure_fapolicyd_mounts (#4835)
- Fix accounts password rules template name (#4836)
- New templating system (#4809)
- Break out api_server_service_account_key into multiple rules (#4831)
- Add openvswitch permission rules (#4830)
- AIDE periodic crontab check modification (#4824)
- Disable Mounting of FAT filesystems (#4815)
- insecure-port should not be configured (#4821)
- Fix kubelet_enable_streaming_connections Rule (#4823)
- Assign CCEs to SSH permission checks (#4819)
- Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
- Ensure proper permissions on /etc/ssh/sshd_config (#4812)
- Fix /etc/shadow permissions documentation (#4813)
- Improve template grub2 argument (#4786)
- making hardening of sshd crypto policy alligned with OSPP (#4799)
- Disable Kerberos by removing host keytab. (#4793)
- Move audit rules to correct group (#4778)
- Configure TLS for rsyslog remote logging. (#4781)
Tests:
- Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
- Use only first occurence from /etc/mtab (#4959)
- ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
- Add basic test scenarios for a few audit rules (#4907)
- Made templates product-specific. (#4841)
- Simplified the test_suite command-line. (#4808)
- Changed owner of files in the test suite tarball. (#4797)
- [WIP] Enable test suit support for podman executed by non-privileged user (#4544)
- Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
- fix grub2_argument bash remediation (#4891)
- Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
- Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
- SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
- Add test scenarios for rsyslog_remote_tls (#4788)
- SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
- ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
- Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
- Clean up partition before performing test for mount_option_tmp_noexec (#4795)
- Move SSGTS test scenarios closer to rule definitions (#4741)
Content 0.1.46
Highlights:
- SCAP 1.3 Data Streams are now the default (#4755)
- 1.2 Data Streams are suffixed with
-1.2.xml
- 1.2 Data Streams are suffixed with
- OSPP consolidation (#4705)
- RHEL7
ospp
Profile renamed to NIST National Checklist Program Profile, under IDncp
. - RHEL7
ccc
Profile is renamed toospp
, as it is better aligned with OSPP 4.2.1. - RHEL7
ospp42
Profile is deprecated.
- RHEL7
Profiles changed in this release:
- rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
- wrlinux1019: draft_stig_wrlinux_disa
- rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
- rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
- rhv4: rhvh-stig, rhvh-vpp
- debian8: standard, anssi_np_nt28_restrictive
- ubuntu1404: standard, anssi_np_nt28_restrictive
- ubuntu1604: standard, anssi_np_nt28_restrictive
- ubuntu1804: standard, anssi_np_nt28_restrictive
- ol8: ospp, cjis, hipaa, pci-dss
- fedora: ospp, pci-dss
- ol7: stig, pci-dss
Profiles:
- Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
- Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
- RHEL OSPP Profile Restructuring (#4754)
- NCP Profile extends OSPP profile (#4764)
- Rule grub2_vsyscall_argument is informational in OSPP (#4763)
- Add suport for XCCDF rule-refine (#4750)
- Profile Restructuring (#4736)
- Update OL8 HIPAA profile (#4718)
- Update OL8 CJIS profile (#4719)
- Adding SELinux rules into OSPP profile (#4735)
- Fix section titles. (#4738)
- Remove GNOME rules from rhel7/ospp (#4724)
- The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
- When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
- Cleanup the RHEL7 ccc.profile, minimally (#4691)
- Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)
Rules:
- Enable fapolicyd to watch all system mountpoints. (#4773)
- Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
- Ensure rsyslog-gnutls is installed. (#4775)
- IASE was migrated to DOD Cyber Exchange (#4768)
- Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
- Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
- Update CSRF cookie secure (#4761)
- Add mask_service parameter to services disabled template. (#4633)
- Add new rhel8 aux gpg pubkey (#4675)
- Add new package installed rule specific for RHEL8. (#4673)
- Delete unused/unwanted dconf_use_text_backend rule. (#4684)
- Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
- extend oval check of configure_crypto_policy (#4757)
- Update STIG Antivirus Language (#4745)
- Log USBGuard daemon audit events using Linux Audit. (#4747)
- Harden ssh client crypto policy (#4681)
- Expanded and cleaned up csv templates. (#4739)
- SSH service rules for SLE12 (#4289)
- Single rule to configure audit rules for OSPP (#4680)
- update STIG antivirus language (#4341)
- Configure tmux to lock session after inactivity (#4737)
- Prevent user from disabling the screen lock. (#4742)
- Support session locking with tmux. (#4740)
- Remove watches since syscall rules cover all cases. (#4706)
- Update OL8 OSPP profile (#4717)
- OSPP requirements and selections (#4662)
- Enable the rngd service for OSPP. (#4733)
- Move some system-tools rules to organized with their respective configuration rules (#4726)
- Harden sshd crypto policy (#4663)
- Set number of records to cause an explicit flush to audit logs. (#4697)
- Set hostname as computer node name in audit logs. (#4701)
- Force frequent session key renegotiation. (#4711)
- Resolve information before writing to audit logs. (#4695)
- Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
- Fix typos in auditd_local_events texts. (#4698)
- Preprocess references and identifiers during the build time. (#4063)
- Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
- Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
- Disable storing core dumps. (#4650)
- Add new rule auditd_write_logs (#4649)
- new rule timer_dnf-automatic_enabled (#4614)
- New rule auditd_local_events (#4636)
- Start using oval_sshd_config jinja macros for sshd rules (#4624)
- Simplify regexp (#4762)
Tests:
- Fix _check_rule method call in SSG test suite. (#4767)
- Test suite: set bash and ansible remediation to verbose mode. (#4652)
- Fix disk configuration in OSPP anaconda kickstart file. (#4716)
- Add documentation to known issue in the test suite. (#4730)
- SSG Test suite: Add function to find remediation in the datastream. (#4714)
- Add test scenarios for configure_usbguard_auditbackend rule (#4753)
- Fix STIG IDs reference processing (#4725)
- Add syslog_files rules test scenarios (#4743)
- ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
- Add test scenarios for sshd_set_keepalive rule (#4712)
- Enable unit-testing of bash shared jinja macros (#4702)
- Parameterize Red Hat's GPG release public key. (#4683)
- Added stripping of new line when obtaining IP addr by podman inspect (#4692)
- Fixed an omission. (#4658)
- Test suite autodetect datastream. (#4657)
- Testing of set_config_file function with BATS 2 (#4659)
- Introduce tests for macro that generates OVAL (#4660)
- Test suite change logging prefix to warning (#4688)
- Test suite: Set additional SSH options when testing ansible remediations (#4674)
- Document where test scenarios are located (#4654)
- Document --url and --extra-repo of install_vm.py script (#4653)
- Quick fix for CombinedMode _modify_parameters() (#4664)
- Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
- Fix regex which looks for line in file configuration. (#4646)
Content 0.1.45 Release Notes
Highlights:
- Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
- RHEL7 ANSSI profiles are now enabled
- Improvements to profile statistics, check them out in stats job
- New OVAL, Bash and Ansible macros for rules that check for parameter and value
Profiles changed in this release:
- rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
- fedora: pci-dss, ospp
- rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
- ol8: hipaa, cjis, pci-dss, ospp
- wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
- wrlinux8: basic-embedded
- rhel6: C2S, CS2, nist-CL-IL-AL
- chromium: stig
- firefox: stig
- ol7: stig, pci-dss
Profiles:
- Remove unnecessary packages from ospp (#4632)
- Deduplicate profile files. (#4601)
- Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
- Update the RHEL8 profile (#4229)
- Add rhel7 ccc (Common Criteria Certification) profile (#4361)
- Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
- OL8 profiles update (#4374)
- Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
- Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
- misc updates to OSPP profile (#4586)
- RHVH/RHELH STIG mappings (#4033)
Rules:
- New rule dnf-automatic_security_updates_only (#4619)
- Pimp ANSSI up and enable it (#4615)
- New rule disable_tmux_status_line (#4631)
- Enable the fapolicyd service for OSPP. (#4623)
- Install fapolicyd for OSPP. (#4622)
- new rule dnf-automatic_apply_updates (#4613)
- Disable storing core dumps. (#4618)
- Enable the usbguard service in OSPP profiles. (#4611)
- Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
- Added a test for uniqueness of CCEs. (#4577)
- Add remaining rules from CC to OSPP (#4599)
- Disable the use of user namespaces. (#4569)
- Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
- Enable Kernel page-table isolation. (#4566)
- add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
- Update OSPP profile with required package checks (#4580)
- Disable CAN Support. (#4572)
- Disable ATM Support. (#4571)
- Disable IEEE 1394 (FireWire) Support. (#4573)
- update OSPP (#4446)
- Harden the kernel package filter just-in-time compiler operation. (#4564)
- Disable access to network bpf() syscall from unprivileged processes. (#4563)
- Disallow kernel profiling by unprivileged users. (#4547)
- Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
- Add nodev Option to /var. (#4542)
- Add nodev Option to /boot. (#4453)
- Add nosuid Option to /boot. (#4452)
- Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
- Disable chrony daemon from acting as server. (#4445)
- Disable network management of chrony daemon. (#4449)
- Map more rules into Anssi policy (#4439)
- ANSSI network sysctl (#4345)
- Fix typo. (#4423)
- Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
- Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
- Anssi updates (#4351)
- OSP13 Checks (#4364)
- Smartcards auth in OL8 should be done via sssd (#4377)
- Remove dconf_use_text_backend rule from profiles. (#4375)
- Make hardened containers smaller (#4357)
- Scap 1.3 content adjustments (#4353)
- Generate check and remediation for rules regarding sys controls for links to file you not own (#4346)
- Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
- Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
- Rename group sap to sap_host (#4332)
Tests:
- Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
- Add tests for kernel_module_firewire-core_disabled rule. (#4605)
- Document combined mode in tests/README.md (#4590)
- install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
- Remove ansible_playbook_set_hosts function from test suite (#4576)
- Add profile metadata override in rule mode (#4578)
- Fix test scenarios for mount option home nosuid (#4579)
- Fix minlen test scenarios and include RHEL8 platform (#4450)
- Print an error message when rule isn't found (#4454)
- Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
- Enable the (all) virtual profile in the rule-based test suite. (#4441)
- Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
- Install just things needed for the sssd service to run. (#4396)
- Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
- Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
- Fix audit rules openat_o_trunc_write test scenarios. (#4438)
- Add verbose output to the verbose logs (#4431)
- Fix broken test scenario name (#4426)
- Add option for extra repository in install_vm.py script. (#4421)
- Change test scenarios for rule rpm_verify_permissions (#4344)
- tests/install_vm.py: Do not abort if ostype detection fails (#4343)
- Use VM install repo URL on the installed system (#4338)
- Workaround SCAPVal 1.3.2 NullPointerException (#4339)
- Use separate partition for /var/tmp in tests/kickstart (#4337)
- Add test wrapper around SCAPVal tool (#4327)
- Fix-ups and remote host support for tests/install_vm.py (#4328)