Releases: ComplianceAsCode/content

Content 0.1.48

15 Jan 19:37
b3f50c3

Highlights:

  • New product added for Debian 10 (debian10)
  • New product added for Red Hat OpenStack Platform 10 (rhosp10)
  • New draft Profile for RHEL8 STIG

Profiles changed in this release:

  • rhosp10: cui, stig
  • debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
  • rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
  • rhel7: e8, sap
  • ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
  • sle12: stig

Profiles:

  • Add security autoupdates to the RHEL8 E8 profile. (#5107)
  • E8: ensure there is a single account with uid zero (#5105)
  • Add draft RHELH content for rhel8 (#5040)
  • Remove SSSD rules from RHEL8 OSPP Profile (#5032)
  • Updated the e8 profile for RHEL8. (#5024)
  • Add draft RHEL8 STIG profile (#4991)
  • Remove coreos-fedramp profile (#4994)

Rules:

  • Rhosp10 (#5019)
  • Add debian10 content (#5058)
  • Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
  • Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
  • Update NIST 800-53 mappings (#5083)
  • NIST 800-53 Mapping Updates (#5079)
  • Delete rules in favour of package_subscription-manager_installed (#5059)
  • Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
  • Add missing CCE for package_telnetd_removed rule (#5090)
  • PermitUserEnvironment Checks For Incorrect Setting (#5087)
  • Use the FIPS:OSPP Crypto Policy (#5072)
  • Enable ansible template for service_fapolicyd_enable rule. (#5064)
  • modify usbguard_allow_* rules to use new match-all keyword (#5055)
  • Stig sle12 initial (#4847)
  • Update api-server XCCDF and OVAL for ocp4-isms (#5039)
  • Mark rules as platform: machine. (#5062)
  • Fix OVAL applicability for RHV4 (#5053)
  • Remove configure_fapolicyd_mounts rules from profiles. (#5057)
  • Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
  • Update api-server rules (#5034)
  • Coreos build - enable more rules (#5018)
  • Various minor fixes (#5025)
  • Update etcd rules (#5008)
  • [WIP] Add SAP profile to rhel (#3551)
  • Add missing CCEs to rules from STIG profile (#5021)
  • Add some NIST mappings for FISMA high (#4932)
  • Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
  • Ansible tasks fixes (#5004)
  • make aide_periodic_cron_checking accept a broader array of time specs (#4989)
  • SRG Mapping - misc rules (#4969)
  • additional srg mappings (#4981)
  • Verified that proper SRGs are in rules that need to be added (#4987)
  • adding DISA SRG references to rules found in the OSPP profile (#4877)
  • OCP4 content cleanup (#4970)
  • Add Network Policies rule to OCP (#4934)
  • Make coreos-ncp.profile buildable (#5001)
  • Added SRG rule for auditd_audispd_configure_remote_server (#4988)
  • DISA STIG SRG mappings (#4940)
  • added SRG rule for Exec Shield (#4982)
  • Day 2 - Yasir's Contributions (#4975)
  • day 2 changes to rules with SRG info (#4974)
  • add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
  • Added SRG to rules (#4968)
  • mapped ipv4 and ipv6 SRGs to rules (#4967)
  • add SRG to rule (#4966)
  • Updated to include SRG number (#4971)

Tests:

  • oscap: modify using variables in the printf format (#5063)
  • Improve fine-tuning of rule/group ordering (#5078)
  • Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
  • Extend waiting time till virtual machine is again in RUNNING state (#5041)
  • SSGTS: Use wildcards instead of matching substring (#5029)
  • Add waiting for RUNNING state of virtual machine (#5023)
  • Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
  • Fixed the remediation for rsyslog_files_permissions (#4906)

Content 0.1.47

05 Nov 15:16
48db510

Highlights:

  • New product added Debian 9 (debian9)
  • New product added OpenShift container Platform 4 (ocp4)
  • Add Essential Eight profiles
  • New templating system enabled by default
  • Move SSGTS test scenarios closer to rule definitions

Profiles changed in this release:

  • rhel7: e8, C2S, ospp
  • rhel8: e8, ospp
  • debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
  • ocp4: coreos-ncp, opencis-node
  • ocp3: opencis-master
  • fedora: ospp
  • rhel6: C2S, stig

Profiles:

  • Add Essential Eight profiles (#4859)
  • Remove openshift api_server_profiling check (#4944)
  • Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
  • Extend SSH session to timeout while still allowing session to disconnect (#4954)
  • Add coreos NCP profile (#4865)
  • Add rules for FISMA Low to CoreOS NCP (#4873)

Rules:

  • SSG debian9 (#4928)
  • ocp4: Initial build system support for the OCP4 product (#4908)
  • Don't require that files exist when path is regex (#4960)
  • Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
  • Add missing CCEs (#4956)
  • Add missing prodtypes for apt rules (#4930)
  • Compare suid/sgid files with the RPM database (#4648)
  • Add check to set /etc/motd similar to /etc/issue (#4947)
  • Set default to match syslog default (#4948)
  • Add package rules to OSPP profile (#4953)
  • Fill in the samples with the value from our variable (#4949)
  • Add postfix relayhost check (#4950)
  • Add rule to check cockpit service status (#4939)
  • Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
  • Added missing CCEs. (#4919)
  • Fix missing OVAL in some of RHEL 8 rules (#4927)
  • Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
  • Generate OCIL check for cramfs kernel module (#4918)
  • Added OCIL for mount option-type of rules. (#4910)
  • Update remediation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
  • Ported the sysctl macros to the new system. (#4843)
  • Made the new templating system work with Python2.6. (#4897)
  • Add WRLinux 10.19 to prodtype (#4903)
  • Fix typo and add ocil clause to package_audit_installed. (#4827)
  • Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
  • Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
  • Map AC-17 (#4894)
  • Map AC-6(9) (#4895)
  • Map AC-17(2) to crypto SSH policies (#4892)
  • Add rule for NIST AC-18(4) (#4889)
  • Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
  • Map AU-7 and AU-10 to audit package (#4890)
  • Run tmux only right after sshd/login (#4885)
  • Fix missing content in datastreams generated by new templating system (#4883)
  • Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
  • Fix dnf timer rule (#4882)
  • Map AU-9(3) and AU-5(2) for CoreOS (#4880)
  • Update list of packages installed in RHEL8 OSPP (#4876)
  • Map OCP SCC to Kubernetes benchmark (#4867)
  • Merge SELinux Boolean templates and migrate them to new system (#4860)
  • Fix rhel6 nist mapping typo (#4872)
  • Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
  • Add require_emergency_target_auth and update require_singleuser_auth (#4850)
  • Enable file permissions templates in new templating system (#4857)
  • Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
  • Add checks for crontab and supporting cron directories (#4858)
  • Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
  • Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
  • Postfix network listening to loopback-only (#4832)
  • Update rsyslog rules description (#4839)
  • Updated the rule description of configure_fapolicyd_mounts (#4835)
  • Fix accounts password rules template name (#4836)
  • New templating system (#4809)
  • Break out api_server_service_account_key into multiple rules (#4831)
  • Add openvswitch permission rules (#4830)
  • AIDE periodic crontab check modification (#4824)
  • Disable Mounting of FAT filesystems (#4815)
  • insecure-port should not be configured (#4821)
  • Fix kubelet_enable_streaming_connections Rule (#4823)
  • Assign CCEs to SSH permission checks (#4819)
  • Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
  • Ensure proper permissions on /etc/ssh/sshd_config (#4812)
  • Fix /etc/shadow permissions documentation (#4813)
  • Improve template grub2 argument (#4786)
  • making hardening of sshd crypto policy aligned with OSPP (#4799)
  • Disable Kerberos by removing host keytab. (#4793)
  • Move audit rules to correct group (#4778)
  • Configure TLS for rsyslog remote logging. (#4781)

Tests:

  • Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
  • Use only first occurrence from /etc/mtab (#4959)
  • ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
  • Add basic test scenarios for a few audit rules (#4907)
  • Made templates product-specific. (#4841)
  • Simplified the test_suite command-line. (#4808)
  • Changed owner of files in the test suite tarball. (#4797)
  • [WIP] Enable test suite support for podman executed by non-privileged user (#4544)
  • Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
  • fix grub2_argument bash remediation (#4891)
  • Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
  • Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
  • SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
  • Add test scenarios for rsyslog_remote_tls (#4788)
  • SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
  • ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
  • Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
  • Clean up partition before performing test for mount_option_tmp_noexec (#4795)
  • Move SSGTS test scenarios closer to rule definitions (#4741)

Content 0.1.46

02 Sep 08:21
54aa233

Highlights:

  • SCAP 1.3 Data Streams are now the default (#4755)
    • 1.2 Data Streams are suffixed with -1.2.xml
  • OSPP consolidation (#4705)
    • RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
    • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
    • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

  • rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
  • wrlinux1019: draft_stig_wrlinux_disa
  • rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
  • rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
  • rhv4: rhvh-stig, rhvh-vpp
  • debian8: standard, anssi_np_nt28_restrictive
  • ubuntu1404: standard, anssi_np_nt28_restrictive
  • ubuntu1604: standard, anssi_np_nt28_restrictive
  • ubuntu1804: standard, anssi_np_nt28_restrictive
  • ol8: ospp, cjis, hipaa, pci-dss
  • fedora: ospp, pci-dss
  • ol7: stig, pci-dss

Profiles:

  • Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
  • Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
  • RHEL OSPP Profile Restructuring (#4754)
  • NCP Profile extends OSPP profile (#4764)
  • Rule grub2_vsyscall_argument is informational in OSPP (#4763)
  • Add support for XCCDF rule-refine (#4750)
  • Profile Restructuring (#4736)
  • Update OL8 HIPAA profile (#4718)
  • Update OL8 CJIS profile (#4719)
  • Adding SELinux rules into OSPP profile (#4735)
  • Fix section titles. (#4738)
  • Remove GNOME rules from rhel7/ospp (#4724)
  • The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
  • When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
  • Cleanup the RHEL7 ccc.profile, minimally (#4691)
  • Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

  • Enable fapolicyd to watch all system mountpoints. (#4773)
  • Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
  • Ensure rsyslog-gnutls is installed. (#4775)
  • IASE was migrated to DOD Cyber Exchange (#4768)
  • Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
  • Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
  • Update CSRF cookie secure (#4761)
  • Add mask_service parameter to services disabled template. (#4633)
  • Add new rhel8 aux gpg pubkey (#4675)
  • Add new package installed rule specific for RHEL8. (#4673)
  • Delete unused/unwanted dconf_use_text_backend rule. (#4684)
  • Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
  • extend oval check of configure_crypto_policy (#4757)
  • Update STIG Antivirus Language (#4745)
  • Log USBGuard daemon audit events using Linux Audit. (#4747)
  • Harden ssh client crypto policy (#4681)
  • Expanded and cleaned up csv templates. (#4739)
  • SSH service rules for SLE12 (#4289)
  • Single rule to configure audit rules for OSPP (#4680)
  • update STIG antivirus language (#4341)
  • Configure tmux to lock session after inactivity (#4737)
  • Prevent user from disabling the screen lock. (#4742)
  • Support session locking with tmux. (#4740)
  • Remove watches since syscall rules cover all cases. (#4706)
  • Update OL8 OSPP profile (#4717)
  • OSPP requirements and selections (#4662)
  • Enable the rngd service for OSPP. (#4733)
  • Move some system-tools rules to organized with their respective configuration rules (#4726)
  • Harden sshd crypto policy (#4663)
  • Set number of records to cause an explicit flush to audit logs. (#4697)
  • Set hostname as computer node name in audit logs. (#4701)
  • Force frequent session key renegotiation. (#4711)
  • Resolve information before writing to audit logs. (#4695)
  • Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
  • Fix typos in auditd_local_events texts. (#4698)
  • Preprocess references and identifiers during the build time. (#4063)
  • Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
  • Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
  • Disable storing core dumps. (#4650)
  • Add new rule auditd_write_logs (#4649)
  • new rule timer_dnf-automatic_enabled (#4614)
  • New rule auditd_local_events (#4636)
  • Start using oval_sshd_config jinja macros for sshd rules (#4624)
  • Simplify regexp (#4762)

Tests:

  • Fix _check_rule method call in SSG test suite. (#4767)
  • Test suite: set bash and ansible remediation to verbose mode. (#4652)
  • Fix disk configuration in OSPP anaconda kickstart file. (#4716)
  • Add documentation to known issue in the test suite. (#4730)
  • SSG Test suite: Add function to find remediation in the datastream. (#4714)
  • Add test scenarios for configure_usbguard_auditbackend rule (#4753)
  • Fix STIG IDs reference processing (#4725)
  • Add syslog_files rules test scenarios (#4743)
  • ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
  • Add test scenarios for sshd_set_keepalive rule (#4712)
  • Enable unit-testing of bash shared jinja macros (#4702)
  • Parameterize Red Hat's GPG release public key. (#4683)
  • Added stripping of new line when obtaining IP addr by podman inspect (#4692)
  • Fixed an omission. (#4658)
  • Test suite autodetect datastream. (#4657)
  • Testing of set_config_file function with BATS 2 (#4659)
  • Introduce tests for macro that generates OVAL (#4660)
  • Test suite change logging prefix to warning (#4688)
  • Test suite: Set additional SSH options when testing ansible remediations (#4674)
  • Document where test scenarios are located (#4654)
  • Document --url and --extra-repo of install_vm.py script (#4653)
  • Quick fix for CombinedMode _modify_parameters() (#4664)
  • Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
  • Fix regex which looks for line in file configuration. (#4646)

Content 0.1.45 Release Notes

25 Jul 00:03
b59a21d

Highlights:

  • Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
  • RHEL7 ANSSI profiles are now enabled
  • Improvements to profile statistics, check them out in stats job
  • New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

  • rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
  • fedora: pci-dss, ospp
  • rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
  • ol8: hipaa, cjis, pci-dss, ospp
  • wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
  • wrlinux8: basic-embedded
  • rhel6: C2S, CS2, nist-CL-IL-AL
  • chromium: stig
  • firefox: stig
  • ol7: stig, pci-dss

Profiles:

  • Remove unnecessary packages from ospp (#4632)
  • Deduplicate profile files. (#4601)
  • Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
  • Update the RHEL8 profile (#4229)
  • Add rhel7 ccc (Common Criteria Certification) profile (#4361)
  • Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
  • OL8 profiles update (#4374)
  • Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
  • Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
  • misc updates to OSPP profile (#4586)
  • RHVH/RHELH STIG mappings (#4033)

Rules:

  • New rule dnf-automatic_security_updates_only (#4619)
  • Pimp ANSSI up and enable it (#4615)
  • New rule disable_tmux_status_line (#4631)
  • Enable the fapolicyd service for OSPP. (#4623)
  • Install fapolicyd for OSPP. (#4622)
  • new rule dnf-automatic_apply_updates (#4613)
  • Disable storing core dumps. (#4618)
  • Enable the usbguard service in OSPP profiles. (#4611)
  • Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
  • Added a test for uniqueness of CCEs. (#4577)
  • Add remaining rules from CC to OSPP (#4599)
  • Disable the use of user namespaces. (#4569)
  • Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
  • Enable Kernel page-table isolation. (#4566)
  • add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
  • Update OSPP profile with required package checks (#4580)
  • Disable CAN Support. (#4572)
  • Disable ATM Support. (#4571)
  • Disable IEEE 1394 (FireWire) Support. (#4573)
  • update OSPP (#4446)
  • Harden the kernel package filter just-in-time compiler operation. (#4564)
  • Disable access to network bpf() syscall from unprivileged processes. (#4563)
  • Disallow kernel profiling by unprivileged users. (#4547)
  • Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
  • Add nodev Option to /var. (#4542)
  • Add nodev Option to /boot. (#4453)
  • Add nosuid Option to /boot. (#4452)
  • Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
  • Disable chrony daemon from acting as server. (#4445)
  • Disable network management of chrony daemon. (#4449)
  • Map more rules into Anssi policy (#4439)
  • ANSSI network sysctl (#4345)
  • Fix typo. (#4423)
  • Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
  • Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
  • Anssi updates (#4351)
  • OSP13 Checks (#4364)
  • Smartcards auth in OL8 should be done via sssd (#4377)
  • Remove dconf_use_text_backend rule from profiles. (#4375)
  • Make hardened containers smaller (#4357)
  • Scap 1.3 content adjustments (#4353)
  • Generate check and remediation for rules regarding sys controls for links to file you not own (#4346)
  • Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
  • Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
  • Rename group sap to sap_host (#4332)

Tests:

  • Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
  • Add tests for kernel_module_firewire-core_disabled rule. (#4605)
  • Document combined mode in tests/README.md (#4590)
  • install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
  • Remove ansible_playbook_set_hosts function from test suite (#4576)
  • Add profile metadata override in rule mode (#4578)
  • Fix test scenarios for mount option home nosuid (#4579)
  • Fix minlen test scenarios and include RHEL8 platform (#4450)
  • Print an error message when rule isn't found (#4454)
  • Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
  • Enable the (all) virtual profile in the rule-based test suite. (#4441)
  • Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
  • Install just things needed for the sssd service to run. (#4396)
  • Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
  • Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
  • Fix audit rules openat_o_trunc_write test scenarios. (#4438)
  • Add verbose output to the verbose logs (#4431)
  • Fix broken test scenario name (#4426)
  • Add option for extra repository in install_vm.py script. (#4421)
  • Change test scenarios for rule rpm_verify_permissions (#4344)
  • tests/install_vm.py: Do not abort if ostype detection fails (#4343)
  • Use VM install repo URL on the installed system (#4338)
  • Workaround SCAPVal 1.3.2 NullPointerException (#4339)
  • Use separate partition for /var/tmp in tests/kickstart (#4337)
  • Add test wrapper around SCAPVal tool (#4327)
  • Fix-ups and remote host support for tests/install_vm.py (#4328)

Content 0.1.44 Release Notes

03 May 15:46
8cb2d0f

Highlights

  • SCAP 1.3 DS generated along side SCAP 1.2 DS
  • An Ansible Playbook is generated for each rule
  • Remediation roles terminology fixed
    • Ansible "roles" are now called Playbooks
    • Bash "roles" are now called bash scripts
  • Introduction of package CPEs for Rule applicability
  • Content will detect Podman as a container environment
  • Several fixes in Ansible snippets so that they don't error during execution

Products and Profiles

  • Significant content additions and bugfixes for OpenShift
  • Enable RHV-H and RHEL-H draft STIG profiles
  • RHEL7 STIG profiles renamed to have shorter ID
  • RHEL7 nist-800-171-cui renamed to cui
  • New rules enabled for SLE12

Rules

  • FIPS regulatory warning updated
  • Rules not relevant for containers tagged as machine only
  • Fixed duplicated CCEs

Documentation

  • Documentation in Build.md merged into Developer Guide
  • Mention profile_stats.py in Developer Guide
  • Update Ansible section in Developer Guide
  • Add documentation to build zipfile target

Infrastructure

  • Rename profile_stats to profile_tool and update usage by CMake.
  • CCE checksums are now validated
  • Update ansible template, readme, and script to bring in line with Ansible Galaxy

SCAP Security Guide 0.1.43 Release Notes

21 Feb 16:33
99fde6f

This release features several profile updates, and improvements to the content Test Suite.

  • Content updates
    • OpenShift - Miscellaneous updates
    • Added OL7 Draft DISA STIG profile
    • Added OL8 profiles:
      • Draft HIPAA
      • Draft CUI
      • Draft OSPP
      • CJIS security policy profile
    • Added RHEL7 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • Added RHV4 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • RHEL8 profiles:
      • Updated RHEL8 OSPP
      • Update PCI-DSS profile
      • Added kickstart for OSPP and PCI-DSS profiles
  • Minimum supported ansible version bumped to 2.5
  • Ansible-lint fixes and remove some trailing whitespace
  • TestSuite
    • Updated documentation
    • New Podman backend
    • Usability improvements
  • Added build_product script to help build content

SCAP Security Guide 0.1.42 Release Notes

11 Dec 15:50
0db5ec5

This release is mostly about improvements in content,
including many new rules, checks and remediations, and bugfixes to them.
This release features significant updates in content for

  • Oracle Linux 7, OpenStack Platform 13
  • OpenShift Container Platform 3
  • and newly added product Red Hat Enterprise Linux 8.

Highlights

  • Addition of RHEL8 product
  • Content for OSP7 has been updated for OSP13
  • Content for OCP3 has been updated
  • New content is enabled for OL7
  • Addition of rules that cover configuration of system-wide crypto policy
  • Addition of Fedora 29 in place of Fedora 27
  • Update of TestSuite to work with python3.7
  • Introduction of platform dependent test scenarios

Known issues

  • Building content for RHEL derivatives (CentOS and Scientific Linux) can sometimes fail on the man_page target.
    This is a race condition caused by a missing dependency of the man_page build target.
    The issue is fixed by the following patch: #3662

SCAP Security Guide 0.1.41 Release Notes

01 Oct 13:01
daf9588

This release continues with the fixes "under the hood": checks and fixes are now better placed, in the same directory as the rule description.
We also feature new Products and new Profiles; test coverage of the rules was significantly improved, along with the testing capabilities of SSGTestSuite.

Highlights

  • Improved test scenario coverage of rules
  • Improvements regarding content for Kubernetes for opencis-ocp-master Profile
  • Introduction of concept of stable Profiles
  • Addition of Ubuntu 1804 Product with ANSSI and standard Profiles
  • Addition of OSPP 4.2 Profile for Fedora
  • Addition of PCI-DSS Profile for Fedora
  • Possibility to manually debug test scenarios
  • Addition of Example Product
  • Support to evaluate test scenarios on container images
  • Introduction of SSG unit tests for build system functions
  • Reorganization of checks and fixes to be closer to the rule description

SCAP Security Guide 0.1.40

25 Jul 12:49

SSG 0.1.40 Release Notes

The 0.1.40 release has most changes "under the hood". A huge amount of content was de-duplicated; similar checks for slightly different products were unified and merged. This has fixed a huge number of imperfections and subtle bugs.

Other highlights

  • SSG can be built by Python3
  • SSG build system got unit tests setup.
  • Syntax checks of Ansible playbooks have been added to the test suite.
  • Project documentation has been updated, expanded, and restructured.
  • Dropped support for XSLT in the content in favor of jinja2 macros that are nicer and easier to edit.
  • Build system has become more predictable - strict validation for rule identifiers, CCEs and references at build time has been introduced.
  • Improved user feedback on more build-time errors.
  • Better support for rule checks that use multiple OVAL versions (5.10 and 5.11).
  • Made the build system deduce some properties of products (e.g. pkg_system from pkg_manager)
  • Updated Ansible playbooks, so they don't use deprecated constructs.
  • Updated grep invocation to use LC_ALL=C, so it is faster and more predictable.
  • anaconda-populate variable substitution has been fixed.
  • The service-disable family of rules takes the corresponding socket deactivation into account, where applicable, in both checks and remediations.
  • Set up jinja2 cache for faster builds.
  • Restructure of Python code, which has been divided into the core ssg package, build-scripts and utils.
  • Improved the compare_generated.sh tool for inspection of generated content.
  • The Dockerfile has been modernized, supports Ansible and started to use the Fedora baseimage.

Additions

  • Added mcafee_antivirus_definitions_updated OVAL and XCCDF variables
  • OpenSUSE Leap 15.0 CPE
  • Rules in 0.1.39 that were missing warnings got them.
  • Many OL7 additions (+ pci-dss profile stub).
  • Added tests of auditd rules to SSG Test Suite.
  • dod_banner selector added for RHEL6
  • Support augenrules in RHEL6 for audit_rules_dac_modification

Removals

  • Removed FIPS remediations as well as RHEL CCEs from CentOS.

SCAP Security Guide 0.1.39 Release Notes

02 May 22:02
74e45ee

Highlights

  • XCCDF Rules moved to yaml format
  • Jinja2 templating for Rules, Checks and remediation introduced
  • Profile IDs simplified
  • Product Oracle Linux 7 added
  • Common Profile removed in favor of Standard Profile
  • RHEL7 STIG reference updated to V1R4
  • RHEL6 STIG reference updated to V1R18

Profiles

  • [Bugfix] remove kernel IPv6 from RHEL6 STIG
  • [Bugfix] Remove disabling all usb devices in kernel for OSPP and HIPAA profile
  • [Bugfix] Add Missing DISA RHEL7 STIG XCCDF rules
  • [Bugfix] rhel7: fix titles/descriptions, indicate draft status (rebase of #2717)
  • update references to RHEL7 STIG release to V1R4
  • [Bugfix] Update RHEL 6 STIG Reference to V1R18
  • [Enhancement] Add profile sap to the product ol7
  • [Enhancement] OL7 standard profile extra rules
  • [Enhancement] Simplify profile ids
  • [Bugfix] RHEL 7 STIG V1R4
  • [Bugfix] Remove common profile and use standard profile instead
  • [Enhancement] Extra Apache STIG rules
  • [issue 2571] update OSPP profile name and description
  • [Bugfix] Added the forgotten ospp42 profile
  • [RHEL7] Initial OSPP v4.2 draft profile
  • [Bugfix] Removed duplicate sudo related selects in rhel7's HIPAA
  • [Enhancement] Hippaaahhh

Rules

  • [Enhancement] Fix missing elements and description in var_auditd_admin_space_left_action and var_auditd_space_left_action
  • [Bugfix] rhel6 dod banner prohibit whitespace
  • [Bugfix] update prose to reflect cron time shorthand codes
  • [Bugfix] Remove ignore option for auditing configuration
  • [Bugfix] Change ID of Rule that checks for IPV6 disabled
  • [Bugfix] Fix a mismatched tag issue in RHEL6 sudo.xml

OVAL

  • [Enhancement] Add Docker SELinux check in daemon.json
  • [Bugfix] fix faillock audit oval
  • [Enhancement] aide cron flex
  • audit_rules_privileged_commands: allow arbitrary key
  • ftp_present_banner: update pattern in oval file and add remediation
  • [Bugfix] Add disabled OVAL 5.11 services for SSHD for OpenSUSE
  • Fix Rule ensure logrotate activated
  • Fix #2618

Remediation

  • [Bugfix] Fix dconf_gnome_disable_geolocation script and add missing dconf remediation scripts
  • Removed an accidentally committed file in shared/fixes/bash
  • [Bugfix] Use include_dconf_settings bash remediation function
  • [Bugfix][Enhancement] Use new dconf bash functions for bash scripts and add some missing dconf scripts
  • [Bugfix] Make sure that dconf dirs exist
  • [Enhancement] Unify sshd disable empty passwords
  • [Enhancement] Added support for checks and remediation for mount_options.
  • [Bugfix] Add create_module and finit_module scripts
  • [Enhancement] Add Anaconda Kdump disable script
  • [Bugfix] Fix accounts_passwords_pam_faillock_deny.sh script
  • [Bugfix] Not escaping / character breaks perform_audit_rules_privileged_commands_remediation.sh
  • [Bugfix] Fix typo in set_faillock_option_to_value_in_pam_file.sh
  • updated rhel7/fixes/ansible/service_avahi-daemon_disabled.yml to match template_ANSIBLE_service_disabled
  • [Enhancement] Further improved replace_or_append
  • Improve remediation of auditd_data_disk_full_action
  • [Enhancement] Improved replace_or_append.
  • [Bugfix] Partition remediations
  • Improved bash syntax of bash remediations
  • [Bugfix] eaccess should actually be eacces

SSGTestSuite

  • [Ssgtestsuite] Add tests for verifying file permissions and hashes with RPM
  • [Ssgtestsuite] Added tests for checking for bootloader password protection.
  • Minor in size, but substantial test suite improvements.
  • [Ssgtestsuite] Tests and OVAL fix for Rule sssd_enable_pam_services
  • [Ssgtestsuite] Add remediation for ldap_client_start_tls

Infrastructure

  • [Bugfix] Change yaml.Loader to yaml.SafeLoader
  • Add benchmark metadata element to shorthand
  • Remove all references for dropped OVALs
  • [Infrastructure][Enhancement] Package command apt get
  • [Enhancement] Add minimum package version check with jinja2 template
  • [Bugfix] testoval_module.py not processing oval version correctly
  • [Bugfix] openSUSE CPE update and clean-up
  • [Enhancement] Use yaml.safe_load for build related yaml files
  • [Bugfix] Add python jinja2 package to build doc
  • [Enhancement] Add regex handling for SRG and STIG reference versions in CMake
  • [Infrastructure][Enhancement] jinja2 for fixes, checks and the opencontrol yaml
  • [Bugfix] Add external content to yaml
  • [Bugfix] Don't exit with 0 when product.yml loading fails
  • [Infrastructure][Enhancement] Template ubuntu packages
  • [Documentation] Docs directory cleanup
  • [Enhancement] Require the python yaml module, fatal error if it's not found
  • [Documentation] user_guide.adoc: updates
  • [Bugfix] Document minimum Ansible version in User/Developer Guides
  • [Bugfix] Don't load yaml booleans as python booleans
  • fix link in user guide
  • README.md: fix link
  • Fixed OVAL check exports.
  • [Infrastructure][Bugfix] Apply elements with relevant prodtype when generating xccdf xml
  • Mark draft profiles as "documentation_complete: false"
  • Refactoring of relabel-ids.py
  • Allow over 80 chars-long lines in Python scripts.
  • [Bugfix] Update build instructions to include PyYAML
  • Made the service disable command more complete.
  • [Infrastructure] Added print function support for Python2 where applicable.
  • [Infrastructure] Make it possible to build SSG with python3
  • [Infrastructure] shorthand.xml target should depend on the yaml-to-shorthand script
  • [Infrastructure] Configure python interpreter
  • [Infrastructure] Profile file extension is now ".profile"
  • [Enhancement] Moved stuff around so that the folder matches the Makefile target
  • Update COPR section
  • [Infrastructure] Make SSG easier to edit (the yaml project)
  • RHOSP7 now uses the shared guide
  • Use the shared benchmark for opensuse
  • [Bugfix] remediation functions xml is no longer in shared
  • OL7 was using one group outside of shared but everything else was shared
  • Add support for Oracle Linux 7
  • Updated parts of the project documentation.
  • Made Ubuntu14 and Ubuntu16 to use local content.
  • Move debian8 and rhel6 system and services locally
  • [Bugfix] Source only local shorthand XCCDF to build debian8 content
  • Remove the empty RHEVM3 benchmark
  • [Bugfix] RHEL6 to only use its local shorthand content
  • [Infrastructure][Enhancement] Fedora shared benchmark
  • Remove shared XCCDF from WRLinux for yaml prep
  • [Bugfix] Untangle shared shorthands
  • [Bugfix] Moved firefox shorthand XML to the firefox product folder from shared
  • [Bugfix] Chromium XCCDF was in shared even though it uses nothing else from sh…
  • [Bugfix] Moved the .gitkeep file to where the author most likely intended it
  • [Infrastructure][Bugfix] Fix install of PCI-DSS centric HTML guides