Releases: ComplianceAsCode/content

SCAP Security Guide 0.1.28 Release Notes

25 Jan 10:56

Highlights (in order the changes have been merged):

  • SCAP Security Guide build process refactoring
  • New "OpenStack/RHEL-OSP/7/" directory to hold the SCAP
    content for Red Hat Enterprise Linux OpenStack Platform v7
  • Improved (more granular) mapping of official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7,
  • The build process has been updated to produce STATIC rule IDs in the benchmarks
    (very handy for benchmark version diffs)
  • Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes
    (see below for more concrete details)

Enhancements:

  • OVAL for the RHEL-6 benchmark is produced in OVAL-5.11 when the underlying
    oscap version already supports OVAL-5.11
  • New shared/oval/oval_5.11 directory to hold shared OVAL checks using
    OVAL-5.11 language constructs

XCCDF changes / enhancements:

  • [BugFix] [Debian/8] Fix typos (in selected rules)
  • [Debian/8] Cleaning on common profile. No more undefined ref
  • [RHEL/7] Refine pcidss-req 'security_patches_up_to_date' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_redhat_gpgkey_installed' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_globally_activated' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_never_disabled' -> 6.2
  • [Debian/8] Add ssh basics to Debian 8 xccdf
  • [BugFix] [Debian/8] Updated invalid href for rule references. Add reference to Debian security manual
  • [Enhancement] [Debian/8] Add dsg references
  • [Debian/8] Clean dsg from official security guides. Updated ssh reference. Clean postbuild
  • [Debian/8] Clean all references to dsg in xccdf. clean cis link (rhel specific).
    Updated validate while xccdf is not complete
  • [Debian/8] Merge install xccdf part into system part for homogeneous content with other distros
  • [Debian/8] Add support for logging XCCDF check
  • [Debian/8] Add rsyslog basic check in common profile, without network part (client or server side)
  • [Debian/8] Cleaning account files access right checks
  • [RHEL/7] Added shm and sticky bits rules into RHEL7 standard profile
  • [RHEL/7] Added package management related rules to RHEL7 standard profile
  • [RHEL/6] Ported the RHEL7 standard profile over to RHEL6
  • [RHEL/6] [RHEL/7] Added more rules to standard profiles for RHEL6 and 7

OVAL check changes / enhancements:

  • [Debian/8] Updated CPE naming for NIST conformity
  • [Debian/8] CPE naming based on NIST NVD 2.2 naming
  • [Debian/8] Cleaning CPE (emptyline)
  • [BugFix] [Debian/8] Fix mistyped OVAL check name in the Debian 8 CPE
  • [BugFix] [Debian/8] Fix tag for 'installed_OS_is_debian8' OVAL check
  • [Enhancement] [Debian/8] Add support for ssh service shared oval files in Debian8
  • [Enhancement] [Debian/8] Add disabled services support. Adding openssh (needed for shared oval)
  • [BugFix] [shared] Updated RPM-based distribution specific shared oval file to RPM based platform only
  • [BugFix] [shared] Updated other RPM-based distrib specific OVAL files
  • [SHARED] Adding _all on ssh oval files
  • [shared] Add SSH protocol v2 only check to multi_platform_debian also
  • [shared] Add rhel-osp to previously multi_platform_all transformed into RPM specific multi-platform oval files
  • [RHEL/6] Fix for issue #932
  • [BugFix] [RHEL/5] Removed an unused idtranslate.py from RHEL5/input/oval
  • [BugFix] [RHEL/6] Update the sysctl XCCDF value fix for ipv6 parameters as well
  • [BugFix] [RHEL/7] Fix Ticket 932 on RHEL7
  • [BugFix] [RHEL/7] Add missing generated files and doc changes for ticket 932
  • [BugFix] [Debian/8] Updated template comment for correct path
  • [RHEL/7] Update "RHEL/7/input/oval/oval_5.11/templates/services_disabled.csv"
    content to start using new daemon_name CSV value expected by 'create_services_disabled.py'
    helper script (prevent ValueError)
  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_groupownership' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former product specific oval for
    'rsyslog_files_groupownership' rule into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_ownership' rule (with OVAL-5.11)
  • [Enhancement] [Debian/8] [RHEL/7] [Fedora] Move former per-product based
    'rsyslog_files_ownership' OVAL check into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_permissions' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former per-product version of
    OVAL for 'rsyslog_files_permissions' rule into shared/oval/oval_5.11
  • [BugFix] [RHEL/6] Enhance the RHEL-6 OVAL for 'package_openswan_installed' rule

New Remediations:

  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [BugFix] [Debian/8] Cleaning remediation dir

Build System Bug Fixes:

  • [BugFix] Fix failing RHEL-6 "make validate" target (2015-12-17)
  • [BugFix] [Debian/8] Fix 'make validate' on Debian/8 content issue
    when content is built on RHEL-6 with openscap-1.0.10-3.el6.* (2015-12-22)
  • [BugFix] [Debian/8] Fix failing 'make' target when Debian/8 content build
    is attempted on a system using openscap-1.0.x version

Infrastructure:

  • [Refactoring] Start using verify-references.py from the shared directory
  • [Refactoring] Move the documentation close to the script
    (Also remove the documentation from previous locations)
  • [Unification] Remove the support.sh script
  • [Refactoring] Put common Makefile declarations to a single file
  • [Refactoring] Make a use of product-make.include file
  • [Refactoring] Put query for OVAL 5.11 into a common Makefile
  • [Refactoring] Put query for guide-from-ds-oscap into a common Makefile
  • [Refactoring] Put query for SVG support into a common Makefile
  • [Enhancement] Create a shorthand target that emulates what jenkins runs
  • [Debian/8] Updated templates recopy calls to correct places in Makefiles
  • [Enhancement] Create a shorthand target that emulates what jenkins runs
  • [Unification] Use $(OUT) variable consistently
  • [Refactoring] Avoid changes in letter capitalization between the Makefiles
  • [Correction] Fix python binary name
  • [Refactoring] Refactor the very first make target: the guide.xml
  • [Refactoring] Imperceptible makefile changes
  • [Clarification] Amend documentation to mirror exactly what is going to happen
  • [Refactoring] Consolidate filename of shorthand.xml
  • [Refactoring] Move PHONY shorthand-guide to the common Makefile
  • [BugFix] [Debian/8] Put xhtml:p into a correct namespace for Debian content
  • [Refactoring] Spell out all the dependencies of the guide.xml that exist
  • [Refactoring] Refactor shorthand-guide phony target to non-phony variant
  • [Refactoring] Create xccdf-unlinked-unresolved.xml as a separate target
  • [Refactoring] Create xccdf-unlinked-empty-groups.xml as a separate target
  • [Refactoring] Minor changes in webmin shorthand transformation
  • [Refactoring] Minor changes in openstack shorthand transformation
  • [BugFix] Fix broken xslt (causing "$ sudo chgrp root xsl:value-of select="@file"/>"
    to appear in the HTML guides)
  • [Refactoring] Openstack and webmin makefiles should use xccdf-unlinked-unresolved target
  • [Refactoring] [RHEVM3] Update shorthand to assign namespaces
  • [Refactoring] [RHEVM3] Remove 'addprofiles.xslt' step
  • [Refactoring] [RHEVM3] Resolve xccdf before proceeding
  • [Refactoring] [OpenStack] Update shorthand to assign namespaces
  • [Refactoring] [OpenStack] Remove 'addprofiles.xslt' step
  • [Refactoring] [OpenStack] Resolve xccdf before proceeding
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transformation
  • [Refactoring] Drop xccdf-addrefs.xslt
  • [Refactoring] Create ocil-unlinked.xml as a separate target
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transform even more
  • [Infrastructure] Temporarily allow the modified 'cpe_generate.py' transform
    to continue even if the intermediary OVAL is invalid
  • [BugFix] [Main Makefile] Use updated Openstack/RHEL-OSP/7 location in
    the 'make clean' target of the main Makefile
  • [BugFix] [OpenStack/RHEL-OSP/7] Makefile changes
  • [Refactoring] Create xccdf-unlinked-ocilrefs as a separate target
  • [BugFix] [Debian/8] Modify Debian/8 package_installed.csv template
  • [Refactoring] Move shared constants to a separate file
  • [Refactoring] Move xccdf-ocilheck2ref.xslt to the shared directory
  • [Refactoring] Remove commented version and config include
  • [Refactoring] Remove INCLUDE_TEST_PROFILE=0 setting
  • [Refactoring] [BugFix] [Debian/8] Modify the 'validate' target in the same
    way as it is modified in the Fedora or RHEL/7 product case
  • [Infrastructure] [Post PR#913 Cleanup] Make RHEL-OSP/7 content use the
    shared/ version of the 'verify-references.py' script
  • [Refactoring] Consolidate xccdf-unlinked-ocilrefs target, shared constants.xslt,
    and xccdf-ocilheck2ref.xslt transformation
  • [Refactoring] [BugFix] [Infrastructure] Various "cpe_generate.py" shared/
    transform hardenings
  • [Enhancement] Add support for multi_platform_debian. Requires some patches in shared/oval
  • [Enhancement] Updated shared oval in order to avoid multi_platform_all oval
    extending multi_platform_(rhel|fedora) definitions
  • [Enhancement] Keep human-readable hints in SSG IDs after relabelling
  • [Enhancement] Produce stable IDs, no longer generate a mapping INI file
  • [Bugfix][Debian/8] Update Debian Makefile and global makefile
  • [Refactoring] Refactor BUILD_REMEDIATIONS variable to shared makefile
  • [Refactoring] Remediations should be always sourced from the shared directories
  • [BugFix] Add RHEVM to combineremediations.py
  • [Refactoring] Create bash-remediations.xml as a separate target
  • [Refactoring] bash-remediations.xml should not depend on oval.config
  • [Enhancement] Make ocilrefs xccdf for Fedora as well
  • [Refactoring] Move xccdf-create-ocil.xslt to the shared directory
  • [Refactoring] Create xccdf-unlinked...
SCAP Security Guide 0.1.27 Release Notes

11 Dec 20:15

Highlights:

  • New CNSS No. 1253 Profile for Red Hat Enterprise Linux 6,
  • New C2S (CIS) Profile for Red Hat Enterprise Linux 7,
  • New Debian/8 (Jessie) product and initial benchmark for it,
  • Improved (more granular) mapping of official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7,
  • Finished the OVALs and selected remediations for the PCI DSS profile
    for Red Hat Enterprise Linux 6. A more granular mapping to the official
    requirements is still to come.
  • Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Enhancements:

  • [RHEL/6] New CNSS No. 1253 Profile
  • [RHEL/7] Granularize PCI-DSS profile rules mapping to official requirement (sub)
    section numbers in PCI DSS v3 standard
  • [RHEL/7] New C2S / CIS Profile
  • [Enhancement] Initial integration of Debian 8 in SSG

XCCDF changes / enhancements:

  • [BugFix] [RHEL/6] Update LUKS Disk encryption URL
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Fix XCCDF descriptions for:
    • file_permissions_binary_dirs, and
    • file_ownership_binary_dirs
  • [BugFix] [RHEL/5] Update XCCDF description for file_groupowner_binary_dirs
  • [BugFix] [RHEL/6] Add noexec, nosuid, and nodev rules for removable
    partitions and /dev/shm into RHEL-6 STIG profile
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Drop clock_settime system call
    from the audit time rules examples suggesting multiple commands to be included
    into one audit rule
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for
    audit_rules_time_clock_settime rule
  • [Enhancement][RHEL6/7] Add audit permission scripts and update XCCDF/OVAL content
  • [BugFix][Fedora][RHEL6] remove pam_passwdqc references
  • [BugFix] [RHEL/6] Update XCCDF prose for disable_interactive_boot rule
  • [BugFix] [RHEL/6] Introduce entropy section of the RHEL-6 benchmark
    and include new rule -- kernel_disable_entropy_contribution_for_solid_state_drives
    into it
  • [Enhancement] [RHEL/6] Start shipping CNSS No. 1253 Profile
  • [Enhancement] RHEL7 - Added CIS mappings to disk partitioning/options XCCDF
  • [BugFix] [RHEL/6] Fix HTTP 404 URL in XCCDF prose for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Per:
    #879 (comment)
    add a into the RHEL-6 & RHEL-7 XCCDF prose for rpm_verify_permissions
  • [BugFix] [RHEL/6] Fix invalid selectors in the RHEL-6's CNSS No.1253 profile

OVAL check changes / enhancements:

  • [Enhancement][bugfix][Fedora][RHEL/7] standardize more XCCDF and OVAL IDs
  • [Enhancement][RHEL6/7][Fedora] Standardize XCCDF and OVAL names
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Use correct SELinux type in selinux_all_devicefiles_labeled rule
  • [Enhancement][RHEL6/7] Selinux and Kernel dmesg updates
  • [Enhancement][Fedora] Add no_direct_root_logins OVAL check
  • [Enhancement] [RHEL/7] Enable RHEL-7 OVAL check for enable_selinux_bootloader rule
  • [BugFix] [shared] Fix OVAL checks for file_ownership_binary_dirs, and file_permissions_binary_dirs
  • [BugFix] [RHEL/5] Update OVAL check for file_ownership_binary_dirs rule
  • [BugFix] [RHEL/5] Replace RHEL-5 specific OVAL check for file_permissions_binary_dirs rule with
    calling of existing shared/ OVAL check for the very same rule
  • [Enhancement][RHEL/7] Add time and faillock OVAL and remediations
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update existing OVALs for
    audit_rules_time_clock_settime rule
  • [RHEL/7] Add some sysctl_net_ipv4 oval checks
  • [Enhancement][RHEL7] Add missing RHEL7 services OVAL and remediations
  • [BugFix] [RHEL/6] Update OVAL for disable_interactive_boot rule
  • [Enhancement] [RHEL/6] Add RHEL-6 specific OVAL for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [BugFix] [Optimization] [RHEL/6] Optimize OVAL check for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
    for speed / efficiency
  • [shared] [Enhancement] update file_ownership_var_log_audit.xml to check log_group in auditd.conf
  • [shared] check that all_exist for non-root checks in file_ownership_var_log_audit.xml
  • [BugFix] [RHEL/6] Modify / optimize OVAL check for audit_rules_privileged_commands rule
  • [BugFix] [RHEL/6] Fix OVAL check for audit_rules_privileged_commands rule
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 OVAL for smartcard_auth
  • [Enhancement] [RHEL/6] Modify the current RHEL-6 OVAL for smartcard_auth rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] Provide links to remote
    (official Red Hat RHSA / CVE OVAL) for security_patches_up_to_date rule
  • [BugFix] [RHEL/6] [RHEL/7] Fix the RHEL-6 & RHEL-7 OVALs for kernel_module_bluetooth_disabled rule
  • [BugFix] [RHEL/6] [RHEL/7] Split the currently shared/ OVAL for the
    kernel_module_sctp_disabled rule into two separate OVALs

New Remediations:

  • [Enhancement][RHEL6/7] Add securetty XCCDF/OVAL checks and remediations
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for audit_rules_login_events rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    auditd_audispd_syslog_plugin_activated rule to RHEL-6
  • [Enhancement] [RHEL/6] Add new RHEL-6 remediation for accounts_password_pam_minlen rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    aide_build_database rule to RHEL-6
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Add remediation for rpm_verify_permissions rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] New remediation for
    security_patches_up_to_date rule
  • [Enhancement] Add a kickstart file for PCI DSS for RHEL6

Remediation fixes / other changes:

  • [BugFix] [RHEL/7] smartcard_auth remediation - provide full path to the 'authconfig' executable
  • [Bugfix][RHEL6/7] fix remediation script names
  • [BugFix] [RHEL/6] [RHEL/7] Fix remediations for file_permissions_binary_dirs, and file_ownership_binary_dirs
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Fix existing remediations for audit_rules_time_clock_settime rule
  • [BugFix] [RHEL/6] Fix remediation for disable_interactive_boot rule
  • [shared] [Enhancement] Make the display_login_attempts.sh remediation script more robust
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 remediation script for smartcard_auth rule
  • [BugFix] [RHEL/6] Modify the existing RHEL-6 remediation scripts
    for the following rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime
  • [shared] Edge case fix for var_password_pam_unix_remember
  • [Enhancement] Add universal replace_or_append function
  • [Various products] Update --follow-symlink --> --follow-symlinks
  • [BugFix][RHEL/6] fix sed --follow-symlink typo in smartcard remediation script

Build System Bug Fixes:

  • Fix make validate target for Fedora (2015-12-03)

Infrastructure:

  • Rename fixes folder to remediations
  • [Enhancement][Infrastructure] add XCCDF and OVAL id check
  • Unify OVAL directory naming convention
  • [Enhancement][Infrastructure] detect oscap version
  • [Enhancement][Infrastructure] add id name to remediation scripts
  • [bugfix] remove duplicate openscap python import
  • [Enhancement][Infrastructure] Add openscap-python requirement to Build.md
  • [BugFix] Declare XCCDF vars before their use
  • Support for Fedora rawhide CPE
  • [Enhancement] [Infrastructure] Modify the buildsystem to allow remotely referenced OVAL
  • [BugFix] Fix regex in combineremediations.py
  • [Test suite] [RHEL/6] Add initial version of check_instances_test.py Python testing script for RHEL-6 content
  • [Enhancement] [Infrastructure] Enhance the various helper scripts creating OVAL checks from the templating
    files to support comment in the CSV files
  • [Enhancement] Update list of CPEs for Fedora benchmark because F21 is end of life now

Other changes:

  • Adding OSPP Kickstart file
  • Adding FedRAMP High Baseline

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.26 Release Notes

11 Dec 20:14

Table of Contents

  1. Highlights
  2. Enhancements
  3. XCCDF changes / enhancements
  4. OVAL check changes / enhancements
  5. New Remediations
  6. Remediation fixes / other changes
  7. Bug Fixes
  8. Infrastructure
  9. Other changes
  10. Full list of issues and pull requests closed in this release

Highlights:

  • New OS Protection Profile for Red Hat Enterprise Linux 7 Server,
  • PCI-DSS profile implementation (all OVALs, remediations, and official
    ID mappings) for Red Hat Enterprise Linux 7 Server finished,
  • Remediation scripts now support multi_platform tags (replacement for
    former use of symbolic links),
  • The version of SCAP Security Guide is now included in the RHEL/5, RHEL/6, RHEL/7,
    Chromium, Fedora, JRE, RHEVM3, Webmin, and Firefox benchmarks,
  • Numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Enhancements:

  • [OSPP-RHEL7-SERVER] OS Protection Profile for RHEL7 Server
    Profile based off FMT_MOF_EXT1.1 https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#FMT_MOF_EXT.1
  • Assign CCE identifiers to RHEL-7 OSPP profile rules
  • [RHEL/7] Perform PCI-DSS profile rules mapping to official requirement numbers in the PCI-DSS v3 standard
  • [RHEL/7] Added OSPP/NIAP NIST table to Makefile

XCCDF changes / enhancements:

  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_remote_server' rule (add support for chronyd)
  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_multiple_servers' rule (add support for chronyd)
  • [Fedora] add kernel XCCDF
  • [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for 'audit_rules_login_events' rule
  • [RHEL/7] Updated XCCDF name disable_ypbind --> service_ypbind_disabled
  • [RHEL/6] [RHEL/7] [Fedora] accounts_password_pam_unix_remember rule -- update XCCDF prose && add
    pam_pwhistory support
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

OVAL check changes / enhancements:

  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_remote_server' rule
  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_multiple_servers'
  • [RHEL/5] [RHEL/6] Fix OVAL for 'mount_option_nodev_removable_filesystems'
    to allow hyphens in hostnames and mountpoints and ipv6 addresses
  • [RHEL/7] [Fedora] Add new OVAL check for 'rsyslog_files_permissions' rule
  • [RHEL/7] [Fedora] New OVAL check for 'rsyslog_files_ownership' rule
  • [RHEL/7] [Fedora] New OVAL for 'rsyslog_files_groupownership' rule
  • [RHEL/7] Update the template_kernel_module_disabled
  • [RHEL/6] Fix ldap client TLS checks
  • [RHEL/7] Add RHEL/7 kernel OVAL checks and remediation scripts:
    • Added check for install_PAE_kernel_on_x86-32 for RHEL/7,
    • Added check for kernel_module_usb-storage_disabled for RHEL/7 and Fedora
    • Added remediations for kernel_module_usb-storage_disabled,
      package_kernel-PAE_installed, and sysctl_kernel_exec_shield
  • [RHEL/5] fix accounts_unique_uid.xml OVAL check
  • [RHEL/6] [RHEL/7] [Fedora] [Enhancement] Update sshd and cron XCCDF and OVAL content
    • Add sshd_disable_rhosts and sshd_use_approved_macs to RHEL/7
    • Add cron XCCDF and OVAL to Fedora
    • Update RHEL/7 XCCDF and stig_overlay to match OVAL naming convention
  • [RHEL/6] [RHEL/7] RHEL7 obsolete services and bluetooth checks/remediations
    • Add template_socket_disabled for any future socket checks
    • Add OVAL and remediation scripts for obsolete and bluetooth services
    • Update XCCDF content for obsolete services
    • Add socket macros
  • [RHEL/6] [RHEL/7] [Fedora] Add new /shared OVAL for 'account_unique_name' rule
  • [RHEL/6] [RHEL/7] [Fedora] Modify former RHEL-5 specific OVAL check for
    'gid_passwd_group_same' rule to be more universal (usable also for RHEL-6,
    RHEL-7 && Fedora systems)
  • [RHEL/6] [RHEL/7] [Fedora] New OVAL for 'aide_build_database' rule
  • [RHEL/6] Update existing RHEL-6 OVAL check for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Update existing OVAL check for 'audit_rules_login_events'
  • [RHEL/7] New OVAL check for 'smartcard_auth' rule
  • [RHEL/7] Add service_xinetd_disabled OVAL to RHEL/7
  • [RHEL/7] Switch on referencing / using of OVAL for 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] OVAL for RHEL7 no_rsh_trust_files
  • [RHEL/7] OVAL for RHEL7 disable_interactive_boot
  • [RHEL/7] Switch on use of 'install_hids' rule
  • [shared] Add CentOS gpgkey to OVAL check
  • [shared] Update 'dconf_gnome_screensaver_idle_delay' shared/ OVAL definition to
    require proper unsigned int datatype setting when configuring 'idle-delay' value
  • [shared] Require proper datatype (unsigned integer) to be specified for 'lock-delay'
    key of [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_lock_enabled' OVAL check
  • [RHEL/7] Require 'string' datatype specifier to be provided when setting 'picture-uri'
    key of the [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_mode_blank' OVAL
  • [shared] Make rpmverifyfile_test consistent with "rpm -V" output
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

New Remediations:

  • [RHEL/7] New RHEL-7 specific remediation for aide_build_database rule
  • [RHEL/7] New remediation for service_bluetooth_disabled rule
  • [RHEL/7] Remediation for RHEL7 uninstall_talk-server
  • [RHEL/7] Remediation for RHEL7 no_rsh_trust_files
  • [RHEL/7] Remediation for RHEL7 disable_interactive_boot
  • [RHEL/7] Remediation for RHEL7 require_singleuser_auth
  • [RHEL/7] Add RHEL-7 specific remediation functions for the following three audit rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime.
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_delay' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_activation_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_lock_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] [Fedora] New RHEL-7 and Fedora remediation for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Add new RHEL-7 and Fedora remediation for 'audit_rules_immutable' rule
  • [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [RHEL7] Updated package_remove remediation macro
    • Created bash remove package script
    • Added remediations for talk, ypbind, rsh, rsh-server, telnet
    • Updated bash package_removed remediation language to include a CAUTION note
  • [RHEL/6] Fix typo in RHEL/6 uninstall_ypserv.sh

Bug Fixes:

  • Fix failing 'make validate' for Fedora (2015-08-24),
  • Fix Fedora's 'make validate' target when run on RHEL-6 system (2015-09-10),
  • Fix multiple duplicate RHEL-6 vs RHEL-7 CCEs issue,
  • Fix make-validate on Fedora (2015-09-17),
  • [RHEL/5] fix make validate failures for RHEL/5 (2015-09-21),
  • [Fedora] Fix failing 'make validate' for Fedora product
    when Fedora content is built & validated on RHEL-6 system (2015-09-26),
  • [RHEL/5] Disable 'make validate' target for RHEL-5 content for now (2015-09-26),

Infrastructure:

  • Enhance RHEL/5's Makefile to look into /shared OVAL directory for possible OVAL definitions applicable to RHEL-5 product too
  • [Enhancement][RHEL/6][RHEL/7][Fedora] add functions for services and packages
    • Add function that can enable/disable service in RHEL and Fedora
    • Add function that can install/uninstall packages in RHEL and Fedora
    • Update services enabled/disabled templates
    • Update packages installed/removed templates
  • [Enhancement] add multi_platform checks to remediation scripts
  • [Enhancement] add platform tag to remediation scripts
  • [Enhancement][RHEL6/7][Fedora] remove remediation script symlinks
  • [Infrastructure] Fix cpe_generate.py FutureWarning error
  • Modified zipfile Makefile target to make a release ZIP to upload to Github

Other changes:

  • [RHEL/7] New DSS ODAA default banner

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.25 Release Notes

20 Aug 10:12

v0.1.25

[Tag New Release] Create tag for the new 0.1.25 release

SCAP Security Guide 0.1.24 Release Notes

08 Jul 12:28

Highlights:

  • Add initial draft of Standard Security Profile for RHEL-7 to serve as a base to ensure common security sanity of the various flavours of Red Hat Enterprise Linux 7 system ("traditional", virtualized / containerized, RHEL-7 Atomic host etc.),
  • Dozens of new remediation scripts for various audit rules of Red Hat Enterprise Linux 7 system,
  • HTML formatted guide enhancements (start building an HTML guide for each profile, minimize the HTML guide size by unselecting empty groups). Thanks to Martin Preisler for contributing these!

Enhancements:

  • Add initial draft of Standard Security Profile for RHEL-7,
  • Use XCCDF's override inheritance model when extending profiles,
  • Enhance the former fix_audit_watch_rule and fix_audit_syscall_rule remediation functions to work properly also on RHEL-7 and Fedora systems,
  • Start building HTML formatted guide for every profile for every benchmark (product),
  • Apply that build-all-guides change to Fedora, Chromium, Firefox, JRE, OpenStack, RHEL/5, RHEL/6, RHEL/7, Chromium, and Webmin products,
  • Implement HTML index file to ease browsing across the HTML guides produced,
  • Implement non-JavaScript option for HTML index files,
  • Build default profile as part of build-all-guides effort,
  • Changed the logic for building the HTML formatted guides so that XCCDF groups with no rule selected in them are no longer visible in the final HTML guide (they remain accessible when tailoring the content),
  • Added CentOS6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added CentOS7 CPE to CPE dictionary for RHEL-7 and variants,
  • Added Scientific Linux 6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added Scientific Linux 7 CPE to CPE dictionary for RHEL-7 and variants,
  • Add draft / example PCI-DSS' profile kickstart for Red Hat Enterprise Linux 7 Server system using the Oscap Anaconda Addon tool,

XCCDF changes / enhancements:

  • [RHEL/7] Update the XCCDF prose for Enable the NTP Daemon rule to properly deal with chronyd daemon,

OVAL check changes:

  • [RHEL/7] Update the existing OVAL check for Enable the NTP Daemon rule to return PASS if at least one of the chronyd or ntpd services is enabled (besides other things, the patch for this issue also fixed one invalid selector issue in the RHEL-7 PCI-DSS profile),

New Remediations:

  • [RHEL/7] audit_rules_file_deletion_events,
  • [RHEL/7] audit_rules_kernel_module_loading,
  • [RHEL/7] audit_rules_sysadmin_actions,
  • [RHEL/7] audit_rules_media_export,
  • [RHEL/7] audit_rules_unsuccessful_file_modification,
  • [RHEL/6] [RHEL/7] audit_rules_session_events,
  • [RHEL/7] audit_rules_dac_modification_setxattr,
  • [RHEL/7] audit_rules_dac_modification_removexattr,
  • [RHEL/7] audit_rules_dac_modification_lsetxattr,
  • [RHEL/7] audit_rules_dac_modification_lremovexattr,
  • [RHEL/7] audit_rules_dac_modification_fsetxattr,
  • [RHEL/7] audit_rules_dac_modification_fremovexattr,
  • [RHEL/7] audit_rules_dac_modification_chown,
  • [RHEL/7] audit_rules_dac_modification_fchown,
  • [RHEL/7] audit_rules_dac_modification_fchownat,
  • [RHEL/7] audit_rules_dac_modification_lchown,
  • [RHEL/7] audit_rules_dac_modification_chmod,
  • [RHEL/7] audit_rules_dac_modification_fchmod,
  • [RHEL/7] audit_rules_dac_modification_fchmodat,
  • [RHEL/7] audit_rules_mac_modification,
  • [RHEL/7] audit_rules_networkconfig_modification,
  • [RHEL/7] audit_rules_usergroup_modification,
  • [RHEL/7] audit_rules_time_watch_localtime,

Remediation fixes / other changes:

  • [RHEL/6] Rewrite audit_rules_dac_modification_setxattr remediation to start using fix_audit_syscall_rule remediation function,
  • [RHEL/6] Rewrite existing RHEL-6 audit_rules_dac_modification_chown, audit_rules_dac_modification_fchown, audit_rules_dac_modification_fchownat, and audit_rules_dac_modification_lchown remediation scripts to start using fix_audit_syscall_rule function,
  • [RHEL/6] Rewrite audit_rules_dac_modification_chmod, audit_rules_dac_modification_fchmod, audit_rules_dac_modification_fchmodat to start using fix_audit_syscall_rule function,

Bug Fixes:

Infrastructure:

  • Drop Fedora 20 support in Fedora benchmark since EOL,
  • Multiple ShellCheck warnings fixed across the content,
  • Multiple scap-security-guide.spec.in simplifications,
  • Unified all LICENSE files into just one ./LICENSE,

SCAP Security Guide 0.1.23 Release Notes

23 Jun 15:30

Highlights:

  • Start porting of PCI-DSS profile from RHEL-6 to RHEL-7
  • Add OVAL-5.11 language support for RHEL-7 product if underlying system's oscap version supports OVAL-5.11 already
  • Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
  • Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
  • Enhance XML files validation performed via make validate target for all products (optimize speed, validate all XML files against schematron where possible etc.)

Enhancements:

  • Add Chromium SCAP STIG content

  • Include Firefox, JRE, and Chromium content by default into Fedora's RPM

  • [Fedora] Add ShellCheck test as part of make validate for Fedora content

  • Ported OVAL checks:

    • audit_rules_mac_modification,
    • audit_rules_networkconfig_modification,
    • audit_rules_time_watch_localtime,
    • audit_rules_time_clock_settime,
    • audit_rules_time_stime,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_adjtimex

    audit rules have been ported to RHEL-7 and Fedora products.

  • [RHEL/7] [Fedora] Port accounts_passwords_pam_faillock_unlock_time OVAL check to RHEL-7 && Fedora

  • [RHEL/7] [Fedora] Port audit_rules_immutable OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_login_events OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_session_events OVAL check to RHEL-7 && Fedora

  • [RHEL/7] Enable service_auditd_enabled and service_chronyd_enabled for RHEL-7's PCI-DSS profile

New OVAL checks:

  • [RHEL/7] Add RHEL-7 OVAL checks for service_rdisc_disabled and service_rsyslog_enabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_oddjobd_disabled and service_qpidd_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_autofs_disabled and service_ntpdate_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_atd_disabled and service_abrtd_disabled
  • [RHEL/7] [Fedora] Add display_login_attempts OVAL check for RHEL-7 and Fedora products

New remediations:

  • [RHEL/7] Implement remediation fix for RHEL-7's accounts_password_pam_maxrepeat rule

Bug Fixes:

  • [Infrastructure] Multiple testcheck.py fixes and enhancements:
    • De-duplicate OVAL entity identifiers
    • Enhance testcheck.py to return appropriate exit code depending on the exit status
      of the internally called oscap oval eval command
    • Add support for quiet mode (options -q | --quiet | --silent) to testcheck.py
    • Fix testcheck.py bug when dealing with external variables
  • Fix broken python modules in Git tree
  • [RHEL/6] [OVAL check fix] Fix accounts_passwords_pam_faillock_interval and accounts_passwords_pam_faillock_unlock_time to use preauth option instead of authsucc
  • Correct some of the remediation script issues reported by the ShellCheck tool for the remediation scripts for Firefox, JRE, RHEL-6, and RHEL-7 products
  • [RHEL/6] Fix OVAL checks for sysctl_net_ipv6_conf_default_accept_ra and sysctl_net_ipv6_conf_default_accept_redirects to report proper results if IPv6 is disabled on the underlying system
  • [RHEL/7] Fix missing selector values to selected PAM variables as required by PCI-DSS profile
  • [BugFix] [RHEL/7] [Fedora] Update XCCDF prose for display_login_attempts rule for RHEL-7 and Fedora products to provide the correct recommendation with regard to pam_lastlog settings on these products
  • [BugFix] [Infrastructure] Fix test_attestation links to be valid URLs (both for XCCDF and for OVAL)
  • [RHEL/7] Fix remediation script for accounts_password_pam_minclass
  • [BugFix] [RHEL/6] [RHEL/7] Don't include the test profile into the final benchmark by default, only upon request
  • [BugFix] [Chromium] [Firefox] [Java] [Webmin] Specify correct profile name when generating HTML guides for these products
  • [BugFix] Rename 'Java' product to be 'JRE' product (since JRE has been suggested as a more appropriate name for this benchmark)
  • [BugFix] [JRE] Fix trailing whitespace issues in the JRE content

Remediation fixes:

  • [RHEL/7] sshd_enable_warning_banner ensure the banner config appears on a line by itself
  • [RHEL/6] accounts_passwords_pam_faillock_interval remediation - use proper fail_interval option