Releases: ComplianceAsCode/content
Releases · ComplianceAsCode/content
Content 0.1.75
Important Highlights
- Add new product kylinserver10 (#12393)
- Create OL10 product (#12290)
- Update PCI-DSS control file for version 4.0.1 (#12435)
New Rules and Profiles
- [New Rule] Package kea removed (#12464)
- Add Ism profile for ol8 (#12493)
- Add Ism profile to OL9 (#12346)
- Create CIS rules for login banners (#12472)
- New rule tftp_uses_secure_mode_systemd (#12436)
- Update chrony rules for RHEL 10 (#12415)
- Update RHEL 9 STIG to V2R2 (#12551)
Updated Rules and Profiles
- Add to slmicro5 STIG pam pwhistory remember rule (#12255)
- Add CCI to
package_postfix_installed
(#12446) - Add hipaa reference to
sshd_use_directory_configuration
(#12437) - Add Ism profile for ol8 (#12493)
- Add Missing CPEs for RHEL10 (#12411)
- Add OL into jinja conditionals (#12461)
- Add package_rng-tools_installed to Fedora OSPP profile (#12244)
- Add RHEL 10 to Jinja if statements in firewalld_sshd_port_enabled (#12504)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add rule chronyd_or_ntpd_set_maxpoll to SLE Micro 5 STIG profile (#12499)
- Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
- Add rules removed from RHEL8/RHEL9 profiles back to datastream (#12572)
- Add STIG rules for slmicro5 covering lib dirs root ownership (#12252)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- Adjust FIPS enable_fips_mode for RHEL 10 (#12414)
- Adjust zipl_bls_entries_option template remedation to allow RHEL 10 (#12410)
- Change directory_permissions_etc_iptables to 700 (#12384)
- Change platform for rules related to partitions (#12562)
- Change platform in xwindows_runlevel_target (#12563)
- Consolidate ASCS RHEL profiles lastlog via sshd (#12249)
- convert more rules to sshd_lineinfile template (#12301)
- Create CIS rules for login banners (#12472)
- Fix a typo (#12275)
- Fix Audit related rules in RHEL 10 (#12359)
- Fix chronyd remote server filepath dir regex (#12312)
- fix for issue 11909 (#12318)
- Fix rules from the net-snmp component (#12391)
- grub2_vsyscall_argument should only be applicable to x86_64 (#12408)
- Hide CJIS profile for OL8 (#12357)
- Move daemon.* to /var/log/messages (#12433)
- Move package_rear_installed to related rules in e8 (#12456)
- Move RPM verify rules to use --restore (#12413)
- OCP4: Optimize ingress trusted ca remediation (#12268)
- Remove
sshd_enable_warning_banner_net
from HIPAA control file (#12534) - Remove Outdated GNOME Rules in RHEL 10 (#12460)
- Remove package_talk-server_removed from RHEL 10 ANSSI (#12457)
- Remove rng-tools package rules from RHEL 10 (#12455)
- Remove sendmail from RHEL 10 profiles (#12452)
- Remove sshd_allow_only_protocol2 from RHEL 10 (#12390)
- Remove ypbind rules from RHEL10 (#12450)
- Remove ypserv from RHEL 10 profiles (#12451)
- Rename
cron
package tocronie
for RHEL10 product (#12463) - Review PCI-DSS requirements and rules for RHEL 10 (#12347)
- Review sshd_set_maxstartups rule (#12419)
- RHEL 10 HIPAA Profile Updates (#12345)
- RHEL 10 ISM_O: add back enable_fips_mode rule (#12449)
- RHEL 10 STIG Update (#12348)
- RHEL 10 tmux changes (#12383)
- RHEL 9 STIG: change remediated Networkmanager DNS mode (#12448)
- Slmicro5 stig add accounts and amount rules support (#12353)
- Slmicro5 stig add accounts and software rules support (#12364)
- Slmicro5 stig add rules selinux ssh and audit (#12316)
- Slmicro5 stig add services and software rules support (#12395)
- Stabilization: update audit_ospp_general with the latest content (#12592)
- Two CIS RHEL 9 enhancements (#12453)
- Ubuntu 22.04 STIG V2R1 changes (#12298)
- Update ANSSI BP28 profiles in rhel10 product (#12351)
- Update CCI Numbers due to new STIG/SRG GPOS (#12374)
- Update chrony rules for RHEL 10 (#12415)
- Update e8 profile for RHEL 10 (#12402)
- Update file_permissions_etc_chrony_keys (#12521)
- Update file_permissions_etc_chrony_keys to 640 (#12577)
- Update install_smartcard_packages for RHEL10 (#12459)
- update ism_o profiles for RHEL 10 (#12418)
- Update Jinja for package_rsync_removed for RHEL 10 (#12480)
- Update networkmanager_dns_mode for bootable containers (#12574)
- Update of the rule encrypt_partitions to support SLEM (#12343)
- Update ol7 stig (#12544)
- Update ol8 stig (#12545)
- Update OSPP control file (#12369)
- Update PCI-DSS control file for version 4.0.1 (#12435)
- update pwd length requirements for ism_o profile (#12431)
- Update RHEL 10 STIG Selections (#12376)
- Update RHEL 8 STIG due to rule removal (#12559)
- Update RHEL 8 STIG to V2R1 (#12550)
- Update RHEL 9 STIG to V2R1 (#12373)
- Update RHEL 9 STIG to V2R2 (#12551)
- Update rsyslog_cron_logging for bootable containers (#12575)
- Update service_rngd_enabled for RHEL 10 (#12243)
- Update SLE12 STIG version to V3R1 (#12580)
- Update SLE15 STIG version to V2R2 (#12570)
- Update various openshift assertions (#12443)
- Updated 6 rules 2 for sle micro (#12331)
- Updated packages related to openssh to support slem (#12338)
- Updated rules based on template service_disabled to support slem (#12337)
- Updates for Debian 12.6 (#12432)
- Updates related to the rule permissions_local_var_log_audit (#12356)
- Various Bug Fixes for Debian (#12084)
Removed Products
- Remove uos20 (#12248)
Changes in Remediations
- Add ansible remediation configure_bind_crypto_policy (#12325)
- Add ansible remediation to ensure_oracle_gpgkey_installed rule (#12323)
- Add ansible remediation to mount_option_home template (#12546)
- Add ansible remediaton for rsyslog_cron_logging rule (#12326)
- Add insensitive option to ansible_lineinfile macro (#12314)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
- Add rules to support remote offload of journal logs (#12479)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- Added remediation and tests for the rule permissions_local_var_log_audit (#12360)
- Avoid tmpfiles override (#12218)
- Bring bash version in-sync with Ansible (#12398)
- Change flags cleanup (#12397)
- Create CIS rules for login banners (#12472)
- Don't autoremove packages on dnf package uninstall (#12389)
- Fix "unknown predicate -L" (#12305)
- Fix ansible remediation for audispd plugin UBTU-20-010216 (#12293)
- Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined (#12527)
- SLE15 related fixes in ntp and aide rules (#12548)
- Slmicro5 stig add accounts and software rules support (#12364)
- Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule (#12324)
- Update bash remediation to fix bug into account_disable_inactivity* (#12134)
- Update remedation for firewalld_sshd_port_enabled (#12522)
- Update select rules for RHEL not to modify systemd units in /usr (#12486)
- Update SLE12 STIG version to V3R1 (#12580)
- Update SLE15 STIG version to V2R2 (#12570)
Changes in Checks
- Add "is_substring" variable to grub2_bootloader_argument template (#12308)
- Add OL9 into installed_OS_is_vendor_supported (#12333)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- convert more rules to sshd_lineinfile template (#12301)
- Create CIS rules for login banners (#12472)
- enhance the grub2_argument template to cover more use cases (#12375)
- Fix Audit related rules in RHEL 10 (#12359)
- Fix inventory_test_kernel_installed for SLE (#12516)
- Remove redundant sshd oval macro (#12532)
- Slmicro5 stig add accounts and software rules support (#12364)
- Update SLE15 STIG version to V2R2 (#12570)
Changes in the Infrastructure
- Add ocp4 pci dss references (#12309)
- Add setuptools python package to Fedora (#12565)
- Add setuptools to ocp4 build (#12566)
- Build empty OVAL (#12262)
- Build SCE content by default in rhel9 and rhel10 products (#12488)
- Enable templated SCE checks (#12445)
- Ensure that platforms is valid in Automatus tests (#12505)
- Fix issue with ambiguity of control product (#12454)
- Fix thin data streams with SCE (#12503)
- Fix validation with OpenSCAP 1.4 (#12303)
- Fix Windows for OpenSCAP 1.4.0 release (#12304)
- Introduce bootc remediation type (#12497)
- Move data stream component references (#12557)
- Remove template option (#12341)
- Stop SCAP content validation if not necessary (#12523)
- Update Fedora in
install_vm.py
to F41 (#12567)
Changes in the Test Suite
- add debian12 automatus workflow (#12128)
- Add OCP and RHCOS assertion files for 4.17 (#12266)
- Add RHEL Platform to Select AIDE Tests (#12483)
- add rule sysctl_kernel_modules_disabled to unselect_rules_list (#12354)
- Fix automatus podman (#12230)
- Fix Automatus Sanity (#12188)
- Improve Benchmark detection in Automatus (#12554)
- Introduce
/rpmbuild-ctest-fedora
CI for all Fedora versions (#12176) - modify test scenarios of grub2_argument template to handle variables (#12428)
- Remove
missing-references
ctest (#12434) - Remove template option (#12341)
- Review and update install_vm.py script (#12254)
Documentation
- Add UOS 20 removal to docs (#12257)
- Align release date calculation with documentation (#12240)
- Bump master version to 0.1.75 (#12235)
- Clarify stabilization dates process for more predictability (#12232)
- Include a section for fixed bugs in changelog (#12239)
- Remove old and broken tldp.org link (#12284)
- Update contributors for 0.1.75 (#12576)
Fixed Bugs
Content 0.1.74
Important Highlights
- Add Amazon Linux 2023 product (#12006)
- Introduce new remediation type Kickstart (#12144)
- Make PAM macros more flexible to variables (#12133)
- Remove Debian 10 Product (#12205)
- Remove Red Hat Enterprise Linux 7 product (#12093)
- Update CIS RHEL9 control file to v2.0.0 (#12067)
New Rules and Profiles
- Add initial RHEL 10 CIS profiles (#12075)
- Add new rule audit_rules_var_log_journal (#11920)
- Add new rule file_permissions_var_log_audit_stig (#11966)
- Add new rule install_endpoint_security_software (#11970)
- Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
- Add rule dir_groupowner_system_journal (#11838)
- Add rule dir_owner_system_journal (#11839)
- Add rule file_group_ownership_var_log_audit_stig (#11924)
- Add rule file_groupowner_journalctl (#11841)
- Add rule file_owner_journalctl (#11835)
- Add rule file_permissions_etc_audit_rules (#11959)
- Add rule file_permissions_journalctl (#11834)
- Check ufw is active (#11984)
- Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
- Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
- Initial HIPAA RHEL 10 Profile (#11915)
- Initial ISM O RHEL 10 Profile (#11994)
- Initial OSPP Control File (#11882)
- Initial RHEL 10 e8 Profile (#11976)
Updated Rules and Profiles
- Add package_rng-tools_installed to Fedora OSPP profile (#12246)
- Add
package_firewalld_installed
to CCN and enable CCN Advanced profile test in CI (#12139) - Add CCEs to RHEL 10 Rules (#12113)
- Add draft status to all RHEL 10 profiles (#12224)
- Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
- Add SSH related STIG rule to slmicro5 platform (#12193)
- Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
- Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
- Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
- Better description and test scenarios for set_nftables_table (#11991)
- CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
- CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
- CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
- Correct the platform for rule
package_iptables-persistent_removed
(#12195) - Disable OSPP Profile for RHEL 10 (#12223)
- Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
- Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
- Ensure code consistency by using aide_conf_path var (#12066)
- Ensure that security_patches_up_to_date is not built with remediations (#11995)
- Exclude package_screen_installed from RHEL 10 OSPP (#12179)
- Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
- Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
- Fix missing variable for Ubuntu 22.04 (#11973)
- Fix package name for libpam-pkcs11 on Ubuntu (#11854)
- Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
- Fix pwquality package name for Ubuntu 22.04 (#11919)
- Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
- Fix rule name in Ubuntu 22.04 STIG profile (#11971)
- Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
- Guide/anssi r45 (#12129)
- increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
- Make the behavior of chronyd_sync_clock rule more consistent (#12039)
- Modify rule file_groupowner_system_journal (#11836)
- Move to
default
crypto policy for RHEL10 for CIS Profiles (#12187) - OCPBUGS-1316: Add missing variable reference to rules (#12012)
- OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
- OCPBUGS-33945: select required SSHD timeout rule (#12091)
- OSPP profile, use Logind session timeout feature instead of tmux (#12212)
- Override few variables for Ubuntu 22.04 (#11928)
- remove logind_session_timeout from stig_gui profiles (#12086)
- Remove rhel7 only rules (#12112)
- Revert changes to no_empty_passwords for Ubuntu (#11918)
- Slmicro5 stig add privileged commands support (#12221)
- Support all boolean values in dnf.conf (#11965)
- Update rules related to PAM hashing algorithm (#12164)
- Update SLE15 STIG version to V1R13 (#11921)
- Updated 10 rules to support SLE Micro 5 (#12210)
Removed Products
Changes in Remediations
- Improve remediation for enable_authselect (#12038)
- Achieve consistent file and directory permissions for systemd journals (#11974)
- Add ansible automation for configure_usbguard_auditbackend (#12092)
- Add ansible remediation for account_password_selinux_faillock_dir (#12094)
- Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
- Add ansible remediation for no_tmux_in_shells rule (#12138)
- add namespace parameter for cluster-test (#11824)
- Add SCE check for ufw_rate_limit for Ubuntu (#11998)
- Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
- Adjust bash template (group)file_owner to follow symlinks (#12214)
- align template systemd_dropin_configuration (#12054)
- Create dconf db directory for local profile (#12079)
- Create file if it doesn't exist for coredump rules (#12181)
- Ensure that security_patches_up_to_date is not built with remediations (#11995)
- Fix bash_package_installed macro (#12140)
- Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
- Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
- Fix permissions for dconf db on Ubuntu (#12056)
- Fix Ubuntu faillock (#11932)
- Introduce new remediation type Kickstart (#12144)
- Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
- Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
- Simplify use of ansible_ensure_pam_module_option macro (#12159)
- Slmicro5 auth,security and audit STIG rules (#12192)
- templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
- Update ansible remediation CCE-85972-8 to support idempotency (#12152)
- Update rules related to PAM hashing algorithm (#12164)
Changes in Checks
- Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
- Fix broken OVAL metadata (#12151)
- Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
- Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
- Honour the no_quotes paramter of oval_check_dropin_file macro (#12173)
- Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
- Improve Rsyslog rules to support RainerScript syntax (#12010)
- Slmicro5 auth,security and audit STIG rules (#12192)
- templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
- Update OVAL check in accounts_password_last_change_is_in_past (#12177)
- Update rules related to PAM hashing algorithm (#12164)
Changes in the Infrastructure
- Add a script for finding unused rules (#12110)
- Add option to build per rule playbook via
build_product
script (#12105) - Allow multiple control files to add the same reference type (#12165)
- Ensure that RHEL 10 has CCEs (#12137)
- Expand CCE Available Test to OCP4 (#12114)
- Fix Filename for UBI test (#12115)
- Fix Nightly Build - Debian 12 (#12033)
- Improve error handling when loading yaml stream (#11962)
- Include product property in profile class (#12050)
- Install dependency "xmllint" package (#12080)
- Mark some scenarios as specific to SCE (#12052)
- OCP Update variable filter to consider go_template (#11906)
- Remove duplicate product (#12049)
- Review and reorganize CMakeLists.txt file (#12000)
- Show most used rules of component (#12001)
- Stop building -ds-1.2.xml data streams (#11990)
- Update Gating (#12041)
Changes in the Test Suite
- Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
- Add Ubuntu 22.04 Automatus workflow (#12058)
- Automatus to UBI 8 (#12100)
- Better description and test scenarios for set_nftables_table (#11991)
- Clean Up Tests Due to RHEL 7 Removal (#12101)
- Disable service_enabled templated test for service_bluetooth_disabled (#12211)
- Do not run
package_audit-libs_installed
package removal test scenarios (#12099) - Fix crypto policy in CIS test scenario (#12098)
- Fix OL7 GH Action (#12143)
- Fix platforms -> platform in test metadata (#12057)
- Fix regex in file_ownership_audit_configuration (#12029)
- Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
- Github Action Ansible
shell
module changes check (#12014) - Include test scenario for multiple partitions (#11950)
- Make Rawhide CI Green (#12065)
- OCP4: Add workflow to test ocp content (#11615)
- OCP4: use new assertion formate for OCP CI (#11790)
- Pin GitHub actions using Frizbee (#12082)
- Populate _rule_id virtual template parameter in Automatus (#11943)
- Remove the excluded_files (#12196)
- Validate Automatus Metadata (#12059)
Documentation
- Add script to Create a Control file from references (#11916)
- Additional updates in kernel_module_disabled template (#12160)
- Bump version after release (#12025)
- Fix a typo (#12017)
- Fix typos in notes for ocp4 controls (#11963)
- Update Contributors for v0.1.74 (#12225)
- Update control schema (#11942)
- Update RHEL 8 STIG SCAP Content to V1R13 (#12219)
Content 0.1.73
Important Highlights
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
- Generate rule references from control files (#11540)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
New Rules and Profiles
- Add and modify rules file/dir_permissions_system_journal (#11840)
- Add ANSSI Profiles for RHEL 10 (#11787)
- Add initial RHEL 10 PCI DSS profile (#11872)
- Add new rule file_permissions_sudo (#11584)
- Add new templated rules for System.map files (#11640)
- ANSSI R31 updates (#11560)
- Audit watch on /etc/sysconfig/network-scripts (#11724)
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Inital RHEL 10 STIG (#11793)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
- Openembedded fixes (#11652)
- Update ANSSI R50 (#11588)
Updated Rules and Profiles
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
- Add a note to ANSSI R23 (#11571)
- Add a warning to sshd_limit_user_access (#11507)
- Add automation to enable faillock rules (#11458)
- Add platform machine to systctl.d rules (#11622)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
- Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
- Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
- ANSSI R31 updates (#11560)
- api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
- CMP 2453 pci dss requirement 1 (#11725)
- CMP-2365: Fix check for rotating kubelet server certificates (#11543)
- CMP-2372: Remove info override for virtual syscall rules (#11544)
- CMP-2378: Fix OCP version regex (#11499)
- CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
- CMP-2471: Disable rules on s390x (#11743)
- Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
- Do not require existence of /var/tmp/tmp-inst (#11762)
- Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
- ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
- extend the explanation why ANSSI R52 requirement is manual (#11629)
- Fix #11895 issue (#11897)
- Fix #11898 issue (#11899)
- Fix #11902 issue (#11905)
- Fix dconf package name for Ubuntu (#11821)
- Fix description for auditd_max_log_file_action (#11585)
- Fix kdump service name on Ubuntu 22.04 (#11914)
- Fix OCP node OVN check (#11861)
- Fix rule for accounts_authorized_local_users in SLE15 (#11602)
- Fix SCE check for ip6tables_rules_for_open_ports (#11849)
- Fix SCE checks for iptables_loopback_traffic (#11850)
- HIPAA profile for SLE 15 - update (#11582)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Improve Rsyslog Rainer regex to find log files (#11808)
- Improve title of CCN profiles for RHEL9 (#11852)
- Make package installation for iptables and nftables mutually exclusive (#11191)
- mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
- Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
- oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
- OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
- OCP4: Add rule to check ACS sensor deployed (#11675)
- OCP4: Fix rules with both platform and platforms (#11760)
- OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
- OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
- OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
- OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
- Openembedded fixes (#11652)
- put exec back to configure_bashrc_exec_tmux (#11561)
- Remove
disabling_ipv6_autoconfig
rule (#11550) - Replace dead HTML links for the chronyd project (#11799)
- RHEL-09-232045: align with STIG (#11890)
- Rule had incorrect CRD reference rule.yml (#11823)
- Set the
requires
tosshd_set_keepalive
onsshd_set_idle_timeout
(#11815) - sysctl template: allow skipping of runtime checks (#11574)
- trivial: fix linting issue (#11711)
- trivial: Update link to audit profile documentation link (#11732)
- Try 4110 for file_permissions_sudo (#11805)
- ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
- Update ANSSI R29 requirement (#11633)
- Update ANSSI R32 (#11570)
- Update ANSSI R36 requirement (#11632)
- Update ANSSI R40 (#11563)
- Update ANSSI R50 (#11588)
- Update ANSSI R67 requirement (#11642)
- Update ANSSI R68 (#11580)
- Update ANSSI R71 (#11578)
- Update audit_ospp_general (#11519)
- Update CIS requirement status (#11784)
- Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
- Update CIS RHEL8 requirements related to crypto (#11506)
- update cryptopolicy used in CUI profile to fips (#11792)
- Update notes in ANSSI R3 (#11680)
- update notes of the R36 requirement for ANSSI (#11639)
- Update ol8 pcidss (#11867)
- Update ol8 profiles (#11829)
- Update ol8 stig (#11828)
- Update ol8 stig reference (#11884)
- Update ol9 pcidss (#11873)
- Update ol9 profiles (#11846)
- Update RHEL 8 STIG to V1R14 (#11878)
- Update RHEL9 STIG to V1R3 (#11877)
- Update SLE12 STIG to V2R13 (#11599)
- Update SLE15 STIG to V1R12 (#11598)
- update sles oval feed url (#11461)
- Update SRG GPOS Control File (#11634)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
- Update STIG PSC Content (#11664)
- Update sudo_dedicated_group (#11586)
- Use
string
instead ofnumber
in oauth variable (#11613) - Use controls to assign ANSSI references (#11556)
Changes in Remediations
- [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
- [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
- [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add Ansible remediation to sssd_enable_pam_services (#11796)
- Add Ansible Remediations (#11763)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align
securetty_root_login_console_only
remediations with OVAL/rule description (#11716) - Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
- Changes in template service_disabled - ansible part (#11645)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
- Fix ansible lint for SLE platforms (#11911)
- fix ansible SLES stig remediations in check mode (#11248)
- Fix Bash remediation of firewalld-based rules for offline mode (#11868)
- Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
- Fix non-idempotent bash remediation for sysctl template (#11671)
- fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
- Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
- Fix ubuntu remediation for pam_faildelay (#11532)
- Fix Ubuntu remediation for pam_faillock rules (#11488)
- Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
- Issue when using set -e with grep commands (#11712)
- Make Blueprint for service_disabled template to mask services (#11679)
- OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
- pam_options ansible template dry-run fix (#11677)
- Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
- remove prodtype from add_kubernetes_rule (#11500)
- Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
- Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
- set indent to 4 (#11530)
- Simplify output of ip link show command (#11657)
- update links and unify documentation in kickstart files (#11765)
- Update links for Ansible role (#11737)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- use
failed_when:false
for Ansibleregister:
checks (#11782)
Changes in Checks
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
- App armor oval check (#11273)
- Correction in oval part ensure_gpgcheck_globally_activated (#11709)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enforce explicit setting in password-auth (#11742)
- Enforce explicit setting in system-auth (#11740)
- Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
- Fix macro for extracting local interactive users (#11589)
- Fix regression in grub2_bootloader_argument (#11768)
- Make additional check if selinux is enabled and operational (#11510)
- Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
- Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
- Restrict the list of accepted shells in no_shelllogin_for_systemaccounts...
Content 0.1.72
Important Highlights
- ANSSI BP 028 profile for debian12 (#11368)
- Building on Windows (#11406)
- Control for BSI APP.4.4 (#11342)
- update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks
New Rules and Profiles
- Add alinux2/alinux3 support for pci-dss compliance (#11398)
- Add anolis23/anolis8 support for pci-dss compliance. (#11401)
- Add new rule file_cron_allow_exists (#11441)
- Add rules for /etc/shells (#11467)
- Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
- ANSSI BP 028 profile for debian12 (#11368)
- Control for BSI APP.4.4 (#11342)
- Add rules for /etc/shells (#11467)
- Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
Updated Rules and Profiles
- Review CIS RHEL8 v3.0.0 Section 3 (#11469)
- Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
- Add package_firewalld_installed to RHEL 9 CIS (#11351)
- align description of audit_rules_kernel_module_loading (#11443)
- Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
- Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
- align rule audit_rules_privileged_commands_kmod (#11320)
- Allow spaces in rule sudo_custom_logfile (#11433)
- Enable Rules For OSBuild (#11362)
- enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
- Fix a duplication of the code ID 3.5.2.1 (#11421)
- Fix ANSSI URL in control file and update RHEL profiles (#11365)
- Fix RHEL 8 STIG version (#11515)
- Fix Service Applicability for RHEL 9 Profiles (#11367)
- Handle rules trying to remove no longer existing packages (#11354)
- Improve Performance on rules probing the whole file system (#11319)
- Minor modifications to RHEL STIG profiles (#11327)
- Move to /bin/false for disabling kernel modules (#11475)
- Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
- Remove irrelevant rules from PCI-DSS profiles (#11338)
- Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
- Remove warning from kubelet rule (#11243)
- Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
- Review rpm_verify_hashes rule (#11332)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- RHEL 7: change how xwindows is disabled in CIS profile (#11466)
- RHEL 8: align with CIS 3, section 2 (#11457)
- RHEL7 CIS: align section 2 with the final version (#11453)
- Stablization: Update audit_ospp_general (#11520)
- Support drop-in config in journald rules on RHEL (#11440)
- Update CIS profiles descriptions (#11491)
- Update grub2_mitigation_argument (#11271)
- Update OL stig references (#11472)
- Update OL8 STIG id references (#11451)
- Update OL8 stig selection for OL08-00-040259 (#11312)
- Update Oracle Linux anssi profiles (#11313)
- Update RHEL 7 CIS Section 1 (#11449)
- Update RHEL 7 STIG to V3R14 (#11477)
- Update RHEL 8 STIG to V1R13 (#11478)
- Update RHEL 9 STIG to V1R2 (#11479)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
- Update STIG version for SLES 12 and SLES 15 (#11357)
- Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
- Use correct HTML element for inline code (#11408)
- various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
- xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)
Changes in Remediations
- [Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
- A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
- Add blueprint remedation for enable_fips_mode (#11363)
- Add check if to continue with ansible task (#11299)
- add explaining comment to mount_option bash template (#11444)
- Add support to disable wifi interfaces via wicked (#11428)
- Ansible: change the sysctl module fqcn for rhel7 product (#11465)
- configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
- Do not change comments by remediations (#11434)
- Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
- Fix in sebool ansible (#11245)
- Fix ShellCheck Issues in CPE Checks (#11322)
- fix: service_timesyncd_configured (#11410)
- Make some improvements to bash remediation template (#11361)
- Move to /bin/false for disabling kernel modules (#11475)
- Sle15 fix ansible cis remediations (#11258)
- Sle15 fix ansible hipaa remediation (#11264)
- Sle15 fix ansible pci-dss remediations in check mode (#11263)
- Stabilization - Fix Ansible compatibility with sysctl module (#11538)
- Support drop-in config in journald rules on RHEL (#11440)
- Turn off blueprint for package_MFEhiplsm_installed (#11350)
- Turn off remedations for
/dev/shm
(#11364) - Use commit hash for image tag (#11233)
Changes in Checks
- Add ocp platforms to some eks shared OVALs (#11436)
- Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
- Fix invoke parent's init function (#11400)
- Generate OVAL document for each rule (#11291)
- Improve Performance on rules probing the whole file system (#11319)
- Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
- Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- Support drop-in config in journald rules on RHEL (#11440)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
Changes in the Infrastructure
- Add Gate tests back to master (#11331)
- Add missing group.yml (#11373)
- Add Windows CI (#11412)
- add XSLT_PATH prefix with environment override (#11390)
- Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
- Building on Windows (#11406)
- Control Files'
level
key must be an array (#11417) - Fix Debian 10 CI (#11426)
- Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
- Fix invoke parent's init function (#11400)
- Fixes update-oscal.yml to remove env context from matrix variables (#11374)
- Generate OVAL document for each rule (#11291)
- Ignore mypy in the EOF Checker (#11323)
- OCP4: Update k8s action to build image on new PR (#11384)
- Refactoring: Remove 'prodtype' Mk.2 (#11378)
- Remove bogus specifier from
audit_rules_privileged_commands_unix2_chkpwd
(#11379) - remove the task which deletes artifacts from automatus GH workflows (#11482)
- Update GitHub Artifacts Action Steps to v4 (#11411)
- Validate levels in controls (#11427)
- We should raise NotImplementedError (#11414)
Changes in the Test Suite
- Allow tests/test_product_stability.py to be executed (#11464)
- Fix OpenEmbedded name in test stability (#11463)
- Fix Secure Boot Automatus VM Installs (#11239)
- Fix tests for sudo_require_authentication (#11315)
- OCP4: Fix e2e result on OCP 4.14 changes (#11207)
- Update test-check-eof for smoke test (#11402)
- Update Install VM to use Fedora 39 (#11418)
Documentation
- Add documentation of the steps that OVAL content goes through during the build (#11336)
- Add GitHub Actions Style Guide (#11330)
- Add STIG Tables for RHEL 9 (#11376)
- bump version to 0.1.72 (#11308)
- Finish rename to Automatus (#11404)
- Fix broken formatting (#11403)
- Remove all contributors file (#11317)
- Update contributors list for v0.1.72 release (#11483)
- Update SRG GPOS to V2R7 (#11480)
Content 0.1.71
Important Highlights
- Add RHEL 9 STIG (#11193)
- Add support for Debian 12 (#11228)
- Update PCI-DSS profile for RHEL (#11267)
New Rules and Profiles
- New Rule: networkmanager_dns_mode (#11160)
Updated Rules and Profiles
- Add remediation and OVAL for UBTU-20-010297 (#11098)
- Add SRG id to
file_owner_grub2_cfg
for RHEL 9 STIG (#11261) - Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
- Added missing variables to ubuntu profiles (#11227)
- Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
- Corrections in bash/ansible remedition of the rule audit_rules_privil… (#11196)
- Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
- daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
- Daily prod fix: return rhel7 prodtypes to some rules (#11303)
- Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
- Fix
audit_rules_privileged_commands_kmod
(#11277) - Fix multiple STIG IDs for RHEL8 (#11250)
- Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
- fix ssh-keysign path for UBTU-20-010141 (#11082)
- Fix ssh-keysign path for Ubuntu 22.04 (#11297)
- Fixes for kernel_config_security rules (#11259)
- Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
- Make selinux context elevation for sudo more flexible (#11224)
- Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
- Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
- remove sle15 from package_samba_common_installed (#11231)
- Review and Update pcidss_4 control file (#11214)
- Update PCI-DSS profile for RHEL (#11267)
- Update RHEL 7 STIG V3R13 (#11223)
- Update RHEL 8 STIG to V1R12 (#11219)
Changes in Remediations
- Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
- Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
- Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
- Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
- Fix sudo_require_reauthentication remediations edge case (#11279)
- Improve stability of timesyncd based remediation (#11247)
- Include remediation for fapolicy_default_deny rule (#11211)
- Refactor ensure_pam_wheel_group_empty rule (#11192)
- remove duplicated multi_platform_sle in bash.template (#11244)
- Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
- SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
- Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
- Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
- Update sshd lineinfile (#11151)
Changes in Checks
- Fix kernel_module_disabled template for Ubuntu (#11294)
- Include dracut filter to audit_rules_privileged_commands (#11246)
- Integration of the OVAL object model into the
combine_ovals.py
script (#11236) - Modification of the OVAL linker to use the OVAL object model (#11290)
- Prepare OVAL object model for integration (#11206)
- Refactor ensure_pam_wheel_group_empty rule (#11192)
- Reference validation in OVAL document object (#11235)
- SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
Changes in the Infrastructure
- Access to enable the logging of the
combine_oval.py
script (#11260) - Add .github to EOF checker (#11287)
- Add a better Error Message For Undefined Identifier Types (#11213)
- Add alternatives to mandatory keys (#11268)
- Add Better a Error Message For Undefined Reference Types (#11159)
- Avoid duplicate loading of component files (#11195)
- controleval.py: Return empty list when parameter is not found (#11300)
- Fix CI job after Fedora 39 release (#11256)
- Integration of the OVAL object model into the
combine_ovals.py
script (#11236) - Make
prodtype
Required in JSON Schema (#11281) - Modification of the OVAL linker to use the OVAL object model (#11290)
- Move jqfilter parameter to common parser (#11232)
- Reference validation in OVAL document object (#11235)
- remove some unnecessary imports (#11175)
- remove unused code (#11187)
- Update Ansible Lint Config (#11283)
- Use up to date
build_ds_container
script inadd_platform_rule.py
(#11042)
Changes in the Test Suite
- Add package requirement for auditctl tests (#11181)
- Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
- Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
- Enable PCI-DSS in test-farm tests (#11257)
- Fix rpm python package SLE15 Automatus docker file (#11212)
- Fix SLE15 tests (#11172)
- Include dracut filter to audit_rules_privileged_commands (#11246)
- Include remediation for fapolicy_default_deny rule (#11211)
- New Rules Must Have a
prodtype
(#11252) - Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
- Require SRG Reference for Rules with STIG Reference (#11265)
Documentation
- Add stabilization phase description to developers guide (#11234)
- Bump version for 0.1.71 (#11168)
- Documentation for tool
tox
(#11165) - Fix docs for utils.add_kubernetes_rule (#11238)
- update list of contributors before 0.1.71 release (#11307)
- Update Style Guide to Ensure that PR Titles are Useful (#11284)
Content 0.1.70
Important Highlights
- Add openembedded distro support (#10793)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove test-function-check_playbook_file_removed_and_added test (#10982)
- scap-security-guide: Add Poky support (#11046)
New Rules and Profiles
- Add rule
package_s-nail-installed
(#11144) - Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
Updated Rules and Profiles
- A correction in the rule pam_disable_automatic_configuration (#10902)
- accounts_umask_etc_bashrc: depend on bash being installed (#10915)
- Add a two rules to RHEL 9 STIG (#10910)
- Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
- Add missing CIS references for SLE platforms (#11024)
- Add mount platform to mount_option_var_nosuid (#11037)
- Add rule logind_session_timeout to OL8 STIG (#10917)
- Add SELinux as platform (#11138)
- Add SRG ID to logind_session_timeout (#10936)
- Add tmux platform to tmux related rules (#11017)
- Add UBTU-20-010044 to existing ansible remediation (#11073)
- Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
- Add UBTU-20-010401 to restrict kernel message buffer (#11063)
- Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
- Add UBTU-20-010462 to lock accounts without passwords (#11060)
- Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
- Add variable support to
auditd_name_format
rule (#11019) - Add version for OCP CIS (#11152)
- Add version for OCP STIG (#11153)
- Add version metadata to the OCP PCI-DSS profile (#11155)
- Add warning to network_configure_name_resolution (#10997)
- Allow default permission for user.cfg file in UEFI systems (#10884)
- ANSSI: add rules to enable auditing service (#11005)
- Build OCP STIG profiles by default (#11132)
- Change how example ROLE_LIST are formatted (#11123)
- Change rule to use variable when auditing faillock (#11007)
- Changes in SLE 12/15 profiles to support logrotate service (#10796)
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
- Deprecate UBTU-20-010180 (#11079)
- Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
- Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
- Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
- Enable logrotate.timer check on RHCOS4 (#11045)
- Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
- Express more accurate per package platform limitation for firewall rules (#10812)
- Fix excluded_files and recursive for UBTU-20-010416 (#11086)
- Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- fix naming for UBTU-20-010430 (#11056)
- Fix package_audit-libs_installed rule.yml (#11127)
- Fix rule ubtu 20 010033 (#11065)
- Fix STIG references for SLE15 (#10850)
- Fix UBTU-20-010179 to use proper parameters and key (#11080)
- Fix UBTU-20-010267 and deprecate STIGs (#11084)
- Fix UBTU-20-10450 STIG (#11058)
- Fix variable selection when selecting the default value (#11015)
- Implement rules for CIS OCP Section 1.4 (#10840)
- Include new options in var_accounts_minimum_age_login_defs (#11052)
- Include RHEL indentifiers in logrotate related rules (#10904)
- Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
- iptables_ruleset_modifications: depend on iptables being installed (#11030)
- no_rsh_trust_files: depend on rsh-server being installed (#10809)
- OCP4 CIS: Re-add forgotten rules (#10864)
- OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
- OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
- OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
- OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
- OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
- OCPBUGS-7455: Hide API warning messages (#10971)
- OL7 DISA STIG v2r12 update (#10921)
- Port over etcd encryption rule from CIS 1.3 controls (#10753)
- Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
- Remove
controller_rotate_kubelet_server_certs
from OCP CIS v.1.4.0 (#10992) - Remove CIS reference from image policy webhook rule (#10932)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove protect kernel default and sysctl rules from CIS (#10931)
- remove rules not relevant to RHEL 9 from STIG profile (#10996)
- Remove rules that cannot be applied during image build (#10946)
- Remove sebool_secure_mode_insmod from anssi (#11001)
- Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
- Remove tickets from CIS control files (#10869)
- RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
- Select the
var_accounts_passwords_pam_faillock_dir=run
in RHEL7 profiles (#11163) - Standard Profile Improvements (#11109)
- Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
- Update CIS profiles to use control files (#10833)
- Update kubelet event creation limit to 50 (#10950)
- Update link to English version of ANSSI guide (#11038)
- Update metadata of OSPP profile in RHEL8/9 (#10984)
- Update OL8 STIG to V1R7 (#10918)
- Update platform on bios_enable_execution_restrictions (#10880)
- Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
- Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
- Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
- Version FedRAMP high and moderate profiles for OpenShift (#11154)
Changes in Remediations
- 0640 permission in permissions_local_var_log should only apply to files (#10856)
- accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
- Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
- Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
- Add RHEL as platform in su pam wheel group remidiation (#10995)
- Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
- Avoid Ansible shell module if not necessary (#10887)
- change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
- Couple of small fixes (#11004)
- Drop irrelevant return statement in bash remediation (#10988)
- Fix ansible remediation of configure_ssh_crypto_policy (#11008)
- Fix Ansible Tasks order (#11117)
- Fix bash_sshd_remediation macro on OL exclusive code (#10980)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Fix path and add ansible remediation UBTU-20-010298 (#11087)
- Fix remediation of sssd_enable_smartcards (#10981)
- Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
- Fix umask bash and Ansible (#11108)
- Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
- improve bash remediation of mount_option template (#11009)
- Improve remediation for SSH global settings (#11032)
- Improve template macros for grub command line (#10989)
- Minor improvements in configure_opensc_nss_db (#11044)
- Modify adie db exist path for UBTU-20-010450 (#11064)
- OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
- Refactor Ansible remediations that search local file systems (#10912)
- Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
- SLE Add journald configuration droping remediations (#10671)
- SLE AIDE periodic check and remediation via systemd timer (#10589)
- SLE Service timesyncd configured rule (#10670)
- templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
- Update enable_fips_mode Ansible Remedation (#11026)
- Update no_legacy_plus_entries_* Ansible Remedations (#11027)
- Use parameter value in ansible lineinfile macro (#10958)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
Changes in Checks
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- enhance OVAL for enable_fips_mode (#10897)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Improve OVAL readability in enable_fips_mode (#10911)
- Improve sshd_use_approved_kex_ordered_stig (#11053)
- Minor improvements in configure_opensc_nss_db (#11044)
- Remove kernel cmdline check (#10961)
- Select the
var_accounts_passwords_pam_faillock_dir=run
in RHEL7 profiles (#11163) - SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
- Sysctl template remediations do not modify package files (#10881)
Changes in the Infrastructure
- Add a faster alternative for generating HTML guides (#11036)
- Add Dependabot (#11113)
- Add manifests to zipfile target (#10944)
- Add Merge Group Trigger to Required Jobs (#11162)
- Add product as parameter when building profile reports (#11023)
- Add SCAPVal to Stabilize task (#11043)
- Add tickets key to control validation (#10872)
- Add version to profile element in the data stream (#10909)
- Allow k8s-content workflow to write (#11020)
- Build profile bash scripts differently (#11028)
- Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
- Dependabot Preparation (#11112)
- Fail build if profiles or controls contain invalid rule selections (#11135)
- Fix Ansible Tasks order (#11117)
- Fix multiple STIG id table generation (#11016)
- Fix OrderedDict definition (#11121)
- Fix Rawhide Build (#10953)
- Fix scap delta tailoring (#11145)
- Fix stig overlay (#11114)
- Generate profile oriented Ansible Playbooks in a different way (#11033)
- G...
Content 0.1.69
Important Highlights
- Introduce a JSON build manifest (#10761)
- Introduce a script to compare ComplianceAsCode versions (#10768)
- Introduce CCN profiles for RHEL9 (#10860)
- Map rules to components (#10609)
- products/anolis23: supports Anolis OS 23 (#10548)
- Render components to HTML (#10709)
- Store rendered control files (#10656)
- Test and use rules to components mapping (#10693)
- Use distributed product properties (#10554)
New Rules and Profiles
- Add modified audit suid privilege function rule for CIS (#10729)
- Introduce CCN profiles for RHEL9 (#10860)
- Introduce network access control rule (#10596)
- New templated rule to remove iptables-services package (#10703)
- RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
- Include new kickstart files for CCN profiles (#10863)
Updated Rules and Profiles
- A change into sudoers_validate_passwd (#10861)
- Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
- Add modified audit suid privilege function rule for CIS (#10729)
- Add mount platforms (#10794)
- Add platform package variables for firewalld and iptables (#10740)
- Add warning to rsyslog_remote_tls_cacert (#10676)
- add-rules sles-15-010418 sles-12-010498 (#10711)
- Change rules related to /etc/shadow to check only local user configuration (#10838)
- Deprecate account_emergency_expire_date (#10829)
- ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
- Fix grub2 remediation instructions (#10717)
- Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
- Fixes of cron package/service for SLE 12/15 (#10549)
- Increase RHEL7 STIG Coverage (#10705)
- Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
- New applicability platform to check IPv6 state (#10830)
- OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
- pam_faillock rules: show XCCDF variables in rule description (#10824)
- Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
- Remove quotes from journald config parameters (#10790)
- service_apport_disabled: depend on apport being installed (#10805)
- Set package_iptables_installed as machine only (#10804)
- Set package_nftables_installed as machine only (#10803)
- Set package_rng-tools_installed as machine only (#10810)
- Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
- Update of anssi profile for SLE 12/15 (#10702)
- Update OL8 cjis profile (#10771)
- Update OL8 hipaa profile (#10822)
- Update RHEL 7 STIG to v3r11 (#10821)
- Update RHEL 8 STIG to V1R10 (#10826)
- update rule SLES-12-030250 (#10644)
- Update SLE 12/15 rule and change package name (#10580)
- Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
- use_pam_wheel_group_for_su: depend on pam being installed (#10807)
- Updates of the rule use_pam_wheel_group_for_su (#10714)
Changes in Remediations
- Add a Playbook name to Ansible Playbooks (#10713)
- Add remediations for rule network_sniffer_disabled (#10659)
- configure_openssl_cryptopolicy: align remediations with rule description (#10828)
- Fix in service_autofs_disabled - ansible (#10521)
- Fix issue when adding fstab entries with iso9660 (#10572)
- fix: use grep -E instead of deprecated egrep (#10643)
- fixes in file_groupownership template (#10666)
- macros: bash: Avoid matching comments in fstab macros (#10754)
- Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
- SLE Add rsyslog_remote_loghost droping remediations (#10672)
- SLE Coredump configuration support dropin remediation (#10604)
- SLES15 use dropin configuration for issue banner (#10605)
- Various fixes for Ubuntu (#10755)
Changes in Checks
- enhance OVAL for enable_fips_mode (#10900)
- Check only local users home directories (#10825)
- Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory (#10637)
Changes in the Infrastructure
- .github/workflows/gate.yaml:Add anolis8 product. (#10814)
- Add a sanity test of install_vm.py (#10684)
- Add validation for Keys in Controls (#10813)
- create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
- Fix CMakelint (#10701)
- Fix compare datastream check to correctly treat new line characters. (#10667)
- Fix traceback in release helper (#10718)
- Implement distributed product properties without applying them (#10648)
- Stop using "imp" module (#10819)
- utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)
Changes in the Test Suite
- Add a test for rule journald_compress (#10818)
- Add a test for rule journald_storage (#10817)
- Add Automatus Testing (#10678)
- Add SCAPVal to CTest (#10802)
- Fix grep for Automatus sanity (#10752)
- Fix install_vm.py on older versions of Python (#10651)
- fix: ssg_test_suite: warning when rule not in benchmark (#10642)
- Add requirements files for python dependencies (#10487)
Documentation
Content 0.1.68
Important Highlights
- Bump OL8 STIG version to V1R6 (#10497)
- Introduce a Product class, make the project work with it (#10529)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- OL7 DISA STIG v2r11 update (#10498)
- Publish rendered policy artifacts (#10585)
- Update ANSSI BP-028 to version 2.0 (#10334)
New Rules and Profiles
- Add rule package_mailx_installed (#10495)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- Introduce file_permissions_audit_configuration rule (#10489)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- New rules to complete CIS requirements for SSH Keys (#10552)
- New SLE 15 rule set_nftables_base_chain (#10180)
- Rebased hagenest set nftables loopback traffic (#10366)
- Restart postfix service and add rule has_nonlocal_mta (#10359)
- SLE15 add implementation of nftables_rules_permanent rule (#10201)
- SLE15 add nftables ensure default deny policy (#10249)
- Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)
Updated Rules and Profiles
- Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
- Add package_avahi_removed to ubuntu profiles (#10406)
- Add rules SLES-15-010375 and SLES-12-010375 (#10625)
- Add rules SLES-15-010419 and SLES-12-010499 (#10621)
- Add rules SLES-15-010420 and SLES-12-010500 (#10623)
- Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
- audit_rules_privileged commands: skip /proc directory (#10471)
- Bump OL8 STIG version to V1R6 (#10497)
- Complete CIS requirement for system accounts (#10627)
- Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
- delete rule SLES-15-040280 (#10383)
- Drop of some rules from SLE 12/15 profiles (#10527)
- Enable ensure_shadow_group_empty for RHEL7 (#10416)
- Enable service_nftables_disabled for RHEL (#10390)
- Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
- Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
- Fix in sshd_use_approved_ciphers (#10535)
- Fix in sudo_require_reauthentication (#10216)
- Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- No remediation warning for
fapolicy_default_deny
(#10433) - OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
- OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
- OL7 DISA STIG v2r11 update (#10498)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE 12/15 profile updates (#10577)
- SLE improve kernel module disabled rule (#10368)
- SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
- sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
- Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
- Ubuntu 22.04 CIS modify password remember rule (#10480)
- Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
- Update accounts_password_pam_retry yaml (#10496)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update ANSSI BP-028 to version 2.0 (#10334)
- Update CIS controls related to nftables table and chains (#10629)
- Update CIS requirement for SSH access limit (#10470)
- Update netrc requirement in CIS for RHEL8 (#10511)
- Update OL9 STIG profile (#10407)
- Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- update rule sles-15-040250 (#10492)
Changes in Remediations
- Add Ubuntu SCE checks for iptables rules (#10587)
- Ansible remediation for configure_bashrc_exec_tmux (#10584)
- audit_rules_privileged commands: skip /proc directory (#10471)
- Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
- Fix changes in Ansible tasks not expected to fail (#10427)
- Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
- Fix up RHEL kickstarts (#10499)
- fix: aide_string: drop nl at end (#10578)
- fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
- fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- Replace grep command with ansible find (#10579)
- SLE add ability to configure emergency via dropin (#10482)
- SLE improve kernel module disabled rule (#10368)
- SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
- Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
- templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
- Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
Changes in Checks
- audit_rules_privileged commands: skip /proc directory (#10471)
- bugfix: mount_option: handle commented lines (#10518)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in sudo_require_reauthentication (#10216)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE improve kernel module disabled rule (#10368)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- Use specific name in private key groups instead of gid (#10622)
Changes in the Infrastructure
- Add a product stability test (#10606)
- Add CMakelint (#10468)
- Add controls the EOF checker (#10477)
- Automate and Fix Missing Newline at the of Files (#10361)
- Expand the list of rules skiped by Ansible Lint (#10485)
- Fix data stream component parsing (#10411)
- Implement a tool for parsing profiles and outputing rules (#10455)
- Introduce a Product class, make the project work with it (#10529)
- Publish rendered policy artifacts (#10585)
- Refactor the scapval test (#10611)
- Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
- Remove unused imports (#10384)
- Remove unused variables (#10382)
- Shell quote support for Jinja macros (#10524)
- Stabilization: Fix install_vm.py on older versions of Python (#10652)
- Stop using deprecated
set-output
in GitHub Actions (#10588) - Update CI Repo for CTF (#10385)
- Update GitHub Action Versions (#10543)
Changes in the Test Suite
- Add a product stability test (#10606)
- Add a warning to AutoMatus (#10394)
- bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
- bugfix: packages: delim is comma (#10559)
- bugfix: ssg_test_suite: RuleResult eq (#10365)
- Fix template not found error in Automatus (#10631)
- Fix tests applicablity for ol8 product (#10570)
- Fix tests in sshd_lineinfile template (#10595)
- Fix typo in tests for sshd_limit_user_acess (#10478)
- install_vm refactor (#10607)
- install-vm fixes / features (#10562)
- Remove machine pruning from gating (#10453)
- Revert change in test scenario script for enable_authselect rule (#10430)
- Unused test code (#10558)
- Use bash_package_* (#10557)
- Use mkdir -p when creating directories (#10556)
Documentation
- Add Kickstarts to the changelog (#10512)
- add python3 to the list of build dependencies for RHEL-8+ (#10503)
- Bump version for 0.1.68 (#10372)
- Fix read the docs build (#10537)
- fix: Fix misspelled word infrastruture (#10531)
- Jinja macro doc fixes (#10599)
- Reduce Doc Warnings (#10528)
- Styleguide Update (#10466)
- Update Add Product Guide (#10533)
- Update release documentation about release_helper.py script (#10502)
Content 0.1.67
Important Highlights
- Add utils/controlrefcheck.py (#10096)
- RHEL 9 STIG Update Q1 2023 (#10185)
- Include warning for NetworkManager keyfiles in RHEL9 (#10330)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
New Rules and Profiles
- Add new rule package_systemd-journal-remote_installed (#10105)
- New SLE 15 rule service_nftables_enabled (#10113)
- Add CIS iptables rules (#10121)
- New SLE 15 rule set_nftables_new_connections (#10114)
- Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
- Add a new rule ssh_keys_passphrase_protected (#10017)
- Introduce new rule authconfig_config_files_symlinks (#10129)
- Added rule partition_for_dev_shm (#9984)
- New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
- New SLE 15 rule set_nftables_table (#10128)
- Add implementation for rsyslog_logging_configured rule (#10063)
- New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
- OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
- Added a new rule accounts_password_set_warn_age_existing (#10006)
- Add new rule socket_systemd-journal-remote_disabled (#10210)
- Introduce rule to remove nginx package (#10291)
- Introduce rule to remove cyrus-imapd package (#10292)
- Add package_dnsmasq_removed rule (#10293)
- Add package_ftp_removed rule (#10294)
- Add new rule rsyslog_filecreatemode (#10264)
- New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
- Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)
Updated Rules and Profiles
- accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
- Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
- Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
- Add CIS iptables rules (#10121)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
- assign ntp_configure_restrictions to SLE12 (#10122)
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
- Add missing SRG to aide_build_database rule (for master branch) (#10150)
- remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update levels of some rules in RHEL8 CIS (#10157)
- Change custom zones check in firewalld_sshd_port_enabled (#10162)
- improve applicability of rule package_rear_installed (master branch) (#10156)
- Accept required and requisite control flag for pam_pwhistory (#10175)
- OCP4 Modify etcd encryption check rules for hypershift (#10179)
- Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
- Fix prefer_64bit_os for SLE platforms (#10178)
- remove rule logind_session_timeout and associated variable from profiles (#10202)
- Shorten rule title (#10196)
- products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Include avahi related rules in RHEL CIS control files (#10233)
- Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
- Update CIS RHEL requirements for log files permissions (#10241)
- Include rule for checking password last change in RHEL (#10243)
- Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
- Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
- Update password hashing algorithm CIS requirement (#10271)
- Complete CIS requirements related to dot-files (#10279)
- Fix package names for some SUSE packages (#10283)
- Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
- Corrections in the rule package_openldap-clients_removed (#10273)
- Enable sshd_enable_warning_banner_net for RHEL (#10287)
- Add package_nginx_removed to Ubuntu CIS profiles (#10301)
- Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
- accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
- accounts_passwords_pam_tally2: depend on pam being installed (#10305)
- package_pam_pwquality_installed: depend on pam being installed (#10306)
- apparmor: apply only to platform machine (#10303)
- sudo_require_reauthentication: depend on sudo being installed (#10318)
- vlock_installed: apply only to platform machine (#10307)
- Remove VMM SRG References (#10336)
- Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
- Add some nftables rules to Ubuntu CIS profile (#10300)
- make accounts_password_last_change_is_in_past not applicable to containers (#10339)
- Align rhel7 dracut-fips-aesni remediations (#10352)
- Add package_cups_removed to Ubuntu CIS Level 2 Worstation profiles (#10360)
- NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)
Changes in Remediations
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update sebool_secure_mode_insmod OL remediations (#9979)
- Enable rsyslog_filecreatemode rule for RHEL (#10328)
- kernel_module_disable template - regexp matches multiple lines (#10351)
- fix loops within ansible template for rsyslog_files (#10349)
Changes in Checks
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Remove check of /var/log/dmesg from OVAL (#10145)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Fix prefer_64bit_os for SLE platforms (#10178)
- postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Add offline capability to the 'mount_option' OVAL template (#10200)
Changes in the Infrastructure
- Introduce script shorthand to OVAL (#10085)
- Remove utils/count_oval_objects.py (#10133)
- Update Rawhide Before Use (#10141)
- Move to Code Climate for PEP 8 Checking (#10158)
- Enable SCE integrity checks for RHEL8 (#10165)
- Refactor ssg.build_ovals module (#10048)
- Update srg diff (#10199)
- Require OVAL ID to match rule ID (#10346)
- Various python fixes (#10345)
- Move platform_mount to use cpe-oval vs oval (#10441)
Changes in the Test Suite
- Add utils/controlrefcheck.py (#10096)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update test scenarios for accounts_password_last_change_is_in_past (#10213)
- add cap_system_chroot capability to Automatus podman container (#10246)
- Fix Automatus on Python 3.6 (#10281)
- Disable logrotate timer in ensure_logrotate_activated tests (#10375)
Documentation
Content 0.1.66
Important Highlights
- Ubuntu 22.04 CIS (#9953)
- OL7 stig v2r9 update (#9976)
- Bump OL8 STIG version to V1R4 (#9974)
- Update RHEL7 STIG to V3R10 (#10079)
- Update RHEL8 STIG to V1R9 (#10078)
- Introduce CIS RHEL9 profiles (#10091)
New Rules and Profiles
- Add nonessential services rule (#9912)
- Added a new rule package_firewalld_removed (#9937)
- Added a new SLE 12/15 rule package_rsync_removed (#9932)
- Added a new rule package_cups_removed (#9930)
- Added a new rule firewalld_service_disabled (#9941)
- Added a new SLE 15 rule package_nftables_installed (#9934)
- Add rule for no .forward files (#9990)
- Add new rule grub2_enable_apparmor (#9978)
- Added a new rule package_tcp_wrappers_removed (#9981)
- Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
- Add package prelink removed (#10062)
- add new rule audit_rules_immutable_login_uids (#10070)
- Added 2 rules for 15 related to nftables (#10068)
- New SLE 15 rule ensure_iptables_are_flushed (#10107)
- add new rule configure_bashrc_tmux (#10100)
Updated Rules and Profiles
- Include warning regarding quota options in XFS (#9879)
- Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
- Sync rules for RHEL 9 STIG (#9788)
- Changing a few harcoded OS names for full_name (#9936)
- Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
- SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
- Update sudo_require_reauthentication (#9923)
- Update kmod audit rule for OL7 (#9949)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Add rule to OL7 stig profile (#10028)
- Small corrections related to 3 rules (#9995)
- Add new rule grub2_enable_apparmor (#9978)
- Include Ubuntu products in package_rsync_removed (#10051)
- Include Ubuntu products in package_nftables_installed (#10052)
- Fix the service_telnet_disabled rule (#10033)
- Update package name for RHEL in package_rsync_removed (#10053)
- Include Ubuntu products in package_cups_removed (#10050)
- Include Ubuntu products in package_rpcbind_removed (#10055)
- Update link to NTP docs (#10056)
- Include Ubuntu products in package_prelink_removed (#10071)
- Add account_emergency_expire_date to OL7 stig (#10073)
- Add aide_build_database to STIG in OL and RHEL (#10094)
- Include Ubuntu products in two nftables rules (#10101)
- Move two rules to higher level in cis_rhel8 control file (#10109)
- add new rule configure_bashrc_tmux (#10100)
- add missing SRG to aide_build_database rule (#10136)
- change applicability of rules configuring idle session timeouts (#10127)
- Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
- improve applicability of rule package_rear_installed (#10144)
- stabilization: Update levels of some rules in RHEL8 CIS (#10155)
Changes in Remediations
- Fix indentation in Ansible shell module parameter (#9851)
- Recognize 64bit architectures in Ansible remediations (#9887)
- Make Ansible remediation less prone to fatal errors (#9914)
- Add bash and ansible remediation for set_loopback_traffic (#9939)
- Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
- Update sudo_require_reauthentication (#9923)
- Improve the arguments for Ansible command module (#9921)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Fix Jinja condition in macro for pam_faillock (#10009)
- Install NetworkManager as part of
wireless_disable_interfaces
remediation (#10018) - aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- Improve service_disabled template (#10026)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
- Rewrite remediations for rsyslog_remote_tls (#9866)
- Fix accounts_password template for OL (#10045)
- Using the Ansible shell actions is needed in package_prelink_remove (#10086)
Changes in Checks
- Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
- Update sudo_require_reauthentication (#9923)
- accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
Changes in the Infrastructure
- Refactor build_cpe.py (#9834)
- Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
- Refactor templates v2 (#9870)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
- Introduce templated platforms (CPEs) (#9906)
- Sort conditional remediation platform checks (#9902)
- Add sanity tests for controleval.py (#9918)
- Add Refchecker to Tests (#9862)
- Wait for buffer flushes to finish writes (#9933)
- Fix the file param in rule_dir_json (#9928)
- Fix typing import in
create_srg_export.py
(#9929) - Build all profiles on all CentOS and CentOS Streams (#9946)
- CTest Fixes (#9962)
- CPE AL: Introduce version specifiers support (#9945)
- Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
- Raise exception when parametrized platform receives invalid argument (#9996)
- Fix
--datastream-only
in./build_product
(#10020) - Add sanity tests for compare_disa_xml.py (#10030)
- Add Ubuntu 22.04 to Gating (#9986)
- Fix a few isssues in test-compare-disa-xml (#10034)
- Update Ansible Lint Config (#10025)
- platforms: rewrite mechanism which parses version into EVR (#10038)
- Produce an understanable error when remediation collections goes wrong (#10027)
- Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
- Bump fedora version in Dockerfiles to 37 (#10036)
- Fix the generation of SCE checks in the output datastream (#10015)
- Scripts clean up (#10061)
- Clean up SRG export (#10067)
Changes in the Test Suite
- Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Refchecker to Tests (#9862)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Improve service_disabled template (#10026)