Skip to content

SCAP Security Guide 0.1.38 Release Notes
Compare
Choose a tag to compare
@yuumasato yuumasato released this 02 Mar 15:03
· 28929 commits to master since this release
v0.1.38
137d2c1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Highlights

  • New License - BSD-3 Clause
  • New Profiles introduced for development
    • ANSSI
    • HIPAA
    • C2S-Docker
  • Adoption of CTest for schema validation
  • Several remediation fixes

Profiles

  • [Enhancement] Add initial C2S Docker Profile
  • [Bugfix] This is a shorthand XCCDF, not the actual XCCDF 1.1, the xmlns makes …
  • [Bugfix] It's HIPAA, not HIPPA
  • Add some rules for protection of data in transit and adequate capacity to ensure availabity for HIPAA
  • Add anssi reference to rsyslog_service_enabled
  • [Enhancement] Add initial HIPPA profile
  • [Enhancement] Added "anssi" profile to the RHEL7 product
  • [Bugfix] Fix ID of RHEL6 DISA STIG Profile
  • Fixing reference to outdated PAM configuration manual

XCCDF

  • [Bugfix] Add override to C2S-docker Profile
  • [Bugfix] Fix kernel module loading and unloading rules
  • Grub2 password fix
  • [Bugfix] Specify default account expiration value
  • [Bugfix] Specify default LUKS cipher and minimum key size
  • [Bugfix] Reference real files instead of procfs and sysfs files

OVAL

  • update to match all supported EAP 6 releases
  • Improve OVAL filepath expressions.
  • Add check and remediation for RHEL-07-040550 (shosts.equiv)
  • Add check and remediation for RHEL-07-040540

Remediation

  • [Enhancement] Introduced draft of SSG Bash scripting guidelines.
  • [Bugfix] Fixes #2607 - audit_rules_login_events
  • [Bugfix] Enable correct ansible templte for file modification audit rules
  • [Bugfix] Fix Ansible remediations broken by Ansible bug.
  • [Bugfix] Fixed the banner enablement option name.
  • [Bugfix] Add Ansible pre-task version checking for Ansible roles
  • [Bugfix] Remove duplicate install_smartcard_packages BASH script
  • [Enhancement] Ensure libsemanage-python is installed or Ansible SELinux boolean tas…
  • [Bugfix] Fix chronyd or ntpd set maxpoll
  • [Bugfix] fixed syntax issue with sed in auditd_data_retention_space_left.sh
  • [Ansible] Hooksie1 ansible pam faillock
  • [Bugfix] Add some of the missing BASH remediations
  • [Bugfix] Disable service remediation fails if service is not installed - ansible
  • [Bugfix] Check if prelink is installed before trying to disable
  • [Bugfix] updated kernel module loading init and delete to use b32 and b64
  • [Bugfix] fixed rpm_verify_permissions to use 4th field in cut statement
  • [Bugfix] Fix UsePrivilegeSeparation ansible remediation
  • [Bugfix] updated key variable to recognize both -k and -F key=
  • [Bugfix] reset IFS back to default in ensure_redhat_gpgkey_installed.sh
  • [Infrastructure][Bugfix] fixed template_BASH_sebool_var with valid bash syntax

SSG Test Suite

  • [Ssgtestsuite] Add tests for accounts_passwords_pam_faillock_deny
  • [Ssgtestsuite] Tests for ctrlaltdel burstaction and audit rules time
  • Changed test suite benchmark specification to use Ref-Id.
  • Update rule_sshd_use_priv_separation test to check for sandbox value
  • [Ssgtestsuite] Add test coverage for rule_accounts_have_homedir_login_defs
  • [Ssgtestsuite] Add test scenarios of rule_umask_for_daemons.
  • [Ssgtestsuite][Bugfix] Small test suite tweaks
  • [Ssgtestsuite] Better bash remediations tests.
  • Add tests accounts umask etc login defs
  • [Ssgtestsuite] Add scenario remediation parameter and fix sshd test scenarios

Infrastructure

  • Update Contributors list for release v0.1.38
  • [Infrastructure][Bugfix] Glob source xccdf files recursively
  • [Infrastructure][Ansible] Script to auto-upload / update ansible galaxy roles from SSG
  • cmake/SSGCommon.cmake: added check for override attribute
  • HTML table sanity check
  • [Easy Fix] Avoid 3 copy paste definitions of subprocess_check_output
  • Initial docs about ctest and adding tests to the cmake build system
  • [regression] Import ssgcommon in profile-stats
  • [Bugfix] New License
  • [Infrastructure][Enhancement] Use ctest instead of make validate
  • [Infrastructure][Bugfix][Enhancement] Update Vendor String in python files to ssgcommon.py
  • [Enhancement] Added description how to write new rules.
  • HTML tables for ANSSI Rules in RHEL7
  • [Bugfix] Fatal error if user attempts in-source build
  • [Infrastructure][Enhancement] Add common python module for centralizing reusable code
  • [Infrastructure][Bugfix] Apply to XCCDF file only the Rule and Group elements that apply to product being built
  • [Infrastructure] Added scanner of STIG IDs for rules in STIG profiles.

Full list of issues and pull requests closed in this release

Assets 7
Loading