Skip to content

SCAP Security Guide 0.1.39 Release Notes
Compare
Choose a tag to compare
@yuumasato yuumasato released this 02 May 22:02
· 28432 commits to master since this release
v0.1.39
74e45ee
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Highlights

  • XCCDF Rules moved to yaml format
  • Jinja2 templating for Rules, Checks and remediation introduced
  • Profile IDs simplified
  • Product Oracle Linux 7 added
  • Common Profile removed in favor of Standard Profile
  • RHEL7 STIG reference updated to V1R4
  • RHEL6 STIG reference updated to V1R18

Profiles

  • [Bugfix] remove kernel IPv6 from RHEL6 STIG
  • [Bugfix] Remove disabling all usb devices in kernel for OSPP and HIPAA profile
  • [Bugfix] Add Missing DISA RHEL7 STIG XCCDF rules
  • [Bugfix] rhel7: fix titles/descriptions, indicate draft status (rebase of #2717)
  • update references to RHEL7 STIG release to V1R4
  • [Bugfix] Update RHEL 6 STIG Reference to V1R18
  • [Enhancement] Add profile sap to the product ol7
  • [Enhancement] OL7 standard profile extra rules
  • [Enhancement] Simplify profile ids
  • [Bugfix] RHEL 7 STIG V1R4
  • [Bugfix] Remove common profile and use standard profile instead
  • [Enhancement] Extra Apache STIG rules
  • [issue 2571] update OSPP profile name and description
  • [Bugfix] Added the forgotted ospp42 profile
  • [RHEL7] Initial OSPP v4.2 draft profile
  • [Bugfix] Removed duplicate sudo related selects in rhel7's HIPAA
  • [Enhancement] Hippaaahhh

Rules

  • [Enhancement] Fix missing elements and description in var_auditd_admin_space_left_action and var_auditd_space_left_action
  • [Bugfix] rhel6 dod banner prohibit whitespace
  • [Bugfix] update prose to reflect cron time shorthand codes
  • [Bugfix] Remove ignore option for auditing configuration
  • [Bugfix] Change ID of Rule that checks for IPV6 disabled
  • [Bugfix] Fix a mismatched tag issue in RHEL6 sudo.xml

OVAL

  • [Enhancement] Add Docker SELinux check in daemon.json
  • [Bugfix] fix faillock audit oval
  • [Enhancement] aide cron flex
  • audit_rules_privileged_commands: allow arbitrary key
  • ftp_present_banner: update pattern in oval file and add remediation
  • [Bugfix] Add disabled OVAL 5.11 services for SSHD for OpenSUSE
  • Fix Rule ensure logrotate activated
  • Fix #2618

Remediation

  • [Bugfix] Fix dconf_gnome_disable_geolocation script and add missing dconf remedation scripts
  • Removed an accidentally committed file in shared/fixes/bash
  • [Bugfix] Use include_dconf_settings bash remediation function
  • [Bugfix][Enhancement] Use new dconf bash functions for bash scripts and add some missing dconf scripts
  • [Bugfix] Make sure that dconf dirs exist
  • [Enhancement] Unify sshd disable empty passwords
  • [Enhancement] Added support for checks and remediation for mount_options.
  • [Bugfix] Add create_module and finit_module scripts
  • [Enhancement] Add Anaconda Kdump disable script
  • [Bugfix] Fix accounts_passwords_pam_faillock_deny.sh script
  • [Bugfix] Not escaping / character breaks perform_audit_rules_privileged_commands_remediation.sh
  • [Bugfix] Fix typo in set_faillock_option_to_value_in_pam_file.sh
  • updated rhel7/fixes/ansible/service_avahi-daemon_disabled.yml to match template_ANSIBLE_service_disabled
  • [Enhancement] Further improved replace_or_append
  • Improve remediation of auditd_data_disk_full_action
  • [Enhancement] Improved replace_or_append.
  • [Bugfix] Partition remediations
  • Improved bash syntax of bash remediations
  • [Bugfix] eaccess should actually be eacces

SSGTestSuite

  • [Ssgtestsuite] Add tests for verifying file permissions and hashes with RPM
  • [Ssgtestsuite] Added tests for checking for bootloader password protection.
  • Minor in size, but substantial test suite improvements.
  • [Ssgtestsuite] Tests and OVAL fix for Rule sssd_enable_pam_services
  • [Ssgtestsuite] Add remediation for ldap_client_start_tls

Infrastructure

  • [Bugfix] Change yaml.Loader to yaml.SafeLoader
  • Add benchmark metadata element to shorthand
  • Remove all references for dropped OVALs
  • [Infrastructure][Enhancement] Package command apt get
  • [Enhancement] Add minimum package version check with jinja2 template
  • [Bugfix] testoval_module.py not processing oval version correctly
  • [Bugfix] openSUSE CPE update and clean-up
  • [Enhancement] Use yaml.safe_load for build related yaml files
  • [Bugfix] Add python jinja2 package to build doc
  • [Enhancement] Add regex handling for SRG and STIG reference versions in CMake
  • [Infrastructure][Enhancement] jinja2 for fixes, checks and the opencontrol yaml
  • [Bugfix] Add external content to yaml
  • [Bugfix] Don't exit with 0 when product.yml loading fails
  • [Infrastructure][Enhancement] Template ubuntu packages
  • [Documentation] Docs directory cleanup
  • [Enhancement] Require the python yaml module, fatal error if it's not found
  • [Documentation] user_guide.adoc: updates
  • [Bugfix] Document minimum Ansible version in User/Developer Guides
  • [Bugfix] Don't load yaml booleans as python booleans
  • fix link in user guide
  • README.md: fix link
  • Fixed OVAL check exports.
  • [Infrastructure][Bugfix] Apply elements with relevant prodtype when generating xccdf xml
  • Mark draft profiles as "documentation_complete: false"
  • Refactoring of relabel-ids.py
  • Allow over 80 chars-long lines in Python scripts.
  • [Bugfix] Update build instructions to include PyYAML
  • Made the service disable command more complete.
  • [Infrastructure] Added print function support for Python2 where applicable.
  • [Infrastructure] Make it possible to build SSG with python3
  • [Infrastructure] shorthand.xml target should depend on the yaml-to-shorthand script
  • [Infrastructure] Configure python interpreter
  • [Infrastructure] Profile file extension is now ".profile"
  • [Enhancement] Moved stuff around so that the folder matches the Makefile target
  • Update COPR section
  • [Infrastructure] Make SSG easier to edit (the yaml project)
  • RHOSP7 now uses the shared guide
  • Use the shared benchmark for opensuse
  • [Bugfix] remediation functions xml is no longer in shared
  • OL7 was using one group outside of shared but everything else was shared
  • Add support for Oracle Linux 7
  • Updated parts of the project documentation.
  • Made Ubuntu14 and Ubuntu16 to use local content.
  • Move debian8 and rhel6 system and services locally
  • [Bugfix] Source only local shorthand XCCDF to build debian8 content
  • Remove the empty RHEVM3 benchmark
  • [Bugfix] RHEL6 to only use its local shorthand content
  • [Infrastructure][Enhancement] Fedora shared benchmark
  • Remove shared XCCDF from WRLinux for yaml prep
  • [Bugfix] Untangle shared shorthands
  • [Bugfix] Moved firefox shorthand XML to the firefox product folder from shared
  • [Bugfix] Chromium XCCDF was in shared even though it uses nothing else from sh…
  • [Bugfix] Moved the .gitkeep file to where the author most likely intended it
  • [Infrastructure][Bugfix] Fix install of PCI-DSS centric HTML guides

Full list of issues and pull requests closed in this release

Assets 5
Loading