Content 0.1.68
Released by github-actions on 15 Jun 08:49 · 6366 commits to master since this release
Important Highlights
- Bump OL8 STIG version to V1R6 (#10497)
- Introduce a Product class, make the project work with it (#10529)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- OL7 DISA STIG v2r11 update (#10498)
- Publish rendered policy artifacts (#10585)
- Update ANSSI BP-028 to version 2.0 (#10334)
New Rules and Profiles
- Add rule package_mailx_installed (#10495)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- Introduce file_permissions_audit_configuration rule (#10489)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- New rules to complete CIS requirements for SSH Keys (#10552)
- New SLE 15 rule set_nftables_base_chain (#10180)
- Rebased hagenest set nftables loopback traffic (#10366)
- Restart postfix service and add rule has_nonlocal_mta (#10359)
- SLE15 add implementation of nftables_rules_permanent rule (#10201)
- SLE15 add nftables ensure default deny policy (#10249)
- Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)
Updated Rules and Profiles
- Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
- Add package_avahi_removed to ubuntu profiles (#10406)
- Add rules SLES-15-010375 and SLES-12-010375 (#10625)
- Add rules SLES-15-010419 and SLES-12-010499 (#10621)
- Add rules SLES-15-010420 and SLES-12-010500 (#10623)
- Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
- audit_rules_privileged_commands: skip /proc directory (#10471)
- Bump OL8 STIG version to V1R6 (#10497)
- Complete CIS requirement for system accounts (#10627)
- Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
- delete rule SLES-15-040280 (#10383)
- Drop of some rules from SLE 12/15 profiles (#10527)
- Enable ensure_shadow_group_empty for RHEL7 (#10416)
- Enable service_nftables_disabled for RHEL (#10390)
- Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
- Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
- Fix in sshd_use_approved_ciphers (#10535)
- Fix in sudo_require_reauthentication (#10216)
- Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- No remediation warning for fapolicy_default_deny (#10433)
- OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
- OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
- OL7 DISA STIG v2r11 update (#10498)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE 12/15 profile updates (#10577)
- SLE improve kernel module disabled rule (#10368)
- SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
- sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
- Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
- Ubuntu 22.04 CIS modify password remember rule (#10480)
- Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
- Update accounts_password_pam_retry yaml (#10496)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update ANSSI BP-028 to version 2.0 (#10334)
- Update CIS controls related to nftables table and chains (#10629)
- Update CIS requirement for SSH access limit (#10470)
- Update netrc requirement in CIS for RHEL8 (#10511)
- Update OL9 STIG profile (#10407)
- Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- update rule sles-15-040250 (#10492)
Changes in Remediations
- Add Ubuntu SCE checks for iptables rules (#10587)
- Ansible remediation for configure_bashrc_exec_tmux (#10584)
- audit_rules_privileged_commands: skip /proc directory (#10471)
- Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
- Fix changes in Ansible tasks not expected to fail (#10427)
- Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
- Fix up RHEL kickstarts (#10499)
- fix: aide_string: drop nl at end (#10578)
- fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
- fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- Replace grep command with ansible find (#10579)
- SLE add ability to configure emergency via dropin (#10482)
- SLE improve kernel module disabled rule (#10368)
- SLE platforms: use drop-in file for sysctl variables (#10367)
- Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
- templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
- Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
Changes in Checks
- audit_rules_privileged_commands: skip /proc directory (#10471)
- bugfix: mount_option: handle commented lines (#10518)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in sudo_require_reauthentication (#10216)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE improve kernel module disabled rule (#10368)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- Use specific name in private key groups instead of gid (#10622)
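The mount_option bugfix above (#10518) is about a check that treated a commented-out fstab entry as if it were live, so a system could pass a check for, say, nodev on /tmp because a disabled line still contained the string. The following is an added example, not the project's own OVAL or SCE code: a small fstab parser that skips comments and blank lines, a check built on it, and the naive whole-file regex it replaces, run over a constructed sample fstab (file contents, mount points and option names are illustrative).

```python
"""Added example (not ComplianceAsCode's OVAL/SCE checks): a mount-option
check over /etc/fstab text that ignores commented-out entries, next to the
naive pattern that gets fooled by them."""
import re

# Constructed sample fstab content for illustration (not a real system's file).
# Note the commented-out /tmp line that carries nodev,nosuid,noexec while the
# live /tmp line only has 'defaults'.
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information (constructed sample)
UUID=1111-aaaa  /        ext4   defaults                      1 1
#/dev/sdb1      /tmp     ext4   defaults,nodev,nosuid,noexec  0 0
/dev/sdb1       /tmp     ext4   defaults                      0 0
tmpfs           /dev/shm tmpfs  defaults,nodev,nosuid         0 0
  # indented comment line
/dev/sdc1       /home    xfs    defaults,nodev                0 0
"""


def parse_fstab(text):
    """Return {mount_point: set(options)} for active (uncommented) entries.

    Comment lines (leading '#', optionally indented), blank lines and lines
    with fewer than the four mandatory fields are not live mounts and are
    dropped rather than matched.
    """
    mounts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        mount_point, options = fields[1], fields[3]
        mounts[mount_point] = set(options.split(","))
    return mounts


def check_mount_option(text, mount_point, option):
    """Pass only if an active fstab entry for mount_point carries option.

    A mount point that appears solely in a commented-out line is reported as
    not configured at all, which is the behaviour the bugfix restores.
    """
    mounts = parse_fstab(text)
    return mount_point in mounts and option in mounts[mount_point]


def naive_check(text, mount_point, option):
    """The pattern being fixed: a multiline regex over the whole file that
    does not care whether the matching line starts with '#'."""
    pattern = re.compile(
        rf"^.*\s{re.escape(mount_point)}\s+\S+\s+\S*{re.escape(option)}\S*",
        re.MULTILINE,
    )
    return pattern.search(text) is not None


if __name__ == "__main__":
    for mp, opt in (("/tmp", "nodev"), ("/dev/shm", "nosuid"), ("/home", "nodev")):
        print(f"{mp:9} {opt:6} naive={naive_check(SAMPLE_FSTAB, mp, opt)!s:5} "
              f"fixed={check_mount_option(SAMPLE_FSTAB, mp, opt)}")
```

Run against the sample, the naive regex reports nodev on /tmp as present because the commented line matches, while the parser-based check reports it missing; both agree on /dev/shm and /home, where the live entries carry the option. The same skip-comments-first discipline applies to any file-content check (sshd_config, sysctl drop-ins, pam files) where a disabled line can otherwise satisfy a substring match.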
Changes in the Infrastructure
- Add a product stability test (#10606)
- Add CMakelint (#10468)
- Add controls to the EOF checker (#10477)
- Automate and Fix Missing Newline at the End of Files (#10361)
- Expand the list of rules skipped by Ansible Lint (#10485)
- Fix data stream component parsing (#10411)
- Implement a tool for parsing profiles and outputting rules (#10455)
- Introduce a Product class, make the project work with it (#10529)
- Publish rendered policy artifacts (#10585)
- Refactor the scapval test (#10611)
- Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
- Remove unused imports (#10384)
- Remove unused variables (#10382)
- Shell quote support for Jinja macros (#10524)
- Stabilization: Fix install_vm.py on older versions of Python (#10652)
- Stop using deprecated set-output in GitHub Actions (#10588)
- Update CI Repo for CTF (#10385)
- Update GitHub Action Versions (#10543)
Changes in the Test Suite
- Add a product stability test (#10606)
- Add a warning to AutoMatus (#10394)
- bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
- bugfix: packages: delim is comma (#10559)
- bugfix: ssg_test_suite: RuleResult eq (#10365)
- Fix template not found error in Automatus (#10631)
- Fix tests applicability for ol8 product (#10570)
- Fix tests in sshd_lineinfile template (#10595)
- Fix typo in tests for sshd_limit_user_access (#10478)
- install_vm refactor (#10607)
- install-vm fixes / features (#10562)
- Remove machine pruning from gating (#10453)
- Revert change in test scenario script for enable_authselect rule (#10430)
- Unused test code (#10558)
- Use bash_package_* (#10557)
- Use mkdir -p when creating directories (#10556)
Documentation
- Add Kickstarts to the changelog (#10512)
- add python3 to the list of build dependencies for RHEL-8+ (#10503)
- Bump version for 0.1.68 (#10372)
- Fix read the docs build (#10537)
- fix: Fix misspelled word infrastruture (#10531)
- Jinja macro doc fixes (#10599)
- Reduce Doc Warnings (#10528)
- Styleguide Update (#10466)
- Update Add Product Guide (#10533)
- Update release documentation about release_helper.py script (#10502)