Skip to content

Content 0.1.70

Compare
Choose a tag to compare
@github-actions github-actions released this 12 Oct 18:19
· 4876 commits to master since this release
28b7817

Important Highlights

  • Add openembedded distro support (#10793)
  • Remove DRAFT wording for OpenShift STIG (#11100)
  • Remove test-function-check_playbook_file_removed_and_added test (#10982)
  • scap-security-guide: Add Poky support (#11046)

New Rules and Profiles

  • Add rule package_s-nail-installed (#11144)
  • Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)

Updated Rules and Profiles

  • A correction in the rule pam_disable_automatic_configuration (#10902)
  • accounts_umask_etc_bashrc: depend on bash being installed (#10915)
  • Add a two rules to RHEL 9 STIG (#10910)
  • Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
  • Add missing CIS references for SLE platforms (#11024)
  • Add mount platform to mount_option_var_nosuid (#11037)
  • Add rule logind_session_timeout to OL8 STIG (#10917)
  • Add SELinux as platform (#11138)
  • Add SRG ID to logind_session_timeout (#10936)
  • Add tmux platform to tmux related rules (#11017)
  • Add UBTU-20-010044 to existing ansible remediation (#11073)
  • Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
  • Add UBTU-20-010401 to restrict kernel message buffer (#11063)
  • Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
  • Add UBTU-20-010462 to lock accounts without passwords (#11060)
  • Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
  • Add variable support to auditd_name_format rule (#11019)
  • Add version for OCP CIS (#11152)
  • Add version for OCP STIG (#11153)
  • Add version metadata to the OCP PCI-DSS profile (#11155)
  • Add warning to network_configure_name_resolution (#10997)
  • Allow default permission for user.cfg file in UEFI systems (#10884)
  • ANSSI: add rules to enable auditing service (#11005)
  • Build OCP STIG profiles by default (#11132)
  • Change how example ROLE_LIST are formatted (#11123)
  • Change rule to use variable when auditing faillock (#11007)
  • Changes in SLE 12/15 profiles to support logrotate service (#10796)
  • Couple of fixes in PAM related rules for SLE platforms (#11014)
  • Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
  • Deprecate UBTU-20-010180 (#11079)
  • Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
  • Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
  • Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
  • Enable logrotate.timer check on RHCOS4 (#11045)
  • Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
  • Express more accurate per package platform limitation for firewall rules (#10812)
  • Fix excluded_files and recursive for UBTU-20-010416 (#11086)
  • Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • fix naming for UBTU-20-010430 (#11056)
  • Fix package_audit-libs_installed rule.yml (#11127)
  • Fix rule ubtu 20 010033 (#11065)
  • Fix STIG references for SLE15 (#10850)
  • Fix UBTU-20-010179 to use proper parameters and key (#11080)
  • Fix UBTU-20-010267 and deprecate STIGs (#11084)
  • Fix UBTU-20-10450 STIG (#11058)
  • Fix variable selection when selecting the default value (#11015)
  • Implement rules for CIS OCP Section 1.4 (#10840)
  • Include new options in var_accounts_minimum_age_login_defs (#11052)
  • Include RHEL indentifiers in logrotate related rules (#10904)
  • Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
  • iptables_ruleset_modifications: depend on iptables being installed (#11030)
  • no_rsh_trust_files: depend on rsh-server being installed (#10809)
  • OCP4 CIS: Re-add forgotten rules (#10864)
  • OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
  • OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
  • OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
  • OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
  • OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
  • OCPBUGS-7455: Hide API warning messages (#10971)
  • OL7 DISA STIG v2r12 update (#10921)
  • Port over etcd encryption rule from CIS 1.3 controls (#10753)
  • Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
  • Remove controller_rotate_kubelet_server_certs from OCP CIS v.1.4.0 (#10992)
  • Remove CIS reference from image policy webhook rule (#10932)
  • Remove DRAFT wording for OpenShift STIG (#11100)
  • Remove protect kernel default and sysctl rules from CIS (#10931)
  • remove rules not relevant to RHEL 9 from STIG profile (#10996)
  • Remove rules that cannot be applied during image build (#10946)
  • Remove sebool_secure_mode_insmod from anssi (#11001)
  • Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
  • Remove tickets from CIS control files (#10869)
  • RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
  • Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
  • Standard Profile Improvements (#11109)
  • Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
  • Update CIS profiles to use control files (#10833)
  • Update kubelet event creation limit to 50 (#10950)
  • Update link to English version of ANSSI guide (#11038)
  • Update metadata of OSPP profile in RHEL8/9 (#10984)
  • Update OL8 STIG to V1R7 (#10918)
  • Update platform on bios_enable_execution_restrictions (#10880)
  • Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
  • Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
  • Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
  • Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
  • Version FedRAMP high and moderate profiles for OpenShift (#11154)

Changes in Remediations

  • 0640 permission in permissions_local_var_log should only apply to files (#10856)
  • accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
  • Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
  • Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
  • Add RHEL as platform in su pam wheel group remidiation (#10995)
  • Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
  • Avoid Ansible shell module if not necessary (#10887)
  • change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
  • Couple of small fixes (#11004)
  • Drop irrelevant return statement in bash remediation (#10988)
  • Fix ansible remediation of configure_ssh_crypto_policy (#11008)
  • Fix Ansible Tasks order (#11117)
  • Fix bash_sshd_remediation macro on OL exclusive code (#10980)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • Fix path and add ansible remediation UBTU-20-010298 (#11087)
  • Fix remediation of sssd_enable_smartcards (#10981)
  • Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
  • Fix umask bash and Ansible (#11108)
  • Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
  • improve bash remediation of mount_option template (#11009)
  • Improve remediation for SSH global settings (#11032)
  • Improve template macros for grub command line (#10989)
  • Minor improvements in configure_opensc_nss_db (#11044)
  • Modify adie db exist path for UBTU-20-010450 (#11064)
  • OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
  • Refactor Ansible remediations that search local file systems (#10912)
  • Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
  • SLE Add journald configuration droping remediations (#10671)
  • SLE AIDE periodic check and remediation via systemd timer (#10589)
  • SLE Service timesyncd configured rule (#10670)
  • templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
  • Update enable_fips_mode Ansible Remedation (#11026)
  • Update no_legacy_plus_entries_* Ansible Remedations (#11027)
  • Use parameter value in ansible lineinfile macro (#10958)
  • Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)

Changes in Checks

  • Couple of fixes in PAM related rules for SLE platforms (#11014)
  • enhance OVAL for enable_fips_mode (#10897)
  • Fix into the rule sysctl_kernel_randomize_va_space (#10555)
  • Improve OVAL readability in enable_fips_mode (#10911)
  • Improve sshd_use_approved_kex_ordered_stig (#11053)
  • Minor improvements in configure_opensc_nss_db (#11044)
  • Remove kernel cmdline check (#10961)
  • Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
  • SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
  • Sysctl template remediations do not modify package files (#10881)

Changes in the Infrastructure

  • Add a faster alternative for generating HTML guides (#11036)
  • Add Dependabot (#11113)
  • Add manifests to zipfile target (#10944)
  • Add Merge Group Trigger to Required Jobs (#11162)
  • Add product as parameter when building profile reports (#11023)
  • Add SCAPVal to Stabilize task (#11043)
  • Add tickets key to control validation (#10872)
  • Add version to profile element in the data stream (#10909)
  • Allow k8s-content workflow to write (#11020)
  • Build profile bash scripts differently (#11028)
  • Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
  • Dependabot Preparation (#11112)
  • Fail build if profiles or controls contain invalid rule selections (#11135)
  • Fix Ansible Tasks order (#11117)
  • Fix multiple STIG id table generation (#11016)
  • Fix OrderedDict definition (#11121)
  • Fix Rawhide Build (#10953)
  • Fix scap delta tailoring (#11145)
  • Fix stig overlay (#11114)
  • Generate profile oriented Ansible Playbooks in a different way (#11033)
  • Grant packages write permissions to k8s-content workflow (#11021)
  • Introduce controleval_metrics.py tool to generate metrics in Prometheus format (#11040)
  • Make CCN references more flexible (#10871)
  • Move master to use merge groups (#11131)
  • OVAL object model (#11041)
  • Reduce the number of times we build all of the products in CI (#10977)
  • Remove dnf5 from Rawhide job (#11122)
  • Remove override-true-all-profile-* tests (#11077)
  • Remove superseded script compare_disa_xml.py (#10875)
  • Remove unused code (#11039)
  • Remove unused logging (#11125)
  • Remove yamlpath (#10985)
  • Running locally unit tests of ssg module using python2 and 3 (#11146)
  • Sanitize lines for clean YAML output when generating profiles (#10870)
  • Unify file saving (#11126)
  • Update Packit Config (#11147)

Changes in the Test Suite

  • Add a test for pcre2 compatibility (#11022)
  • Add refchecker tests to RHEL 9 (#10969)
  • Add support of derivatives to Automatus (#11129)
  • Ensure Python dependencies in Gate tests (#11048)
  • Fix Automatus traceback (#11111)
  • Fix Gate Test on Fedora Rawhide (#11047)
  • Fix scenario applicability in Automatus combined mode (#11140)
  • Include test scenario scripts in timer_enabled template (#10947)
  • Optimize tests that run fix_rules.py (#10968)
  • Remove duplicate builds for GitHub Actions (#10991)
  • Remove override-true-all-profile-* tests (#11077)
  • Remove test "validate-parse-platform" (#10990)
  • Remove test validate-parse-affected (#10959)
  • Remove test-function-check_playbook_file_removed_and_added test (#10982)
  • Skip OVAL schematron validation in CI (#10960)
  • test_machine_only_rules: allow multiple blank characters (#10983)
  • Update expected result of e2e tests for sysctls already defined in /usr/lib/sysctl.d (#10930)
  • Use distributed product properties in Automatus (#10878)

Documentation

  • Add JSON schema for controls (#11157)
  • Add JSON schema for variables (#11156)
  • Add libvirt-dev to read the docs apt packages (#11142)
  • Documentation Clean Up (#11006)
  • Expand Docs for SRG Spreadsheets (#11076)
  • Expose Prometheus metrics on GitHub Pages (#11055)
  • Improve rendering controls to HTML (#10994)
  • Include metrics for rules and variables selected in Controls (#11128)
  • Remove "not available" message (#10998)
  • Sphinx apidocs (#10928)
  • Update Build System Docs (#10955)
  • Update contributors for 0.1.70 (#11150)
  • Update editor config (#11161)
  • update version to 0.1.70 (#10865)