Content 0.1.70
github-actions
released this
12 Oct 18:19
·
4876 commits
to master
since this release
Important Highlights
- Add openembedded distro support (#10793)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove test-function-check_playbook_file_removed_and_added test (#10982)
- scap-security-guide: Add Poky support (#11046)
New Rules and Profiles
- Add rule
package_s-nail-installed
(#11144) - Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
Updated Rules and Profiles
- A correction in the rule pam_disable_automatic_configuration (#10902)
- accounts_umask_etc_bashrc: depend on bash being installed (#10915)
- Add a two rules to RHEL 9 STIG (#10910)
- Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
- Add missing CIS references for SLE platforms (#11024)
- Add mount platform to mount_option_var_nosuid (#11037)
- Add rule logind_session_timeout to OL8 STIG (#10917)
- Add SELinux as platform (#11138)
- Add SRG ID to logind_session_timeout (#10936)
- Add tmux platform to tmux related rules (#11017)
- Add UBTU-20-010044 to existing ansible remediation (#11073)
- Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
- Add UBTU-20-010401 to restrict kernel message buffer (#11063)
- Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
- Add UBTU-20-010462 to lock accounts without passwords (#11060)
- Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
- Add variable support to
auditd_name_format
rule (#11019) - Add version for OCP CIS (#11152)
- Add version for OCP STIG (#11153)
- Add version metadata to the OCP PCI-DSS profile (#11155)
- Add warning to network_configure_name_resolution (#10997)
- Allow default permission for user.cfg file in UEFI systems (#10884)
- ANSSI: add rules to enable auditing service (#11005)
- Build OCP STIG profiles by default (#11132)
- Change how example ROLE_LIST are formatted (#11123)
- Change rule to use variable when auditing faillock (#11007)
- Changes in SLE 12/15 profiles to support logrotate service (#10796)
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
- Deprecate UBTU-20-010180 (#11079)
- Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
- Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
- Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
- Enable logrotate.timer check on RHCOS4 (#11045)
- Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
- Express more accurate per package platform limitation for firewall rules (#10812)
- Fix excluded_files and recursive for UBTU-20-010416 (#11086)
- Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- fix naming for UBTU-20-010430 (#11056)
- Fix package_audit-libs_installed rule.yml (#11127)
- Fix rule ubtu 20 010033 (#11065)
- Fix STIG references for SLE15 (#10850)
- Fix UBTU-20-010179 to use proper parameters and key (#11080)
- Fix UBTU-20-010267 and deprecate STIGs (#11084)
- Fix UBTU-20-10450 STIG (#11058)
- Fix variable selection when selecting the default value (#11015)
- Implement rules for CIS OCP Section 1.4 (#10840)
- Include new options in var_accounts_minimum_age_login_defs (#11052)
- Include RHEL indentifiers in logrotate related rules (#10904)
- Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
- iptables_ruleset_modifications: depend on iptables being installed (#11030)
- no_rsh_trust_files: depend on rsh-server being installed (#10809)
- OCP4 CIS: Re-add forgotten rules (#10864)
- OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
- OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
- OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
- OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
- OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
- OCPBUGS-7455: Hide API warning messages (#10971)
- OL7 DISA STIG v2r12 update (#10921)
- Port over etcd encryption rule from CIS 1.3 controls (#10753)
- Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
- Remove
controller_rotate_kubelet_server_certs
from OCP CIS v.1.4.0 (#10992) - Remove CIS reference from image policy webhook rule (#10932)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove protect kernel default and sysctl rules from CIS (#10931)
- remove rules not relevant to RHEL 9 from STIG profile (#10996)
- Remove rules that cannot be applied during image build (#10946)
- Remove sebool_secure_mode_insmod from anssi (#11001)
- Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
- Remove tickets from CIS control files (#10869)
- RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
- Select the
var_accounts_passwords_pam_faillock_dir=run
in RHEL7 profiles (#11163) - Standard Profile Improvements (#11109)
- Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
- Update CIS profiles to use control files (#10833)
- Update kubelet event creation limit to 50 (#10950)
- Update link to English version of ANSSI guide (#11038)
- Update metadata of OSPP profile in RHEL8/9 (#10984)
- Update OL8 STIG to V1R7 (#10918)
- Update platform on bios_enable_execution_restrictions (#10880)
- Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
- Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
- Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
- Version FedRAMP high and moderate profiles for OpenShift (#11154)
Changes in Remediations
- 0640 permission in permissions_local_var_log should only apply to files (#10856)
- accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
- Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
- Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
- Add RHEL as platform in su pam wheel group remidiation (#10995)
- Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
- Avoid Ansible shell module if not necessary (#10887)
- change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
- Couple of small fixes (#11004)
- Drop irrelevant return statement in bash remediation (#10988)
- Fix ansible remediation of configure_ssh_crypto_policy (#11008)
- Fix Ansible Tasks order (#11117)
- Fix bash_sshd_remediation macro on OL exclusive code (#10980)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Fix path and add ansible remediation UBTU-20-010298 (#11087)
- Fix remediation of sssd_enable_smartcards (#10981)
- Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
- Fix umask bash and Ansible (#11108)
- Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
- improve bash remediation of mount_option template (#11009)
- Improve remediation for SSH global settings (#11032)
- Improve template macros for grub command line (#10989)
- Minor improvements in configure_opensc_nss_db (#11044)
- Modify adie db exist path for UBTU-20-010450 (#11064)
- OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
- Refactor Ansible remediations that search local file systems (#10912)
- Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
- SLE Add journald configuration droping remediations (#10671)
- SLE AIDE periodic check and remediation via systemd timer (#10589)
- SLE Service timesyncd configured rule (#10670)
- templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
- Update enable_fips_mode Ansible Remedation (#11026)
- Update no_legacy_plus_entries_* Ansible Remedations (#11027)
- Use parameter value in ansible lineinfile macro (#10958)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
Changes in Checks
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- enhance OVAL for enable_fips_mode (#10897)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Improve OVAL readability in enable_fips_mode (#10911)
- Improve sshd_use_approved_kex_ordered_stig (#11053)
- Minor improvements in configure_opensc_nss_db (#11044)
- Remove kernel cmdline check (#10961)
- Select the
var_accounts_passwords_pam_faillock_dir=run
in RHEL7 profiles (#11163) - SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
- Sysctl template remediations do not modify package files (#10881)
Changes in the Infrastructure
- Add a faster alternative for generating HTML guides (#11036)
- Add Dependabot (#11113)
- Add manifests to zipfile target (#10944)
- Add Merge Group Trigger to Required Jobs (#11162)
- Add product as parameter when building profile reports (#11023)
- Add SCAPVal to Stabilize task (#11043)
- Add tickets key to control validation (#10872)
- Add version to profile element in the data stream (#10909)
- Allow k8s-content workflow to write (#11020)
- Build profile bash scripts differently (#11028)
- Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
- Dependabot Preparation (#11112)
- Fail build if profiles or controls contain invalid rule selections (#11135)
- Fix Ansible Tasks order (#11117)
- Fix multiple STIG id table generation (#11016)
- Fix OrderedDict definition (#11121)
- Fix Rawhide Build (#10953)
- Fix scap delta tailoring (#11145)
- Fix stig overlay (#11114)
- Generate profile oriented Ansible Playbooks in a different way (#11033)
- Grant packages write permissions to k8s-content workflow (#11021)
- Introduce controleval_metrics.py tool to generate metrics in Prometheus format (#11040)
- Make CCN references more flexible (#10871)
- Move master to use merge groups (#11131)
- OVAL object model (#11041)
- Reduce the number of times we build all of the products in CI (#10977)
- Remove dnf5 from Rawhide job (#11122)
- Remove override-true-all-profile-* tests (#11077)
- Remove superseded script compare_disa_xml.py (#10875)
- Remove unused code (#11039)
- Remove unused logging (#11125)
- Remove yamlpath (#10985)
- Running locally unit tests of
ssg
module using python2 and 3 (#11146) - Sanitize lines for clean YAML output when generating profiles (#10870)
- Unify file saving (#11126)
- Update Packit Config (#11147)
Changes in the Test Suite
- Add a test for pcre2 compatibility (#11022)
- Add refchecker tests to RHEL 9 (#10969)
- Add support of derivatives to Automatus (#11129)
- Ensure Python dependencies in Gate tests (#11048)
- Fix Automatus traceback (#11111)
- Fix Gate Test on Fedora Rawhide (#11047)
- Fix scenario applicability in Automatus combined mode (#11140)
- Include test scenario scripts in timer_enabled template (#10947)
- Optimize tests that run fix_rules.py (#10968)
- Remove duplicate builds for GitHub Actions (#10991)
- Remove override-true-all-profile-* tests (#11077)
- Remove test "validate-parse-platform" (#10990)
- Remove test validate-parse-affected (#10959)
- Remove test-function-check_playbook_file_removed_and_added test (#10982)
- Skip OVAL schematron validation in CI (#10960)
- test_machine_only_rules: allow multiple blank characters (#10983)
- Update expected result of e2e tests for sysctls already defined in
/usr/lib/sysctl.d
(#10930) - Use distributed product properties in Automatus (#10878)
Documentation
- Add JSON schema for controls (#11157)
- Add JSON schema for variables (#11156)
- Add libvirt-dev to read the docs apt packages (#11142)
- Documentation Clean Up (#11006)
- Expand Docs for SRG Spreadsheets (#11076)
- Expose Prometheus metrics on GitHub Pages (#11055)
- Improve rendering controls to HTML (#10994)
- Include metrics for rules and variables selected in Controls (#11128)
- Remove "not available" message (#10998)
- Sphinx apidocs (#10928)
- Update Build System Docs (#10955)
- Update contributors for 0.1.70 (#11150)
- Update editor config (#11161)
- update version to 0.1.70 (#10865)