Releases: ComplianceAsCode/content

Content 0.1.45 Release Notes

25 Jul 00:03
b59a21d

Highlights:

  • Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
  • RHEL7 ANSSI profiles are now enabled
  • Improvements to profile statistics, check them out in stats job
  • New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

  • rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
  • fedora: pci-dss, ospp
  • rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
  • ol8: hipaa, cjis, pci-dss, ospp
  • wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
  • wrlinux8: basic-embedded
  • rhel6: C2S, CS2, nist-CL-IL-AL
  • chromium: stig
  • firefox: stig
  • ol7: stig, pci-dss

Profiles:

  • Remove unnecessary packages from ospp (#4632)
  • Deduplicate profile files. (#4601)
  • Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
  • Update the RHEL8 profile (#4229)
  • Add rhel7 ccc (Common Criteria Certification) profile (#4361)
  • Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
  • OL8 profiles update (#4374)
  • Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
  • Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
  • misc updates to OSPP profile (#4586)
  • RHVH/RHELH STIG mappings (#4033)

Rules:

  • New rule dnf-automatic_security_updates_only (#4619)
  • Pimp ANSSI up and enable it (#4615)
  • New rule disable_tmux_status_line (#4631)
  • Enable the fapolicyd service for OSPP. (#4623)
  • Install fapolicyd for OSPP. (#4622)
  • new rule dnf-automatic_apply_updates (#4613)
  • Disable storing core dumps. (#4618)
  • Enable the usbguard service in OSPP profiles. (#4611)
  • Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
  • Added a test for uniqueness of CCEs. (#4577)
  • Add remaining rules from CC to OSPP (#4599)
  • Disable the use of user namespaces. (#4569)
  • Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
  • Enable Kernel page-table isolation. (#4566)
  • add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
  • Update OSPP profile with required package checks (#4580)
  • Disable CAN Support. (#4572)
  • Disable ATM Support. (#4571)
  • Disable IEEE 1394 (FireWire) Support. (#4573)
  • update OSPP (#4446)
  • Harden the kernel package filter just-in-time compiler operation. (#4564)
  • Disable access to network bpf() syscall from unprivileged processes. (#4563)
  • Disallow kernel profiling by unprivileged users. (#4547)
  • Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
  • Add nodev Option to /var. (#4542)
  • Add nodev Option to /boot. (#4453)
  • Add nosuid Option to /boot. (#4452)
  • Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
  • Disable chrony daemon from acting as server. (#4445)
  • Disable network management of chrony daemon. (#4449)
  • Map more rules into Anssi policy (#4439)
  • ANSSI network sysctl (#4345)
  • Fix typo. (#4423)
  • Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
  • Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
  • Anssi updates (#4351)
  • OSP13 Checks (#4364)
  • Smartcards auth in OL8 should be done via sssd (#4377)
  • Remove dconf_use_text_backend rule from profiles. (#4375)
  • Make hardened containers smaller (#4357)
  • Scap 1.3 content adjustments (#4353)
  • Generate check and remediation for rules regarding sysctl controls for links to files you do not own (#4346)
  • Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
  • Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
  • Rename group sap to sap_host (#4332)

Tests:

  • Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
  • Add tests for kernel_module_firewire-core_disabled rule. (#4605)
  • Document combined mode in tests/README.md (#4590)
  • install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
  • Remove ansible_playbook_set_hosts function from test suite (#4576)
  • Add profile metadata override in rule mode (#4578)
  • Fix test scenarios for mount option home nosuid (#4579)
  • Fix minlen test scenarios and include RHEL8 platform (#4450)
  • Print an error message when rule isn't found (#4454)
  • Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
  • Enable the (all) virtual profile in the rule-based test suite. (#4441)
  • Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
  • Install just things needed for the sssd service to run. (#4396)
  • Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
  • Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
  • Fix audit rules openat_o_trunc_write test scenarios. (#4438)
  • Add verbose output to the verbose logs (#4431)
  • Fix broken test scenario name (#4426)
  • Add option for extra repository in install_vm.py script. (#4421)
  • Change test scenarios for rule rpm_verify_permissions (#4344)
  • tests/install_vm.py: Do not abort if ostype detection fails (#4343)
  • Use VM install repo URL on the installed system (#4338)
  • Workaround SCAPVal 1.3.2 NullPointerException (#4339)
  • Use separate partition for /var/tmp in tests/kickstart (#4337)
  • Add test wrapper around SCAPVal tool (#4327)
  • Fix-ups and remote host support for tests/install_vm.py (#4328)

Content 0.1.44 Release Notes

03 May 15:46
8cb2d0f

Highlights

  • SCAP 1.3 DS generated alongside SCAP 1.2 DS
  • An Ansible Playbook is generated for each rule
  • Remediation roles terminology fixed
    • Ansible "roles" are now called Playbooks
    • Bash "roles" are now called bash scripts
  • Introduction of package CPEs for Rule applicability
  • Content will detect Podman as a container environment
  • Several fixes in Ansible snippets so that they don't error during execution

Products and Profiles

  • Significant content additions and bugfixes for OpenShift
  • Enable RHV-H and RHEL-H draft STIG profiles
  • RHEL7 STIG profiles renamed to have shorter ID
  • RHEL7 nist-800-171-cui renamed to cui
  • New rules enabled for SLE12

Rules

  • FIPS regulatory warning updated
  • Rules not relevant for containers tagged as machine only
  • Fixed duplicated CCEs

Documentation

  • Documentation in Build.md merged into Developer Guide
  • Mention profile_stats.py in Developer Guide
  • Update Ansible section in Developer Guide
  • Add documentation to build zipfile target

Infrastructure

  • Rename profile_stats to profile_tool and update usage by CMake.
  • CCE checksums are now validated
  • Update ansible template, readme, and script to bring in line with Ansible Galaxy

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.43 Release Notes

21 Feb 16:33
99fde6f

This release features several profile updates, and improvements to the content Test Suite.

  • Content updates
    • OpenShift - Miscellaneous updates
    • Added OL7 Draft DISA STIG profile
    • Added OL8 profiles:
      • Draft HIPAA
      • Draft CUI
      • Draft OSPP
      • CJIS security policy profile
    • Added RHEL7 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • Added RHV4 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • RHEL8 profiles:
      • Updated RHEL8 OSPP
      • Update PCI-DSS profile
      • Added kickstart for OSPP and PCI-DSS profiles
  • Minimum supported Ansible version bumped to 2.5
  • Ansible-lint fixes and remove some trailing whitespace
  • TestSuite
    • Updated documentation
    • New Podman backend
    • Usability improvements
  • Added build_product script to help build content

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.42 Release Notes

11 Dec 15:50
0db5ec5

This release is mostly about improvements in content, including many new rules, checks and remediations, and bugfixes to them.
This release features significant updates in content for

  • Oracle Linux 7, OpenStack Platform 13
  • OpenShift Container Platform 3
  • and newly added product Red Hat Enterprise Linux 8.

Highlights

  • Addition of RHEL8 product
  • Content for OSP7 has been updated for OSP13
  • Content for OCP3 has been updated
  • New content is enabled for OL7
  • Addition of rules that cover configuration of system-wide crypto policy
  • Addition of Fedora 29 in place of Fedora 27
  • Update of TestSuite to work with python3.7
  • Introduction of platform dependent test scenarios

Known issues

  • Building content for RHEL derivatives (CentOS and Scientific Linux) can sometimes fail on the man_page target.
    This is a race condition caused by a missing dependency of the man_page build target.
    The issue is fixed by the following patch: #3662

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.41 Release Notes

01 Oct 13:01
daf9588

This release continues the fixes "under the hood": checks and fixes are now better placed, in the same directory as the rule description.
We also feature new Products and new Profiles; test coverage for the rules was significantly improved, along with the testing capabilities of SSGTestSuite.

Highlights

  • Improved test scenario coverage of rules
  • Improvements regarding content for Kubernetes for opencis-ocp-master Profile
  • Introduction of concept of stable Profiles
  • Addition of Ubuntu 1804 Product with ANSSI and standard Profiles
  • Addition of OSPP 4.2 Profile for Fedora
  • Addition of PCI-DSS Profile for Fedora
  • Possibility to manually debug test scenarios
  • Addition of Example Product
  • Support to evaluate test scenarios on container images
  • Introduction of SSG unit tests for build system functions
  • Reorganization of checks and fixes to sit closer to the rule description

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.40

25 Jul 12:49

SSG 0.1.40 Release Notes

The 0.1.40 release has most changes "under the hood". A huge amount of content was de-duplicated, and similar checks for slightly different products were unified and merged. This has fixed a huge number of imperfections and subtle bugs.

Other highlights

  • SSG can be built by Python3
  • SSG build system got unit tests setup.
  • Syntax checks of Ansible playbooks have been added to the test suite.
  • Project documentation has been updated, expanded, and restructured.
  • Dropped support for XSLT in the content in favor of jinja2 macros that are nicer and easier to edit.
  • Build system has become more predictable - strict validation for rule identifiers, CCEs and references at build time has been introduced.
  • Improved user feedback on more build-time errors.
  • Better support for rule checks that use multiple OVAL versions (5.10 and 5.11).
  • Made the build system deduce some properties of products (e.g. pkg_system from pkg_manager)
  • Updated Ansible playbooks, so they don't use deprecated constructs.
  • Updated grep invocation to use LC_ALL=C, so it is faster and more predictable.
  • anaconda-populate variable substitution has been fixed.
  • The service-disable family of rules now takes the corresponding socket deactivation into account, where applicable, in both checks and remediations.
  • Set up jinja2 cache for faster builds.
  • Restructure of Python code, which has been divided into the core ssg package, build-scripts and utils.
  • Improved the compare_generated.sh tool for inspection of generated content.
  • The Dockerfile has been modernized, supports Ansible and started to use the Fedora baseimage.

Additions

  • Added mcafee_antivirus_definitions_updated OVAL and XCCDF variables
  • OpenSUSE Leap 15.0 CPE
  • Rules in 0.1.39 that were missing warnings got them.
  • Many OL7 additions (+ pci-dss profile stub).
  • Added tests of auditd rules to SSG Test Suite.
  • dod_banner selector added for RHEL6
  • Support augenrules in RHEL6 for audit_rules_dac_modification

Removals

  • Removed FIPS remediations as well as RHEL CCEs from CentOS.

SCAP Security Guide 0.1.39 Release Notes

02 May 22:02
74e45ee

Highlights

  • XCCDF Rules moved to yaml format
  • Jinja2 templating for Rules, Checks and remediation introduced
  • Profile IDs simplified
  • Product Oracle Linux 7 added
  • Common Profile removed in favor of Standard Profile
  • RHEL7 STIG reference updated to V1R4
  • RHEL6 STIG reference updated to V1R18

Profiles

  • [Bugfix] remove kernel IPv6 from RHEL6 STIG
  • [Bugfix] Remove disabling all usb devices in kernel for OSPP and HIPAA profile
  • [Bugfix] Add Missing DISA RHEL7 STIG XCCDF rules
  • [Bugfix] rhel7: fix titles/descriptions, indicate draft status (rebase of #2717)
  • update references to RHEL7 STIG release to V1R4
  • [Bugfix] Update RHEL 6 STIG Reference to V1R18
  • [Enhancement] Add profile sap to the product ol7
  • [Enhancement] OL7 standard profile extra rules
  • [Enhancement] Simplify profile ids
  • [Bugfix] RHEL 7 STIG V1R4
  • [Bugfix] Remove common profile and use standard profile instead
  • [Enhancement] Extra Apache STIG rules
  • [issue 2571] update OSPP profile name and description
  • [Bugfix] Added the forgotten ospp42 profile
  • [RHEL7] Initial OSPP v4.2 draft profile
  • [Bugfix] Removed duplicate sudo related selects in rhel7's HIPAA
  • [Enhancement] Hippaaahhh

Rules

  • [Enhancement] Fix missing elements and description in var_auditd_admin_space_left_action and var_auditd_space_left_action
  • [Bugfix] rhel6 dod banner prohibit whitespace
  • [Bugfix] update prose to reflect cron time shorthand codes
  • [Bugfix] Remove ignore option for auditing configuration
  • [Bugfix] Change ID of Rule that checks for IPV6 disabled
  • [Bugfix] Fix a mismatched tag issue in RHEL6 sudo.xml

OVAL

  • [Enhancement] Add Docker SELinux check in daemon.json
  • [Bugfix] fix faillock audit oval
  • [Enhancement] aide cron flex
  • audit_rules_privileged_commands: allow arbitrary key
  • ftp_present_banner: update pattern in oval file and add remediation
  • [Bugfix] Add disabled OVAL 5.11 services for SSHD for OpenSUSE
  • Fix Rule ensure logrotate activated
  • Fix #2618

Remediation

  • [Bugfix] Fix dconf_gnome_disable_geolocation script and add missing dconf remediation scripts
  • Removed an accidentally committed file in shared/fixes/bash
  • [Bugfix] Use include_dconf_settings bash remediation function
  • [Bugfix][Enhancement] Use new dconf bash functions for bash scripts and add some missing dconf scripts
  • [Bugfix] Make sure that dconf dirs exist
  • [Enhancement] Unify sshd disable empty passwords
  • [Enhancement] Added support for checks and remediation for mount_options.
  • [Bugfix] Add create_module and finit_module scripts
  • [Enhancement] Add Anaconda Kdump disable script
  • [Bugfix] Fix accounts_passwords_pam_faillock_deny.sh script
  • [Bugfix] Not escaping / character breaks perform_audit_rules_privileged_commands_remediation.sh
  • [Bugfix] Fix typo in set_faillock_option_to_value_in_pam_file.sh
  • updated rhel7/fixes/ansible/service_avahi-daemon_disabled.yml to match template_ANSIBLE_service_disabled
  • [Enhancement] Further improved replace_or_append
  • Improve remediation of auditd_data_disk_full_action
  • [Enhancement] Improved replace_or_append.
  • [Bugfix] Partition remediations
  • Improved bash syntax of bash remediations
  • [Bugfix] eaccess should actually be eacces

SSGTestSuite

  • [Ssgtestsuite] Add tests for verifying file permissions and hashes with RPM
  • [Ssgtestsuite] Added tests for checking for bootloader password protection.
  • Minor in size, but substantial test suite improvements.
  • [Ssgtestsuite] Tests and OVAL fix for Rule sssd_enable_pam_services
  • [Ssgtestsuite] Add remediation for ldap_client_start_tls

Infrastructure

  • [Bugfix] Change yaml.Loader to yaml.SafeLoader
  • Add benchmark metadata element to shorthand
  • Remove all references for dropped OVALs
  • [Infrastructure][Enhancement] Package command apt get
  • [Enhancement] Add minimum package version check with jinja2 template
  • [Bugfix] testoval_module.py not processing oval version correctly
  • [Bugfix] openSUSE CPE update and clean-up
  • [Enhancement] Use yaml.safe_load for build related yaml files
  • [Bugfix] Add python jinja2 package to build doc
  • [Enhancement] Add regex handling for SRG and STIG reference versions in CMake
  • [Infrastructure][Enhancement] jinja2 for fixes, checks and the opencontrol yaml
  • [Bugfix] Add external content to yaml
  • [Bugfix] Don't exit with 0 when product.yml loading fails
  • [Infrastructure][Enhancement] Template ubuntu packages
  • [Documentation] Docs directory cleanup
  • [Enhancement] Require the python yaml module, fatal error if it's not found
  • [Documentation] user_guide.adoc: updates
  • [Bugfix] Document minimum Ansible version in User/Developer Guides
  • [Bugfix] Don't load yaml booleans as python booleans
  • fix link in user guide
  • README.md: fix link
  • Fixed OVAL check exports.
  • [Infrastructure][Bugfix] Apply elements with relevant prodtype when generating xccdf xml
  • Mark draft profiles as "documentation_complete: false"
  • Refactoring of relabel-ids.py
  • Allow over 80 chars-long lines in Python scripts.
  • [Bugfix] Update build instructions to include PyYAML
  • Made the service disable command more complete.
  • [Infrastructure] Added print function support for Python2 where applicable.
  • [Infrastructure] Make it possible to build SSG with python3
  • [Infrastructure] shorthand.xml target should depend on the yaml-to-shorthand script
  • [Infrastructure] Configure python interpreter
  • [Infrastructure] Profile file extension is now ".profile"
  • [Enhancement] Moved stuff around so that the folder matches the Makefile target
  • Update COPR section
  • [Infrastructure] Make SSG easier to edit (the yaml project)
  • RHOSP7 now uses the shared guide
  • Use the shared benchmark for opensuse
  • [Bugfix] remediation functions xml is no longer in shared
  • OL7 was using one group outside of shared but everything else was shared
  • Add support for Oracle Linux 7
  • Updated parts of the project documentation.
  • Made Ubuntu14 and Ubuntu16 to use local content.
  • Move debian8 and rhel6 system and services locally
  • [Bugfix] Source only local shorthand XCCDF to build debian8 content
  • Remove the empty RHEVM3 benchmark
  • [Bugfix] RHEL6 to only use its local shorthand content
  • [Infrastructure][Enhancement] Fedora shared benchmark
  • Remove shared XCCDF from WRLinux for yaml prep
  • [Bugfix] Untangle shared shorthands
  • [Bugfix] Moved firefox shorthand XML to the firefox product folder from shared
  • [Bugfix] Chromium XCCDF was in shared even though it uses nothing else from sh…
  • [Bugfix] Moved the .gitkeep file to where the author most likely intended it
  • [Infrastructure][Bugfix] Fix install of PCI-DSS centric HTML guides

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.38 Release Notes

02 Mar 15:03
137d2c1

Highlights

  • New License - BSD-3 Clause
  • New Profiles introduced for development
    • ANSSI
    • HIPAA
    • C2S-Docker
  • Adoption of CTest for schema validation
  • Several remediation fixes

Profiles

  • [Enhancement] Add initial C2S Docker Profile
  • [Bugfix] This is a shorthand XCCDF, not the actual XCCDF 1.1, the xmlns makes …
  • [Bugfix] It's HIPAA, not HIPPA
  • Add some rules for protection of data in transit and adequate capacity to ensure availability for HIPAA
  • Add anssi reference to rsyslog_service_enabled
  • [Enhancement] Add initial HIPPA profile
  • [Enhancement] Added "anssi" profile to the RHEL7 product
  • [Bugfix] Fix ID of RHEL6 DISA STIG Profile
  • Fixing reference to outdated PAM configuration manual

XCCDF

  • [Bugfix] Add override to C2S-docker Profile
  • [Bugfix] Fix kernel module loading and unloading rules
  • Grub2 password fix
  • [Bugfix] Specify default account expiration value
  • [Bugfix] Specify default LUKS cipher and minimum key size
  • [Bugfix] Reference real files instead of procfs and sysfs files

OVAL

  • update to match all supported EAP 6 releases
  • Improve OVAL filepath expressions.
  • Add check and remediation for RHEL-07-040550 (shosts.equiv)
  • Add check and remediation for RHEL-07-040540

Remediation

  • [Enhancement] Introduced draft of SSG Bash scripting guidelines.
  • [Bugfix] Fixes #2607 - audit_rules_login_events
  • [Bugfix] Enable correct ansible template for file modification audit rules
  • [Bugfix] Fix Ansible remediations broken by Ansible bug.
  • [Bugfix] Fixed the banner enablement option name.
  • [Bugfix] Add Ansible pre-task version checking for Ansible roles
  • [Bugfix] Remove duplicate install_smartcard_packages BASH script
  • [Enhancement] Ensure libsemanage-python is installed or Ansible SELinux boolean tas…
  • [Bugfix] Fix chronyd or ntpd set maxpoll
  • [Bugfix] fixed syntax issue with sed in auditd_data_retention_space_left.sh
  • [Ansible] Hooksie1 ansible pam faillock
  • [Bugfix] Add some of the missing BASH remediations
  • [Bugfix] Disable service remediation fails if service is not installed - ansible
  • [Bugfix] Check if prelink is installed before trying to disable
  • [Bugfix] updated kernel module loading init and delete to use b32 and b64
  • [Bugfix] fixed rpm_verify_permissions to use 4th field in cut statement
  • [Bugfix] Fix UsePrivilegeSeparation ansible remediation
  • [Bugfix] updated key variable to recognize both -k and -F key=
  • [Bugfix] reset IFS back to default in ensure_redhat_gpgkey_installed.sh
  • [Infrastructure][Bugfix] fixed template_BASH_sebool_var with valid bash syntax

SSG Test Suite

  • [Ssgtestsuite] Add tests for accounts_passwords_pam_faillock_deny
  • [Ssgtestsuite] Tests for ctrlaltdel burstaction and audit rules time
  • Changed test suite benchmark specification to use Ref-Id.
  • Update rule_sshd_use_priv_separation test to check for sandbox value
  • [Ssgtestsuite] Add test coverage for rule_accounts_have_homedir_login_defs
  • [Ssgtestsuite] Add test scenarios of rule_umask_for_daemons.
  • [Ssgtestsuite][Bugfix] Small test suite tweaks
  • [Ssgtestsuite] Better bash remediations tests.
  • Add tests accounts umask etc login defs
  • [Ssgtestsuite] Add scenario remediation parameter and fix sshd test scenarios

Infrastructure

  • Update Contributors list for release v0.1.38
  • [Infrastructure][Bugfix] Glob source xccdf files recursively
  • [Infrastructure][Ansible] Script to auto-upload / update ansible galaxy roles from SSG
  • cmake/SSGCommon.cmake: added check for override attribute
  • HTML table sanity check
  • [Easy Fix] Avoid 3 copy paste definitions of subprocess_check_output
  • Initial docs about ctest and adding tests to the cmake build system
  • [regression] Import ssgcommon in profile-stats
  • [Bugfix] New License
  • [Infrastructure][Enhancement] Use ctest instead of make validate
  • [Infrastructure][Bugfix][Enhancement] Update Vendor String in python files to ssgcommon.py
  • [Enhancement] Added description how to write new rules.
  • HTML tables for ANSSI Rules in RHEL7
  • [Bugfix] Fatal error if user attempts in-source build
  • [Infrastructure][Enhancement] Add common python module for centralizing reusable code
  • [Infrastructure][Bugfix] Apply to XCCDF file only the Rule and Group elements that apply to product being built
  • [Infrastructure] Added scanner of STIG IDs for rules in STIG profiles.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.37 Release Notes

03 Jan 14:53

Highlights

  • New Profile DISA STIG for Apache HTTP for RHEL7 (#2474)
  • Support for Ansible remediations in SSG Test Suite (#2468)
  • Better content support for DISA STIG Viewer (#2418)

Profile

  • [Bugfix] Disable pt_chown rule
  • [Bugfix] Fix title of DISA STIG profile in RHEL6 DS.
  • [Enhancement] Add HTTP STIG and new RHT Product STIGs
  • Add GDM login banner checks to C2S profile.

XCCDF

  • [Bugfix] Deprecate RhostsRSAAuthentication as it has been deprecated in 7.4
  • [Bugfix] Fix two stigid mappings
  • [Bugfix] Remove references to pam_ldap.conf

OVAL

  • Add OVAL check and fix for RHEL-07-041001 rule.
  • [Bugfix] Fix gpgcheck OVAL to validate Scientific Linux gpg keys
  • [Bugfix] Check state of openssh-server package when sshd_required is unset
  • [Bugfix] Do not check library ownership in libexec
  • [Bugfix] RHBZ #1520493: Fix umask_for_daemons
  • [Bugfix] Fix StrictModes and KerberosAuthentication checks
  • [Bugfix] Fix typo in auditd OVAL files

Remediation

  • [Bugfix] Ansible: don't use spaces in custom.conf
  • [Bugfix] Added --follow-symlinks to sed commands in display_login_attempts.sh
  • [Bugfix] Updated aide_scan_notification remediation to run cron job as root
  • [Ansible][Enhancement] Add ansible content for accounts_password_pam_retry and accounts_password_pam_unix_remember
  • [Bugfix] Fix accounts_umask_etc_login_defs remediation
  • [Bugfix] Fix typos "local/d" -> "local.d"
  • [Bugfix] Fixed few remediation errors caused by missing include.
  • Fixes ansible remediations
  • Fix rhel7 ansible role

Infrastructure

  • Support for Ansible remediations in SSG Test Suite
  • Move build examples to rhel7
  • [Bugfix] Remove OVAL conf file usage and use ArgParse instead of sys.argv
  • Added pull request creation and workflow suggestions.
  • [Enhancement] Add STIG Rule ID to rules
  • [Bugfix][Infrastructure] Update CMake and python scripts to use OVAL versioning
  • [Bugfix][Infrastructure] Remove CCI formatting from shared table-srgmap XSLT
  • [Enhancement] Add test scenarios for whole permissions_important_account_files group.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.36 Release Notes

31 Oct 17:31

Highlights

  • Introduction of SCAP Security Guide Test Suite
  • Better alignment of RHEL6 and RHEL7 with DISA STIG
  • Remove JBoss EAP5 content due to being End-of-Life
  • New STIG Profile for JBOSS EAP 6
  • Updates in C2S Profile for RHEL 7
  • Variables can be directly tailored in Ansible roles
  • Content presents less false positives in containers
  • Major changes in directory layout
    • oval_5.11 directory removed
    • oval definitions moved to checks/oval
    • static checks are not in templates/static anymore

Profile

  • [Bugfix][Enhancement] Add remaining STIG XCCDF content for RHEL6 and RHEL7
  • [Bugfix] Remove rules no longer in rhel6 STIG profile
  • [Bugfix] Remove RHEL6 tests directory
  • [Enhancement] Add initial OCP3 structure, C2S Profiles, and CPE content
  • [Bugfix][Enhancement] SSG RHEL6 STIG alignment
  • [Bugfix] Add more rules to the C2S profile
  • [Bugfix] Fix XML in rhel7/profiles/C2S.xml
  • [Bugfix] C2S profile updates
  • [Bugfix] Align RHEL6 STIG profiles
  • [Bugfix] Update RHEL6 STIG References to the latest release
  • CJIS profile updates
  • [Enhancement] Add JBoss EAP 6 Rough Draft
  • [Enhancement] Updating C2S profile and CIS reference numbers with existing checks.

XCCDF

  • [Bugfix] Fixing CIS reference number for noexec on /tmp partition
  • [Bugfix] Remove old/automated references
  • [Bugfix] Mcafee related rules as machine only
  • [Bugfix] Add rpm_verify_ownership to rhel7 XCCDF
  • [Bugfix] Add XCCDF Value sshd_required to other products
  • [Bugfix] Add EFI specific permissions content
  • [Bugfix] Fix lock-delay variable description
  • [Enhancement] Adding /home nodev check for CIS rule 1.1.14
  • [Bugfix][Enhancement] Add JBoss Configuration Profile Variable
  • [Bugfix] Remove STIG idents
  • [Enhancement] Remove APPSRG in JBoss XCCDF
  • [Enhancement] Services are machine only
  • [Bugfix][Enhancement] Update RHEL6 references
  • [Bugfix] Assign CCEs to EAP6 content
  • [Bugfix] Add JBoss EAP 6 Titles
  • [Bugfix] Add missing RHEL6 STIGIDs
  • [Bugfix] Fix typo in SSH checklist
  • [Bugfix] Fix ntp/chrony maxpoll value description

OVAL

  • [Bugfix] OVAL service templates should check if service is running/not running
  • [Bugfix] Add disable_ctrlaltdel_burstaction OVAL
  • [Bugfix] Fix OVAL for chronyd_or_ntpd_set_maxpoll and add remediation
  • [Bugfix] Check both .socket and .service unit files in service templates
  • [Bugfix] OpenSSH 7.4 allows only Protocol 2
  • Check if sshd is expected by Profiles
  • [Bugfix] Allow time_clock_settime key to be set to any string
  • [Enhancement] Implemented a check for JBoss EAP6 file permissions
  • [Enhancement] Implemented logging directory permission checks for JBoss EAP6
  • [Enhancement] Added check to verify vault is present in config file
  • [Bugfix][Enhancement] Check for standalone-openshift.xml
  • [Bugfix][Enhancement] Eap64 jmx check
  • [Enhancement] Implemented more EAP 6 checks
  • [Enhancement] Implemented check to ensure that the JBoss EAP6 ROOT logger is at a valid Level
  • [Enhancement] implemented checks for JBoss EAP6 for silent authentication
  • [Bugfix] Update JBoss install OVAL check
  • [Enhancement] Implemented security manager check fixed other checks
  • [Bugfix] Implementation of configuration check for JBoss EAP6 Audit Log Configuration
  • [Enhancement] Add JBoss Vendor Supported OVAL File
  • [Bugfix] Update JBoss EAP CPEs and installed JBoss version OVAL check
  • [Infrastructure] [WIP] Remove .service from service OVAL template files

Remediation

  • [Bugfix] Enable chronyd_or_ntpd_set_maxpoll remediation to fix incorrect values of maxpoll
  • [Bugfix] gpgcheck_globally and gpgcheck_local fail on CentOS
  • [Bugfix] Ansible variable rework
  • [Bugfix] Add remote_src option to aide build db remediation - ansible
  • [Bugfix] Removed extra quotes in ansible audit_rules templates
  • [Bugfix] Login banners regex
  • [Ansible] Aide cron check
  • [Bugfix] Drop firewalld default zone and sshd port fixes
  • [Ansible] PR 2283 from Shawn
  • [Bugfix] Firewalld open sshd port
  • Add task to disable prelinking
  • PR 2245 from Shawn
  • [Ansible][Enhancement] ansible: ensure_gpgcheck_local_packages

Infrastructure

  • [Enhancement][Infrastructure] Remove oval_5.11 dir checks usage
  • [Enhancement] Add OVAL version to oval files
  • [Bugfix][Infrastructure] Add OpenSCAP XSL CMake Variable
  • [Bugfix] Remediations fixes refactoring
  • [Enhancement][Infrastructure] Include roles zipfile
  • [Bugfix][Infrastructure] Update create-stig-overlay.py
  • [Bugfix][Infrastructure] Update docs for new directory structure
  • [Bugfix][Infrastructure] Remove local utils directory
  • [Enhancement][Infrastructure] Move deprecated content list to User Guide
  • [Bugfix] Fix Application SRG web url to be more fine-grained
  • [Enhancement][Infrastructure] Flatten out product name directories
  • [Enhancement][Infrastructure] Move oval directory under the checks directory
  • [Bugfix][Infrastructure] Rename remediations directory to fixes
  • [Infrastructure] Rename and move platform/ directory
  • [Bugfix][Infrastructure] Rename auxiliary directory to overlays
  • [Enhancement][Infrastructure] Add Pull Request Template
  • [Bugfix][Infrastructure] Remove usage of templates/static/ directory
  • [Enhancement] Create issue template for future issues
  • [Enhancement] Increments developer-guide.adoc with information on how to contribute to SSG
  • [Bugfix] RHEL6 build fixes
  • [Bugfix][Infrastructure] Clean up OVAL versioning in combine-ovals.py
  • [Bugfix] Update JBoss STIG Overlay
  • [Enhancement][Infrastructure] Add creation of ${ZIPNAME}-nist.zip to new nist-zipfile target
  • [Bugfix] Improved document formatting
  • [Bugfix] Add realpath to testoval.py
  • [Bugfix] Updated regex to ignore some other filetypes
  • [Bugfix][Infrastructure] Update references transforms
  • [Bugfix][Infrastructure] Replace OSSRG with SRG
  • [Enhancement] Add JBoss stig_overlay.xml
  • [Enhancement] Update JBoss EAP CMakeLists.txt
  • [Enhancement][Infrastructure] Handle different SRG reference types in CMake
  • [Enhancement] HTML guide switcher fix for narrow screens
  • [Enhancement] Add JBoss STIG reference
  • [Bugfix][Infrastructure] Fix expansion of multiple bash populate instances
  • [Bugfix] template_BASH_sebool_var: Fix template missing remediation functions
  • start with a template for centos ci
  • PR 2286 from Shawn
  • [Enhancement] Rule title and other subs
  • SSG Test Suite

Full list of issues and pull requests closed in this release