Releases: ComplianceAsCode/content
Content 0.1.72
Important Highlights
- ANSSI BP 028 profile for debian12 (#11368)
- Building on Windows (#11406)
- Control for BSI APP.4.4 (#11342)
- update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks
New Rules and Profiles
- Add alinux2/alinux3 support for pci-dss compliance (#11398)
- Add anolis23/anolis8 support for pci-dss compliance. (#11401)
- Add new rule file_cron_allow_exists (#11441)
- Add rules for /etc/shells (#11467)
- Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
- ANSSI BP 028 profile for debian12 (#11368)
- Control for BSI APP.4.4 (#11342)
Updated Rules and Profiles
- Review CIS RHEL8 v3.0.0 Section 3 (#11469)
- Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
- Add package_firewalld_installed to RHEL 9 CIS (#11351)
- align description of audit_rules_kernel_module_loading (#11443)
- Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
- Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
- align rule audit_rules_privileged_commands_kmod (#11320)
- Allow spaces in rule sudo_custom_logfile (#11433)
- Enable Rules For OSBuild (#11362)
- enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
- Fix a duplication of the code ID 3.5.2.1 (#11421)
- Fix ANSSI URL in control file and update RHEL profiles (#11365)
- Fix RHEL 8 STIG version (#11515)
- Fix Service Applicability for RHEL 9 Profiles (#11367)
- Handle rules trying to remove no longer existing packages (#11354)
- Improve Performance on rules probing the whole file system (#11319)
- Minor modifications to RHEL STIG profiles (#11327)
- Move to /bin/false for disabling kernel modules (#11475)
- Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
- Remove irrelevant rules from PCI-DSS profiles (#11338)
- Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
- Remove warning from kubelet rule (#11243)
- Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
- Review rpm_verify_hashes rule (#11332)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- RHEL 7: change how xwindows is disabled in CIS profile (#11466)
- RHEL 8: align with CIS 3, section 2 (#11457)
- RHEL7 CIS: align section 2 with the final version (#11453)
- Stabilization: Update audit_ospp_general (#11520)
- Support drop-in config in journald rules on RHEL (#11440)
- Update CIS profiles descriptions (#11491)
- Update grub2_mitigation_argument (#11271)
- Update OL stig references (#11472)
- Update OL8 STIG id references (#11451)
- Update OL8 stig selection for OL08-00-040259 (#11312)
- Update Oracle Linux anssi profiles (#11313)
- Update RHEL 7 CIS Section 1 (#11449)
- Update RHEL 7 STIG to V3R14 (#11477)
- Update RHEL 8 STIG to V1R13 (#11478)
- Update RHEL 9 STIG to V1R2 (#11479)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
- Update STIG version for SLES 12 and SLES 15 (#11357)
- Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
- Use correct HTML element for inline code (#11408)
- various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
- xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)
Changes in Remediations
- [Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
- A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
- Add blueprint remediation for enable_fips_mode (#11363)
- Add check if to continue with ansible task (#11299)
- add explaining comment to mount_option bash template (#11444)
- Add support to disable wifi interfaces via wicked (#11428)
- Ansible: change the sysctl module fqcn for rhel7 product (#11465)
- configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
- Do not change comments by remediations (#11434)
- Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
- Fix in sebool ansible (#11245)
- Fix ShellCheck Issues in CPE Checks (#11322)
- fix: service_timesyncd_configured (#11410)
- Make some improvements to bash remediation template (#11361)
- Move to /bin/false for disabling kernel modules (#11475)
- Sle15 fix ansible cis remediations (#11258)
- Sle15 fix ansible hipaa remediation (#11264)
- Sle15 fix ansible pci-dss remediations in check mode (#11263)
- Stabilization - Fix Ansible compatibility with sysctl module (#11538)
- Support drop-in config in journald rules on RHEL (#11440)
- Turn off blueprint for package_MFEhiplsm_installed (#11350)
- Turn off remediations for /dev/shm (#11364)
- Use commit hash for image tag (#11233)
Changes in Checks
- Add ocp platforms to some eks shared OVALs (#11436)
- Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
- Fix invoke parent's init function (#11400)
- Generate OVAL document for each rule (#11291)
- Improve Performance on rules probing the whole file system (#11319)
- Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
- Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- Support drop-in config in journald rules on RHEL (#11440)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
Changes in the Infrastructure
- Add Gate tests back to master (#11331)
- Add missing group.yml (#11373)
- Add Windows CI (#11412)
- add XSLT_PATH prefix with environment override (#11390)
- Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
- Building on Windows (#11406)
- Control Files' level key must be an array (#11417)
- Fix Debian 10 CI (#11426)
- Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
- Fix invoke parent's init function (#11400)
- Fixes update-oscal.yml to remove env context from matrix variables (#11374)
- Generate OVAL document for each rule (#11291)
- Ignore mypy in the EOF Checker (#11323)
- OCP4: Update k8s action to build image on new PR (#11384)
- Refactoring: Remove 'prodtype' Mk.2 (#11378)
- Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
- remove the task which deletes artifacts from automatus GH workflows (#11482)
- Update GitHub Artifacts Action Steps to v4 (#11411)
- Validate levels in controls (#11427)
- We should raise NotImplementedError (#11414)
Changes in the Test Suite
- Allow tests/test_product_stability.py to be executed (#11464)
- Fix OpenEmbedded name in test stability (#11463)
- Fix Secure Boot Automatus VM Installs (#11239)
- Fix tests for sudo_require_authentication (#11315)
- OCP4: Fix e2e result on OCP 4.14 changes (#11207)
- Update test-check-eof for smoke test (#11402)
- Update Install VM to use Fedora 39 (#11418)
Documentation
- Add documentation of the steps that OVAL content goes through during the build (#11336)
- Add GitHub Actions Style Guide (#11330)
- Add STIG Tables for RHEL 9 (#11376)
- bump version to 0.1.72 (#11308)
- Finish rename to Automatus (#11404)
- Fix broken formatting (#11403)
- Remove all contributors file (#11317)
- Update contributors list for v0.1.72 release (#11483)
- Update SRG GPOS to V2R7 (#11480)
Content 0.1.71
Important Highlights
- Add RHEL 9 STIG (#11193)
- Add support for Debian 12 (#11228)
- Update PCI-DSS profile for RHEL (#11267)
New Rules and Profiles
- New Rule: networkmanager_dns_mode (#11160)
Updated Rules and Profiles
- Add remediation and OVAL for UBTU-20-010297 (#11098)
- Add SRG id to file_owner_grub2_cfg for RHEL 9 STIG (#11261)
- Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
- Added missing variables to ubuntu profiles (#11227)
- Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
- Corrections in bash/ansible remediation of the rule audit_rules_privil… (#11196)
- Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
- daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
- Daily prod fix: return rhel7 prodtypes to some rules (#11303)
- Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
- Fix audit_rules_privileged_commands_kmod (#11277)
- Fix multiple STIG IDs for RHEL8 (#11250)
- Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
- fix ssh-keysign path for UBTU-20-010141 (#11082)
- Fix ssh-keysign path for Ubuntu 22.04 (#11297)
- Fixes for kernel_config_security rules (#11259)
- Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
- Make selinux context elevation for sudo more flexible (#11224)
- Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
- Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
- remove sle15 from package_samba_common_installed (#11231)
- Review and Update pcidss_4 control file (#11214)
- Update PCI-DSS profile for RHEL (#11267)
- Update RHEL 7 STIG V3R13 (#11223)
- Update RHEL 8 STIG to V1R12 (#11219)
Changes in Remediations
- Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
- Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
- Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
- Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
- Fix sudo_require_reauthentication remediations edge case (#11279)
- Improve stability of timesyncd based remediation (#11247)
- Include remediation for fapolicy_default_deny rule (#11211)
- Refactor ensure_pam_wheel_group_empty rule (#11192)
- remove duplicated multi_platform_sle in bash.template (#11244)
- Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
- SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
- Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
- Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
- Update sshd lineinfile (#11151)
Changes in Checks
- Fix kernel_module_disabled template for Ubuntu (#11294)
- Include dracut filter to audit_rules_privileged_commands (#11246)
- Integration of the OVAL object model into the combine_ovals.py script (#11236)
- Modification of the OVAL linker to use the OVAL object model (#11290)
- Prepare OVAL object model for integration (#11206)
- Refactor ensure_pam_wheel_group_empty rule (#11192)
- Reference validation in OVAL document object (#11235)
- SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
Changes in the Infrastructure
- Access to enable the logging of the combine_oval.py script (#11260)
- Add .github to EOF checker (#11287)
- Add a better Error Message For Undefined Identifier Types (#11213)
- Add alternatives to mandatory keys (#11268)
- Add a Better Error Message For Undefined Reference Types (#11159)
- Avoid duplicate loading of component files (#11195)
- controleval.py: Return empty list when parameter is not found (#11300)
- Fix CI job after Fedora 39 release (#11256)
- Integration of the OVAL object model into the combine_ovals.py script (#11236)
- Make prodtype Required in JSON Schema (#11281)
- Modification of the OVAL linker to use the OVAL object model (#11290)
- Move jqfilter parameter to common parser (#11232)
- Reference validation in OVAL document object (#11235)
- remove some unnecessary imports (#11175)
- remove unused code (#11187)
- Update Ansible Lint Config (#11283)
- Use up to date build_ds_container script in add_platform_rule.py (#11042)
Changes in the Test Suite
- Add package requirement for auditctl tests (#11181)
- Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
- Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
- Enable PCI-DSS in test-farm tests (#11257)
- Fix rpm python package SLE15 Automatus docker file (#11212)
- Fix SLE15 tests (#11172)
- Include dracut filter to audit_rules_privileged_commands (#11246)
- Include remediation for fapolicy_default_deny rule (#11211)
- New Rules Must Have a prodtype (#11252)
- Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
- Require SRG Reference for Rules with STIG Reference (#11265)
Documentation
- Add stabilization phase description to developers guide (#11234)
- Bump version for 0.1.71 (#11168)
- Documentation for tool tox (#11165)
- Fix docs for utils.add_kubernetes_rule (#11238)
- update list of contributors before 0.1.71 release (#11307)
- Update Style Guide to Ensure that PR Titles are Useful (#11284)
Content 0.1.70
Important Highlights
- Add openembedded distro support (#10793)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove test-function-check_playbook_file_removed_and_added test (#10982)
- scap-security-guide: Add Poky support (#11046)
New Rules and Profiles
- Add rule package_s-nail-installed (#11144)
- Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
Updated Rules and Profiles
- A correction in the rule pam_disable_automatic_configuration (#10902)
- accounts_umask_etc_bashrc: depend on bash being installed (#10915)
- Add two rules to RHEL 9 STIG (#10910)
- Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
- Add missing CIS references for SLE platforms (#11024)
- Add mount platform to mount_option_var_nosuid (#11037)
- Add rule logind_session_timeout to OL8 STIG (#10917)
- Add SELinux as platform (#11138)
- Add SRG ID to logind_session_timeout (#10936)
- Add tmux platform to tmux related rules (#11017)
- Add UBTU-20-010044 to existing ansible remediation (#11073)
- Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
- Add UBTU-20-010401 to restrict kernel message buffer (#11063)
- Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
- Add UBTU-20-010462 to lock accounts without passwords (#11060)
- Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
- Add variable support to auditd_name_format rule (#11019)
- Add version for OCP CIS (#11152)
- Add version for OCP STIG (#11153)
- Add version metadata to the OCP PCI-DSS profile (#11155)
- Add warning to network_configure_name_resolution (#10997)
- Allow default permission for user.cfg file in UEFI systems (#10884)
- ANSSI: add rules to enable auditing service (#11005)
- Build OCP STIG profiles by default (#11132)
- Change how example ROLE_LIST are formatted (#11123)
- Change rule to use variable when auditing faillock (#11007)
- Changes in SLE 12/15 profiles to support logrotate service (#10796)
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
- Deprecate UBTU-20-010180 (#11079)
- Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
- Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
- Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
- Enable logrotate.timer check on RHCOS4 (#11045)
- Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
- Express more accurate per package platform limitation for firewall rules (#10812)
- Fix excluded_files and recursive for UBTU-20-010416 (#11086)
- Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- fix naming for UBTU-20-010430 (#11056)
- Fix package_audit-libs_installed rule.yml (#11127)
- Fix rule ubtu 20 010033 (#11065)
- Fix STIG references for SLE15 (#10850)
- Fix UBTU-20-010179 to use proper parameters and key (#11080)
- Fix UBTU-20-010267 and deprecate STIGs (#11084)
- Fix UBTU-20-10450 STIG (#11058)
- Fix variable selection when selecting the default value (#11015)
- Implement rules for CIS OCP Section 1.4 (#10840)
- Include new options in var_accounts_minimum_age_login_defs (#11052)
- Include RHEL identifiers in logrotate related rules (#10904)
- Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
- iptables_ruleset_modifications: depend on iptables being installed (#11030)
- no_rsh_trust_files: depend on rsh-server being installed (#10809)
- OCP4 CIS: Re-add forgotten rules (#10864)
- OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
- OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
- OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
- OCPBUGS-16877: Update etcd member rules texts to align with the checks (#10970)
- OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
- OCPBUGS-7455: Hide API warning messages (#10971)
- OL7 DISA STIG v2r12 update (#10921)
- Port over etcd encryption rule from CIS 1.3 controls (#10753)
- Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
- Remove controller_rotate_kubelet_server_certs from OCP CIS v.1.4.0 (#10992)
- Remove CIS reference from image policy webhook rule (#10932)
- Remove DRAFT wording for OpenShift STIG (#11100)
- Remove protect kernel default and sysctl rules from CIS (#10931)
- remove rules not relevant to RHEL 9 from STIG profile (#10996)
- Remove rules that cannot be applied during image build (#10946)
- Remove sebool_secure_mode_insmod from anssi (#11001)
- Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
- Remove tickets from CIS control files (#10869)
- RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
- Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
- Standard Profile Improvements (#11109)
- Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
- Update CIS profiles to use control files (#10833)
- Update kubelet event creation limit to 50 (#10950)
- Update link to English version of ANSSI guide (#11038)
- Update metadata of OSPP profile in RHEL8/9 (#10984)
- Update OL8 STIG to V1R7 (#10918)
- Update platform on bios_enable_execution_restrictions (#10880)
- Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
- Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
- Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
- Version FedRAMP high and moderate profiles for OpenShift (#11154)
Changes in Remediations
- 0640 permission in permissions_local_var_log should only apply to files (#10856)
- accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
- Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
- Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
- Add RHEL as platform in su pam wheel group remediation (#10995)
- Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
- Avoid Ansible shell module if not necessary (#10887)
- change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
- Couple of small fixes (#11004)
- Drop irrelevant return statement in bash remediation (#10988)
- Fix ansible remediation of configure_ssh_crypto_policy (#11008)
- Fix Ansible Tasks order (#11117)
- Fix bash_sshd_remediation macro on OL exclusive code (#10980)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Fix path and add ansible remediation UBTU-20-010298 (#11087)
- Fix remediation of sssd_enable_smartcards (#10981)
- Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
- Fix umask bash and Ansible (#11108)
- Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
- improve bash remediation of mount_option template (#11009)
- Improve remediation for SSH global settings (#11032)
- Improve template macros for grub command line (#10989)
- Minor improvements in configure_opensc_nss_db (#11044)
- Modify aide db exist path for UBTU-20-010450 (#11064)
- OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
- Refactor Ansible remediations that search local file systems (#10912)
- Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
- SLE Add journald configuration drop-in remediations (#10671)
- SLE AIDE periodic check and remediation via systemd timer (#10589)
- SLE Service timesyncd configured rule (#10670)
- templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
- Update enable_fips_mode Ansible Remediation (#11026)
- Update no_legacy_plus_entries_* Ansible Remediations (#11027)
- Use parameter value in ansible lineinfile macro (#10958)
- Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
Changes in Checks
- Couple of fixes in PAM related rules for SLE platforms (#11014)
- enhance OVAL for enable_fips_mode (#10897)
- Fix into the rule sysctl_kernel_randomize_va_space (#10555)
- Improve OVAL readability in enable_fips_mode (#10911)
- Improve sshd_use_approved_kex_ordered_stig (#11053)
- Minor improvements in configure_opensc_nss_db (#11044)
- Remove kernel cmdline check (#10961)
- Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
- SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
- Sysctl template remediations do not modify package files (#10881)
Changes in the Infrastructure
- Add a faster alternative for generating HTML guides (#11036)
- Add Dependabot (#11113)
- Add manifests to zipfile target (#10944)
- Add Merge Group Trigger to Required Jobs (#11162)
- Add product as parameter when building profile reports (#11023)
- Add SCAPVal to Stabilize task (#11043)
- Add tickets key to control validation (#10872)
- Add version to profile element in the data stream (#10909)
- Allow k8s-content workflow to write (#11020)
- Build profile bash scripts differently (#11028)
- Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
- Dependabot Preparation (#11112)
- Fail build if profiles or controls contain invalid rule selections (#11135)
- Fix Ansible Tasks order (#11117)
- Fix multiple STIG id table generation (#11016)
- Fix OrderedDict definition (#11121)
- Fix Rawhide Build (#10953)
- Fix scap delta tailoring (#11145)
- Fix stig overlay (#11114)
- Generate profile oriented Ansible Playbooks in a different way (#11033)
- G...
Content 0.1.69
Important Highlights
- Introduce a JSON build manifest (#10761)
- Introduce a script to compare ComplianceAsCode versions (#10768)
- Introduce CCN profiles for RHEL9 (#10860)
- Map rules to components (#10609)
- products/anolis23: supports Anolis OS 23 (#10548)
- Render components to HTML (#10709)
- Store rendered control files (#10656)
- Test and use rules to components mapping (#10693)
- Use distributed product properties (#10554)
New Rules and Profiles
- Add modified audit suid privilege function rule for CIS (#10729)
- Introduce CCN profiles for RHEL9 (#10860)
- Introduce network access control rule (#10596)
- New templated rule to remove iptables-services package (#10703)
- RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
- Include new kickstart files for CCN profiles (#10863)
Updated Rules and Profiles
- A change into sudoers_validate_passwd (#10861)
- Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
- Add modified audit suid privilege function rule for CIS (#10729)
- Add mount platforms (#10794)
- Add platform package variables for firewalld and iptables (#10740)
- Add warning to rsyslog_remote_tls_cacert (#10676)
- add-rules sles-15-010418 sles-12-010498 (#10711)
- Change rules related to /etc/shadow to check only local user configuration (#10838)
- Deprecate account_emergency_expire_date (#10829)
- ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
- Fix grub2 remediation instructions (#10717)
- Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
- Fixes of cron package/service for SLE 12/15 (#10549)
- Increase RHEL7 STIG Coverage (#10705)
- Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
- New applicability platform to check IPv6 state (#10830)
- OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
- pam_faillock rules: show XCCDF variables in rule description (#10824)
- Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
- Remove quotes from journald config parameters (#10790)
- service_apport_disabled: depend on apport being installed (#10805)
- Set package_iptables_installed as machine only (#10804)
- Set package_nftables_installed as machine only (#10803)
- Set package_rng-tools_installed as machine only (#10810)
- Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
- Update of anssi profile for SLE 12/15 (#10702)
- Update OL8 cjis profile (#10771)
- Update OL8 hipaa profile (#10822)
- Update RHEL 7 STIG to v3r11 (#10821)
- Update RHEL 8 STIG to V1R10 (#10826)
- update rule SLES-12-030250 (#10644)
- Update SLE 12/15 rule and change package name (#10580)
- Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
- use_pam_wheel_group_for_su: depend on pam being installed (#10807)
- Updates of the rule use_pam_wheel_group_for_su (#10714)
Changes in Remediations
- Add a Playbook name to Ansible Playbooks (#10713)
- Add remediations for rule network_sniffer_disabled (#10659)
- configure_openssl_cryptopolicy: align remediations with rule description (#10828)
- Fix in service_autofs_disabled - ansible (#10521)
- Fix issue when adding fstab entries with iso9660 (#10572)
- fix: use grep -E instead of deprecated egrep (#10643)
- fixes in file_groupownership template (#10666)
- macros: bash: Avoid matching comments in fstab macros (#10754)
- Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
- SLE Add rsyslog_remote_loghost drop-in remediations (#10672)
- SLE Coredump configuration support dropin remediation (#10604)
- SLES15 use dropin configuration for issue banner (#10605)
- Various fixes for Ubuntu (#10755)
Changes in Checks
- enhance OVAL for enable_fips_mode (#10900)
- Check only local users home directories (#10825)
- Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory (#10637)
Changes in the Infrastructure
- .github/workflows/gate.yaml:Add anolis8 product. (#10814)
- Add a sanity test of install_vm.py (#10684)
- Add validation for Keys in Controls (#10813)
- create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
- Fix CMakelint (#10701)
- Fix compare datastream check to correctly treat new line characters. (#10667)
- Fix traceback in release helper (#10718)
- Implement distributed product properties without applying them (#10648)
- Stop using "imp" module (#10819)
- utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)
Changes in the Test Suite
- Add a test for rule journald_compress (#10818)
- Add a test for rule journald_storage (#10817)
- Add Automatus Testing (#10678)
- Add SCAPVal to CTest (#10802)
- Fix grep for Automatus sanity (#10752)
- Fix install_vm.py on older versions of Python (#10651)
- fix: ssg_test_suite: warning when rule not in benchmark (#10642)
- Add requirements files for python dependencies (#10487)
Documentation
Content 0.1.68
Important Highlights
- Bump OL8 STIG version to V1R6 (#10497)
- Introduce a Product class, make the project work with it (#10529)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- OL7 DISA STIG v2r11 update (#10498)
- Publish rendered policy artifacts (#10585)
- Update ANSSI BP-028 to version 2.0 (#10334)
New Rules and Profiles
- Add rule package_mailx_installed (#10495)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
- Introduce file_permissions_audit_configuration rule (#10489)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- New rules to complete CIS requirements for SSH Keys (#10552)
- New SLE 15 rule set_nftables_base_chain (#10180)
- Rebased hagenest set nftables loopback traffic (#10366)
- Restart postfix service and add rule has_nonlocal_mta (#10359)
- SLE15 add implementation of nftables_rules_permanent rule (#10201)
- SLE15 add nftables ensure default deny policy (#10249)
- Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)
Updated Rules and Profiles
- Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
- Add package_avahi_removed to ubuntu profiles (#10406)
- Add rules SLES-15-010375 and SLES-12-010375 (#10625)
- Add rules SLES-15-010419 and SLES-12-010499 (#10621)
- Add rules SLES-15-010420 and SLES-12-010500 (#10623)
- Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
- audit_rules_privileged commands: skip /proc directory (#10471)
- Bump OL8 STIG version to V1R6 (#10497)
- Complete CIS requirement for system accounts (#10627)
- Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
- delete rule SLES-15-040280 (#10383)
- Drop of some rules from SLE 12/15 profiles (#10527)
- Enable ensure_shadow_group_empty for RHEL7 (#10416)
- Enable service_nftables_disabled for RHEL (#10390)
- Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
- Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
- Ensure access to the su command is restricted (#10386)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
- Fix in sshd_use_approved_ciphers (#10535)
- Fix in sudo_require_reauthentication (#10216)
- Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
- Introduce rule to check if SELinux is not Disabled (#10575)
- Introduce rules to configure loopback traffic with Firewalld (#10573)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- No remediation warning for fapolicy_default_deny (#10433)
- OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
- OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
- OL7 DISA STIG v2r11 update (#10498)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE 12/15 profile updates (#10577)
- SLE improve kernel module disabled rule (#10368)
- SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
- sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
- Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
- Ubuntu 22.04 CIS modify password remember rule (#10480)
- Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
- Update accounts_password_pam_retry yaml (#10496)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update ANSSI BP-028 to version 2.0 (#10334)
- Update CIS controls related to nftables table and chains (#10629)
- Update CIS requirement for SSH access limit (#10470)
- Update netrc requirement in CIS for RHEL8 (#10511)
- Update OL9 STIG profile (#10407)
- Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- update rule sles-15-040250 (#10492)
Changes in Remediations
- Add Ubuntu SCE checks for iptables rules (#10587)
- Ansible remediation for configure_bashrc_exec_tmux (#10584)
- audit_rules_privileged commands: skip /proc directory (#10471)
- Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
- Fix changes in Ansible tasks not expected to fail (#10427)
- Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
- Fix up RHEL kickstarts (#10499)
- fix: aide_string: drop nl at end (#10578)
- fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
- fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
- Modify SLE remediation for ensure_logrotate_activated (#10481)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- Replace grep command with ansible find (#10579)
- SLE add ability to configure emergency via dropin (#10482)
- SLE improve kernel module disabled rule (#10368)
- SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
- Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
- templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
- Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)
Changes in Checks
- audit_rules_privileged commands: skip /proc directory (#10471)
- bugfix: mount_option: handle commented lines (#10518)
- Ensure authentication required for single user mode for Ubuntu (#10415)
- Fix in sudo_require_reauthentication (#10216)
- Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
- Refactor audit_rules_privileged_commands to include in CIS (#10326)
- SLE improve kernel module disabled rule (#10368)
- Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
- Update OVAL, ansible and tests in audit_rules_suid_privilege_function rule (#10597)
- Update pass aging rules to not ignore empty pass (#10633)
- Use specific name in private key groups instead of gid (#10622)
Changes in the Infrastructure
- Add a product stability test (#10606)
- Add CMakelint (#10468)
- Add controls the EOF checker (#10477)
- Automate and Fix Missing Newline at the End of Files (#10361)
- Expand the list of rules skipped by Ansible Lint (#10485)
- Fix data stream component parsing (#10411)
- Implement a tool for parsing profiles and outputting rules (#10455)
- Introduce a Product class, make the project work with it (#10529)
- Publish rendered policy artifacts (#10585)
- Refactor the scapval test (#10611)
- Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
- Remove unused imports (#10384)
- Remove unused variables (#10382)
- Shell quote support for Jinja macros (#10524)
- Stabilization: Fix install_vm.py on older versions of Python (#10652)
- Stop using deprecated set-output in GitHub Actions (#10588)
- Update CI Repo for CTF (#10385)
- Update GitHub Action Versions (#10543)
Changes in the Test Suite
- Add a product stability test (#10606)
- Add a warning to AutoMatus (#10394)
- bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
- bugfix: packages: delim is comma (#10559)
- bugfix: ssg_test_suite: RuleResult eq (#10365)
- Fix template not found error in Automatus (#10631)
- Fix tests applicability for ol8 product (#10570)
- Fix tests in sshd_lineinfile template (#10595)
- Fix typo in tests for sshd_limit_user_acess (#10478)
- install_vm refactor (#10607)
- install-vm fixes / features (#10562)
- Remove machine pruning from gating (#10453)
- Revert change in test scenario script for enable_authselect rule (#10430)
- Unused test code (#10558)
- Use bash_package_* (#10557)
- Use mkdir -p when creating directories (#10556)
Documentation
- Add Kickstarts to the changelog (#10512)
- add python3 to the list of build dependencies for RHEL-8+ (#10503)
- Bump version for 0.1.68 (#10372)
- Fix read the docs build (#10537)
- fix: Fix misspelled word infrastruture (#10531)
- Jinja macro doc fixes (#10599)
- Reduce Doc Warnings (#10528)
- Styleguide Update (#10466)
- Update Add Product Guide (#10533)
- Update release documentation about release_helper.py script (#10502)
Content 0.1.67
Important Highlights
- Add utils/controlrefcheck.py (#10096)
- RHEL 9 STIG Update Q1 2023 (#10185)
- Include warning for NetworkManager keyfiles in RHEL9 (#10330)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
New Rules and Profiles
- Add new rule package_systemd-journal-remote_installed (#10105)
- New SLE 15 rule service_nftables_enabled (#10113)
- Add CIS iptables rules (#10121)
- New SLE 15 rule set_nftables_new_connections (#10114)
- Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
- Add a new rule ssh_keys_passphrase_protected (#10017)
- Introduce new rule authconfig_config_files_symlinks (#10129)
- Added rule partition_for_dev_shm (#9984)
- New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
- New SLE 15 rule set_nftables_table (#10128)
- Add implementation for rsyslog_logging_configured rule (#10063)
- New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
- OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
- Added a new rule accounts_password_set_warn_age_existing (#10006)
- Add new rule socket_systemd-journal-remote_disabled (#10210)
- Introduce rule to remove nginx package (#10291)
- Introduce rule to remove cyrus-imapd package (#10292)
- Add package_dnsmasq_removed rule (#10293)
- Add package_ftp_removed rule (#10294)
- Add new rule rsyslog_filecreatemode (#10264)
- New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
- Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)
Updated Rules and Profiles
- accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
- Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
- Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
- Add CIS iptables rules (#10121)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
- assign ntp_configure_restrictions to SLE12 (#10122)
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
- Add missing SRG to aide_build_database rule (for master branch) (#10150)
- remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update levels of some rules in RHEL8 CIS (#10157)
- Change custom zones check in firewalld_sshd_port_enabled (#10162)
- improve applicability of rule package_rear_installed (master branch) (#10156)
- Accept required and requisite control flag for pam_pwhistory (#10175)
- OCP4 Modify etcd encryption check rules for hypershift (#10179)
- Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
- Fix prefer_64bit_os for SLE platforms (#10178)
- remove rule logind_session_timeout and associated variable from profiles (#10202)
- Shorten rule title (#10196)
- products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Include avahi related rules in RHEL CIS control files (#10233)
- Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
- Update CIS RHEL requirements for log files permissions (#10241)
- Include rule for checking password last change in RHEL (#10243)
- Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
- Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
- Update password hashing algorithm CIS requirement (#10271)
- Complete CIS requirements related to dot-files (#10279)
- Fix package names for some SUSE packages (#10283)
- Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
- Corrections in the rule package_openldap-clients_removed (#10273)
- Enable sshd_enable_warning_banner_net for RHEL (#10287)
- Add package_nginx_removed to Ubuntu CIS profiles (#10301)
- Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
- accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
- accounts_passwords_pam_tally2: depend on pam being installed (#10305)
- package_pam_pwquality_installed: depend on pam being installed (#10306)
- apparmor: apply only to platform machine (#10303)
- sudo_require_reauthentication: depend on sudo being installed (#10318)
- vlock_installed: apply only to platform machine (#10307)
- Remove VMM SRG References (#10336)
- Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
- Add some nftables rules to Ubuntu CIS profile (#10300)
- make accounts_password_last_change_is_in_past not applicable to containers (#10339)
- Align rhel7 dracut-fips-aesni remediations (#10352)
- Add package_cups_removed to Ubuntu CIS Level 2 Workstation profiles (#10360)
- NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)
Changes in Remediations
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update sebool_secure_mode_insmod OL remediations (#9979)
- Enable rsyslog_filecreatemode rule for RHEL (#10328)
- kernel_module_disable template - regexp matches multiple lines (#10351)
- fix loops within ansible template for rsyslog_files (#10349)
Changes in Checks
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Remove check of /var/log/dmesg from OVAL (#10145)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Fix prefer_64bit_os for SLE platforms (#10178)
- postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Add offline capability to the 'mount_option' OVAL template (#10200)
Changes in the Infrastructure
- Introduce script shorthand to OVAL (#10085)
- Remove utils/count_oval_objects.py (#10133)
- Update Rawhide Before Use (#10141)
- Move to Code Climate for PEP 8 Checking (#10158)
- Enable SCE integrity checks for RHEL8 (#10165)
- Refactor ssg.build_ovals module (#10048)
- Update srg diff (#10199)
- Require OVAL ID to match rule ID (#10346)
- Various python fixes (#10345)
- Move platform_mount to use cpe-oval vs oval (#10441)
Changes in the Test Suite
- Add utils/controlrefcheck.py (#10096)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update test scenarios for accounts_password_last_change_is_in_past (#10213)
- add cap_system_chroot capability to Automatus podman container (#10246)
- Fix Automatus on Python 3.6 (#10281)
- Disable logrotate timer in ensure_logrotate_activated tests (#10375)
Documentation
Content 0.1.66
Important Highlights
- Ubuntu 22.04 CIS (#9953)
- OL7 stig v2r9 update (#9976)
- Bump OL8 STIG version to V1R4 (#9974)
- Update RHEL7 STIG to V3R10 (#10079)
- Update RHEL8 STIG to V1R9 (#10078)
- Introduce CIS RHEL9 profiles (#10091)
New Rules and Profiles
- Add nonessential services rule (#9912)
- Added a new rule package_firewalld_removed (#9937)
- Added a new SLE 12/15 rule package_rsync_removed (#9932)
- Added a new rule package_cups_removed (#9930)
- Added a new rule firewalld_service_disabled (#9941)
- Added a new SLE 15 rule package_nftables_installed (#9934)
- Add rule for no .forward files (#9990)
- Add new rule grub2_enable_apparmor (#9978)
- Added a new rule package_tcp_wrappers_removed (#9981)
- Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
- Add package prelink removed (#10062)
- add new rule audit_rules_immutable_login_uids (#10070)
- Added 2 rules for 15 related to nftables (#10068)
- New SLE 15 rule ensure_iptables_are_flushed (#10107)
- add new rule configure_bashrc_tmux (#10100)
Updated Rules and Profiles
- Include warning regarding quota options in XFS (#9879)
- Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
- Sync rules for RHEL 9 STIG (#9788)
- Changing a few hardcoded OS names for full_name (#9936)
- Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
- SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
- Update sudo_require_reauthentication (#9923)
- Update kmod audit rule for OL7 (#9949)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Add rule to OL7 stig profile (#10028)
- Small corrections related to 3 rules (#9995)
- Add new rule grub2_enable_apparmor (#9978)
- Include Ubuntu products in package_rsync_removed (#10051)
- Include Ubuntu products in package_nftables_installed (#10052)
- Fix the service_telnet_disabled rule (#10033)
- Update package name for RHEL in package_rsync_removed (#10053)
- Include Ubuntu products in package_cups_removed (#10050)
- Include Ubuntu products in package_rpcbind_removed (#10055)
- Update link to NTP docs (#10056)
- Include Ubuntu products in package_prelink_removed (#10071)
- Add account_emergency_expire_date to OL7 stig (#10073)
- Add aide_build_database to STIG in OL and RHEL (#10094)
- Include Ubuntu products in two nftables rules (#10101)
- Move two rules to higher level in cis_rhel8 control file (#10109)
- add new rule configure_bashrc_tmux (#10100)
- add missing SRG to aide_build_database rule (#10136)
- change applicability of rules configuring idle session timeouts (#10127)
- Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
- improve applicability of rule package_rear_installed (#10144)
- stabilization: Update levels of some rules in RHEL8 CIS (#10155)
Changes in Remediations
- Fix indentation in Ansible shell module parameter (#9851)
- Recognize 64bit architectures in Ansible remediations (#9887)
- Make Ansible remediation less prone to fatal errors (#9914)
- Add bash and ansible remediation for set_loopback_traffic (#9939)
- Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
- Update sudo_require_reauthentication (#9923)
- Improve the arguments for Ansible command module (#9921)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Fix Jinja condition in macro for pam_faillock (#10009)
- Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- Improve service_disabled template (#10026)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
- Rewrite remediations for rsyslog_remote_tls (#9866)
- Fix accounts_password template for OL (#10045)
- Using the Ansible shell actions is needed in package_prelink_remove (#10086)
Changes in Checks
- Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
- Update sudo_require_reauthentication (#9923)
- accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
Changes in the Infrastructure
- Refactor build_cpe.py (#9834)
- Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
- Refactor templates v2 (#9870)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
- Introduce templated platforms (CPEs) (#9906)
- Sort conditional remediation platform checks (#9902)
- Add sanity tests for controleval.py (#9918)
- Add Refchecker to Tests (#9862)
- Wait for buffer flushes to finish writes (#9933)
- Fix the file param in rule_dir_json (#9928)
- Fix typing import in create_srg_export.py (#9929)
- Build all profiles on all CentOS and CentOS Streams (#9946)
- CTest Fixes (#9962)
- CPE AL: Introduce version specifiers support (#9945)
- Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
- Raise exception when parametrized platform receives invalid argument (#9996)
- Fix --datastream-only in ./build_product (#10020)
- Add sanity tests for compare_disa_xml.py (#10030)
- Add Ubuntu 22.04 to Gating (#9986)
- Fix a few issues in test-compare-disa-xml (#10034)
- Update Ansible Lint Config (#10025)
- platforms: rewrite mechanism which parses version into EVR (#10038)
- Produce an understandable error when remediation collection goes wrong (#10027)
- Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
- Bump fedora version in Dockerfiles to 37 (#10036)
- Fix the generation of SCE checks in the output datastream (#10015)
- Scripts clean up (#10061)
- Clean up SRG export (#10067)
Changes in the Test Suite
- Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Refchecker to Tests (#9862)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Improve service_disabled template (#10026)
Documentation
Content 0.1.65
Important Highlights
- Introduce cui profile for OL9 (#9638)
- Remove Support for OVAL 5.10 (#9604)
- Rename account_passwords_pam_faillock_audit (#9462)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Update contributors list for v0.1.65 release (#9843)
New Rules and Profiles
- Add profile for SUSE SAP Public Cloud Images (#9571)
- Introduce cui profile for OL9 (#9638)
- Created SLES 12 PCI DSS 4.0 profile and added rules to it (#9729)
- Add new rules related to system banners - /etc/issue.net (#9733)
- add new rule logind_session_timeout (#9475)
- Pci dss shadow rule (#9756)
Updated Rules and Profiles
- Update chronyd_no_chronyc_network to align with RHEL9 STIG (#9505)
- Update rules for RHEL 9 STIG (#9512)
- Update chronyd_client_only to align with RHEL9 STIG (#9500)
- Update rules for RHEL 9 STIG (#9527)
- RHEL9 stig_gui: don't remove GUI (#9581)
- Remove RPM verify rules from RHEL 9 STIG (#9591)
- Rule updates wrt RHEL9 STIG (#9509)
- Clarify instructions for implementing SCCs (#9569)
- Added SLES_15/12 CCE codes related to rules in the group restict_at_c… (#9643)
- Add pci-dss rules (#9627)
- Two small corrections (#9644)
- Added 6 SLES 15/12 CCE codes to the rules sshd_... (#9669)
- Add PCI-DSS rules (#9645)
- CIS RHEL8 gnome related requirements (#9670)
- Add dconf_gnome_disable_user_list to the RHEL 9 STIG (#9677)
- RHEL 9 STIG Fix Up (#9676)
- Added CCE number for SLES_15 in the rule sshd_use_approved_ciphers (#9680)
- Added 4 SLES 15/12 codes to the rules group_unique_id/name (#9682)
- Add support for PCI DSS v3.2.1 for SLE12 (#9613)
- service_ntp_enabled: Fix description as service name is ntp (#9707)
- Fix issue introduced in commit 1ba11cb (#9692)
- remove ospp-mls.profile (#9710)
- Add pcidss Req-ids (#9705)
- Ubuntu 20.04: fix grub2 password related rules (#9708)
- Fix rsyslog_remote_tls Remediations (#9711)
- Added 2 SLES 15/12 CCE codes to the rule disable_prelink (#9706)
- Assign RHEL-07-010271 to account_emergency_expire_date. (#9717)
- Ubuntu 20.04 CIS Level1 profile: add package_pam_pwquality_installed (#9721)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- install_smartcard_packages: Add Ubuntu specific remediation (#9720)
- Ubuntu 20.04: Make sure xattr audit rules contain a check for root user (#9722)
- Added rules to PCI DSS 4.0 SLES 15 profile (#9716)
- Add pci-dss rules to SLE15 (#9728)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Added 4 rules to SLES 12/15 PCI DSS 4.0 profiles (#9735)
- Update SLE 15 SAP hardening profile (#9742)
- Update RHEL8 STIG to V1R8 (#9780)
- Update RHEL7 STIG to V3R9 (#9781)
- Align ClientAliveCountMax and ClientAliveInterval on RHEL8 STIG V1R8 (#9784)
- Removed wrong rule from hipaa.profile (#9840)
- Stabilization: Include warning regarding quota options in XFS (#9877)
- Stabilization: Update the sshd_set_keepalive regarding ClientAliveCountMax (#9868)
Removed Products
- Remove the VSEL Product (#9547)
- Remove the fuse6 product (#9544)
- Remove the Debian 9 Product (#9546)
- Remove the JRE product (#9545)
Changes in Remediations
- Move kernel_module_disabled to use more generic RHEL in conditionals (#9450)
- Improve ansible remediation of accounts_umask_etc_login_defs (#9490)
- Add bash and ansible remediation for rsyslog_remote_tls (#9484)
- Fix rsyslog_remote_tls Remediations (#9711)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- install_smartcard_packages: Add Ubuntu specific remediation (#9720)
- Fix config file and interpreter check control flow (#9695)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Dconf macros update to align them with OVAL expectation (#9751)
- rsyslog_files_permissions: Consider the last field in the config line the log file path (#9750)
- Fix nmcli bug (#9773)
- Align service_disabled template to service_enabled (#9806)
- Remove deprecated warn parameter from Ansible command module (#9807)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Stabilization: Make Ansible remediation less prone to fatal errors (#9911)
Changes in Checks
- Move kernel_module_disabled to use more generic RHEL in conditionals (#9450)
- Update accounts_password template's OVAL (#9459)
- OCP4: Fix OCIL of machine_volume_encrypted (#9597)
- Clarify instructions for implementing SCCs (#9569)
- Remove jinja condition to make rule applicability to all products in Kerberos rules (#9412)
- Ubuntu 20.04: fix grub2 password related rules (#9708)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Dconf macros update to align them with OVAL expectation (#9751)
Changes in the Infrastructure
- Remove superfluous check of rule ID consistency (#9539)
- Add tests to auditd_lineinfile template (#9519)
- Generate XCCDF 1.2 directly (#9464)
- Add support for regulated fields (#9553)
- SRG Import/Export Uses Policy Specific Content (#9570)
- Add Git Mail Map (#9573)
- Remove ident_size for .py files from editorconfig (#9603)
- Make CodeClimate to use .editorconfig (#9630)
- Remove function drop_oval_definitions (#9629)
- Add mypy to CI (#9430)
- Remove shorthand.xml from the build process (#9548)
- Remove XCCDF 1.1 from enable_derivatives.py (#9654)
- Remove XCCDF 1.1 from profile tool (#9655)
- Remove unused import (#9656)
- Remove XCCDF 1.1 from ssg/xccdf.py (#9657)
- Remove Support for OVAL 5.10 (#9604)
- Import SRG content for RHEL9 (#9574)
- Don't use editorconfig to check for indentation (#9653)
- Remove get_fixgroup_for_type (#9661)
- Remove superfluous XML namespaces from HTML tables (#9662)
- Update sysctl template's OVAL and tests to align with STIG (#9458)
- Remove unused XSLT xccdf2table-profileanssirefs.xslt (#9659)
- CMake Improvements (#9646)
- Remove Travis CI (#9683)
- Remove comparison utilities (#9688)
- Create unit tests for ssg.id_translate (#9624)
- Add unit tests of XCCDF 1.2 elements (#9617)
- Add unit tests for warnings and sub elements (#9637)
- Refactor and speed up combine_ovals.py (#9689)
- Fix unit tests to work with CentOS 7 (#9727)
- make CPE items compiled during the build process (#9700)
- SRG Diff: Add section for rows without a CCE (#9763)
- Make the utils/srg_diff.py more generic (#9767)
- parametrize methods for getting remediation conditionals of XCCDF platforms (#9777)
- build_remediations.py: deduplicate code which retrieves conditionals (#9779)
- Add sorted results to srg_diff (#9778)
- Add Smoke Tests for Some Scripts (#9787)
- Platforms can accept parameters and pass them to underlying CPE items (#9799)
- Do not remove blank lines when building profile playbook (#9809)
- SRG Export XLSX in CMake (#9811)
- Add config for Ansible lint (#9838)
Changes in the Test Suite
- [Master] add accounts_password_set_max_life_existing to unselect_rules_list (#9554)
- Fix issue introduced in commit 1ba11cb (#9692)
- Add tests to rule dconf_gnome_screensaver_idle_activation_enabled (#9701)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Complete tests to validate Ol9 pci dss profile (#9739)
- Add tests to accounts_password template (#9743)
- Do not instantiate Builder() when running Automatus (#9755)
- Fix Automatus --duplicate-templates (#9766)
- accounts_password_pam_retry: Add test for dupes and conflicts (#9805)
- accounts_passwords: Add tests for value conflicts and duplicates (#9804)
- sshd_lineinfile: Add tests for duplicated params (#9802)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Stabilization: Ensure pwquality.conf.d dir exists on test scenarios (#9864)
Documentation
- Doc fix up (#9596)
- Add PR gating guideline (#9611)
- Move to MyST as recommonmark and CommonMark are not supported (#9560)
- Fix docs refs (#9704)
- Include SLE products into the CCE tooling for auto assignment (#9714)
- Docs/developer: Mention that rules will inherit its group(s) platforms (#9635)
- Reformulate the release process documentation (#9736)
- Update gitignore (#9810)
- Document rule deprecation instructions and agreements (#9797)
- Update contributors list for v0.1.65 release (#9843)
- Add Sanity Test for generate_contributors.py (#9845)
Content 0.1.64
Important Highlights
- This is the last release to feature content with OVAL-5.10 (https://github.com/ComplianceAsCode/content/discussions/9451)
- Introduce ol9 stig profile (#9207)
- Introduce Ol9 anssi profiles (#9243)
- Update RHEL8 STIG to V1R7 (#9276)
- Introduce e8 profile for OL9 (#9284)
- Update RHEL7 STIG to V3R8 (#9317)
New Rules and Profiles
- Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
- add rule package_postfix_installed (#9191)
- add audit policy rules specific for ppc64le platform (#9124)
- Introduce ol9 stig profile (#9207)
- Introduce Ol9 anssi profiles (#9243)
- Introduce rule accounts_passwords_pam_faillock_audit (#9264)
- Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
- Introduced rules to disable accounts because of inactivity (#9244)
- Introduce e8 profile for OL9 (#9284)
- New sysctl ipv4 forwarding rule (#9277)
- Introduce hipaa profile for ol9 (#9478)
Updated Rules and Profiles
- Remove 3 crypto rules from RHEL 9 OSPP (#9181)
- Remove 3 package rules from RHEL 9 OSPP (#9182)
- Introduce new sebool description and ocil macros (#9184)
- Add to SLE ANSSI profile various sysctl rules (#9185)
- Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
- Add more ANSSI Intermediary Rules (#9203)
- Add more sysctl rules to intermediary profile (#9202)
- The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
- Remove 4 PAM related rules from RHEL9 OSPP (#9217)
- switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
- remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
- add audit policy rules specific for ppc64le platform (#9124)
- remove umask-related rules from RHEL9 OSPP (#9223)
- Make audit AArch64 specific rules RHEL9 only (#9188)
- Remove rules for package removal from RHEL 9 OSPP (#9233)
- remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
- Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
- remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
- Don't pass sssd rules when sssd.conf is absent (#9225)
- Update accounts_password_pam_retry behavior (#8880)
- System commands dir root or system account (#9258)
- SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
- Update RHEL8 STIG to V1R7 (#9276)
- Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
- Update few sysctl rules to accept multiple compliant values (#9286)
- Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
- Make OSPP profiles use minimal Authselect profile (#9298)
- add warning to audit_rules_for_ospp (#9303)
- add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
- Update RHEL7 STIG to V3R8 (#9317)
- change rules protecting boot in RHEL8 OSPP (#9306)
- Add the AUID filters on RHEL7 audit kernel module rules (#9290)
- add 4 rules back to RHEL9 datastream (#9334)
- Implement DISA check for auditing kmod on RHEL7 (#9338)
- Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
- Include warning about the pam_securetty.so PAM module (#9348)
- Add AUID filters on audit_rules_kernel_module_loading (#9371)
- Mask sensitive objects (#9364)
- Update RHEL9 STIG (#9378)
- add/remove fedora from privileged commands depending if exists or not (#9367)
- change way of disabling coredumps in RHEL9 OSPP (#9384)
- Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
- Bump version of OL8 to V1R3 and update STIG ids (#9457)
- Add missing SRG references for RHEL 9 STIG (#9428)
- Remove support for upstart init system (#9452)
- Updates RHEL 9 STIG: Part 3 (#9489)
- Add ol8 platform to existing required tests (#9485)
- Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
- Update account_password_selinux_faillock_dir rule (#9501)
- Remove audit_rules_execution_restorecon from SRG control files. (#9503)
- Add tests to file_ownership_binary_dirs (#9515)
- Update ocil and ocil_clause in display_login_attempts (#9522)
- Update some account rules according to RHEL9 STIG (#9499)
- Include checktest for banner_etc_issue rule (#9521)
- Update pam_faillock rules for RHEL9 STIG (#9520)
- Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
- Update clean_components_post_updating to align with RHEL9 STIG (#9510)
- Update accounts_umask_etc_profile (#9496)
- Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
- Update audit rules RHEL9 STIG metadata (#9513)
- Add tests to no_user_host_based_files (#9529)
- Add tests to dir_perms_world_writable_system_owned (#9517)
- Add tests to no_host_based_files (#9532)
- Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
- Add tests to clean_components_post_updating (#9530)
- Update macros from audit privileged commands (#9502)
- Update some PAM rules for RHEL9 STIG (#9514)
- Add variable for auditd freq (#9504)
- Align rule audit_rules_immutable with results of RHEL9 STIG assessment (#9506)
- [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)
Changes in Remediations
- Allow two modes of SSH key ownership (#9094)
- Add oval and remediation for auditd_audispd_disk_full_action (#9195)
- include = sign in remediation of configure_openssl_crypto_policy (#9194)
- Condition run of newaliases to its availability (#9241)
- Update accounts_password_pam_retry behavior (#8880)
- Add DISA STIG ids to when conditions in ansible roles (#9029)
- Improve bash_ensure_pam_module_line macro (#9252)
- Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
- Fix rule sudo_custom_logfile (#9299)
- Fix ansible partition conditionals (#9339)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Add Kubernetes remediation for rule configure_crypto_policy (#9266)
- Fix 2 ctest shellcheck issues (#9398)
- Fix kernel_module_disabled remediation template (#9346)
- Conditional for Ansible remediation on RHEL7 (#9440)
- change parameter of findmnt used in bash partition conditional (#9480)
- Fix remediation of rules dealing with Audit watches (#9463)
Changes in Checks
- Update accounts_password_pam_retry behavior (#8880)
- Improve regex to match retry parameter in pwquality.conf (#9245)
- Fix rule sudo_custom_logfile (#9299)
- Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
- Mask sensitive objects (#9364)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
- Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
- Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
- [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)
Changes in the Infrastructure
- Fix various bugs in utils (#9172)
- Remove CentOS 6 and SL 6 references from the project (#9211)
- Fix pre tag in ocil_mount_option (#9209)
- Remove unused build option (#9213)
- Update gitpod HTML preview extension. (#9261)
- Install ansible for the extra modules (#9273)
- Use DS to build Ansible Playbooks and Bash scripts (#9291)
- Stop validating ssg-product-xccdf.xml (#9292)
- Use data stream to verify profile titles and descriptions (#9294)
- Use data stream to verify references (#9293)
- Generate CCE tables from data stream (#9300)
- Fix CMake dependencies (#9328)
- Use XCCDF 1.2 to create STIG overlay (#9301)
- Specify output file names (#9361)
- Test missing references in a data stream (#9295)
- Add trim_trailing_whitespace to editorconfig (#9391)
- Sort check-export elements (#9397)
- Use data stream to generate statistics (#9296)
- Generate per profile testinfo tables from XCCDF 1.2 (#9325)
- Fix missing OCIL text and 800-53 references (#9415)
- Use XCCDF 1.2 to generate STIG HTML tables (#9406)
- Add a script to import SRG export changes (#9416)
- Make groups inherit platforms from parent groups (#9465)
- Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
- correct inheritance of platforms by rules from groups (#9491)
- Improve HTML for Table Templates (#9481)
- SRG Export: Improve vuldiscussion sourcing (#9493)
- Remove empty load operation (#9492)
- Add tests to rule no_tmux_in_shells (#9518)
- Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
- Avoid sed hack (#9363)
Changes in the Test Suite
- Automatus: close hanging tempfiles descriptors (#9199)
- Improve regex to match retry parameter in pwquality.conf (#9245)
- Support commas in variables (#9280)
- Refactor templated test scenarios (#9254)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Replace platform conditionals in whole remediation code (#9347)
- install_vm.py: add new option for disk size specification (#9479)
- correct inheritance of platforms by rules from groups (#9491)
- Add tests to audit privileged commands template (#9487)
Documentation
Content 0.1.63
Important Highlights
- Expand project guidelines (#8314)
- Add Draft OCP4 STIG profile (#8799)
- Add anssi_bp28_intermediary profile (#9045)
- add products/uos20 to support UnionTech OS Server 20 (#8779)
- products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
- Remove WRLinux Products (#9106)
- Update CIS RHEL8 Benchmark for v2.0.0 (#9154)
New Rules and Profiles
- Fill gaps in the RHEL8/RHEL9 STIG (#9016)
- Add anssi_bp28_intermediary profile (#9045)
- Introduce OL9 ospp profile (#9057)
- products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
- add Audit OSPP rules for AArch64 (#9091)
- Add grub2_systemd_debug-shell_argument_absent (#9100)
- CIS RHEL8 v2.0.0 small fixes (#9165)
Updated Rules and Profiles
- Make krb5 rules applicable only to older versions of certain package (#9003)
- RHEL8 STIG: Install redhat gpg key (#8993)
- Add anssi gshadow rules (#9022)
- Fill gaps in the RHEL8/RHEL9 STIG (#9016)
- remove support for external Audit files and cleanup test scenarios (#9073)
- Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
- Remove rule zip_vsyscall_argument (#9083)
- Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
- Make rule audit_access_success in OSPP profile unenforcing (#9082)
- Cleanup RHEL9 OSPP networking sysctl rules (#9092)
- Add two rules and some more CCEIDs (#9107)
- add Audit OSPP rules for AArch64 (#9091)
- remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
- remove Rsyslog related rules from RHEL9 OSPP (#9116)
- Anssi Rules Added (#9105)
- remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
- Update SLE15 DISA STIG from v1r6 (#9146)
- Remove yp-related rules from RHEL9 (#9148)
- Add Enable Auth Select to RHEL8/9 STIG (#9151)
- BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
- Relax chrony check and remediations (#9156)
- make RHEL-08-020231 automated again (#9125)
- Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
- Review and improve sssd_enable_smartcards rule (#9145)
- Amend OSPP references for some package_*_installed rules. (#9164)
- Add automation content to kernel_module_uvcvideo_disabled (#9162)
- Add missing rules to OL8 STIG profile (#9171)
- Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
- [Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
- Make Audit aarch64 rules specific to RHEL9 only (#9187)
- [stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
- Remove 3 package rules from RHEL 9 OSPP (#9228)
- Remove 3 crypto rules from RHEL 9 OSPP (#9227)
- [Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
- add new rule package_postfix_installed (stabilization) (#9214)
- [Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
- [stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
- [Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
- Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)
Removed Products
- Remove WRLinux Products (#9106)
Changes in Remediations
- Add whitespace in macro function so CTF can properly parse tokens (#9030)
- EKS: Fix typo (#9037)
- Fix regular expression in Ansible remediation (#9063)
- Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
- Ansible remediation for enable_authselect (#9085)
- Refactor bash macros for PAM (#9017)
- Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
- Fix ubuntu logic in display_login_attempts (#9110)
- Refactor Ansible macros for PAM (#9097)
- Add Ansible remediation (#9114)
- Create Ansible macro for authselect backup command (#9128)
- Align PAM Bash macros to equivalent in Ansible (#9127)
- SLE15 SP4 audit_rules_augenrules broken. (#9130)
- fix bash remediation of configure_libreswan_crypto_policy (#9134)
- add Ansible conditionals to CPE platforms determining architecture (#9126)
- Set pipefail in Ansible shell commands with pipe (#9123)
- Update faillock related macros (#9139)
- Command 'chown', change from '.' to ':' separator (#9159)
- Review and improve sssd_enable_smartcards rule (#9145)
- SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
- add new rule package_postfix_installed (stabilization) (#9214)
- [Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)
Changes in Checks
- Add missing ocil_clause for audit rules (#9109)
- SLE15 SP4 audit_rules_augenrules broken. (#9130)
- Reduce the list of FIPS crypto policies (#9149)
- Review and improve sssd_enable_smartcards rule (#9145)
- Store intermediate OVAL check files (#9157)
Changes in the Infrastructure
- Parametrize the file name of the container used by gitpod integration (#9043)
- Add python vscode extension to the gitpod environment (#9074)
- Add a markdown output target to create_srg_export (#9064)
- Update docker files (#9153)
- Remove the vendor-zipfile and redhat-zipfile targets (#9152)
- Add per profile filter of missing_cce test (#9155)
- Store intermediate OVAL check files (#9157)
- [Stabilization] Install ansible for the extra modules (#9274)
Changes in the Test Suite
- test_env.py: add more attempts when executing ssh command (#9015)
- Rework tarball generation (#8883)
- Add OL9 Dockerfile (#9099)
- Update CIS L2 test for configure_crypto_policy (#9163)
- Automatus: close hanging tempfiles descriptors (#9200)