Content 0.1.73

@github-actions github-actions released this 16 May 18:44
2bf9d43

Important Highlights

  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
  • Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
  • Generate rule references from control files (#11540)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)

New Rules and Profiles

  • Add and modify rules file/dir_permissions_system_journal (#11840)
  • Add ANSSI Profiles for RHEL 10 (#11787)
  • Add initial RHEL 10 PCI DSS profile (#11872)
  • Add new rule file_permissions_sudo (#11584)
  • Add new templated rules for System.map files (#11640)
  • ANSSI R31 updates (#11560)
  • Audit watch on /etc/sysconfig/network-scripts (#11724)
  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
  • CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
  • Implement ANSSI requirement R69 for RHEL (#11663)
  • Improve ANSSI R28 (#11626)
  • Initial RHEL 10 STIG (#11793)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
  • Openembedded fixes (#11652)
  • Update ANSSI R50 (#11588)

Updated Rules and Profiles

  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
  • accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
  • Add a note to ANSSI R23 (#11571)
  • Add a warning to sshd_limit_user_access (#11507)
  • Add automation to enable faillock rules (#11458)
  • Add platform machine to sysctl.d rules (#11622)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • Additional updates in kernel_module_disabled template (#11508)
  • Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
  • Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
  • Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
  • ANSSI R31 updates (#11560)
  • api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
  • CMP 2453 pci dss requirement 1 (#11725)
  • CMP-2365: Fix check for rotating kubelet server certificates (#11543)
  • CMP-2372: Remove info override for virtual syscall rules (#11544)
  • CMP-2378: Fix OCP version regex (#11499)
  • CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
  • CMP-2471: Disable rules on s390x (#11743)
  • Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
  • Do not require existence of /var/tmp/tmp-inst (#11762)
  • Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
  • ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
  • extend the explanation why ANSSI R52 requirement is manual (#11629)
  • Fix #11895 issue (#11897)
  • Fix #11898 issue (#11899)
  • Fix #11902 issue (#11905)
  • Fix dconf package name for Ubuntu (#11821)
  • Fix description for auditd_max_log_file_action (#11585)
  • Fix kdump service name on Ubuntu 22.04 (#11914)
  • Fix OCP node OVN check (#11861)
  • Fix rule for accounts_authorized_local_users in SLE15 (#11602)
  • Fix SCE check for ip6tables_rules_for_open_ports (#11849)
  • Fix SCE checks for iptables_loopback_traffic (#11850)
  • HIPAA profile for SLE 15 - update (#11582)
  • Implement ANSSI requirement R69 for RHEL (#11663)
  • Improve ANSSI R28 (#11626)
  • Improve Rsyslog Rainer regex to find log files (#11808)
  • Improve title of CCN profiles for RHEL9 (#11852)
  • Make package installation for iptables and nftables mutually exclusive (#11191)
  • mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
  • Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
  • oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
  • OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
  • OCP4: Add rule to check ACS sensor deployed (#11675)
  • OCP4: Fix rules with both platform and platforms (#11760)
  • OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
  • OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
  • OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
  • OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
  • Openembedded fixes (#11652)
  • put exec back to configure_bashrc_exec_tmux (#11561)
  • Remove disabling_ipv6_autoconfig rule (#11550)
  • Replace dead HTML links for the chronyd project (#11799)
  • RHEL-09-232045: align with STIG (#11890)
  • Rule had incorrect CRD reference rule.yml (#11823)
  • Set the requires to sshd_set_keepalive on sshd_set_idle_timeout (#11815)
  • sysctl template: allow skipping of runtime checks (#11574)
  • trivial: fix linting issue (#11711)
  • trivial: Update link to audit profile documentation link (#11732)
  • Try 4110 for file_permissions_sudo (#11805)
  • ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
  • Update ANSSI R29 requirement (#11633)
  • Update ANSSI R32 (#11570)
  • Update ANSSI R36 requirement (#11632)
  • Update ANSSI R40 (#11563)
  • Update ANSSI R50 (#11588)
  • Update ANSSI R67 requirement (#11642)
  • Update ANSSI R68 (#11580)
  • Update ANSSI R71 (#11578)
  • Update audit_ospp_general (#11519)
  • Update CIS requirement status (#11784)
  • Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
  • Update CIS RHEL8 requirements related to crypto (#11506)
  • update cryptopolicy used in CUI profile to fips (#11792)
  • Update notes in ANSSI R3 (#11680)
  • update notes of the R36 requirement for ANSSI (#11639)
  • Update ol8 pcidss (#11867)
  • Update ol8 profiles (#11829)
  • Update ol8 stig (#11828)
  • Update ol8 stig reference (#11884)
  • Update ol9 pcidss (#11873)
  • Update ol9 profiles (#11846)
  • Update RHEL 8 STIG to V1R14 (#11878)
  • Update RHEL9 STIG to V1R3 (#11877)
  • Update SLE12 STIG to V2R13 (#11599)
  • Update SLE15 STIG to V1R12 (#11598)
  • update sles oval feed url (#11461)
  • Update SRG GPOS Control File (#11634)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
  • Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
  • Update STIG PSC Content (#11664)
  • Update sudo_dedicated_group (#11586)
  • Use string instead of number in oauth variable (#11613)
  • Use controls to assign ANSSI references (#11556)

Changes in Remediations

  • [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
  • [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
  • [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
  • accounts_passwords_pam_tally2_deny_root fix (#11676)
  • Add Ansible remediation to sssd_enable_pam_services (#11796)
  • Add Ansible Remediations (#11763)
  • Add root user to interactive users (#11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • Additional updates in kernel_module_disabled template (#11508)
  • Align securetty_root_login_console_only remediations with OVAL/rule description (#11716)
  • Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
  • Changes in template service_disabled - ansible part (#11645)
  • Disallow spaces in SSSD certificate_verification option (#11728)
  • Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
  • Fix ansible lint for SLE platforms (#11911)
  • fix ansible SLES stig remediations in check mode (#11248)
  • Fix Bash remediation of firewalld-based rules for offline mode (#11868)
  • Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
  • Fix non-idempotent bash remediation for sysctl template (#11671)
  • fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
  • Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
  • Fix ubuntu remediation for pam_faildelay (#11532)
  • Fix Ubuntu remediation for pam_faillock rules (#11488)
  • Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
  • Issue when using set -e with grep commands (#11712)
  • Make Blueprint for service_disabled template to mask services (#11679)
  • OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
  • pam_options ansible template dry-run fix (#11677)
  • Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
  • remove prodtype from add_kubernetes_rule (#11500)
  • Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
  • Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
  • set indent to 4 (#11530)
  • Simplify output of ip link show command (#11657)
  • update links and unify documentation in kickstart files (#11765)
  • Update links for Ansible role (#11737)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
  • use failed_when:false for Ansible register: checks (#11782)

Changes in Checks

  • accounts_passwords_pam_tally2_deny_root fix (#11676)
  • Add root user to interactive users (#11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
  • all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
  • App armor oval check (#11273)
  • Correction in oval part ensure_gpgcheck_globally_activated (#11709)
  • Disallow spaces in SSSD certificate_verification option (#11728)
  • Enforce explicit setting in password-auth (#11742)
  • Enforce explicit setting in system-auth (#11740)
  • Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
  • Fix macro for extracting local interactive users (#11589)
  • Fix regression in grub2_bootloader_argument (#11768)
  • Make additional check if selinux is enabled and operational (#11510)
  • Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
  • Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
  • Restrict the list of accepted shells in no_shelllogin_for_systemaccounts (#11896)
  • Revert PR 11816 (#11917)
  • Update ANSSI R67 requirement (#11642)
  • Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)

Changes in the Infrastructure

  • Account for non-existent 'build' dir in build_product (#11606)
  • Add new test to ensure that CCEs are removed from the avail file (#11590)
  • Add RHEL 9 support for playbook to role conversion utility (#11542)
  • Add RHEL 9 to Ansible Gating (#11624)
  • Add Script to Import DISA STIG to Policy Specific Content (#11611)
  • Add stigrefs after references from controls (#11591)
  • add the "components" test among quick tests (#11668)
  • Bump paambaati/codeclimate-action from 5.0.0 to 6.0.0 (#11912)
  • Change the metric of the most-used-components (#11738)
  • Clean up check_eof (#11757)
  • Disable RHEL 10 content for 0.1.73 release (#11989)
  • Ensure that components not in datastream are not mentioned by profiles (#11811)
  • Extend the stable-profiles test (#11617)
  • Extension of the most-used-rules and most-used-components subcommands of the profile_tool.py script to specify a list of products to be considered (#11733)
  • Fix broken exception message (#11842)
  • Fix content_diff when a rule is removed (#11855)
  • Fix deprecation warning in ssg/build_derivatives.py (#11666)
  • Fix SCE finding XPath to allow nesting with OCILs (#11682)
  • Fix TypeError in get_implemented_stigs (#11596)
  • Improve github workflow for building OCP PR image (#11492)
  • Improve playbook script and documentation (#11747)
  • k8s content image: Image from PR should not be tagged latest (#11643)
  • k8s image content from PRs: Fix id in job step (#11604)
  • k8s image content from PRs: remove token from action parameters (#11608)
  • Move auditing group (#11789)
  • Move to use main branch and OpenSCAP 1.4.0 for building on Windows (#11734)
  • OCP: Fix e2e remediation for container_security_operator_exists (#11545)
  • OCP4: Fix pr image workflow (#11533)
  • OCP4: use utf-8 as default xml encoding (#11614)
  • Prevent conflicts in references (#11555)
  • profile_tool.py: Fix traceback in sub command (#11637)
  • Re-organize tests/fmf-plans into a more concise format (#11809)
  • Reduce OCIL size (#11577)
  • Reduce XCCDF (#11800)
  • Reduce XML reformatting (#11641)
  • Reduction of CPE content in DS (#11648)
  • Refactoring: Remove all references to prodtype (code/tests/docs) (#11505)
  • Remove CNSS REF URL (#11714)
  • Removing unused variables from the datastream (#11858)
  • Rework of cpe_generate.py (#11644)
  • Run Contest test instead of Fedora project beakerlib tests (#11419)
  • Speed up build of thin data streams (#11618)
  • Stabilize resolved profiles (#11727)
  • Test that all rules have references (#11610)
  • Thin DS: Command Line Interface (#11549)
  • Tool for identifying the most used components (#11730)
  • Tool for identifying the most used rules (#11439)
  • Update entities/common.py to use CDumper (#11541)
  • Update PR workflow actions to run only on latest push (#11616)
  • Use control files to generate references (#11594)
  • utils/gen_rendered_policies_index.py: read compiled control files (#11667)

Changes in the Test Suite

  • Add RHEL 10 Install Command to Automatus (#11797)
  • CMP-2366: Update service_autofs_disabled default e2e result (#11546)
  • Disallow spaces in SSSD certificate_verification option (#11728)
  • extend misleading Automatus error message (#11658)
  • Fix ANSSI Ansible fmf test plan (#11791)
  • Fix Automatus in CI (#11494)
  • Fix tests for file_permissions, file_owner, file_groupowner (#11814)
  • Flush automatus test logs before outputting results (#11605)
  • OCP4: Fix rules with both platform and platforms (#11760)
  • Split out TMT plans to separate Packit jobs (#11860)
  • Thin DS tests (#11755)
  • Update crypto_policy test scenario for CIS RHEL8 (#11513)

Documentation

  • Add docs how to build thin ds (#11900)
  • Add RHEL 10 to SRG Mapping Table Action (#11881)
  • Bump master branch version to 0.1.73 (#11496)
  • Improve playbook script and documentation (#11747)
  • release_helper script updates (#11504)
  • Remove prodtype from rule schema (#11493)
  • Update links for Ansible role (#11737)
  • update list of contributors before releasing 0.1.73 (#11888)
  • update meaning of the "automated" status in control files (#11646)
  • Update RHEL 9 SCAP references to V1R1 (#11673)