Content 0.1.63

Important Highlights

• Expand project guidelines (#8314)
• Add Draft OCP4 STIG profile (#8799)
• Add anssi_bp28_intermediary profile (#9045)
• add products/uos20 to support UnionTech OS Server 20 (#8779)
• products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
• Remove WRLinux Products (#9106)
• Update CIS RHEL8 Benchmark for v2.0.0 (#9154)

New Rules and Profiles

• Fill gaps in the RHEL8/RHEL9 STIG (#9016)
• Add anssi_bp28_intermediary profile (#9045)
• Introduce OL9 ospp profile (#9057)
• products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
• add Audit OSPP rules for AArch64 (#9091)
• Add grub2_systemd_debug-shell_argument_absent (#9100)
• CIS RHEL8 v2.0.0 small fixes (#9165)

Updated Rules and Profiles

• Make krb5 rules applicable only to older versions of certain package (#9003)
• RHEL8 STIG: Install redhat gpg key (#8993)
• Add anssi gshadow rules (#9022)
• Fill gaps in the RHEL8/RHEL9 STIG (#9016)
• remove support for external Audit files and cleanup test scenarios (#9073)
• Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
• Remove rule zip_vsyscall_argument (#9083)
• Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
• Make rule audit_access_success in OSPP profile unenforcing (#9082)
• Cleanup RHEL9 OSPP networking sysctl rules (#9092)
• Add two rules and some more CCEIDs (#9107)
• add Audit OSPP rules for AArch64 (#9091)
• remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
• remove Rsyslog related rules from RHEL9 OSPP (#9116)
• Anssi Rules Added (#9105)
• remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
• Update SLE15 DISA STIG from v1r6 (#9146)
• Remove yp-related rules from RHEL9 (#9148)
• Add Enable Auth Select to RHEL8/9 STIG (#9151)
• BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
• Relax chrony check and remediations (#9156)
• make RHEL-08-020231 automated again (#9125)
• Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
• Review and improve sssd_enable_smartcards rule (#9145)
• Amend OSPP references for some package_*_installed rules. (#9164)
• Add automation content to kernel_module_uvcvideo_disabled (#9162)
• Add missing rules to OL8 STIG profile (#9171)
• Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
• [Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
• Make Audit aarch64 rules specific to RHEL9 only (#9187)
• [stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
• Remove 3 package rules from RHEL 9 OSPP (#9228)
• Remove 3 crypto rules from RHEL 9 OSPP (#9227)
• [Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
• add new rule package_postfix_installed (stabilization) (#9214)
• [Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
• [stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
• [Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
• Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)

Removed Products

• Remove WRLinux Products (#9106)

Changes in Remediations

• Add whitespace in macro function so CTF can properly parse tokens (#9030)
• EKS: Fix typo (#9037)
• Fix regular expression in Ansible remediation (#9063)
• Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
• Ansible remediation for enable_authselect (#9085)
• Refactor bash macros for PAM (#9017)
• Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
• Fix ubuntu logic in display_login_attempts (#9110)
• Refactor Ansible macros for PAM (#9097)
• Add Ansible remediation (#9114)
• Create Ansible macro for authselect backup command (#9128)
• Align PAM Bash macros to equivalent in Ansible (#9127)
• SLE15 SP4 audit_rules_augenrules broken. (#9130)
• fix bash remediation of configure_libreswan_crypto_policy (#9134)
• add Ansible conditionals to CPE platforms determining architecture (#9126)
• Set pipefail in Ansible shell commands with pipe (#9123)
• Update faillock related macros (#9139)
• Command 'chown', change from '.' to ':' separator (#9159)
• Review and improve sssd_enable_smartcards rule (#9145)
• SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
• add new rule package_postfix_installed (stabilization) (#9214)
• [Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)

Changes in Checks

• Add missing ocil_clause for audit rules (#9109)
• SLE15 SP4 audit_rules_augenrules broken. (#9130)
• Reduce the list of FIPS crypto policies (#9149)
• Review and improve sssd_enable_smartcards rule (#9145)
• Store intermediate OVAL check files (#9157)

Changes in the Infrastructure

• Parametrize the file name of the container used by gitpod integration (#9043)
• Add python vscode extension to the gitpod environment (#9074)
• Add a markdown output target to create_srg_export (#9064)
• Update docker files (#9153)
• Remove the vendor-zipfile and redhat-zipfile targets (#9152)
• Add per profile filter of missing_cce test (#9155)
• Store intermediate OVAL check files (#9157)
• [Stabilization] Install ansible for the extra modules (#9274)

Changes in the Test Suite

• test_env.py: add more attempts when executing ssh command (#9015)
• Rework tarball generation (#8883)
• Add OL9 Dockerfile (#9099)
• Update CIS L2 test for configure_crypto_policy (#9163)
• Automatus: close hanging tempfiles descriptors (#9200)

Documentation

• A EditorConfig file (#9020)
• Add removed products to the changelog (#9108)
• Guidelines: Add the entry about one-off scripts (#9089)
• Fix typos in man page and profile descriptions (#9160)
• Fix man-page header for lexgrog (#9158)