Content 0.1.64

@github-actions released this 30 Sep 16:38
· 8218 commits to master since this release
14bd2e7

Important Highlights

New Rules and Profiles

  • Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
  • add rule package_postfix_installed (#9191)
  • add audit policy rules specific for ppc64le platform (#9124)
  • Introduce ol9 stig profile (#9207)
  • Introduce Ol9 anssi profiles (#9243)
  • Introduce rule accounts_passwords_pam_faillock_audit (#9264)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Introduced rules to disable accounts because of inactivity (#9244)
  • Introduce e8 profile for OL9 (#9284)
  • New sysctl ipv4 forwarding rule (#9277)
  • Introduce hipaa profile for ol9 (#9478)

Updated Rules and Profiles

  • Remove 3 crypto rules from RHEL 9 OSPP (#9181)
  • Remove 3 package rules from RHEL 9 OSPP (#9182)
  • Introduce new sebool description and ocil macros (#9184)
  • Add to SLE ANSSI profile various sysctl rules (#9185)
  • Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
  • Add more ANSSI Intermediary Rules (#9203)
  • Add more sysctl rules to intermediary profile (#9202)
  • The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
  • Remove 4 PAM related rules from RHEL9 OSPP (#9217)
  • switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
  • remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
  • add audit policy rules specific for ppc64le platform (#9124)
  • remove umask-related rules from RHEL9 OSPP (#9223)
  • Make audit AArch64 specific rules RHEL9 only (#9188)
  • Remove rules for package removal from RHEL 9 OSPP (#9233)
  • remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
  • Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
  • remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
  • Don't pass sssd rules when sssd.conf is absent (#9225)
  • Update accounts_password_pam_retry behavior (#8880)
  • System commands dir root or system account (#9258)
  • SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
  • Update RHEL8 STIG to V1R7 (#9276)
  • Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
  • Update few sysctl rules to accept multiple compliant values (#9286)
  • Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
  • Make OSPP profiles use minimal Authselect profile (#9298)
  • add warning to audit_rules_for_ospp (#9303)
  • add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
  • Update RHEL7 STIG to V3R8 (#9317)
  • change rules protecting boot in RHEL8 OSPP (#9306)
  • Add the AUID filters on RHEL7 audit kernel module rules (#9290)
  • add 4 rules back to RHEL9 datastream (#9334)
  • Implement DISA check for auditing kmod on RHEL7 (#9338)
  • Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
  • Include warning about the pam_securetty.so PAM module (#9348)
  • Add AUID filters on audit_rules_kernel_module_loading (#9371)
  • Mask sensitive objects (#9364)
  • Update RHEL9 STIG (#9378)
  • add/remove fedora from privileged commands depending if exists or not (#9367)
  • change way of disabling coredumps in RHEL9 OSPP (#9384)
  • Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
  • Bump version of OL8 to V1R3 and update STIG ids (#9457)
  • Add missing SRG references for RHEL 9 STIG (#9428)
  • Remove support for upstart init system (#9452)
  • Updates RHEL 9 STIG: Part 3 (#9489)
  • Add ol8 platform to existing required tests (#9485)
  • Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
  • Update account_password_selinux_faillock_dir rule (#9501)
  • Remove audit_rules_execution_restorecon from SRG control files. (#9503)
  • Add tests to file_ownership_binary_dirs (#9515)
  • Update ocil and ocil_clause in display_login_attempts (#9522)
  • Update some account rules according to RHEL9 STIG (#9499)
  • Include checktest for banner_etc_issue rule (#9521)
  • Update pam_faillock rules for RHEL9 STIG (#9520)
  • Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
  • Update clean_components_post_updating to align with RHEL9 STIG (#9510)
  • Update accounts_umask_etc_profile (#9496)
  • Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
  • Update audit rules RHEL9 STIG metadata (#9513)
  • Add tests to no_user_host_based_files (#9529)
  • Add tests to dir_perms_world_writable_system_owned (#9517)
  • Add tests to no_host_based_files (#9532)
  • Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
  • Add tests to clean_components_post_updating (#9530)
  • Update macros from audit privileged commands (#9502)
  • Update some PAM rules for RHEL9 STIG (#9514)
  • Add variable for auditd freq (#9504)
  • Align rule audit_rules_immutable with results of RHEL9 STIG assessment (#9506)
  • [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)

Changes in Remediations

  • Allow two modes of SSH key ownership (#9094)
  • Add oval and remediation for auditd_audispd_disk_full_action (#9195)
  • include = sign in remediation of configure_openssl_crypto_policy (#9194)
  • Condition run of newaliases to its availability (#9241)
  • Update accounts_password_pam_retry behavior (#8880)
  • Add DISA STIG ids to when conditions in ansible roles (#9029)
  • Improve bash_ensure_pam_module_line macro (#9252)
  • Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
  • Fix rule sudo_custom_logfile (#9299)
  • Fix ansible partition conditionals (#9339)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Add Kubernetes remediation for rule configure_crypto_policy (#9266)
  • Fix 2 ctest shellcheck issues (#9398)
  • Fix kernel_module_disabled remediation template (#9346)
  • Conditional for Ansible remediation on RHEL7 (#9440)
  • change parameter of findmnt used in bash partition conditional (#9480)
  • Fix remediation of rules dealing with Audit watches (#9463)

Changes in Checks

  • Update accounts_password_pam_retry behavior (#8880)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Fix rule sudo_custom_logfile (#9299)
  • Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
  • Mask sensitive objects (#9364)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
  • Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
  • Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
  • [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)

Changes in the Infrastructure

  • Fix various bugs in utils (#9172)
  • Remove CentOS 6 and SL 6 references from the project (#9211)
  • Fix pre tag in ocil_mount_option (#9209)
  • Remove unused build option (#9213)
  • Update gitpod HTML preview extension. (#9261)
  • Install ansible for the extra modules (#9273)
  • Use DS to build Ansible Playbooks and Bash scripts (#9291)
  • Stop validating ssg-product-xccdf.xml (#9292)
  • Use data stream to verify profile titles and descriptions (#9294)
  • Use data stream to verify references (#9293)
  • Generate CCE tables from data stream (#9300)
  • Fix CMake dependencies (#9328)
  • Use XCCDF 1.2 to create STIG overlay (#9301)
  • Specify output file names (#9361)
  • Test missing references in a data stream (#9295)
  • Add trim_trailing_whitespace to editorconfig (#9391)
  • Sort check-export elements (#9397)
  • Use data stream to generate statistics (#9296)
  • Generate per profile testinfo tables from XCCDF 1.2 (#9325)
  • Fix missing OCIL text and 800-53 references (#9415)
  • Use XCCDF 1.2 to generate STIG HTML tables (#9406)
  • Add a script to import SRG export changes (#9416)
  • Make groups inherit platforms from parent groups (#9465)
  • Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
  • correct inheritance of platforms by rules from groups (#9491)
  • Improve HTML for Table Templates (#9481)
  • SRG Export: Improve vuldiscussion sourcing (#9493)
  • Remove empty load operation (#9492)
  • Add tests to rule no_tmux_in_shells (#9518)
  • Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
  • Avoid sed hack (#9363)

Changes in the Test Suite

  • Automatus: close hanging tempfiles descriptors (#9199)
  • Improve regex to match retry parameter in pwquality.conf (#9245)
  • Support commas in variables (#9280)
  • Refactor templated test scenarios (#9254)
  • Fix account_password_selinux_faillock_dir rule (#9381)
  • Replace platform conditionals in whole remediation code (#9347)
  • install_vm.py: add new option for disk size specification (#9479)
  • correct inheritance of platforms by rules from groups (#9491)
  • Add tests to audit privileged commands template (#9487)

Documentation

  • Enable Security Content workshop into Gitpod environment (#9438)
  • Add ordering to the platform key (#9488)