Content 0.1.68

@github-actions github-actions released this 15 Jun 08:49
· 4476 commits to master since this release
513280d

Important Highlights

  • Bump OL8 STIG version to V1R6 (#10497)
  • Introduce a Product class, make the project work with it (#10529)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • OL7 DISA STIG v2r11 update (#10498)
  • Publish rendered policy artifacts (#10585)
  • Update ANSSI BP-028 to version 2.0 (#10334)

New Rules and Profiles

  • Add rule package_mailx_installed (#10495)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
  • Introduce file_permissions_audit_configuration rule (#10489)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • New rules to complete CIS requirements for SSH Keys (#10552)
  • New SLE 15 rule set_nftables_base_chain (#10180)
  • Rebased hagenest set nftables loopback traffic (#10366)
  • Restart postfix service and add rule has_nonlocal_mta (#10359)
  • SLE15 add implementation of nftables_rules_permanent rule (#10201)
  • SLE15 add nftables ensure default deny policy (#10249)
  • Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)

Updated Rules and Profiles

  • Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
  • Add package_avahi_removed to ubuntu profiles (#10406)
  • Add rules SLES-15-010375 and SLES-12-010375 (#10625)
  • Add rules SLES-15-010419 and SLES-12-010499 (#10621)
  • Add rules SLES-15-010420 and SLES-12-010500 (#10623)
  • Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Bump OL8 STIG version to V1R6 (#10497)
  • Complete CIS requirement for system accounts (#10627)
  • Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
  • delete rule SLES-15-040280 (#10383)
  • Drop of some rules from SLE 12/15 profiles (#10527)
  • Enable ensure_shadow_group_empty for RHEL7 (#10416)
  • Enable service_nftables_disabled for RHEL (#10390)
  • Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
  • Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
  • Ensure access to the su command is restricted (#10386)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
  • Fix in sshd_use_approved_ciphers (#10535)
  • Fix in sudo_require_reauthentication (#10216)
  • Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
  • Introduce rule to check if SELinux is not Disabled (#10575)
  • Introduce rules to configure loopback traffic with Firewalld (#10573)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • No remediation warning for fapolicy_default_deny (#10433)
  • OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
  • OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
  • OL7 DISA STIG v2r11 update (#10498)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE 12/15 profile updates (#10577)
  • SLE improve kernel module disabled rule (#10368)
  • SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
  • sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
  • Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
  • Ubuntu 22.04 CIS modify password remember rule (#10480)
  • Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
  • Update accounts_password_pam_retry yaml (#10496)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update ANSSI BP-028 to version 2.0 (#10334)
  • Update CIS controls related to nftables table and chains (#10629)
  • Update CIS requirement for SSH access limit (#10470)
  • Update netrc requirement in CIS for RHEL8 (#10511)
  • Update OL9 STIG profile (#10407)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • update rule sles-15-040250 (#10492)

Changes in Remediations

  • Add Ubuntu SCE checks for iptables rules (#10587)
  • Ansible remediation for configure_bashrc_exec_tmux (#10584)
  • audit_rules_privileged commands: skip /proc directory (#10471)
  • Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
  • Fix changes in Ansible tasks not expected to fail (#10427)
  • Fix in the Ansible part of the rule audit_rules_suid_privilege_function (#10510)
  • Fix up RHEL kickstarts (#10499)
  • fix: aide_string: drop nl at end (#10578)
  • fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
  • fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
  • Modify SLE remediation for ensure_logrotate_activated (#10481)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • Replace grep command with ansible find (#10579)
  • SLE add ability to configure emergency via dropin (#10482)
  • SLE improve kernel module disabled rule (#10368)
  • SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
  • Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
  • templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)

Changes in Checks

  • audit_rules_privileged commands: skip /proc directory (#10471)
  • bugfix: mount_option: handle commented lines (#10518)
  • Ensure authentication required for single user mode for Ubuntu (#10415)
  • Fix in sudo_require_reauthentication (#10216)
  • Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
  • Refactor audit_rules_privileged_commands to include in CIS (#10326)
  • SLE improve kernel module disabled rule (#10368)
  • Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
  • Update OVAL, Ansible and tests in audit_rules_suid_privilege_function rule (#10597)
  • Update pass aging rules to not ignore empty pass (#10633)
  • Use specific name in private key groups instead of gid (#10622)

Changes in the Infrastructure

  • Add a product stability test (#10606)
  • Add CMakelint (#10468)
  • Add controls to the EOF checker (#10477)
  • Automate and Fix Missing Newline at the End of Files (#10361)
  • Expand the list of rules skipped by Ansible Lint (#10485)
  • Fix data stream component parsing (#10411)
  • Implement a tool for parsing profiles and outputting rules (#10455)
  • Introduce a Product class, make the project work with it (#10529)
  • Publish rendered policy artifacts (#10585)
  • Refactor the scapval test (#10611)
  • Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
  • Remove unused imports (#10384)
  • Remove unused variables (#10382)
  • Shell quote support for Jinja macros (#10524)
  • Stabilization: Fix install_vm.py on older versions of Python (#10652)
  • Stop using deprecated set-output in GitHub Actions (#10588)
  • Update CI Repo for CTF (#10385)
  • Update GitHub Action Versions (#10543)

Changes in the Test Suite

  • Add a product stability test (#10606)
  • Add a warning to AutoMatus (#10394)
  • bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
  • bugfix: packages: delim is comma (#10559)
  • bugfix: ssg_test_suite: RuleResult eq (#10365)
  • Fix template not found error in Automatus (#10631)
  • Fix tests applicability for ol8 product (#10570)
  • Fix tests in sshd_lineinfile template (#10595)
  • Fix typo in tests for sshd_limit_user_acess (#10478)
  • install_vm refactor (#10607)
  • install-vm fixes / features (#10562)
  • Remove machine pruning from gating (#10453)
  • Revert change in test scenario script for enable_authselect rule (#10430)
  • Unused test code (#10558)
  • Use bash_package_* (#10557)
  • Use mkdir -p when creating directories (#10556)

Documentation

  • Add Kickstarts to the changelog (#10512)
  • add python3 to the list of build dependencies for RHEL-8+ (#10503)
  • Bump version for 0.1.68 (#10372)
  • Fix read the docs build (#10537)
  • fix: Fix misspelled word infrastruture (#10531)
  • Jinja macro doc fixes (#10599)
  • Reduce Doc Warnings (#10528)
  • Styleguide Update (#10466)
  • Update Add Product Guide (#10533)
  • Update release documentation about release_helper.py script (#10502)