github-actions released this 09 Aug 14:29
Important Highlights
- Add Amazon Linux 2023 product (#12006)
- Introduce new remediation type Kickstart (#12144)
- Make PAM macros more flexible to variables (#12133)
- Remove Debian 10 Product (#12205)
- Remove Red Hat Enterprise Linux 7 product (#12093)
- Update CIS RHEL9 control file to v2.0.0 (#12067)
New Rules and Profiles
- Add initial RHEL 10 CIS profiles (#12075)
- Add new rule audit_rules_var_log_journal (#11920)
- Add new rule file_permissions_var_log_audit_stig (#11966)
- Add new rule install_endpoint_security_software (#11970)
- Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
- Add rule dir_groupowner_system_journal (#11838)
- Add rule dir_owner_system_journal (#11839)
- Add rule file_group_ownership_var_log_audit_stig (#11924)
- Add rule file_groupowner_journalctl (#11841)
- Add rule file_owner_journalctl (#11835)
- Add rule file_permissions_etc_audit_rules (#11959)
- Add rule file_permissions_journalctl (#11834)
- Check ufw is active (#11984)
- Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
- Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
- Initial HIPAA RHEL 10 Profile (#11915)
- Initial ISM O RHEL 10 Profile (#11994)
- Initial OSPP Control File (#11882)
- Initial RHEL 10 e8 Profile (#11976)
Updated Rules and Profiles
- Add package_rng-tools_installed to Fedora OSPP profile (#12246)
- Add package_firewalld_installed to CCN and enable CCN Advanced profile test in CI (#12139)
- Add CCEs to RHEL 10 Rules (#12113)
- Add draft status to all RHEL 10 profiles (#12224)
- Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
- Add SSH related STIG rule to slmicro5 platform (#12193)
- Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
- Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
- Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
- Better description and test scenarios for set_nftables_table (#11991)
- CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
- CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
- CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
- Correct the platform for rule package_iptables-persistent_removed (#12195)
- Disable OSPP Profile for RHEL 10 (#12223)
- Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
- Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
- Ensure code consistency by using aide_conf_path var (#12066)
- Ensure that security_patches_up_to_date is not built with remediations (#11995)
- Exclude package_screen_installed from RHEL 10 OSPP (#12179)
- Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
- Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
- Fix missing variable for Ubuntu 22.04 (#11973)
- Fix package name for libpam-pkcs11 on Ubuntu (#11854)
- Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
- Fix pwquality package name for Ubuntu 22.04 (#11919)
- Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
- Fix rule name in Ubuntu 22.04 STIG profile (#11971)
- Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
- Guide/anssi r45 (#12129)
- Increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
- Make the behavior of chronyd_sync_clock rule more consistent (#12039)
- Modify rule file_groupowner_system_journal (#11836)
- Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
- OCPBUGS-1316: Add missing variable reference to rules (#12012)
- OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
- OCPBUGS-33945: select required SSHD timeout rule (#12091)
- OSPP profile, use Logind session timeout feature instead of tmux (#12212)
- Override few variables for Ubuntu 22.04 (#11928)
- Remove logind_session_timeout from stig_gui profiles (#12086)
- Remove rhel7 only rules (#12112)
- Revert changes to no_empty_passwords for Ubuntu (#11918)
- Slmicro5 stig add privileged commands support (#12221)
- Support all boolean values in dnf.conf (#11965)
- Update rules related to PAM hashing algorithm (#12164)
- Update SLE15 STIG version to V1R13 (#11921)
- Updated 10 rules to support SLE Micro 5 (#12210)
Removed Products
Changes in Remediations
- Improve remediation for enable_authselect (#12038)
- Achieve consistent file and directory permissions for systemd journals (#11974)
- Add ansible automation for configure_usbguard_auditbackend (#12092)
- Add ansible remediation for account_password_selinux_faillock_dir (#12094)
- Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
- Add ansible remediation for no_tmux_in_shells rule (#12138)
- Add namespace parameter for cluster-test (#11824)
- Add SCE check for ufw_rate_limit for Ubuntu (#11998)
- Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
- Adjust bash template (group)file_owner to follow symlinks (#12214)
- Align template systemd_dropin_configuration (#12054)
- Create dconf db directory for local profile (#12079)
- Create file if it doesn't exist for coredump rules (#12181)
- Ensure that security_patches_up_to_date is not built with remediations (#11995)
- Fix bash_package_installed macro (#12140)
- Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
- Fix chrony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
- Fix permissions for dconf db on Ubuntu (#12056)
- Fix Ubuntu faillock (#11932)
- Introduce new remediation type Kickstart (#12144)
- Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
- Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
- Simplify use of ansible_ensure_pam_module_option macro (#12159)
- Slmicro5 auth,security and audit STIG rules (#12192)
- templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
- Update ansible remediation CCE-85972-8 to support idempotency (#12152)
- Update rules related to PAM hashing algorithm (#12164)
Changes in Checks
- Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
- Fix broken OVAL metadata (#12151)
- Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
- Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
- Honour the no_quotes parameter of oval_check_dropin_file macro (#12173)
- Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
- Improve Rsyslog rules to support RainerScript syntax (#12010)
- Slmicro5 auth,security and audit STIG rules (#12192)
- templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
- Update OVAL check in accounts_password_last_change_is_in_past (#12177)
- Update rules related to PAM hashing algorithm (#12164)
Changes in the Infrastructure
- Add a script for finding unused rules (#12110)
- Add option to build per rule playbook via build_product script (#12105)
- Allow multiple control files to add the same reference type (#12165)
- Ensure that RHEL 10 has CCEs (#12137)
- Expand CCE Available Test to OCP4 (#12114)
- Fix Filename for UBI test (#12115)
- Fix Nightly Build - Debian 12 (#12033)
- Improve error handling when loading yaml stream (#11962)
- Include product property in profile class (#12050)
- Install dependency "xmllint" package (#12080)
- Mark some scenarios as specific to SCE (#12052)
- OCP Update variable filter to consider go_template (#11906)
- Remove duplicate product (#12049)
- Review and reorganize CMakeLists.txt file (#12000)
- Show most used rules of component (#12001)
- Stop building -ds-1.2.xml data streams (#11990)
- Update Gating (#12041)
Changes in the Test Suite
- Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
- Add Ubuntu 22.04 Automatus workflow (#12058)
- Automatus to UBI 8 (#12100)
- Better description and test scenarios for set_nftables_table (#11991)
- Clean Up Tests Due to RHEL 7 Removal (#12101)
- Disable service_enabled templated test for service_bluetooth_disabled (#12211)
- Do not run package_audit-libs_installed package removal test scenarios (#12099)
- Fix crypto policy in CIS test scenario (#12098)
- Fix OL7 GH Action (#12143)
- Fix platforms -> platform in test metadata (#12057)
- Fix regex in file_ownership_audit_configuration (#12029)
- Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
- GitHub Action Ansible shell module changes check (#12014)
- Include test scenario for multiple partitions (#11950)
- Make Rawhide CI Green (#12065)
- OCP4: Add workflow to test ocp content (#11615)
- OCP4: use new assertion format for OCP CI (#11790)
- Pin GitHub actions using Frizbee (#12082)
- Populate _rule_id virtual template parameter in Automatus (#11943)
- Remove the excluded_files (#12196)
- Validate Automatus Metadata (#12059)
Documentation
- Add script to Create a Control file from references (#11916)
- Additional updates in kernel_module_disabled template (#12160)
- Bump version after release (#12025)
- Fix a typo (#12017)
- Fix typos in notes for ocp4 controls (#11963)
- Update Contributors for v0.1.74 (#12225)
- Update control schema (#11942)
- Update RHEL 8 STIG SCAP Content to V1R13 (#12219)