Skip to content

Content 0.1.74

Latest
Compare
Choose a tag to compare
@github-actions github-actions released this 09 Aug 14:29
· 1140 commits to master since this release
1bf21b0

Important Highlights

  • Add Amazon Linux 2023 product (#12006)
  • Introduce new remediation type Kickstart (#12144)
  • Make PAM macros more flexible to variables (#12133)
  • Remove Debian 10 Product (#12205)
  • Remove Red Hat Enterprise Linux 7 product (#12093)
  • Update CIS RHEL9 control file to v2.0.0 (#12067)

New Rules and Profiles

  • Add initial RHEL 10 CIS profiles (#12075)
  • Add new rule audit_rules_var_log_journal (#11920)
  • Add new rule file_permissions_var_log_audit_stig (#11966)
  • Add new rule install_endpoint_security_software (#11970)
  • Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
  • Add rule dir_groupowner_system_journal (#11838)
  • Add rule dir_owner_system_journal (#11839)
  • Add rule file_group_ownership_var_log_audit_stig (#11924)
  • Add rule file_groupowner_journalctl (#11841)
  • Add rule file_owner_journalctl (#11835)
  • Add rule file_permissions_etc_audit_rules (#11959)
  • Add rule file_permissions_journalctl (#11834)
  • Check ufw is active (#11984)
  • Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
  • Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
  • Initial HIPAA RHEL 10 Profile (#11915)
  • Initial ISM O RHEL 10 Profile (#11994)
  • Initial OSPP Control File (#11882)
  • Initial RHEL 10 e8 Profile (#11976)

Updated Rules and Profiles

  • Add package_rng-tools_installed to Fedora OSPP profile (#12246)
  • Add package_firewalld_installed to CCN and enable CCN Advanced profile test in CI (#12139)
  • Add CCEs to RHEL 10 Rules (#12113)
  • Add draft status to all RHEL 10 profiles (#12224)
  • Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
  • Add SSH related STIG rule to slmicro5 platform (#12193)
  • Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
  • Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
  • Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
  • Better description and test scenarios for set_nftables_table (#11991)
  • CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
  • CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
  • CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
  • Correct the platform for rule package_iptables-persistent_removed (#12195)
  • Disable OSPP Profile for RHEL 10 (#12223)
  • Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
  • Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
  • Ensure code consistency by using aide_conf_path var (#12066)
  • Ensure that security_patches_up_to_date is not built with remediations (#11995)
  • Exclude package_screen_installed from RHEL 10 OSPP (#12179)
  • Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
  • Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
  • Fix missing variable for Ubuntu 22.04 (#11973)
  • Fix package name for libpam-pkcs11 on Ubuntu (#11854)
  • Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
  • Fix pwquality package name for Ubuntu 22.04 (#11919)
  • Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
  • Fix rule name in Ubuntu 22.04 STIG profile (#11971)
  • Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
  • Guide/anssi r45 (#12129)
  • increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
  • Make the behavior of chronyd_sync_clock rule more consistent (#12039)
  • Modify rule file_groupowner_system_journal (#11836)
  • Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
  • OCPBUGS-1316: Add missing variable reference to rules (#12012)
  • OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
  • OCPBUGS-33945: select required SSHD timeout rule (#12091)
  • OSPP profile, use Logind session timeout feature instead of tmux (#12212)
  • Override few variables for Ubuntu 22.04 (#11928)
  • remove logind_session_timeout from stig_gui profiles (#12086)
  • Remove rhel7 only rules (#12112)
  • Revert changes to no_empty_passwords for Ubuntu (#11918)
  • Slmicro5 stig add privileged commands support (#12221)
  • Support all boolean values in dnf.conf (#11965)
  • Update rules related to PAM hashing algorithm (#12164)
  • Update SLE15 STIG version to V1R13 (#11921)
  • Updated 10 rules to support SLE Micro 5 (#12210)

Removed Products

  • Remove Debian 10 Product (#12205)
  • Remove Red Hat Enterprise Linux 7 product (#12093)

Changes in Remediations

  • Improve remediation for enable_authselect (#12038)
  • Achieve consistent file and directory permissions for systemd journals (#11974)
  • Add ansible automation for configure_usbguard_auditbackend (#12092)
  • Add ansible remediation for account_password_selinux_faillock_dir (#12094)
  • Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
  • Add ansible remediation for no_tmux_in_shells rule (#12138)
  • add namespace parameter for cluster-test (#11824)
  • Add SCE check for ufw_rate_limit for Ubuntu (#11998)
  • Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
  • Adjust bash template (group)file_owner to follow symlinks (#12214)
  • align template systemd_dropin_configuration (#12054)
  • Create dconf db directory for local profile (#12079)
  • Create file if it doesn't exist for coredump rules (#12181)
  • Ensure that security_patches_up_to_date is not built with remediations (#11995)
  • Fix bash_package_installed macro (#12140)
  • Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
  • Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
  • Fix permissions for dconf db on Ubuntu (#12056)
  • Fix Ubuntu faillock (#11932)
  • Introduce new remediation type Kickstart (#12144)
  • Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
  • Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
  • Simplify use of ansible_ensure_pam_module_option macro (#12159)
  • Slmicro5 auth,security and audit STIG rules (#12192)
  • templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
  • Update ansible remediation CCE-85972-8 to support idempotency (#12152)
  • Update rules related to PAM hashing algorithm (#12164)

Changes in Checks

  • Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
  • Fix broken OVAL metadata (#12151)
  • Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
  • Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
  • Honour the no_quotes paramter of oval_check_dropin_file macro (#12173)
  • Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
  • Improve Rsyslog rules to support RainerScript syntax (#12010)
  • Slmicro5 auth,security and audit STIG rules (#12192)
  • templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
  • Update OVAL check in accounts_password_last_change_is_in_past (#12177)
  • Update rules related to PAM hashing algorithm (#12164)

Changes in the Infrastructure

  • Add a script for finding unused rules (#12110)
  • Add option to build per rule playbook via build_product script (#12105)
  • Allow multiple control files to add the same reference type (#12165)
  • Ensure that RHEL 10 has CCEs (#12137)
  • Expand CCE Available Test to OCP4 (#12114)
  • Fix Filename for UBI test (#12115)
  • Fix Nightly Build - Debian 12 (#12033)
  • Improve error handling when loading yaml stream (#11962)
  • Include product property in profile class (#12050)
  • Install dependency "xmllint" package (#12080)
  • Mark some scenarios as specific to SCE (#12052)
  • OCP Update variable filter to consider go_template (#11906)
  • Remove duplicate product (#12049)
  • Review and reorganize CMakeLists.txt file (#12000)
  • Show most used rules of component (#12001)
  • Stop building -ds-1.2.xml data streams (#11990)
  • Update Gating (#12041)

Changes in the Test Suite

  • Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
  • Add Ubuntu 22.04 Automatus workflow (#12058)
  • Automatus to UBI 8 (#12100)
  • Better description and test scenarios for set_nftables_table (#11991)
  • Clean Up Tests Due to RHEL 7 Removal (#12101)
  • Disable service_enabled templated test for service_bluetooth_disabled (#12211)
  • Do not run package_audit-libs_installed package removal test scenarios (#12099)
  • Fix crypto policy in CIS test scenario (#12098)
  • Fix OL7 GH Action (#12143)
  • Fix platforms -> platform in test metadata (#12057)
  • Fix regex in file_ownership_audit_configuration (#12029)
  • Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
  • Github Action Ansible shell module changes check (#12014)
  • Include test scenario for multiple partitions (#11950)
  • Make Rawhide CI Green (#12065)
  • OCP4: Add workflow to test ocp content (#11615)
  • OCP4: use new assertion formate for OCP CI (#11790)
  • Pin GitHub actions using Frizbee (#12082)
  • Populate _rule_id virtual template parameter in Automatus (#11943)
  • Remove the excluded_files (#12196)
  • Validate Automatus Metadata (#12059)

Documentation

  • Add script to Create a Control file from references (#11916)
  • Additional updates in kernel_module_disabled template (#12160)
  • Bump version after release (#12025)
  • Fix a typo (#12017)
  • Fix typos in notes for ocp4 controls (#11963)
  • Update Contributors for v0.1.74 (#12225)
  • Update control schema (#11942)
  • Update RHEL 8 STIG SCAP Content to V1R13 (#12219)