Content 0.1.52

@vojtapolasek vojtapolasek released this 18 Sep 14:36

Highlights:

  • Huge update of the RHEL7 STIG profile
  • Introduced a minimal reference-rule mapping generator (#5946)

Profiles changed in this release:

  • rhel7: ospp, hipaa, stig
  • rhel8: ospp, hipaa, stig
  • ocp4: moderate, e8
  • ol8: ospp
  • rhcos4: moderate, ncp

Profiles:

  • Select sshd_disable_rhosts in RHEL7 STIG profile. (#6019)
  • Select sshd_disable_user_known_hosts in RHEL7 STIG profile. (#6021)
  • Update RHEL7 STIG profile to use pam unlock_time=900. (#6011)
  • Remove rules that are not present on RHEL STIG v2r7 anymore. (#5975)
  • Update hipaa description (#5957)
  • Select uefi_no_removeable_media in DISA RHEL7 STIG profile (#5987)
  • Update dconf_gnome_disable_ctrlaltdel_reboot and select it in RHEL7 STIG profile (#5993)
  • Add new rule dconf_gnome_disable_ctrlaltdel_logout to RHEL7 STIG (#5992)
  • Add a missing Crypto Policy rule to OSPP. (#6007)

Rules:

  • Introduced rule to disable XDMCP in gdm (#5997)
  • Update OVAL check and remediations for sshd_use_priv_separation. (#6022)
  • Set sshd_do_not_permit_user_env to pass even with missing parameter. (#6018)
  • Update network_sniffer_disabled (#6000)
  • Add Fedora product to package_bind_removed rule prodtype (#6017)
  • Fixed dconf_gnome_screensaver_idle_activation_enabled with respect to the RHEL7 STIG (#6016)
  • Update sle15 product with specific package names and permissions (#6012)
  • Update RHEL7 STIG id for grub2_uefi_password to match RHEL >= 7.2. (#6009)
  • Added SRG to configure_ssh_crypto_policy (#6008)
  • Update severity of package_vsftpd_removed (#6002)
  • Remove SRGs from package_openssh-server_installed (#6001)
  • Implement V-72095 for STIG (#5985)
  • Remove nonexistent SRG from audit_rules_usergroup_modification_opasswd (#5998)
  • Fix minor description issue in dconf_gnome_login_banner_text (#5994)
  • Remove redundant SRG from audit_rules_privileged_commands_umount (#5983)
  • Add RHEL7 STIG ID to sysctl_net_ipv4_conf_default_rp_filter (#5990)
  • Add RHEL7 STIG ID to sysctl_net_ipv4_conf_all_rp_filter (#5989)
  • Remove extra zero on SRG ref mapping from kernel_module_dccp_disabled (#5991)
  • Remove duplicated STIG ID entry in libreswan_approved_tunnels (#5988)
  • Add an evaluation for OpenShift allowedRegistries (#5906)
  • Add ansible remediation for accounts_have_homedir_login_defs (#5942)
  • Fix descriptions of rules audit_rules_privileged_command_* (#5980)
  • Fix descriptions and OCILs of audit_rules_execution_* (#5981)
  • Update DISA CCI for rpm_verify_hashes (#5979)
  • Remove wrong CCI number from no_files_unowned_by_user (#5966)
  • Fix typo in OCIL checking command for file_groupownership_home_directories (#5968)
  • Remove perm=x from rules about auditing of privileged commands (#5956)
  • Update rule dconf_gnome_screensaver_lock_locked (#5959)
  • Fix syntax in OCIL checking command for accounts_user_dot_no_world_writable_programs (#5969)
  • Remove SRG mapping from audit_rules_dac_modification_lsetxattr (#5962)
  • Update kernel_module_disabled template to add modules into exclude list (#5963)
  • Fix typo in grub password rules (#5964)
  • Update dconf_gnome_banner_enabled to use local.d dconf database (#5951)
  • Use full CCI and STIG identifiers (#5606)
  • Add grub2 platform to grub2 kernel option rules (#5952)
  • Add XCCDF variable into OCIL of auditd_data_retention_action_mail_acct (#5953)
  • Update rpm_verify_hashes according to STIG RHEL7 v2r7 (#5918)
  • Remove OVAL check from rule install_antivirus (#5947)
  • Update aide_verify_ext_attributes OVAL and Bash (#5945)
  • Update aide_verify_acls (#5941)
  • Reference relevant OSPP requirements that depend on correct crypto-policy selection via var_system_crypto_policy (#5935)
  • The OSPP requirements for cryptographically verifying the integrity of updates are FPT_TUD_EXT.1.2 and FPT_TUD_EXT.2.2 (#5934)
  • The CC/OSPP requirement for handling authentication failures is FIA_AFL.1 (#5933)
  • The CC/OSPP requirement for the TOE access banner is FTA_TAB.1 (#5932)
  • Harden OpenSSL crypto policy (#5925)
  • Update file permissions/ownership/group bash template to better support "file_regex" parameter (#5921)
  • Add template for zIPL boot entry option (#5908)
  • Fix rule selinux_all_devicefiles_labeled (#5911)
  • Reorganize zIPL rules (#5888)
  • Add missing CCEs to rules in ism_o profile (#5913)
  • Converted kube remediation to use the macro (#5904)
  • Revert back OVAL check for sshd_disable_compression to use xccdf variable. (#6031)
  • Update additional Ansible "when" statement to fix issues with rules not being applied to VMs (#5995)
  • Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services (#6014)
  • Update accounts_passwords_pam_faillock_unlock_time to work with "never" as value (#6003)
  • Cleanup audit_rules_login_events ansible remediation template (#5978)
  • Update auditd audispd configure remote server (#5949)
  • Add ansible remediation for dconf_gnome_screensaver_idle_activation_locked (#5960)
  • Update OVAL check and remediation for aide_use_fips_hashes (#5972)

Tests:

  • Remove Fedora platform from test scenarios working with FIPS:OSPP crypto policy (#6023)
  • Introduce quick tests (#6013)
  • Remove SCAP-1.3 SCAPVAL workarounds (#6005)
  • Add tests to audit_rules_kernel_module_loading_finit (#5999)
  • Add tests to audit_rules_usergroup_modification template (#5996)
  • Use helper functions to install dconf and gdm. (#5970)
  • Enabled support for podman2 in the SSG test suite. (#5924)
  • Print different command to get IP address when using fish shell. (#5907)