
Content 0.1.53

vojtapolasek released this 13 Nov 16:58

Highlights:

  • Remove OCP3 content (#6296)
  • Remove SLE11 (#6164)
  • Remove Ubuntu 14.04 (#6154)
  • Remove Debian8 (#6137)
  • Remove JBoss EAP6 (#6119)
  • Introduce machine and package platform conditionals to Bash remediations (#6061)
  • Introduce package conditionals to Ansible remediations (#6025)
  • OCP4: Enhance e2e tests to check individual rules (#6315)

Profiles changed in this release:

  • example: example
  • fedora: standard, pci-dss
  • ol7: pci-dss
  • ol8: cjis, pci-dss
  • rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
  • rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
  • jre: stig
  • ocp4: cis-node, cis, e8, moderate, ncp
  • rhcos4: e8, moderate, ncp
  • rhv4: rhvh-vpp, rhvh-stig
  • sle15: cis

Profiles:

  • Remove unused RHEL7 profiles (#6326)
  • Specify the applicable OpenShift version for the CIS profiles (#6288)
  • Update e8 references (#6306)
  • Add commented section for OCP4 CIS etcd node checks (#6238)
  • CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
  • Add ocp4-node product (#6124)
  • remove rngd related rules from rhcos profiles (#6159)
  • Add policy tracking metadata (#6004)
  • Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
  • Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
  • remove package_screen_installed from rhel7 stig (#6072)
  • OCP4 CIS profile placeholder and comments (#6121)
  • Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
  • Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
  • remove deprecated sshd config from e8 profile (#6120)
  • remove package_tuned_removed from rhel8 ospp (#6191)
  • remove rngd related rules from rhel8 ospp and stig (#6157)
  • remove package_iptables_installed from rhel8 ospp and stig (#6155)

Rules:

  • Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
  • Added JRE update and clean prev version controls (#6324)
  • fix conflicts of audit rules for privileged commands (#6279)
  • Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
  • Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
  • Add machine platform for rule kernel_trust_cpu_rng (#6300)
  • CIS 1.3.6 (#6225)
  • Update jre content with more controls and minor fixes (#6295)
  • Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
  • ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
  • Add OCP4 1.3.5 benchmark (#6198)
  • ocp4: fix basic-auth check (#6158)
  • CIS OCP4 benchmark: 1.3.3 (#6194)
  • Fix rule api_server_token_auth for ocp4 (#6193)
  • OCP4 - CIS 1.1.5 Add check (#6274)
  • ocp4: Add check for CIS 1.2.20 (#6239)
  • Cis 5.2.9 (#6250)
  • ocp4: Add check for CIS 1.2.18 (#6232)
  • ocp4: Add check for 1.2.17 (#6231)
  • add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
  • Updated rule api_server_service_account_public_key for OCP 4 (#6221)
  • Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
  • ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
  • ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
  • CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
  • Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
  • Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
  • OCP4 - CIS 1.1.3 Add check (#6272)
  • OCP4 - CIS 1.1.1 Add check (#6271)
  • Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
  • Adding rules for OCP4 CIS 1.2.5 (#6268)
  • Api server etcd (#6266)
  • Add rule for OCP4 CIS 1.3.2 (#6262)
  • Cis 5.2.7 (#6245)
  • Java JRE 8 draft update (#6282)
  • fix srgs for new rhel8 stig rules (#6280)
  • 1.2.32 add etcd-cafile check for ocp4 (#6253)
  • 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
  • add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
  • Pull request for etcd-encrypt (#6259)
  • OCP4 CIS 5.2.3 (#6244)
  • Update api_server_audit_log_path to use different apiserver conf file (#6240)
  • OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
  • OCP4 CIS 5.2.4 (#6242)
  • Add OCP4 1.3.7 Benchmark (#6220)
  • ocp4: Add check for CIS 1.2.19 (#6236)
  • Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
  • Api server kubelet https (#6215)
  • Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
  • Add rule for CIS 4.1.9 (#6210)
  • Cis node 4.1.8 (#6196)
  • OCP CIS 1.2.7 (#6209)
  • Fix rules so there are no "missing extend_definition" warnings during the build (#6186)
  • Fix duplicate assignment of CCE-83396-2 (#6224)
  • Completed an existing ocp4 CIS 1.3.4 rule (#6202)
  • Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
  • add service_kdump_disabled to rhel8 ospp (#6190)
  • Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
  • fix typos in "references" section of RHEL7 rules (#6188)
  • Add some more example content for ocp4 cis profile (#6182)
  • Add ISM references (#6143)
  • Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
  • add mandatory packages to rhel8 ospp (#6181)
  • Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
  • add rsyslog rules to rhel8 ospp (#6167)
  • Remove platform net-snmp from the group and use it in individual rules (#6166)
  • Fix severity of RHEL 7 STIG rules (#6110)
  • fix rules about sshd idle timeout (#6030)
  • Update ANSSI refs (#6052)
  • Move grub2_vsyscall_argument to grub2 group (#6129)
  • Update rule install hips (#6039)
  • Remove zIPL rule for PTI bootloader option (#6065)
  • use xccdf variable in audit_audispd_network_failure_action (#6071)
  • Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
  • Drop "esc" package from install_smartcard_packages rule (#6083)
  • Update snmpd_no_default_password (#6050)
  • Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
  • Fix missing CCE in rules selected by RHEL6 profiles (#6103)
  • add ocil to rsyslog_nolisten (#6074)
  • Remove extra ocil statement from service_cockpit_disabled (#6092)
  • Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
  • Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
  • Update text of rule account_disable_post_pw_expiration (#6084)
  • update srg for smartcard_configure_cert_checking (#6073)
  • update accounts_logon_fail_delay (#6040)
  • update rule disable_ctrlaltdel_reboot (#6043)
  • Remove SRGs from accounts_password_pam_retry (#6045)
  • Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
  • Update tftpd_uses_secure_mode (#6051)
  • Fix SRG mapping of audit rules (#6068)
  • Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
  • Minor ansible changes that fix failing rules after remediations (#6034)
  • Fix typo in SLES12 STIG ID reference (#6036)
  • Introduce ability to set check_existence to yaml template (#6177)
  • Introduced macros for working with XCCDF values into the wide content (#6048)
  • Anaconda moved to pykickstart (#6255)
  • Create custom OVAL check for uefi_no_removeable_media (#6276)
  • Parametrize rule for login.defs hashing algorithm (#6290)
  • As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
  • Fix regex in aide rules to consider first letter as uppercase (#6152)
  • Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
  • Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
  • Use resolved profiles in rule playbooks (#6080)
  • Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
  • Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
  • Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
  • update accounts_maximum_age_login_defs (#6027)
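Two of the rule changes above (sshd_set_keepalive now being selected wherever sshd_set_idle_timeout is, and the fix to the idle-timeout rules) hinge on the same detail of sshd: an idle connection is dropped only after ClientAliveInterval multiplied by ClientAliveCountMax seconds, and sshd keeps the first value it reads for a keyword, so a later duplicate line does not override an earlier one. The script below is an added illustration written for this page, not code from the ComplianceAsCode project or its generated checks. It computes the effective timeout from an sshd_config text, treats Match blocks as out of scope (their settings apply only to matching connections) and ignores Include. The sample configurations and the 600-second threshold are constructed for the example; the benchmark value itself is a parameter of the real rules.

```python
"""Effective SSH idle timeout from sshd_config (added example, not project code).

sshd_config(5) semantics assumed here:
  * ClientAliveInterval defaults to 0, which disables the liveness mechanism.
  * ClientAliveCountMax defaults to 3; current OpenSSH (8.2 and later) treats
    0 as "never terminate the connection".
  * The first obtained value for a keyword wins; keywords are case-insensitive.
"""
import re

DEFAULT_INTERVAL = 0
DEFAULT_COUNT_MAX = 3

# keyword, then either whitespace or '=' as separator, then the first argument
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*[=\s]\s*(\S+)")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section only.

    Lines inside a Match block are skipped; comment and blank lines ignored.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first obtained value wins
    return settings


def effective_idle_timeout(text):
    """Seconds after which sshd drops an unresponsive idle client; 0 = never."""
    s = parse_sshd_config(text)
    interval = int(s.get("clientaliveinterval", DEFAULT_INTERVAL))
    count_max = int(s.get("clientalivecountmax", DEFAULT_COUNT_MAX))
    return interval * count_max


def check_idle_timeout(text, max_seconds):
    """Return (passes, reason): both keywords have to cooperate for a pass."""
    s = parse_sshd_config(text)
    interval = int(s.get("clientaliveinterval", DEFAULT_INTERVAL))
    count_max = int(s.get("clientalivecountmax", DEFAULT_COUNT_MAX))
    if interval == 0:
        return False, "ClientAliveInterval is 0: idle sessions are never dropped"
    if count_max == 0:
        return False, "ClientAliveCountMax is 0: liveness probes sent but never enforced"
    total = interval * count_max
    if total > max_seconds:
        return False, f"effective timeout {total}s exceeds {max_seconds}s"
    return True, f"effective timeout {total}s"


# Constructed sample: only the interval is set, so the default count of 3
# triples the timeout the administrator thought they configured.
SAMPLE_INTERVAL_ONLY = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
ClientAliveInterval 300
Match User backup
    ClientAliveInterval 0
"""

# Constructed sample: both keywords set; the later duplicate is ignored.
SAMPLE_HARDENED = """\
ClientAliveInterval 300
ClientAliveCountMax 1
# sshd keeps the first value it read, so this line has no effect
ClientAliveInterval 900
"""

if __name__ == "__main__":
    for name, cfg in (("interval only", SAMPLE_INTERVAL_ONLY),
                      ("hardened", SAMPLE_HARDENED),
                      ("defaults", "")):
        print(name, effective_idle_timeout(cfg), check_idle_timeout(cfg, 600))
```

Setting ClientAliveInterval to the benchmark value on its own still fails the check in the first sample, because the default ClientAliveCountMax of 3 turns a 300-second interval into a 900-second timeout; that is the situation the combined profile selection prevents.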

Tests:

  • Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
  • OCP4: Add manual remediation capabilities to e2e tests (#6318)
  • OCP4: Enhance e2e tests to check individual rules (#6315)
  • Remove the option to enable/disable "mask" a service (#6298)
  • Update ocp4 e2e test dependencies (#6128)
  • Force shutdown of VM if it cannot be shutdown gracefully (#6098)
  • e2e/ocp4: Display more verbose logs for e2e tests (#6192)
  • ocp4: Don't fail on transient error (#6161)
  • ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
  • ocp4: Use ScanSettingBindings for e2e tests (#6297)
  • allow install_vm.py to create UEFI based machines (#6285)
  • Make sure aide_build_database scenarios do not fail when database doesn't exist (#6183)
  • SSGTS various test scenarios metadata updates (#6136)
  • Implemented packages metadata to the test suite (#6126)
  • SSGTS combined mode: use all profile where applicable (#6146)
  • SSGTS various test scenarios metadata updates (part 2) (#6145)
  • SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
  • Removed profile from test metadata where not needed (#6114)
  • Add a test for missing CCEs (#6097)
  • Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
  • OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
  • OCP4: Verify CIS 1.3 section (#6302)
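Many of the OCP4 CIS rules listed under Rules (the api_server_* argument checks, the admission-plugin rules, etcd file checks) are built on the yamlfile_value template, which this release extends with a check_existence setting (#6151 above) and adapts to the yamlfilecontent_* check (#6172). The evaluator below is an added example written for this page, not the project's template or the OVAL it generates: it models a rule as a path into a YAML/JSON document, an optional value pattern, an OVAL-style check_existence mode applied to how many items the path collected, and an OVAL-style check mode applied to how many of those items match the pattern. The dot-separated path syntax with `[*]` for every list element, the `evaluate` function and the sample API server config are assumptions of this example.

```python
"""Path/value check with OVAL-style existence semantics (added example).

Not the ComplianceAsCode yamlfile_value template; a small model of it.
Assumed path syntax: dot-separated mapping keys, "[*]" expands a list.
"""
import json
import re


def collect(doc, path):
    """Return every value addressed by `path` in `doc` (possibly none)."""
    values = [doc]
    for step in path.split("."):
        nxt = []
        for cur in values:
            if step == "[*]":
                if isinstance(cur, list):
                    nxt.extend(cur)
            elif isinstance(cur, dict) and step in cur:
                nxt.append(cur[step])
        values = nxt
    return values


def evaluate(doc, path, pattern=None, check_existence="at_least_one_exists",
             check="all"):
    """True if the collected items satisfy check_existence and, when a
    pattern is given, the number of items fully matching it satisfies check.

    check_existence follows OVAL: at_least_one_exists (default), only_one_exists,
    none_exist, any_exist.  check follows OVAL: all, at least one, none satisfy,
    only one.  A missing path with the default mode fails closed.
    """
    items = [str(v) for v in collect(doc, path)]
    n = len(items)
    existence_ok = {
        "at_least_one_exists": n >= 1,
        "only_one_exists": n == 1,
        "none_exist": n == 0,
        "any_exist": True,
    }[check_existence]
    if not existence_ok:
        return False
    if pattern is None or n == 0:
        return True
    hits = sum(1 for v in items if re.fullmatch(pattern, v))
    return {
        "all": hits == n,
        "at least one": hits >= 1,
        "none satisfy": hits == 0,
        "only one": hits == 1,
    }[check]


# Constructed sample shaped like a kube-apiserver config document; the values
# are illustrative, not taken from any real cluster.
SAMPLE_APISERVER_CONFIG = json.loads("""
{
  "apiServerArguments": {
    "audit-log-path": ["/var/log/kube-apiserver/audit.log"],
    "enable-admission-plugins": ["NamespaceLifecycle", "ServiceAccount"],
    "kubelet-https": ["true"]
  }
}
""")

# Constructed rule set: (description, path, pattern, check_existence, check)
SAMPLE_RULES = [
    ("audit log path is set",
     "apiServerArguments.audit-log-path.[*]", None, "at_least_one_exists", "all"),
    ("AlwaysAdmit is not enabled",
     "apiServerArguments.enable-admission-plugins.[*]", "AlwaysAdmit",
     "at_least_one_exists", "none satisfy"),
    ("ServiceAccount plugin is enabled",
     "apiServerArguments.enable-admission-plugins.[*]", "ServiceAccount",
     "at_least_one_exists", "at least one"),
    ("kubelet-https is true",
     "apiServerArguments.kubelet-https.[*]", "true", "at_least_one_exists", "all"),
    ("anonymous-auth is explicitly false",
     "apiServerArguments.anonymous-auth.[*]", "false", "at_least_one_exists", "all"),
    ("insecure-port is absent",
     "apiServerArguments.insecure-port", None, "none_exist", "all"),
]


def run_rules(doc, rules):
    """Return {description: result} for every rule against `doc`."""
    return {desc: evaluate(doc, path, pat, exist, chk)
            for desc, path, pat, exist, chk in rules}


if __name__ == "__main__":
    for desc, ok in run_rules(SAMPLE_APISERVER_CONFIG, SAMPLE_RULES).items():
        print("PASS" if ok else "FAIL", desc)
```

The fifth rule fails on the sample because the argument is simply absent: with the default existence mode an unset argument is a failure, which is the safe reading for a setting whose compiled-in default may be the insecure one. The last rule shows the opposite use, where none_exist turns the absence of a flag into the pass condition.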