Releases
v0.1.56
Highlights:
Align ism_o profile with latest ISM SSP (#6878 )
Align RHEL 7 STIG profile with DISA STIG V3R3
Creating new RHEL 7 STIG GUI profile (#6863 )
Creating new RHEL 8 STIG GUI profile (#6862 )
Add the RHEL9 product (#6801 )
Initial support for SUSE SLE-15 (#6666 )
add support for osbuild blueprint remediations (#6970 )
Profiles changed in this release:
sle12: stig
sle15: cis, stig
rhel7: stig_gui, stig
rhel8: stig_gui, stig, ism_o
rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
rhv4: pci-dss
ocp4: cis-node, cis
rhel9: pci-dss
Profiles:
Add updated manual DISA STIG XML reference files (#6903 )
rhcos4/e8: Use individual kernel module load audit rules (#6797 )
rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789 )
bump rhel7 stig version to v3r3 (#6951 )
remove no longer relevant rules from rhel7 stig (#6865 )
Aligning and updating RHEL 8 STIG w/ V1R2 (#6927 )
Update OL e8 profiles (#6840 )
Remove rules related to gnome/dconf (#6884 )
Ol cjis profiles (#6851 )
Add PCI-DSS profile to RHV4 (#6867 )
OL hipaa profiles (#6819 )
Update OL cui profiles (#6818 )
remove service_nfs_disabled sle15/profiles/cis.profile (#6803 )
RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784 )
rhcos4: Remove sssd configuration check from moderate profile (#6774 )
RHCOS4: Remove rules that use rpmverifypackage_test (#6776 )
RHCOS4: Remove instances of audit_rules_privileged_commands (#6769 )
RHCOS: Temporarily remove UEFI password rule (#6757 )
Add new rules to sle12/profiles/stig.profile (#6665 )
Remove package_gssproxy_removed from STIG GUI profile (#6967 )
Updating RHEL8 STIG profile for readability changes (#6856 )
Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858 )
Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829 )
Rules:
Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993 )
Remove audit_privileged_commands from RHEL7 STIG profile (#7008 )
Fix grub2's /boot location for Debian, Ubuntu (#6986 )
Add rules to remove setroubleshoot server and plugin packages (#6969 )
SLES-15-010362 (#6968 )
Fix groupowner/permissions for ubuntu2004 (#6979 )
SLES-15-10352 rule (#6822 )
Enable RHEL9 for kernel-related rules (#6966 )
Enable SELinux rules for RHEL9 (#6959 )
Move rule grub2_enable_iommu_force to use template (#6956 )
Clarify what fixes for AiDE acl and xattrs do (#6960 )
Merge duplicate disa (CCI) reference in package_audit_installed (#6964 )
Adding new rule for RHEL-08-010294 (#6932 )
Add OCIL to sshd_limit_user_access (#6836 )
SLES-15-030390 add rule, remediation and test (#6802 )
Add Rule for SLES-15-040382 (#6811 )
RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796 )
RHCOS4: Add recommended chrony config (#6786 )
Address NIST SP 800-32 control CM-8(3) with usbguard (#6949 )
Prevent global references to use product-qualifiers (#6896 )
OCP: Fix description of kubelet TLS cipher suites (#6900 )
Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890 )
Update VSEL references to remove qualifier from global references (#6948 )
SLES-15-010250 add rule, remediation and tests (#6879 )
add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866 )
Add Rule for SLES-15-010140 & SLES-12-010100 (#6868 )
Add Rule,Remediation and Test for SLES-15-030760 (#6869 )
Revert STIG id for require_emergency_target_auth (#6928 )
Remove bogus nist: FOO-1(a) references (#6917 )
remove product specific disa and srg references (#6895 )
ocp4: Enhance group ownership checks openvswitch processes pid files (#6914 )
Fix usbguard match-all syntax for HID rule (#6909 )
RHEL8 - ensuring stigid's and references are set where appropriate (#6864 )
Notate that Ubuntu is a FIPS-certified OS (#6912 )
OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904 )
update require_emergency_target_auth (#6894 )
add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897 )
Add Rule,Test for SLES-15-020103 (#6881 )
Prevent unqualified CIS and STIGID references (#6871 )
SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877 )
Add rules related to permissions of /var/log and /var/log/messages (#6861 )
SLES-15-010220 updates for firewalld (#6831 )
Add OL anssi profiles (#6817 )
update accounts_tmout (#6839 )
SLES-15-030730 'Record Unsuccessful Delete Attempts to Files - renameat2' (#6826 )
add rule for disabling of GUI (#6860 )
Add rules for SLES-12-010060 (#6806 )
CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835 )
fix service_sshd_enabled for SLE-15 (#6830 )
RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827 )
Add HIPAA rules references (#6854 )
RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838 )
Add CCI reference to package_gssproxy_removed (#6846 )
Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845 )
SLES-15-010353 map rule file_ownership_library_dirs (#6820 )
Add CCEs for RHEL9 rsyslog rules (#6832 )
SLES-15-010030 rule (#6821 )
SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767 )
Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824 )
OCP4: Add applicability warnings (#6823 )
service_nfs_disabled - change name of nfs service to nfs-server (#6777 )
Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770 )
OCP4: Address flowschema version change by handling different OCP versions (#6813 )
Abort the build if an OVAL is not included due to extend_definition (#6402 )
Add more SLE-15 stigs and CCE IDs to existing rules (#6778 )
service_rsyncd_disabled - update package name to rsync-daemon (#6783 )
Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725 )
RHCOS4: Fix require_singleuser_auth rule (#6780 )
ocp4: Add relevant description for protectKernelDefaults rule (#6705 )
CIS 5.2, 5.4, and 5.6 updates (#6704 )
Add documentation links for OL7 and OL8 (#6756 )
Update OL OSPP profiles (#6745 )
Change dhcp server package name to dhcp-server in rhel8 (#6762 )
SLES-15-020101 add rule and tests, no remediation (#6734 )
Add ansible and bash remediation for wireless_disable_interfaces (#6685 )
ocp4: Switch to using the platforms construct (#6759 )
Add rule for RHCOS to check for interactive boot being disabled (#6747 )
Fix oracle documentation links (#6740 )
implement support for multiple platforms connected with disjunction (#6661 )
rhcos4: Add check for nousb kernel argument (#6743 )
Add tests for no files unowned by user/group rules (#6738 )
Add rule for checking selinux is not disabled in coreos (#6737 )
ocp4/etcd: Fix rule checks for 4.8 (#6732 )
Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718 )
CIS 1.2.12: Add check and test for AlwaysPullImages (#6714 )
CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715 )
Updating macros to support idempotency when deduplicating values (#6953 )
Fix Rule CPE Name inheritance (#6943 )
Reorganize env and product yaml (#6754 )
RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787 )
rhcos4: Add recommended configuration and e2e test for logrotate (#6788 )
RHCOS4: Add recommended auditd.conf remediation (#6782 )
Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453 )
Unmask service in service enable remediation, add test scenarios for service enable rules (#6761 )
rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773 )
RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771 )
mount_option ansible remediation - remediate when mount point is not in mounted (#6713 )
Tests:
install_vm.py: add possibility to install GUI system (#7004 )
Improve the test suite wrapper (#6944 )
Remove code from OCP4 e2e tests (#6961 )
Add test scenarios for service enable/disable rules from CIS profile (#6785 )
Missing references test (#6849 )
Fix RHEL8 STIG with GUI stable profile data (#6874 )
increase /usr partition size in testing kickstart (#6808 )
Add Ubuntu as a known platform for ssg_test_suite (#6794 )
Add package_* test scenarios (#6752 )
Add tests for rule accounts_password_pam_minlen (#6751 )
Add tests for rule accounts_no_uid_except_zero (#6750 )
Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775 )
Update tests of accounts_tmout to work when overriding profiles (#6765 )
Update tests of account_disable_post_pw_expiration (#6753 )
Add tests for rule account_unique_name (#6749 )
accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728 )
Switch to generic python shebang (#6744 )
Add tests for rule no_netrc_files (#6741 )
Add tests for rule accounts_minimum_age_login_defs (#6735 )
Updated test scenarios to work on containers (#6701 )
Add tests for rule accounts_password_warn_age_login_defs (#6736 )
Add tests for rule set_password_hashing_algorithm_systemauth (#6733 )
ocp4/moderate: Add e2e tests for rules that pass by default (#6731 )
Add test scenarios for rsyslog rules (#6712 )
set_firewalld_default test scenarios (#6721 )
sysctl_net_* test scenarios (#6696 )
rpm_verify_ownership test scenarios (#6703 )
postfix_network_listening_disabled tests (#6708 )
Ignore trailing whitespaces in the unique references test (#6702 )
Make test suite tests more accessible (#6675 )
mount_option_* test scenarios (#6677 )
file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#6687 )
kernel_module_* test scenarios (#6684 )
Added test scenarios for partition rules (#6676 )