Content 0.1.56

@vojtapolasek released this 26 May 12:31

Highlights:

  • Align ism_o profile with latest ISM SSP (#6878)
  • Align RHEL 7 STIG profile with DISA STIG V3R3
  • Creating new RHEL 7 STIG GUI profile (#6863)
  • Creating new RHEL 8 STIG GUI profile (#6862)
  • Add the RHEL9 product (#6801)
  • Initial support for SUSE SLE-15 (#6666)
  • add support for osbuild blueprint remediations (#6970)

Profiles changed in this release:

  • sle12: stig
  • sle15: cis, stig
  • rhel7: stig_gui, stig
  • rhel8: stig_gui, stig, ism_o
  • rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
  • ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
  • ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
  • rhv4: pci-dss
  • ocp4: cis-node, cis
  • rhel9: pci-dss

Profiles:

  • Add updated manual DISA STIG XML reference files (#6903)
  • rhcos4/e8: Use individual kernel module load audit rules (#6797)
  • rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
  • bump rhel7 stig version to v3r3 (#6951)
  • remove no longer relevant rules from rhel7 stig (#6865)
  • Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
  • Update OL e8 profiles (#6840)
  • Remove rules related to gnome/dconf (#6884)
  • OL cjis profiles (#6851)
  • Add PCI-DSS profile to RHV4 (#6867)
  • OL hipaa profiles (#6819)
  • Update OL cui profiles (#6818)
  • remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
  • RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
  • rhcos4: Remove sssd configuration check from moderate profile (#6774)
  • RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
  • RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
  • RHCOS: Temporarily remove UEFI password rule (#6757)
  • Add new rules to sle12/profiles/stig.profile (#6665)
  • Remove package_gssproxy_removed from STIG GUI profile (#6967)
  • Updating RHEL8 STIG profile for readability changes (#6856)
  • Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
  • Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)

Rules:

  • Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
  • Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
  • Fix grub2's /boot location for Debian, Ubuntu (#6986)
  • Add rules to remove setroubleshoot server and plugin packages (#6969)
  • SLES-15-010362 (#6968)
  • Fix groupowner/permissions for ubuntu2004 (#6979)
  • SLES-15-10352 rule (#6822)
  • Enable RHEL9 for kernel-related rules (#6966)
  • Enable SELinux rules for RHEL9 (#6959)
  • Move rule grub2_enable_iommu_force to use template (#6956)
  • Clarify what fixes for AIDE acl and xattrs do (#6960)
  • Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
  • Adding new rule for RHEL-08-010294 (#6932)
  • Add OCIL to sshd_limit_user_access (#6836)
  • SLES-15-030390 add rule, remediation and test (#6802)
  • Add Rule for SLES-15-040382 (#6811)
  • RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
  • RHCOS4: Add recommended chrony config (#6786)
  • Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
  • Prevent global references to use product-qualifiers (#6896)
  • OCP: Fix description of kubelet TLS cipher suites (#6900)
  • Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
  • Update VSEL references to remove qualifier from global references (#6948)
  • SLES-15-010250 add rule, remediation and tests (#6879)
  • add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
  • Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
  • Add Rule,Remediation and Test for SLES-15-030760 (#6869)
  • Revert STIG id for require_emergency_target_auth (#6928)
  • Remove bogus nist: FOO-1(a) references (#6917)
  • remove product specific disa and srg references (#6895)
  • ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
  • Fix usbguard match-all syntax for HID rule (#6909)
  • RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
  • Notate that Ubuntu is a FIPS-certified OS (#6912)
  • OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
  • update require_emergency_target_auth (#6894)
  • add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
  • Add Rule,Test for SLES-15-020103 (#6881)
  • Prevent unqualified CIS and STIGID references (#6871)
  • SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
  • Add rules related to permissions of /var/log and /var/log/messages (#6861)
  • SLES-15-010220 updates for firewalld (#6831)
  • Add OL anssi profiles (#6817)
  • update accounts_tmout (#6839)
  • SLES-15-030730 'Record Unsuccessful Delete Attempts to Files - renameat2' (#6826)
  • add rule for disabling of GUI (#6860)
  • Add rules for SLES-12-010060 (#6806)
  • CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
  • fix service_sshd_enabled for SLE-15 (#6830)
  • RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
  • Add HIPAA rules references (#6854)
  • RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
  • Add CCI reference to package_gssproxy_removed (#6846)
  • Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
  • SLES-15-010353 map rule file_ownership_library_dirs (#6820)
  • Add CCEs for RHEL9 rsyslog rules (#6832)
  • SLES-15-010030 rule (#6821)
  • SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
  • Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
  • OCP4: Add applicability warnings (#6823)
  • service_nfs_disabled - change name of nfs service to nfs-server (#6777)
  • Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
  • OCP4: Address flowschema version change by handling different OCP versions (#6813)
  • Abort the build if an OVAL is not included due to extend_definition (#6402)
  • Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
  • service_rsyncd_disabled - update package name to rsync-daemon (#6783)
  • Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
  • RHCOS4: Fix require_singleuser_auth rule (#6780)
  • ocp4: Add relevant description for protectKernelDefaults rule (#6705)
  • CIS 5.2, 5.4, and 5.6 updates (#6704)
  • Add documentation links for OL7 and OL8 (#6756)
  • Update OL OSPP profiles (#6745)
  • Change dhcp server package name to dhcp-server in rhel8 (#6762)
  • SLES-15-020101 add rule and tests, no remediation (#6734)
  • Add ansible and bash remediation for wireless_disable_interfaces (#6685)
  • ocp4: Switch to using the platforms construct (#6759)
  • Add rule for RHCOS to check for interactive boot being disabled (#6747)
  • Fix oracle documentation links (#6740)
  • implement support for multiple platforms connected with disjunction (#6661)
  • rhcos4: Add check for nousb kernel argument (#6743)
  • Add tests for no files unowned by user/group rules (#6738)
  • Add rule for checking selinux is not disabled in coreos (#6737)
  • ocp4/etcd: Fix rule checks for 4.8 (#6732)
  • Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
  • CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
  • CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
  • Updating macros to support idempotency when deduplicating values (#6953)
  • Fix Rule CPE Name inheritance (#6943)
  • Reorganize env and product yaml (#6754)
  • RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
  • rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
  • RHCOS4: Add recommended auditd.conf remediation (#6782)
  • Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
  • Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
  • rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
  • RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
  • mount_option ansible remediation - remediate when mount point is not in mounted (#6713)

Tests:

  • install_vm.py: add possibility to install GUI system (#7004)
  • Improve the test suite wrapper (#6944)
  • Remove code from OCP4 e2e tests (#6961)
  • Add test scenarios for service enable/disable rules from CIS profile (#6785)
  • Missing references test (#6849)
  • Fix RHEL8 STIG with GUI stable profile data (#6874)
  • increase /usr partition size in testing kickstart (#6808)
  • Add Ubuntu as a known platform for ssg_test_suite (#6794)
  • Add package_* test scenarios (#6752)
  • Add tests for rule accounts_password_pam_minlen (#6751)
  • Add tests for rule accounts_no_uid_except_zero (#6750)
  • Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
  • Update tests of accounts_tmout to work when overriding profiles (#6765)
  • Update tests of account_disable_post_pw_expiration (#6753)
  • Add tests for rule account_unique_name (#6749)
  • accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
  • Switch to generic python shebang (#6744)
  • Add tests for rule no_netrc_files (#6741)
  • Add tests for rule accounts_minimum_age_login_defs (#6735)
  • Updated test scenarios to work on containers (#6701)
  • Add tests for rule accounts_password_warn_age_login_defs (#6736)
  • Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
  • ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
  • Add test scenarios for rsyslog rules (#6712)
  • set_firewalld_default test scenarios (#6721)
  • sysctl_net_* test scenarios (#6696)
  • rpm_verify_ownership test scenarios (#6703)
  • postfix_network_listening_disabled tests (#6708)
  • Ignore trailing whitespaces in the unique references test (#6702)
  • Make test suite tests more accessible (#6675)
  • mount_option_* test scenarios (#6677)
  • file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#6687)
  • kernel_module_* test scenarios (#6684)
  • Added test scenarios for partition rules (#6676)