@vojtapolasek vojtapolasek released this Jul 17, 2020

Highlights:

  • Add SSG content for McAfee VSEL (#5864)
  • Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
  • Add RHCOS4 product (#5775)
  • Add ubuntu cis profile (#5750)

Profiles changed in this release:

  • rhel8: ospp, cis, ism_o, stig
  • ocp4: cis, moderate, platform-moderate, coreos-ncp, opencis-node, ncp, e8
  • vsel: stig
  • rhcos4: coreos-ncp, ncp, moderate, e8
  • firefox: stig
  • rhel7: cis, stig
  • sle15: cis
  • ubuntu1804: cis

Profiles:

  • Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
  • Attribute credit for CIS content (#5779)
  • Update CoreOS profile to short name (#5834)
  • rhcos4: Remove checks for nmcli permissions (#5826)
  • Sle15 cis (#5807)
  • Add ubuntu cis profile (#5750)

Rules:

  • Add stigid reference to rpm_verify_ownership according to STIG RHEL7 v2r7 (#5919)
  • Fix file regex in OCP3 content (#5920)
  • Fix of issues seen with OpenShift 3.11 (#5860)
  • Add zipl and grub2 CPEs (#5905)
  • Add ocp rules to cis profile (#5872)
  • Update RHEL7 documentation link for grub2_uefi_admin_username. (#5890)
  • fix filename in configure_openssl_crypto_policy (#5885)
  • Add SSG content for McAfee VSEL (#5864)
  • Add 'bls_audit_option' rule (#5793)
  • Add OCP XCCDF CIS policy rules (#5833)
  • Updating Firefox content (#5858)
  • OCP4 allowed registries (#5839)
  • Template for yamlfilecontent checks (#5758)
  • Remove grub documentation links from RHEL7 rationale (#5851)
  • More CIS OCP checks (#5837)
  • Update OCP permissions add master, worker, and general content changes (#5838)
  • Add OCP4 CIS API server XCCDF content (#5843)
  • Add support for blacklisting directories when doing system-wide file scans (#5804)
  • Finish RHCOS product migration (#5835)
  • Add missing CCEs for CIS RHEL8 (#5781)
  • Update unowned user rule warning (#5806)
  • Add dev_shm rules to rhel7 stig profile (#5830)
  • add rule ssh_client_rekey_limit (#5788)
  • pkgname@debian auditd (#5809)
  • Add RHCOS4 product (#5775)
  • Add rules to configure zIPL (#5784)
  • Made the rule sshd_rekey_limit parametrized (#5772)
  • Introduced a rule that uses non-standard yaml checks (#5326)
  • Cis partitions rules (#5749)
  • Add Ansible for ensure_logrotate_activated (#5753)
  • Change oval check to verify if we're in OCP4 (#5824)
  • Use templates to generate Machineconfigs (#5814)
  • Simplify check for no_shelllogin_for_systemaccounts (#5810)
  • change sshd rekey limit to 1G 1 hour in rhel8 ospp (#5782)
  • Create macro for selinux ansible/bash remediation. (#5785)
  • Fix ansible/bash remediation for rule grub2_enable_selinux. (#5787)
  • fix rhel8 hipaa ansible playbook (#5777)
  • Add Ansible for audit_rules_system_shutdown (#5761)
  • Add Bash and Ansible remediations for sshd_set_max_sessions (#5757)

Tests:

  • test_parse_affected.py: Handle empty rendered content (#5840)
  • Add test scenario for sshd_rekey_limit to cover OSPP profile (#5827)
  • add simple tests for sshd_do_not_permit_user_env (#5829)
  • Remove result files when test scenarios pass (#5812)
  • ocp4: Test amount of check results for scans (#5803)
  • ocp4: Check for diminishing failures in e2e test (#5794)
  • ocp4: Create complianceSuites in debug mode (#5798)
  • OCP4: Add remediation equality unit tests (#5743)

@vojtapolasek vojtapolasek released this May 15, 2020

Highlights:

  • Add initial macOS content (#5334)
  • Feature suse 15 (#5305)
  • Add RHEL 7 and RHEL8 CIS profiles
  • Add SLE15 CIS Profile
  • RHV4 product is now el8 based (#5352)

Profiles changed in this release:

  • ocp4: moderate, coreos-ncp, e8
  • rhel7: cis, rhelh-stig, C2S, stig
  • rhv4: rhvh-vpp, rhvh-stig
  • rhel8: cis, stig
  • sle15: cis, standard
  • ol7: stig
  • macos1015: moderate

Profiles:

  • ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
  • Added warning about profile not working with GUI systems. (#5734)
  • OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
  • ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
  • ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
  • ocp4: enable sysctl security settings in moderate profile (#5591)
  • ocp4: Enable sysctl file system settings in moderate profile (#5592)
  • change rules for disabling ipv6 in CIS profile (#5574)
  • macOS build fixes (#5347)
  • ocp4: Remove the rule that disables user namespaces (#5268)
  • fix rule sshd use approved macs (#5300)
  • Feature suse 15 (#5305)
  • Add Initial RHEL 7 CIS profile (#5306)
  • Clear up coreos profile titles and descriptions (#5280)

Rules:

  • Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
  • Update sshd crypto policy for CC (#5742)
  • Create machine configuration for the rule no tmux in shells (#5641)
  • Fix several audit-related ignition remediations (#5651)
  • Ubuntu1804/cis kernel module rules (#5722)
  • update prodtype for sysctl_net_ipv4_ip_forward (#5679)
  • Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
  • ocp4: Add missing AC-1 checks to moderate profile (#5718)
  • Add missing CCE for sshd_set_max_sessions rule (#5710)
  • Fix audit_basic_configuration ignition remediation (#5642)
  • Reference should not point to OS version. (#5660)
  • Warn about only local user backends being considered (#5657)
  • remove remediations for configure_etc_hosts_deny (#5652)
  • New Ignition files for audit and SSHD (#5640)
  • Fix template mount_option_removable_partitions (#5278)
  • Added more SLES Support (#5613)
  • Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
  • Update ol7 stig references and severity values (#5575)
  • Issue 5529 (#5579)
  • add missing cce for sshd_disable_tcp_forwarding (#5614)
  • Update sshd disable x11 forwarding (#5610)
  • Allow tcp forwarding (#5607)
  • update limit-related rules to allow limits.d (#5600)
  • Feature suse15 cis (#5578)
  • Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
  • fix sshd_allow_only_protocol2 (#5582)
  • Feature sle15 cis (#5567)
  • Issue 5524 (#5554)
  • Add e8 profile for ocp4 (#5560)
  • Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
  • Added OL product support to stig rules (#5556)
  • Fix ol8 condition in accounts-physical rules (#5559)
  • Move RHV4 product to be el8 based (#5352)
  • Feature suse 15.1 (#5548)
  • fix rule disabling ipv6 through grub2 (#5547)
  • add rule ntpd_run_as_ntp_user (#5291)
  • Add missing CCEs to rules from RHEL7 CIS profile (#5546)
  • add ntpd_configure_restrictions for rhel7 (#5282)
  • Update rhel7 CIS selections (#5349)
  • add rules for checking legacy "+" entries in passwd related files (#5339)
  • add grub2_disable_ipv6 (#5324)
  • Add initial macOS content (#5334)
  • Add rules to check permissions and owner of important backup account files (#5317)
  • Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
  • Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
  • Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
  • add rule configure_etc_hosts_deny (#5332)
  • Select new rules in RHEL 7CIS Profile (#5331)
  • Add missing CCEs for rules from CIS profile (#5329)
  • add rule package_openldap-clients_removed (#5316)
  • add rule package_libselinux_installed (#5312)
  • Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
  • Banner and cron permissions and owners (#5302)
  • Select rules for audit login events (#5296)
  • Select package_audit_installed (#5292)
  • Update audit data retention selects and variables (#5294)
  • remove ntp mention from rule title (#5309)
  • Feature suse 15 (#5311)
  • add rule service_rsyncd_disabled (#5318)
  • Select rules for system file permissions (#5301)
  • Select rules for SSH and add references (#5297)
  • Parametrized the sshd_use_approved_ciphers rule (#5308)
  • add chronyd_run_as_chrony_user (#5298)
  • Add rules for Chrony on rhel8 (#5273)
  • Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
  • Extracted a grub superuser username rule from the grub2_password rule (#5276)
  • Add XCCDF conflicts and requires (#5281)
  • Initial RHEL 8 CIS profile (#5236)
  • Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
  • fix grub2_bootloader_argument template (#5756)
  • Add Ansible for kernel_module_ipv6_option_disabled (#5737)
  • Ansible remediation and tests for audit_rules_immutable (#5609)
  • add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
  • Add Ansible fixes for audit time rules (#5720)
  • Add audit field to the Ansible syscall macros (#5724)
  • add Ansible remediation and tests for audit_rules_session_events (#5721)
  • Introduce Ansible macros for remediating Audit syscall rules (#5709)
  • fix ansible remediations to avoid creating duplicate entries (#5650)
  • Update Ansible when statement to handle only containers (#5052)
  • add ansible and tests to audit_rules_mac_modification (#5638)
  • Fix missing ignition remediations (#5644)
  • add ansible remediation to audit_rules_kernel_module_loading (#5594)
  • Fix audit_rules_privileged_commands remediation (#5569)
  • Fix rule banner_etc_motd (#5319)
  • Improved handling of grub2 password/admin checks. (#5313)
  • Ansible audit sysadmin actions (#5288)
  • Simplify banner text syntax and add utility to generate banner regular expression (#5050)

Tests:

  • Fix incomplete temporary file (#5747)
  • Add unit test for kubernetes object remediations (#5636)
  • ocp4: Expand unit tests to validate profile selections (#5648)
  • Flush the write buffers after write. (#5748)
  • Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
  • Added possibility of the test suite to expand platforms of the benchmark (#5550)
  • Fix SSGTS when running with python3 and writing binary data to file. (#5711)
  • shared/partition.sh: Increase the size of a test device (#5566)
  • ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
  • Skip generation of remediation when using the special default profile (#5571)
  • Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
  • Fix test scenarios for auditd_data_retention_flush rule (#5624)
  • ocp4/e2e: display remediations for second scan (#5585)
  • ocp4: e2e test continuation (#5354)
  • ssg test suite: wait 30 seconds for reboot to finish (#5572)
  • Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
  • ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
  • add configure_etc_hosts_deny to ignored rules (#5348)
  • ocp4: reset client in e2e tests after installing operator (#5344)
  • ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
  • ocp4: Add go dependencies to test directory (#5338)
  • Extend timeout for VM restarts (#5330)
  • ocp4: Add initial e2e test (#5321)
  • SSGTS: addressed incompatibilities with python2 (#5295)
  • SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)

@vojtapolasek vojtapolasek released this Mar 13, 2020

Highlights:

  • Add OL8 Essential Eight profile (#5211)
  • Add support to Ignition remediation type (#5137)

Profiles changed in this release:

  • ol8: pci-dss, e8, ospp
  • rhel8: pci-dss, stig, ospp
  • ocp4: coreos-ncp, moderate
  • sle12: stig
  • rhel7: stig

Profiles:

  • Add OL8 Essential Eight profile (#5211)
  • Remove ocp4 checks (#5216)
  • Update OL8 PCI-DSS profile (#5191)
  • Add rsyslog TLS configuration to STIG (#5167)
  • Re-add configure_firewalld_rate_limiting to rhel7 stig profile (#5168)
  • remove Rsyslog rules from OSPP for Rhel8 (#5158)
  • ocp4/moderate: Remove check for AIDE package (#5146)
  • PCI-DSS profile should install audispd plugins (#5124)
  • Adjust OL8 OSPP profile (#5210)
  • ocp4/moderate: Enable more kernel module checks (#5136)
  • ocp4: Add controls that cover AC-2 better (#5134)
  • rhel8: modify rule selections for OSPP and STIG to meet baselines (#5181)
  • Enable rules that cover AU-9 better in OCP4 moderate profile (#5138)
  • ocp4/moderate: Add CM-* checks (#5129)
  • Add moderate profile (#5128)
  • Add dconf_db_up_to_date to RHEL8 STIG profile. (#5274)

Rules:

  • Sort prodtypes lexicographically (#5130)
  • Added OL support to ospp profile rules (#5203)
  • Update rpm_verification group rules with OL support (#5204)
  • Add OL support to packages and services rules (#5198)
  • Add OL support to policy audit rules (#5197)
  • Add OL support to configuring_ipv6 rules (#5196)
  • Add OL support to the partitions mount rules (#5195)
  • Add OL support to accounts user_umask rules (#5194)
  • Also remove 389-ds LDAP server (#5186)
  • Add check for read-write SNMP users (#5185)
  • Add RADIUS group and rule to remove server (#5188)
  • Permit setting sshd GSSAPI to yes (#5184)
  • Stig sle12 security patches up to date (#5192)
  • network_host_and_router_parameters group as machine-only (#5190)
  • Remove krb5-server (#5187)
  • Permit enforcement of nosuid on /var (#5183)
  • Add CCE identifier for openssh-server installed (#5189)
  • create checks for (grub2|uefi)_no_removeable_media (#5178)
  • Map missing SRG rules (#5177)
  • Split rule for audit sample rules according to audit component (#5110)
  • Add and fix few entries of SRG mapping (#5170)
  • create new rule for ipv4 tcp rate limiting through sysctl (#5126)
  • Add a rule for the openssl strong entropy wrapper (#5127)
  • Update OVAL templates with oval_affected macro. (#5148)
  • Add CCE identifiers to OCP moderate profile rules (#5149)
  • Add ocp4 prod to grub2_enable_fips_mode (#5140)
  • Add CoreOS CCE for service_auditd_enabled (#5133)
  • Added a few NIST references to audit related rules (#5131)
  • Add a shell lineinfile template (#5109)
  • Check EKU in rsyslog remote configuration (#5119)
  • audit package on ubuntu* is auditd. (#5117)

Tests:

  • fix wrong value in test scenario (#5214)
  • Introduce resolved profiles, and test for profile stability (#5209)
  • Fix newline discrepancies in jinja macros for file content (#5202)
  • fix regex in accounts_passwords_pam_faillock_deny (#5166)
  • Add support to Ignition remediation type (#5137)
  • Update crypto policies ospp scenarios (#5121)
  • Don't check for path length of logs directory (#5122)

@yuumasato yuumasato released this Jan 15, 2020

Highlights:

  • New product added for Debian 10 (debian10)
  • New product added for Red Hat OpenStack Platform 10 (rhosp10)
  • New draft Profile for RHEL8 STIG

Profiles changed in this release:

  • rhosp10: cui, stig
  • debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
  • rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
  • rhel7: e8, sap
  • ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
  • sle12: stig

Profiles:

  • Add security autoupdates to the RHEL8 E8 profile. (#5107)
  • E8: ensure there is a single account with uid zero (#5105)
  • Add draft RHELH content for rhel8 (#5040)
  • Remove SSSD rules from RHEL8 OSPP Profile (#5032)
  • Updated the e8 profile for RHEL8. (#5024)
  • Add draft RHEL8 STIG profile (#4991)
  • Remove coreos-fedramp profile (#4994)

Rules:

  • Rhosp10 (#5019)
  • Add debian10 content (#5058)
  • Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
  • Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
  • Update NIST 800-53 mappings (#5083)
  • NIST 800-53 Mapping Updates (#5079)
  • Delete rules in favour of package_subscription-manager_installed (#5059)
  • Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
  • Add missing CCE for package_telnetd_removed rule (#5090)
  • PermitUserEnvironment Checks For Incorrect Setting (#5087)
  • Use the FIPS:OSPP Crypto Policy (#5072)
  • Enable ansible template for service_fapolicyd_enable rule. (#5064)
  • modify usbguard_allow_* rules to use new match-all keyword (#5055)
  • Stig sle12 initial (#4847)
  • Update api-server XCCDF and OVAL for ocp4-isms (#5039)
  • Mark rules as platform: machine. (#5062)
  • Fix OVAL applicability for RHV4 (#5053)
  • Remove configure_fapolicyd_mounts rules from profiles. (#5057)
  • Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
  • Update api-server rules (#5034)
  • Coreos build - enable more rules (#5018)
  • Various minor fixes (#5025)
  • Update etcd rules (#5008)
  • [WIP] Add SAP profile to rhel (#3551)
  • Add missing CCEs to rules from STIG profile (#5021)
  • Add some NIST mappings for FISMA high (#4932)
  • Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
  • Ansible tasks fixes (#5004)
  • make aide_periodic_cron_checking accepting broader array of time specs (#4989)
  • SRG Mapping - misc rules (#4969)
  • additional srg mappings (#4981)
  • Verified that proper SRGs are in rules that need to be added (#4987)
  • adding DISA SRG references to rules found in the OSPP profile (#4877)
  • OCP4 content cleanup (#4970)
  • Add Network Policies rule to OCP (#4934)
  • Make coreos-ncp.profile buildable (#5001)
  • Added SRG rule for auditd_audispd_configure_remote_server (#4988)
  • DISA STIG SRG mappings (#4940)
  • added SRG rule for Exec Shield (#4982)
  • Day 2 - Yasir's Contributions (#4975)
  • day 2 changes to rules with SRG info (#4974)
  • add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
  • Added SRG to rules (#4968)
  • mapped ipv4 and ipv6 SRGs to rules (#4967)
  • add SRG to rule (#4966)
  • Updated to include SRG number (#4971)

Tests:

  • oscap: modify using variables in the printf format (#5063)
  • Improve fine-tuning of rule/group ordering (#5078)
  • Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
  • Extend waiting time till virtual machine is again in RUNNING state (#5041)
  • SSGTS: Use wildcards instead of matching substring (#5029)
  • Add waiting for RUNNING state of virtual machine (#5023)
  • Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
  • Fixed the remediation for rsyslog_files_permissions (#4906)

@yuumasato yuumasato released this Nov 5, 2019

Highlights:

  • New product added Debian 9 (debian9)
  • New product added OpenShift container Platform 4 (ocp4)
  • Add Essential Eight profiles
  • New templating system enabled by default
  • Move SSGTS test scenarios closer to rule definitions

Profiles changed in this release:

  • rhel7: e8, C2S, ospp
  • rhel8: e8, ospp
  • debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
  • ocp4: coreos-ncp, opencis-node
  • ocp3: opencis-master
  • fedora: ospp
  • rhel6: C2S, stig

Profiles:

  • Add Essential Eight profiles (#4859)
  • Remove openshift api_server_profiling check (#4944)
  • Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
  • Extend SSH session to timeout while still allowing session to disconnect (#4954)
  • Add coreos NCP profile (#4865)
  • Add rules for FISMA Low to CoreOS NCP (#4873)

Rules:

  • SSG debian9 (#4928)
  • ocp4: Initial build system support for the OCP4 product (#4908)
  • Don't require that files exist when path is regex (#4960)
  • Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
  • Add missing CCEs (#4956)
  • Add missing prodtypes for apt rules (#4930)
  • Compare suid/sgid files with the RPM database (#4648)
  • Add check to set /etc/motd similar to /etc/issue (#4947)
  • Set default to match syslog default (#4948)
  • Add package rules to OSPP profile (#4953)
  • Fill in the samples with the value from our variable (#4949)
  • Add postfix relayhost check (#4950)
  • Add rule to check cockpit service status (#4939)
  • Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
  • Added missing CCEs. (#4919)
  • Fix missing OVAL in some of RHEL 8 rules (#4927)
  • Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
  • Generate OCIL check for cramfs kernel module (#4918)
  • Added OCIL for mount option-type of rules. (#4910)
  • Update remediation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
  • Ported the sysctl macros to the new system. (#4843)
  • Made the new templating system work with Python2.6. (#4897)
  • Add WRLinux 10.19 to prodtype (#4903)
  • Fix typo and add ocil clause to package_audit_installed. (#4827)
  • Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
  • Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
  • Map AC-17 (#4894)
  • Map AC-6(9) (#4895)
  • Map AC-17(2) to crypto SSH policies (#4892)
  • Add rule for NIST AC-18(4) (#4889)
  • Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
  • Map AU-7 and AU-10 to audit package (#4890)
  • Run tmux only right after sshd/login (#4885)
  • Fix missing content in datastreams generated by new templating system (#4883)
  • Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
  • Fix dnf timer rule (#4882)
  • Map AU-9(3) and AU-5(2) for CoreOS (#4880)
  • Update list of packages installed in RHEL8 OSPP (#4876)
  • Map OCP SCC to Kubernetes benchmark (#4867)
  • Merge SELinux Boolean templates and migrate them to new system (#4860)
  • Fix rhel6 nist mapping typo (#4872)
  • Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
  • Add require_emergency_target_auth and update require_singleuser_auth (#4850)
  • Enable file permissions templates in new templating system (#4857)
  • Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
  • Add checks for crontab and supporting cron directories (#4858)
  • Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
  • Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
  • Postfix network listening to loopback-only (#4832)
  • Update rsyslog rules description (#4839)
  • Updated the rule description of configure_fapolicyd_mounts (#4835)
  • Fix accounts password rules template name (#4836)
  • New templating system (#4809)
  • Break out api_server_service_account_key into multiple rules (#4831)
  • Add openvswitch permission rules (#4830)
  • AIDE periodic crontab check modification (#4824)
  • Disable Mounting of FAT filesystems (#4815)
  • insecure-port should not be configured (#4821)
  • Fix kubelet_enable_streaming_connections Rule (#4823)
  • Assign CCEs to SSH permission checks (#4819)
  • Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
  • Ensure proper permissions on /etc/ssh/sshd_config (#4812)
  • Fix /etc/shadow permissions documentation (#4813)
  • Improve template grub2 argument (#4786)
  • making hardening of sshd crypto policy aligned with OSPP (#4799)
  • Disable Kerberos by removing host keytab. (#4793)
  • Move audit rules to correct group (#4778)
  • Configure TLS for rsyslog remote logging. (#4781)

Tests:

  • Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
  • Use only first occurrence from /etc/mtab (#4959)
  • ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
  • Add basic test scenarios for a few audit rules (#4907)
  • Made templates product-specific. (#4841)
  • Simplified the test_suite command-line. (#4808)
  • Changed owner of files in the test suite tarball. (#4797)
  • [WIP] Enable test suite support for podman executed by non-privileged user (#4544)
  • Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
  • fix grub2_argument bash remediation (#4891)
  • Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
  • Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
  • SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
  • Add test scenarios for rsyslog_remote_tls (#4788)
  • SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
  • ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
  • Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
  • Clean up partition before performing test for mount_option_tmp_noexec (#4795)
  • Move SSGTS test scenarios closer to rule definitions (#4741)

@yuumasato yuumasato released this Sep 2, 2019

Highlights:

  • SCAP 1.3 Data Streams are now the default (#4755)
    • 1.2 Data Streams are suffixed with -1.2.xml
  • OSPP consolidation (#4705)
    • RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
    • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
    • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

  • rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
  • wrlinux1019: draft_stig_wrlinux_disa
  • rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
  • rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
  • rhv4: rhvh-stig, rhvh-vpp
  • debian8: standard, anssi_np_nt28_restrictive
  • ubuntu1404: standard, anssi_np_nt28_restrictive
  • ubuntu1604: standard, anssi_np_nt28_restrictive
  • ubuntu1804: standard, anssi_np_nt28_restrictive
  • ol8: ospp, cjis, hipaa, pci-dss
  • fedora: ospp, pci-dss
  • ol7: stig, pci-dss

Profiles:

  • Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
  • Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
  • RHEL OSPP Profile Restructuring (#4754)
  • NCP Profile extends OSPP profile (#4764)
  • Rule grub2_vsyscall_argument is informational in OSPP (#4763)
  • Add support for XCCDF rule-refine (#4750)
  • Profile Restructuring (#4736)
  • Update OL8 HIPAA profile (#4718)
  • Update OL8 CJIS profile (#4719)
  • Adding SELinux rules into OSPP profile (#4735)
  • Fix section titles. (#4738)
  • Remove GNOME rules from rhel7/ospp (#4724)
  • The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
  • When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
  • Cleanup the RHEL7 ccc.profile, minimally (#4691)
  • Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

  • Enable fapolicyd to watch all system mountpoints. (#4773)
  • Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
  • Ensure rsyslog-gnutls is installed. (#4775)
  • IASE was migrated to DOD Cyber Exchange (#4768)
  • Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
  • Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
  • Update CSRF cookie secure (#4761)
  • Add mask_service parameter to services disabled template. (#4633)
  • Add new rhel8 aux gpg pubkey (#4675)
  • Add new package installed rule specific for RHEL8. (#4673)
  • Delete unused/unwanted dconf_use_text_backend rule. (#4684)
  • Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
  • extend oval check of configure_crypto_policy (#4757)
  • Update STIG Antivirus Language (#4745)
  • Log USBGuard daemon audit events using Linux Audit. (#4747)
  • Harden ssh client crypto policy (#4681)
  • Expanded and cleaned up csv templates. (#4739)
  • SSH service rules for SLE12 (#4289)
  • Single rule to configure audit rules for OSPP (#4680)
  • update STIG antivirus language (#4341)
  • Configure tmux to lock session after inactivity (#4737)
  • Prevent user from disabling the screen lock. (#4742)
  • Support session locking with tmux. (#4740)
  • Remove watches since syscall rules cover all cases. (#4706)
  • Update OL8 OSPP profile (#4717)
  • OSPP requirements and selections (#4662)
  • Enable the rngd service for OSPP. (#4733)
  • Move some system-tools rules to organized with their respective configuration rules (#4726)
  • Harden sshd crypto policy (#4663)
  • Set number of records to cause an explicit flush to audit logs. (#4697)
  • Set hostname as computer node name in audit logs. (#4701)
  • Force frequent session key renegotiation. (#4711)
  • Resolve information before writing to audit logs. (#4695)
  • Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
  • Fix typos in auditd_local_events texts. (#4698)
  • Preprocess references and identifiers during the build time. (#4063)
  • Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
  • Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
  • Disable storing core dumps. (#4650)
  • Add new rule auditd_write_logs (#4649)
  • new rule timer_dnf-automatic_enabled (#4614)
  • New rule auditd_local_events (#4636)
  • Start using oval_sshd_config jinja macros for sshd rules (#4624)
  • Simplify regexp (#4762)

Tests:

  • Fix _check_rule method call in SSG test suite. (#4767)
  • Test suite: set bash and ansible remediation to verbose mode. (#4652)
  • Fix disk configuration in OSPP anaconda kickstart file. (#4716)
  • Add documentation to known issue in the test suite. (#4730)
  • SSG Test suite: Add function to find remediation in the datastream. (#4714)
  • Add test scenarios for configure_usbguard_auditbackend rule (#4753)
  • Fix STIG IDs reference processing (#4725)
  • Add syslog_files rules test scenarios (#4743)
  • ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
  • Add test scenarios for sshd_set_keepalive rule (#4712)
  • Enable unit-testing of bash shared jinja macros (#4702)
  • Parameterize Red Hat's GPG release public key. (#4683)
  • Added stripping of new line when obtaining IP addr by podman inspect (#4692)
  • Fixed an omission. (#4658)
  • Test suite autodetect datastream. (#4657)
  • Testing of set_config_file function with BATS 2 (#4659)
  • Introduce tests for macro that generates OVAL (#4660)
  • Test suite change logging prefix to warning (#4688)
  • Test suite: Set additional SSH options when testing ansible remediations (#4674)
  • Document where test scenarios are located (#4654)
  • Document --url and --extra-repo of install_vm.py script (#4653)
  • Quick fix for CombinedMode _modify_parameters() (#4664)
  • Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
  • Fix regex which looks for line in file configuration. (#4646)

@yuumasato yuumasato released this Jul 25, 2019 · 3654 commits to master since this release

Highlights:

  • Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
  • RHEL7 ANSSI profiles are now enabled
  • Improvements to profile statistics, check them out in stats job
  • New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

  • rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
  • fedora: pci-dss, ospp
  • rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
  • ol8: hipaa, cjis, pci-dss, ospp
  • wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
  • wrlinux8: basic-embedded
  • rhel6: C2S, CS2, nist-CL-IL-AL
  • chromium: stig
  • firefox: stig
  • ol7: stig, pci-dss

Profiles:

  • Remove unnecessary packages from ospp (#4632)
  • Deduplicate profile files. (#4601)
  • Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
  • Update the RHEL8 profile (#4229)
  • Add rhel7 ccc (Common Criteria Certification) profile (#4361)
  • Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
  • OL8 profiles update (#4374)
  • Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
  • Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
  • misc updates to OSPP profile (#4586)
  • RHVH/RHELH STIG mappings (#4033)

Rules:

  • New rule dnf-automatic_security_updates_only (#4619)
  • Pimp ANSSI up and enable it (#4615)
  • New rule disable_tmux_status_line (#4631)
  • Enable the fapolicyd service for OSPP. (#4623)
  • Install fapolicyd for OSPP. (#4622)
  • new rule dnf-automatic_apply_updates (#4613)
  • Disable storing core dumps. (#4618)
  • Enable the usbguard service in OSPP profiles. (#4611)
  • Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
  • Added a test for uniqueness of CCEs. (#4577)
  • Add remaining rules from CC to OSPP (#4599)
  • Disable the use of user namespaces. (#4569)
  • Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
  • Enable Kernel page-table isolation. (#4566)
  • add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
  • Update OSPP profile with required package checks (#4580)
  • Disable CAN Support. (#4572)
  • Disable ATM Support. (#4571)
  • Disable IEEE 1394 (FireWire) Support. (#4573)
  • update OSPP (#4446)
  • Harden the kernel package filter just-in-time compiler operation. (#4564)
  • Disable access to network bpf() syscall from unprivileged processes. (#4563)
  • Disallow kernel profiling by unprivileged users. (#4547)
  • Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
  • Add nodev Option to /var. (#4542)
  • Add nodev Option to /boot. (#4453)
  • Add nosuid Option to /boot. (#4452)
  • Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
  • Disable chrony daemon from acting as server. (#4445)
  • Disable network management of chrony daemon. (#4449)
  • Map more rules into Anssi policy (#4439)
  • ANSSI network sysctl (#4345)
  • Fix typo. (#4423)
  • Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
  • Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
  • Anssi updates (#4351)
  • OSP13 Checks (#4364)
  • Smartcards auth in OL8 should be done via sssd (#4377)
  • Remove dconf_use_text_backend rule from profiles. (#4375)
  • Make hardened containers smaller (#4357)
  • Scap 1.3 content adjustments (#4353)
  • Generate check and remediation for rules regarding sysctl controls for links to files you do not own (#4346)
  • Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
  • Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
  • Rename group sap to sap_host (#4332)

Tests:

  • Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
  • Add tests for kernel_module_firewire-core_disabled rule. (#4605)
  • Document combined mode in tests/README.md (#4590)
  • install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
  • Remove ansible_playbook_set_hosts function from test suite (#4576)
  • Add profile metadata override in rule mode (#4578)
  • Fix test scenarios for mount option home nosuid (#4579)
  • Fix minlen test scenarios and include RHEL8 platform (#4450)
  • Print an error message when rule isn't found (#4454)
  • Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
  • Enable the (all) virtual profile in the rule-based test suite. (#4441)
  • Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
  • Install just things needed for the sssd service to run. (#4396)
  • Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
  • Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
  • Fix audit rules openat_o_trunc_write test scenarios. (#4438)
  • Add verbose output to the verbose logs (#4431)
  • Fix broken test scenario name (#4426)
  • Add option for extra repository in install_vm.py script. (#4421)
  • Change test scenarios for rule rpm_verify_permissions (#4344)
  • tests/install_vm.py: Do not abort if ostype detection fails (#4343)
  • Use VM install repo URL on the installed system (#4338)
  • Workaround SCAPVal 1.3.2 NullPointerException (#4339)
  • Use separate partition for /var/tmp in tests/kickstart (#4337)
  • Add test wrapper around SCAPVal tool (#4327)
  • Fix-ups and remote host support for tests/install_vm.py (#4328)

@yuumasato released this May 3, 2019 · 4272 commits to master since this release

Highlights

  • SCAP 1.3 DS generated alongside SCAP 1.2 DS
  • An Ansible Playbook is generated for each rule
  • Remediation roles terminology fixed
    • Ansible "roles" are now called Playbooks
    • Bash "roles" are now called bash scripts
  • Introduction of package CPEs for Rule applicability
  • Content will detect Podman as a container environment
  • Several fixes in Ansible snippets so that they don't error during execution

Products and Profiles

  • Significant content additions and bugfixes for OpenShift
  • Enable RHV-H and RHEL-H draft STIG profiles
  • RHEL7 STIG profiles renamed to have shorter ID
  • RHEL7 nist-800-171-cui renamed to cui
  • New rules enabled for SLE12

Rules

  • FIPS regulatory warning updated
  • Rules not relevant for containers tagged as machine only
  • Fixed duplicated CCEs

Documentation

  • Documentation in Build.md merged into Developer Guide
  • Mention profile_stats.py in Developer Guide
  • Update Ansible section in Developer Guide
  • Add documentation to build zipfile target

Infrastructure

  • Rename profile_stats to profile_tool and update usage by CMake.
  • CCE checksums are now validated
  • Update ansible template, readme, and script to bring in line with Ansible Galaxy

Full list of issues and pull requests closed in this release


@yuumasato released this Feb 21, 2019 · 4803 commits to master since this release

This release features several profile updates, and improvements to the content Test Suite.

  • Content updates
    • OpenShift - Miscellaneous updates
    • Added OL7 Draft DISA STIG profile
    • Added OL8 profiles:
      • Draft HIPAA
      • Draft CUI
      • Draft OSPP
      • CJIS security policy profile
    • Added RHEL7 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • Added RHV4 profiles:
      • RHVH FISMA Low profile
      • Draft RHVH STIG
    • RHEL8 profiles:
      • Updated RHEL8 OSPP
      • Update PCI-DSS profile
      • Added kickstart for OSPP and PCI-DSS profiles
  • Minimum supported Ansible version bumped to 2.5
  • Ansible-lint fixes and removal of some trailing whitespace
  • TestSuite
    • Updated documentation
    • New Podman backend
    • Usability improvements
  • Added build_product script to help build content

Full list of issues and pull requests closed in this release


@yuumasato released this Dec 11, 2018 · 5202 commits to master since this release

This release is mostly about improvements in content,
including many new rules, checks and remediations, and bugfixes to existing ones.
It features significant content updates for

  • Oracle Linux 7 and OpenStack Platform 13
  • OpenShift Container Platform 3
  • the newly added product Red Hat Enterprise Linux 8

Highlights

  • Addition of RHEL8 product
  • Content for OSP7 has been updated for OSP13
  • Content for OCP3 has been updated
  • New content is enabled for OL7
  • Addition of rules that cover configuration of system-wide crypto policy
  • Addition of Fedora 29 in place of Fedora 27
  • Update of TestSuite to work with python3.7
  • Introduction of platform dependent test scenarios

Known issues

  • Building content for RHEL derivatives (CentOS and Scientific Linux) can sometimes fail on the man_page target.
    This is a race condition caused by a missing dependency of the man_page build target.
    The issue is fixed by the following patch: #3662

Full list of issues and pull requests closed in this release
