Skip to content

@iankko iankko released this Jun 23, 2015 · 10184 commits to master since this release


  • Start porting of PCI-DSS profile from RHEL-6 to RHEL-7
  • Add OVAL-5.11 language support for RHEL-7 product if underlying system's oscap version supports OVAL-5.11 already
  • Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
  • Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
  • Enhance XML files validation performed via make validate target for all products (optimize speed, validate all XML files against schematron where possible etc.)


  • Add Chromium SCAP STIG content

  • Include Firefox, JRE, and Chromium content by default into Fedora's RPM

  • [Fedora] Add ShellCheck test as part of make validate for Fedora content

  • Ported OVAL checks:

    • audit_rules_mac_modification,
    • audit_rules_networkconfig_modification,
    • audit_rules_time_watch_localtime,
    • audit_rules_time_clock_settime,
    • audit_rules_time_stime,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_adjtimex

    audit rules have been ported to RHEL-7 and Fedora products.

  • [RHEL/7] [Fedora] Port accounts_passwords_pam_faillock_unlock_time OVAL check to RHEL-7 && Fedora

  • [RHEL/7] [Fedora] Port audit_rules_immutable OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_login_events OVAL check to RHEL-7 and Fedora

  • [RHEL/7] [Fedora] Port audit_rules_session_events OVAL check to RHEL-7 && Fedora

  • [RHEL/7] Enable service_auditd_enabled and service_chronyd_enabled for RHEL-7's PCI-DSS profile

New OVAL checks:

  • [RHEL/7] Add RHEL-7 OVAL checks for service_rdisc_disabled and service_rsyslog_enabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_oddjobd_disabled and service_qpidd_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_autofs_disabled and service_ntpdate_disabled
  • [RHEL/7] Add RHEL-7 OVAL checks for service_atd_disabled and service_abrtd_disabled
  • [RHEL/7] [Fedora] Add display_login_attempts OVAL check for RHEL-7 and Fedora products

New remediations:

  • [RHEL/7] Implement remediation fix for RHEL-7's accounts_password_pam_maxrepeat rule

Bug Fixes:

  • [Infrastructure] Multiple fixes and enhancements:
    • De-duplicate OVAL entity identifiers
    • Enhance to return appropriate exit code depending on the exit status
      of the internally called oscap oval eval command
    • Add support for quiet mode (options -q | --quiet | --silent) to
    • Fix bug when dealing with external variables
  • Fix broken python modules in Git tree
  • [RHEL/6] [OVAL check fix] Fix accounts_passwords_pam_faillock_interval and accounts_passwords_pam_faillock_unlock_time to use preauth option instead of authsucc
  • Correct some of the remediation script issues reported by the ShellCheck tool for the remediation scripts for Firefox, JRE, RHEL-6, and RHEL-7 products
  • [RHEL/6] Fix OVAL checks for sysctl_net_ipv6_conf_default_accept_ra and sysctl_net_ipv6_conf_default_accept_redirects to report proper results if IPv6 is disabled on the underlying system
  • [RHEL/7] Fix missing selector values to selected PAM variables as required by PCI-DSS profile
  • [BugFix] [RHEL/7] [Fedora] Update XCCDF prose for display_login_attempts rule for RHEL-7 and Fedora products to provide correct recommendation wrt to pam_lastlog settings on these products
  • [BugFix] [Infrastructure] Fix test_attestation links to be valid URLs (both for XCCDF and for OVAL)
  • [RHEL/7] Fix remediation script for accounts_password_pam_minclass
  • [BugFix] [RHEL/6] [RHEL/7] Don't include the test profile into the final benchmark by default, only upon request
  • [BugFix] [Chromium] [Firefox] [Java] [Webmin] Specify correct profile name when generating HTML guides for these products
  • [BugFix] Rename 'Java' product to be 'JRE' product (since JRE has been suggested as a more appropriate name for this benchmark)
  • [BugFix] [JRE] Fix trailing whitespace issues in the JRE content

Remediation fixes:

  • [RHEL/7] sshd_enable_warning_banner ensure the banner config appears on a line by itself
  • [RHEL/6] accounts_passwords_pam_faillock_interval remediation - use proper fail_interval option
Assets 2
You can’t perform that action at this time.