Skip to content

@mpreisler mpreisler released this Jul 8, 2015 · 10084 commits to master since this release


  • Add initial draft of Standard Security Profile for RHEL-7 to serve as base to ensure common security sanity of various flavous of Red Hat Enterprise Linux 7 system ("traditional", virtualized / containerized, RHEL-7 Atomic host etc.),
  • Dozen of new remediation scripts for various audit rules of Red Hat Enterprise Linux 7 system,
  • HTML formatted guides enhancements (start building HTML guide for each profile, minimize the HTML guide size by unselecting empty groups). Thanks to Martin Preisler for contributing these!


  • Add initial draft of Standard Security Profile for RHEL-7,
  • Use XCCDF's override inheritance model when extend-ing profiles,
  • Enhance the former fix_audit_watch_rule and fix_audit_syscall_rule remediation functions to work properly also on RHEL-7 and Fedora systems,
  • Start building HTML formatted guide for every profile for every benchmark (product),
  • Apply that build-all-guides change to Fedora, Chromium, Firefox, JRE, OpenStack, RHEL/5, RHEL/6, RHEL/7, Chromium, and Webmin products,
  • Implement HTML index file to ease browsing across the HTML guides produced,
  • Implement non-JavaScript option for HTML index files,
  • Build default profile as part of build-all-guides effort,
  • Changed logic when building the HTML formatted guides in the sense now the XCCDF:groups not having at least one rule selected in them, would not be visible in the final HTML guide (though they would still be accessible when tailoring the content),
  • Added CentOS6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added CentOS7 CPE to CPE dictionary for RHEL-7 and variants,
  • Added Scientific Linux 6 CPE to CPE dictionary for RHEL-6 and variants,
  • Added Scientific Linux 7 CPE to CPE dictionary for RHEL-7 and variants,
  • Add draft / example PCI-DSS' profile kickstart for Red Hat Enterprise Linux 7 Server system using the Oscap Anaconda Addon tool,

XCCDF changes / enhancements:

  • [RHEL/7] Update the XCCDF prose for Enable the NTP Daemon rule to properly deal with chronyd daemon,

OVAL check changes:

  • [RHEL/7] Update the existing OVAL check for Enable the NTP Daemon rule to return PASS if at least one of chronyd, or ntpd services are enabled (besides other things the patch for this issue fixed also one invalid selector RHEL-7 PCI-DSS profile issue),

New Remediations:

  • [RHEL/7] audit_rules_file_deletion_events,
  • [RHEL/7] audit_rules_kernel_module_loading,
  • [RHEL/7] audit_rules_sysadmin_actions,
  • [RHEL/7] audit_rules_media_export,
  • [RHEL/7] audit_rules_unsuccessful_file_modification,
  • [RHEL/6] [RHEL/7] audit_rules_session_events,
  • [RHEL/7] audit_rules_dac_modification_setxattr,
  • [RHEL/7] audit_rules_dac_modification_removexattr,
  • [RHEL/7] audit_rules_dac_modification_lsetxattr,
  • [RHEL/7] audit_rules_dac_modification_lremovexattr,
  • [RHEL/7] audit_rules_dac_modification_fsetxattr,
  • [RHEL/7] audit_rules_dac_modification_fremovexattr,
  • [RHEL/7] audit_rules_dac_modification_chown,
  • [RHEL/7] audit_rules_dac_modification_fchown,
  • [RHEL/7] audit_rules_dac_modification_fchownat,
  • [RHEL/7] audit_rules_dac_modification_lchown,
  • [RHEL/7] audit_rules_dac_modification_chmod,
  • [RHEL/7] audit_rules_dac_modification_fchmod,
  • [RHEL/7] audit_rules_dac_modification_fchmodat,
  • [RHEL/7] audit_rules_mac_modification,
  • [RHEL/7] audit_rules_networkconfig_modification,
  • [RHEL/7] audit_rules_usergroup_modification,
  • [RHEL/7] audit_rules_time_watch_localtime,

Remediation fixes / other changes:

  • [RHEL/6] Rewrite audit_rules_dac_modification_setxattr remediation to start using fix_audit_syscall_rule remediation function,
  • [RHEL/6] Rewrite existing RHEL-6 audit_rules_dac_modification_chown, audit_rules_dac_modification_fchown, audit_rules_dac_modification_fchownat, and audit_rules_dac_modification_lchown remediation scripts to start using fix_audit_syscall_rule function,
  • [RHEL/6] Rewrite audit_rules_dac_modification_chmod, audit_rules_dac_modification_fchmod, audit_rules_dac_modification_fchmodat to start using fix_audit_syscall_rule function,

Bug Fixes:


  • Drop Fedora 20 support in Fedora benchmark since EOL,
  • Multiple ShellCheck warnings fixed across the content,
  • Multiple simplifications,
  • Unified all LICENSE files into just one ./LICENSE,
Assets 3
You can’t perform that action at this time.