Skip to content

Content 0.1.45 Release Notes

Compare
Choose a tag to compare
@yuumasato yuumasato released this 25 Jul 00:03
· 19303 commits to master since this release
v0.1.45
b59a21d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: 4AEE18F83AFDEB23
Learn about vigilant mode.

Highlights:

  • Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
  • RHEL7 ANSSI profiles are now enabled
  • Improvements to profile statistics, check them out in stats job
  • New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

  • rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
  • fedora: pci-dss, ospp
  • rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
  • ol8: hipaa, cjis, pci-dss, ospp
  • wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
  • wrlinux8: basic-embedded
  • rhel6: C2S, CS2, nist-CL-IL-AL
  • chromium: stig
  • firefox: stig
  • ol7: stig, pci-dss

Profiles:

  • Remove unnecessary packages from ospp (#4632)
  • Deduplicate profile files. (#4601)
  • Fixing No newline at end of file, introduced by 38fe5cf. (#4602)
  • Update the RHEL8 profile (#4229)
  • Add rhel7 ccc (Common Criteria Certification) profile (#4361)
  • Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
  • OL8 profiles update (#4374)
  • Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
  • Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
  • misc updates to OSPP profile (#4586)
  • RHVH/RHELH STIG mappings (#4033)

Rules:

  • New rule dnf-automatic_security_updates_only (#4619)
  • Pimp ANSSI up and enable it (#4615)
  • New rule disable_tmux_status_line (#4631)
  • Enable the fapolicyd service for OSPP. (#4623)
  • Install fapolicyd for OSPP. (#4622)
  • new rule dnf-automatic_apply_updates (#4613)
  • Disable storing core dumps. (#4618)
  • Enable the usbguard service in OSPP profiles. (#4611)
  • Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
  • Added a test for uniqueness of CCEs. (#4577)
  • Add remaining rules from CC to OSPP (#4599)
  • Disable the use of user namespaces. (#4569)
  • Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
  • Enable Kernel page-table isolation. (#4566)
  • add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
  • Update OSPP profile with required package checks (#4580)
  • Disable CAN Support. (#4572)
  • Disable ATM Support. (#4571)
  • Disable IEEE 1394 (FireWire) Support. (#4573)
  • update OSPP (#4446)
  • Harden the kernel package filter just-in-time compiler operation. (#4564)
  • Disable access to network bpf() syscall from unprivileged processes. (#4563)
  • Disallow kernel profiling by unprivileged users. (#4547)
  • Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
  • Add nodev Option to /var. (#4542)
  • Add nodev Option to /boot. (#4453)
  • Add nosuid Option to /boot. (#4452)
  • Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
  • Disable chrony daemon from acting as server. (#4445)
  • Disable network management of chrony daemon. (#4449)
  • Map more rules into Anssi policy (#4439)
  • ANSSI network sysctl (#4345)
  • Fix typo. (#4423)
  • Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
  • Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
  • Anssi updates (#4351)
  • OSP13 Checks (#4364)
  • Smartcards auth in OL8 should be done via sssd (#4377)
  • Remove dconf_use_text_backend rule from profiles. (#4375)
  • Make hardened containers smaller (#4357)
  • Scap 1.3 content adjustments (#4353)
  • Generate check and remediation for rules regarding sys controls for links to file you not own (#4346)
  • Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
  • Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
  • Rename group sap to sap_host (#4332)

Tests:

  • Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
  • Add tests for kernel_module_firewire-core_disabled rule. (#4605)
  • Document combined mode in tests/README.md (#4590)
  • install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
  • Remove ansible_playbook_set_hosts function from test suite (#4576)
  • Add profile metadata override in rule mode (#4578)
  • Fix test scenarios for mount option home nosuid (#4579)
  • Fix minlen test scenarios and include RHEL8 platform (#4450)
  • Print an error message when rule isn't found (#4454)
  • Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
  • Enable the (all) virtual profile in the rule-based test suite. (#4441)
  • Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
  • Install just things needed for the sssd service to run. (#4396)
  • Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
  • Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
  • Fix audit rules openat_o_trunc_write test scenarios. (#4438)
  • Add verbose output to the verbose logs (#4431)
  • Fix broken test scenario name (#4426)
  • Add option for extra repository in install_vm.py script. (#4421)
  • Change test scenarios for rule rpm_verify_permissions (#4344)
  • tests/install_vm.py: Do not abort if ostype detection fails (#4343)
  • Use VM install repo URL on the installed system (#4338)
  • Workaround SCAPVal 1.3.2 NullPointerException (#4339)
  • Use separate partition for /var/tmp in tests/kickstart (#4337)
  • Add test wrapper around SCAPVal tool (#4327)
  • Fix-ups and remote host support for tests/install_vm.py (#4328)
Assets 5