Skip to content

Content 0.1.46
Compare
Choose a tag to compare
@yuumasato yuumasato released this 02 Sep 08:21
v0.1.46
54aa233
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Highlights:

  • SCAP 1.3 Data Streams are now the default (#4755)
    • 1.2 Data Streams are suffixed with -1.2.xml
  • OSPP consolidation (#4705)
    • RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
    • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
    • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

  • rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
  • wrlinux1019: draft_stig_wrlinux_disa
  • rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
  • rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
  • rhv4: rhvh-stig, rhvh-vpp
  • debian8: standard, anssi_np_nt28_restrictive
  • ubuntu1404: standard, anssi_np_nt28_restrictive
  • ubuntu1604: standard, anssi_np_nt28_restrictive
  • ubuntu1804: standard, anssi_np_nt28_restrictive
  • ol8: ospp, cjis, hipaa, pci-dss
  • fedora: ospp, pci-dss
  • ol7: stig, pci-dss

Profiles:

  • Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
  • Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
  • RHEL OSPP Profile Restructuring (#4754)
  • NCP Profile extends OSPP profile (#4764)
  • Rule grub2_vsyscall_argument is informational in OSPP (#4763)
  • Add suport for XCCDF rule-refine (#4750)
  • Profile Restructuring (#4736)
  • Update OL8 HIPAA profile (#4718)
  • Update OL8 CJIS profile (#4719)
  • Adding SELinux rules into OSPP profile (#4735)
  • Fix section titles. (#4738)
  • Remove GNOME rules from rhel7/ospp (#4724)
  • The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
  • When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
  • Cleanup the RHEL7 ccc.profile, minimally (#4691)
  • Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

  • Enable fapolicyd to watch all system mountpoints. (#4773)
  • Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
  • Ensure rsyslog-gnutls is installed. (#4775)
  • IASE was migrated to DOD Cyber Exchange (#4768)
  • Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
  • Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
  • Update CSRF cookie secure (#4761)
  • Add mask_service parameter to services disabled template. (#4633)
  • Add new rhel8 aux gpg pubkey (#4675)
  • Add new package installed rule specific for RHEL8. (#4673)
  • Delete unused/unwanted dconf_use_text_backend rule. (#4684)
  • Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
  • extend oval check of configure_crypto_policy (#4757)
  • Update STIG Antivirus Language (#4745)
  • Log USBGuard daemon audit events using Linux Audit. (#4747)
  • Harden ssh client crypto policy (#4681)
  • Expanded and cleaned up csv templates. (#4739)
  • SSH service rules for SLE12 (#4289)
  • Single rule to configure audit rules for OSPP (#4680)
  • update STIG antivirus language (#4341)
  • Configure tmux to lock session after inactivity (#4737)
  • Prevent user from disabling the screen lock. (#4742)
  • Support session locking with tmux. (#4740)
  • Remove watches since syscall rules cover all cases. (#4706)
  • Update OL8 OSPP profile (#4717)
  • OSPP requirements and selections (#4662)
  • Enable the rngd service for OSPP. (#4733)
  • Move some system-tools rules to organized with their respective configuration rules (#4726)
  • Harden sshd crypto policy (#4663)
  • Set number of records to cause an explicit flush to audit logs. (#4697)
  • Set hostname as computer node name in audit logs. (#4701)
  • Force frequent session key renegotiation. (#4711)
  • Resolve information before writing to audit logs. (#4695)
  • Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
  • Fix typos in auditd_local_events texts. (#4698)
  • Preprocess references and identifiers during the build time. (#4063)
  • Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
  • Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
  • Disable storing core dumps. (#4650)
  • Add new rule auditd_write_logs (#4649)
  • new rule timer_dnf-automatic_enabled (#4614)
  • New rule auditd_local_events (#4636)
  • Start using oval_sshd_config jinja macros for sshd rules (#4624)
  • Simplify regexp (#4762)

Tests:

  • Fix _check_rule method call in SSG test suite. (#4767)
  • Test suite: set bash and ansible remediation to verbose mode. (#4652)
  • Fix disk configuration in OSPP anaconda kickstart file. (#4716)
  • Add documentation to known issue in the test suite. (#4730)
  • SSG Test suite: Add function to find remediation in the datastream. (#4714)
  • Add test scenarios for configure_usbguard_auditbackend rule (#4753)
  • Fix STIG IDs reference processing (#4725)
  • Add syslog_files rules test scenarios (#4743)
  • ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
  • Add test scenarios for sshd_set_keepalive rule (#4712)
  • Enable unit-testing of bash shared jinja macros (#4702)
  • Parameterize Red Hat's GPG release public key. (#4683)
  • Added stripping of new line when obtaining IP addr by podman inspect (#4692)
  • Fixed an omission. (#4658)
  • Test suite autodetect datastream. (#4657)
  • Testing of set_config_file function with BATS 2 (#4659)
  • Introduce tests for macro that generates OVAL (#4660)
  • Test suite change logging prefix to warning (#4688)
  • Test suite: Set additional SSH options when testing ansible remediations (#4674)
  • Document where test scenarios are located (#4654)
  • Document --url and --extra-repo of install_vm.py script (#4653)
  • Quick fix for CombinedMode _modify_parameters() (#4664)
  • Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
  • Fix regex which looks for line in file configuration. (#4646)
Assets 5
Loading