Skip to content

Content 0.1.47
Compare
Choose a tag to compare
@yuumasato yuumasato released this 05 Nov 15:16
v0.1.47
48db510
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Highlights:

  • New product added Debian 9 (debian9)
  • New product added OpenShift container Platform 4 (ocp4)
  • Add Essential Eight profiles
  • New templating system enabled by default
  • Move SSGTS test scenarios closer to rule definitions

Profiles changed in this release:

  • rhel7: e8, C2S, ospp
  • rhel8: e8, ospp
  • debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
  • ocp4: coreos-ncp, opencis-node
  • ocp3: opencis-master
  • fedora: ospp
  • rhel6: C2S, stig

Profiles:

  • Add Essential Eight profiles (#4859)
  • Remove openshift api_server_profiling check (#4944)
  • Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
  • Extend SSH session to timeout while stilll allowing session to disconnect (#4954)
  • Add coreos NCP profile (#4865)
  • Add rules for FISMA Low to CoreOS NCP (#4873)

Rules:

  • SSG debian9 (#4928)
  • ocp4: Initial build system support for the OCP4 product (#4908)
  • Don't require that files exist when path is regex (#4960)
  • Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
  • Add missing CCEs (#4956)
  • Add missing prodtypes for apt rules (#4930)
  • Compare suid/sgid files with the RPM database (#4648)
  • Add check to set /etc/motd similar to /etc/issue (#4947)
  • Set default to match syslog default (#4948)
  • Add package rules to OSPP profile (#4953)
  • Fill in the samples with the value from our variable (#4949)
  • Add postfix relayhost check (#4950)
  • Add rule to check cockpit service status (#4939)
  • Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
  • Added missing CCEs. (#4919)
  • Fix missing OVAL in some of RHEL 8 rules (#4927)
  • Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
  • Generate OCIL check for cramfs kernel module (#4918)
  • Added OCIL for mount option-type of rules. (#4910)
  • Update remetiation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
  • Ported the sysctl macros to the new system. (#4843)
  • Made the new templating system work with Python2.6. (#4897)
  • Add WRLinux 10.19 to prodtype (#4903)
  • Fix typo and add ocil clause to package_audit_installed. (#4827)
  • Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
  • Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
  • Map AC-17 (#4894)
  • Map AC-6(9) (#4895)
  • Map AC-17(2) to crypto SSH policies (#4892)
  • Add rule for NIST AC-18(4) (#4889)
  • Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
  • Map AU-7 and AU-10 to audit package (#4890)
  • Run tmux only right after sshd/login (#4885)
  • Fix missing content in datastreams generated by new templating system (#4883)
  • Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
  • Fix dnf timer rule (#4882)
  • Map AU-9(3) and AU-5(2) for CoreOS (#4880)
  • Update list of packages installed in RHEL8 OSPP (#4876)
  • Map OCP SCC to Kubernetes benchmark (#4867)
  • Merge SELinux Boolean templates and migrate them to new system (#4860)
  • Fix rhel6 nist mapping typo (#4872)
  • Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
  • Add require_emergency_target_auth and update require_singleuser_auth (#4850)
  • Enable file permissions templates in new templating system (#4857)
  • Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
  • Add checks for crontab and supporting cron directories (#4858)
  • Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
  • Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
  • Postfix network listening to loopback-only (#4832)
  • Update rsyslog rules description (#4839)
  • Updated the rule description of configure_fapolicyd_mounts (#4835)
  • Fix accounts password rules template name (#4836)
  • New templating system (#4809)
  • Break out api_server_service_account_key into multiple rules (#4831)
  • Add openvswitch permission rules (#4830)
  • AIDE periodic crontab check modification (#4824)
  • Disable Mounting of FAT filesystems (#4815)
  • insecure-port should not be configured (#4821)
  • Fix kubelet_enable_streaming_connections Rule (#4823)
  • Assign CCEs to SSH permission checks (#4819)
  • Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
  • Ensure proper permissions on /etc/ssh/sshd_config (#4812)
  • Fix /etc/shadow permissions documentation (#4813)
  • Improve template grub2 argument (#4786)
  • making hardening of sshd crypto policy alligned with OSPP (#4799)
  • Disable Kerberos by removing host keytab. (#4793)
  • Move audit rules to correct group (#4778)
  • Configure TLS for rsyslog remote logging. (#4781)

Tests:

  • Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
  • Use only first occurence from /etc/mtab (#4959)
  • ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
  • Add basic test scenarios for a few audit rules (#4907)
  • Made templates product-specific. (#4841)
  • Simplified the test_suite command-line. (#4808)
  • Changed owner of files in the test suite tarball. (#4797)
  • [WIP] Enable test suit support for podman executed by non-privileged user (#4544)
  • Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
  • fix grub2_argument bash remediation (#4891)
  • Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
  • Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
  • SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
  • Add test scenarios for rsyslog_remote_tls (#4788)
  • SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
  • ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
  • Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
  • Clean up partition before performing test for mount_option_tmp_noexec (#4795)
  • Move SSGTS test scenarios closer to rule definitions (#4741)
Assets 5
Loading