SCAP Security Guide 0.1.39 Release Notes

@yuumasato released this May 2, 2018 · 961 commits to master since this release

Highlights

  • XCCDF Rules moved to yaml format
  • Jinja2 templating for Rules, Checks and remediation introduced
  • Profile IDs simplified
  • Product Oracle Linux 7 added
  • Common Profile removed in favor of Standard Profile
  • RHEL7 STIG reference updated to V1R4
  • RHEL6 STIG reference updated to V1R18

Profiles

  • [Bugfix] remove kernel IPv6 from RHEL6 STIG
  • [Bugfix] Remove disabling all usb devices in kernel for OSPP and HIPAA profile
  • [Bugfix] Add Missing DISA RHEL7 STIG XCCDF rules
  • [Bugfix] rhel7: fix titles/descriptions, indicate draft status (rebase of #2717)
  • update references to RHEL7 STIG release to V1R4
  • [Bugfix] Update RHEL 6 STIG Reference to V1R18
  • [Enhancement] Add profile sap to the product ol7
  • [Enhancement] OL7 standard profile extra rules
  • [Enhancement] Simplify profile ids
  • [Bugfix] RHEL 7 STIG V1R4
  • [Bugfix] Remove common profile and use standard profile instead
  • [Enhancement] Extra Apache STIG rules
  • [issue 2571] update OSPP profile name and description
  • [Bugfix] Added the forgotten ospp42 profile
  • [RHEL7] Initial OSPP v4.2 draft profile
  • [Bugfix] Removed duplicate sudo related selects in rhel7's HIPAA
  • [Enhancement] Hippaaahhh

Rules

  • [Enhancement] Fix missing elements and description in var_auditd_admin_space_left_action and var_auditd_space_left_action
  • [Bugfix] rhel6 dod banner prohibit whitespace
  • [Bugfix] update prose to reflect cron time shorthand codes
  • [Bugfix] Remove ignore option for auditing configuration
  • [Bugfix] Change ID of Rule that checks for IPV6 disabled
  • [Bugfix] Fix a mismatched tag issue in RHEL6 sudo.xml

OVAL

  • [Enhancement] Add Docker SELinux check in daemon.json
  • [Bugfix] fix faillock audit oval
  • [Enhancement] aide cron flex
  • audit_rules_privileged_commands: allow arbitrary key
  • ftp_present_banner: update pattern in oval file and add remediation
  • [Bugfix] Add disabled OVAL 5.11 services for SSHD for OpenSUSE
  • Fix Rule ensure logrotate activated
  • Fix #2618

Remediation

  • [Bugfix] Fix dconf_gnome_disable_geolocation script and add missing dconf remediation scripts
  • Removed an accidentally committed file in shared/fixes/bash
  • [Bugfix] Use include_dconf_settings bash remediation function
  • [Bugfix][Enhancement] Use new dconf bash functions for bash scripts and add some missing dconf scripts
  • [Bugfix] Make sure that dconf dirs exist
  • [Enhancement] Unify sshd disable empty passwords
  • [Enhancement] Added support for checks and remediation for mount_options.
  • [Bugfix] Add create_module and finit_module scripts
  • [Enhancement] Add Anaconda Kdump disable script
  • [Bugfix] Fix accounts_passwords_pam_faillock_deny.sh script
  • [Bugfix] Not escaping / character breaks perform_audit_rules_privileged_commands_remediation.sh
  • [Bugfix] Fix typo in set_faillock_option_to_value_in_pam_file.sh
  • updated rhel7/fixes/ansible/service_avahi-daemon_disabled.yml to match template_ANSIBLE_service_disabled
  • [Enhancement] Further improved replace_or_append
  • Improve remediation of auditd_data_disk_full_action
  • [Enhancement] Improved replace_or_append.
  • [Bugfix] Partition remediations
  • Improved bash syntax of bash remediations
  • [Bugfix] eaccess should actually be eacces

SSGTestSuite

  • [Ssgtestsuite] Add tests for verifying file permissions and hashes with RPM
  • [Ssgtestsuite] Added tests for checking for bootloader password protection.
  • Minor in size, but substantial test suite improvements.
  • [Ssgtestsuite] Tests and OVAL fix for Rule sssd_enable_pam_services
  • [Ssgtestsuite] Add remediation for ldap_client_start_tls

Infrastructure

  • [Bugfix] Change yaml.Loader to yaml.SafeLoader
  • Add benchmark metadata element to shorthand
  • Remove all references for dropped OVALs
  • [Infrastructure][Enhancement] Package command apt get
  • [Enhancement] Add minimum package version check with jinja2 template
  • [Bugfix] testoval_module.py not processing oval version correctly
  • [Bugfix] openSUSE CPE update and clean-up
  • [Enhancement] Use yaml.safe_load for build related yaml files
  • [Bugfix] Add python jinja2 package to build doc
  • [Enhancement] Add regex handling for SRG and STIG reference versions in CMake
  • [Infrastructure][Enhancement] jinja2 for fixes, checks and the opencontrol yaml
  • [Bugfix] Add external content to yaml
  • [Bugfix] Don't exit with 0 when product.yml loading fails
  • [Infrastructure][Enhancement] Template ubuntu packages
  • [Documentation] Docs directory cleanup
  • [Enhancement] Require the python yaml module, fatal error if it's not found
  • [Documentation] user_guide.adoc: updates
  • [Bugfix] Document minimum Ansible version in User/Developer Guides
  • [Bugfix] Don't load yaml booleans as python booleans
  • fix link in user guide
  • README.md: fix link
  • Fixed OVAL check exports.
  • [Infrastructure][Bugfix] Apply elements with relevant prodtype when generating xccdf xml
  • Mark draft profiles as "documentation_complete: false"
  • Refactoring of relabel-ids.py
  • Allow lines longer than 80 characters in Python scripts.
  • [Bugfix] Update build instructions to include PyYAML
  • Made the service disable command more complete.
  • [Infrastructure] Added print function support for Python2 where applicable.
  • [Infrastructure] Make it possible to build SSG with python3
  • [Infrastructure] shorthand.xml target should depend on the yaml-to-shorthand script
  • [Infrastructure] Configure python interpreter
  • [Infrastructure] Profile file extension is now ".profile"
  • [Enhancement] Moved stuff around so that the folder matches the Makefile target
  • Update COPR section
  • [Infrastructure] Make SSG easier to edit (the yaml project)
  • RHOSP7 now uses the shared guide
  • Use the shared benchmark for opensuse
  • [Bugfix] remediation functions xml is no longer in shared
  • OL7 was using one group outside of shared but everything else was shared
  • Add support for Oracle Linux 7
  • Updated parts of the project documentation.
  • Made Ubuntu14 and Ubuntu16 use local content.
  • Move debian8 and rhel6 system and services locally
  • [Bugfix] Source only local shorthand XCCDF to build debian8 content
  • Remove the empty RHEVM3 benchmark
  • [Bugfix] RHEL6 to only use its local shorthand content
  • [Infrastructure][Enhancement] Fedora shared benchmark
  • Remove shared XCCDF from WRLinux for yaml prep
  • [Bugfix] Untangle shared shorthands
  • [Bugfix] Moved firefox shorthand XML to the firefox product folder from shared
  • [Bugfix] Chromium XCCDF was in shared even though it uses nothing else from sh…
  • [Bugfix] Moved the .gitkeep file to where the author most likely intended it
  • [Infrastructure][Bugfix] Fix install of PCI-DSS centric HTML guides

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.38 Release Notes

@yuumasato released this Mar 2, 2018 · 1458 commits to master since this release

Highlights

  • New License - BSD-3 Clause
  • New Profiles introduced for development
    • ANSSI
    • HIPAA
    • C2S-Docker
  • Adoption of CTest for schema validation
  • Several remediation fixes

Profiles

  • [Enhancement] Add initial C2S Docker Profile
  • [Bugfix] This is a shorthand XCCDF, not the actual XCCDF 1.1, the xmlns makes …
  • [Bugfix] It's HIPAA, not HIPPA
  • Add some rules for protection of data in transit and adequate capacity to ensure availability for HIPAA
  • Add anssi reference to rsyslog_service_enabled
  • [Enhancement] Add initial HIPPA profile
  • [Enhancement] Added "anssi" profile to the RHEL7 product
  • [Bugfix] Fix ID of RHEL6 DISA STIG Profile
  • Fixing reference to outdated PAM configuration manual

XCCDF

  • [Bugfix] Add override to C2S-docker Profile
  • [Bugfix] Fix kernel module loading and unloading rules
  • Grub2 password fix
  • [Bugfix] Specify default account expiration value
  • [Bugfix] Specify default LUKS cipher and minimum key size
  • [Bugfix] Reference real files instead of procfs and sysfs files

OVAL

  • update to match all supported EAP 6 releases
  • Improve OVAL filepath expressions.
  • Add check and remediation for RHEL-07-040550 (shosts.equiv)
  • Add check and remediation for RHEL-07-040540

Remediation

  • [Enhancement] Introduced draft of SSG Bash scripting guidelines.
  • [Bugfix] Fixes #2607 - audit_rules_login_events
  • [Bugfix] Enable correct ansible template for file modification audit rules
  • [Bugfix] Fix Ansible remediations broken by Ansible bug.
  • [Bugfix] Fixed the banner enablement option name.
  • [Bugfix] Add Ansible pre-task version checking for Ansible roles
  • [Bugfix] Remove duplicate install_smartcard_packages BASH script
  • [Enhancement] Ensure libsemanage-python is installed or Ansible SELinux boolean tas…
  • [Bugfix] Fix chronyd or ntpd set maxpoll
  • [Bugfix] fixed syntax issue with sed in auditd_data_retention_space_left.sh
  • [Ansible] Hooksie1 ansible pam faillock
  • [Bugfix] Add some of the missing BASH remediations
  • [Bugfix] Disable service remediation fails if service is not installed - ansible
  • [Bugfix] Check if prelink is installed before trying to disable
  • [Bugfix] updated kernel module loading init and delete to use b32 and b64
  • [Bugfix] fixed rpm_verify_permissions to use 4th field in cut statement
  • [Bugfix] Fix UsePrivilegeSeparation ansible remediation
  • [Bugfix] updated key variable to recognize both -k and -F key=
  • [Bugfix] reset IFS back to default in ensure_redhat_gpgkey_installed.sh
  • [Infrastructure][Bugfix] fixed template_BASH_sebool_var with valid bash syntax

SSG Test Suite

  • [Ssgtestsuite] Add tests for accounts_passwords_pam_faillock_deny
  • [Ssgtestsuite] Tests for ctrlaltdel burstaction and audit rules time
  • Changed test suite benchmark specification to use Ref-Id.
  • Update rule_sshd_use_priv_separation test to check for sandbox value
  • [Ssgtestsuite] Add test coverage for rule_accounts_have_homedir_login_defs
  • [Ssgtestsuite] Add test scenarios of rule_umask_for_daemons.
  • [Ssgtestsuite][Bugfix] Small test suite tweaks
  • [Ssgtestsuite] Better bash remediations tests.
  • Add tests accounts umask etc login defs
  • [Ssgtestsuite] Add scenario remediation parameter and fix sshd test scenarios

Infrastructure

  • Update Contributors list for release v0.1.38
  • [Infrastructure][Bugfix] Glob source xccdf files recursively
  • [Infrastructure][Ansible] Script to auto-upload / update ansible galaxy roles from SSG
  • cmake/SSGCommon.cmake: added check for override attribute
  • HTML table sanity check
  • [Easy Fix] Avoid 3 copy paste definitions of subprocess_check_output
  • Initial docs about ctest and adding tests to the cmake build system
  • [regression] Import ssgcommon in profile-stats
  • [Bugfix] New License
  • [Infrastructure][Enhancement] Use ctest instead of make validate
  • [Infrastructure][Bugfix][Enhancement] Update Vendor String in python files to ssgcommon.py
  • [Enhancement] Added description how to write new rules.
  • HTML tables for ANSSI Rules in RHEL7
  • [Bugfix] Fatal error if user attempts in-source build
  • [Infrastructure][Enhancement] Add common python module for centralizing reusable code
  • [Infrastructure][Bugfix] Apply to XCCDF file only the Rule and Group elements that apply to product being built
  • [Infrastructure] Added scanner of STIG IDs for rules in STIG profiles.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.37 Release Notes

@yuumasato released this Jan 3, 2018 · 1712 commits to master since this release

Highlights

  • New Profile DISA STIG for Apache HTTP for RHEL7 (#2474)
  • Support for Ansible remediations in SSG Test Suite (#2468)
  • Better content support for DISA STIG Viewer (#2418)

Profile

  • [Bugfix] Disable pt_chown rule
  • [Bugfix] Fix title of DISA STIG profile in RHEL6 DS.
  • [Enhancement] Add HTTP STIG and new RHT Product STIGs
  • Add GDM login banner checks to C2S profile.

XCCDF

  • [Bugfix] Deprecate RhostsRSAAuthentication as it has been deprecated in 7.4
  • [Bugfix] Fix two stigid mappings
  • [Bugfix] Remove references to pam_ldap.conf

OVAL

  • Add OVAL check and fix for RHEL-07-041001 rule.
  • [Bugfix] Fix gpgcheck OVAL to validate Scientific Linux gpg keys
  • [Bugfix] Check state of openssh-server package when sshd_required is unset
  • [Bugfix] Do not check library ownership in libexec
  • [Bugfix] RHBZ #1520493: Fix umask_for_daemons
  • [Bugfix] Fix StrictModes and KerberosAuthentication checks
  • [Bugfix] Fix typo in auditd OVAL files

Remediation

  • [Bugfix] Ansible: don't use spaces in custom.conf
  • [Bugfix] Added --follow-symlinks to sed commands in display_login_attempts.sh
  • [Bugfix] Updated aide_scan_notification remediation to run cron job as root
  • [Ansible][Enhancement] Add ansible content for accounts_password_pam_retry and accounts_password_pam_unix_remember
  • [Bugfix] Fix accounts_umask_etc_login_defs remediation
  • [Bugfix] Fix typos "local/d" -> "local.d"
  • [Bugfix] Fixed few remediation errors caused by missing include.
  • Fixes ansible remediations
  • Fix rhel7 ansible role

Infrastructure

  • Support for Ansible remediations in SSG Test Suite
  • Move build examples to rhel7
  • [Bugfix] Remove OVAL conf file usage and use ArgParse instead of sys.argv
  • Added pull request creation and workflow suggestions.
  • [Enhancement] Add STIG Rule ID to rules
  • [Bugfix][Infrastructure] Update CMake and python scripts to use OVAL versioning
  • [Bugfix][Infrastructure] Remove CCI formatting from shared table-srgmap XSLT
  • [Enhancement] Add test scenarios for whole permissions_important_account_files group.

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.36 Release Notes

@yuumasato released this Oct 31, 2017 · 1796 commits to master since this release

Highlights

  • Introduction of SCAP Security Guide Test Suite
  • Better alignment of RHEL6 and RHEL7 with DISA STIG
  • Remove JBoss EAP5 content due to being End-of-Life
  • New STIG Profile for JBOSS EAP 6
  • Updates in C2S Profile for RHEL 7
  • Variables can be directly tailored in Ansible roles
  • Content presents less false positives in containers
  • Major changes in directory layout
    • oval_5.11 directory removed
    • oval definitions moved to checks/oval
    • static checks are not in templates/static anymore

Profile

  • [Bugfix][Enhancement] Add remaining STIG XCCDF content for RHEL6 and RHEL7
  • [Bugfix] Remove rules no longer in rhel6 STIG profile
  • [Bugfix] Remove RHEL6 tests directory
  • [Enhancement] Add initial OCP3 structure, C2S Profiles, and CPE content
  • [Bugfix][Enhancement] SSG RHEL6 STIG alignment
  • [Bugfix] Add more rules to the C2S profile
  • [Bugfix] Fix XML in rhel7/profiles/C2S.xml
  • [Bugfix] C2S profile updates
  • [Bugfix] Align RHEL6 STIG profiles
  • [Bugfix] Update RHEL6 STIG References to the latest release
  • CJIS profile updates
  • [Enhancement] Add JBoss EAP 6 Rough Draft
  • [Enhancement] Updating C2S profile and CIS reference numbers with existing checks.

XCCDF

  • [Bugfix] Fixing CIS reference number for noexec on /tmp partition
  • [Bugfix] Remove old/automated references
  • [Bugfix] Mcafee related rules as machine only
  • [Bugfix] Add rpm_verify_ownership to rhel7 XCCDF
  • [Bugfix] Add XCCDF Value sshd_required to other products
  • [Bugfix] Add EFI specific permissions content
  • [Bugfix] Fix lock-delay variable description
  • [Enhancement] Adding /home nodev check for CIS rule 1.1.14
  • [Bugfix][Enhancement] Add JBoss Configuration Profile Variable
  • [Bugfix] Remove STIG idents
  • [Enhancement] Remove APPSRG in JBoss XCCDF
  • [Enhancement] Services are machine only
  • [Bugfix][Enhancement] Update RHEL6 references
  • [Bugfix] Assign CCEs to EAP6 content
  • [Bugfix] Add JBoss EAP 6 Titles
  • [Bugfix] Add missing RHEL6 STIGIDs
  • [Bugfix] Fix typo in SSH checklist
  • [Bugfix] Fix ntp/chrony maxpoll value description

OVAL

  • [Bugfix] OVAL service templates should check if service is running/not running
  • [Bugfix] Add disable_ctrlaltdel_burstaction OVAL
  • [Bugfix] Fix OVAL for chronyd_or_ntpd_set_maxpoll and add remediation
  • [Bugfix] Check both .socket and .service unit files in service templates
  • [Bugfix] OpenSSH 7.4 allows only Protocol 2
  • Check if sshd is expected by Profiles
  • [Bugfix] Allow time_clock_settime key to be set to any string
  • [Enhancement] Implemented a check for JBoss EAP6 file permissions
  • [Enhancement] Implemented logging directory permission checks for JBoss EAP6
  • [Enhancement] Added check to verify vault is present in config file
  • [Bugfix][Enhancement] Check for standalone-openshift.xml
  • [Bugfix][Enhancement] Eap64 jmx check
  • [Enhancement] Implemented more EAP 6 checks
  • [Enhancement] Implemented check to ensure that the JBoss EAP6 ROOT logger is at a valid Level
  • [Enhancement] implemented checks for JBoss EAP6 for silent authentication
  • [Bugfix] Update JBoss install OVAL check
  • [Enhancement] Implemented security manager check fixed other checks
  • [Bugfix] Implementation of configuration check for JBoss EAP6 Audit Log Configuration
  • [Enhancement] Add JBoss Vendor Supported OVAL File
  • [Bugfix] Update JBoss EAP CPEs and installed JBoss version OVAL check
  • [Infrastructure] [WIP] Remove .service from service OVAL template files

Remediation

  • [Bugfix] Enable chronyd_or_ntpd_set_maxpoll remediation to fix incorrect values of maxpoll
  • [Bugfix] gpgcheck_globally and gpgcheck_local fail on CentOS
  • [Bugfix] Ansible variable rework
  • [Bugfix] Add remote_src option to aide build db remediation - ansible
  • [Bugfix] Removed extra quotes in ansible audit_rules templates
  • [Bugfix] Login banners regex
  • [Ansible] Aide cron check
  • [Bugfix] Drop firewalld default zone and sshd port fixes
  • [Ansible] PR 2283 from Shawn
  • [Bugfix] Firewalld open sshd port
  • Add task to disable prelinking
  • PR 2245 from Shawn
  • [Ansible][Enhancement] ansible: ensure_gpgcheck_local_packages

Infrastructure

  • [Enhancement][Infrastructure] Remove oval_5.11 dir checks usage
  • [Enhancement] Add OVAL version to oval files
  • [Bugfix][Infrastructure] Add OpenSCAP XSL CMake Variable
  • [Bugfix] Remediations fixes refactoring
  • [Enhancement][Infrastructure] Include roles zipfile
  • [Bugfix][Infrastructure] Update create-stig-overlay.py
  • [Bugfix][Infrastructure] Update docs for new directory structure
  • [Bugfix][Infrastructure] Remove local utils directory
  • [Enhancement][Infrastructure] Move deprecated content list to User Guide
  • [Bugfix] Fix Application SRG web url to be more fine-grained
  • [Enhancement][Infrastructure] Flatten out product name directories
  • [Enhancement][Infrastructure] Move oval directory under the checks directory
  • [Bugfix][Infrastructure] Rename remediations directory to fixes
  • [Infrastructure] Rename and move platform/ directory
  • [Bugfix][Infrastructure] Rename auxiliary directory to overlays
  • [Enhancement][Infrastructure] Add Pull Request Template
  • [Bugfix][Infrastructure] Remove usage of templates/static/ directory
  • [Enhancement] Create issue template for future issues
  • [Enhancement] Increments developer-guide.adoc with information on how to contribute to SSG
  • [Bugfix] RHEL6 build fixes
  • [Bugfix][Infrastructure] Clean up OVAL versioning in combine-ovals.py
  • [Bugfix] Update JBoss STIG Overlay
  • [Enhancement][Infrastructure] Add creation of ${ZIPNAME}-nist.zip to new nist-zipfile target
  • [Bugfix] Improved document formatting
  • [Bugfix] Add realpath to testoval.py
  • [Bugfix] Updated regex to ignore some other filetypes
  • [Bugfix][Infrastructure] Update references transforms
  • [Bugfix][Infrastructure] Replace OSSRG with SRG
  • [Enhancement] Add JBoss stig_overlay.xml
  • [Enhancement] Update JBoss EAP CMakeLists.txt
  • [Enhancement][Infrastructure] Handle different SRG reference types in CMake
  • [Enhancement] HTML guide switcher fix for narrow screens
  • [Enhancement] Add JBoss STIG reference
  • [Bugfix][Infrastructure] Fix expansion of multiple bash populate instances
  • [Bugfix] template_BASH_sebool_var: Fix template missing remediation functions
  • start with a template for centos ci
  • PR 2286 from Shawn
  • [Enhancement] Rule title and other subs
  • SSG Test Suite

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.35 Release Notes

@yuumasato released this Aug 29, 2017 · 2275 commits to master since this release

Highlights

  • Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
  • Added several templates for OVAL checks
  • Removal of input directory
  • Many optimizations in build process
  • Different title for PCI-DSS Benchmark variants

Profile

  • [Bugfix] Refix selector for var_time_service_set_maxpoll
  • [Bugfix] Fix selector for var_time_service_set_maxpoll
  • [Bugfix] Removed extra whitespace around RHEL6 STIG profile titles
  • updated profiles to properly use description override
  • [Bugfix] update profiles to accept either DoD banner
  • [Bugfix] Fix refined value typo in RHEL6 FISMA profile

XCCDF

  • [Enhancement] Add firewalld and LDAP checks
  • [Bugfix] Fix for Issue 2264
  • [Bugfix] update ntpd maxpoll to align with DISA
  • [Bugfix] update severity of RHEL-07-021350 (fips=1) to HIGH to align w/DISA
  • [Bugfix] Add variable for dconf_gnome_screensaver_lock_delay
  • [Bugfix] Maxpoll should be set if chronyd is in use
  • Add dod_banners option to banner_login_text
  • [Bugfix][Enhancement] Package firewalld installed
  • [Bugfix] Use profile variable settings for login.defs to clear up scan results confusion
  • STIG Updates
  • RHEL-07-040460 - UsePrivilegeSeparation sandbox
  • [Bugfix] CCE for insmod auditing

OVAL

  • [Bugfix] change to also check inside of /etc/security/limits.d to verify core …
  • [Bugfix] Check if SSH keys are present before validating file permissions
  • [Bugfix] Update accounts_passwords_pam_faillock_deny to handle line skipping
  • [Bugfix] Check if aide is installed in OVAL and remediation scripts

Remediations

  • [Bugfix] Fixing issue 2205
  • [Bugfix] Ansible branch for issue 2205 RHEL 7.3 error: rpm_verify_permissi..
  • [Bugfix] re-enable remediation for net.ipv6.conf.all.disable_ipv6 = 1
  • [Ansible] ansible: account_disable_post_pw_expiration
  • Ansible accounts umask etc login defs
  • [Ansible] ansible: sssd_*
  • [Enhancement] dconf_gnome_screensaver_* ansible scripts
  • [Enhancement] GDM ansible scripts
  • [Enhancement] Set rsyslog_remote_loghost_address to default value "logcollector"
  • [Ansible] Creates file_permissions_* ANSIBLE remediation
  • [Ansible] Creates file_owner_* ANSIBLE remediation
  • [Ansible] ansible: dconf_gnome_disable_*
  • [Enhancement] Creates file_groupowner_* Ansible remediation
  • [Bugfix] Removes silent from the pam.d deny_root search/replace pattern
  • [Bugfix] fix audit syscall rule sed needs an escape character to properly run
  • [Bugfix] Adding update to fix_audit_syscall_rule to not use slashes
  • [Ansible] Creates audit_rules_privileged_commands ANSIBLE remediation
  • Disable remediation for "repo_gpgcheck=1"
  • Additional Ansible Scripts
  • [Bugfix] remove nullok, handle links
  • [Ansible][Enhancement] Firewalld ansible fixes
  • [Ansible][Enhancement] [ansible] security_patches_up_to_date

Infrastructure

  • Update Fedora CPEs
  • update manpage to have --oval-results in example
  • Removes platform column from file_groupowner csv
  • [Bugfix] add container_build to gitignore
  • [Enhancement] Add "PCI-DSS variant" suffix to every title of the PCI-DSS benchmark
  • [Enhancement] Remove input directory
  • [Enhancement] docs: How to create stig_overlay.xml
  • [Ansible][Enhancement] Creates templates for audit_rules_execution OVAL checks, BASH and ANSIBLE remediations
  • [Bugfix] Functions use return, "exit" exits whole script
  • [Bugfix][Infrastructure] Don't generate roles for empty profiles
  • Minor idtranslate fixes
  • [Bugfix][Enhancement] Minor PEP8 fixes in map_product_module.py
  • Skip non-bash remediation function script files
  • [Bugfix] Rebuild PCI-DSS XCCDF benchmark if the script or PCI-DSS ID json change.
  • [Bugfix] Use str.replace instead of re.sub in create_audit_rules_..
  • [Enhancement][Infrastructure] Creates template for audit_rules_usergroup_modification OVAL checks
  • [Ansible][Infrastructure] Template for audit_rules_privileged_commands
  • [Enhancement] Check that a trimmed key is not part of the result string after template sub
  • Creates template for audit_rules_login_events OVAL checks and BASH remediations
  • [Bugfix] Evaluate sed command
  • Creates template for audit_rules_file_deletion_events OVAL and BASH
  • [Bugfix] Fixed the variable substitution in template_OVAL_permissions
  • Creates template for audit_rules_unsuccessful_file_modification OVAL and BASH
  • Sorts the output of option --missing-fix in profile-stats.py
  • Fixes bug in relabel-ids.py regarding missing OVAL definitions
  • Adds CMakeLists.txt.user to .gitignore
  • [Bugfix][Infrastructure] %VAR% for template replace, @var@ for build system replace
  • [Bugfix] Dockerfile fixes
  • [Infrastructure] Updates python shebangs for virtualenv support.
  • [Infrastructure] Pci dss cjis ansible tags
  • [Infrastructure] Only consider PCI-DSS related rules when constructing the PCI-DSS tree
  • [Infrastructure] Ansible tags improvements
  • [Enhancement][Infrastructure] Minor speedups in templates
  • [Enhancement][Infrastructure] Minor cmake improvements
  • [Enhancement][Infrastructure] Version bump
  • [Bugfix][Enhancement][Infrastructure] Improved OVAL and OCIL generator elements
  • [Bugfix][Infrastructure] Combine ovals namespace fixes
  • [Bugfix] Pass the correct variable to the template in create services disabled
  • [Infrastructure] Make schematron OVAL validation optional but still default it to true (build time optimization)
  • [Infrastructure] Very minor optimization in srgmap XSLT (build time optimization)
  • [Infrastructure] Make SSG build more portable
  • [Bugfix][Disa Content Issues] Include AIDE installed in the STIG profile for RHEL7
  • [Infrastructure] Make stats
  • [Infrastructure] Generate roles from xccdf
  • [Infrastructure] Don't list templating file outputs as explicit deps for the targets (build time optimization)

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.34 Release Notes

@yuumasato released this Jun 29, 2017 · 2644 commits to master since this release

Highlights

  • Unification of where templates and csv reside
  • Optimization and clean up of build system
  • Lots of Ansible remediations added
  • Bash remediation functions file is now generated by build system

Profile

  • [Bugfix] Remove RHEL STIG in Debian content
  • fixed typo in OSPP profile
  • [Bugfix] Updating STIG References for RHEL7
  • [Enhancement] Add SUSE11 stig_overlay.xml
  • [Bugfix] Use @override for NIST 800 171 CUI profile

XCCDF

  • [Bugfix] Fix typo in mount_option_home_nosuid
  • [Enhancement] Add 'requires' and 'conflicts' to Rules and Groups in XCCDF XSLT templates
  • [Enhancement] Move OpenStack XCCDF to shared XCCDF
  • add support for NT28(R5) for Debian & Ubuntu
  • [Enhancement] Update SUSE11 and 12 XCCDF content to use shared XCCDF content
  • Fixed some SSSD related references
  • Fix more redhat guide links
  • [Bugfix] Update link to RHEL SysAdmin Guide - GRUB2 PW protection

OVAL

  • [Bugfix] Fix Webmin OVAL content by removing unnecessary definition check
  • [Bugfix] Check pam_retry OVAL check for cracklib configuration only for OS versions under 7
  • [Bugfix] Handle new Oracle JRE RPM naming scheme
  • [Bugfix] Fix prelink OVAL check
  • [Bugfix] Remove EAP5 references in EAP6 content and add temp OVAL file for builds to pass
  • [Enhancement] Provide a comment for network_sniffer_disabled
  • [Bugfix] Added OVALs for SSSD in RHEL6
  • [Bugfix] Fix accounts_have_homedir_login_defs false positive

Remediations

  • Initial work on audit_rules_dac_modification templating
  • [Bugfix] Fix remediation of commented line of account_disable_post_pw_expiration
  • [Enhancement] Update disable post password expiration remediation
  • Added ansible fix for rsyslog_remote_loghost
  • [Enhancement] Use templates for ANACONDA mount options remediation scripts
  • Added an ansible remediation for sshd print last log
  • Added ansible remediation for accounts_logon_fail_delay
  • Added missing file name needed for checking if aide fix is already done
  • [Bugfix] Make the aide_periodic_cron_checking bash remediation idempotent
  • [Bugfix] RHBZ#1461330: Add Anaconda remediation for rule "smartcard_auth"
  • [Enhancement] SELinux booleans bash and ansible remediation coverage
  • [Enhancement] Do not use jinja separators in when statements in ansible
  • [Bugfix] Fixed unterminated quotes in approved MACs ansible remediation
  • Few more ansible
  • [Infrastructure] Generate remediation functions
  • Fixing sed confusion for auditd remediation template
  • [Enhancement] Ansible coverage for sysctl remediations
  • Shared templates that are applicable everywhere should be marked as such
  • [Enhancement] Ansible coverage of accounts password
  • [Bugfix] Fix errors in audit remediation bash scripts
  • [Bugfix] Fix no rsh trust files bash remediation
  • SSH Ansible Content
  • [Bugfix] Fix typo in ANACONDA static templates
  • [Bugfix] Use double dash instead of a single dash in ANACONDA remediation temp…
  • Ansible RHEL7 scripts to shared/

Infrastructure

  • [Infrastructure] Import template generators (build time optimization)
  • [Infrastructure] Sds move ocils optimization (build time optimization)
  • [Infrastructure] Use element id cache instead of O(n^2) in combine-ovals.py (build time optimization)
  • [Infrastructure] Use xmllint nsclean (build time optimization)
  • [Infrastructure] Make build easier, improve error messages
  • [Bugfix] Evaluate $sed_command
  • [Bugfix] Remove multi-mount option capabilities in mount templates
  • [Enhancement] Using create_mount_options.py for RHEL7 rules
  • [Infrastructure] --skip-valid when composing datastreams (build optimization)
  • [Infrastructure] Optimized relabel ids (build time optimization)
  • [Enhancement][Infrastructure] Avoid repeatedly validating input when generating all roles (build time optimization)
  • [Infrastructure] Renamed the all roles timestamp marker file
  • [Bugfix] Ansible sshd protocol2 extension should be yml, otherwise it won't get picked up
  • [Enhancement][Infrastructure] Benchmark stats and CSV output in profile_stats.py
  • [Bugfix][Infrastructure] Reset parsed remediation attributes in combine-remediations.py correctly
  • Avoid warning about being unable to open output/unlinked-*-oval.xml
  • Better profile stats
  • Fix 'small' element namespace
  • [Bugfix][Infrastructure] Fix JBoss EAP platform mapping
  • SubElement would cause 2 appends which is not what we want
  • [Infrastructure] Look into parent for oval511 templates
  • [Infrastructure] Install remediation roles in content directory
  • [Infrastructure] Cmake delete checks remediations
  • [Bugfix][Infrastructure] Fix drop of OVAL checks extending non-existing definitions
  • [Infrastructure] Build only one test package
  • The great move
  • [Infrastructure] Removed product-make.include
  • combine-remediations and combine-ovals improvements
  • [Infrastructure] Use inbuilt python element tree
  • [Infrastructure] OVAL templating clean-up
  • [Infrastructure] use daemon_name instead of service_name if daemon_name differs
  • [Bugfix][Infrastructure] Escape the CMAKE_INSTALL_PREFIX again
  • [Bugfix][Infrastructure] Build table for ospp-rhel7, not ospp-rhel7-server
  • [Bugfix] Generate all roles, not just the last one
  • Fix installation path of guides and roles
  • [Infrastructure] @ANSIBLE_TAGS@ replacement for ansible fixes
  • [Infrastructure] Use a separate template for OVAL sebool when using a variable

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.33 Release Notes

@yuumasato yuumasato released this Apr 29, 2017 · 3009 commits to master since this release

Highlights:

  • DISA RHEL7 STIG profile alignment improved
  • Introduction of remediation roles
  • RPM and DEB test packages are built by CMake with CPack
  • Lots of remediation fixes

Profile:

  • adding initial SELinux booleans to OSPP
  • [Bugfix] Fix user login in RHEL7-OSPP kickstart
  • [Enhancement] Sorted rule names in OSPP profile
  • Update ftp profile title to proper form
  • [RHEL7] Update STIG profile names
  • [Bugfix] Fixed a typo in title of the FISMA profile for RHEL6
  • [Enhancement][SSG-DISA RHEL7 STIG Alignment] Additional DISA STIG alignments
  • Debian 8: ntpd service name is "ntp"
  • [RHEL7][SSG-DISA RHEL7 STIG Alignment] DISA STIG refactoring

XCCDF:

  • [issue 1842] nosuid on /home
  • update SSH checks with full list of FIPS Ciphers and MACs
  • update sshd xccdf/oval rules
  • XCCDF profile descr <= 80 chars, added periods, assigned missing CCEs

OVAL:

  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Evaluate if var_ntp_set_maxpoll is less than or equal
  • [Enhancement][RHEL7] Use variables in SELinux boolean OVAL content and enable in XCCDF
  • [Bugfix][RHEL7] update enable_dconf_user_profile to check if dconf installed
  • [Bugfix] Make rsyslog_remote_loghost scapval compliant
  • [Bugfix] Change external_variable accounts_umask_etc_login_defs
  • [Bugfix] Fix file_owner_cron_allow and file_groupowner_cron_allow checks

Remediations:

  • fix for ensure_redhat_gpgkey_installed remediation
  • Improve reliability of smartcard_auth remediation
  • Added remediation for aide_scan_notification rule.
  • [Bugfix] Fix remediation for accounts_logon_fail_delay
  • [Bugfix] Use unset IFS instead of unset $IFS
  • [Enhancement] Relabel when SELinux state is changed
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1875: Add a remediation script for aide_verify_ext_attributes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1874: Add a remediation script for aide_verify_acls
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1876: Add remediation script for aide_use_fips_hashes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1886: Add a remediation for rsyslog_remote_loghost
  • [Bugfix] [issue 1930] remove double quote from audit_rules_* remediations
  • [Bugfix] Fixed pam_faillock_deny_root remediation for RHEL 7.
  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Disable prelink in grub2_enable_fips_mode.sh
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1889: remediation sshd_use_approved_macs
  • [SSG-DISA RHEL7 STIG Alignment] Remediations for /etc/cron.allow ownership
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1880: Fix remediation for grub2_enable_fips_mode
  • [SSG-DISA RHEL7 STIG Alignment] Add remediations for mount options of removable partitions
  • [SSG-DISA RHEL7 STIG Alignment] missing and broken remediations
  • [Bugfix] RHBZ #1403905: Fix rules for removable media properties

Infrastructure:

  • Use @ccenum@ instead of $CCENUM for the token replacement
  • [Infrastructure] Remove stig-integration-stats.sh in favor of profile_stats.py
  • [Infrastructure] Build remediation roles
  • Re-enable generation of SELinux booleans OVAL checks from templates
  • [Bugfix] Protect variable expansion in replace_or_append
  • [Bugfix] Fix variable expansion in sysctl templates
  • Update manual on how to build a tarball, package and zipfile
  • [Infrastructure] Self implement subprocess.check_output for python 2.6
  • [Infrastructure] Bring shellcheck back
  • [Infrastructure] Fix svg detection
  • [Infrastructure] Build guides into build/guides instead of directly into build/
  • [Infrastructure] Build tables into build/tables
  • [Infrastructure] Remove global Makefile as cmake is the build system now
  • [Infrastructure] Drop OVAL checks whose extend_definition refs don't exist
  • [Infrastructure] Build zipfiles through CMake
  • updated README for Debian installation procedure
  • [Infrastructure] Enable building of RPM and DEB packages with CPack
  • [Bugfix][Infrastructure] Remove refresh-stig-refs.sh as it is replaced by create-stig-overlay.py
  • [Enhancement][Infrastructure] Update User and Developer guides to asciidoc format
  • [Infrastructure] Install kickstarts
  • [Infrastructure] Depend on the CPE dict when generating CPE files
  • [Enhancement] Add create-stig-overlay.py for STIG overlay generation

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.32 Release Notes

@yuumasato yuumasato released this Mar 29, 2017 · 3287 commits to master since this release

Highlights:

  • New CMake build system
  • Improved NIST 800-171 profile
  • Initial RHVH profile
  • New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
  • Template clean up in lots of remediations

Profile:

  • [Enhancement] Standard profile container
  • [Bugfix][Enhancement][Infrastructure] Add stig_overlay to CMAKE build
  • [Bugfix][Enhancement] Update RHEL7 Manual STIG references to release version 1
  • [Bugfix][Enhancement] Update RHEL7 STIG overlay to map to official DISA STIG release
  • [Enhancement] Add service_atd_disabled to RHEL6 STIG profile
  • [Bugfix] Remove ldap_client_start_tls check in RHEL7 STIG profile
  • [Enhancement] Debs: support for apt unauthenticated repository config check (ANSSI NT-28 - R15)
  • [Bugfix] Add RHEL6/PCI-DSS centric-benchmark
  • [RHEL7] Further NIST 800-171 profile work
  • [Bugfix][Draft RHEL7 STIG] Update RHEL/7 STIG content to match latest STIG ID mapping
  • [Enhancement][RHEL7] Add Initial RHVH profile
  • [Bugfix] Remove RHEL7 CCEs and STIGIDs from SUSE/12
  • Continuing NIST 800-171 profile development
  • [RHEL7] [issue 391] NIST mappings for restrict_nfs_clients_to_privileged_port…
  • [Bugfix] Fixed mismatched tags in RHEL7 nist_support.xml

XCCDF:

  • [Bugfix] Fix RHEL7 CCE-25892-0 typo
  • [Bugfix] Added description to file_ownership_var_log_audit rule.
  • [Enhancement] Adding Container and Machine-only CPEs in RHEL6 CPE dict.
  • [Enhancement] Marked RHEL 6 XCCDF Rules as machine-only when applicable.
  • [Enhancement] Marking more machine only rules
  • [Enhancement] Continue marking machine specific rules
  • [Bugfix][Draft RHEL7 STIG][RHEL7] [issue 1688] update XCCDF for selinux audit
  • Start marking rules that apply only for baremetal / VM environment or only for container environment
  • [Bugfix] Add missing minlen value for RHEL6 password variable
  • [Enhancement] Add PCIDSS mapping to RHEL6 XCCDF
  • [Enhancement][RHEL7] Add new audit rules to STIG profile and update auditing XCCDF ids
  • [Bugfix] Expand some XCCDF descriptions and fixes
  • [Enhancement] Add new httpd file permissions content
  • [Bugfix] Fix DConf typos and update gnome banners descriptions
  • Fixed wording in min password age description text
  • [Draft RHEL7 STIG] [Enhancement][RHEL/7] Update pam_faillock content to use and check for unlock_time=never
  • [bugfix] Fix 'cups_disable_browsing' XCCDF rule

OVAL:

  • [Bugfix] Support pam faillock with sssd enabled
  • [Bugfix] Another check for /var/tmp bind mounted to /tmp
  • [Bugfix] Check more paths with verify_rpm_hashes
  • [Bugfix] Fixing default value for secure_redirects.
  • [Bugfix] Passwd file password field shadowed value
  • [Bugfix] Fix file_ownership_library_dirs.xml
  • [Bugfix] Update smartcard auth OVAL to not require the esc package for non-GUI environments
  • [Enhancement] Added shared/oval/is_a_container.xml to further enable SSG
  • [Bugfix] Update RHEL/7 PAE OVAL check
  • [Bugfix][RHEL6] Fix xpath to handle empty element in gconf_gnome_disable_ctrlaltdel_reboot
  • [Bugfix][Draft RHEL7 STIG][Enhancement] Update Audit Rules OVAL
  • [Bugfix] Fix DConf OVAL typos
  • [Enhancement][RHEL6][RHEL7] Use https:// for CVE OVALs

Remediations:

  • [Enhancement] Improve sysctl remediations to use replace_or_append functions
  • [Bugfix] RHBZ #1413494: Fix the regular expression for SSHD Ciphers
  • [Bugfix] Allow audit to log read and write
  • [Bugfix][RHEL7] Added a new remediation to rule rsyslog_files_permissions, now it doe…
  • [Bugfix] Fixed ensure_gpgcheck_globally_activated rule remediation.
  • [Bugfix] bash remediations cleanup & fix
  • [Ansible][Enhancement] Add ansible remediations
  • [Enhancement] Misc audit remediations
  • [Enhancement] Remediation for sshd checks
  • [Bugfix] Don't limit Fedora template generation
  • [Enhancement] Use openscap-scanner instead of openscap-utils in RHEL/6 kickstarts
  • [Bugfix] Fix so we don't leave remedied config files without trailing newline.
  • [Bugfix] Fix Anaconda package install template typo
  • [Bugfix] typo in policy setting
  • [Bugfix] Use a more specific pattern match in the fix for require_singleuser_auth
  • [bugfix][RHEL/6] Fix kickstarts to use distribution content

Infrastructure:

  • [Bugfix][Infrastructure] Enable OSP product
  • Build zip archive and update usage
  • [Bugfix] Update path where compare_generated.sh looks for datastreams
  • [Bugfix] Enable more products with CMake
  • [Bugfix] Fix path of oval.config in testoval.py script
  • [Infrastructure] Let's go back to the old path /usr/share/xml/scap/ssg/content
  • [Infrastructure] template_common.py/create*py: Use classes
  • [Infrastructure] Change interface of create_*py
  • [Infrastructure] compare_generated.sh: Update for cmake structure
  • [Bugfix][Infrastructure] Move OVAL_5.11 static files
  • [Bugfix] RHBZ #1420038: Identify Red Hat Enterprise Virtualization Host as RHEL7
  • [Bugfix][RHEL7] Fix stig testinfo tables for RHEL6 and 7
  • [Infrastructure] Build HTML tables and guides when building product specific content
  • [Enhancement] oscap mangles paths of SDS components so we need to add them by relative path
  • [Enhancement][Infrastructure] Cmake build system
  • [Bugfix][Infrastructure] Issue #1718: Fix build using docker
  • [Infrastructure] Remove testoval.py clones
  • [Infrastructure] RHEL7: remove generated OVAL_5.11 package*installed.xml
  • [Infrastructure] RHEL6: Remove unused package_removed*xml
  • [Infrastructure] RHEL6: cleanup sysctl
  • [Infrastructure] RHEL6: Remove generated kernel module OVAL & Fix remediations to be idempotent
  • [Infrastructure] Fedora cleanup
  • [Bugfix][Enhancement] Add RHEL Client Variant Support
  • [Infrastructure] Debian8: clean generated files
  • [Infrastructure] Wrlinux: Remove old/unused files
  • [Bugfix][Infrastructure] Fix build without SVG
  • [Infrastructure] Webmin: Remove templates
  • [Infrastructure] Chromium: Remove puppet example
  • [Enhancement][Infrastructure] update Makefile to clean dist/tables
  • [Enhancement] Debs: add iommu=force check NT28(R11)
  • [Infrastructure] RHEL6 cleanup packages installed/removed
  • [Infrastructure] RHEL6: cleanup service_disabled & fix template_common.py: regex_replace
  • [Infrastructure] RHEL6: service*enabled cleanup
  • [Enhancement] Add support for both plain and regex file names in create_permission.py
  • [Bugfix] generate-from-templates: fix error when key does not exist
  • [Infrastructure][RHEL7] Cleanup rhel7 sysctl
  • [Infrastructure] RHEL7: remove package*installed.xml
  • [Infrastructure][RHEL7] Cleanup rhel7 kernel modules
  • [Infrastructure][RHEL7] Cleanup rhel7 package removed 5.11
  • [Infrastructure] Disable overriding of OVAL_5.11 by OVAL_5.10
  • [Enhancement] Add support for Ubuntu/trusty (14.04)
  • [Enhancement] Added to XCCDF shared transformations, so it will
  • [Enhancement] Docker build
  • [Bugfix] replace failing %doc glob
  • [issue 1607] Replenished Red Hat CCEs
  • [Enhancement][Infrastructure] Add JBoss/Fuse/6 to global Makefile
  • [Bugfix] Fix SUSE/11 and Webmin content build issues
  • [Bugfix][Enhancement] Generate guides outputs
  • Removed the old JBossFuse6 content, this content is obsolete and does…
  • [bugfix] Fix remaining duplicate ids
  • [bugfix] Fix some of the duplicate OVAL IDs
  • [Enhancement] [bugfix][Infrastructure] combine-ovals.py: print missing directory message
  • [bugfix][Infrastructure] combine-remediations.py: print missing directory message
  • [Infrastructure] make rpm to be consistent with Fedora's spec

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.31 Release Notes

@yuumasato yuumasato released this Nov 28, 2016 · 3956 commits to master since this release

Highlights (in order the changes have been merged):

  • New Wind River Linux profiles
  • Various STIG profile enhancements
  • Support for Ubuntu Xenial
  • Support for Ansible remediations
  • Refactored build process, with more shared content
  • Cleaner build system for RPM
  • Content passing NIST SCAP Content Validation Tool 1.2.1.15 requirements

XCCDF changes / enhancements:

  • [Bugfix][Fedora][RHEL/7] Fix grub XCCDF to reference 01_users for password/admin account
  • [BugFix][RHEL/6] Fix for issue #1319
  • [Enhancement][RHEL/7] Add Supported/Certified Vendor XCCDF
  • [Enhancement][RHEL/7] Update check-content-ref to use .bz2 version
  • [RHEL/7][Enhancement] Update DISA STIG references for existing content
  • [RHEL7] Updating SSG to align with DoD RHEL7 STIG Draft v2, where appropriate
  • [Enhancement] Additional STIG updates
  • [Enhancement][RHEL/7] Add SELinux Boolean XCCDF
  • [Enhancement][Infrastructure] Add XCCDF weblink macro
  • [RHEL7] Renamed the docker profile to "docker host"
  • [RHEL7] Suggest using SELinux to harden the container host
  • [Enhancement] Issue #1346: Add a check for configuration of Docker storage driver
  • [Enhancement] JBoss EAP 5 XCCDF and OVAL updates
  • [Enhancement] Initial WRLinux support
  • [Enhancement] Move Chromium, JRE, and Firefox XCCDF content to shared/xccdf
  • [Enhancement][RHEL/7] Add sshd port check content for firewalld
  • [RHEL6][RHEL7][Bugfix] Add content for samba-common package
  • [Enhancement] Organize Wind River Linux profiles
  • [Enhancement] Migrate more XCCDF to shared content
  • [RHEL7] Update RHEL/7 STIG profiles and add some missing CCEs
  • [Enhancement][Infrastructure][RHEL/7] Create shared_guide.xslt and move RHEL/7 XCCDF content to shared/xccdf
  • [Enhancement][Bugfix][RHEL/7] Various RHEL/7 STIG fixes
  • [Bugfix][Enhancement] Break out HBSS Rules and update integrity groups
  • [Bugfix][Enhancement][RHEL7] STIG update for RHEL/7 add additional dconf settings
  • [Bugfix][Infrastructure] Don't include @platform in element
  • [Bugfix] Add missing element to group
  • [RHEL7] DISA usage
  • [RHEL6][RHEL7] updating DoD STIG profile language to include DISA FAQ
  • [Bugfix] Rename PCI-DSS centric profile ID
  • [Enhancement][RHEL7] Converted XML comment DISA STIG note to XHTML
  • [Bugfix] Align SSG to DISA RHEL6 V1R13 content
  • [RHEL6] RHEL6 CCI updates
  • [RHEL7][Bugfix] Fix SSH private key permissions
  • [Enhancement] add support for Ubuntu Xenial in SSG. Based on Debian 8
  • [Fedora][RHEL7][Bugfix][shared] Fix paths in bootloader password check
  • [RHEL7][BugFix] Fix for downstream RH BZ#1344581
  • [Enhancement][RHEL7] Fix description and title in sshd_disable_rhosts_rsa
  • [Enhancement][RHEL7] Fix regex in sshd_disable_user_known_hosts
  • [Bugfix] Fix and Build FISMA RHEL/6 profile
  • [Bugfix][RHEL6] Fix FTP server profile ID

OVAL check changes / enhancements:

  • [RHEL6][RHEL7][Bugfix] Add installed_OS_is_certified OVAL for RHEL systems
  • [Enhancement][shared] Examine limits.d/*.conf for maxlogins
  • [BugFix][Debian/8] When extending ANSSI profiles don't inherit the title and description from the parent profile
  • [RHEL/6] Replace double space in selected elements with single one
  • [BugFix][Infrastructure] Fix for issue #1275 Also fix couple of instances of issue #50
  • [Bugfix] verify-references.py - use proper OVAL paths, unused OVALs are no longer an error
  • [RHEL6][RHEL7][Bugfix] Check for ssl = required or ssl = yes in dovecot/conf.d/10-ssl.conf
  • [Bugfix] Revisit OVAL for "accounts_max_concurrent_login_sessions" ru…
  • [Enhancement][Bugfix] Allow multiple maxlogin specifications in /etc/security/limi…
  • [Bugfix] Fix build-remediations for oval_5.11
  • [Bugfix] Move SSSD OVAL content to oval_5.11
  • [Enhancement] add /etc/cron.daily check to aide_periodic_cron_checking
  • [Bugfix][RHEL7] Correct default and other values in var_password_pam_difok
  • [Bugfix][RHEL7] Add STIG default value to var_accounts_password_minlen_login_defs
  • [Enhancement][RHEL7] STIG Update RHEL/7: Add new SSHD and AIDE XCCDF content
  • [Enhancement][RHEL7] RHEL/7 STIG update: Add new cron content
  • [Enhancement][Bugfix][RHEL7] Add AIDE OVAL content for new AIDE XCCDF
  • [Bugfix] Add OS Certification check for AIDE FIPS OVAL

Ansible changes / enhancements:

  • [Ansible][Enhancement] Initial ansible support (rhel7)
  • [Ansible][Enhancement] ansible service disabled (rhel7)
  • [Ansible][Enhancement] RHEL7: Add ANSIBLE_kernel_module_disabled
  • [Ansible] Disable POST password expiration
  • [Ansible] create_permission: merge & add ansible
  • [Ansible] another ansible scripts

Remediations:

  • [BugFix][RHEL/7] RHEL-7 remediation for 'no_empty_passwords' rule is missing --follow-symlinks currently. Fix that and unify the remediations
  • [Fedora][RHEL6][RHEL7][BugFix] Fix remediations without platforms
  • [BugFix][RHEL/7] Rewrite RHEL-7 remediation for 'smartcard_auth' rule
  • [RHEL7] MollyJoBault remediation scripts + fixes by Shawn
  • [Bugfix][RHEL6][RHEL7] Added newline to MACs remediation
  • [Enhancement][Infrastructure] Enhance remediation attributes
  • [Bugfix][RHEL/7] Various remediation script fixes
  • [Bugfix] Don't bleed remediation content into irrelevant other remediations in…
  • [Infrastructure] RHEL7 generate accounts_password
  • [Enhancement][Infrastructure] Add CCE identifiers to scripts that contain the 'CCENUM' keyword
  • [Enhancement][Infrastructure] Addremediations xslt simplification
  • [Infrastructure] Build remediations refactoring
  • [Enhancement][Infrastructure] Add Anaconda Remediation Scripts
  • [Enhancement][Infrastructure] Add Puppet Remediation scripts
  • [Enhancement] [issue 1369] idempotent kernel modules

Infrastructure:

  • [BugFix][Infrastructure] Fix parallel make
  • [Enhancement][Infrastructure][RHEL/7] Migrate more local XSLT to shared XSLT
  • [Infrastructure][Enhancement][RHEL/6][RHEL/7] Fix for #1297 (include the HTML tables and available kickstarts) into produced RPM
  • [Bugfix][Enhancement][Infrastructure] Map OSSRG to DISA SRG URI
  • [Enhancement][Infrastructure] Add vendor variable
  • [Enhancement][Infrastructure] Add custom CCE and Reference capability for Corporate Policies
  • [Enhancement][RHEL/7] Finished moving RHEL7 XSLT to shared XSLT
  • [Infrastructure][Bugfix][infrastructure] Add product stig name variable to shared_xccdf2stigformat.xslt
  • [Enhancement][Infrastructure] Update local XLST content to use shared XSLT
  • [Bugfix] Update SSG project web URL in content
  • [Fedora][Infrastructure] Remove Fedora 22 support
  • [Bugfix][Infrastructure] Fix various testoval.py issues
  • [Enhancement][EAP/5] Add build capability and cleanup
  • [BugFix][Infrastructure] Get rid of duplicate definition of selected OVAL entities (fix for part of #50)
  • [Infrastructure] Utils transforms refactoring
  • [Enhancement] PCI-DSS centric benchmarks for RHEL6 and 7
  • [Infrastructure][BugFix] Add missing <title> and elements for the 'certified-vendor' xccdf:Group
  • [Infrastructure][Bugfix][infrastructure] Remove rhel5 naming from table generation
  • [Infrastructure] Default to the number of CPUs in build-all-guides.py for the number of jobs
  • [Infrastructure][RHEL7] Update rhel7-cpe-dictionary.xml
  • [Infrastructure] Update files by generated versions
  • [Enhancement] Add initial OpenSUSE and SUSE build directories
  • [Bugfix] Makefile fixes
  • [Infrastructure] Refactor template - create_*.py
  • [Infrastructure] Move validate-bash to shared makefile
  • [Infrastructure][Enhancement][Infrastructure] Update disa references
  • [Infrastructure] Don't destroy targets, cp instead of mv. That way rebuilds are faster.
  • [Infrastructure] combineremediations.py to support multiple directories as input
  • [Infrastructure] Use os.path.join instead of string concat for better sanity checks
  • [Infrastructure] Move generated scripts
  • [Bugfix] Fix doubled fixes
  • [Infrastructure] combineovals: remove deprecated branch of code
  • [Infrastructure] Parallelize the "validate" target
  • [Enhancement][Infrastructure] Introduce "profile-stats.py" helper
  • [Infrastructure][Enhancement] Enhance the 'profile-stats.py' helper yet
  • [Infrastructure] End with fatal error if the remediations XML doc can't be loaded
  • [Infrastructure] Combine OVAL - stop copying generated oval
  • [Infrastructure] Move templates & split generations
  • [Infrastructure] RHEL5/Fedora use bash templates
  • [Infrastructure] shared: add template for BASH permission [SMALL]
  • [Infrastructure] Shared: Generate bash - init version
  • [Infrastructure] Fix prefix path for shared remediations
  • [Bugfix] Fix minor mkdir issue
  • [Enhancement] Consolidate common README files and update
  • [Infrastructure] xccdf-addremediations.xslt: Refactor
  • [Infrastructure] Rhel6 use generated bash
  • [Infrastructure] create_BASH_permission.py: Remove forgotten print()
  • [Infrastructure] Shared: generate package_removed
  • [Infrastructure] Shared: generate kernel_module_disabled
  • [Infrastructure] Shared: generate package_installed
  • [Infrastructure] Templates rhel7 permissions
  • [Infrastructure] Templates rhel7
  • [Infrastructure] rhel6 permissions
  • [Infrastructure] rhel5: Generate file permissions
  • [Infrastructure] Remove duplicates remediations
  • [Infrastructure] Fix remediations
  • [Infrastructure] Introduce file generator
  • [Enhancement][Infrastructure] Use shared_guide.xml for content and additional fixes
  • [Infrastructure] compare_remediations
  • [Infrastructure] create_package_(removed_installed) merge
  • [Infrastructure] Remove duplicates templates
  • [Infrastructure] Duplicates finder
  • [Infrastructure] Add support to restrict targets in csv file
  • [Enhancement] share architecture rules more easily
  • [Bugfix][Infrastructure] Remove RHEL idents for derivative OSes
  • [Bugfix] Fix RHEL7 CCP idrefs
  • [Enhancement][Infrastructure] Add shared intro XCCDF
  • [Bugfix][Infrastructure] .gitignore all files in templates/output
  • [Bugfix] Correct filenames for EL7 derivatives in OSP configurations.
  • [Bugfix] Various Fixes
  • [Infrastructure][Bugfix] Ignore 'THIS FILE IS GENERATED' comments when combining remediation scripts
  • [Enhancement] Check dangling references in all products
  • [Bugfix][Infrastructure] fix ansible xccdf sub
  • [Enhancement] Add CPE for WRLinux
  • [Bugfix][Enhancement] Python transformation scripts refactoring
  • [Enhancement] Add complexity, disruption, reboot, and strategy attributes to script templates
  • [Bugfix] Remove remaining chkconfig scripts from RHEL7
  • [Bugfix][Infrastructure] Remove old "suse" mapping.
  • [Bugfix][Infrastructure] Various SUSE build fixes
  • [Infrastructure] Auto-generate contributor lists
  • [Bugfix] Fixed build issues in SUSE and added sample rules.
  • [Infrastructure] Introduce build_remediations.py
  • [Bugfix] Correct minor typo
  • [Bugfix] fix cut-n-paste error in SE Linux daemon rule comment
  • [Infrastructure] Get rid of attestation references
  • [Bugfix] Fix minor typoe (sic)
  • [Infrastructure][Bugfix][RHEL/6] Fix build-remediations.py when cleaning on RHEL/6
  • [Infrastructure] Remove underused targets (mainly building upstream RPMs)
  • [Infrastructure] Do not install the shared remediation_functions file
  • [Infrastructure] Clean old remediation files
  • [Infrastructure] Compare generated - add oval
  • [Enhancement][Infrastructure] Utils transforms move refactor
  • [Bugfix] Fix zipfile tarball
  • [Infrastructure] Deduplicate remediation templates
  • [Infrastructure] Move built remediations away from templates
  • [Infrastructure] Split shared generate-from-templates calls into bash, ansible and oval
  • [Enhancement][Infrastructure] New install location
  • [Enhancement][Infrastructure] Purge mystery unused files
  • [Infrastructure][Bugfix][infrastructure] Don't fail make install if soft link already exists
  • [Infrastructure] RPM building is back!
  • [Infrastructure][Bugfix] Update append_or_replace sed in remediation_functions.xml
  • [Bugfix] Updating invalid e-mail in Author list
  • [Bugfix][Infrastructure] Fix Philippe Thierry's email mapping in generate-contributors.py
  • [Bugfix] Add 'DO NOT EDIT' comments to Contributors files
  • [Bugfix][RHEL6][RHEL7] Add Fedora and RHEL profiles descriptions to man
  • [Infrastructure] Simplify Makefile clean target $(OUT) file/directory removal
  • [Bugfix] Build RHEL6 guides for profiles desktop and ftp
  • [Enhancement] Ubuntu build packages

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.30 Release Notes

@iankko iankko released this Jun 24, 2016 · 4858 commits to master since this release

Highlights (in order the changes have been merged):

  • [Enhancement] [RHEL/7] Port existing CNSS No.1253 (nist-CL-IL-AL) profile from RHEL-6 to RHEL-7 (Fixes #858)
  • [Enhancement] [RHEL/7] Content passes ScapVal-1.2.14.1 requirements
  • [Enhancement] [RHEL/7] Assign CCE identifiers to RHEL-7 rules
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement] [Debian/8] Add profile for each ANSSI hardening level for NP targets (ansi_np_nt28_eleve, ansi_np_nt28_intermediaire, ansi_np_nt28_minimal, ansi_np_nt28_restreint)
  • [Enhancement] Don't rely on absolute path of the shell remediation functions library to be able to perform remediations (remediations are now part of benchmarks themselves)

XCCDF changes / enhancements:

  • [Fedora] Separate dconf settings into dedicated 'Gnome Desktop Environment' XCCDF section
  • [RHEL/6] Move most GNOME checks into their own file, Add new GNOME XCCDF and OVAL content (Fixes #1205)
  • [Enhancement][RHEL/7] Create a STIG for GUI-enabled systems (Create a RHEL7 GUI STIG, Create a RHEL7 Workstation STIG for future use, Remove DConf checks from the stig-rhel7-server-upstream profile and add to the new stig-rhel7-server-gui-upstream profile) (Fixes #481)
  • [BugFix] [RHEL/7] Fix multiple invalid selector warnings when scanning against "stig-rhel7-server-upstream" profile
  • [BugFix] [RHEL/6] [RHEL/7] Add warning note for ctrl-alt-delete key sequence
  • [Enhancement][RHEL/6] Add STIG GUI profiles for RHEL6
  • [Enhancement][RHEL/7] Disable CTRL-ALT-DEL in GUI profile
  • [Enhancement][RHEL/7] Add SELinux boolean XSLT macros (Add a single enable/disable SELinux boolean macro, Add a single enable/disable SELinux boolean check macro)
  • [Enhancement][RHEL/7] STIG updates for yum (Fixes #1122, Fixes #1123, Fixes #1124)
  • [Enhancement][RHEL/7] STIG update for sssd content (Add new SSSD content, Fixes #1158, Fixes #1157, Fixes #1156, Fixes #1017)
  • [Enhancement][RHEL/7] stig update for pam settings (Fixes #1136, Fixes #1155, Fixes #1159)
  • [Enhancement][RHEL/7] Add RHEL/7 STIG Reference Identifiers (Add RHEL/7 STIG identifier, Add RHEL/7 OS URI Link)
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement][RHEL/7] Add initial sudoers content (Add initial sudo content to check for NOPASSWD and !authenticate in sudoers for RHEL7 STIG, Fixes #1015)
  • [Enhancement][RHEL6/7] Add FIPS XCCDF and OVAL content (Adds FIPS GRUB & GRUB2 XCCDF and OVAL content, Fixes #998)
  • [Enhancement][Fedora][RHEL/7] Add UEFI XCCDF/OVAL content (Add new UEFI XCCDF/OVAL content, Make sure that if /boot/grub2.cfg or /boot/efi/EFI//grub.cfg does not exist to not fail the check, Fixes #1162)
  • [BugFix] [RHEL/7] [Fedora] Update form of 'disable_interactive_boot' rule for Systemd (RHEL/7, Fedora) based systems (update all XCCDF, OVAL, and remediations)
  • [Bugfix] Move Chromium XCCDF content to XCCDF directory
  • [Bugfix] FIPS grub XCCDF and OVAL
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Rewrite XCCDF prose for 'no_shelllogin_for_systemaccounts' rule not to mention hardcoded UIDs (use UID_MIN instead)
  • [BugFix] Fix unreferenced 'file_permissions_ungroupowned' OVAL for Fedora content (https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/400/label=node-el6-openscap-new/consoleFull)
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Modify 'standard' profiles to comment out the rules currently returning 'notapplicable' result (needs investigation of reasons why it's behaving so, and fixing the issues prior re-enabling them back)

OVAL check changes / enhancements:

  • [BugFix] [RHEL/7] Fix for issue #1227
  • [Enhancement][RHEL/7] Add SELinux OVAL templates (Add initial sebool OVAL templates, Create new shared/template folder for future template consolidation work)
  • [BugFix] updating RHEL5 file_permissions_ungroupowned to use shared/version
  • [Enhancement] Add PPC and PPC64LE System Architecture (Add PPC and PPC64LE OVAL checking support)
  • [Enhancement] Examine /etc/profile.d/*.sh for TMOUT
  • [Bugfix][RHEL6/7] Add IPv6 equivalents to IPv4 sysctl (Adds IPv6 XCCDF/OVAL content that is equivalent to IPv4 sysctl XCCDF/OVAL content NOTE: Not all IPv4 sysctl XCCDF/OVAL content has corresponding IPv6 sysctl equivalents, Fixes #1214)
  • [RHEL/7] [bugfix] Check for FIPS in DEFAULT grub line if DEFAULT line exists
  • [BugFix] [shared] Rewrite OVAL for 'no_shelllogin_for_systemaccounts' rule so it wouldn't always perform the check on hardcoded <0, 499> UID range
  • [BugFix] [RHEL/7] Modify RHEL-7 OVAL for 'install_PAE_kernel_on_x86-32' rule not to fail on 64-bit (any non-32-bit system)
  • [BugFix] Fix indentation issue for file_permissions_ungroupowned OVAL (https://github.com/OpenSCAP/scap-security-guide/pull/1296/files#r67556952)

Build System Bug Fixes:

  • [Enhancement][BugFix] Jboss Fuse 6 build fixes & enhancements (Part of #1046)
  • [BugFix] Minor JBoss 6 build fixes
  • [BugFix] [RHEL/7] Generate xccdf:metadata (Dublin Core , , (s), and elements) dynamically for RHEL-7 benchmark from the content of Contributors.md file (and other internal variables)
  • [BugFix] [Debian/8] [Fedora] [Firefox] [Chromium] [JBoss/Fuse/6] [JRE] [OpenStack/RHEL-OSP/7] [RHEL/5] [RHEL/6] [RHEVM3] [Webmin] Generate xccdf:metadata element of Debian/8 benchmark dynamically (from content of Contributors.md and value of selected internal values)
  • [Enhancement] [RHEL/7] Apply the newly introduced shell variables and remediation functions XCCDF expansion (translation into XCCDF <sub> elements) against RHEL-7 benchmark
  • [Enhancement][Infrastructure] Apply the new remediations as xccdf:Value functionality to the remaining benchmarks too (Webmin, RHEVM3, RHEL/6, RHEL/5, OpenStack/RHEL-OSP/7, JRE, JBoss/Fuse/6, JBoss/EAP/5, Firefox, Fedora, Debian/8, and Chromium)
  • [BugFix] Multiple fixes in expand_xccdf_subs() routine of the combineremediations.py helper
  • [BugFix] [Infrastructure] Fix currently failing 'make content' for RHEL/6 content due to undefined 'cisuri' variable (Fixes #1288)

Infrastructure:

  • [Fedora] Add Fedora 25 CPE to Fedora benchmark
  • [BugFix] [Infrastructure] add_cce_id_refs_to_oval_checks routine - When propagating CCE identifiers from XCCDF to specific OVAL verify particular CCE ID has correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X') (Fixes #1228, #1229, #1230)
  • [BugFix] [Infrastructure] Verify if CCE identifiers listed in various SSG XCCDF benchmarks have the correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X')
  • [BugFix] Use proper rule names in various RHEL/5, RHEL/6, RHEL/7, and RHEVM3 profiles
  • [Bugfix][Infrastructure] Print message for unused remediation scripts during build
  • [Enhancement] Don't rely on the absolute path of the remediation functions library when performing remediations (Instead of that transform necessary shell variables and remediation functions calls into corresponding XCCDF <sub> elements to be present directly in the benchmark, Fixes #590, Fixes #1055)
  • [Enhancement][Infrastructure] Remove Red Hat identifiers from derivatives
  • [Enhancement][Bugfix][Infrastructure] Update constants XSLT
  • [Enhancement][Infrastructure] Add new shared_shorthand2xccdf.xslt
  • [Enhancement][Infrastructure] Update more content to use shared_shorthand2xccdf.xslt (Enhances Fedora, Debian, RHEL-OSP, and RHEL5/7 to use the new shared_shorthand2xccdf.xslt)
  • [Enhancement][Infrastructure] Add auditctl-syscall macro
  • [BugFix] [Infrastructure] Introduce $(SHARED)/$(OUT) directory
  • [Enhancement] [Infrastructure] Use "hidden" and "prohibitChanges" attributes set to "true" for xccdf:Values representing remediation routines
  • [BugFix] [Infrastructure] Perform a sanity check while performing XCCDF <sub idref=...> substitution for remediation functions (Exit with failure (1) if some of the functions weren't substituted properly)
  • [BugFix] [Infrastructure] When performing XCCDF <sub> substitution expand also functions not having some arguments in the function call
  • [BugFix] [Infrastructure] If some of the remediation functions recursively call another remediation function, we need to define the called function as well

Full list of issues and pull requests closed in this release