Releases · ComplianceAsCode/content

06 Mar 15:57

github-actions

v0.1.80

a1b3236

Content 0.1.80 Latest

Latest

Important Highlights

[Ubuntu] Enable rules for sshd dropin files for cis (#14326)
Align OL8 to STIG V2R6 (#14234)
CMP-3978: Incorporate SSH version into obsolete parameter rules (#14189)
Enable dropin files in sysctl template for OL (#14277)
Move RHEL Control files to product files (#14257)
New Profile for RHEL10: BSI (#14197)
Remove rule configure_ssh_crypto_policy from RHEL 9 and 10 (#14263)
Remove XSLT templates (#14267)
RHEL: use dropin files when remediating sysctl rules (#14353)
SLE16 create hipaa profile (#14278)
SLE16 create PCI DSS 4 profile (#14338)
Update Fedora CIS profile (#14268)
Update hipaa profile for OL8 (#14125)
Update OL9 e8 profile to use control file (#14327)
Update OL9 STIG profile (#14334)
Update OL9 STIG V1R3 (#14233)
Update RHEL 8 CIS profile (#14269)
Update RHEL 8 STIG control file to align with DISA STIG v2r6 (#14375)
Update RHEL 9 CCN profile (#14321)
Update RHEL 9 STIG content to align with DISA STIG v2r7 (#14382)
Use Sequoia in RHEL 10 instead of GPG (#14193)

New Rules and Profiles

Add audit monitoring for SELinux policy changes in /var/lib/selinux (#14367)
Add new package rules for RHEL 8 CIS (#14284)
Add new rule accounts_passwords_pam_faillock_unlock_time_with_zero (#14188)
Add new rule disable_weak_deps (#14173)
Add new rule xwayland_disabled (#14183)
Add new rules for /etc/sysconfig/sshd (#14283)
Add rule accounts_user_interactive_home_directory_on_separate_partition (#14370)
Add rules for access to all files under /boot/grub2 (#14199)
New rule accounts_password_pam_modules_in_authselect_profile (#14279)
RHEL 10 CIS: Implement 6.2.1.4 (#14242)
SLE16 create hipaa profile (#14278)
SLE16 create PCI DSS 4 profile (#14338)
Use Sequoia in RHEL 10 instead of GPG (#14193)

Updated Rules and Profiles

[stab]: sysctl_kernel_core_pattern_empty_string: align with template (#14451)
accounts_password_pam_unix_no_remember: fix test scenarios and remediations (#14215)
Add available CCEs for SLE16 (#14167)
Add firewalld-backend to RHEL 10 CIS profile (#14205)
Add rule accounts_password_pam_pwhistory_enforce_for_root (#14264)
Add rule no_invalid_shell_accounts_unlocked to RHEL CIS (#14236)
CIS: implement controls so that "remember" is not used together with pam_unix (#14202)
drop controls no longer present in the latest RHEL 9 STIG (#14356)
expand chronyd_specify_remote_server to be aligned with CIS (#14241)
fix copy-paste errors in description (#14175)
Fixes for auditing rules in sle15 and sle16 previously disabled (#14132)
mount_option_nodev_nonroot_local_partitions: ignore vfat partitions (#14379)
Remove rule configure_ssh_crypto_policy from RHEL 9 and 10 (#14263)
Remove rule sshd_use_strong_kex from CIS profiles (#14262)
RHEL 10 CIS: align variable with control 5.4.1.5 (#14184)
RHEL 10 CIS: improve controls related to pwd hashing algos (#14247)
SLE 15/16 directory access var log audit (#14186)
SLE15 and SLE16 dconf related patches (#14153)
SLE16 fix for grub2_uefi_pass (#14330)
Sle16 libreswan approved tunnels (#14320)
Support journald drop-in config on Ubuntu (#14255)
Update hipaa profile for OL8 (#14125)
Update OL profiles for not applicable rules (#14126)
Update RHEL 8 CIS profile (#14269)
Update RHEL 8 STIG control file to align with DISA STIG v2r6 (#14375)
Update RHEL 9 CCN profile (#14321)
Update RHEL 9 STIG content to align with DISA STIG v2r7 (#14382)
Update RHEL8 STIG to V2R5 (#14198)
Use Sequoia in RHEL 10 instead of GPG (#14193)

Changes in Remediations

[stab]: sysctl_kernel_core_pattern_empty_string: align with template (#14451)
[Stabilization] Fix drop in template to ignore commented out lines (#14441)
accounts_password_pam_unix_no_remember: fix test scenarios and remediations (#14215)
Add python script to refresh the ansible galaxy roles on RedHatOfficial (#14190)
Drop unneeded sudo in bash remediation (#14396)
Fix ansible roles dependencies (#14303)
Fix Ansible sysctl template (#14161)
Fix conditional in no_shelllogin_for_systemaccounts remediation (#14206)
Fix Jinja filter in Ansible task in mount_option template (#14345)
Fix SELinux ansible variable name conflict (#14346)
Fixes for auditing rules in sle15 and sle16 previously disabled (#14132)
mount_option_nodev_nonroot_local_partitions: ignore vfat partitions (#14379)
pwquality and pwhistory fixes (#14095)
rhel kickstarts: decrease some partition sizes (#14381)
RHEL: increase /boot partition size in kickstarts (#14351)
Skip nodev mount option for polyinstantiated dirs (#14374)
SLE 15/16 directory access var log audit (#14186)
SLE related fixes for pam_faillock configuration file (#14131)
SLE15 and SLE16 dconf related patches (#14153)
Sle15 logind session timeout rule fixes (#14271)
SLE16 fix sysctl related ansible remediations (#14329)
stabilization: fix ansible of ensure_redhat_gpgkey_installed (#14518)
Update list of profiles in the ansible roles generation (#14191)

Changes in Checks

[stab]: sysctl_kernel_core_pattern_empty_string: align with template (#14451)
mount_option_nodev_nonroot_local_partitions: ignore vfat partitions (#14379)
pwquality and pwhistory fixes (#14095)
Sle15 logind session timeout rule fixes (#14271)
SLE16 fix for grub2_uefi_pass (#14330)

Changes in the Infrastructure

Fix controleval_metrics.py for having per product controls (#14166)
Remove pkg resources (#14142)
Remove trailing slash for Fedora gating (#14216)
Remove XSLT templates (#14267)
Use ATEX from PyPI + compress uploaded files (#14276)

Changes in the Test Suite

accounts_password_pam_unix_no_remember: fix test scenarios and remediations (#14215)
Add ATEX testing to the upstream CI workflows (#14203)
SLE15 and SLE16 dconf related patches (#14153)

Fixed Bugs

[stab]: sysctl_kernel_core_pattern_empty_string: align with template (#14451)
accounts_password_pam_unix_no_remember: fix test scenarios and remediations (#14215)
Add rule accounts_password_pam_pwhistory_enforce_for_root (#14264)
Adjust variables for banner_etc_issue (#14343)
build: wrap nested conditionals in braces if they contain logical operators (#14280)
Fix sshd param_conflict_directory.fail.sh tests (#14349)
mount_option_nodev_nonroot_local_partitions: ignore vfat partitions (#14379)
Move back to dhcp on RHEL 8 CIS (#14291)
Remove rule configure_ssh_crypto_policy from RHEL 9 and 10 (#14263)
Remove rule sshd_use_strong_kex from CIS profiles (#14262)
RHEL: increase /boot partition size in kickstarts (#14351)
Shadow test scenario - service_systemd-journal-upload_enabled (#14265)
stabilization: fix ansible of ensure_redhat_gpgkey_installed (#14518)
Update rules related to /var/log/audit (#14286)
Use architecture filter in audit_rules_privileged_commands (#14336)

Assets 8

28 Nov 14:23

github-actions

v0.1.79

f9596bd

Content 0.1.79

Important Highlights

Add rhcos4 Profile for BSI Grundschutz (#13121)
Create SLE15 general profile (#13882)
Fix crypto policy settings in RHEL CIS profiles (#14120)
Refresh CIS Control File for RHEL10 release 1.0 (#13870)
Remove deprecated CIS OpenShift 1.4.0 and 1.5.0 profiles (#13832)
Remove OCP STIG V1R1 (#13848)
Remove OCP STIG V2R1 (#13849)

New Rules and Profiles

Add rhcos4 Profile for BSI Grundschutz (#13121)
Create SLE15 general profile (#13882)
Fix crypto policy settings in RHEL CIS profiles (#14120)
Sle16 base control (#13965)

Updated Rules and Profiles

[Ubuntu] Remove xserver-common (#13893)
[Ubuntu] Allow sys uid and empty user group (#13825)
[Ubuntu] Enable guard var for time sync and firewall rules (#13881)
[Ubuntu2404] Fix root_unlock_time value (#13884)
Add a warning for aide_build_database (#13868)
Add e8 rules to ism control so that references work (#14022)
Add GUI to title for RHEL 10 GUI STIG Profile title (#14054)
Add rule file_at_allow_exists to RHEL CIS profiles (#14137)
Add rules to check sshd drop in permissions to RHEL 10 CIS 5.1.1 (#14063)
Add rules to RHEL 10 CIS 7.1.10 (#14064)
Add SRG to SSSD package and service rules (#13872)
automate controls regarding maxseq in RHEL 8 and 9 CIS (#14135)
Ensure that all rules in RHEL ANSSI have references (#13867)
Fix bug in gdm banner deregexify (#14092)
Fix crypto policy settings in RHEL CIS profiles (#14120)
Fix SLE15 pam tally2 rules (#14039)
Move ISM O references to the control file (#13922)
On RHEL for library dirs rules only check *.so files (#13921)
Refresh CIS Control File for RHEL10 release 1.0 (#13870)
RHEL 9 STIG: align login timeout with the STIG policy (#13830)
SLE15 iptables service rules related fixes (#13896)
small fixes to ensure_logrotate_activated (#14013)
sysctl_kernel_exec_shield: make applicable only on x86_64 (#14115)
Update ccn profile for OL9 (#14123)
Update e8 and ism_o profiles for OL8 (#14107)
Update hipaa profile for OL9 (#14124)
Update OL8 profiles (#13986)
Update OL9 profiles (#13973)
Update ospp profile for OL8 (#14106)
Update STIG for RHEL 9 to allow for FIPS:STIG (#13834)
Use platform specific audit binaries (#13786)

Removed Products

Remove chromium (#14043)

Changes in Remediations

[stabilization] Prevent Ansible fail in check mode (#14170)
Add changed_when and check_mode keys (#13996)
Add support for file_group_ownership_var_log_audit in SLE platform (#13804)
Fix aide periodic check remediation for sle15/sle16 (#14121)
Fix linux disable network sniffer ansible syntax for non-standard interfaces (#14076)
Fix some ansible remediation jinja substitution and remove obsolete code from ensure_redhat_gpgkey_installed (#13931)
Improve ansible remediation of configure_crypto_policy (#13932)
Make Ansible file_existence template idempotent (#13952)
Make Ansible in account_password_selinux_faillock_dir idempotent (#14002)
Make Ansible in accounts_passwords_pam_faillock_dir idempotent (#14005)
Make Ansible in aide_build_database idempotent (#13944)
Make Ansible in audit_rules_immutable idempotent (#13950)
Make Ansible in dconf_db_up_to_date idempotent (#13997)
Make Ansible in dconf_gnome_screensaver_lock_enabled idempotent (#13998)
Make Ansible in dconf_ini_file idempotent (#13978)
Make Ansible in file_etc_security_opasswd idempotent (#13958)
Make Ansible in file_groupownership_system_commands_dirs idempotent (#13971)
Make Ansible in fips_custom_stig_sub_policy idempotent (#13945)
Make Ansible in GRUB rules idempotent (#13957)
Make Ansible in grub2_argument_absent template idempotent (#13976)
Make Ansible in SELinux rules idempotent (#13963)
Make Ansible in sshd_lineinfile template idempotent (#14006)
Make Ansible in sysctl_kernel_core_pattern_empty_string idempotent (#14021)
Make Ansible in the sysctl template idempotent (#14004)
Make Ansible Tasks in GRUB rules idempotent (#13927)
Make Ansible Tasks in postfix rules idempotent (#13930)
Make hardening crypto policies by Ansible idempotent (#14001)
Make sure ansible task is properly executed when no variable is defined (#13970)
Only run dconf when there is an actual change in previous tasks for dconf gnome ansible remediations (#13933)
Prevent Ansible errors in accounts_user_dot_user_ownership (#13955)
Remove custom Ansible remediation from service_pcscd_enabled (#13926)
Remove Jinja from when statement (#13993)
replacing systemd_service with systemd in system_enabled_guard_var (#14058)
Rework Ansible remediation in accounts_umask_interactive_users (#13934)
Rewrite Ansible remediation in accounts_user_dot_group_ownership (#13943)
Rewrite Ansible remediation in accounts_user_dot_user_ownership (#13941)
SLE15 directory permissions and file ownership rules for var log audit (#13862)
SLE15 iptables service rules related fixes (#13896)
SLE15 pam faillock related fixes (#13876)
SLE16 enable aide and display_login rules (#14046)
SLE16 enable selinux and grub rules (#14045)
Sle16 fix rsyslog remote loghost (#14032)
Sle16 restrict serial port logins (#14040)
small fixes to ensure_logrotate_activated (#14013)
Update account_password_* behavior for OL to support only new releases (#13838)
Update accounts_password_pam_pwquality_retry for OL STIG (#13811)

Changes in Checks

Add support for file_group_ownership_var_log_audit in SLE platform (#13804)
Add test scenario to cover case where user has nologin defined in usr (#13994)
Changing regex for aide.db file to support absolute path (#13915)
Fix macro 'create_interactive_users_list_object' to also ignore users having /usr/sbin/nologin shell (#13962)
shared: macros: oval: Fix evr datatype for dpkg-based distros (#13900)
SLE15 directory permissions and file ownership rules for var log audit (#13862)
SLE15 pam faillock related fixes (#13876)
SLE16 enable aide and display_login rules (#14046)
Sle16 restrict serial port logins (#14040)
Update account_password_* behavior for OL to support only new releases (#13838)

Changes in the Infrastructure

Add more ruff checks (#14000)
Add per product control files (#14060)
Add Ruff to the project and CI (#13810)
Bump to 0.1.79 (#13815)
Fixing add-cce option in fix_rules.py, while "identifiers" section in rule.yml is missing (#13956)
Move target_oval_version to product_properties (#13966)
Remove all codecs.open (#14062)
Update Install VM Script (#13824)

Changes in the Test Suite

Add a fedora-cis sanity test using Packit / Testing Farm (#13903)
Fix tests for no_dirs_unowned_by_root (#13999)
Renaming test for accounts_root_gid_zero (#14129)
service_systemd-journald_enabled: add specific test scenario (#14096)
Unmask all avahi (#13942)
Update test scenario to make sure there are no compliant state (#14007)

Documentation

Add all modules to ssg module docs (#14061)
Remove outdated Code Climate references (#14100)

Fixed Bugs

Add multiline support for RainerScript action detection in rsyslog_remote_loghost rule (#14057)
Add rule sshd_disable_forwarding to RHEL 8 and 9 CIS (#14103)
Adding rules for /etc/hostname and NetworkManager auditd monitoring (#14008)
Detect non-existent PATH directories in RHEL 9 CIS (#13991)
Fix bsi conflicts (#13846)
Fix crypto policy settings in RHEL CIS profiles (#14120)
fix: ol in product to ol in families (#14029)
Introduce template audit_rules_kernel_module_loading (#14024)
Make rule enable_authselect notapplicable in containers (#13992)
Make sure ansible task is properly executed when no variable is defined (#13970)
RHEL 9 STIG: align login timeout with the STIG policy (#13830)
shared: macros: oval: Fix evr datatype for dpkg-based distros (#13900)
small fixes to ensure_logrotate_activated (#14013)

Assets 8

05 Sep 14:18

github-actions

v0.1.78

f7d7948

Content 0.1.78

Important Highlights

Enable SCE content for problematic rules that can traverse the whole filesystem (#13758)
Remove unnecessary Jinja2 macros in control files (#13592)
Update RHEL 8 STIG to V2R4 (#13774)
Update RHEL 9 STIG to V2R5 (#13795)
Add CIS benchmark support for debian (#13712)
Add Debian 13 profile for ANSSI BP 28 (enhanced) (#13571)
Create SLE Micro 5 General profile (#13490)
Update the way in which the stable branch is maintained (#13769)

New Rules and Profiles

add anssi BP28 high profile to debian13 product (#13603)
Debian13 ANSSI BP28 (minimal) (#13540)
Debian13: add BP28 intermediary profile (#13556)
Implement rpm_verify_crypto_policies (#13469)
Update RHEL 8 STIG to V2R4 (#13774)
- Create slmicro6 product (#13570)

Updated Rules and Profiles

RHEL 9 STIG: align login timeout with the STIG policy (#13826)
[Ubuntu 24.04]: Add vlock_installed pkg override (#13582)
[Ubuntu] Define firewall varriable for Ubuntu 2404 STIG (#13689)
Add CCE for rsyncd disabled rule to slmicro5 (#13523)
Add distributed config support (#13653)
Adjust description of file_permissions_sudo (#13685)
Fix GRUB 2 UEFI selections in RHEL 9 ANSSI profiles (#13598)
Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
Move RHEL 8 STIG to Control file (#13481)
Move RHEL 9 ISM O Profile to Control File (#13511)
Remove rule from OL09-00-001085 (#13673)
RHEL 9 CIS: add ensure_gpgcheck_never_disabled (#13706)
RHEL 9 CIS: complete 6.3.3.5 (#13707)
Set var_screensaver_lock_delay for OL9 (#13672)
Slmicro5 disable ipv6 rules (#13524)
Fix bsi conflicts (#13847)
stop using fixfiles relabel in remediations (#13738)
Support drop-in files in coredump rules (#13665)
Update OL10 profiles (#13569)
Update var_password_pam_unix_rounds for OL9 stig control (#13516)
Use default order in configure_gnutls_tls_crypto_policy (#13692)

Removed Products

Remove leftover from ubuntu2004 (#13604)
Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)

Changes in Remediations

RHEL 9 Ansible replace systemd_service module with systemd (#13829)
Add OL9 to platform in ssh ciphers rule's bash (#13506)
Enable audit configure rules for slmicro5 (#13525)
Ensure tmout.sh and ssh_confirm.sh have correct permissions on creation (#13711)
Exclude remote mounted filesystems from local partition nodev tasks (#13530)
Fix architecture dependent path (#13714)
Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
Prevent fails in check mode (#13703)
Prevent problems with single quotes (#13742)
Reduce gathering facts in profile Ansible Playbooks (#13739)
Remove file_owner_var_log_messages bash remediation (#13488)
SLE fixes for gid-related rules (#13779)
SLE improve require_singleuser_auth oval check and remediations (#13746)
stop using fixfiles relabel in remediations (#13738)
Support banner with single quote (#13713)
Update ansible for auditd_data_retention_action_mail_acct (#13650)
Update ansible in require_singleuser_auth for OL (#13651)
Update disable_users_coredumps rule to support drop-in and string values (#13749)
Update jinja in require_emergency_target_auth for OL (#13652)
Use fully qualified collection name in Ansible tasks (#13794)
Workaround OpenSCAP issue for Image Mode (#13645)

Changes in Checks

[Ubuntu] Fix rule encrypt_partitions (#13596)
Add OL9 in oval to directory_permissions_var_log_audit rule (#13745)
Add oval check for prevent_direct_root_logins (#13615)
Add OVAL for encrypt_partitions rule (#13539)
Allow spaces around equal sign (#13691)
Create slmicro6 product (#13570)
Disable value of zero in dconf_gnome_screensaver_idle_delay (#13671)
Enable multi_platform_sle platforms for encrypt_partition oval check (#13775)
Exclude remote mounted filesystems from local partition nodev tasks (#13530)
Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
Fix(OVAL): Correct variable reference in account_disable_inactivity_* (#13591)
Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
Improve OVAL checks for nss-altfiles (#13759)
Make sure oval service disable macro covers also not found definition (#13725)
SLE fixes for gid-related rules (#13779)
SLE improve require_singleuser_auth oval check and remediations (#13746)
SLE kernel package may be called kernel-default-base (#13748)
Sshd rekey limit update OVAL (#13687)
Update disable_users_coredumps rule to support drop-in and string values (#13749)
Update path for OL9 in sysctl_kernel_exec_shield oval file (#13538)
Update sshd_set_idle_timeout oval file & sshd_lineinfile template for OL (#13695)

Changes in the Infrastructure

[workflow] Fix ansible for Ubuntu workflow (#13480)
Add the ability built more than one product with SRG XLSX Option (#13693)
Fix Debian 13 in CI (#13557)
Fix level inheritance when processing profiles (#13666)
Fix SCAP Delta Tailoring (#13542)
Format rhel8 related yaml files (#13621)
Improve reproducibility and stability (#13531)
Move RHEL 9 E8 profile to use the e8 control file (#13482)
Pre-load Jinja macros (#13502)
Remove 2 functions (#13659)
Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)
Update Export SRG Script (#13474)

Changes in the Test Suite

[Ubuntu] Fix test of package_bind_removed (#13560)
Add missing profile stability data (#13600)
Add OL9 to disable_ctrlaltdel_reboot tests (#13609)
Add tags to test scenarios in accounts_root_path_dirs_no_write (#13536)
Change TS in networkmanager_dns_mode from fail to pass (#13724)
CI: fedora gating - collapse the multiline command (#13735)
file_groupownership_system_commands_dirs fix test scenario (#13675)
Fix platform tag in test scenarios (#13534)
Fix tests for rule grub2_pti_argument (#13733)
Update profile to variable in banner_etc_issue_disa_dod_short test (#13667)

Documentation

Remove outdated Code Climate badage (#13744)
Update Contributors for 0.1.78 (#13807)

Fixed Bugs

RHEL 9 STIG: align login timeout with the STIG policy (#13826)
[stabilization]: auditd_lineinfile: allow specifying data type of XCCDF variable (#13841)
RHEL 9 Ansible replace systemd_service module with systemd (#13829)
[Ubuntu] Remove non-ascii character (#13607)
Add var_sudo_timestamp_timeout=always_prompt to RHEL 9 and RHEL 10 STIG (#13517)
Adjust description of file_permissions_sudo (#13685)
Allow spaces around equal sign (#13691)
file_groupownership_system_commands_dirs fix test scenario (#13675)
Fix rule auditd_freq (#13718)
grub2_*_admin_username: make regex less strict (#13740)
Install package polkit-pkla-compat (#13729)
make service_rngd_enabled applicable in case FIPS mode is not enabled (#13705)
Remove remaining dependencies on installed_OS_is_FIPS_certified (#13757)
replace instances of grub-mkconfig with correct grub2-mkconfig (#13640)
sshd_limit_user_access is missing the opening tag (#13616)
stop using fixfiles relabel in remediations (#13738)
Support drop-in files in coredump rules (#13665)
Update links which pointed to outdated documentation (#13508)
Update the suffix for rules used when generating components gh pages (#13597)
Use default order in configure_gnutls_tls_crypto_policy (#13692)
Use template in grub2_nousb_argument (#13726)

Assets 8

02 Jun 19:42

github-actions

v0.1.77

c1e1ba1

Content 0.1.77

Important Highlights

Introduce Architecture Decisions Records (#13019)
Move stablization to the third Monday of the second month (#13119)
Remove CCI References (#13397)
Remove macOS content (#13158)

New Rules and Profiles

[ubuntu2404] New rule: remove pkg inetutils-telnet (#13095)
add a check for secure boot enabled (#13094)
Add a default profile for Ubuntu2404 to add all rules to the datastream (#13022)
Add draft profile and control file for Ubuntu 24.04 STIG (#13288)
Add new rule for rootfiles package (#13134)
Add Rule for STIG Sub-Crypto Policies (#13393)
Implement STIG id Ol09-00-000242 (#13464)
Introduce new rule audit_rules_dac_modification_fchmodat2 (#13335)
Introduce rule enable_gpgcheck_for_all_repositories (#13156)
new rule sysctl_use_max_user_namespaces_no_remediation (#13351)
OPENSCAP-4913 - Update audit_file_deletion_events group for RHEL 10 (#13179)
RHEL 10 SRG GPOS PAM Hashing Update (#13421)

Updated Rules and Profiles

[ubuntu2404] Add ubuntu specific configuration path (#13096)
[Ubuntu2404] Fix rule 5.3.3.4.1 (#12940)
Add /sbin/audisp-syslog to audit binary rules (#13251)
Add dconf rules dependencies sle (#13063)
Add new rule for rootfiles package (#13134)
Add OL08-00-010423 to OL8 STIG profile (#13377)
Add Ol09-00-002151 to OL9 STIG (#13435)
Add recommendation about authselect (#13356)
Add Rule for STIG Sub-Crypto Policies (#13393)
Add xccdf status to profiles (#13045)
Align audit OSPP rules with audit upstream (#13295)
Apply 1.1.1.8 to server_l1 to match the benchmark on RHEL 8 (#13103)
audit_ospp_general_ppc64le: architecture cannot contain 32 bit rules (#13433)
dir_perms_world_writable_sticky_bits: add warning (#13466)
Drop irrelevant rules for SLE platform (#13475)
fix accounts_password_pan_rety oval check for Debian (#13174)
Fix logind_session_timeout in anssi controls (#13189)
Fix set_password_hashing_min_rounds_logindefs (#13004)
Fix SLE15 CIS Ensure AppArmor is installed (#13264)
Fix variable name in Ubuntu 22.04 CIS profiles (#12981)
Fixes related to STIG and SSH cryptopolicy (#13042)
fixes to grub2 admin user and password rules (#13467)
Handle XCCDF variable in key_value_pair_in_file template (#13051)
Improve AlmaLinux OS support (#13409)
Improve description in accounts_passwords_pam_faillock_dir (#13348)
Make accounts password pam pwhistory remember rule use template for SLE etc (#13343)
new rule sysctl_use_max_user_namespaces_no_remediation (#13351)
Ol9 stig v1r1 (#13413)
OPENSCAP-4913 - Update audit_file_deletion_events group for RHEL 10 (#13179)
OPENSCAP-4921, OPENSCAP-4922, OPENSCAP-4923, OPENSCAP-4924: Change audit watches for ARLE (#13194)
OPENSCAP-4926 - Use template in audit_rules_mac_modification_usr_share (#13273)
OPENSCAP-4927 - Update audit_rules_media_export (#13206)
OPENSCAP-4928 - Fix description in audit_rules_networkconfig_modification (#13207)
OPENSCAP-4930, OPENSCAP-4931, OPENSCAP-4932, OPENSCAP-4933, OPENSCAP-4934, OPENSCAP-4935, OPENSCAP-4936, OPENSCAP-4937, OPENSCAP-4938, OPENSCAP-4939, OPENSCAP-4940, OPENSCAP-4941, OPENSCAP-4942, OPENSCAP-4943, OPENSCAP-4944, OPENSCAP-4945, OPENSCAP-4946, OPENSCAP-4947 Add arch filter to ARPC (#13213)
OPENSCAP-4948 - Use modern audit watches in audit_rules_session_events (#13262)
OPENSCAP-4949, OPENSCAP-4950 - Change audit watches in rule audit_rules_sudoers and audit_rules_sudoers_d (#13218)
OPENSCAP-4951: Support modern watches in audit_rules_sysadmin_actions (#13242)
OPENSCAP-4952: Use template in audit_rules_time_watch_localtime (#13244)
OPENSCAP-4954, OPENSCAP-4955, OPENSCAP-4956, OPENSCAP-4957: Use audit_rules_watch template instead of audit_rules_usergroup_modification (#13249)
OPENSCAP-4959 - Add arch filter to directory_access_var_log_audit (#13215)
OPENSCAP-5471 Enhance systemd_dropin_configuration template (#13208)
Release Ubuntu 24.04 CIS v1.0.0 profiles (#13072)
Remove sysctl_user_max_user_namespaces from RHEL 10 STIG (#13243)
Remove CIS profile for slmicro5 (#13457)
Remove from OL8 STIG not STIG related rules (#13246)
Remove RHEL-09-672035 and RHEL-09-672040 from RHEL 9 STIG (#12973)
Remove rule enable_authselect from RHEL10 (#13341)
Replace pam_unix_remember with pam_pwhistory_remember (#13390)
Revert the uid back to rsyslog for the rule file_owner_var_log_syslog (#13169)
RHEL 10 SRG GPOS PAM Hashing Update (#13421)
RHEL: remove talk related rules (#13327)
rhel10 ospp: remove package_scap-security-guide_installed (#13434)
rsyslog_remote_loghost: support Rainer Script in OVAL (#13274)
Rule: sshd_include_crypto_policy, drop remediations, improve OVAL (#13028)
SLE15 nfs and dhcp disable service fixes (#13186)
SLE15 Use socket disable template for telnet (#13154)
Specify platform specific packages for xwindows_remove_packages rule (#12853)
Update CA file path (#13328)
Update harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy (#13374)
Update ol10 profiles (#13292)
Update ol8 STIG (#13378)
Update OL9 hipaa profile (#13253)
Update OL9 profiles (#13101)
Update RHEL 10 Profiles Titles (#12990)
Update rule package_bind_removed for RHEL 9.6 (#13168)
Update SLE15 and SLE12 ANSSI profiles (#13190)
Update STIG IDs for SSH Client MAC and Ciphers rules on RHEL 8 (#13404)
Update Ubuntu 22.04 STIG to V2R3 (#13167)

Removed Products

Remove macOS content (#13158)

Changes in Remediations

[Ubuntu] Insert to beginning of file in Ubuntu (#13290)
Change checks for rexec and rlogin to use xinetd configuration (#13185)
Change the way in which applicability of selinux platform is determined (#13173)
dir_system_commands_* remediation fixes and applicability for all products (#13298)
Fix accounts_user_dot_user/group_ownership to only remediate regular files (#13178)
Fix dconf key for idle-delay lock on Ubuntu (#13112)
Fix oval and remediations for journald-upload rules (#13050)
Fix rule accounts_passwords_pam_tally2 (#13308)
Fix set_password_hashing_min_rounds_logindefs (#13004)
Improve bash/ansible_ensure_pam_module_option macros (#13405)
OPENSCAP-4951: Support modern watches in audit_rules_sysadmin_actions (#13242)
OPENSCAP-4959 - Add arch filter to directory_access_var_log_audit (#13215)
OPENSCAP-5471 Enhance systemd_dropin_configuration template (#13208)
RHEL 10 Ansible fixes (#13458)
RHEL 9 Ansible fixes (#13455)
Rule: sshd_include_crypto_policy, drop remediations, improve OVAL (#13028)
Rule: sshd_include_crypto_policy, platform: not osbuild (#13008)
SLE Add dependency to crypto-policies-scripts package (#13088)
Specify platform specific packages for xwindows_remove_packages rule (#12853)
Update Ansible find task to report on broken symbolic links, matching STIG vulnerability scanning behavior (#13386)
Update bash_sudo_remove_config macro (#13122)
Update enable_authselect remediation on bootable containers (#13131)
Update harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy (#13374)
Update regex to support RainerScript in rsyslog_cron_logging (#13172)
Update shared.yml (#13320)
Use fully qualified collection name for community.general.ini_file (#13184)

Changes in Checks

Add Ubuntu 22.04 to the list of FIPS certified OS (#13132)
Change checks for rexec and rlogin to use xinetd configuration (#13185)
Fix Memory Usage for file_(group)owner (#13306)
Fix accounts_password_pam_retry (#13144)
Fix file_groupowner_etc_chrony_keys OVAL check (#13248)
Fix oval and remediations for journald-upload rules (#13050)
Fix sshd oval check for SLE15, SLEM5 and opensuse (#13197)
Fix typos and exclude symlinks in file_(group)ownerships_var_log rules (#13111)
Fixes related to STIG and SSH cryptopolicy (#13042)
Make accounts password pam pwhistory remember rule use template for SLE etc (#13343)
OPENSCAP-4959 - Add arch filter to directory_access_var_log_audit (#13215)
OPENSCAP-5471 Enhance systemd_dropin_configuration template (#13208)
oval macro: remove no longer used special case for sshd rules (#13193)
rsyslog_remote_loghost: support Rainer Script in OVAL (#13274)
Rule: sshd_include_crypto_policy, drop remediations, improve OVAL (#13028)
SLE Add dependency to crypto-policies-scripts package (#13088)
Specify platform specific packages for xwindows_remove_packages rule (#12853)
Update harden_sshd_ciphers/macs_opensshserver_conf_crypto_policy (#13374)
Update regex to support RainerScript in rsyslog_cron_logging (#13172)
Update rule package_bind_removed for RHEL 9.6 (#13168)

Changes in the Infrastructure

Add product_properties to open_environment for build tests (#13223)
Add required to controlseval.py --product switch (#13136)
Add rule removed test (#13358)
Add tar.gz file of the build data streams (#13321)
Add xccdf status to profiles (#13045)
build_product: add --render-test-scenarios option (#13309)
Clean Up CMake and build_product Product List (#13280)
Fail if the build causes empty OCIL (#13148)
Fix Memory Usage for file_(group)owner (#13306)
Fix stabilization job (#13367)
Fix timestamps for data-stream composition (#12625)
Format thin data streams (#13416)
Improve profile stability test (#13476)
Introduce Architecture Decisions Records (#13019)
Make Delta tailoring for RHEL 8 only (#13120)
Make overrding tests work in built tests (#13330)
OCPBUGS-55180: Fix file groupowner oval template on OCP (#13357)
OPENSCAP-4118 - Add script to build tests (#13029)
Remove CCI References (#13397)
Remove Ubuntu 20.04 from Gating (#13294)
Remove unnecessary Jinja2 macros in control files (#13180)
Speed up build by using JSON for interim atifacts (#13445)
Stop adding list of contribu...

Assets 8

24 Feb 10:37

github-actions

v0.1.76

616d436

Content 0.1.76

Important Highlights

Add new product for Ubuntu 24.04 and draft CIS profiles (#12611)
Add pyproject.toml for the ssg package (#12604)
AlmaLinux OS 9 as a new product (#12810)
Documentation for ssg library (#12606)
Extend SSG library to more easily collect profile selections (#12797)
Extend SSG with functions to manage variables (#12717)

New Rules and Profiles

A new rule system_boot_in_fips_mode (#12671)
Add a default profile for Ubuntu2404 to add all rules to the datastream (#13023)
Add ccn profile to OL9 (#12759)
Add new rule journald_disable_forward_to_syslog (#12674)
Add new rule logging_services_active (#12857)
Add new rule no_nologin_in_shells (#12835)
Add new rule service_dhcpd6_disabled (#12627)
Add new rule service_dnsmasq_disabled (#12628)
Add new rule service_nginx_disabled (#12629)
Add new rules to replace audit_rules_mac_modification on Ubuntu (#12828)
add new stig rule accounts_password_pam_pwquality_retry (#12965)
Add rules for installing pam-runtime and pam-modules to Ubuntu 24.04 (#12904)
Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
Clean Up Opensc Rules in RHEL 10 (#12738)
Create Public Cloud Hardening profile for SLE Micro5 (#12817)
Implement audit rules for nsswitch.conf, pam.conf and pam.d (#12724)
Implement new rule firewall_single_service_active (#12822)
Implement rule accounts_umask_root (#12721)
Implement rule groups_no_zero_gid_except_root (#12720)
Implement rules for /etc/security/opasswd permissions (#12693)
New rule package_unbound_removed (#12699)
rhel10: use new rule for auditing of changes to selinux configuration (#12826)
Ubuntu 24.04 1.1.1.6 Ensure overlayfs kernel module is not available (#12692)
Ubuntu 24.04 1.3.1.1 Ensure AppArmor is installed (#12701)
Ubuntu 24.04 2.1.1 Ensure autofs services are not in use (#12702)
Ubuntu 24.04 2.2.6 Ensure ftp client is not installed (#12703)
Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users (#12711)
Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled (#12714)
Ubuntu 24.04 6.1.2.1.2 Ensure systemd-journal-upload authentication (#12852)
Ubuntu 24.04: Implement 2.3.1.1 Ensure a single time synchronization daemon is in use (#12823)
Ubuntu 24.04: Implement 5.3.2.4 Ensure pam_pwhistory module is enabled (#12726)
Ubuntu 24.04: Implement 5.3.3.2.5 Ensure password maximum sequential characters is configured (#12727)
Ubuntu 24.04: Implement rule 5.3.2.2 Ensure pam_faillock module is enabled (#12779)
Ubuntu 24.04: Implement rule 5.3.3.1.3 Ensure password failed attempts lockout includes root account (#12906)
Ubuntu 24.04: Implement rule 5.3.3.3.1 Ensure password history remember is configured (#12784)
Ubuntu 24.04: Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user (#12799)
Ubuntu 24.04: Implement rule 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok (#12800)
Ubuntu 24.04: Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember (#12780)
Ubuntu 24.04: Implement rule 5.4.2.5 Ensure root path integrity (#12838)
Ubuntu 24.04: Implement rule 5.4.2.8 Ensure accounts without a valid login shell are locked (#12889)

Updated Rules and Profiles

Update RHEL 8 STIG to V2R1 (#12924)
Fixes related to STIG and SSH cryptopolicy (#13025)
Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS (#12974)
Add new variable to set_password_hashing_min_rounds_logindefs rule (#12923)
Add package_ypbind_removed to e8 profile to OL8 (#12957)
Add rule for ubuntu2404 CIS control 4.4.3.2 (#12662)
Add rule sysctl_kernel_yama_ptrace_scope to Ubuntu 24.04 CIS (#12618)
Add rules and vars to ubuntu2404 CIS control 5.1.16 (#12667)
Add rules to several ubuntu2404 CIS controls (#12675)
Add rules to several ubuntu2404 CIS controls (#12694)
Add rules to ubuntu2404 CIS control 5.1.18 (#12668)
Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
Add ubuntu specific check and remediation for aide_periodic_checking_systemd_timer (#12733)
Adjust journald rules for RHEL 10 (#12754)
Adjust two filesystem permission rules to 600 (#12737)
Adjust wording in kerberos_disable_no_keytab (#12739)
Alma9 more changes (mk2) (#12905)
audit_immutable_login_uids: remove stig-specific content (#12676)
Clean Up Opensc Rules in RHEL 10 (#12738)
Define var_user_initialization_files_regex on Ubuntu 24.04 (#12960)
Exclude autrace and audispd on RHEL 10 (#12736)
Fix audit access rules in ISM_O (#12670)
Fix mistake done in PR #12714 (#12741)
Fix package and service name overrides for Ubuntu 24.04 (#12913)
Fix RHEL 10 DISA and SRG References (#12944)
Fix RHEL 10 ISM profile fails in Image Mode (#12836)
Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
Fix rule ip6tables_rules_for_open_ports and add to ubuntu2404 controls (#12666)
Fix the bash conditional for checking system architecture (#12815)
Fix variable name in Ubuntu 22.04 CIS profiles (#12982)
gdm package cannot be removed in stig_gui profile (#12915)
Improve rule file_permissions_ungroupowned for use in bootable containers (#12584)
Refactor ubuntu oval for audit_rules_networkconfig_modification (#12722)
Remove not applicable rules for OL8 & OL9 (#12558)
Remove old rules from RHEL 10 profiles (#12697)
Remove package_quagga_removed from RHEL 10 profiles (#12589)
Remove RHEL-08-020220 and RHEL-08-020221 from the RHEL 8 STIG (#12805)
Remove service_chronyd_or_ntpd_enabled from RHEL 10 (#12756)
remove sshd_use_priv_separation from hipaa control file (#12591)
require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
require_singleuser_auth:update prose (#12864)
RHEL 10 Kernel Config and Module Clean Up (#12712)
RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational (#12824)
rhel8 STIG: update password hashing rounds (#12948)
RHEL8 STIG: update SSH algorithms (#12949)
Switch to _guard_var templates for timesync rules on Ubuntu 24.04 (#12903)
Switch to CIS-specific banner rules for Ubuntu 24.04 CIS (#12619)
Ubuntu 24.04 1.1.1.2 Ensure freevxfs kernel module is not available (#12688)
Ubuntu 24.04 1.1.1.3 Ensure hfs kernel module is not available (#12689)
Ubuntu 24.04 1.1.1.4 Ensure hfsplus kernel module is not available (#12690)
Ubuntu 24.04 1.1.1.5 Ensure jffs2 kernel module is not available (#12691)
Ubuntu 24.04 1.1.1.6 Ensure overlayfs kernel module is not available (#12692)
Ubuntu 24.04 1.1.2.2.1 Ensure /dev/shm is a separate partition (#12700)
Ubuntu 24.04 1.3.1.1 Ensure AppArmor is installed (#12701)
Ubuntu 24.04 2.1.1 Ensure autofs services are not in use (#12702)
Ubuntu 24.04 2.2.6 Ensure ftp client is not installed (#12703)
Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users (#12711)
Ubuntu 24.04 3.1.3 Ensure bluetooth services are not in use (#12713)
Ubuntu 24.04 5.1.12 Ensure sshd KexAlgorithms is configured (#12731)
Ubuntu 24.04 5.1.15 Ensure sshd MACs are configured (#12735)
Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled (#12714)
Ubuntu 24.04 5.1.9 Ensure sshd GSSAPIAuthentication is disabled (#12719)
Ubuntu 24.04 5.3.2.1 Ensure pam_unix module is enabled (#12706)
Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok (#12760)
Ubuntu 24.04 5.4.2.4 Ensure root account access is controlled (#12672)
Ubuntu 24.04 6.1.2.1.2 Ensure systemd-journal-upload authentication (#12852)
Ubuntu 24.04 CIS section 6.1.2.1.3 Ensure systemd-journal-upload is enabled and active (#12680)
Ubuntu 24.04: Implement 2.1.21 Ensure mail transfer agent is configured for local-only mode (#12818)
Ubuntu 24.04: Implement 2.3.1.1 Ensure a single time synchronization daemon is in use (#12823)
Ubuntu 24.04: Implement 5.3.2.3 Ensure pam_pwquality module is enabled (#12723)
Ubuntu 24.04: Implement 5.3.2.4 Ensure pam_pwhistory module is enabled (#12726)
Ubuntu 24.04: Implement 5.3.3.2.5 Ensure password maximum sequential characters is configured (#12727)
Ubuntu 24.04: Implement 5.3.3.2.7 Ensure password quality checking is enforced (#12752)
Ubuntu 24.04: Implement 5.3.3.4.1 Ensure pam_unix does not include nullok (#12770)
Ubuntu 24.04: Implement rule 5.3.2.2 Ensure pam_faillock module is enabled (#12779)
Ubuntu 24.04: Implement rule 5.3.3.1.2 Ensure password unlock time is configured (#12772)
Ubuntu 24.04: Implement rule 5.3.3.1.3 Ensure password failed attempts lockout includes root account (#12906)
Ubuntu 24.04: Implement rule 5.3.3.2.1 Ensure password number of changed characters is configured (#12750)
Ubuntu 24.04: Implement rule 5.3.3.2.2 Ensure minimum password length is configured (#12748)
Ubuntu 24.04: Implement rule 5.3.3.2.3 Ensure password complexity is configured (#12753)
Ubuntu 24.04: Implement rule 5.3.3.2.4 Ensure password same consecutive characters is configured (#12747)
Ubuntu 24.04: Implement rule 5.3.3.2.6 Ensure password dictionary check is enabled (#12751)
Ubuntu 24.04: Implement rule 5.3.3.3.1 Ensure password history remember is configured (#12784)
Ubuntu 24.04: Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user (#12799)
Ubuntu 24.04: Implement rule 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok (#12800)
Ubuntu 24.04: Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember (#12780)
Ubuntu 24.04: Implement rule 5.4.2.2 Ensure root is the only GID 0 account (#12777)
Ubuntu 24.04: Implement rule 5.4.2.5 Ensure root path integrity (#12838)
Ubuntu 24.04: Implement rule 5.4.2.8 Ensure accounts without a valid login shell are locked (#12889)
Update sssd_enable_smartcards for RHEL 10 (#12882)
update audit_ospp_general with the latest content (#12579)
Update mount_option_proc_hidepid to include OL9 product (#12917)
Update Ol10 pro...

Assets 6

14 Nov 19:57

github-actions

v0.1.75

73a89fb

Content 0.1.75

Important Highlights

Add new product kylinserver10 (#12393)
Create OL10 product (#12290)
Update PCI-DSS control file for version 4.0.1 (#12435)

New Rules and Profiles

[New Rule] Package kea removed (#12464)
Add Ism profile for ol8 (#12493)
Add Ism profile to OL9 (#12346)
Create CIS rules for login banners (#12472)
New rule tftp_uses_secure_mode_systemd (#12436)
Update chrony rules for RHEL 10 (#12415)
Update RHEL 9 STIG to V2R2 (#12551)

Updated Rules and Profiles

Add to slmicro5 STIG pam pwhistory remember rule (#12255)
Add CCI to package_postfix_installed (#12446)
Add hipaa reference to sshd_use_directory_configuration (#12437)
Add Ism profile for ol8 (#12493)
Add Missing CPEs for RHEL10 (#12411)
Add OL into jinja conditionals (#12461)
Add package_rng-tools_installed to Fedora OSPP profile (#12244)
Add RHEL 10 to Jinja if statements in firewalld_sshd_port_enabled (#12504)
Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
Add rule chronyd_or_ntpd_set_maxpoll to SLE Micro 5 STIG profile (#12499)
Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
Add rules removed from RHEL8/RHEL9 profiles back to datastream (#12572)
Add STIG rules for slmicro5 covering lib dirs root ownership (#12252)
Add support for XCCDF variables into sshd_lineinfile template (#12251)
Adjust FIPS enable_fips_mode for RHEL 10 (#12414)
Adjust zipl_bls_entries_option template remedation to allow RHEL 10 (#12410)
Change directory_permissions_etc_iptables to 700 (#12384)
Change platform for rules related to partitions (#12562)
Change platform in xwindows_runlevel_target (#12563)
Consolidate ASCS RHEL profiles lastlog via sshd (#12249)
convert more rules to sshd_lineinfile template (#12301)
Create CIS rules for login banners (#12472)
Fix a typo (#12275)
Fix Audit related rules in RHEL 10 (#12359)
Fix chronyd remote server filepath dir regex (#12312)
fix for issue 11909 (#12318)
Fix rules from the net-snmp component (#12391)
grub2_vsyscall_argument should only be applicable to x86_64 (#12408)
Hide CJIS profile for OL8 (#12357)
Move daemon.* to /var/log/messages (#12433)
Move package_rear_installed to related rules in e8 (#12456)
Move RPM verify rules to use --restore (#12413)
OCP4: Optimize ingress trusted ca remediation (#12268)
Remove sshd_enable_warning_banner_net from HIPAA control file (#12534)
Remove Outdated GNOME Rules in RHEL 10 (#12460)
Remove package_talk-server_removed from RHEL 10 ANSSI (#12457)
Remove rng-tools package rules from RHEL 10 (#12455)
Remove sendmail from RHEL 10 profiles (#12452)
Remove sshd_allow_only_protocol2 from RHEL 10 (#12390)
Remove ypbind rules from RHEL10 (#12450)
Remove ypserv from RHEL 10 profiles (#12451)
Rename cron package to cronie for RHEL10 product (#12463)
Review PCI-DSS requirements and rules for RHEL 10 (#12347)
Review sshd_set_maxstartups rule (#12419)
RHEL 10 HIPAA Profile Updates (#12345)
RHEL 10 ISM_O: add back enable_fips_mode rule (#12449)
RHEL 10 STIG Update (#12348)
RHEL 10 tmux changes (#12383)
RHEL 9 STIG: change remediated Networkmanager DNS mode (#12448)
Slmicro5 stig add accounts and amount rules support (#12353)
Slmicro5 stig add accounts and software rules support (#12364)
Slmicro5 stig add rules selinux ssh and audit (#12316)
Slmicro5 stig add services and software rules support (#12395)
Stabilization: update audit_ospp_general with the latest content (#12592)
Two CIS RHEL 9 enhancements (#12453)
Ubuntu 22.04 STIG V2R1 changes (#12298)
Update ANSSI BP28 profiles in rhel10 product (#12351)
Update CCI Numbers due to new STIG/SRG GPOS (#12374)
Update chrony rules for RHEL 10 (#12415)
Update e8 profile for RHEL 10 (#12402)
Update file_permissions_etc_chrony_keys (#12521)
Update file_permissions_etc_chrony_keys to 640 (#12577)
Update install_smartcard_packages for RHEL10 (#12459)
update ism_o profiles for RHEL 10 (#12418)
Update Jinja for package_rsync_removed for RHEL 10 (#12480)
Update networkmanager_dns_mode for bootable containers (#12574)
Update of the rule encrypt_partitions to support SLEM (#12343)
Update ol7 stig (#12544)
Update ol8 stig (#12545)
Update OSPP control file (#12369)
Update PCI-DSS control file for version 4.0.1 (#12435)
update pwd length requirements for ism_o profile (#12431)
Update RHEL 10 STIG Selections (#12376)
Update RHEL 8 STIG due to rule removal (#12559)
Update RHEL 8 STIG to V2R1 (#12550)
Update RHEL 9 STIG to V2R1 (#12373)
Update RHEL 9 STIG to V2R2 (#12551)
Update rsyslog_cron_logging for bootable containers (#12575)
Update service_rngd_enabled for RHEL 10 (#12243)
Update SLE12 STIG version to V3R1 (#12580)
Update SLE15 STIG version to V2R2 (#12570)
Update various openshift assertions (#12443)
Updated 6 rules 2 for sle micro (#12331)
Updated packages related to openssh to support slem (#12338)
Updated rules based on template service_disabled to support slem (#12337)
Updates for Debian 12.6 (#12432)
Updates related to the rule permissions_local_var_log_audit (#12356)
Various Bug Fixes for Debian (#12084)

Removed Products

Remove uos20 (#12248)

Changes in Remediations

Add ansible remediation configure_bind_crypto_policy (#12325)
Add ansible remediation to ensure_oracle_gpgkey_installed rule (#12323)
Add ansible remediation to mount_option_home template (#12546)
Add ansible remediaton for rsyslog_cron_logging rule (#12326)
Add insensitive option to ansible_lineinfile macro (#12314)
Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
Add rules to support remote offload of journal logs (#12479)
Add support for XCCDF variables into sshd_lineinfile template (#12251)
Added remediation and tests for the rule permissions_local_var_log_audit (#12360)
Avoid tmpfiles override (#12218)
Bring bash version in-sync with Ansible (#12398)
Change flags cleanup (#12397)
Create CIS rules for login banners (#12472)
Don't autoremove packages on dnf package uninstall (#12389)
Fix "unknown predicate -L" (#12305)
Fix ansible remediation for audispd plugin UBTU-20-010216 (#12293)
Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined (#12527)
SLE15 related fixes in ntp and aide rules (#12548)
Slmicro5 stig add accounts and software rules support (#12364)
Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule (#12324)
Update bash remediation to fix bug into account_disable_inactivity* (#12134)
Update remedation for firewalld_sshd_port_enabled (#12522)
Update select rules for RHEL not to modify systemd units in /usr (#12486)
Update SLE12 STIG version to V3R1 (#12580)
Update SLE15 STIG version to V2R2 (#12570)

Changes in Checks

Add "is_substring" variable to grub2_bootloader_argument template (#12308)
Add OL9 into installed_OS_is_vendor_supported (#12333)
Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
Add support for XCCDF variables into sshd_lineinfile template (#12251)
convert more rules to sshd_lineinfile template (#12301)
Create CIS rules for login banners (#12472)
enhance the grub2_argument template to cover more use cases (#12375)
Fix Audit related rules in RHEL 10 (#12359)
Fix inventory_test_kernel_installed for SLE (#12516)
Remove redundant sshd oval macro (#12532)
Slmicro5 stig add accounts and software rules support (#12364)
Update SLE15 STIG version to V2R2 (#12570)

Changes in the Infrastructure

Add ocp4 pci dss references (#12309)
Add setuptools python package to Fedora (#12565)
Add setuptools to ocp4 build (#12566)
Build empty OVAL (#12262)
Build SCE content by default in rhel9 and rhel10 products (#12488)
Enable templated SCE checks (#12445)
Ensure that platforms is valid in Automatus tests (#12505)
Fix issue with ambiguity of control product (#12454)
Fix thin data streams with SCE (#12503)
Fix validation with OpenSCAP 1.4 (#12303)
Fix Windows for OpenSCAP 1.4.0 release (#12304)
Introduce bootc remediation type (#12497)
Move data stream component references (#12557)
Remove template option (#12341)
Stop SCAP content validation if not necessary (#12523)
Update Fedora in install_vm.py to F41 (#12567)

Changes in the Test Suite

add debian12 automatus workflow (#12128)
Add OCP and RHCOS assertion files for 4.17 (#12266)
Add RHEL Platform to Select AIDE Tests (#12483)
add rule sysctl_kernel_modules_disabled to unselect_rules_list (#12354)
Fix automatus podman (#12230)
Fix Automatus Sanity (#12188)
Improve Benchmark detection in Automatus (#12554)
Introduce /rpmbuild-ctest-fedora CI for all Fedora versions (#12176)
modify test scenarios of grub2_argument template to handle variables (#12428)
Remove missing-references ctest (#12434)
Remove template option (#12341)
Review and update install_vm.py script (#12254)

Documentation

Add UOS 20 removal to docs (#12257)
Align release date calculation with documentation (#12240)
Bump master version to 0.1.75 (#12235)
Clarify stabilization dates process for more predictability (#12232)
Include a section for fixed bugs in changelog (#12239)
Remove old and broken tldp.org link (#12284)
Update contributors for 0.1.75 (#12576)

Fixed Bugs

Remove installed_OS_is_FIPS_certified from sshd_use_approved_ciphers (#12242)
firewalld_sshd_port_enabled add zone to all connections (#12256)
Create CIS rules for login banners (#12472)
Disable sysctl_kernel_modules_disabled Ansible remediation (#12514)
Explicitly state FindOpenSCAP cmake so it...

Assets 6

09 Aug 14:29

github-actions

v0.1.74

1bf21b0

Content 0.1.74

Important Highlights

Add Amazon Linux 2023 product (#12006)
Introduce new remediation type Kickstart (#12144)
Make PAM macros more flexible to variables (#12133)
Remove Debian 10 Product (#12205)
Remove Red Hat Enterprise Linux 7 product (#12093)
Update CIS RHEL9 control file to v2.0.0 (#12067)

New Rules and Profiles

Add initial RHEL 10 CIS profiles (#12075)
Add new rule audit_rules_var_log_journal (#11920)
Add new rule file_permissions_var_log_audit_stig (#11966)
Add new rule install_endpoint_security_software (#11970)
Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
Add rule dir_groupowner_system_journal (#11838)
Add rule dir_owner_system_journal (#11839)
Add rule file_group_ownership_var_log_audit_stig (#11924)
Add rule file_groupowner_journalctl (#11841)
Add rule file_owner_journalctl (#11835)
Add rule file_permissions_etc_audit_rules (#11959)
Add rule file_permissions_journalctl (#11834)
Check ufw is active (#11984)
Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
Initial HIPAA RHEL 10 Profile (#11915)
Initial ISM O RHEL 10 Profile (#11994)
Initial OSPP Control File (#11882)
Initial RHEL 10 e8 Profile (#11976)

Updated Rules and Profiles

Add package_rng-tools_installed to Fedora OSPP profile (#12246)
Add package_firewalld_installed to CCN and enable CCN Advanced profile test in CI (#12139)
Add CCEs to RHEL 10 Rules (#12113)
Add draft status to all RHEL 10 profiles (#12224)
Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile (#11968)
Add SSH related STIG rule to slmicro5 platform (#12193)
Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
Better description and test scenarios for set_nftables_table (#11991)
CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
Correct the platform for rule package_iptables-persistent_removed (#12195)
Disable OSPP Profile for RHEL 10 (#12223)
Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
Ensure code consistency by using aide_conf_path var (#12066)
Ensure that security_patches_up_to_date is not built with remediations (#11995)
Exclude package_screen_installed from RHEL 10 OSPP (#12179)
Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
Fix missing variable for Ubuntu 22.04 (#11973)
Fix package name for libpam-pkcs11 on Ubuntu (#11854)
Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
Fix pwquality package name for Ubuntu 22.04 (#11919)
Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
Fix rule name in Ubuntu 22.04 STIG profile (#11971)
Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
Guide/anssi r45 (#12129)
increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
Make the behavior of chronyd_sync_clock rule more consistent (#12039)
Modify rule file_groupowner_system_journal (#11836)
Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
OCPBUGS-1316: Add missing variable reference to rules (#12012)
OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
OCPBUGS-33945: select required SSHD timeout rule (#12091)
OSPP profile, use Logind session timeout feature instead of tmux (#12212)
Override few variables for Ubuntu 22.04 (#11928)
remove logind_session_timeout from stig_gui profiles (#12086)
Remove rhel7 only rules (#12112)
Revert changes to no_empty_passwords for Ubuntu (#11918)
Slmicro5 stig add privileged commands support (#12221)
Support all boolean values in dnf.conf (#11965)
Update rules related to PAM hashing algorithm (#12164)
Update SLE15 STIG version to V1R13 (#11921)
Updated 10 rules to support SLE Micro 5 (#12210)

Removed Products

Remove Debian 10 Product (#12205)
Remove Red Hat Enterprise Linux 7 product (#12093)

Changes in Remediations

Improve remediation for enable_authselect (#12038)
Achieve consistent file and directory permissions for systemd journals (#11974)
Add ansible automation for configure_usbguard_auditbackend (#12092)
Add ansible remediation for account_password_selinux_faillock_dir (#12094)
Add ansible remediation for accounts_user_dot_no_world_writable_programs rule (#12213)
Add ansible remediation for no_tmux_in_shells rule (#12138)
add namespace parameter for cluster-test (#11824)
Add SCE check for ufw_rate_limit for Ubuntu (#11998)
Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
Adjust bash template (group)file_owner to follow symlinks (#12214)
align template systemd_dropin_configuration (#12054)
Create dconf db directory for local profile (#12079)
Create file if it doesn't exist for coredump rules (#12181)
Ensure that security_patches_up_to_date is not built with remediations (#11995)
Fix bash_package_installed macro (#12140)
Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll (#11958)
Fix permissions for dconf db on Ubuntu (#12056)
Fix Ubuntu faillock (#11932)
Introduce new remediation type Kickstart (#12144)
Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
Simplify use of ansible_ensure_pam_module_option macro (#12159)
Slmicro5 auth,security and audit STIG rules (#12192)
templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
Update ansible remediation CCE-85972-8 to support idempotency (#12152)
Update rules related to PAM hashing algorithm (#12164)

Changes in Checks

Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on Ubuntu 22.04 (#11969)
Fix broken OVAL metadata (#12151)
Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
Honour the no_quotes paramter of oval_check_dropin_file macro (#12173)
Improve OVAL readability in auditd_audispd_configure_sufficiently_large_partition (#12083)
Improve Rsyslog rules to support RainerScript syntax (#12010)
Slmicro5 auth,security and audit STIG rules (#12192)
templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
Update OVAL check in accounts_password_last_change_is_in_past (#12177)
Update rules related to PAM hashing algorithm (#12164)

Changes in the Infrastructure

Add a script for finding unused rules (#12110)
Add option to build per rule playbook via build_product script (#12105)
Allow multiple control files to add the same reference type (#12165)
Ensure that RHEL 10 has CCEs (#12137)
Expand CCE Available Test to OCP4 (#12114)
Fix Filename for UBI test (#12115)
Fix Nightly Build - Debian 12 (#12033)
Improve error handling when loading yaml stream (#11962)
Include product property in profile class (#12050)
Install dependency "xmllint" package (#12080)
Mark some scenarios as specific to SCE (#12052)
OCP Update variable filter to consider go_template (#11906)
Remove duplicate product (#12049)
Review and reorganize CMakeLists.txt file (#12000)
Show most used rules of component (#12001)
Stop building -ds-1.2.xml data streams (#11990)
Update Gating (#12041)

Changes in the Test Suite

Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
Add Ubuntu 22.04 Automatus workflow (#12058)
Automatus to UBI 8 (#12100)
Better description and test scenarios for set_nftables_table (#11991)
Clean Up Tests Due to RHEL 7 Removal (#12101)
Disable service_enabled templated test for service_bluetooth_disabled (#12211)
Do not run package_audit-libs_installed package removal test scenarios (#12099)
Fix crypto policy in CIS test scenario (#12098)
Fix OL7 GH Action (#12143)
Fix platforms -> platform in test metadata (#12057)
Fix regex in file_ownership_audit_configuration (#12029)
Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
Github Action Ansible shell module changes check (#12014)
Include test scenario for multiple partitions (#11950)
Make Rawhide CI Green (#12065)
OCP4: Add workflow to test ocp content (#11615)
OCP4: use new assertion formate for OCP CI (#11790)
Pin GitHub actions using Frizbee (#12082)
Populate _rule_id virtual template parameter in Automatus (#11943)
Remove the excluded_files (#12196)
Validate Automatus Metadata (#12059)

Documentation

Add script to Create a Control file from references (#11916)
Additional updates in kernel_module_disabled template (#12160)
Bump version after release (#12025)
Fix a typo (#12017)
Fix typos in notes for ocp4 controls (#11963)
Update Contributors for v0.1.74 (#12225)
Update control schema (#11942)
Update RHEL 8 STIG SCAP Content to V1R13 (#12219)

Assets 6

16 May 18:44

github-actions

v0.1.73

2bf9d43

Content 0.1.73

Important Highlights

CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
Generate rule references from control files (#11540)
Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)

New Rules and Profiles

Add and modify rules file/dir_permissions_system_journal (#11840)
Add ANSSI Profiles for RHEL 10 (#11787)
Add initial RHEL 10 PCI DSS profile (#11872)
Add new rule file_permissions_sudo (#11584)
Add new templated rules for System.map files (#11640)
ANSSI R31 updates (#11560)
Audit watch on /etc/sysconfig/network-scripts (#11724)
CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
Implement ANSSI requirement R69 for RHEL (#11663)
Improve ANSSI R28 (#11626)
Inital RHEL 10 STIG (#11793)
Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
Openembedded fixes (#11652)
Update ANSSI R50 (#11588)

Updated Rules and Profiles

[Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
Add a note to ANSSI R23 (#11571)
Add a warning to sshd_limit_user_access (#11507)
Add automation to enable faillock rules (#11458)
Add platform machine to systctl.d rules (#11622)
Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
Additional updates in kernel_module_disabled template (#11508)
Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
ANSSI R31 updates (#11560)
api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
CMP 2453 pci dss requirement 1 (#11725)
CMP-2365: Fix check for rotating kubelet server certificates (#11543)
CMP-2372: Remove info override for virtual syscall rules (#11544)
CMP-2378: Fix OCP version regex (#11499)
CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
CMP-2471: Disable rules on s390x (#11743)
Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
Do not require existence of /var/tmp/tmp-inst (#11762)
Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
extend the explanation why ANSSI R52 requirement is manual (#11629)
Fix #11895 issue (#11897)
Fix #11898 issue (#11899)
Fix #11902 issue (#11905)
Fix dconf package name for Ubuntu (#11821)
Fix description for auditd_max_log_file_action (#11585)
Fix kdump service name on Ubuntu 22.04 (#11914)
Fix OCP node OVN check (#11861)
Fix rule for accounts_authorized_local_users in SLE15 (#11602)
Fix SCE check for ip6tables_rules_for_open_ports (#11849)
Fix SCE checks for iptables_loopback_traffic (#11850)
HIPAA profile for SLE 15 - update (#11582)
Implement ANSSI requirement R69 for RHEL (#11663)
Improve ANSSI R28 (#11626)
Improve Rsyslog Rainer regex to find log files (#11808)
Improve title of CCN profiles for RHEL9 (#11852)
Make package installation for iptables and nftables mutually exclusive (#11191)
mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
OCP4: Add rule to check ACS sensor deployed (#11675)
OCP4: Fix rules with both platform and platforms (#11760)
OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
Openembedded fixes (#11652)
put exec back to configure_bashrc_exec_tmux (#11561)
Remove disabling_ipv6_autoconfig rule (#11550)
Replace dead HTML links for the chronyd project (#11799)
RHEL-09-232045: align with STIG (#11890)
Rule had incorrect CRD reference rule.yml (#11823)
Set the requires to sshd_set_keepalive on sshd_set_idle_timeout (#11815)
sysctl template: allow skipping of runtime checks (#11574)
trivial: fix linting issue (#11711)
trivial: Update link to audit profile documentation link (#11732)
Try 4110 for file_permissions_sudo (#11805)
ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
Update ANSSI R29 requirement (#11633)
Update ANSSI R32 (#11570)
Update ANSSI R36 requirement (#11632)
Update ANSSI R40 (#11563)
Update ANSSI R50 (#11588)
Update ANSSI R67 requirement (#11642)
Update ANSSI R68 (#11580)
Update ANSSI R71 (#11578)
Update audit_ospp_general (#11519)
Update CIS requirement status (#11784)
Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
Update CIS RHEL8 requirements related to crypto (#11506)
update cryptopolicy used in CUI profile to fips (#11792)
Update notes in ANSSI R3 (#11680)
update notes of the R36 requirement for ANSSI (#11639)
Update ol8 pcidss (#11867)
Update ol8 profiles (#11829)
Update ol8 stig (#11828)
Update ol8 stig reference (#11884)
Update ol9 pcidss (#11873)
Update ol9 profiles (#11846)
Update RHEL 8 STIG to V1R14 (#11878)
Update RHEL9 STIG to V1R3 (#11877)
Update SLE12 STIG to V2R13 (#11599)
Update SLE15 STIG to V1R12 (#11598)
update sles oval feed url (#11461)
Update SRG GPOS Control File (#11634)
Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
Update STIG PSC Content (#11664)
Update sudo_dedicated_group (#11586)
Use string instead of number in oauth variable (#11613)
Use controls to assign ANSSI references (#11556)

Changes in Remediations

[stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
[stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
[Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
[Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
accounts_passwords_pam_tally2_deny_root fix (#11676)
Add Ansible remediation to sssd_enable_pam_services (#11796)
Add Ansible Remediations (#11763)
Add root user to interactive users (#11729)
Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
Additional updates in kernel_module_disabled template (#11508)
Align securetty_root_login_console_only remediations with OVAL/rule description (#11716)
Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
Changes in template service_disabled - ansible part (#11645)
Disallow spaces in SSSD certificate_verification option (#11728)
Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
Fix ansible lint for SLE platforms (#11911)
fix ansible SLES stig remediations in check mode (#11248)
Fix Bash remediation of firewalld-based rules for offline mode (#11868)
Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
Fix non-idempotent bash remediation for sysctl template (#11671)
fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
Fix ubuntu remediation for pam_faildelay (#11532)
Fix Ubuntu remediation for pam_faillock rules (#11488)
Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
Issue when using set -e with grep commands (#11712)
Make Blueprint for service_disabled template to mask services (#11679)
OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
pam_options ansible template dry-run fix (#11677)
Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
remove prodtype from add_kubernetes_rule (#11500)
Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
set indent to 4 (#11530)
Simplify output of ip link show command (#11657)
update links and unify documentation in kickstart files (#11765)
Update links for Ansible role (#11737)
Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
use failed_when:false for Ansible register: checks (#11782)

Changes in Checks

accounts_passwords_pam_tally2_deny_root fix (#11676)
Add root user to interactive users (#11729)
Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
App armor oval check (#11273)
Correction in oval part ensure_gpgcheck_globally_activated (#11709)
Disallow spaces in SSSD certificate_verification option (#11728)
Enforce explicit setting in password-auth (#11742)
Enforce explicit setting in system-auth (#11740)
Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
Fix macro for extracting local interactive users (#11589)
Fix regression in grub2_bootloader_argument (#11768)
Make additional check if selinux is enabled and operational (#11510)
Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
Restrict the list of accepted shells in no_shelllogin_for_systemaccounts...

Assets 6

09 Feb 13:29

github-actions

v0.1.72

7fb44f7

Content 0.1.72

Important Highlights

ANSSI BP 028 profile for debian12 (#11368)
Building on Windows (#11406)
Control for BSI APP.4.4 (#11342)
update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks

New Rules and Profiles

Add alinux2/alinux3 support for pci-dss compliance (#11398)
Add anolis23/anolis8 support for pci-dss compliance. (#11401)
Add new rule file_cron_allow_exists (#11441)
Add rules for /etc/shells (#11467)
Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
ANSSI BP 028 profile for debian12 (#11368)
Control for BSI APP.4.4 (#11342)
Add rules for /etc/shells (#11467)
Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)

Updated Rules and Profiles

Review CIS RHEL8 v3.0.0 Section 3 (#11469)
Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
Add package_firewalld_installed to RHEL 9 CIS (#11351)
align description of audit_rules_kernel_module_loading (#11443)
Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
align rule audit_rules_privileged_commands_kmod (#11320)
Allow spaces in rule sudo_custom_logfile (#11433)
Enable Rules For OSBuild (#11362)
enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
Fix a duplication of the code ID 3.5.2.1 (#11421)
Fix ANSSI URL in control file and update RHEL profiles (#11365)
Fix RHEL 8 STIG version (#11515)
Fix Service Applicability for RHEL 9 Profiles (#11367)
Handle rules trying to remove no longer existing packages (#11354)
Improve Performance on rules probing the whole file system (#11319)
Minor modifications to RHEL STIG profiles (#11327)
Move to /bin/false for disabling kernel modules (#11475)
Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
Remove irrelevant rules from PCI-DSS profiles (#11338)
Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
Remove warning from kubelet rule (#11243)
Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
Review rpm_verify_hashes rule (#11332)
Review rpm_verify_ownership rule (#11333)
Review rpm_verify_permissions rule (#11335)
RHEL 7: change how xwindows is disabled in CIS profile (#11466)
RHEL 8: align with CIS 3, section 2 (#11457)
RHEL7 CIS: align section 2 with the final version (#11453)
Stablization: Update audit_ospp_general (#11520)
Support drop-in config in journald rules on RHEL (#11440)
Update CIS profiles descriptions (#11491)
Update grub2_mitigation_argument (#11271)
Update OL stig references (#11472)
Update OL8 STIG id references (#11451)
Update OL8 stig selection for OL08-00-040259 (#11312)
Update Oracle Linux anssi profiles (#11313)
Update RHEL 7 CIS Section 1 (#11449)
Update RHEL 7 STIG to V3R14 (#11477)
Update RHEL 8 STIG to V1R13 (#11478)
Update RHEL 9 STIG to V1R2 (#11479)
Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
Update STIG version for SLES 12 and SLES 15 (#11357)
Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
Use correct HTML element for inline code (#11408)
various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)

Changes in Remediations

[Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
Add blueprint remedation for enable_fips_mode (#11363)
Add check if to continue with ansible task (#11299)
add explaining comment to mount_option bash template (#11444)
Add support to disable wifi interfaces via wicked (#11428)
Ansible: change the sysctl module fqcn for rhel7 product (#11465)
configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
Do not change comments by remediations (#11434)
Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
Fix in sebool ansible (#11245)
Fix ShellCheck Issues in CPE Checks (#11322)
fix: service_timesyncd_configured (#11410)
Make some improvements to bash remediation template (#11361)
Move to /bin/false for disabling kernel modules (#11475)
Sle15 fix ansible cis remediations (#11258)
Sle15 fix ansible hipaa remediation (#11264)
Sle15 fix ansible pci-dss remediations in check mode (#11263)
Stabilization - Fix Ansible compatibility with sysctl module (#11538)
Support drop-in config in journald rules on RHEL (#11440)
Turn off blueprint for package_MFEhiplsm_installed (#11350)
Turn off remedations for /dev/shm (#11364)
Use commit hash for image tag (#11233)

Changes in Checks

Add ocp platforms to some eks shared OVALs (#11436)
Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
Fix invoke parent's init function (#11400)
Generate OVAL document for each rule (#11291)
Improve Performance on rules probing the whole file system (#11319)
Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
Review rpm_verify_ownership rule (#11333)
Review rpm_verify_permissions rule (#11335)
Support drop-in config in journald rules on RHEL (#11440)
Update Select SSSD Rules for RHEL 7 STIG Update (#11476)

Changes in the Infrastructure

Add Gate tests back to master (#11331)
Add missing group.yml (#11373)
Add Windows CI (#11412)
add XSLT_PATH prefix with environment override (#11390)
Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
Building on Windows (#11406)
Control Files' level key must be an array (#11417)
Fix Debian 10 CI (#11426)
Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
Fix invoke parent's init function (#11400)
Fixes update-oscal.yml to remove env context from matrix variables (#11374)
Generate OVAL document for each rule (#11291)
Ignore mypy in the EOF Checker (#11323)
OCP4: Update k8s action to build image on new PR (#11384)
Refactoring: Remove 'prodtype' Mk.2 (#11378)
Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
remove the task which deletes artifacts from automatus GH workflows (#11482)
Update GitHub Artifacts Action Steps to v4 (#11411)
Validate levels in controls (#11427)
We should raise NotImplementedError (#11414)

Changes in the Test Suite

Allow tests/test_product_stability.py to be executed (#11464)
Fix OpenEmbedded name in test stability (#11463)
Fix Secure Boot Automatus VM Installs (#11239)
Fix tests for sudo_require_authentication (#11315)
OCP4: Fix e2e result on OCP 4.14 changes (#11207)
Update test-check-eof for smoke test (#11402)
Update Install VM to use Fedora 39 (#11418)

Documentation

Add documentation of the steps that OVAL content goes through during the build (#11336)
Add GitHub Actions Style Guide (#11330)
Add STIG Tables for RHEL 9 (#11376)
bump version to 0.1.72 (#11308)
Finish rename to Automatus (#11404)
Fix broken formatting (#11403)
Remove all contributors file (#11317)
Update contributors list for v0.1.72 release (#11483)
Update SRG GPOS to V2R7 (#11480)

Assets 6

0 Join discussion

08 Dec 14:17

github-actions

v0.1.71

459f0ab

Content 0.1.71

Important Highlights

Add RHEL 9 STIG (#11193)
Add support for Debian 12 (#11228)
Update PCI-DSS profile for RHEL (#11267)

New Rules and Profiles

New Rule: networkmanager_dns_mode (#11160)

Updated Rules and Profiles

Add remediation and OVAL for UBTU-20-010297 (#11098)
Add SRG id to file_owner_grub2_cfg for RHEL 9 STIG (#11261)
Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
Added missing variables to ubuntu profiles (#11227)
Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
Corrections in bash/ansible remedition of the rule audit_rules_privil… (#11196)
Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
Daily prod fix: return rhel7 prodtypes to some rules (#11303)
Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
Fix audit_rules_privileged_commands_kmod (#11277)
Fix multiple STIG IDs for RHEL8 (#11250)
Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
fix ssh-keysign path for UBTU-20-010141 (#11082)
Fix ssh-keysign path for Ubuntu 22.04 (#11297)
Fixes for kernel_config_security rules (#11259)
Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
Make selinux context elevation for sudo more flexible (#11224)
Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
remove sle15 from package_samba_common_installed (#11231)
Review and Update pcidss_4 control file (#11214)
Update PCI-DSS profile for RHEL (#11267)
Update RHEL 7 STIG V3R13 (#11223)
Update RHEL 8 STIG to V1R12 (#11219)

Changes in Remediations

Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
Fix sudo_require_reauthentication remediations edge case (#11279)
Improve stability of timesyncd based remediation (#11247)
Include remediation for fapolicy_default_deny rule (#11211)
Refactor ensure_pam_wheel_group_empty rule (#11192)
remove duplicated multi_platform_sle in bash.template (#11244)
Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
Update sshd lineinfile (#11151)

Changes in Checks

Fix kernel_module_disabled template for Ubuntu (#11294)
Include dracut filter to audit_rules_privileged_commands (#11246)
Integration of the OVAL object model into the combine_ovals.py script (#11236)
Modification of the OVAL linker to use the OVAL object model (#11290)
Prepare OVAL object model for integration (#11206)
Refactor ensure_pam_wheel_group_empty rule (#11192)
Reference validation in OVAL document object (#11235)
SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)

Changes in the Infrastructure

Access to enable the logging of the combine_oval.py script (#11260)
Add .github to EOF checker (#11287)
Add a better Error Message For Undefined Identifier Types (#11213)
Add alternatives to mandatory keys (#11268)
Add Better a Error Message For Undefined Reference Types (#11159)
Avoid duplicate loading of component files (#11195)
controleval.py: Return empty list when parameter is not found (#11300)
Fix CI job after Fedora 39 release (#11256)
Integration of the OVAL object model into the combine_ovals.py script (#11236)
Make prodtype Required in JSON Schema (#11281)
Modification of the OVAL linker to use the OVAL object model (#11290)
Move jqfilter parameter to common parser (#11232)
Reference validation in OVAL document object (#11235)
remove some unnecessary imports (#11175)
remove unused code (#11187)
Update Ansible Lint Config (#11283)
Use up to date build_ds_container script in add_platform_rule.py (#11042)

Changes in the Test Suite

Add package requirement for auditctl tests (#11181)
Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
Enable PCI-DSS in test-farm tests (#11257)
Fix rpm python package SLE15 Automatus docker file (#11212)
Fix SLE15 tests (#11172)
Include dracut filter to audit_rules_privileged_commands (#11246)
Include remediation for fapolicy_default_deny rule (#11211)
New Rules Must Have a prodtype (#11252)
Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
Require SRG Reference for Rules with STIG Reference (#11265)

Documentation

Add stabilization phase description to developers guide (#11234)
Bump version for 0.1.71 (#11168)
Documentation for tool tox (#11165)
Fix docs for utils.add_kubernetes_rule (#11238)
update list of contributors before 0.1.71 release (#11307)
Update Style Guide to Ensure that PR Titles are Useful (#11284)

Assets 6

Releases: ComplianceAsCode/content

Content 0.1.80

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Changes in the Test Suite

Fixed Bugs

Uh oh!

Content 0.1.79

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Removed Products

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Changes in the Test Suite

Documentation

Fixed Bugs

Uh oh!

Content 0.1.78

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Removed Products

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Changes in the Test Suite

Documentation

Fixed Bugs

Uh oh!

Content 0.1.77

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Removed Products

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Uh oh!

Content 0.1.76

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Uh oh!

Content 0.1.75

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Removed Products

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Changes in the Test Suite

Documentation

Fixed Bugs

Uh oh!

Content 0.1.74

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Removed Products

Changes in Remediations

Changes in Checks

Changes in the Infrastructure

Changes in the Test Suite

Documentation

Uh oh!

Content 0.1.73

Important Highlights

New Rules and Profiles

Updated Rules and Profiles

Changes in Remediations

Changes in Checks

Uh oh!

Content 0.1.72