ComplianceAsCode Content Versions Save

Security automation content in SCAP, Bash, Ansible, and other formats

v0.1.72

2 months ago

Important Highlights

ANSSI BP 028 profile for debian12 (#11368)
Building on Windows (#11406)
Control for BSI APP.4.4 (#11342)
update to CIS RHEL 7 and RHEL 8 profiles aligning them with the latest benchmarks

New Rules and Profiles

Add alinux2/alinux3 support for pci-dss compliance (#11398)
Add anolis23/anolis8 support for pci-dss compliance. (#11401)
Add new rule file_cron_allow_exists (#11441)
Add rules for /etc/shells (#11467)
Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
ANSSI BP 028 profile for debian12 (#11368)
Control for BSI APP.4.4 (#11342)
Add rules for /etc/shells (#11467)
Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)

Updated Rules and Profiles

Review CIS RHEL8 v3.0.0 Section 3 (#11469)
Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
Add package_firewalld_installed to RHEL 9 CIS (#11351)
align description of audit_rules_kernel_module_loading (#11443)
Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
align rule audit_rules_privileged_commands_kmod (#11320)
Allow spaces in rule sudo_custom_logfile (#11433)
Enable Rules For OSBuild (#11362)
enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
Fix a duplication of the code ID 3.5.2.1 (#11421)
Fix ANSSI URL in control file and update RHEL profiles (#11365)
Fix RHEL 8 STIG version (#11515)
Fix Service Applicability for RHEL 9 Profiles (#11367)
Handle rules trying to remove no longer existing packages (#11354)
Improve Performance on rules probing the whole file system (#11319)
Minor modifications to RHEL STIG profiles (#11327)
Move to /bin/false for disabling kernel modules (#11475)
Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
Remove irrelevant rules from PCI-DSS profiles (#11338)
Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
Remove warning from kubelet rule (#11243)
Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
Review rpm_verify_hashes rule (#11332)
Review rpm_verify_ownership rule (#11333)
Review rpm_verify_permissions rule (#11335)
RHEL 7: change how xwindows is disabled in CIS profile (#11466)
RHEL 8: align with CIS 3, section 2 (#11457)
RHEL7 CIS: align section 2 with the final version (#11453)
Stablization: Update audit_ospp_general (#11520)
Support drop-in config in journald rules on RHEL (#11440)
Update CIS profiles descriptions (#11491)
Update grub2_mitigation_argument (#11271)
Update OL stig references (#11472)
Update OL8 STIG id references (#11451)
Update OL8 stig selection for OL08-00-040259 (#11312)
Update Oracle Linux anssi profiles (#11313)
Update RHEL 7 CIS Section 1 (#11449)
Update RHEL 7 STIG to V3R14 (#11477)
Update RHEL 8 STIG to V1R13 (#11478)
Update RHEL 9 STIG to V1R2 (#11479)
Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
Update STIG version for SLES 12 and SLES 15 (#11357)
Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
Use correct HTML element for inline code (#11408)
various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)

Changes in Remediations

[Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
Add blueprint remedation for enable_fips_mode (#11363)
Add check if to continue with ansible task (#11299)
add explaining comment to mount_option bash template (#11444)
Add support to disable wifi interfaces via wicked (#11428)
Ansible: change the sysctl module fqcn for rhel7 product (#11465)
configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
Do not change comments by remediations (#11434)
Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
Fix in sebool ansible (#11245)
Fix ShellCheck Issues in CPE Checks (#11322)
fix: service_timesyncd_configured (#11410)
Make some improvements to bash remediation template (#11361)
Move to /bin/false for disabling kernel modules (#11475)
Sle15 fix ansible cis remediations (#11258)
Sle15 fix ansible hipaa remediation (#11264)
Sle15 fix ansible pci-dss remediations in check mode (#11263)
Stabilization - Fix Ansible compatibility with sysctl module (#11538)
Support drop-in config in journald rules on RHEL (#11440)
Turn off blueprint for package_MFEhiplsm_installed (#11350)
Turn off remedations for /dev/shm (#11364)
Use commit hash for image tag (#11233)

Changes in Checks

Add ocp platforms to some eks shared OVALs (#11436)
Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
Fix invoke parent's init function (#11400)
Generate OVAL document for each rule (#11291)
Improve Performance on rules probing the whole file system (#11319)
Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
Review rpm_verify_ownership rule (#11333)
Review rpm_verify_permissions rule (#11335)
Support drop-in config in journald rules on RHEL (#11440)
Update Select SSSD Rules for RHEL 7 STIG Update (#11476)

Changes in the Infrastructure

Add Gate tests back to master (#11331)
Add missing group.yml (#11373)
Add Windows CI (#11412)
add XSLT_PATH prefix with environment override (#11390)
Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
Building on Windows (#11406)
Control Files' level key must be an array (#11417)
Fix Debian 10 CI (#11426)
Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
Fix invoke parent's init function (#11400)
Fixes update-oscal.yml to remove env context from matrix variables (#11374)
Generate OVAL document for each rule (#11291)
Ignore mypy in the EOF Checker (#11323)
OCP4: Update k8s action to build image on new PR (#11384)
Refactoring: Remove 'prodtype' Mk.2 (#11378)
Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
remove the task which deletes artifacts from automatus GH workflows (#11482)
Update GitHub Artifacts Action Steps to v4 (#11411)
Validate levels in controls (#11427)
We should raise NotImplementedError (#11414)

Changes in the Test Suite

Allow tests/test_product_stability.py to be executed (#11464)
Fix OpenEmbedded name in test stability (#11463)
Fix Secure Boot Automatus VM Installs (#11239)
Fix tests for sudo_require_authentication (#11315)
OCP4: Fix e2e result on OCP 4.14 changes (#11207)
Update test-check-eof for smoke test (#11402)
Update Install VM to use Fedora 39 (#11418)

Documentation

Add documentation of the steps that OVAL content goes through during the build (#11336)
Add GitHub Actions Style Guide (#11330)
Add STIG Tables for RHEL 9 (#11376)
bump version to 0.1.72 (#11308)
Finish rename to Automatus (#11404)
Fix broken formatting (#11403)
Remove all contributors file (#11317)
Update contributors list for v0.1.72 release (#11483)
Update SRG GPOS to V2R7 (#11480)

v0.1.71

4 months ago

Important Highlights

Add RHEL 9 STIG (#11193)
Add support for Debian 12 (#11228)
Update PCI-DSS profile for RHEL (#11267)

New Rules and Profiles

New Rule: networkmanager_dns_mode (#11160)

Updated Rules and Profiles

Add remediation and OVAL for UBTU-20-010297 (#11098)
Add SRG id to file_owner_grub2_cfg for RHEL 9 STIG (#11261)
Add var_networkmanager_dns_mode to RHEL 9 STIG (#11242)
Added missing variables to ubuntu profiles (#11227)
Bump OL7 & OL8 STIG versions to V2R13 & V1R8 respectively (#11280)
Corrections in bash/ansible remedition of the rule audit_rules_privil… (#11196)
Daily prod fix: add enable_authselect rule to pci-dss control file (#11295)
daily prod fix: add rhel8 and rhel9 prodtypes to some rules (#11296)
Daily prod fix: return rhel7 prodtypes to some rules (#11303)
Enable ansible remediation for MACs SSH UBTU-20-010043 (#11088)
Fix audit_rules_privileged_commands_kmod (#11277)
Fix multiple STIG IDs for RHEL8 (#11250)
Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
fix ssh-keysign path for UBTU-20-010141 (#11082)
Fix ssh-keysign path for Ubuntu 22.04 (#11297)
Fixes for kernel_config_security rules (#11259)
Include rhel9 in prodtype for directory_access_var_log_audit (#11270)
Make selinux context elevation for sudo more flexible (#11224)
Minor fix for pam_faillock regex on Ubuntu (5.4.2) (#11205)
Modified 'ensure_rsyslog_log_file_conf' OVAL to allow user/groupnames (#11226)
remove sle15 from package_samba_common_installed (#11231)
Review and Update pcidss_4 control file (#11214)
Update PCI-DSS profile for RHEL (#11267)
Update RHEL 7 STIG V3R13 (#11223)
Update RHEL 8 STIG to V1R12 (#11219)

Changes in Remediations

Add ansible remediation for root group owner of audit for UBTU-20-010124 (#11092)
Fix and modify UBTU-20-010463 (no_empty_passwords) (#11282)
Fix for rsyslog_logfiles_attributes_modify remediation for Ubuntu (#11225)
Fix path for aide to /etc/aide/aide.conf for UBTU-20-010205 (#11066)
Fix sudo_require_reauthentication remediations edge case (#11279)
Improve stability of timesyncd based remediation (#11247)
Include remediation for fapolicy_default_deny rule (#11211)
Refactor ensure_pam_wheel_group_empty rule (#11192)
remove duplicated multi_platform_sle in bash.template (#11244)
Remove groupmems command from ensure_pam_wheel_group_empty rule (#11210)
SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)
Small changes in bash and ansible fixes of the rule aide_build_database (#11158)
Update ansible in sshd_use_approved_kex_ordered_stig (#11148)
Update sshd lineinfile (#11151)

Changes in Checks

Fix kernel_module_disabled template for Ubuntu (#11294)
Include dracut filter to audit_rules_privileged_commands (#11246)
Integration of the OVAL object model into the combine_ovals.py script (#11236)
Modification of the OVAL linker to use the OVAL object model (#11290)
Prepare OVAL object model for integration (#11206)
Refactor ensure_pam_wheel_group_empty rule (#11192)
Reference validation in OVAL document object (#11235)
SLE15 prefer systemd unit handling of AIDE checks and notifications (#11178)

Changes in the Infrastructure

Access to enable the logging of the combine_oval.py script (#11260)
Add .github to EOF checker (#11287)
Add a better Error Message For Undefined Identifier Types (#11213)
Add alternatives to mandatory keys (#11268)
Add Better a Error Message For Undefined Reference Types (#11159)
Avoid duplicate loading of component files (#11195)
controleval.py: Return empty list when parameter is not found (#11300)
Fix CI job after Fedora 39 release (#11256)
Integration of the OVAL object model into the combine_ovals.py script (#11236)
Make prodtype Required in JSON Schema (#11281)
Modification of the OVAL linker to use the OVAL object model (#11290)
Move jqfilter parameter to common parser (#11232)
Reference validation in OVAL document object (#11235)
remove some unnecessary imports (#11175)
remove unused code (#11187)
Update Ansible Lint Config (#11283)
Use up to date build_ds_container script in add_platform_rule.py (#11042)

Changes in the Test Suite

Add package requirement for auditctl tests (#11181)
Add ubuntu 20.04 to audit_rules_kernel_module_loading_delete tests (#11274)
Add Ubuntu to audit_rules_kernel_module_loading tests (#11298)
Enable PCI-DSS in test-farm tests (#11257)
Fix rpm python package SLE15 Automatus docker file (#11212)
Fix SLE15 tests (#11172)
Include dracut filter to audit_rules_privileged_commands (#11246)
Include remediation for fapolicy_default_deny rule (#11211)
New Rules Must Have a prodtype (#11252)
Remove broken test for Ubuntu in template kernel_module_disabled (#11288)
Require SRG Reference for Rules with STIG Reference (#11265)

Documentation

Add stabilization phase description to developers guide (#11234)
Bump version for 0.1.71 (#11168)
Documentation for tool tox (#11165)
Fix docs for utils.add_kubernetes_rule (#11238)
update list of contributors before 0.1.71 release (#11307)
Update Style Guide to Ensure that PR Titles are Useful (#11284)

v0.1.70

6 months ago

Important Highlights

Add openembedded distro support (#10793)
Remove DRAFT wording for OpenShift STIG (#11100)
Remove test-function-check_playbook_file_removed_and_added test (#10982)
scap-security-guide: Add Poky support (#11046)

New Rules and Profiles

Add rule package_s-nail-installed (#11144)
Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)

Updated Rules and Profiles

A correction in the rule pam_disable_automatic_configuration (#10902)
accounts_umask_etc_bashrc: depend on bash being installed (#10915)
Add a two rules to RHEL 9 STIG (#10910)
Add additional rules from CIS Level 1 to SAP hardening profile (#10965)
Add missing CIS references for SLE platforms (#11024)
Add mount platform to mount_option_var_nosuid (#11037)
Add rule logind_session_timeout to OL8 STIG (#10917)
Add SELinux as platform (#11138)
Add SRG ID to logind_session_timeout (#10936)
Add tmux platform to tmux related rules (#11017)
Add UBTU-20-010044 to existing ansible remediation (#11073)
Add UBTU-20-010181 for generating audit record for unsuccessful attem… (#11057)
Add UBTU-20-010401 to restrict kernel message buffer (#11063)
Add UBTU-20-010461 to ensure kernel module usb-storage is blacklisted… (#11062)
Add UBTU-20-010462 to lock accounts without passwords (#11060)
Add UBTU-20-010463 to ensure system does not allow accounts configure… (#11061)
Add variable support to auditd_name_format rule (#11019)
Add version for OCP CIS (#11152)
Add version for OCP STIG (#11153)
Add version metadata to the OCP PCI-DSS profile (#11155)
Add warning to network_configure_name_resolution (#10997)
Allow default permission for user.cfg file in UEFI systems (#10884)
ANSSI: add rules to enable auditing service (#11005)
Build OCP STIG profiles by default (#11132)
Change how example ROLE_LIST are formatted (#11123)
Change rule to use variable when auditing faillock (#11007)
Changes in SLE 12/15 profiles to support logrotate service (#10796)
Couple of fixes in PAM related rules for SLE platforms (#11014)
Create runtime_kernel_fips_enabled cpe and apply it to service_rngd_enabled for OL8 (#10916)
Deprecate UBTU-20-010180 (#11079)
Disable sysctl_kernel_yama_ptrace_scope rule for sle15 (#11139)
Drop hmac-ripemd160 sshd mac from strong MACs list (#10739)
Enable ansible and bash remediation for sssd for UBTU-20-010441 (#11097)
Enable logrotate.timer check on RHCOS4 (#11045)
Enable package_cryptsetup-luks_installed rule for RHEL9 (#10948)
Express more accurate per package platform limitation for firewall rules (#10812)
Fix excluded_files and recursive for UBTU-20-010416 (#11086)
Fix in audit_rules_systadmin_actions and new rule audit_rules_sysadmi… (#10685)
Fix into the rule sysctl_kernel_randomize_va_space (#10555)
fix naming for UBTU-20-010430 (#11056)
Fix package_audit-libs_installed rule.yml (#11127)
Fix rule ubtu 20 010033 (#11065)
Fix STIG references for SLE15 (#10850)
Fix UBTU-20-010179 to use proper parameters and key (#11080)
Fix UBTU-20-010267 and deprecate STIGs (#11084)
Fix UBTU-20-10450 STIG (#11058)
Fix variable selection when selecting the default value (#11015)
Implement rules for CIS OCP Section 1.4 (#10840)
Include new options in var_accounts_minimum_age_login_defs (#11052)
Include RHEL indentifiers in logrotate related rules (#10904)
Introduce secure_boot & kernel_uek cpes and use them in sysctl_kernel_kexec_load_disabled (#10919)
iptables_ruleset_modifications: depend on iptables being installed (#11030)
no_rsh_trust_files: depend on rsh-server being installed (#10809)
OCP4 CIS: Re-add forgotten rules (#10864)
OCPBUGS-10508: Add quotes around SCC audit procedure (#10940)
OCPBUGS-16628: Fix namespace when checking the hosted clusters (#10987)
OCPBUGS-16877: Check for etcd pod specification in /etc/kubernetes/manifests (#10964)
OCPBUGS-16877: Update etcd member rules texts' to align with the checks (#10970)
OCPBUGS-17216: Update rotate certificates check for OCP 4.14 (#10973)
OCPBUGS-7455: Hide API warning messages (#10971)
OL7 DISA STIG v2r12 update (#10921)
Port over etcd encryption rule from CIS 1.3 controls (#10753)
Refactor display_login_attempts rule for simplicity and avoid noise (#10979)
Remove controller_rotate_kubelet_server_certs from OCP CIS v.1.4.0 (#10992)
Remove CIS reference from image policy webhook rule (#10932)
Remove DRAFT wording for OpenShift STIG (#11100)
Remove protect kernel default and sysctl rules from CIS (#10931)
remove rules not relevant to RHEL 9 from STIG profile (#10996)
Remove rules that cannot be applied during image build (#10946)
Remove sebool_secure_mode_insmod from anssi (#11001)
Remove the rule accounts_passwords_pam_faillock_interval from SLE pro… (#11115)
Remove tickets from CIS control files (#10869)
RHCOS4 STIG: Cover the controls that correspond to the AU control family (#10732)
Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
Standard Profile Improvements (#11109)
Ubuntu: Add missing nftables variables and improve remediation and checks (#11134)
Update CIS profiles to use control files (#10833)
Update kubelet event creation limit to 50 (#10950)
Update link to English version of ANSSI guide (#11038)
Update metadata of OSPP profile in RHEL8/9 (#10984)
Update OL8 STIG to V1R7 (#10918)
Update platform on bios_enable_execution_restrictions (#10880)
Update ssh stig HMACS and Ciphers allowed in OL8 STIG (#10920)
Update sshd_approved_ciphers value for RHEL in STIG profile (#10966)
Update Ubuntu 20.04 DISA Manual STIG to v1r9 (#11096)
Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)
Version FedRAMP high and moderate profiles for OpenShift (#11154)

Changes in Remediations

0640 permission in permissions_local_var_log should only apply to files (#10856)
accounts_umask_etc_bashrc: ansible: Fix bashrc path for Ubuntu (#11124)
Add Ansible remediation for directory_group_ownership_var_log_audit (#11025)
Add Ansible Remediation for directory_ownership_var_log_audit (#11012)
Add RHEL as platform in su pam wheel group remidiation (#10995)
Add rsyslog ansible remediation for UBTU-20-010403 (#11094)
Avoid Ansible shell module if not necessary (#10887)
change hardcoded value to variable in ansible of accounts_password_set_min_life_existing (#10885)
Couple of small fixes (#11004)
Drop irrelevant return statement in bash remediation (#10988)
Fix ansible remediation of configure_ssh_crypto_policy (#11008)
Fix Ansible Tasks order (#11117)
Fix bash_sshd_remediation macro on OL exclusive code (#10980)
Fix into the rule sysctl_kernel_randomize_va_space (#10555)
Fix path and add ansible remediation UBTU-20-010298 (#11087)
Fix remediation of sssd_enable_smartcards (#10981)
Fix UBTU-20-010449 ansible remediation to proper path and substitution (#11068)
Fix umask bash and Ansible (#11108)
Improve Ansible remediation for dir_perms_world_writable_sticky_bits (#10951)
improve bash remediation of mount_option template (#11009)
Improve remediation for SSH global settings (#11032)
Improve template macros for grub command line (#10989)
Minor improvements in configure_opensc_nss_db (#11044)
Modify adie db exist path for UBTU-20-010450 (#11064)
OCPBUGS-11696: Update encryption type to support 4.13 deployments (#10974)
Refactor Ansible remediations that search local file systems (#10912)
Replace shell command with find for chrony.conf files on UBTU-20-010435 (#11095)
SLE Add journald configuration droping remediations (#10671)
SLE AIDE periodic check and remediation via systemd timer (#10589)
SLE Service timesyncd configured rule (#10670)
templates: file_permissions: Improve handling of directories in ansible remediation (#10882)
Update enable_fips_mode Ansible Remedation (#11026)
Update no_legacy_plus_entries_* Ansible Remedations (#11027)
Use parameter value in ansible lineinfile macro (#10958)
Use var_accounts_passwords_pam_faillock_dir in audit_rules_login_events (#11110)

Changes in Checks

Couple of fixes in PAM related rules for SLE platforms (#11014)
enhance OVAL for enable_fips_mode (#10897)
Fix into the rule sysctl_kernel_randomize_va_space (#10555)
Improve OVAL readability in enable_fips_mode (#10911)
Improve sshd_use_approved_kex_ordered_stig (#11053)
Minor improvements in configure_opensc_nss_db (#11044)
Remove kernel cmdline check (#10961)
Select the var_accounts_passwords_pam_faillock_dir=run in RHEL7 profiles (#11163)
SLE15 audit rules mac modification usr share depends on selinux policy packages (#10883)
Sysctl template remediations do not modify package files (#10881)

Changes in the Infrastructure

Add a faster alternative for generating HTML guides (#11036)
Add Dependabot (#11113)
Add manifests to zipfile target (#10944)
Add Merge Group Trigger to Required Jobs (#11162)
Add product as parameter when building profile reports (#11023)
Add SCAPVal to Stabilize task (#11043)
Add tickets key to control validation (#10872)
Add version to profile element in the data stream (#10909)
Allow k8s-content workflow to write (#11020)
Build profile bash scripts differently (#11028)
Bump paambaati/codeclimate-action from 4.0.0 to 5.0.0 (#11119)
Dependabot Preparation (#11112)
Fail build if profiles or controls contain invalid rule selections (#11135)
Fix Ansible Tasks order (#11117)
Fix multiple STIG id table generation (#11016)
Fix OrderedDict definition (#11121)
Fix Rawhide Build (#10953)
Fix scap delta tailoring (#11145)
Fix stig overlay (#11114)
Generate profile oriented Ansible Playbooks in a different way (#11033)
Grant packages write permissions to k8s-content workflow (#11021)
Introduce controleval_metrics.py tool to generate metrics in Prometheus format (#11040)
Make CCN references more flexible (#10871)
Move master to use merge groups (#11131)
OVAL object model (#11041)
Reduce the number of times we build all of the products in CI (#10977)
Remove dnf5 from Rawhide job (#11122)
Remove override-true-all-profile-* tests (#11077)
Remove superseded script compare_disa_xml.py (#10875)
Remove unused code (#11039)
Remove unused logging (#11125)
Remove yamlpath (#10985)
Running locally unit tests of ssg module using python2 and 3 (#11146)
Sanitize lines for clean YAML output when generating profiles (#10870)
Unify file saving (#11126)
Update Packit Config (#11147)

Changes in the Test Suite

Add a test for pcre2 compatibility (#11022)
Add refchecker tests to RHEL 9 (#10969)
Add support of derivatives to Automatus (#11129)
Ensure Python dependencies in Gate tests (#11048)
Fix Automatus traceback (#11111)
Fix Gate Test on Fedora Rawhide (#11047)
Fix scenario applicability in Automatus combined mode (#11140)
Include test scenario scripts in timer_enabled template (#10947)
Optimize tests that run fix_rules.py (#10968)
Remove duplicate builds for GitHub Actions (#10991)
Remove override-true-all-profile-* tests (#11077)
Remove test "validate-parse-platform" (#10990)
Remove test validate-parse-affected (#10959)
Remove test-function-check_playbook_file_removed_and_added test (#10982)
Skip OVAL schematron validation in CI (#10960)
test_machine_only_rules: allow multiple blank characters (#10983)
Update expected result of e2e tests for sysctls already defined in /usr/lib/sysctl.d (#10930)
Use distributed product properties in Automatus (#10878)

Documentation

Add JSON schema for controls (#11157)
Add JSON schema for variables (#11156)
Add libvirt-dev to read the docs apt packages (#11142)
Documentation Clean Up (#11006)
Expand Docs for SRG Spreadsheets (#11076)
Expose Prometheus metrics on GitHub Pages (#11055)
Improve rendering controls to HTML (#10994)
Include metrics for rules and variables selected in Controls (#11128)
Remove "not available" message (#10998)
Sphinx apidocs (#10928)
Update Build System Docs (#10955)
Update contributors for 0.1.70 (#11150)
Update editor config (#11161)
update version to 0.1.70 (#10865)

v0.1.69

8 months ago

Important Highlights

Introduce a JSON build manifest (#10761)
Introduce a script to compare ComplianceAsCode versions (#10768)
Introduce CCN profiles for RHEL9 (#10860)
Map rules to components (#10609)
products/anolis23: supports Anolis OS 23 (#10548)
Render components to HTML (#10709)
Store rendered control files (#10656)
Test and use rules to components mapping (#10693)
Use distributed product properties (#10554)

New Rules and Profiles

Add modified audit suid privilege function rule for CIS (#10729)
Introduce CCN profiles for RHEL9 (#10860)
Introduce network access control rule (#10596)
New templated rule to remove iptables-services package (#10703)
RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
Include new kickstart files for CCN profiles (#10863)

Updated Rules and Profiles

A change into sudoers_validate_passwd (#10861)
Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
Add modified audit suid privilege function rule for CIS (#10729)
Add mount platforms (#10794)
Add platform package variables for firewalld and iptables (#10740)
Add warning to rsyslog_remote_tls_cacert (#10676)
add-rules sles-15-010418 sles-12-010498 (#10711)
Change rules related to /etc/shadow to check only local user configuration (#10838)
Deprecate account_emergency_expire_date (#10829)
ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
Fix grub2 remediation instructions (#10717)
Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
Fixes of cron package/service for SLE 12/15 (#10549)
Increase RHEL7 STIG Coverage (#10705)
Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
New applicability platform to check IPv6 state (#10830)
OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
pam_faillock rules: show XCCDF variables in rule description (#10824)
Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
Remove quotes from journald config parameters (#10790)
service_apport_disabled: depend on apport being installed (#10805)
Set package_iptables_installed as machine only (#10804)
Set package_nftables_installed as machine only (#10803)
Set package_rng-tools_installed as machine only (#10810)
Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
Update of anssi profile for SLE 12/15 (#10702)
Update OL8 cjis profile (#10771)
Update OL8 hipaa profile (#10822)
Update RHEL 7 STIG to v3r11 (#10821)
Update RHEL 8 STIG to V1R10 (#10826)
update rule SLES-12-030250 (#10644)
Update SLE 12/15 rule and change package name (#10580)
Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
use_pam_wheel_group_for_su: depend on pam being installed (#10807)
Updates of the rule use_pam_wheel_group_for_su (#10714)

Changes in Remediations

Add a Playbook name to Ansible Playbooks (#10713)
Add remediations for rule network_sniffer_disabled (#10659)
configure_openssl_cryptopolicy: align remediations with rule description (#10828)
Fix in service_autofs_disabled - ansible (#10521)
Fix issue when adding fstab entries with iso9660 (#10572)
fix: use grep -E instead of deprecated egrep (#10643)
fixes in file_groupownership template (#10666)
macros: bash: Avoid matching comments in fstab macros (#10754)
Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
SLE Add rsyslog_remote_loghost droping remediations (#10672)
SLE Coredump configuration support dropin remediation (#10604)
SLES15 use dropin configuration for issue banner (#10605)
Various fixes for Ubuntu (#10755)

Changes in Checks

enhance OVAL for enable_fips_mode (#10900)
Check only local users home directories (#10825)
Update sysctl template to check(and not fix) /usr/lib/sysctl.d directory (#10637)

Changes in the Infrastructure

.github/workflows/gate.yaml:Add anolis8 product. (#10814)
Add a sanity test of install_vm.py (#10684)
Add validation for Keys in Controls (#10813)
create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
Fix CMakelint (#10701)
Fix compare datastream check to correctly treat new line characters. (#10667)
Fix traceback in release helper (#10718)
Implement distributed product properties without applying them (#10648)
Stop using "imp" module (#10819)
utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)

Changes in the Test Suite

Add a test for rule journald_compress (#10818)
Add a test for rule journald_storage (#10817)
Add Automatus Testing (#10678)
Add SCAPVal to CTest (#10802)
Fix grep for Automatus sanity (#10752)
Fix install_vm.py on older versions of Python (#10651)
fix: ssg_test_suite: warning when rule not in benchmark (#10642)
Add requirements files for python dependencies (#10487)

Documentation

Add a section guiding through the process of rule divergence (#10763)
Add graphs to represent the life cycle of controls file (#1863
Integrate manpage with CMake better (#10624)
Move the most important links to a better place (#10745)
update list of contributors before stabilizing 0.1.69 (#10844)

v0.1.68

10 months ago

Important Highlights

Bump OL8 STIG version to V1R6 (#10497)
Introduce a Product class, make the project work with it (#10529)
Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
OL7 DISA STIG v2r11 update (#10498)
Publish rendered policy artifacts (#10585)
Update ANSSI BP-028 to version 2.0 (#10334)

New Rules and Profiles

Add rule package_mailx_installed (#10495)
Ensure access to the su command is restricted (#10386)
Ensure authentication required for single user mode for Ubuntu (#10415)
Introduce Fedora and Firefox CaC profiles for common workstation users (#10506)
Introduce file_permissions_audit_configuration rule (#10489)
Introduce rule to check if SELinux is not Disabled (#10575)
Introduce rules to configure loopback traffic with Firewalld (#10573)
New rules to complete CIS requirements for SSH Keys (#10552)
New SLE 15 rule set_nftables_base_chain (#10180)
Rebased hagenest set nftables loopback traffic (#10366)
Restart postfix service and add rule has_nonlocal_mta (#10359)
SLE15 add implementation of nftables_rules_permanent rule (#10201)
SLE15 add nftables ensure default deny policy (#10249)
Update 4.1.3.19 CIS requirement for RHEL8 and RHEL9 (#10491)

Updated Rules and Profiles

Add nftables rules to Ubuntu and make it the default firewall for CIS Level 1 Server (#10586)
Add package_avahi_removed to ubuntu profiles (#10406)
Add rules SLES-15-010375 and SLES-12-010375 (#10625)
Add rules SLES-15-010419 and SLES-12-010499 (#10621)
Add rules SLES-15-010420 and SLES-12-010500 (#10623)
Add sysctl sysctl_net_ipv6_conf_all_disable_ipv6 rule to CIS 3.1.1 (#10475)
audit_rules_privileged commands: skip /proc directory (#10471)
Bump OL8 STIG version to V1R6 (#10497)
Complete CIS requirement for system accounts (#10627)
Complete the CIS requirement to prevent rsyslog from receiving logs from remote clients (#10619)
delete rule SLES-15-040280 (#10383)
Drop of some rules from SLE 12/15 profiles (#10527)
Enable ensure_shadow_group_empty for RHEL7 (#10416)
Enable service_nftables_disabled for RHEL (#10390)
Enable service_nftables_enabled for RHEL7 and RHEL8 (#10398)
Enable set_iptables_default_rule and set_ip6tables_default_rule for RHEL7 (#10397)
Ensure access to the su command is restricted (#10386)
Ensure authentication required for single user mode for Ubuntu (#10415)
Fix in SLE 12/15 rule sshd_use_approved_macs (#10536)
Fix in sshd_use_approved_ciphers (#10535)
Fix in sudo_require_reauthentication (#10216)
Fix in the SLE 12/15 rule sshd_use_strong_kex (#10544)
Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
Include aide_check_audit_tools rule in CIS for RHEL9 (#10576)
Introduce rule to check if SELinux is not Disabled (#10575)
Introduce rules to configure loopback traffic with Firewalld (#10573)
Modify SLE remediation for ensure_logrotate_activated (#10481)
No remediation warning for fapolicy_default_deny (#10433)
OCP4: Fix instructions of rules that set kubelet related sysctls, use the sysctl probe (#10434)
OCPBUGS-8358: enable_fips_mode: Make it clear that RHCOS can't be FIPS-enabled post-install (#10363)
OL7 DISA STIG v2r11 update (#10498)
Refactor audit_rules_privileged_commands to include in CIS (#10326)
SLE 12/15 profile updates (#10577)
SLE improve kernel module disabled rule (#10368)
SLE PCIDSS Fix problem with sshd_strong_kex default selector (#10590)
sshd_limit_user_access: Improve rule description, add oval and tests (#10463)
Sync rules that contain a stig ID to those in stig profiles for ol products (#10632)
Ubuntu 22.04 CIS modify password remember rule (#10480)
Update accounts_umask_etc_profile rule to also consider /etc/profile.d directory (#10486)
Update accounts_password_pam_retry yaml (#10496)
Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
Update ANSSI BP-028 to version 2.0 (#10334)
Update CIS controls related to nftables table and chains (#10629)
Update CIS requirement for SSH access limit (#10470)
Update netrc requirement in CIS for RHEL8 (#10511)
Update OL9 STIG profile (#10407)
Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
Update pass aging rules to not ignore empty pass (#10633)
update rule sles-15-040250 (#10492)

Changes in Remediations

Add Ubuntu SCE checks for iptables rules (#10587)
Ansible remediation for configure_bashrc_exec_tmux (#10584)
audit_rules_privileged commands: skip /proc directory (#10471)
Changes in bash remediation for accounts_password_set_max_life_existi… (#10268)
Ensure authentication required for single user mode for Ubuntu (#10415)
Fix Ansible remediation in rsyslog_logfiles_attributes_modify template (#10551)
Fix changes in Ansible tasks not expected to fail (#10427)
Fix into ansible part of the rule audit_rules_suid_privilege_function (#10510)
Fix up RHEL kickstarts (#10499)
fix: aide_string: drop nl at end (#10578)
fix: ensure_fedora_gpgkey_installed/bash: use bash_package_install (#10571)
fix: ensure_logrotate_activated/bash: quote #! with '', avoid history expansion (#10560)
Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
modify regexp in bash remediation of chronyd_specify_remote_server (#10591)
Modify SLE remediation for ensure_logrotate_activated (#10481)
Refactor audit_rules_privileged_commands to include in CIS (#10326)
Replace grep command with ansible find (#10579)
SLE add ability to configure emergency via dropin (#10482)
SLE improve kernel module disabled rule (#10368)
SLE platforms use drop in file for sysctl variables for SLE platforms (#10367)
Stabilization: Add a Playbook name to Ansible Playbooks (#10712)
templates/mount_option: Switch mount Ansible remediation module's state back to 'mounted' (#10432)
Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)

Changes in Checks

audit_rules_privileged commands: skip /proc directory (#10471)
bugfix: mount_option: handle commented lines (#10518)
Ensure authentication required for single user mode for Ubuntu (#10415)
Fix in sudo_require_reauthentication (#10216)
Fixes in SLE 12/15 rule accounts_passwords_pam_tally2_deny_root (#10567)
Refactor audit_rules_privileged_commands to include in CIS (#10326)
SLE improve kernel module disabled rule (#10368)
Update accounts_user_dot_no_world_writable_programs OVAL (#10392)
Update OVAL, ansible an tests in audit_rules_suid_privilege_function rule (#10597)
Update pass aging rules to not ignore empty pass (#10633)
Use specific name in private key groups instead of gid (#10622)

Changes in the Infrastructure

Add a product stability test (#10606)
Add CMakelint (#10468)
Add controls the EOF checker (#10477)
Automate and Fix Missing Newline at the of Files (#10361)
Expand the list of rules skiped by Ansible Lint (#10485)
Fix data stream component parsing (#10411)
Implement a tool for parsing profiles and outputing rules (#10455)
Introduce a Product class, make the project work with it (#10529)
Publish rendered policy artifacts (#10585)
Refactor the scapval test (#10611)
Remove the expat dependency package that provides xmlwf which is not being used anymore. (#10467)
Remove unused imports (#10384)
Remove unused variables (#10382)
Shell quote support for Jinja macros (#10524)
Stabilization: Fix install_vm.py on older versions of Python (#10652)
Stop using deprecated set-output in GitHub Actions (#10588)
Update CI Repo for CTF (#10385)
Update GitHub Action Versions (#10543)

Changes in the Test Suite

Add a product stability test (#10606)
Add a warning to AutoMatus (#10394)
bugfix: configure_etc_hosts_deny/tests/file_missing.fail.sh: typo (#10561)
bugfix: packages: delim is comma (#10559)
bugfix: ssg_test_suite: RuleResult eq (#10365)
Fix template not found error in Automatus (#10631)
Fix tests applicablity for ol8 product (#10570)
Fix tests in sshd_lineinfile template (#10595)
Fix typo in tests for sshd_limit_user_acess (#10478)
install_vm refactor (#10607)
install-vm fixes / features (#10562)
Remove machine pruning from gating (#10453)
Revert change in test scenario script for enable_authselect rule (#10430)
Unused test code (#10558)
Use bash_package_* (#10557)
Use mkdir -p when creating directories (#10556)

Documentation

Add Kickstarts to the changelog (#10512)
add python3 to the list of build dependencies for RHEL-8+ (#10503)
Bump version for 0.1.68 (#10372)
Fix read the docs build (#10537)
fix: Fix misspelled word infrastruture (#10531)
Jinja macro doc fixes (#10599)
Reduce Doc Warnings (#10528)
Styleguide Update (#10466)
Update Add Product Guide (#10533)
Update release documentation about release_helper.py script (#10502)

v0.1.67

1 year ago

Important Highlights

Add utils/controlrefcheck.py (#10096)
RHEL 9 STIG Update Q1 2023 (#10185)
Include warning for NetworkManager keyfiles in RHEL9 (#10330)
OL7 stig v2r10 update (https://github.com/ComplianceAsCode/content/pull/10125)
Bump version of OL8 STIG to V1R5 (#10123)

New Rules and Profiles

Add new rule package_systemd-journal-remote_installed (#10105)
New SLE 15 rule service_nftables_enabled (#10113)
Add CIS iptables rules (#10121)
New SLE 15 rule set_nftables_new_connections (#10114)
Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
Add a new rule ssh_keys_passphrase_protected (#10017)
Introduce new rule authconfig_config_files_symlinks (#10129)
Added rule partition_for_dev_shm (#9984)
New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
New SLE 15 rule set_nftables_table (#10128)
Add implementation for rsyslog_logging_configured rule (#10063)
New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
Added a new rule accounts_password_set_warn_age_existing (#10006)
Add new rule socket_systemd-journal-remote_disabled (#10210)
Introduce rule to remove nginx package (#10291)
Introduce rule to remove cyrus-imapd package (#10292)
Add package_dnsmasq_removed rule (#10293)
Add package_ftp_removed rule (#10294)
Add new rule rsyslog_filecreatemode (#10264)
New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)

Updated Rules and Profiles

accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
Ol8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
Add CIS iptables rules (#10121)
OL7 stig v2r10 update (#10125)
Bump version of OL8 STIG to V1R5 (#10123)
assign ntp_configure_restrictions to SLE12 (#10122)
Update tmux rules and add them to OL8 STIG profiles (#10124)
Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
Add missing SRG to aide_build_database rule (for master branch) (#10150)
remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
Update levels of some rules in RHEL8 CIS (#10157)
Change custom zones check in firewalld_sshd_port_enabled (#10162)
improve applicability of rule package_rear_installed (master branch) (#10156)
Accept required and requisite control flag for pam_pwhistory (#10175)
OCP4 Modify etcd encryption check rules for hypershift (#10179)
Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
Fix prefer_64bit_os for SLE platforms (#10178)
remove rule logind_session_timeout and associated variable from profiles (#10202)
Shorten rule title (#10196)
products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
Create OVAL macro to consistently identify Interactive Users (#10215)
Include avahi related rules in RHEL CIS control files (#10233)
Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
Update CIS RHEL requirements for log files permissions (#10241)
Include rule for checking password last change in RHEL (#10243)
Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
Update password hashing algorithm CIS requirement (#10271)
Complete CIS requirements related to dot-files (#10279)
Fix package names for some SUSE packages (#10283)
Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
Corrections in the rule package_openldap-clients_removed (#10273)
Enable sshd_enable_warning_banner_net for RHEL (#10287)
Add package_nginx_removed to Ubuntu CIS profiles (#10301)
Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
accounts_passwords_pam_tally2: depend on pam being installed (#10305)
package_pam_pwquality_installed: depend on pam being installed (#10306)
apparmor: apply only to platform machine (#10303)
sudo_require_reauthentication: depend on sudo being installed (#10318)
vlock_installed: apply only to platform machine (#10307)
Remove VMM SRG References (#10336)
Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
Add some nftables rules to Ubuntu CIS profile (#10300)
make accounts_password_last_change_is_in_past not applicable to containers (#10339)
Align rhel7 dracut-fips-aesni remediations (#10352)
Add package_cups_removed to Ubuntu CIS Level 2 Worstation profiles (#10360)
NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)

Changes in Remediations

Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
Update sebool_secure_mode_insmod OL remediations (#9979)
Enable rsyslog_filecreatemode rule for RHEL (#10328)
kernel_module_disable template - regexp matches multiple lines (#10351)
fix loops within ansible template for rsyslog_files (#10349)

Changes in Checks

Update tmux rules and add them to OL8 STIG profiles (#10124)
Remove check of /var/log/dmesg from OVAL (#10145)
Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
Fix prefer_64bit_os for SLE platforms (#10178)
postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
Create OVAL macro to consistently identify Interactive Users (#10215)
Add offline capability to the 'mount_option' OVAL template (#10200)

Changes in the Infrastructure

Introduce script shorthand to OVAL (#10085)
Remove utils/count_oval_objects.py (#10133)
Update Rawhide Before Use (#10141)
Move to Code Climate for PEP 8 Checking (#10158)
Enable SCE integrity checks for RHEL8 (#10165)
Refactor ssg.build_ovals module (#10048)
Update srg diff (#10199)
Require OVAL ID to match rule ID (#10346)
Various python fixes (#10345)
Move platform_mount to use cpe-oval vs oval (#10441)

Changes in the Test Suite

Add utils/controlrefcheck.py (#10096)
Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
Update test scenarios for accounts_password_last_change_is_in_past (#10213)
add cap_system_chroot capability to Automatus podman container (#10246)
Fix Automatus on Python 3.6 (#10281)
Disable logrotate timer in ensure_logrotate_activated tests (#10375)

Documentation

Update Ansible section in project Style Guide (#10211)
Fix broken link to statistics page (#10217)
Introduce style guidelines for commit messages (#10220)
Remove VMM SRG References (#10336)
Add URL for ISM (#10337)
Convert User Docs (#10214)
Update Contributors for v0.1.67 (#10350)

v0.1.66

1 year ago

Important Highlights

Ubuntu 22.04 CIS (#9953)
OL7 stig v2r9 update (#9976)
Bump OL8 STIG version to V1R4 (#9974)
Update RHEL7 STIG to V3R10 (#10079)
Update RHEL8 STIG to V1R9 (#10078)
Introduce CIS RHEL9 profiles (#10091)

New Rules and Profiles

Add nonessential services rule (#9912)
Added a new rule package_firewalld_removed (#9937)
Added a new SLE 12/15 rule package_rsync_removed (#9932)
Added a new rule package_cups_removed (#9930)
Added a new rule firewalld_service_disabled (#9941)
Added a new SLE 15 rule package_nftables_installed (#9934)
Add rule for no .forward files (#9990)
Add new rule grub2_enable_apparmor (#9978)
Added a new rule package_tcp_wrappers_removed (#9981)
Added a new SLE 12/15's rule package_rcpbind_removed (#9931)
Add package prelink removed (#10062)
add new rule audit_rules_immutable_login_uids (#10070)
Added 2 rules for 15 related to nftables (#10068)
New SLE 15 rule ensure_iptables_are_flushed (#10107)
add new rule configure_bashrc_tmux (#10100)

Updated Rules and Profiles

Include warning regarding quota options in XFS (#9879)
Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
Sync rules for RHEL 9 STIG (#9788)
Changing a few harcoded OS names for full_name (#9936)
Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
Update sudo_require_reauthentication (#9923)
Update kmod audit rule for OL7 (#9949)
Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
Add rule to OL7 stig profile (#10028)
Small corrections related to 3 rules (#9995)
Add new rule grub2_enable_apparmor (#9978)
Include Ubuntu products in package_rsync_removed (#10051)
Include Ubuntu products in package_nftables_installed (#10052)
Fix the service_telnet_disabled rule (#10033)
Update package name for RHEL in package_rsync_removed (#10053)
Include Ubuntu products in package_cups_removed (#10050)
Include Ubuntu products in package_rpcbind_removed (#10055)
Update link to NTP docs (#10056)
Include Ubuntu products in package_prelink_removed (#10071)
Add account_emergency_expire_date to OL7 stig (#10073)
Add aide_build_database to STIG in OL and RHEL (#10094)
Include Ubuntu products in two nftables rules (#10101)
Move two rules to higher level in cis_rhel8 control file (#10109)
add new rule configure_bashrc_tmux (#10100)
add missing SRG to aide_build_database rule (#10136)
change applicability of rules configuring idle session timeouts (#10127)
Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
improve applicability of rule package_rear_installed (#10144)
stabilization: Update levels of some rules in RHEL8 CIS (#10155)

Changes in Remediations

Fix indentation in Ansible shell module parameter (#9851)
Recognize 64bit architectures in Ansible remediations (#9887)
Make Ansible remediation less prone to fatal errors (#9914)
Add bash and ansible remediation for set_loopback_traffic (#9939)
Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
Update sudo_require_reauthentication (#9923)
Improve the arguments for Ansible command module (#9921)
Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
Fix Jinja condition in macro for pam_faillock (#10009)
Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
Update accounts_password template for OL due to precedence confs (#9935)
accounts_password_set_min_life_existing: Avoid system accounts (#9955)
Improve service_disabled template (#10026)
accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
Rewrite remediations for rsyslog_remote_tls (#9866)
Fix accounts_password template for OL (#10045)
Using the Ansible shell actions is needed in package_prelink_remove (#10086)

Changes in Checks

Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
Update sudo_require_reauthentication (#9923)
accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
Update accounts_password template for OL due to precedence confs (#9935)
accounts_password_set_min_life_existing: Avoid system accounts (#9955)
accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)

Changes in the Infrastructure

Refactor build_cpe.py (#9834)
Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
Refactor templates v2 (#9870)
Add automatic detection of platform_package_overrides when using automatus (#9897)
Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
Introduce templated platforms (CPEs) (#9906)
Sort conditional remediation platform checks (#9902)
Add sanity tests for controleval.py (#9918)
Add Refchecker to Tests (#9862)
Wait for buffer flushes to finish writes (#9933)
Fix the file param in rule_dir_json (#9928)
Fix typing import in create_srg_export.py (#9929)
Build all profiles on all CentOS and CentOS Streams (#9946)
CTest Fixes (#9962)
CPE AL: Introduce version specifiers support (#9945)
Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
Raise exception when parametrized platform receives invalid argument (#9996)
Fix --datastream-only in ./build_product (#10020)
Add sanity tests for compare_disa_xml.py (#10030)
Add Ubuntu 22.04 to Gating (#9986)
Fix a few isssues in test-compare-disa-xml (#10034)
Update Ansible Lint Config (#10025)
platforms: rewrite mechanism which parses version into EVR (#10038)
Produce an understanable error when remediation collections goes wrong (#10027)
Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
Bump fedora version in Dockerfiles to 37 (#10036)
Fix the generation of SCE checks in the output datastream (#10015)
Scripts clean up (#10061)
Clean up SRG export (#10067)

Changes in the Test Suite

Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
Add automatic detection of platform_package_overrides when using automatus (#9897)
Add Refchecker to Tests (#9862)
Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
Improve service_disabled template (#10026)

Documentation

Add Timezone to the Contributors Script (#9844)
Add documentation about readthedocs.org integration (#9875)
Update Upstream Release doc (#9952)
Update contributors list for v0.1.66 release (#10108)

v0.1.65

1 year ago

Important Highlights

Introduce cui profile for OL9 (#9638)
Remove Support for OVAL 5.10 (#9604)
Rename account_passwords_pam_faillock_audit (#9462)
CI ansible hardening and rename of existing Bash hardening (#9796)
Update contributors list for v0.1.65 release (#9843)

New Rules and Profiles

Add profile for SUSE SAP Public Cloud Images (#9571)
Introduce cui profile for OL9 (#9638)
Created SLES 12 PCI DSS 4.0 profile and added rules to it (#9729)
Add new rules related to system banners - /etc/issue.net (#9733)
add new rule logind_session_timeout (#9475)
Pci dss shadow rule (#9756)

Updated Rules and Profiles

Update chronyd_no_chronyc_network to align with RHEL9 STIG (#9505)
Update rules for RHEL 9 STIG (#9512)
Update chronyd_client_only to align with RHEL9 STIG (#9500)
Update rules for RHEL 9 STIG (#9527)
RHEL9 stig_gui: don't remove GUI (#9581)
Remove RPM verify rules from RHEL 9 STIG (#9591)
Rule updates wrt RHEL9 STIG (#9509)
Clarify instructions for implementing SCCs (#9569)
Added SLES_15/12 CCE codes related to rules in the group restict_at_c… (#9643)
Add pci-dss rules (#9627)
Two small corrections (#9644)
Added 6 SLES 15/12 CCE codes to the rules sshd_... (#9669)
Add PCI-DSS rules (#9645)
CIS RHEL8 gnome related requirements (#9670)
Add dconf_gnome_disable_user_list to the RHEL 9 STIG (#9677)
RHEL 9 STIG Fix Up (#9676)
Added CCE number for SLES_15 in the rule sshd_use_approved_ciphers (#9680)
Added 4 SLES 15/12 codes to the rules group_unique_id/name (#9682)
Add support for PCI DSS v3.2.1 for SLE12 (#9613)
service_ntp_enabled: Fix description as service name is ntp (#9707)
Fix issue introduced in commit 1ba11cb (#9692)
remove ospp-mls.profile (#9710)
Add pcidss Req-ids (#9705)
Ubuntu 20.04: fix grub2 password related rules (#9708)
Fix rsyslog_remote_tls Remediations (#9711)
Added 2 SLES 15/12 CCE codes to the rule disable_prelink (#9706)
Assign RHEL-07-010271 to account_emergency_expire_date. (#9717)
Ubuntu 20.04 CIS Level1 profile: add package_pam_pwquality_installed (#9721)
Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
install_smartcard_packages: Add Ubuntu specific remediation (#9720)
Ubuntu 20.04: Make sure xatrr audit rules contains a check for root user (#9722)
Added rules to PCI DSS 4.0 SLES 15 profile (#9716)
Add pci-dss rules to SLE15 (#9728)
Refactor firewalld_sshd_port_enabled rule (#9712)
Added 4 rules to SLES 12/15 PCI DSS 4.0 profiles (#9735)
Update SLE 15 SAP hardening profile (#9742)
Update RHEL8 STIG to V1R8 (#9780)
Update RHEL7 STIG to V3R9 (#9781)
Align ClientAliveCountMax and ClientAliveInterval on RHEL8 STIG V1R8 (#9784)
Removed wrong rule from hipaa.profile (#9840)
Stabilization: Include warning regarding quota options in XFS (#9877)
Stabilization: Update the sshd_set_keepalive regarding ClientAliveCountMax (#9868)

Removed Products

Remove the VSEL Product (#9547)
Remove the fuse6 product (#9544)
Remove the Debian 9 Product (#9546)
Remove the JRE product (#9545)

Changes in Remediations

Move kernel_module_disabled use more genric RHEL in conditionals (#9450)
Improve ansible remediation of accounts_umask_etc_login_defs (#9490)
Add bash and ansible remediation for rsyslog_remote_tls (#9484)
Fix rsyslog_remote_tls Remediations (#9711)
Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
install_smartcard_packages: Add Ubuntu specific remediation (#9720)
Fix config file and interpreter check control flow (#9695)
Refactor firewalld_sshd_port_enabled rule (#9712)
Dconf macros update to align them with OVAL expectation (#9751)
rsyslog_files_permissions: Consider the last field in the config line the log file path (#9750)
Fix nmcli bug (#9773)
Align service_disabled template to service_enabled (#9806)
Remove deprecated warn parameter from Ansible command module (#9807)
CI ansible hardening and rename of existing Bash hardening (#9796)
Stabilization: Make Ansible remediation less prone to fatal errors (#9911)

Changes in Checks

Move kernel_module_disabled use more genric RHEL in conditionals (#9450)
Update accounts_password template's OVAL (#9459)
OCP4: Fix OCIL of machine_volume_encrypted (#9597)
Clarify instructions for implementing SCCs (#9569)
Remove jinja condition to make rule applicability to all products in Kerberos rules (#9412)
Ubuntu 20.04: fix grub2 password related rules (#9708)
Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
Refactor firewalld_sshd_port_enabled rule (#9712)
Dconf macros update to align them with OVAL expectation (#9751)

Changes in the Infrastructure

Remove superflous check of rule ID consistency (#9539)
Add tests to auditd_lineinfile template (#9519)
Generate XCCDF 1.2 directly (#9464)
Add support for regulated fields (#9553)
SRG Import/Export Uses Policy Specific Content (#9570)
Add Git Mail Map (#9573)
Remove ident_size for .py files from editorconfig (#9603)
Make CodeClimate to use .editorconfig (#9630)
Remove function drop_oval_definitions (#9629)
Add mypy to CI (#9430)
Remove shorthand.xml from the build process (#9548)
Remove XCCDF 1.1 from enable_derivatives.py (#9654)
Remove XCCDF 1.1 from profile tool (#9655)
Remove unused import (#9656)
Remove XCCDF 1.1 from ssg/xccdf.py (#9657)
Remove Support for OVAL 5.10 (#9604)
Import SRG content for RHEL9 (#9574)
Don't use editorconfig to check for indentation (#9653)
Remove get_fixgroup_for_type (#9661)
Remove superfluous XML namespaces from HTML tables (#9662)
Update sysctl template's OVAL and tests to align with STIG (#9458)
Remove unused XSLT xccdf2table-profileanssirefs.xslt (#9659)
CMake Improvements (#9646)
Remove Travis CI (#9683)
Remove comparison utilities (#9688)
Create unit tests for ssg.id_translate (#9624)
Add unit tests of XCCDF 1.2 elements (#9617)
Add unit tests for warnings and sub elements (#9637)
Refactor and speed up combine_ovals.py (#9689)
Fix unit tests to work with CentOS 7 (#9727)
make CPE items compiled during the build process (#9700)
SRG Diff: Add section for rows without a CCE (#9763)
Make the utils/srg_diff.py more generic (#9767)
parametrize methods for getting remediation conditionals of XCCDF platforms (#9777)
build_remediations.py: deduplicate code which retrieves conditionals (#9779)
Add sorted results to srg_diff (#9778)
Add Smoke Tests for Some Scripts (#9787)
Platforms can accept parameters and pass them to underlying CPE items (#9799)
Do not remove blank lines when building profile playbook (#9809)
SRG Export XLSX in CMake (#9811)
Add config for Ansible lint (#9838)

Changes in the Test Suite

[Master] add accounts_password_set_max_life_existing to unselect_rules_list (#9554)
Fix issue introduced in commit 1ba11cb (#9692)
Add tests to rule dconf_gnome_screensaver_idle_activation_enabled (#9701)
Refactor firewalld_sshd_port_enabled rule (#9712)
Complete tests to validate Ol9 pci dss profile (#9739)
Add tests to accounts_password template (#9743)
Do not instantiate Builder() when running Automatus (#9755)
Fix Automatus --duplicate-templates (#9766)
accounts_password_pam_retry: Add test for dupes and conflicts (#9805)
accounts_passwords: Add tests for value conflicts and duplicates (#9804)
sshd_lineinfile: Add tests for duplicated params (#9802)
CI ansible hardening and rename of existing Bash hardening (#9796)
Stabilization: Ensure pwquality.conf.d dir exists on test scenarios (#9864)

Documentation

Doc fix up (#9596)
Add PR gating guideline (#9611)
Move to MyST as recommonmark and CommonMark are not supported (#9560)
Fix docs refs (#9704)
Include SLE products into the CCE tooling for auto assignment (#9714)
Docs/developer: Mention that rules will inherit its group(s) platforms (#9635)
Reformulate the release process documentation (#9736)
Update gitignore (#9810)
Document rule deprecation instructions and agreements (#9797)
Update contributors list for v0.1.65 release (#9843)
Add Sanity Test for generate_contributors.py (#9845)

v0.1.64

1 year ago

Important Highlights

This is the last release to feature content with OVAL-5.10 (https://github.com/ComplianceAsCode/content/discussions/9451)
Introduce ol9 stig profile (#9207)
Introduce Ol9 anssi profiles (#9243)
Update RHEL8 STIG to V1R7 (#9276)
Introduce e8 profile for OL9 (#9284)
Update RHEL7 STIG to V3R8 (#9317)

New Rules and Profiles

Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
add rule package_postfix_installed (#9191)
add audit policy rules specific for ppc64le platform (#9124)
Introduce ol9 stig profile (#9207)
Introduce Ol9 anssi profiles (#9243)
Introduce rule accounts_passwords_pam_faillock_audit (#9264)
Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
Introduced rules to disable accounts because of inactivity (#9244)
Introduce e8 profile for OL9 (#9284)
New sysctl ipv4 forwarding rule (#9277)
Introduce hipaa profile for ol9 (#9478)

Updated Rules and Profiles

Remove 3 crypto rules from RHEL 9 OSPP (#9181)
Remove 3 package rules from RHEL 9 OSPP (#9182)
Introduce new sebool description and ocil macros (#9184)
Add to SLE ANSSI profile various sysctl rules (#9185)
Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
Add more ANSSI Intermediary Rules (#9203)
Add more sysctl rules to intermediary profile (#9202)
The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
Remove 4 PAM related rules from RHEL9 OSPP (#9217)
switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
add audit policy rules specific for ppc64le platform (#9124)
remove umask-related rules from RHEL9 OSPP (#9223)
Make audit AArch64 specific rules RHEL9 only (#9188)
Remove rules for package removal from RHEL 9 OSPP (#9233)
remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
Don't pass sssd rules when sssd.conf is absent (#9225)
Update accounts_password_pam_retry behavior (#8880)
System commands dir root or system account (#9258)
SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
Update RHEL8 STIG to V1R7 (#9276)
Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
Update few sysctl rules to accept multiple compliant values (#9286)
Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
Make OSPP profiles use minimal Authselect profile (#9298)
add warning to audit_rules_for_ospp (#9303)
add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
Update RHEL7 STIG to V3R8 (#9317)
change rules protecting boot in RHEL8 OSPP (#9306)
Add the AUID filters on RHEL7 audit kernel module rules (#9290)
add 4 rules back to RHEL9 datastream (#9334)
Implement DISA check for auditing kmod on RHEL7 (#9338)
Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
Include warning about the pam_securetty.so PAM module (#9348)
Add AUID filters on audit_rules_kernel_module_loading (#9371)
Mask sensitive objects (#9364)
Update RHEL9 STIG (#9378)
add/remove fedora from privileged commands depending if exists or not (#9367)
change way of disabling coredumps in RHEL9 OSPP (#9384)
Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
Bump version of OL8 to V1R3 and update STIG ids (#9457)
Add missing SRG references for RHEL 9 STIG (#9428)
Remove support for upstart init system (#9452)
Updates RHEL 9 STIG: Part 3 (#9489)
Add ol8 platform to existing required tests (#9485)
Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
Update account_password_selinux_faillock_dir rule (#9501)
Remove audit_rules_execution_restorecon from SRG control files. (#9503)
Add tests to file_ownership_binary_dirs (#9515)
Update ocil and ocil_clause in display_login_attempts (#9522)
Update some account rules according to RHEL9 STIG (#9499)
Include checktest for banner_etc_issue rule (#9521)
Update pam_faillock rules for RHEL9 STIG (#9520)
Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
Update clean_components_post_updating to align with RHEL9 STIG (#9510)
Update accounts_umask_etc_profile (#9496)
Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
Update audit rules RHEL9 STIG metadata (#9513)
Add tests to no_user_host_based_files (#9529)
Add tests to dir_perms_world_writable_system_owned (#9517)
Add tests to no_host_based_files (#9532)
Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
Add tests to clean_components_post_updating (#9530)
Update macros from audit privileged commands (#9502)
Update some PAM rules for RHEL9 STIG (#9514)
Add variable for auditd freq (#9504)
Align rule audit_rules_immutable with results of RHEL9 STIG assesment (#9506)
[stabilization] RHEL9 stig_gui: don't remove GUI (#9582)

Changes in Remediations

Allow two modes of SSH key ownership (#9094)
Add oval and remediation for auditd_audispd_disk_full_action (#9195)
include = sign in remediation of configure_openssl_crypto_policy (#9194)
Condition run of newaliases to its availability (#9241)
Update accounts_password_pam_retry behavior (#8880)
Add DISA STIG ids to when conditions in ansible roles (#9029)
Improve bash_ensure_pam_module_line macro (#9252)
Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
Fix rule sudo_custom_logfile (#9299)
Fix ansible partition conditionals (#9339)
Fix account_password_selinux_faillock_dir rule (#9381)
Add Kubernetes remediation for rule configure_crypto_policy (#9266)
Fix 2 ctest shellcheck issues (#9398)
Fix kernel_module_disabled remediation template (#9346)
Conditional for Ansible remediation on RHEL7 (#9440)
change parameter of findmnt used in bash partition conditional (#9480)
Fix remediation of rules dealing with Audit watches (#9463)

Changes in Checks

Update accounts_password_pam_retry behavior (#8880)
Improve regex to match retry parameter in pwquality.conf (#9245)
Fix rule sudo_custom_logfile (#9299)
Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
Mask sensitive objects (#9364)
Fix account_password_selinux_faillock_dir rule (#9381)
Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
[stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)

Changes in the Infrastructure

Fix various bugs in utils (#9172)
Remove CentOS 6 and SL 6 references from the project (#9211)
Fix pre tag in ocil_mount_option (#9209)
Remove unused build option (#9213)
Update gitpod HTML preview extension. (#9261)
Install ansible for the extra modules (#9273)
Use DS to build Ansible Playbooks and Bash scripts (#9291)
Stop validating ssg-product-xccdf.xml (#9292)
Use data stream to verify profile titles and descriptions (#9294)
Use data stream to verify references (#9293)
Generate CCE tables from data stream (#9300)
Fix CMake dependencies (#9328)
Use XCCDF 1.2 to create STIG overlay (#9301)
Specify output file names (#9361)
Test missing references in a data stream (#9295)
Add trim_trailing_whitespace to editorconfig (#9391)
Sort check-export elements (#9397)
Use data stream to generate statistics (#9296)
Generate per profile testinfo tables from XCCDF 1.2 (#9325)
Fix missing OCIL text and 800-53 references (#9415)
Use XCCDF 1.2 to generate STIG HTML tables (#9406)
Add a script to import SRG export changes (#9416)
Make groups inherit platforms from parent groups (#9465)
Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
correct inheritance of platforms by rules from groups (#9491)
Improve HTML for Table Templates (#9481)
SRG Export: Improve vuldiscussion sourcing (#9493)
Remove empty load operation (#9492)
Add tests to rule no_tmux_in_shells (#9518)
Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
Avoid sed hack (#9363)

Changes in the Test Suite

Automatus: close hanging tempfiles descriptors (#9199)
Improve regex to match retry parameter in pwquality.conf (#9245)
Support commas in variables (#9280)
Refactor templated test scenarios (#9254)
Fix account_password_selinux_faillock_dir rule (#9381)
Replace platform conditionals in whole remediation code (#9347)
install_vm.py: add new option for disk size specification (#9479)
correct inheritance of platforms by rules from groups (#9491)
Add tests to audit privileged commands template (#9487)

Documentation

Enable Security Content workshop into Gitpod environment (#9438)
Add ordering to the platform key (#9488)

v0.1.63

1 year ago

Important Highlights

Expand project guidelines (#8314)
Add Draft OCP4 STIG profile (#8799)
Add anssi_bp28_intermediary profile (#9045)
add products/uos20 to support UnionTech OS Server 20 (#8779)
products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
Remove WRLinux Products (#9106)
Update CIS RHEL8 Benchmark for v2.0.0 (#9154)

New Rules and Profiles

Fill gaps in the RHEL8/RHEL9 STIG (#9016)
Add anssi_bp28_intermediary profile (#9045)
Introduce OL9 ospp profile (#9057)
products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles (#9103)
add Audit OSPP rules for AArch64 (#9091)
Add grub2_systemd_debug-shell_argument_absent (#9100)
CIS RHEL8 v2.0.0 small fixes (#9165)

Updated Rules and Profiles

Make krb5 rules applicable only to older versions of certain package (#9003)
RHEL8 STIG: Install redhat gpg key (#8993)
Add anssi gshadow rules (#9022)
Fill gaps in the RHEL8/RHEL9 STIG (#9016)
remove support for external Audit files and cleanup test scenarios (#9073)
Remove sysctl_fs_protected_* rules from RHEL 9 OSPP (#9081)
Remove rule zip_vsyscall_argument (#9083)
Enforce rule sysctl_user_max_user_namespaces in RHEL 9 OSPP (#9084)
Make rule audit_access_success in OSPP profile unenforcing (#9082)
Cleanup RHEL9 OSPP networking sysctl rules (#9092)
Add two rules and some more CCEIDs (#9107)
add Audit OSPP rules for AArch64 (#9091)
remove rule accounts_password_minlen_login_defs from RHEL and Fedora profiles (#9113)
remove Rsyslog related rules from RHEL9 OSPP (#9116)
Anssi Rules Added (#9105)
remove sshd_enable_strictmodes from RHEL9 OSPP (#9143)
Update SLE15 DISA STIG from v1r6 (#9146)
Remove yp-related rules from RHEL9 (#9148)
Add Enable Auth Select to RHEL8/9 STIG (#9151)
BUG: 2105878 OCP: Fix rule ocp4-kubelet-enable-streaming-connections (#9135)
Relax chrony check and remediations (#9156)
make RHEL-08-020231 automated again (#9125)
Unify the RHEL approach for rule file_permissions_var_log_audit (#9129)
Review and improve sssd_enable_smartcards rule (#9145)
Amend OSPP references for some package_*_installed rules. (#9164)
Add automation content to kernel_module_uvcvideo_disabled (#9162)
Add missing rules to OL8 STIG profile (#9171)
Remove rule dnf-automatic_security_updates_only from RHEL 9 OSPP (#9179)
[Stabilization] remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9219)
Make Audit aarch64 rules specific to RHEL9 only (#9187)
[stabilization] Remove umask-related rules from RHEL9 OSPP (#9224)
Remove 3 package rules from RHEL 9 OSPP (#9228)
Remove 3 crypto rules from RHEL 9 OSPP (#9227)
[Stabilization] remove 4 PAM rules from RHEL9 OSPP (#9220)
add new rule package_postfix_installed (stabilization) (#9214)
[Stabilization] remove securetty_root_login_console_only from RHEL9 OSPP (#9235)
[stabilization] Remove rules for package removal from RHEL 9 OSPP (#9236)
[Stabilization] remove redundant rules configuring partitioning from RHEL9 OSPP (#9238)
Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9239)

Removed Products

Remove WRLinux Products (#9106)

Changes in Remediations

Add whitespace in macro function so CTF can properly parse tokens (#9030)
EKS: Fix typo (#9037)
Fix regular expression in Ansible remediation (#9063)
Add ansible remediation for postfix_prevent_unrestricted_relay (#9072)
Ansible remediation for enable_authselect (#9085)
Refactor bash macros for PAM (#9017)
Adjust bash to correspond to rule.yml for correct value of TimedLoginEnable (#9098)
Fix ubuntu logic in display_login_attempts (#9110)
Refactor Ansible macros for PAM (#9097)
Add Ansible remediation (#9114)
Create Ansible macro for authselect backup command (#9128)
Align PAM Bash macros to equivalent in Ansible (#9127)
SLE15 SP4 audit_rules_augenrules broken. (#9130)
fix bash remediation of configure_libreswan_crypto_policy (#9134)
add Ansible conditionals to CPE platforms determining architecture (#9126)
Set pipefail in Ansible shell commands with pipe (#9123)
Update faillock related macros (#9139)
Command 'chown', change from '.' to ':' separator (#9159)
Review and improve sssd_enable_smartcards rule (#9145)
SUSE dconf_gnome_screensaver_lock_enabled fix bash and ansible remediation (#9138)
add new rule package_postfix_installed (stabilization) (#9214)
[Stabilization] Add DISA STIG ids to when conditions in ansible roles (#9240)

Changes in Checks

Add missing ocil_clause for audit rules (#9109)
SLE15 SP4 audit_rules_augenrules broken. (#9130)
Reduce the list of FIPS crypto policies (#9149)
Review and improve sssd_enable_smartcards rule (#9145)
Store intermediate OVAL check files (#9157)

Changes in the Infrastructure

Parametrize the file name of the container used by gitpod integration (#9043)
Add python vscode extension to the gitpod environment (#9074)
Add a markdown output target to create_srg_export (#9064)
Update docker files (#9153)
Remove the vendor-zipfile and redhat-zipfile targets (#9152)
Add per profile filter of missing_cce test (#9155)
Store intermediate OVAL check files (#9157)
[Stabilization] Install ansible for the extra modules (#9274)

Changes in the Test Suite

test_env.py: add more attempts when executing ssh command (#9015)
Rework tarball generation (#8883)
Add OL9 Dockerfile (#9099)
Update CIS L2 test for configure_crypto_policy (#9163)
Automatus: close hanging tempfiles descriptors (#9200)

Documentation

A EditorConfig file (#9020)
Add removed products to the changelog (#9108)
Guidelines: Add the entry about one-off scripts (#9089)
Fix typos in man page and profile descriptions (#9160)
Fix man-page header for lexgrog (#9158)