ComplianceAsCode Content Versions

Security automation content in SCAP, Bash, Ansible, and other formats

v0.1.62

1 year ago

Important Highlights

  • Update rhel8 stig to v1r6 (#8670)
  • OL7 STIG v2r7 update (#8689)
  • Initial definition of ANSSI BP28 minimal profile for SLE (#8540)

New Rules and Profiles

  • New rules for network sysctls (#8371)
  • Grub2 bootloader CPU mitigations (#8325)
  • Add new template to check kernel build configurations (#8435)
  • Kernel memory configs (#8477)
  • Add rules for kernel memory allocators settings (#8488)
  • Add rules for kernel data structure configs (#8483)
  • Add rules for various kernel behaviors (#8502)
  • Add rules to check kernel IP stack configs (#8501)
  • Add rules for kernel compiler features (#8499)
  • Add rules for kernel security options (#8498)
  • Add rules for kernel module security (#8492)
  • Add rules for ARM64 kernel (#8506)
  • Add rules for 64b kernel (#8504)
  • Add rules to configure Kernel panic behavior (#8503)

Updated Rules and Profiles

  • gid_passwd_group_same oval does not allow ! in passwd field (#8296)
  • Update SRG-OS-000028-GPOS-00009 for RHEL9 STIG (#8321)
  • Update SRG-OS-000032-GPOS-00013 for RHEL9 STIG (#8363)
  • Fix missing "to" in account restriction warnings (#8399)
  • SLE15 add sysctl_kernel_exec_shield to HIPAA profile (#7891)
  • Update SRG-OS-000480-GPOS-00229 for RHEL9 STIG (#8405)
  • Update SRG-OS-000480-GPOS-00232 for RHEL9 STIG (#8403)
  • Add sudoers_default_includedir rule support to SLE12 and SLE15 platforms (#8406)
  • SUSE Group init_module and finit_module audit rules. (#8407)
  • Update SRG-OS-000031-GPOS-00012 for RHEL9 STIG (#8414)
  • Update SRG-OS-000445-GPOS-00199 for RHEL9 STIG (#8415)
  • Update SRG-OS-000370-GPOS-00155 for RHEL9 STIG (#8422)
  • Update SRG-OS-000437-GPOS-00194 for RHEL9 STIG (#8416)
  • Update SRG-OS-000445-GPOS-00199 (#8439)
  • Add a rule to STIG profile in OL8 and RHEL8 (#8447)
  • SRG-OS-000349-GPOS-00137 for RHEL 9 STIG (#8471)
  • Add auid criteria to rules related to syscall audit rules (#8327)
  • remove redundant rule from HIPAA profiles (#8509)
  • Update SRG-OS-000120-GPOS-00061 for RHEL 9 STIG (#8514)
  • align RHEL8 OSPP with certification requirements (#8508)
  • Fix broken Oracle Linux doc links. (#8538)
  • For sle systems the etc shadow is group shadow (#8554)
  • Enable ansible and bash remediation for SLE15 and SLE12. (#8545)
  • consistent perm_x product filtering (#8607)
  • Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG (#8505)
  • strip trailing blank lines for some templated audit rules (#8805)

Changes in Remediations

  • Use UID field for bash remediation of homedirs (#8398)
  • SUSE disable_users_coredumps enable bash remediation for sle. (#8558)
  • consistent perm_x product filtering (#8607)
  • Remediation and improvement for file_permissions_home_dirs rule (#7963)
  • fix ansible remediation of enable_dracut_fips_module (#8823)

Changes in the Infrastructure

  • Add tag HTML element to STIG mapping tables (#8367)
  • Remove reference to a nonexistent file (#8370)
  • Unify a custom_command (#8357)
  • Like the docs requirements, GitPod should also use https vs the legacy git protocol (#8440)
  • Update utils/create_srg_export.py (#8437)
  • Build data stream without OpenSCAP (#8364)
  • Improve the list of HTML guides (#8460)
  • Remove update_sds_version.py (#8369)
  • Add new GH job to generate XLSX table and HTML page with SRG mapping (#8326)
  • Fix index page generation for guides artifacts. (#8533)
  • Organize fix text macros (#8529)
  • Load any *.jinja file and organize macros (#8576)
  • Add cce to srg export (#8571)
  • Full Support Variables in SRG Export (#8635)
  • utils/compare_results.py to work with --stig-viewer results and print rule identifiers (#8634)
  • Fix variable substitution in SRG export (#8683)
  • Add custom requirement (#8705)
  • GH actions nightly builds (#8137)

Changes in the Test Suite

  • Test template filtering (#8052)
  • Fix same shadow field bug in tests (#8458)
  • Add Centos Stream 8/9 support in install_vm script (#8481)
  • Add templated tests for dconf_ini_file (#8740)
  • Cleanup tests package installed or removed (#8752)
  • Cleanup duplicate scenarios for sshd_lineinfile template (#8742)
  • Include snapshot cleanup functions for SSGTS (#8729)
  • test scenario adjustments for file_permissions template (#8750)
  • Cleanup custom kernel_module_disabled scenarios (#8753)
  • Add templated test scenarios for shell_lineinfile template (#8754)
  • Remove similar test scenarios on rules templated by file_groupownership (#8755)
  • SSGTS: Update to handle CentOS CPEs and fix prefix name of snapshots wrt podman limitation (#8767)
  • Add template mode to SSGTS (#8730)
  • Remove redundant custom test scenarios for service enabled/disabled rules (#8760)

Documentation

  • Fix docs build (#8402)
  • Document GHA release process (#8096)
  • Add documentation for Pandas dependency (#8544)
  • Point the docs to new jinja macro files (#8577)
  • Remove Link Checker from README (#8745)

v0.1.61

2 years ago

Important Highlights

  • Stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Introduce OL9 product (#8102)
  • Implement handling of logical expressions in platform definitions (#8043)

New Rules and Profiles

  • Introduce OL9 product (#8102)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Introduce stig_gui profile for OL8 (#8200)
  • New rules related to pam_pwquality (#8185)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Add GRUB2 rule for slab_nomerge and mce (#8282)
  • Include rule mount_option_proc_hidepid (#8288)
  • New sysctl fs parameters (#8304)
  • Parametrize configuration of kernel.kptr_restrict and add rule for kernel.panic_on_oops (#8285)

Updated Rules and Profiles

  • Ol7 stig v2r5 (#7913)
  • HIPAA Rules in test (#7916)
  • Ubuntu specific bash and oval for dconf_gnome_login_banner_text (#7908)
  • The audit package and auditd service are needed for FAU_GEN.1 SFR. (#8069)
  • Clarify that log_format and name_format affects specifically information included in the audit records, not events for which audit records get generated. (#8071)
  • Ensuring immutable UIDs is related to the subject identity required by FAU_GEN.1.2; it does not affect for which events audit records will be generated. (#8072)
  • These auditd configurations affect the whole SFR, not just its specific parts. (#8070)
  • RHEL9 OSPP: drop some rules disabling kernel module loading (#8093)
  • The write_logs is related to where audit records end up stored, not what records get generated. (#8114)
  • Amend OSPP references for rsyslog omfwd/gtls configuration. (#8113)
  • On OSPP installation, the primary reason for having rsyslog installed… (#8111)
  • Configuring the CA certificate targets the TLS "internal" requirements, so FTP_ITC_EXT.1.1 is not needed. (#8112)
  • Ensure all processes are auditable and rules loaded for FAU_GEN.1 are applied. (#8098)
  • Update OL8 stig profile rule selection (#8124)
  • Requirement of not losing data at least to a limit comes from FAU_STG family. (#8133)
  • RHEL9 OSPP boot parameter rules (#8092)
  • Simple stig v2r6 updates for OL7 (#8162)
  • Create OVAL check for selinux_context_elevation_for_sudo [OL7] (#8160)
  • Update rule to only remove the graphical interface (#8170)
  • drop not needed auditd.conf rules from rhel9 ospp (#8188)
  • New rules related to pam_pwquality (#8185)
  • Update configure_bashrc_exec_tmux to consider .d directory (#8146)
  • align ospp audit rules with the latest upstream release (#8152)
  • Align description of grub2 rules with checks and remediations (#8184)
  • Update RHEL7 STIG items to V3R6 (#8225)
  • update description of rhel9 ospp profile (#8232)
  • Add sudoers_default_includedir to ol7 STIG (#8229)
  • add rules to add page_alloc.shuffle kernel boot parameter (#8234)
  • Fix bug 1195521 (#8215)
  • Fix for bug 1195523 (#8242)
  • Extend package_pam_pwquality_installed rule for RHEL (#8186)
  • make rule enable_fips_mode check only for technical state (#8255)
  • UEFI booting requires FAT support. (#8269)
  • Removed criteria in OVAL check of require_singleuser_auth (#8121)
  • no iptables.service in sle15 (#8292)
  • fix aide_build_database rule and remediation to work with sles 12 and 15 (#8287)
  • SLE 12 and 15 merge auditd file modification rules STIG IDs (#8295)
  • OL8 STIG severity adjustments (#8103)
  • Oval update for two rules to only allow results from one file [ol7] (#8161)
  • Performance improvements for file permission and ownership templates (#8456)

Changes in Remediations

  • HIPAA Rules in test (#7916)
  • Fix handling of literal dollars in macros (#8252)
  • Various bash fixes (#8253)
  • Simplify generated augen bash expressions (#8254)
  • Fix the firewalld remediation (#8251)
  • Fix bash remediations of browsers (#8258)
  • Introduce convenience macros for find and awk (#8257)
  • Introduce a shellcheck test (#8032)
  • Refactor pam_faillock remediation (#8347)

Changes in the Infrastructure

  • Add condition to SCAPVal script that will trigger when SCAP standard is updated (#8062)
  • stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
  • Implement handling of logical expressions in platform definitions (#8043)
  • Add backends attribute to template in rules schema (#8090)
  • Add gitpod support (#8123)
  • Added utils/compare_disa_xml.py (#8120)
  • Gitpod: Build OpenSCAP 1.3.6 so it can build OCP4 and EKS content (#8206)
  • Fix issue with getting STIG items in create_scap_delta_tailoring.py (#8245)
  • Store OVAL of compiled platforms as string (#8238)
  • Add a script to audit the SRG export CSV (#8077)
  • Add version to delta tailoring file name (#8247)
  • Various improvements to SRG Export Script (#8091)

Changes in the Test Suite

  • align ospp audit rules with the latest upstream release (#8152)
  • Remove grub2_pti_argument tests (#8310)
  • Delete test scenario that removes SSH keys from machine (#8309)
  • Remove RHEL7 platform from invalid_rescue.pass.sh (#8311)

Documentation

  • Document boolean expressions in "platform" definitions (#8094)
  • Add github workflow to publish statistics, guides and tables (#8136)
  • Add missing rsync dependency to gh-pages workflow (#8151)
  • Fix badges and remove Centos legacy CI integration (#8244)

v0.1.60

2 years ago

Important Highlights

  • OL8 draft stig profile v1r1 (#7932)
  • Add Amazon EKS platform and initial profiles for the CIS benchmark (#7579)
  • Add CentOS Stream 9 derivative product from RHEL9 (#7878)

New Rules and Profiles

  • Rename/remove rule for package abrt-addon-python (#7899)
  • OL8 draft stig profile v1r1 (#7932)
  • Add stig_gui profile for ol7 (#7939)

Updated Rules and Profiles

  • update description of grub2_uefi_password (#7859)
  • remove ABRT related rules from RHEL9 (#7906)
  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • add hint about audit backlog configuration (#7909)
  • Update chronyd_or_ntpd_set_maxpoll to add maxpoll option to chrony pool directives (#7910)
  • Clarify behaviour of SSHD rules (#7919)
  • OL8 stig prodtype and platform (#7933)
  • fix enable_fips_mode remediations (#7936)
  • Removed OSPP MLS from RHEL9 (#8037)
  • mark rhel9 ospp and cui as draft (#8042)
  • fix problems with trailing blank lines in audit rules (#8047)
  • fix wrong Jinja macro for audit_rules_execution_restorecon (#8073)
  • Make rule network_nmcli_permissions applicable only when polkit is installed (#8110)
  • remove configure_gnutls_tls_crypto_policy from rhel9 (#8116)

Changes in Remediations

  • Use authselect to edit pam files if it is present (#8026)
  • Use authselect and custom profile for pam_pwhistory (#8030)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)
  • Use correct config file in ensure_gpgcheck_local_packages (#8105)
  • sshd_lineinfile ansible macro dir support and directory check fix (#8109)

Changes in Checks

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)

Changes in the Infrastructure

  • Add the ability to load controls from folder (#7876)
  • Add utils/compare_results.py (#7894)
  • Introduce handling of versioned Boolean algebra expressions (#7873)
  • Add a split option to utils/build_stig_control.py (#7904)
  • Upgrade to F34 in Gating (#7826)
  • Control to csv (#7775)
  • Fix issues with dividing a str by str in utils/render-policy.py (#7960)
  • Improve create_srg_export.py (#7959)
  • Add rationale to controls (#7975)
  • Clarify controleval.py help text (#8034)
  • Add better error messages to utils/controleval.py and add does not meet to stats output (#8038)
  • Improvements to controls and STIG export (#8039)
  • Generate release artifacts' checksums (#8087)

Changes in the Test Suite

  • grub2_kernel_trust_cpu_rng was checking for wrong option (#7918)
  • fix problems with trailing blank lines in audit rules (#8047)
  • override two more tests for grub2_kernel_trust_cpu_rng (#8067)
  • Fix Ansible and tests for ensure_gpgcheck_globally_activated (#8101)

Documentation

  • add hint about audit backlog configuration (#7909)
  • Add docs for create srg export (#7976)

v0.1.59

2 years ago

Important Highlights

  • Add support for Debian 11 (#7715)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Ground work for implementation of CPE applicability language (#7613)
  • Add HIPAA profile to SLE15 platform (#7776)
  • Add Delta Tailoring Files to the Build System (#7851)

New Rules and Profiles

  • Add rule only_allow_dod_certs (#7658)
  • Add new rule "service_ypserv_disabled" (#7679)
  • Add rule "Ensure All Groups on the System Have Unique Group Name" (#7676)
  • Add SSH LoginGraceTime rule (#7678)
  • Add rule accounts_root_gid_zero (#7685)
  • Add new rules for CIS Journald Config (#7682)
  • Add rule service_slapd_disabled (#7694)
  • Add rule group_unique_id (#7683)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add NERC CIP profiles for OCP4 and RHCOS (#7757)
  • Add HIPAA profile to SLE15 platform (#7776)

Updated Rules and Profiles

  • locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml: sles15 fix (#7389)
  • remove rule disable_prelink from rhel7 cis (#7621)
  • Make package_mcafeetp_installed work on Ubuntu (#7656)
  • Add rule to stig.profiles (#7664)
  • SLE bash remediation accounts_passwords_pam_faildelay_delay (#7661)
  • Add rule for RHEL8 CIS 5.2.16 (#7677)
  • remove old rule from rhel7 stig (#7710)
  • More flexibility for login banners (#7690)
  • Align rsyslog_remote_loghost to benchmarks (#7692)
  • Rework bash remediation for accounts_password_pam_unix_remember (#7660)
  • Return rule package_rsyslog-gnutls_installed to RHEL7 (#7731)
  • Add "Ensure cron is restricted to authorized users" to RHEL8 and RHEL7 (#7691)
  • Add var_sshd_set_keepalive to Ubuntu 20.04 STIG profile (#7771)
  • SLE15 Add rsh and talk server remove rules to HIPAA profile (#7813)
  • Change sshd_set_idle_timeout to require sshd_set_keepalive_0 (#7751)
  • SLE15 add service related rules to HIPAA profile (#7852)

Changes in Remediations

  • Add remaining Blueprint templates (#7609)
  • Make sure files have newline during bash lineinfile remediation (#7787)
  • accounts_no_uid_except_zero: Don't run passwd if awk returns nothing (#7779)
  • Make FIPS mode check idempotent (#7318)

Changes in the Infrastructure

  • Automated STIG Control File Creation (#7324)
  • Added Build, Test on OpenSUSE Leap 15 on pull requests (#7666)
  • Handle references with commas in utils/build_stig_control.py (#7697)
  • Add utils/create_scap_delta_tailoring.py (#7717)
  • Multi-file templates: file_permissions/file_groupowner/file_owner (#7405)
  • Ground work for implementation of CPE applicability language (#7613)
  • Fix utils/fix_rules.py exit codes (#7821)
  • Add Delta Tailoring Files to the Build System (#7851)
  • Add CentOS 7 build to CI (#7879)

Changes in the Test Suite

  • Test scenarios updates for gpgcheck rules (#7638)
  • service_enabled test scenarios templates (#7632)
  • Create test scenarios for rule gid_passwd_group_same (#7637)
  • ntp/chrony remove server remediations and test scenarios (#7631)
  • Add a fail test for accounts_password_all_shadowed (#7642)
  • Add test scenarios specific for CIS (#7634)
  • Implementing test ssh_set_max_sessions for rhel7 profiles (#7641)
  • Created pass/fail scripts for rule sshd_use_approved_macs (#7650)
  • Update SSGTS so it can use mount in containers (#7680)
  • Added ability to slice SSGTS rule checking runs (#7667)
  • Update tests for package_crypto-policies_installed (#7858)

Documentation

  • Add Styleguide (#7515)
  • improve documentation (#7063)
  • Add sphinx missing dependency in the developer guide (#7645)
  • Update CONTRIBUTING.md (#7722)
  • Add type hints to style guide (#7773)
  • Fix directories count in docs/manual/developer/03_creating_content.md (#7805)
  • Improve jinja docs (#7785)
  • Introduced graphs in the documentation (#7825)
  • Add rule schema (#7796)

v0.1.58

2 years ago

Important Highlights

  • Add SCE Support to build system (#7075)
  • Split RHEL 8 CIS profile using new controls file format (#6976)
  • Introduce automated CCE adder (#7249)
  • CIS Profiles for SLE12 (#7434)
  • Add initial Ubuntu 20.04 STIG Profile (#7220)

New Rules and Profiles

  • Add initial Ubuntu 20.04 STIG Profile (#7220)
  • Add rules for RHEL-08-030610 (#7256)
  • Add Ubuntu to cron.allow, at.allow rules for CIS (#7223)
  • New rules for RHEL-08-010290 (#7151)
  • New rules for RHEL-08-010291 (#7169)
  • Add /var/log/audit individual ownership rules (#7129)
  • New rule for RHEL-08-020270 (#7276)
  • Add new rule for RHEL-08-030700 (#7264)
  • Added new rule for RHEL-08-030710 (#7268)
  • Add rule for RHEL-08-020300 (#7289)
  • Add rule for RHEL-08-020090 (#7313)
  • Introduce support for the distributed SSHd configuration (#6926)
  • UBTU-20-010057: Add missing rules (#7363)
  • Add new rule for RHEL-08-030720 (#7288)
  • Add new rules RHEL-08-010001 and RHEL-07-020019 (#7344)
  • Add new rule for RHEL-07-030330 and RHEL-08-030730 (#7323)
  • Added rule for RHEL-08-010400 (#7411)
  • Sysctl disable ipv6 (#7460)
  • CIS Profiles for SLE12 (#7434)

Updated Rules and Profiles

  • fix problems with variables in rhel7 cis (#7237)
  • Sort references, identifiers in rule.yml (#6882)
  • Correct some issues with the CIS ICMP redirects rule on RHEL 7/8 (#7259)
  • remove broken links to support.ntp.org (#7262)
  • Mark as machine rules that collect password_object (#7263)
  • OCP4: fips_mode_enabled rule relates to IA-7 (#7267)
  • Enable dconf rules for RHEL9 (#7011)
  • Enable generic rules for RHEL9 (#7147)
  • Introduce support for the distributed SSHd configuration (#6926)
  • Add service_pcscd_enabled to SLE15 PCI-DSS profile (#7322)
  • update version of rhel7 stig_gui profile (#7340)
  • Update References for RHEL8 STIG V1R3 (#7299)
  • Suse sle15 fix reference sles 15 030350 assignment (#7346)
  • Add to sle15 PCI-DSS profile rules for account uniqueness and grub config ownership (#7345)
  • Select sysctl_net_core_bpf_jit_harden for RHEL-08-040286 (#7354)
  • Add SRGs for accounts_password_pam_dictcheck and sssd_enable_certmap (#7362)
  • Update RHEL 8 CIS references to match benchmark 1.0.1 (#7356)
  • Update CCEs and identifiers on rules that make up RHEL 8 CIS 4.1.15 (#7353)
  • generic updates to rhel7 CIS (#7384)
  • Update existing rule for RHEL-08-020320 (#7303)
  • OCP4: Remove kubelet_disable_hostname_override rule (#7391)
  • SLES-12-010599 - remove rule from the STIG (#7397)
  • add kickstarts for rhel8 CIS profiles (#7383)
  • add rhel7 kickstarts for CIS profiles (#7382)
  • UBTU-20-010056: Use rule accounts_password_pam_dictcheck (#7366)
  • Add ensure_logrotate_activated rule to SLES15 PCI-DSS (#7381)
  • products/sle15/profiles/stig.profile: Update according to U_SLES_15_STIG_V1R3 Manual (#7388)
  • Add PCI-DSS rules (#7373)
  • Add PCI-DSS file Rules (#7417)
  • Add PCI-DSS file rules (#7430)
  • SUSE SLE15 service chronyd or ntpd enabled pci dss (#7425)
  • Add rsyslog log file configuration rules to SUSE SLE15 PCI-DSS profile (#7420)
  • Update existing rules for RHEL-07-010492 and RHEL-07-010482 (#7438)
  • Add rule for SLES-12-030365 (#7177)
  • SLE15 add package_aide_installed to PCI-DSS profile (#7476)
  • SLE15 add package security rules to PCI-DSS profile (#7473)
  • SLE15 Add password hashing rules to PCI DSS profile (#7474)
  • SLE15 add audit data retention rules to PCI-DSS profile (#7475)
  • SLE15 add sssd_enable_smartcards to PCI-DSS rule (#7472)
  • PCI-DSS Add more auditd rules (#7477)
  • OL7 DISA STIG v2r4 update (#7496)
  • Pcidss Configure Crypto Rules (#7398)

Changes in Remediations

  • Enable remediations for crypto policy settings (#7242)
  • fix ansible of accounts_root_path_dirs_no_write (#7255)
  • add / fix remediations for audit rules wrt modules (#7252)
  • Fix possible issue in harden_openssl_crypto_policy remediation (#7178)
  • Mount option template updates (#7081)
  • Fix coverity problems (#7258)
  • Fix ansible remediation of display_login_attempts (#7271)
  • Fixed the remediations when there are no previous kernelopts (#7257)
  • Remove specific metadata in shared Bash remediations (#7254)
  • Update existing rule for RHEL-08-030650 (#7283)
  • Remove kubelet_disable_hostname_override rule (#7400)
  • Fix remaining audit rule files permissions. (#7440)

Changes in Checks

  • Add oval check for bios_enable_execution_restrictions (#7227)
  • Mount option template updates (#7081)
  • Update existing rule for RHEL-08-030650 (#7283)

Changes in the Infrastructure

  • Prioritize install_smartcard_packages like package_*_installed (#7224)
  • Sort references, identifiers in rule.yml (#6882)
  • Add SCE Support to build system (#7075)
  • SSGTS: tests for shared/templates (#7211)
  • Add new rule for RHEL-08-030720 (#7288)
  • Introduce automated CCE adder (#7249)
  • Add sort prodtypes to fix_rules (#7454)

Changes in the Test Suite

  • Add rhel9 Dockerfile and distro choice into install_vm.py (#7235)
  • fix ansible of accounts_root_path_dirs_no_write (#7255)
  • install_vm.py: add --console option (#7186)
  • Add some more tests (#7083)
  • Add RHEL7 specific test kickstart (#7355)
  • SSGTS: tests for shared/templates (#7211)
  • Fix combined mode execution in SSGTS (#7395)
  • Option --no-reports for SSGTS rule and combined modes (#7523)

Documentation

  • Document rule.yml modification utilities (#6916)
  • Update Mailing list location in docs (#7293)
  • Fix links to repo: SSG->CaC (#7311)
  • More documentation (#7406)
  • Fix RHEL7 documentation links (#7409)
  • Add readthedocs integration badge (#7407)
  • Fix RHEL7 documentation link (#7443)
  • Add bats to gating and docs (#7543)

v0.1.57

2 years ago

Highlights

  • CIS profile for RHEL 7 is updated
  • initial CIS profiles for Ubuntu 20.04
  • Major improvement of RHEL 9 content
  • new release process implemented using Github actions

New Rules and Profiles

  • Add rule sudo_add_passwd_timeout (#6984)
  • SLES-12-010420 and SLES-15-010510 rules (#7028)
  • SLES-15-010355 rule (#6947)
  • New rsyslog rule per RHEL-08-010070 STIG (#7114)
  • Add initial Ubuntu 20.04 CIS Profiles (#7181)

Updated Rules and Profiles

  • Update ANSSI policy metadata and undraft High Level (#6997)
  • Update cis sle15 profile to better represent the release version 1.0.0 (#7056)
  • Start splitting of rhel7 CIS (#7108)
  • Splitting rhel7 cis profile - section 2 (#7112)
  • Splitting rhel7 cis profile - section 3 (#7111)
  • splitting CIS rhel7 profile - section 4 (#7134)
  • Split RHEL 7 CIS profile - section 5 (#7193)
  • split CIS for rhel7 - section 6 (#7219)

Changes in Remediations

  • Add bash package installed macro (#7032)
  • Ansible playbook to role updates (#7042)
  • Add option to enable installation of individual ansible playbooks per rule (#7039)
  • Only enable ansible/yaml lint tests when playbooks are built (#7099)
  • ensure_pam_module_options now fixes empty option value (#7116)
  • Fix bash remediation of sudo_defaults_option (#7146)
  • Fix regex in dconf ansible remediation (#7150)

Changes in Checks

  • Fix disable_users_coredumps's limits.d exists (#7030)
  • Fix oval check in uefi_no_removeable_media (#7067)
  • Add option_regex_suffix to sudo_defaults_option template (#7082)

Changes in the Infrastructure

  • Fix bugs in rule_dir_json.py (#6911)
  • Fix utilities after product move (#7113)
  • Fix kernel module disable template (#7086)
  • SSGTS: Jinja enablement for test cases (#7210)

Changes in the Test Suite

  • Fix SSG test suite support for setting variables (#7097)
  • SSGTS: Jinja enablement for test cases (#7210)

v0.1.56

2 years ago

Highlights:

  • Align ism_o profile with latest ISM SSP (#6878)
  • Align RHEL 7 STIG profile with DISA STIG V3R3
  • Creating new RHEL 7 STIG GUI profile (#6863)
  • Creating new RHEL 8 STIG GUI profile (#6862)
  • Add the RHEL9 product (#6801)
  • Initial support for SUSE SLE-15 (#6666)
  • add support for osbuild blueprint remediations (#6970)

Profiles changed in this release:

  • sle12: stig
  • sle15: cis, stig
  • rhel7: stig_gui, stig
  • rhel8: stig_gui, stig, ism_o
  • rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
  • ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
  • ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
  • rhv4: pci-dss
  • ocp4: cis-node, cis
  • rhel9: pci-dss

Profiles:

  • Add updated manual DISA STIG XML reference files (#6903)
  • rhcos4/e8: Use individual kernel module load audit rules (#6797)
  • rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
  • bump rhel7 stig version to v3r3 (#6951)
  • remove no longer relevant rules from rhel7 stig (#6865)
  • Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
  • Update OL e8 profiles (#6840)
  • Remove rules related to gnome/dconf (#6884)
  • Ol cjis profiles (#6851)
  • Add PCI-DSS profile to RHV4 (#6867)
  • OL hipaa profiles (#6819)
  • Update OL cui profiles (#6818)
  • remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
  • RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
  • rhcos4: Remove sssd configuration check from moderate profile (#6774)
  • RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
  • RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
  • RHCOS: Temporarily remove UEFI password rule (#6757)
  • Add new rules to sle12/profiles/stig.profile (#6665)
  • Remove package_gssproxy_removed from STIG GUI profile (#6967)
  • Updating RHEL8 STIG profile for readability changes (#6856)
  • Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
  • Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)

Rules:

  • Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
  • Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
  • Fix grub2's /boot location for Debian, Ubuntu (#6986)
  • Add rules to remove setroubleshoot server and plugin packages (#6969)
  • SLES-15-010362 (#6968)
  • Fix groupowner/permissions for ubuntu2004 (#6979)
  • SLES-15-10352 rule (#6822)
  • Enable RHEL9 for kernel-related rules (#6966)
  • Enable SELinux rules for RHEL9 (#6959)
  • Move rule grub2_enable_iommu_force to use template (#6956)
  • Clarify what fixes for AIDE acl and xattrs do (#6960)
  • Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
  • Adding new rule for RHEL-08-010294 (#6932)
  • Add OCIL to sshd_limit_user_access (#6836)
  • SLES-15-030390 add rule, remediation and test (#6802)
  • Add Rule for SLES-15-040382 (#6811)
  • RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
  • RHCOS4: Add recommended chrony config (#6786)
  • Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
  • Prevent global references to use product-qualifiers (#6896)
  • OCP: Fix description of kubelet TLS cipher suites (#6900)
  • Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
  • Update VSEL references to remove qualifier from global references (#6948)
  • SLES-15-010250 add rule, remediation and tests (#6879)
  • add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
  • Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
  • Add Rule,Remediation and Test for SLES-15-030760 (#6869)
  • Revert STIG id for require_emergency_target_auth (#6928)
  • Remove bogus nist: FOO-1(a) references (#6917)
  • remove product specific disa and srg references (#6895)
  • ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
  • Fix usbguard match-all syntax for HID rule (#6909)
  • RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
  • Notate that Ubuntu is a FIPS-certified OS (#6912)
  • OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
  • update require_emergency_target_auth (#6894)
  • add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
  • Add Rule,Test for SLES-15-020103 (#6881)
  • Prevent unqualified CIS and STIGID references (#6871)
  • SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
  • Add rules related to permissions of /var/log and /var/log/messages (#6861)
  • SLES-15-010220 updates for firewalld (#6831)
  • Add OL anssi profiles (#6817)
  • update accounts_tmout (#6839)
  • SLES-15-030730 'Record Unsuccessful Delete Attempts to Files - renameat2' (#6826)
  • add rule for disabling of GUI (#6860)
  • Add rules for SLES-12-010060 (#6806)
  • CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
  • fix service_sshd_enabled for SLE-15 (#6830)
  • RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
  • Add HIPAA rules references (#6854)
  • RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
  • Add CCI reference to package_gssproxy_removed (#6846)
  • Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
  • SLES-15-010353 map rule file_ownership_library_dirs (#6820)
  • Add CCEs for RHEL9 rsyslog rules (#6832)
  • SLES-15-010030 rule (#6821)
  • SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
  • Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
  • OCP4: Add applicability warnings (#6823)
  • service_nfs_disabled - change name of nfs service to nfs-server (#6777)
  • Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
  • OCP4: Address flowschema version change by handling different OCP versions (#6813)
  • Abort the build if an OVAL is not included due to extend_definition (#6402)
  • Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
  • service_rsyncd_disabled - update package name to rsync-daemon (#6783)
  • Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
  • RHCOS4: Fix require_singleuser_auth rule (#6780)
  • ocp4: Add relevant description for protectKernelDefaults rule (#6705)
  • CIS 5.2, 5.4, and 5.6 updates (#6704)
  • Add documentation links for OL7 and OL8 (#6756)
  • Update OL OSPP profiles (#6745)
  • Change dhcp server package name to dhcp-server in rhel8 (#6762)
  • SLES-15-020101 add rule and tests, no remediation (#6734)
  • Add ansible and bash remediation for wireless_disable_interfaces (#6685)
  • ocp4: Switch to using the platforms construct (#6759)
  • Add rule for RHCOS to check for interactive boot being disabled (#6747)
  • Fix oracle documentation links (#6740)
  • implement support for multiple platforms connected with disjunction (#6661)
  • rhcos4: Add check for nousb kernel argument (#6743)
  • Add tests for no files unowned by user/group rules (#6738)
  • Add rule for checking selinux is not disabled in coreos (#6737)
  • ocp4/etcd: Fix rule checks for 4.8 (#6732)
  • Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
  • CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
  • CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
  • Updating macros to support idempotency when deduplicating values (#6953)
  • Fix Rule CPE Name inheritance (#6943)
  • Reorganize env and product yaml (#6754)
  • RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
  • rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
  • RHCOS4: Add recommended auditd.conf remediation (#6782)
  • Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
  • Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
  • rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
  • RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
  • mount_option ansible remediation - remediate when mount point is not in mounted (#6713)

Tests:

  • install_vm.py: add possibility to install GUI system (#7004)
  • Improve the test suite wrapper (#6944)
  • Remove code from OCP4 e2e tests (#6961)
  • Add test scenarios for service enable/disable rules from CIS profile (#6785)
  • Missing references test (#6849)
  • Fix RHEL8 STIG with GUI stable profile data (#6874)
  • increase /usr partition size in testing kickstart (#6808)
  • Add Ubuntu as a known platform for ssg_test_suite (#6794)
  • Add package_* test scenarios (#6752)
  • Add tests for rule accounts_password_pam_minlen (#6751)
  • Add tests for rule accounts_no_uid_except_zero (#6750)
  • Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
  • Update tests of accounts_tmout to work when overriding profiles (#6765)
  • Update tests of account_disable_post_pw_expiration (#6753)
  • Add tests for rule account_unique_name (#6749)
  • accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
  • Switch to generic python shebang (#6744)
  • Add tests for rule no_netrc_files (#6741)
  • Add tests for rule accounts_minimum_age_login_defs (#6735)
  • Updated test scenarios to work on containers (#6701)
  • Add tests for rule accounts_password_warn_age_login_defs (#6736)
  • Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
  • ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
  • Add test scenarios for rsyslog rules (#6712)
  • set_firewalld_default test scenarios (#6721)
  • sysctl_net_* test scenarios (#6696)
  • rpm_verify_ownership test scenarios (#6703)
  • postfix_network_listening_disabled tests (#6708)
  • Ignore trailing whitespaces in the unique references test (#6702)
  • Make test suite tests more accessible (#6675)
  • mount_option_* test scenarios (#6677)
  • file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#6687)
  • kernel_module_* test scenarios (#6684)
  • Added test scenarios for partition rules (#6676)

v0.1.55

3 years ago

Highlights:

  • big update of rules used in SLES-12 STIG profile
  • Render policy to HTML (#6532)
  • Add variable support to yamlfile_value template (#6563)
  • Introduce new template for dconf configuration files (#6118)

Profiles changed in this release:

  • ocp4: cis-node, cis, e8, moderate
  • rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
  • rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
  • sle15: cis, standard
  • debian10: anssi_np_nt28_average, standard
  • debian9: anssi_np_nt28_average, standard
  • fedora: pci-dss, standard
  • ol7: pci-dss, stig, standard
  • ol8: ospp, hipaa, standard, pci-dss, cjis
  • rhcos4: e8, ospp, moderate
  • rhv4: rhvh-stig, rhvh-vpp
  • sle12: stig
  • ubuntu1604: anssi_np_nt28_average, standard
  • ubuntu1804: cis, anssi_np_nt28_average, standard
  • ubuntu2004: standard
  • wrlinux1019: draft_stig_wrlinux_disa

Profiles:

  • remove ensure_logrotate_configured from CIS profiles (#6693)
  • configure_crypto_policy update for CIS profile (#6673)
  • remove kernel_module_vfat_disabled from CIS profiles (#6613)
  • E8 ocp revisions (#6587)
  • Update ANSSI profile descriptions (#6592)
  • Bump RHEL7 STIG version to v3r2 (#6576)
  • OL7 DISA STIG v2r1 update (#6538)
  • Select RHEL8 STIG V1R1 existing content (#6579)
  • OL7 DISA STIG v2r2 update (#6607)
  • Update OL standard profiles (#6604)
  • Update OL pci-dss profiles (#6605)
  • Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
  • remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)

Rules:

  • Update selinux_confinement_of_daemons rule (#6695)
  • Adds classification-banner rule (#6652)
  • CIS 5.1 changes (#6678)
  • ocp4: Fix audit log forwarding rule (#6680)
  • CIS 5.1 and 5.2: More ocil updates (#6689)
  • Change instances of cis to cis@ocp4 for openshift (#6654)
  • Revert hardcoding of ClientAliveCountMax to 0 (#6434)
  • SLES-12 add checks and remediations (#6635)
  • Update ANSSI references (#6662)
  • Add missing CIS references (#6660)
  • move ssh_client_rekey_limit to correct group (#6612)
  • Fix STIG id reference for sshd_x11_use_localhost (#6628)
  • fix wrong description of sshd_limit_user_access (#6623)
  • mark some CIS rules as machine-only (#6611)
  • CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
  • ocp4: Add link to documentation for etcd encryption (#6590)
  • Drop remediation for sysctl_kernel_modules_disabled (#6586)
  • OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
  • CIS: Update api_server_request_timeout description and check (#6572)
  • add rhel7 stig specific rule for sshd approved macs (#6546)
  • Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
  • add rhel7 stig specific rule for ssh ciphers (#6541)
  • sshd_set_keepalive PCI DSS requirement reference (#6531)
  • add rule sysctl_kernel_modules_disabled (#6533)
  • RHEL-07-040710 now configures X11Forwarding to disable (#6537)
  • add rule sshd_x11_use_localhost (#6534)
  • Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
  • fix remediations of ensure_logrotate_activated (#6710)
  • ocp4/e2e: fix classification_banner remediation (#6679)
  • ocp4: Add e2e for no_direct_root_logins (#6621)
  • rhcos4: Add remediations and rules to enable usbguard (#6452)
  • Require separate filesystem for /var/tmp (#6523)
  • Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)

Tests:

  • fix test for smartcard_auth (#6694)
  • Fix test scenario of rpm_verify_permissions rule (#6671)
  • Suppress Ansible lint error 503 (#6542)
  • Add test to check for duplicated STIG ids (#6135)

v0.1.54

3 years ago

Highlights:

  • Remove RHEL6 content (#6325)
  • Add readthedocs documentation support (#6299)
  • Introduce centralised policy definitions (#6499)

Profiles changed in this release:

  • ocp4: moderate, cis-node, ncp, e8, cis
  • rhel7: anssi_nt28_intermediary, cui, cjis, anssi_nt28_minimal, C2S, anssi_nt28_enhanced, stig, ncp, hipaa, e8, anssi_nt28_high, ospp
  • ol7: stig
  • rhel8: cui, cjis, anssi_bp28_high, cis, stig, pci-dss, anssi_bp28_intermediary, hipaa, anssi_bp28_minimal, anssi_bp28_enhanced, e8, ospp
  • rhcos4: ospp, ncp, e8, moderate
  • rhv4: rhvh-stig, rhvh-vpp
  • sle12: stig
  • ol8: e8

Profiles:

  • Add xwindows_runlevel_target to RHEL7 STIG profile (#6420)
  • Remove severity adjustments on OL7 STIG profile (#6403)
  • Update SMEs and owners (#6448)
  • Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml (#6438)
  • Fix RHEL8 CIS Benchmark version (#6463)
  • Use control selectors in RHEL8 ANSSI profiles (#6505)
  • Update e8 profiles to use correct link to E8 Linux guide (#6497)
  • Add initial artifacts to support RHEL8 STIG content (#6513)
  • Update RHEL7 STIG profile with /var/log/audit related rules (#6430)
  • Update ANSSI Minimal and Intermediary requirements (#6520)
  • Add dconf_gnome_disable_automount to RHEL STIG profile (#5961)

Rules:

  • Added simple lineinfile template (#6389)
  • Generate the CPE Dictionary dynamically (#6304)
  • Drop remediation for sudo_dedicated_group (#6556)
  • ocp4: Add check for audit log forwarding (#6428)
  • Change severity of rules according to STIG V3R1 (#6417)
  • Add test to grub2_enable_fips_mode to check if /etc/system-fips exists (#6418)
  • Moved OVAL CVE Feed metadata from the rule to individual products (#6419)
  • Add new rule dir_perms_world_writable_system_owned_group (#6421)
  • SRG for ssh_client_rekey_limit (#6409)
  • OCP4/CIS: tidy etcd_unique_ca text (#6407)
  • add rule ssh_client_use_strong_rng (#6404)
  • ocp4/CIS 1.1.20: Fix references in rules (#6401)
  • Add OCIL clauses to several openshift rules (#6457)
  • compliance-operator: Prepare rules and profiles for productization (#6455)
  • ocp4: ovs conf.db: tighten file permissions (#6445)
  • fix oval of grub2_kernel_trust_cpu_rng (#6444)
  • add ospp reference to configure_libreswan_crypto_policy (#6443)
  • ocp4/CIS 1.2.10: Enable checks (#6436)
  • Add OVAL for the second rule covering CIS 4.2.10 (#6489)
  • Enable checks and remediations for SLES-12 STIGs (#6485)
  • Several cleanup patches for CIS 1.2.x (#6480)
  • Add new rules for ANSSI BP28 R22 (#6483)
  • OCP4: Add CCEs to rules used by the CIS profile (#6478)
  • OCP: Cleanup rules in section 1.1 of CIS profile (#6477)
  • Add stricter permissions option to file permissions template (#6476)
  • Implement a rule for sudoers - ANSSI R60 (#6473)
  • CIS: Add two missing OCILs (#6474)
  • Support SLES-12-010380, SLES-12-010110, and SLES-12-030150 (#6472)
  • Fix some missing extend_definition dependencies (#6465)
  • Add support for parameters in sudo_defaults_option template (#6508)
  • Add SRG references for use_pam_wheel_for_su rule (#6356)
  • update rule postfix_network_listening_disabled (#6509)
  • add rules to anssi r12 (#6515)
  • Create new rules for ANSSI R39 (#6495)
  • Enable checks and remediations for SLES-12 STIGs (#6504)
  • Fix jinja expansion on installed_OS_is_vendor_supported (#6511)
  • Updates for Anssi requirement 49 (#6510)
  • add rule checking if world writable directories are owned by root (#6507)
  • Add rule to check if OS is 64-bit when supported by CPU (#6496)
  • Add the sudoers_no_command_negation rule - ANSSI R62 (#6498)
  • Add rules to enable sudoers options (#6369)
  • Add rule to configure group owner of /usr/bin/sudo (#6352)
  • Add RHEL8 CCE to ANSSI selected rules (#6494)
  • Add rules for Anssi-bp-028 R23 (#6490)
  • Add rule to drop sudo 'other' execution permission (#6363)
  • Add new pwquality.conf and faillock.conf rules (#6370)
  • Add mount_option and partition rules (#6340)
  • Add bios and uefi CPE applicability for grub2 rules (#6286)
  • Add rule for password hashing rounds in pam_unix (#6334)
  • OCP4/CIS 2.X: Fix descriptions and add checks (#6338)
  • Disable OVAL backend from file_permissions grub2_cfg rules (#6277)
  • add rule use_pam_wheel_for_su (#6256)
  • OCP4/CIS 1.4.1: Remove invalid rule and add reference to actual check (#6329)
  • fix remediation of audit_rules_privileged_commands (#6227)
  • fix ansible remediation of dir_perms_world_writable_root_owned (#6574)
  • fix remediations of dir_perms_world_writable_root_owned (#6558)
  • fix selinux_policytype oval regex (#6530)
  • ocp4: Add automatic remediation for etcd encryption provider (#6411)
  • OCP4/CIS: kubelet_configure_event_creation e2e remediation (#6406)
  • Add kubernetes remediation for sysctl_kernel_randomize_va_space (#6456)
  • kubernetes: Fix kernel argument template (#6450)
  • RHCOS4: Fix sysctl remediations and add tests (#6449)
  • More precise modified time comparison in "configure_crypto_policy" (#6437)
  • Propagated possibility to select the remediation backend (#6433)
  • Fix FIPS checks for RHCOS (#6479)
  • disable_ctrlaltdel_burstaction: Take into account .d/ directory too (#6471)
  • Make rsyslog_remote_tls regex case insensitive for rsyslogs parameters (#6396)
  • Fix bash_dconf_settings to grep whole keyword alike (#6364)

Tests:

  • Extend list of rules of unselected rules for testing (#6573)
  • Remove noauto for boot partition from test kickstart and ANSSI profiles (#6570)
  • Update testing kickstart file partitions (#6555)
  • Add cap_audit_write to be able to run sshd in containers (#6557)
  • Move uefi_no_removeable_media tests to correct place (#6414)
  • Introduce test suite script wrappers (#6405)
  • ocp4: Add tests for rhcos4 kernel arguments (#6451)
  • OCP: Add missing tests for two rules that are passing by default (#6466)
  • configure_crypto_policy test scenario - ensure that both files have same timestamp (#6502)
  • Add documentation for variables option in test scenarios. (#6377)
  • Implement variable metadata for test scenarios (#6323)
  • Remove capture_output option from subprocess.run in SSGTS (#6347)
  • Refactored interaction with the tested machine (#6322)

v0.1.53

3 years ago

Highlights:

  • Remove OCP3 content (#6296)
  • Remove SLE11 (#6164)
  • Remove Ubuntu 14.04 (#6154)
  • Remove Debian8 (#6137)
  • Remove JBoss EAP6 (#6119)
  • Introduce machine and package platform conditionals to Bash remediations (#6061)
  • Introduce package conditionals to Ansible remediations (#6025)
  • OCP4: Enhance e2e tests to check individual rules (#6315)

Profiles changed in this release:

  • example: example
  • fedora: standard, pci-dss
  • ol7: pci-dss
  • ol8: cjis, pci-dss
  • rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
  • rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
  • jre: stig
  • ocp4: cis-node, cis, e8, moderate, ncp
  • rhcos4: e8, moderate, ncp
  • rhv4: rhvh-vpp, rhvh-stig
  • sle15: cis

Profiles:

  • Remove unused RHEL7 profiles (#6326)
  • Specify the applicable OpenShift version for the CIS profiles (#6288)
  • Update e8 references (#6306)
  • Add commented section for OCP4 CIS etcd node checks (#6238)
  • CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
  • Add ocp4-node product (#6124)
  • remove rngd related rules from rhcos profiles (#6159)
  • Add policy tracking metadata (#6004)
  • Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
  • Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
  • remove package_screen_installed from rhel7 stig (#6072)
  • OCP4 CIS profile placeholder and comments (#6121)
  • Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
  • Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
  • remove deprecated sshd config from e8 profile (#6120)
  • remove package_tuned_removed from rhel8 ospp (#6191)
  • remove rngd related rules from rhel8 ospp and stig (#6157)
  • remove package_iptables_installed from rhel8 ospp and stig (#6155)

Rules:

  • Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
  • Added JRE update and clean prev version controls (#6324)
  • fix conflicts of audit rules for privileged commands (#6279)
  • Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
  • Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
  • Add machine platform for rule kernel_trust_cpu_rng (#6300)
  • CIS 1.3.6 (#6225)
  • Update jre content with more controls and minor fixes (#6295)
  • Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
  • ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
  • Add OCP4 1.3.5 benchmark (#6198)
  • ocp4: fix basic-auth check (#6158)
  • CIS OCP4 benchmark: 1.3.3 (#6194)
  • Fix rule api_server_token_auth for ocp4 (#6193)
  • OCP4 - CIS 1.1.5 Add check (#6274)
  • ocp4: Add check for CIS 1.2.20 (#6239)
  • Cis 5.2.9 (#6250)
  • ocp4: Add check for CIS 1.2.18 (#6232)
  • ocp4: Add check for 1.2.17 (#6231)
  • add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
  • Updated rule api_server_service_account_public_key for OCP 4 (#6221)
  • Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
  • ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
  • ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
  • CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
  • Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
  • Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
  • OCP4 - CIS 1.1.3 Add check (#6272)
  • OCP4 - CIS 1.1.1 Add check (#6271)
  • Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
  • Adding rules for OCP4 CIS 1.2.5 (#6268)
  • Api server etcd (#6266)
  • Add rule for OCP4 CIS 1.3.2 (#6262)
  • Cis 5.2.7 (#6245)
  • Java JRE 8 draft update (#6282)
  • fix srgs for new rhel8 stig rules (#6280)
  • 1.2.32 add etcd-cafile check for ocp4 (#6253)
  • 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
  • add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
  • Pull request for etcd-encrypt (#6259)
  • OCP4 CIS 5.2.3 (#6244)
  • Update api_server_audit_log_path to use different apiserver conf file (#6240)
  • OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
  • OCP4 CIS 5.2.4 (#6242)
  • Add OCP4 1.3.7 Benchmark (#6220)
  • ocp4: Add check for CIS 1.2.19 (#6236)
  • Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
  • Api server kubelet https (#6215)
  • Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
  • Add rule for CIS 4.1.9 (#6210)
  • Cis node 4.1.8 (#6196)
  • OCP CIS 1.2.7 (#6209)
  • Fix rules so there are no "missing extend_definition" warnings during the build (#6186)
  • Fix duplicate assignment of CCE-83396-2 (#6224)
  • Completed an existing ocp4 CIS 1.3.4 rule (#6202)
  • Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
  • add service_kdump_disabled to rhel8 ospp (#6190)
  • Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
  • fix typos in "references" section of RHEL7 rules (#6188)
  • Add some more example content for ocp4 cis profile (#6182)
  • Add ISM references (#6143)
  • Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
  • add mandatory packages to rhel8 ospp (#6181)
  • Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
  • add rsyslog rules to rhel8 ospp (#6167)
  • Remove platform net-snmp from the group and use it in individual rules (#6166)
  • Fix severity of RHEL 7 STIG rules (#6110)
  • fix rules about sshd idle timeout (#6030)
  • Update ANSSI refs (#6052)
  • Move grub2_vsyscall_argument to grub2 group (#6129)
  • Update rule install hips (#6039)
  • Remove zIPL rule for PTI bootloader option (#6065)
  • use xccdf variable in audit_audispd_network_failure_action (#6071)
  • Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
  • Drop "esc" package from install_smartcard_packages rule (#6083)
  • Update snmpd_no_default_password (#6050)
  • Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
  • Fix missing CCE in rules selected by RHEL6 profiles (#6103)
  • add ocil to rsyslog_nolisten (#6074)
  • Remove extra ocil statement from service_cockpit_disabled (#6092)
  • Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
  • Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
  • Update text of rule account_disable_post_pw_expiration (#6084)
  • update srg for smartcard_configure_cert_checking (#6073)
  • update accounts_logon_fail_delay (#6040)
  • update rule disable_ctrlaltdel_reboot (#6043)
  • Remove SRGs from accounts_password_pam_retry (#6045)
  • Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
  • Update tftpd_uses_secure_mode (#6051)
  • Fix SRG mapping of audit rules (#6068)
  • Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
  • Minor ansible changes that fix failing rules after remediations (#6034)
  • Fix typo in SLES12 STIG ID reference (#6036)
  • Introduce ability to set check_existence to yaml template (#6177)
  • Introduced macros for working with XCCDF values into the wide content (#6048)
  • Anaconda moved to pykickstart (#6255)
  • Create custom OVAL check for uefi_no_removeable_media (#6276)
  • Parametrize rule for login.defs hashing algorithm (#6290)
  • As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
  • Fix regex in aide rules to consider first letter as uppercase (#6152)
  • Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
  • Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
  • Use resolved profiles in rule playbooks (#6080)
  • Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
  • Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
  • Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
  • update accounts_maximum_age_login_defs (#6027)

Tests:

  • Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
  • OCP4: Add manual remediation capabilities to e2e tests (#6318)
  • OCP4: Enhance e2e tests to check individual rules (#6315)
  • Remove the option to enable/disable "mask" a service (#6298)
  • Update ocp4 e2e test dependencies (#6128)
  • Force shutdown of VM if it cannot be shutdown gracefully (#6098)
  • e2e/ocp4: Display more verbose logs for e2e tests (#6192)
  • ocp4: Don't fail on transient error (#6161)
  • ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
  • ocp4: Use ScanSettingBindings for e2e tests (#6297)
  • allow install_vm.py to create UEFI based machines (#6285)
  • Make sure aide_build_database scenarios do not fail when database doesn't exist (#6183)
  • SSGTS various test scenarios metadata updates (#6136)
  • Implemented packages metadata to the test suite (#6126)
  • SSGTS combined mode: use all profile where applicable (#6146)
  • SSGTS various test scenarios metadata updates (part 2) (#6145)
  • SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
  • Removed profile from test metadata where not needed (#6114)
  • Add a test for missing CCEs (#6097)
  • Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
  • OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
  • OCP4: Verify CIS 1.3 section (#6302)