ComplianceAsCode Content Versions Save

Highlights:

• Remove OCP3 content (#6296)
• Remove SLE11 (#6164)
• Remove Ubuntu 14.04 (#6154)
• Remove Debian8 (#6137)
• Remove JBoss EAP6 (#6119)
• Introduce machine and package platform conditionals to Bash remediations (#6061)
• Introduce package conditionals to Ansible remediations (#6025)
• OCP4: Enhance e2e tests to check individual rules (#6315)

Profiles changed in this release:

• example: example
• fedora: standard, pci-dss
• ol7: pci-dss
• ol8: cjis, pci-dss
• rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
• rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
• jre: stig
• ocp4: cis-node, cis, e8, moderate, ncp
• rhcos4: e8, moderate, ncp
• rhv4: rhvh-vpp, rhvh-stig
• sle15: cis

Profiles:

• Remove unused RHEL7 profiles (#6326)
• Specify the applicable OpenShift version for the CIS profiles (#6288)
• Update e8 references (#6306)
• Add commented section for OCP4 CIS etcd node checks (#6238)
• CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
• Add ocp4-node product (#6124)
• remove rngd related rules from rhcos profiles (#6159)
• Add policy tracking metadata (#6004)
• Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
• Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
• remove package_screen_installed from rhel7 stig (#6072)
• OCP4 CIS profile placeholder and comments (#6121)
• Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
• Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
• remove deprecated sshd config from e8 profile (#6120)
• remove package_tuned_removed from rhel8 ospp (#6191)
• remove rngd related rules from rhel8 ospp and stig (#6157)
• remove package_iptables_installed from rhel8 ospp and stig (#6155)

Rules:

• Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
• Added JRE update and clean prev version controls (#6324)
• fix conflicts of audit rules for privileged commands (#6279)
• Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
• Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
• Add machine platform for rule kernel_trust_cpu_rng (#6300)
• CIS 1.3.6 (#6225)
• Update jre content with more controls and minor fixes (#6295)
• Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
• ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
• Add OCP4 1.3.5 benchmark (#6198)
• ocp4: fix basic-auth check (#6158)
• CIS OCP4 benchmark: 1.3.3 (#6194)
• Fix rule api_server_token_auth for ocp4 (#6193)
• OCP4 - CIS 1.1.5 Add check (#6274)
• ocp4: Add check for CIS 1.2.20 (#6239)
• Cis 5.2.9 (#6250)
• ocp4: Add checkf or CIS 1.2.18 (#6232)
• ocp4: Add check for 1.2.17 (#6231)
• add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
• Updated rule api_server_service_account_public_key for OCP 4 (#6221)
• Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
• ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
• ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
• CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
• Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
• Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
• OCP4 - CIS 1.1.3 Add check (#6272)
• OCP4 - CIS 1.1.1 Add check (#6271)
• Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
• Adding rules for OCP4 CIS 1.2.5 (#6268)
• Api server etcd (#6266)
• Adding rules for OCP4 CIS 1.2.5 (#6268)
• Add rule for OCP4 CIS 1.3.2 (#6262)
• Cis 5.2.7 (#6245)
• Java JRE 8 draft update (#6282)
• fix srgs for new rhel8 stig rules (#6280)
• 1.2.32 add etcd-cafile check for ocp4 (#6253)
• 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
• add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
• Pull request for etcd-encrypt (#6259)
• OCP4 CIS 5.2.3 (#6244)
• Update api_server_audit_log_path to use different apiserver conf file (#6240)
• OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
• OCP4 CIS 5.2.4 (#6242)
• Add OCP4 1.3.7 Benchmark (#6220)
• ocp4: Add check for CIS 1.2.19 (#6236)
• Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
• Api server kubelet https (#6215)
• Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
• Add rule for CIS 4.1.9 (#6210)
• Cis node 4.1.8 (#6196)
• OCP CIS 1.2.7 (#6209)
• Fix rules so no there are no "missing extend_definition" warnings during the build (#6186)
• Fix duplicate assignment of CCE-83396-2 (#6224)
• Completed an existing ocp4 CIS 1.3.4 rule (#6202)
• Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
• add service_kdump_disabled to rhel8 ospp (#6190)
• Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
• fix typos in "references" section of RHEL7 rules (#6188)
• Add some more example content for ocp4 cis profile (#6182)
• Add ISM references (#6143)
• Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
• add mandatory packages to rhel8 ospp (#6181)
• Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
• add rsyslog rules to rhel8 ospp (#6167)
• Remove platform net-snmp from the group and use it in individual rules (#6166)
• Fix severity of RHEL 7 STIG rules (#6110)
• fix rules about sshd idle timeout (#6030)
• Update ANSSI refs (#6052)
• Move grub2_vsyscall_argument to grub2 group (#6129)
• Update rule install hips (#6039)
• Remove zIPL rule for PTI bootloader option (#6065)
• use xccdf variable in audit_audispd_network_failure_action (#6071)
• Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
• Drop "esc" package from install_smartcard_packages rule (#6083)
• Update snmpd_no_default_password (#6050)
• Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
• Fix missing CCE in rules selected by RHEL6 profiles (#6103)
• add ocil to rsyslog_nolisten (#6074)
• Remove extra ocil statement from service_cockpit_disabled (#6092)
• Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
• Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
• Update text of rule account_disable_post_pw_expiration (#6084)
• update srg for smartcard_configure_cert_checking (#6073)
• update accounts_logon_fail_delay (#6040)
• update rule disable_ctrlaltdel_reboot (#6043)
• Remove SRGs from accounts_password_pam_retry (#6045)
• Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
• Update tftpd_uses_secure_mode (#6051)
• Fix SRG mapping of audit rules (#6068)
• Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
• Minor ansible changes that fix failing rules after remediations (#6034)
• Fix typo in SLES12 STIG ID reference (#6036)
• Introduce ability to set check_existence to yaml template (#6177)
• Introduced macros for working with XCCDF values into the wide content (#6048)
• Anaconda moved to pykickstart (#6255)
• Create custom OVAL check for uefi_no_removeable_media (#6276)
• Parametrize rule for login.defs hashing algorithm (#6290)
• As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
• Fix regex in aide rules to consider first letter as uppercase (#6152)
• Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
• Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
• Use resolved profiles in rule playbooks (#6080)
• Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
• Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
• Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
• update accounts_maximum_age_login_defs (#6027)

Tests:

• Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
• OCP4: Add manual remediation capabilities to e2e tests (#6318)
• OCP4: Enhance e2e tests to check individual rules (#6315)
• Remove the option to enable/disable "mask" a service (#6298)
• Update ocp4 e2e test dependencies (#6128)
• Force shutdown of VM if it cannot be shutdown gracefully (#6098)
• e2e/ocp4: Display more verbose logs for e2e tests (#6192)
• ocp4: Don't fail on transcient error (#6161)
• ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
• ocp4: Use ScanSettingBindings for e2e tests (#6297)
• allow install_vm.py to create UEFI based machines (#6285)
• Make sure aide_build_database scenarios do not fail when database dosn't exist (#6183)
• SSGTS various test scenarios metadata updates (#6136)
• Implemented packages metadata to the test suite (#6126)
• SSGTS combined mode: use all profile where applicable (#6146)
• SSGTS various test scenarios metadata updates (part 2) (#6145)
• SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
• Removed profile from test metadata where not needed (#6114)
• Add a test for missing CCEs (#6097)
• Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
• OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
• OCP4: Verify CIS 1.3 section (#6302)

Highlights:

• huge update of rhel7 stig profile
• Introduced a minimal reference-rule mapping generator (#5946)

Profiles changed in this release:

• rhel7: ospp, hipaa, stig
• rhel8: ospp, hipaa, stig
• ocp4: moderate, e8
• ol8: ospp
• rhcos4: moderate, ncp

Profiles:

• Select sshd_disable_rhosts in RHEL7 STIG profile. (#6019)
• Select sshd_disable_user_known_hosts in RHEL7 STIG profile. (#6021)
• Update RHEL7 STIG profile to use pam unlock_time=900. (#6011)
• Remove rules that are not present on RHEL STIG v2r7 anymore. (#5975)
• Update hipaa description (#5957)
• Select uefi_no_removeable_media in DISA RHEL7 STIG profile (#5987)
• Update dconf_gnome_disable_ctrlaltdel_reboot and select it in RHEL7 STIG profile (#5993)
• Add new rule dconf_gnome_disable_ctrlaltdel_logout to RHEL7 STIG (#5992)
• Add a missing Crypto Policy rule to OSPP. (#6007)

Rules:

• Introduced rule to disable XDMCP in gdm (#5997)
• Update OVAL check and remediations for sshd_use_priv_separation. (#6022)
• Set sshd_do_not_permit_user_env to pass even with missing parameter. (#6018)
• Update network_sniffer_disabled (#6000)
• Add Fedora product to package_bind_removed rule prodtype (#6017)
• Fixed dconf_gnome_screensaver_idle_activation_enabled wrt RHEL7 STIG (#6016)
• Update sle15 product with specific package names and permissions (#6012)
• Update RHEL7 STIG id for grub2_uefi_password to match RHEL >= 7.2. (#6009)
• Added SRG to configure_ssh_crypto_policy (#6008)
• update severity of package_vsftpd_removed (#6002)
• remove srgs from package_openssh-server_installed (#6001)
• implement V-72095 for stig (#5985)
• remove nonexistent srg from audit_rules_usergroup_modification_opasswd (#5998)
• Fix minor description issue in dconf_gnome_login_banner_text (#5994)
• remove redundant srg from audit_rules_privileged_commands_umount (#5983)
• Add RHEL7 STIG ID to sysctl_net_ipv4_conf_default_rp_filter (#5990)
• Add RHEL7 STIG ID to sysctl_net_ipv4_conf_all_rp_filter (#5989)
• Remove extra zero on SRG ref mapping from kernel_module_dccp_disabled (#5991)
• Remove duplicated STIG ID entry in libreswan_approved_tunnels (#5988)
• Add an evaluation for OpenShift allowedRegistries (#5906)
• Add ansible remediation for accounts_have_homedir_login_defs (#5942)
• fix descriptions of rules audit_rules_privileged_command_* (#5980)
• fix descriptions and ocils of audit_rules_execution_* (#5981)
• Update DISA CCI for rpm_verify_hashes (#5979)
• Remove wrong CCI number from no_files_unowned_by_user (#5966)
• Fix typo in OCIL checking command for file_groupownership_home_directories (#5968)
• remove perm=x from rules about auditing of privileged commands (#5956)
• Update rule dconf_gnome_screensaver_lock_locked (#5959)
• Fix syntax in OCIL checking command for accounts_user_dot_no_world_writable_programs (#5969)
• remove SRG mapping from audit_rules_dac_modification_lsetxattr (#5962)
• Update kernel_module_disabled template to add modules into exclude list (#5963)
• Fix typo in grub password rules (#5964)
• Update dconf_gnome_banner_enabled to use local.d dconf database (#5951)
• Use full CCI and STIG identifiers (#5606)
• Add grub2 platform to grub2 kernel option rules (#5952)
• add xccdf variable into ocil of auditd_data_retention_action_mail_acct (#5953)
• Update rpm_verify_hashes according to STIG RHEL7 v2r7 (#5918)
• Remove OVAL check from rule install_antivirus (#5947)
• Update aide_verify_ext_attributes OVAL and Bash (#5945)
• Update aide_verify_acls (#5941)
• Reference relevant OSPP requirements that depend on correct crypto-policy selection via var_system_crypto_policy (#5935)
• The OSPP requirements for cryptographically verifying the integrity of updates are FPT_TUD_EXT.1.2 and FPT_TUD_EXT.2.2 (#5934)
• The CC/OSPP requirement for handling authentication failures is FIA_AFL.1 (#5933)
• The CC/OSPP requirement for the TOE access banner is FTA_TAB.1 (#5932)
• Harden OpenSSL crypto policy (#5925)
• Update file permissions/ownership/group bash template to better support "file_regex" parameter (#5921)
• Add template for zIPL boot entry option (#5908)
• fix rule selinux_all_devicefiles_labeled (#5911)
• Reorganize zIPL rules (#5888)
• add missing cces to rules in ism_o profile (#5913)
• Converted kube remediation to use the macro (#5904)
• Revert back OVAL check for sshd_disable_compression to use xccdf variable. (#6031)
• Update ansible additional when statement to fix issues with rules not being applied to vm's (#5995)
• Check sssd conf.d files and fix bash remediation for sssd_enable_pam_services (#6014)
• Update accounts_passwords_pam_faillock_unlock_time to work with "never" as value (#6003)
• Cleanup audit_rules_login_events ansible remediation template (#5978)
• Update auditd audispd configure remote server (#5949)
• Add ansible remediation for dconf_gnome_screensaver_idle_activation_locked (#5960)
• Update OVAL check and remediation for aide_use_fips_hashes (#5972)

Tests:

• Remove Fedora platform from test scenarios working with FIPS:OSPP crypto policy (#6023)
• Introduce quick tests (#6013)
• Remove SCAP-1.3 SCAPVAL workarounds (#6005)
• add tests to audit_rules_kernel_module_loading_finit (#5999)
• add tests to audit_rules_usergroup_modification template (#5996)
• Use helper functions to install dconf and gdm. (#5970)
• Enabled support for both podman2 in the ssg test suite. (#5924)
• Print different command to get IP address when using fish shell. (#5907)

Highlights:

• Add SSG content for McAfee VSEL (#5864)
• Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
• Add RHCOS4 product (#5775)
• Add ubuntu cis profile (#5750)

Profiles changed in this release:

• rhel8: ospp, cis, ism_o, stig
• ocp4: cis, moderate, platform-moderate, coreos-ncp, opencis-node, ncp, e8
• vsel: stig
• rhcos4: coreos-ncp, ncp, moderate, e8
• firefox: stig
• rhel7: cis, stig
• sle15: cis
• ubuntu1804: cis

Profiles:

• Creation of Australian ISM 'Official' RHEL 8 profile (#5861)
• Attribute credit for CIS content (#5779)
• Update CoreOS profile to short name (#5834)
• rhcos4: Remove checks for nmcli permissions (#5826)
• Sle15 cis (#5807)
• Add ubuntu cis profile (#5750)

Rules:

• Add stigid reference to rpm_verify_ownership according to STIG RHEL7 v2r7 (#5919)
• Fix file regex in OCP3 content (#5920)
• Fix of issues seen with OpenShift 3.11 (#5860)
• Add zipl and grub2 CPEs (#5905)
• Add ocp rules to cis profile (#5872)
• Update RHEL7 documentation link for grub2_uefi_admin_username. (#5890)
• fix filename in configure_openssl_crypto_policy (#5885)
• Add SSG content for McAfee VSEL (#5864)
• Add 'bls_audit_option' rule (#5793)
• Add OCP XCCDF CIS policy rules (#5833)
• Updating Firefox content (#5858)
• OCP4 allowed registries (#5839)
• Template for yamlfilecontent checks (#5758)
• Remove grub documentation links from RHEL7 rationale (#5851)
• More CIS OCP checks (#5837)
• Update OCP permissions add master, worker, and general content changes (#5838)
• Add OCP4 CIS API server XCCDF content (#5843)
• Add support for blacklisting directories when doing system-wide file scans (#5804)
• Finish RHCOS product migration (#5835)
• Add missing CCEs for CIS RHEL8 (#5781)
• Update unowned user rule warning (#5806)
• Add dev_shm rules to rhel7 stig profile (#5830)
• add rule ssh_client_rekey_limit (#5788)
• pkgname@debian auditd (#5809)
• Add RHCOS4 product (#5775)
• Add rules to configure zIPL (#5784)
• Made the rule sshd_rekey_limit parametrized (#5772)
• Introduced a rule that uses non-standard yaml checks (#5326)
• Cis partitions rules (#5749)
• Add Ansible for ensure_logrotate_activated (#5753)
• Change oval check to verify if we're in OCP4 (#5824)
• Use templates to generate Machineconfigs (#5814)
• Simplify check for no_shelllogin_for_systemaccounts (#5810)
• change sshd rekey limit to 1G 1 hour in rhel8 ospp (#5782)
• Create macro for selinux ansible/bash remediation. (#5785)
• Fix ansible/bash remediation for rule grub2_enable_selinux. (#5787)
• fix rhel8 hipaa ansible playbook (#5777)
• Add Ansible for audit_rules_system_shutdown (#5761)
• Add Bash and Ansible remediations for sshd_set_max_sessions (#5757)

Tests:

• test_parse_affected.py: Handle empty rendered content (#5840)
• Add test scenario for sshd_rekey_limit to cover OSPP profile (#5827)
• add simple tests for sshd_do_not_permit_user_env (#5829)
• Remove result files when test scenarios pass (#5812)
• ocp4: Test amount of check results for scans (#5803)
• ocp4: Check for diminishing failures in e2e test (#5794)
• ocp4: Create complianceSuites in debug mode (#5798)
• OCP4: Add remediation equality unit tests (#5743)

Highlights:

• Add initial macOS content (#5334)
• Feature suse 15 (#5305)
• Add RHEL 7 and RHEL8 CIS profiles
• Add SLE15 CIS Profile
• RHV4 product is now el8 based (#5352)

Profiles changed in this release:

• ocp4: moderate, coreos-ncp, e8
• rhel7: cis, rhelh-stig, C2S, stig
• rhv4: rhvh-vpp, rhvh-stig
• rhel8: cis, stig
• sle15: cis, standard
• ol7: stig
• macos1015: moderate

Profiles:

• ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
• Added warning about profile not working with GUI systems. (#5734)
• OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
• ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
• ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
• ocp4: enable sysctl security settings in moderate profile (#5591)
• ocp4: Enable sysctl file system settings in moderate profile (#5592)
• change rules for disabling ipv6 in CIS profile (#5574)
• macOS build fixes (#5347)
• ocp4: Remove the rule that disables user namespaces (#5268)
• fix rule sshd use approved macs (#5300)
• Feature suse 15 (#5305)
• Add Initial RHEL 7 CIS profile (#5306)
• Clear up coreos profile titles and descriptions (#5280)

Rules:

• Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
• Update sshd crypto policy for CC (#5742)
• Create machine configuration for the rule no tmux in shells (#5641)
• Fix several audit-related ignition remediations (#5651)
• Ubuntu1804/cis kernel module rules (#5722)
• update prodtype for sysctl_net_ipv4_ip_forward (#5679)
• Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
• ocp4: Add missing AC-1 checks to moderate profile (#5718)
• Add missing CCE for sshd_set_max_sessions rule (#5710)
• Fix audit_basic_configuration ignition remediation (#5642)
• Reference should not point to OS version. (#5660)
• Warn about only local user backends being considered (#5657)
• remove remediations for configure_etc_hosts_deny (#5652)
• New Ignition files for audit and SSHD (#5640)
• Fix template mount_option_removable_partitions (#5278)
• Added more SLES Support (#5613)
• Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
• Update ol7 stig references and severity values (#5575)
• Issue 5529 (#5579)
• add missing cce for sshd_disable_tcp_forwarding (#5614)
• Update sshd disable x11 forwarding (#5610)
• Allow tcp forwarding (#5607)
• update limit-related rules to allow limits.d (#5600)
• Feature suse15 cis (#5578)
• Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
• fix sshd_allow_only_protocol2 (#5582)
• Feature sle15 cis (#5567)
• Issue 5524 (#5554)
• Add e8 profile for ocp4 (#5560)
• Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
• Added OL product support to stig rules (#5556)
• Fix ol8 condition in accounts-physical rules (#5559)
• Move RHV4 product to be el8 based (#5352)
• Feature suse 15.1 (#5548)
• fix rule disabling ipv6 through grub2 (#5547)
• add rule ntpd_run_as_ntp_user (#5291)
• Add missing CCEs to rules from RHEL7 CIS profile (#5546)
• add ntpd_configure_restrictions for rhel7 (#5282)
• Update rhel7 CIS selections (#5349)
• add rules for checking legacy "+" entries in passwd related files (#5339)
• add grub2_disable_ipv6 (#5324)
• Add initial macOS content (#5334)
• Add rules to check permissions and owner of important backup account files (#5317)
• Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
• Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
• Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
• add rule configure_etc_hosts_deny (#5332)
• Select new rules in RHEL 7CIS Profile (#5331)
• Add missing CCEs for rules from CIS profile (#5329)
• add rule package_openldap-clients_removed (#5316)
• add rule package_libselinux_installed (#5312)
• Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
• Banner and cron permissions and owners (#5302)
• Select rules for audit login events (#5296)
• Select package_audit_installed (#5292)
• Update audit data retention selects and variables (#5294)
• remove ntp mention from rule title (#5309)
• Feature suse 15 (#5311)
• add rule service_rsyncd_disabled (#5318)
• Select rules for system file permissions (#5301)
• Select rules for SSH and add references (#5297)
• Parametrized the sshd_use_approved_ciphers rule (#5308)
• add chronyd_run_as_chrony_user (#5298)
• Add rules for Chrony on rhel8 (#5273)
• Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
• Extracted a grub superuser username rule from the grub2_password rule (#5276)
• Add XCCDF conflicts and requires (#5281)
• Initial RHEL 8 CIS profile (#5236)
• Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
• fix grub2_bootloader_argument template (#5756)
• Add Ansible for kernel_module_ipv6_option_disabled (#5737)
• Ansible remediation and tests for audit_rules_immutable (#5609)
• add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
• Add Ansible fixes for audit time rules (#5720)
• Add audit field to the Ansible syscall macros (#5724)
• add Ansible remediation and tests for audit_rules_session_events (#5721)
• Introduce Ansible macros for remediating Audit syscall rules (#5709)
• fix ansible remediations to avoid creating duplicate entries (#5650)
• Update Ansible when statement to handle only containers (#5052)
• add ansible and tests to audit_rules_mac_modification (#5638)
• Fix missing ignition remediations (#5644)
• add ansible remediation to audit_rules_kernel_module_loading (#5594)
• Fix audit_rules_privileged_commands remediation (#5569)
• Fix rule banner_etc_motd (#5319)
• Improved handling of grub2 password/admin checks. (#5313)
• Ansible audit sysadmin actions (#5288)
• Simplify banner text syntax and add utility to generate banner regular expression (#5050)

Tests:

• Fix incomplete temporary file (#5747)
• Add unit test for kubernetes object remediations (#5636)
• ocp4: Expand unit tests to validate profile selections (#5648)
• Flush the write buffers after write. (#5748)
• Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
• Added possibility of the test suite to expand platforms of the benchmark (#5550)
• Fix SSGTS when running with python3 and writing binary data to file. (#5711)
• shared/partition.sh: Increase the size of a test device (#5566)
• ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
• Skip generation of remediation when using special the default profile (#5571)
• Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
• Fix test scenarios for auditd_data_retention_flush rule (#5624)
• ocp4/e2e: display remediations for second scan (#5585)
• ocp4: e2e test continuation (#5354)
• ssg test suite: wait 30 seconds for reboot to finish (#5572)
• Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
• ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
• add configure_etc_hosts_deny to ignored rules (#5348)
• ocp4: reset client in e2e tests after installing operator (#5344)
• ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
• ocp4: Add go dependencies to test directory (#5338)
• Extend timeout for VM restarts (#5330)
• ocp4: Add initial e2e test (#5321)
• SSGTS: addressed incompatibilities with python2 (#5295)
• SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)

Highlights:

• Add OL8 Essential Eight profile (#5211)
• Add support to Ignition remediation type (#5137)

Profiles changed in this release:

• ol8: pci-dss, e8, ospp
• rhel8: pci-dss, stig, ospp
• ocp4: coreos-ncp, moderate
• sle12: stig
• rhel7: stig

Profiles:

• Add OL8 Essential Eight profile (#5211)
• Remove ocp4 checks (#5216)
• Update OL8 PCI-DSS profile (#5191)
• Add rsyslog TLS configuration to STIG (#5167)
• Re-add configure_firewalld_rate_limiting to rhel7 stig profile (#5168)
• remove Rsyslog rules from OSPP for Rhel8 (#5158)
• ocp4/moderate: Remove check for AIDE package (#5146)
• PCI-DSS profile should install audispd plugins (#5124)
• Adjust OL8 OSPP profile (#5210)
• ocp4/moderate: Enable more kernel module checks (#5136)
• ocp4: Add controls that cover AC-2 better (#5134)
• rhel8: modify rule selections for OSPP and STIG to meet baselines (#5181)
• Enable rules that cover AU-9 better in OCP4 moderate profile (#5138)
• ocp4/moderate: Add CM-* checks (#5129)
• Add moderate profile (#5128)
• Add dconf_db_up_to_date to RHEL8 STIG profile. (#5274)

Rules:

• Sort prodtypes lexicographicaly (#5130)
• Added OL support to ospp profile rules (#5203)
• Update rpm_verification group rules with OL support (#5204)
• Add OL support to packages and services rules (#5198)
• Add OL support to policy audit rules (#5197)
• Add OL support to configuring_ipv6 rules (#5196)
• Add OL support to the partitions mount rules (#5195)
• Add OL support to accounts user_umask rules (#5194)
• Also remove 389-ds LDAP server (#5186)
• Add check for read-write SNMP users (#5185)
• Add RADIUS group and rule to remove server (#5188)
• Permit setting sshd GSSAPI to yes (#5184)
• Stig sle12 security patches up to date (#5192)
• network_host_and_router_parameters group as machine-only (#5190)
• Remove krb5-server (#5187)
• Permit enforcement of nosuid on /var (#5183)
• Add CCE identifier for openssh-server installed (#5189)
• create checks for (grub2|uefi)_no_removeable_media (#5178)
• Map missing SRG rules (#5177)
• Split rule for audit sample rules according to audit component (#5110)
• Add and fix few entries of SRG mapping (#5170)
• create new rule for ipv4 tcp rate limiting through sysctl (#5126)
• Add a rule for the openssl strong entropy wrapper (#5127)
• Update OVAL templates with oval_affected macro. (#5148)
• Add CCE identifiers to OCP moderate profile rules (#5149)
• Add ocp4 prod to grub2_enable_fips_mode (#5140)
• Add CoreOS CCE for service_auditd_enabled (#5133)
• Added a few NIST references to audit related rules (#5131)
• Add a shell lineinfile template (#5109)
• Check EKU in rsyslog remote configuration (#5119)
• audit package on ubuntu* is auditd. (#5117)

Tests:

• fix wrong value in test scenario (#5214)
• Introduce resolved profiles, and test for profile stability (#5209)
• Fix newline discrepancies in jinja macros for file content (#5202)
• fix regex in accounts_passwords_pam_faillock_deny (#5166)
• Add support to Ignition remediation type (#5137)
• Update crypto policies ospp scenarios (#5121)
• Don't check for path length of logs directory (#5122)

Highlights:

• New product added for Debian 10 (debian10)
• New product added for Red Hat OpenStack Platform 10 (rhosp10)
• New draft Profile for RHEL8 STIG

Profiles changed in this release:

• rhosp10: cui, stig
• debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
• rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
• rhel7: e8, sap
• ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
• sle12: stig

Profiles:

• Add security autoupdates to the RHEL8 E8 profile. (#5107)
• E8: ensure there is a single account with uid zero (#5105)
• Add draft RHELH content for rhel8 (#5040)
• Remove SSSD rules from RHEL8 OSPP Profile (#5032)
• Updated the e8 profile for RHEL8. (#5024)
• Add draft RHEL8 STIG profile (#4991)
• Remove coreos-fedramp profile (#4994)

Rules:

• Rhosp10 (#5019)
• Add debian10 content (#5058)
• Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
• Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
• Update NIST 800-53 mappings (#5083)
• NIST 800-53 Mapping Updates (#5079)
• Delete rules in favour of package_subscription-manager_installed (#5059)
• Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
• Add missing CCE for package_telnetd_removed rule (#5090)
• PermitUserEnvironment Checks For Incorrect Setting (#5087)
• Use the FIPS:OSPP Crypto Policy (#5072)
• Enable ansible template for service_fapolicyd_enable rule. (#5064)
• modify usbguard_allow_* rules to use new match-all keyword (#5055)
• Stig sle12 initial (#4847)
• Update api-server XCCDF and OVAL for ocp4-isms (#5039)
• Mark rules as platform: machine. (#5062)
• Fix OVAL applicability for RHV4 (#5053)
• Remove configure_fapolicyd_mounts rules from profiles. (#5057)
• Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
• Update api-server rules (#5034)
• Coreos build - enable more rules (#5018)
• Various minor fixes (#5025)
• Update etcd rules (#5008)
• [WIP] Add SAP profile to rhel (#3551)
• Add missing CCEs to rules from STIG profile (#5021)
• Add some NIST mappings for FISMA high (#4932)
• Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
• Ansible tasks fixes (#5004)
• make aide_periodic_cron_checking accepting broader array of time specs (#4989)
• SRG Mapping - misc rules (#4969)
• additional srg mappings (#4981)
• Verified that proper SRGs are in rules that need to be added (#4987)
• adding DISA SRG references to rules found in the OSPP profile (#4877)
• OCP4 content cleanup (#4970)
• Add Network Policies rule to OCP (#4934)
• Make coreos-ncp.profile buildable (#5001)
• Added SRG rule for auditd_audispd_configure_remote_server (#4988)
• DISA STIG SRG mappings (#4940)
• added SRG rule for Exec Shield (#4982)
• Day 2 - Yasir's Contributions (#4975)
• day 2 changes to rules with SRG info (#4974)
• add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
• Added SRG to rules (#4968)
• mapped ipv4 and ipv6 SRGs to rules (#4967)
• add SRG to rule (#4966)
• Updated to include SRG number (#4971)

Tests:

• oscap: modify using variables in the printf format (#5063)
• Improve fine-tuning of rule/group ordering (#5078)
• Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
• Extend waiting time till virtual machine is again in RUNNING state (#5041)
• SSGTS: Use wildcards instead of matching substring (#5029)
• Add waiting for RUNNING state of virtual machine (#5023)
• Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
• Fixed the remediation for rsyslog_files_permissions (#4906)

Highlights:

• New product added Debian 9 (debian9)
• New product added OpenShift container Platform 4 (ocp4)
• Add Essential Eight profiles
• New templating system enabled by default
• Move SSGTS test scenarios closer to rule definitions

Profiles changed in this release:

• rhel7: e8, C2S, ospp
• rhel8: e8, ospp
• debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
• ocp4: coreos-ncp, opencis-node
• ocp3: opencis-master
• fedora: ospp
• rhel6: C2S, stig

Profiles:

• Add Essential Eight profiles (#4859)
• Remove openshift api_server_profiling check (#4944)
• Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
• Extend SSH session to timeout while stilll allowing session to disconnect (#4954)
• Add coreos NCP profile (#4865)
• Add rules for FISMA Low to CoreOS NCP (#4873)

Rules:

• SSG debian9 (#4928)
• ocp4: Initial build system support for the OCP4 product (#4908)
• Don't require that files exist when path is regex (#4960)
• Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
• Add missing CCEs (#4956)
• Add missing prodtypes for apt rules (#4930)
• Compare suid/sgid files with the RPM database (#4648)
• Add check to set /etc/motd similar to /etc/issue (#4947)
• Set default to match syslog default (#4948)
• Add package rules to OSPP profile (#4953)
• Fill in the samples with the value from our variable (#4949)
• Add postfix relayhost check (#4950)
• Add rule to check cockpit service status (#4939)
• Set rule service_timesyncd_enabled prodtype to ubuntu 16.04 and 18.04 (#4929)
• Added missing CCEs. (#4919)
• Fix missing OVAL in some of RHEL 8 rules (#4927)
• Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
• Generate OCIL check for cramfs kernel module (#4918)
• Added OCIL for mount option-type of rules. (#4910)
• Update remetiation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
• Ported the sysctl macros to the new system. (#4843)
• Made the new templating system work with Python2.6. (#4897)
• Add WRLinux 10.19 to prodtype (#4903)
• Fix typo and add ocil clause to package_audit_installed. (#4827)
• Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
• Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
• Map AC-17 (#4894)
• Map AC-6(9) (#4895)
• Map AC-17(2) to crypto SSH policies (#4892)
• Add rule for NIST AC-18(4) (#4889)
• Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
• Map AU-7 and AU-10 to audit package (#4890)
• Run tmux only right after sshd/login (#4885)
• Fix missing content in datastreams generated by new templating system (#4883)
• Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
• Fix dnf timer rule (#4882)
• Map AU-9(3) and AU-5(2) for CoreOS (#4880)
• Update list of packages installed in RHEL8 OSPP (#4876)
• Map OCP SCC to Kubernetes benchmark (#4867)
• Merge SELinux Boolean templates and migrate them to new system (#4860)
• Fix rhel6 nist mapping typo (#4872)
• Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
• Add require_emergency_target_auth and update require_singleuser_auth (#4850)
• Enable file permissions templates in new templating system (#4857)
• Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
• Add checks for crontab and supporting cron directories (#4858)
• Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
• Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
• Postfix network listening to loopback-only (#4832)
• Update rsyslog rules description (#4839)
• Updated the rule description of configure_fapolicyd_mounts (#4835)
• Fix accounts password rules template name (#4836)
• New templating system (#4809)
• Break out api_server_service_account_key into multiple rules (#4831)
• Add openvswitch permission rules (#4830)
• AIDE periodic crontab check modification (#4824)
• Disable Mounting of FAT filesystems (#4815)
• insecure-port should not be configured (#4821)
• Fix kubelet_enable_streaming_connections Rule (#4823)
• Assign CCEs to SSH permission checks (#4819)
• Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
• Ensure proper permissions on /etc/ssh/sshd_config (#4812)
• Fix /etc/shadow permissions documentation (#4813)
• Improve template grub2 argument (#4786)
• making hardening of sshd crypto policy alligned with OSPP (#4799)
• Disable Kerberos by removing host keytab. (#4793)
• Move audit rules to correct group (#4778)
• Configure TLS for rsyslog remote logging. (#4781)

Tests:

• Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
• Use only first occurence from /etc/mtab (#4959)
• ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
• Add basic test scenarios for a few audit rules (#4907)
• Made templates product-specific. (#4841)
• Simplified the test_suite command-line. (#4808)
• Changed owner of files in the test suite tarball. (#4797)
• [WIP] Enable test suit support for podman executed by non-privileged user (#4544)
• Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
• fix grub2_argument bash remediation (#4891)
• Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
• Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
• SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
• Add test scenarios for rsyslog_remote_tls (#4788)
• SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
• ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
• Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
• Clean up partition before performing test for mount_option_tmp_noexec (#4795)
• Move SSGTS test scenarios closer to rule definitions (#4741)

Highlights:

• SCAP 1.3 Data Streams are now the default (#4755)
  • 1.2 Data Streams are suffixed with -1.2.xml
• OSPP consolidation (#4705)
  • RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
  • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
  • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

• rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
• wrlinux1019: draft_stig_wrlinux_disa
• rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
• rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
• rhv4: rhvh-stig, rhvh-vpp
• debian8: standard, anssi_np_nt28_restrictive
• ubuntu1404: standard, anssi_np_nt28_restrictive
• ubuntu1604: standard, anssi_np_nt28_restrictive
• ubuntu1804: standard, anssi_np_nt28_restrictive
• ol8: ospp, cjis, hipaa, pci-dss
• fedora: ospp, pci-dss
• ol7: stig, pci-dss

Profiles:

• Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
• Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
• RHEL OSPP Profile Restructuring (#4754)
• NCP Profile extends OSPP profile (#4764)
• Rule grub2_vsyscall_argument is informational in OSPP (#4763)
• Add suport for XCCDF rule-refine (#4750)
• Profile Restructuring (#4736)
• Update OL8 HIPAA profile (#4718)
• Update OL8 CJIS profile (#4719)
• Adding SELinux rules into OSPP profile (#4735)
• Fix section titles. (#4738)
• Remove GNOME rules from rhel7/ospp (#4724)
• The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
• When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
• Cleanup the RHEL7 ccc.profile, minimally (#4691)
• Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

• Enable fapolicyd to watch all system mountpoints. (#4773)
• Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
• Ensure rsyslog-gnutls is installed. (#4775)
• IASE was migrated to DOD Cyber Exchange (#4768)
• Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
• Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
• Update CSRF cookie secure (#4761)
• Add mask_service parameter to services disabled template. (#4633)
• Add new rhel8 aux gpg pubkey (#4675)
• Add new package installed rule specific for RHEL8. (#4673)
• Delete unused/unwanted dconf_use_text_backend rule. (#4684)
• Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
• extend oval check of configure_crypto_policy (#4757)
• Update STIG Antivirus Language (#4745)
• Log USBGuard daemon audit events using Linux Audit. (#4747)
• Harden ssh client crypto policy (#4681)
• Expanded and cleaned up csv templates. (#4739)
• SSH service rules for SLE12 (#4289)
• Single rule to configure audit rules for OSPP (#4680)
• update STIG antivirus language (#4341)
• Configure tmux to lock session after inactivity (#4737)
• Prevent user from disabling the screen lock. (#4742)
• Support session locking with tmux. (#4740)
• Remove watches since syscall rules cover all cases. (#4706)
• Update OL8 OSPP profile (#4717)
• OSPP requirements and selections (#4662)
• Enable the rngd service for OSPP. (#4733)
• Move some system-tools rules to organized with their respective configuration rules (#4726)
• Harden sshd crypto policy (#4663)
• Set number of records to cause an explicit flush to audit logs. (#4697)
• Set hostname as computer node name in audit logs. (#4701)
• Force frequent session key renegotiation. (#4711)
• Resolve information before writing to audit logs. (#4695)
• Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
• Fix typos in auditd_local_events texts. (#4698)
• Preprocess references and identifiers during the build time. (#4063)
• Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
• Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
• Disable storing core dumps. (#4650)
• Add new rule auditd_write_logs (#4649)
• new rule timer_dnf-automatic_enabled (#4614)
• New rule auditd_local_events (#4636)
• Start using oval_sshd_config jinja macros for sshd rules (#4624)
• Simplify regexp (#4762)

Tests:

• Fix _check_rule method call in SSG test suite. (#4767)
• Test suite: set bash and ansible remediation to verbose mode. (#4652)
• Fix disk configuration in OSPP anaconda kickstart file. (#4716)
• Add documentation to known issue in the test suite. (#4730)
• SSG Test suite: Add function to find remediation in the datastream. (#4714)
• Add test scenarios for configure_usbguard_auditbackend rule (#4753)
• Fix STIG IDs reference processing (#4725)
• Add syslog_files rules test scenarios (#4743)
• ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
• Add test scenarios for sshd_set_keepalive rule (#4712)
• Enable unit-testing of bash shared jinja macros (#4702)
• Parameterize Red Hat's GPG release public key. (#4683)
• Added stripping of new line when obtaining IP addr by podman inspect (#4692)
• Fixed an omission. (#4658)
• Test suite autodetect datastream. (#4657)
• Testing of set_config_file function with BATS 2 (#4659)
• Introduce tests for macro that generates OVAL (#4660)
• Test suite change logging prefix to warning (#4688)
• Test suite: Set additional SSH options when testing ansible remediations (#4674)
• Document where test scenarios are located (#4654)
• Document --url and --extra-repo of install_vm.py script (#4653)
• Quick fix for CombinedMode _modify_parameters() (#4664)
• Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
• Fix regex which looks for line in file configuration. (#4646)

Highlights:

• Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
• RHEL7 ANSSI profiles are now enabled
• Improvements to profile statistics, check them out in stats job
• New OVAL, Bash and Ansible macros for rules that check for parameter and value

Profiles changed in this release:

• rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
• fedora: pci-dss, ospp
• rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
• ol8: hipaa, cjis, pci-dss, ospp
• wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
• wrlinux8: basic-embedded
• rhel6: C2S, CS2, nist-CL-IL-AL
• chromium: stig
• firefox: stig
• ol7: stig, pci-dss

Profiles:

• Remove unnecessary packages from ospp (#4632)
• Deduplicate profile files. (#4601)
• Fixing No newline at end of file, introduced by 38fe5cf50fa6cc73a700fb779c7983845415b79d. (#4602)
• Update the RHEL8 profile (#4229)
• Add rhel7 ccc (Common Criteria Certification) profile (#4361)
• Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
• OL8 profiles update (#4374)
• Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
• Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
• misc updates to OSPP profile (#4586)
• RHVH/RHELH STIG mappings (#4033)

Rules:

• New rule dnf-automatic_security_updates_only (#4619)
• Pimp ANSSI up and enable it (#4615)
• New rule disable_tmux_status_line (#4631)
• Enable the fapolicyd service for OSPP. (#4623)
• Install fapolicyd for OSPP. (#4622)
• new rule dnf-automatic_apply_updates (#4613)
• Disable storing core dumps. (#4618)
• Enable the usbguard service in OSPP profiles. (#4611)
• Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
• Added a test for uniqueness of CCEs. (#4577)
• Add remaining rules from CC to OSPP (#4599)
• Disable the use of user namespaces. (#4569)
• Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
• Enable Kernel page-table isolation. (#4566)
• add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
• Update OSPP profile with required package checks (#4580)
• Disable CAN Support. (#4572)
• Disable ATM Support. (#4571)
• Disable IEEE 1394 (FireWire) Support. (#4573)
• update OSPP (#4446)
• Harden the kernel package filter just-in-time compiler operation. (#4564)
• Disable access to network bpf() syscall from unprivileged processes. (#4563)
• Disallow kernel profiling by unprivileged users. (#4547)
• Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
• Add nodev Option to /var. (#4542)
• Add nodev Option to /boot. (#4453)
• Add nosuid Option to /boot. (#4452)
• Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
• Disable chrony daemon from acting as server. (#4445)
• Disable network management of chrony daemon. (#4449)
• Map more rules into Anssi policy (#4439)
• ANSSI network sysctl (#4345)
• Fix typo. (#4423)
• Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
• Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
• Anssi updates (#4351)
• OSP13 Checks (#4364)
• Smartcards auth in OL8 should be done via sssd (#4377)
• Remove dconf_use_text_backend rule from profiles. (#4375)
• Make hardened containers smaller (#4357)
• Scap 1.3 content adjustments (#4353)
• Generate check and remediation for rules regarding sys controls for links to file you not own (#4346)
• Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
• Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
• Rename group sap to sap_host (#4332)

Tests:

• Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
• Add tests for kernel_module_firewire-core_disabled rule. (#4605)
• Document combined mode in tests/README.md (#4590)
• install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
• Remove ansible_playbook_set_hosts function from test suite (#4576)
• Add profile metadata override in rule mode (#4578)
• Fix test scenarios for mount option home nosuid (#4579)
• Fix minlen test scenarios and include RHEL8 platform (#4450)
• Print an error message when rule isn't found (#4454)
• Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
• Enable the (all) virtual profile in the rule-based test suite. (#4441)
• Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
• Install just things needed for the sssd service to run. (#4396)
• Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
• Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
• Fix audit rules openat_o_trunc_write test scenarios. (#4438)
• Add verbose output to the verbose logs (#4431)
• Fix broken test scenario name (#4426)
• Add option for extra repository in install_vm.py script. (#4421)
• Change test scenarios for rule rpm_verify_permissions (#4344)
• tests/install_vm.py: Do not abort if ostype detection fails (#4343)
• Use VM install repo URL on the installed system (#4338)
• Workaround SCAPVal 1.3.2 NullPointerException (#4339)
• Use separate partition for /var/tmp in tests/kickstart (#4337)
• Add test wrapper around SCAPVal tool (#4327)
• Fix-ups and remote host support for tests/install_vm.py (#4328)

Highlights

• SCAP 1.3 DS generated along side SCAP 1.2 DS
• An Ansible Playbook is generated for each rule
• Remediation roles terminology fixed
  • Ansible "roles" are now called Playbooks
  • Bash "roles" are now called bash scripts Introduction of package CPEs for Rule applicability
• Content will detect Podman as a container environment
• Several fixes in Ansible snippets so that they don't error during execution

Products and Profiles

• Significant content additions and bugfixes for OpenShift
• Enable RHV-H and RHEL-H draft STIG profiles
• RHEL7 STIG profiles renamed to have shorter ID
• RHEL7 nist-800-171-cui renamed to cui
• New rules enabled for SLE12

Rules

• FIPS regulatory warning updated
• Rules not relevant for containers tagged as machine only
• Fixed duplicated CCEs

Documentation

• Documentation in Build.md merged into Developer Guide
• Mention profile_stats.py in Developer Guide
• Update Ansible section in Developer Guide
• Add documentation to build zipfile target

Infrastructure

• Rename profile_stats to profile_tool and update usage by CMake.
• CCE checksums are now validated
• Update ansible template, readme, and script to bring in line with Ansible Galaxy

Full list of issues and pull requests closed in this release