Openscap Versions

NIST Certified SCAP 1.2 toolkit

1.3.10

2 months ago
  • New features
    • Dump all env. variables that affect the behaviour at INFO log level
    • Support Blueprint services customization for masking
    • Fix Blueprint template to be self-contained
    • Add a refine-rule tailoring ability to autotailor
    • Introduce JSON tailoring import option for autotailor
    • Select rules based on reference
    • Skip certain paths from scanning (controlled via env. variable)
    • Introduce a limit of collected items (controlled via env. variable)
  • Maintenance, bug fix
    • Fix partition probe for PCRE2
    • Fix NSS crypto backend
    • Wrap Bash snippets in a subshell when generating a fix script
    • Improve references in HTML guides and reports
    • Update html report with OVAL details
    • Rewrite dpkginfo probe without using APT
    • Fix incorrect openscap-cpe-oval result filename
    • Implement xccdf_session_get_rule_results function in XCCDF session API
    • Implement xccdf_session_result_reset function in XCCDF session API

1.3.9

8 months ago
  • New features
    • OpenSCAP can now use PCRE2 library
  • Maintenance, bug fix
    • Fix offline mode (OVAL/sysctl)
    • Fix leak of dpkg cache when dpkginfo_init is called multiple times
    • Fix un-expanded variable in xccdf report output
    • Fix issues when parsing profiles
    • Fix minor problems and resource leaks

1.3.8

10 months ago
  • New features
    • The boot-time remediation service for systemd's Offline Update mode is now disabled by default
    • Add offline capabilities to the shadow OVAL probe
    • Add offline capabilities to the sysctl OVAL probe
    • Add 'auristorfs' to list of network filesystems
    • Add new experimental linux-bound fwupdsecattr probe for system firmware security attributes (fwupd-based)
  • Maintenance, bug fix
    • Use ListUnitFiles D-Bus method to fetch all units in systemd OVAL probe
    • Fix minor resource leaks
    • Workaround for issues with tailoring files produced by autotailor

1.3.7

1 year ago
  • Maintenance, bug fix
    • Fix error when processing OVAL filters (rhbz#2126882, rhbz#2126883)
    • Don't emit xmlfilecontent items if XPath doesn't match (rhbz#2138884, rhbz#2139060)
    • Prevent "Failed to check available memory" errors (rhbz#2109485, rhbz#2111040)
    • Make epoch comparison less strict for dpkg
    • Generate graphs when creating Doxygen documentation
    • Fix build on Fedora 37 and Rawhide
    • Fix some compiler warnings
    • Infrastructure and test suite fixes
    • Use more conscious language
    • Fix typos and update documentation

1.3.6

2 years ago
  • New features
    • Select and exclude groups of rules on the command line
    • The boot-time remediation service for systemd's Offline Update mode
    • Memory limit control using OSCAP_PROBE_MEMORY_USAGE_RATIO environment variable
    • Allow disablement of SHA-1 and MD5
    • Allow providing pre-downloaded components
    • Introduce OSBuild Blueprint fix type
  • Maintenance, bug fix
    • Fix coverity issues
    • Patch the segfault in dpkginfo_fini()
    • Add an alternative source of hostname
    • Fail download on HTTP errors
    • Compile "environmentvariable_probe" on Windows
    • FreeBSD build and test fixes
    • Add offline mode for password probe
    • Initialize crypto API only once
    • Fix UBI 9 scan
    • oval/yamlfilecontent: Add 'null' values handling
    • Do not set Rpath
    • Do not split XCCDF:requires with multiple idrefs
    • Allow empty /proc in offline mode

1.3.5

3 years ago
  • New features
    • Enabled Schematron-based validation by default for the validate command of the oval and xccdf modules
    • Added SCAP 1.3 source data stream Schematron
    • Added XML Signature Validation
    • Added --enforce-signature option for eval, guide, and fix modules
    • Added entity support (OVAL/yamlfilecontent)
    • Allowed clamping mtime to SOURCE_DATE_EPOCH
    • Added severity and role attributes
    • Added support for requires/conflicts elements of the Rule and Group (XCCDF)
    • Added Kubernetes remediation to HTML report
  • Maintenance, bug fix
    • Fixed CMake warnings
    • Made 'gpfs', 'proc' and 'sysfs' filesystems non-local
    • Fixed handling of '--arg=val'-styled common options
    • Documented used environment variables
    • Updated man page and help texts
    • Added --skip-validation option synonym for --skip-valid
    • Fixed behavior of StateType operator
    • Fixed some of the coverity warnings
    • Ignored namespaces in XPath expressions
    • Fixed how oval_probe_ext_eval checks absence of the response from the probe (obtrusive data warning)
    • Described SWID tags detection
    • Improved documentation about --stig-viewer option
    • File probe behaviour fixed (symlink traversal now behaves as defined by OVAL)
    • Fixed multiple segfaults and broken test in --stig-viewer feature
    • Added dpkg version comparison algorithm
    • Plugged some memory leaks
    • Fixed TestResult/benchmark/@href attribute
    • Fixed memory allocation
    • Fixed field names for cases where a key selection section is followed by a set section (probes/yamlfilecontent)
    • Changed hard-coded libperl path in favor of the FindPerlLibs method
    • Check local filesystems when using 'filepath' element

1.3.4

3 years ago
  • New features
    • Add support for FreeBSD
    • Make use of the HTTP header Content-Encoding: gzip if available
    • Improved yamlfilecontent: updated yaml-filter, extended the schema and probe to work with a set of values in maps
  • Maintenance, bug fixes
    • Fixed a lot of warnings (GCC and Clang)
    • Cmake now can find mingw32-winpthreads
    • A lot of memory management fixes
    • A lot of memory leaks have been plugged
    • Refactored rpmverifyfile probe and fixed memory leak
    • Fixed SEGFAULT caused by recursive and circular dependencies between OVAL definitions
    • Fixed DOM representation of the profile platform
    • Test suite: better portability, more granularity in results, inclusion of memory-related tests
    • Compatibility with uClibc
    • Local and remote file system detection method was improved
    • Fixed dpkginfo probe to use pkgCacheFile instead of manually opening the cache
    • Make the report a valid HTML5 document
    • oscap-podman: force unmount and removal of temporary container
    • Fixed unwanted recursion in file probe
    • oscap-docker: fixed for the case when Atomic is not present

1.3.3

4 years ago
  • New features
    • Added a Python script that can be used for CLI tailoring (autotailor)
    • Added timezone to XCCDF TestResult start/end time
    • Added yamlfilecontent independent probe (proposal/draft implementation), see https://github.com/OVAL-Community/OVAL/issues/91 for more information
    • Introduced urn:xccdf:fix:script:kubernetes fix type in XCCDF
    • Added ability to generate machineconfig fix
  • Maintenance, bug fixes
    • utils/oscap-podman: Detect ambiguous scan target
    • Fixed #170: The rpmverifyfile probe can't verify files from '/bin' directory
    • The data returned by the system_info probe for offline and online modes is consistent and up to date
    • Prevent crashes when complicated regexes are executed in textfilecontent58 probe
    • Fixed #1512: Severity refinement lost in generated guide
    • Fixed #1453: Pointer lost in Swig API
    • Evaluation Characteristics of the XCCDF report are now consistent with OVAL entities from system_info probe
    • Fixed filepath pattern matching in offline mode in textfilecontent58 probe
    • Fixed infinite recursion in systemdunitdependency probe
    • Fixed the case when CMake couldn't find libacl or xattr.h

1.3.2

4 years ago
  • New features
    • Offline mode support for environmentvariable58 probe
    • The oscap-docker wrapper is available without Atomic
  • Maintenance, bug fixes
    • Improved support of multi-check rules (report, remediations, console output)
    • Improved HTML report look and feel, including printed version
    • Less clutter in verbose mode output; some warnings and errors demoted to verbose mode levels
    • Probe rpmverifyfile uses and returns canonical paths
    • Improved a11y of HTML reports and guides
    • Fixes and improvements for SWIG Python bindings
    • #1403 fixed: Scanner would not apply remediation for multicheck rules (verbosity)
    • Fixed URL link mechanism for Red Hat Errata
    • New STIG Viewer URI: public.cyber.mil
    • Probe selinuxsecuritycontext would not check if SELinux is enabled
    • Scanner would provide information about unsupported OVAL objects
    • Added more tests for offline mode (probes, remediation)
    • #528 fixed: Eval SCE script when /tmp is in mode noexec
    • #1173, RHBZ#1603347 fixed: Double chdir/chroot in probe rpmverifypackage

1.3.1

4 years ago
  • New features
    • Support for SCAP 1.3 Source Datastreams (evaluating, XML schemas, validation)
    • Introduced oscap-podman -- a tool for SCAP evaluation of Podman images and containers (rhbz#1642373)
    • Tailoring files are included in ARF result files (#902)
    • OVAL details are always shown in HTML report, users do not have to provide --oval-results on command line
    • HTML report displays OVAL test details also for OVAL tests included from other OVAL definitions using extend_definition (#916, #954)
    • OVAL test IDs are shown in HTML report
    • Rule IDs are shown in HTML guide (#1293)
    • Added block_size in Linux partition_state defined in OVAL 5.11.2
    • Added oscap_wrapper that can be used to comfortably execute custom compiled oscap tool
  • Maintenance, bug fixes
    • Remote filesystems mounted using autofs direct maps are not recognized as local filesystems (rhbz#1655943)
    • SCAP source datastreams containing remote components can be evaluated without downloading remote data (rhbz#1709423)
    • Fixed duplicated variables in generated Ansible Playbooks
    • Fixed trailing whitespace characters in Ansible Playbooks
    • Correctly handle multiline profile titles and profile descriptions in generated Ansible Playbooks (#1112)
    • Fixed STIG Viewer output (--stig-viewer) to handle multiple rules that have the same STIG ID
    • Fixed incorrect displaying of OVAL test results in HTML report
    • Fixed segmentation fault in offline mode caused by usage of chroot file descriptor after closing (rhbz#1636431)
    • Fixed textfilecontent54 probe to not ignore max_depth, recurse, recurse_direction and recurse_file_system attributes of behaviors element when filepath element is given (rhbz#1655943)
    • Added CMake policies (CMP0078 and CMP0086) related to UseSWIG
    • Added RHEL 8 CPE, Fedora 31 CPE, Oracle Linux 8 CPE
    • Fedora CPEs fixed to work also on Fedora >= 30
    • Fixed segmentation fault in CVRF module (rhbz#1642283)
    • Fixed unresolved symbols in libopenscap_sce.so
    • Fixed memory leaks in Windows registry probe (#1269)
    • Fixed many GCC compiler warnings
    • Removed dead code from fsdev module
    • Many new test cases in upstream test suite
    • Refactoring
    • Updated Developer Guide
    • Updated manual pages