Content 0.1.73
github-actions
released this
16 May 18:44
·
2655 commits
to master
since this release
Important Highlights
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
- Generate rule references from control files (#11540)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
New Rules and Profiles
- Add and modify rules file/dir_permissions_system_journal (#11840)
- Add ANSSI Profiles for RHEL 10 (#11787)
- Add initial RHEL 10 PCI DSS profile (#11872)
- Add new rule file_permissions_sudo (#11584)
- Add new templated rules for System.map files (#11640)
- ANSSI R31 updates (#11560)
- Audit watch on /etc/sysconfig/network-scripts (#11724)
- CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#11651)
- CMP-2375: Implement a new rule for checking audit logging is enabled (#11731)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Inital RHEL 10 STIG (#11793)
- Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#11820)
- Openembedded fixes (#11652)
- Update ANSSI R50 (#11588)
Updated Rules and Profiles
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_umask_etc_bashrc: extend handled cases of umask (#11822)
- Add a note to ANSSI R23 (#11571)
- Add a warning to sshd_limit_user_access (#11507)
- Add automation to enable faillock rules (#11458)
- Add platform machine to systctl.d rules (#11622)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align chronyd_sync_clock to Ubuntu 22.04 STIG (#11883)
- Align rule encrypt_partitions with Ubuntu 22.04 STIG (#11889)
- Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#11843)
- ANSSI R31 updates (#11560)
- api_server_encryption_provider_cipher rule.yml has bad jsonpath (#11099)
- CMP 2453 pci dss requirement 1 (#11725)
- CMP-2365: Fix check for rotating kubelet server certificates (#11543)
- CMP-2372: Remove info override for virtual syscall rules (#11544)
- CMP-2378: Fix OCP version regex (#11499)
- CMP-2454: PCI-DSS v4 Requirement 2 (#11825)
- CMP-2471: Disable rules on s390x (#11743)
- Corrections in aide_periodic_cron_checking and aide_scan_notification… (#11665)
- Do not require existence of /var/tmp/tmp-inst (#11762)
- Drop retired PCI-DSS 3.2.1 for sle15 (#11798)
- ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#11851)
- extend the explanation why ANSSI R52 requirement is manual (#11629)
- Fix #11895 issue (#11897)
- Fix #11898 issue (#11899)
- Fix #11902 issue (#11905)
- Fix dconf package name for Ubuntu (#11821)
- Fix description for auditd_max_log_file_action (#11585)
- Fix kdump service name on Ubuntu 22.04 (#11914)
- Fix OCP node OVN check (#11861)
- Fix rule for accounts_authorized_local_users in SLE15 (#11602)
- Fix SCE check for ip6tables_rules_for_open_ports (#11849)
- Fix SCE checks for iptables_loopback_traffic (#11850)
- HIPAA profile for SLE 15 - update (#11582)
- Implement ANSSI requirement R69 for RHEL (#11663)
- Improve ANSSI R28 (#11626)
- Improve Rsyslog Rainer regex to find log files (#11808)
- Improve title of CCN profiles for RHEL9 (#11852)
- Make package installation for iptables and nftables mutually exclusive (#11191)
- mount_option_remote_systems: make rule not applicable if mounts not found (#11761)
- Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#11490)
- oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#11603)
- OCP4: Add container_security_operator_exists to PCIDSS profile (#11776)
- OCP4: Add rule to check ACS sensor deployed (#11675)
- OCP4: Fix rules with both platform and platforms (#11760)
- OCPBUGS-18331: Include sshd config directories in remediation template (#11551)
- OCPBUGS-20015: Add remediation for RHCOS banners (#11470)
- OCPBUGS-26193: Fix missing OCP4 STIG selections (#11423)
- OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#11635)
- Openembedded fixes (#11652)
- put exec back to configure_bashrc_exec_tmux (#11561)
- Remove
disabling_ipv6_autoconfig
rule (#11550) - Replace dead HTML links for the chronyd project (#11799)
- RHEL-09-232045: align with STIG (#11890)
- Rule had incorrect CRD reference rule.yml (#11823)
- Set the
requires
tosshd_set_keepalive
onsshd_set_idle_timeout
(#11815) - sysctl template: allow skipping of runtime checks (#11574)
- trivial: fix linting issue (#11711)
- trivial: Update link to audit profile documentation link (#11732)
- Try 4110 for file_permissions_sudo (#11805)
- ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#11715)
- Update ANSSI R29 requirement (#11633)
- Update ANSSI R32 (#11570)
- Update ANSSI R36 requirement (#11632)
- Update ANSSI R40 (#11563)
- Update ANSSI R50 (#11588)
- Update ANSSI R67 requirement (#11642)
- Update ANSSI R68 (#11580)
- Update ANSSI R71 (#11578)
- Update audit_ospp_general (#11519)
- Update CIS requirement status (#11784)
- Update CIS RHEL7 requirement 3.4.4.3.4 (#11502)
- Update CIS RHEL8 requirements related to crypto (#11506)
- update cryptopolicy used in CUI profile to fips (#11792)
- Update notes in ANSSI R3 (#11680)
- update notes of the R36 requirement for ANSSI (#11639)
- Update ol8 pcidss (#11867)
- Update ol8 profiles (#11829)
- Update ol8 stig (#11828)
- Update ol8 stig reference (#11884)
- Update ol9 pcidss (#11873)
- Update ol9 profiles (#11846)
- Update RHEL 8 STIG to V1R14 (#11878)
- Update RHEL9 STIG to V1R3 (#11877)
- Update SLE12 STIG to V2R13 (#11599)
- Update SLE15 STIG to V1R12 (#11598)
- update sles oval feed url (#11461)
- Update SRG GPOS Control File (#11634)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
- Update STIG PSC Content (#11664)
- Update sudo_dedicated_group (#11586)
- Use
string
instead ofnumber
in oauth variable (#11613) - Use controls to assign ANSSI references (#11556)
Changes in Remediations
- [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#11935)
- [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#11956)
- [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#11979)
- [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#11993)
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add Ansible remediation to sssd_enable_pam_services (#11796)
- Add Ansible Remediations (#11763)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- Additional updates in kernel_module_disabled template (#11508)
- Align
securetty_root_login_console_only
remediations with OVAL/rule description (#11716) - Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#11886)
- Changes in template service_disabled - ansible part (#11645)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#11655)
- Fix ansible lint for SLE platforms (#11911)
- fix ansible SLES stig remediations in check mode (#11248)
- Fix Bash remediation of firewalld-based rules for offline mode (#11868)
- Fix configure_bashrc_exec_tmux missing parenthesis (#11448)
- Fix non-idempotent bash remediation for sysctl template (#11671)
- fix regex in Ansible remediation of configure_ssh_crypto_policy (#11526)
- Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#11827)
- Fix ubuntu remediation for pam_faildelay (#11532)
- Fix Ubuntu remediation for pam_faillock rules (#11488)
- Fix Ubuntu remediation for smartcard_pam_enabled (#11489)
- Issue when using set -e with grep commands (#11712)
- Make Blueprint for service_disabled template to mask services (#11679)
- OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#11638)
- pam_options ansible template dry-run fix (#11677)
- Remove kubernetes hardcoded solution for templated service_debug rules (#11370)
- remove prodtype from add_kubernetes_rule (#11500)
- Remove restrictions in sshd_use_approved_ciphers remediation (#11527)
- Return condition to test firewalld service state in firewalld_loopback_traffic rules (#11894)
- set indent to 4 (#11530)
- Simplify output of ip link show command (#11657)
- update links and unify documentation in kickstart files (#11765)
- Update links for Ansible role (#11737)
- Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#11474)
- use
failed_when:false
for Ansibleregister:
checks (#11782)
Changes in Checks
- accounts_passwords_pam_tally2_deny_root fix (#11676)
- Add root user to interactive users (#11729)
- Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#11864)
- all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#11672)
- App armor oval check (#11273)
- Correction in oval part ensure_gpgcheck_globally_activated (#11709)
- Disallow spaces in SSSD certificate_verification option (#11728)
- Enforce explicit setting in password-auth (#11742)
- Enforce explicit setting in system-auth (#11740)
- Fix handling of grub.d configs in grub2_bootloader_argument (#11726)
- Fix macro for extracting local interactive users (#11589)
- Fix regression in grub2_bootloader_argument (#11768)
- Make additional check if selinux is enabled and operational (#11510)
- Red Hat product security is on the path of deprecating the OVAL CVE feed (#11547)
- Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#11816)
- Restrict the list of accepted shells in no_shelllogin_for_systemaccounts (#11896)
- Revert PR 11816 (#11917)
- Update ANSSI R67 requirement (#11642)
- Update sssd_enable_smartcards & sssd_offline_cred_expiration (#11473)
Changes in the Infrastructure
- Account for non-existent 'build' dir in build_product (#11606)
- Add new test to ensure that CCEs are removed from the avail file (#11590)
- Add RHEL 9 support for playbook to role conversion utility (#11542)
- Add RHEL 9 to Ansible Gating (#11624)
- Add Script to Import DISA STIG to Policy Specific Content (#11611)
- Add stigrefs after references from controls (#11591)
- add the "components" test among quick tests (#11668)
- Bump paambaati/codeclimate-action from 5.0.0 to 6.0.0 (#11912)
- Change the metric of the
most-used-components
(#11738) - Clean up check_eof (#11757)
- Disable RHEL 10 content for 0.1.73 release (#11989)
- Ensure that components not in datastream are not mentioned by profiles (#11811)
- Extend the stable-profiles test (#11617)
- Extension of the
most-used-rules
andmost-used-components
subcommands of theprofile_tool.py
script to specify a list of products to be considered (#11733) - Fix broken exception message (#11842)
- Fix content_diff when a rule is removed (#11855)
- Fix deprecation warning in ssg/build_derivatives.py (#11666)
- Fix SCE finding XPath to allow nesting with OCILs (#11682)
- Fix TypeError in get_implemented_stigs (#11596)
- Improve github workflow for building OCP PR image (#11492)
- Improve playbook script and documention (#11747)
- k8s content image: Image from PR should not be tagged
latest
(#11643) - k8s image content from PRs: Fix
id
in job step (#11604) - k8s image content from PRs: remove token from action parameters (#11608)
- Move auditing group (#11789)
- Move to use main branch and OpenSCAP 1.4.0 for building on Windows (#11734)
- OCP: Fix e2e remediation for container_security_operator_exists (#11545)
- OCP4: Fix pr image workflow (#11533)
- OCP4: use utf-8 as default xml encoding (#11614)
- Prevent conflicts in references (#11555)
- profile_tool.py: Fix traceback in sub command (#11637)
- Re-organize
tests/fmf-plans
into a more concise format (#11809) - Reduce OCIL size (#11577)
- Reduce XCCDF (#11800)
- Reduce XML reformatting (#11641)
- Reduction of CPE content in DS (#11648)
- Refactoring: Remove all references to prodtype (code/tests/docs) (#11505)
- Remove CNSS REF URL (#11714)
- Removing unused variables from the datastream (#11858)
- Rework of
cpe_generate.py
(#11644) - Run Contest test instead of Fedora project beakerlib tests (#11419)
- Speed up build of thin data streams (#11618)
- Stabilize resolved profiles (#11727)
- Test that all rules have references (#11610)
- Thin DS: Command Line Interface (#11549)
- Tool for identifying the most used components (#11730)
- Tool for identifying the most used rules (#11439)
- Update entities/common.py to use CDumper (#11541)
- Update PR workflow actions to run only on latest push (#11616)
- Use control files to generate references (#11594)
- utils/gen_rendered_policies_index.py: read compiled control files (#11667)
Changes in the Test Suite
- Add RHEL 10 Install Command to Automatus (#11797)
- CMP-2366: Update service_autofs_disabled default e2e result (#11546)
- Disallow spaces in SSSD certificate_verification option (#11728)
- extend misleading Automatus error message (#11658)
- Fix ANSSI Ansible fmf test plan (#11791)
- Fix Automatus in CI (#11494)
- Fix tests for file_permissions, file_owner, file_groupowner (#11814)
- Flush automatus test logs before outputting results (#11605)
- OCP4: Fix rules with both platform and platforms (#11760)
- Split out TMT plans to separate Packit jobs (#11860)
- Thin DS tests (#11755)
- Update crypto_policy test scenario for CIS RHEL8 (#11513)
Documentation
- Add docs how to build thin ds (#11900)
- Add RHEL 10 to SRG Mapping Table Action (#11881)
- Bump master branch version to 0.1.73 (#11496)
- Improve playbook script and documention (#11747)
- release_helper script updates (#11504)
- Remove prodtype from rule schema (#11493)
- Update links for Ansible role (#11737)
- update list of contributors before releasing 0.1.73 (#11888)
- update meaning of the "automated" status in control files (#11646)
- Update RHEL 9 SCAP references to V1R1 (#11673)