Highlights:
- Start porting of
PCI-DSSprofile from RHEL-6 to RHEL-7 - Add OVAL-5.11 language support for RHEL-7 product if underlying system's
oscapversion supports OVAL-5.11 already - Start generating benchmarks for derivative OSes (
CentOS,Scientific Linux) - Get rid of using symbolic links mechanism for OVAL checks shared across multiple products (
RHEL/6, RHEL/7, andFedora) - Enhance XML files validation performed via
make validatetarget for all products (optimize speed, validate all XML files against schematron where possible etc.)
Enhancements:
-
Add Chromium SCAP STIG content
-
Include Firefox, JRE, and Chromium content by default into Fedora's RPM
-
[Fedora] Add
ShellChecktest as part ofmake validatefor Fedora content -
Ported OVAL checks:
audit_rules_mac_modification,audit_rules_networkconfig_modification,audit_rules_time_watch_localtime,audit_rules_time_clock_settime,audit_rules_time_stime,audit_rules_time_settimeofday, andaudit_rules_time_adjtimex
auditrules have been ported to RHEL-7 and Fedora products. -
[RHEL/7] [Fedora] Port
accounts_passwords_pam_faillock_unlock_timeOVAL check to RHEL-7 && Fedora -
[RHEL/7] [Fedora] Port
audit_rules_immutableOVAL check to RHEL-7 and Fedora -
[RHEL/7] [Fedora] Port
audit_rules_login_eventsOVAL check to RHEL-7 and Fedora -
[RHEL/7] [Fedora] Port
audit_rules_session_eventsOVAL check to RHEL-7 && Fedora -
[RHEL/7] Enable
service_auditd_enabledandservice_chronyd_enabledfor RHEL-7'sPCI-DSSprofile
New OVAL checks:
- [RHEL/7] Add RHEL-7 OVAL checks for
service_rdisc_disabledandservice_rsyslog_enabled - [RHEL/7] Add RHEL-7 OVAL checks for
service_oddjobd_disabledandservice_qpidd_disabled - [RHEL/7] Add RHEL-7 OVAL checks for
service_autofs_disabledandservice_ntpdate_disabled - [RHEL/7] Add RHEL-7 OVAL checks for
service_atd_disabledandservice_abrtd_disabled - [RHEL/7] [Fedora] Add
display_login_attemptsOVAL check for RHEL-7 and Fedora products
New remediations:
- [RHEL/7] Implement remediation fix for RHEL-7's
accounts_password_pam_maxrepeatrule
Bug Fixes:
- [Infrastructure] Multiple
testcheck.pyfixes and enhancements:- De-duplicate OVAL entity identifiers
- Enhance
testcheck.pyto return appropriate exit code depending on the exit status
of the internally calledoscap oval evalcommand - Add support for quiet mode (options
-q | --quiet | --silent) totestcheck.py - Fix
testcheck.pybug when dealing with external variables
- Fix broken python modules in Git tree
- [RHEL/6] [OVAL check fix] Fix
accounts_passwords_pam_faillock_intervalandaccounts_passwords_pam_faillock_unlock_timeto usepreauthoption instead ofauthsucc - Correct some of the remediation script issues reported by the ShellCheck tool for the remediation scripts for Firefox, JRE, RHEL-6, and RHEL-7 products
- [RHEL/6] Fix OVAL checks for
sysctl_net_ipv6_conf_default_accept_raandsysctl_net_ipv6_conf_default_accept_redirectsto report proper results if IPv6 is disabled on the underlying system - [RHEL/7] Fix missing selector values to selected PAM variables as required by PCI-DSS profile
- [BugFix] [RHEL/7] [Fedora] Update XCCDF prose for
display_login_attemptsrule for RHEL-7 and Fedora products to provide correct recommendation wrt topam_lastlogsettings on these products - [BugFix] [Infrastructure] Fix
test_attestationlinks to be valid URLs (both for XCCDF and for OVAL) - [RHEL/7] Fix remediation script for
accounts_password_pam_minclass - [BugFix] [RHEL/6] [RHEL/7] Don't include the
testprofile into the final benchmark by default, only upon request - [BugFix] [Chromium] [Firefox] [Java] [Webmin] Specify correct profile name when generating HTML guides for these products
- [BugFix] Rename 'Java' product to be 'JRE' product (since JRE has been suggested as a more appropriate name for this benchmark)
- [BugFix] [JRE] Fix trailing whitespace issues in the JRE content
Remediation fixes:
- [RHEL/7]
sshd_enable_warning_bannerensure the banner config appears on a line by itself - [RHEL/6]
accounts_passwords_pam_faillock_intervalremediation - use properfail_intervaloption