Highlights:
- Start porting the PCI-DSS profile from RHEL-6 to RHEL-7
- Add OVAL-5.11 language support for the RHEL-7 product if the underlying system's oscap version already supports OVAL-5.11
- Start generating benchmarks for derivative OSes (CentOS, Scientific Linux)
- Stop using the symbolic-link mechanism for OVAL checks shared across multiple products (RHEL/6, RHEL/7, and Fedora)
- Enhance the XML file validation performed via the make validate target for all products (optimize speed, validate all XML files against Schematron where possible, etc.)
Enhancements:
- Add Chromium SCAP STIG content
- Include Firefox, JRE, and Chromium content by default in Fedora's RPM
- [Fedora] Add a ShellCheck test as part of make validate for Fedora content
- Ported OVAL checks: the audit_rules_mac_modification, audit_rules_networkconfig_modification, audit_rules_time_watch_localtime, audit_rules_time_clock_settime, audit_rules_time_stime, audit_rules_time_settimeofday, and audit_rules_time_adjtimex audit-rule checks have been ported to the RHEL-7 and Fedora products
- [RHEL/7] [Fedora] Port the accounts_passwords_pam_faillock_unlock_time OVAL check to RHEL-7 and Fedora
- [RHEL/7] [Fedora] Port the audit_rules_immutable OVAL check to RHEL-7 and Fedora
- [RHEL/7] [Fedora] Port the audit_rules_login_events OVAL check to RHEL-7 and Fedora
- [RHEL/7] [Fedora] Port the audit_rules_session_events OVAL check to RHEL-7 and Fedora
- [RHEL/7] Enable service_auditd_enabled and service_chronyd_enabled in RHEL-7's PCI-DSS profile
New OVAL checks:
- [RHEL/7] Add RHEL-7 OVAL checks for service_rdisc_disabled and service_rsyslog_enabled
- [RHEL/7] Add RHEL-7 OVAL checks for service_oddjobd_disabled and service_qpidd_disabled
- [RHEL/7] Add RHEL-7 OVAL checks for service_autofs_disabled and service_ntpdate_disabled
- [RHEL/7] Add RHEL-7 OVAL checks for service_atd_disabled and service_abrtd_disabled
- [RHEL/7] [Fedora] Add the display_login_attempts OVAL check for the RHEL-7 and Fedora products
New remediations:
- [RHEL/7] Implement a remediation fix for RHEL-7's accounts_password_pam_maxrepeat rule
Bug Fixes:
- [Infrastructure] Multiple testcheck.py fixes and enhancements:
  - De-duplicate OVAL entity identifiers
  - Enhance testcheck.py to return an appropriate exit code depending on the exit status of the internally called oscap oval eval command
  - Add support for quiet mode (options -q | --quiet | --silent) to testcheck.py
  - Fix a testcheck.py bug when dealing with external variables
- Fix broken Python modules in the Git tree
- [RHEL/6] [OVAL check fix] Fix accounts_passwords_pam_faillock_interval and accounts_passwords_pam_faillock_unlock_time to evaluate the preauth option instead of authsucc
- Correct some of the remediation script issues reported by the ShellCheck tool for the Firefox, JRE, RHEL-6, and RHEL-7 products
- [RHEL/6] Fix the OVAL checks for sysctl_net_ipv6_conf_default_accept_ra and sysctl_net_ipv6_conf_default_accept_redirects to report proper results if IPv6 is disabled on the underlying system
- [RHEL/7] Fix missing selector values on the PAM variables selected as required by the PCI-DSS profile
- [BugFix] [RHEL/7] [Fedora] Update the XCCDF prose of the display_login_attempts rule for the RHEL-7 and Fedora products to give the correct recommendation regarding pam_lastlog settings on these products
- [BugFix] [Infrastructure] Fix test_attestation links to be valid URLs (both for XCCDF and for OVAL)
- [RHEL/7] Fix the remediation script for accounts_password_pam_minclass
- [BugFix] [RHEL/6] [RHEL/7] Don't include the test profile in the final benchmark by default, only upon request
- [BugFix] [Chromium] [Firefox] [Java] [Webmin] Specify the correct profile name when generating HTML guides for these products
- [BugFix] Rename the 'Java' product to 'JRE' (since JRE has been suggested as a more appropriate name for this benchmark)
- [BugFix] [JRE] Fix trailing whitespace issues in the JRE content
Remediation fixes:
- [RHEL/7] sshd_enable_warning_banner: ensure the banner configuration appears on a line by itself
- [RHEL/6] accounts_passwords_pam_faillock_interval remediation: use the proper fail_interval option
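As an added example (not part of these release notes and not the project's own OVAL check or remediation script), the following Python checker mirrors the corrected pam_faillock logic from the bug-fix and remediation items above: it reads fail_interval and unlock_time from the pam_faillock.so preauth line, and shows how a stack that carries those options only on the authsucc line passes under the old logic but fails under the fixed one. The PAM stack text and the values deny=3, fail_interval=900 and unlock_time=900 are constructed sample input, not values taken from the page.

```python
import re

# Constructed sample PAM auth stacks in the RHEL-6/7 style (not copied from
# any real system); deny/fail_interval/unlock_time values are placeholders.
CORRECT_STACK = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=900
auth        sufficient    pam_faillock.so authsucc audit deny=3 fail_interval=900 unlock_time=900
auth        required      pam_deny.so
"""
# Same idea, but the options are missing from the preauth line and present
# only on authsucc: the case a check that reads authsucc would have accepted.
AUTHSUCC_ONLY_STACK = """\
auth        required      pam_faillock.so preauth silent audit deny=3
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_faillock.so authsucc audit deny=3 fail_interval=900 unlock_time=900
"""

# Matches "auth <control> pam_faillock.so <phase> [options...]"; the control
# field may be a bracketed value such as [default=die] or [success=1 default=bad].
_FAILLOCK_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+pam_faillock\.so\s*(.*)$")


def faillock_options(pam_text, phase):
    """Return {option: value} from the first pam_faillock.so auth line of the
    given phase (preauth, authfail or authsucc), or None if there is none."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _FAILLOCK_LINE.match(line)
        if not m:
            continue
        args = m.group(2).split()
        if not args or args[0] != phase:
            continue
        return dict(a.split("=", 1) for a in args[1:] if "=" in a)
    return None


def check_faillock_setting(pam_text, option, expected, phase="preauth"):
    """Evaluate one faillock option the way the fixed checks do, on the preauth
    line. Returns (passed, detail); phase="authsucc" reproduces the old logic."""
    opts = faillock_options(pam_text, phase)
    if opts is None:
        return False, f"no pam_faillock.so {phase} line configured"
    if option not in opts:
        return False, f"{option} not set on the {phase} line"
    return opts[option] == str(expected), f"{option}={opts[option]} on the {phase} line"
```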