Highlights:
- Add initial draft of Standard Security Profile for RHEL-7 to serve as a base to ensure common security sanity across the various flavours of Red Hat Enterprise Linux 7 systems ("traditional", virtualized / containerized, RHEL-7 Atomic host etc.),
- Dozens of new remediation scripts for various audit rules of Red Hat Enterprise Linux 7 systems,
- HTML formatted guides enhancements (start building an HTML guide for each profile, minimize the HTML guide size by unselecting empty groups). Thanks to Martin Preisler for contributing these!
Enhancements:
- Add initial draft of Standard Security Profile for RHEL-7,
- Use XCCDF's `override` inheritance model when `extend`-ing profiles,
- Enhance the former `fix_audit_watch_rule` and `fix_audit_syscall_rule` remediation functions to work properly also on RHEL-7 and Fedora systems,
- Start building HTML formatted guide for every profile of every benchmark (product),
- Apply that `build-all-guides` change to the `Fedora`, `Chromium`, `Firefox`, `JRE`, `OpenStack`, `RHEL/5`, `RHEL/6`, `RHEL/7`, and `Webmin` products,
- Implement HTML index file to ease browsing across the produced HTML guides,
- Implement non-JavaScript option for HTML index files,
- Build `default` profile as part of the `build-all-guides` effort,
- Changed logic when building the HTML formatted guides: XCCDF groups not having at least one rule selected in them are no longer visible in the final HTML guide (though they are still accessible when tailoring the content),
- Added CentOS6 CPE to CPE dictionary for RHEL-6 and variants,
- Added CentOS7 CPE to CPE dictionary for RHEL-7 and variants,
- Added Scientific Linux 6 CPE to CPE dictionary for RHEL-6 and variants,
- Added Scientific Linux 7 CPE to CPE dictionary for RHEL-7 and variants,
- Add draft / example PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server systems using the Oscap Anaconda Addon tool,
XCCDF changes / enhancements:
- [RHEL/7] Update the XCCDF prose for the `Enable the NTP Daemon` rule to properly deal with the `chronyd` daemon,
OVAL check changes:
- [RHEL/7] Update the existing OVAL check for the `Enable the NTP Daemon` rule to return `PASS` if at least one of the `chronyd` or `ntpd` services is enabled (besides other things, the patch for this issue also fixed one "invalid selector" issue in the RHEL-7 PCI-DSS profile),
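The pass/fail logic of the updated check, expressed as an added shell illustration (the project's check itself is OVAL XML, not shell; this is not the project's code): the result is PASS as soon as one of the listed services reports enabled. The command used to query service state is a parameter, so `systemctl is-enabled` can be used on a real RHEL-7 host while `fake_is_enabled`, `FAKE_ENABLED` and `NTP_QUERY` are constructed stand-ins that let the logic run offline.

```shell
#!/bin/sh
# ntp_daemon_check QUERY_CMD SERVICE...
# Returns 0 (PASS) when QUERY_CMD reports at least one SERVICE as enabled,
# 1 (FAIL) otherwise. QUERY_CMD is normally "systemctl is-enabled"; it is a
# parameter so the OR-logic can be exercised without touching the running host.
ntp_daemon_check() {
    query="$1"
    shift
    for svc in "$@"; do
        # shellcheck disable=SC2086  # intentional word splitting of QUERY_CMD
        if $query "$svc" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# fake_is_enabled SERVICE: constructed stand-in for `systemctl is-enabled`.
# Succeeds when SERVICE appears in the space-separated FAKE_ENABLED list.
fake_is_enabled() {
    case " ${FAKE_ENABLED:-} " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# ntp_result: wrap the check in the PASS/FAIL wording used by the release notes.
# NTP_QUERY (constructed name) selects the query command; defaults to the stand-in.
ntp_result() {
    if ntp_daemon_check "${NTP_QUERY:-fake_is_enabled}" chronyd ntpd; then
        echo PASS
    else
        echo FAIL
    fi
}

# On a real RHEL-7 host:  NTP_QUERY="systemctl is-enabled" ntp_result
```

The important property is the OR: a host running chronyd (the RHEL-7 default) passes even though ntpd is not enabled, which is exactly the false finding the old check produced.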
New Remediations:
- [RHEL/7] `audit_rules_file_deletion_events`,
- [RHEL/7] `audit_rules_kernel_module_loading`,
- [RHEL/7] `audit_rules_sysadmin_actions`,
- [RHEL/7] `audit_rules_media_export`,
- [RHEL/7] `audit_rules_unsuccessful_file_modification`,
- [RHEL/6] [RHEL/7] `audit_rules_session_events`,
- [RHEL/7] `audit_rules_dac_modification_setxattr`,
- [RHEL/7] `audit_rules_dac_modification_removexattr`,
- [RHEL/7] `audit_rules_dac_modification_lsetxattr`,
- [RHEL/7] `audit_rules_dac_modification_lremovexattr`,
- [RHEL/7] `audit_rules_dac_modification_fsetxattr`,
- [RHEL/7] `audit_rules_dac_modification_fremovexattr`,
- [RHEL/7] `audit_rules_dac_modification_chown`,
- [RHEL/7] `audit_rules_dac_modification_fchown`,
- [RHEL/7] `audit_rules_dac_modification_fchownat`,
- [RHEL/7] `audit_rules_dac_modification_lchown`,
- [RHEL/7] `audit_rules_dac_modification_chmod`,
- [RHEL/7] `audit_rules_dac_modification_fchmod`,
- [RHEL/7] `audit_rules_dac_modification_fchmodat`,
- [RHEL/7] `audit_rules_mac_modification`,
- [RHEL/7] `audit_rules_networkconfig_modification`,
- [RHEL/7] `audit_rules_usergroup_modification`,
- [RHEL/7] `audit_rules_time_watch_localtime`,
Remediation fixes / other changes:
- [RHEL/6] Rewrite `audit_rules_dac_modification_setxattr` remediation to start using the `fix_audit_syscall_rule` remediation function,
- [RHEL/6] Rewrite existing RHEL-6 `audit_rules_dac_modification_chown`, `audit_rules_dac_modification_fchown`, `audit_rules_dac_modification_fchownat`, and `audit_rules_dac_modification_lchown` remediation scripts to start using the `fix_audit_syscall_rule` function,
- [RHEL/6] Rewrite `audit_rules_dac_modification_chmod`, `audit_rules_dac_modification_fchmod`, and `audit_rules_dac_modification_fchmodat` to start using the `fix_audit_syscall_rule` function,
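Both the new `audit_rules_dac_modification_*` remediations above and the RHEL-6 rewrites onto `fix_audit_syscall_rule` share one job: make sure an audit syscall rule exists for a given syscall and architecture without appending a duplicate on every run. The following is an added, simplified illustration of that idempotent pattern; it is not the project's `fix_audit_syscall_rule` and does not reproduce its behaviour. The rules file path, architecture, syscall and key are parameters; the `perm_mod` key, the `auid>=1000` / `auid!=4294967295` filters and the sample rules used in the usage comment are constructed for the example.

```shell
#!/bin/sh
# ensure_audit_syscall_rule RULES_FILE ARCH SYSCALL KEY
# Appends
#   -a always,exit -F arch=ARCH -S SYSCALL -F auid>=1000 -F auid!=4294967295 -k KEY
# to RULES_FILE unless an 'always,exit' rule for that ARCH already lists
# SYSCALL in its -S list (alone or inside a comma-separated list), so running
# the remediation twice leaves the file unchanged.
# Simplified illustration only; not the project's fix_audit_syscall_rule.
ensure_audit_syscall_rule() {
    rules_file="$1"; arch="$2"; syscall="$3"; key="$4"
    touch "$rules_file"
    # Existing rule for this arch whose -S list contains the syscall:
    #   optional "<other>," prefix, the syscall, optional ",<other>" suffix,
    #   followed by whitespace or end of line so "chown" does not match "fchown".
    if grep -E -- "^-a[[:space:]]+always,exit[[:space:]]+.*-F[[:space:]]+arch=$arch[[:space:]]+.*-S[[:space:]]+([^[:space:]]*,)?$syscall(,[^[:space:]]*)?([[:space:]]|\$)" "$rules_file" >/dev/null; then
        return 0   # already covered, nothing to do
    fi
    printf -- '-a always,exit -F arch=%s -S %s -F auid>=1000 -F auid!=4294967295 -k %s\n' \
        "$arch" "$syscall" "$key" >> "$rules_file"
}

# ensure_audit_syscall_rule_both_arches RULES_FILE SYSCALL KEY
# x86_64 hosts need the rule for both the 32-bit and 64-bit syscall ABIs.
ensure_audit_syscall_rule_both_arches() {
    ensure_audit_syscall_rule "$1" b32 "$2" "$3"
    ensure_audit_syscall_rule "$1" b64 "$2" "$3"
}

# Usage (constructed scratch file, not /etc/audit/audit.rules):
#   f=$(mktemp)
#   printf '%s\n' '-a always,exit -F arch=b64 -S chown,fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' > "$f"
#   ensure_audit_syscall_rule "$f" b64 chown perm_mod   # no change: already listed
#   ensure_audit_syscall_rule "$f" b32 chown perm_mod   # appends a b32 rule
#   ensure_audit_syscall_rule_both_arches "$f" fchown perm_mod   # appends b32 only
```

Matching on the `-S` list rather than on the whole line is what makes the function safe to run on a file that already groups several syscalls into one rule, which is the common hand-written layout and the case a naive `grep -q "$syscall"` gets wrong.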
Bug Fixes:
- Fix broken `make dist` target,
- [RHEL/7] [Fedora] Fix false positive in `disable_prelink` OVAL check in certain circumstances,
- Fix missing CentOS6 and CentOS7 CPEs when building CentOS content with older versions of `oscap`,
- Don't include the Fedora OVAL-5.11 checks in the benchmark by default, only upon request. This fixes the failing `make` target when building Fedora content on a RHEL-6 system against an `oscap` not yet supporting the OVAL-5.11 language version,
Infrastructure:
- Drop Fedora 20 support in `Fedora` benchmark since it reached EOL,
- Multiple `ShellCheck` warnings fixed across the content,
- Multiple `scap-security-guide.spec.in` simplifications,
- Unified all `LICENSE` files into just one `./LICENSE`,