github ComplianceAsCode/content v0.1.26
SCAP Security Guide 0.1.26 Release Notes


Table of Contents

  1. Highlights
  2. Enhancements
  3. XCCDF changes / enhancements
  4. OVAL check changes / enhancements
  5. New Remediations
  6. Remediation fixes / other changes
  7. Bug Fixes
  8. Infrastructure
  9. Other changes
  10. Full list of issues and pull requests closed in this release

Highlights:

  • New OS Protection Profile for Red Hat Enterprise Linux 7 Server,
  • PCI-DSS profile implementation (all OVALs, remediations, and official
    ID mappings) for Red Hat Enterprise Linux 7 Server finished,
  • Remediation scripts now support multi_platform tags (replacement for
    former use of symbolic links),
  • The version of SCAP Security Guide is now included in the RHEL/5, RHEL/6, RHEL/7,
    Chromium, Fedora, JRE, RHEVM3, Webmin, and Firefox benchmarks,
  • Numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Enhancements:

  • [OSPP-RHEL7-SERVER] OS Protection Profile for RHEL7 Server,
    based on FMT_MOF_EXT.1.1 https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#FMT_MOF_EXT.1
  • Assign CCE identifiers to RHEL-7 OSPP profile rules
  • [RHEL/7] Perform PCI-DSS profile rules mapping to official requirement numbers in the PCI-DSS v3 standard
  • [RHEL/7] Added OSPP/NIAP NIST table to Makefile

XCCDF changes / enhancements:

  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_remote_server' rule (add support for chronyd)
  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_multiple_servers' rule (add support for chronyd)
  • [Fedora] add kernel XCCDF
  • [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for 'audit_rules_login_events' rule
  • [RHEL/7] Renamed XCCDF rule disable_ypbind --> service_ypbind_disabled
  • [RHEL/6] [RHEL/7] [Fedora] accounts_password_pam_unix_remember rule -- update XCCDF prose and add
    pam_pwhistory support
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

OVAL check changes / enhancements:

  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_remote_server' rule
  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_multiple_servers'
  • [RHEL/5] [RHEL/6] Fix OVAL for 'mount_option_nodev_removable_filesystems'
    to allow hyphens in hostnames and mountpoints, and IPv6 addresses
  • [RHEL/7] [Fedora] Add new OVAL check for 'rsyslog_files_permissions' rule
  • [RHEL/7] [Fedora] New OVAL check for 'rsyslog_files_ownership' rule
  • [RHEL/7] [Fedora] New OVAL for 'rsyslog_files_groupownership' rule
  • [RHEL/7] Update the template_kernel_module_disabled
  • [RHEL/6] Fix LDAP client TLS checks
  • [RHEL/7] Add RHEL/7 kernel OVAL checks and remediation scripts:
    • Added check for install_PAE_kernel_on_x86-32 for RHEL/7,
    • Added check for kernel_module_usb-storage_disabled for RHEL/7 and Fedora
    • Added remediations for kernel_module_usb-storage_disabled,
      package_kernel-PAE_installed, and sysctl_kernel_exec_shield
  • [RHEL/5] Fix accounts_unique_uid.xml OVAL check
  • [RHEL/6] [RHEL/7] [Fedora] [Enhancement] Update sshd and cron XCCDF and OVAL content
    • Add sshd_disable_rhosts and sshd_use_approved_macs to RHEL/7
    • Add cron XCCDF and OVAL to Fedora
    • Update RHEL/7 XCCDF and stig_overlay to match OVAL naming convention
  • [RHEL/6] [RHEL/7] RHEL7 obsolete services and bluetooth checks/remediations
    • Add template_socket_disabled for any future socket checks
    • Add OVAL and remediation scripts for obsolete and bluetooth services
    • Update XCCDF content for obsolete services
    • Add socket macros
  • [RHEL/6] [RHEL/7] [Fedora] Add new /shared OVAL for 'account_unique_name' rule
  • [RHEL/6] [RHEL/7] [Fedora] Modify former RHEL-5 specific OVAL check for
    'gid_passwd_group_same' rule to be more universal (usable also for RHEL-6,
    RHEL-7 and Fedora systems)
  • [RHEL/6] [RHEL/7] [Fedora] New OVAL for 'aide_build_database' rule
  • [RHEL/6] Update existing RHEL-6 OVAL check for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Update existing OVAL check for 'audit_rules_login_events'
  • [RHEL/7] New OVAL check for 'smartcard_auth' rule
  • [RHEL/7] Add service_xinetd_disabled OVAL to RHEL/7
  • [RHEL/7] Enable referencing and use of the OVAL check for 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] OVAL for RHEL7 no_rsh_trust_files
  • [RHEL/7] OVAL for RHEL7 disable_interactive_boot
  • [RHEL/7] Enable use of the 'install_hids' rule
  • [shared] Add CentOS gpgkey to OVAL check
  • [shared] Update 'dconf_gnome_screensaver_idle_delay' shared/ OVAL definition to
    require proper unsigned int datatype setting when configuring 'idle-delay' value
  • [shared] Require proper datatype (unsigned integer) to be specified for 'lock-delay'
    key of [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_lock_enabled' OVAL check
  • [RHEL/7] Require 'string' datatype specifier to be provided when setting 'picture-uri'
    key of the [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_mode_blank' OVAL
  • [shared] Make rpmverifyfile_test consistent with "rpm -V" output
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

New Remediations:

  • [RHEL/7] New RHEL-7 specific remediation for aide_build_database rule
  • [RHEL/7] New remediation for service_bluetooth_disabled rule
  • [RHEL/7] Remediation for RHEL7 uninstall_talk-server
  • [RHEL/7] Remediation for RHEL7 no_rsh_trust_files
  • [RHEL/7] Remediation for RHEL7 disable_interactive_boot
  • [RHEL/7] Remediation for RHEL7 require_singleuser_auth
  • [RHEL/7] Add RHEL-7 specific remediation functions for the following three audit rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime.
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_delay' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_activation_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_lock_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] [Fedora] New RHEL-7 and Fedora remediation for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Add new RHEL-7 and Fedora remediation for 'audit_rules_immutable' rule
  • [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [RHEL/7] Updated package_remove remediation macro
    • Created bash remove package script
    • Added remediations for talk, ypbind, rsh, rsh-server, telnet
    • Updated bash package_removed remediation language to include a CAUTION note
  • [RHEL/6] Fix typo in RHEL/6 uninstall_ypserv.sh

Bug Fixes:

  • Fix failing 'make validate' for Fedora (2015-08-24),
  • Fix Fedora's 'make validate' target when run on RHEL-6 system (2015-09-10),
  • Fix multiple duplicate RHEL-6 vs RHEL-7 CCEs issue,
  • Fix make-validate on Fedora (2015-09-17),
  • [RHEL/5] Fix 'make validate' failures for RHEL/5 (2015-09-21),
  • [Fedora] Fix failing 'make validate' for Fedora product
    when Fedora content is built & validated on RHEL-6 system (2015-09-26),
  • [RHEL/5] Disable 'make validate' target for RHEL-5 content for now (2015-09-26).

Infrastructure:

  • Enhance RHEL/5's Makefile to look into /shared OVAL directory for possible OVAL definitions applicable to RHEL-5 product too
  • [Enhancement][RHEL/6][RHEL/7][Fedora] add functions for services and packages
    • Add function that can enable/disable service in RHEL and Fedora
    • Add function that can install/uninstall packages in RHEL and Fedora
    • Update services enabled/disabled templates
    • Update packages installed/removed templates
  • [Enhancement] add multi_platform checks to remediation scripts
  • [Enhancement] add platform tag to remediation scripts
  • [Enhancement][RHEL/6][RHEL/7][Fedora] remove remediation script symlinks
  • [Infrastructure] Fix cpe_generate.py FutureWarning error
  • Modified zipfile Makefile target to make a release ZIP to upload to GitHub

Other changes:

  • [RHEL/7] New DSS ODAA default banner

Full list of issues and pull requests closed in this release
