Table of Contents
- Highlights
- Enhancements
- XCCDF changes / enhancements
- OVAL check changes / enhancements
- New Remediations
- Remediation fixes / other changes
- Bug Fixes
- Infrastructure
- Other changes
- Full list of issues and pull requests closed in this release
Highlights:
- New OS Protection Profile for Red Hat Enterprise Linux 7 Server,
- PCI-DSS profile implementation (all OVALs, remediations, and official
  ID mappings) for Red Hat Enterprise Linux 7 Server finished,
- Remediation scripts now support multi_platform tags (replacement for
  former use of symbolic links),
- The version of SCAP Security Guide is now included in the RHEL/5, RHEL/6, RHEL/7,
  Chromium, Fedora, JRE, RHEVM3, Webmin, and Firefox benchmarks,
- Numerous XCCDF, OVAL, and remediation script enhancements and bug fixes.
Enhancements:
- [OSPP-RHEL7-SERVER] OS Protection Profile for RHEL7 Server
  Profile based on FMT_MOF_EXT.1 (https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#FMT_MOF_EXT.1)
- Assign CCE identifiers to RHEL-7 OSPP profile rules
- [RHEL/7] Perform PCI-DSS profile rules mapping to official requirement numbers in the PCI-DSS v3 standard
- [RHEL/7] Added OSPP/NIAP NIST table to Makefile
XCCDF changes / enhancements:
- [RHEL/7] Update XCCDF prose for 'ntpd_specify_remote_server' rule (add support for chronyd)
- [RHEL/7] Update XCCDF prose for 'ntpd_specify_multiple_servers' rule (add support for chronyd)
- [Fedora] add kernel XCCDF
- [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for 'audit_rules_login_events' rule
- [RHEL/7] Renamed XCCDF rule disable_ypbind --> service_ypbind_disabled
- [RHEL/6] [RHEL/7] [Fedora] accounts_password_pam_unix_remember rule -- update XCCDF prose and add
  pam_pwhistory support
- [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL
OVAL check changes / enhancements:
- [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_remote_server' rule
- [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_multiple_servers'
- [RHEL/5] [RHEL/6] Fix OVAL for 'mount_option_nodev_removable_filesystems'
  to allow hyphens in hostnames and mountpoints, and IPv6 addresses
- [RHEL/7] [Fedora] Add new OVAL check for 'rsyslog_files_permissions' rule
- [RHEL/7] [Fedora] New OVAL check for 'rsyslog_files_ownership' rule
- [RHEL/7] [Fedora] New OVAL for 'rsyslog_files_groupownership' rule
- [RHEL/7] Update the template_kernel_module_disabled
- [RHEL/6] Fix ldap client TLS checks
- [RHEL/7] Add RHEL/7 kernel OVAL checks and remediation scripts:
- Added check for install_PAE_kernel_on_x86-32 for RHEL/7,
- Added check for kernel_module_usb-storage_disabled for RHEL/7 and Fedora
- Added remediations for kernel_module_usb-storage_disabled,
package_kernel-PAE_installed, and sysctl_kernel_exec_shield
- [RHEL/5] fix accounts_unique_uid.xml OVAL check
- [RHEL/6] [RHEL/7] [Fedora] [Enhancement] Update sshd and cron XCCDF and OVAL content
- Add sshd_disable_rhosts and sshd_use_approved_macs to RHEL/7
- Add cron XCCDF and OVAL to Fedora
- Update RHEL/7 XCCDF and stig_overlay to match OVAL naming convention
- [RHEL/6] [RHEL/7] RHEL7 obsolete services and bluetooth checks/remediations
- Add template_socket_disabled for any future socket checks
- Add OVAL and remediation scripts for obsolete and bluetooth services
- Update XCCDF content for obsolete services
- Add socket macros
- [RHEL/6] [RHEL/7] [Fedora] Add new /shared OVAL for 'account_unique_name' rule
- [RHEL/6] [RHEL/7] [Fedora] Modify former RHEL-5 specific OVAL check for
  'gid_passwd_group_same' rule to be more universal (usable also for RHEL-6,
  RHEL-7 and Fedora systems)
- [RHEL/6] [RHEL/7] [Fedora] New OVAL for 'aide_build_database' rule
- [RHEL/6] Update existing RHEL-6 OVAL check for 'audit_rules_login_events' rule
- [RHEL/7] [Fedora] Update existing OVAL check for 'audit_rules_login_events'
- [RHEL/7] New OVAL check for 'smartcard_auth' rule
- [RHEL/7] Add service_xinetd_disabled OVAL to RHEL/7
- [RHEL/7] Enable referencing of the OVAL check for 'dconf_gnome_screensaver_mode_blank' rule
- [RHEL/7] OVAL for RHEL7 no_rsh_trust_files
- [RHEL/7] OVAL for RHEL7 disable_interactive_boot
- [RHEL/7] Enable the 'install_hids' rule
- [shared] Add CentOS gpgkey to OVAL check
- [shared] Update 'dconf_gnome_screensaver_idle_delay' shared/ OVAL definition to
  require proper unsigned int datatype setting when configuring 'idle-delay' value
- [shared] Require proper datatype (unsigned integer) to be specified for 'lock-delay'
  key of [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_lock_enabled' OVAL check
- [RHEL/7] Require 'string' datatype specifier to be provided when setting 'picture-uri'
  key of the [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_mode_blank' OVAL
- [shared] Make rpmverifyfile_test consistent with "rpm -V" output
- [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL
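What the "proper datatype" requirement in the dconf items above means in practice, as an added example that is not SCAP Security Guide code: in a dconf keyfile (the text form that `dconf update` compiles from /etc/dconf/db/local.d/), GSettings keys of type uint32 such as 'idle-delay' and 'lock-delay' must be written as `idle-delay=uint32 900`; a bare `idle-delay=900` is parsed as a signed int32, does not match the schema type, and the intended value is not applied. The check and repair below are POSIX sh plus awk over constructed keyfile text; the sample keyfiles and the function names check_dconf_uint32 and fix_dconf_uint32 are this example's own and are not the project's OVAL or remediation.

```shell
#!/bin/sh
# Added example, not SCAP Security Guide code: check and repair the datatype
# prefix on uint32 keys under [org/gnome/desktop/screensaver] in a dconf
# keyfile (the text form that `dconf update` compiles from /etc/dconf/db/local.d/).

SECTION='[org/gnome/desktop/screensaver]'

# Constructed sample keyfiles (not taken from any real system).
GOOD_DB='[org/gnome/desktop/screensaver]
idle-delay=uint32 900
lock-enabled=true
lock-delay=uint32 0'

# Same intent, but idle-delay lacks the uint32 prefix: a bare 900 parses as
# int32, which does not match the schema type, so the value is not applied.
BAD_DB='[org/gnome/desktop/screensaver]
idle-delay=900
lock-enabled=true'

# check_dconf_uint32 KEYFILE_TEXT KEY MIN MAX
# Prints "pass" if KEY is set inside SECTION as "uint32 N" with MIN <= N <= MAX,
# otherwise "fail". A value without the prefix, a value outside the range, or a
# key found only outside the section all fail. idle-delay needs MIN=1 because
# 0 disables the idle timeout; lock-delay may legitimately be 0 (lock at once).
check_dconf_uint32() {
    printf '%s\n' "$1" | awk -v section="$SECTION" -v key="$2" -v min="$3" -v max="$4" '
        /^\[/ { in_section = ($0 == section); next }
        in_section && index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            if (val ~ /^uint32 [0-9]+$/) {
                split(val, parts, " ")
                if (parts[2] + 0 >= min + 0 && parts[2] + 0 <= max + 0) found = 1
            }
        }
        END { print (found ? "pass" : "fail") }'
}

# fix_dconf_uint32 KEYFILE_TEXT KEY VALUE
# Prints KEYFILE_TEXT with KEY set to "uint32 VALUE" inside SECTION: an existing
# (possibly unprefixed) assignment is replaced, a missing key is appended to the
# section, and the section itself is created if the file has none.
fix_dconf_uint32() {
    printf '%s\n' "$1" | awk -v section="$SECTION" -v key="$2" -v value="$3" '
        /^\[/ {
            if (in_section && !done) { print key "=uint32 " value; done = 1 }
            in_section = ($0 == section)
            if (in_section) seen = 1
            print; next
        }
        in_section && index($0, key "=") == 1 { print key "=uint32 " value; done = 1; next }
        { print }
        END {
            if (!seen) print section
            if (!done) print key "=uint32 " value
        }'
}

# Stand-alone demonstration.
echo "prefixed idle-delay:   $(check_dconf_uint32 "$GOOD_DB" idle-delay 1 900)"
echo "unprefixed idle-delay: $(check_dconf_uint32 "$BAD_DB" idle-delay 1 900)"
echo "repaired keyfile:"
fix_dconf_uint32 "$BAD_DB" idle-delay 900
```

On a real system the repaired text would be written to a file under /etc/dconf/db/local.d/ and followed by `dconf update`; the same string-versus-typed-value distinction applies to 'picture-uri', which must be a quoted GVariant string rather than a bare path.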
New Remediations:
- [RHEL/7] New RHEL-7 specific remediation for aide_build_database rule
- [RHEL/7] New remediation for service_bluetooth_disabled rule
- [RHEL/7] Remediation for RHEL7 uninstall_talk-server
- [RHEL/7] Remediation for RHEL7 no_rsh_trust_files
- [RHEL/7] Remediation for RHEL7 disable_interactive_boot
- [RHEL/7] Remediation for RHEL7 require_singleuser_auth
- [RHEL/7] Add RHEL-7 specific remediation functions for the following three audit rules:
- audit_rules_time_adjtimex,
- audit_rules_time_settimeofday, and
- audit_rules_time_stime.
- [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_delay' rule
- [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_activation_enabled' rule
- [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_lock_enabled' rule
- [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_mode_blank' rule
- [RHEL/7] [Fedora] New RHEL-7 and Fedora remediation for 'audit_rules_login_events' rule
- [RHEL/7] [Fedora] Add new RHEL-7 and Fedora remediation for 'audit_rules_immutable' rule
- [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule
Remediation fixes / other changes:
- [RHEL/7] Updated package_remove remediation macro
- Created bash remove package script
- Added remediations for talk, ypbind, rsh, rsh-server, telnet
- Updated bash package_removed remediation language to include a CAUTION note
- [RHEL/6] Fix typo in RHEL/6 uninstall_ypserv.sh
Bug Fixes:
- Fix failing 'make validate' for Fedora (2015-08-24),
- Fix Fedora's 'make validate' target when run on RHEL-6 system (2015-09-10),
- Fix multiple CCEs duplicated between RHEL-6 and RHEL-7 content,
- Fix 'make validate' on Fedora (2015-09-17),
- [RHEL/5] Fix 'make validate' failures for RHEL/5 (2015-09-21),
- [Fedora] Fix failing 'make validate' for Fedora product
  when Fedora content is built & validated on RHEL-6 system (2015-09-26),
- [RHEL/5] Disable 'make validate' target for RHEL-5 content for now (2015-09-26),
Infrastructure:
- Enhance RHEL/5's Makefile to look into /shared OVAL directory for possible OVAL definitions applicable to RHEL-5 product too
- [Enhancement][RHEL/6][RHEL/7][Fedora] add functions for services and packages
- Add function that can enable/disable service in RHEL and Fedora
- Add function that can install/uninstall packages in RHEL and Fedora
- Update services enabled/disabled templates
- Update packages installed/removed templates
- [Enhancement] add multi_platform checks to remediation scripts
- [Enhancement] add platform tag to remediation scripts
- [Enhancement][RHEL/6][RHEL/7][Fedora] remove remediation script symlinks
- [Infrastructure] Fix cpe_generate.py FutureWarning error
- Modified zipfile Makefile target to make a release ZIP to upload to GitHub
Other changes:
- [RHEL/7] New DSS ODAA default banner