Highlights:
- New CNSS No. 1253 profile for Red Hat Enterprise Linux 6
- New C2S (CIS) profile for Red Hat Enterprise Linux 7
- New Debian 8 (Jessie) product and an initial benchmark for it
- Improved (more granular) mapping of the official PCI DSS v3 standard to the PCI DSS profile for Red Hat Enterprise Linux 7
- Finished OVALs and selected remediations for the PCI DSS profile for Red Hat Enterprise Linux 6; a more granular mapping of the official requirements to rules is still to come
- Numerous other XCCDF, OVAL, and remediation script enhancements and bug fixes
Enhancements:
- [RHEL/6] New CNSS No. 1253 profile
- [RHEL/7] Granularize the PCI DSS profile rule mapping to official requirement (sub)section numbers in the PCI DSS v3 standard
- [RHEL/7] New C2S / CIS profile
- [Enhancement] Initial integration of Debian 8 into SSG
XCCDF changes / enhancements:
- [BugFix] [RHEL/6] Update the LUKS disk encryption URL
- [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Fix XCCDF descriptions for file_permissions_binary_dirs and file_ownership_binary_dirs
- [BugFix] [RHEL/5] Update the XCCDF description for file_groupowner_binary_dirs
- [BugFix] [RHEL/6] Add noexec, nosuid, and nodev rules for removable partitions and /dev/shm to the RHEL-6 STIG profile
- [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Drop the clock_settime system call from the audit time rule examples that suggest combining multiple syscalls into one audit rule
- [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update the XCCDF prose for the audit_rules_time_clock_settime rule
- [Enhancement] [RHEL/6] [RHEL/7] Add audit permission scripts and update XCCDF/OVAL content
- [BugFix] [Fedora] [RHEL/6] Remove pam_passwdqc references
- [BugFix] [RHEL/6] Update the XCCDF prose for the disable_interactive_boot rule
- [BugFix] [RHEL/6] Introduce an entropy section in the RHEL-6 benchmark and include the new rule kernel_disable_entropy_contribution_for_solid_state_drives in it
- [Enhancement] [RHEL/6] Start shipping the CNSS No. 1253 profile
- [Enhancement] [RHEL/7] Add CIS mappings to the disk partitioning/options XCCDF
- [BugFix] [RHEL/6] Fix an HTTP 404 URL in the XCCDF prose for the smartcard_auth rule
- [Enhancement] [RHEL/6] [RHEL/7] Per #879 (comment), update the RHEL-6 & RHEL-7 XCCDF prose for rpm_verify_permissions
- [BugFix] [RHEL/6] Fix invalid selectors in the RHEL-6 CNSS No. 1253 profile
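The audit time rule items above (a combined -S list in one rule versus one rule per syscall, and the clock_settime rewrite) leave a practitioner wanting to verify what actually landed in the rules file. Below is an added example, not SSG's own OVAL or remediation content: a shell check that reports, for the clock-changing syscalls, every (syscall, arch) pair that no active rule covers. It accepts either a combined "-S a,b,c" rule or separate rules, checks both arch=b32 and arch=b64, and treats stime as 32-bit only. The function names and the sample rules file are constructed for this example.

```shell
#!/bin/sh
# Added example, not SSG's own OVAL or remediation content: check that an
# audit rules file covers the clock-changing syscalls for both 32- and 64-bit
# ABIs. It reads a rules file (so it runs without root) instead of the live
# "auditctl -l" output, and it accepts either style the release notes refer
# to: one combined "-S a,b,c" rule or one rule per syscall.
# Function names and the sample below are ours, not the project's.

# audit_syscall_covered FILE SYSCALL ARCH
# Succeed when an active "-a always,exit" (or "exit,always") rule in FILE
# carries "-F arch=ARCH" and names SYSCALL in a "-S" list (either "-S name"
# or somewhere inside "-S a,b,c"). "-S all" is deliberately not treated as
# coverage: the benchmark wants explicit rules for these syscalls.
audit_syscall_covered() {
    file="$1" sc="$2" arch="$3"
    # stage 1: drop comments and blank lines
    # stage 2: keep only syscall exit rules
    # stage 3: keep only rules for the requested ABI
    # stage 4: the syscall must appear as a whole element of a -S list
    grep -Ev '^[[:space:]]*(#|$)' "$file" |
        grep -E -- "-a[[:space:]]+(always,exit|exit,always)" |
        grep -E -- "-F[[:space:]]+arch=${arch}([[:space:]]|$)" |
        grep -Eq -- "-S[[:space:]]+([^[:space:]]*,)?${sc}(,[^[:space:]]*)?([[:space:]]|$)"
}

# audit_missing_time_rules FILE
# Print "syscall arch" for every uncovered pair; print nothing when the file
# is complete. stime exists only in the 32-bit ABI, so it is checked for b32.
audit_missing_time_rules() {
    file="$1"
    for sc in adjtimex settimeofday clock_settime; do
        for arch in b32 b64; do
            audit_syscall_covered "$file" "$sc" "$arch" || echo "$sc $arch"
        done
    done
    audit_syscall_covered "$file" stime b32 || echo "stime b32"
}

# write_sample_rules FILE: constructed sample, not a real system's rules.
# adjtimex/settimeofday use one combined rule per ABI; clock_settime has its
# own rule but only for b32, so the report should flag "clock_settime b64".
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample audit.rules
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -k audit_time_rules
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k audit_time_rules
-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules
EOF
}

# Usage: sh audit_time_check.sh /etc/audit/audit.rules
# Prints the missing pairs and exits 1 when anything is uncovered.
if [ $# -eq 1 ]; then
    missing=$(audit_missing_time_rules "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        exit 1
    fi
fi
```

Run it against a rules file written by a remediation to see at a glance which ABI or syscall the remediation left out; the check is indifferent to whether the rules are combined or split, so it works before and after the rewrite noted above.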
OVAL check changes / enhancements:
- [Enhancement] [BugFix] [Fedora] [RHEL/7] Standardize more XCCDF and OVAL IDs
- [Enhancement] [RHEL/6] [RHEL/7] [Fedora] Standardize XCCDF and OVAL names
- [BugFix] [RHEL/6] [RHEL/7] [Fedora] Use the correct SELinux type in the selinux_all_devicefiles_labeled rule
- [Enhancement] [RHEL/6] [RHEL/7] SELinux and kernel dmesg updates
- [Enhancement] [Fedora] Add the no_direct_root_logins OVAL check
- [Enhancement] [RHEL/7] Enable the RHEL-7 OVAL check for the enable_selinux_bootloader rule
- [BugFix] [shared] Fix OVAL checks for file_ownership_binary_dirs and file_permissions_binary_dirs
- [BugFix] [RHEL/5] Update the OVAL check for the file_ownership_binary_dirs rule
- [BugFix] [RHEL/5] Replace the RHEL-5 specific OVAL check for the file_permissions_binary_dirs rule with a call to the existing shared/ OVAL check for the same rule
- [Enhancement] [RHEL/7] Add time and faillock OVAL and remediations
- [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update existing OVALs for the audit_rules_time_clock_settime rule
- [RHEL/7] Add some sysctl_net_ipv4 OVAL checks
- [Enhancement] [RHEL/7] Add missing RHEL-7 services OVAL and remediations
- [BugFix] [RHEL/6] Update the OVAL for the disable_interactive_boot rule
- [Enhancement] [RHEL/6] Add a RHEL-6 specific OVAL for the kernel_disable_entropy_contribution_for_solid_state_drives rule
- [BugFix] [Optimization] [RHEL/6] Optimize the OVAL check for the kernel_disable_entropy_contribution_for_solid_state_drives rule for speed / efficiency
- [Enhancement] [shared] Update file_ownership_var_log_audit.xml to check log_group in auditd.conf
- [shared] Require all_exist for the non-root checks in file_ownership_var_log_audit.xml
- [BugFix] [RHEL/6] Modify / optimize the OVAL check for the audit_rules_privileged_commands rule
- [BugFix] [RHEL/6] Fix the OVAL check for the audit_rules_privileged_commands rule
- [Enhancement] [RHEL/7] Enhance the RHEL-7 OVAL for smartcard_auth
- [Enhancement] [RHEL/6] Modify the current RHEL-6 OVAL for the smartcard_auth rule
- [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] Provide links to the remote (official Red Hat RHSA / CVE) OVAL for the security_patches_up_to_date rule
- [BugFix] [RHEL/6] [RHEL/7] Fix the RHEL-6 & RHEL-7 OVALs for the kernel_module_bluetooth_disabled rule
- [BugFix] [RHEL/6] [RHEL/7] Split the currently shared/ OVAL for the kernel_module_sctp_disabled rule into two separate OVALs
New Remediations:
- [Enhancement] [RHEL/6] [RHEL/7] Add securetty XCCDF/OVAL checks and remediations
- [Enhancement] [RHEL/6] [RHEL/7] Add audit and display_login_attempts remediations
- [Enhancement] [RHEL/6] Add a RHEL-6 remediation for the kernel_disable_entropy_contribution_for_solid_state_drives rule
- [Enhancement] [RHEL/6] New RHEL-6 remediation for the audit_rules_login_events rule
- [Enhancement] [RHEL/6] Port the existing RHEL-7 remediation for the auditd_audispd_syslog_plugin_activated rule to RHEL-6
- [Enhancement] [RHEL/6] Add a new RHEL-6 remediation for the accounts_password_pam_minlen rule
- [Enhancement] [RHEL/6] Port the existing RHEL-7 remediation for the aide_build_database rule to RHEL-6
- [Enhancement] [RHEL/6] Add a RHEL-6 remediation for the smartcard_auth rule
- [Enhancement] [RHEL/6] [RHEL/7] Add a remediation for the rpm_verify_permissions rule
- [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] New remediation for the security_patches_up_to_date rule
- [Enhancement] Add a kickstart file for PCI DSS for RHEL-6
Remediation fixes / other changes:
- [BugFix] [RHEL/7] smartcard_auth remediation: provide the full path to the 'authconfig' executable
- [BugFix] [RHEL/6] [RHEL/7] Fix remediation script names
- [BugFix] [RHEL/6] [RHEL/7] Fix remediations for file_permissions_binary_dirs and file_ownership_binary_dirs
- [BugFix] [RHEL/6] [RHEL/7] [Fedora] Fix existing remediations for the audit_rules_time_clock_settime rule
- [BugFix] [RHEL/6] Fix the remediation for the disable_interactive_boot rule
- [Enhancement] [shared] Make the display_login_attempts.sh remediation script more robust
- [Enhancement] [RHEL/7] Enhance the RHEL-7 remediation script for the smartcard_auth rule
- [BugFix] [RHEL/6] Modify the existing RHEL-6 remediation scripts for the audit_rules_time_adjtimex, audit_rules_time_settimeofday, and audit_rules_time_stime rules
- [shared] Edge case fix for var_password_pam_unix_remember
- [Enhancement] Add a universal replace_or_append function
- [Various products] Update --follow-symlink --> --follow-symlinks
- [BugFix] [RHEL/6] Fix the sed --follow-symlink typo in the smartcard remediation script
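Two of the items above, the universal replace_or_append function and the --follow-symlinks fix, are easier to appreciate with the behaviour in front of you. The function below is an added example written for these notes, not the SSG project's own helper (its signature and handling are ours), and it shows what a config-file remediation of this shape has to get right: rewrite the first line that carries the key even when it is commented out, drop later duplicates so the effective value is unambiguous, append when the key is absent, and edit through a symlink rather than replacing it with a regular file. GNU sed is assumed; the key is assumed to be a plain word and the value to contain neither '@' nor '&'.

```shell
#!/bin/sh
# Added example, not the SSG project's own replace_or_append helper: a
# replace_or_append() shell function of the kind the release notes describe,
# showing why "sed -i --follow-symlinks" (the typo fix noted above) matters.
# Behaviour when setting KEY to VALUE in FILE:
#   - the first line carrying KEY, commented out or not, is rewritten in place
#   - later lines carrying KEY are deleted, so the effective value is unambiguous
#   - if no line carries KEY, "KEY<SEP>VALUE" is appended (FILE is created if needed)
# Assumptions: GNU sed; KEY is a plain word with no regex metacharacters;
# VALUE contains neither '@' nor '&' (both are special in the sed substitution).
replace_or_append() {
    file="$1" key="$2" value="$3"
    sep="${4:- }"   # separator between key and value; pass '=' for key=value files
    [ -e "$file" ] || touch "$file"
    # a line is "about" KEY when KEY starts it (after an optional '#' and
    # spaces) and is followed by whitespace or '='
    re="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)"
    if grep -Eq "$re" "$file"; then
        # 0,/re/ addresses everything up to the first matching line (GNU
        # address form, so a match on line 1 works too); inside it we
        # substitute and branch past the delete, afterwards duplicates die.
        # --follow-symlinks edits the symlink's target instead of replacing
        # the link itself with a regular file, which is what plain -i does.
        sed -E -i --follow-symlinks \
            -e "0,/${re}/{" \
            -e "s@${re}.*@${key}${sep}${value}@" \
            -e "b" \
            -e "}" \
            -e "/${re}/d" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# get_setting FILE KEY: print the effective (last uncommented) value of KEY,
# or nothing if it is unset; lets a caller verify the remediation applied.
get_setting() {
    sed -En "s/^[[:space:]]*$2[[:space:]]*[[:space:]=][[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# Usage: sh replace_or_append.sh FILE KEY VALUE [SEP]
# e.g.   sh replace_or_append.sh /etc/login.defs PASS_MAX_DAYS 90
if [ $# -ge 3 ]; then
    replace_or_append "$@"
    get_setting "$1" "$2"
fi
```

The symlink case is the one the typo fix is about: with plain "sed -i" the link is unlinked and a new regular file is written in its place, so a file that was deliberately symlinked (for example into a shared or versioned location) silently stops being one after remediation.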
Build System Bug Fixes:
- Fix the make validate target for Fedora (2015-12-03)
Infrastructure:
- Rename the fixes folder to remediations
- [Enhancement] [Infrastructure] Add an XCCDF and OVAL ID check
- Unify the OVAL directory naming convention
- [Enhancement] [Infrastructure] Detect the oscap version
- [Enhancement] [Infrastructure] Add the ID name to remediation scripts
- [BugFix] Remove a duplicate openscap Python import
- [Enhancement] [Infrastructure] Add the openscap-python requirement to Build.md
- [BugFix] Declare XCCDF variables before their use
- Support for the Fedora rawhide CPE
- [Enhancement] [Infrastructure] Modify the build system to allow remotely referenced OVAL
- [BugFix] Fix a regex in combineremediations.py
- [Test suite] [RHEL/6] Add an initial version of the check_instances_test.py Python testing script for RHEL-6 content
- [Enhancement] [Infrastructure] Enhance the various helper scripts that create OVAL checks from the templating files to support comments in the CSV files
- [Enhancement] Update the list of CPEs for the Fedora benchmark because Fedora 21 is now end of life
Other changes:
- Add an OSPP kickstart file
- Add the FedRAMP High baseline