github ComplianceAsCode/content v0.1.29
SCAP Security Guide 0.1.29 Release Notes
on GitHub

latest releases: v0.1.75, v0.1.74, v0.1.73...
8 years ago

Highlights (in order the changes have been merged):

  • Numerous STIG profile enhancements for Red Hat Enterprise Linux 7 product,
  • The produced benchmark for Red Hat Enterprise Linux 6 product now passes NIST SCAP Content Validation Tool 1.2.1.14 requirements,
  • A plenty of new OVAL checks have been implemented for the Red Hat Enterprise Linux 7 product,
  • A substantial effort has been contributed the existing SCAP content for JBoss EAP v5 and JBoss Fuse v6 products to follow the format as expected by regular SCAP Security Guide product,
  • Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes (see below for more concrete details)

Enhancements:

XCCDF changes / enhancements:

  • [Enhancement] [Fedora] Added Fedora standard profile
  • [Enhancement][Fedora] Add Xorg service XCCDF content
  • [Enhancement] [Debian/8] starting systcl integration in xccdf: execution restriction
  • [Enhancement] [Debian/8] add fs-specific sysctl hadening to xccdf. Updated xccdf partitioning structure
  • [Enhancement] [Debian/8] add missing anssi references for ntp
  • [Enhancement] [Debian/8] New sysctl_kernel_kptr_restrict rule
  • [Enhancement] [RHEL/6] Per request in:
    https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c8
    https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c9
    update the title of the RHEL/6 CNSS profile it to be more descriptive
  • [BugFix] [RHEL/7] [Fedora] Replace '/etc/grub.conf' with '/etc/default/grub' in RHEL-7 and Fedora XCCDF
  • [BugFix] [RHEL/6] Fix DISA CCI mapping for accounts_password_pam_dcredit rule
  • [Enhancement] [RHEL/6] Added CCE to package_setroubleshoot_removed
  • [Enhancement] [RHEL/6] Added CCE to package_mcstrans_removed
  • [Enhancement] [RHEL/6] Added CCE to package_telnet_removed
  • [Enhancement] [RHEL/6] Added CCE to package_rsh_removed
  • [Enhancement] [RHEL/6] Added CCE to package_ypbind_removed
  • [Enhancement] [RHEL/6] Added CCE to package_tftp_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk-server_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk_removed
  • [Enhancement] [RHEL/6] Updated C2S profile (Mapped package_talk-server_removed, package_talk_removed)
  • [Enhancement] Update RHEL6/7 guide.xml with compute node CPE
  • [BugFix] [RHEL/7] [Issue #995] Update var_accounts_max_concurrent_login_sessions to 10 (to meet DoD STIG
    guidance)
  • [Enhancement][Bugfix][Fedora] Update yum XCCDF and OVAL references to dnf
  • [BugFix] [RHEL/7] Fixed socket-disable-macro for rsh and rlogin
  • [BugFix] [RHEL/6] Added to the system
  • [BugFix] Added a description to vsftpd Group in RHEL6 and RHEL7 content
  • [BugFix] [RHEL/6] [RHEL/7] Added description to ftp_use_vsftpd Group
  • [Enhancement] [RHEL/7] Various STIG profile changes:
    • STIG updates to RPM verify
    • STIG updates to rhel7/rpm_verify_hashes
    • STIG updates to rhel7/accounts_password_pam_lcredit
    • STIG updates to rhel7/accounts_password_pam_dcredit
    • add severity to accounts_password_pam_dcredit
    • STIG update to rhel7/accounts_password_pam_ocredit
    • STIG update to rhel7/accounts_password_pam_difok
    • STIG update to rhel7/accounts_maximum_age_login_defs
    • removing var_password_pam_minlen from STIG profile, inherited from OSPP
    • STIG update for rhel7/accounts_password_pam_minlen
    • STIG update RHEL7/sysctl_net_ipv4_conf_all_accept_source_route
    • STIG update for rhel7/sysctl_net_ipv4_tcp_syncookies
    • STIG update for rhel7/sshd_do_not_permit_user_env
    • STIG update rhel7/nis
    • STIG update for rhel7/rsh-server
    • STIG update for rhel7/package_telnet-server_removed
    • STIG update for rhel7/tftp
    • STIG update for rhel7/banner_etc_issue
    • STIG updates for rhel7/accounts_password_pam_minclass
    • STIG udpates to rhel7/package_screen_installed
    • STIG update to rhel7/crypt_style
    • STIG update for rhel7/accounts_minimum_age_login_defs
    • Add gid_passwd_group_same to RHE7 STIG
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • Removing RHEL7 duplicate rules from STIG profile
    • assign DISA refs to accounts_password_pam_unix_remember
    • assign to RHEL–07–010260 no_empty_passwords
    • add account_disable_post_pw_expiration to STIG profile, assign DISA refs
    • Assign DISA FSO provided policy references
    • STIG update for RHEL/7 snmpd_not_default_password
    • STIG update RHEL7 add missing CCEs for #1140 and #1138
    • STIG update for RHEL7 for sshd_allow_only_protocol2
    • STIG update for RHEL7 for sshd_use_approved_macs
    • STIG update for RHEL7 firewalld and tcp_wrappers
    • STIG update for RHEL7 xorg settings
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • STIG update for RHEL7 SSH key permissions (Add XCCDF and OVAL for SSH Server private and public key permissions)
    • STIG update RHEL7 ssh keys
    • STIG update for RHEL7 various SSH settings (Add new SSH XCCDF and OVAL content)
    • STIG update for RHEL7 ipv6.conf.all.accept_source_route (Add new XCCDF and OVAL content for net.ipv6.conf.all.accept_source_route)
    • Add SSH key file perm checks to OSPP profile
    • STIG update RHEL7 add ipv6 accept_source_route to STIG profile
    • STIG update RHEL7 add ssh settings to STIG profile
    • STIG update for RHEL7 quagga service (Add new XCCDF, OVAL, and remediation content for quagga routing)
    • STIG update RHEL7 quagga routing service
    • STIG update RHEL7 IPSec approved tunnel connections (Add new XCCDF for checking for IPSec-approved tunnels, Update severity level for package_libreswan_installed Rule)
    • STIG update RHEL7 add NFS share server/client security (Add new XCCDF and OVAL for NFS server/client Kerberos settings)
    • CCE-27594-1 to package_quagga_removed
    • CCE for service_zebra_disabled
    • CCE for use_kerberos_security_all_exports
    • CCE for mount_option_krb_sec_remote_filesystems
    • CCE for file_permissions_sshd_pub_key
    • CCE for file_permissions_sshd_private_key
      *CCE for sysctl_net_ipv4_conf_all_accept_source_route
    • CCE for disable_ctrlaltdel_reboot
    • CCE for service_autofs_disabled
    • CCE for sysctl_net_ipv4_tcp_syncookies
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update RHEL7 KDUMP service
    • STIG update RHEL7 separate partitions
    • update policy refs and xccdf for dconf_gnome_banner_enabled
    • Update language for rhel7/dconf_gnome_screensaver_lock_enabled
    • updating GNOME banner rules
    • update OCIL for dconf_gnome_screensaver_idle_delay
    • update rationale for accounts_password_pam_ucredit
    • removed duplicate rules from STIG profile, already present in OSPP
    • removed ucredit from STIG, present in OSPP
    • update severity and profile placement of dcredit rules
    • update refine value of var_password_pam_difok to 8
    • update OCIL for accounts_password_pam_maxrepeat
    • update password hashing, add to NIAP profile
    • move set_password_hashing_algorithm_logindefs from STIG to OSPP profile
    • move PASS_MAX_DAYS from STIG to OSPP
    • update OCIL for accounts_password_pam_unix_remember
    • update OCIL for accounts_password_pam_minlen
    • update rationale for no_empty_passwords
    • add dconf_gnome_screensaver_idle_activation_enabled to stig, update prose
    • update account_disable_post_pw_expiration prose and variable refinement
    • update sshd_disable_empty_passwords mappings
    • updates to disable_host_auth
    • update to ensure_gpgcheck_globally_activated prose, remove duplicate selector from STIG profile
    • update telnet prose
    • update prose for accounts_max_concurrent_login_sessions
    • updates to sshd_do_not_permit_user_env
    • Fix NIST references for disk_partitioning
    • Assign various CCEs to RHEL7 STIG rules
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update for McAfee content
    • Add in SELinux vs HBSS warning
    • Use chkconfig for nails service check rather than systemctl
    • STIG update RHEL7 additional SSH settings
    • Fix OS SRG typos and enchance some SSH titles
    • STIG update RHEL7 add gdm settings
    • Fix GDM content to use correct case
    • Add set_password_hashing_algorithm_systemauth to STIG
    • rationale update to rhel7/service_auditd_enabled
    • severity and rationale updates to file_ownership_var_log_audit
    • rationale and reference updates to rhel7/audit_rules_privileged_commands
    • policy ref and severity updates to rhel7audit_rules_unsuccessful_file_modification
    • update policy refs for rhel7/audit_rules_login_events
    • STIG policy ref updates to rhel7/audit_rules_media_export
    • update rhel7/audit_rules_kernel_module_loading refs, remove duplicate entry from STIG profile
    • ref updates to rhel7/audit_rules_file_deletion_events, remove dupe from STIG profile
    • sshd_use_approved_ciphers rationale updates
    • [Enhancement][RHEL/7] Update dconf gnome settings
    • update references for rhel7/accounts_tmout
    • update STIG ID for audit_rules_usergroup_modification
    • add libreswan_approved_tunnels to STIG profile
    • fixed OCIL on file_permissions_sshd_private_key
    • reference swap for tftp
    • update with send_redirects
    • add /tmp requirement to STIG
    • update for audit partition
    • update for var partition
    • update for home partition
    • add file_permissions_ungroupowned to ospp
    • [Enhancement][RHEL/7] Update dconf gnome settings
  • [Bugfix][Fuse/6] fix OCIL grammar
  • [BugFix] [RHEL/7] Fix xorg.xml description grammar
  • [Enhancement][RHEL/7] Move GNOME XCCDF content into its own gnome.xml XCCDF file

OVAL check changes / enhancements:

  • [Enhancement] [RHEL/7] New OVAL for kernel_module_cramfs_disabled, kernel_module_freevxfs_disabled, kernel_module_hfs_disabled, kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled,
    kernel_module_squashfs_disabled, and kernel_module_udf_disabled rules,
  • [Enhancement] [RHEL/7] New OVAL for dir_perms_etc_httpd_conf, dir_perms_var_log_httpd,
    dir_perms_world_writable_sticky_bits, dir_perms_world_writable_system_owned, file_permissions_httpd_server_conf_files., file_permissions_unauthorized_world_writable,
    file_permissions_ungroupowned, no_files_unowned_by_user, and root_path_no_dot rules
  • [Enhancement] [RHEL/7] New OVAL for cups_disable_browsing, cups_disable_printserver,
    ovecot_disable_plaintext_auth, dovecot_enable_ssl, ldap_client_start_tls, ldap_client_tls_cacertpath,
    logwatch_configured_hostlimit, logwatch_configured_splithosts, service_dovecot_disabled,
    package_openldap_removed, package_samba-common_removed, postfix_network_listening_disabled,
    postfix_server_banner, require_smb_client_signing, rsyslog_nolisten, and tftpd_uses_secure_mode rules,
  • [Enhancement] [RHEL/5] New OVAL for service_dovecot_disabled and service_postfix_enabled rules,
  • [BugFix] [shared] httpd permission check updates and fixes (Make sure that httpd permission OVAL content check if the httpd package is installed, Fix httpd .conf file permission check),
  • [Enhancement][RHEL/7] Add RHEL7 Mount OVAL checks
    • mount_option_nodev_nonroot_local_partitions,
    • mount_option_nodev_remote_filesystems,
    • mount_option_nodev_removable_partitions,
    • mount_option_noexec_removable_partitions,
    • mount_option_nosuid_remote_filesystems,
    • mount_option_nosuid_removable_partitions,
    • mount_option_smb_client_signing, and
    • mount_option_tmp_noexec,
  • [BugFix] file_permissions_httpd_server_conf_files - Fix http conf file permission check,
  • [BugFix] dir_perms_etc_httpd_conf - Fix /etc/httpd/conf dir permissions check,
  • [Enhancement][RHEL/7] New OVAL for sysctl_fs_suid_dumpable rule,
  • [Enhancement][RHEL/7] New OVAL for network_disable_zeroconf, network_ipv6_default_gateway,
    network_ipv6_disable_rpc, network_ipv6_privacy_extensions, network_ipv6_static_address,
    network_sniffer_disabled, and wireless_disable_interfaces rules
  • [BugFix] [RHEL/7] LDAP OVAL checks -- Use /etc/nslcd.conf instead of /etc/openldap/ldap.conf,
  • [BugFix][RHEL/7] Fix disable ipv6 in kernel regression,
  • [Enhancement][Fedora][RHEL/7] Add xwindows multi-user.target check for non-graphical runlevel,
  • [Enhancement] Enable xwindows_runlevel_setting for oval 5.11 and greater
  • [bugfix][RHEL/7] Update network_ipv6 OVAL checks (Update network_ipv6_default_gateway, network_ipv6_privacy_extensions, and network_ipv6_static_address OVAL checks to use the
    sysctl_kernel_ipv6_disable OVAL check as using modprobe to disable ipv6 is no longer valid)
  • [BugFix] [Debian/8] updated yum specific informationals into apt-get for Debian
  • [Enhancement] [Debian/8] add support for sysctl in deb8 oval template
  • [Enhancement] [Debian/8] New OVAL for sysctl_fs_protected_symlinks, sysctl_fs_protected_hardlinks,
    sysctl_fs_suid_dumpable, and sysctl_kernel_randomize_va_space rules
  • [Enhancement] [RHEL/7] [Fedora] New OVAL for 'bootloader_nousb_argument' rule
  • [Enhancement][RHEL/7] Add firewalld_sshd_disabled check and enable RHEL7 make validate
  • [BugFix] [Infrastructure] Replace separate Fedora and RHEL-7 OVALs for
    chronyd_specify_multiple_servers.xml rule with shared one from shared/oval/oval_5.11
  • [BugFix] [Infrastructure] Replace Fedora and RHEL-7 specific OVALs for
    "chronyd_specify_remote_server.xml" rule with one shared OVAL from shared/oval/oval_5.11 directory
  • [BugFix] [Infrastructure] Split shared OVAL for 'ntpd_specify_multiple_servers' rule
    into two separate RHEL/6 and RHEL/7 OVALs
  • [BugFix] [Infrastructure] Split shared OVAL for 'ntpd_specify_remote_server' into separate RHEL-6 and RHEL-7
    version
  • [Enhancement] [RHEL/6] Adding missing C2S rules in RHEL for Section 3
  • [Enhancement] [RHEL/7] Add missing kernel.randomize_va_space OVAL check
  • [Bugfix] Fix aide OVAL expression to allow entries after --check
  • [shared] bootloader_audit_argument rule Allow audit=1 to be matched on GRUB_CMDLINE_LINUX_DEFAULT
  • [BugFix] [RHEL/7] service_nails_enabled OVAL check:
    • Update to list RHEL-7 (not to return 'notchecked' result),
    • Drop <extend_definition> dependency on 'package_nails_installed' (since this was just a result of generating the
      check from template)
  • [Bugfix][RHEL/7] use_kerberos_security_all_exports.xml (Pass if /etc/exports does not contain an export)

New Remediations:

  • [Enhancement] [RHEL/7] [Fedora] New remediation for 'bootloader_nousb_argument' rule

Remediation fixes / other changes:

  • [BugFix] [RHEL/6] Fix multiple issues in 'smartcard_auth' remediation script for RHEL-6,
  • [Enhancement] [Debian/8] Start French ANSSI references integration,
  • [BugFix] [shared] Fix behaviour of 'perform_audit_rules_privileged_commands_remediation' helper remediation function,
  • [BugFix] [shared] Fix behaviour of 'package_command' remediation function (While on Fedora (after UsrMove Feature) the rpm is in /usr/bin/rpm and /bin/rpm, RHEL-6 systems have rpm utility only in /bin/rpm),
  • [Enhancement] [Debian/8] add support for ANSSI table reference build
  • [Enhancement] Update UMASK remediations (Moved RHEL6 accounts_umask_etc_bashrc.sh to shared, Created accounts_umask_etc_csh_cshrc.sh)
  • [Enhancement] Remediations for accounts_umask_etc_bashrc and accounts_umask_etc_csh_cshrc rules -- Update remediation platform tag to multi_platform_rhel
  • [Enhancement] Update kickstarts with static IP references
  • [Enhancement][Firefox] Use the new Firefox remediation functions
  • [Enhancement][Firefox] Add Firefox .js and .cfg functions to remediation_functions
  • [Bugfix] Send parenthesis to function for firefox_preferences-lock_settings_config_file.sh
  • [BugFix] disable unused checking file digest differs by rpm (Checking file digest differs causes full-file scan, but in this case we are just interesting in mode differs.)
  • Quote the format variable to allow for spaces in the pattern
  • Use replace_or_append function to edit sshd_config

Build System Bug Fixes:

  • [BugFix] [Infrastructure] Fix failing [RHEL/7] 'make' on RHEL-6 system with openscap supporting just OVAL-5.10 (openscap-1.0.*) (2016-02-08)
  • [BugFix] [RHEL/7] Don't verify OVAL checks references for "service * enabled / disabled" OVAL checks in the case we are building RHEL/7 "make validate" target with openscap-1.0.x
  • [BugFix] [Infrastructure] Fix 'make content' target circular dependency issues in: Fedora/Makefile and Webmin/Makefile Fixes: #1118

Infrastructure:

  • [BugFix] shared/utils/enable-derivatives.py -- Fixed whitespace in the SL warning
  • [BugFix] [Infrastructure] Modify "count_oval_objects" helper script not to act on remotely referenced OVAL
  • [BugFix] [Infrastructure] shared/utils/count_oval_objects.py helper
    Fix issues pointed out in:
  • [Update] [Infrastructure] Update the version of referenced PCI DSS PDF document (since latest version is v3.1 from April 2015)
  • [BugFix] [Infrastructure] shared/utils/count_oval_objects.py helper
    Fix issue from:
  • [BugFix] [RHEL/6] Point 'DISA FSO' RHEL-6 <rule_version> IDs to official URI of DISA FSO RHEL-6 STIG Zip archive instead of to http://cce.mitre.org
  • [BugFix] [RHEL/6] Per #1036 (comment) update the link to DISA FSO RHEL-6 rule IDS to be more universal (point to DISA STIGS OS unix-linux URI instead)
  • [BugFix] [RHEL/6] Add the xccdf:metadata element to RHEL/6 benchmark Fixes: #1041
  • [BugFix] [RHEL/6] Define also "cpe:/o:redhat:enterprise_linux:6::client" CPE as OVAL CPE item in RHEL-6 CPE
    dictionary Fixes: #1042
  • [BugFix] [Infrastructure] Fix the situation of having two 'multi_platform_rhel' OVAL checks for 'package_abrt_removed' in two different locations
  • [BugFix] [Infrastructure] Fix 'package_at_removed' OVAL check build system ambiguity
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_audit_installed' OVAL check
  • BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_bluez_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_chronyd_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_cronie_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_firewalld_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_iputils_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_nfs-utils_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_ntp_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_oddjob_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity wrt to 'package_qpid-cpp-server_removed' OVAL check
  • [Enhancement] [Infrastructure] 'relabelids.py' helper script -- compare XCCDF ID for match with both OVAL and OCIL ID
  • [BugFix] [Infrastructure] Replace EXSLT date:date() function call with EXSLT date:date-time() which returns timestamp in the format of xs:dateTime (see http://exslt.org/date/functions/date-time/ )
  • [Infrastructure] shared/utils/verify-references.py helper script:
    • Replace 'ocil-transitional' check system in 'get_ovalfiles()' routine with official OCIL-2.0 check system,
    • When performing the verification if all XCCDF rules reference valid OVAL checks skip
      elements having OCIL-2.0 as the check-system (since we are verifying sanity of XCCDF vs OVAL IDs here)
  • [BugFix] [Infrastructure] Create XCCDF and DataStream benchmark from intermediary XML having OCIL checks
    already expanded for official OCIL-2.0
    Fixes:
  • [Enhancement] [Infrastructure] Add RHEL6/7 Compute Node CPEs
  • Enhancement] [Infrastructure] Be more explicit WRT to "$(OUT)/xccdf-unlinked-ocilrefs.xml" so the motivation behind the change is immediately clear (Update WRT to https://github.com/OpenSCAP/scap-security-guide/pull
    /1050#discussion_r53675404 )
  • [Enhancement] [Infrastructure] shared/transforms/relabelids.py helper Modify the output error message shown
    depending on the fact if OVAL or OCIL ID didn't match the XCCDF ID (Update per: #1050 (diff))
  • [Enhancement] Add new JBoss directory structure
  • [BugFix] [RHEL/6] Add "cpe:/o:redhat:enterprise_linux:6::computenode" xccdf:Platform definition into RHEL-6 CPE dictionary
  • [BugFix] Add "style=SCAP_1.1" attribute to produced XCCDF 1.1 SSG benchmarks and "style=SCAP_1.2" attribute to produced XCCDF 1.2 SSG benchmarks Fixes: #1059
  • [Bugfix][Firefox] Clean up directories and files (Remove unused templates, Standardize layout/files with existing RHEL structure)
  • [BugFix] [Firefox] Clean up Makefiles, Guides, and DISCLAIMER
  • [bugfix][infrastructure] Update make clean to remove unused content
  • [Enhancement] Build OpenStack OSP7 content as part of the build process
  • [Enhancement][JBoss/EAP5] Update JBoss EAP5 v2
    • Add empty JBoss STIG profile
    • Add guide.xml and guide.xslt
    • Create new JBoss XCCDF content structure broken out into groups
    • Break out groups into new xml files from eap5-xccdf.xml
  • [Enhancement][JBoss/Fuse] JBoss Fuse Enhancements
    • Add empty JBoss Fuse STIG profile
    • Add guide.xml and guide.xslt
    • Create new JBoss XCCDF content structure
    • Break out groups into new xml files from ssg-fuse6-xccdf.xml
  • [Enhancement][JBoss/EAP] Update eap5 CPE dictionary
  • Don't build the RPM by default when running make
  • [BugFix] [Infrastructure] For each XCCDF rule ID having and CCE element set add corresponding CCE identifier in the form of: also to the (not remote) OVAL check related to this XCCDF rule (not remote OVAL check referenced from that XCCDF rule) Fixes (majority of issues in): #1092
  • [BugFix] [Infrastructure] relabelids.py helper script -- during the process of creation of the XCCDF and OVAL documents: * ssg-$(PROD)-xccdf.xml, and * ssg-$(PROD)-oval.xml ensure every local OVAL definition referenced in XCCDF file is truly defined / implemented in the OVAL file. Drop the XCCDF's OVAL reference if not.
  • [Enhancement][Fuse/6] Finalize Fuse content to new format
  • [BugFix] Merge STIG and OSPP profile (STIG profile should inherit OSPP, and only included DoD-specific refinements (e.g. against future OSPP DoD Configuration Annex). Moved rules into RHEL7 OSPP profile that map directly to OSPP requirements, retained DoD-specific refinements in STIG profile),
  • [BugFix] [Infrastructure] Introduce new datastream_move_ocil_to_ds_checks.py SSG transformation as a temporary SSG workaround for the OpenSCAP bug: [1] OpenSCAP/openscap#364 when dealing with OCIL components in datastream format
  • [BugFix] [Infrastructure] Apply the newly introduced datastream_move_ocil_to_ds_checks.py transformation to various SSG products producing datastream format of the benchmark This is a workaround for:
    [1] OpenSCAP/openscap#364
  • [BugFix] [Infrastructure] Update datastream_move_ocil_to_ds_checks.py helper script in order to "oscap ds sds-validate" to succeed
  • [BugFix] [Infrastructure] Add fix for issue #1096: #1096
  • [BugFix] [Infrastructure] Fixes for issues #1100 and #1101
  • [BugFix] [Infrastructure] Perform xccdf:Value 'type' to corresponding OVAL variable 'datatype' data export constraint verification. Also fix the 'type' attribute of those xccdf:Values where the content does not meet the constraint Fixes: #1089
  • [BugFix] [Infrastructure] Per #1191 set @schematron-version in produced datastreams from "1.0" to "1.2"
  • [BugFix] [Infrastructure] Update xccdf-ocilcheck2ref.xslt transformation to also remove xccdf:check-export OCIL elements of the form e.g.: '<xccdf:check-export export-name="no line is returned" value-id="conditional_clause"/>' since these were used only in the previous stage of the build to append the correct question to the particular OCIL element
  • [BugFix] [Infrastructure] Drop the "conditional_clause" xccdf:Value from the final XCCDF benchmark since it is required only to expand OCIL macros during the OCIL content build
  • [Enhancement][Fuse/6] Finalize Fuse content to new format
  • [BugFix] [Infrastructure] Fix for issue #1191
  • [BugFix][Infrastructure] Add quotes to '*.' in find command usage
  • [Blocker] [BugFix] [Infrastructure] [RHEL/7] use_kerberos_security_all_exports OVAL Drop useless dependency on "package_nfs-utils_removed" OVAL check Fixes: #1196
  • [BugFix] [RHEL/6] Fix XCCDF to OVAL data export constraints warnings Update 'type' attribute on selected XCCDF:Values to quit the XCCDF to OVAL data export constraints warnings for RHEL/6
  • [BugFix] [RHEL/6] [RHEL/7] Fix more XCCDF to OVAL data export constraints warnings
  • [BugFix] [RHEL/5] Fix XCCDF to OVAL data export constraint warning
  • [BugFix] Fix for issue #1206 (comment)
  • [BugFix] [Infrastructure] Specify correct OVAL datatype when passing 'var_accounts_tmout' variable to specific OVAL state
  • [BugFix] [Infrastructure] When populating shell variable into corresponding xccdf:Value in remediation scripts don't remove the inclusion of the remediation_functions library (because in the case there's also some other remediation function called besides populate() the resulting remediation script won't be functional)
    Fixes: #1075
    Fixes: #1075 (comment)
    Fixes: #1207 (comment)
  • [BugFix] Drop the duplicate inclusion of the remediation_functions library from the following remediation scripts:
    • selinux_policytype.sh
    • selinux_state.sh
  • [BugFix] [RHEL/7] Replace buggy implementation of accounts_passwords_pam_*.sh remediation scripts with use of SSG internal replace_or_append() remediation function
    Fixes: #1085
    (all the rules except "accounts_password_pam_retry" which needs slightly
    more testing => part of future PR)
    Fixes (downstream): https://bugzilla.redhat.com/show_bug.cgi?id=1309037
  • [BugFix] [Fedora] Fix for issue #1220 Add missing XML sections into Fedora guide to quite the warning when issuing "make content" target on Fedora. Use RHEL-7 prose by dropping CCE identifiers, elements, and replacing RHEL with Fedora (also updating selected links where appropriate / necessary) Fixes: #1220
  • [BugFix] [Infrastructure] Produce the resulting OCIL file with the filename in the form "ssg-$(PROD)-ocil.xml" rather than with the current 'ocil-ssg.xml' file
  • [Infrastructure] [Enhancement] Include the produced "ssg-$(PROD)-ocil.xml" OCIL file into the "dist" make target when generating SCAP content specific SSG products
  • [BugFix] [Webmin] Drop the "ssg-webmin-ocil.xml" from the "dist" target since for Webmin OCIL file isn't produced
Check out latest releases or
releases around ComplianceAsCode/content v0.1.29

Don't miss a new content release

NewReleases is sending notifications on new releases.

Get notifications