Highlights (in order the changes have been merged):
- [Enhancement] [RHEL/7] Port existing CNSS No.1253 (nist-CL-IL-AL) profile from RHEL-6 to RHEL-7 (Fixes #858)
- [Enhancement] [RHEL/7] Content passes ScapVal-1.2.14.1 requirements
- [Enhancement] [RHEL/7] Assign CCE identifiers to RHEL-7 rules
- [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
- [Enhancement] [Debian/8] Add a profile for each ANSSI hardening level for NP targets (ansi_np_nt28_eleve, ansi_np_nt28_intermediaire, ansi_np_nt28_minimal, ansi_np_nt28_restreint)
- [Enhancement] Don't rely on absolute path of the shell remediation functions library to be able to perform remediations (remediations are now part of benchmarks themselves)
XCCDF changes / enhancements:
- [Fedora] Separate dconf settings into dedicated 'Gnome Desktop Environment' XCCDF section
- [RHEL/6] Move most GNOME checks into their own file, Add new GNOME XCCDF and OVAL content (Fixes #1205)
- [Enhancement][RHEL/7] Create a STIG for GUI-enabled systems (Create a RHEL7 GUI STIG, Create a RHEL7 Workstation STIG for future use, Remove DConf checks from the stig-rhel7-server-upstream profile and add to the new stig-rhel7-server-gui-upstream profile) (Fixes #481)
- [BugFix] [RHEL/7] Fix multiple invalid selector warnings when scanning against "stig-rhel7-server-upstream" profile
- [BugFix] [RHEL/6] [RHEL/7] Add warning note for ctrl-alt-delete key sequence
- [Enhancement][RHEL/6] Add STIG GUI profiles for RHEL6
- [Enhancement][RHEL/7] Disable CTRL-ALT-DEL in GUI profile
- [Enhancement][RHEL/7] Add SELinux boolean XSLT macros (Add a single enable/disable SELinux boolean macro, Add a single enable/disable SELinux boolean check macro)
- [Enhancement][RHEL/7] STIG updates for yum (Fixes #1122, Fixes #1123, Fixes #1124)
- [Enhancement][RHEL/7] STIG update for sssd content (Add new SSSD content, Fixes #1158, Fixes #1157, Fixes #1156, Fixes #1017)
- [Enhancement][RHEL/7] STIG update for PAM settings (Fixes #1136, Fixes #1155, Fixes #1159)
- [Enhancement][RHEL/7] Add RHEL/7 STIG Reference Identifiers (Add RHEL/7 STIG identifier, Add RHEL/7 OS URI Link)
- [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
- [Enhancement][RHEL/7] Add initial sudoers content (Add initial sudo content to check for NOPASSWD and !authenticate in sudoers for RHEL7 STIG, Fixes #1015)
- [Enhancement][RHEL6/7] Add FIPS XCCDF and OVAL content (Adds FIPS GRUB & GRUB2 XCCDF and OVAL content, Fixes #998)
- [Enhancement][Fedora][RHEL/7] Add UEFI XCCDF/OVAL content (Add new UEFI XCCDF/OVAL content, Make sure the check does not fail if /boot/grub2.cfg or /boot/efi/EFI//grub.cfg does not exist, Fixes #1162)
- [BugFix] [RHEL/7] [Fedora] Update form of 'disable_interactive_boot' rule for Systemd (RHEL/7, Fedora) based systems (update all XCCDF, OVAL, and remediations)
- [Bugfix] Move Chromium XCCDF content to XCCDF directory
- [BugFix] Fix FIPS GRUB XCCDF and OVAL content
- [BugFix] [RHEL/6] [RHEL/7] [Fedora] Rewrite XCCDF prose for 'no_shelllogin_for_systemaccounts' rule not to mention hardcoded UIDs (use UID_MIN instead)
- [BugFix] Fix unreferenced 'file_permissions_ungroupowned' OVAL for Fedora content (https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/400/label=node-el6-openscap-new/consoleFull)
- [BugFix] [RHEL/6] [RHEL/7] [Fedora] Modify 'standard' profiles to comment out the rules currently returning a 'notapplicable' result (the reasons need to be investigated and fixed before these rules are re-enabled)
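The sudoers content added above checks for NOPASSWD and !authenticate. The following is an added example, not code from the project, of how such a check can be implemented so that it ignores comments and handles backslash-continued rules (the sample sudoers text is constructed for illustration; the helper names are this example's own):

```python
import re

# Constructed sample sudoers content (not taken from any real host).
SAMPLE_SUDOERS = """\
# Comment lines and Defaults are not rules
Defaults    requiretty
root    ALL=(ALL)       ALL
# NOPASSWD mentioned only in a comment: must not be flagged
%wheel  ALL=(ALL)       NOPASSWD: ALL
deploy  ALL=(ALL)       !authenticate
backup  ALL=(root)      /usr/bin/rsync, \\
                        /usr/bin/tar
alice   ALL=(ALL)       ALL
"""

# Tokens that grant sudo without authentication.
_FLAG_PATTERN = re.compile(r"\bNOPASSWD\b|!authenticate\b")


def _logical_lines(text):
    """Join backslash-continued lines into single logical lines and drop
    blank lines and comments, so a flag split across lines is still seen."""
    out = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        buf = ""
        if not stripped or stripped.startswith("#"):
            continue
        out.append(stripped)
    tail = buf.strip()
    if tail and not tail.startswith("#"):
        out.append(tail)
    return out


def find_unauthenticated_sudo(text):
    """Return (rule, token) for every non-comment sudoers rule that grants
    passwordless sudo through NOPASSWD or the !authenticate option."""
    findings = []
    for line in _logical_lines(text):
        m = _FLAG_PATTERN.search(line)
        if m:
            findings.append((line, m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, token in find_unauthenticated_sudo(SAMPLE_SUDOERS):
        print("%s: %s" % (token, rule))
```

On a real host the same function would be run over /etc/sudoers and each file under /etc/sudoers.d; the directive lines (#include, #includedir) start with '#' and are skipped, so included files have to be scanned explicitly.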
OVAL check changes / enhancements:
- [BugFix] [RHEL/7] Fix for issue #1227
- [Enhancement][RHEL/7] Add SELinux OVAL templates (Add initial sebool OVAL templates, Create new shared/template folder for future template consolidation work)
- [BugFix] Update RHEL/5 'file_permissions_ungroupowned' OVAL to use the shared version
- [Enhancement] Add PPC and PPC64LE System Architecture (Add PPC and PPC64LE OVAL checking support)
- [Enhancement] Examine /etc/profile.d/*.sh for TMOUT
- [BugFix][RHEL6/7] Add IPv6 equivalents to IPv4 sysctl (Adds IPv6 XCCDF/OVAL content equivalent to the IPv4 sysctl XCCDF/OVAL content. NOTE: not every IPv4 sysctl XCCDF/OVAL item has a corresponding IPv6 sysctl equivalent, Fixes #1214)
- [BugFix] [RHEL/7] Check for FIPS in the DEFAULT GRUB line if a DEFAULT line exists
- [BugFix] [shared] Rewrite OVAL for 'no_shelllogin_for_systemaccounts' rule so it no longer always checks the hardcoded <0, 499> UID range (UID_MIN is used instead)
- [BugFix] [RHEL/7] Modify RHEL-7 OVAL for 'install_PAE_kernel_on_x86-32' rule so it does not fail on 64-bit (any non-32-bit) systems
- [BugFix] Fix indentation issue for file_permissions_ungroupowned OVAL (https://github.com/OpenSCAP/scap-security-guide/pull/1296/files#r67556952)
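The 'no_shelllogin_for_systemaccounts' change above (in both the XCCDF prose and the OVAL) replaces a hardcoded 0-499 UID range with UID_MIN from /etc/login.defs. The following is an added example, not the project's OVAL, showing why that matters: a system account created with a UID between 500 and UID_MIN is missed by the old range but caught by the new one. The login.defs and passwd samples are constructed; the fallback of 1000 when UID_MIN is absent is an assumption (the shadow-utils default):

```python
# Constructed sample files (not from a real system).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs excerpt
MAIL_DIR        /var/spool/mail
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
svc-backup:x:998:998:backup svc:/var/backup:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Shells that deny interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def read_uid_min(login_defs_text, default=1000):
    """Parse UID_MIN from login.defs content; fall back to `default` if absent
    (1000 is assumed here as the shadow-utils default)."""
    for line in login_defs_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "UID_MIN":
            return int(parts[1])
    return default


def system_accounts_with_login_shell(passwd_text, uid_min):
    """Return names of accounts with 0 < UID < uid_min whose login shell is
    interactive. root (UID 0) is exempt, as the rule only targets system accounts."""
    offenders = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip rather than crash the scan
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid < uid_min and shell not in NOLOGIN_SHELLS:
            offenders.append(name)
    return offenders


if __name__ == "__main__":
    uid_min = read_uid_min(SAMPLE_LOGIN_DEFS)
    print("UID_MIN =", uid_min)
    print("system accounts with a login shell:",
          system_accounts_with_login_shell(SAMPLE_PASSWD, uid_min))
```

With the constructed input, UID_MIN is 1000 and 'svc-backup' (UID 998, /bin/bash) is reported; with the old fixed upper bound of 499 it would pass unnoticed.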
Build System Bug Fixes:
- [Enhancement][BugFix] JBoss Fuse 6 build fixes & enhancements (Part of #1046)
- [BugFix] Minor JBoss 6 build fixes
- [BugFix] [RHEL/7] Generate the xccdf:metadata (Dublin Core elements) dynamically for the RHEL-7 benchmark from the content of the Contributors.md file (and other internal variables)
- [BugFix] [Debian/8] [Fedora] [Firefox] [Chromium] [JBoss/Fuse/6] [JRE] [OpenStack/RHEL-OSP/7] [RHEL/5] [RHEL/6] [RHEVM3] [Webmin] Generate the xccdf:metadata element dynamically for the Debian/8 benchmark (and the other listed benchmarks) from the content of Contributors.md and selected internal values
- [Enhancement] [RHEL/7] Apply the newly introduced shell variables and remediation functions XCCDF expansion (translation into xccdf:sub elements) against the RHEL-7 benchmark
- [Enhancement][Infrastructure] Apply the new remediations as xccdf:Value functionality to the remaining benchmarks too (Webmin, RHEVM3, RHEL/6, RHEL/5, OpenStack/RHEL-OSP/7, JRE, JBoss/Fuse/6, JBoss/EAP/5, Firefox, Fedora, Debian/8, and Chromium)
- [BugFix] Multiple fixes in the expand_xccdf_subs() routine of the combineremediations.py helper
- [BugFix] [Infrastructure] Fix currently failing 'make content' for RHEL/6 content due to undefined 'cisuri' variable (Fixes #1288)
Infrastructure:
- [Fedora] Add Fedora 25 CPE to Fedora benchmark
- [BugFix] [Infrastructure] add_cce_id_refs_to_oval_checks routine - When propagating CCE identifiers from XCCDF to a specific OVAL check, verify that the CCE ID has the correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X') (Fixes #1228, #1229, #1230)
- [BugFix] [Infrastructure] Verify if CCE identifiers listed in various SSG XCCDF benchmarks have the correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X')
- [BugFix] Use proper rule names in various RHEL/5, RHEL/6, RHEL/7, and RHEVM3 profiles
- [Bugfix][Infrastructure] Print message for unused remediation scripts during build
- [Enhancement] Don't rely on the absolute path of the remediation functions library when performing remediations (instead, transform the necessary shell variables and remediation function calls into corresponding xccdf:sub elements present directly in the benchmark, Fixes #590, Fixes #1055)
- [Enhancement][Infrastructure] Remove Red Hat identifiers from derivatives
- [Enhancement][Bugfix][Infrastructure] Update constants XSLT
- [Enhancement][Infrastructure] Add new shared_shorthand2xccdf.xslt
- [Enhancement][Infrastructure] Update more content to use shared_shorthand2xccdf.xslt (Enhances Fedora, Debian, RHEL-OSP, and RHEL5/7 to use the new shared_shorthand2xccdf.xslt)
- [Enhancement][Infrastructure] Add auditctl-syscall macro
- [BugFix] [Infrastructure] Introduce $(SHARED)/$(OUT) directory
- [Enhancement] [Infrastructure] Use "hidden" and "prohibitChanges" attributes set to "true" for xccdf:Values representing remediation routines
- [BugFix] [Infrastructure] Perform a sanity check while performing xccdf:sub (idref=...) substitution for remediation functions (exit with failure (1) if some of the functions were not substituted properly)
- [BugFix] [Infrastructure] When performing xccdf:sub substitution, also expand functions called without some of their arguments
- [BugFix] [Infrastructure] If a remediation function recursively calls another remediation function, the called function must be defined as well
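The xccdf:sub work listed in this section (remediation functions carried as hidden, prohibitChanges xccdf:Values; calls expanded whether or not they carry arguments; callees of callees pulled in; a sanity check that fails the build when a call was not substituted) is easiest to see as one small algorithm. The following is an added illustration, not the project's combineremediations.py; the function library, its function names and the output layout are this example's own assumptions:

```python
import re
from xml.sax.saxutils import escape

# Constructed stand-in for the shell remediation function library.
# Function names are hypothetical; the project's real library is not reproduced.
LIBRARY = {
    "ensure_line_present": 'ensure_line_present() {\n  grep -q "^$2" "$1" || echo "$2" >> "$1"\n}',
    "set_sysctl": 'set_sysctl() {\n  ensure_line_present /etc/sysctl.conf "$1 = $2"\n  sysctl -w "$1=$2"\n}',
    "restart_service": 'restart_service() {\n  systemctl restart "$1"\n}',
}

# A call is an identifier at the start of a line, with or without arguments
# (the lookahead accepts end-of-line, so a bare "restart_service" counts too).
_CALL_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?=\s|$)", re.MULTILINE)


def called_functions(script, library):
    """Library functions the script calls directly."""
    return {m.group(1) for m in _CALL_RE.finditer(script) if m.group(1) in library}


def required_functions(script, library):
    """Direct calls plus every function they call in turn, callees first,
    so a function body is always defined before the body that uses it."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for dep in sorted(called_functions(library[name], library)):
            visit(dep)
        order.append(name)

    for name in sorted(called_functions(script, library)):
        visit(name)
    return order


def value_element(name, body):
    """xccdf:Value carrying one function body. hidden/prohibitChanges keep it
    out of tailoring and stop a profile from overriding the definition."""
    return ('<Value id="function_%s" type="string" hidden="true" prohibitChanges="true">'
            '<value>%s</value></Value>' % (name, escape(body)))


def expand_remediation(script, library):
    """Return (value_elements, fix_body): one Value per required function and the
    fix text prefixed with a <sub idref=.../> per function, so the definitions are
    inlined when the benchmark is exported."""
    needed = required_functions(script, library)
    # Sanity check: a library function mentioned in a form the call pattern did
    # not recognise (e.g. "true && set_sysctl ...") would ship undefined at run
    # time. Fail the build instead of emitting a broken fix.
    for name in library:
        if name not in needed and re.search(r"\b%s\b" % re.escape(name), script):
            raise RuntimeError("call to %r was not substituted" % name)
    subs = ['<sub idref="function_%s"/>' % n for n in needed]
    fix_body = "\n".join(subs + [escape(script)])
    return [value_element(n, library[n]) for n in needed], fix_body


if __name__ == "__main__":
    values, fix = expand_remediation("set_sysctl net.ipv4.ip_forward 0\nrestart_service\n", LIBRARY)
    print("\n".join(values))
    print(fix)
```

For the sample fix, set_sysctl pulls in ensure_line_present even though the fix never names it, and the bare restart_service call (no arguments) is expanded like any other; a call hidden behind `true &&` raises instead of silently producing a fix that would fail with "command not found" on the target.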