Highlights:
- DISA RHEL7 STIG profile alignment improved
- Introduction of remediation roles
- RPM and DEB test packages are built by CMake with CPack
- Lots of remediation fixes
Profile:
- adding initial SELinux booleans to OSPP
- [Bugfix] Fix user login in RHEL7-OSPP kickstart
- [Enhancement] Sorted rule names in OSPP profile
- Update ftp profile title to proper form
- [RHEL7] Update STIG profile names
- [Bugfix] Fixed a typo in title of the FISMA profile for RHEL6
- [Enhancement][SSG-DISA RHEL7 STIG Alignment] Additional DISA STIG alignments
- Debian 8: ntpd service name is "ntp"
- [RHEL7][SSG-DISA RHEL7 STIG Alignment] DISA STIG refactoring
XCCDF:
- [issue 1842] nosuid on /home
- update SSH checks with full list of FIPS Ciphers and MACs
- update sshd xccdf/oval rules
- XCCDF profile descr <= 80 chars, added periods, assigned missing CCEs
OVAL:
- [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Evaluate if var_ntp_set_maxpoll is less than or equal
- [Enhancement][RHEL7] Use variables in SELinux boolean OVAL content and enable in XCCDF
- [Bugfix][RHEL7] update enable_dconf_user_profile to check if dconf installed
- [Bugfix] Make rsyslog_remote_loghost scapval compliant
- [Bugfix] Change external_variable accounts_umask_etc_login_defs
- [Bugfix] Fix file_owner_cron_allow and file_groupowner_cron_allow checks
Remediations:
- fix for ensure_redhat_gpgkey_installed remediation
- Improve reliability of smartcard_auth remediation
- Added remediation for aide_scan_notification rule.
- [Bugfix] Fix remediation for accounts_logon_fail_delay
- [Bugfix] Use "unset IFS" instead of "unset $IFS"
- [Enhancement] Relabel when SELinux state is changed
- [SSG-DISA RHEL7 STIG Alignment] Issue #1875: Add a remediation script for aide_verify_ext_attributes
- [SSG-DISA RHEL7 STIG Alignment] Issue #1874: Add a remediation script for aide_verify_acls
- [SSG-DISA RHEL7 STIG Alignment] Issue #1876: Add remediation script for aide_use_fips_hashes
- [SSG-DISA RHEL7 STIG Alignment] Issue #1886: Add a remediation for rsyslog_remote_loghost
- [Bugfix] [issue 1930] remove double quote from audit_rules_* remediations
- [Bugfix] Fixed pam_faillock_deny_root remediation for RHEL 7.
- [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Disable prelink in grub2_enable_fips_mode.sh
- [SSG-DISA RHEL7 STIG Alignment] Issue #1889: remediation sshd_use_approved_macs
- [SSG-DISA RHEL7 STIG Alignment] Remediations for /etc/cron.allow ownership
- [SSG-DISA RHEL7 STIG Alignment] Issue #1880: Fix remediation for grub2_enable_fips_mode
- [SSG-DISA RHEL7 STIG Alignment] Add remediations for mount options of removable partitions
- [SSG-DISA RHEL7 STIG Alignment] missing and broken remediations
- [Bugfix] RHBZ #1403905: Fix rules for removable media properties
Infrastructure:
- Use @CCENUM@ instead of $CCENUM for the token replacement
- [Infrastructure] Remove stig-integration-stats.sh in favor of profile_stats.py
- [Infrastructure] Build remediation roles
- Re-enable generation of SELinux booleans OVAL checks from templates
- [Bugfix] Protect variable expansion in replace_or_append
- [Bugfix] Fix variable expansion in sysctl templates
- Update manual on how to build a tarball, package and zipfile
- [Infrastructure] Self implement subprocess.check_output for python 2.6
- [Infrastructure] Bring shellcheck back
- [Infrastructure] Fix svg detection
- [Infrastructure] Build guides into build/guides instead of directly into build/
- [Infrastructure] Build tables into build/tables
- [Infrastructure] Remove global Makefile as cmake is the build system now
- [Infrastructure] Drop OVAL checks whose extend_definition refs don't exist
- [Infrastructure] Build zipfiles through CMake
- updated README for Debian installation procedure
- [Infrastructure] Enable building of RPM and DEB packages with CPack
- [Bugfix][Infrastructure] Remove refresh-stig-refs.sh as it is replaced by create-stig-overlay.py
- [Enhancement][Infrastructure] Update User and Developer guides to asciidoc format
- [Infrastructure] Install kickstarts
- [Infrastructure] Depend on the CPE dict when generating CPE files
- [Enhancement] Add create-stig-overlay.py for STIG overlay generation