Highlights
- Unification of where templates and CSV files reside
- Optimization and clean up of build system
- Lots of Ansible remediations added
- Bash remediation functions file is now generated by build system
Profile
- [Bugfix] Remove RHEL STIG in Debian content
- Fixed typo in OSPP profile
- [Bugfix] Updating STIG References for RHEL7
- [Enhancement] Add SUSE11 stig_overlay.xml
- [Bugfix] Use @OverRide for NIST 800 171 CUI profile
XCCDF
- [Bugfix] Fix typo in mount_option_home_nosuid
- [Enhancement] Add 'requires' and 'conflicts' to Rules and Groups in XCCDF XSLT templates
- [Enhancement] Move OpenStack XCCDF to shared XCCDF
- Add support for NT28(R5) for Debian & Ubuntu
- [Enhancement] Update SUSE11 and 12 XCCDF content to use shared XCCDF content
- Fixed some SSSD related references
- Fix more Red Hat guide links
- [Bugfix] Update link to RHEL SysAdmin Guide - GRUB2 PW protection
OVAL
- [Bugfix] Fix Webmin OVAL content by removing unnecessary definition check
- [Bugfix] Check pam_retry OVAL check for cracklib configuration only for OS versions under 7
- [Bugfix] Handle new Oracle JRE RPM naming scheme
- [Bugfix] Fix prelink OVAL check
- [Bugfix] Remove EAP5 references in EAP6 content and add temp OVAL file for builds to pass
- [Enhancement] Provide a comment for network_sniffer_disabled
- [Bugfix] Added OVALs for SSSD in RHEL6
- [Bugfix] Fix accounts_have_homedir_login_defs false positive
Remediations
- Initial work on audit_rules_dac_modification templating
- [Bugfix] Fix remediation of commented line of account_disable_post_pw_expiration
- [Enhancement] Update disable post password expiration remediation
- Added Ansible fix for rsyslog_remote_loghost
- [Enhancement] Use templates for ANACONDA mount options remediation scripts
- Added an Ansible remediation for sshd print last log
- Added Ansible remediation for accounts_logon_fail_delay
- Added missing file name needed for checking if aide fix is already done
- [Bugfix] Make the aide_periodic_cron_checking Bash remediation idempotent
- [Bugfix] RHBZ#1461330: Add Anaconda remediation for rule "smartcard_auth"
- [Enhancement] SELinux booleans Bash and Ansible remediation coverage
- [Enhancement] Do not use Jinja separators in when statements in Ansible
- [Bugfix] Fixed unterminated quotes in approved MACs Ansible remediation
- Few more Ansible
- [Infrastructure] Generate remediation functions
- Fixing sed confusion for auditd remediation template
- [Enhancement] Ansible coverage for sysctl remediations
- Shared templates that are applicable everywhere should be marked as such
- [Enhancement] Ansible coverage of accounts password
- [Bugfix] Fix errors in audit remediation Bash scripts
- [Bugfix] Fix no rsh trust files Bash remediation
- SSH Ansible Content
- [Bugfix] Fix typo in ANACONDA static templates
- [Bugfix] Use double dash instead of a single dash in ANACONDA remediation temp…
- Ansible RHEL7 scripts to shared/
Infrastructure
- [Infrastructure] Import template generators (build time optimization)
- [Infrastructure] Sds move ocils optimization (build time optimization)
- [Infrastructure] Use element id cache instead of O(n^2) in combine-ovals.py (build time optimization)
- [Infrastructure] Use xmllint nsclean (build time optimization)
- [Infrastructure] Make build easier, improve error messages
- [Bugfix] Evaluate $sed_command
- [Bugfix] Remove multi-mount option capabilities in mount templates
- [Enhancement] Using create_mount_options.py for RHEL7 rules
- [Infrastructure] --skip-valid when composing datastreams (build optimization)
- [Infrastructure] Optimized relabel ids (build time optimization)
- [Enhancement][Infrastructure] Avoid repeatedly validating input when generating all roles (build time optimization)
- [Infrastructure] Renamed the all roles timestamp marker file
- [Bugfix] Ansible sshd protocol2 extension should be yml, otherwise it won't get picked up
- [Enhancement][Infrastructure] Benchmark stats and CSV output in profile_stats.py
- [Bugfix][Infrastructure] Reset parsed remediation attributes in combine-remediations.py correctly
- Avoid warning about being unable to open output/unlinked-*-oval.xml
- Better profile stats
- Fix 'small' element namespace
- [Bugfix][Infrastructure] Fix JBoss EAP platform mapping
- SubElement would cause 2 appends which is not what we want
- [Infrastructure] Look into parent for oval511 templates
- [Infrastructure] Install remediation roles in content directory
- [Infrastructure] Cmake delete checks remediations
- [Bugfix][Infrastructure] Fix drop of OVAL checks extending non-existing definitions
- [Infrastructure] Build only one test package
- The great move
- [Infrastructure] Removed product-make.include
- combine-remediations and combine-ovals improvements
- [Infrastructure] Use built-in Python ElementTree
- [Infrastructure] OVAL templating clean-up
- [Infrastructure] Use daemon_name instead of service_name if daemon_name differs
- [Bugfix][Infrastructure] Escape the CMAKE_INSTALL_PREFIX again
- [Bugfix][Infrastructure] Build table for ospp-rhel7, not ospp-rhel7-server
- [Bugfix] Generate all roles, not just the last one
- Fix installation path of guides and roles
- [Infrastructure] @ANSIBLE_TAGS@ replacement for Ansible fixes
- [Infrastructure] Use a separate template for OVAL sebool when using a variable