Highlights
- Remove Red Hat Enterprise Linux 5 content, which reached End-of-Life on March 31, 2017
- Added several templates for OVAL checks
- Removal of input directory
- Many optimizations in build process
- Different title for PCI-DSS Benchmark variants
Profile
- [Bugfix] Refix selector for var_time_service_set_maxpoll
- [Bugfix] Fix selector for var_time_service_set_maxpoll
- [Bugfix] Removed extra whitespace around RHEL6 STIG profile titles
- updated profiles to properly use description override
- [Bugfix] update profiles to accept either DoD banner
- [Bugfix] Fix refined value typo in RHEL6 FISMA profile
XCCDF
- [Enhancement] Add firewalld and LDAP checks
- [Bugfix] Fix for Issue 2264
- [Bugfix] update ntpd maxpoll to align with DISA
- [Bugfix] update severity of RHEL-07-021350 (fips=1) to HIGH to align w/DISA
- [Bugfix] Add variable for dconf_gnome_screensaver_lock_delay
- [Bugfix] Maxpoll should be set if chronyd is in use
- Add dod_banners option to banner_login_text
- [Bugfix][Enhancement] Package firewalld installed
- [Bugfix] Use profile variable settings for login.defs to clear up scan results confusion
- STIG Updates
- RHEL-07-040460 - UsePrivilegeSeparation sandbox
- [Bugfix] CCE for insmod auditing
OVAL
- [Bugfix] change to also check inside of /etc/security/limits.d to verify core …
- [Bugfix] Check if SSH keys are present before validating file permissions
- [Bugfix] Update accounts_passwords_pam_faillock_deny to handle line skipping
- [Bugfix] Check if aide is installed in OVAL and remediation scripts
Remediations
- [Bugfix] Fixing issue 2205
- [Bugfix] Ansible branch for issue 2205 RHEL 7.3 error: rpm_verify_permissi..
- [Bugfix] re-enable remediation for net.ipv6.conf.all.disable_ipv6 = 1
- [Ansible] ansible: account_disable_post_pw_expiration
- Ansible accounts umask etc login defs
- [Ansible] ansible: sssd_*
- [Enhancement] dconf_gnome_screensaver_* ansible scripts
- [Enhancement] GDM ansible scripts
- [Enhancement] Set rsyslog_remote_loghost_address to default value "logcollector"
- [Ansible] Creates file_permissions_* ANSIBLE remediation
- [Ansible] Creates file_owner_* ANSIBLE remediation
- [Ansible] ansible: dconf_gnome_disable_*
- [Enhancement] Creates file_groupowner_* Ansible remediation
- [Bugfix] Removes silent from the pam.d deny_root search/replace pattern
- [Bugfix] fix audit syscall rule sed needs an escape character to properly run
- [Bugfix] Adding update to fix_audit_syscall_rule to not use slashes
- [Ansible] Creates audit_rules_privileged_commands ANSIBLE remediation
- Disable remediation for "repo_gpgcheck=1"
- Additional Ansible Scripts
- [Bugfix] remove nullok, handle links
- [Ansible][Enhancement] Firewalld ansible fixes
- [Ansible][Enhancement] [ansible] security_patches_up_to_date
Infrastructure
- Update Fedora CPEs
- update manpage to have --oval-results in example
- Removes platform column from file_groupowner csv
- [Bugfix] add container_build to gitignore
- [Enhancement] Add "PCI-DSS variant" suffix to every title of the PCI-DSS benchmark
- [Enhancement] Remove input directory
- [Enhancement] docs: How to create stig_overlay.xml
- [Ansible][Enhancement] Creates templates for audit_rules_execution OVAL checks, BASH and ANSIBLE remediations
- [Bugfix] Functions use return, "exit" exits whole script
- [Bugfix][Infrastructure] Don't generate roles for empty profiles
- Minor idtranslate fixes
- [Bugfix][Enhancement] Minor PEP8 fixes in map_product_module.py
- Skip non-bash remediation function script files
- [Bugfix] Rebuild PCI-DSS XCCDF benchmark if the script or PCI-DSS ID json change.
- [Bugfix] Use str.replace instead of re.sub in create_audit_rules_..
- [Enhancement][Infrastructure] Creates template for audit_rules_usergroup_modification OVAL checks
- [Ansible][Infrastructure] Template for audit_rules_privileged_commands
- [Enhancement] Check that a trimmed key is not part of the result string after template sub
- Creates template for audit_rules_login_events OVAL checks and BASH remediations
- [Bugfix] Evaluate sed command
- Creates template for audit_rules_file_deletion_events OVAL and BASH
- [Bugfix] Fixed the variable substitution in template_OVAL_permissions
- Creates template for audit_rules_unsuccessful_file_modification OVAL and BASH
- Sorts the output of option --missing-fix in profile-stats.py
- Fixes bug in relabel-ids.py regarding missing OVAL definitions
- Adds CMakeLists.txt.user to .gitignore
- [Bugfix][Infrastructure] %VAR% for template replace, @var@ for build system replace
- [Bugfix] Dockerfile fixes
- [Infrastructure] Updates python shebangs for virtualenv support.
- [Infrastructure] Pci dss cjis ansible tags
- [Infrastructure] Only consider PCI-DSS related rules when constructing the PCI-DSS tree
- [Infrastructure] Ansible tags improvements
- [Enhancement][Infrastructure] Minor speedups in templates
- [Enhancement][Infrastructure] Minor cmake improvements
- [Enhancement][Infrastructure] Version bump
- [Bugfix][Enhancement][Infrastructure] Improved OVAL and OCIL generator elements
- [Bugfix][Infrastructure] Combine ovals namespace fixes
- [Bugfix] Pass the correct variable to the template in create services disabled
- [Infrastructure] Make schematron OVAL validation optional but still default it to true (build time optimization)
- [Infrastructure] Very minor optimization in srgmap XSLT (build time optimization)
- [Infrastructure] Make SSG build more portable
- [Bugfix][Disa Content Issues] Include AIDE installed in the STIG profile for RHEL7
- [Infrastructure] Make stats
- [Infrastructure] Generate roles from xccdf
- [Infrastructure] Don't list templating file outputs as explicit deps for the targets (build time optimization)