Highlights
- New License - BSD-3 Clause
- New Profiles introduced for development
  - ANSSI
  - HIPAA
  - C2S-Docker
- Adoption of CTest for schema validation
- Several remediation fixes
Profiles
- [Enhancement] Add initial C2S Docker Profile
- [Bugfix] This is a shorthand XCCDF, not the actual XCCDF 1.1, the xmlns makes …
- [Bugfix] It's HIPAA, not HIPPA
- Add some rules for protection of data in transit and adequate capacity to ensure availability for HIPAA
- Add anssi reference to rsyslog_service_enabled
- [Enhancement] Add initial HIPAA profile
- [Enhancement] Added "anssi" profile to the RHEL7 product
- [Bugfix] Fix ID of RHEL6 DISA STIG Profile
- Fixing reference to outdated PAM configuration manual
XCCDF
- [Bugfix] Add override to C2S-docker Profile
- [Bugfix] Fix kernel module loading and unloading rules
- Grub2 password fix
- [Bugfix] Specify default account expiration value
- [Bugfix] Specify default LUKS cipher and minimum key size
- [Bugfix] Reference real files instead of procfs and sysfs files
OVAL
- update to match all supported EAP 6 releases
- Improve OVAL filepath expressions.
- Add check and remediation for RHEL-07-040550 (shosts.equiv)
- Add check and remediation for RHEL-07-040540
Remediation
- [Enhancement] Introduced draft of SSG Bash scripting guidelines.
- [Bugfix] Fixes #2607 - audit_rules_login_events
- [Bugfix] Enable correct ansible template for file modification audit rules
- [Bugfix] Fix Ansible remediations broken by Ansible bug.
- [Bugfix] Fixed the banner enablement option name.
- [Bugfix] Add Ansible pre-task version checking for Ansible roles
- [Bugfix] Remove duplicate install_smartcard_packages BASH script
- [Enhancement] Ensure libsemanage-python is installed or Ansible SELinux boolean tas…
- [Bugfix] Fix chronyd or ntpd set maxpoll
- [Bugfix] fixed syntax issue with sed in auditd_data_retention_space_left.sh
- [Ansible] Hooksie1 ansible pam faillock
- [Bugfix] Add some of the missing BASH remediations
- [Bugfix] Disable service remediation fails if service is not installed - ansible
- [Bugfix] Check if prelink is installed before trying to disable
- [Bugfix] updated kernel module loading init and delete to use b32 and b64
- [Bugfix] fixed rpm_verify_permissions to use 4th field in cut statement
- [Bugfix] Fix UsePrivilegeSeparation ansible remediation
- [Bugfix] updated key variable to recognize both -k and -F key=
- [Bugfix] reset IFS back to default in ensure_redhat_gpgkey_installed.sh
- [Infrastructure][Bugfix] fixed template_BASH_sebool_var with valid bash syntax
SSG Test Suite
- [Ssgtestsuite] Add tests for accounts_passwords_pam_faillock_deny
- [Ssgtestsuite] Tests for ctrlaltdel burstaction and audit rules time
- Changed test suite benchmark specification to use Ref-Id.
- Update rule_sshd_use_priv_separation test to check for sandbox value
- [Ssgtestsuite] Add test coverage for rule_accounts_have_homedir_login_defs
- [Ssgtestsuite] Add test scenarios of rule_umask_for_daemons.
- [Ssgtestsuite][Bugfix] Small test suite tweaks
- [Ssgtestsuite] Better bash remediations tests.
- Add tests accounts umask etc login defs
- [Ssgtestsuite] Add scenario remediation parameter and fix sshd test scenarios
Infrastructure
- Update Contributors list for release v0.1.38
- [Infrastructure][Bugfix] Glob source xccdf files recursively
- [Infrastructure][Ansible] Script to auto-upload / update ansible galaxy roles from SSG
- cmake/SSGCommon.cmake: added check for override attribute
- HTML table sanity check
- [Easy Fix] Avoid 3 copy paste definitions of subprocess_check_output
- Initial docs about ctest and adding tests to the cmake build system
- [regression] Import ssgcommon in profile-stats
- [Bugfix] New License
- [Infrastructure][Enhancement] Use ctest instead of make validate
- [Infrastructure][Bugfix][Enhancement] Update Vendor String in python files to ssgcommon.py
- [Enhancement] Added description how to write new rules.
- HTML tables for ANSSI Rules in RHEL7
- [Bugfix] Fatal error if user attempts in-source build
- [Infrastructure][Enhancement] Add common python module for centralizing reusable code
- [Infrastructure][Bugfix] Apply to XCCDF file only the Rule and Group elements that apply to product being built
- [Infrastructure] Added scanner of STIG IDs for rules in STIG profiles.