SSG 0.1.40 Release Notes
The 0.1.40 release has most changes "under the hood". A huge amount of content was de-duplicated, similar checks for slightly different producsts were unified and merged. This has fixed a huge number of imperfections and subtle bugs.
Other highlighs
- SSG can be built by Python3
- SSG build system got unit tests setup.
- Syntax checks of Ansible playbooks have been added to the test suite.
- Project documentation has been updated, expanded, and restructured.
- Dropped support for XSLT in the content in favor of jinja2 macros that are nicer and easier to edit.
- Build system has become more predictable - strict validation for rule identifiers, CCEs and references at build time has been introduced.
- Improved user feedback on more build-time errors.
- Better support for rule checks that use multiple OVAL versions (5.10 and 5.11).
- Made the build system to deduce some properties of producs (e.g. pkg_system from pkg_manager)
- Updated Ansible playbooks, so they don't use deprecated constructs.
- Updated
grepinvocation to useLC_ALL=C, so it is faster and more predictable. - anaconda-populate variable substitution has been fixed.
- Service disable family of rules take the corresponding socket deactivation into account if applicable in check and in remediations.
- Set up jinja2 cache for faster builds.
- Restructure of Python code, which has been divided into the core
ssgpackage,build-scriptsandutils. - Improved the
compare_generated.shtool for inspection of generated content. - The Dockerfile has been modernized, supports Ansible and started to use the Fedora baseimage.
Additions
- Added mcafee_antivirus_definitions_updated OVAL and XCCDF variables
- OpenSUSE Leap 15.0 CPE
- Rules in 0.1.39 that were missing warnings got them.
- Many OL7 additions (+ pci-dss profile stub).
- Added tests of auditd rules to SSG Test Suite.
- dod_banner selector added for RHEL6
- Support augenrules in RHEL6 for audit_rules_dac_modification
Removals
- Removed FIPS remediations as well as RHEL CCEs from CentOS.