Highlights:
- Add WRLinux product WRLinux8 and WRLinux1019 support (#4594)
- RHEL7 ANSSI profiles are now enabled
- Improvements to profile statistics; check them out in the stats job
- New OVAL, Bash and Ansible macros for rules that check for parameter and value
Profiles changed in this release:
- rhel8: cjis, pci-dss, hipaa, ospp, ospp-mls
- fedora: pci-dss, ospp
- rhel7: ospp42, anssi_nt28_high, C2S, stig, cjis, anssi_nt28_enhanced, anssi_nt28_minimal, hipaa, ccc, anssi_nt28_intermediary, ospp, pci-dss
- ol8: hipaa, cjis, pci-dss, ospp
- wrlinux1019: basic-embedded, draft_stig_wrlinux_disa
- wrlinux8: basic-embedded
- rhel6: C2S, CS2, nist-CL-IL-AL
- chromium: stig
- firefox: stig
- ol7: stig, pci-dss
Profiles:
- Remove unnecessary packages from ospp (#4632)
- Deduplicate profile files. (#4601)
- Fix "No newline at end of file" introduced by 38fe5cf. (#4602)
- Update the RHEL8 profile (#4229)
- Add rhel7 ccc (Common Criteria Certification) profile (#4361)
- Remove firewalld DefaultZone=drop check from rhel7/ccc profile (#4381)
- OL8 profiles update (#4374)
- Remove the sshd_disable_rhosts_rsa rule from OL8 profiles (#4373)
- Update RHEL to Red Hat Enterprise Linux in DISA STIG profile and add language for containers (#4370)
- misc updates to OSPP profile (#4586)
- RHVH/RHELH STIG mappings (#4033)
Rules:
- New rule dnf-automatic_security_updates_only (#4619)
- Pimp ANSSI up and enable it (#4615)
- New rule disable_tmux_status_line (#4631)
- Enable the fapolicyd service for OSPP. (#4623)
- Install fapolicyd for OSPP. (#4622)
- New rule dnf-automatic_apply_updates (#4613)
- Disable storing core dumps. (#4618)
- Enable the usbguard service in OSPP profiles. (#4611)
- Disable Transparent Inter Process Communication (TIPC) Support. (#4603)
- Added a test for uniqueness of CCEs. (#4577)
- Add remaining rules from CC to OSPP (#4599)
- Disable the use of user namespaces. (#4569)
- Finish alignment of RHEL8 OSPP profile with Common Criteria (#4575)
- Enable Kernel page-table isolation. (#4566)
- add sysctl_kernel_unprivileged_bpf_disabled into OSPP (#4584)
- Update OSPP profile with required package checks (#4580)
- Disable CAN Support. (#4572)
- Disable ATM Support. (#4571)
- Disable IEEE 1394 (FireWire) Support. (#4573)
- Update OSPP (#4446)
- Harden the kernel package filter just-in-time compiler operation. (#4564)
- Disable access to network bpf() syscall from unprivileged processes. (#4563)
- Disallow kernel profiling by unprivileged users. (#4547)
- Add nodev,noexec,nosuid options to /var/log and /var/log/audit. (#4543)
- Add nodev Option to /var. (#4542)
- Add nodev Option to /boot. (#4453)
- Add nosuid Option to /boot. (#4452)
- Options memcache_timeout and offline_credentials_expiration are performance-related, not security-related. (#4400)
- Disable chrony daemon from acting as server. (#4445)
- Disable network management of chrony daemon. (#4449)
- Map more rules into ANSSI policy (#4439)
- ANSSI network sysctl (#4345)
- Fix typo. (#4423)
- Use systemd-sulogin-shell to set single-user mode password in RHEL8 (#4407)
- Introduced the "DConf System DBs are in sync with keyfiles" rule. (#4382)
- ANSSI updates (#4351)
- OSP13 Checks (#4364)
- Smartcards auth in OL8 should be done via sssd (#4377)
- Remove dconf_use_text_backend rule from profiles. (#4375)
- Make hardened containers smaller (#4357)
- SCAP 1.3 content adjustments (#4353)
- Generate check and remediation for rules regarding sysctls for links to files you do not own (#4346)
- Add bash remediation, fix oval and add test scenarios for sssd_ssh_known_hosts_timeout (#4352)
- Deduplicate CCE from rule force_opensc_card_drivers. (#4334)
- Rename group sap to sap_host (#4332)
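Several of the rules listed above (the nodev/noexec/nosuid mount options on /boot, /var, /var/log and /var/log/audit; the unprivileged-BPF, BPF-JIT-hardening, perf-event and user-namespace sysctls; the disabled TIPC, CAN, ATM and FireWire modules) reduce to three kinds of check. The script below is an added example and is not content from the ComplianceAsCode/content project, nor how its OVAL checks or remediations are implemented. The expected values (sysctl targets of 1, 2, 2 and 0, and an "install MODULE /bin/true" line per module) are assumptions taken from the rule names rather than from this page, and all sample data is constructed. It operates on caller-supplied text so it runs offline; with --live it reads /proc/mounts, sysctl -a and /etc/modprobe.d instead.

```shell
#!/bin/sh
# Added example (not part of ComplianceAsCode/content): a small, offline audit helper that
# mirrors the intent of some of the OSPP rules listed above. Expected values are assumptions
# based on the rule names; all sample data below is constructed for this example.

# mount_has_opts MOUNTS_TEXT MOUNTPOINT OPT...
# Returns 0 when every OPT is present on MOUNTPOINT, 1 when one is missing,
# 2 when MOUNTPOINT is not a separate mount at all (a finding in its own right).
mount_has_opts() {
    _mounts=$1; _mp=$2; shift 2
    _opts=$(printf '%s\n' "$_mounts" | awk -v mp="$_mp" '$2 == mp { print $4 }')
    [ -n "$_opts" ] || return 2
    for _o in "$@"; do
        case ",$_opts," in
            *",$_o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sysctl_is SYSCTL_TEXT KEY VALUE: 0 when the last "KEY = VALUE" line carries VALUE
sysctl_is() {
    _val=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3 }' | tail -n 1)
    [ "$_val" = "$3" ]
}

# module_disabled MODPROBE_TEXT MODULE: 0 when an "install MODULE /bin/true|/bin/false" line
# exists. A bare "blacklist MODULE" is not enough: it only stops loading by alias, and an
# explicit "modprobe MODULE" still succeeds.
module_disabled() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)[[:space:]]*$"
}

FAILS=0
# check NAME COMMAND [ARGS...]: run one check, report PASS/FAIL on stderr, count failures
check() {
    _name=$1; shift
    if "$@"; then
        printf 'PASS %s\n' "$_name" >&2
    else
        printf 'FAIL %s\n' "$_name" >&2
        FAILS=$((FAILS + 1))
    fi
}

# audit MOUNTS_TEXT SYSCTL_TEXT MODPROBE_TEXT: prints the number of failed checks to stdout
audit() {
    FAILS=0
    check mount_option_boot_nodev_nosuid                 mount_has_opts "$1" /boot nodev nosuid
    check mount_option_var_nodev                         mount_has_opts "$1" /var nodev
    check mount_option_var_log_nodev_noexec_nosuid       mount_has_opts "$1" /var/log nodev noexec nosuid
    check mount_option_var_log_audit_nodev_noexec_nosuid mount_has_opts "$1" /var/log/audit nodev noexec nosuid
    check sysctl_kernel_unprivileged_bpf_disabled        sysctl_is "$2" kernel.unprivileged_bpf_disabled 1
    check sysctl_net_core_bpf_jit_harden                 sysctl_is "$2" net.core.bpf_jit_harden 2
    check sysctl_kernel_perf_event_paranoid              sysctl_is "$2" kernel.perf_event_paranoid 2
    check sysctl_user_max_user_namespaces                sysctl_is "$2" user.max_user_namespaces 0
    for _m in tipc can atm firewire-core; do
        check "kernel_module_${_m}_disabled" module_disabled "$3" "$_m"
    done
    echo "$FAILS"
}

# Constructed samples: /var/log/audit lacks noexec, perf_event_paranoid is too low,
# and atm is only blacklisted, so 3 of the 12 checks fail.
SAMPLE_MOUNTS='/dev/sda1 /boot xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,nodev,relatime 0 0
/dev/mapper/rhel-varlog /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-audit /var/log/audit xfs rw,nosuid,nodev,relatime 0 0'
SAMPLE_SYSCTL='kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.perf_event_paranoid = 1
user.max_user_namespaces = 0'
SAMPLE_MODPROBE='install tipc /bin/true
install can /bin/true
install firewire-core /bin/true
blacklist atm'

if [ "${1:-}" = "--live" ]; then
    # Real host: feed live data in (sysctl -a may need root to read every key)
    audit "$(cat /proc/mounts)" "$(sysctl -a 2>/dev/null)" "$(cat /etc/modprobe.d/*.conf 2>/dev/null)"
else
    audit "$SAMPLE_MOUNTS" "$SAMPLE_SYSCTL" "$SAMPLE_MODPROBE"
fi
```

Running the script without arguments prints one PASS/FAIL line per check on stderr and "3" on stdout for the constructed samples. The return code 2 from mount_has_opts is deliberate: the mount-option rules only make sense when the path is its own mount point, so a missing separate partition should be reported rather than silently passed.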
Tests:
- Do not test empty OVAL 5.10 definition rendered by Jinja (#4638)
- Add tests for kernel_module_firewire-core_disabled rule. (#4605)
- Document combined mode in tests/README.md (#4590)
- install_vm.py: fix for osinfo-detect not working under sudo/su (#4568)
- Remove ansible_playbook_set_hosts function from test suite (#4576)
- Add profile metadata override in rule mode (#4578)
- Fix test scenarios for mount option home nosuid (#4579)
- Fix minlen test scenarios and include RHEL8 platform (#4450)
- Print an error message when rule isn't found (#4454)
- Enable configure_crypto_policy set DEFAULT test scenario for RHEL8. (#4443)
- Enable the (all) virtual profile in the rule-based test suite. (#4441)
- Fix accounts_passwords_pam_faillock_deny test scenarios and move to OSPP (#4447)
- Install just things needed for the sssd service to run. (#4396)
- Add partition rules to mount_options.csv file for RHEL8 and update test scenarios. (#4433)
- Restrict rule_auditd_data_retention_flush test scenarios to RHEL7. (#4434)
- Fix audit rules openat_o_trunc_write test scenarios. (#4438)
- Add verbose output to the verbose logs (#4431)
- Fix broken test scenario name (#4426)
- Add option for extra repository in install_vm.py script. (#4421)
- Change test scenarios for rule rpm_verify_permissions (#4344)
- tests/install_vm.py: Do not abort if ostype detection fails (#4343)
- Use VM install repo URL on the installed system (#4338)
- Workaround SCAPVal 1.3.2 NullPointerException (#4339)
- Use separate partition for /var/tmp in tests/kickstart (#4337)
- Add test wrapper around SCAPVal tool (#4327)
- Fix-ups and remote host support for tests/install_vm.py (#4328)