github ComplianceAsCode/content v0.1.46
Content 0.1.46

4 years ago

Highlights:

  • SCAP 1.3 Data Streams are now the default (#4755)
    • 1.2 Data Streams are suffixed with -1.2.xml
  • OSPP consolidation (#4705)
    • RHEL7 ospp Profile is renamed to NIST National Checklist Program Profile, under ID ncp.
    • RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
    • RHEL7 ospp42 Profile is deprecated.

Profiles changed in this release:

  • rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
  • wrlinux1019: draft_stig_wrlinux_disa
  • rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
  • rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
  • rhv4: rhvh-stig, rhvh-vpp
  • debian8: standard, anssi_np_nt28_restrictive
  • ubuntu1404: standard, anssi_np_nt28_restrictive
  • ubuntu1604: standard, anssi_np_nt28_restrictive
  • ubuntu1804: standard, anssi_np_nt28_restrictive
  • ol8: ospp, cjis, hipaa, pci-dss
  • fedora: ospp, pci-dss
  • ol7: stig, pci-dss

Profiles:

  • Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
  • Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
  • RHEL OSPP Profile Restructuring (#4754)
  • NCP Profile extends OSPP profile (#4764)
  • Rule grub2_vsyscall_argument is informational in OSPP (#4763)
  • Add support for XCCDF rule-refine (#4750)
  • Profile Restructuring (#4736)
  • Update OL8 HIPAA profile (#4718)
  • Update OL8 CJIS profile (#4719)
  • Adding SELinux rules into OSPP profile (#4735)
  • Fix section titles. (#4738)
  • Remove GNOME rules from rhel7/ospp (#4724)
  • The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
  • When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
  • Cleanup the RHEL7 ccc.profile, minimally (#4691)
  • Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)

Rules:

  • Enable fapolicyd to watch all system mountpoints. (#4773)
  • Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
  • Ensure rsyslog-gnutls is installed. (#4775)
  • IASE was migrated to DOD Cyber Exchange (#4768)
  • Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
  • Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
  • Update CSRF cookie secure (#4761)
  • Add mask_service parameter to services disabled template. (#4633)
  • Add new rhel8 aux gpg pubkey (#4675)
  • Add new package installed rule specific for RHEL8. (#4673)
  • Delete unused/unwanted dconf_use_text_backend rule. (#4684)
  • Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
  • extend oval check of configure_crypto_policy (#4757)
  • Update STIG Antivirus Language (#4745)
  • Log USBGuard daemon audit events using Linux Audit. (#4747)
  • Harden ssh client crypto policy (#4681)
  • Expanded and cleaned up csv templates. (#4739)
  • SSH service rules for SLE12 (#4289)
  • Single rule to configure audit rules for OSPP (#4680)
  • update STIG antivirus language (#4341)
  • Configure tmux to lock session after inactivity (#4737)
  • Prevent user from disabling the screen lock. (#4742)
  • Support session locking with tmux. (#4740)
  • Remove watches since syscall rules cover all cases. (#4706)
  • Update OL8 OSPP profile (#4717)
  • OSPP requirements and selections (#4662)
  • Enable the rngd service for OSPP. (#4733)
  • Move some system-tools rules to organized with their respective configuration rules (#4726)
  • Harden sshd crypto policy (#4663)
  • Set number of records to cause an explicit flush to audit logs. (#4697)
  • Set hostname as computer node name in audit logs. (#4701)
  • Force frequent session key renegotiation. (#4711)
  • Resolve information before writing to audit logs. (#4695)
  • Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
  • Fix typos in auditd_local_events texts. (#4698)
  • Preprocess references and identifiers during the build time. (#4063)
  • Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
  • Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
  • Disable storing core dumps. (#4650)
  • Add new rule auditd_write_logs (#4649)
  • new rule timer_dnf-automatic_enabled (#4614)
  • New rule auditd_local_events (#4636)
  • Start using oval_sshd_config jinja macros for sshd rules (#4624)
  • Simplify regexp (#4762)

Tests:

  • Fix _check_rule method call in SSG test suite. (#4767)
  • Test suite: set bash and ansible remediation to verbose mode. (#4652)
  • Fix disk configuration in OSPP anaconda kickstart file. (#4716)
  • Add documentation to known issue in the test suite. (#4730)
  • SSG Test suite: Add function to find remediation in the datastream. (#4714)
  • Add test scenarios for configure_usbguard_auditbackend rule (#4753)
  • Fix STIG IDs reference processing (#4725)
  • Add syslog_files rules test scenarios (#4743)
  • ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
  • Add test scenarios for sshd_set_keepalive rule (#4712)
  • Enable unit-testing of bash shared jinja macros (#4702)
  • Parameterize Red Hat's GPG release public key. (#4683)
  • Added stripping of new line when obtaining IP addr by podman inspect (#4692)
  • Fixed an omission. (#4658)
  • Test suite autodetect datastream. (#4657)
  • Testing of set_config_file function with BATS 2 (#4659)
  • Introduce tests for macro that generates OVAL (#4660)
  • Test suite change logging prefix to warning (#4688)
  • Test suite: Set additional SSH options when testing ansible remediations (#4674)
  • Document where test scenarios are located (#4654)
  • Document --url and --extra-repo of install_vm.py script (#4653)
  • Quick fix for CombinedMode _modify_parameters() (#4664)
  • Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
  • Fix regex which looks for line in file configuration. (#4646)
