Highlights:
- SCAP 1.3 Data Streams are now the default (#4755)
  - 1.2 Data Streams are suffixed with -1.2.xml
- OSPP consolidation (#4705)
  - RHEL7 ospp Profile renamed to NIST National Checklist Program Profile, under ID ncp.
  - RHEL7 ccc Profile is renamed to ospp, as it is better aligned with OSPP 4.2.1.
  - RHEL7 ospp42 Profile is deprecated.
Profiles changed in this release:
- rhel8: cjis, rht-ccp, ospp, pci-dss, hipaa
- wrlinux1019: draft_stig_wrlinux_disa
- rhel7: cjis, rhelh-vpp, ccc, rhelh-stig, C2S, ospp, rht-ccp, ncp, hipaa, ospp42, stig
- rhel6: usgcb-rhel6-server, C2S, rht-ccp, standard, stig
- rhv4: rhvh-stig, rhvh-vpp
- debian8: standard, anssi_np_nt28_restrictive
- ubuntu1404: standard, anssi_np_nt28_restrictive
- ubuntu1604: standard, anssi_np_nt28_restrictive
- ubuntu1804: standard, anssi_np_nt28_restrictive
- ol8: ospp, cjis, hipaa, pci-dss
- fedora: ospp, pci-dss
- ol7: stig, pci-dss
Profiles:
- Unselect rule directory_access_var_log_audit in OSPP Profile (#4782)
- Set login banner message to /etc/issue in RHEL8 OSPP profile. (#4728)
- RHEL OSPP Profile Restructuring (#4754)
- NCP Profile extends OSPP profile (#4764)
- Rule grub2_vsyscall_argument is informational in OSPP (#4763)
- Add support for XCCDF rule-refine (#4750)
- Profile Restructuring (#4736)
- Update OL8 HIPAA profile (#4718)
- Update OL8 CJIS profile (#4719)
- Adding SELinux rules into OSPP profile (#4735)
- Fix section titles. (#4738)
- Remove GNOME rules from rhel7/ospp (#4724)
- The use of ed25519 is disabled via HostKeyAlgorithms in FIPS crypto policy. (#4723)
- When HostbasedAuthentication is disabled using disable_host_auth, sshd_disable_rhosts and sshd_disable_user_known_hosts are redundant. (#4715)
- Cleanup the RHEL7 ccc.profile, minimally (#4691)
- Reintroduce crypto policy rules in the OSPP profile for RHEL8 (#4682)
Rules:
- Enable fapolicyd to watch all system mountpoints. (#4773)
- Remove rule configure_opensc_nss_db from RHEL8 product. (#4779)
- Ensure rsyslog-gnutls is installed. (#4775)
- IASE was migrated to DOD Cyber Exchange (#4768)
- Authorize USB hubs and Human Interface Devices in USBGuard daemon (#4748)
- Add SELinux booleans CSV and remove RHEL8 from rules for packages not available (#4765)
- Update CSRF cookie secure (#4761)
- Add mask_service parameter to services disabled template. (#4633)
- Add new rhel8 aux gpg pubkey (#4675)
- Add new package installed rule specific for RHEL8. (#4673)
- Delete unused/unwanted dconf_use_text_backend rule. (#4684)
- Fix identifiers section to have the correct name in rule sysctl_fs_protected_hardlinks. (#4720)
- Extend OVAL check of configure_crypto_policy (#4757)
- Update STIG Antivirus Language (#4745)
- Log USBGuard daemon audit events using Linux Audit. (#4747)
- Harden ssh client crypto policy (#4681)
- Expanded and cleaned up csv templates. (#4739)
- SSH service rules for SLE12 (#4289)
- Single rule to configure audit rules for OSPP (#4680)
- Update STIG antivirus language (#4341)
- Configure tmux to lock session after inactivity (#4737)
- Prevent user from disabling the screen lock. (#4742)
- Support session locking with tmux. (#4740)
- Remove watches since syscall rules cover all cases. (#4706)
- Update OL8 OSPP profile (#4717)
- OSPP requirements and selections (#4662)
- Enable the rngd service for OSPP. (#4733)
- Move some system-tools rules to organized with their respective configuration rules (#4726)
- Harden sshd crypto policy (#4663)
- Set number of records to cause an explicit flush to audit logs. (#4697)
- Set hostname as computer node name in audit logs. (#4701)
- Force frequent session key renegotiation. (#4711)
- Resolve information before writing to audit logs. (#4695)
- Fix typo in api_server_admission_control_plugin_NodeRestriction description (#4699)
- Fix typos in auditd_local_events texts. (#4698)
- Preprocess references and identifiers during the build time. (#4063)
- Use crypto-policies to configure RHEL8 sshd algorithms (#4676)
- Manual page create_module(2) says that this system call is present only in kernels before Linux 2.6. (#4665)
- Disable storing core dumps. (#4650)
- Add new rule auditd_write_logs (#4649)
- New rule timer_dnf-automatic_enabled (#4614)
- New rule auditd_local_events (#4636)
- Start using oval_sshd_config jinja macros for sshd rules (#4624)
- Simplify regexp (#4762)
Tests:
- Fix _check_rule method call in SSG test suite. (#4767)
- Test suite: set bash and ansible remediation to verbose mode. (#4652)
- Fix disk configuration in OSPP anaconda kickstart file. (#4716)
- Add documentation to known issue in the test suite. (#4730)
- SSG Test suite: Add function to find remediation in the datastream. (#4714)
- Add test scenarios for configure_usbguard_auditbackend rule (#4753)
- Fix STIG IDs reference processing (#4725)
- Add syslog_files rules test scenarios (#4743)
- ds_unselect_rules.sh: updated to work with namespaced SCAP 1.3 datastreams (#4727)
- Add test scenarios for sshd_set_keepalive rule (#4712)
- Enable unit-testing of bash shared jinja macros (#4702)
- Parameterize Red Hat's GPG release public key. (#4683)
- Added stripping of new line when obtaining IP addr by podman inspect (#4692)
- Fixed an omission. (#4658)
- Test suite autodetect datastream. (#4657)
- Testing of set_config_file function with BATS 2 (#4659)
- Introduce tests for macro that generates OVAL (#4660)
- Test suite change logging prefix to warning (#4688)
- Test suite: Set additional SSH options when testing ansible remediations (#4674)
- Document where test scenarios are located (#4654)
- Document --url and --extra-repo of install_vm.py script (#4653)
- Quick fix for CombinedMode _modify_parameters() (#4664)
- Macro OVAL lineinfile to collect all objects, and make sure only one exists. (#4647)
- Fix regex which looks for line in file configuration. (#4646)