Highlights:
- New product added Debian 9 (debian9)
- New product added OpenShift Container Platform 4 (ocp4)
- Add Essential Eight profiles
- New templating system enabled by default
- Move SSGTS test scenarios closer to rule definitions
Profiles changed in this release:
- rhel7: e8, C2S, ospp
- rhel8: e8, ospp
- debian9: standard, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_average, anssi_np_nt28_restrictive
- ocp4: coreos-ncp, opencis-node
- ocp3: opencis-master
- fedora: ospp
- rhel6: C2S, stig
Profiles:
- Add Essential Eight profiles (#4859)
- Remove openshift api_server_profiling check (#4944)
- Remove directory_access_var_log_audit from RHEL 7 OSPP (#4957)
- Extend SSH session to timeout while still allowing session to disconnect (#4954)
- Add coreos NCP profile (#4865)
- Add rules for FISMA Low to CoreOS NCP (#4873)
Rules:
- SSG debian9 (#4928)
- ocp4: Initial build system support for the OCP4 product (#4908)
- Don't require that files exist when path is regex (#4960)
- Fix various typos/incorrect descriptions in rules/groups metadata. (#4938)
- Add missing CCEs (#4956)
- Add missing prodtypes for apt rules (#4930)
- Compare suid/sgid files with the RPM database (#4648)
- Add check to set /etc/motd similar to /etc/issue (#4947)
- Set default to match syslog default (#4948)
- Add package rules to OSPP profile (#4953)
- Fill in the samples with the value from our variable (#4949)
- Add postfix relayhost check (#4950)
- Add rule to check cockpit service status (#4939)
- Set rule service_timesyncd_enabled prodtype to Ubuntu 16.04 and 18.04 (#4929)
- Added missing CCEs. (#4919)
- Fix missing OVAL in some of RHEL 8 rules (#4927)
- Add CCE identifiers to sshd_disable_pubkey_authentication. (#4926)
- Generate OCIL check for cramfs kernel module (#4918)
- Added OCIL for mount option-type of rules. (#4910)
- Update remediation of mount_option_tmp rules, /tmp is not tmpfs in RHEL (#4909)
- Ported the sysctl macros to the new system. (#4843)
- Made the new templating system work with Python2.6. (#4897)
- Add WRLinux 10.19 to prodtype (#4903)
- Fix typo and add ocil clause to package_audit_installed. (#4827)
- Fix templates file_owner, file_groupowner and merge templates file_permissions and file_regex_permissions (#4884)
- Map AC-6(5) and add AC-6(9) audit rules to CoreOS (#4896)
- Map AC-17 (#4894)
- Map AC-6(9) (#4895)
- Map AC-17(2) to crypto SSH policies (#4892)
- Add rule for NIST AC-18(4) (#4889)
- Remove extraneous . from description and check of rule 'rsyslog_remote_tls_cacert' (#4878)
- Map AU-7 and AU-10 to audit package (#4890)
- Run tmux only right after sshd/login (#4885)
- Fix missing content in datastreams generated by new templating system (#4883)
- Update coreos-ncp profile and map AU-12(1), AC-12, and AC-2(5) (#4879)
- Fix dnf timer rule (#4882)
- Map AU-9(3) and AU-5(2) for CoreOS (#4880)
- Update list of packages installed in RHEL8 OSPP (#4876)
- Map OCP SCC to Kubernetes benchmark (#4867)
- Merge SELinux Boolean templates and migrate them to new system (#4860)
- Fix rhel6 nist mapping typo (#4872)
- Update migrate_template_csv_to_rule.py script and template data in rules (#4869)
- Add require_emergency_target_auth and update require_singleuser_auth (#4850)
- Enable file permissions templates in new templating system (#4857)
- Added RHEL7 CCEs for rules audit_rules_for_ospp and installed_OS_is_vendor_supported (#4866)
- Add checks for crontab and supporting cron directories (#4858)
- Add sshd_lineinfile and auditd_lineinfile to new templating system (#4854)
- Update FIPS warning message to focus on vendor submitting modules for certification (#4853)
- Postfix network listening to loopback-only (#4832)
- Update rsyslog rules description (#4839)
- Updated the rule description of configure_fapolicyd_mounts (#4835)
- Fix accounts password rules template name (#4836)
- New templating system (#4809)
- Break out api_server_service_account_key into multiple rules (#4831)
- Add openvswitch permission rules (#4830)
- AIDE periodic crontab check modification (#4824)
- Disable Mounting of FAT filesystems (#4815)
- insecure-port should not be configured (#4821)
- Fix kubelet_enable_streaming_connections Rule (#4823)
- Assign CCEs to SSH permission checks (#4819)
- Use int zero (0) for never in unlock_time setting for pam_faillock (#4814)
- Ensure proper permissions on /etc/ssh/sshd_config (#4812)
- Fix /etc/shadow permissions documentation (#4813)
- Improve template grub2 argument (#4786)
- Make hardening of sshd crypto policy aligned with OSPP (#4799)
- Disable Kerberos by removing host keytab. (#4793)
- Move audit rules to correct group (#4778)
- Configure TLS for rsyslog remote logging. (#4781)
Tests:
- Update test scenarios for chronyd_or_ntpd_set_maxpoll for RHEL8 (#4963)
- Use only first occurrence from /etc/mtab (#4959)
- ssg_test_suite: Fix SSH port option duplication for Podman-based test invocations (#4951)
- Add basic test scenarios for a few audit rules (#4907)
- Made templates product-specific. (#4841)
- Simplified the test_suite command-line. (#4808)
- Changed owner of files in the test suite tarball. (#4797)
- [WIP] Enable test suite support for podman executed by non-privileged user (#4544)
- Update audit_rules_unsuccessful_file_modification regex to match multiple "-S" syscall args (#4888)
- fix grub2_argument bash remediation (#4891)
- Fix regexes in template_oval_service_disabled and template_oval_service_enabled (#4855)
- Fix sourcing of shared functions in test scenarios for gui_login_banner group (#4851)
- SSG Test Suite: Continue even when rule is not found on benchmark. (#4811)
- Add test scenarios for rsyslog_remote_tls (#4788)
- SSG Test Suite: Fix (all) profile execution when running test suite in rule mode (#4792)
- ssg_test_suite: Fix SSH port handling for podman backend in rootless mode (#4789)
- Fix parameter and profile in sysctl_kernel_dmesg_restrict test scenario (#4796)
- Clean up partition before performing test for mount_option_tmp_noexec (#4795)
- Move SSGTS test scenarios closer to rule definitions (#4741)
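The test-suite entry above about matching multiple "-S" syscall arguments (#4888) points at a pitfall that affects any audit-rule compliance check: rules for unsuccessful file modification can be written one syscall per line or with several -S options packed into a single line, and a pattern that assumes the first shape silently under-reports the second. The following is an added example, not code from the ComplianceAsCode/content project or its OVAL checks; the required syscall list, the constructed rule text and the brittle NAIVE_RE pattern are assumptions made for illustration only.

```python
"""Matching auditd rules that carry one or many -S syscall options.

Added example, not code from ComplianceAsCode/content. Rule text below is
constructed for illustration; REQUIRED_SYSCALLS and NAIVE_RE are assumptions.
"""
import re

# Syscalls a failed-file-modification rule is assumed to have to cover (assumption).
REQUIRED_SYSCALLS = frozenset(
    ["creat", "open", "openat", "open_by_handle_at", "truncate", "ftruncate"]
)

# Whole-line shape of a syscall rule, e.g.
#   -a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=1000 -k access
# -F and -S options may be interleaved and repeated; the key closes the line.
RULE_RE = re.compile(
    r"^\s*-a\s+(?:always,exit|exit,always)"   # action,list
    r"(?P<opts>(?:\s+-[FS]\s+\S+)+)"          # one or more -F/-S options
    r"\s+(?:-k\s+\S+|-F\s+key=\S+)\s*$"       # -k key or -F key=...
)
SYSCALL_RE = re.compile(r"-S\s+(\S+)")             # every -S, not just the first
ARCH_RE = re.compile(r"-F\s+arch=(b32|b64)")
EXIT_RE = re.compile(r"-F\s+exit=-(E[A-Z]+)")

# Brittle pattern: assumes a single -S sits directly before -F exit=, so on a
# line with several -S options it only ever sees the last one.
NAIVE_RE = re.compile(
    r"-S\s+(creat|open|openat|open_by_handle_at|truncate|ftruncate)"
    r"\s+-F\s+exit=-(EACCES|EPERM)"
)


def parse_rule(line):
    """Return (arch, errno, syscalls) for a syscall rule, or None if the line
    is not a syscall rule with both an arch and an exit filter."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = m.group("opts")
    arch = ARCH_RE.search(opts)
    errno = EXIT_RE.search(opts)
    if not arch or not errno:
        return None
    syscalls = set()
    for group in SYSCALL_RE.findall(opts):
        syscalls.update(group.split(","))   # auditctl also accepts -S a,b,c
    return arch.group(1), errno.group(1), syscalls


def covered_syscalls(rules, arch, errno):
    """Union of syscalls audited for the given arch and errno across all lines."""
    covered = set()
    for line in rules.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == arch and parsed[1] == errno:
            covered |= parsed[2]
    return covered


def rules_compliant(rules):
    """True when every required syscall is audited for EACCES and EPERM on b32 and b64."""
    return all(
        REQUIRED_SYSCALLS <= covered_syscalls(rules, arch, errno)
        for arch in ("b32", "b64")
        for errno in ("EACCES", "EPERM")
    )


def naive_syscalls(rules):
    """Syscalls the brittle pattern reports, ignoring arch and errno."""
    return {sc for sc, _ in NAIVE_RE.findall(rules)}


# Constructed sample rule sets: one syscall per line, and the packed form.
TAIL = "-F auid>=1000 -F auid!=unset -k access"
ONE_PER_LINE = "\n".join(
    f"-a always,exit -F arch={arch} -S {sc} -F exit=-{errno} {TAIL}"
    for arch in ("b32", "b64")
    for errno in ("EACCES", "EPERM")
    for sc in sorted(REQUIRED_SYSCALLS)
)
PACKED = "\n".join(
    f"-a always,exit -F arch={arch} "
    + " ".join(f"-S {sc}" for sc in sorted(REQUIRED_SYSCALLS))
    + f" -F exit=-{errno} {TAIL}"
    for arch in ("b32", "b64")
    for errno in ("EACCES", "EPERM")
)
# Same as PACKED but with ftruncate dropped from the first (b32/EACCES) line.
INCOMPLETE = PACKED.replace("-S ftruncate ", "", 1)

if __name__ == "__main__":
    print("one per line compliant:", rules_compliant(ONE_PER_LINE))
    print("packed compliant:      ", rules_compliant(PACKED))
    print("incomplete compliant:  ", rules_compliant(INCOMPLETE))
    print("naive sees in packed:  ", sorted(naive_syscalls(PACKED)))
```

Both layouts are equivalent to auditd, so a check has to collect every -S on the line and then test coverage per (arch, errno) pair; the brittle pattern passes the one-per-line set and reports only a single syscall for the packed one, which is exactly the false-negative the fix above addresses.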