Highlights:
- New product added for Debian 10 (debian10)
- New product added for Red Hat OpenStack Platform 10 (rhosp10)
- New draft profile for RHEL8 STIG
Profiles changed in this release:
- rhosp10: cui, stig
- debian10: standard, anssi_np_nt28_average, anssi_np_nt28_high, anssi_np_nt28_minimal, anssi_np_nt28_restrictive
- rhel8: rhelh-vpp, stig, rhelh-stig, ospp, e8, sap
- rhel7: e8, sap
- ocp4: sample-linux_os, coreos-ncp, opencis-node, opencis-master, coreos-fedramp
- sle12: stig
Profiles:
- Add security autoupdates to the RHEL8 E8 profile. (#5107)
- E8: ensure there is a single account with uid zero (#5105)
- Add draft RHELH content for rhel8 (#5040)
- Remove SSSD rules from RHEL8 OSPP Profile (#5032)
- Updated the e8 profile for RHEL8. (#5024)
- Add draft RHEL8 STIG profile (#4991)
- Remove coreos-fedramp profile (#4994)
Rules:
- Rhosp10 (#5019)
- Add debian10 content (#5058)
- Added machine-only CPEs to a subset of rules requiring non-virtualized systems (#5104)
- Fix CPE to properly check /etc/login.defs on Ubuntu & Debian systems (#5093)
- Update NIST 800-53 mappings (#5083)
- NIST 800-53 Mapping Updates (#5079)
- Delete rules in favour of package_subscription-manager_installed (#5059)
- Set sshd private key permission to 0600 for Ubuntu 18.04 (#5089)
- Add missing CCE for package_telnetd_removed rule (#5090)
- PermitUserEnvironment Checks For Incorrect Setting (#5087)
- Use the FIPS:OSPP Crypto Policy (#5072)
- Enable ansible template for service_fapolicyd_enable rule. (#5064)
- Modify usbguard_allow_* rules to use new match-all keyword (#5055)
- Stig sle12 initial (#4847)
- Update api-server XCCDF and OVAL for ocp4-isms (#5039)
- Mark rules as platform: machine. (#5062)
- Fix OVAL applicability for RHV4 (#5053)
- Remove configure_fapolicyd_mounts rules from profiles. (#5057)
- Update ETCD XCCDF and OVAL for ocp4-isms (#5036)
- Update api-server rules (#5034)
- Coreos build - enable more rules (#5018)
- Various minor fixes (#5025)
- Update etcd rules (#5008)
- [WIP] Add SAP profile to rhel (#3551)
- Add missing CCEs to rules from STIG profile (#5021)
- Add some NIST mappings for FISMA high (#4932)
- Fix RHEL7 rules sshd_use_strong_macs and sshd_use_strong_ciphers. (#5010)
- Ansible tasks fixes (#5004)
- Make aide_periodic_cron_checking accept a broader array of time specs (#4989)
- SRG Mapping - misc rules (#4969)
- Additional SRG mappings (#4981)
- Verified that proper SRGs are in rules that need to be added (#4987)
- Adding DISA SRG references to rules found in the OSPP profile (#4877)
- OCP4 content cleanup (#4970)
- Add Network Policies rule to OCP (#4934)
- Make coreos-ncp.profile buildable (#5001)
- Added SRG rule for auditd_audispd_configure_remote_server (#4988)
- DISA STIG SRG mappings (#4940)
- Added SRG rule for Exec Shield (#4982)
- Day 2 - Yasir's Contributions (#4975)
- Day 2 changes to rules with SRG info (#4974)
- Add srg-os-000378-GPOS-00163 reference to usbguard install and enable (#4973)
- Added SRG to rules (#4968)
- Mapped IPv4 and IPv6 SRGs to rules (#4967)
- Add SRG to rule (#4966)
- Updated to include SRG number (#4971)
Tests:
- oscap: modify using variables in the printf format (#5063)
- Improve fine-tuning of rule/group ordering (#5078)
- Use the DEFAULT:NO-SHA1 Crypto Policy for the E8 profile. (#5073)
- Extend waiting time till virtual machine is again in RUNNING state (#5041)
- SSGTS: Use wildcards instead of matching substring (#5029)
- Add waiting for RUNNING state of virtual machine (#5023)
- Add audit_rules_unsuccessful_file_modification_detailed remediation scripts (#4058)
- Fixed the remediation for rsyslog_files_permissions (#4906)