github ComplianceAsCode/content v0.1.50
Content 0.1.50

4 years ago

Highlights:

  • Add initial macOS content (#5334)
  • Feature suse 15 (#5305)
  • Add RHEL 7 and RHEL 8 CIS profiles
  • Add SLE15 CIS Profile
  • RHV4 product is now el8 based (#5352)

Profiles changed in this release:

  • ocp4: moderate, coreos-ncp, e8
  • rhel7: cis, rhelh-stig, C2S, stig
  • rhv4: rhvh-vpp, rhvh-stig
  • rhel8: cis, stig
  • sle15: cis, standard
  • ol7: stig
  • macos1015: moderate

Profiles:

  • ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
  • Added warning about profile not working with GUI systems. (#5734)
  • OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
  • ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
  • ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
  • ocp4: enable sysctl security settings in moderate profile (#5591)
  • ocp4: Enable sysctl file system settings in moderate profile (#5592)
  • change rules for disabling ipv6 in CIS profile (#5574)
  • macOS build fixes (#5347)
  • ocp4: Remove the rule that disables user namespaces (#5268)
  • fix rule sshd use approved macs (#5300)
  • Feature suse 15 (#5305)
  • Add Initial RHEL 7 CIS profile (#5306)
  • Clear up coreos profile titles and descriptions (#5280)

Rules:

  • Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
  • Update sshd crypto policy for CC (#5742)
  • Create machine configuration for the rule no tmux in shells (#5641)
  • Fix several audit-related ignition remediations (#5651)
  • Ubuntu1804/cis kernel module rules (#5722)
  • update prodtype for sysctl_net_ipv4_ip_forward (#5679)
  • Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
  • ocp4: Add missing AC-1 checks to moderate profile (#5718)
  • Add missing CCE for sshd_set_max_sessions rule (#5710)
  • Fix audit_basic_configuration ignition remediation (#5642)
  • Reference should not point to OS version. (#5660)
  • Warn about only local user backends being considered (#5657)
  • remove remediations for configure_etc_hosts_deny (#5652)
  • New Ignition files for audit and SSHD (#5640)
  • Fix template mount_option_removable_partitions (#5278)
  • Added more SLES Support (#5613)
  • Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
  • Update ol7 stig references and severity values (#5575)
  • Issue 5529 (#5579)
  • add missing cce for sshd_disable_tcp_forwarding (#5614)
  • Update sshd disable x11 forwarding (#5610)
  • Allow tcp forwarding (#5607)
  • update limit-related rules to allow limits.d (#5600)
  • Feature suse15 cis (#5578)
  • Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
  • fix sshd_allow_only_protocol2 (#5582)
  • Feature sle15 cis (#5567)
  • Issue 5524 (#5554)
  • Add e8 profile for ocp4 (#5560)
  • Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
  • Added OL product support to stig rules (#5556)
  • Fix ol8 condition in accounts-physical rules (#5559)
  • Move RHV4 product to be el8 based (#5352)
  • Feature suse 15.1 (#5548)
  • fix rule disabling ipv6 through grub2 (#5547)
  • add rule ntpd_run_as_ntp_user (#5291)
  • Add missing CCEs to rules from RHEL7 CIS profile (#5546)
  • add ntpd_configure_restrictions for rhel7 (#5282)
  • Update rhel7 CIS selections (#5349)
  • add rules for checking legacy "+" entries in passwd related files (#5339)
  • add grub2_disable_ipv6 (#5324)
  • Add initial macOS content (#5334)
  • Add rules to check permissions and owner of important backup account files (#5317)
  • Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
  • Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
  • Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
  • add rule configure_etc_hosts_deny (#5332)
  • Select new rules in RHEL 7 CIS Profile (#5331)
  • Add missing CCEs for rules from CIS profile (#5329)
  • add rule package_openldap-clients_removed (#5316)
  • add rule package_libselinux_installed (#5312)
  • Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
  • Banner and cron permissions and owners (#5302)
  • Select rules for audit login events (#5296)
  • Select package_audit_installed (#5292)
  • Update audit data retention selects and variables (#5294)
  • remove ntp mention from rule title (#5309)
  • Feature suse 15 (#5311)
  • add rule service_rsyncd_disabled (#5318)
  • Select rules for system file permissions (#5301)
  • Select rules for SSH and add references (#5297)
  • Parametrized the sshd_use_approved_ciphers rule (#5308)
  • add chronyd_run_as_chrony_user (#5298)
  • Add rules for Chrony on rhel8 (#5273)
  • Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
  • Extracted a grub superuser username rule from the grub2_password rule (#5276)
  • Add XCCDF conflicts and requires (#5281)
  • Initial RHEL 8 CIS profile (#5236)
  • Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
  • fix grub2_bootloader_argument template (#5756)
  • Add Ansible for kernel_module_ipv6_option_disabled (#5737)
  • Ansible remediation and tests for audit_rules_immutable (#5609)
  • add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
  • Add Ansible fixes for audit time rules (#5720)
  • Add audit field to the Ansible syscall macros (#5724)
  • add Ansible remediation and tests for audit_rules_session_events (#5721)
  • Introduce Ansible macros for remediating Audit syscall rules (#5709)
  • fix ansible remediations to avoid creating duplicate entries (#5650)
  • Update Ansible when statement to handle only containers (#5052)
  • add ansible and tests to audit_rules_mac_modification (#5638)
  • Fix missing ignition remediations (#5644)
  • add ansible remediation to audit_rules_kernel_module_loading (#5594)
  • Fix audit_rules_privileged_commands remediation (#5569)
  • Fix rule banner_etc_motd (#5319)
  • Improved handling of grub2 password/admin checks. (#5313)
  • Ansible audit sysadmin actions (#5288)
  • Simplify banner text syntax and add utility to generate banner regular expression (#5050)

Tests:

  • Fix incomplete temporary file (#5747)
  • Add unit test for kubernetes object remediations (#5636)
  • ocp4: Expand unit tests to validate profile selections (#5648)
  • Flush the write buffers after write. (#5748)
  • Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
  • Added possibility of the test suite to expand platforms of the benchmark (#5550)
  • Fix SSGTS when running with python3 and writing binary data to file. (#5711)
  • shared/partition.sh: Increase the size of a test device (#5566)
  • ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
  • Skip generation of remediation when using the special default profile (#5571)
  • Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
  • Fix test scenarios for auditd_data_retention_flush rule (#5624)
  • ocp4/e2e: display remediations for second scan (#5585)
  • ocp4: e2e test continuation (#5354)
  • ssg test suite: wait 30 seconds for reboot to finish (#5572)
  • Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
  • ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
  • add configure_etc_hosts_deny to ignored rules (#5348)
  • ocp4: reset client in e2e tests after installing operator (#5344)
  • ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
  • ocp4: Add go dependencies to test directory (#5338)
  • Extend timeout for VM restarts (#5330)
  • ocp4: Add initial e2e test (#5321)
  • SSGTS: addressed incompatibilities with python2 (#5295)
  • SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)
