Highlights:
- Add initial macOS content (#5334)
- Feature suse 15 (#5305)
- Add RHEL 7 and RHEL8 CIS profiles
- Add SLE15 CIS Profile
- RHV4 product is now el8 based (#5352)
Profiles changed in this release:
- ocp4: moderate, coreos-ncp, e8
- rhel7: cis, rhelh-stig, C2S, stig
- rhv4: rhvh-vpp, rhvh-stig
- rhel8: cis, stig
- sle15: cis, standard
- ol7: stig
- macos1015: moderate
Profiles:
- ocp4: Enable ipv4-specific sysctl checks in moderate profile (#5634)
- Added warning about profile not working with GUI systems. (#5734)
- OL7 stig profile update to align to DISA STIG for OL7 v1r1 (#5631)
- ocp4: Enable ipv6-specific sysctl checks in moderate profile (#5589)
- ocp4: enable sysctl_kernel_core_pattern check in moderate profile (#5593)
- ocp4: enable sysctl security settings in moderate profile (#5591)
- ocp4: Enable sysctl file system settings in moderate profile (#5592)
- change rules for disabling ipv6 in CIS profile (#5574)
- macOS build fixes (#5347)
- ocp4: Remove the rule that disables user namespaces (#5268)
- fix rule sshd use approved macs (#5300)
- Feature suse 15 (#5305)
- Add Initial RHEL 7 CIS profile (#5306)
- Clear up coreos profile titles and descriptions (#5280)
Rules:
- Warn about findings from rpm_verify_permissions and rpm_verify_ownership (#5755)
- Update sshd crypto policy for CC (#5742)
- Create machine configuration for the rule no tmux in shells (#5641)
- Fix several audit-related ignition remediations (#5651)
- Ubuntu1804/cis kernel module rules (#5722)
- update prodtype for sysctl_net_ipv4_ip_forward (#5679)
- Add check and remediation for xwindows_runlevel_target and select in profiles that remove package xorg-x11-server-common (#5625)
- ocp4: Add missing AC-1 checks to moderate profile (#5718)
- Add missing CCE for sshd_set_max_sessions rule (#5710)
- Fix audit_basic_configuration ignition remediation (#5642)
- Reference should not point to OS version. (#5660)
- Warn about only local user backends being considered (#5657)
- remove remediations for configure_etc_hosts_deny (#5652)
- New Ignition files for audit and SSHD (#5640)
- Fix template mount_option_removable_partitions (#5278)
- Added more SLES Support (#5613)
- Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd (#5619)
- Update ol7 stig references and severity values (#5575)
- Issue 5529 (#5579)
- add missing cce for sshd_disable_tcp_forwarding (#5614)
- Update sshd disable x11 forwarding (#5610)
- Allow tcp forwarding (#5607)
- update limit-related rules to allow limits.d (#5600)
- Feature suse15 cis (#5578)
- Add ansible and bash remediation for rule sshd_set_max_auth_tries (#5597)
- fix sshd_allow_only_protocol2 (#5582)
- Feature sle15 cis (#5567)
- Issue 5524 (#5554)
- Add e8 profile for ocp4 (#5560)
- Added machine-only CPEs to rules relevant only to non-virtualized systems (#5085)
- Added OL product support to stig rules (#5556)
- Fix ol8 condition in accounts-physical rules (#5559)
- Move RHV4 product to be el8 based (#5352)
- Feature suse 15.1 (#5548)
- fix rule disabling ipv6 through grub2 (#5547)
- add rule ntpd_run_as_ntp_user (#5291)
- Add missing CCEs to rules from RHEL7 CIS profile (#5546)
- add ntpd_configure_restrictions for rhel7 (#5282)
- Update rhel7 CIS selections (#5349)
- add rules for checking legacy "+" entries in passwd related files (#5339)
- add grub2_disable_ipv6 (#5324)
- Add initial macOS content (#5334)
- Add rules to check permissions and owner of important backup account files (#5317)
- Add rules to check for permission of /etc/hosts.allow and /etc/hosts.deny (#5323)
- Add rule to check owners and group owners of /etc/issue and /etc/motd (#5335)
- Restrict kernel_module and service_rsyncd_disabled rules as machine-only (#5328)
- add rule configure_etc_hosts_deny (#5332)
- Select new rules in RHEL 7 CIS Profile (#5331)
- Add missing CCEs for rules from CIS profile (#5329)
- add rule package_openldap-clients_removed (#5316)
- add rule package_libselinux_installed (#5312)
- Fix service check service_chronyd_enabled to use proper rhel package name (#5325)
- Banner and cron permissions and owners (#5302)
- Select rules for audit login events (#5296)
- Select package_audit_installed (#5292)
- Update audit data retention selects and variables (#5294)
- remove ntp mention from rule title (#5309)
- Feature suse 15 (#5311)
- add rule service_rsyncd_disabled (#5318)
- Select rules for system file permissions (#5301)
- Select rules for SSH and add references (#5297)
- Parametrized the sshd_use_approved_ciphers rule (#5308)
- add chronyd_run_as_chrony_user (#5298)
- Add rules for Chrony on rhel8 (#5273)
- Introduce a rule that mandates usage of subset of FIPS SSHD ciphers (#5283)
- Extracted a grub superuser username rule from the grub2_password rule (#5276)
- Add XCCDF conflicts and requires (#5281)
- Initial RHEL 8 CIS profile (#5236)
- Ansible template mount options: avoid duplicating options and extend system default when appropriate (#5752)
- fix grub2_bootloader_argument template (#5756)
- Add Ansible for kernel_module_ipv6_option_disabled (#5737)
- Ansible remediation and tests for audit_rules_immutable (#5609)
- add Ansible remediation and improve tests for audit_rules_networkconfig_modification (#5719)
- Add Ansible fixes for audit time rules (#5720)
- Add audit field to the Ansible syscall macros (#5724)
- add Ansible remediation and tests for audit_rules_session_events (#5721)
- Introduce Ansible macros for remediating Audit syscall rules (#5709)
- fix ansible remediations to avoid creating duplicate entries (#5650)
- Update Ansible when statement to handle only containers (#5052)
- add ansible and tests to audit_rules_mac_modification (#5638)
- Fix missing ignition remediations (#5644)
- add ansible remediation to audit_rules_kernel_module_loading (#5594)
- Fix audit_rules_privileged_commands remediation (#5569)
- Fix rule banner_etc_motd (#5319)
- Improved handling of grub2 password/admin checks. (#5313)
- Ansible audit sysadmin actions (#5288)
- Simplify banner text syntax and add utility to generate banner regular expression (#5050)
Tests:
- Fix incomplete temporary file (#5747)
- Add unit test for kubernetes object remediations (#5636)
- ocp4: Expand unit tests to validate profile selections (#5648)
- Flush the write buffers after write. (#5748)
- Remove outdated OSPP metadata from test scenario for audit_rules_privileged_commands. (#5739)
- Added possibility of the test suite to expand platforms of the benchmark (#5550)
- Fix SSGTS when running with python3 and writing binary data to file. (#5711)
- shared/partition.sh: Increase the size of a test device (#5566)
- ocp4/e2e: Remove references to catalogSourceConfig object (#5645)
- Skip generation of remediation when using the special default profile (#5571)
- Update platform metadata in tests for auditd_data_retention_flush rule (#5635)
- Fix test scenarios for auditd_data_retention_flush rule (#5624)
- ocp4/e2e: display remediations for second scan (#5585)
- ocp4: e2e test continuation (#5354)
- ssg test suite: wait 30 seconds for reboot to finish (#5572)
- Fix profile metadata in test scenarios for auditd_audispd_syslog_plugin_activated (#5565)
- ocp4/e2e: Add Makefile variable to optionally skip the operator install (#5549)
- add configure_etc_hosts_deny to ignored rules (#5348)
- ocp4: reset client in e2e tests after installing operator (#5344)
- ocp4 test: Take IMAGE_FORMAT env variable into use (#5337)
- ocp4: Add go dependencies to test directory (#5338)
- Extend timeout for VM restarts (#5330)
- ocp4: Add initial e2e test (#5321)
- SSGTS: addressed incompatibilities with python2 (#5295)
- SSGTS: profile mode extended to reboot VM before performing the final scan (#5217)