Highlights:
- Remove OCP3 content (#6296)
- Remove SLE11 (#6164)
- Remove Ubuntu 14.04 (#6154)
- Remove Debian8 (#6137)
- Remove JBoss EAP6 (#6119)
- Introduce machine and package platform conditionals to Bash remediations (#6061)
- Introduce package conditionals to Ansible remediations (#6025)
- OCP4: Enhance e2e tests to check individual rules (#6315)
Profiles changed in this release:
- example: example
- fedora: standard, pci-dss
- ol7: pci-dss
- ol8: cjis, pci-dss
- rhel7: cjis, stig, hipaa, cis, C2S-docker, ipa-stig, e8, anssi_nt28_enhanced, http-stig, cui, ospp, docker-host, C2S, ncp, tower-stig, pci-dss, satellite-stig
- rhel8: cjis, stig, hipaa, cis, e8, cui, ism_o, ospp, pci-dss, anssi_bp28_enhanced
- jre: stig
- ocp4: cis-node, cis, e8, moderate, ncp
- rhcos4: e8, moderate, ncp
- rhv4: rhvh-vpp, rhvh-stig
- sle15: cis
Profiles:
- Remove unused RHEL7 profiles (#6326)
- Specify the applicable OpenShift version for the CIS profiles (#6288)
- Update e8 references (#6306)
- Add commented section for OCP4 CIS etcd node checks (#6238)
- CIS Node 4.1.6 - Add kubelet.conf ownership scans to OCP4 cis-node.profile (#6199)
- Add ocp4-node product (#6124)
- remove rngd related rules from rhcos profiles (#6159)
- Add policy tracking metadata (#6004)
- Update DISA STIG RHEL7 reference files to latest version (v2r8) (#6104)
- Remove accounts_user_interactive_home_directory_defined from RHEL7 STIG (#6086)
- remove package_screen_installed from rhel7 stig (#6072)
- OCP4 CIS profile placeholder and comments (#6121)
- Add api_server_auth_mode_node rule to ocp4/cis profile (#6195)
- Remove disable_prelink rule from Fedora and RHEL8 profiles (#6289)
- remove deprecated sshd config from e8 profile (#6120)
- remove package_tuned_removed from rhel8 ospp (#6191)
- remove rngd related rules from rhel8 ospp and stig (#6157)
- remove package_iptables_installed from rhel8 ospp and stig (#6155)
Rules:
- Select sshd_set_keepalive where sshd_set_idle_timeout is selected (#6348)
- Added JRE update and clean prev version controls (#6324)
- fix conflicts of audit rules for privileged commands (#6279)
- Added the rest of the new JRE controls - as well as updated other existing controls (#6305)
- Small fixes of OCP rules used in CIS profile that cover the 1.1 section (#6317)
- Add machine platform for rule kernel_trust_cpu_rng (#6300)
- CIS 1.3.6 (#6225)
- Update jre content with more controls and minor fixes (#6295)
- Change rhcos4/moderate kernel argument checks to use coreos check (#6131)
- ocp4: Fix api_server_admission_control_plugin_AlwaysAdmit rule (#6197)
- Add OCP4 1.3.5 benchmark (#6198)
- ocp4: fix basic-auth check (#6158)
- CIS OCP4 benchmark: 1.3.3 (#6194)
- Fix rule api_server_token_auth for ocp4 (#6193)
- OCP4 - CIS 1.1.5 Add check (#6274)
- ocp4: Add check for CIS 1.2.20 (#6239)
- OCP4 CIS 5.2.9 (#6250)
- ocp4: Add check for CIS 1.2.18 (#6232)
- ocp4: Add check for 1.2.17 (#6231)
- add API server service account lookup OCP4 CIS 1.2.27 rule (#6217)
- Updated rule api_server_service_account_public_key for OCP 4 (#6221)
- Add kubelet client cert rotation rules for OCP4 CIS profile (CIS 4.2.11) (#6223)
- ocp4: Add api_server_admission_control_plugin_NamespaceLifecycle rule (#6214)
- ocp4: fix api_server_admission_control_plugin_ServiceAccount rule (#6211)
- CIS Node 4.2.3 - add template to kubelet_configure_client_ca/rule.yml (#6213)
- Add kubelet cert rotation rule for OCP4 CIS profile (CIS 4.1.12) (#6212)
- Implementation of rules api_server_tls_cert api_server_tls_private_ke… (#6269)
- OCP4 - CIS 1.1.3 Add check (#6272)
- OCP4 - CIS 1.1.1 Add check (#6271)
- Update etcd_auto_tls rule for OCP4 CIS 2.3 (#6270)
- Adding rules for OCP4 CIS 1.2.5 (#6268)
- API server etcd (#6266)
- Add rule for OCP4 CIS 1.3.2 (#6262)
- OCP4 CIS 5.2.7 (#6245)
- Java JRE 8 draft update (#6282)
- fix srgs for new rhel8 stig rules (#6280)
- 1.2.32 add etcd-cafile check for ocp4 (#6253)
- 1.2.31 add client-ca-file api server arg check for ocp4 (#6248)
- add rule configuring kernel to trust CPU RNG into rhel8 OSPP (#6189)
- Pull request for etcd-encrypt (#6259)
- OCP4 CIS 5.2.3 (#6244)
- Update api_server_audit_log_path to use different apiserver conf file (#6240)
- OCP4 CIS 5.2.5 (SCC privilege escalation) (#6241)
- OCP4 CIS 5.2.4 (#6242)
- Add OCP4 1.3.7 Benchmark (#6220)
- ocp4: Add check for CIS 1.2.19 (#6236)
- Enhance regex and template data for api_server_kubelet_certificate_authority (#6230)
- API server kubelet HTTPS (#6215)
- Add yamlfile_value template to api_server_kubelet_certificate_authority (#6204)
- Add rule for CIS 4.1.9 (#6210)
- CIS Node 4.1.8 (#6196)
- OCP CIS 1.2.7 (#6209)
- Fix rules so that there are no "missing extend_definition" warnings during the build (#6186)
- Fix duplicate assignment of CCE-83396-2 (#6224)
- Completed an existing ocp4 CIS 1.3.4 rule (#6202)
- Decorate my recently added OCP4 CIS rules with CCE identifiers (#6208)
- add service_kdump_disabled to rhel8 ospp (#6190)
- Add rules for worker node kubeconfig ownership to CIS OCP4 profile (CIS 4.1.10) (#6200)
- fix typos in "references" section of RHEL7 rules (#6188)
- Add some more example content for ocp4 cis profile (#6182)
- Add ISM references (#6143)
- Update package_rsyslog_installed in RHEL6 to consider both rsyslog and rsyslog7 package (#6142)
- add mandatory packages to rhel8 ospp (#6181)
- Adopt changes in yamlfilecontent_* check for yamlfile_value template (#6172)
- add rsyslog rules to rhel8 ospp (#6167)
- Remove platform net-snmp from the group and use it in individual rules (#6166)
- Fix severity of RHEL 7 STIG rules (#6110)
- fix rules about sshd idle timeout (#6030)
- Update ANSSI refs (#6052)
- Move grub2_vsyscall_argument to grub2 group (#6129)
- Update rule install hips (#6039)
- Remove zIPL rule for PTI bootloader option (#6065)
- use xccdf variable in audit_audispd_network_failure_action (#6071)
- Introduce new rule sssd_ldap_configure_tls_reqcert (#6044)
- Drop "esc" package from install_smartcard_packages rule (#6083)
- Update snmpd_no_default_password (#6050)
- Change OCP4 (RHCOS) audit=1 kernel option rule to check only the latest entry (#6088)
- Fix missing CCE in rules selected by RHEL6 profiles (#6103)
- add ocil to rsyslog_nolisten (#6074)
- Remove extra ocil statement from service_cockpit_disabled (#6092)
- Update accounts_tmout rule with regards to latest RHEL7 STIG revision (#6085)
- Add CCEs for rules from ANSSI RHEL8 profiles (#6079)
- Update text of rule account_disable_post_pw_expiration (#6084)
- update srg for smartcard_configure_cert_checking (#6073)
- update accounts_logon_fail_delay (#6040)
- update rule disable_ctrlaltdel_reboot (#6043)
- Remove SRGs from accounts_password_pam_retry (#6045)
- Align Fedora PCI DSS profile to RHEL8 PCI DSS (#6029)
- Update tftpd_uses_secure_mode (#6051)
- Fix SRG mapping of audit rules (#6068)
- Update sssd_ldap_start_tls OVAL, bash and ansible remediations (#6032)
- Minor ansible changes that fix failing rules after remediations (#6034)
- Fix typo in SLES12 STIG ID reference (#6036)
- Introduce ability to set check_existence to yaml template (#6177)
- Introduced macros for working with XCCDF values into the wide content (#6048)
- Anaconda moved to pykickstart (#6255)
- Create custom OVAL check for uefi_no_removeable_media (#6276)
- Parametrize rule for login.defs hashing algorithm (#6290)
- As of ansible 2.10, adding 2 more additional container facts as part … (#6291)
- Fix regex in aide rules to consider first letter as uppercase (#6152)
- Fix snmpd_not_default_password ansible remediation when file doesn't exist (#6116)
- Fix PCRE_ERROR_MATCHLIMIT in PASS_MAX_DAYS (#6099)
- Use resolved profiles in rule playbooks (#6080)
- Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate (#6049)
- Fix ansible remediation of accounts_max_concurrent_login_sessions (#6063)
- Set a lower bound value for accounts_passwords_pam_faillock_deny check (#6067)
- update accounts_maximum_age_login_defs (#6027)
Tests:
- Add e2e test metadata for OCP rules in CIS 1.1 (#6321)
- OCP4: Add manual remediation capabilities to e2e tests (#6318)
- OCP4: Enhance e2e tests to check individual rules (#6315)
- Remove the option to enable/disable "mask" a service (#6298)
- Update ocp4 e2e test dependencies (#6128)
- Force shutdown of VM if it cannot be shutdown gracefully (#6098)
- e2e/ocp4: Display more verbose logs for e2e tests (#6192)
- ocp4: Don't fail on transient error (#6161)
- ocp4/e2e - WORKAROUND: Use suffix to detect scan type (#6237)
- ocp4: Use ScanSettingBindings for e2e tests (#6297)
- allow install_vm.py to create UEFI based machines (#6285)
- Make sure aide_build_database scenarios do not fail when database doesn't exist (#6183)
- SSGTS various test scenarios metadata updates (#6136)
- Implemented packages metadata to the test suite (#6126)
- SSGTS combined mode: use all profile where applicable (#6146)
- SSGTS various test scenarios metadata updates (part 2) (#6145)
- SSGTS: update combined/rule mode to skip not applicable scenarios (#6123)
- Removed profile from test metadata where not needed (#6114)
- Add a test for missing CCEs (#6097)
- Throw warning when ocp4 and rhcos4 content fail on scapval (#6107)
- OCP4: Add e2e tests for rules in section 1.3 of the CIS benchmark (#6320)
- OCP4: Verify CIS 1.3 section (#6302)