Highlights:
- Big update of the rules used in the SLES-12 STIG profile
- Render policy to HTML (#6532)
- Add variable support to yamlfile_value template (#6563)
- Introduce new template for dconf configuration files (#6118)

Profiles changed in this release:
- ocp4: cis-node, cis, e8, moderate
- rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
- rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
- sle15: cis, standard
- debian10: anssi_np_nt28_average, standard
- debian9: anssi_np_nt28_average, standard
- fedora: pci-dss, standard
- ol7: pci-dss, stig, standard
- ol8: ospp, hipaa, standard, pci-dss, cjis
- rhcos4: e8, ospp, moderate
- rhv4: rhvh-stig, rhvh-vpp
- sle12: stig
- ubuntu1604: anssi_np_nt28_average, standard
- ubuntu1804: cis, anssi_np_nt28_average, standard
- ubuntu2004: standard
- wrlinux1019: draft_stig_wrlinux_disa

Profiles:
- remove ensure_logrotate_configured from CIS profiles (#6693)
- configure_crypto_policy update for CIS profile (#6673)
- remove kernel_module_vfat_disabled from CIS profiles (#6613)
- E8 ocp revisions (#6587)
- Update ANSSI profile descriptions (#6592)
- Bump RHEL7 STIG version to v3r2 (#6576)
- OL7 DISA STIG v2r1 update (#6538)
- Select RHEL8 STIG V1R1 existing content (#6579)
- OL7 DISA STIG v2r2 update (#6607)
- Update OL standard profiles (#6604)
- Update OL pci-dss profiles (#6605)
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
- remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)

Rules:
- Update selinux_confinement_of_daemons rule (#6695)
- Adds classification-banner rule (#6652)
- CIS 5.1 changes (#6678)
- ocp4: Fix audit log forwarding rule (#6680)
- CIS 5.1 and 5.2: More ocil updates (#6689)
- Change instances of cis to cis@ocp4 for openshift (#6654)
- Revert hardcoding of ClientAliveCountMax to 0 (#6434)
- SLES-12 add checks and remediations (#6635)
- Update ANSSI references (#6662)
- Add missing CIS references (#6660)
- move ssh_client_rekey_limit to correct group (#6612)
- Fix STIG id reference for sshd_x11_use_localhost (#6628)
- fix wrong description of sshd_limit_user_access (#6623)
- mark some CIS rules as machine-only (#6611)
- CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
- ocp4: Add link to documentation for etcd encryption (#6590)
- Drop remediation for sysctl_kernel_modules_disabled (#6586)
- OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
- CIS: Update api_server_request_timeout description and check (#6572)
- add rhel7 stig specific rule for sshd approved macs (#6546)
- Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
- add rhel7 stig specific rule for ssh ciphers (#6541)
- sshd_set_keepalive PCI DSS requirement reference (#6531)
- add rule sysctl_kernel_modules_disabled (#6533)
- RHEL-07-040710 now configures X11Forwarding to disable (#6537)
- add rule sshd_x11_use_localhost (#6534)
- Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
- fix remediations of ensure_logrotate_activated (#6710)
- ocp4/e2e: fix classification_banner remediation (#6679)
- ocp4: Add e2e for no_direct_root_logins (#6621)
- rhcos4: Add remediations and rules to enable usbguard (#6452)
- Require separate filesystem for /var/tmp (#6523)
- Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)