Highlights:
- Align ism_o profile with latest ISM SSP (#6878)
- Align RHEL 7 STIG profile with DISA STIG V3R3
- Creating new RHEL 7 STIG GUI profile (#6863)
- Creating new RHEL 8 STIG GUI profile (#6862)
- Add the RHEL9 product (#6801)
- Initial support for SUSE SLE-15 (#6666)
- add support for osbuild blueprint remediations (#6970)
Profiles changed in this release:
- sle12: stig
- sle15: cis, stig
- rhel7: stig_gui, stig
- rhel8: stig_gui, stig, ism_o
- rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
- ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
- ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
- rhv4: pci-dss
- ocp4: cis-node, cis
- rhel9: pci-dss
Profiles:
- Add updated manual DISA STIG XML reference files (#6903)
- rhcos4/e8: Use individual kernel module load audit rules (#6797)
- rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
- bump rhel7 stig version to v3r3 (#6951)
- remove no longer relevant rules from rhel7 stig (#6865)
- Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
- Update OL e8 profiles (#6840)
- Remove rules related to gnome/dconf (#6884)
- Ol cjis profiles (#6851)
- Add PCI-DSS profile to RHV4 (#6867)
- OL hipaa profiles (#6819)
- Update OL cui profiles (#6818)
- remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
- RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
- rhcos4: Remove sssd configuration check from moderate profile (#6774)
- RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
- RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
- RHCOS: Temporarily remove UEFI password rule (#6757)
- Add new rules to sle12/profiles/stig.profile (#6665)
- Remove package_gssproxy_removed from STIG GUI profile (#6967)
- Updating RHEL8 STIG profile for readability changes (#6856)
- Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
- Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)
Rules:
- Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
- Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
- Fix grub2's /boot location for Debian, Ubuntu (#6986)
- Add rules to remove setroubleshoot server and plugin packages (#6969)
- SLES-15-010362 (#6968)
- Fix groupowner/permissions for ubuntu2004 (#6979)
- SLES-15-10352 rule (#6822)
- Enable RHEL9 for kernel-related rules (#6966)
- Enable SELinux rules for RHEL9 (#6959)
- Move rule grub2_enable_iommu_force to use template (#6956)
- Clarify what fixes for AIDE acl and xattrs do (#6960)
- Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
- Adding new rule for RHEL-08-010294 (#6932)
- Add OCIL to sshd_limit_user_access (#6836)
- SLES-15-030390 add rule, remediation and test (#6802)
- Add Rule for SLES-15-040382 (#6811)
- RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
- RHCOS4: Add recommended chrony config (#6786)
- Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
- Prevent global references to use product-qualifiers (#6896)
- OCP: Fix description of kubelet TLS cipher suites (#6900)
- Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
- Update VSEL references to remove qualifier from global references (#6948)
- SLES-15-010250 add rule, remediation and tests (#6879)
- add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
- Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
- Add Rule,Remediation and Test for SLES-15-030760 (#6869)
- Revert STIG id for require_emergency_target_auth (#6928)
- Remove bogus nist: FOO-1(a) references (#6917)
- remove product specific disa and srg references (#6895)
- ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
- Fix usbguard match-all syntax for HID rule (#6909)
- RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
- Notate that Ubuntu is a FIPS-certified OS (#6912)
- OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
- update require_emergency_target_auth (#6894)
- add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
- Add Rule,Test for SLES-15-020103 (#6881)
- Prevent unqualified CIS and STIGID references (#6871)
- SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
- Add rules related to permissions of /var/log and /var/log/messages (#6861)
- SLES-15-010220 updates for firewalld (#6831)
- Add OL anssi profiles (#6817)
- update accounts_tmout (#6839)
- SLES-15-030730 'Record Unsuccessful Delete Attempts to Files - renameat2' (#6826)
- add rule for disabling of GUI (#6860)
- Add rules for SLES-12-010060 (#6806)
- CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
- fix service_sshd_enabled for SLE-15 (#6830)
- RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
- Add HIPAA rules references (#6854)
- RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
- Add CCI reference to package_gssproxy_removed (#6846)
- Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
- SLES-15-010353 map rule file_ownership_library_dirs (#6820)
- Add CCEs for RHEL9 rsyslog rules (#6832)
- SLES-15-010030 rule (#6821)
- SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
- Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
- OCP4: Add applicability warnings (#6823)
- service_nfs_disabled - change name of nfs service to nfs-server (#6777)
- Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
- OCP4: Address flowschema version change by handling different OCP versions (#6813)
- Abort the build if an OVAL is not included due to extend_definition (#6402)
- Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
- service_rsyncd_disabled - update package name to rsync-daemon (#6783)
- Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
- RHCOS4: Fix require_singleuser_auth rule (#6780)
- ocp4: Add relevant description for protectKernelDefaults rule (#6705)
- CIS 5.2, 5.4, and 5.6 updates (#6704)
- Add documentation links for OL7 and OL8 (#6756)
- Update OL OSPP profiles (#6745)
- Change dhcp server package name to dhcp-server in rhel8 (#6762)
- SLES-15-020101 add rule and tests, no remediation (#6734)
- Add ansible and bash remediation for wireless_disable_interfaces (#6685)
- ocp4: Switch to using the platforms construct (#6759)
- Add rule for RHCOS to check for interactive boot being disabled (#6747)
- Fix oracle documentation links (#6740)
- implement support for multiple platforms connected with disjunction (#6661)
- rhcos4: Add check for nousb kernel argument (#6743)
- Add tests for no files unowned by user/group rules (#6738)
- Add rule for checking selinux is not disabled in coreos (#6737)
- ocp4/etcd: Fix rule checks for 4.8 (#6732)
- Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
- CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
- CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
- Updating macros to support idempotency when deduplicating values (#6953)
- Fix Rule CPE Name inheritance (#6943)
- Reorganize env and product yaml (#6754)
- RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
- rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
- RHCOS4: Add recommended auditd.conf remediation (#6782)
- Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
- Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
- rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
- RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
- mount_option ansible remediation - remediate when mount point is not in mounted (#6713)
Tests:
- install_vm.py: add possibility to install GUI system (#7004)
- Improve the test suite wrapper (#6944)
- Remove code from OCP4 e2e tests (#6961)
- Add test scenarios for service enable/disable rules from CIS profile (#6785)
- Missing references test (#6849)
- Fix RHEL8 STIG with GUI stable profile data (#6874)
- increase /usr partition size in testing kickstart (#6808)
- Add Ubuntu as a known platform for ssg_test_suite (#6794)
- Add package_* test scenarios (#6752)
- Add tests for rule accounts_password_pam_minlen (#6751)
- Add tests for rule accounts_no_uid_except_zero (#6750)
- Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
- Update tests of accounts_tmout to work when overriding profiles (#6765)
- Update tests of account_disable_post_pw_expiration (#6753)
- Add tests for rule account_unique_name (#6749)
- accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
- Switch to generic python shebang (#6744)
- Add tests for rule no_netrc_files (#6741)
- Add tests for rule accounts_minimum_age_login_defs (#6735)
- Updated test scenarios to work on containers (#6701)
- Add tests for rule accounts_password_warn_age_login_defs (#6736)
- Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
- ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
- Add test scenarios for rsyslog rules (#6712)
- set_firewalld_default test scenarios (#6721)
- sysctl_net_* test scenarios (#6696)
- rpm_verify_ownership test scenarios (#6703)
- postfix_network_listening_disabled tests (#6708)
- Ignore trailing whitespaces in the unique references test (#6702)
- Make test suite tests more accessible (#6675)
- mount_option_* test scenarios (#6677)
- file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#6687)
- kernel_module_* test scenarios (#6684)
- Added test scenarios for partition rules (#6676)