Important Highlights
- Stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
- Introduce OL9 product (#8102)
- Implement handling of logical expressions in platform definitions (#8043)
New Rules and Profiles
- Introduce OL9 product (#8102)
- RHEL9 OSPP boot parameter rules (#8092)
- Introduce stig_gui profile for OL8 (#8200)
- New rules related to pam_pwquality (#8185)
- add rules to add page_alloc.shuffle kernel boot parameter (#8234)
- Add GRUB2 rule for slab_nomerge and mce (#8282)
- Include rule mount_option_proc_hidepid (#8288)
- New sysctl fs parameters (#8304)
- Parametrize configuration of kernel.kptr_restrict and add rule for kernel.panic_on_oops (#8285)
Updated Rules and Profiles
- Ol7 stig v2r5 (#7913)
- HIPAA Rules in test (#7916)
- Ubuntu specific bash and oval for dconf_gnome_login_banner_text (#7908)
- The audit package and auditd service are needed for FAU_GEN.1 SFR. (#8069)
- Clarify that log_format and name_format affect specifically information included in the audit records, not events for which audit records get generated. (#8071)
- Ensuring immutable UIDs is related to the subject identity required by FAU_GEN.1.2, it does not affect for which events audit records will be generated. (#8072)
- These auditd configurations affect the whole SFR, not just its specific parts. (#8070)
- RHEL9 OSPP: drop some rules disabling kernel module loading (#8093)
- The write_logs is related to where audit records end up stored, not what records get generated. (#8114)
- Amend OSPP references for rsyslog omfwd/gtls configuration. (#8113)
- On OSPP installation, the primary reason for having rsyslog installed… (#8111)
- Configuring the CA certificate targets the TLS "internal" requirements, so FTP_ITC_EXT.1.1 is not needed. (#8112)
- Ensure all processes are auditable and rules loaded for FAU_GEN.1 are applied. (#8098)
- Update OL8 stig profile rule selection (#8124)
- Requirement of not losing data at least to a limit comes from FAU_STG family. (#8133)
- RHEL9 OSPP boot parameter rules (#8092)
- Simple stig v2r6 updates for OL7 (#8162)
- Create OVAL check for selinux_context_elevation_for_sudo [OL7] (#8160)
- Update rule to only remove the graphical interface (#8170)
- drop not needed auditd.conf rules from rhel9 ospp (#8188)
- New rules related to pam_pwquality (#8185)
- Update configure_bashrc_exec_tmux to consider .d directory (#8146)
- align ospp audit rules with the latest upstream release (#8152)
- Align description of grub2 rules with checks and remediations (#8184)
- Update RHEL7 STIG items to V3R6 (#8225)
- update description of rhel9 ospp profile (#8232)
- Add sudoers_default_includedir to ol7 STIG (#8229)
- add rules to add page_alloc.shuffle kernel boot parameter (#8234)
- Fix bug 1195521 (#8215)
- Fix for bug 1195523 (#8242)
- Extend package_pam_pwquality_installed rule for RHEL (#8186)
- make rule enable_fips_mode check only for technical state (#8255)
- UEFI booting requires FAT support. (#8269)
- Removed criteria in OVAL check of require_singleuser_auth (#8121)
- no iptables.service in sle15 (#8292)
- fix aide_build_database rule and remediation to work with sles 12 and 15 (#8287)
- SLE 12 and 15 merge auditd file modification rules STIG IDs (#8295)
- OL8 STIG severity adjustments (#8103)
- Oval update for two rules to only allow results from only one file [ol7] (#8161)
- Performance improvements for file permission and ownership templates (#8456)
Changes in Remediations
- HIPAA Rules in test (#7916)
- Fix handling of literal dollars in macros (#8252)
- Various bash fixes (#8253)
- Simplify generated augen bash expressions (#8254)
- Fix the firewalld remediation (#8251)
- Fix bash remediations of browsers (#8258)
- Introduce convenience macros for find and awk (#8257)
- Introduce a shellcheck test (#8032)
- Refactor pam_faillock remediation (#8347)
Changes in the Infrastructure
- Add condition to SCAPVal script that will trigger when SCAP standard is updated (#8062)
- stop building PCI-DSS-centric XCCDF benchmark for RHEL 7 (#8122)
- Implement handling of logical expressions in platform definitions (#8043)
- Add backends attribute to template in rules schema (#8090)
- Add gitpod support (#8123)
- Added utils/compare_disa_xml.py (#8120)
- Gitpod: Build OpenSCAP 1.3.6 so it can build OCP4 and EKS content (#8206)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (#8245)
- Store OVAL of compiled platforms as string (#8238)
- Add a script to audit the SRG export CSV (#8077)
- Add version to delta tailoring file name (#8247)
- Various improvements to SRG Export Script (#8091)
Changes in the Test Suite
- align ospp audit rules with the latest upstream release (#8152)
- Remove grub2_pti_argument tests (#8310)
- Delete test scenario that removes SSH keys from machine (#8309)
- Remove RHEL7 platform from invalid_rescue.pass.sh (#8311)