Important Highlights
- This is the last release to feature content with OVAL-5.10 (#9451)
- Introduce ol9 stig profile (#9207)
- Introduce Ol9 anssi profiles (#9243)
- Update RHEL8 STIG to V1R7 (#9276)
- Introduce e8 profile for OL9 (#9284)
- Update RHEL7 STIG to V3R8 (#9317)
New Rules and Profiles
- Introduce the rule accounts_passwords_pam_faillock_dir (#9170)
- add rule package_postfix_installed (#9191)
- add audit policy rules specific for ppc64le platform (#9124)
- Introduce ol9 stig profile (#9207)
- Introduce Ol9 anssi profiles (#9243)
- Introduce rule accounts_passwords_pam_faillock_audit (#9264)
- Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
- Introduced rules to disable accounts because of inactivity (#9244)
- Introduce e8 profile for OL9 (#9284)
- New sysctl ipv4 forwarding rule (#9277)
- Introduce hipaa profile for ol9 (#9478)
Updated Rules and Profiles
- Remove 3 crypto rules from RHEL 9 OSPP (#9181)
- Remove 3 package rules from RHEL 9 OSPP (#9182)
- Introduce new sebool description and ocil macros (#9184)
- Add to SLE ANSSI profile various sysctl rules (#9185)
- Add sebool rules for execheap insmod and ssh login to ANSSI SLE profile (#9186)
- Add more ANSSI Intermediary Rules (#9203)
- Add more sysctl rules to intermediary profile (#9202)
- The FMT_MOF_EXT.1 only deals with restricting management functions to administrator (#9206)
- Remove 4 PAM related rules from RHEL9 OSPP (#9217)
- switch template of audit_immutable_login_uids back to audit_file_contents (#9133)
- remove accounts_max_concurrent_login_sessions from RHEL9 OSPP (#9218)
- add audit policy rules specific for ppc64le platform (#9124)
- remove umask-related rules from RHEL9 OSPP (#9223)
- Make audit AArch64 specific rules RHEL9 only (#9188)
- Remove rules for package removal from RHEL 9 OSPP (#9233)
- remove securetty_root_login_console_only from RHEL9 OSPP (#9234)
- Polishing the RHEL 9 OSPP profile file, removing the DRAFT designation (#9232)
- remove redundant rules configuring partitioning from RHEL9 OSPP (#9237)
- Don't pass sssd rules when sssd.conf is absent (#9225)
- Update accounts_password_pam_retry behavior (#8880)
- System commands dir root or system account (#9258)
- SUSE SLE15 add messagebus and nscd to authorized_local_users (#9260)
- Update RHEL8 STIG to V1R7 (#9276)
- Refresh BPF related rules in RHEL 9 OSPP profile (#9147)
- Update few sysctl rules to accept multiple compliant values (#9286)
- Add -F perm=x filter on RHEL7 privileged commands rules (#9289)
- Make OSPP profiles use minimal Authselect profile (#9298)
- add warning to audit_rules_for_ospp (#9303)
- add warning to the rsyslog_remote_loghost rule about configuring queues (#9305)
- Update RHEL7 STIG to V3R8 (#9317)
- change rules protecting boot in RHEL8 OSPP (#9306)
- Add the AUID filters on RHEL7 audit kernel module rules (#9290)
- add 4 rules back to RHEL9 datastream (#9334)
- Implement DISA check for auditing kmod on RHEL7 (#9338)
- Update var_password_pam_remember_control_flag to allow multiple values in OL8 (#8861)
- Include warning about the pam_securetty.so PAM module (#9348)
- Add AUID filters on audit_rules_kernel_module_loading (#9371)
- Mask sensitive objects (#9364)
- Update RHEL9 STIG (#9378)
- add/remove fedora from privileged commands depending if exists or not (#9367)
- change way of disabling coredumps in RHEL9 OSPP (#9384)
- Adding rule to DISA STIG for RHEL7 as of V3R7 (Vuln V-250314). (#9401)
- Bump version of OL8 to V1R3 and update STIG ids (#9457)
- Add missing SRG references for RHEL 9 STIG (#9428)
- Remove support for upstart init system (#9452)
- Updates RHEL 9 STIG: Part 3 (#9489)
- Add ol8 platform to existing required tests (#9485)
- Update chronyd_or_ntpd_set_maxpoll to align with RHEL9 STIG (#9507)
- Update account_password_selinux_faillock_dir rule (#9501)
- Remove audit_rules_execution_restorecon from SRG control files. (#9503)
- Add tests to file_ownership_binary_dirs (#9515)
- Update ocil and ocil_clause in display_login_attempts (#9522)
- Update some account rules according to RHEL9 STIG (#9499)
- Include checktest for banner_etc_issue rule (#9521)
- Update pam_faillock rules for RHEL9 STIG (#9520)
- Add tests to rule dir_perms_world_writable_system_owned_group (#9516)
- Update clean_components_post_updating to align with RHEL9 STIG (#9510)
- Update accounts_umask_etc_profile (#9496)
- Add audit_rules_kernel_module_loading_create to RHEL7 STIG profile (#9524)
- Update audit rules RHEL9 STIG metadata (#9513)
- Add tests to no_user_host_based_files (#9529)
- Add tests to dir_perms_world_writable_system_owned (#9517)
- Add tests to no_host_based_files (#9532)
- Update rule CCE-83441-6 with RHEL9 STIG assessment (#9497)
- Add tests to clean_components_post_updating (#9530)
- Update macros from audit privileged commands (#9502)
- Update some PAM rules for RHEL9 STIG (#9514)
- Add variable for auditd freq (#9504)
- Align rule audit_rules_immutable with results of RHEL9 STIG assessment (#9506)
- [stabilization] RHEL9 stig_gui: don't remove GUI (#9582)
Changes in Remediations
- Allow two modes of SSH key ownership (#9094)
- Add oval and remediation for auditd_audispd_disk_full_action (#9195)
- include = sign in remediation of configure_openssl_crypto_policy (#9194)
- Condition run of newaliases to its availability (#9241)
- Update accounts_password_pam_retry behavior (#8880)
- Add DISA STIG ids to `when` conditions in ansible roles (#9029)
- Improve bash_ensure_pam_module_line macro (#9252)
- Fix bash remediation in rsyslog_remote_access_monitoring rule (#9253)
- Fix rule sudo_custom_logfile (#9299)
- Fix ansible partition conditionals (#9339)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Add Kubernetes remediation for rule configure_crypto_policy (#9266)
- Fix 2 ctest shellcheck issues (#9398)
- Fix kernel_module_disabled remediation template (#9346)
- Conditional for Ansible remediation on RHEL7 (#9440)
- change parameter of findmnt used in bash partition conditional (#9480)
- Fix remediation of rules dealing with Audit watches (#9463)
Changes in Checks
- Update accounts_password_pam_retry behavior (#8880)
- Improve regex to match retry parameter in pwquality.conf (#9245)
- Fix rule sudo_custom_logfile (#9299)
- Do not use the sshd service disabled OVAL in sshd_set_max_auth_tries (#9344)
- Mask sensitive objects (#9364)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Fix 5.10 OVAL validation of core_pattern_empty_string rule (#9420)
- Fix audit_rules_privileged_commands_kmod rule in RHEL7 (#9477)
- Update regex in OVAL for harden_sshd_ciphers_opensshserver_conf_crypto_policy rule (#9486)
- [stabilization] Update auditd_data_retention_max_log_file_action_stig OVAL to accept expected values from RHEL9 STIG profile (#9568)
Changes in the Infrastructure
- Fix various bugs in utils (#9172)
- Remove CentOS 6 and SL 6 references from the project (#9211)
- Fix pre tag in ocil_mount_option (#9209)
- Remove unused build option (#9213)
- Update gitpod HTML preview extension. (#9261)
- Install ansible for the extra modules (#9273)
- Use DS to build Ansible Playbooks and Bash scripts (#9291)
- Stop validating ssg-product-xccdf.xml (#9292)
- Use data stream to verify profile titles and descriptions (#9294)
- Use data stream to verify references (#9293)
- Generate CCE tables from data stream (#9300)
- Fix CMake dependencies (#9328)
- Use XCCDF 1.2 to create STIG overlay (#9301)
- Specify output file names (#9361)
- Test missing references in a data stream (#9295)
- Add trim_trailing_whitespace to editorconfig (#9391)
- Sort check-export elements (#9397)
- Use data stream to generate statistics (#9296)
- Generate per profile testinfo tables from XCCDF 1.2 (#9325)
- Fix missing OCIL text and 800-53 references (#9415)
- Use XCCDF 1.2 to generate STIG HTML tables (#9406)
- Add a script to import SRG export changes (#9416)
- Make groups inherit platforms from parent groups (#9465)
- Fix vuldiscussion key in utils/import_srg_spreadsheet.py (#9473)
- correct inheritance of platforms by rules from groups (#9491)
- Improve HTML for Table Templates (#9481)
- SRG Export: Improve vuldiscussion sourcing (#9493)
- Remove empty load operation (#9492)
- Add tests to rule no_tmux_in_shells (#9518)
- Fix the column letters for SRG VulDiscussion and VulDiscussion (#9526)
- Avoid sed hack (#9363)
Changes in the Test Suite
- Automatus: close hanging tempfiles descriptors (#9199)
- Improve regex to match retry parameter in pwquality.conf (#9245)
- Support commas in variables (#9280)
- Refactor templated test scenarios (#9254)
- Fix account_password_selinux_faillock_dir rule (#9381)
- Replace platform conditionals in whole remediation code (#9347)
- install_vm.py: add new option for disk size specification (#9479)
- correct inheritance of platforms by rules from groups (#9491)
- Add tests to audit privileged commands template (#9487)