Important Highlights
- Introduce cui profile for OL9 (#9638)
- Remove Support for OVAL 5.10 (#9604)
- Rename account_passwords_pam_faillock_audit (#9462)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Update contributors list for v0.1.65 release (#9843)
New Rules and Profiles
- Add profile for SUSE SAP Public Cloud Images (#9571)
- Introduce cui profile for OL9 (#9638)
- Created SLES 12 PCI DSS 4.0 profile and added rules to it (#9729)
- Add new rules related to system banners - /etc/issue.net (#9733)
- add new rule logind_session_timeout (#9475)
- Pci dss shadow rule (#9756)
Updated Rules and Profiles
- Update chronyd_no_chronyc_network to align with RHEL9 STIG (#9505)
- Update rules for RHEL 9 STIG (#9512)
- Update chronyd_client_only to align with RHEL9 STIG (#9500)
- Update rules for RHEL 9 STIG (#9527)
- RHEL9 stig_gui: don't remove GUI (#9581)
- Remove RPM verify rules from RHEL 9 STIG (#9591)
- Rule updates wrt RHEL9 STIG (#9509)
- Clarify instructions for implementing SCCs (#9569)
- Added SLES_15/12 CCE codes related to rules in the group restict_at_c… (#9643)
- Add pci-dss rules (#9627)
- Two small corrections (#9644)
- Added 6 SLES 15/12 CCE codes to the rules sshd_... (#9669)
- Add PCI-DSS rules (#9645)
- CIS RHEL8 gnome related requirements (#9670)
- Add dconf_gnome_disable_user_list to the RHEL 9 STIG (#9677)
- RHEL 9 STIG Fix Up (#9676)
- Added CCE number for SLES_15 in the rule sshd_use_approved_ciphers (#9680)
- Added 4 SLES 15/12 codes to the rules group_unique_id/name (#9682)
- Add support for PCI DSS v3.2.1 for SLE12 (#9613)
- service_ntp_enabled: Fix description as service name is ntp (#9707)
- Fix issue introduced in commit 1ba11cb (#9692)
- remove ospp-mls.profile (#9710)
- Add pcidss Req-ids (#9705)
- Ubuntu 20.04: fix grub2 password related rules (#9708)
- Fix rsyslog_remote_tls Remediations (#9711)
- Added 2 SLES 15/12 CCE codes to the rule disable_prelink (#9706)
- Assign RHEL-07-010271 to account_emergency_expire_date. (#9717)
- Ubuntu 20.04 CIS Level1 profile: add package_pam_pwquality_installed (#9721)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- install_smartcard_packages: Add Ubuntu specific remediation (#9720)
- Ubuntu 20.04: Make sure xattr audit rules contains a check for root user (#9722)
- Added rules to PCI DSS 4.0 SLES 15 profile (#9716)
- Add pci-dss rules to SLE15 (#9728)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Added 4 rules to SLES 12/15 PCI DSS 4.0 profiles (#9735)
- Update SLE 15 SAP hardening profile (#9742)
- Update RHEL8 STIG to V1R8 (#9780)
- Update RHEL7 STIG to V3R9 (#9781)
- Align ClientAliveCountMax and ClientAliveInterval on RHEL8 STIG V1R8 (#9784)
- Removed wrong rule from hipaa.profile (#9840)
- Stabilization: Include warning regarding quota options in XFS (#9877)
- Stabilization: Update the sshd_set_keepalive regarding ClientAliveCountMax (#9868)
Removed Products
- Remove the VSEL Product (#9547)
- Remove the fuse6 product (#9544)
- Remove the Debian 9 Product (#9546)
- Remove the JRE product (#9545)
Changes in Remediations
- Move kernel_module_disabled use more generic RHEL in conditionals (#9450)
- Improve ansible remediation of accounts_umask_etc_login_defs (#9490)
- Add bash and ansible remediation for rsyslog_remote_tls (#9484)
- Fix rsyslog_remote_tls Remediations (#9711)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- install_smartcard_packages: Add Ubuntu specific remediation (#9720)
- Fix config file and interpreter check control flow (#9695)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Dconf macros update to align them with OVAL expectation (#9751)
- rsyslog_files_permissions: Consider the last field in the config line the log file path (#9750)
- Fix nmcli bug (#9773)
- Align service_disabled template to service_enabled (#9806)
- Remove deprecated warn parameter from Ansible command module (#9807)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Stabilization: Make Ansible remediation less prone to fatal errors (#9911)
Changes in Checks
- Move kernel_module_disabled use more generic RHEL in conditionals (#9450)
- Update accounts_password template's OVAL (#9459)
- OCP4: Fix OCIL of machine_volume_encrypted (#9597)
- Clarify instructions for implementing SCCs (#9569)
- Remove jinja condition to make rule applicability to all products in Kerberos rules (#9412)
- Ubuntu 20.04: fix grub2 password related rules (#9708)
- Add Ubuntu specific bash for ensure_rsyslog_log_file_configuration (#9719)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Dconf macros update to align them with OVAL expectation (#9751)
Changes in the Infrastructure
- Remove superfluous check of rule ID consistency (#9539)
- Add tests to auditd_lineinfile template (#9519)
- Generate XCCDF 1.2 directly (#9464)
- Add support for regulated fields (#9553)
- SRG Import/Export Uses Policy Specific Content (#9570)
- Add Git Mail Map (#9573)
- Remove ident_size for .py files from editorconfig (#9603)
- Make CodeClimate to use .editorconfig (#9630)
- Remove function drop_oval_definitions (#9629)
- Add mypy to CI (#9430)
- Remove shorthand.xml from the build process (#9548)
- Remove XCCDF 1.1 from enable_derivatives.py (#9654)
- Remove XCCDF 1.1 from profile tool (#9655)
- Remove unused import (#9656)
- Remove XCCDF 1.1 from ssg/xccdf.py (#9657)
- Remove Support for OVAL 5.10 (#9604)
- Import SRG content for RHEL9 (#9574)
- Don't use editorconfig to check for indentation (#9653)
- Remove get_fixgroup_for_type (#9661)
- Remove superfluous XML namespaces from HTML tables (#9662)
- Update sysctl template's OVAL and tests to align with STIG (#9458)
- Remove unused XSLT xccdf2table-profileanssirefs.xslt (#9659)
- CMake Improvements (#9646)
- Remove Travis CI (#9683)
- Remove comparison utilities (#9688)
- Create unit tests for ssg.id_translate (#9624)
- Add unit tests of XCCDF 1.2 elements (#9617)
- Add unit tests for warnings and sub elements (#9637)
- Refactor and speed up combine_ovals.py (#9689)
- Fix unit tests to work with CentOS 7 (#9727)
- make CPE items compiled during the build process (#9700)
- SRG Diff: Add section for rows without a CCE (#9763)
- Make the utils/srg_diff.py more generic (#9767)
- parametrize methods for getting remediation conditionals of XCCDF platforms (#9777)
- build_remediations.py: deduplicate code which retrieves conditionals (#9779)
- Add sorted results to srg_diff (#9778)
- Add Smoke Tests for Some Scripts (#9787)
- Platforms can accept parameters and pass them to underlying CPE items (#9799)
- Do not remove blank lines when building profile playbook (#9809)
- SRG Export XLSX in CMake (#9811)
- Add config for Ansible lint (#9838)
Changes in the Test Suite
- [Master] add accounts_password_set_max_life_existing to unselect_rules_list (#9554)
- Fix issue introduced in commit 1ba11cb (#9692)
- Add tests to rule dconf_gnome_screensaver_idle_activation_enabled (#9701)
- Refactor firewalld_sshd_port_enabled rule (#9712)
- Complete tests to validate Ol9 pci dss profile (#9739)
- Add tests to accounts_password template (#9743)
- Do not instantiate Builder() when running Automatus (#9755)
- Fix Automatus --duplicate-templates (#9766)
- accounts_password_pam_retry: Add test for dupes and conflicts (#9805)
- accounts_passwords: Add tests for value conflicts and duplicates (#9804)
- sshd_lineinfile: Add tests for duplicated params (#9802)
- CI ansible hardening and rename of existing Bash hardening (#9796)
- Stabilization: Ensure pwquality.conf.d dir exists on test scenarios (#9864)
Documentation
- Doc fix up (#9596)
- Add PR gating guideline (#9611)
- Move to MyST as recommonmark and CommonMark are not supported (#9560)
- Fix docs refs (#9704)
- Include SLE products into the CCE tooling for auto assignment (#9714)
- Docs/developer: Mention that rules will inherit its group(s) platforms (#9635)
- Reformulate the release process documentation (#9736)
- Update gitignore (#9810)
- Document rule deprecation instructions and agreements (#9797)
- Update contributors list for v0.1.65 release (#9843)
- Add Sanity Test for generate_contributors.py (#9845)