Important Highlights
- Ubuntu 22.04 CIS (#9953)
- OL7 stig v2r9 update (#9976)
- Bump OL8 STIG version to V1R4 (#9974)
- Update RHEL7 STIG to V3R10 (#10079)
- Update RHEL8 STIG to V1R9 (#10078)
- Introduce CIS RHEL9 profiles (#10091)
New Rules and Profiles
- Add nonessential services rule (#9912)
- Added a new rule package_firewalld_removed (#9937)
- Added a new SLE 12/15 rule package_rsync_removed (#9932)
- Added a new rule package_cups_removed (#9930)
- Added a new rule firewalld_service_disabled (#9941)
- Added a new SLE 15 rule package_nftables_installed (#9934)
- Add rule for no .forward files (#9990)
- Add new rule grub2_enable_apparmor (#9978)
- Added a new rule package_tcp_wrappers_removed (#9981)
- Added a new SLE 12/15 rule package_rpcbind_removed (#9931)
- Add package prelink removed (#10062)
- Add new rule audit_rules_immutable_login_uids (#10070)
- Added 2 rules for 15 related to nftables (#10068)
- New SLE 15 rule ensure_iptables_are_flushed (#10107)
- Add new rule configure_bashrc_tmux (#10100)
Updated Rules and Profiles
- Include warning regarding quota options in XFS (#9879)
- Update the sshd_set_keepalive regarding ClientAliveCountMax (#9903)
- Sync rules for RHEL 9 STIG (#9788)
- Changing a few hardcoded OS names to full_name (#9936)
- Assign CIS and CCE-IDs to multiple rules (SLES) (#9940)
- SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (#9883)
- Update sudo_require_reauthentication (#9923)
- Update kmod audit rule for OL7 (#9949)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Add rule to OL7 stig profile (#10028)
- Small corrections related to 3 rules (#9995)
- Add new rule grub2_enable_apparmor (#9978)
- Include Ubuntu products in package_rsync_removed (#10051)
- Include Ubuntu products in package_nftables_installed (#10052)
- Fix the service_telnet_disabled rule (#10033)
- Update package name for RHEL in package_rsync_removed (#10053)
- Include Ubuntu products in package_cups_removed (#10050)
- Include Ubuntu products in package_rpcbind_removed (#10055)
- Update link to NTP docs (#10056)
- Include Ubuntu products in package_prelink_removed (#10071)
- Add account_emergency_expire_date to OL7 stig (#10073)
- Add aide_build_database to STIG in OL and RHEL (#10094)
- Include Ubuntu products in two nftables rules (#10101)
- Move two rules to higher level in cis_rhel8 control file (#10109)
- Add new rule configure_bashrc_tmux (#10100)
- Add missing SRG to aide_build_database rule (#10136)
- Change applicability of rules configuring idle session timeouts (#10127)
- Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10152)
- Improve applicability of rule package_rear_installed (#10144)
- Stabilization: update levels of some rules in RHEL8 CIS (#10155)
Changes in Remediations
- Fix indentation in Ansible shell module parameter (#9851)
- Recognize 64bit architectures in Ansible remediations (#9887)
- Make Ansible remediation less prone to fatal errors (#9914)
- Add bash and ansible remediation for set_loopback_traffic (#9939)
- Ansible and bash remediations for set_ipv6_loopback_traffic (#9938)
- Update sudo_require_reauthentication (#9923)
- Improve the arguments for Ansible command module (#9921)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Fix Jinja condition in macro for pam_faillock (#10009)
- Install NetworkManager as part of wireless_disable_interfaces remediation (#10018)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- Improve service_disabled template (#10026)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
- Rewrite remediations for rsyslog_remote_tls (#9866)
- Fix accounts_password template for OL (#10045)
- Using the Ansible shell actions is needed in package_prelink_remove (#10086)
Changes in Checks
- Add SUSE Manager 4.x in installed_OS_is_sle15 (#9854)
- Update sudo_require_reauthentication (#9923)
- accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (#9956)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (#9977)
- Update accounts_password template for OL due to precedence confs (#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (#9955)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (#9954)
Changes in the Infrastructure
- Refactor build_cpe.py (#9834)
- Formatting and bug fixes in utils/import_srg_spreadsheet.py (#9827)
- Refactor templates v2 (#9870)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Sanity test for utils/create_scap_delta_tailoring.py (#9839)
- Introduce templated platforms (CPEs) (#9906)
- Sort conditional remediation platform checks (#9902)
- Add sanity tests for controleval.py (#9918)
- Add Refchecker to Tests (#9862)
- Wait for buffer flushes to finish writes (#9933)
- Fix the file param in rule_dir_json (#9928)
- Fix typing import in create_srg_export.py (#9929)
- Build all profiles on all CentOS and CentOS Streams (#9946)
- CTest Fixes (#9962)
- CPE AL: Introduce version specifiers support (#9945)
- Correctly process templated Ansible conditionals and introduce os_linux platform (#9959)
- Raise exception when parametrized platform receives invalid argument (#9996)
- Fix --datastream-only in ./build_product (#10020)
- Add sanity tests for compare_disa_xml.py (#10030)
- Add Ubuntu 22.04 to Gating (#9986)
- Fix a few issues in test-compare-disa-xml (#10034)
- Update Ansible Lint Config (#10025)
- platforms: rewrite mechanism which parses version into EVR (#10038)
- Produce an understandable error when remediation collection goes wrong (#10027)
- Platforms: prevent building content when version comparison is used and platform provides remediation conditional (#10040)
- Bump fedora version in Dockerfiles to 37 (#10036)
- Fix the generation of SCE checks in the output datastream (#10015)
- Scripts clean up (#10061)
- Clean up SRG export (#10067)
Changes in the Test Suite
- Ensure pwquality.conf.d dir exists on test scenarios - main branch (#9865)
- Add automatic detection of platform_package_overrides when using automatus (#9897)
- Add Refchecker to Tests (#9862)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (#9994)
- Improve service_disabled template (#10026)