Important Highlights
- Add utils/controlrefcheck.py (#10096)
- RHEL 9 STIG Update Q1 2023 (#10185)
- Include warning for NetworkManager keyfiles in RHEL9 (#10330)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
New Rules and Profiles
- Add new rule package_systemd-journal-remote_installed (#10105)
- New SLE 15 rule service_nftables_enabled (#10113)
- Add CIS iptables rules (#10121)
- New SLE 15 rule set_nftables_new_connections (#10114)
- Introduce new rule sshd_use_approved_kex_ordered_stig (#10103)
- Add a new rule ssh_keys_passphrase_protected (#10017)
- Introduce new rule authconfig_config_files_symlinks (#10129)
- Added rule partition_for_dev_shm (#9984)
- New rule for SLE 15 unnecessary_firewalld_services_ports_disabled (#10090)
- New SLE 15 rule set_nftables_table (#10128)
- Add implementation for rsyslog_logging_configured rule (#10063)
- New SLE 12/15 rule audit_rules_mac_modification_usr_share (#10223)
- OCP4 STIG: Cover SRG-APP-000297-CTR-000705 with a new rule oauth_logout_url_set (#10187)
- Added a new rule accounts_password_set_warn_age_existing (#10006)
- Add new rule socket_systemd-journal-remote_disabled (#10210)
- Introduce rule to remove nginx package (#10291)
- Introduce rule to remove cyrus-imapd package (#10292)
- Add package_dnsmasq_removed rule (#10293)
- Add package_ftp_removed rule (#10294)
- Add new rule rsyslog_filecreatemode (#10264)
- New SLE 12/15 rule all_apparmor_profiles_in_enforce_complain_mode whi… (#10064)
- Add rule package_nfs-kernel-server_removed for Ubuntu CIS (#10358)
Updated Rules and Profiles
- accounts_passwords_pam_tally2: Move to bash_ensure_pam_module_option (#10058)
- Assign CCE-IDs for sysctl_net_ipv4_conf_default_log_martians for SLES-12 and SLES-15 (#10082)
- OL8 v1r5 small updates - update policy text & remove rule for OL08-00-010510 (#10093)
- Add CIS iptables rules (#10121)
- OL7 stig v2r10 update (#10125)
- Bump version of OL8 STIG to V1R5 (#10123)
- Assign ntp_configure_restrictions to SLE12 (#10122)
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Change applicability of rules configuring idle session timeouts (going to master branch) (#10149)
- Add missing SRG to aide_build_database rule (for master branch) (#10150)
- Remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (#10153)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update levels of some rules in RHEL8 CIS (#10157)
- Change custom zones check in firewalld_sshd_port_enabled (#10162)
- Improve applicability of rule package_rear_installed (master branch) (#10156)
- Accept required and requisite control flag for pam_pwhistory (#10175)
- OCP4 Modify etcd encryption check rules for hypershift (#10179)
- Fixes related to SLE 12/15 for the rules set_min/max_life_existing (#10173)
- Fix prefer_64bit_os for SLE platforms (#10178)
- Remove rule logind_session_timeout and associated variable from profiles (#10202)
- Shorten rule title (#10196)
- products/alinux2 && products/alinux3: fix some missing rules in the cis profile (#10138)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Include avahi related rules in RHEL CIS control files (#10233)
- Include partition_for_dev_shm in CIS RHEL7 and RHEL9 (#10239)
- Update CIS RHEL requirements for log files permissions (#10241)
- Include rule for checking password last change in RHEL (#10243)
- Include accounts_set_post_pw_existing rule in CIS RHEL (#10269)
- Enable no_empty_passwords_etc_shadow rule for RHEL7 (#10276)
- Update password hashing algorithm CIS requirement (#10271)
- Complete CIS requirements related to dot-files (#10279)
- Fix package names for some SUSE packages (#10283)
- Enable accounts_password_set_warn_age_existing rule for RHEL (#10284)
- Corrections in the rule package_openldap-clients_removed (#10273)
- Enable sshd_enable_warning_banner_net for RHEL (#10287)
- Add package_nginx_removed to Ubuntu CIS profiles (#10301)
- Add package_cyrus-imapd_removed to Ubuntu CIS profiles (#10302)
- accounts_passwords_pam_faildelay_delay: depend on pam (#10304)
- accounts_passwords_pam_tally2: depend on pam being installed (#10305)
- package_pam_pwquality_installed: depend on pam being installed (#10306)
- apparmor: apply only to platform machine (#10303)
- sudo_require_reauthentication: depend on sudo being installed (#10318)
- vlock_installed: apply only to platform machine (#10307)
- Remove VMM SRG References (#10336)
- Add apparmor rule to Ubuntu CIS profiles and minor fixes to profiles (#10338)
- Add some nftables rules to Ubuntu CIS profile (#10300)
- Make accounts_password_last_change_is_in_past not applicable to containers (#10339)
- Align rhel7 dracut-fips-aesni remediations (#10352)
- Add package_cups_removed to Ubuntu CIS Level 2 Workstation profiles (#10360)
- NTP related rules for CIS on Ubuntu 20.04 and 22.04 (#10344)
Changes in Remediations
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update sebool_secure_mode_insmod OL remediations (#9979)
- Enable rsyslog_filecreatemode rule for RHEL (#10328)
- kernel_module_disable template - regexp matches multiple lines (#10351)
- Fix loops within ansible template for rsyslog_files (#10349)
Changes in Checks
- Update tmux rules and add them to OL8 STIG profiles (#10124)
- Remove check of /var/log/dmesg from OVAL (#10145)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Fix prefer_64bit_os for SLE platforms (#10178)
- postfix_prevent_unrestricted_relay: allow whitespaces and no comma for 'smtpd_client_restrictions' value (#10219)
- Create OVAL macro to consistently identify Interactive Users (#10215)
- Add offline capability to the 'mount_option' OVAL template (#10200)
Changes in the Infrastructure
- Introduce script shorthand to OVAL (#10085)
- Remove utils/count_oval_objects.py (#10133)
- Update Rawhide Before Use (#10141)
- Move to Code Climate for PEP 8 Checking (#10158)
- Enable SCE integrity checks for RHEL8 (#10165)
- Refactor ssg.build_ovals module (#10048)
- Update srg diff (#10199)
- Require OVAL ID to match rule ID (#10346)
- Various python fixes (#10345)
- Move platform_mount to use cpe-oval vs oval (#10441)
Changes in the Test Suite
- Add utils/controlrefcheck.py (#10096)
- Extends rsyslog_logfiles_attributes_modify template for permissions (#10139)
- Update test scenarios for accounts_password_last_change_is_in_past (#10213)
- Add cap_system_chroot capability to Automatus podman container (#10246)
- Fix Automatus on Python 3.6 (#10281)
- Disable logrotate timer in ensure_logrotate_activated tests (#10375)