Important Highlights
- Introduce a JSON build manifest (#10761)
- Introduce a script to compare ComplianceAsCode versions (#10768)
- Introduce CCN profiles for RHEL9 (#10860)
- Map rules to components (#10609)
- products/anolis23: supports Anolis OS 23 (#10548)
- Render components to HTML (#10709)
- Store rendered control files (#10656)
- Test and use rules to components mapping (#10693)
- Use distributed product properties (#10554)

New Rules and Profiles
- Add modified audit suid privilege function rule for CIS (#10729)
- Introduce CCN profiles for RHEL9 (#10860)
- Introduce network access control rule (#10596)
- New templated rule to remove iptables-services package (#10703)
- RHCOS4 STIG: Cover controls that correspond to NIST AC (#10727)
- Include new kickstart files for CCN profiles (#10863)

Updated Rules and Profiles
- A change into sudoers_validate_passwd (#10861)
- Add audit_rules_login_events_faillock to RHEL 8 STIG (#10816)
- Add modified audit suid privilege function rule for CIS (#10729)
- Add mount platforms (#10794)
- Add platform package variables for firewalld and iptables (#10740)
- Add warning to rsyslog_remote_tls_cacert (#10676)
- add-rules sles-15-010418 sles-12-010498 (#10711)
- Change rules related to /etc/shadow to check only local user configuration (#10838)
- Deprecate account_emergency_expire_date (#10829)
- ensure_pam_wheel_group_empty: depend on pam being installed (#10808)
- Fix grub2 remediation instructions (#10717)
- Fix of rule sudo_dedicated_group for sle 12/15 (#10689)
- Fixes of cron package/service for SLE 12/15 (#10549)
- Increase RHEL7 STIG Coverage (#10705)
- Link api_server_encryption_provider_cipher with CIS 2.8 (#10494)
- New applicability platform to check IPv6 state (#10830)
- OCP4: Fix instructions of scc_limit_container_allowed_capabilities (#10798)
- pam_faillock rules: show XCCDF variables in rule description (#10824)
- Removal of package_libreswan_installed from SLE 12/15 profiles (#10696)
- Remove quotes from journald config parameters (#10790)
- service_apport_disabled: depend on apport being installed (#10805)
- Set package_iptables_installed as machine only (#10804)
- Set package_nftables_installed as machine only (#10803)
- Set package_rng-tools_installed as machine only (#10810)
- Switch from "use_pam_wheel_for_su" to "use_pam_wheel_group_for_su" for RHEL 8 and 9 (#10762)
- Update of anssi profile for SLE 12/15 (#10702)
- Update OL8 cjis profile (#10771)
- Update OL8 hipaa profile (#10822)
- Update RHEL 7 STIG to v3r11 (#10821)
- Update RHEL 8 STIG to V1R10 (#10826)
- update rule SLES-12-030250 (#10644)
- Update SLE 12/15 rule and change package name (#10580)
- Use opening parenthesis in the switch case condition of RHEL-08-020041 (#10472)
- use_pam_wheel_group_for_su: depend on pam being installed (#10807)
- Updates of the rule use_pam_wheel_group_for_su (#10714)

Changes in Remediations
- Add a Playbook name to Ansible Playbooks (#10713)
- Add remediations for rule network_sniffer_disabled (#10659)
- configure_openssl_cryptopolicy: align remediations with rule description (#10828)
- Fix in service_autofs_disabled - ansible (#10521)
- Fix issue when adding fstab entries with iso9660 (#10572)
- fix: use grep -E instead of deprecated egrep (#10643)
- fixes in file_groupownership template (#10666)
- macros: bash: Avoid matching comments in fstab macros (#10754)
- Refactor Ansible remediation for dir_perms_world_writable_root_owned (#10839)
- SLE Add rsyslog_remote_loghost dropin remediations (#10672)
- SLE Coredump configuration support dropin remediation (#10604)
- SLES15 use dropin configuration for issue banner (#10605)
- Various fixes for Ubuntu (#10755)

Changes in Checks
- enhance OVAL for enable_fips_mode (#10900)
- Check only local users home directories (#10825)
- Update sysctl template to check (and not fix) /usr/lib/sysctl.d directory (#10637)

Changes in the Infrastructure
- .github/workflows/gate.yaml: Add anolis8 product. (#10814)
- Add a sanity test of install_vm.py (#10684)
- Add validation for Keys in Controls (#10813)
- create_srg_export: Enable reading check and fix from controls even if they have rules listed (#10769)
- Fix CMakelint (#10701)
- Fix compare datastream check to correctly treat new line characters. (#10667)
- Fix traceback in release helper (#10718)
- Implement distributed product properties without applying them (#10648)
- Stop using "imp" module (#10819)
- utils: Add SRG to NIST control mapping for the OCP4 STIG (#10758)

Changes in the Test Suite
- Add a test for rule journald_compress (#10818)
- Add a test for rule journald_storage (#10817)
- Add Automatus Testing (#10678)
- Add SCAPVal to CTest (#10802)
- Fix grep for Automatus sanity (#10752)
- Fix install_vm.py on older versions of Python (#10651)
- fix: ssg_test_suite: warning when rule not in benchmark (#10642)
- Add requirements files for python dependencies (#10487)