github ComplianceAsCode/content v0.1.76
Content 0.1.76

one day ago

Important Highlights

  • Add new product for Ubuntu 24.04 and draft CIS profiles (#12611)
  • Add pyproject.toml for the ssg package (#12604)
  • AlmaLinux OS 9 as a new product (#12810)
  • Documentation for ssg library (#12606)
  • Extend SSG library to more easily collect profile selections (#12797)
  • Extend SSG with functions to manage variables (#12717)

New Rules and Profiles

  • A new rule system_boot_in_fips_mode (#12671)
  • Add a default profile for Ubuntu2404 to add all rules to the datastream (#13023)
  • Add ccn profile to OL9 (#12759)
  • Add new rule journald_disable_forward_to_syslog (#12674)
  • Add new rule logging_services_active (#12857)
  • Add new rule no_nologin_in_shells (#12835)
  • Add new rule service_dhcpd6_disabled (#12627)
  • Add new rule service_dnsmasq_disabled (#12628)
  • Add new rule service_nginx_disabled (#12629)
  • Add new rules to replace audit_rules_mac_modification on Ubuntu (#12828)
  • Add new STIG rule accounts_password_pam_pwquality_retry (#12965)
  • Add rules for installing pam-runtime and pam-modules to Ubuntu 24.04 (#12904)
  • Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
  • Clean Up Opensc Rules in RHEL 10 (#12738)
  • Create Public Cloud Hardening profile for SLE Micro5 (#12817)
  • Implement audit rules for nsswitch.conf, pam.conf and pam.d (#12724)
  • Implement new rule firewall_single_service_active (#12822)
  • Implement rule accounts_umask_root (#12721)
  • Implement rule groups_no_zero_gid_except_root (#12720)
  • Implement rules for /etc/security/opasswd permissions (#12693)
  • New rule package_unbound_removed (#12699)
  • rhel10: use new rule for auditing of changes to selinux configuration (#12826)
  • Ubuntu 24.04 1.1.1.6 Ensure overlayfs kernel module is not available (#12692)
  • Ubuntu 24.04 1.3.1.1 Ensure AppArmor is installed (#12701)
  • Ubuntu 24.04 2.1.1 Ensure autofs services are not in use (#12702)
  • Ubuntu 24.04 2.2.6 Ensure ftp client is not installed (#12703)
  • Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users (#12711)
  • Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled (#12714)
  • Ubuntu 24.04 6.1.2.1.2 Ensure systemd-journal-upload authentication (#12852)
  • Ubuntu 24.04: Implement 2.3.1.1 Ensure a single time synchronization daemon is in use (#12823)
  • Ubuntu 24.04: Implement 5.3.2.4 Ensure pam_pwhistory module is enabled (#12726)
  • Ubuntu 24.04: Implement 5.3.3.2.5 Ensure password maximum sequential characters is configured (#12727)
  • Ubuntu 24.04: Implement rule 5.3.2.2 Ensure pam_faillock module is enabled (#12779)
  • Ubuntu 24.04: Implement rule 5.3.3.1.3 Ensure password failed attempts lockout includes root account (#12906)
  • Ubuntu 24.04: Implement rule 5.3.3.3.1 Ensure password history remember is configured (#12784)
  • Ubuntu 24.04: Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user (#12799)
  • Ubuntu 24.04: Implement rule 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok (#12800)
  • Ubuntu 24.04: Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember (#12780)
  • Ubuntu 24.04: Implement rule 5.4.2.5 Ensure root path integrity (#12838)
  • Ubuntu 24.04: Implement rule 5.4.2.8 Ensure accounts without a valid login shell are locked (#12889)

Updated Rules and Profiles

  • Update RHEL 8 STIG to V2R1 (#12924)
  • Fixes related to STIG and SSH cryptopolicy (#13025)
  • Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS (#12974)
  • Add new variable to set_password_hashing_min_rounds_logindefs rule (#12923)
  • Add package_ypbind_removed to e8 profile to OL8 (#12957)
  • Add rule for ubuntu2404 CIS control 4.4.3.2 (#12662)
  • Add rule sysctl_kernel_yama_ptrace_scope to Ubuntu 24.04 CIS (#12618)
  • Add rules and vars to ubuntu2404 CIS control 5.1.16 (#12667)
  • Add rules to several ubuntu2404 CIS controls (#12675)
  • Add rules to several ubuntu2404 CIS controls (#12694)
  • Add rules to ubuntu2404 CIS control 5.1.18 (#12668)
  • Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
  • Add ubuntu specific check and remediation for aide_periodic_checking_systemd_timer (#12733)
  • Adjust journald rules for RHEL 10 (#12754)
  • Adjust two filesystem permission rules to 600 (#12737)
  • Adjust wording in kerberos_disable_no_keytab (#12739)
  • Alma9 more changes (mk2) (#12905)
  • audit_immutable_login_uids: remove stig-specific content (#12676)
  • Clean Up Opensc Rules in RHEL 10 (#12738)
  • Define var_user_initialization_files_regex on Ubuntu 24.04 (#12960)
  • Exclude autrace and audispd on RHEL 10 (#12736)
  • Fix audit access rules in ISM_O (#12670)
  • Fix mistake made in PR #12714 (#12741)
  • Fix package and service name overrides for Ubuntu 24.04 (#12913)
  • Fix RHEL 10 DISA and SRG References (#12944)
  • Fix RHEL 10 ISM profile fails in Image Mode (#12836)
  • Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
  • Fix rule ip6tables_rules_for_open_ports and add to ubuntu2404 controls (#12666)
  • Fix the bash conditional for checking system architecture (#12815)
  • Fix variable name in Ubuntu 22.04 CIS profiles (#12982)
  • gdm package cannot be removed in stig_gui profile (#12915)
  • Improve rule file_permissions_ungroupowned for use in bootable containers (#12584)
  • Refactor ubuntu oval for audit_rules_networkconfig_modification (#12722)
  • Remove not applicable rules for OL8 & OL9 (#12558)
  • Remove old rules from RHEL 10 profiles (#12697)
  • Remove package_quagga_removed from RHEL 10 profiles (#12589)
  • Remove RHEL-08-020220 and RHEL-08-020221 from the RHEL 8 STIG (#12805)
  • Remove service_chronyd_or_ntpd_enabled from RHEL 10 (#12756)
  • Remove sshd_use_priv_separation from HIPAA control file (#12591)
  • require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
  • require_singleuser_auth: update prose (#12864)
  • RHEL 10 Kernel Config and Module Clean Up (#12712)
  • RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational (#12824)
  • rhel8 STIG: update password hashing rounds (#12948)
  • RHEL8 STIG: update SSH algorithms (#12949)
  • Switch to _guard_var templates for timesync rules on Ubuntu 24.04 (#12903)
  • Switch to CIS-specific banner rules for Ubuntu 24.04 CIS (#12619)
  • Ubuntu 24.04 1.1.1.2 Ensure freevxfs kernel module is not available (#12688)
  • Ubuntu 24.04 1.1.1.3 Ensure hfs kernel module is not available (#12689)
  • Ubuntu 24.04 1.1.1.4 Ensure hfsplus kernel module is not available (#12690)
  • Ubuntu 24.04 1.1.1.5 Ensure jffs2 kernel module is not available (#12691)
  • Ubuntu 24.04 1.1.1.6 Ensure overlayfs kernel module is not available (#12692)
  • Ubuntu 24.04 1.1.2.2.1 Ensure /dev/shm is a separate partition (#12700)
  • Ubuntu 24.04 1.3.1.1 Ensure AppArmor is installed (#12701)
  • Ubuntu 24.04 2.1.1 Ensure autofs services are not in use (#12702)
  • Ubuntu 24.04 2.2.6 Ensure ftp client is not installed (#12703)
  • Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users (#12711)
  • Ubuntu 24.04 3.1.3 Ensure bluetooth services are not in use (#12713)
  • Ubuntu 24.04 5.1.12 Ensure sshd KexAlgorithms is configured (#12731)
  • Ubuntu 24.04 5.1.15 Ensure sshd MACs are configured (#12735)
  • Ubuntu 24.04 5.1.8 Ensure sshd DisableForwarding is enabled (#12714)
  • Ubuntu 24.04 5.1.9 Ensure sshd GSSAPIAuthentication is disabled (#12719)
  • Ubuntu 24.04 5.3.2.1 Ensure pam_unix module is enabled (#12706)
  • Ubuntu 24.04 5.3.3.4.4 Ensure pam_unix includes use_authtok (#12760)
  • Ubuntu 24.04 5.4.2.4 Ensure root account access is controlled (#12672)
  • Ubuntu 24.04 6.1.2.1.2 Ensure systemd-journal-upload authentication (#12852)
  • Ubuntu 24.04 CIS section 6.1.2.1.3 Ensure systemd-journal-upload is enabled and active (#12680)
  • Ubuntu 24.04: Implement 2.1.21 Ensure mail transfer agent is configured for local-only mode (#12818)
  • Ubuntu 24.04: Implement 2.3.1.1 Ensure a single time synchronization daemon is in use (#12823)
  • Ubuntu 24.04: Implement 5.3.2.3 Ensure pam_pwquality module is enabled (#12723)
  • Ubuntu 24.04: Implement 5.3.2.4 Ensure pam_pwhistory module is enabled (#12726)
  • Ubuntu 24.04: Implement 5.3.3.2.5 Ensure password maximum sequential characters is configured (#12727)
  • Ubuntu 24.04: Implement 5.3.3.2.7 Ensure password quality checking is enforced (#12752)
  • Ubuntu 24.04: Implement 5.3.3.4.1 Ensure pam_unix does not include nullok (#12770)
  • Ubuntu 24.04: Implement rule 5.3.2.2 Ensure pam_faillock module is enabled (#12779)
  • Ubuntu 24.04: Implement rule 5.3.3.1.2 Ensure password unlock time is configured (#12772)
  • Ubuntu 24.04: Implement rule 5.3.3.1.3 Ensure password failed attempts lockout includes root account (#12906)
  • Ubuntu 24.04: Implement rule 5.3.3.2.1 Ensure password number of changed characters is configured (#12750)
  • Ubuntu 24.04: Implement rule 5.3.3.2.2 Ensure minimum password length is configured (#12748)
  • Ubuntu 24.04: Implement rule 5.3.3.2.3 Ensure password complexity is configured (#12753)
  • Ubuntu 24.04: Implement rule 5.3.3.2.4 Ensure password same consecutive characters is configured (#12747)
  • Ubuntu 24.04: Implement rule 5.3.3.2.6 Ensure password dictionary check is enabled (#12751)
  • Ubuntu 24.04: Implement rule 5.3.3.3.1 Ensure password history remember is configured (#12784)
  • Ubuntu 24.04: Implement rule 5.3.3.3.2 Ensure password history is enforced for the root user (#12799)
  • Ubuntu 24.04: Implement rule 5.3.3.3.3 Ensure pam_pwhistory includes use_authtok (#12800)
  • Ubuntu 24.04: Implement rule 5.3.3.4.2 Ensure pam_unix does not include remember (#12780)
  • Ubuntu 24.04: Implement rule 5.4.2.2 Ensure root is the only GID 0 account (#12777)
  • Ubuntu 24.04: Implement rule 5.4.2.5 Ensure root path integrity (#12838)
  • Ubuntu 24.04: Implement rule 5.4.2.8 Ensure accounts without a valid login shell are locked (#12889)
  • Update sssd_enable_smartcards for RHEL 10 (#12882)
  • Update audit_ospp_general with the latest content (#12579)
  • Update mount_option_proc_hidepid to include OL9 product (#12917)
  • Update Ol10 profiles (#12833)
  • Update package_gssproxy_removed based on feedback (#12725)
  • Update profiles ol8 (#12890)
  • Update RHEL 10 GPG Keys (#12744)
  • Update RHEL 9 STIG to V2R3 (#12922)
  • Update set_password_hashing_algorithm_passwordauth for RHEL 10 STIG (#12758)
  • Update several controls and variables for Ubuntu 24.04 CIS (#12624)
  • Update several controls for Ubuntu 24.04 CIS (#12912)
  • Update SRG GPOS to V3R2 (#12943)
  • Update ubuntu2404 CIS control 2.3.2.1 (#12637)
  • Update X Servers Rules for Wayland (#12897)
  • Use yescrypt in RHEL 10 (#12743)

Changes in Remediations

  • Fix set_password_hashing_min_rounds_logindefs (#12998)
  • Add systemd check if it is running for systemctl start commands (#12918)
  • Add ubuntu platforms to auditd_data_disk_error_action remediation (#12928)
  • Adjust set_password_hashing_algorithm_* for RHEL 10 (#12782)
  • Adjust ansible_audit_augenrules_add_syscall_rule to 600 (#12786)
  • Firewall technology related rules per service and package change logic according to interactive profile variable (#11818)
  • Fix display_login_attempts (#12603)
  • Fix dpkg package applicability check in bash (#12873)
  • Fix file_permissions_etc_audit_rulesd in Image Mode (#12855)
  • Fix path to timesyncd.conf for sle15 (#12919)
  • Fix sssd_enable_smartcards (#12600)
  • Fix/debian20241107 (#12585)
  • Some small patches for SLE15 CIS related remediations (#12921)
  • Update ensure_logrotate_activated for image mode (#12645)

Changes in Checks

  • Adjust OVAL for directory_permissions_var_log_audit (#12631)
  • Fix file_permissions_unauthorized_sgid (#12602)
  • Fix path to timesyncd.conf for sle15 (#12919)
  • Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
  • Fix/debian20241107 (#12585)
  • Improve OVAL and tests for accounts_password_pam_unix_authtok (#12868)
  • Improve regex in sudo_defaults_option oval (#12673)
  • Improve rule file_permissions_ungroupowned for use in bootable containers (#12584)
  • Refactor ubuntu oval for audit_rules_networkconfig_modification (#12722)
  • Ubuntu 24.04: Implement 2.1.21 Ensure mail transfer agent is configured for local-only mode (#12818)
  • Update ensure_logrotate_activated for image mode (#12645)
  • Use nss-altfiles in file_groupowner_etc_chrony_keys (#12789)

Changes in the Infrastructure

  • Add AlmaLinux 9 to CI (#12851)
  • Add ubuntu2404 to GitHub Actions (#12616)
  • Add workflow to ensure no merge commits are included (#12809)
  • Adjust regex for building SCAP delta tailoring files (#12742)
  • Bump OpenSCAP Version for Windows Tests (#12798)
  • Change shellcheck tests (#12848)
  • Fix processing platform key in SCE (#12961)
  • Improve error message (#12642)
  • Make it flexible to load macros in SSG (#12816)
  • Remove GitPod comment from CTF workflow (#12837)
  • Remove OL7 from CI (#12661)
  • Update create_scap_delta_tailoring and apply it to OL8 build (#12684)
  • Update RHEL 8 installed regex (#12908)
  • Update RHEL STIG SCAP Content For CY25Q1 (#12939)

Changes in the Test Suite

  • Add custom test scenario dconf_gnome_lock_screen_on_smartcard_removal (#12839)
  • Adjust kernel_module_disabled/missing_blacklist.fail.sh (#12898)
  • Create a minimalist reproduction of content directory for unit tests (#12819)
  • Fix tests for root_path_no_dot on Ubuntu (#12962)
  • Improve OVAL and tests for accounts_password_pam_unix_authtok (#12868)
  • install_vm: Add default osinfo for RHEL distro (#12858)
  • Make coredump_disable_storage/coredumps_storage_none.pass work on RHEL 10 (#12885)
  • Make Automatus Sanity Pass (#12590)
  • Process files in tests/shared by Jinja (#12867)
  • Update logind_session_timeout/not_configured.fail to handle if the systemd config is not there (#12884)

Documentation

  • Add Ubuntu Maintainers as CODEOWNERS for 24.04 CIS (#12630)
  • Document possibility of installing ssg module with pip (#12658)
  • Fix comparing timezone and non-timezone timestamps (#12583)
  • Include Docstrings for ssg/build_yaml.py (#12609)

Fixed Bugs

  • Remove RHEL 8 STIG reference from file_permission_user_init_files - stable (#13016)
  • Fix set_password_hashing_min_rounds_logindefs (#12998)
  • Fixes related to STIG and SSH cryptopolicy (#13025)
  • Add a script to ensure coredump configuration file exists (#12844)
  • Add custom test scenario dconf_gnome_lock_screen_on_smartcard_removal (#12839)
  • Adjust kernel_module_disabled/missing_blacklist.fail.sh (#12898)
  • Authselect profile minimal is now called local in RHEL10 (#12846)
  • disable_ctrlaltdel_burstaction: make sure config file exists (#12841)
  • Enable correct OVAL criteria for RHEL9/RHEL10 in file_ownership_var_log_audit_stig (#12845)
  • Fix audit_rules_privileged_commands_unix2_chkpwd (#12886)
  • Fix CIS reference URI for AlmaLinux 9 (#12850)
  • Fix NERC CIP Link (#12892)
  • Fix RHEL 8 CIS reference on Ensure noexec option set on /var/tmp (#12847)
  • Fix sssd service enabled test scenarios (#12862)
  • Fix to prevent oscap crashing on ubuntu (#12728)
  • Move to enable_fips_mode from grub2_enable_fips_mode in RHEL 10 (#12899)
  • Remove package_xinetd_removed from RHEL 10 (#12881)
  • Remove rule disable_ctrlaltdel_burstaction from Ubuntu STIG profiles (#12620)
  • Rename OVAL tests and objects to fix name conflict (#12869)
  • require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
  • RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational (#12824)
  • RHEL now checks no other users have primary group ID 0 (#12891)
  • RHEL8: add back removed rules to keep datastream consistent (#12966)
  • Update audit_ospp_general with the latest content (#12579)
  • Update tests for file_groupownership_sshd_private_key (#12896)
  • Update X Servers Rules for Wayland (#12897)
  • Use dedicated_ssh_keyowner variable in test scenarios (#12860)