GitHub: ComplianceAsCode/content v0.1.79
Content 0.1.79


Important Highlights

  • Add rhcos4 Profile for BSI Grundschutz (#13121)
  • Create SLE15 general profile (#13882)
  • Fix crypto policy settings in RHEL CIS profiles (#14120)
  • Refresh CIS Control File for RHEL10 release 1.0 (#13870)
  • Remove deprecated CIS OpenShift 1.4.0 and 1.5.0 profiles (#13832)
  • Remove OCP STIG V1R1 (#13848)
  • Remove OCP STIG V2R1 (#13849)

New Rules and Profiles

  • Add rhcos4 Profile for BSI Grundschutz (#13121)
  • Create SLE15 general profile (#13882)
  • Fix crypto policy settings in RHEL CIS profiles (#14120)
  • Sle16 base control (#13965)

Updated Rules and Profiles

  • [Ubuntu] Remove xserver-common (#13893)
  • [Ubuntu] Allow sys uid and empty user group (#13825)
  • [Ubuntu] Enable guard var for time sync and firewall rules (#13881)
  • [Ubuntu2404] Fix root_unlock_time value (#13884)
  • Add a warning for aide_build_database (#13868)
  • Add e8 rules to ism control so that references work (#14022)
  • Add GUI to title for RHEL 10 GUI STIG Profile title (#14054)
  • Add rule file_at_allow_exists to RHEL CIS profiles (#14137)
  • Add rules to check sshd drop in permissions to RHEL 10 CIS 5.1.1 (#14063)
  • Add rules to RHEL 10 CIS 7.1.10 (#14064)
  • Add SRG to SSSD package and service rules (#13872)
  • automate controls regarding maxseq in RHEL 8 and 9 CIS (#14135)
  • Ensure that all rules in RHEL ANSSI have references (#13867)
  • Fix bug in gdm banner deregexify (#14092)
  • Fix crypto policy settings in RHEL CIS profiles (#14120)
  • Fix SLE15 pam tally2 rules (#14039)
  • Move ISM O references to the control file (#13922)
  • On RHEL for library dirs rules only check *.so files (#13921)
  • Refresh CIS Control File for RHEL10 release 1.0 (#13870)
  • RHEL 9 STIG: align login timeout with the STIG policy (#13830)
  • SLE15 iptables service rules related fixes (#13896)
  • small fixes to ensure_logrotate_activated (#14013)
  • sysctl_kernel_exec_shield: make applicable only on x86_64 (#14115)
  • Update ccn profile for OL9 (#14123)
  • Update e8 and ism_o profiles for OL8 (#14107)
  • Update hipaa profile for OL9 (#14124)
  • Update OL8 profiles (#13986)
  • Update OL9 profiles (#13973)
  • Update ospp profile for OL8 (#14106)
  • Update STIG for RHEL 9 to allow for FIPS:STIG (#13834)
  • Use platform specific audit binaries (#13786)

Removed Products

Changes in Remediations

  • [stabilization] Prevent Ansible fail in check mode (#14170)
  • Add changed_when and check_mode keys (#13996)
  • Add support for file_group_ownership_var_log_audit in SLE platform (#13804)
  • Fix aide periodic check remediation for sle15/sle16 (#14121)
  • Fix linux disable network sniffer ansible syntax for non-standard interfaces (#14076)
  • Fix some ansible remediation jinja substitution and remove obsolete code from ensure_redhat_gpgkey_installed (#13931)
  • Improve ansible remediation of configure_crypto_policy (#13932)
  • Make Ansible file_existence template idempotent (#13952)
  • Make Ansible in account_password_selinux_faillock_dir idempotent (#14002)
  • Make Ansible in accounts_passwords_pam_faillock_dir idempotent (#14005)
  • Make Ansible in aide_build_database idempotent (#13944)
  • Make Ansible in audit_rules_immutable idempotent (#13950)
  • Make Ansible in dconf_db_up_to_date idempotent (#13997)
  • Make Ansible in dconf_gnome_screensaver_lock_enabled idempotent (#13998)
  • Make Ansible in dconf_ini_file idempotent (#13978)
  • Make Ansible in file_etc_security_opasswd idempotent (#13958)
  • Make Ansible in file_groupownership_system_commands_dirs idempotent (#13971)
  • Make Ansible in fips_custom_stig_sub_policy idempotent (#13945)
  • Make Ansible in GRUB rules idempotent (#13957)
  • Make Ansible in grub2_argument_absent template idempotent (#13976)
  • Make Ansible in SELinux rules idempotent (#13963)
  • Make Ansible in sshd_lineinfile template idempotent (#14006)
  • Make Ansible in sysctl_kernel_core_pattern_empty_string idempotent (#14021)
  • Make Ansible in the sysctl template idempotent (#14004)
  • Make Ansible Tasks in GRUB rules idempotent (#13927)
  • Make Ansible Tasks in postfix rules idempotent (#13930)
  • Make hardening crypto policies by Ansible idempotent (#14001)
  • Make sure ansible task is properly executed when no variable is defined (#13970)
  • Only run dconf when there is an actual change in previous tasks for dconf gnome ansible remediations (#13933)
  • Prevent Ansible errors in accounts_user_dot_user_ownership (#13955)
  • Remove custom Ansible remediation from service_pcscd_enabled (#13926)
  • Remove Jinja from when statement (#13993)
  • replacing systemd_service with systemd in system_enabled_guard_var (#14058)
  • Rework Ansible remediation in accounts_umask_interactive_users (#13934)
  • Rewrite Ansible remediation in accounts_user_dot_group_ownership (#13943)
  • Rewrite Ansible remediation in accounts_user_dot_user_ownership (#13941)
  • SLE15 directory permissions and file ownership rules for var log audit (#13862)
  • SLE15 iptables service rules related fixes (#13896)
  • SLE15 pam faillock related fixes (#13876)
  • SLE16 enable aide and display_login rules (#14046)
  • SLE16 enable selinux and grub rules (#14045)
  • Sle16 fix rsyslog remote loghost (#14032)
  • Sle16 restrict serial port logins (#14040)
  • small fixes to ensure_logrotate_activated (#14013)
  • Update account_password_* behavior for OL to support only new releases (#13838)
  • Update accounts_password_pam_pwquality_retry for OL STIG (#13811)

Changes in Checks

  • Add support for file_group_ownership_var_log_audit in SLE platform (#13804)
  • Add test scenario to cover case where user has nologin defined in usr (#13994)
  • Changing regex for aide.db file to support absolute path (#13915)
  • Fix macro 'create_interactive_users_list_object' to also ignore users having /usr/sbin/nologin shell (#13962)
  • shared: macros: oval: Fix evr datatype for dpkg-based distros (#13900)
  • SLE15 directory permissions and file ownership rules for var log audit (#13862)
  • SLE15 pam faillock related fixes (#13876)
  • SLE16 enable aide and display_login rules (#14046)
  • Sle16 restrict serial port logins (#14040)
  • Update account_password_* behavior for OL to support only new releases (#13838)

Changes in the Infrastructure

  • Add more ruff checks (#14000)
  • Add per product control files (#14060)
  • Add Ruff to the project and CI (#13810)
  • Bump to 0.1.79 (#13815)
  • Fix add-cce option in fix_rules.py when the "identifiers" section in rule.yml is missing (#13956)
  • Move target_oval_version to product_properties (#13966)
  • Remove all codecs.open (#14062)
  • Update Install VM Script (#13824)

Changes in the Test Suite

  • Add a fedora-cis sanity test using Packit / Testing Farm (#13903)
  • Fix tests for no_dirs_unowned_by_root (#13999)
  • Renaming test for accounts_root_gid_zero (#14129)
  • service_systemd-journald_enabled: add specific test scenario (#14096)
  • Unmask all avahi (#13942)
  • Update test scenario to make sure there is no compliant state (#14007)

Documentation

  • Add all modules to ssg module docs (#14061)
  • Remove outdated Code Climate references (#14100)

Fixed Bugs

  • Add multiline support for RainerScript action detection in rsyslog_remote_loghost rule (#14057)
  • Add rule sshd_disable_forwarding to RHEL 8 and 9 CIS (#14103)
  • Adding rules for /etc/hostname and NetworkManager auditd monitoring (#14008)
  • Detect non-existent PATH directories in RHEL 9 CIS (#13991)
  • Fix bsi conflicts (#13846)
  • Fix crypto policy settings in RHEL CIS profiles (#14120)
  • fix: ol in product to ol in families (#14029)
  • Introduce template audit_rules_kernel_module_loading (#14024)
  • Make rule enable_authselect notapplicable in containers (#13992)
  • Make sure ansible task is properly executed when no variable is defined (#13970)
  • RHEL 9 STIG: align login timeout with the STIG policy (#13830)
  • shared: macros: oval: Fix evr datatype for dpkg-based distros (#13900)
  • small fixes to ensure_logrotate_activated (#14013)
