github PegaProx/project-pegaprox v0.9.8.1
v0.9.8.1 Beta – Audit-Grade Compliance PDFs, Hardening Fixes & Log Rotation

🏛️ Compliance Dashboard — Audit-Grade PDFs

The per-framework PDF download is fully restructured to look like a real audit deliverable rather than a CIS-style log dump.

  • Real framework control IDs mapped to PegaProx internal checks: CMMC L1 / L2 (NIST 800-171), NIST 800-53 Mod, DISA STIG (RHEL 9 / Ubuntu 22.04), ISO 27001:2022 Annex A, BSI IT-Grundschutz, VS-NfD. 47 internal controls × 7 frameworks. Mappings live in pegaprox/core/compliance_mapping.py and are served via GET /api/compliance/mapping.
  • Audit-style structure: Cover page → Disclaimer (now up front) → Executive Summary with posture rating (Substantially / Largely / Partially / Marginally / Non-Compliant) → Top Findings → Scope of Assessment → Methodology (Inquiry / Inspection / Re-performance / Evidence capture) → Findings Summary by Severity → Per-Node Coverage → Per-Family Detail → Appendix B Remediation Plan → Appendix C Evidence (live verbose re-fetch with check command + actual node output) → Appendix D Glossary.
  • Severity rating per control (high / medium / low / informational) and recommended remediation timeline (within 30 / 90 / 180 days), used to sort and prioritise the remediation appendix.
  • Operator handoff column "PegaProx control" matching the checkbox names in Settings → Compliance → Harden PVE Node, with an explicit operator note linking the report back to the Hardening UI.

🔧 Hardening — Bugfixes + Recovery Control

  • pw_quality now actually wires pam_pwquality.so into /etc/pam.d/common-password. The previous version only installed the package and wrote pwquality.conf, leaving the module unloaded.
  • pw_history stops adding use_authtok unless pam_pwquality.so is configured ahead of it in the stack — fixes the dreaded passwd: Authentication token manipulation error on every password change after applying the control.
  • New control: "Repair PAM password stack" (pam_password_repair) — one-click recovery for systems that already landed in the broken state. Detects, picks the right repair strategy (insert pwquality first, or strip use_authtok), backs up the original and is idempotent on healthy systems.
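
To make the recovery logic concrete, the following Python sketch (added here, not PegaProx's own pam_password_repair code) applies the same two strategies to a constructed common-password stack: it treats pam_pwquality.so as the only token provider, as the text above does, and the retry=3 argument on the inserted rule is an assumed default.

```python
"""Diagnose and repair a PAM password stack where use_authtok has no token
provider ahead of it. Illustrative code, not PegaProx's pam_password_repair."""
import re

PWQUALITY = "pam_pwquality.so"
# A bracketed control ([success=1 default=ignore]) contains a space, so the
# control field is matched as one unit rather than split on whitespace.
RULE_RE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")
# Rule inserted when pwquality is absent; retry=3 is an assumed default.
PWQUALITY_RULE = "password\trequisite\t\t\tpam_pwquality.so retry=3"
BROKEN_STACK = [
    "# constructed /etc/pam.d/common-password: use_authtok with no provider",
    "password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok yescrypt",
    "password\trequisite\t\t\tpam_deny.so",
    "password\trequired\t\t\tpam_permit.so",
]

def _parse(line):
    """Return (control, module, args) for a password rule, else None."""
    m = RULE_RE.match(line)
    return (m.group(1), m.group(2), m.group(3).split()) if m else None

def diagnose(lines):
    """('healthy', None), or ('broken', i) when rule i consumes use_authtok
    before any pam_pwquality.so rule has run (the health criterion above)."""
    seen_pwquality = False
    for i, line in enumerate(lines):
        rule = _parse(line)
        if rule is None:
            continue
        if rule[1] == PWQUALITY:
            seen_pwquality = True
        elif "use_authtok" in rule[2] and not seen_pwquality:
            return "broken", i
    return "healthy", None

def repair(lines, pwquality_installed=True):
    """Return (strategy, lines); a healthy stack comes back unchanged."""
    status, idx = diagnose(lines)
    if status == "healthy":
        return "none", list(lines)
    if pwquality_installed:  # strategy 1: put the token provider first
        return "insert_pwquality", lines[:idx] + [PWQUALITY_RULE] + lines[idx:]
    fixed = []  # strategy 2: no provider available, so stop demanding a token
    for line in lines:
        rule = _parse(line)
        if rule and "use_authtok" in rule[2]:
            line = re.sub(r"\s+use_authtok\b", "", line)
        fixed.append(line)
    return "strip_use_authtok", fixed
```

Running repair twice returns strategy "none" the second time, which is the idempotency property the control relies on.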

📋 Logging

  • Per-cluster operational log capped at 3h of writes via the new utils/log_handler.CappedTimedFileHandler — bounded disk use even on busy 20+-node clusters that produce ~100 MB/h. Audit log retention is on a separate pipeline and not affected. Closes #345 and #348.
  • SSH error logging now shows the actual stderr line (e.g. Permission denied (publickey,password), Connection refused, sudo: not found) instead of the SSH banner-padding asterisks. The previous stderr[:200] truncation was consumed entirely by the AUP banner's top border before it ever reached the real error line.

🐛 Other Fixes

  • Modern Layout — Re-configure Cluster icon now works (#346). The setReconfigureCluster setter was never passed into the ClusterSidebarItem component, so clicking the gear icon raised a silent ReferenceError. Corporate Layout was unaffected.
  • Manifest carry-over (#344): webauthn.py, metrics_exporter.py, ssh_pool.py and webhooks.py are properly registered in update_files so incremental updaters from 0.9.7 → 0.9.8 don't bail with ModuleNotFoundError.

💎 Sponsors

Massive thanks to our Platinum Sponsor 🏆 netwolk GmbH — your support keeps this project going and directly funds ongoing PegaProx development.

Welcome to our newest Silver Sponsor 🥈 uvensys GmbH — added in this release.

Interested in sponsoring? → pegaprox.com/#sponsor | sponsor@pegaprox.com | opencollective.com/pegaprox

💬 Community

Join the Discord: https://discord.gg/AJPf3H62QW

Full Changelog: v0.9.8...v0.9.8.1