
SCAP Security Guide 0.1.29 Release Notes

iankko released this 25 Apr 15:56

Highlights (in the order the changes have been merged):

  • Numerous STIG profile enhancements for the Red Hat Enterprise Linux 7 product,
  • The produced benchmark for the Red Hat Enterprise Linux 6 product now passes the NIST SCAP Content Validation Tool 1.2.1.14 requirements,
  • Plenty of new OVAL checks have been implemented for the Red Hat Enterprise Linux 7 product,
  • A substantial effort has been put into converting the existing SCAP content for the JBoss EAP v5 and JBoss Fuse v6 products to the format expected of a regular SCAP Security Guide product,
  • Numerous other XCCDF, OVAL, and remediation script enhancements and bug fixes (see below for more concrete details)

Enhancements:

XCCDF changes / enhancements:

  • [Enhancement] [Fedora] Added Fedora standard profile
  • [Enhancement][Fedora] Add Xorg service XCCDF content
  • [Enhancement] [Debian/8] starting sysctl integration in XCCDF: execution restriction
  • [Enhancement] [Debian/8] add fs-specific sysctl hardening to XCCDF. Updated XCCDF partitioning structure
  • [Enhancement] [Debian/8] add missing anssi references for ntp
  • [Enhancement] [Debian/8] New sysctl_kernel_kptr_restrict rule
  • [Enhancement] [RHEL/6] Per request in https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c8 and https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c9, update the title of the RHEL/6 CNSS profile to be more descriptive
  • [BugFix] [RHEL/7] [Fedora] Replace '/etc/grub.conf' with '/etc/default/grub' in RHEL-7 and Fedora XCCDF
  • [BugFix] [RHEL/6] Fix DISA CCI mapping for accounts_password_pam_dcredit rule
  • [Enhancement] [RHEL/6] Added CCE to package_setroubleshoot_removed
  • [Enhancement] [RHEL/6] Added CCE to package_mcstrans_removed
  • [Enhancement] [RHEL/6] Added CCE to package_telnet_removed
  • [Enhancement] [RHEL/6] Added CCE to package_rsh_removed
  • [Enhancement] [RHEL/6] Added CCE to package_ypbind_removed
  • [Enhancement] [RHEL/6] Added CCE to package_tftp_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk-server_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk_removed
  • [Enhancement] [RHEL/6] Updated C2S profile (Mapped package_talk-server_removed, package_talk_removed)
  • [Enhancement] Update RHEL6/7 guide.xml with compute node CPE
  • [BugFix] [RHEL/7] [Issue #995] Update var_accounts_max_concurrent_login_sessions to 10 (to meet DoD STIG guidance)
  • [Enhancement][Bugfix][Fedora] Update yum XCCDF and OVAL references to dnf
  • [BugFix] [RHEL/7] Fixed socket-disable-macro for rsh and rlogin
  • [BugFix] [RHEL/6] Added to the system
  • [BugFix] Added a description to vsftpd Group in RHEL6 and RHEL7 content
  • [BugFix] [RHEL/6] [RHEL/7] Added description to ftp_use_vsftpd Group
  • [Enhancement] [RHEL/7] Various STIG profile changes:
    • STIG updates to RPM verify
    • STIG updates to rhel7/rpm_verify_hashes
    • STIG updates to rhel7/accounts_password_pam_lcredit
    • STIG updates to rhel7/accounts_password_pam_dcredit
    • add severity to accounts_password_pam_dcredit
    • STIG update to rhel7/accounts_password_pam_ocredit
    • STIG update to rhel7/accounts_password_pam_difok
    • STIG update to rhel7/accounts_maximum_age_login_defs
    • removing var_password_pam_minlen from STIG profile, inherited from OSPP
    • STIG update for rhel7/accounts_password_pam_minlen
    • STIG update RHEL7/sysctl_net_ipv4_conf_all_accept_source_route
    • STIG update for rhel7/sysctl_net_ipv4_tcp_syncookies
    • STIG update for rhel7/sshd_do_not_permit_user_env
    • STIG update rhel7/nis
    • STIG update for rhel7/rsh-server
    • STIG update for rhel7/package_telnet-server_removed
    • STIG update for rhel7/tftp
    • STIG update for rhel7/banner_etc_issue
    • STIG updates for rhel7/accounts_password_pam_minclass
    • STIG updates to rhel7/package_screen_installed
    • STIG update to rhel7/crypt_style
    • STIG update for rhel7/accounts_minimum_age_login_defs
    • Add gid_passwd_group_same to RHEL7 STIG
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • Removing RHEL7 duplicate rules from STIG profile
    • assign DISA refs to accounts_password_pam_unix_remember
    • assign RHEL-07-010260 to no_empty_passwords
    • add account_disable_post_pw_expiration to STIG profile, assign DISA refs
    • Assign DISA FSO provided policy references
    • STIG update for RHEL/7 snmpd_not_default_password
    • STIG update RHEL7 add missing CCEs for #1140 and #1138
    • STIG update for RHEL7 for sshd_allow_only_protocol2
    • STIG update for RHEL7 for sshd_use_approved_macs
    • STIG update for RHEL7 firewalld and tcp_wrappers
    • STIG update for RHEL7 xorg settings
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • STIG update for RHEL7 SSH key permissions (Add XCCDF and OVAL for SSH Server private and public key permissions)
    • STIG update RHEL7 ssh keys
    • STIG update for RHEL7 various SSH settings (Add new SSH XCCDF and OVAL content)
    • STIG update for RHEL7 ipv6.conf.all.accept_source_route (Add new XCCDF and OVAL content for net.ipv6.conf.all.accept_source_route)
    • Add SSH key file perm checks to OSPP profile
    • STIG update RHEL7 add ipv6 accept_source_route to STIG profile
    • STIG update RHEL7 add ssh settings to STIG profile
    • STIG update for RHEL7 quagga service (Add new XCCDF, OVAL, and remediation content for quagga routing)
    • STIG update RHEL7 quagga routing service
    • STIG update RHEL7 IPSec approved tunnel connections (Add new XCCDF for checking for IPSec-approved tunnels, Update severity level for package_libreswan_installed Rule)
    • STIG update RHEL7 add NFS share server/client security (Add new XCCDF and OVAL for NFS server/client Kerberos settings)
    • CCE-27594-1 to package_quagga_removed
    • CCE for service_zebra_disabled
    • CCE for use_kerberos_security_all_exports
    • CCE for mount_option_krb_sec_remote_filesystems
    • CCE for file_permissions_sshd_pub_key
    • CCE for file_permissions_sshd_private_key
    • CCE for sysctl_net_ipv4_conf_all_accept_source_route
    • CCE for disable_ctrlaltdel_reboot
    • CCE for service_autofs_disabled
    • CCE for sysctl_net_ipv4_tcp_syncookies
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update RHEL7 KDUMP service
    • STIG update RHEL7 separate partitions
    • update policy refs and xccdf for dconf_gnome_banner_enabled
    • Update language for rhel7/dconf_gnome_screensaver_lock_enabled
    • updating GNOME banner rules
    • update OCIL for dconf_gnome_screensaver_idle_delay
    • update rationale for accounts_password_pam_ucredit
    • removed duplicate rules from STIG profile, already present in OSPP
    • removed ucredit from STIG, present in OSPP
    • update severity and profile placement of dcredit rules
    • update refine value of var_password_pam_difok to 8
    • update OCIL for accounts_password_pam_maxrepeat
    • update password hashing, add to NIAP profile
    • move set_password_hashing_algorithm_logindefs from STIG to OSPP profile
    • move PASS_MAX_DAYS from STIG to OSPP
    • update OCIL for accounts_password_pam_unix_remember
    • update OCIL for accounts_password_pam_minlen
    • update rationale for no_empty_passwords
    • add dconf_gnome_screensaver_idle_activation_enabled to stig, update prose
    • update account_disable_post_pw_expiration prose and variable refinement
    • update sshd_disable_empty_passwords mappings
    • updates to disable_host_auth
    • update to ensure_gpgcheck_globally_activated prose, remove duplicate selector from STIG profile
    • update telnet prose
    • update prose for accounts_max_concurrent_login_sessions
    • updates to sshd_do_not_permit_user_env
    • Fix NIST references for disk_partitioning
    • Assign various CCEs to RHEL7 STIG rules
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update for McAfee content
    • Add in SELinux vs HBSS warning
    • Use chkconfig for nails service check rather than systemctl
    • STIG update RHEL7 additional SSH settings
    • Fix OS SRG typos and enhance some SSH titles
    • STIG update RHEL7 add gdm settings
    • Fix GDM content to use correct case
    • Add set_password_hashing_algorithm_systemauth to STIG
    • rationale update to rhel7/service_auditd_enabled
    • severity and rationale updates to file_ownership_var_log_audit
    • rationale and reference updates to rhel7/audit_rules_privileged_commands
    • policy ref and severity updates to rhel7/audit_rules_unsuccessful_file_modification
    • update policy refs for rhel7/audit_rules_login_events
    • STIG policy ref updates to rhel7/audit_rules_media_export
    • update rhel7/audit_rules_kernel_module_loading refs, remove duplicate entry from STIG profile
    • ref updates to rhel7/audit_rules_file_deletion_events, remove dupe from STIG profile
    • sshd_use_approved_ciphers rationale updates
    • [Enhancement][RHEL/7] Update dconf gnome settings
    • update references for rhel7/accounts_tmout
    • update STIG ID for audit_rules_usergroup_modification
    • add libreswan_approved_tunnels to STIG profile
    • fixed OCIL on file_permissions_sshd_private_key
    • reference swap for tftp
    • update with send_redirects
    • add /tmp requirement to STIG
    • update for audit partition
    • update for var partition
    • update for home partition
    • add file_permissions_ungroupowned to ospp
  • [Bugfix][Fuse/6] fix OCIL grammar
  • [BugFix] [RHEL/7] Fix xorg.xml description grammar
  • [Enhancement][RHEL/7] Move GNOME XCCDF content into its own gnome.xml XCCDF file

OVAL check changes / enhancements:

  • [Enhancement] [RHEL/7] New OVAL for kernel_module_cramfs_disabled, kernel_module_freevxfs_disabled, kernel_module_hfs_disabled, kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled,
    kernel_module_squashfs_disabled, and kernel_module_udf_disabled rules,
  • [Enhancement] [RHEL/7] New OVAL for dir_perms_etc_httpd_conf, dir_perms_var_log_httpd, dir_perms_world_writable_sticky_bits, dir_perms_world_writable_system_owned, file_permissions_httpd_server_conf_files, file_permissions_unauthorized_world_writable, file_permissions_ungroupowned, no_files_unowned_by_user, and root_path_no_dot rules
  • [Enhancement] [RHEL/7] New OVAL for cups_disable_browsing, cups_disable_printserver, dovecot_disable_plaintext_auth, dovecot_enable_ssl, ldap_client_start_tls, ldap_client_tls_cacertpath, logwatch_configured_hostlimit, logwatch_configured_splithosts, service_dovecot_disabled, package_openldap_removed, package_samba-common_removed, postfix_network_listening_disabled, postfix_server_banner, require_smb_client_signing, rsyslog_nolisten, and tftpd_uses_secure_mode rules,
  • [Enhancement] [RHEL/5] New OVAL for service_dovecot_disabled and service_postfix_enabled rules,
  • [BugFix] [shared] httpd permission check updates and fixes (Make sure that httpd permission OVAL content check if the httpd package is installed, Fix httpd .conf file permission check),
  • [Enhancement][RHEL/7] Add RHEL7 Mount OVAL checks
    • mount_option_nodev_nonroot_local_partitions,
    • mount_option_nodev_remote_filesystems,
    • mount_option_nodev_removable_partitions,
    • mount_option_noexec_removable_partitions,
    • mount_option_nosuid_remote_filesystems,
    • mount_option_nosuid_removable_partitions,
    • mount_option_smb_client_signing, and
    • mount_option_tmp_noexec,
  • [BugFix] file_permissions_httpd_server_conf_files - Fix http conf file permission check,
  • [BugFix] dir_perms_etc_httpd_conf - Fix /etc/httpd/conf dir permissions check,
  • [Enhancement][RHEL/7] New OVAL for sysctl_fs_suid_dumpable rule,
  • [Enhancement][RHEL/7] New OVAL for network_disable_zeroconf, network_ipv6_default_gateway,
    network_ipv6_disable_rpc, network_ipv6_privacy_extensions, network_ipv6_static_address,
    network_sniffer_disabled, and wireless_disable_interfaces rules
  • [BugFix] [RHEL/7] LDAP OVAL checks -- Use /etc/nslcd.conf instead of /etc/openldap/ldap.conf,
  • [BugFix][RHEL/7] Fix disable ipv6 in kernel regression,
  • [Enhancement][Fedora][RHEL/7] Add xwindows multi-user.target check for non-graphical runlevel,
  • [Enhancement] Enable xwindows_runlevel_setting for oval 5.11 and greater
  • [BugFix] [RHEL/7] Update network_ipv6 OVAL checks (Update network_ipv6_default_gateway, network_ipv6_privacy_extensions, and network_ipv6_static_address OVAL checks to use the sysctl_kernel_ipv6_disable OVAL check, as using modprobe to disable IPv6 is no longer valid)
  • [BugFix] [Debian/8] updated yum-specific informational text to apt-get for Debian
  • [Enhancement] [Debian/8] add support for sysctl in deb8 oval template
  • [Enhancement] [Debian/8] New OVAL for sysctl_fs_protected_symlinks, sysctl_fs_protected_hardlinks,
    sysctl_fs_suid_dumpable, and sysctl_kernel_randomize_va_space rules
  • [Enhancement] [RHEL/7] [Fedora] New OVAL for 'bootloader_nousb_argument' rule
  • [Enhancement][RHEL/7] Add firewalld_sshd_disabled check and enable RHEL7 make validate
  • [BugFix] [Infrastructure] Replace separate Fedora and RHEL-7 OVALs for the chronyd_specify_multiple_servers.xml rule with a shared one from shared/oval/oval_5.11
  • [BugFix] [Infrastructure] Replace Fedora and RHEL-7 specific OVALs for the "chronyd_specify_remote_server.xml" rule with one shared OVAL from the shared/oval/oval_5.11 directory
  • [BugFix] [Infrastructure] Split shared OVAL for the 'ntpd_specify_multiple_servers' rule into two separate RHEL/6 and RHEL/7 OVALs
  • [BugFix] [Infrastructure] Split shared OVAL for 'ntpd_specify_remote_server' into separate RHEL-6 and RHEL-7 versions
  • [Enhancement] [RHEL/6] Adding missing C2S rules in RHEL for Section 3
  • [Enhancement] [RHEL/7] Add missing kernel.randomize_va_space OVAL check
  • [Bugfix] Fix aide OVAL expression to allow entries after --check
  • [shared] bootloader_audit_argument rule: allow audit=1 to be matched on GRUB_CMDLINE_LINUX_DEFAULT
  • [BugFix] [RHEL/7] service_nails_enabled OVAL check:
    • Update to list RHEL-7 (not to return 'notchecked' result),
    • Drop <extend_definition> dependency on 'package_nails_installed' (since this was just a result of generating the check from a template)
  • [Bugfix][RHEL/7] use_kerberos_security_all_exports.xml (Pass if /etc/exports does not contain an export)

New Remediations:

  • [Enhancement] [RHEL/7] [Fedora] New remediation for 'bootloader_nousb_argument' rule

Remediation fixes / other changes:

  • [BugFix] [RHEL/6] Fix multiple issues in 'smartcard_auth' remediation script for RHEL-6,
  • [Enhancement] [Debian/8] Start French ANSSI references integration,
  • [BugFix] [shared] Fix behaviour of 'perform_audit_rules_privileged_commands_remediation' helper remediation function,
  • [BugFix] [shared] Fix behaviour of 'package_command' remediation function (While on Fedora (after UsrMove Feature) the rpm is in /usr/bin/rpm and /bin/rpm, RHEL-6 systems have rpm utility only in /bin/rpm),
  • [Enhancement] [Debian/8] add support for ANSSI table reference build
  • [Enhancement] Update UMASK remediations (Moved RHEL6 accounts_umask_etc_bashrc.sh to shared, Created accounts_umask_etc_csh_cshrc.sh)
  • [Enhancement] Remediations for accounts_umask_etc_bashrc and accounts_umask_etc_csh_cshrc rules -- Update remediation platform tag to multi_platform_rhel
  • [Enhancement] Update kickstarts with static IP references
  • [Enhancement][Firefox] Use the new Firefox remediation functions
  • [Enhancement][Firefox] Add Firefox .js and .cfg functions to remediation_functions
  • [Bugfix] Send parenthesis to function for firefox_preferences-lock_settings_config_file.sh
  • [BugFix] Disable the unused "file digest differs" check when verifying with rpm (Checking whether the file digest differs forces a full-file scan, but in this case we are only interested in whether the mode differs.)
  • Quote the format variable to allow for spaces in the pattern
  • Use replace_or_append function to edit sshd_config

Build System Bug Fixes:

  • [BugFix] [Infrastructure] Fix failing [RHEL/7] 'make' on RHEL-6 system with openscap supporting just OVAL-5.10 (openscap-1.0.*) (2016-02-08)
  • [BugFix] [RHEL/7] Don't verify OVAL checks references for "service * enabled / disabled" OVAL checks in the case we are building RHEL/7 "make validate" target with openscap-1.0.x
  • [BugFix] [Infrastructure] Fix 'make content' target circular dependency issues in: Fedora/Makefile and Webmin/Makefile Fixes: #1118

Infrastructure:

  • [BugFix] shared/utils/enable-derivatives.py -- Fixed whitespace in the SL warning
  • [BugFix] [Infrastructure] Modify "count_oval_objects" helper script not to act on remotely referenced OVAL
  • [BugFix] [Infrastructure] shared/utils/count_oval_objects.py helper
    Fix issues pointed out in:
  • [Update] [Infrastructure] Update the version of referenced PCI DSS PDF document (since latest version is v3.1 from April 2015)
  • [BugFix] [Infrastructure] shared/utils/count_oval_objects.py helper
    Fix issue from:
  • [BugFix] [RHEL/6] Point 'DISA FSO' RHEL-6 <rule_version> IDs to official URI of DISA FSO RHEL-6 STIG Zip archive instead of to http://cce.mitre.org
  • [BugFix] [RHEL/6] Per #1036 (comment) update the link to DISA FSO RHEL-6 rule IDS to be more universal (point to DISA STIGS OS unix-linux URI instead)
  • [BugFix] [RHEL/6] Add the xccdf:metadata element to RHEL/6 benchmark Fixes: #1041
  • [BugFix] [RHEL/6] Define also "cpe:/o:redhat:enterprise_linux:6::client" CPE as OVAL CPE item in RHEL-6 CPE dictionary Fixes: #1042
  • [BugFix] [Infrastructure] Fix the situation of having two 'multi_platform_rhel' OVAL checks for 'package_abrt_removed' in two different locations
  • [BugFix] [Infrastructure] Fix 'package_at_removed' OVAL check build system ambiguity
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_audit_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_bluez_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_chronyd_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_cronie_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_firewalld_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_iputils_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_nfs-utils_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_ntp_installed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_oddjob_removed' OVAL check
  • [BugFix] [Infrastructure] Fix build system ambiguity w.r.t. 'package_qpid-cpp-server_removed' OVAL check
  • [Enhancement] [Infrastructure] 'relabelids.py' helper script -- compare XCCDF ID for match with both OVAL and OCIL ID
  • [BugFix] [Infrastructure] Replace EXSLT date:date() function call with EXSLT date:date-time() which returns timestamp in the format of xs:dateTime (see http://exslt.org/date/functions/date-time/ )
  • [Infrastructure] shared/utils/verify-references.py helper script:
    • Replace 'ocil-transitional' check system in 'get_ovalfiles()' routine with official OCIL-2.0 check system,
    • When verifying that all XCCDF rules reference valid OVAL checks, skip elements having OCIL-2.0 as the check-system (since we are verifying sanity of XCCDF vs OVAL IDs here)
  • [BugFix] [Infrastructure] Create XCCDF and DataStream benchmark from intermediary XML having OCIL checks already expanded for official OCIL-2.0
    Fixes:
  • [Enhancement] [Infrastructure] Add RHEL6/7 Compute Node CPEs
  • [Enhancement] [Infrastructure] Be more explicit w.r.t. "$(OUT)/xccdf-unlinked-ocilrefs.xml" so the motivation behind the change is immediately clear (Update w.r.t. https://github.com/OpenSCAP/scap-security-guide/pull/1050#discussion_r53675404 )
  • [Enhancement] [Infrastructure] shared/transforms/relabelids.py helper: modify the output error message shown depending on whether the OVAL or the OCIL ID didn't match the XCCDF ID (Update per: #1050 (diff))
  • [Enhancement] Add new JBoss directory structure
  • [BugFix] [RHEL/6] Add "cpe:/o:redhat:enterprise_linux:6::computenode" xccdf:Platform definition into RHEL-6 CPE dictionary
  • [BugFix] Add "style=SCAP_1.1" attribute to produced XCCDF 1.1 SSG benchmarks and "style=SCAP_1.2" attribute to produced XCCDF 1.2 SSG benchmarks Fixes: #1059
  • [Bugfix][Firefox] Clean up directories and files (Remove unused templates, Standardize layout/files with existing RHEL structure)
  • [BugFix] [Firefox] Clean up Makefiles, Guides, and DISCLAIMER
  • [bugfix][infrastructure] Update make clean to remove unused content
  • [Enhancement] Build OpenStack OSP7 content as part of the build process
  • [Enhancement][JBoss/EAP5] Update JBoss EAP5 v2
    • Add empty JBoss STIG profile
    • Add guide.xml and guide.xslt
    • Create new JBoss XCCDF content structure broken out into groups
    • Break out groups into new xml files from eap5-xccdf.xml
  • [Enhancement][JBoss/Fuse] JBoss Fuse Enhancements
    • Add empty JBoss Fuse STIG profile
    • Add guide.xml and guide.xslt
    • Create new JBoss XCCDF content structure
    • Break out groups into new xml files from ssg-fuse6-xccdf.xml
  • [Enhancement][JBoss/EAP] Update eap5 CPE dictionary
  • Don't build the RPM by default when running make
  • [BugFix] [Infrastructure] For each XCCDF rule ID having a CCE element set, add the corresponding CCE identifier in the form of: also to the (not remote) OVAL check related to this XCCDF rule (not to a remote OVAL check referenced from that XCCDF rule) Fixes (majority of issues in): #1092
  • [BugFix] [Infrastructure] relabelids.py helper script -- during the process of creation of the XCCDF and OVAL documents: * ssg-$(PROD)-xccdf.xml, and * ssg-$(PROD)-oval.xml ensure every local OVAL definition referenced in XCCDF file is truly defined / implemented in the OVAL file. Drop the XCCDF's OVAL reference if not.
  • [Enhancement][Fuse/6] Finalize Fuse content to new format
  • [BugFix] Merge STIG and OSPP profile (STIG profile should inherit OSPP, and only included DoD-specific refinements (e.g. against future OSPP DoD Configuration Annex). Moved rules into RHEL7 OSPP profile that map directly to OSPP requirements, retained DoD-specific refinements in STIG profile),
  • [BugFix] [Infrastructure] Introduce new datastream_move_ocil_to_ds_checks.py SSG transformation as a temporary SSG workaround for the OpenSCAP bug: [1] OpenSCAP/openscap#364 when dealing with OCIL components in datastream format
  • [BugFix] [Infrastructure] Apply the newly introduced datastream_move_ocil_to_ds_checks.py transformation to various SSG products producing datastream format of the benchmark This is a workaround for:
    [1] OpenSCAP/openscap#364
  • [BugFix] [Infrastructure] Update datastream_move_ocil_to_ds_checks.py helper script so that "oscap ds sds-validate" succeeds
  • [BugFix] [Infrastructure] Add fix for issue #1096: #1096
  • [BugFix] [Infrastructure] Fixes for issues #1100 and #1101
  • [BugFix] [Infrastructure] Perform xccdf:Value 'type' to corresponding OVAL variable 'datatype' data export constraint verification. Also fix the 'type' attribute of those xccdf:Values where the content does not meet the constraint Fixes: #1089
  • [BugFix] [Infrastructure] Per #1191 set @schematron-version in produced datastreams from "1.0" to "1.2"
  • [BugFix] [Infrastructure] Update xccdf-ocilcheck2ref.xslt transformation to also remove xccdf:check-export OCIL elements of the form e.g.: '<xccdf:check-export export-name="no line is returned" value-id="conditional_clause"/>' since these were used only in the previous stage of the build to append the correct question to the particular OCIL element
  • [BugFix] [Infrastructure] Drop the "conditional_clause" xccdf:Value from the final XCCDF benchmark since it is required only to expand OCIL macros during the OCIL content build
  • [Enhancement][Fuse/6] Finalize Fuse content to new format
  • [BugFix] [Infrastructure] Fix for issue #1191
  • [BugFix][Infrastructure] Add quotes to '*.' in find command usage
  • [Blocker] [BugFix] [Infrastructure] [RHEL/7] use_kerberos_security_all_exports OVAL Drop useless dependency on "package_nfs-utils_removed" OVAL check Fixes: #1196
  • [BugFix] [RHEL/6] Fix XCCDF to OVAL data export constraints warnings: update the 'type' attribute on selected XCCDF:Values to quiet the XCCDF to OVAL data export constraints warnings for RHEL/6
  • [BugFix] [RHEL/6] [RHEL/7] Fix more XCCDF to OVAL data export constraints warnings
  • [BugFix] [RHEL/5] Fix XCCDF to OVAL data export constraint warning
  • [BugFix] Fix for issue #1206 (comment)
  • [BugFix] [Infrastructure] Specify correct OVAL datatype when passing 'var_accounts_tmout' variable to specific OVAL state
  • [BugFix] [Infrastructure] When populating shell variable into corresponding xccdf:Value in remediation scripts don't remove the inclusion of the remediation_functions library (because in the case there's also some other remediation function called besides populate() the resulting remediation script won't be functional)
    Fixes: #1075
    Fixes: #1075 (comment)
    Fixes: #1207 (comment)
  • [BugFix] Drop the duplicate inclusion of the remediation_functions library from the following remediation scripts:
    • selinux_policytype.sh
    • selinux_state.sh
  • [BugFix] [RHEL/7] Replace buggy implementation of accounts_passwords_pam_*.sh remediation scripts with use of SSG internal replace_or_append() remediation function
    Fixes: #1085
    (all the rules except "accounts_password_pam_retry" which needs slightly more testing => part of future PR)
    Fixes (downstream): https://bugzilla.redhat.com/show_bug.cgi?id=1309037
  • [BugFix] [Fedora] Fix for issue #1220: add missing XML sections into the Fedora guide to quiet the warning when issuing the "make content" target on Fedora. Use RHEL-7 prose by dropping CCE identifiers, elements, and replacing RHEL with Fedora (also updating selected links where appropriate / necessary) Fixes: #1220
  • [BugFix] [Infrastructure] Produce the resulting OCIL file with the filename in the form "ssg-$(PROD)-ocil.xml" rather than with the current 'ocil-ssg.xml' file
  • [Infrastructure] [Enhancement] Include the produced "ssg-$(PROD)-ocil.xml" OCIL file into the "dist" make target when generating SCAP content specific SSG products
  • [BugFix] [Webmin] Drop the "ssg-webmin-ocil.xml" from the "dist" target since for Webmin OCIL file isn't produced
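Several items above concern the XCCDF-to-OVAL data export constraint (an xccdf:Value's 'type' must be compatible with the 'datatype' of the OVAL external_variable it is exported to, otherwise validation warns). The script below is an added example, not part of the scap-security-guide build system or its relabelids.py transform; it checks that constraint on two constructed sample documents and reports the mismatch plus the XCCDF type that would resolve it. The compatibility table is an assumption condensed from the SCAP 1.2 export constraint rules.

```python
"""Check xccdf:Value 'type' against the OVAL 'datatype' it is exported to.

Added example, not SSG build code. Applies the SCAP 1.2 data export
constraint: a check-export may only feed an xccdf:Value into an OVAL
external_variable whose datatype is compatible with the Value's type.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Compatible OVAL datatypes per XCCDF Value type (assumption: condensed from
# the SCAP 1.2 export constraint table; SSG content mostly uses the first three).
COMPATIBLE = {
    "string": {"string", "evr_string", "version", "ipv4_address", "ipv6_address"},
    "number": {"int", "float"},
    "boolean": {"boolean"},
}

# Constructed sample (not SSG content): var_accounts_tmout is declared as a
# string but exported into an int OVAL variable, which is exactly the warning
# the release notes fix; var_password_pam_difok is consistent; var_missing is
# exported to an OVAL variable that is never defined.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_sample_benchmark">
  <Value id="xccdf_sample_value_var_accounts_tmout" type="string"><value>600</value></Value>
  <Value id="xccdf_sample_value_var_password_pam_difok" type="number"><value>8</value></Value>
  <Value id="xccdf_sample_value_var_missing"><value>x</value></Value>
  <Rule id="xccdf_sample_rule_accounts_tmout">
    <check system="{OVAL_NS}">
      <check-export export-name="oval:sample-var_accounts_tmout:var:1"
                    value-id="xccdf_sample_value_var_accounts_tmout"/>
      <check-export export-name="oval:sample-var_password_pam_difok:var:1"
                    value-id="xccdf_sample_value_var_password_pam_difok"/>
      <check-export export-name="oval:sample-var_missing:var:1"
                    value-id="xccdf_sample_value_var_missing"/>
      <check-content-ref href="ssg-sample-oval.xml" name="oval:sample-accounts_tmout:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

SAMPLE_OVAL = f"""<oval_definitions xmlns="{OVAL_NS}">
  <variables>
    <external_variable id="oval:sample-var_accounts_tmout:var:1" version="1"
                       datatype="int" comment="session timeout"/>
    <external_variable id="oval:sample-var_password_pam_difok:var:1" version="1"
                       datatype="int" comment="pam difok"/>
  </variables>
</oval_definitions>"""


def find_export_violations(xccdf_xml, oval_xml):
    """Return one dict per check-export whose XCCDF type and OVAL datatype disagree."""
    xccdf = ET.fromstring(xccdf_xml)
    oval = ET.fromstring(oval_xml)
    # XCCDF 1.2 defaults @type to "string" when the attribute is absent.
    value_types = {v.get("id"): v.get("type", "string")
                   for v in xccdf.iter(f"{{{XCCDF_NS}}}Value")}
    var_types = {v.get("id"): v.get("datatype")
                 for v in oval.iter(f"{{{OVAL_NS}}}external_variable")}
    violations = []
    for exp in xccdf.iter(f"{{{XCCDF_NS}}}check-export"):
        value_id, var_id = exp.get("value-id"), exp.get("export-name")
        xccdf_type = value_types.get(value_id, "string")
        oval_type = var_types.get(var_id)
        if oval_type is None:
            reason = "OVAL external_variable not defined"
        elif oval_type in COMPATIBLE.get(xccdf_type, set()):
            continue  # export satisfies the constraint
        else:
            reason = f"xccdf type '{xccdf_type}' cannot be exported to OVAL '{oval_type}'"
        violations.append({"value_id": value_id, "xccdf_type": xccdf_type,
                           "var_id": var_id, "oval_datatype": oval_type, "reason": reason})
    return violations


def suggested_xccdf_type(oval_datatype):
    """XCCDF Value type to set so that an export to the given OVAL datatype is valid."""
    for xccdf_type, datatypes in COMPATIBLE.items():
        if oval_datatype in datatypes:
            return xccdf_type
    return None  # no XCCDF type maps to this datatype (e.g. record)


if __name__ == "__main__":
    for v in find_export_violations(SAMPLE_XCCDF, SAMPLE_OVAL):
        fix = suggested_xccdf_type(v["oval_datatype"])
        print(f"{v['value_id']}: {v['reason']}" + (f' (set type="{fix}")' if fix else ""))
```

Run against a real ssg-<product>-xccdf.xml and ssg-<product>-oval.xml pair, the same function flags the Values whose 'type' attribute the build fixes, and the undefined-variable case corresponds to an OVAL reference that should be dropped rather than shipped.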