
Releases: ComplianceAsCode/content

SCAP Security Guide 0.1.35 Release Notes

29 Aug 14:40

Highlights

  • Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
  • Added several templates for OVAL checks
  • Removal of input directory
  • Many optimizations in build process
  • Different title for PCI-DSS Benchmark variants

Profile

  • [Bugfix] Refix selector for var_time_service_set_maxpoll
  • [Bugfix] Fix selector for var_time_service_set_maxpoll
  • [Bugfix] Removed extra whitespace around RHEL6 STIG profile titles
  • updated profiles to properly use description override
  • [Bugfix] update profiles to accept either DoD banner
  • [Bugfix] Fix refined value typo in RHEL6 FISMA profile

XCCDF

  • [Enhancement] Add firewalld and LDAP checks
  • [Bugfix] Fix for Issue 2264
  • [Bugfix] update ntpd maxpoll to align with DISA
  • [Bugfix] update severity of RHEL-07-021350 (fips=1) to HIGH to align w/DISA
  • [Bugfix] Add variable for dconf_gnome_screensaver_lock_delay
  • [Bugfix] Maxpoll should be set if chronyd is in use
  • Add dod_banners option to banner_login_text
  • [Bugfix][Enhancement] Package firewalld installed
  • [Bugfix] Use profile variable settings for login.defs to clear up scan results confusion
  • STIG Updates
  • RHEL-07-040460 - UsePrivilegeSeparation sandbox
  • [Bugfix] CCE for insmod auditing

OVAL

  • [Bugfix] change to also check inside of /etc/security/limits.d to verify core …
  • [Bugfix] Check if SSH keys are present before validating file permissions
  • [Bugfix] Update accounts_passwords_pam_faillock_deny to handle line skipping
  • [Bugfix] Check if aide is installed in OVAL and remediation scripts

Remediations

  • [Bugfix] Fixing issue 2205
  • [Bugfix] Ansible branch for issue 2205 RHEL 7.3 error: rpm_verify_permissi..
  • [Bugfix] re-enable remediation for net.ipv6.conf.all.disable_ipv6 = 1
  • [Ansible] ansible: account_disable_post_pw_expiration
  • Ansible accounts umask etc login defs
  • [Ansible] ansible: sssd_*
  • [Enhancement] dconf_gnome_screensaver_* ansible scripts
  • [Enhancement] GDM ansible scripts
  • [Enhancement] Set rsyslog_remote_loghost_address to default value "logcollector"
  • [Ansible] Creates file_permissions_* ANSIBLE remediation
  • [Ansible] Creates file_owner_* ANSIBLE remediation
  • [Ansible] ansible: dconf_gnome_disable_*
  • [Enhancement] Creates file_groupowner_* Ansible remediation
  • [Bugfix] Removes silent from the pam.d deny_root search/replace pattern
  • [Bugfix] fix audit syscall rule sed needs an escape character to properly run
  • [Bugfix] Adding update to fix_audit_syscall_rule to not use slashes
  • [Ansible] Creates audit_rules_privileged_commands ANSIBLE remediation
  • Disable remediation for "repo_gpgcheck=1"
  • Additional Ansible Scripts
  • [Bugfix] remove nullok, handle links
  • [Ansible][Enhancement] Firewalld ansible fixes
  • [Ansible][Enhancement] [ansible] security_patches_up_to_date

Infrastructure

  • Update Fedora CPEs
  • update manpage to have --oval-results in example
  • Removes platform column from file_groupowner csv
  • [Bugfix] add container_build to gitignore
  • [Enhancement] Add "PCI-DSS variant" suffix to every title of the PCI-DSS benchmark
  • [Enhancement] Remove input directory
  • [Enhancement] docs: How to create stig_overlay.xml
  • [Ansible][Enhancement] Creates templates for audit_rules_execution OVAL checks, BASH and ANSIBLE remediations
  • [Bugfix] Functions use return, "exit" exits whole script
  • [Bugfix][Infrastructure] Don't generate roles for empty profiles
  • Minor idtranslate fixes
  • [Bugfix][Enhancement] Minor PEP8 fixes in map_product_module.py
  • Skip non-bash remediation function script files
  • [Bugfix] Rebuild PCI-DSS XCCDF benchmark if the script or PCI-DSS ID json change.
  • [Bugfix] Use str.replace instead of re.sub in create_audit_rules_..
  • [Enhancement][Infrastructure] Creates template for audit_rules_usergroup_modification OVAL checks
  • [Ansible][Infrastructure] Template for audit_rules_privileged_commands
  • [Enhancement] Check that a trimmed key is not part of the result string after template sub
  • Creates template for audit_rules_login_events OVAL checks and BASH remediations
  • [Bugfix] Evaluate sed command
  • Creates template for audit_rules_file_deletion_events OVAL and BASH
  • [Bugfix] Fixed the variable substitution in template_OVAL_permissions
  • Creates template for audit_rules_unsuccessful_file_modification OVAL and BASH
  • Sorts the output of option --missing-fix in profile-stats.py
  • Fixes bug in relabel-ids.py regarding missing OVAL definitions
  • Adds CMakeLists.txt.user to .gitignore
  • [Bugfix][Infrastructure] %VAR% for template replace, @var@ for build system replace
  • [Bugfix] Dockerfile fixes
  • [Infrastructure] Updates python shebangs for virtualenv support.
  • [Infrastructure] Pci dss cjis ansible tags
  • [Infrastructure] Only consider PCI-DSS related rules when constructing the PCI-DSS tree
  • [Infrastructure] Ansible tags improvements
  • [Enhancement][Infrastructure] Minor speedups in templates
  • [Enhancement][Infrastructure] Minor cmake improvements
  • [Enhancement][Infrastructure] Version bump
  • [Bugfix][Enhancement][Infrastructure] Improved OVAL and OCIL generator elements
  • [Bugfix][Infrastructure] Combine ovals namespace fixes
  • [Bugfix] Pass the correct variable to the template in create services disabled
  • [Infrastructure] Make schematron OVAL validation optional but still default it to true (build time optimization)
  • [Infrastructure] Very minor optimization in srgmap XSLT (build time optimization)
  • [Infrastructure] Make SSG build more portable
  • [Bugfix][Disa Content Issues] Include AIDE installed in the STIG profile for RHEL7
  • [Infrastructure] Make stats
  • [Infrastructure] Generate roles from xccdf
  • [Infrastructure] Don't list templating file outputs as explicit deps for the targets (build time optimization)

SCAP Security Guide 0.1.34 Release Notes

29 Jun 18:34

Highlights

  • Unification of where templates and csv reside
  • Optimization and clean up of build system
  • Lots of Ansible remediations added
  • Bash remediation functions file is now generated by build system

Profile

  • [Bugfix] Remove RHEL STIG in Debian content
  • fixed typo in OSPP profile
  • [Bugfix] Updating STIG References for RHEL7
  • [Enhancement] Add SUSE11 stig_overlay.xml
  • [Bugfix] Use @OverRide for NIST 800 171 CUI profile

XCCDF

  • [Bugfix] Fix typo in mount_option_home_nosuid
  • [Enhancement] Add 'requires' and 'conflicts' to Rules and Groups in XCCDF XSLT templates
  • [Enhancement] Move OpenStack XCCDF to shared XCCDF
  • add support for NT28(R5) for Debian & Ubuntu
  • [Enhancement] Update SUSE11 and 12 XCCDF content to use shared XCCDF content
  • Fixed some SSSD related references
  • Fix more redhat guide links
  • [Bugfix] Update link to RHEL SysAdmin Guide - GRUB2 PW protection

OVAL

  • [Bugfix] Fix Webmin OVAL content by removing unnecessary definition check
  • [Bugfix] Check pam_retry OVAL check for cracklib configuration only for OS versions under 7
  • [Bugfix] Handle new Oracle JRE RPM naming scheme
  • [Bugfix] Fix prelink OVAL check
  • [Bugfix] Remove EAP5 references in EAP6 content and add temp OVAL file for builds to pass
  • [Enhancement] Provide a comment for network_sniffer_disabled
  • [Bugfix] Added OVALs for SSSD in RHEL6
  • [Bugfix] Fix accounts_have_homedir_login_defs false positive

Remediations

  • Initial work on audit_rules_dac_modification templating
  • [Bugfix] Fix remediation of commented line of account_disable_post_pw_expiration
  • [Enhancement] Update disable post password expiration remediation
  • Added ansible fix for rsyslog_remote_loghost
  • [Enhancement] Use templates for ANACONDA mount options remediation scripts
  • Added an ansible remediation for sshd print last log
  • Added ansible remediation for accounts_logon_fail_delay
  • Added missing file name needed for checking if aide fix is already done
  • [Bugfix] Make the aide_periodic_cron_checking bash remediation idempotent
  • [Bugfix] RHBZ#1461330: Add Anaconda remediation for rule "smartcard_auth"
  • [Enhancement] SELinux booleans bash and ansible remediation coverage
  • [Enhancement] Do not use jinja separators in when statements in ansible
  • [Bugfix] Fixed unterminated quotes in approved MACs ansible remediation
  • Few more ansible
  • [Infrastructure] Generate remediation functions
  • Fixing sed confusion for auditd remediation template
  • [Enhancement] Ansible coverage for sysctl remediations
  • Shared templates that are applicable everywhere should be marked as such
  • [Enhancement] Ansible coverage of accounts password
  • [Bugfix] Fix errors in audit remediation bash scripts
  • [Bugfix] Fix no rsh trust files bash remediation
  • SSH Ansible Content
  • [Bugfix] Fix typo in ANACONDA static templates
  • [Bugfix] Use double dash instead of a single dash in ANACONDA remediation temp…
  • Ansible RHEL7 scripts to shared/

Infrastructure

  • [Infrastructure] Import template generators (build time optimization)
  • [Infrastructure] Sds move ocils optimization (build time optimization)
  • [Infrastructure] Use element id cache instead of O(n^2) in combine-ovals.py (build time optimization)
  • [Infrastructure] Use xmllint nsclean (build time optimization)
  • [Infrastructure] Make build easier, improve error messages
  • [Bugfix] Evaluate $sed_command
  • [Bugfix] Remove multi-mount option capabilities in mount templates
  • [Enhancement] Using create_mount_options.py for RHEL7 rules
  • [Infrastructure] --skip-valid when composing datastreams (build optimization)
  • [Infrastructure] Optimized relabel ids (build time optimization)
  • [Enhancement][Infrastructure] Avoid repeatedly validating input when generating all roles (build time optimization)
  • [Infrastructure] Renamed the all roles timestamp marker file
  • [Bugfix] Ansible sshd protocol2 extension should be yml, otherwise it won't get picked up
  • [Enhancement][Infrastructure] Benchmark stats and CSV output in profile_stats.py
  • [Bugfix][Infrastructure] Reset parsed remediation attributes in combine-remediations.py correctly
  • Avoid warning about being unable to open output/unlinked-*-oval.xml
  • Better profile stats
  • Fix 'small' element namespace
  • [Bugfix][Infrastructure] Fix JBoss EAP platform mapping
  • SubElement would cause 2 appends which is not what we want
  • [Infrastructure] Look into parent for oval511 templates
  • [Infrastructure] Install remediation roles in content directory
  • [Infrastructure] Cmake delete checks remediations
  • [Bugfix][Infrastructure] Fix drop of OVAL checks extending non-existing definitions
  • [Infrastructure] Build only one test package
  • The great move
  • [Infrastructure] Removed product-make.include
  • combine-remediations and combine-ovals improvements
  • [Infrastructure] Use inbuilt python element tree
  • [Infrastructure] OVAL templating clean-up
  • [Infrastructure] use daemon_name instead of service_name if daemon_name differs
  • [Bugfix][Infrastructure] Escape the CMAKE_INSTALL_PREFIX again
  • [Bugfix][Infrastructure] Build table for ospp-rhel7, not ospp-rhel7-server
  • [Bugfix] Generate all roles, not just the last one
  • Fix installation path of guides and roles
  • [Infrastructure] @ANSIBLE_TAGS@ replacement for ansible fixes
  • [Infrastructure] Use a separate template for OVAL sebool when using a variable

SCAP Security Guide 0.1.33 Release Notes

29 Apr 09:37

Highlights:

  • DISA RHEL7 STIG profile alignment improved
  • Introduction of remediation roles
  • RPM and DEB test packages are built by CMake with CPack
  • Lots of remediation fixes

Profile:

  • adding initial SELinux booleans to OSPP
  • [Bugfix] Fix user login in RHEL7-OSPP kickstart
  • [Enhancement] Sorted rule names in OSPP profile
  • Update ftp profile title to proper form
  • [RHEL7] Update STIG profile names
  • [Bugfix] Fixed a typo in title of the FISMA profile for RHEL6
  • [Enhancement][SSG-DISA RHEL7 STIG Alignment] Additional DISA STIG alignments
  • Debian 8: ntpd service name is "ntp"
  • [RHEL7][SSG-DISA RHEL7 STIG Alignment] DISA STIG refactoring

XCCDF:

  • [issue 1842] nosuid on /home
  • update SSH checks with full list of FIPS Ciphers and MACs
  • update sshd xccdf/oval rules
  • XCCDF profile descr <= 80 chars, added periods, assigned missing CCEs

OVAL:

  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Evaluate if var_ntp_set_maxpoll is less than or equal
  • [Enhancement][RHEL7] Use variables in SELinux boolean OVAL content and enable in XCCDF
  • [Bugfix][RHEL7] update enable_dconf_user_profile to check if dconf installed
  • [Bugfix] Make rsyslog_remote_loghost scapval compliant
  • [Bugfix] Change external_variable accounts_umask_etc_login_defs
  • [Bugfix] Fix file_owner_cron_allow and file_groupowner_cron_allow checks

Remediations:

  • fix for ensure_redhat_gpgkey_installed remediation
  • Improve reliability of smartcard_auth remediation
  • Added remediation for aide_scan_notification rule.
  • [Bugfix] Fix remediation for accounts_logon_fail_delay
  • [Bugfix] Use unset IFS instead of unset $IFS
  • [Enhancement] Relabel when SELinux state is changed
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1875: Add a remediation script for aide_verify_ext_attributes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1874: Add a remediation script for aide_verify_acls
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1876: Add remediation script for aide_use_fips_hashes
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1886: Add a remediation for rsyslog_remote_loghost
  • [Bugfix] [issue 1930] remove double quote from audit_rules_* remediations
  • [Bugfix] Fixed pam_faillock_deny_root remediation for RHEL 7.
  • [Bugfix][RHEL7][SSG-DISA RHEL7 STIG Alignment] Disable prelink in grub2_enable_fips_mode.sh
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1889: remediation sshd_use_approved_macs
  • [SSG-DISA RHEL7 STIG Alignment] Remediations for /etc/cron.allow ownership
  • [SSG-DISA RHEL7 STIG Alignment] Issue #1880: Fix remediation for grub2_enable_fips_mode
  • [SSG-DISA RHEL7 STIG Alignment] Add remediations for mount options of removable partitions
  • [SSG-DISA RHEL7 STIG Alignment] missing and broken remediations
  • [Bugfix] RHBZ #1403905: Fix rules for removable media properties

Infrastructure

  • Use @CCENUM@ instead of $CCENUM for the token replacement
  • [Infrastructure] Remove stig-integration-stats.sh in favor of profile_stats.py
  • [Infrastructure] Build remediation roles
  • Re-enable generation of SELinux booleans OVAL checks from templates
  • [Bugfix] Protect variable expansion in replace_or_append
  • [Bugfix] Fix variable expansion in sysctl templates
  • Update manual on how to build a tarball, package and zipfile
  • [Infrastructure] Self implement subprocess.check_output for python 2.6
  • [Infrastructure] Bring shellcheck back
  • [Infrastructure] Fix svg detection
  • [Infrastructure] Build guides into build/guides instead of directly into build/
  • [Infrastructure] Build tables into build/tables
  • [Infrastructure] Remove global Makefile as cmake is the build system now
  • [Infrastructure] Drop OVAL checks whose extend_definition refs don't exist
  • [Infrastructure] Build zipfiles through CMake
  • updated README for Debian installation procedure
  • [Infrastructure] Enable building of RPM and DEB packages with CPack
  • [Bugfix][Infrastructure] Remove refresh-stig-refs.sh as it is replaced by create-stig-overlay.py
  • [Enhancement][Infrastructure] Update User and Developer guides to asciidoc format
  • [Infrastructure] Install kickstarts
  • [Infrastructure] Depend on the CPE dict when generating CPE files
  • [Enhancement] Add create-stig-overlay.py for STIG overlay generation

SCAP Security Guide 0.1.32 Release Notes

29 Mar 13:31

Highlights:

  • New CMake build system
  • Improved NIST 800-171 profile
  • Initial RHVH profile
  • New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
  • Template clean up in lots of remediations

Profile

  • [Enhancement] Standard profile container
  • [Bugfix][Enhancement][Infrastructure] Add stig_overlay to CMAKE build
  • [Bugfix][Enhancement] Update RHEL7 Manual STIG references to release version 1
  • [Bugfix][Enhancement] Update RHEL7 STIG overlay to map to official DISA STIG release
  • [Enhancement] Add service_atd_disabled to RHEL6 STIG profile
  • [Bugfix] Remove ldap_client_start_tls check in RHEL7 STIG profile
  • [Enhancement] Debs: support for apt unauthenticated repository config check (ANSSI NT-28 - R15)
  • [Bugfix] Add RHEL6/PCI-DSS centric-benchmark
  • [RHEL7] Further NIST 800-171 profile work
  • [Bugfix][Draft RHEL7 STIG] Update RHEL/7 STIG content to match latest STIG ID mapping
  • [Enhancement][RHEL7] Add Initial RHVH profile
  • [Bugfix] Remove RHEL7 CCEs and STIGIDs from SUSE/12
  • Continuing NIST 800-171 profile development
  • [RHEL7] [issue 391] NIST mappings for restrict_nfs_clients_to_privileged_port…
  • [Bugfix] Fixed mismatched tags in RHEL7 nist_support.xml

XCCDF:

  • [Bugfix] Fix RHEL7 CCE-25892-0 typo
  • [Bugfix] Added description to file_ownership_var_log_audit rule.
  • [Enhancement] Adding Container and Machine-only CPEs in RHEL6 CPE dict.
  • [Enhancement] Marked RHEL 6 XCCDF Rules as machine-only when applicable.
  • [Enhancement] Marking more machine only rules
  • [Enhancement] Continue marking machine specific rules
  • [Bugfix][Draft RHEL7 STIG][RHEL7] [issue 1688] update XCCDF for selinux audit
  • Start marking rules that apply only for baremetal / VM environment or only for container environment
  • [Bugfix] Add missing minlen value for RHEL6 password variable
  • [Enhancement] Add PCIDSS mapping to RHEL6 XCCDF
  • [Enhancement][RHEL7] Add new audit rules to STIG profile and update auditing XCCDF ids
  • [Bugfix] Expand some XCCDF descriptions and fixes
  • [Enhancement] Add new httpd file permissions content
  • [Bugfix] Fix DConf typos and update gnome banners descriptions
  • Fixed wording in min password age description text
  • [Draft RHEL7 STIG] [Enhancement][RHEL/7] Update pam_faillock content to use and check for unlock_time=never
  • [bugfix] Fix 'cups_disable_browsing' XCCDF rule

OVAL:

  • [Bugfix] Support pam faillock with sssd enabled
  • [Bugfix] Another check for /var/tmp bind mounted to /tmp
  • [Bugfix] Check more paths with verify_rpm_hashes
  • [Bugfix] Fixing default value for secure_redirects.
  • [Bugfix] Passwd file password field shadowed value
  • [Bugfix] Fix file_ownership_library_dirs.xml
  • [Bugfix] Update smartcard auth OVAL to not require the esc package for non-GUI environments
  • [Enhancement] Added shared/oval/is_a_container.xml to further enable SSG
  • [Bugfix] Update RHEL/7 PAE OVAL check
  • [Bugfix][RHEL6] Fix xpath to handle empty element in gconf_gnome_disable_ctrlaltdel_reboot
  • [Bugfix][Draft RHEL7 STIG][Enhancement] Update Audit Rules OVAL
  • [Bugfix] Fix DConf OVAL typos
  • [Enhancement][RHEL6][RHEL7] Use https:// for CVE OVALs

Remediations

  • [Enhancement] Improve sysctl remediations to use replace_or_append functions
  • [Bugfix] RHBZ #1413494: Fix the regular expression for SSHD Ciphers
  • [Bugfix] Allow audit to log read and write
  • [Bugfix][RHEL7] Added a new remediation to rule rsyslog_files_permissions, now it doe…
  • [Bugfix] Fixed ensure_gpgcheck_globally_activated rule remediation.
  • [Bugfix] bash remediations cleanup & fix
  • [Ansible][Enhancement] Add ansible remediations
  • [Enhancement] Misc audit remediations
  • [Enhancement] Remediation for sshd checks
  • [Bugfix] Don't limit Fedora template generation
  • [Enhancement] Use openscap-scanner instead of openscap-utils in RHEL/6 kickstarts
  • [Bugfix] Fix so we don't leave remedied config files without trailing newline.
  • [Bugfix] Fix Anaconda package install template typo
  • [Bugfix] typo in policy setting
  • [Bugfix] Use a more specific pattern match in the fix for require_singleuser_auth
  • [bugfix][RHEL/6] Fix kickstarts to use distribution content

Infrastructure

  • [Bugfix][Infrastructure] Enable OSP product
  • Build zip archive and update usage
  • [Bugfix] Update path where compare_generated.sh looks for datastreams
  • [Bugfix] Enable more products with CMake
  • [Bugfix] Fix path of oval.config in testoval.py script
  • [Infrastructure] Let's go back to the old path /usr/share/xml/scap/ssg/content
  • [Infrastructure] template_common.py/create*py: Use classes
  • [Infrastructure] Change interface of create_*py
  • [Infrastructure] compare_generated.sh: Update for cmake structure
  • [Bugfix][Infrastructure] Move OVAL_5.11 static files
  • [Bugfix] RHBZ #1420038: Identify Red Hat Enterprise Virtualization Host as RHEL7
  • [Bugfix][RHEL7] Fix stig testinfo tables for RHEL6 and 7
  • [Infrastructure] Build HTML tables and guides when building product specific content
  • [Enhancement] oscap mangles paths of SDS components so we need to add them by relative path
  • [Enhancement][Infrastructure] Cmake build system
  • [Bugfix][Infrastructure] Issue #1718: Fix build using docker
  • [Infrastructure] Remove testoval.py clones
  • [Infrastructure] RHEL7: remove generated OVAL_5.11 package*installed.xml
  • [Infrastructure] RHEL6: Remove unused package_removed*xml
  • [Infrastructure] RHEL6: cleanup sysctl
  • [Infrastructure] RHEL6: Remove generated kernel module OVAL & Fix remediations to be idempotent
  • [Infrastructure] Fedora cleanup
  • [Bugfix][Enhancement] Add RHEL Client Variant Support
  • [Infrastructure] Debian8: clean generated files
  • [Infrastructure] Wrlinux: Remove old/unused files
  • [Bugfix][Infrastructure] Fix build without SVG
  • [Infrastructure] Webmin: Remove templates
  • [Infrastructure] Chromium: Remove puppet example
  • [Enhancement][Infrastructure] update Makefile to clean dist/tables
  • [Enhancement] Debs: add iommu=force check NT28(R11)
  • [Infrastructure] RHEL6 cleanup packages installed/removed
  • [Infrastructure] RHEL6: cleanup service_disabled & fix template_common.py: regex_replace
  • [Infrastructure] RHEL6: service*enabled cleanup
  • [Enhancement] Add support for both plain and regex file names in create_permission.py
  • [Bugfix] generate-from-templates: fix error when key does not exist
  • [Infrastructure][RHEL7] Cleanup rhel7 sysctl
  • [Infrastructure] RHEL7: remove package*installed.xml
  • [Infrastructure][RHEL7] Cleanup rhel7 kernel modules
  • [Infrastructure][RHEL7] Cleanup rhel7 package removed 5.11
  • [Infrastructure] Disable overriding of OVAL_5.11 by OVAL_5.10
  • [Enhancement] Add support for Ubuntu/trusty (14.04)
  • [Enhancement] Added to XCCDF shared transformations, so it will
  • [Enhancement] Docker build
  • [Bugfix] replace failing %doc glob
  • [issue 1607] Replenished Red Hat CCEs
  • [Enhancement][Infrastructure] Add JBoss/Fuse/6 to global Makefile
  • [Bugfix] Fix SUSE/11 and Webmin content build issues
  • [Bugfix][Enhancement] Generate guides outputs
  • Removed the old JBossFuse6 content, this content is obsolete and does…
  • [bugfix] Fix remaining duplicate ids
  • [bugfix] Fix some of the duplicate OVAL IDs
  • [Enhancement] [bugfix][Infrastructure] combine-ovals.py: print missing directory message
  • [bugfix][Infrastructure] combine-remediations.py: print missing directory message
  • [Infrastructure] make rpm to be consistent with Fedora's spec

SCAP Security Guide 0.1.31 Release Notes

28 Nov 16:39

Highlights (in order the changes have been merged):

  • New Wind River Linux profiles
  • Various STIG profile enhancements
  • Support for Ubuntu Xenial
  • Support for Ansible remediations
  • Refactored build process, with more shared content
  • Cleaner build system for RPM
  • Content passing NIST SCAP Content Validation Tool 1.2.1.15 requirements

XCCDF changes / enhancements:

  • [Bugfix][Fedora][RHEL/7] Fix grub XCCDF to reference 01_users for password/admin account
  • [BugFix][RHEL/6] Fix for issue #1319
  • [Enhancement][RHEL/7] Add Supported/Certified Vendor XCCDF
  • [Enhancement][RHEL/7] Update check-content-ref to use .bz2 version
  • [RHEL/7][Enhancement] Update DISA STIG references for existing content
  • [RHEL7] Updating SSG to align with DoD RHEL7 STIG Draft v2, where appropriate
  • [Enhancement] Additional STIG updates
  • [Enhancement][RHEL/7] Add SELinux Boolean XCCDF
  • [Enhancement][Infrastructure] Add XCCDF weblink macro
  • [RHEL7] Renamed the docker profile to "docker host"
  • [RHEL7] Suggest using SELinux to harden the container host
  • [Enhancement] Issue #1346: Add a check for configuration of Docker storage driver
  • [Enhancement] JBoss EAP 5 XCCDF and OVAL updates
  • [Enhancement] Initial WRLinux support
  • [Enhancement] Move Chromium, JRE, and Firefox XCCDF content to shared/xccdf
  • [Enhancement][RHEL/7] Add sshd port check content for firewalld
  • [RHEL6][RHEL7][Bugfix] Add content for samba-common package
  • [Enhancement] Organize Wind River Linux profiles
  • [Enhancement] Migrate more XCCDF to shared content
  • [RHEL7] Update RHEL/7 STIG profiles and add some missing CCEs
  • [Enhancement][Infrastructure][RHEL/7] Create shared_guide.xslt and move RHEL/7 XCCDF content to shared/xccdf
  • [Enhancement][Bugfix][RHEL/7] Various RHEL/7 STIG fixes
  • [Bugfix][Enhancement] Break out HBSS Rules and update integrity groups
  • [Bugfix][Enhancement][RHEL7] STIG update for RHEL/7 add additional dconf settings
  • [Bugfix][Infrastructure] Don't include @platform in element
  • [Bugfix] Add missing element to group
  • [RHEL7] DISA usage
  • [RHEL6][RHEL7] updating DoD STIG profile language to include DISA FAQ
  • [Bugfix] Rename PCI-DSS centric profile ID
  • [Enhancement][RHEL7] Converted XML comment DISA STIG note to XHTML
  • [Bugfix] Align SSG to DISA RHEL6 V1R13 content
  • [RHEL6] RHEL6 CCI updates
  • [RHEL7][Bugfix] Fix SSH private key permissions
  • [Enhancement] add support for Ubuntu Xenial in SSG. Based on Debian 8
  • [Fedora][RHEL7][Bugfix][shared] Fix paths in bootloader password check
  • [RHEL7][BugFix] Fix for downstream RH BZ#1344581
  • [Enhancement][RHEL7] Fix description and title in sshd_disable_rhosts_rsa
  • [Enhancement][RHEL7] Fix regex in sshd_disable_user_known_hosts
  • [Bugfix] Fix and Build FISMA RHEL/6 profile
  • [Bugfix][RHEL6] Fix FTP server profile ID

OVAL check changes / enhancements:

  • [RHEL6][RHEL7][Bugfix] Add installed_OS_is_certified OVAL for RHEL systems
  • [Enhancement][shared] Examine limits.d/*.conf for maxlogins
  • [BugFix][Debian/8] When extending ANSSI profiles don't inherit the title and description from the parent profile
  • [RHEL/6] Replace double space in selected elements with single one
  • [BugFix][Infrastructure] Fix for issue #1275 Also fix couple of instances of issue #50
  • [Bugfix] verify-references.py - use proper OVAL paths, unused OVALs are no longer an error
  • [RHEL6][RHEL7][Bugfix] Check for ssl = required or ssl = yes in dovecot/conf.d/10-ssl.conf
  • [Bugfix] Revisit OVAL for "accounts_max_concurrent_login_sessions" ru…
  • [Enhancement][Bugfix] Allow multiple maxlogin specifications in /etc/security/limi…
  • [Bugfix] Fix build-remediations for oval_5.11
  • [Bugfix] Move SSSD OVAL content to oval_5.11
  • [Enhancement] add /etc/cron.daily check to aide_periodic_cron_checking
  • [Bugfix][RHEL7] Correct default and other values in var_password_pam_difok
  • [Bugfix][RHEL7] Add STIG default value to var_accounts_password_minlen_login_defs
  • [Enhancement][RHEL7] STIG Update RHEL/7: Add new SSHD and AIDE XCCDF content
  • [Enhancement][RHEL7] RHEL/7 STIG update: Add new cron content
  • [Enhancement][Bugfix][RHEL7] Add AIDE OVAL content for new AIDE XCCDF
  • [Bugfix] Add OS Certification check for AIDE FIPS OVAL

Ansible changes / enhancements:

  • [Ansible][Enhancement] Initial ansible support (rhel7)
  • [Ansible][Enhancement] ansible service disabled (rhel7)
  • [Ansible][Enhancement] RHEL7: Add ANSIBLE_kernel_module_disabled
  • [Ansible] Disable POST password expiration
  • [Ansible] create_permission: merge & add ansible
  • [Ansible] another ansible scripts

Remediations:

  • [BugFix][RHEL/7] RHEL-7 remediation for 'no_empty_passwords' rule is missing --follow-symlinks currently. Fix that and unify the remediations
  • [Fedora][RHEL6][RHEL7][BugFix] Fix remediations without platforms
  • [BugFix][RHEL/7] Rewrite RHEL-7 remediation for 'smartcard_auth' rule
  • [RHEL7] MollyJoBault remediation scripts + fixes by Shawn
  • [Bugfix][RHEL6][RHEL7] Added newline to MACs remediation
  • [Enhancement][Infrastructure] Enhance remediation attributes
  • [Bugfix][RHEL/7] Various remediation script fixes
  • [Bugfix] Don't bleed remediation content into irrelevant other remediations in…
  • [Infrastructure] RHEL7 generate accounts_password
  • [Enhancement][Infrastructure] Add CCE identifiers to scripts that contain the 'CCENUM' keyword
  • [Enhancement][Infrastructure] Addremediations xslt simplification
  • [Infrastructure] Build remediations refactoring
  • [Enhancement][Infrastructure] Add Anaconda Remediation Scripts
  • [Enhancement][Infrastructure] Add Puppet Remediation scripts
  • [Enhancement] [issue 1369]idempotent kernel modules

Infrastructure:

  • [BugFix][Infrastructure] Fix parallel make
  • [Enhancement][Infrastructure][RHEL/7] Migrate more local XSLT to shared XSLT
  • [Infrastructure][Enhancement][RHEL/6][RHEL/7] Fix for #1297 (include the HTML tables and available kickstarts) into produced RPM
  • [Bugfix][Enhancement][Infrastructure] Map OSSRG to DISA SRG URI
  • [Enhancement][Infrastructure] Add vendor variable
  • [Enhancement][Infrastructure] Add custom CCE and Reference capability for Corporate Policies
  • [Enhancement][RHEL/7] Finished moving RHEL7 XSLT to shared XSLT
  • [Infrastructure][Bugfix][infrastructure] Add product stig name variable to shared_xccdf2stigformat.xslt
  • [Enhancement][Infrastructure] Update local XLST content to use shared XSLT
  • [Bugfix] Update SSG project web URL in content
  • [Fedora][Infrastructure] Remove Fedora 22 support
  • [Bugfix][Infrastructure] Fix various testoval.py issues
  • [Enhancement][EAP/5] Add build capability and cleanup
  • [BugFix][Infrastructure] Get rid of duplicate definition of selected OVAL entities (fix for part of #50)
  • [Infrastructure] Utils transforms refactoring
  • [Enhancement] PCI-DSS centric benchmarks for RHEL6 and 7
  • [Infrastructure][BugFix] Add missing <title> and elements for the 'certified-vendor' xccdf:Group
  • [Infrastructure][Bugfix][infrastructure] Remove rhel5 naming from table generation
  • [Infrastructure] Default to the number of CPUs in build-all-guides.py for the number of jobs
  • [Infrastructure][RHEL7] Update rhel7-cpe-dictionary.xml
  • [Infrastructure] Update files by generated versions
  • [Enhancement] Add initial OpenSUSE and SUSE build directories
  • [Bugfix] Makefile fixes
  • [Infrastructure] Refactor template - create_*.py
  • [Infrastructure] Move validate-bash to shared makefile
  • [Infrastructure][Enhancement][Infrastructure] Update disa references
  • [Infrastructure] Don't destroy targets, cp instead of mv. That way rebuilds are faster.
  • [Infrastructure] combineremediations.py to support multiple directories as input
  • [Infrastructure] Use os.path.join instead of string concat for better sanity checks
  • [Infrastructure] Move generated scripts
  • [Bugfix] Fix doubled fixes
  • [Infrastructure] combineovals: remove deprecated branch of code
  • [Infrastructure] Parallelize the "validate" target
  • [Enhancement][Infrastructure] Introduce "profile-stats.py" helper
  • [Infrastructure][Enhancement] Enhance the 'profile-stats.py' helper yet
  • [Infrastructure] End with fatal error if the remediations XML doc can't be loaded
  • [Infrastructure] Combine OVAL - stop copying generated oval
  • [Infrastructure] Move templates & split generations
  • [Infrastructure] RHEL5/Fedora use bash templates
  • [Infrastructure] shared: add template for BASH permission [SMALL]
  • [Infrastructure] Shared: Generate bash - init version
  • [Infrastructure] Fix prefix path for shared remediations
  • [Bugfix] Fix minor mkdir issue
  • [Enhancement] Consolidate common README files and update
  • [Infrastructure] xccdf-addremediations.xslt: Refactor
  • [Infrastructure] Rhel6 use generated bash
  • [Infrastructure] create_BASH_permission.py: Remove forgotten print()
  • [Infrastructure] Shared: generate package_removed
  • [Infrastructure] Shared: generate kernel_module_disabled
  • [Infrastructure] Shared: generate package_installed
  • [Infrastructure] Templates rhel7 permissions
  • [Infrastructure] Templates rhel7
  • [Infrastructure] rhel6 permissions
  • [Infrastructure] rhel5: Generate file permissions
  • [Infrastructure] Remove duplicates remediations
  • [Infrastructure] Fix remediations
  • [Infrastructure] Introduce file generator
  • [Enhancement][Infrastructure] Use shared_guide.xml for content and additional fixes
  • [Infrastructure] compare_remediations
  • [Infrastructure] create_package_(removed_installed) merge
  • [Infrastructure] Remove duplicates templates
  • [Infrastructure] Duplicates finder
  • [Infrastructure] Add support to restrict targets in csv file
  • [Enhancement] share architecture rules more easily
  • [Bugfix][Infrastructure] Remove RHEL idents for derivative OSes
  • [Bugfix] Fix RHEL7 CCP idrefs
  • [Enhancement][Infrastructure] Add shared int...

SCAP Security Guide 0.1.30 Release Notes

24 Jun 13:48

Highlights (in order the changes have been merged):

  • [Enhancement] [RHEL/7] Port existing CNSS No.1253 (nist-CL-IL-AL) profile from RHEL-6 to RHEL-7 (Fixes #858)
  • [Enhancement] [RHEL/7] Content passes ScapVal-1.2.14.1 requirements
  • [Enhancement] [RHEL/7] Assign CCE identifiers to RHEL-7 rules
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement] [Debian/8] Add profile for each ANSSI hardening level for NP targets (ansi_np_nt28_eleve, ansi_np_nt28_intermediaire, ansi_np_nt28_minimal, ansi_np_nt28_restreint)
  • [Enhancement] Don't rely on absolute path of the shell remediation functions library to be able to perform remediations (remediations are now part of benchmarks themselves)

XCCDF changes / enhancements:

  • [Fedora] Separate dconf settings into dedicated 'Gnome Desktop Environment' XCCDF section
  • [RHEL/6] Move most GNOME checks into their own file, Add new GNOME XCCDF and OVAL content (Fixes #1205)
  • [Enhancement][RHEL/7] Create a STIG for GUI-enabled systems (Create a RHEL7 GUI STIG, Create a RHEL7 Workstation STIG for future use, Remove DConf checks from the stig-rhel7-server-upstream profile and add to the new stig-rhel7-server-gui-upstream profile) (Fixes #481)
  • [BugFix] [RHEL/7] Fix multiple invalid selector warnings when scanning against "stig-rhel7-server-upstream" profile
  • [BugFix] [RHEL/6] [RHEL/7] Add warning note for ctrl-alt-delete key sequence
  • [Enhancement][RHEL/6] Add STIG GUI profiles for RHEL6
  • [Enhancement][RHEL/7] Disable CTRL-ALT-DEL in GUI profile
  • [Enhancement][RHEL/7] Add SELinux boolean XSLT macros (Add a single enable/disable SELinux boolean macro, Add a single enable/disable SELinux boolean check macro)
  • [Enhancement][RHEL/7] STIG updates for yum (Fixes #1122, Fixes #1123, Fixes #1124)
  • [Enhancement][RHEL/7] STIG update for sssd content (Add new SSSD content, Fixes #1158, Fixes #1157, Fixes #1156, Fixes #1017)
  • [Enhancement][RHEL/7] stig update for pam settings (Fixes #1136, Fixes #1155, Fixes #1159)
  • [Enhancement][RHEL/7] Add RHEL/7 STIG Reference Identifiers (Add RHEL/7 STIG identifier, Add RHEL/7 OS URI Link)
  • [Enhancement] [RHEL/7] Added a new CJIS profile (Criminal Justice Information Services (CJIS) Security Policy)
  • [Enhancement][RHEL/7] Add initial sudoers content (Add initial sudo content to check for NOPASSWD and !authenticate in sudoers for RHEL7 STIG, Fixes #1015)
  • [Enhancement][RHEL6/7] Add FIPS XCCDF and OVAL content (Adds FIPS GRUB & GRUB2 XCCDF and OVAL content, Fixes #998)
  • [Enhancement][Fedora][RHEL/7] Add UEFI XCCDF/OVAL content (Add new UEFI XCCDF/OVAL content, Make sure that if /boot/grub2.cfg or /boot/efi/EFI//grub.cfg does not exist to not fail the check, Fixes #1162)
  • [BugFix] [RHEL/7] [Fedora] Update form of 'disable_interactive_boot' rule for Systemd (RHEL/7, Fedora) based systems (update all XCCDF, OVAL, and remediations)
  • [Bugfix] Move Chromium XCCDF content to XCCDF directory
  • [Bugfix] FIPS grub XCCDF and OVAL
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Rewrite XCCDF prose for 'no_shelllogin_for_systemaccounts' rule not to mention hardcoded UIDs (use UID_MIN instead)
  • [BugFix] Fix unreferenced 'file_permissions_ungroupowned' OVAL for Fedora content (https://jenkins.open-scap.org/job/scap-security-guide-pull-requests/400/label=node-el6-openscap-new/consoleFull)
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Modify 'standard' profiles to comment out the rules currently returning 'notapplicable' result (needs investigation of reasons why it's behaving so, and fixing the issues prior re-enabling them back)

OVAL check changes / enhancements:

  • [BugFix] [RHEL/7] Fix for issue #1227
  • [Enhancement][RHEL/7] Add SELinux OVAL templates (Add initial sebool OVAL templates, Create new shared/template folder for future template consolidation work)
  • [BugFix] updating RHEL5 file_permissions_ungroupowned to use shared/version
  • [Enhancement] Add PPC and PPC64LE System Architecture (Add PPC and PPC64LE OVAL checking support)
  • [Enhancement] Examine /etc/profile.d/*.sh for TMOUT
  • [Bugfix][RHEL6/7] Add IPv6 equivalents to IPv4 sysctl (Adds IPv6 XCCDF/OVAL content that is equivalent to IPv4 sysctl XCCDF/OVAL content. NOTE: Not all IPv4 sysctl XCCDF/OVAL content has a corresponding IPv6 sysctl equivalent, Fixes #1214)
  • [RHEL/7] [bugfix] Check for FIPS in DEFAULT grub line if DEFAULT line exists
  • [BugFix] [shared] Rewrite OVAL for 'no_shelllogin_for_systemaccounts' rule so it wouldn't always perform the check on hardcoded <0, 499> UID range
  • [BugFix] [RHEL/7] Modify RHEL-7 OVAL for 'install_PAE_kernel_on_x86-32' rule not to fail on 64-bit (any not 32-bit system)
  • [BugFix] Fix indentation issue for file_permissions_ungroupowned OVAL (https://github.com/OpenSCAP/scap-security-guide/pull/1296/files#r67556952)
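
The 'no_shelllogin_for_systemaccounts' change above replaces a hardcoded <0, 499> UID range with UID_MIN from /etc/login.defs. The following is an added example, not the project's OVAL for that rule, showing why the distinction matters: with the constructed login.defs and passwd data below (UID_MIN 1000, a service account at UID 800), the old fixed range misses an account that the UID_MIN-based check catches. The nologin shell list and the root/sync/shutdown/halt exemptions are assumptions to adapt to the profile being checked.

```python
"""Flag system accounts that still have a login shell, bounded by UID_MIN.

Added example; not the project's OVAL for no_shelllogin_for_systemaccounts.
All input below is constructed; real use would read /etc/login.defs and /etc/passwd.
"""
import re

# Constructed /etc/login.defs excerpt: a commented-out old value and an active UID_MIN.
LOGIN_DEFS = """# constructed sample
#UID_MIN\t\t500
UID_MIN\t\t1000
UID_MAX\t\t60000
"""

# Constructed /etc/passwd: svc-backup sits in 500..999, which the old 0-499 range misses.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
svc-backup:x:800:800:backup service account:/var/lib/backup:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Assumed: shells that count as "no login", and accounts the check exempts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
EXEMPT = {"root", "sync", "shutdown", "halt"}


def uid_min(login_defs_text, default=500):
    """Active UID_MIN from login.defs text; commented-out lines are ignored.

    The default of 500 stands in for the old hardcoded <0, 499> range.
    """
    m = re.search(r"^\s*UID_MIN\s+(\d+)\s*$", login_defs_text, re.M)
    return int(m.group(1)) if m else default


def system_accounts_with_shell(passwd_text, uid_min_value, exempt=EXEMPT):
    """(user, uid, shell) for every system account (uid < UID_MIN) that keeps a login shell."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line; a real check would report it
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if user in exempt or uid >= uid_min_value:
            continue
        if shell not in NOLOGIN_SHELLS:
            findings.append((user, uid, shell))
    return findings


if __name__ == "__main__":
    for label, bound in (("hardcoded 0-499", 500), ("UID_MIN from login.defs", uid_min(LOGIN_DEFS))):
        print(label, system_accounts_with_shell(PASSWD, bound))
```

Run as a script it prints the two result lists side by side; the fixed range reports only postgres, the UID_MIN-based bound also reports svc-backup.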

Build System Bug Fixes:

  • [Enhancement][BugFix] Jboss Fuse 6 build fixes & enhancements (Part of #1046)
  • [BugFix] Minor JBoss 6 build fixes
  • [BugFix] [RHEL/7] Generate xccdf:metadata (Dublin Core , , (s), and elements) dynamically for RHEL-7 benchmark from the content of Contributors.md file (and other internal variables)
  • [BugFix] [Debian/8] [Fedora] [Firefox] [Chromium] [JBoss/Fuse/6] [JRE] [OpenStack/RHEL-OSP/7] [RHEL/5] [RHEL/6] [RHEVM3] [Webmin] Generate xccdf:metadata element of Debian/8 benchmark dynamically (from content of Contributors.md and value of selected internal values)
  • [Enhancement] [RHEL/7] Apply the newly introduced shell variables and remediation functions XCCDF expansion (translation into XCCDF <sub> elements) against RHEL-7 benchmark
  • [Enhancement][Infrastructure] Apply the new remediations as xccdf:Value functionality to the remaining benchmarks too (Webmin, RHEVM3, RHEL/6, RHEL/5, OpenStack/RHEL-OSP/7, JRE, JBoss/Fuse/6, JBoss/EAP/5, Firefox, Fedora, Debian/8, and Chromium)
  • [BugFix] Multiple fixes in expand_xccdf_subs() routine of the combineremediations.py helper
  • [BugFix] [Infrastructure] Fix currently failing 'make content' for RHEL/6 content due to undefined 'cisuri' variable (Fixes #1288)

Infrastructure:

  • [Fedora] Add Fedora 25 CPE to Fedora benchmark
  • [BugFix] [Infrastructure] add_cce_id_refs_to_oval_checks routine - When propagating CCE identifiers from XCCDF to specific OVAL verify particular CCE ID has correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X') (Fixes #1228, #1229, #1230)
  • [BugFix] [Infrastructure] Verify if CCE identifiers listed in various SSG XCCDF benchmarks have the correct form (either 'CCE-XXXX-X' or 'CCE-XXXXX-X')
  • [BugFix] Use proper rule names in various RHEL/5, RHEL/6, RHEL/7, and RHEVM3 profiles
  • [Bugfix][Infrastructure] Print message for unused remediation scripts during build
  • [Enhancement] Don't rely on the absolute path of the remediation functions library when performing remediations (Instead of that transform necessary shell variables and remediation functions calls into corresponding XCCDF <sub> elements to be present directly in the benchmark, Fixes #590, Fixes #1055)
  • [Enhancement][Infrastructure] Remove Red Hat identifiers from derivatives
  • [Enhancement][Bugfix][Infrastructure] Update constants XSLT
  • [Enhancement][Infrastructure] Add new shared_shorthand2xccdf.xslt
  • [Enhancement][Infrastructure] Update more content to use shared_shorthand2xccdf.xslt (Enhances Fedora, Debian, RHEL-OSP, and RHEL5/7 to use the new shared_shorthand2xccdf.xslt)
  • [Enhancement][Infrastructure] Add auditctl-syscall macro
  • [BugFix] [Infrastructure] Introduce $(SHARED)/$(OUT) directory
  • [Enhancement] [Infrastructure] Use "hidden" and "prohibitChanges" attributes set to "true" for xccdf:Values representing remediation routines
  • [BugFix] [Infrastructure] Perform a sanity check while performing XCCDF <sub idref=...> substitution for remediation functions (Exit with failure (1) if any of the functions was not substituted properly)
  • [BugFix] [Infrastructure] When performing XCCDF <sub> substitution expand also functions not having some arguments in the function call
  • [BugFix] [Infrastructure] If a remediation function recursively calls another remediation function, the called function needs to be defined as well
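
Several items above describe one mechanism: shared bash remediation functions become hidden, prohibitChanges xccdf:Value elements; a fix script references the functions it needs with <sub idref=...>; a function that calls another function pulls the callee's definition in too; and the build fails if a reference cannot be resolved. The following is an added example that implements that mechanism in miniature. It is not the project's combineremediations.py, and the two-function library, the fix script, and the xccdf_org.ssgproject.content_* ids in it are constructed.

```python
"""Inline shared bash remediation functions into an XCCDF benchmark via <sub>.

Added example; not the project's combineremediations.py. Ids, the function
library and the fix script are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF)


def q(tag):
    """Namespace-qualify an XCCDF tag for ElementTree."""
    return "{%s}%s" % (XCCDF, tag)


# Constructed stand-in for the shared function library. ensure_sshd_setting
# calls replace_or_append on purpose, to exercise the nested-call case.
FUNCTION_LIBRARY = r"""
function replace_or_append {
  local config_file=$1 key=$2 value=$3
  if grep -q "^$key" "$config_file"; then
    sed -i "s/^$key.*/$key $value/" "$config_file"
  else
    echo "$key $value" >> "$config_file"
  fi
}
function ensure_sshd_setting {
  replace_or_append /etc/ssh/sshd_config "$1" "$2"
}
"""

# Constructed fix script for a hypothetical rule; it only calls the wrapper.
FIX_SCRIPT = "ensure_sshd_setting PermitEmptyPasswords no\n"
RULE_ID = "xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"


def parse_library(text):
    """Map function name -> its full 'function name { ... }' definition."""
    funcs, name, body = {}, None, []
    for line in text.splitlines():
        m = re.match(r"^function\s+(\w+)\s*\{\s*$", line)
        if m:
            name, body = m.group(1), [line]
        elif name is not None:
            body.append(line)
            if line.strip() == "}":
                funcs[name] = "\n".join(body) + "\n"
                name = None
    return funcs


def calls_in(text, names):
    """Subset of `names` that occur as whole words in `text`."""
    return [n for n in names if re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(n), text)]


def required_functions(script, funcs):
    """Transitive closure of the functions the script calls, callees before callers."""
    ordered, done = [], set()

    def visit(name, chain):
        if name in done or name in chain:  # `chain` guards against mutual recursion
            return
        for callee in calls_in(funcs[name], [n for n in funcs if n != name]):
            visit(callee, chain | {name})
        done.add(name)
        ordered.append(name)

    for name in calls_in(script, list(funcs)):
        visit(name, set())
    return ordered


def value_id(name):
    return "xccdf_org.ssgproject.content_value_function_" + name


def build_benchmark(rule_id, script, funcs):
    """Hidden, prohibitChanges Values for the needed functions plus a <sub>-based fix."""
    needed = required_functions(script, funcs)
    bench = ET.Element(q("Benchmark"), id="xccdf_org.ssgproject.content_benchmark_EXAMPLE")
    for name in needed:
        val = ET.SubElement(bench, q("Value"), id=value_id(name), type="string",
                            hidden="true", prohibitChanges="true")
        ET.SubElement(val, q("title")).text = "Remediation function " + name
        ET.SubElement(val, q("value")).text = funcs[name]
    rule = ET.SubElement(bench, q("Rule"), id=rule_id, selected="true")
    fix = ET.SubElement(rule, q("fix"), system="urn:xccdf:fix:script:sh")
    fix.text = "# shared functions are substituted in from hidden Values at fix time\n"
    for name in needed:
        ET.SubElement(fix, q("sub"), idref=value_id(name)).tail = "\n"
    if len(fix):
        fix[-1].tail += script  # the script body follows the last definition
    else:
        fix.text += script
    return bench


def resolve_fix(bench, rule_id):
    """Emulate fix-time <sub> substitution with the build's sanity check: exit 1 if a
    reference cannot be resolved or a referenced function ends up undefined."""
    values = {v.get("id"): v.findtext(q("value")) for v in bench.iter(q("Value"))}
    rule = next(r for r in bench.iter(q("Rule")) if r.get("id") == rule_id)
    fix = rule.find(q("fix"))
    out = fix.text or ""
    for sub in fix:
        body = values.get(sub.get("idref"))
        if body is None:
            raise SystemExit(1)
        out += body + (sub.tail or "")
    for vid in values:
        name = vid[len(value_id("")):]
        if not re.search(r"^function %s \{" % re.escape(name), out, re.M):
            raise SystemExit(1)
    return out


if __name__ == "__main__":
    library = parse_library(FUNCTION_LIBRARY)
    benchmark = build_benchmark(RULE_ID, FIX_SCRIPT, library)
    print(ET.tostring(benchmark, encoding="unicode"))
    print(resolve_fix(benchmark, RULE_ID))
```

Run as a script it prints the generated benchmark and then the fully expanded fix script; note that replace_or_append is defined before ensure_sshd_setting even though the fix script never names it directly.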

Full list of issues and pull requests closed in this release
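
The two CCE form checks above accept 'CCE-XXXX-X' or 'CCE-XXXXX-X'. The following is an added validator, not the project's add_cce_id_refs_to_oval_checks routine, that applies the same form test to every ident in a benchmark and also verifies the final digit, which in CCE identifiers is a mod-10 (Luhn) check digit over the preceding digits (a property of CCE, not something these notes state). The benchmark fragment is constructed; CCE-27594-1 is the identifier the 0.1.29 notes assign to package_quagga_removed, and the ident system URI is assumed.

```python
"""Validate CCE identifiers before propagating them from XCCDF into OVAL.

Added example; not the project's add_cce_id_refs_to_oval_checks routine.
The benchmark fragment below is constructed.
"""
import re
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
# The form the release notes require: CCE-XXXX-X or CCE-XXXXX-X.
CCE_FORM = re.compile(r"^CCE-(\d{4,5})-(\d)$")


def luhn_ok(digits):
    """Mod-10 (Luhn) check over a digit string whose last digit is the check digit."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_cce(cce):
    """(ok, reason): form first, then the check digit. reason is '' when ok."""
    m = CCE_FORM.match(cce)
    if not m:
        return False, "bad form, expected CCE-XXXX-X or CCE-XXXXX-X"
    if not luhn_ok(m.group(1) + m.group(2)):
        return False, "check digit mismatch"
    return True, ""


# Constructed fragment: one CCE from the 0.1.29 notes, one with two digits
# transposed, and one too short to be a CCE at all. The ident system URI is assumed.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <Rule id="xccdf_org.ssgproject.content_rule_package_quagga_removed">
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27594-1</ident>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_transposed">
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-27549-1</ident>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_short">
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-275-1</ident>
  </Rule>
</Benchmark>
"""


def check_idents(xccdf_text):
    """Every (rule id, CCE, reason) whose ident would propagate a bad identifier into OVAL."""
    problems = []
    root = ET.fromstring(xccdf_text)
    for rule in root.iter("{%s}Rule" % XCCDF):
        for ident in rule.findall("{%s}ident" % XCCDF):
            cce = (ident.text or "").strip()
            if not cce.startswith("CCE"):
                continue  # idents from other systems are out of scope here
            ok, reason = validate_cce(cce)
            if not ok:
                problems.append((rule.get("id"), cce, reason))
    return problems


if __name__ == "__main__":
    for rule_id, cce, reason in check_idents(SAMPLE_XCCDF):
        print("%s: %s: %s" % (rule_id, cce, reason))
```

The transposition CCE-27549-1 passes the form test and is only caught by the check digit, which is the failure a form-only check lets through.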

SCAP Security Guide 0.1.29 Release Notes

25 Apr 15:56

Highlights (in order the changes have been merged):

  • Numerous STIG profile enhancements for the Red Hat Enterprise Linux 7 product,
  • The produced benchmark for the Red Hat Enterprise Linux 6 product now passes NIST SCAP Content Validation Tool 1.2.1.14 requirements,
  • Plenty of new OVAL checks have been implemented for the Red Hat Enterprise Linux 7 product,
  • A substantial effort has gone into bringing the existing SCAP content for the JBoss EAP v5 and JBoss Fuse v6 products into the format expected of a regular SCAP Security Guide product,
  • Other numerous XCCDF, OVAL, and remediation script enhancements and bug fixes (see below for more concrete details)

Enhancements:

XCCDF changes / enhancements:

  • [Enhancement] [Fedora] Added Fedora standard profile
  • [Enhancement][Fedora] Add Xorg service XCCDF content
  • [Enhancement] [Debian/8] starting sysctl integration in xccdf: execution restriction
  • [Enhancement] [Debian/8] add fs-specific sysctl hardening to xccdf. Updated xccdf partitioning structure
  • [Enhancement] [Debian/8] add missing anssi references for ntp
  • [Enhancement] [Debian/8] New sysctl_kernel_kptr_restrict rule
  • [Enhancement] [RHEL/6] Per request in:
    https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c8
    https://bugzilla.redhat.com/show_bug.cgi?id=1284045#c9
    update the title of the RHEL/6 CNSS profile to be more descriptive
  • [BugFix] [RHEL/7] [Fedora] Replace '/etc/grub.conf' with '/etc/default/grub' in RHEL-7 and Fedora XCCDF
  • [BugFix] [RHEL/6] Fix DISA CCI mapping for accounts_password_pam_dcredit rule
  • [Enhancement] [RHEL/6] Added CCE to package_setroubleshoot_removed
  • [Enhancement] [RHEL/6] Added CCE to package_mcstrans_removed
  • [Enhancement] [RHEL/6] Added CCE to package_telnet_removed
  • [Enhancement] [RHEL/6] Added CCE to package_rsh_removed
  • [Enhancement] [RHEL/6] Added CCE to package_ypbind_removed
  • [Enhancement] [RHEL/6] Added CCE to package_tftp_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk-server_removed
  • [Enhancement] [RHEL/6] Added CCE to package_talk_removed
  • [Enhancement] [RHEL/6] Updated C2S profile (Mapped package_talk-server_removed, package_talk_removed)
  • [Enhancement] Update RHEL6/7 guide.xml with compute node CPE
  • [BugFix] [RHEL/7] [Issue #995] Update var_accounts_max_concurrent_login_sessions to 10 (to meet DoD STIG
    guidance)
  • [Enhancement][Bugfix][Fedora] Update yum XCCDF and OVAL references to dnf
  • [BugFix] [RHEL/7] Fixed socket-disable-macro for rsh and rlogin
  • [BugFix] [RHEL/6] Added to the system
  • [BugFix] Added a description to vsftpd Group in RHEL6 and RHEL7 content
  • [BugFix] [RHEL/6] [RHEL/7] Added description to ftp_use_vsftpd Group
  • [Enhancement] [RHEL/7] Various STIG profile changes:
    • STIG updates to RPM verify
    • STIG updates to rhel7/rpm_verify_hashes
    • STIG updates to rhel7/accounts_password_pam_lcredit
    • STIG updates to rhel7/accounts_password_pam_dcredit
    • add severity to accounts_password_pam_dcredit
    • STIG update to rhel7/accounts_password_pam_ocredit
    • STIG update to rhel7/accounts_password_pam_difok
    • STIG update to rhel7/accounts_maximum_age_login_defs
    • removing var_password_pam_minlen from STIG profile, inherited from OSPP
    • STIG update for rhel7/accounts_password_pam_minlen
    • STIG update RHEL7/sysctl_net_ipv4_conf_all_accept_source_route
    • STIG update for rhel7/sysctl_net_ipv4_tcp_syncookies
    • STIG update for rhel7/sshd_do_not_permit_user_env
    • STIG update rhel7/nis
    • STIG update for rhel7/rsh-server
    • STIG update for rhel7/package_telnet-server_removed
    • STIG update for rhel7/tftp
    • STIG update for rhel7/banner_etc_issue
    • STIG updates for rhel7/accounts_password_pam_minclass
    • STIG updates to rhel7/package_screen_installed
    • STIG update to rhel7/crypt_style
    • STIG update for rhel7/accounts_minimum_age_login_defs
    • Add gid_passwd_group_same to RHEL7 STIG
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • Removing RHEL7 duplicate rules from STIG profile
    • assign DISA refs to accounts_password_pam_unix_remember
    • assign to RHEL-07-010260 no_empty_passwords
    • add account_disable_post_pw_expiration to STIG profile, assign DISA refs
    • Assign DISA FSO provided policy references
    • STIG update for RHEL/7 snmpd_not_default_password
    • STIG update RHEL7 add missing CCEs for #1140 and #1138
    • STIG update for RHEL7 for sshd_allow_only_protocol2
    • STIG update for RHEL7 for sshd_use_approved_macs
    • STIG update for RHEL7 firewalld and tcp_wrappers
    • STIG update for RHEL7 xorg settings
    • Add accounts_no_uid_except_zero to RHEL7 STIG
    • STIG update for RHEL7 SSH key permissions (Add XCCDF and OVAL for SSH Server private and public key permissions)
    • STIG update RHEL7 ssh keys
    • STIG update for RHEL7 various SSH settings (Add new SSH XCCDF and OVAL content)
    • STIG update for RHEL7 ipv6.conf.all.accept_source_route (Add new XCCDF and OVAL content for net.ipv6.conf.all.accept_source_route)
    • Add SSH key file perm checks to OSPP profile
    • STIG update RHEL7 add ipv6 accept_source_route to STIG profile
    • STIG update RHEL7 add ssh settings to STIG profile
    • STIG update for RHEL7 quagga service (Add new XCCDF, OVAL, and remediation content for quagga routing)
    • STIG update RHEL7 quagga routing service
    • STIG update RHEL7 IPSec approved tunnel connections (Add new XCCDF for checking for IPSec-approved tunnels, Update severity level for package_libreswan_installed Rule)
    • STIG update RHEL7 add NFS share server/client security (Add new XCCDF and OVAL for NFS server/client Kerberos settings)
    • CCE-27594-1 to package_quagga_removed
    • CCE for service_zebra_disabled
    • CCE for use_kerberos_security_all_exports
    • CCE for mount_option_krb_sec_remote_filesystems
    • CCE for file_permissions_sshd_pub_key
    • CCE for file_permissions_sshd_private_key
    • CCE for sysctl_net_ipv4_conf_all_accept_source_route
    • CCE for disable_ctrlaltdel_reboot
    • CCE for service_autofs_disabled
    • CCE for sysctl_net_ipv4_tcp_syncookies
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update RHEL7 KDUMP service
    • STIG update RHEL7 separate partitions
    • update policy refs and xccdf for dconf_gnome_banner_enabled
    • Update language for rhel7/dconf_gnome_screensaver_lock_enabled
    • updating GNOME banner rules
    • update OCIL for dconf_gnome_screensaver_idle_delay
    • update rationale for accounts_password_pam_ucredit
    • removed duplicate rules from STIG profile, already present in OSPP
    • removed ucredit from STIG, present in OSPP
    • update severity and profile placement of dcredit rules
    • update refine value of var_password_pam_difok to 8
    • update OCIL for accounts_password_pam_maxrepeat
    • update password hashing, add to NIAP profile
    • move set_password_hashing_algorithm_logindefs from STIG to OSPP profile
    • move PASS_MAX_DAYS from STIG to OSPP
    • update OCIL for accounts_password_pam_unix_remember
    • update OCIL for accounts_password_pam_minlen
    • update rationale for no_empty_passwords
    • add dconf_gnome_screensaver_idle_activation_enabled to stig, update prose
    • update account_disable_post_pw_expiration prose and variable refinement
    • update sshd_disable_empty_passwords mappings
    • updates to disable_host_auth
    • update to ensure_gpgcheck_globally_activated prose, remove duplicate selector from STIG profile
    • update telnet prose
    • update prose for accounts_max_concurrent_login_sessions
    • updates to sshd_do_not_permit_user_env
    • Fix NIST references for disk_partitioning
    • Assign various CCEs to RHEL7 STIG rules
    • Add service_kdump_disabled to RHEL7 STIG profile
    • STIG update for McAfee content
    • Add in SELinux vs HBSS warning
    • Use chkconfig for nails service check rather than systemctl
    • STIG update RHEL7 additional SSH settings
    • Fix OS SRG typos and enhance some SSH titles
    • STIG update RHEL7 add gdm settings
    • Fix GDM content to use correct case
    • Add set_password_hashing_algorithm_systemauth to STIG
    • rationale update to rhel7/service_auditd_enabled
    • severity and rationale updates to file_ownership_var_log_audit
    • rationale and reference updates to rhel7/audit_rules_privileged_commands
    • policy ref and severity updates to rhel7/audit_rules_unsuccessful_file_modification
    • update policy refs for rhel7/audit_rules_login_events
    • STIG policy ref updates to rhel7/audit_rules_media_export
    • update rhel7/audit_rules_kernel_module_loading refs, remove duplicate entry from STIG profile
    • ref updates to rhel7/audit_rules_file_deletion_events, remove dupe from STIG profile
    • sshd_use_approved_ciphers rationale updates
    • [Enhancement][RHEL/7] Update dconf gnome settings
    • update references for rhel7/accounts_tmout
    • update STIG ID for audit_rules_usergroup_modification
    • add libreswan_approved_tunnels to STIG profile
    • fixed OCIL on file_permissions_sshd_private_key
    • reference swap for tftp
    • update with send_redirects
    • add /tmp requirement to STIG
    • update for audit partition
    • update for var partition
    • update for home partition
    • add file_permissions_ungroupowned to ospp
    • [Enhancement][RHEL/7] Update dconf gnome settings
  • [Bugfix][Fuse/6] fix OCIL grammar
  • [BugFix] [RHEL/7] Fix xorg.xml description grammar
  • [Enhancement][RHEL/7] Move GNOME XCCDF content into its own gnome.xml XCCDF file

OVAL check changes / enhancements:

  • [Enhancement] [RHEL/7] New OVAL for kernel_module_cramfs_disabled, kernel_module_freevxfs_disabled, kernel_module_hfs_disabled, kernel_module_hfsplus_disabled, kernel_module_jffs2_disabled,
    kernel_module_squashfs_disabled, and kernel_module_udf_disabled rules,
  • [Enhancement] [RHEL/7] New OVAL for dir_perms_etc_httpd_conf, dir_perms_var_log_httpd,
    dir_perms_world_writable_sticky_bits, dir_perms_world_writable_system_owned, file_permissions_httpd_server_conf_files., `file...

SCAP Security Guide 0.1.28 Release Notes

25 Jan 10:56

Highlights (in order the changes have been merged):

  • SCAP Security Guide build process refactoring
  • New "OpenStack/RHEL-OSP/7/" to hold the SCAP
    content for Red Hat Enterprise Linux OpenStack Platform v7
  • Improved (more granular) mapping of official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7,
  • The build process has been updated to produce STATIC rule IDs in the benchmarks
    (very handy for benchmark version diffs)
  • Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes
    (see below for more concrete details)

Enhancements:

  • OVAL for the RHEL-6 benchmark is produced in version 5.11 if the underlying
    oscap version already supports OVAL 5.11
  • New shared/oval/oval_5.11 directory to hold shared OVAL checks using
    OVAL-5.11 language constructs

XCCDF changes / enhancements:

  • [BugFix] [Debian/8] Fix typos (in selected rules)
  • [Debian/8] Cleaning on common profile. No more undefined ref
  • [RHEL/7] Refine pcidss-req 'security_patches_up_to_date' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_redhat_gpgkey_installed' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_globally_activated' -> 6.2
  • [RHEL/7] Refine pcidss-req 'ensure_gpgcheck_never_disabled' -> 6.2
  • [Debian/8] Add ssh basics to Debian 8 xccdf
  • [BugFix] [Debian/8] Updated invalid href for rule references. Add reference to Debian security manual
  • [Enhancement] [Debian/8] Add dsg references
  • [Debian/8] Clean dsg from official security guides. Updated ssh reference. Clean postbuild
  • [Debian/8] Clean all references to dsg in xccdf. clean cis link (rhel specific).
    Updated validate while xccdf is not complete
  • [Debian/8] Merge install xccdf part into system part for homogeneous content with other distros
  • [Debian/8] Add support for logging XCCDF check
  • [Debian/8] Add rsyslog basic check in common profile, without network part (client or server side)
  • [Debian/8] Cleaning account files access right checks
  • [RHEL/7] Added shm and sticky bits rules into RHEL7 standard profile
  • [RHEL/7] Added package management related rules to RHEL7 standard profile
  • [RHEL/6] Ported the RHEL7 standard profile over to RHEL6
  • [RHEL/6] [RHEL/7] Added more rules to standard profiles for RHEL6 and 7

OVAL check changes / enhancements:

  • [Debian/8] Updated CPE naming for NIST conformity
  • [Debian/8] CPE naming based on NIST NVD 2.2 naming
  • [Debian/8] Cleaning CPE (emptyline)
  • [BugFix] [Debian/8] Fix mistyped OVAL check name in the Debian 8 CPE
  • [BugFix] [Debian/8] Fix tag for 'installed_OS_is_debian8' OVAL check
  • [Enhancement] [Debian/8] Add support for ssh service shared oval files in Debian8
  • [Enhancement] [Debian/8] Add disabled services support. Adding openssh (needed for shared oval)
  • [BugFix] [shared] Updated RPM-based distribution specific shared oval file to RPM based platform only
  • [BugFix] [shared] Updated other RPM-based distrib specific OVAL files
  • [SHARED] Adding _all on ssh oval files
  • [shared] Add SSH protocol v2 only check to multi_platform_debian also
  • [shared] Add rhel-osp to previously multi_platform_all transformed into RPM specific multi-platform oval files
  • [RHEL/6] Fix for issue #932
  • [BugFix] [RHEL/5] Removed an unused idtranslate.py from RHEL5/input/oval
  • [BugFix] [RHEL/6] Update the sysctl XCCDF value fix for ipv6 parameters as well
  • [BugFix] [RHEL/7] Fix Ticket 932 on RHEL7
  • [BugFix] [RHEL/7] Add missing generated files and doc changes for ticket 932
  • [BugFix] [Debian/8] Updated template comment for correct path
  • [RHEL/7] Update "RHEL/7/input/oval/oval_5.11/templates/services_disabled.csv"
    content to start using new daemon_name CSV value expected by 'create_services_disabled.py'
    helper script (prevent ValueError)
  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_groupownership' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former product specific oval for
    'rsyslog_files_groupownership' rule into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_ownership' rule (with OVAL-5.11)
  • [Enhancement] [Debian/8] [RHEL/7] [Fedora] Move former per-product based
    'rsyslog_files_ownership' OVAL check into shared/oval/oval_5.11 directory
  • [Enhancement] [RHEL/6] New OVAL for 'rsyslog_files_permissions' rule (with OVAL-5.11)
  • [Enhancement] [RHEL/7] [Fedora] Move former per-product version of
    OVAL for 'rsyslog_files_permissions' rule into shared/oval/oval_5.11
  • [BugFix] [RHEL/6] Enhance the RHEL-6 OVAL for 'package_openswan_installed' rule

New Remediations:

  • [Enhancement][Fedora][RHEL/7] Add ctrl-alt-del command line check and remediation
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [BugFix] [Debian/8] Cleaning remediation dir

Build System Bug Fixes:

  • [BugFix] Fix failing RHEL-6 "make validate" target (2015-12-17)
  • [BugFix] [Debian/8] Fix 'make validate' on Debian/8 content issue
    when content is built on RHEL-6 with openscap-1.0.10-3.el6.* (2015-12-22)
  • [BugFix] [Debian/8] Fix failing 'make' target when Debian/8 content build
    is attempted on a system using openscap-1.0.x version

Infrastructure:

  • [Refactoring] Start using verify-references.py from the shared directory
  • [Refactoring] Move the documentation close to the script
    (Also remove the documentation from previous locations)
  • [Unification] Remove the support.sh script
  • [Refactoring] Put common Makefile declarations to a single file
  • [Refactoring] Make a use of product-make.include file
  • [Refactoring] Put query for OVAL 5.11 into a common Makefile
  • [Refactoring] Put query for guide-from-ds-oscap into a common Makefile
  • [Refactoring] Put query for SVG support into a common Makefile
  • [Enhancement] Create a shorthand target that emulates what jenkins runs
  • [Debian/8] Updated templates recopy calls to correct places in Makefiles
  • [Enhancement] Create a shorthand target that emulates what jenkins runs
  • [Unification] Use $(OUT) variable consistently
  • [Refactoring] Avoid changes in letter capitalization between the Makefiles
  • [Correction] Fix python binary name
  • [Refactoring] Refactor the very first make target: the guide.xml
  • [Refactoring] Imperceptible makefile changes
  • [Clarification] Amend documentation to mirror exactly what is going to happen
  • [Refactoring] Consolidate filename of shorthand.xml
  • [Refactoring] Move PHONY shorthand-guide to the common Makefile
  • [BugFix] [Debian/8] Put xhtml:p into a correct namespace for Debian content
  • [Refactoring] Spell-out all the dependencies of the guide.xml that exists
  • [Refactoring] Refactor shorthand-guide phony target to non-phony variant
  • [Refactoring] Create xccdf-unlinked-unresolved.xml as a separate target
  • [Refactoring] Create xccdf-unlinked-empty-groups.xml as a separate target
  • [Refactoring] Minor changes in webmin shorthand transformation
  • [Refactoring] Minor changes in openstack shorthand transformation
  • [BugFix] Fix broken xslt (causing "$ sudo chgrp root xsl:value-of select="@file"/>"
    in the HTML guides
  • [Refactoring] Openstack and webmin makefiles should use xccdf-unlinked-unresolved target
  • [Refactoring] [RHEVM3] Update shorthand to assign namespaces
  • [Refactoring] [RHEVM3] Remove 'addprofiles.xslt' step
  • [Refactoring] [RHEVM3] Resolve xccdf before proceeding
  • [Refactoring] [OpenStack] Update shorthand to assign namespaces
  • [Refactoring] [OpenStack] Remove 'addprofiles.xslt' step
  • [Refactoring] [OpenStack] Resolve xccdf before proceeding
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transformation
  • [Refactoring] Drop xccdf-addrefs.xslt
  • [Refactoring] Create ocil-unlinked.xml as a separate target
  • [BugFix] [Infrastructure] Harden the 'cpe_generate.py' shared transform even more
  • [Infrastructure] Temporarily allow the modified 'cpe_generate.py' transform
    to continue even if the intermediary OVAL is invalid
  • [BugFix] [Main Makefile] Use updated Openstack/RHEL-OSP/7 location in
    the 'make clean' target of the main Makefile
  • [BugFix] [OpenStack/RHEL-OSP/7] Makefile changes
  • [Refactoring] Create xccdf-unlinked-ocilrefs as a separate target
  • [BugFix] [Debian/8] Modify Debian/8 package_installed.csv template
  • [Refactoring] Move shared constants to a separate file
  • [Refactoring] Move xccdf-ocilheck2ref.xslt to the shared directory
  • [Refactoring] Remove commented version and config include
  • [Refactoring] Remove INCLUDE_TEST_PROFILE=0 setting
  • [Refactoring] [BugFix] [Debian/8] Modify the 'validate' target in the similar
    way like it's modified in Fedora or RHEL/7 product case
  • [Infrastructure] [Post PR#913 Cleanup] Make RHEL-OSP/7 content use the
    shared/ version of the 'verify-references.py' script
  • [Refactoring] Consolidate xccdf-unlinked-ocilrefs target, shared constants.xslt,
    and xccdf-ocilheck2ref.xslt transformation
  • [Refactoring] [BugFix] [Infrastructure] Various "cpe_generate.py" shared/
    transform hardenings
  • [Enhancement] Add support for multi_platform_debian. Requires some patches in shared/oval
  • [Enhancement] Updated shared oval in order to avoid multi_platform_all oval
    extending multi_platform_(rhel|fedora) definitions
  • [Enhancement] Keep human-readable hints in SSG IDs after relabelling
  • [Enhancement] Produce stable IDs, no longer generate a mapping INI file
  • [Bugfix][Debian/8] Update Debian Makefile and global makefile
  • [Refactoring] Refactor BUILD_REMEDIATIONS variable to shared makefile
  • [Refactoring] Remediations should be always sourced from the shared directories
  • [BugFix] Add RHEVM to combineremediations.py
  • [Refactoring] Create bash-remediations.xml as a separate target
  • [Refactoring] bash-remediations.xml should not depend on oval.config
  • [Enhancement] Make ocilrefs xccdf for Fedora as well
  • [Refactoring] Move xccdf-create-ocil.xslt to the shared directory
  • [Refactoring] Create xccdf-unlinked...

SCAP Security Guide 0.1.27 Release Notes

11 Dec 20:15

Highlights:

  • New CNSS No. 1253 Profile for Red Hat Enterprise Linux 6,
  • New C2S (CIS) Profile for Red Hat Enterprise Linux 7,
  • New Debian/8 (Jessie) product and initial benchmark for it,
  • Improved (more granular) mapping of official PCI DSS v3 standard
    to the PCI DSS profile for Red Hat Enterprise Linux 7,
  • Finished OVALs and selected remediations for the PCI DSS profile
    for Red Hat Enterprise Linux 6. More granular mapping of the official
    rules is still to come.
  • Other numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Enhancements:

  • [RHEL/6] New CNSS No. 1253 Profile
  • [RHEL/7] Granularize PCI-DSS profile rules mapping to official requirement (sub)
    section numbers in PCI DSS v3 standard
  • [RHEL/7] New C2S / CIS Profile
  • [Enhancement] Initial integration of Debian 8 in SSG

XCCDF changes / enhancements:

  • [BugFix] [RHEL/6] Update LUKS Disk encryption URL
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Fix XCCDF descriptions for:
    • file_permissions_binary_dirs, and
    • file_ownership_binary_dirs
  • [BugFix] [RHEL/5] Update XCCDF description for file_groupowner_binary_dirs
  • [BugFix] [RHEL/6] Add noexec, nosuid, and nodev rules for removable
    partitions and /dev/shm into RHEL-6 STIG profile
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Drop the clock_settime system call
    from the audit time rule examples that suggested including multiple commands
    in one audit rule
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for
    audit_rules_time_clock_settime rule
  • [Enhancement][RHEL6/7] Add audit permission scripts and update XCCDF/OVAL content
  • [BugFix][Fedora][RHEL6] remove pam_passwdqc references
  • [BugFix] [RHEL/6] Update XCCDF prose for disable_interactive_boot rule
  • [BugFix] [RHEL/6] Introduce an entropy section in the RHEL-6 benchmark
    and include the new kernel_disable_entropy_contribution_for_solid_state_drives
    rule in it
  • [Enhancement] [RHEL/6] Start shipping CNSS No. 1253 Profile
  • [Enhancement] RHEL7 - Added CIS mappings to disk partitioning/options XCCDF
  • [BugFix] [RHEL/6] Fix HTTP 404 URL in XCCDF prose for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Per:
    #879 (comment)
    add a into the RHEL-6 & RHEL-7 XCCDF prose for rpm_verify_permissions
  • [BugFix] [RHEL/6] Fix invalid selectors in the RHEL-6's CNSS No.1253 profile

OVAL check changes / enhancements:

  • [Enhancement][bugfix][Fedora][RHEL/7] standardize more XCCDF and OVAL IDs
  • [Enhancement][RHEL6/7][Fedora] Standardize XCCDF and OVAL names
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Use correct SELinux type in selinux_all_devicefiles_labeled rule
  • [Enhancement][RHEL6/7] Selinux and Kernel dmesg updates
  • [Enhancement][Fedora] Add no_direct_root_logins OVAL check
  • [Enhancement] [RHEL/7] Enable RHEL-7 OVAL check for enable_selinux_bootloader rule
  • [BugFix] [shared] Fix OVAL checks for file_ownership_binary_dirs, and file_permissions_binary_dirs
  • [BugFix] [RHEL/5] Update OVAL check for file_ownership_binary_dirs rule
  • [BugFix] [RHEL/5] Replace the RHEL-5 specific OVAL check for the file_permissions_binary_dirs rule
    with a call to the existing shared/ OVAL check for the same rule
  • [Enhancement][RHEL/7] Add time and faillock OVAL and remediations
  • [BugFix] [RHEL/5] [RHEL/6] [RHEL/7] [Fedora] Update existing OVALs for
    audit_rules_time_clock_settime rule
  • [RHEL/7] Add some sysctl_net_ipv4 oval checks
  • [Enhancement][RHEL7] Add missing RHEL7 services OVAL and remediations
  • [BugFix] [RHEL/6] Update OVAL for disable_interactive_boot rule
  • [Enhancement] [RHEL/6] Add RHEL-6 specific OVAL for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [BugFix] [Optimization] [RHEL/6] Optimize OVAL check for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
    for speed / efficiency
  • [shared] [Enhancement] update file_ownership_var_log_audit.xml to check log_group in auditd.conf
  • [shared] check that all_exist for non-root checks in file_ownership_var_log_audit.xml
  • [BugFix] [RHEL/6] Modify / optimize OVAL check for audit_rules_privileged_commands rule
  • [BugFix] [RHEL/6] Fix OVAL check for audit_rules_privileged_commands rule
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 OVAL for smartcard_auth
  • [Enhancement] [RHEL/6] Modify the current RHEL-6 OVAL for smartcard_auth rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] Provide links to the remote
    (official Red Hat RHSA / CVE) OVAL for the security_patches_up_to_date rule
  • [BugFix] [RHEL/6] [RHEL/7] Fix the RHEL-6 & RHEL-7 OVALs for kernel_module_bluetooth_disabled rule
  • [BugFix] [RHEL/6] [RHEL/7] Split the currently shared/ OVAL for the
    kernel_module_sctp_disabled rule into two separate OVALs

New Remediations:

  • [Enhancement][RHEL6/7] Add securetty XCCDF/OVAL checks and remediations
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for
    kernel_disable_entropy_contribution_for_solid_state_drives rule
  • [Enhancement] [RHEL/6] New RHEL-6 remediation for audit_rules_login_events rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    auditd_audispd_syslog_plugin_activated rule to RHEL-6
  • [Enhancement] [RHEL/6] Add new RHEL-6 remediation for accounts_password_pam_minlen rule
  • [Enhancement] [RHEL/6] Port existing RHEL-7 remediation for
    aide_build_database rule to RHEL-6
  • [Enhancement] [RHEL/6] Add RHEL-6 remediation for smartcard_auth rule
  • [Enhancement] [RHEL/6] [RHEL/7] Add remediation for rpm_verify_permissions rule
  • [Enhancement] [RHEL/5] [RHEL/6] [RHEL/7] New remediation for
    security_patches_up_to_date rule
  • [Enhancement] Add a kickstart file for PCI DSS for RHEL6

Remediation fixes / other changes:

  • [BugFix] [RHEL/7] smartcard_auth remediation - provide full path to the 'authconfig' executable
  • [Bugfix][RHEL6/7] fix remediation script names
  • [BugFix] [RHEL/6] [RHEL/7] Fix remediations for file_permissions_binary_dirs, and file_ownership_binary_dirs
  • [Enhancement][RHEL6/7] add audit and display_login_attempts remediations
  • [BugFix] [RHEL/6] [RHEL/7] [Fedora] Fix existing remediations for audit_rules_time_clock_settime rule
  • [BugFix] [RHEL/6] Fix remediation for disable_interactive_boot rule
  • [shared] [Enhancement] Make the display_login_attempts.sh remediation script more robust
  • [Enhancement] [RHEL/7] Enhance the RHEL-7 remediation script for smartcard_auth rule
  • [BugFix] [RHEL/6] Modify the existing RHEL-6 remediation scripts
    for the following rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime
  • [shared] Edge case fix for var_password_pam_unix_remember
  • [Enhancement] Add universal replace_or_append function
  • [Various products] Update --follow-symlink --> --follow-symlinks
  • [BugFix][RHEL/6] fix sed --follow-symlink typo in smartcard remediation script
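The universal replace_or_append function and the --follow-symlinks fixes listed above address the same concern: a remediation must set a configuration line idempotently and must edit the existing file rather than replace it, or a symlinked config turns into a plain file and ownership, mode and SELinux context are lost. The POSIX shell below is an added example of that pattern, not the SSG's own shared function; the function name and argument order are assumed, and the login.defs-style sample it edits is constructed for the demonstration.

```shell
#!/bin/sh
# replace_or_append FILE KEY_REGEX NEW_LINE   (illustrative, not SSG's code)
# Ensure FILE holds exactly one line for a configuration key, with the exact
# text NEW_LINE. KEY_REGEX is an awk extended regex that identifies the key;
# write it to match commented-out variants too, so a '#Key value' template
# line is turned into a live setting.
#   - the first matching line is replaced in place (file order is kept)
#   - further matching lines are dropped, so "last setting wins" parsers
#     cannot be left with a stale duplicate overriding the hardened value
#   - if nothing matches, NEW_LINE is appended
# The result is written back through the existing inode (cat > FILE), so
# symlinks are followed and ownership, mode and SELinux context survive.
# Note: awk -v expands backslash escapes in NEW_LINE; keep it free of them.
replace_or_append() {
    local file key_regex new_line tmp
    file=$1
    key_regex=$2
    new_line=$3
    [ -f "$file" ] || : > "$file"        # create an empty file if missing
    tmp="$file.tmp.$$"
    awk -v re="$key_regex" -v line="$new_line" '
        $0 ~ re { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed login.defs-style sample (not a real system file) exercising all
# three behaviours plus the symlink case. Prints the path of the edited file.
demo_replace_or_append() {
    local dir f
    dir=$(mktemp -d)
    f="$dir/login.defs"
    printf '%s\n' \
        '# constructed sample, not a real system file' \
        '#PASS_MAX_DAYS 99999' \
        'PASS_MAX_DAYS 99999' \
        'PASS_MIN_DAYS 0' > "$f"
    # commented-out template line becomes live; the stale duplicate is dropped
    replace_or_append "$f" '^[[:space:]]*#?[[:space:]]*PASS_MAX_DAYS' 'PASS_MAX_DAYS 60'
    # key absent: appended at the end
    replace_or_append "$f" '^[[:space:]]*#?[[:space:]]*UMASK' 'UMASK 077'
    # edit through a symlink: the link must survive and the target gets the change
    ln -s "$f" "$dir/link"
    replace_or_append "$dir/link" '^[[:space:]]*#?[[:space:]]*PASS_MIN_DAYS' 'PASS_MIN_DAYS 1'
    printf '%s\n' "$f"
}

edited=$(demo_replace_or_append)
cat "$edited"
```

Running it prints the four resulting lines (the comment, PASS_MAX_DAYS 60, PASS_MIN_DAYS 1, UMASK 077) and leaves the symlink intact, which is exactly what `sed -i` without `--follow-symlinks` would not do.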

Build System Bug Fixes:

  • Fix make validate target for Fedora (2015-12-03)

Infrastructure:

  • Rename fixes folder to remediations
  • [Enhancement][Infrastructure] add XCCDF and OVAL id check
  • Unify OVAL directory naming convention
  • [Enhancement][Infrastructure] detect oscap version
  • [Enhancement][Infrastructure] add id name to remediation scripts
  • [bugfix] remove duplicate openscap python import
  • [Enhancement][Infrastructure] Add openscap-python requirement to Build.md
  • [BugFix] Declare XCCDF vars before their use
  • Support for Fedora rawhide CPE
  • [Enhancement] [Infrastructure] Modify the buildsystem to allow remotely referenced OVAL
  • [BugFix] Fix regex in combineremediations.py
  • [Test suite] [RHEL/6] Add initial version of check_instances_test.py Python testing script for RHEL-6 content
  • [Enhancement] [Infrastructure] Enhance the various helper scripts that create OVAL checks from the templating
    files to support comments in the CSV files
  • [Enhancement] Update the list of CPEs for the Fedora benchmark because F21 is now end-of-life

Other changes:

  • Adding OSPP Kickstart file
  • Adding FedRAMP High Baseline

Full list of issues and pull requests closed in this release

SCAP Security Guide 0.1.26 Release Notes

11 Dec 20:14

Table of Contents

  1. Highlights
  2. Enhancements
  3. XCCDF changes / enhancements
  4. OVAL check changes / enhancements
  5. New Remediations
  6. Remediation fixes / other changes
  7. Bug Fixes
  8. Infrastructure
  9. Other changes
  10. Full list of issues and pull requests closed in this release

Highlights:

  • New OS Protection Profile for Red Hat Enterprise Linux 7 Server,
  • PCI-DSS profile implementation (all OVALs, remediations, and official
    ID mappings) for Red Hat Enterprise Linux 7 Server finished,
  • Remediation scripts now support multi_platform tags (replacement for
    former use of symbolic links),
  • The version of SCAP Security Guide is now included in the RHEL/5, RHEL/6, RHEL/7,
    Chromium, Fedora, JRE, RHEVM3, Webmin, and Firefox benchmarks,
  • Numerous XCCDF, OVAL, and remediation scripts enhancements and bug fixes.

Enhancements:

  • [OSPP-RHEL7-SERVER] OS Protection Profile for RHEL7 Server
    Profile based on FMT_MOF_EXT1.1 https://www.niap-ccevs.org/pp/pp_os_v4.0.htm#FMT_MOF_EXT.1
  • Assign CCE identifiers to RHEL-7 OSPP profile rules
  • [RHEL/7] Perform PCI-DSS profile rules mapping to official requirement numbers in the PCI-DSS v3 standard
  • [RHEL/7] Added OSPP/NIAP NIST table to Makefile

XCCDF changes / enhancements:

  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_remote_server' rule (add support for chronyd)
  • [RHEL/7] Update XCCDF prose for 'ntpd_specify_multiple_servers' rule (add support for chronyd)
  • [Fedora] add kernel XCCDF
  • [RHEL/6] [RHEL/7] [Fedora] Update XCCDF prose for 'audit_rules_login_events' rule
  • [RHEL/7] Updated XCCDF name disable_ypbind --> service_ypbind_disabled
  • [RHEL/6] [RHEL/7] [Fedora] accounts_password_pam_unix_remember rule -- update XCCDF prose and add
    pam_pwhistory support
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

OVAL check changes / enhancements:

  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_remote_server' rule
  • [RHEL/7] Add new OVAL check for 'chronyd_or_ntpd_specify_multiple_servers'
  • [RHEL/5] [RHEL/6] Fix OVAL for 'mount_option_nodev_removable_filesystems'
    to allow hyphens in hostnames and mountpoints, and IPv6 addresses
  • [RHEL/7] [Fedora] Add new OVAL check for 'rsyslog_files_permissions' rule
  • [RHEL/7] [Fedora] New OVAL check for 'rsyslog_files_ownership' rule
  • [RHEL/7] [Fedora] New OVAL for 'rsyslog_files_groupownership' rule
  • [RHEL/7] Update the template_kernel_module_disabled
  • [RHEL/6] Fix LDAP client TLS checks
  • [RHEL/7] Add RHEL/7 kernel OVAL checks and remediation scripts:
    • Added check for install_PAE_kernel_on_x86-32 for RHEL/7,
    • Added check for kernel_module_usb-storage_disabled for RHEL/7 and Fedora
    • Added remediations for kernel_module_usb-storage_disabled,
      package_kernel-PAE_installed, and sysctl_kernel_exec_shield
  • [RHEL/5] fix accounts_unique_uid.xml OVAL check
  • [RHEL/6] [RHEL/7] [Fedora] [Enhancement] Update sshd and cron XCCDF and OVAL content
    • Add sshd_disable_rhosts and sshd_use_approved_macs to RHEL/7
    • Add cron XCCDF and OVAL to Fedora
    • Update RHEL/7 XCCDF and stig_overlay to match OVAL naming convention
  • [RHEL/6] [RHEL/7] RHEL7 obsolete services and bluetooth checks/remediations
    • Add template_socket_disabled for any future socket checks
    • Add OVAL and remediation scripts for obsolete and bluetooth services
    • Update XCCDF content for obsolete services
    • Add socket macros
  • [RHEL/6] [RHEL/7] [Fedora] Add new /shared OVAL for 'account_unique_name' rule
  • [RHEL/6] [RHEL/7] [Fedora] Modify the former RHEL-5 specific OVAL check for the
    'gid_passwd_group_same' rule to be more universal (usable also on RHEL-6,
    RHEL-7 and Fedora systems)
  • [RHEL/6] [RHEL/7] [Fedora] New OVAL for 'aide_build_database' rule
  • [RHEL/6] Update existing RHEL-6 OVAL check for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Update existing OVAL check for 'audit_rules_login_events'
  • [RHEL/7] New OVAL check for 'smartcard_auth' rule
  • [RHEL/7] Add service_xinetd_disabled OVAL to RHEL/7
  • [RHEL/7] Enable referencing of the OVAL check for the 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] OVAL for RHEL7 no_rsh_trust_files
  • [RHEL/7] OVAL for RHEL7 disable_interactive_boot
  • [RHEL/7] Enable use of the 'install_hids' rule
  • [shared] Add CentOS gpgkey to OVAL check
  • [shared] Update 'dconf_gnome_screensaver_idle_delay' shared/ OVAL definition to
    require proper unsigned int datatype setting when configuring 'idle-delay' value
  • [shared] Require proper datatype (unsigned integer) to be specified for 'lock-delay'
    key of [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_lock_enabled' OVAL check
  • [RHEL/7] Require 'string' datatype specifier to be provided when setting 'picture-uri'
    key of the [org/gnome/desktop/screensaver] schema in 'dconf_gnome_screensaver_mode_blank' OVAL
  • [shared] Make rpmverifyfile_test consistent with "rpm -V" output
  • [RHEL/7] [Enhancement] Add debug-shell XCCDF and OVAL

New Remediations:

  • [RHEL/7] New RHEL-7 specific remediation for aide_build_database rule
  • [RHEL/7] New remediation for service_bluetooth_disabled rule
  • [RHEL/7] Remediation for RHEL7 uninstall_talk-server
  • [RHEL/7] Remediation for RHEL7 no_rsh_trust_files
  • [RHEL/7] Remediation for RHEL7 disable_interactive_boot
  • [RHEL/7] Remediation for RHEL7 require_singleuser_auth
  • [RHEL/7] Add RHEL-7 specific remediation functions for the following three audit rules:
    • audit_rules_time_adjtimex,
    • audit_rules_time_settimeofday, and
    • audit_rules_time_stime.
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_delay' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_idle_activation_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_lock_enabled' rule
  • [RHEL/7] New RHEL-7 remediation for 'dconf_gnome_screensaver_mode_blank' rule
  • [RHEL/7] [Fedora] New RHEL-7 and Fedora remediation for 'audit_rules_login_events' rule
  • [RHEL/7] [Fedora] Add new RHEL-7 and Fedora remediation for 'audit_rules_immutable' rule
  • [RHEL/7] New RHEL-7 remediation for 'rsyslog_files_permissions' rule

Remediation fixes / other changes:

  • [RHEL7] Updated package_remove remediation macro
    • Created bash remove package script
    • Added remediations for talk, ypbind, rsh, rsh-server, telnet
    • Updated bash package_removed remediation language to include a CAUTION note
  • [RHEL/6] Fix typo in RHEL/6 uninstall_ypserv.sh

Bug Fixes:

  • Fix failing 'make validate' for Fedora (2015-08-24),
  • Fix Fedora's 'make validate' target when run on RHEL-6 system (2015-09-10),
  • Fix multiple duplicate RHEL-6 vs RHEL-7 CCEs issue,
  • Fix make-validate on Fedora (2015-09-17),
  • [RHEL/5] fix make validate failures for RHEL/5 (2015-09-21),
  • [Fedora] Fix failing 'make validate' for Fedora product
    when Fedora content is built & validated on RHEL-6 system (2015-09-26),
  • [RHEL/5] Disable 'make validate' target for RHEL-5 content for now (2015-09-26),

Infrastructure:

  • Enhance RHEL/5's Makefile to look into /shared OVAL directory for possible OVAL definitions applicable to RHEL-5 product too
  • [Enhancement][RHEL/6][RHEL/7][Fedora] add functions for services and packages
    • Add function that can enable/disable service in RHEL and Fedora
    • Add function that can install/uninstall packages in RHEL and Fedora
    • Update services enabled/disabled templates
    • Update packages installed/removed templates
  • [Enhancement] add multi_platform checks to remediation scripts
  • [Enhancement] add platform tag to remediation scripts
  • [Enhancement][RHEL6/7][Fedora] remove remediation script symlinks
  • [Infrastructure] Fix cpe_generate.py FutureWarning error
  • Modified zipfile Makefile target to make a release ZIP to upload to Github

Other changes:

  • [RHEL/7] New DSS ODAA default banner

Full list of issues and pull requests closed in this release