
SCAP Security Guide 0.1.35 Release Notes

@yuumasato yuumasato released this 29 Aug 14:40

Highlights

  • Removed Red Hat Enterprise Linux 5 content: RHEL 5 reached End-of-Life on March 31, 2017
  • Added several templates for OVAL checks (with matching Bash and Ansible remediations)
  • Removed the input directory
  • Many optimizations in the build process
  • PCI-DSS benchmark variants now carry a distinct title ("PCI-DSS variant" suffix)

Profile

  • [Bugfix] Refix selector for var_time_service_set_maxpoll
  • [Bugfix] Fix selector for var_time_service_set_maxpoll
  • [Bugfix] Removed extra whitespace around RHEL6 STIG profile titles
  • updated profiles to properly use description override
  • [Bugfix] update profiles to accept either DoD banner
  • [Bugfix] Fix refined value typo in RHEL6 FISMA profile

XCCDF

  • [Enhancement] Add firewalld and LDAP checks
  • [Bugfix] Fix for Issue 2264
  • [Bugfix] update ntpd maxpoll to align with DISA
  • [Bugfix] update severity of RHEL-07-021350 (fips=1) to HIGH to align w/DISA
  • [Bugfix] Add variable for dconf_gnome_screensaver_lock_delay
  • [Bugfix] Maxpoll should be set if chronyd is in use
  • Add dod_banners option to banner_login_text
  • [Bugfix][Enhancement] Package firewalld installed
  • [Bugfix] Use profile variable settings for login.defs to clear up scan results confusion
  • STIG Updates
  • RHEL-07-040460 - UsePrivilegeSeparation sandbox
  • [Bugfix] CCE for insmod auditing
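
The maxpoll entries above (the ntpd update, and the note that maxpoll must also be set when chronyd is in use) amount to one check applied to whichever time daemon is active. The Bash below is an added illustration of that check, not the project's own XCCDF/OVAL content or remediation: it verifies that every server, pool or peer line in a daemon's configuration carries the profile's maxpoll value. The function names, the two constructed sample configurations, the use of systemctl to decide which daemon is active, and the value 10 used in the demo are all assumptions made for this example; the real value is the profile variable var_time_service_set_maxpoll.

```bash
#!/bin/bash
# Added example, not SCAP Security Guide code: verify that every time source
# in an ntpd or chronyd configuration carries "maxpoll <value>".

# check_time_service_maxpoll CONF VALUE
#   0 = every server/pool/peer line has "maxpoll VALUE"
#   1 = at least one line lacks it (offending lines go to stderr)
#   2 = CONF is missing or unreadable
check_time_service_maxpoll() {
    local conf="$1" want="$2" line rc=0
    [ -r "$conf" ] || return 2
    while read -r line; do
        line=${line%%#*}                      # drop comments: "# server x" is not a source
        case "$line" in
            server[[:space:]]*|pool[[:space:]]*|peer[[:space:]]*) ;;
            *) continue ;;
        esac
        if ! printf '%s\n' "$line" |
             grep -Eq "(^|[[:space:]])maxpoll[[:space:]]+${want}([[:space:]]|$)"; then
            printf 'missing "maxpoll %s": %s\n' "$want" "$line" >&2
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# time_service_conf: configuration file of the daemon in use; chronyd takes
# precedence when it is active (assumption modelled on the note above).
time_service_conf() {
    if systemctl -q is-active chronyd 2>/dev/null; then
        echo /etc/chrony.conf
    elif systemctl -q is-active ntpd 2>/dev/null; then
        echo /etc/ntp.conf
    else
        return 1
    fi
}

# write_sample_configs DIR: constructed samples, one compliant and one not.
write_sample_configs() {
    cat > "$1/chrony.conf" <<'EOF'
server 0.pool.example.net iburst maxpoll 10
pool   1.pool.example.net iburst maxpoll 10
# server old.example.net iburst     (commented out, must be ignored)
driftfile /var/lib/chrony/drift
EOF
    cat > "$1/ntp.conf" <<'EOF'
server 0.pool.example.net iburst
server 1.pool.example.net iburst maxpoll 12
restrict default nomodify notrap nopeer noquery
EOF
}

# Stand-alone demo against the samples; 10 is an assumed profile value.
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in chrony.conf ntp.conf; do
    check_time_service_maxpoll "$tmp/$f" 10 && echo "$f: pass" || echo "$f: fail (status $?)"
done
rm -rf "$tmp"
```

Comments are stripped before matching, so a commented-out server line neither passes nor fails the check, and a line with a different maxpoll value fails just like one with none. A missing configuration file is reported with its own status (2) rather than as a bare failure, so a caller can tell "daemon not configured" apart from "configured wrongly".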

OVAL

  • [Bugfix] change to also check inside of /etc/security/limits.d to verify core …
  • [Bugfix] Check if SSH keys are present before validating file permissions
  • [Bugfix] Update accounts_passwords_pam_faillock_deny to handle line skipping
  • [Bugfix] Check if aide is installed in OVAL and remediation scripts
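
The OVAL fix that checks for SSH keys before validating their permissions is an instance of a general rule: a permission check over an empty object set is not applicable and must not be reported as a failed rule. The Bash below is an added example of that pattern, not SSG's OVAL or remediation code. The function names, the constructed empty stand-in key files and the ceiling of 640 used in the demo are assumptions for the example; the mode a given profile actually requires comes from the benchmark, not from here.

```bash
#!/bin/bash
# Added example, not SCAP Security Guide code. A permission check that first
# establishes whether any SSH private host key exists: no keys means "not
# applicable", which is reported separately from a failed check.

# check_ssh_host_key_perms DIR MAX_MODE
#   0 = private host keys exist and none is more permissive than MAX_MODE
#   1 = at least one key has a permission bit outside MAX_MODE (listed on stderr)
#   3 = no ssh_host_*_key files in DIR: not applicable
check_ssh_host_key_perms() {
    local dir="$1" max="$2" key mode have allow found=0 rc=0
    for key in "$dir"/ssh_host_*_key; do      # private keys only; *.pub never matches
        [ -f "$key" ] || continue             # unexpanded glob: nothing to check
        found=1
        mode=$(stat -c '%a' "$key")           # GNU stat: octal permission bits, e.g. 600
        have=$(printf '%d' "0$mode")          # leading 0 makes printf parse octal
        allow=$(printf '%d' "0$max")
        # Any bit set in the key's mode but clear in MAX_MODE is a violation.
        if [ $(( have & ~allow )) -ne 0 ]; then
            printf '%s: mode %s exceeds %s\n' "$key" "$mode" "$max" >&2
            rc=1
        fi
    done
    [ "$found" -eq 1 ] || return 3
    return "$rc"
}

# make_sample_keys DIR MODE: constructed stand-ins for host keys (empty files,
# no key material), plus a public key that the check must ignore.
make_sample_keys() {
    local dir="$1" mode="$2"
    mkdir -p "$dir"
    : > "$dir/ssh_host_rsa_key";     chmod "$mode" "$dir/ssh_host_rsa_key"
    : > "$dir/ssh_host_ed25519_key"; chmod "$mode" "$dir/ssh_host_ed25519_key"
    : > "$dir/ssh_host_rsa_key.pub"; chmod 644 "$dir/ssh_host_rsa_key.pub"
}

# Stand-alone demo; 640 as the ceiling is an assumption for the example.
base=$(mktemp -d)
mkdir "$base/none"
make_sample_keys "$base/strict" 600
make_sample_keys "$base/loose" 644
for d in none strict loose; do
    check_ssh_host_key_perms "$base/$d" 640 2>/dev/null
    echo "$d: status $?"
done
rm -rf "$base"
```

The comparison is bitwise rather than numeric on purpose: 0604 is numerically smaller than 0640 but grants world read, so "less than or equal" on the octal number would wrongly pass it, while `have & ~allow` catches the stray bit.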

Remediations

  • [Bugfix] Fixing issue 2205
  • [Bugfix] Ansible branch for issue 2205 RHEL 7.3 error: rpm_verify_permissi..
  • [Bugfix] re-enable remediation for net.ipv6.conf.all.disable_ipv6 = 1
  • [Ansible] ansible: account_disable_post_pw_expiration
  • Ansible accounts umask etc login defs
  • [Ansible] ansible: sssd_*
  • [Enhancement] dconf_gnome_screensaver_* ansible scripts
  • [Enhancement] GDM ansible scripts
  • [Enhancement] Set rsyslog_remote_loghost_address to default value "logcollector"
  • [Ansible] Creates file_permissions_* ANSIBLE remediation
  • [Ansible] Creates file_owner_* ANSIBLE remediation
  • [Ansible] ansible: dconf_gnome_disable_*
  • [Enhancement] Creates file_groupowner_* Ansible remediation
  • [Bugfix] Removes silent from the pam.d deny_root search/replace pattern
  • [Bugfix] fix audit syscall rule sed needs an escape character to properly run
  • [Bugfix] Adding update to fix_audit_syscall_rule to not use slashes
  • [Ansible] Creates audit_rules_privileged_commands ANSIBLE remediation
  • Disable remediation for "repo_gpgcheck=1"
  • Additional Ansible Scripts
  • [Bugfix] remove nullok, handle links
  • [Ansible][Enhancement] Firewalld ansible fixes
  • [Ansible][Enhancement] [ansible] security_patches_up_to_date

Infrastructure

  • Update Fedora CPEs
  • update manpage to have --oval-results in example
  • Removes platform column from file_groupowner csv
  • [Bugfix] add container_build to gitignore
  • [Enhancement] Add "PCI-DSS variant" suffix to every title of the PCI-DSS benchmark
  • [Enhancement] Remove input directory
  • [Enhancement] docs: How to create stig_overlay.xml
  • [Ansible][Enhancement] Creates templates for audit_rules_execution OVAL checks, BASH and ANSIBLE remediations
  • [Bugfix] Functions use return, "exit" exits whole script
  • [Bugfix][Infrastructure] Don't generate roles for empty profiles
  • Minor idtranslate fixes
  • [Bugfix][Enhancement] Minor PEP8 fixes in map_product_module.py
  • Skip non-bash remediation function script files
  • [Bugfix] Rebuild PCI-DSS XCCDF benchmark if the script or PCI-DSS ID json change.
  • [Bugfix] Use str.replace instead of re.sub in create_audit_rules_..
  • [Enhancement][Infrastructure] Creates template for audit_rules_usergroup_modification OVAL checks
  • [Ansible][Infrastructure] Template for audit_rules_privileged_commands
  • [Enhancement] Check that a trimmed key is not part of the result string after template sub
  • Creates template for audit_rules_login_events OVAL checks and BASH remediations
  • [Bugfix] Evaluate sed command
  • Creates template for audit_rules_file_deletion_events OVAL and BASH
  • [Bugfix] Fixed the variable substitution in template_OVAL_permissions
  • Creates template for audit_rules_unsuccessful_file_modification OVAL and BASH
  • Sorts the output of option --missing-fix in profile-stats.py
  • Fixes bug in relabel-ids.py regarding missing OVAL definitions
  • Adds CMakeLists.txt.user to .gitignore
  • [Bugfix][Infrastructure] %VAR% for template replace, @var@ for build system replace
  • [Bugfix] Dockerfile fixes
  • [Infrastructure] Updates python shebangs for virtualenv support.
  • [Infrastructure] PCI-DSS and CJIS Ansible tags
  • [Infrastructure] Only consider PCI-DSS related rules when constructing the PCI-DSS tree
  • [Infrastructure] Ansible tags improvements
  • [Enhancement][Infrastructure] Minor speedups in templates
  • [Enhancement][Infrastructure] Minor cmake improvements
  • [Enhancement][Infrastructure] Version bump
  • [Bugfix][Enhancement][Infrastructure] Improved OVAL and OCIL generator elements
  • [Bugfix][Infrastructure] Combine ovals namespace fixes
  • [Bugfix] Pass the correct variable to the template in create services disabled
  • [Infrastructure] Make schematron OVAL validation optional but still default it to true (build time optimization)
  • [Infrastructure] Very minor optimization in srgmap XSLT (build time optimization)
  • [Infrastructure] Make SSG build more portable
  • [Bugfix][DISA Content Issues] Include AIDE installed in the STIG profile for RHEL7
  • [Infrastructure] Make stats
  • [Infrastructure] Generate roles from xccdf
  • [Infrastructure] Don't list templating file outputs as explicit deps for the targets (build time optimization)
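
The bugfix noted above (functions use return; "exit" exits the whole script) matters because, as the note implies, the Bash remediation functions are gathered into one larger script. The following is an added example, not project code, showing the failure mode with constructed remediation functions: a remediation that calls exit when its PAM file is missing terminates the driver, and the remediations queued after it never run; the same condition reported with return lets the driver finish and count the failure. The function names and the fake /etc tree are assumptions for the example.

```bash
#!/bin/bash
# Added example, not SCAP Security Guide code. Remediation functions are
# sourced into a single driver script, so "exit" inside one of them
# terminates the driver and silently skips every remediation after it;
# "return" reports the failure and lets the driver continue.

# Constructed remediations; each receives a fake /etc directory.
fix_login_defs_umask() {
    local f="$1/login.defs"
    grep -qs '^UMASK' "$f" || echo 'UMASK 077' >> "$f"
    return 0
}

# Wrong: a missing PAM file kills the whole driver.
fix_pam_deny_root_exit() {
    local f="$1/pam.d/system-auth"
    [ -f "$f" ] || exit 1
    grep -q 'even_deny_root' "$f" || echo '# even_deny_root added (constructed)' >> "$f"
    return 0
}

# Right: same condition, reported with return so the driver goes on.
fix_pam_deny_root_return() {
    local f="$1/pam.d/system-auth"
    [ -f "$f" ] || return 1
    grep -q 'even_deny_root' "$f" || echo '# even_deny_root added (constructed)' >> "$f"
    return 0
}

# run_remediations ETC FUNC...: apply each function in turn, then print
# "succeeded/total". Callers wrap it in $(...) or ( ... ) so an "exit" in a
# remediation only kills this driver and not the calling shell.
run_remediations() {
    local etc="$1" f ok=0 total=0
    shift
    for f in "$@"; do
        total=$((total + 1))
        "$f" "$etc" && ok=$((ok + 1))
    done
    echo "$ok/$total"
}

# make_fake_etc DIR WITH_PAM: constructed tree; pam.d/system-auth only if WITH_PAM=1.
make_fake_etc() {
    mkdir -p "$1"
    if [ "$2" = 1 ]; then
        mkdir -p "$1/pam.d"
        echo 'auth required pam_faillock.so preauth' > "$1/pam.d/system-auth"
    fi
}

# Stand-alone demo: same three remediations with the PAM file absent.
etc=$(mktemp -d)
make_fake_etc "$etc" 0
summary=$(run_remediations "$etc" fix_login_defs_umask fix_pam_deny_root_exit fix_login_defs_umask)
echo "with exit:   driver status $?, summary '${summary:-<none: driver died>}'"
summary=$(run_remediations "$etc" fix_login_defs_umask fix_pam_deny_root_return fix_login_defs_umask)
echo "with return: driver status $?, summary '$summary'"
rm -rf "$etc"
```

With the exit variant the driver dies at the second remediation, so the third never runs and no summary is printed; with the return variant the driver reports 2/3 and the third remediation still executes. The same reasoning applies to the Ansible side, where a task failure is recorded per task rather than aborting the play outright.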

Full list of issues and pull requests closed in this release