Releases
v0.1.54
Highlights:
Remove RHEL6 content (#6325 )
Add readthedocs documentation support (#6299 )
Introduce centralised policy definitions (#6499 )
Profiles changed in this release:
ocp4: moderate, cis-node, ncp, e8, cis
rhel7: anssi_nt28_intermediary, cui, cjis, anssi_nt28_minimal, C2S, anssi_nt28_enhanced, stig, ncp, hipaa, e8, anssi_nt28_high, ospp
ol7: stig
rhel8: cui, cjis, anssi_bp28_high, cis, stig, pci-dss, anssi_bp28_intermediary, hipaa, anssi_bp28_minimal, anssi_bp28_enhanced, e8, ospp
rhcos4: ospp, ncp, e8, moderate
rhv4: rhvh-stig, rhvh-vpp
sle12: stig
ol8: e8
Profiles:
Add xwindows_runlevel_target to RHEL7 STIG profile (#6420 )
Remove severity adjustments on OL7 STIG profile (#6403 )
Update SMEs and owners (#6448 )
Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml (#6438 )
Fix RHEL8 CIS Benchmark version (#6463 )
Use control selectors in RHEL8 ANSSI profiles (#6505 )
Update e8 profiles to use correct link to E8 Linux guide (#6497 )
Add initial artifacts to support RHEL8 STIG content (#6513 )
Update RHEL7 STIG profile with /var/log/audit related rules (#6430 )
Update ANSSI Minimal and Intermediary requirements (#6520 )
Add dconf_gnome_disable_automount to RHEL STIG profile (#5961 )
Rules:
Added simple lineinfile template (#6389 )
Generate the CPE Dictionary dynamically (#6304 )
Drop remediation for sudo_dedicated_group (#6556 )
ocp4: Add check for audit log forwarding (#6428 )
Change severity of rules according to STIG V3R1 (#6417 )
Add test to grub2_enable_fips_mode to check if /etc/system-fips exists (#6418 )
Moved OVAL CVE Feed metadata from the rule to individual products (#6419 )
Add new rule dir_perms_world_writable_system_owned_group (#6421 )
SRG for ssh_client_rekey_limit (#6409 )
OCP4/CIS: tidy etcd_unique_ca text (#6407 )
add rule ssh_client_use_strong_rng (#6404 )
ocp4/CIS 1.1.20: Fix references in rules (#6401 )
Add OCIL clauses to several openshift rules (#6457 )
compliance-operator: Prepare rules and profiles for productization (#6455 )
ocp4: ovs conf.db: tighten file permissions (#6445 )
fix oval of grub2_kernel_trust_cpu_rng (#6444 )
add ospp reference to configure_libreswan_crypto_policy (#6443 )
ocp4/CIS 1.2.10: Enable checks (#6436 )
Add OVAL for the second rule covering CIS 4.2.10 (#6489 )
Enable checks and remediations for SLES-12 STIGs (#6485 )
Several cleanup patches for CIS 1.2.x (#6480 )
Add new rules for ANSSI BP28 R22 (#6483 )
OCP4: Add CCEs to rules used by the CIS profile (#6478 )
OCP: Cleanup rules in section 1.1 of CIS profile (#6477 )
Add stricter permissions option to file permissions template (#6476 )
Implement a rule for sudoers - ANSSI R60 (#6473 )
CIS: Add two missing OCILs (#6474 )
Support SLES-12-010380, SLES-12-010110, and SLES-12-030150 (#6472 )
Fix some missing extend_definition dependencies (#6465 )
Add support for parameters in sudo_defaults_option template (#6508 )
Add SRG references for use_pam_wheel_for_su rule (#6356 )
update rule postfix_network_listening_disabled (#6509 )
add rules to anssi r12 (#6515 )
Create new rules for ANSSI R39 (#6495 )
Enable checks and remediations for SLES-12 STIGs (#6504 )
Fix jinja expansion on installed_OS_is_vendor_supported (#6511 )
Updates for Anssi requirement 49 (#6510 )
add rule checking if world writable directories are owned by root (#6507 )
Add rule to check if OS is 64-bit when supported by CPU (#6496 )
Add the sudoers_no_command_negation rule - ANSSI R62 (#6498 )
Add rules to enable sudoers options (#6369 )
Add rule to configure group owner of /usr/bin/sudo (#6352 )
Add RHEL8 CCE to ANSSI selected rules (#6494 )
Add rules for Anssi-bp-028 R23 (#6490 )
Add rule to drop sudo 'other' execution permission (#6363 )
Add new pwquality.conf and faillock.conf rules (#6370 )
Add mount_option and partition rules (#6340 )
Add bios and uefi CPE applicability for grub2 rules (#6286 )
Add rule for password hashing rounds in pam_unix (#6334 )
OCP4/CIS 2.X: Fix descriptions and add checks (#6338 )
Disable OVAL backend from file_permissions grub2_cfg rules (#6277 )
add rule use_pam_wheel_for_su (#6256 )
OCP4/CIS 1.4.1: Remove invalid rule and add reference to actual check (#6329 )
fix remediation of audit_rules_privileged_commands (#6227 )
fix ansible remediation of dir_perms_world_writable_root_owned (#6574 )
fix remediations of dir_perms_world_writable_root_owned (#6558 )
fix selinux_policytype oval regex (#6530 )
ocp4: Add automatic remediation for etcd encryption provider (#6411 )
OCP4/CIS: kubelet_configure_event_creation e2e remediation (#6406 )
Add kubernetes remediation for sysctl_kernel_randomize_va_space (#6456 )
kubernetes: Fix kernel argument template (#6450 )
RHCOS4: Fix sysctl remediations and add tests (#6449 )
More precise modified time comparison in "configure_crypto_policy" (#6437 )
Propagated possibility to select the remediation backend (#6433 )
Fix FIPS checks for RHCOS (#6479 )
disable_ctrlaltdel_burstaction: Take into account .d/ directory too (#6471 )
Make rsyslog_remote_tls regex case insensitive for rsyslogs parameters (#6396 )
Fix bash_dconf_settings to grep whole keyword alike (#6364 )
Tests:
Extend list of rules of unselected rules for testing (#6573 )
Remove noauto for boot partition from test kickstart and ANSSI profiles (#6570 )
Update testing kickstart file partitions (#6555 )
Add cap_audit_write to be able to run sshd in containers (#6557 )
Move uefi_no_removeable_media tests to correct place (#6414 )
Introduce test suite script wrappers (#6405 )
ocp4: Add tests for rhcos4 kernel arguments (#6451 )
OCP: Add missing tests for two rules that are passing by default (#6466 )
configure_crypto_policy test scenario - ensure that both files have same timestamp (#6502 )
Add documentation for variables option in test scenarios. (#6377 )
Implement variable metadata for test scenarios (#6323 )
Remove capture_output option from subprocess.run in SSGTS (#6347 )
Refactored interaction with the tested machine (#6322 )