github-actions
released this
14 Nov 19:57
·
226 commits
to master
since this release
Important Highlights
- Add new product kylinserver10 (#12393)
- Create OL10 product (#12290)
- Update PCI-DSS control file for version 4.0.1 (#12435)
New Rules and Profiles
- [New Rule] Package kea removed (#12464)
- Add Ism profile for ol8 (#12493)
- Add Ism profile to OL9 (#12346)
- Create CIS rules for login banners (#12472)
- New rule tftp_uses_secure_mode_systemd (#12436)
- Update chrony rules for RHEL 10 (#12415)
- Update RHEL 9 STIG to V2R2 (#12551)
Updated Rules and Profiles
- Add to slmicro5 STIG pam pwhistory remember rule (#12255)
- Add CCI to
package_postfix_installed
(#12446) - Add hipaa reference to
sshd_use_directory_configuration
(#12437) - Add Ism profile for ol8 (#12493)
- Add Missing CPEs for RHEL10 (#12411)
- Add OL into jinja conditionals (#12461)
- Add package_rng-tools_installed to Fedora OSPP profile (#12244)
- Add RHEL 10 to Jinja if statements in firewalld_sshd_port_enabled (#12504)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add rule chronyd_or_ntpd_set_maxpoll to SLE Micro 5 STIG profile (#12499)
- Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
- Add rules removed from RHEL8/RHEL9 profiles back to datastream (#12572)
- Add STIG rules for slmicro5 covering lib dirs root ownership (#12252)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- Adjust FIPS enable_fips_mode for RHEL 10 (#12414)
- Adjust zipl_bls_entries_option template remedation to allow RHEL 10 (#12410)
- Change directory_permissions_etc_iptables to 700 (#12384)
- Change platform for rules related to partitions (#12562)
- Change platform in xwindows_runlevel_target (#12563)
- Consolidate ASCS RHEL profiles lastlog via sshd (#12249)
- convert more rules to sshd_lineinfile template (#12301)
- Create CIS rules for login banners (#12472)
- Fix a typo (#12275)
- Fix Audit related rules in RHEL 10 (#12359)
- Fix chronyd remote server filepath dir regex (#12312)
- fix for issue 11909 (#12318)
- Fix rules from the net-snmp component (#12391)
- grub2_vsyscall_argument should only be applicable to x86_64 (#12408)
- Hide CJIS profile for OL8 (#12357)
- Move daemon.* to /var/log/messages (#12433)
- Move package_rear_installed to related rules in e8 (#12456)
- Move RPM verify rules to use --restore (#12413)
- OCP4: Optimize ingress trusted ca remediation (#12268)
- Remove
sshd_enable_warning_banner_net
from HIPAA control file (#12534) - Remove Outdated GNOME Rules in RHEL 10 (#12460)
- Remove package_talk-server_removed from RHEL 10 ANSSI (#12457)
- Remove rng-tools package rules from RHEL 10 (#12455)
- Remove sendmail from RHEL 10 profiles (#12452)
- Remove sshd_allow_only_protocol2 from RHEL 10 (#12390)
- Remove ypbind rules from RHEL10 (#12450)
- Remove ypserv from RHEL 10 profiles (#12451)
- Rename
cron
package tocronie
for RHEL10 product (#12463) - Review PCI-DSS requirements and rules for RHEL 10 (#12347)
- Review sshd_set_maxstartups rule (#12419)
- RHEL 10 HIPAA Profile Updates (#12345)
- RHEL 10 ISM_O: add back enable_fips_mode rule (#12449)
- RHEL 10 STIG Update (#12348)
- RHEL 10 tmux changes (#12383)
- RHEL 9 STIG: change remediated Networkmanager DNS mode (#12448)
- Slmicro5 stig add accounts and amount rules support (#12353)
- Slmicro5 stig add accounts and software rules support (#12364)
- Slmicro5 stig add rules selinux ssh and audit (#12316)
- Slmicro5 stig add services and software rules support (#12395)
- Stabilization: update audit_ospp_general with the latest content (#12592)
- Two CIS RHEL 9 enhancements (#12453)
- Ubuntu 22.04 STIG V2R1 changes (#12298)
- Update ANSSI BP28 profiles in rhel10 product (#12351)
- Update CCI Numbers due to new STIG/SRG GPOS (#12374)
- Update chrony rules for RHEL 10 (#12415)
- Update e8 profile for RHEL 10 (#12402)
- Update file_permissions_etc_chrony_keys (#12521)
- Update file_permissions_etc_chrony_keys to 640 (#12577)
- Update install_smartcard_packages for RHEL10 (#12459)
- update ism_o profiles for RHEL 10 (#12418)
- Update Jinja for package_rsync_removed for RHEL 10 (#12480)
- Update networkmanager_dns_mode for bootable containers (#12574)
- Update of the rule encrypt_partitions to support SLEM (#12343)
- Update ol7 stig (#12544)
- Update ol8 stig (#12545)
- Update OSPP control file (#12369)
- Update PCI-DSS control file for version 4.0.1 (#12435)
- update pwd length requirements for ism_o profile (#12431)
- Update RHEL 10 STIG Selections (#12376)
- Update RHEL 8 STIG due to rule removal (#12559)
- Update RHEL 8 STIG to V2R1 (#12550)
- Update RHEL 9 STIG to V2R1 (#12373)
- Update RHEL 9 STIG to V2R2 (#12551)
- Update rsyslog_cron_logging for bootable containers (#12575)
- Update service_rngd_enabled for RHEL 10 (#12243)
- Update SLE12 STIG version to V3R1 (#12580)
- Update SLE15 STIG version to V2R2 (#12570)
- Update various openshift assertions (#12443)
- Updated 6 rules 2 for sle micro (#12331)
- Updated packages related to openssh to support slem (#12338)
- Updated rules based on template service_disabled to support slem (#12337)
- Updates for Debian 12.6 (#12432)
- Updates related to the rule permissions_local_var_log_audit (#12356)
- Various Bug Fixes for Debian (#12084)
Removed Products
- Remove uos20 (#12248)
Changes in Remediations
- Add ansible remediation configure_bind_crypto_policy (#12325)
- Add ansible remediation to ensure_oracle_gpgkey_installed rule (#12323)
- Add ansible remediation to mount_option_home template (#12546)
- Add ansible remediaton for rsyslog_cron_logging rule (#12326)
- Add insensitive option to ansible_lineinfile macro (#12314)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add rule security_patches_up_to_date to SLE Micro 5 STIG profile (#12506)
- Add rules to support remote offload of journal logs (#12479)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- Added remediation and tests for the rule permissions_local_var_log_audit (#12360)
- Avoid tmpfiles override (#12218)
- Bring bash version in-sync with Ansible (#12398)
- Change flags cleanup (#12397)
- Create CIS rules for login banners (#12472)
- Don't autoremove packages on dnf package uninstall (#12389)
- Fix "unknown predicate -L" (#12305)
- Fix ansible remediation for audispd plugin UBTU-20-010216 (#12293)
- Skip users with ID above UID MAX on accounts_user_interactive_home_directory_defined (#12527)
- SLE15 related fixes in ntp and aide rules (#12548)
- Slmicro5 stig add accounts and software rules support (#12364)
- Update ansible remediation to harden_sshd_ciphers_openssh_conf_crypto_policy rule (#12324)
- Update bash remediation to fix bug into account_disable_inactivity* (#12134)
- Update remedation for firewalld_sshd_port_enabled (#12522)
- Update select rules for RHEL not to modify systemd units in /usr (#12486)
- Update SLE12 STIG version to V3R1 (#12580)
- Update SLE15 STIG version to V2R2 (#12570)
Changes in Checks
- Add "is_substring" variable to grub2_bootloader_argument template (#12308)
- Add OL9 into installed_OS_is_vendor_supported (#12333)
- Add rule accounts_tmout to SLE Micro 5 STIG profile (#12524)
- Add support for XCCDF variables into sshd_lineinfile template (#12251)
- convert more rules to sshd_lineinfile template (#12301)
- Create CIS rules for login banners (#12472)
- enhance the grub2_argument template to cover more use cases (#12375)
- Fix Audit related rules in RHEL 10 (#12359)
- Fix inventory_test_kernel_installed for SLE (#12516)
- Remove redundant sshd oval macro (#12532)
- Slmicro5 stig add accounts and software rules support (#12364)
- Update SLE15 STIG version to V2R2 (#12570)
Changes in the Infrastructure
- Add ocp4 pci dss references (#12309)
- Add setuptools python package to Fedora (#12565)
- Add setuptools to ocp4 build (#12566)
- Build empty OVAL (#12262)
- Build SCE content by default in rhel9 and rhel10 products (#12488)
- Enable templated SCE checks (#12445)
- Ensure that platforms is valid in Automatus tests (#12505)
- Fix issue with ambiguity of control product (#12454)
- Fix thin data streams with SCE (#12503)
- Fix validation with OpenSCAP 1.4 (#12303)
- Fix Windows for OpenSCAP 1.4.0 release (#12304)
- Introduce bootc remediation type (#12497)
- Move data stream component references (#12557)
- Remove template option (#12341)
- Stop SCAP content validation if not necessary (#12523)
- Update Fedora in
install_vm.py
to F41 (#12567)
Changes in the Test Suite
- add debian12 automatus workflow (#12128)
- Add OCP and RHCOS assertion files for 4.17 (#12266)
- Add RHEL Platform to Select AIDE Tests (#12483)
- add rule sysctl_kernel_modules_disabled to unselect_rules_list (#12354)
- Fix automatus podman (#12230)
- Fix Automatus Sanity (#12188)
- Improve Benchmark detection in Automatus (#12554)
- Introduce
/rpmbuild-ctest-fedora
CI for all Fedora versions (#12176) - modify test scenarios of grub2_argument template to handle variables (#12428)
- Remove
missing-references
ctest (#12434) - Remove template option (#12341)
- Review and update install_vm.py script (#12254)
Documentation
- Add UOS 20 removal to docs (#12257)
- Align release date calculation with documentation (#12240)
- Bump master version to 0.1.75 (#12235)
- Clarify stabilization dates process for more predictability (#12232)
- Include a section for fixed bugs in changelog (#12239)
- Remove old and broken tldp.org link (#12284)
- Update contributors for 0.1.75 (#12576)
Fixed Bugs
- Remove installed_OS_is_FIPS_certified from sshd_use_approved_ciphers (#12242)
firewalld_sshd_port_enabled
add zone to all connections (#12256)- Create CIS rules for login banners (#12472)
- Disable
sysctl_kernel_modules_disabled
Ansible remediation (#12514) - Explicitly state FindOpenSCAP cmake so it loads before it's used. (#12538)
- Extend mount_option_nodev_nonroot_local_partitions (#12270)
- Fix crypto policy selection rhel10 (#12466)
- Fix references section in the workshop artificial rule data. (#12261)
- Fix title of var_networkmanager_dns_mode (#12258)
- Remove enable_dracut_fips_module from RHEL 10 profiles (#12467)
- Two CIS RHEL 9 enhancements (#12453)
- Update Account Home Folder Rules (#12465)
- Update audit_rules_suid_privilege_function to use ExecStart instead of ExecStartPost (#12549)
- Update Regex for sudoers_explicit_command_args (#12350)
- Update SLE15 STIG version to V2R1 (#12269)