Important Highlights
- Ubuntu 22.04 CIS (ComplianceAsCode#9953)
- OL7 stig v2r9 update (ComplianceAsCode#9976)
- Bump OL8 STIG version to V1R4 (ComplianceAsCode#9974)
- Update RHEL7 STIG to V3R10 (ComplianceAsCode#10079)
- Update RHEL8 STIG to V1R9 (ComplianceAsCode#10078)
- Introduce CIS RHEL9 profiles (ComplianceAsCode#10091)
New Rules and Profiles
- Add nonessential services rule (ComplianceAsCode#9912)
- Added a new rule package_firewalld_removed (ComplianceAsCode#9937)
- Added a new SLE 12/15 rule package_rsync_removed (ComplianceAsCode#9932)
- Added a new rule package_cups_removed (ComplianceAsCode#9930)
- Added a new rule firewalld_service_disabled (ComplianceAsCode#9941)
- Added a new SLE 15 rule package_nftables_installed (ComplianceAsCode#9934)
- Add rule for no .forward files (ComplianceAsCode#9990)
- Add new rule grub2_enable_apparmor (ComplianceAsCode#9978)
- Added a new rule package_tcp_wrappers_removed (ComplianceAsCode#9981)
- Added a new SLE 12/15 rule package_rpcbind_removed (ComplianceAsCode#9931)
- Add package prelink removed (ComplianceAsCode#10062)
- add new rule audit_rules_immutable_login_uids (ComplianceAsCode#10070)
- Added 2 rules for 15 related to nftables (ComplianceAsCode#10068)
- New SLE 15 rule ensure_iptables_are_flushed (ComplianceAsCode#10107)
- add new rule configure_bashrc_tmux (ComplianceAsCode#10100)
Updated Rules and Profiles
- Include warning regarding quota options in XFS (ComplianceAsCode#9879)
- Update the sshd_set_keepalive regarding ClientAliveCountMax (ComplianceAsCode#9903)
- Sync rules for RHEL 9 STIG (ComplianceAsCode#9788)
- Changing a few hardcoded OS names for full_name (ComplianceAsCode#9936)
- Assign CIS and CCE-IDs to multiple rules (SLES) (ComplianceAsCode#9940)
- SLE 12/15 CCE and CIS numbers for the CIS group job schedulers (ComplianceAsCode#9883)
- Update sudo_require_reauthentication (ComplianceAsCode#9923)
- Update kmod audit rule for OL7 (ComplianceAsCode#9949)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (ComplianceAsCode#9994)
- Add rule to OL7 stig profile (ComplianceAsCode#10028)
- Small corrections related to 3 rules (ComplianceAsCode#9995)
- Add new rule grub2_enable_apparmor (ComplianceAsCode#9978)
- Include Ubuntu products in package_rsync_removed (ComplianceAsCode#10051)
- Include Ubuntu products in package_nftables_installed (ComplianceAsCode#10052)
- Fix the service_telnet_disabled rule (ComplianceAsCode#10033)
- Update package name for RHEL in package_rsync_removed (ComplianceAsCode#10053)
- Include Ubuntu products in package_cups_removed (ComplianceAsCode#10050)
- Include Ubuntu products in package_rpcbind_removed (ComplianceAsCode#10055)
- Update link to NTP docs (ComplianceAsCode#10056)
- Include Ubuntu products in package_prelink_removed (ComplianceAsCode#10071)
- Add account_emergency_expire_date to OL7 stig (ComplianceAsCode#10073)
- Add aide_build_database to STIG in OL and RHEL (ComplianceAsCode#10094)
- Include Ubuntu products in two nftables rules (ComplianceAsCode#10101)
- Move two rules to higher level in cis_rhel8 control file (ComplianceAsCode#10109)
- add new rule configure_bashrc_tmux (ComplianceAsCode#10100)
- add missing SRG to aide_build_database rule (ComplianceAsCode#10136)
- change applicability of rules configuring idle session timeouts (ComplianceAsCode#10127)
- Stabilization: remove service_rngd_enabled from RHEL9 and RHEL8 STIG profiles (ComplianceAsCode#10152)
- improve applicability of rule package_rear_installed (ComplianceAsCode#10144)
- stabilization: Update levels of some rules in RHEL8 CIS (ComplianceAsCode#10155)
Changes in Remediations
- Fix indentation in Ansible shell module parameter (ComplianceAsCode#9851)
- Recognize 64bit architectures in Ansible remediations (ComplianceAsCode#9887)
- Make Ansible remediation less prone to fatal errors (ComplianceAsCode#9914)
- Add bash and ansible remediation for set_loopback_traffic (ComplianceAsCode#9939)
- Ansible and bash remediations for set_ipv6_loopback_traffic (ComplianceAsCode#9938)
- Update sudo_require_reauthentication (ComplianceAsCode#9923)
- Improve the arguments for Ansible command module (ComplianceAsCode#9921)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (ComplianceAsCode#9994)
- Fix Jinja condition in macro for pam_faillock (ComplianceAsCode#10009)
- Install NetworkManager as part of wireless_disable_interfaces remediation (ComplianceAsCode#10018)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (ComplianceAsCode#9977)
- Update accounts_password template for OL due to precedence confs (ComplianceAsCode#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (ComplianceAsCode#9955)
- Improve service_disabled template (ComplianceAsCode#10026)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (ComplianceAsCode#9954)
- Rewrite remediations for rsyslog_remote_tls (ComplianceAsCode#9866)
- Fix accounts_password template for OL (ComplianceAsCode#10045)
- Using the Ansible shell actions is needed in package_prelink_remove (ComplianceAsCode#10086)
Changes in Checks
- Add SUSE Manager 4.x in installed_OS_is_sle15 (ComplianceAsCode#9854)
- Update sudo_require_reauthentication (ComplianceAsCode#9923)
- accounts_user_dot_group_ownership: Improve OVAL to avoid nobody group (ComplianceAsCode#9956)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (ComplianceAsCode#9994)
- aide_periodic_cron_checking: Improve ubuntu-specific OVAL and bash (ComplianceAsCode#9977)
- Update accounts_password template for OL due to precedence confs (ComplianceAsCode#9935)
- accounts_password_set_min_life_existing: Avoid system accounts (ComplianceAsCode#9955)
- accounts_password_set_max_life_existing does not exclude no passwords or locked accounts (ComplianceAsCode#9954)
Changes in the Infrastructure
- Refactor build_cpe.py (ComplianceAsCode#9834)
- Formatting and bug fixes in utils/import_srg_spreadsheet.py (ComplianceAsCode#9827)
- Refactor templates v2 (ComplianceAsCode#9870)
- Add automatic detection of platform_package_overrides when using automatus (ComplianceAsCode#9897)
- Add Sanity test for utils/create_scap_delta_tailoring.py (ComplianceAsCode#9839)
- Introduce templated platforms (CPEs) (ComplianceAsCode#9906)
- Sort conditional remediation platform checks (ComplianceAsCode#9902)
- Add sanity tests for controleval.py (ComplianceAsCode#9918)
- Add Refchecker to Tests (ComplianceAsCode#9862)
- Wait for buffer flushes to finish writes (ComplianceAsCode#9933)
- Fix the file param in rule_dir_json (ComplianceAsCode#9928)
- Fix typing import in create_srg_export.py (ComplianceAsCode#9929)
- Build all profiles on all CentOS and CentOS Streams (ComplianceAsCode#9946)
- CTest Fixes (ComplianceAsCode#9962)
- CPE AL: Introduce version specifiers support (ComplianceAsCode#9945)
- Correctly process templated Ansible conditionals and introduce os_linux platform (ComplianceAsCode#9959)
- Raise exception when parametrized platform receives invalid argument (ComplianceAsCode#9996)
- Fix --datastream-only in ./build_product (ComplianceAsCode#10020)
- Add sanity tests for compare_disa_xml.py (ComplianceAsCode#10030)
- Add Ubuntu 22.04 to Gating (ComplianceAsCode#9986)
- Fix a few issues in test-compare-disa-xml (ComplianceAsCode#10034)
- Update Ansible Lint Config (ComplianceAsCode#10025)
- platforms: rewrite mechanism which parses version into EVR (ComplianceAsCode#10038)
- Produce an understandable error when remediation collections goes wrong (ComplianceAsCode#10027)
- Platforms: prevent building content when version comparison is used and platform provides remediation conditional (ComplianceAsCode#10040)
- Bump fedora version in Dockerfiles to 37 (ComplianceAsCode#10036)
- Fix the generation of SCE checks in the output datastream (ComplianceAsCode#10015)
- Scripts clean up (ComplianceAsCode#10061)
- Clean up SRG export (ComplianceAsCode#10067)
Changes in the Test Suite
- Ensure pwquality.conf.d dir exists on test scenarios - main branch (ComplianceAsCode#9865)
- Add automatic detection of platform_package_overrides when using automatus (ComplianceAsCode#9897)
- Add Refchecker to Tests (ComplianceAsCode#9862)
- Update rules related to pam_pwhistory module to consider pwhistory.conf file (ComplianceAsCode#9994)
- Improve service_disabled template (ComplianceAsCode#10026)
Documentation
- Add Timezone to the Contributors Script (ComplianceAsCode#9844)
- Add documentation about readthedocs.org integration (ComplianceAsCode#9875)
- Update Upstream Release doc (ComplianceAsCode#9952)
- Update contributors list for v0.1.66 release (ComplianceAsCode#10108)