Skip to content

SCAP Security Guide 0.1.32 Release Notes
Compare
Choose a tag to compare
@yuumasato yuumasato released this 29 Mar 13:31
· 31618 commits to master since this release
v0.1.32
8c6cabe

Highlights:

  • New CMake build system
  • Improved NIST 800-171 profile
  • Initial RHVH profile
  • New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
  • Template clean up in lots of remediations

Profile

  • [Enhancement] Standard profile container
  • [Bugfix][Enhancement][Infrastructure] Add stig_overlay to CMAKE build
  • [Bugfix][Enhancement] Update RHEL7 Manual STIG references to release version 1
  • [Bugfix][Enhancement] Update RHEL7 STIG overlay to map to official DISA STIG release
  • [Enhancement] Add service_atd_disabled to RHEL6 STIG profile
  • [Bugfix] Remove ldap_client_start_tls check in RHEL7 STIG profile
  • [Enhancement] Debs: support for apt unauthenticated repository config check (ANSSI NT-28 - R15)
  • [Bugfix] Add RHEL6/PCI-DSS centric-benchmark
  • [RHEL7] Further NIST 800-171 profile work
  • [Bugfix][Draft RHEL7 STIG] Update RHEL/7 STIG content to match latest STIG ID mapping
  • [Enhancement][RHEL7] Add Initial RHVH profile
  • [Bugfix] Remove RHEL7 CCEs and STIGIDs from SUSE/12
  • Continuing NIST 800-171 profile development
  • [RHEL7] [issue 391] NIST mappings for restrict_nfs_clients_to_privileged_port…
  • [Bugfix] Fixed mismatched tags in RHEL7 nist_support.xml

XCCDF:

  • [Bugfix] Fix RHEL7 CCE-25892-0 typo
  • [Bugfix] Added description to file_ownership_var_log_audit rule.
  • [Enhancement] Adding Container and Machine-only CPEs in RHEL6 CPE dict.
  • [Enhancement] Marked RHEL 6 XCCDF Rules as machine-only when applicable.
  • [Enhancement] Marking more machine only rules
  • [Enhancement] Continue marking machine specific rules
  • [Bugfix][Draft RHEL7 STIG][RHEL7] [issue 1688] update XCCDF for selinux audit
  • Start marking rules that apply only for baremetal / VM environment or only for container environment
  • [Bugfix] Add missing minlen value for RHEL6 password variable
  • [Enhancement] Add PCIDSS mapping to RHEL6 XCCDF
  • [Enhancement][RHEL7] Add new audit rules to STIG profile and update auditing XCCDF ids
  • [Bugfix] Expand some XCCDF descriptions and fixes
  • [Enhancement] Add new httpd file permissions content
  • [Bugfix] Fix DConf typos and update gnome banners descriptions
  • Fixed wording in min password age description text
  • [Draft RHEL7 STIG] [Enhancement][RHEL/7] Update pam_faillock content to use and check for unlock_time=never
  • [bugfix] Fix 'cups_disable_browsing' XCCDF rule

OVAL:

  • [Bugfix] Support pam faillock with sssd enabled
  • [Bugfix] Another check for /var/tmp bind mounted to /tmp
  • [Bugfix] Check more paths with verify_rpm_hashes
  • [Bugfix] Fixing default value for secure_redirects.
  • [Bugfix] Passwd file password field shadowed value
  • [Bugfix] Fix file_ownership_library_dirs.xml
  • [Bugfix] Update smartcard auth OVAL to not require the esc package for non-GUI environments
  • [Enhancement] Added shared/oval/is_a_container.xml to further enable SSG
  • [Bugfix] Update RHEL/7 PAE OVAL check
  • [Bugfix][RHEL6] Fix xpath to handle empty element in gconf_gnome_disable_ctrlaltdel_reboot
  • [Bugfix][Draft RHEL7 STIG][Enhancement] Update Audit Rules OVAL
  • [Bugfix] Fix DConf OVAL typos
  • [Enhancement][RHEL6][RHEL7] Use https:// for CVE OVALs

Remediations

  • [Enhancement] Improve sysctl remediations to use replace_or_append functions
  • [Bugfix] RHBZ #1413494: Fix the regular expression for SSHD Ciphers
  • [Bugfix] Allow audit to log read and write
  • [Bugfix][RHEL7] Added a new remediation to rule rsyslog_files_permissions, now it doe…
  • [Bugfix] Fixed ensure_gpgcheck_globally_activated rule remediation.
  • [Bugfix] bash remediations cleanup & fix
  • [Ansible][Enhancement] Add ansible remediations
  • [Enhancement] Misc audit remediations
  • [Enhancement] Remediation for sshd checks
  • [Bugfix] Don't limit Fedora template generation
  • [Enhancement] Use openscap-scanner instead of openscap-utils in RHEL/6 kickstarts
  • [Bugfix] Fix so we don't leave remedied config files without trailing newline.
  • [Bugfix] Fix Anaconda package install template typo
  • [Bugfix] typo in policy setting
  • [Bugfix] Use a more specific pattern match in the fix for require_singleuser_auth
  • [bugfix][RHEL/6] Fix kickstarts to use distribution content

Infrastructure

  • [Bugfix][Infrastructure] Enable OSP product
  • Build zip archive and update usage
  • [Bugfix] Update path where compare_generated.sh looks for datastreams
  • [Bugfix] Enable more products with CMake
  • [Bugfix] Fix path of oval.config in testoval.py script
  • [Infrastructure] Let's go back to the old path /usr/share/xml/scap/ssg/content
  • [Infrastructure] template_common.py/create*py: Use classes
  • [Infrastructure] Change interface of create_*py
  • [Infrastructure] compare_generated.sh: Update for cmake structure
  • [Bugfix][Infrastructure] Move OVAL_5.11 static files
  • [Bugfix] RHBZ #1420038: Identify Red Hat Enterprise Virtualization Host as RHEL7
  • [Bugfix][RHEL7] Fix stig testinfo tables for RHEL6 and 7
  • [Infrastructure] Build HTML tables and guides when building product specific content
  • [Enhancement] oscap mangles paths of SDS components so we need to add them by relative path
  • [Enhancement][Infrastructure] Cmake build system
  • [Bugfix][Infrastructure] Issue #1718: Fix build using docker
  • [Infrastructure] Remove testoval.py clones
  • [Infrastructure] RHEL7: remove generated OVAL_5.11 package*installed.xml
  • [Infrastructure] RHEL6: Remove unused package_removed*xml
  • [Infrastructure] RHEL6: cleanup sysctl
  • [Infrastructure] RHEL6: Remove generated kernel module OVAL & Fix remediations to be idempotent
  • [Infrastructure] Fedora cleanup
  • [Bugfix][Enhancement] Add RHEL Client Variant Support
  • [Infrastructure] Debian8: clean generated files
  • [Infrastructure] Wrlinux: Remove old/unused files
  • [Bugfix][Infrastructure] Fix build without SVG
  • [Infrastructure] Webmin: Remove templates
  • [Infrastructure] Chromium: Remove puppet example
  • [Enhancement][Infrastructure] update Makefile to clean dist/tables
  • [Enhancement] Debs: add iommu=force check NT28(R11)
  • [Infrastructure] RHEL6 cleanup packages installed/removed
  • [Infrastructure] RHEL6: cleanup service_disabled & fix templace_common.py: regex_replace
  • [Infrastructure] RHEL6: service*enabled cleanup
  • [Enhancement] Add support for both plain and regex file names in create_permission.py
  • [Bugfix] generate-from-templates: fix error when key does not exist
  • [Infrastructure][RHEL7] Cleanup rhel7 sysctl
  • [Infrastructure] RHEL7: remove package*installed.xml
  • [Infrastructure][RHEL7] Cleanup rhel7 kernel modules
  • [Infrastructure][RHEL7] Cleanup rhel7 package removed 5.11
  • [Infrastructure] Disable overriding of OVAL_5.11 by OVAL_5.10
  • [Enhancement] Add support for Ubuntu/trusty (14.04)
  • [Enhancement] Added to XCCDf shared transformations, so it will
  • [Enhancement] Docker build
  • [Bugfix] replace failing %doc glob
  • [issue 1607] Replenished Red Hat CCEs
  • [Enhancement][Infrastructure] Add JBoss/Fuse/6 to global Makefile
  • [Bugfix] Fix SUSE/11 and Webmin content build issues
  • [Bugfix][Enhancement] Generate guides outputs
  • Removed the old JBossFuse6 content, this content is obsolete and does…
  • [bugfix] Fix remaining duplicate ids
  • [bugfix] Fix some of the duplicate OVAL IDs
  • [Enhancement] [bugfix][Infrastructure] combine-ovals.py: print missing directory message
  • [bugfix][Infrastructure] combine-remediations.py: print missing directory message
  • [Infrastructure] make rpm to be consistent with Fedora's spec

Full list of issues and pull requests closed in this release

Assets 5
Loading