Content 0.1.72
github-actions released this 09 Feb 13:29
Important Highlights
- ANSSI BP 028 profile for debian12 (#11368)
- Building on Windows (#11406)
- Control for BSI APP.4.4 (#11342)
- Update to CIS RHEL 7 and RHEL 8 profiles, aligning them with the latest benchmarks
New Rules and Profiles
- Add alinux2/alinux3 support for pci-dss compliance (#11398)
- Add anolis23/anolis8 support for pci-dss compliance. (#11401)
- Add new rule file_cron_allow_exists (#11441)
- Add rules for /etc/shells (#11467)
- Add rules STIG UBTU-20-010437 and UBTU-20-010451 (#11325)
- ANSSI BP 028 profile for debian12 (#11368)
- Control for BSI APP.4.4 (#11342)
Updated Rules and Profiles
- Review CIS RHEL8 v3.0.0 Section 3 (#11469)
- Add 2 CCE-IDs for SLE12 & SLE15 (#11375)
- Add package_firewalld_installed to RHEL 9 CIS (#11351)
- align description of audit_rules_kernel_module_loading (#11443)
- Align RHEL 7 CIS control file with CIS v4.0.0 - Section 3 (#11446)
- Align RHEL 8 CIS control file with CIS v3.0.0 - Section 6 (#11462)
- align rule audit_rules_privileged_commands_kmod (#11320)
- Allow spaces in rule sudo_custom_logfile (#11433)
- Enable Rules For OSBuild (#11362)
- enable sshd_distributed_config for ubuntu 2004 & 2204 (#11305)
- Fix a duplication of the code ID 3.5.2.1 (#11421)
- Fix ANSSI URL in control file and update RHEL profiles (#11365)
- Fix RHEL 8 STIG version (#11515)
- Fix Service Applicability for RHEL 9 Profiles (#11367)
- Handle rules trying to remove no longer existing packages (#11354)
- Improve Performance on rules probing the whole file system (#11319)
- Minor modifications to RHEL STIG profiles (#11327)
- Move to /bin/false for disabling kernel modules (#11475)
- Remove Alibaba Cloud Linux CIS-related profile and associated references (#11486)
- Remove irrelevant rules from PCI-DSS profiles (#11338)
- Remove timer_logrotate_enabled from some pci-dss profiles (#11349)
- Remove warning from kubelet rule (#11243)
- Review CIS RHEL8 v3.0.0 Section 1 - Initial Setup (#11445)
- Review rpm_verify_hashes rule (#11332)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- RHEL 7: change how xwindows is disabled in CIS profile (#11466)
- RHEL 8: align with CIS 3, section 2 (#11457)
- RHEL7 CIS: align section 2 with the final version (#11453)
- Stabilization: Update audit_ospp_general (#11520)
- Support drop-in config in journald rules on RHEL (#11440)
- Update CIS profiles descriptions (#11491)
- Update grub2_mitigation_argument (#11271)
- Update OL stig references (#11472)
- Update OL8 STIG id references (#11451)
- Update OL8 stig selection for OL08-00-040259 (#11312)
- Update Oracle Linux anssi profiles (#11313)
- Update RHEL 7 CIS Section 1 (#11449)
- Update RHEL 7 STIG to V3R14 (#11477)
- Update RHEL 8 STIG to V1R13 (#11478)
- Update RHEL 9 STIG to V1R2 (#11479)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
- Update STIG version for SLES 12 and SLES 15 (#11357)
- Update Ubuntu STIG-20-010072 and fix faillock rules (#11355)
- Use correct HTML element for inline code (#11408)
- various small fixes to RHEL 7 and RHEL 8 CIS (#11487)
- xccdf_org.ssgproject.content_rule_accounts_tmout: replace 'declare' by 'typeset' (#11289)
Changes in Remediations
- [Stabilization] fix regex used in Ansible remediation of configure_ssh_crypto_policy (#11525)
- A fix into ansible part of the rule audit_rules_suid_privilege_function (#11170)
- Add blueprint remediation for enable_fips_mode (#11363)
- Add check if to continue with ansible task (#11299)
- add explaining comment to mount_option bash template (#11444)
- Add support to disable wifi interfaces via wicked (#11428)
- Ansible: change the sysctl module fqcn for rhel7 product (#11465)
- configure_bashrc_*_tmux: escape braces within regex in Ansible (#11388)
- Do not change comments by remediations (#11434)
- Fix Ansible in rule ensure_redhat_gpgkey_installed (#11413)
- Fix in sebool ansible (#11245)
- Fix ShellCheck Issues in CPE Checks (#11322)
- fix: service_timesyncd_configured (#11410)
- Make some improvements to bash remediation template (#11361)
- Move to /bin/false for disabling kernel modules (#11475)
- Sle15 fix ansible cis remediations (#11258)
- Sle15 fix ansible hipaa remediation (#11264)
- Sle15 fix ansible pci-dss remediations in check mode (#11263)
- Stabilization - Fix Ansible compatibility with sysctl module (#11538)
- Support drop-in config in journald rules on RHEL (#11440)
- Turn off blueprint for package_MFEhiplsm_installed (#11350)
- Turn off remediations for /dev/shm (#11364)
- Use commit hash for image tag (#11233)
Changes in Checks
- Add ocp platforms to some eks shared OVALs (#11436)
- Fix audit key check in audit_rules_privileged_commands_fdisk (#11306)
- Fix invoke parent's init function (#11400)
- Generate OVAL document for each rule (#11291)
- Improve Performance on rules probing the whole file system (#11319)
- Move install_mcafee_hbss shared OVAL to the install_hids rule (#11432)
- Rename inconsistent shared OVAL IDs (Oracle Linux) (#11392)
- Review rpm_verify_ownership rule (#11333)
- Review rpm_verify_permissions rule (#11335)
- Support drop-in config in journald rules on RHEL (#11440)
- Update Select SSSD Rules for RHEL 7 STIG Update (#11476)
Changes in the Infrastructure
- Add Gate tests back to master (#11331)
- Add missing group.yml (#11373)
- Add Windows CI (#11412)
- add XSLT_PATH prefix with environment override (#11390)
- Adds an oscal directory and GitHub Actions workflow for upstream OSCAL content (#11286)
- Building on Windows (#11406)
- Control Files' level key must be an array (#11417)
- Fix Debian 10 CI (#11426)
- Fix duplicate OVAL ids (gpgkey package, GDM login) (#11377)
- Fix invoke parent's init function (#11400)
- Fixes update-oscal.yml to remove env context from matrix variables (#11374)
- Generate OVAL document for each rule (#11291)
- Ignore mypy in the EOF Checker (#11323)
- OCP4: Update k8s action to build image on new PR (#11384)
- Refactoring: Remove 'prodtype' Mk.2 (#11378)
- Remove bogus specifier from audit_rules_privileged_commands_unix2_chkpwd (#11379)
- remove the task which deletes artifacts from automatus GH workflows (#11482)
- Update GitHub Artifacts Action Steps to v4 (#11411)
- Validate levels in controls (#11427)
- We should raise NotImplementedError (#11414)
Changes in the Test Suite
- Allow tests/test_product_stability.py to be executed (#11464)
- Fix OpenEmbedded name in test stability (#11463)
- Fix Secure Boot Automatus VM Installs (#11239)
- Fix tests for sudo_require_authentication (#11315)
- OCP4: Fix e2e result on OCP 4.14 changes (#11207)
- Update test-check-eof for smoke test (#11402)
- Update Install VM to use Fedora 39 (#11418)
Documentation
- Add documentation of the steps that OVAL content goes through during the build (#11336)
- Add GitHub Actions Style Guide (#11330)
- Add STIG Tables for RHEL 9 (#11376)
- bump version to 0.1.72 (#11308)
- Finish rename to Automatus (#11404)
- Fix broken formatting (#11403)
- Remove all contributors file (#11317)
- Update contributors list for v0.1.72 release (#11483)
- Update SRG GPOS to V2R7 (#11480)