SCAP Security Guide 0.1.34 Release Notes

@yuumasato released this 29 Jun 18:34

Highlights

  • Unification of where templates and csv reside
  • Optimization and clean up of build system
  • Lots of Ansible remediations added
  • Bash remediation functions file is now generated by build system

Profile

  • [Bugfix] Remove RHEL STIG in Debian content
  • Fixed typo in OSPP profile
  • [Bugfix] Updating STIG References for RHEL7
  • [Enhancement] Add SUSE11 stig_overlay.xml
  • [Bugfix] Use @OverRide for NIST 800 171 CUI profile

XCCDF

  • [Bugfix] Fix typo in mount_option_home_nosuid
  • [Enhancement] Add 'requires' and 'conflicts' to Rules and Groups in XCCDF XSLT templates
  • [Enhancement] Move OpenStack XCCDF to shared XCCDF
  • Add support for NT28(R5) for Debian & Ubuntu
  • [Enhancement] Update SUSE11 and 12 XCCDF content to use shared XCCDF content
  • Fixed some SSSD related references
  • Fix more Red Hat guide links
  • [Bugfix] Update link to RHEL SysAdmin Guide - GRUB2 PW protection

OVAL

  • [Bugfix] Fix Webmin OVAL content by removing unnecessary definition check
  • [Bugfix] Check pam_retry OVAL check for cracklib configuration only for OS versions under 7
  • [Bugfix] Handle new Oracle JRE RPM naming scheme
  • [Bugfix] Fix prelink OVAL check
  • [Bugfix] Remove EAP5 references in EAP6 content and add temp OVAL file for builds to pass
  • [Enhancement] Provide a comment for network_sniffer_disabled
  • [Bugfix] Added OVALs for SSSD in RHEL6
  • [Bugfix] Fix accounts_have_homedir_login_defs false positive

Remediations

  • Initial work on audit_rules_dac_modification templating
  • [Bugfix] Fix remediation of commented line of account_disable_post_pw_expiration
  • [Enhancement] Update disable post password expiration remediation
  • Added Ansible fix for rsyslog_remote_loghost
  • [Enhancement] Use templates for ANACONDA mount options remediation scripts
  • Added an Ansible remediation for sshd print last log
  • Added Ansible remediation for accounts_logon_fail_delay
  • Added missing file name needed for checking if aide fix is already done
  • [Bugfix] Make the aide_periodic_cron_checking bash remediation idempotent
  • [Bugfix] RHBZ#1461330: Add Anaconda remediation for rule "smartcard_auth"
  • [Enhancement] SELinux booleans bash and Ansible remediation coverage
  • [Enhancement] Do not use Jinja separators in when statements in Ansible
  • [Bugfix] Fixed unterminated quotes in approved MACs Ansible remediation
  • Few more Ansible
  • [Infrastructure] Generate remediation functions
  • Fixing sed confusion for auditd remediation template
  • [Enhancement] Ansible coverage for sysctl remediations
  • Shared templates that are applicable everywhere should be marked as such
  • [Enhancement] Ansible coverage of accounts password
  • [Bugfix] Fix errors in audit remediation bash scripts
  • [Bugfix] Fix no rsh trust files bash remediation
  • SSH Ansible Content
  • [Bugfix] Fix typo in ANACONDA static templates
  • [Bugfix] Use double dash instead of a single dash in ANACONDA remediation temp…
  • Ansible RHEL7 scripts to shared/

Infrastructure

  • [Infrastructure] Import template generators (build time optimization)
  • [Infrastructure] Sds move ocils optimization (build time optimization)
  • [Infrastructure] Use element id cache instead of O(n^2) in combine-ovals.py (build time optimization)
  • [Infrastructure] Use xmllint nsclean (build time optimization)
  • [Infrastructure] Make build easier, improve error messages
  • [Bugfix] Evaluate $sed_command
  • [Bugfix] Remove multi-mount option capabilities in mount templates
  • [Enhancement] Using create_mount_options.py for RHEL7 rules
  • [Infrastructure] --skip-valid when composing datastreams (build optimization)
  • [Infrastructure] Optimized relabel ids (build time optimization)
  • [Enhancement][Infrastructure] Avoid repeatedly validating input when generating all roles (build time optimization)
  • [Infrastructure] Renamed the all roles timestamp marker file
  • [Bugfix] Ansible sshd protocol2 extension should be yml, otherwise it won't get picked up
  • [Enhancement][Infrastructure] Benchmark stats and CSV output in profile_stats.py
  • [Bugfix][Infrastructure] Reset parsed remediation attributes in combine-remediations.py correctly
  • Avoid warning about being unable to open output/unlinked-*-oval.xml
  • Better profile stats
  • Fix 'small' element namespace
  • [Bugfix][Infrastructure] Fix JBoss EAP platform mapping
  • SubElement would cause 2 appends which is not what we want
  • [Infrastructure] Look into parent for oval511 templates
  • [Infrastructure] Install remediation roles in content directory
  • [Infrastructure] CMake delete checks remediations
  • [Bugfix][Infrastructure] Fix drop of OVAL checks extending non-existing definitions
  • [Infrastructure] Build only one test package
  • The great move
  • [Infrastructure] Removed product-make.include
  • combine-remediations and combine-ovals improvements
  • [Infrastructure] Use inbuilt Python element tree
  • [Infrastructure] OVAL templating clean-up
  • [Infrastructure] use daemon_name instead of service_name if daemon_name differs
  • [Bugfix][Infrastructure] Escape the CMAKE_INSTALL_PREFIX again
  • [Bugfix][Infrastructure] Build table for ospp-rhel7, not ospp-rhel7-server
  • [Bugfix] Generate all roles, not just the last one
  • Fix installation path of guides and roles
  • [Infrastructure] @ANSIBLE_TAGS@ replacement for Ansible fixes
  • [Infrastructure] Use a separate template for OVAL sebool when using a variable

Full list of issues and pull requests closed in this release