UNCLASSIFIED - NO CUI

Skip to content

Update all dependencies

Ghost User requested to merge renovate/all into development

This MR contains the following updates:

Package Type Update Change
ComplianceAsCode/content ironbank-github patch v0.1.72 -> v0.1.73
anchore/syft ironbank-github minor v1.0.1 -> v1.5.0

Release Notes

ComplianceAsCode/content (ComplianceAsCode/content)

v0.1.73: Content 0.1.73

Compare Source

Important Highlights
  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#​11651)
  • Update all RHEL ANSSI BP028 profiles to be aligned with configuration recommendations version 2.0
  • Generate rule references from control files (#​11540)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#​11820)
New Rules and Profiles
  • Add and modify rules file/dir_permissions_system_journal (#​11840)
  • Add ANSSI Profiles for RHEL 10 (#​11787)
  • Add initial RHEL 10 PCI DSS profile (#​11872)
  • Add new rule file_permissions_sudo (#​11584)
  • Add new templated rules for System.map files (#​11640)
  • ANSSI R31 updates (#​11560)
  • Audit watch on /etc/sysconfig/network-scripts (#​11724)
  • CMP 2417: Implement PCI-DSS v4.0 outline for OpenShift (#​11651)
  • CMP-2375: Implement a new rule for checking audit logging is enabled (#​11731)
  • Implement ANSSI requirement R69 for RHEL (#​11663)
  • Improve ANSSI R28 (#​11626)
  • Inital RHEL 10 STIG (#​11793)
  • Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS (#​11820)
  • Openembedded fixes (#​11652)
  • Update ANSSI R50 (#​11588)
Updated Rules and Profiles
  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#​11993)
  • accounts_umask_etc_bashrc: extend handled cases of umask (#​11822)
  • Add a note to ANSSI R23 (#​11571)
  • Add a warning to sshd_limit_user_access (#​11507)
  • Add automation to enable faillock rules (#​11458)
  • Add platform machine to systctl.d rules (#​11622)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#​11864)
  • Additional updates in kernel_module_disabled template (#​11508)
  • Align chronyd_sync_clock to Ubuntu 22.04 STIG (#​11883)
  • Align rule encrypt_partitions with Ubuntu 22.04 STIG (#​11889)
  • Align var_accounts_tmout to Ubuntu 22.04 STIG V1R1 (#​11843)
  • ANSSI R31 updates (#​11560)
  • api_server_encryption_provider_cipher rule.yml has bad jsonpath (#​11099)
  • CMP 2453 pci dss requirement 1 (#​11725)
  • CMP-2365: Fix check for rotating kubelet server certificates (#​11543)
  • CMP-2372: Remove info override for virtual syscall rules (#​11544)
  • CMP-2378: Fix OCP version regex (#​11499)
  • CMP-2454: PCI-DSS v4 Requirement 2 (#​11825)
  • CMP-2471: Disable rules on s390x (#​11743)
  • Corrections in aide_periodic_cron_checking and aide_scan_notification… (#​11665)
  • Do not require existence of /var/tmp/tmp-inst (#​11762)
  • Drop retired PCI-DSS 3.2.1 for sle15 (#​11798)
  • ensure that var_sshd_set_keepalive is not set to 0 in rhel8 and rhel9 profiles (#​11851)
  • extend the explanation why ANSSI R52 requirement is manual (#​11629)
  • Fix #​11895 issue (#​11897)
  • Fix #​11898 issue (#​11899)
  • Fix #​11902 issue (#​11905)
  • Fix dconf package name for Ubuntu (#​11821)
  • Fix description for auditd_max_log_file_action (#​11585)
  • Fix kdump service name on Ubuntu 22.04 (#​11914)
  • Fix OCP node OVN check (#​11861)
  • Fix rule for accounts_authorized_local_users in SLE15 (#​11602)
  • Fix SCE check for ip6tables_rules_for_open_ports (#​11849)
  • Fix SCE checks for iptables_loopback_traffic (#​11850)
  • HIPAA profile for SLE 15 - update (#​11582)
  • Implement ANSSI requirement R69 for RHEL (#​11663)
  • Improve ANSSI R28 (#​11626)
  • Improve Rsyslog Rainer regex to find log files (#​11808)
  • Improve title of CCN profiles for RHEL9 (#​11852)
  • Make package installation for iptables and nftables mutually exclusive (#​11191)
  • mount_option_remote_systems: make rule not applicable if mounts not found (#​11761)
  • Move to /bin/false in Ubuntu remediation for wireless_disable_interface (#​11490)
  • oauth_or_oauthclient_token_maxage: Use variable for remediation of rule (#​11603)
  • OCP4: Add container_security_operator_exists to PCIDSS profile (#​11776)
  • OCP4: Add rule to check ACS sensor deployed (#​11675)
  • OCP4: Fix rules with both platform and platforms (#​11760)
  • OCPBUGS-18331: Include sshd config directories in remediation template (#​11551)
  • OCPBUGS-20015: Add remediation for RHCOS banners (#​11470)
  • OCPBUGS-26193: Fix missing OCP4 STIG selections (#​11423)
  • OCPBUGS-28797: Clarify banner instructions for RHCOS nodes (#​11635)
  • Openembedded fixes (#​11652)
  • put exec back to configure_bashrc_exec_tmux (#​11561)
  • Remove disabling_ipv6_autoconfig rule (#​11550)
  • Replace dead HTML links for the chronyd project (#​11799)
  • RHEL-09-232045: align with STIG (#​11890)
  • Rule had incorrect CRD reference rule.yml (#​11823)
  • Set the requires to sshd_set_keepalive on sshd_set_idle_timeout (#​11815)
  • sysctl template: allow skipping of runtime checks (#​11574)
  • trivial: fix linting issue (#​11711)
  • trivial: Update link to audit profile documentation link (#​11732)
  • Try 4110 for file_permissions_sudo (#​11805)
  • ubuntu2204: cis_level1_workstation: Add missing !package_cups_removed (#​11715)
  • Update ANSSI R29 requirement (#​11633)
  • Update ANSSI R32 (#​11570)
  • Update ANSSI R36 requirement (#​11632)
  • Update ANSSI R40 (#​11563)
  • Update ANSSI R50 (#​11588)
  • Update ANSSI R67 requirement (#​11642)
  • Update ANSSI R68 (#​11580)
  • Update ANSSI R71 (#​11578)
  • Update audit_ospp_general (#​11519)
  • Update CIS requirement status (#​11784)
  • Update CIS RHEL7 requirement 3.4.4.3.4 (#​11502)
  • Update CIS RHEL8 requirements related to crypto (#​11506)
  • update cryptopolicy used in CUI profile to fips (#​11792)
  • Update notes in ANSSI R3 (#​11680)
  • update notes of the R36 requirement for ANSSI (#​11639)
  • Update ol8 pcidss (#​11867)
  • Update ol8 profiles (#​11829)
  • Update ol8 stig (#​11828)
  • Update ol8 stig reference (#​11884)
  • Update ol9 pcidss (#​11873)
  • Update ol9 profiles (#​11846)
  • Update RHEL 8 STIG to V1R14 (#​11878)
  • Update RHEL9 STIG to V1R3 (#​11877)
  • Update SLE12 STIG to V2R13 (#​11599)
  • Update SLE15 STIG to V1R12 (#​11598)
  • update sles oval feed url (#​11461)
  • Update SRG GPOS Control File (#​11634)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#​11474)
  • Update sssd_enable_smartcards & sssd_offline_cred_expiration (#​11473)
  • Update STIG PSC Content (#​11664)
  • Update sudo_dedicated_group (#​11586)
  • Use string instead of number in oauth variable (#​11613)
  • Use controls to assign ANSSI references (#​11556)
Changes in Remediations
  • [stabilization] do not restrict Ansible remediation of zipl_bootmap_is_up_to_date to RHEL 8 only (#​11935)
  • [stabilization] Recollect facts in mount_option_nodev_nonroot_local_partitions (#​11956)
  • [Stabilization]: add when conditional to Ansible remediation of sssd_enable_pam_services (#​11979)
  • [Stabilization]: Ensure that security_patches_up_to_date is not built with remediations (#​11993)
  • accounts_passwords_pam_tally2_deny_root fix (#​11676)
  • Add Ansible remediation to sssd_enable_pam_services (#​11796)
  • Add Ansible Remediations (#​11763)
  • Add root user to interactive users (#​11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#​11864)
  • Additional updates in kernel_module_disabled template (#​11508)
  • Align securetty_root_login_console_only remediations with OVAL/rule description (#​11716)
  • Align wireless_disable_interfaces with Ubuntu 22.04 STIG (#​11886)
  • Changes in template service_disabled - ansible part (#​11645)
  • Disallow spaces in SSSD certificate_verification option (#​11728)
  • Enable ansible in SLE for dconf_gnome_session_idle_user_locks (#​11655)
  • Fix ansible lint for SLE platforms (#​11911)
  • fix ansible SLES stig remediations in check mode (#​11248)
  • Fix Bash remediation of firewalld-based rules for offline mode (#​11868)
  • Fix configure_bashrc_exec_tmux missing parenthesis (#​11448)
  • Fix non-idempotent bash remediation for sysctl template (#​11671)
  • fix regex in Ansible remediation of configure_ssh_crypto_policy (#​11526)
  • Fix rule mount_option_nodev_nonroot_local_partitions Bash remediation (#​11827)
  • Fix ubuntu remediation for pam_faildelay (#​11532)
  • Fix Ubuntu remediation for pam_faillock rules (#​11488)
  • Fix Ubuntu remediation for smartcard_pam_enabled (#​11489)
  • Issue when using set -e with grep commands (#​11712)
  • Make Blueprint for service_disabled template to mask services (#​11679)
  • OCPBUGS-28242: Fix remediation for service_debug-shell_disabled (#​11638)
  • pam_options ansible template dry-run fix (#​11677)
  • Remove kubernetes hardcoded solution for templated service_debug rules (#​11370)
  • remove prodtype from add_kubernetes_rule (#​11500)
  • Remove restrictions in sshd_use_approved_ciphers remediation (#​11527)
  • Return condition to test firewalld service state in firewalld_loopback_traffic rules (#​11894)
  • set indent to 4 (#​11530)
  • Simplify output of ip link show command (#​11657)
  • update links and unify documentation in kickstart files (#​11765)
  • Update links for Ansible role (#​11737)
  • Update sssd ldap related rules to check /etc/sssd/conf.d/*.conf files (#​11474)
  • use failed_when:false for Ansible register: checks (#​11782)
Changes in Checks
  • accounts_passwords_pam_tally2_deny_root fix (#​11676)
  • Add root user to interactive users (#​11729)
  • Add rule set_password_hashing_algorithm_systemauth to Ubuntu STIG profile (#​11864)
  • all_apparmor_profiles_in_enforce_complain_mode: Fix OVAL logic (#​11672)
  • App armor oval check (#​11273)
  • Correction in oval part ensure_gpgcheck_globally_activated (#​11709)
  • Disallow spaces in SSSD certificate_verification option (#​11728)
  • Enforce explicit setting in password-auth (#​11742)
  • Enforce explicit setting in system-auth (#​11740)
  • Fix handling of grub.d configs in grub2_bootloader_argument (#​11726)
  • Fix macro for extracting local interactive users (#​11589)
  • Fix regression in grub2_bootloader_argument (#​11768)
  • Make additional check if selinux is enabled and operational (#​11510)
  • Red Hat product security is on the path of deprecating the OVAL CVE feed (#​11547)
  • Remove OVAL version restrictions from auditd_audispd_configure_sufficiently_large_partition (#​11816)
  • Restrict the list of accepted shells in no_shelllogin_for_systemaccounts (#​11896)
  • Revert MR 11816 (#​11917)
  • Update ANSSI R67 requirement (#​11642)
  • Update sssd_enable_smartcards & sssd_offline_cred_expiration (#​11473)
Changes in the Infrastructure
  • Account for non-existent 'build' dir in build_product (#​11606)
  • Add new test to ensure that CCEs are removed from the avail file (#​11590)
  • Add RHEL 9 support for playbook to role conversion utility (#​11542)
  • Add RHEL 9 to Ansible Gating (#​11624)
  • Add Script to Import DISA STIG to Policy Specific Content (#​11611)
  • Add stigrefs after references from controls (#​11591)
  • add the "components" test among quick tests (#​11668)
  • Bump paambaati/codeclimate-action from 5.0.0 to 6.0.0 (#​11912)
  • Change the metric of the most-used-components (#​11738)
  • Clean up check_eof (#​11757)
  • Disable RHEL 10 content for 0.1.73 release (#​11989)
  • Ensure that components not in datastream are not mentioned by profiles (#​11811)
  • Extend the stable-profiles test (#​11617)
  • Extension of the most-used-rules and most-used-components subcommands of the profile_tool.py script to specify a list of products to be considered (#​11733)
  • Fix broken exception message (#​11842)
  • Fix content_diff when a rule is removed (#​11855)
  • Fix deprecation warning in ssg/build_derivatives.py (#​11666)
  • Fix SCE finding XPath to allow nesting with OCILs (#​11682)
  • Fix TypeError in get_implemented_stigs (#​11596)
  • Improve github workflow for building OCP MR image (#​11492)
  • Improve playbook script and documention (#​11747)
  • k8s content image: Image from MR should not be tagged latest (#​11643)
  • k8s image content from MRs: Fix id in job step (#​11604)
  • k8s image content from MRs: remove token from action parameters (#​11608)
  • Move auditing group (#​11789)
  • Move to use main branch and OpenSCAP 1.4.0 for building on Windows (#​11734)
  • OCP: Fix e2e remediation for container_security_operator_exists (#​11545)
  • OCP4: Fix pr image workflow (#​11533)
  • OCP4: use utf-8 as default xml encoding (#​11614)
  • Prevent conflicts in references (#​11555)
  • profile_tool.py: Fix traceback in sub command (#​11637)
  • Re-organize tests/fmf-plans into a more concise format (#​11809)
  • Reduce OCIL size (#​11577)
  • Reduce XCCDF (#​11800)
  • Reduce XML reformatting (#​11641)
  • Reduction of CPE content in DS (#​11648)
  • Refactoring: Remove all references to prodtype (code/tests/docs) (#​11505)
  • Remove CNSS REF URL (#​11714)
  • Removing unused variables from the datastream (#​11858)
  • Rework of cpe_generate.py (#​11644)
  • Run Contest test instead of Fedora project beakerlib tests (#​11419)
  • Speed up build of thin data streams (#​11618)
  • Stabilize resolved profiles (#​11727)
  • Test that all rules have references (#​11610)
  • Thin DS: Command Line Interface (#​11549)
  • Tool for identifying the most used components (#​11730)
  • Tool for identifying the most used rules (#​11439)
  • Update entities/common.py to use CDumper (#​11541)
  • Update MR workflow actions to run only on latest push (#​11616)
  • Use control files to generate references (#​11594)
  • utils/gen_rendered_policies_index.py: read compiled control files (#​11667)
Changes in the Test Suite
  • Add RHEL 10 Install Command to Automatus (#​11797)
  • CMP-2366: Update service_autofs_disabled default e2e result (#​11546)
  • Disallow spaces in SSSD certificate_verification option (#​11728)
  • extend misleading Automatus error message (#​11658)
  • Fix ANSSI Ansible fmf test plan (#​11791)
  • Fix Automatus in CI (#​11494)
  • Fix tests for file_permissions, file_owner, file_groupowner (#​11814)
  • Flush automatus test logs before outputting results (#​11605)
  • OCP4: Fix rules with both platform and platforms (#​11760)
  • Split out TMT plans to separate Packit jobs (#​11860)
  • Thin DS tests (#​11755)
  • Update crypto_policy test scenario for CIS RHEL8 (#​11513)
Documentation
  • Add docs how to build thin ds (#​11900)
  • Add RHEL 10 to SRG Mapping Table Action (#​11881)
  • Bump master branch version to 0.1.73 (#​11496)
  • Improve playbook script and documention (#​11747)
  • release_helper script updates (#​11504)
  • Remove prodtype from rule schema (#​11493)
  • Update links for Ansible role (#​11737)
  • update list of contributors before releasing 0.1.73 (#​11888)
  • update meaning of the "automated" status in control files (#​11646)
  • Update RHEL 9 SCAP references to V1R1 (#​11673)
anchore/syft (anchore/syft)

v1.5.0

Compare Source

Added Features
Bug Fixes
Additional Changes

(Full Changelog)

v1.4.1

Compare Source

Bug Fixes

(Full Changelog)

v1.4.0

Compare Source

Added Features
Bug Fixes
Additional Changes

(Full Changelog)

v1.3.0

Compare Source

Added Features
Bug Fixes

(Full Changelog)

v1.2.0

Compare Source

Added Features
Bug Fixes

(Full Changelog)

v1.1.1

Compare Source

Bug Fixes

(Full Changelog)

v1.1.0

Compare Source

Added Features
Bug Fixes

(Full Changelog)


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports