Update dependency ComplianceAsCode/content to v0.1.57

This MR contains the following updates:

Package	Update	Change
ComplianceAsCode/content	patch	0.1.54 -> v0.1.57

---

Release Notes

ComplianceAsCode/content

v0.1.57

Compare Source

Highlights

• CIS profile for RHEL 7 is updated
• initial CIS profiles for Ubuntu 20.04
• Major improvement of RHEL 9 content
• new release process implemented using Github actions

New Rules and Profiles

• Add rule sudo_add_passwd_timeout (#​6984)
• SLES-12-010420 and SLES-15-010510 rules (#​7028)
• SLES-15-010355 rule (#​6947)
• New rsyslog rule per RHEL-08-010070 STIG (#​7114)
• Add initial Ubuntu 20.04 CIS Profiles (#​7181)

Updated Rules and Profiles

• Update ANSSI policy metadata and undraft High Level (#​6997)
• Update cis sle15 profile to better represent the release version 1.0.0 (#​7056)
• Start splitting of rhel7 CIS (#​7108)
• Splitting rhel7 cis profile - section 2 (#​7112)
• Splitting rhel7 cis profile - section 3 (#​7111)
• splitting CIS rhel7 profile - section 4 (#​7134)
• Split RHEL 7 CIS profile - section 5 (#​7193)
• split CIS for rhel7 - section 6 (#​7219)

Changes in Remediations

• Add bash package installated macro (#​7032)
• Ansible playbook to role updates (#​7042)
• Add option to enable installation of individual ansible playbooks per rule (#​7039)
• Only enable ansible/yaml lint tests when playbooks are built (#​7099)
• ensure_pam_module_options now fix empty option value (#​7116)
• Fix bash remediation of sudo_defaults_option (#​7146)
• Fix regex in dconf ansible remediation (#​7150)

Changes in Checks

• Fix disable_users_coredumps's limits.d exists (#​7030)
• Fix oval check in uefi_no_removeable_media (#​7067)
• Add option_regex_suffix to sudo_defaults_option template (#​7082)

Changes in the Infrastructure

• Fix bugs in rule_dir_json.py (#​6911)
• Fix utilities after product move (#​7113)
• Fix kernel module disable template (#​7086)
• SSGTS: Jinja enablement for test cases (#​7210)

Changes in the Test Suite

• Fix SSG test suite support for setting variables (#​7097)
• SSGTS: Jinja enablement for test cases (#​7210)

v0.1.56

Compare Source

Highlights:

• Align ism_o profile with latest ISM SSP (#​6878)
• Align RHEL 7 STIG profile with DISA STIG V3R3
• Creating new RHEL 7 STIG GUI profile (#​6863)
• Creating new RHEL 8 STIG GUI profile (#​6862)
• Add the RHEL9 product (#​6801)
• Initial support for SUSE SLE-15 (#​6666)
• add support for osbuild blueprint remediations (#​6970)

Profiles changed in this release:

• sle12: stig
• sle15: cis, stig
• rhel7: stig_gui, stig
• rhel8: stig_gui, stig, ism_o
• rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
• ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
• ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
• rhv4: pci-dss
• ocp4: cis-node, cis
• rhel9: pci-dss

Profiles:

• Add updated manual DISA STIG XML reference files (#​6903)
• rhcos4/e8: Use individual kernel module load audit rules (#​6797)
• rhcos4: Remove ssh crypto policy hardening from moderate policy (#​6789)
• bump rhel7 stig version to v3r3 (#​6951)
• remove no longer relevant rules from rhel7 stig (#​6865)
• Aligning and updating RHEL 8 STIG w/ V1R2 (#​6927)
• Update OL e8 profiles (#​6840)
• Remove rules related to gnome/dconf (#​6884)
• Ol cjis profiles (#​6851)
• Add PCI-DSS profile to RHV4 (#​6867)
• OL hipaa profiles (#​6819)
• Update OL cui profiles (#​6818)
• remove service_nfs_disabled sle15/profiles/cis.profile (#​6803)
• RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#​6784)
• rhcos4: Remove sssd configuration check from moderate profile (#​6774)
• RHCOS4: Remove rules that use rpmverifypackage_test (#​6776)
• RHCOS4: Remove instances of audit_rules_privileged_commands (#​6769)
• RHCOS: Temporarily remove UEFI password rule (#​6757)
• Add new rules to sle12/profiles/stig.profile (#​6665)
• Remove package_gssproxy_removed from STIG GUI profile (#​6967)
• Updating RHEL8 STIG profile for readability changes (#​6856)
• Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#​6858)
• Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#​6829)

Rules:

• Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#​6993)
• Remove audit_privileged_commands from RHEL7 STIG profile (#​7008)
• Fix grub2's /boot location for Debian, Ubuntu (#​6986)
• Add rules to remove setroubleshoot server and plugin packages (#​6969)
• SLES-15-010362 (#​6968)
• Fix groupowner/permissions for ubuntu2004 (#​6979)
• SLES-15-10352 rule (#​6822)
• Enable RHEL9 for kernel-related rules (#​6966)
• Enable SELinux rules for RHEL9 (#​6959)
• Move rule grub2_enable_iommu_force to use template (#​6956)
• Clarify what fixes for AiDE acl and xattrs do (#​6960)
• Merge duplicate disa (CCI) reference in package_audit_installed (#​6964)
• Adding new rule for RHEL-08-010294 (#​6932)
• Add OCIL to sshd_limit_user_access (#​6836)
• SLES-15-030390 add rule, remediation and test (#​6802)
• Add Rule for SLES-15-040382 (#​6811)
• RHCOS4: Enhance instructions to better reflect how to work with the platform (#​6796)
• RHCOS4: Add recommended chrony config (#​6786)
• Address NIST SP 800-32 control CM-8(3) with usbguard (#​6949)
• Prevent global references to use product-qualifiers (#​6896)
• OCP: Fix description of kubelet TLS cipher suites (#​6900)
• Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#​6890)
• Update VSEL references to remove qualifier from global references (#​6948)
• SLES-15-010250 add rule, remediation and tests (#​6879)
• add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#​6866)
• Add Rule for SLES-15-010140 & SLES-12-010100 (#​6868)
• Add Rule,Remediation and Test for SLES-15-030760 (#​6869)
• Revert STIG id for require_emergency_target_auth (#​6928)
• Remove bogus nist: FOO-1(a) references (#​6917)
• remove product specific disa and srg references (#​6895)
• ocp4: Enhance group ownership checks openvswitch processes pid files (#​6914)
• Fix usbguard match-all syntax for HID rule (#​6909)
• RHEL8 - ensuring stigid's and references are set where appropriate (#​6864)
• Notate that Ubuntu is a FIPS-certified OS (#​6912)
• OCP: Fix description and OCIL in proxy-kubeconfig rules (#​6904)
• update require_emergency_target_auth (#​6894)
• add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#​6897)
• Add Rule,Test for SLES-15-020103 (#​6881)
• Prevent unqualified CIS and STIGID references (#​6871)
• SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#​6877)
• Add rules related to permissions of /var/log and /var/log/messages (#​6861)
• SLES-15-010220 updates for firewalld (#​6831)
• Add OL anssi profiles (#​6817)
• update accounts_tmout (#​6839)
• SLES-15-030730 'Record Unsuccessul Delete Attempts to Files - renameat2' (#​6826)
• add rule for disabling of GUI (#​6860)
• Add rules for SLES-12-010060 (#​6806)
• CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#​6835)
• fix service_sshd_enabled for SLE-15 (#​6830)
• RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#​6827)
• Add HIPAA rules references (#​6854)
• RHCOS/OCP: Add more detailed instructions for more OCIL instances (#​6838)
• Add CCI reference to package_gssproxy_removed (#​6846)
• Remove sshd_allow_only_protocol2 from RHEL8 STIG (#​6845)
• SLES-15-010353 map rule file_ownership_library_dirs (#​6820)
• Add CCEs for RHEL9 rsyslog rules (#​6832)
• SLES-15-010030 rule (#​6821)
• SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#​6767)
• Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#​6824)
• OCP4: Add applicability warnings (#​6823)
• service_nfs_disabled - change name of nfs service to nfs-server (#​6777)
• Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#​6770)
• OCP4: Address flowschema version change by handling different OCP versions (#​6813)
• Abort the build if an OVAL is not included due to extend_definition (#​6402)
• Add more SLE-15 stigs and CCE IDs to existing rules (#​6778)
• service_rsyncd_disabled - update package name to rsync-daemon (#​6783)
• Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#​6725)
• RHCOS4: Fix require_singleuser_auth rule (#​6780)
• ocp4: Add relevant description for protectKernelDefaults rule (#​6705)
• CIS 5.2, 5.4, and 5.6 updates (#​6704)
• Add documentation links for OL7 and OL8 (#​6756)
• Update OL OSPP profiles (#​6745)
• Change dhcp server package name to dhcp-server in rhel8 (#​6762)
• SLES-15-020101 add rule and tests, no remediation (#​6734)
• Add ansible and bash remediation for wireless_disable_interfaces (#​6685)
• ocp4: Switch to using the platforms construct (#​6759)
• Add rule for RHCOS to check for interactive boot being disabled (#​6747)
• Fix oracle documentation links (#​6740)
• implement support for multiple platforms connected with disjunction (#​6661)
• rhcos4: Add check for nousb kernel argument (#​6743)
• Add tests for no files unowned by user/group rules (#​6738)
• Add rule for checking selinux is not disabled in coreos (#​6737)
• ocp4/etcd: Fix rule checks for 4.8 (#​6732)
• Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#​6718)
• CIS 1.2.12: Add check and test for AlwaysPullImages (#​6714)
• CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#​6715)
• Updating macros to support idempotency when deduplicating values (#​6953)
• Fix Rule CPE Name inheritance (#​6943)
• Reorganize env and product yaml (#​6754)
• RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#​6787)
• rhcos4: Add recommended configuration and e2e test for logrotate (#​6788)
• RHCOS4: Add recommended auditd.conf remediation (#​6782)
• Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#​6453)
• Unmask service in service enable remediation, add test scenarios for service enable rules (#​6761)
• rhcos4: Add remediation and e2e test for auditing access to audit logs (#​6773)
• RHCOS4: Explicitly use OSPP profile for rules covered by it (#​6771)
• mount_option ansible remediation - remediate when mount point is not in mounted (#​6713)

Tests:

• install_vm.py: add possibility to install GUI system (#​7004)
• Improve the test suite wrapper (#​6944)
• Remove code from OCP4 e2e tests (#​6961)
• Add test scenarios for service enable/disable rules from CIS profile (#​6785)
• Missing references test (#​6849)
• Fix RHEL8 STIG with GUI stable profile data (#​6874)
• increase /usr partition size in testing kicstart (#​6808)
• Add Ubuntu as a known platform for ssg_test_suite (#​6794)
• Add package_* test scenarios (#​6752)
• Add tests for rule accounts_password_pam_minlen (#​6751)
• Add tests for rule accounts_no_uid_except_zero (#​6750)
• Add test for auditd_data_retention_admin_space_left_action and CIS profile (#​6775)
• Update tests of accounts_tmout to work when overriding profiles (#​6765)
• Update tests of account_disable_post_pw_expiration (#​6753)
• Add tests for rule account_unique_name (#​6749)
• accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#​6728)
• Switch to generic python shebang (#​6744)
• Add tests for rule no_netrc_files (#​6741)
• Add tests for rule accounts_minimum_age_login_defs (#​6735)
• Updated test scenarios to work on containers (#​6701)
• Add tests for rule accounts_password_warn_age_login_defs (#​6736)
• Add tests for rule set_password_hashing_algorithm_systemauth (#​6733)
• ocp4/moderate: Add e2e tests for rules that pass by default (#​6731)
• Add test scenarios for rsyslog rules (#​6712)
• set_firewalld_default test scenarios (#​6721)
• sysctl_net_* test scenarios (#​6696)
• rpm_verify_ownership test scenarios (#​6703)
• postfix_network_listening_disabled tests (#​6708)
• Ignore trailing whitespaces in the unique references test (#​6702)
• Make test suite tests more accessible (#​6675)
• mount_option_* test scenarios (#​6677)
• file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#​6687)
• kernel_module_* test scenarios (#​6684)
• Added test scenarios for partition rules (#​6676)

v0.1.55

Compare Source

Highlights:

• big update of rules used in SLES-12 STIG profile
• Render policy to HTML (#​6532)
• Add variable support to yamlfile_value template (#​6563)
• Introduce new template for dconf configuration files (#​6118)

Profiles changed in this release:

• ocp4: cis-node, cis, e8, moderate
• rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
• rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
• sle15: cis, standard
• debian10: anssi_np_nt28_average, standard
• debian9: anssi_np_nt28_average, standard
• fedora: pci-dss, standard
• ol7: pci-dss, stig, standard
• ol8: ospp, hipaa, standard, pci-dss, cjis
• rhcos4: e8, ospp, moderate
• rhv4: rhvh-stig, rhvh-vpp
• sle12: stig
• ubuntu1604: anssi_np_nt28_average, standard
• ubuntu1804: cis, anssi_np_nt28_average, standard
• ubuntu2004: standard
• wrlinux1019: draft_stig_wrlinux_disa

Profiles:

• remove ensure_logrotate_configured from CIS profiles (#​6693)
• configure_crypto_policy update for CIS profile (#​6673)
• remove kernel_module_vfat_disabled from CIS profiles (#​6613)
• E8 ocp revisions (#​6587)
• Update ANSSI profile descriptions (#​6592)
• Bump RHEL7 STIG version to v3r2 (#​6576)
• OL7 DISA STIG v2r1 update (#​6538)
• Select RHEL8 STIG V1R1 existing content (#​6579)
• OL7 DISA STIG v2r2 update (#​6607)
• Update OL standard profiles (#​6604)
• Update OL pci-dss profiles (#​6605)
• Remove auditd_data_retention_space_left from RHEL8 STIG profile (#​6615)
• remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#​6528)

Rules:

• Update selinux_confinement_of_daemons rule (#​6695)
• Adds classification-banner rule (#​6652)
• CIS 5.1 changes (#​6678)
• ocp4: Fix audit log forwarding rule (#​6680)
• CIS 5.1 and 5.2: More ocil updates (#​6689)
• Change instances of cis to cis@ocp4 for openshift (#​6654)
• Revert hardcoding of ClientAliveCountMax to 0 (#​6434)
• SLES-12 add checks and remediations (#​6635)
• Update ANSSI references (#​6662)
• Add missing CIS references (#​6660)
• move ssh_client_rekey_limit to correct group (#​6612)
• Fix STIG id reference for sshd_x11_use_localhost (#​6628)
• fix wrong description of sshd_limit_user_access (#​6623)
• mark some CIS rules as machine-only (#​6611)
• CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#​6435)
• ocp4: Add link to documentation for etcd encryption (#​6590)
• Drop remediation for sysctl_kernel_modules_disabled (#​6586)
• OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#​6547)
• CIS: Update api_server_request_timeout description and check (#​6572)
• add rhel7 stig specific rule for sshd approved macs (#​6546)
• Reassign a new unique CCE identifier to approved macs STIG rule (#​6564)
• add rhel7 stig specific rule for ssh ciphers (#​6541)
• sshd_set_keepalive PCI DSS requirement reference (#​6531)
• add rule sysctl_kernel_modules_disabled (#​6533)
• RHEL-07-040710 now configures X11Forwarding to disable (#​6537)
• add rule sshd_x11_use_localhost (#​6534)
• Added a rule for having commands with arguments in sudoers - ANSSI R63 (#​6525)
• fix remediations of ensure_logrotate_activated (#​6710)
• ocp4/e2e: fix classification_banner remediation (#​6679)
• ocp4: Add e2e for no_direct_root_logins (#​6621)
• rhcos4: Add remediations and rules to enable usbguard (#​6452)
• Require separate filesystem for /var/tmp (#​6523)
• Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#​6606)

Tests:

• fix test for smartcard_auth (#​6694)
• Fix test scenario of rpm_verify_permissions rule (#​6671)
• Supress Ansible lint error 503 (#​6542)
• Add test to check for duplicated STIG ids (#​6135)

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box.

---

This MR has been generated by Renovate Bot.