UNCLASSIFIED - NO CUI

Update dependency ComplianceAsCode/content to v0.1.57

renovate requested to merge renovate/complianceascode-content-0.x into development

This MR contains the following updates:

Package: ComplianceAsCode/content
Update type: patch
Change: 0.1.54 -> v0.1.57

Release Notes

ComplianceAsCode/content

v0.1.57

Highlights
  • CIS profile for RHEL 7 is updated
  • initial CIS profiles for Ubuntu 20.04
  • Major improvement of RHEL 9 content
  • new release process implemented using Github actions
New Rules and Profiles
  • Add rule sudo_add_passwd_timeout (#6984)
  • SLES-12-010420 and SLES-15-010510 rules (#7028)
  • SLES-15-010355 rule (#6947)
  • New rsyslog rule per RHEL-08-010070 STIG (#7114)
  • Add initial Ubuntu 20.04 CIS Profiles (#7181)
Updated Rules and Profiles
  • Update ANSSI policy metadata and undraft High Level (#6997)
  • Update cis sle15 profile to better represent the release version 1.0.0 (#7056)
  • Start splitting of rhel7 CIS (#7108)
  • Splitting rhel7 cis profile - section 2 (#7112)
  • Splitting rhel7 cis profile - section 3 (#7111)
  • splitting CIS rhel7 profile - section 4 (#7134)
  • Split RHEL 7 CIS profile - section 5 (#7193)
  • split CIS for rhel7 - section 6 (#7219)
Changes in Remediations
  • Add bash package installed macro (#7032)
  • Ansible playbook to role updates (#7042)
  • Add option to enable installation of individual ansible playbooks per rule (#7039)
  • Only enable ansible/yaml lint tests when playbooks are built (#7099)
  • ensure_pam_module_options now fix empty option value (#7116)
  • Fix bash remediation of sudo_defaults_option (#7146)
  • Fix regex in dconf ansible remediation (#7150)
Changes in Checks
  • Fix disable_users_coredumps's limits.d exists (#7030)
  • Fix oval check in uefi_no_removeable_media (#7067)
  • Add option_regex_suffix to sudo_defaults_option template (#7082)
Changes in the Infrastructure
  • Fix bugs in rule_dir_json.py (#6911)
  • Fix utilities after product move (#7113)
  • Fix kernel module disable template (#7086)
  • SSGTS: Jinja enablement for test cases (#7210)
Changes in the Test Suite
  • Fix SSG test suite support for setting variables (#7097)
  • SSGTS: Jinja enablement for test cases (#7210)

v0.1.56

Highlights:
  • Align ism_o profile with latest ISM SSP (#6878)
  • Align RHEL 7 STIG profile with DISA STIG V3R3
  • Creating new RHEL 7 STIG GUI profile (#6863)
  • Creating new RHEL 8 STIG GUI profile (#6862)
  • Add the RHEL9 product (#6801)
  • Initial support for SUSE SLE-15 (#6666)
  • add support for osbuild blueprint remediations (#6970)
Profiles changed in this release:
  • sle12: stig
  • sle15: cis, stig
  • rhel7: stig_gui, stig
  • rhel8: stig_gui, stig, ism_o
  • rhcos4: e8, anssi_bp28_minimal, moderate, anssi_bp28_intermediary, anssi_bp28_enhanced, ncp, anssi_bp28_high
  • ol7: e8, anssi_nt28_enhanced, anssi_nt28_intermediary, hipaa, cui, anssi_nt28_minimal, anssi_nt28_high, cjis, ospp
  • ol8: e8, anssi_bp28_minimal, hipaa, cui, anssi_bp28_intermediary, anssi_bp28_enhanced, cjis, anssi_bp28_high, ospp
  • rhv4: pci-dss
  • ocp4: cis-node, cis
  • rhel9: pci-dss
Profiles:
  • Add updated manual DISA STIG XML reference files (#6903)
  • rhcos4/e8: Use individual kernel module load audit rules (#6797)
  • rhcos4: Remove ssh crypto policy hardening from moderate policy (#6789)
  • bump rhel7 stig version to v3r3 (#6951)
  • remove no longer relevant rules from rhel7 stig (#6865)
  • Aligning and updating RHEL 8 STIG w/ V1R2 (#6927)
  • Update OL e8 profiles (#6840)
  • Remove rules related to gnome/dconf (#6884)
  • Ol cjis profiles (#6851)
  • Add PCI-DSS profile to RHV4 (#6867)
  • OL hipaa profiles (#6819)
  • Update OL cui profiles (#6818)
  • remove service_nfs_disabled sle15/profiles/cis.profile (#6803)
  • RHCOS4: Remove account_disable_post_pw_expiration from moderate profile (#6784)
  • rhcos4: Remove sssd configuration check from moderate profile (#6774)
  • RHCOS4: Remove rules that use rpmverifypackage_test (#6776)
  • RHCOS4: Remove instances of audit_rules_privileged_commands (#6769)
  • RHCOS: Temporarily remove UEFI password rule (#6757)
  • Add new rules to sle12/profiles/stig.profile (#6665)
  • Remove package_gssproxy_removed from STIG GUI profile (#6967)
  • Updating RHEL8 STIG profile for readability changes (#6856)
  • Remove harden_sshd_crypto_policy from RHEL8 STIG profile (#6858)
  • Select dconf_gnome_lock_screen_on_smartcard_removal in STIG profile (#6829)
Rules:
  • Disable anaconda remediation from package_gssproxy_removed to prevent blocking installation (#6993)
  • Remove audit_privileged_commands from RHEL7 STIG profile (#7008)
  • Fix grub2's /boot location for Debian, Ubuntu (#6986)
  • Add rules to remove setroubleshoot server and plugin packages (#6969)
  • SLES-15-010362 (#6968)
  • Fix groupowner/permissions for ubuntu2004 (#6979)
  • SLES-15-10352 rule (#6822)
  • Enable RHEL9 for kernel-related rules (#6966)
  • Enable SELinux rules for RHEL9 (#6959)
  • Move rule grub2_enable_iommu_force to use template (#6956)
  • Clarify what fixes for AIDE acl and xattrs do (#6960)
  • Merge duplicate disa (CCI) reference in package_audit_installed (#6964)
  • Adding new rule for RHEL-08-010294 (#6932)
  • Add OCIL to sshd_limit_user_access (#6836)
  • SLES-15-030390 add rule, remediation and test (#6802)
  • Add Rule for SLES-15-040382 (#6811)
  • RHCOS4: Enhance instructions to better reflect how to work with the platform (#6796)
  • RHCOS4: Add recommended chrony config (#6786)
  • Address NIST SP 800-32 control CM-8(3) with usbguard (#6949)
  • Prevent global references to use product-qualifiers (#6896)
  • OCP: Fix description of kubelet TLS cipher suites (#6900)
  • Enable the RHEL9 prodtype for rules that are expected to work the same on that system (#6890)
  • Update VSEL references to remove qualifier from global references (#6948)
  • SLES-15-010250 add rule, remediation and tests (#6879)
  • add sudo_restrict_privilege_elevation_to_authorized to rhel7 and rhel8 stig (#6866)
  • Add Rule for SLES-15-010140 & SLES-12-010100 (#6868)
  • Add Rule, Remediation and Test for SLES-15-030760 (#6869)
  • Revert STIG id for require_emergency_target_auth (#6928)
  • Remove bogus nist: FOO-1(a) references (#6917)
  • remove product specific disa and srg references (#6895)
  • ocp4: Enhance group ownership checks openvswitch processes pid files (#6914)
  • Fix usbguard match-all syntax for HID rule (#6909)
  • RHEL8 - ensuring stigid's and references are set where appropriate (#6864)
  • Notate that Ubuntu is a FIPS-certified OS (#6912)
  • OCP: Fix description and OCIL in proxy-kubeconfig rules (#6904)
  • update require_emergency_target_auth (#6894)
  • add sudoers_validate_passwd to rhel7 and rhel8 stig profiles (#6897)
  • Add Rule, Test for SLES-15-020103 (#6881)
  • Prevent unqualified CIS and STIGID references (#6871)
  • SLES-15-030520 add to existing rule, audit_rules_kernel_module_loadin… (#6877)
  • Add rules related to permissions of /var/log and /var/log/messages (#6861)
  • SLES-15-010220 updates for firewalld (#6831)
  • Add OL anssi profiles (#6817)
  • update accounts_tmout (#6839)
  • SLES-15-030730 'Record Unsuccessful Delete Attempts to Files - renameat2' (#6826)
  • add rule for disabling of GUI (#6860)
  • Add rules for SLES-12-010060 (#6806)
  • CIS: Add OCIL to kubelet_configure_tls_cipher_suites (#6835)
  • fix service_sshd_enabled for SLE-15 (#6830)
  • RHCOS4: Add relevant instructions and e2e test for banner_etc_issue (#6827)
  • Add HIPAA rules references (#6854)
  • RHCOS/OCP: Add more detailed instructions for more OCIL instances (#6838)
  • Add CCI reference to package_gssproxy_removed (#6846)
  • Remove sshd_allow_only_protocol2 from RHEL8 STIG (#6845)
  • SLES-15-010353 map rule file_ownership_library_dirs (#6820)
  • Add CCEs for RHEL9 rsyslog rules (#6832)
  • SLES-15-010030 rule (#6821)
  • SLES-12-030310, SLES-15-010410 'Ensure real-time clock is set to UTC' (#6767)
  • Add dconf_gnome_lock_screen_on_smartcard_removal to cover RHEL-08-020050 (#6824)
  • OCP4: Add applicability warnings (#6823)
  • service_nfs_disabled - change name of nfs service to nfs-server (#6777)
  • Add SLES-12-010080 & SLES-15-010120 to dconf_gnome_screensaver_idle_delay (#6770)
  • OCP4: Address flowschema version change by handling different OCP versions (#6813)
  • Abort the build if an OVAL is not included due to extend_definition (#6402)
  • Add more SLE-15 stigs and CCE IDs to existing rules (#6778)
  • service_rsyncd_disabled - update package name to rsync-daemon (#6783)
  • Add rules from the Policy to profiles based on prodtype (Includes DRAFT ANSSI profiles for RHCOS) (#6725)
  • RHCOS4: Fix require_singleuser_auth rule (#6780)
  • ocp4: Add relevant description for protectKernelDefaults rule (#6705)
  • CIS 5.2, 5.4, and 5.6 updates (#6704)
  • Add documentation links for OL7 and OL8 (#6756)
  • Update OL OSPP profiles (#6745)
  • Change dhcp server package name to dhcp-server in rhel8 (#6762)
  • SLES-15-020101 add rule and tests, no remediation (#6734)
  • Add ansible and bash remediation for wireless_disable_interfaces (#6685)
  • ocp4: Switch to using the platforms construct (#6759)
  • Add rule for RHCOS to check for interactive boot being disabled (#6747)
  • Fix oracle documentation links (#6740)
  • implement support for multiple platforms connected with disjunction (#6661)
  • rhcos4: Add check for nousb kernel argument (#6743)
  • Add tests for no files unowned by user/group rules (#6738)
  • Add rule for checking selinux is not disabled in coreos (#6737)
  • ocp4/etcd: Fix rule checks for 4.8 (#6732)
  • Updated CIS references to align with RHEL7 v2.2.0 and RHEL8 v1.0.0 benchmarks (#6718)
  • CIS 1.2.12: Add check and test for AlwaysPullImages (#6714)
  • CIS: Fix api_server_admission_control_plugin_AlwaysAdmit value (#6715)
  • Updating macros to support idempotency when deduplicating values (#6953)
  • Fix Rule CPE Name inheritance (#6943)
  • Reorganize env and product yaml (#6754)
  • RHCOS4: Remediation and e2e test for disable_ctrlaltdel_reboot (#6787)
  • rhcos4: Add recommended configuration and e2e test for logrotate (#6788)
  • RHCOS4: Add recommended auditd.conf remediation (#6782)
  • Add extended definition to check for OpenSSH 7.4 in sshd_disable_compression (#6453)
  • Unmask service in service enable remediation, add test scenarios for service enable rules (#6761)
  • rhcos4: Add remediation and e2e test for auditing access to audit logs (#6773)
  • RHCOS4: Explicitly use OSPP profile for rules covered by it (#6771)
  • mount_option ansible remediation - remediate when mount point is not in mounted (#6713)
Tests:
  • install_vm.py: add possibility to install GUI system (#7004)
  • Improve the test suite wrapper (#6944)
  • Remove code from OCP4 e2e tests (#6961)
  • Add test scenarios for service enable/disable rules from CIS profile (#6785)
  • Missing references test (#6849)
  • Fix RHEL8 STIG with GUI stable profile data (#6874)
  • increase /usr partition size in testing kickstart (#6808)
  • Add Ubuntu as a known platform for ssg_test_suite (#6794)
  • Add package_* test scenarios (#6752)
  • Add tests for rule accounts_password_pam_minlen (#6751)
  • Add tests for rule accounts_no_uid_except_zero (#6750)
  • Add test for auditd_data_retention_admin_space_left_action and CIS profile (#6775)
  • Update tests of accounts_tmout to work when overriding profiles (#6765)
  • Update tests of account_disable_post_pw_expiration (#6753)
  • Add tests for rule account_unique_name (#6749)
  • accounts_umask_etc_* and accounts_password_pam_minclass test scenarios (#6728)
  • Switch to generic python shebang (#6744)
  • Add tests for rule no_netrc_files (#6741)
  • Add tests for rule accounts_minimum_age_login_defs (#6735)
  • Updated test scenarios to work on containers (#6701)
  • Add tests for rule accounts_password_warn_age_login_defs (#6736)
  • Add tests for rule set_password_hashing_algorithm_systemauth (#6733)
  • ocp4/moderate: Add e2e tests for rules that pass by default (#6731)
  • Add test scenarios for rsyslog rules (#6712)
  • set_firewalld_default test scenarios (#6721)
  • sysctl_net_* test scenarios (#6696)
  • rpm_verify_ownership test scenarios (#6703)
  • postfix_network_listening_disabled tests (#6708)
  • Ignore trailing whitespaces in the unique references test (#6702)
  • Make test suite tests more accessible (#6675)
  • mount_option_* test scenarios (#6677)
  • file_*_grub2_ctg and dir_perms_world_writable_sticky_bits test scenarios (#6687)
  • kernel_module_* test scenarios (#6684)
  • Added test scenarios for partition rules (#6676)

v0.1.55

Highlights:
  • big update of rules used in SLES-12 STIG profile
  • Render policy to HTML (#6532)
  • Add variable support to yamlfile_value template (#6563)
  • Introduce new template for dconf configuration files (#6118)
Profiles changed in this release:
  • ocp4: cis-node, cis, e8, moderate
  • rhel7: cis, ospp, hipaa, anssi_nt28_enhanced, rht-ccp, C2S, anssi_nt28_high, anssi_nt28_intermediary, anssi_nt28_minimal, pci-dss, rhelh-stig, cjis, rhelh-vpp, stig
  • rhel8: cis, ospp, hipaa, anssi_bp28_enhanced, anssi_bp28_minimal, e8, pci-dss, anssi_bp28_high, rht-ccp, cjis, stig, anssi_bp28_intermediary
  • sle15: cis, standard
  • debian10: anssi_np_nt28_average, standard
  • debian9: anssi_np_nt28_average, standard
  • fedora: pci-dss, standard
  • ol7: pci-dss, stig, standard
  • ol8: ospp, hipaa, standard, pci-dss, cjis
  • rhcos4: e8, ospp, moderate
  • rhv4: rhvh-stig, rhvh-vpp
  • sle12: stig
  • ubuntu1604: anssi_np_nt28_average, standard
  • ubuntu1804: cis, anssi_np_nt28_average, standard
  • ubuntu2004: standard
  • wrlinux1019: draft_stig_wrlinux_disa
Profiles:
  • remove ensure_logrotate_configured from CIS profiles (#6693)
  • configure_crypto_policy update for CIS profile (#6673)
  • remove kernel_module_vfat_disabled from CIS profiles (#6613)
  • E8 ocp revisions (#6587)
  • Update ANSSI profile descriptions (#6592)
  • Bump RHEL7 STIG version to v3r2 (#6576)
  • OL7 DISA STIG v2r1 update (#6538)
  • Select RHEL8 STIG V1R1 existing content (#6579)
  • OL7 DISA STIG v2r2 update (#6607)
  • Update OL standard profiles (#6604)
  • Update OL pci-dss profiles (#6605)
  • Remove auditd_data_retention_space_left from RHEL8 STIG profile (#6615)
  • remove accounts_passwords_pam_faillock_enforce_local from rhel8 stig (#6528)
Rules:
  • Update selinux_confinement_of_daemons rule (#6695)
  • Adds classification-banner rule (#6652)
  • CIS 5.1 changes (#6678)
  • ocp4: Fix audit log forwarding rule (#6680)
  • CIS 5.1 and 5.2: More ocil updates (#6689)
  • Change instances of cis to cis@ocp4 for openshift (#6654)
  • Revert hardcoding of ClientAliveCountMax to 0 (#6434)
  • SLES-12 add checks and remediations (#6635)
  • Update ANSSI references (#6662)
  • Add missing CIS references (#6660)
  • move ssh_client_rekey_limit to correct group (#6612)
  • Fix STIG id reference for sshd_x11_use_localhost (#6628)
  • fix wrong description of sshd_limit_user_access (#6623)
  • mark some CIS rules as machine-only (#6611)
  • CIS Benchmark 4.2.13 (kubelet_configure_tls_cipher_suites) (#6435)
  • ocp4: Add link to documentation for etcd encryption (#6590)
  • Drop remediation for sysctl_kernel_modules_disabled (#6586)
  • OCP4/CIS 3.1.1: Write rule to ensure IdP has been configured (#6547)
  • CIS: Update api_server_request_timeout description and check (#6572)
  • add rhel7 stig specific rule for sshd approved macs (#6546)
  • Reassign a new unique CCE identifier to approved macs STIG rule (#6564)
  • add rhel7 stig specific rule for ssh ciphers (#6541)
  • sshd_set_keepalive PCI DSS requirement reference (#6531)
  • add rule sysctl_kernel_modules_disabled (#6533)
  • RHEL-07-040710 now configures X11Forwarding to disable (#6537)
  • add rule sshd_x11_use_localhost (#6534)
  • Added a rule for having commands with arguments in sudoers - ANSSI R63 (#6525)
  • fix remediations of ensure_logrotate_activated (#6710)
  • ocp4/e2e: fix classification_banner remediation (#6679)
  • ocp4: Add e2e for no_direct_root_logins (#6621)
  • rhcos4: Add remediations and rules to enable usbguard (#6452)
  • Require separate filesystem for /var/tmp (#6523)
  • Add /boot options to ANSSI kickstarts and remediation for mount_option_nodev_nonroot_local_partitions (#6606)
Tests:
  • fix test for smartcard_auth (#6694)
  • Fix test scenario of rpm_verify_permissions rule (#6671)
  • Suppress Ansible lint error 503 (#6542)
  • Add test to check for duplicated STIG ids (#6135)

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

This MR has been generated by Renovate Bot.