Fedora 39 Update: scap-security-guide-0.1.74-1.fc39

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-5c5ca81710
2024-08-22 01:09:05.273175
--------------------------------------------------------------------------------

Name        : scap-security-guide
Product     : Fedora 39
Version     : 0.1.74
Release     : 1.fc39
URL         : https://github.com/ComplianceAsCode/content/
Summary     : Security guidance and baselines in SCAP formats
Description :
The scap-security-guide project provides a guide for configuring the
system from a security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The system
administrator can use the oscap CLI tool from the openscap-scanner package, or
the scap-workbench GUI tool from the scap-workbench package, to verify that the
system conforms to the provided guideline. Refer to the scap-security-guide(8)
manual page for further information.

--------------------------------------------------------------------------------
Update Information:

Important Highlights
Add Amazon Linux 2023 product (#12006)
Introduce new remediation type Kickstart (#12144)
Make PAM macros more flexible to variables (#12133)
Remove Debian 10 Product (#12205)
Remove Red Hat Enterprise Linux 7 product (#12093)
Update CIS RHEL9 control file to v2.0.0 (#12067)

New Rules and Profiles
Add initial RHEL 10 CIS profiles (#12075)
Add new rule audit_rules_var_log_journal (#11920)
Add new rule file_permissions_var_log_audit_stig (#11966)
Add new rule install_endpoint_security_software (#11970)
Add new rules package_ntp_removed, package_timesyncd_removed (#11831)
Add rule dir_groupowner_system_journal (#11838)
Add rule dir_owner_system_journal (#11839)
Add rule file_group_ownership_var_log_audit_stig (#11924)
Add rule file_groupowner_journalctl (#11841)
Add rule file_owner_journalctl (#11835)
Add rule file_permissions_etc_audit_rules (#11959)
Add rule file_permissions_journalctl (#11834)
Check ufw is active (#11984)
Defined notes and Rules for BSI APP.4.4.A6-7 (#11794)
Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
Initial HIPAA RHEL 10 Profile (#11915)
Initial ISM O RHEL 10 Profile (#11994)
Initial OSPP Control File (#11882)
Initial RHEL 10 e8 Profile (#11976)

Updated Rules and Profiles
Add package_rng-tools_installed to Fedora OSPP profile (#12246)
Add package_firewalld_installed to CCN and enable CCN Advanced profile test in
  CI (#12139)
Add CCEs to RHEL 10 Rules (#12113)
Add draft status to all RHEL 10 profiles (#12224)
Add missing rule package_pam_pwquality_installed to Ubuntu 22.04 CIS profile
  (#11968)
Add SSH related STIG rule to slmicro5 platform (#12193)
Align audit_xattr rules with Ubuntu 22.04 STIG (#11975)
Align sshd_use_approved_ciphers_ordered_stig with Ubuntu STIG (#11983)
Align sshd_use_approved_macs_ordered_stig with Ubuntu STIG (#11853)
Better description and test scenarios for set_nftables_table (#11991)
CMP-2455: PCI-DSS v4 Requirement 3 (#11951)
CMP-2456: PCI-DSS v4 Requirement 4 (#12002)
CMP-2457: PCI-DSS v4 Requirement 5 (#12045)
Correct the platform for rule package_iptables-persistent_removed (#12195)
Disable OSPP Profile for RHEL 10 (#12223)
Disable remediation for smartcard_pam_enabled on Ubuntu 22.04 (#11988)
Enable dconf profiles in Ubuntu CIS/STIG profiles (#11874)
Ensure code consistency by using aide_conf_path var (#12066)
Ensure that security_patches_up_to_date is not built with remediations (#11995)
Exclude package_screen_installed from RHEL 10 OSPP (#12179)
Fix banner_etc_issue_net in Ubuntu 22.04 (#12036)
Fix dirs in sysctl template for Ubuntu 20.04/22.04 (#11862)
Fix missing variable for Ubuntu 22.04 (#11973)
Fix package name for libpam-pkcs11 on Ubuntu (#11854)
Fix package_dnf-plugin-subscription-manager_installed in RHEL 10 (#12180)
Fix pwquality package name for Ubuntu 22.04 (#11919)
Fix rule file_permissions_backup_etc_shadow for SLE15/SLE12 (#12047)
Fix rule name in Ubuntu 22.04 STIG profile (#11971)
Fix value syntax for rule dconf_gnome_disable_ctrlaltdel_reboot (#11913)
Guide/anssi r45 (#12129)
increase coverage RHEL-08-010770 and RHEL-07-020710 (#11892)
Make the behavior of chronyd_sync_clock rule more consistent (#12039)
Modify rule file_groupowner_system_journal (#11836)
Move to default crypto policy for RHEL10 for CIS Profiles (#12187)
OCPBUGS-1316: Add missing variable reference to rules (#12012)
OCPBUGS-31510: change the analysis to not include ImageStreamTag (#11783)
OCPBUGS-33945: select required SSHD timeout rule (#12091)
OSPP profile, use Logind session timeout feature instead of tmux (#12212)
Override few variables for Ubuntu 22.04 (#11928)
remove logind_session_timeout from stig_gui profiles (#12086)
Remove rhel7 only rules (#12112)
Revert changes to no_empty_passwords for Ubuntu (#11918)
Slmicro5 stig add privileged commands support (#12221)
Support all boolean values in dnf.conf (#11965)
Update rules related to PAM hashing algorithm (#12164)
Update SLE15 STIG version to V1R13 (#11921)
Updated 10 rules to support SLE Micro 5 (#12210)

Removed Products
Remove Debian 10 Product (#12205)
Remove Red Hat Enterprise Linux 7 product (#12093)

Changes in Remediations
Improve remediation for enable_authselect (#12038)
Achieve consistent file and directory permissions for systemd journals (#11974)
Add ansible automation for configure_usbguard_auditbackend (#12092)
Add ansible remediation for account_password_selinux_faillock_dir (#12094)
Add ansible remediation for accounts_user_dot_no_world_writable_programs rule
  (#12213)
Add ansible remediation for no_tmux_in_shells rule (#12138)
add namespace parameter for cluster-test (#11824)
Add SCE check for ufw_rate_limit for Ubuntu (#11998)
Add when conditional to Ansible remediation of sssd_enable_pam_services (#11982)
Adjust bash template (group)file_owner to follow symlinks (#12214)
align template systemd_dropin_configuration (#12054)
Create dconf db directory for local profile (#12079)
Create file if it doesn't exist for coredump rules (#12181)
Ensure that security_patches_up_to_date is not built with remediations (#11995)
Fix bash_package_installed macro (#12140)
Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
Fix crony.d config directory in Ansible in rule chronyd_or_ntpd_set_maxpoll
  (#11958)
Fix permissions for dconf db on Ubuntu (#12056)
Fix Ubuntu faillock (#11932)
Introduce new remediation type Kickstart (#12144)
Modify ubuntu remediation for dconf_gnome_banner_enabled (#12042)
Set correct permissions in macro bash_enable_dconf_user_profile (#12051)
Simplify use of ansible_ensure_pam_module_option macro (#12159)
Slmicro5 auth,security and audit STIG rules (#12192)
templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
Update ansible remediation CCE-85972-8 to support idempotency (#12152)
Update rules related to PAM hashing algorithm (#12164)

Changes in Checks
Disable check for 'auditd_audispd_configure_sufficiently_large_partition' on
  Ubuntu 22.04 (#11969)
Fix broken OVAL metadata (#12151)
Fix config paths and regex for auditd_audispd_configure_remote_server (#11857)
Fix OVAL for rule apt_conf_disallow_unauthenticated (#11863)
Honour the no_quotes parameter of oval_check_dropin_file macro (#12173)
Improve OVAL readability in
  auditd_audispd_configure_sufficiently_large_partition (#12083)
Improve Rsyslog rules to support RainerScript syntax (#12010)
Slmicro5 auth,security and audit STIG rules (#12192)
templates: add rhel10 to conditional macros where rhel9 is mentioned (#12156)
Update OVAL check in accounts_password_last_change_is_in_past (#12177)
Update rules related to PAM hashing algorithm (#12164)

Changes in the Infrastructure
Add a script for finding unused rules (#12110)
Add option to build per rule playbook via build_product script (#12105)
Allow multiple control files to add the same reference type (#12165)
Ensure that RHEL 10 has CCEs (#12137)
Expand CCE Available Test to OCP4 (#12114)
Fix Filename for UBI test (#12115)
Fix Nightly Build - Debian 12 (#12033)
Improve error handling when loading yaml stream (#11962)
Include product property in profile class (#12050)
Install dependency "xmllint" package (#12080)
Mark some scenarios as specific to SCE (#12052)
OCP Update variable filter to consider go_template (#11906)
Remove duplicate product (#12049)
Review and reorganize CMakeLists.txt file (#12000)
Show most used rules of component (#12001)
Stop building -ds-1.2.xml data streams (#11990)
Update Gating (#12041)

Changes in the Test Suite
Add accounts_password_set_max_life_root to unselect_rules_list (#11981)
Add Ubuntu 22.04 Automatus workflow (#12058)
Automatus to UBI 8 (#12100)
Better description and test scenarios for set_nftables_table (#11991)
Clean Up Tests Due to RHEL 7 Removal (#12101)
Disable service_enabled templated test for service_bluetooth_disabled (#12211)
Do not run package_audit-libs_installed package removal test scenarios (#12099)
Fix crypto policy in CIS test scenario (#12098)
Fix OL7 GH Action (#12143)
Fix platforms -> platform in test metadata (#12057)
Fix regex in file_ownership_audit_configuration (#12029)
Fix tests for sssd_offline_cred_expiration for Ubuntu (#11953)
Github Action Ansible shell module changes check (#12014)
Include test scenario for multiple partitions (#11950)
Make Rawhide CI Green (#12065)
OCP4: Add workflow to test ocp content (#11615)
OCP4: use new assertion format for OCP CI (#11790)
Pin GitHub actions using Frizbee (#12082)
Populate _rule_id virtual template parameter in Automatus (#11943)
Remove the excluded_files (#12196)
Validate Automatus Metadata (#12059)

Documentation
Add script to Create a Control file from references (#11916)
Additional updates in kernel_module_disabled template (#12160)
Bump version after release (#12025)
Fix a typo (#12017)
Fix typos in notes for ocp4 controls (#11963)
Update Contributors for v0.1.74 (#12225)
Update control schema (#11942)
Update RHEL 8 STIG SCAP Content to V1R13 (#12219)
--------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 12 2024 Matthew Burket <mburket@xxxxxxxxxx> - 0.1.74-1
- Update to latest upstream release
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.74
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-5c5ca81710' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
