On 2-MAY the SSG v0.1-11 update was released, reflecting the inclusion
of DISA FSO feedback on the (then) Draft RHEL6 STIG and several OVAL
improvements. It was a huge milestone, driving us over 1,800 unique code
commits!

We've since had an additional 88 commits, largely around OVAL content
cleanup and the rewrite of combinefixes.py to handle parameters for
OpenSCAP remediation generation (thanks, Jeff!). User feedback also
prompted us to fix the build system when compiling on Fedora 18+ and the
upcoming RHEL release.

SSG v0.1-12 has been released to the EPEL repository to reflect these
recent bugfixes and enhancements. Download instructions are available on
the wiki:
https://fedorahosted.org/scap-security-guide/wiki/downloads

CHANGELOG:
$ git log --oneline --after={2013-05-02} --no-merges
fe2a0b6 Some corrections to the PAM cracklib guidance as follows:
corrected pam_cracklib.so line to include all discussed parame
532aeb8 Modified the DoD banner check to accept either a newline or
space between each word, as the RHEL5 version does. This al
ded2ef4 Created remediation template: create_services_disabled.py -
Based off OVAL services file
a96cdc3 Added sysctl remediation scripts - Updated template to reflect
proper naming of sysctl scripts
c3355eb Added bash templates directory, added sample sysctl script -
Makefile based off OVAL, same usage - CVS files point to
f75ad8d Module is freevxfs, not freevsfs
cd940ef Fix build of OpenStack and RHEVM3 parts on Fedora 18+
df19413 Fix build on Fedora 18+ and the upcoming RHEL release
2ddbbb7 Subexpression datatype shall equal to the variable datatype
4cd7650 Ok, to fix the "error" doing an evaluation for the various
umask checks, changed the following variables referenced in t
5fa190d changed a typo var_acocunts_umask_bashrc =>
var_accounts_umask_bashrc
7d772db Update from deprecated rpmverify_* to rpmverifyfile_* checks
2026606 made xccdf-addfixes insert all text and child nodes of a fix
d6703f4 rewrite of combinefixes.py to handle parameters for OpenSCAP
remedation generation
c13fafa incomplete support file for bash remediations * does at least
warn when undefined variable exists
f87d817 example remediation script which takes a parameter
24f2c2e Removing deprecated recurse="files" behavior
f078b8f Removing deprecated recurse=files behavior.
b12d669 Replacing deprecated <ind:environmentvariable_...> tags with
<ind:environmentvariable58_...> tags
5ed6dc2 Created OVAL for ensure_gpgcheck_never_disabled XCCDF rule
called nonexisting OVAL, created it.
0d69487 Renaming oval check no_rsh_trusted_host_files to
no_rsh_trust_files to match rule ID
295184c Adding check for no_netrc_files
e1aede3 Adding check for pam_lastlog.so
9c21556 additional copy editing
3fd9f3f copy editing
9db6e3d Renaming oval check no_rsh_trusted_host_files to
no_rsh_trust_files to match rule ID
4109078 Adding check for no_netrc_files
6f31c05 Adding check for pam_lastlog.so
0e15e2d Adding check for disabling GNOME thumbnailers in gconf
d10f08e modified makefile to remove test attestation from prose guide
-- revised
4f3ea5f corrections for typos in OVAL references
d50c71b removal of references to nonexistent OVAL for some NFS guidance
980f686 refine verify-references to deal only with OVAL compliance
checks for OVAL
6051ea6 removal of comments, reference to nonexistent OVAL
8251580 removal or correction of misnamed or obsolete OVAL checks
76e93ef removal of packages from check templates
69f31e0 Added backslash escapes to the warning texts to fix the RegEx,
replaced line breaks with newlines, and added some m
c22ed9c Added backslash escapes to the warning texts to fix the RegEx,
replaced line breaks with newlines, and added some more f
c58ac2b Fixing indenting for external variable line.
95d5a4b removal of unused OVAL checks
bcc1495 bugfixes for undisciplined renaming jaunt, missing OVAL references
9a378b9 removal of unused OVAL checks
3b82cf5 deletion of unused OVAL checks
6a89088 removal of commented text, some redundant/unnecessary Rules
from Profiles
9705192 deletion of unused/obsoleted OVAL checks (and commented out XCCDF)
36a75ec deletion of unused OVAL checks
48e9900 removal of unnecessary guidance from SSL section
7682f9c removal of commented/obsolete text from logging section
a1f2d30 removal of commented text, invalid CCE from root logins guidance
0a3577b update to NFS section (still perhaps incomplete)
1a3d854 changed Dovecot Rule to Group as it is guidance and not a
compliance check
fb4a29b removal of commented/obsolete items for base services
9a228d5 updates to the CCE verification script to be more informative
ff25fc9 cleanup of comments, unnecessary Rules in DNS (bind) service
7a16cda Deleting duplicate check for disabling IPv6
d9d1741 Minor typo, removing slash at end of description
330258c added version info for RHEL, URL for project
f36ecf3 removed some now-obsolete advice from samba
8d5ee52 added some clarifying text to the intro
6c9f047 removing some unnecessary (for compliance-focus) text from cups
de705e9 Updated service_tftpd_disabled As reflected from update to
template file
356405f Removed duplicate references to var_samba_private_directory
Updated OVAL to have unique IDs
034b8b3 Removed duplicate references object_etc_skel_files Updated
OVAL to have unique names
d609d6b Removed duplicate var_ssh_config_directory references Updated
OVAL to have unique names
8a7a3f3 Removed duplicate state_uid_root Updated OVAL to have unique names
e421d69 Modified template_OVAL_package_installed and
template_package_removed These files were causing build errors
regarding ob
1ae4c30 Removed duplicate references to var_accounts_user_umask
Assigned unique identifiers
ea10f13 Removed duplicate references to object_lib_modules_files
Assigned unique identifiers
882e341 Removed duplicate object_usr_lib64_files references Assigned
unique identifiers within OVAL
9d89e61 Removed duplicate object_usr_lib64_dir references Assigned
unique identifiers in OVAL
863aa19 Removed duplicate object_usr_lib_files references Assigned
unique identifiers to OVAL checks
714c3c1 Removed duplicate object_usr_lib_dir Updated OVAL to have
unique names
dffd29b Removed duplicates of object_lib64_files Updated OVAL to have
unique names
bc6fbcd Removed duplicate object_lib64_dir Updated OVAL checks to have
unique names
fe089dc Removed duplicate object_lib_files Updated OVAL checks for
unique names
7546f2e Removed duplicate object_lib_dir references Created unique
names in the OVAL templates
b376e27 Updated mount_option_* OVAL variable var_removable_partition
These OVAL files were using duplicate 'var_remove_partition
7fae707 Updated template_permissions to place FILEID into strings
e31dc7b Updated state_gid_0 to reflect per check naming
07380c0 Updated state_uid_0 names within OVAL Multiple OVAL checks
were using "state_uid_0" causing build errors. Updated so eve
f5b90ce Updated rpm_verify_hashes for OVAL 5.10 compliance The old
rpmverify_* is now depricated, updated check to rpmverifyfile
e3b5697 modified transform to only match test attestation
02a19e2 transform designed to remove the 'tested by' information
a330ccf deleting files for imprecise and obsolete OVAL checks, manual
remediation
ca71cde simplification of Postfix service configuration
14397cd Removing a newline to fix XHTML formatting
7d1ab28 deletion of manual audit profile, OVAL for obsolete ldap
server checks
d7f3ca4 removed obsolete LDAP guidance, checks