SCAP Security Guide release notes

The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

0.1.73

• ANSSI profiles were updated to better align with latest policy version 2.0 and to increase the policy coverage for the following products:
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
• STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 8 with V1R14
  • Red Hat Enterprise Linux 9 with V1R3
• The security_patches_up_to_date rule has been disabled, the result of evaluating this rule will be notchecked. Also, remediation for this rule is not part of the shipped content.
• Red Hat Enterprise Linux 8 notable bug fixes:
  • Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
  • Fix file path identification in Rsyslog configuration (RHEL-17202)
  • Use a correct chrony server address in STIG profiles (RHEL-1814)
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Correctly parse sudo options even if they are not quoted (RHEL-31976)
  • Ensure that web links within kickstart files are valid (RHEL-30735)
  • Align set of allowed SSH ciphers with STIG requirement (RHEL-29684)
  • Add a rule that enables auditing of files within /etc/sysconfig/network-scripts (RHEL-1093, RHEL-29308)
  • Remove a rule that restricts user namespaces from the STIG GUI profile (RHEL-10416)

0.1.72

• Update to CIS profiles aligning them with the latest benchmarks:
  • CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0 - 12-21-2023
  • CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 - 10-30-2023 (related ticket is RHEL-1314)
• PCI DSS profiles were aligned to the PCI DSS policy version 4.0 for the following products:
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8 (RHEL-1808)
  • Red Hat Enterprise Linux 9
• STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 7 with V3R14
  • Red Hat Enterprise Linux 8 with V1R13
  • Red Hat Enterprise Linux 9 with V1R2
• Red Hat Enterprise Linux 7 notable bug fixes:
  • Ensure that the rule audit_rules_privileged_commands does not report false positives caused by temporary files created by Dracut (RHEL-11938)
• Red Hat Enterprise Linux 8 notable bug fixes:
  • Increase compatibility of the accounts_tmout rule with more shells including ksh (RHEL-16896 and RHEL-1811)
  • Add a rule to terminate idle user sessions after a defined amount of time (RHEL-1801)
  • The rule ensure_pam_wheel_group_empty has been optimized for better performance, and the reported rule result is now clearer (RHEL-1905)
  • Prevent remediation of the display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
  • Other fixed bugs: RHEL-1313, RHEL-1817, RHEL-1819, RHEL-1820, RHEL-1904, RHEL-19127
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Check drop-in files in the /etc/systemd/journald.conf.d/ directory (RHEL-14484)
  • Disable remediation for /dev/shm mount options in offline mode (RHEL-16801)
  • Other fixed bugs: RHEL-1484, RHEL-1489, RHEL-17417, RHEL-17418

0.1.69

• ANSSI profiles were updated to version 2.0.
• Three new SCAP profiles were added for RHEL 9 aligned with the CCN-STIC-610A22 Guide:

• 0.1.69-3 update - available for RHEL 9.0.Z.EUS, RHEL 9.2.Z.EUS, and RHEL 9.3.Z
  • Align the RHEL 9 STIG profile with DISA STIG RHEL-1807

0.1.66

• Updated RHEL 8 STIG profiles
• Deprecated rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit

0.1.63

• New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
• Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change the rules hardening the PAM stack will not be applied if the PAM stack was edited by other means.

0.1.60

• Rules hardening the PAM stack now use authselect as the configuration tool.
• Tailoring files that define profiles which represent the differences between DISA STIG automated SCAP content and SCAP automated content (delta tailoring) are now supported.
• The rule xccdf_org.ssgproject.content_enable_fips_mode now checks only whether the FIPS mode has been enabled properly. It does not guarantee that system components have undergone FIPS certification.

0.1.54

• The Operating System Protection Profile (OSPP) has been updated in accordance with the Protection Profile for General Purpose Operating Systems for Red Hat Enterprise Linux 8.4.
• The ANSSI family of profiles based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. The content contains profiles implementing rules of the Minimum, Intermediary and Enhanced hardening levels.
• The Security Technical Implementation Guide (STIG) security profile has been updated, and it implements rules from the recently-released version V1R1.

0.1.50

• Ansible content has been improved: numerous rules contain Ansible remediations for the first time and other rules have been updated to address bug fixes.
• Fixes and improvements to the scap-security-guide content for scanning RHEL7 systems, including:
  • The scap-security-guide packages now provide a profile aligned with the CIS RHEL 7 Benchmark v2.2.0.
    Note that the rpm_verify_permissions rule in the CIS profile does not work correctly; see the BZ-1843913 - rpm_verify_permissions fails in the CIS profile known issue.
  • The SCAP Security Guide profiles now correctly disable and mask services that should not be started.
  • The audit_rules_privileged_commands rule in the scap-security-guide packages now works correctly for privileged commands.
  • Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer incorrectly fails.