SCAP Security Guide release notes

The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

0.1.75

  • The PCI-DSS profiles were updated to better align with PCI-DSS benchmark version 4.0.1 for the following products:
    • Red Hat Enterprise Linux 8
    • Red Hat Enterprise Linux 9
  • The STIG profiles were aligned with the latest DISA STIG policies:
    • Red Hat Enterprise Linux 8 with V2R1
    • Red Hat Enterprise Linux 9 with V2R2
  • Red Hat Enterprise Linux 8 notable bug fixes
    • Enhance detection of GRUB2 kernel command line arguments to cover more use cases (RHEL-53365)
  • Red Hat Enterprise Linux 9 notable bug fixes
    • Adjust rules related to sshd, ensure consistency in checked values and ensure that drop-in configuration files are checked (RHEL-38206)
    • Adjust mount_option_nodev_nonroot_local_partitions to work in Image Builder environments (RHEL-45018)
    • Add a rule checking for presence of chrony to CIS profiles (RHEL-60005)
    • Remove the rule sshd_use_priv_separation from STIG profiles (RHEL-66057)
    • Remediation of NetworkManager DNS mode now remediates value default (RHEL-53426)

0.1.74

  • The CIS profiles were updated to v2.0.0 for Red Hat Enterprise Linux 9.
  • Red Hat Enterprise Linux 8 and 9 notable bug fixes:
    • Ensure authselect features are preserved by the enable_authselect rule (RHEL-39383)
    • Fix checking for passwords last changed date (RHEL-47129)
    • Remediations of Journald configuration files now create correct .ini file sections (RHEL-38531)
    • Adjust service requirements for the CIS profiles (RHEL-23852)
    • Update password hashing settings for the ANSSI profiles (RHEL-44983), (RHEL-54390)
    • Improve Rsyslog rules to support the RainerScript syntax (RHEL-1816)
  • Red Hat Enterprise Linux 8 notable changes:
    • The ssg-rhel8-ds-1.2.xml and ssg-firefox-ds-1.2.xml data streams are no longer provided. They are replaced by symbolic links leading to the respective data streams (ssg-rhel8-ds.xml or ssg-firefox-ds.xml).
    • The Red Hat Enterprise Linux 7 content is no longer updated and remains in the state as provided in the 0.1.73 version.
  • Red Hat Enterprise Linux 9 notable changes:
    • The STIG profiles are not upgraded to V2R1 in this release because this STIG update touches only CCI references.

0.1.73

  • ANSSI profiles were updated to better align with the latest policy version, 2.0, and to increase the policy coverage for the following products:
    • Red Hat Enterprise Linux 7
    • Red Hat Enterprise Linux 8
    • Red Hat Enterprise Linux 9
  • STIG profiles were aligned with the latest DISA STIG policies:
    • Red Hat Enterprise Linux 8 with V1R14
    • Red Hat Enterprise Linux 9 with V1R3
  • The security_patches_up_to_date rule has been disabled; evaluating this rule now yields the result notchecked. Also, remediation for this rule is not part of the shipped content.
  • Red Hat Enterprise Linux 8 notable bug fixes:
    • Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
    • Fix file path identification in Rsyslog configuration (RHEL-17202)
    • Use a correct chrony server address in STIG profiles (RHEL-1814)
  • Red Hat Enterprise Linux 9 notable bug fixes:
    • Correctly parse sudo options even if they are not quoted (RHEL-31976)
    • Ensure that web links within kickstart files are valid (RHEL-30735)
    • Align set of allowed SSH ciphers with STIG requirement (RHEL-29684)
    • Add a rule that enables auditing of files within /etc/sysconfig/network-scripts (RHEL-1093, RHEL-29308)
    • Remove a rule that restricts user namespaces from the STIG GUI profile (RHEL-10416)

0.1.72

  • Update to CIS profiles aligning them with the latest benchmarks:
    • CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0 - 12-21-2023
    • CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 - 10-30-2023 (related ticket is RHEL-1314)
  • PCI DSS profiles were aligned to the PCI DSS policy version 4.0 for the following products:
    • Red Hat Enterprise Linux 7
    • Red Hat Enterprise Linux 8 (RHEL-1808)
    • Red Hat Enterprise Linux 9
  • STIG profiles were aligned with the latest DISA STIG policies:
    • Red Hat Enterprise Linux 7 with V3R14
    • Red Hat Enterprise Linux 8 with V1R13
    • Red Hat Enterprise Linux 9 with V1R2
  • Red Hat Enterprise Linux 7 notable bug fixes:
    • Ensure that the rule audit_rules_privileged_commands does not report false positives caused by temporary files created by Dracut (RHEL-11938)
  • Red Hat Enterprise Linux 8 notable bug fixes:
    • Increase compatibility of the accounts_tmout rule with more shells including ksh (RHEL-16896 and RHEL-1811)
    • Add a rule to terminate idle user sessions after a defined amount of time (RHEL-1801)
    • The rule ensure_pam_wheel_group_empty has been optimized for better performance, and the reported rule result is now clearer (RHEL-1905)
    • Prevent remediation of the display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
    • Other fixed bugs: RHEL-1313, RHEL-1817, RHEL-1819, RHEL-1820, RHEL-1904, RHEL-19127
  • Red Hat Enterprise Linux 9 notable bug fixes:

0.1.69

  • ANSSI profiles were updated to version 2.0.
  • Three new SCAP profiles were added for RHEL 9 aligned with the CCN-STIC-610A22 Guide:

    Profile name                                    Profile ID                                              Policy version
    CCN Red Hat Enterprise Linux 9 - Advanced       xccdf_org.ssgproject.content_profile_ccn_advanced       2022-10
    CCN Red Hat Enterprise Linux 9 - Basic          xccdf_org.ssgproject.content_profile_ccn_basic          2022-10
    CCN Red Hat Enterprise Linux 9 - Intermediate   xccdf_org.ssgproject.content_profile_ccn_intermediate   2022-10
  • 0.1.69-3 update - available for RHEL 9.0.Z.EUS, RHEL 9.2.Z.EUS, and RHEL 9.3.Z
    • Align the RHEL 9 STIG profile with the DISA STIG (RHEL-1807)

0.1.66

  • Updated RHEL 8 STIG profiles
  • Deprecated rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit

0.1.63

  • New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
  • Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change, the rules hardening the PAM stack will not be applied if the PAM stack was edited by other means.

0.1.60

  • Rules hardening the PAM stack now use authselect as the configuration tool.
  • Tailoring files that define profiles which represent the differences between DISA STIG automated SCAP content and SCAP automated content (delta tailoring) are now supported.
  • The rule xccdf_org.ssgproject.content_enable_fips_mode now checks only whether the FIPS mode has been enabled properly. It does not guarantee that system components have undergone FIPS certification.

0.1.54

  • The Operating System Protection Profile (OSPP) has been updated in accordance with the Protection Profile for General Purpose Operating Systems for Red Hat Enterprise Linux 8.4.
  • The ANSSI family of profiles, based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. The content contains profiles implementing rules of the Minimum, Intermediary and Enhanced hardening levels.
  • The Security Technical Implementation Guide (STIG) security profile has been updated, and it implements rules from the recently released version V1R1.

0.1.50

  • Ansible content has been improved: numerous rules contain Ansible remediations for the first time and other rules have been updated to address bug fixes.
  • Fixes and improvements to the scap-security-guide content for scanning RHEL7 systems, including:
    • The scap-security-guide packages now provide a profile aligned with the CIS RHEL 7 Benchmark v2.2.0.
      Note that the rpm_verify_permissions rule in the CIS profile does not work correctly; see the known issue BZ-1843913 (rpm_verify_permissions fails in the CIS profile).
    • The SCAP Security Guide profiles now correctly disable and mask services that should not be started.
    • The audit_rules_privileged_commands rule in the scap-security-guide packages now works correctly for privileged commands.
    • Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer incorrectly fails.