Releases: ansible-lockdown/RHEL8-CIS
CIS 3.0.0 - 1-10-2023
CIS Version: 3.0.0 10th November 2023
Remediate
- V3.0.0 release
- Pre-commit updates
- Many improvements to different controls
- Audit updates
- New workflow pipeline
AUDIT
- Audit only option added
- New goss binary now supported
- Audit variables tidied and moved
What's Changed
Final Benchmark 2.0.0 Release
CIS Version: 2.0.0 2-23-2022
Remediate
Issues closed and PRs merged - What's changed
- Pre-commit updates
- Many improvements to different controls
- ansible version to 2.11.1
AUDIT
- Audit only option added
- New goss binary now supported
- Audit variables tidied and moved
What's Changed
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #335
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #341
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #342
- use RHEL conf for chrony by @tomkuba in #343
- fix typo by @tomkuba in #344
- Jan24 updates to devel by @uk-bolly in #346
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #347
- Feb24 updates by @uk-bolly in #349
- Final V2.0.0 release to main by @uk-bolly in #350
New Contributors
Full Changelog: 2.5.2...v2.6
RHEL8 CIS - 2.0.0
- audit updates
- pre-commit added and several checks, pre-commit-ci added to repo to ensure content
- README updated
- Updates to container discovery and usage within benchmark
- linting
- aligned ansible version to 2.10.1 +
- home directories files change links
- improve passwd check for user only if using sudo; thanks to manish on the Discord community for highlighting the issue.
- thanks to @bbaassssiiee
- removed legacy tcp_wrappers information
- disable ipv6 options
  - #299
  - disable ipv6 for sshd - rhel8cis_ipv6_sshd_disable: false (default) - added to prelim
  - disable ipv6 for chrony - rhel8cis_ipv6_chrony_disable: false (default) - added to prelim
  - turn off ipv6 for localhost - rhel8cis_ipv6_disable_localhost: false (default) - refer https://access.redhat.com/solutions/8709
- #306
- #295 crypto policy option updates
- #296
- journald
- #320 - set files even if rsyslog chosen, thanks to @bbaassssiiee
What's Changed
- Fix for 3.1.3 and premediation/postmediation script calls by @cf-sewe in #317
- updated discord link by @uk-bolly in #318
- Alignment by @uk-bolly in #321
- Oct23 issues by @uk-bolly in #325
- updated the workflow version and galaxy setup by @uk-bolly in #328
- main release by @uk-bolly in #327
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #330
- Formatted task name fields to match playbook format by @BillSkiCO in #331
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #332
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #333
- Main Release by @uk-bolly in #334
New Contributors
- @pre-commit-ci made their first contribution in #330
- @BillSkiCO made their first contribution in #331
Full Changelog: 2.5.1...2.5.2
Beta test for pamd
thanks to @Crayeth
- #278
- Added new options to allow ipv6 rules if required although ipv6 disabled
  - rhel8cis_ipv6_sysctl_force (default: true)
  - thanks to @bbaassssiiee
- #279
- #280
- #281
- #284
- new option to allow manual changes to pamd files without using authconfig
  - rhel8cis_5_4_2_risks needs to be set to ACCEPT to run (default: NEVER)
Ansible Galaxy updates
release 2.2.0
Summary Review of Changes:
- rule 1.1.2.1 improvement
- molecule options added with wsl thanks to @bbaassssiiee
- updates to tags
- workflow updates
- lint updates
- new warning summary setup
What's Changed
- Issue 216 - dconf installed although not needed by @uk-bolly in #217
- Issue 215 by @uk-bolly in #218
- 4.2.3 and warnings by @uk-bolly in #219
- Fix for 5.6.2 - Remove unneeded whitespace in when clause by @cf-sewe in #221
- Warning summary improvement by @uk-bolly in #223
- Workflow update, lint by @uk-bolly in #224
- added missing control for audit by @uk-bolly in #229
- Oct update by @uk-bolly in #230
- November 2022 updates by @georgenalen in #240
- Jan 23 updates by @uk-bolly in #251
- Fix #253 by @Thulium-Drake in #254
- Pr 252 6 2 9 by @uk-bolly in #255
- Devel to main release March 23 by @uk-bolly in #256
- 1.1.2.1 conditional by @uk-bolly in #257
- Fix linting, adding Molecule scenarios for ubi8 container and WSL2 by @bbaassssiiee in #258
- updated tags by @uk-bolly in #259
- added oracle to readme by @uk-bolly in #260
- Feature: molecule verify -s localhost by @bbaassssiiee in #262
- Release to main by @uk-bolly in #265
Full Changelog: 2.1.0...2.2.0
Updates and improvements
CIS Version: 2.0.0
CIS Version Release Date: 2-23-2022
Issues Addressed:
@ccravens
- #160 - Ansible 2.12 Does Not Manage /etc/crontab
- #183 - should not/cannot edit /etc/crontab
- #204 - Added CentOS keys (PR)
- #180 - 1.4.1 Ensure bootloader password is set | always skipped
- #181 - 1.8.5 | Ensure automatic mounting of removable media is disabled | Typo
- #182 - /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official
- #185 - 4.2.1.x & 4.2.2.x
- #187 - 5.6.2 'rhel8cis_passwd' is undefined
- #192 - 5.6.2 locks out (almost) all non-system accounts, rather than system accounts
- #195 - Fix path for /etc/group control 6.1.5 (PR)
- #203 - 4.2.1.5 conflicts with itself on cron, auth logs
- #190 - Incorrect container detection fails certain tasks if executed in Podman
- #196 - Some handlers conflict with RHEL7-CIS handlers
- #198 - Fix #197 (PR)
- #200 - Versioned grub2cfg handler because it works differently in comparison to RHEL7-CIS (PR for issue #196 )
- #208 - Excluded nobody user from 6.2.10 (PR for issue #207)
- #186 - Audit not working audit_out_dir is not /var/tmp
@MindPointGroup (@uk-bolly and @georgenalen)
- #201 - fixed typo in 4.1.3.7 rule (PR)
- #205 - Improvements (PR for issues #185, #189, #190, #196, #200, #203, #204, and #206)
- #210 - Audit alignment (PR)
Enhancements:
- changed crypto to DEFAULT in defaults/main and updated as allowed option
- 3.4.1.2 - removed the enabled option, as it errors when the service is masked and the enable option is set
- github workflow added branch option to issues.
- Dynamic UID discovery
- several title updates and alignments
- logic and idempotence improvement
- tag updates and fixes
- removed config no longer used
- dynamic container discovery
- update container variables and usage
- firewall services audit template output now works with goss correctly
- firewall services included cockpit as default
- 4.2.2.1.4 - changed to be socket service as per documentation
- update to auditd template
  - uses facts and template new variable
  - update_audit_template (default false)
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement
- Added a warning comment managed by Ansible to all template files
Benchmark 2.0.0 updates and issue fixes
- CIS Version: 2.0.0 2-23-2022
Issues Addressed:
- #128 - Current 4.2.3 Ensure permissions on all logfiles are configured remediation will break RHEL8
- #132 - Tasks 1.1.15 - 1.1.17 skipped
- #138 - 4.1.17 Ensure the audit configuration is immutable - Not correct set
- #139 - CIS Control 5.2.13 incorrect value
- #141 - Running in check mode fails on task 6.2.20
- #142 - Remove extra quotes that break check mode
- #143 - Check mode labels missing
- #146 - Undefined variable in parse_etc_password.yml
- #147 - Section 6.2.8: file does not have argument warn
- #155 - Alternative to fail with incompatible OS
- #156 - Include statements deprecated in Ansible 2.12 - will be removed in 2.16
- #157 - Section 6.2.9 should not recurse
- #164 - Please add run_audit tag in tasks/main.yml
- #165 - ansible_distribution_major_version should be treated as a string and not as an integer
- #176 - "2.2.10" task uses the wrong when conditional and tags
Enhancements:
- Benchmarks 2.0.0 updates
Benchmark 1.0.1 updates
Final Benchmark 1.0.0 Release
- CIS Version: 1.0.0 9-30-2019
Issues Addressed:
- #84 - Error with 4.1.1.3/4.1.1.4
- #87 - Error with rhel8cis_rule_6_1_1
- #90 - Section 2.2.12 error "Could not find the requested service nfs: host" for NFS service
- #92 - CIS rules broken that use replace module
- #93 - 1.3.2 and 1.3.3 are not idempotent (conflicting check/result)
- #94 - 5.2.3 and 5.2.4 are not idempotent (use of command module)
- #101 - Unresolved merge conflict in section6/cis_6.1.x.yml
- #102 - 2.2.2 | PATCH | Ensure X Window System is not installed | remove packages if found
- #104 - SCORED | 5.4.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings
- #111 - item 6.2.7 fails with template error
- #112 - Unsupported parameters for (lineinfile) module: block, marker
- #113 - 5.7 ability to use sugroup if defined
- #119 - Add the ability to select CIS Levels
Enhancements:
- Linting for Galaxy