testing

scap-security-guide-0.1.76-1.fc42

FEDORA-2025-2e96b6f62c created by evgenyz 3 months ago for Fedora 42

Important Highlights

  • Add new product for Ubuntu 24.04 and draft CIS profiles (#12611)
  • Add pyproject.toml for the ssg package (#12604)
  • AlmaLinux OS 9 as a new product (#12810)
  • Documentation for ssg library (#12606)
  • Extend SSG library to more easily collect profile selections (#12797)
  • Extend SSG with functions to manage variables (#12717)

New Rules and Profiles

  • A new rule system_boot_in_fips_mode (#12671)
  • Add a default profile for Ubuntu2404 to add all rules to the datastream (#13023)
  • Add ccn profile to OL9 (#12759)
  • Add new rule journald_disable_forward_to_syslog (#12674)
  • Add new rule logging_services_active (#12857)
  • Add new rule no_nologin_in_shells (#12835)
  • Add new rule service_dhcpd6_disabled (#12627)
  • Add new rule service_dnsmasq_disabled (#12628)
  • Add new rule service_nginx_disabled (#12629)
  • Add new rules to replace audit_rules_mac_modification on Ubuntu (#12828)
  • add new stig rule accounts_password_pam_pwquality_retry (#12965)
  • Add rules for installing pam-runtime and pam-modules to Ubuntu 24.04 (#12904)
  • Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
  • Clean Up Opensc Rules in RHEL 10 (#12738)
  • Create Public Cloud Hardening profile for SLE Micro5 (#12817)
  • Implement audit rules for nsswitch.conf, pam.conf and pam.d (#12724)
  • Implement new rule firewall_single_service_active (#12822)
  • Implement rule accounts_umask_root (#12721)
  • Implement rule groups_no_zero_gid_except_root (#12720)
  • Implement rules for /etc/security/opasswd permissions (#12693)
  • New rule package_unbound_removed (#12699)
  • rhel10: use new rule for auditing of changes to selinux configuration (#12826)

Updated Rules and Profiles

  • Update RHEL 8 STIG to V2R1 (#12924)
  • Fixes related to STIG and SSH cryptopolicy (#13025)
  • Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS (#12974)
  • Add new variable to set_password_hashing_min_rounds_logindefs rule (#12923)
  • Add package_ypbind_removed to e8 profile to OL8 (#12957)
  • Add ubuntu specific check and remediation for aide_periodic_checking_systemd_timer (#12733)
  • Adjust journald rules for RHEL 10 (#12754)
  • Adjust two filesystem permission rules to 600 (#12737)
  • Adjust wording in kerberos_disable_no_keytab (#12739)
  • Alma9 more changes (mk2) (#12905)
  • audit_immutable_login_uids: remove stig-specific content (#12676)
  • Clean Up Opensc Rules in RHEL 10 (#12738)
  • Define var_user_initialization_files_regex on Ubuntu 24.04 (#12960)
  • Exclude autrace and audispd on RHEL 10 (#12736)
  • Fix audit access rules in ISM_O (#12670)
  • Fix mistake done in PR #12714 (#12741)
  • Fix package and service name overrides for Ubuntu 24.04 (#12913)
  • Fix RHEL 10 DISA and SRG References (#12944)
  • Fix RHEL 10 ISM profile fails in Image Mode (#12836)
  • Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
  • Fix rule ip6tables_rules_for_open_ports and add to ubuntu2404 controls (#12666)
  • Fix the bash conditional for checking system architecture (#12815)
  • Fix variable name in Ubuntu 22.04 CIS profiles (#12982)
  • gdm package cannot be removed in stig_gui profile (#12915)
  • Improve rule file_permissions_ungroupowned for use in bootable containers (#12584)
  • Refactor ubuntu oval for audit_rules_networkconfig_modification (#12722)
  • Remove not applicable rules for OL8 & OL9 (#12558)
  • Remove old rules from RHEL 10 profiles (#12697)
  • Remove package_quagga_removed from RHEL 10 profiles (#12589)
  • Remove RHEL-08-020220 and RHEL-08-020221 from the RHEL 8 STIG (#12805)
  • Remove service_chronyd_or_ntpd_enabled from RHEL 10 (#12756)
  • remove sshd_use_priv_separation from hipaa control file (#12591)
  • require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
  • require_singleuser_auth:update prose (#12864)
  • RHEL 10 Kernel Config and Module Clean Up (#12712)
  • RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational (#12824)
  • rhel8 STIG: update password hashing rounds (#12948)
  • RHEL8 STIG: update SSH algorithms (#12949)
  • Switch to _guard_var templates for timesync rules on Ubuntu 24.04 (#12903)
  • Switch to CIS-specific banner rules for Ubuntu 24.04 CIS (#12619)
  • Update sssd_enable_smartcards for RHEL 10 (#12882)
  • update audit_ospp_general with the latest content (#12579)
  • Update mount_option_proc_hidepid to include OL9 product (#12917)
  • Update Ol10 profiles (#12833)
  • Update package_gssproxy_removed based on feedback (#12725)
  • Update profiles ol8 (#12890)
  • Update RHEL 10 GPG Keys (#12744)
  • Update RHEL 9 STIG to V2R3 (#12922)
  • Update set_password_hashing_algorithm_passwordauth for RHEL 10 STIG (#12758)
  • Update several controls and variables for Ubuntu 24.04 CIS (#12624)
  • Update several controls for Ubuntu 24.04 CIS (#12912)
  • Update SRG GPOS to V3R2 (#12943)
  • Update ubuntu2404 CIS control 2.3.2.1 (#12637)
  • Update X Servers Rules for Wayland (#12897)
  • Use yescrypt in RHEL 10 (#12743)

Changes in Remediations

  • Fix set_password_hashing_min_rounds_logindefs (#12998)
  • Add systemd check if it is running for systemctl start commands (#12918)
  • Adjust set_password_hashing_algorithm_* for RHEL 10 (#12782)
  • Adjust ansible_audit_augenrules_add_syscall_rule to 600 (#12786)
  • Firewall technology related rules per service and package change logic according to interactive profile variable (#11818)
  • Fix display_login_attempts (#12603)
  • Fix dpkg package applicability check in bash (#12873)
  • Fix file_permissions_etc_audit_rulesd in Image Mode (#12855)
  • Fix path to timesyncd.conf for sle15 (#12919)
  • Fix sssd_enable_smartcards (#12600)
  • Some small patches for SLE15 CIS related remediations (#12921)
  • Update ensure_logrotate_activated for image mode (#12645)

Changes in Checks

  • Adjust OVAL for directory_permissions_var_log_audit (#12631)
  • Fix file_permissions_unauthorized_sgid (#12602)
  • Fix path to timesyncd.conf for sle15 (#12919)
  • Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
  • Improve OVAL and tests for accounts_password_pam_unix_authtok (#12868)
  • Improve regex in sudo_defaults_option oval (#12673)
  • Improve rule file_permissions_ungroupowned for use in bootable containers (#12584)
  • Update ensure_logrotate_activated for image mode (#12645)
  • Use nss-altfiles in file_groupowner_etc_chrony_keys (#12789)

Fixed Bugs

  • Remove RHEL 8 STIG reference from file_permission_user_init_files - stable (#13016)
  • Fix set_password_hashing_min_rounds_logindefs (#12998)
  • Fixes related to STIG and SSH cryptopolicy (#13025)
  • Add a script to ensure coredump configuration file exists (#12844)
  • Add custom test scenario dconf_gnome_lock_screen_on_smartcard_removal (#12839)
  • Adjust kernel_module_disabled/missing_blacklist.fail.sh (#12898)
  • Authselect profile minimal is now called local in RHEL10 (#12846)
  • disable_ctrlaltdel_burstaction: make sure config file exists (#12841)
  • Enable correct OVAL criteria for RHEL9/RHEL10 in file_ownership_var_log_audit_stig (#12845)
  • Fix audit_rules_privileged_commands_unix2_chkpwd (#12886)
  • Fix CIS reference URI for AlmaLinux 9 (#12850)
  • Fix NERC CIP Link (#12892)
  • Fix RHEL 8 CIS reference on Ensure noexec option set on /var/tmp (#12847)
  • Fix sssd service enabled test scenarios (#12862)
  • Fix to prevent oscap crashing on ubuntu (#12728)
  • Move to enable_fips_mode from grub2_enable_fips_mode in RHEL 10 (#12899)
  • Remove package_xinetd_removed from RHEL 10 (#12881)
  • Remove rule disable_ctrlaltdel_burstaction from Ubuntu STIG profiles (#12620)
  • rename OVAL tests and objects to fix name conflict (#12869)
  • require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
  • RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational (#12824)
  • RHEL now checks no other users have primary group ID 0 (#12891)
  • RHEL8: add back removed rules to keep datastream consistent (#12966)
  • update audit_ospp_general with the latest content (#12579)
  • Update tests for file_groupownership_sshd_private_key (#12896)
  • Update X Servers Rules for Wayland (#12897)
  • Use dedicated_ssh_keyowner variable in test scenarios (#12860)

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-2e96b6f62c

This update has been submitted for testing by evgenyz.

3 months ago

This update's test gating status has been changed to 'waiting'.

3 months ago

This update has been pushed to testing.

3 months ago

This update's test gating status has been changed to 'failed'.

3 months ago

bojan commented & provided feedback a month ago

Works.



Metadata

  • Type: unspecified
  • Karma: 1
  • Signed
  • Content Type: RPM
  • Test Gating

Autopush Settings

  • Unstable by Karma: -3
  • Stable by Karma: 3
  • Stable by Time: 3 days

Thresholds

  • Minimum Karma: +1
  • Minimum Testing: 7 days

Dates

  • submitted: 3 months ago
  • in testing: 3 months ago
