SCAP Security Guide release notes

The scap-security-guide package provides collections of security policies for Linux systems. The guidance consists of a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

0.1.79

• Profile updates in Red Hat Enterprise Linux 10:
  • CIS profiles are newly based on CIS Red Hat Enterprise Linux 10 Benchmark v1.0.1, and the content coverage of this benchmark is improved.
• In all RHEL versions, system cryptography policy configuration in CIS profiles is centralized and managed by the new rule configure_custom_crypto_policy_cis. This rule handles cryptography policy requirements of the CIS Benchmark. Consequently, multiple legacy rules are removed from the CIS profiles. (This content is not included.RHEL-111896)
• Ansible Tasks and Profile Ansible Playbooks have been made idempotent.
• Red Hat Enterprise Linux 8 notable bug fixes:
  • All CIS profiles are updated to comply with CIS requirements to configure system cryptography policy. Also, they configure sshd to turn off host forwarding. (This content is not included.RHEL-76009)
  • Rule enable_authselect is no longer evaluated when scanning containers and container images, and returns a notapplicable result in this case. (This content is not included.RHEL-84439)
  • Remediation of rule network_ipv6_privacy_extensions is fixed to be idempotent and not to break network-scripts configuration. (This content is not included.RHEL-106813)
  • CIS profiles configure the maximum sequential characters in passwords. (This content is not included.RHEL-128593)
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Fixed remediation in rule ensure_logrotate_activated (This content is not included.RHEL-79123)
  • Fixed building of images hardened by STIG profile in the RHEL image builder by fixing remediation in rule require_singleuser_auth (This content is not included.RHEL-93151)
  • Rule aide_periodic_cron_checking has been removed from STIG profile. (This content is not included.RHEL-100924)
  • Profile CIS detects non-existent directories in root users PATH (This content is not included.RHEL-102330)
  • Audit rules in CIS profiles have been extended to audit file modifications of the /etc/hostname and /etc/NetworkManager/ (This content is not included.RHEL-102331)
  • Audit rules covering audit of loading kernel modules have been unified, and all of them correctly handle unset auid. (This content is not included.RHEL-102334)
  • Rules that configure rsyslog support multi-line RainerScript configuration. (This content is not included.RHEL-104207)
  • Remediation in rule require_singleuser_auth is fixed to be idempotent and does not break systemd configuration. (This content is not included.RHEL-106811)
  • Both /bin/false and /bin/true are newly supported as a valid way of disabling kernel modules. (This content is not included.RHEL-106814)
  • Ansible Playbooks have been fixed so that they don't fail on RHEL 9.0 when configuring systemd services. (This content is not included.RHEL-117141)
  • STIG for RHEL 9 has been updated to allow for the FIPS:STIG system-wide crypto policy.
• Red Hat Enterprise Linux 10 notable bug fixes:
  • Rule accounts_user_interactive_home_directory_defined no longer reports false positive results when you use the RHEL web console. (This content is not included.RHEL-118647)

0.1.78

• Profile updates in Red Hat Enterprise Linux 8:
  • DISA STIG updated to V2R3
• Profile updates in Red Hat Enterprise Linux 9:
  • Added a profile that aligns to the BSI (Germany Federal Office for Security Information) IT-Grundschutz Basic-Protection (sections 1.1 and 1.3)
  • DISA STIG updated to V2R5
• Red Hat Enterprise Linux 8 notable bug fixes:
  • The service_rngd_enabled rule is now evaluated on RHEL 8.4 and later when not running in FIPS mode (This content is not included.RHEL-95188).
  • The default cipher order in the configure_gnutls_tls_crypto_policy rule is used (This content is not included.RHEL-1821).
  • Profile Bash remediation scripts are reintroduced in the RPM package (This content is not included.RHEL-105501).
• Red Hat Enterprise Linux 9 notable bug fixes:
  • The coverage of section 1.2.1.2 of CIS profile has been improved by ensuring that GPG checks are never disabled (This content is not included.RHEL-102328).
  • Rules allow white spaces around the equal sign in systemd configuration (This content is not included.RHEL-89714).
  • Fixed errors in the File_permissions_sudo rule description, and the service_cron_enabled rule now checks for the correct package (This content is not included.RHEL-89812).
  • The polkit-pkla-compat package is installed if required (This content is not included.RHEL-87606).
  • The auditd_freq rule correctly honors the XCCDF variable (This content is not included.RHEL-64013).
• Red Hat Enterprise Linux 10 notable bug fixes:
  • Rules allow white spaces around the equal sign in systemd configuration (This content is not included.RHEL-93659).
  • Added support for drop-in files to systemd coredump rules (This content is not included.RHEL-99973)
• SCE content is now available for rules that traverse file systems.
  • See the Using Script Check Engine (SCE) in OpenSCAP for large filesystems Red Hat Knowledgebase article for details on how to configure your environment to use SCE content for rules that consume a lot of memory on large file systems.

0.1.77

• The STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 8 to V2R3
  • Red Hat Enterprise Linux 9 to V2R4
• Red Hat Enterprise Linux 8 notable bug fixes:
  • User namespaces are no longer disabled by the STIG profile (This content is not included.RHEL-76750).
• Red Hat Enterprise Linux 9 notable bug fixes:
  • The rsyslog_remote_loghost rule now supports RainerScript syntax (This content is not included.RHEL-62731).
  • The networkmanager_dns_mode rule now checks drop-in configuration files and has more resilient regular expression (This content is not included.RHEL-62843).
  • Improved checking of GRUB 2 superuser and password configuration (This content is not included.RHEL-58818)
• Red Hat Enterprise Linux 10 content has been updated to reflect changes in RHEL 10 components.

0.1.76

• The STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 8 to V2R2
  • Red Hat Enterprise Linux 9 to V2R3
  • Added Red Hat Enterprise Linux 10 Vendor STIG
• Red Hat Enterprise Linux 8 notable bug fixes:
  • The require_singleuser_auth rule now uses the systemd override mechanism (This content is not included.RHEL-71936)
• Red Hat Enterprise Linux 9 notable bug fixes:
  • The require_singleuser_auth rule now uses systemd override mechanism (This content is not included.RHEL-71936)
  • The sysctl_user_max_user_namespaces rule is now not scored and informational (This content is not included.RHEL-40120)
  • Aligned the check for approved SSH ciphers with the latest STIG policy (This content is not included.RHEL-65432)

0.1.75

• The PCI-DSS profiles were updated to better align with PCI-DSS benchmark version 4.0.1 for the following products:
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
• The STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 8 with V2R1
  • Red Hat Enterprise Linux 9 with V2R2
• Red Hat Enterprise Linux 8 notable bug fixes:
  • Enhance GRUB2 kernel command line arguments detection to cover more use cases (This content is not included.RHEL-53365)
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Adjust rules related to sshd, ensure constancy in checked values and ensure that drop-in configuration files are checked (This content is not included.RHEL-38206)
  • Adjust mount_option_nodev_nonroot_local_partitions to work in Image Builder environments (This content is not included.RHEL-45018)
  • Add a rule checking for presence of chrony to CIS profiles (This content is not included.RHEL-60005)
  • Remove the rule sshd_use_priv_separation from STIG profiles (This content is not included.RHEL-66057)
  • Remediation of NetworkManager DNS mode now remediates value default (This content is not included.RHEL-53426)

0.1.74

• The CIS profiles were updated to v2.0.0 for Red Hat Enterprise Linux 9.
• Red Hat Enterprise Linux 8 and 9 notable bug fixes:
  • Ensure authselect features are preserved by the enable_authselect rule (This content is not included.RHEL-39383)
  • Fix checking for passwords last changed date (This content is not included.RHEL-47129)
  • Remediations of Journald configuration files now create correct .ini file sections (This content is not included.RHEL-38531)
  • Adjust service requirements for the CIS profiles (This content is not included.RHEL-23852)
  • Update password hashing settings for the ANSSI profiles (This content is not included.RHEL-44983), (This content is not included.RHEL-54390)
  • Improve Rsyslog rules to support the RainerScript syntax (This content is not included.RHEL-1816)
• Red Hat Enterprise Linux 8 notable changes:
  • The ssg-rhel8-ds-1.2.xml and ssg-firefox-ds-1.2.xml data streams are no longer provided. They are replaced by symbolic links leading to the respective data streams (ssg-rhel8-ds.xml or ssg-firefox-ds.xml).
  • The Red Hat Enterprise Linux 7 content is no longer updated and remains in the state as provided in the 0.1.73 version.
• Red Hat Enterprise Linux 9 notable changes:
  • The STIG profiles are not upgraded to V2R1 in this release because this STIG update touches only CCI references.

0.1.73

• ANSSI profiles were updated to better align with latest policy version 2.0 and to increase the policy coverage for the following products:
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
• STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 8 with V1R14
  • Red Hat Enterprise Linux 9 with V1R3
• The security_patches_up_to_date rule has been disabled, the result of evaluating this rule will be notchecked. Also, remediation for this rule is not part of the shipped content.
• Red Hat Enterprise Linux 8 notable bug fixes:
  • Change crypto policy used in the CUI profile to FIPS (This content is not included.RHEL-30346)
  • Fix file path identification in Rsyslog configuration (This content is not included.RHEL-17202)
  • Use a correct chrony server address in STIG profiles (This content is not included.RHEL-1814)
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Correctly parse sudo options even if they are not quoted (This content is not included.RHEL-31976)
  • Ensure that web links within kickstart files are valid (This content is not included.RHEL-30735)
  • Align set of allowed SSH ciphers with STIG requirement (This content is not included.RHEL-29684)
  • Add a rule that enables auditing of files within /etc/sysconfig/network-scripts (This content is not included.RHEL-1093, This content is not included.RHEL-29308)
  • Remove a rule that restricts user namespaces from the STIG GUI profile (This content is not included.RHEL-10416)

0.1.72

• Update to CIS profiles aligning them with the latest benchmarks:
  • CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0 - 12-21-2023
  • CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 - 10-30-2023 (related ticket is This content is not included.RHEL-1314)
• PCI DSS profiles were aligned to the PCI DSS policy version 4.0 for the following products:
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8 (This content is not included.RHEL-1808)
  • Red Hat Enterprise Linux 9
• STIG profiles were aligned with the latest DISA STIG policies:
  • Red Hat Enterprise Linux 7 with V3R14
  • Red Hat Enterprise Linux 8 with V1R13
  • Red Hat Enterprise Linux 9 with V1R2
• Red Hat Enterprise Linux 7 notable bug fixes:
  • Ensure that the rule audit_rules_privileged_commands does not report false positives caused by temporary files created by Dracut (This content is not included.RHEL-11938)
• Red Hat Enterprise Linux 8 notable bug fixes:
  • Increase compatibility of the accounts_tmout rule with more shells including ksh (This content is not included.RHEL-16896 and This content is not included.RHEL-1811)
  • Add a rule to terminate idle user sessions after a defined amount of time (This content is not included.RHEL-1801)
  • The rule ensure_pam_wheel_group_empty has been optimized for better performance, and the reported rule result is now clearer (This content is not included.RHEL-1905)
  • Prevent remediation of the display_login_attempts rule from creating redundant configuration entries (This content is not included.RHEL-1809)
  • Other fixed bugs: This content is not included.RHEL-1313, This content is not included.RHEL-1817, This content is not included.RHEL-1819, This content is not included.RHEL-1820, This content is not included.RHEL-1904, This content is not included.RHEL-19127
• Red Hat Enterprise Linux 9 notable bug fixes:
  • Check drop-in files in the /etc/systemd/journald.conf.d/ directory (This content is not included.RHEL-14484)
  • Disable remediation for /dev/shm mount options in offline mode (This content is not included.RHEL-16801)
  • Other fixed bugs: This content is not included.RHEL-1484, This content is not included.RHEL-1489, This content is not included.RHEL-17417, This content is not included.RHEL-17418

0.1.69

• ANSSI profiles were updated to version 2.0.
• Three new SCAP profiles were added for RHEL 9 aligned with the CCN-STIC-610A22 Guide:

• 0.1.69-3 update - available for RHEL 9.0.Z.EUS, RHEL 9.2.Z.EUS, and RHEL 9.3.Z
  • Align the RHEL 9 STIG profile with DISA STIG This content is not included.RHEL-1807

0.1.66

• Updated RHEL 8 STIG profiles
• Deprecated rule account_passwords_pam_faillock_audit in favor of accounts_passwords_pam_faillock_audit

0.1.63

• New compliance rules for sysctl, grub2, pam_pwquality, and build time kernel configuration were added.
• Rules hardening the PAM stack now use authselect as the configuration tool. Note: With this change the rules hardening the PAM stack will not be applied if the PAM stack was edited by other means.

0.1.60

• Rules hardening the PAM stack now use authselect as the configuration tool.
• Tailoring files that define profiles which represent the differences between DISA STIG automated SCAP content and SCAP automated content (delta tailoring) are now supported.
• The rule xccdf_org.ssgproject.content_enable_fips_mode now checks only whether the FIPS mode has been enabled properly. It does not guarantee that system components have undergone FIPS certification.

0.1.54

• The Operating System Protection Profile (OSPP) has been updated in accordance with the Protection Profile for General Purpose Operating Systems for Red Hat Enterprise Linux 8.4.
• The ANSSI family of profiles based on the ANSSI BP-028 recommendations from the French National Security Agency (ANSSI), has been introduced. The content contains profiles implementing rules of the Minimum, Intermediary and Enhanced hardening levels.
• The Security Technical Implementation Guide (STIG) security profile has been updated, and it implements rules from the recently-released version V1R1.

0.1.50

• Ansible content has been improved: numerous rules contain Ansible remediations for the first time and other rules have been updated to address bug fixes.
• Fixes and improvements to the scap-security-guide content for scanning RHEL7 systems, including:
  • The scap-security-guide packages now provide a profile aligned with the CIS RHEL 7 Benchmark v2.2.0.
    Note that the rpm_verify_permissions rule in the CIS profile does not work correctly; see the This content is not included.BZ-1843913 - rpm_verify_permissions fails in the CIS profile known issue.
  • The SCAP Security Guide profiles now correctly disable and mask services that should not be started.
  • The audit_rules_privileged_commands rule in the scap-security-guide packages now works correctly for privileged commands.
  • Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages no longer incorrectly fails.