CIS Version: 3.0.0 - Oct24 Updates

Based upon CIS Version: 3.0.0 10th November 2023

Remediate

Rebase to fix some older issues, shows as some updates.
Pre-commit updates
Many improvements to different controls
Audit updates
New workflow pipeline

AUDIT

What's Changed

• V3.0.0 initial by @uk-bolly in #351
• updated prelim and typos by @uk-bolly in #352
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #355
• March 24 updates by @uk-bolly in #356
• Fix for #273 Allow for a local crypto policy module, for instance for the openSSH server. by @bbaassssiiee in #358
• Issues March24 by @uk-bolly in #366
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #367
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #368
• updated for audit and url alignment by @uk-bolly in #370
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #372
• use RHEL chrony.conf by @tomkuba in #371
• Update Alma 8 GPG Key by @ajython in #369
• May 24 updates by @uk-bolly in #376
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #383
• updated known issues thanks to @fgierlinger by @uk-bolly in #384
• Interactive users logic and workflow by @uk-bolly in #385
• Issue 387 by @uk-bolly in #388
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #389
• updated inline with #390 by @uk-bolly in #391
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #393
• Fix rule 1.6.1 idempotence; by @ShawnHardwick in #394
• Jmespath audit by @uk-bolly in #395
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #396
• fixed typo for issue 397 thanks to @dirkvdplas by @uk-bolly in #399
• changed maxseq to maxsequence to correct the syntax by @dderemiah in #404
• August issues by @uk-bolly in #406
• Issue 407 and 408 by @uk-bolly in #409
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #410
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #411
• Sept24 updates by @uk-bolly in #412
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #413
• removed group from control not required 6.2.10 by @uk-bolly in #416
• fix typo in 2.2.17 by @enx-roy-scheepers in #419
• updated 5.3.3 inline with documentation by @uk-bolly in #421
• Oct24_ devel to main by @uk-bolly in #420

New Contributors

• @ajython made their first contribution in #369
• @ShawnHardwick made their first contribution in #394
• @dderemiah made their first contribution in #404
• @enx-roy-scheepers made their first contribution in #419

Full Changelog: 3.0.0...3.0.1

CIS 3.0.0 - 1-10-2023

CIS Version: 3.0.0 10th November 2023

Remediate

V3.0.0 release
Pre-commit updates
Many improvements to different controls
Audit updates
New workflow pipeline

AUDIT

• Audit only option added
• New goss binary now supported
• Audit variables tidied and moved

What's Changed

#356
#358
#366
#370
#371
#373
#374
#383
#385

Final Benchmark 2.0.0 Release

CIS Version: 2.0.0 2-23-2022

Remediate

Issues closed and PRs merged - What's changed
Pre-commit updates
Many improvements to different controls
ansible version to 2.11.1

AUDIT

• Audit only option added
• New goss binary now supported
• Audit variables tidied and moved

What's Changed

• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #335
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #341
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #342
• use RHEL conf for chrony by @tomkuba in #343
• fix typo by @tomkuba in #344
• Jan24 updates to devel by @uk-bolly in #346
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #347
• Feb24 updates by @uk-bolly in #349
• Final V2.0.0 release to main by @uk-bolly in #350

New Contributors

• @tomkuba made their first contribution in #343

Full Changelog: 2.5.2...v2.6

RHEL8 CIS - 2.0.0

• audit updates

  • pre and post and format type updates
  • #323 thanks to @cobrin preserve copied audit files permissions
  • python 3 only
  • Improvements for workflow and new pipeline methods
  • README updated with badges and labels to use the new workflow

• pre-commit added and several checks, pre-commit-ci added to repo to ensure content

  • README updated

• Updates to container discovery and usage within benchmark

• linting

• aligned ansible version to 2.10.1 +

• home directories files change links

  • #322 thanks to @mballon

• #304

  • improve passwd check for user only is using sudo thanks to manish on discord community for highlighting issue.

thanks to @bbaassssiiee

• removed legacy tcp_wrappers information
  • #298
• disable ipv6 options
  • #299
  • disable ipv6 for sshd - rhel8cis_ipv6_sshd_disable: false (default) - added to prelim
  • disable ipv6 for chrony - rhel8cis_ipv6_chrony_disable: false (default) - added to prelim
  • turn off ipv6 for localhost - rhel8cis_ipv6_disable_localhost: false (default) - refer https://access.redhat.com/solutions/8709
  • #306
  • #295 crypto policy option updates
  • #296
• journald
• #320 thanks to @bbbbaassiieeee set files even if rsyslog chosen

What's Changed

• Fix for 3.1.3 and premediation/postmediation script calls by @cf-sewe in #317
• updated discord link by @uk-bolly in #318
• Alignment by @uk-bolly in #321
• Oct23 issues by @uk-bolly in #325
• updated the workflow version and galaxy setup by @uk-bolly in #328
• main release by @uk-bolly in #327
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #330
• Formatted task name fields to match playbook format by @BillSkiCO in #331
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #332
• [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci in #333
• Main Release by @uk-bolly in #334

New Contributors

• @pre-commit-ci made their first contribution in #330
• @BillSkiCO made their first contribution in #331

Full Changelog: 2.5.1...2.5.2

Beta test for pamd

thanks to @Crayeth

#278
Added new options to allow ipv6 rules if required although ipv6 disabled
rhel8cis_ipv6_sysctl_force
default: true
thanks to @bbaassssiiee

#279
#280
#281
#284
new option to allow manual changes to pamd files without using authconfig
rhel8cis_5_4_2_risks need sto be set to ACCEPT to run
default: NEVER**

Ansible Galaxy updates

What's Changed

• updated rule tag ref by @uk-bolly in #266
• Removed empty lines by @uk-bolly in #267
• Fix for #268 by @bbaassssiiee in #269
• March interim updates by @uk-bolly in #270
• Galaxy updates by @uk-bolly in #271
• Galaxy compliance by @uk-bolly in #272

Full Changelog: 2.2.0...2.2.1

release 2.2.0

Summary Review of Changes:
rule 1.1.2.1 improvement
molecule options added with wsl thanks to @bbaassssiiee
updates to tags
workflow updates
lint updates
new warning summary setup

What's Changed

• Issue 216 - dconf installed although not needed by @uk-bolly in #217
• Issue 215 by @uk-bolly in #218
• 4.2.3 and warnings by @uk-bolly in #219
• Fix for 5.6.2 - Remove unneeded whitespace in when clause by @cf-sewe in #221
• Warning summary improvement by @uk-bolly in #223
• Workflow update, lint by @uk-bolly in #224
• added missing control for audit by @uk-bolly in #229
• Oct update by @uk-bolly in #230
• November 2022 updates by @georgenalen in #240
• Jan 23 updates by @uk-bolly in #251
• Fix #253 by @Thulium-Drake in #254
• Pr 252 6 2 9 by @uk-bolly in #255
• Devel to main release March 23 by @uk-bolly in #256
• 1.1.2.1 conditional by @uk-bolly in #257
• Fix linting, adding Molecule scenarios for ubi8 container and WSL2 by @bbaassssiiee in #258
• updated tags by @uk-bolly in #259
• added oracle to readme by @uk-bolly in #260
• Feature: molecule verify -s localhost by @bbaassssiiee in #262
• Release to main by @uk-bolly in #265

Full Changelog: 2.1.0...2.2.0

Updates and improvements

CIS Version: 2.0.0
CIS Version Release Date: 2-23-2022

Issues Addressed:
@ccravens

• #160 - Ansible 2.12 Does Not Manage /etc/crontab
• #183 - should not/cannot edit /etc/crontab
• #204 - Added CentOS keys (PR)

@flwitten

• #180 - 1.4.1 Ensure bootloader password is set | always skipped
• #181 - 1.8.5 | Ensure automatic mounting of removable media is disabled | Typo
• #182 - /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-official
• #185 - 4.2.1.x & 4.2.2.x

@ChandlerSwift

• #187 - 5.6.2 'rhel8cis_passwd' is undefined
• #192 - 5.6.2 locks out (almost) all non-system accounts, rather than system accounts
• #195 - Fix path for /etc/group control 6.1.5 (PR)

@scottdoane

• #203 - 4.2.1.5 conflicts with itself on cron, auth logs

@ztmr

• #190 - Incorrect container detection fails certain tasks if executed in Podman

@Thulium-Drake

• #196 - Some handlers conflict with RHEL7-CIS handlers
• #198 - Fix #197 (PR)
• #200 - Versioned grub2cfg handler because it works differently in comparison to RHEL7-CIS (PR for issue #196 )
• #208 - Excluded nobody user from 6.2.10 (PR for issue #207)

@pavloos

• #186 - Audit not working audit_out_dir is not /var/tmp

@MindPointGroup (@uk-bolly and @georgenalen)

• #201 - fixed typo in 4.1.3.7 rule (PR)
• #205 - Improvements (PR for issues #185, #189, #190, #196, #200, #203, #204, and #206)
• #210 - Audit alignment (PR)

Enhancements:

• changed crypto to DEFAULT in defaults/main and updated as allowed option
• 3.4.1.2 - removed enabled option as errors if masked and enable option
• github workflow added branch option to issues.
• Dynamic UID discovery
• several title updates and alignments
• logic and idempotence improvement
• tag updates and fixes
• removed config no longer used
• dynamic container discovery
• update container variables and usage
• firewall services audit template output now works with goss correctly
• firewall services included cockpit as default
• 4.2.2.1.4 - changed to be socket service as per documentation
• update to auditd template
• uses facts and template new variable
• update_audit_template (default false)
• 3.4.1.5 discovery improvement
• 5.6.1.4 discovery improvement
• Added a warning comment managed by Ansible to all template files

Benchmark 2.0.0 updates and issue fixes

• CIS Version: 2.0.0 2-23-2022

Issues Addressed:

• #128 - Current 4.2.3 Ensure permissions on all logfiles are configured remediation will break RHEL8
• #132 - Tasks 1.1.15 - 1.1.17 skipped
• #138 - 4.1.17 Ensure the audit configuration is immutable - Not correct set
• #139 - CIS Control 5.2.13 incorrect value
• #141 - Running in check mode fails on task 6.2.20
• #142 - Remove extra quotes that break check mode
• #143 - Check mode labels missing
• #146 - Undefined variable in parse_etc_password.yml
• #147 - Section 6.2.8: file does not have argument warn
• #155 - Alternative to fail with incompatible OS
• #156 - Include statements deprecated in Ansible 2.12 - will be removed in 2.16
• #157 - Section 6.2.9 should not recurse
• #164 - Please add run_audit tag in tasks/main.yml
• #165 - ansible_distribution_major_version should be treated as a string and not as an integer
• #176 - "2.2.10" task uses the wrong when conditional and tags

Enhancements:

• Benchmarks 2.0.0 updates

Benchmark 1.0.1 updates

• CIS Version: 1.0.1 5-19-2021

Issues Addressed:

• #110 - tmp.mount support
• #132 - Tasks 1.1.15 - 1.1.17 skipped

Enhancements:

• Benchmarks 1.0.1
• Added Issue Templates
• Added PR Templates