The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
-- [[email protected]] - Fixed ChefSpec test for updated functionality in proc_hard
-- [[email protected]] - Fixed node concatenation in rsyslog recipe. Now no longer directly manipulating node attributes
-- [[email protected]] - Updated deprecated fauxhai CentOS 6 version from 6.7 to 6.9
-- [[email protected]] - proc_hard recipe now calls on the sysctl cookbook's sysctl_param resource instead of any recipe. This allows this cookbook to use sysctl cookbook version >= 1.0.0
-- [[email protected]] - Removed version constraint from Berksfile for sysctl
-- [[email protected]] - Updated Chefspec test to remove test for sysctl::apply recipe
-- [[email protected]] - Add guard to sysctl call in order to work around bug chef/chef#7189
-- [[email protected]] - Switched Changelog format
-- [[email protected]] - Fixed styling for Rubocop 0.55.0
-- [[email protected]] - Bugfix in stig/recipes/mail_transfer_agent.rb to use platform_family versus platform
-- [[email protected]] - Bugfix in stig/attributes/default.rb - Errors out and sshd dies (bricking machine) on RH 7 when FIPS Mode is enabled. Non-FIPS compliant MACs were specified. FIPS MODE is required to be enabled - RHEL-07-021350 - CCI-002476
   Old Line: default['stig']['sshd_config']['macs'] = 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'
   Replaced with: default['stig']['sshd_config']['macs'] = 'hmac-sha2-512,hmac-sha2-256'
   See https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html
   See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf
-- [[email protected]] - Due to a change in the Chef client @ 13.7.16, the aide recipe needed to be updated. Also updated Rubocop, Chefspec and Foodcritic issues
-- [[email protected]] - Added template for /etc/aide.conf and it updates the aide database
-- [[email protected]] - Added default attributes for CentOS 6 & 7 for /etc/aide.conf
-- [[email protected]] - Added inspec and unit tests for /etc/aide.conf
-- [[email protected]] - Corrected inspec tests centos7 to run aide tests for redhat platforms
-- [[email protected]] - Updated more audit not included in the last version
-- [[email protected]] - Combined two audit steps into one to save time/processing
-- [[email protected]] - Updated audit scripts to not double-check file mounts that may appear twice in df output
-- [[email protected]] - Updated defaults for audit.rules to avoid 32/64 bit syscall mismatch warning
-- [[email protected]] - Updated unit tests to work around errors
-- [[email protected]] - Updated style tests for later version of foodcritic/rubocop
-- [[email protected]] - Removed "redhat" from the test for purging the avahi-daemon package
-- [[email protected]] - Updating the cookbook to work properly with CentOS 7
-- [[email protected]] - Added disabling vfat and ipv6 to modprobe
-- [[email protected]] - Update avahi daemon recipe for CentOS 7 (chkconfig vs sysctl)
-- [[email protected]] - Update ipv6 recipe for CentOS 7
-- [[email protected]] - Fixed idempotency issue in ipv6 recipe for CentOS 6
-- [[email protected]] - Update dhcp recipe for CentOS 7
-- [[email protected]] - Update rsyslog.conf default attributes to the latest CIS recommendations
-- [[email protected]] - Update sshd_config template to put logic on keywords that may or may not exist in sshd
-- [[email protected]] - Switched system_auth recipe to use templates instead of very touchy sed/grep
-- [[email protected]] - Changed default PASS_MIN_DAYS in login_defs to 7 as per stig
-- [[email protected]] - Updated file_permissions recipe to not branch on ubuntu/rhel
-- [[email protected]] - Split InSpec tests into CentOS 6 and CentOS 7
-- [[email protected]] - Updated Gemfile to require a minimal inspec gem version
-- [[email protected]] - Leaving sysctl attribute mutation solely to the sysctl cookbook.
-- [[email protected]] - Removing STIG cookbook attributes for sysctl. Using only sysctl cookbook attributes
-- [[email protected]] - Update mail transfer agent recipe to fully parameterize the CentOS template for main.cf
-- [[email protected]] - Update the system_auth recipe to respect pre-existing symlinks
-- [[email protected]] - Fix boot_settings recipe to catch if selinux is disabled and move on
-- [[email protected]] - More testing
-- [[email protected]] - Updated auditd ruleset to include more rules
-- [[email protected]] - Created ChefSpec testing for auditd_rules recipe
-- [[email protected]] - Updated ServerSpec testing for all default auditd rules
-- [[email protected]] - More rubocop fixes
-- [[email protected]] - Rework of sshd_config recipe to allow more customization
-- [[email protected]] - Updated templates to point to proper GitHub URL
-- [[email protected]] - Updated dependency version for sysctl cookbook in Berksfile
-- [[email protected]] - Fixed kitchen converge warnings
-- [[email protected]] - fix some rubocop violations
-- [[email protected]] - switch to using chef inspec
-- [[email protected]] - remove CentOS 6.6 and 6.8
-- [[email protected]] - bump version to 0.6.0
-- [[email protected]] - remove kitchen version pin.
-- [arothian@github] - Update aide to setup crontab for ubuntu
-- [[email protected]] - Fix an issue with auth-config being improperly written to for pass reuse limit
-- [[email protected]] - Switch sysctl write flags
-- [[email protected]] - Ignore errors on unknown sysctl keys
-- [[email protected]] - Included third-party sysctl cookbook as a hard-coupled dependency by calling it in proc_hard recipe
-- [[email protected]] - Switched sysctl.conf template writing out and brought in the third-party sysctl cookbook to handle writing .d config file
-- [[email protected]] - Updated serverspec testing
-- [[email protected]] - Updated to switch out which file in /etc/pam.d/system-auth* gets symlinked
-- [[email protected]] - Fix most foodcritic errors and warnings
-- [[email protected]] - CIS 1.6.2 (Configure ExecShield) was removed in 2.0.0 of all CIS STIG. No longer testing for it
-- [[email protected]] - Added updates to SSHD config to allow boolean for password authentication
-- [[email protected]] - Updated system auth recipe to be less destructive to /etc/pam.d/system-auth since that may be updated by authconfig
-- [[email protected]] - Fixed a few tests
-- [[email protected]] - Updated sshd config to include approved ciphers (RHEL6 STIG 6.2.11)
-- [[email protected]] - Added the ability to change ChallengeResponseAuthentication in sshd config
-- [[email protected]] - Added the ability to change UsePAM in sshd config
-- [[email protected]] - Users may now add auditd rules directly as a series of attributes
-- [[email protected]] - More Auditd fixes
-- [[email protected]] - Fix auditd default parameters which break the build
-- [[email protected]] - Add documentation for new attributes
-- [[email protected]] - Fully parameterized auditd configuration file
-- [[email protected]] - No longer calling the auditd cookbook directly from auditd.rb
-- [[email protected]] - Auditd cookbook is no longer a direct dependency of the STIG cookbook. Should be part of an overall runlist
-- [[email protected]] - Updated STIG and Audit rules to CIS RHEL Stig 1.4.0
-- [[email protected]] - Added CentOS 6 ruleset 3.2 - "Remove the X Window System"
-- [[email protected]] - Fixed and added many Serverspec tests
-- [[email protected]] - Corrected a typo in check_duplicate_gid.sh to correct STIG control number
-- [[email protected]] - Removed CIS wording from audit scripts
-- [[email protected]] - Enforced permissions on /boot/grub/grub.conf as per STIG 1.5.2
-- [[email protected]] - Removed grub.conf template
-- [[email protected]] - Updated mounting of /dev/shm to be idempotent