The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
-- [isuftin@usgs.gov] - Add ability to add AIDE database update to regulat crontab
-- [isuftin@usgs.gov] - Update dependencies for logrotate, rsyslog and auditd community cookbooks
-- [isuftin@usgs.gov] - Add path strings (allow wildcard) to ignore during audits recipe. Paths included will not be checked as orphans or world writeable permissions
-- [isuftin@usgs.gov] - pam.d system_auth and password_auth order of module loading
-- [isuftin@usgs.gov] - Removed a seconday run of logrotate::global in the default recipe
-- [isuftin@usgs.gov] - auditd cookbook in metadata.rb as a hard dependency -- [isuftin@usgs.gov] - PermitOpen keyword in sshd_config -- [isuftin@usgs.gov] - Ability to ignore errors on sysctl updates
-- [isuftin@usgs.gov] - Third-party sysctl cookbook dependency
-- [isuftin@usgs.gov] - Now using Chef sysctl resource instead of depending on third
party cookbook. BREAKING CHANGE - Now requires Chef 14+
-- [isuftin@usgs.gov] - Switch to using rsyslog third party cookbook. BREAKING CHANGE
The attributes for rsyslog rules should now be default['rsyslog']['default_facility_logs']
in the fornmat specified @ https://github.com/chef-cookbooks/rsyslog/blob/v6.0.7/attributes/default.rb#L94
This now becomes a wrapper cookbook for the third party rsyslog cookbook
-- [isuftin@usgs.gov] - Including auditd cookbook call directly in auditd recipe
-- [isuftin@usgs.gov] - Allow nulls into sshd attributes to keep keywords out of sshd_config
-- [isuftin@usgs.gov] - Allowing auditd base config dir to be configurable in attributes
-- [isuftin@usgs.gov] - Version of CentOS 7 in ChefSpec tests
-- [isuftin@usgs.gov] - Allow not using known sshd attributes to keep them out of sshd
config file
-- [isuftin@usgs.gov] - auditd service reloading. A temp fix until chef-cookbooks/auditd#55 is dealt with -- [isuftin@usgs.gov] - inspec and unit tests
-- [isuftin@usgs.gov] - Changed maintainer to USGS WMA EB
-- [isuftin@usgs.gov] - Removed aide update command as it creates error codes where init does not
-- [isuftin@usgs.gov] - Logic introduced as to whether aide should run init or update based on whether or not the aide database already exists
-- [mamcderm@usgs.gov] - add timeout on init_aide resource in aide.rb -- [mamcderm@usgs.gov] - add timeout on 'find user and group orphaned files and directories' resource in audits.rb -- [mamcderm@usgs.gov] - add ignore_readdir_race flag to commands in 'find user and group orphaned files and directories' resource in audits.rb
-- [isuftin@usgs.gov] - audits recipe is not tolerant of spaces in file paths
-- [isuftin@usgs.gov] - No longer passing output database location to aide init command. Let aide get that from the conf file -- [isuftin@usgs.gov] - Use proper output database location during aide init -- [isuftin@usgs.gov] - Make sure to copy new aide database to old database location post-init -- [isuftin@usgs.gov] - Sticking to major version of CentOS in Test Kitchen -- [isuftin@usgs.gov] - STIG 6.1.6 - File permissions for /etc/passwd- -- [cpoma@mitre.org] - Added default["stig"]["mount_disable"]["disable_usb_storage"] to disable USB Storage. RHEL-06-000503 - CCI-001250 -- [cpoma@mitre.org] - Added default['stig']['postfix']['smtpd_client_restrictions_rhel'] for use in templates/default/etc_man.cf_rhel.erb to disable mail relaying. RHEL-07-040480 - CCI-000366 -- [kdshah@mitre.org] - Added template for /etc/inittab - CCE-4241-6 -- [kdshah@mitre.org] - Added default['stig']['login_defs']['pass_min_length'], default['stig']['login_defs']['umask'], default['stig']['login_defs']['inactive_days'], default['stig']['login_defs']['fail_delay'] for use in templates/default/etc_default_useradd.erb and templates/default/logon_defs.erb -- [kdshah@mitre.org] - Added local_users recipe to remove users and folders that do not belong. Set shells for various service accounts.
-- [isuftin@usgs.gov] - STIG 6.2.7 - Update script to check for users having a home dir
-- [isuftin@usgs.gov] - Narrowed down sshd MACs config to what works for EL6 and EL7
-- [isuftin@usgs.gov] - STIG 6.2.2-6.2.4 - Updated grep testing criteria for audit script
-- [isuftin@usgs.gov] - STIG 5.2.12 - Updated ClientAliveInterval to 300 and ClientAliveCountMax to 0
-- [isuftin@usgs.gov] - STIG 5.1.3 - 5.1.7 - Change permissions for cron files from 0600 to 0700
-- [isuftin@usgs.gov] - STIG 4.1.9 - Update audit.rules for /vat/log/wtmp and
/var/log/btmp from session to logins
-- [isuftin@usgs.gov] - STIG 4.1.7 - Update audit.rules with expanded MAC-policy check
-- [isuftin@usgs.gov] - STIG 2.2.15 - Change inet_interfaces from localhost to loopback_only
-- [isuftin@usgs.gov] - Removed -e
flag from proc_hard recipe's sysctl resource
since I do not want errors from that guard ignored
-- [isuftin@usgs.gov] - Fixed ChefSpec test for updated functionality in proc_hard
-- [isuftin@usgs.gov] - Fixed node concatenation in rsyslog recipe. Now no longer directly manipulating node attributes
-- [isuftin@usgs.gov] - Updated deprecated fauxhai CnetOS 6 version from 6.7 to 6.9
-- [isuftin@usgs.gov] - proc_hard recipe now calls on the sysctl cookbook's
sysctl_param resource instead of any recipe. This allows the this cookbook to use
sysctl cookbook version >= 1.0.0
-- [isuftin@usgs.gov] - Removed version constraint from Berksfile for sysctl
-- [isuftin@usgs.gov] - Updated Chefspec test to remove test for sysctl::apply recipe
-- [isuftin@usgs.gov] - Add guard to sysctl call in order to work around bug chef/chef#7189
-- [isuftin@usgs.gov] - Switched Changelog format
-- [isuftin@usgs.gov] - Fixed styling for Rubocop 0.55.0
-- [kdshah@mitre.org] - Added SSH private host key file permission to recipe/sshd_config.rb
-- [kdshah@mitre.org] - updated system_auth to manage /etc/pam.d/postlogin-ac
-- [cpoma@mitre.org] - Bugfix in stig/recipes/mail_transfer_agent.rb to use platform_family versus platform -- [cpoma@mitre.org] - Bugfix in stig/attributes/default.rb - Errors out and sshd dies (bricking machine) on RH 7 when FIPS Mode is enabled. Non-FIPS compliant MACs were specified. FIPS MODE is required to be enabled - RHEL-07-021350 - CCI-002476 Old Line: default['stig']['sshd_config']['macs'] = 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96' Replaced with: default['stig']['sshd_config']['macs'] = 'hmac-sha2-512,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com' See https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html See http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf
- [cpoma@mitre.org] - Added "install fat /bin/true" to stig/templates/etc_modprobe.d_CIS.conf.erb. This will fully disable vfat.
-- [isuftin@usgs.gov] - Due to a change in the Chef client @ 13.7.16, the aide recipe needed to be updated. Also updated Rubocop, Chefspec and Foodcritic issues
-- [jmorris@usgs.gov] - Added template for /etc/aide.conf and it updates the aide database -- [jmorris@usgs.gov] - Added default attributes for Centos 6 & 7 for /etc/aide.conf -- [jmorris@usgs.gov] - Added inspec and unit tests for /etc/aide.conf
-- [jmorris@usgs.gov] - Corrected inspec tests centos7 to run aide tests for redhat platforms
-- [isuftin@usgs.gov] - Updated more audit not included in the last version -- [isuftin@usgs.gov] - Combined two audit steps into one to save time/processing
-- [isuftin@usgs.gov] - Updated audit scripts to not double-check file mounts that may appear twice in df output
-- [jmorris@usgs.gov] - Updated defaults for audit.rules to avoid 32/64 bit syscall mismatch warning -- [jmorris@usgs.gov] - Updated unit tests to work around errors -- [jmorris@usgs.gov] - Updated style tests for later version of foodcritic/rubocop
-- [jmorris@usgs.gov] - Removed "redhat" from the test for purging the avahi-daemon package
-- [isuftin@usgs.gov] - Updating the cookbook to work properly with CentOS 7 -- [isuftin@usgs.gov] - Added disabling vfat and ipv6 to modprobe -- [isuftin@usgs.gov] - Update avahi daemon recipe for CentOS 7 (chkconfig vs sysctl) -- [isuftin@usgs.gov] - Update ipv6 recipe for CentOS 7 -- [isuftin@usgs.gov] - Fixed idempotency issue in ipv6 recipe for CentOS 6 -- [isuftin@usgs.gov] - Update dhcp recipe for CentOS 7 -- [isuftin@usgs.gov] - Update rsyslog.conf default attributes to the latest CIS recommendations -- [isuftin@usgs.gov] - Update sshd_config template to put logic on keywords that may or may not exist in sshd -- [isuftin@usgs.gov] - Switched system_auth recipe to use templates instead of very touchy sed/grep -- [isuftin@usgs.gov] - Changed default PASS_MIN_DAYS in login_defs to 7 as per stig -- [isuftin@usgs.gov] - Updated file_permissions recipe to not branch on ubuntu/rhel -- [isuftin@usgs.gov] - Split InSpec tests into CentOS 6 and CentOS 7 -- [isuftin@usgs.gov] - Updated Gemfile to require a minimal inspec gem version
-- [isuftin@usgs.gov] - Leaving sysctl attribute mutation solely to the sysctl cookbook. -- [isuftin@usgs.gov] - Removing STIG cookbook attributes for sysctl. Using only sysctl cookbook attributes
-- [isuftin@usgs.gov] - Update mail transfer agent recipe to fully parameterize the CentOS template for main.cf
-- [isuftin@usgs.gov] - Update the system_auth recipe to respect pre-existing symlinks -- [isuftin@usgs.gov] - Fix boot_settings recipe to catch if selinux is disabled and move on
-- [isuftin@usgs.gov] - More testing -- [isuftin@usgs.gov] - Updated auditd ruleset to include more rules -- [isuftin@usgs.gov] - Created ChefSpec testing for auditd_rules recipe -- [isuftin@usgs.gov] - Updated ServerSpec testing for all default auditd rules
-- [isuftin@usgs.gov] - More rubocop fixes -- [isuftin@usgs.gov] - Rework of sshd_config recipe to allow more customization -- [isuftin@usgs.gov] - Updated templates to point to proper GitHub URL -- [isuftin@usgs.gov] - Updated dependency version for sysctl cookbook in Berksfile -- [isuftin@usgs.gov] - Fixed kitchen converge warnings
-- [steve@bigsteve.us] - fix some rubocop violations
-- [steve@bigsteve.us] - switch to using chef inspec
-- [steve@bigsteve.us] - remove Centos 6.6 and 6.8
-- [steve@bigsteve.us] - bump version to 0.6.0
-- [steve@bigsteve.us] - remove kitchen version pin.
-- [arothian@github] - Update aide to setup crontab for ubuntu
-- [isuftin@usgs.gov] - Fix an issue with auth-config being improperly written to for pass reuse limit
-- [isuftin@usgs.gov] - Switch sysctl write flags
-- [isuftin@usgs.gov] - Ignore errors on unknown sysctl keys
-- [isuftin@usgs.gov] - Included third-party sysctl cookbook as a hard-coupled dependency by calling it in proc_hard recipe
-- [isuftin@usgs.gov] - Switched sysctl.conf template writing out and brought in the third-party sysctl cookbook to handle writing .d config file -- [isuftin@usgs.gov] - Updated serverspec testing
-- [isuftin@usgs.gov] - Updated to switch out which file in /etc/pam.d/system-auth* gets symlinked
-- [isuftin@usgs.gov] - Fix most foodcritic errors and warnings -- [isuftin@usgs.gov] - CIS 1.6.2 (Configure ExecShield) was removed in 2.0.0 of all CIS STIG. No longer testing for it -- [isuftin@usgs.gov] - Added updates to SSHD config to allow boolean for password authentication -- [isuftin@usgs.gov] - Updated system auth recipe to be less destructive to /etc/pam.d/system-auth since that may be updated by authconfig -- [isuftin@usgs.gov] - Fixed a few tests
-- [isuftin@usgs.gov] - Updated sshd config to include approved ciphers (RHEL6 STIG 6.2.11)
-- [isuftin@usgs.gov] - Added the ability to change ChallengeResponseAuthentication
in sshd config
-- [isuftin@usgs.gov] - Added the ability to change UsePAM
in sshd config
-- [isuftin@usgs.gov] - Users may now add auditd rules directly as a series of attributes
-- [isuftin@usgs.gov] - More Auditd fixes
-- [isuftin@usgs.gov] - Fix auditd default parameters which break the build -- [isuftin@usgs.gov] - Add documentation for new attributes
-- [isuftin@usgs.gov] - Fully parameterized auditd configuration file -- [isuftin@usgs.gov] - No longer calling the auditd cookbook directly from auditd.rb -- [isuftin@usgs.gov] - Auditd cookbook is no longer a direct dependency of the STIG cookbook. Should be part of an overall runlist
-- [isuftin@usgs.gov] - Updated STIG and Audit rules to CIS RHEL Stig 1.4.0
-- [isuftin@usgs.gov] - Added CentOS 6 ruleset 3.2 - "Remove the X Window System"
-- [isuftin@usgs.gov] - Fixed and added many Serverspec tests
-- [isuftin@usgs.gov] - Corrected a typo in check_duplicate_gid.sh
to correct STIG control number
-- [isuftin@usgs.gov] - Removed CIS wording from audit scripts
-- [isuftin@usgs.gov] - Enforced permissions on /boot/grub/grub.conf as per STIG 1.5.2
-- [isuftin@usgs.gov] - Removed grub.conf template
-- [isuftin@usgs.gov] - Updated mounting of /dev/shm to be idempotent