-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathCHANGELOG
362 lines (295 loc) · 15.4 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
* Mon Nov 18 2024 Steven Pritchard <[email protected]> - 3.9.0
- Cleanup for rubocop
* Wed Feb 14 2024 Steven Pritchard <[email protected]> - 3.8.1
- Remove use of legacy facts for Puppet 8 compatibility
* Mon Oct 23 2023 Steven Pritchard <[email protected]> - 3.8.0
- [puppetsync] Add EL9 support
* Wed Oct 11 2023 Steven Pritchard <[email protected]> - 3.7.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
* Tue Sep 05 2023 Steven Pritchard <[email protected]> - 3.6.0
- Updates for Puppet 8
- Fixes for Ruby 3
- Add explicit support for Puppet 8
- Drop support for Puppet 6
- Add support for stdlib 9
* Wed Aug 23 2023 Steven Pritchard <[email protected]> - 3.5.0
- Add AlmaLinux 8 support
* Mon Jul 17 2023 Chris Tessmer <[email protected]> - 3.4.0
- Add RockyLinux 8 support
* Tue Mar 14 2023 Garrett Adams <[email protected]> - 3.3.1
- Change enforcement tolerance to be nil if not specified, by default.
nil will ignore any remediation/disabled checks.
* Thu Feb 16 2023 Garrett Adams <[email protected]> - 3.3.0
- Add tolerance as hiera lookup. Confine checks that can be enforced
based on the tolerance setting.
* Fri Jun 03 2022 Mike Riddle <[email protected]> - 3.2.3
- Updated reporting to account for escaping knockout prefixes
* Fri May 20 2022 Trevor Vaughan <[email protected]> - 3.2.2
- Allow for escaping knockout prefixes in strings to preserve leading `--`
entries
* Wed Mar 02 2022 Mike Riddle <[email protected]> - 3.2.2
- Updated confines to allow for negative matches using the '--' prefix
* Sun Feb 13 2022 Trevor Vaughan <[email protected]> - 3.2.1
- Added support for Amazon Linux 2
* Tue Jun 15 2021 Chris Tessmer <[email protected]> - 3.2.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
* Mon Jun 14 2021 Steven Pritchard <[email protected]> - 3.2.0
- Add `compliance_markup::debug::profiles` and
`compliance_markup::debug::compliance_data` keys
* Wed May 19 2021 Trevor Vaughan <[email protected]> - 3.1.6
- Ensure that the same context scope is called throughout the compliance_mapper
enforcement
* Wed Apr 21 2021 Trevor Vaughan <[email protected]> - 3.1.5-0
- Ensure that using a string for 'compliance_markup::enforcement' will not cause
the server to hang
- Fix data recursion issues
* Wed Apr 21 2021 Steven Pritchard <[email protected]> - 3.1.5-0
- Fix and document `compliance_markup::debug::dump` and
`compliance_markup::debug::hiera_backend_compile_time` keys
- Bump puppetlabs-stdlib dependency to allow version 7
* Wed Feb 24 2021 Steven Pritchard <[email protected]> - 3.1.4-0
- Refactor `list_puppet_params` to avoid excessive looping
- Disable caching (SIMP-9623)
* Mon Nov 02 2020 Andy Adrian <[email protected]> - 3.1.4-0
- Remove unused and broken telemetry functionality
- Updated the REFERENCE.md
- Removed EL 6 from support due to EOL
- Added puppet 7 testing
* Mon Nov 02 2020 Steven Pritchard <[email protected]> - 3.1.3-0
- Add missing `nil` check when merging controls, identifiers, and oval-ids
- Add `warn` and `debug` in outer `begin` block to avoid silent failures
* Mon Oct 05 2020 Andy Adrian <[email protected]> - 3.1.2-0
- Change order of import on ``compliance_markup::compliance_map`` so Hiera has
precedence.
- This means that users may now override all settings from the underlying
compliance maps across all modules to fit their environment specifics.
* Wed Sep 16 2020 Steven Pritchard <[email protected]> - 3.1.1-0
- Add tests for profile merging
- Deduplicate profile, control, ce, and check names in enforcement tests to
avoid cross-contamination of test data
- Remove useless loops in list_puppet_params function
- Fix calls to deep_merge!
- Fix logic for merging oval-ids, controls, and identifiers
- Add begin/rescue blocks around merges to avoid problems with incorrect data
* Fri Sep 11 2020 Steven Pritchard <[email protected]> - 3.1.1-0
- Add controls, identifiers, and oval-ids
- Work around rspec failure
- Apply confinement before merging values
- Ignore undefined ces when correlating checks and profiles
* Mon Jun 22 2020 Steven Pritchard <[email protected]> - 3.1.0-0
- Deep merge hash values in the Hiera backend
- Reduce the amount of data passed around in the Hiera backend
* Fri May 29 2020 Steven Pritchard <[email protected]> - 3.1.0-0
- Support confinement in profiles, controls, and ces (as well as checks)
- Add rspec tests for compliance_markup::enforcement
* Mon Apr 13 2020 Trevor Vaughan <[email protected]> - 3.1.0-0
- Add EL8 support
- Ensure that the Hiera backend recurses as little as possible to improve
performance.
- Remove all support for v1 data since it was experimental and removed in 3.0.0
- Removed the deprecated (experimental) Hiera v3 backend
- Removed the deprecated Puppet 3 function
* Fri Apr 10 2020 Steven Pritchard <[email protected]> - 3.1.0-0
- Support arrays of potential matches in confinement blocks
- Support structured facts in confinement
* Wed Aug 21 2019 Trevor Vaughan <[email protected]> - 3.0.2-0
- Update confinement logic to ensure that all possibilities are collected
- Add debugging logs to enforcement logic
- Raise errors on malformed data
- Increase supported simp/simplib version to < 5
* Mon Aug 12 2019 Robert Vincent <[email protected]> - 3.0.2-0
- Support puppetlabs/stdlib 6.x.
* Fri Aug 09 2019 Dylan Cochran <[email protected]> - 3.0.1-0
- Add confinement on modules and facts to SIMP Compliance Engine.
* Wed Aug 07 2019 Trevor Vaughan <[email protected]> - 3.0.0-0
- Converted the `compliance_map` function to a Puppet 4 function called
`compliance_markup::compliance_map()`
- The old puppet 3 function is deprecated and will be removed in the 3.1.0-0
release of this module
- Make the 'timestamp' in the client-side report optional to prevent puppet
from triggering file resource changes every time
- Remove the experimental v1 data since it is no longer used
- Remove partial v2 data sets
- Add v2 data for the non-SIMP `yum` module
* Fri Jun 28 2019 Trevor Vaughan <[email protected]> - 2.5.0-0
- Fix compliance markup validation for Defined Types
* Tue Jun 25 2019 Trevor Vaughan <[email protected]> - 2.4.5-0
- Fix call to Hiera.warn in the compliance mapper
* Mon Jun 24 2019 Trevor Vaughan <[email protected]> - 2.4.4-0
- Revert change from __dir__ to File.dirname(__FILE__) in compliance_map.rb due
to discovered incompatibility with some puppetserver configurations.
- Add log statement if invalid JSON or YAML files are found when loading.
- Remove management of simp::sssd::client::ldap_domain from the mappings since
use of LDAP is not guaranteed.
* Tue Jun 11 2019 Trevor Vaughan <[email protected]> - 2.4.3-0
- Fix Puppet 6 support in the compliance_map function
- Dropped Puppet 4 support
- Fixed bug in the compliance report functionality that did not correctly
record the percent compliant in each report summary
* Tue Mar 12 2019 Trevor Vaughan <[email protected]> - 2.4.2-0
- Fix bug in Array merging
* Thu Mar 07 2019 Liz Nemsick <[email protected]> - 2.4.2-0
- Update the upper bound of stdlib to < 6.0.0
* Tue Mar 05 2019 Steven Pritchard <[email protected]> - 2.4.2-0
- Compliance_map_migrate improvements
- Merge values from multiple input files.
- Make 'check_header' consistent with other v2 data.
- Reorder output to match other v2 data.
- Fix controls, oval-ids, and identifiers output.
- Normalize identifier strings.
- Add option to supply confinement.
- Use a strange YAML incantation to avoid anchors in the output.
- Add option to append a string to the checks key.
- Add additional helper scripts for v1 to v2 migration.
* Fri Nov 02 2018 Steven Pritchard <[email protected]> - 2.4.1-0
- Fix the following keys:
- simp::mountpoints::tmp::secure
- simp::root_user::manage_group
- simp::root_user::manage_perms
- simp::root_user::manage_user
- ssh::server::conf::pki
* Wed Oct 31 2018 Steven Pritchard <[email protected]> - 2.4.1-0
- Fix the output of utils/compliance_map_migrate
* Fri Oct 19 2018 Liz Nemsick <[email protected]> - 2.4.1-0
- Fixed the following incorrect parameter types
- simp::yum::schedule::minute
- simp::yum::schedule::hour
* Thu Sep 20 2018 Dylan Cochran <[email protected]> - 2.4.0-0
- Open-Source SCE version 2.0
- Add bugfix for environments that are just Strings vs Environment objects.
- Add compliance_markup::loaded_maps() function to return all of the loaded
compliance data from the puppetserver for debugging
- Add compliance_markup::telemetry() function to return filenames used to
load compliance data
- Add compliance_markup::debug::dump hiera parameter that dumps the cached
result hash for hiera debugging.
- Remove pupmod::ca_crl_pull_interval from nist_800_53_rev4.json's since
the parameter is deprecated.
- refactor loader to look in:
- "/SIMP/compliance_profiles"
- "/simp/compliance_profiles"
and for backwards compatbility:
- "/lib/puppetx/compliance"
* Fri Aug 24 2018 Trevor Vaughan <[email protected]> - 2.3.4-0
- Change 'sudosh' to 'tlog' to support the switch to supported session logging
software
- Added support for Puppet 5 and OEL
- DISA STIG changes:
- Added selinux::login_resources
- Added gdm::settings
- Added gdm::banner
- Added gdm::simp_banner
- Added gdm::dconf_hash
- Added gnome::dconf_hash
* Thu Jun 28 2018 Liz Nemsick <[email protected]> - 2.3.4-0
- DISA STIG changes:
- Updated for pupmod-simp-auditd 8.0.0. This enforces the
'stig' audit profile, instead of the 'simp' audit profile.
* Mon Jun 11 2018 Nick Miller <[email protected]> - 2.3.4-0
- DISA STIG changes:
- Added auditd::config::audit_profiles::simp::audit_crontab_cmd
- Added auditd::config::audit_profiles::simp::audit_pam_timestamp_check_cmd
- Added auditd::config::audit_profiles::simp::audit_passwd_cmds
- Added auditd::config::audit_profiles::simp::audit_postfix_cmds
- Added auditd::config::audit_profiles::simp::audit_priv_cmds
- Added auditd::config::audit_profiles::simp::audit_ssh_keysign_cmd
* Wed Jun 06 2018 Chris Tessmer <[email protected]> - 2.3.4-0
- DISA STIG changes:
- Added auditd::config::audit_profiles::simp::audit_session_files
- Added auditd::config::audit_profiles::simp::audit_session_files_tag
* Wed Jun 06 2018 Liz Nemsick <[email protected]> - 2.3.4-0
- DISA STIG changes:
- Added auditd::action_mail_acct entries
- Added auditd::config::audit_profiles::simp::audit_sudoers
- Added auditd::config::audit_profiles::simp::audit_selinux_cmds
- Added auditd::failure_mode
- Corrected auditd::enable identifiers
* Fri May 18 2018 Jeanne Greulich <[email protected]> - 2.3.4-0
- Added postfix main.cf settings to el7 DISA STIG.
* Wed May 16 2018 Liz Nemsick <[email protected]> - 2.3.4-0
- Added aide::aliases entries for DISA STIG
- Replaced OBE simp::yum::enable_auto_updates entries with
simp::yum::schedule::enable in all profiles
- Added and updated simp::yum::schedules entries for DISA STIG
- Added simp::sysctl entries to the DISA STIG profiles for
net.ipv4.conf.default.accept_source_route,
net.ipv4.conf.default.send_redirects, and
net.ipv6.conf.all.accept_source_route.
* Fri May 04 2018 Jeanne Greulich <[email protected]> - 2.3.4-0
- Added and updated ssh::server::conf entries for DISA STIG
* Mon Apr 30 2018 Trevor Vaughan <[email protected]> - 2.3.4-0
- Added 'svckill::mode' to be 'enforcing' in STIG and 800-53 modes
* Fri Apr 27 2018 Liz Nemsick <[email protected]> - 2.3.4-0
- Fixed the inappropriate value of useradd::useradd::inactive in
the DISA STIG profiles. It is now set to 0.
* Fri Mar 30 2018 Trevor Vaughan <[email protected]> - 2.3.4-0
- Update PAM settings in the `disa_stig` profile
- Fixed issues with the compliance_map logic that were causing false results to
be added to the 'documented_missing_parameters' and
'documented_missing_resources' lists
* Tue Mar 06 2018 Liz Nemsick <[email protected]> - 2.3.3-0
- Updated TMOUT setting in /etc/profile.d/simp.sh to match EL7 STIG
setting (Reference: RHEL-07-040160)
- Added missing audispd program to simp_rsyslog::default_logs
- Added missing ' IPT:' message start to simp_ryslog::default_logs.
This is required for iptables violation messages because some
versions of rsyslog add a space separating the message
timestamp/id and the message.
* Wed Dec 13 2017 Nick Markowski <[email protected]> - 2.3.3-0
- Further aligned the EL7 disa_stig profile with scap-security-guide 0.1.33-5
- Added oval-ids to map puppet parameters to openscap tests and SIMP
remediations. Note this mapping is NOT complete.
- See simp/doc for a policy evaluation response report for CentOS 7
- Includes remedies and justifications to address failures in
the openscap scan
* Wed Nov 15 2017 Trevor Vaughan <[email protected]> - 2.3.3-0
- Aligned the EL7 disa_stig profile with the latest SSG content
- Fixed several parameters with incorrect data types
* Mon Oct 03 2017 Dylan Cochran <[email protected]> - 2.3.2-0
- Fix discrepancies between NIST and DISA compliance profiles
* Fri Sep 22 2017 Dylan Cochran <[email protected]> - 2.3.1-0
- Refactor report generator to use a shared file format parser/compiler.
- Add vendored 'profiles-in-modules' support
* Tue Sep 19 2017 Liz Nemsick <[email protected]> - 2.3.1-0
- Remove test link to allow module to be published to PuppetForge
* Tue Sep 05 2017 Lucas Yamanishi <[email protected]> - 2.3.0-0
- Converted compliance profiles to JSON. This allows non-string values
and faster deserialization.
- Provided scripts in 'utils/' to convert the compliance profiles from
YAML to JSON and vice versa.
* Mon Jun 16 2017 Dylan Cochran <[email protected]> - 2.2.0-0
- Added a compliance enforcement hierav3 and hierav5 backend.
* Sat Jun 10 2017 Trevor Vaughan <[email protected]> - 2.1.0-0
- Documented the report format in the README
- Added the defaut SIMP compliance profiles to the module data
- Enhanced the lookup mapper function to take an optional default map
- Passed the internal data as the default map
- Added client metadata to the compliance report for easier analysis
- Fixed several minor processing bugs
- Added the documented, but missing, regular expression match capability
- Confine puppet version in metadata.json
* Tue Feb 28 2017 Nick Miller <[email protected]> - 2.0.1-0
- travis.yml and gemfile updates
* Fri Oct 28 2016 Trevor Vaughan <[email protected]> - 2.0.0-0
- New map format
- New output format
- Added compliant values
- Added missed parameters
- Added missing class references
- Added server-side storage
- Added a conversion utility in the 'utils' directory
* Wed Sep 28 2016 Chris Tessmer <[email protected]> - 1.0.1-0
- Move GitHub org from `onyxpoint` to `simp`
* Sun Jul 03 2016 Chris Tessmer <[email protected]> - 1.0.0-0
- Move Forge org from `onyxpoint` to `simp`
- Provide Ruby 1.8.7 compatibility
- Ensure that a report is written on every run.
- Updated to properly handle the hash references
* Mon Dec 07 2015 Trevor Vaughan <[email protected]> - 0.0.1-0
- Initial Release