We have released ComplianceAsCode 0.1.48 and we would like to share our thoughts about the new features in the release.

Crypto Policy news

The release leverages the new feature of system-wide crypto policies – Crypto Policy Modules. RHEL Crypto Policies define a set of basic policies - compatible, but potentially insecure LEGACY, the secure DEFAULT, stricter policy that uses only certified algorithms FIPS, and a very strict FUTURE crypto policy.

Security baselines have all range of crypto requirements, and unfortunately one policy doesn’t fit all requirements. Although the DEFAULT crypto policy is good enough for PCI-DSS, the Australian Essential Eight (E8) baseline prohibits usage of SHA-1. This is not a surprise, if you consider recent news exposing its weakness. Unfortunately, on RHEL 8.0 and 8.1, only the FUTURE crypto policy disables SHA-1 for the system. Similarly, the OSPP baseline requires a somewhat stricter setting than the FIPS crypto policy.

Crypto policy modules can customize any system-wide crypto policy with additional restrictions, and it can relax it as well. The possibility of combining existing policies with modules means that the number of configurations grew, and it is possible to pick a configuration that is much closer to the original requirement, i.e. the user will not experience unnecessary restrictions.

RHEL8 Essential Eight and OSPP profiles made use of this enhancement in a form of adopting DEFAULT:NO-SHA1 and FIPS:OSPP crypto policies respectively, so this is something to look forward to if you are a consumer of one of those profiles.

Draft of DISA STIG for RHEL 8

This release features a draft version of DISA STIG for Red Hat Enterprise Linux 8 and DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)

These profiles are based on the OSPP profile. The OSPP profile has been updated to reflect the latest changes in Red Hat Enterprise Linux 8, for example aforementioned crypto policy modules or the new keywords in USBGuard configuration. A large update of SRG mappings associated with the rules in these profiles has been completed. The HTML tables have been fixed.

Debian 10 content

We have introduced support for Debian 10. An initial version of SCAP content for Debian 10 has been created. The Guide to the Secure Configuration of Debian 10 contains a generic standard profile and four ANSSI profiles.

Conclusion

This release also contains a large amount of bug fixes. Check the detailed list of changes at Upstream release page on GitHub.

Zip archive with pre-built content: https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip

Zip archive with pre-built content using only OVAL-5.10: https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48-oval-510.zip

Should you have any questions or concerns, join conversation at scap-security-guide@lists.fedorahosted.org or report an issue on the GitHub Issue Tracker.

Thank you to everyone who has contributed to this release!

Happy hardening!