We have released ComplianceAsCode 0.1.48 and we would like to share our thoughts about the new features in the release.
Crypto Policy news
The release leverages a new feature of system-wide crypto policies: Crypto Policy Modules. RHEL crypto policies define a set of basic policies: the compatible but potentially insecure LEGACY policy, the secure DEFAULT policy, the stricter FIPS policy that uses only certified algorithms, and the very strict FUTURE crypto policy.
Security baselines span a wide range of crypto requirements, and unfortunately one policy doesn’t fit them all. Although the DEFAULT crypto policy is good enough for PCI-DSS, the Australian Essential Eight (E8) baseline prohibits the use of SHA-1. This is no surprise if you consider the recent news exposing its weakness. Unfortunately, on RHEL 8.0 and 8.1, only the FUTURE crypto policy disables SHA-1 for the whole system. Similarly, the OSPP baseline requires a somewhat stricter setting than the FIPS crypto policy.
Crypto policy modules can customize any system-wide crypto policy with additional restrictions, or relax it. Because existing policies can be combined with modules, the number of available configurations has grown, and it is possible to pick a configuration that is much closer to the original requirement, i.e. the user will not experience unnecessary restrictions.
The RHEL 8 Essential Eight and OSPP profiles make use of this enhancement by adopting FIPS:OSPP crypto policies respectively, so this is something to look forward to if you are a consumer of one of those profiles.
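As an added example (not part of these release notes or of the ComplianceAsCode content), the script below walks through the RHEL 8 workflow the paragraph describes: writing a custom policy module that drops SHA-1, composing it with a base policy into a name such as DEFAULT:NO-SHA1 or FIPS:OSPP, and applying the result with update-crypto-policies. The module name NO-SHA1, the MODULE_DIR variable and the helper function names are this example's own assumptions; the directives use the crypto-policies module syntax documented for RHEL 8.

```shell
#!/bin/sh
# Added example, not project code. Assumes the RHEL 8 crypto-policies layout:
# custom modules live in /etc/crypto-policies/policies/modules/NAME.pmod and a
# base policy plus modules is selected as BASE:MODULE1:MODULE2.
MODULE_DIR="${MODULE_DIR:-/etc/crypto-policies/policies/modules}"

# Write a policy module (hypothetical name NO-SHA1) that removes SHA-1 as a
# hash and HMAC-SHA1 as a MAC, leaving the rest of the base policy untouched.
# Prints the path of the written .pmod file.
write_no_sha1_module() {
    mod_name="$1"
    mod_path="$MODULE_DIR/$mod_name.pmod"
    mkdir -p "$MODULE_DIR"
    cat > "$mod_path" <<'EOF'
# Subpolicy dropping SHA-1: "-" removes an algorithm from the base policy list.
hash = -SHA1
mac = -HMAC-SHA1
EOF
    echo "$mod_path"
}

# Compose "BASE:MOD1:MOD2" from its parts, rejecting anything that is not a
# plain policy/module name (update-crypto-policies would reject it too).
compose_policy() {
    policy=""
    for part in "$@"; do
        case "$part" in
            *[!A-Z0-9_-]*|"") echo "invalid policy component: '$part'" >&2; return 1 ;;
        esac
        if [ -z "$policy" ]; then policy="$part"; else policy="$policy:$part"; fi
    done
    echo "$policy"
}

# Apply the composed policy and show what is now active. Services only pick
# the new policy up after they are restarted (or after a reboot).
apply_policy() {
    if ! command -v update-crypto-policies >/dev/null 2>&1; then
        echo "update-crypto-policies not found; not a crypto-policies host" >&2
        return 1
    fi
    update-crypto-policies --set "$1" && update-crypto-policies --show
}

# Usage on a RHEL 8 host (run as root):
#   write_no_sha1_module NO-SHA1
#   apply_policy "$(compose_policy DEFAULT NO-SHA1)"   # or: compose_policy FIPS OSPP
```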
Draft of DISA STIG for RHEL 8
This release features a draft version of the DISA STIG for Red Hat Enterprise Linux 8 and of the DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).
These profiles are based on the OSPP profile. The OSPP profile has been updated to reflect the latest changes in Red Hat Enterprise Linux 8, for example the aforementioned crypto policy modules or the new keywords in the USBGuard configuration. A large update of the SRG mappings associated with the rules in these profiles has been completed, and the HTML tables have been fixed.
Debian 10 content
We have introduced support for Debian 10. An initial version of SCAP content for Debian 10 has been created. The Guide to the Secure Configuration of Debian 10 contains a generic standard profile and four ANSSI profiles.
This release also contains a large number of bug fixes. Check the detailed list of changes on the upstream release page on GitHub.
Zip archive with pre-built content: https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48.zip
Zip archive with pre-built content using only OVAL-5.10: https://github.com/ComplianceAsCode/content/releases/download/v0.1.48/scap-security-guide-0.1.48-oval-510.zip
Should you have any questions or concerns, join the conversation at email@example.com or report an issue on the GitHub Issue Tracker.
Thank you to everyone who has contributed to this release!