CEM Linux 1.5.0 Release Announcement


Puppet Product Updates

Feb 15, 2023, 4:55:02 AM
to puppet-...@googlegroups.com

Hello Everyone, 


A new version of the Compliance Enforcement Modules has just been released! We are excited to announce that CEM for Linux now supports DISA STIG for Red Hat Enterprise Linux 8. 


cem_linux v1.5.0 includes the following: 


Added
  • Enforcement of the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 8 operating systems:
    • The Security Technical Implementation Guide (STIG) standard was developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government.
    • For the RHEL 8 operating system, STIG can be enabled by adding the following Hiera data to the control repository:
      cem_linux::benchmark: 'stig'
    • STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
    • For a list of supported STIG controls and configurations, see the CEM Linux Reference.
  • New top-level configuration option, disable_package_gpgcheck. By enabling this option, you disable GNU Privacy Guard (GPG) checks of downloaded packages. Disabling GPG checks can be helpful in rare cases if you enable more stringent system encryption standards, such as the Federal Information Processing Standards (FIPS). These standards can introduce stricter criteria than are normally available for GPG package signatures. If GPG and more stringent criteria are applied simultaneously, package downloads can fail. Specify the disable_package_gpgcheck=true setting only when necessary. Enabling this option can make your infrastructure less secure.

Fixed
  • An error that occasionally prevented system startups and that caused failures of the Internet Control Message Protocol (ICMP) was resolved. The error was identified in the Puppet manifest file disable_icmp_redirects.pp, which specifies whether messages sent with ICMP can be redirected. In the file, extraneous text is now commented out.
  • An issue with the cem::utils::boot_fstab_entry class was fixed to help ensure that Puppet runs would not overwrite user-specified settings.

Full release notes can be found here.

Puppet
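Because the new disable_package_gpgcheck option switches off signature verification for downloaded packages, it is worth having an independent check of what the managed hosts actually end up with, whatever mechanism set it. The script below is an added example for this thread (my own code, not part of cem_linux or Puppet) that audits DNF/YUM repository files the way dnf evaluates them: a repo's own gpgcheck overrides [main] gpgcheck in dnf.conf, and when neither is set the documented default in dnf.conf(5) is 0. The repo ids, URLs, file contents and the two dnf.conf variants are constructed for the demo and do not come from any real host.

```python
"""Audit DNF/YUM repository files for repos that would install unsigned
packages.  Added example: not part of cem_linux; the sample data below is
constructed for the demo (hypothetical repo ids and URLs)."""
import configparser
import tempfile
from pathlib import Path

# Constructed sample /etc/yum.repos.d/sample.repo (hypothetical).
SAMPLE_REPOS = """\
[rhel-8-baseos]
name=RHEL 8 BaseOS (sample)
baseurl=https://cdn.example.com/rhel8/baseos
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[internal-tools]
name=Internal tools (explicitly unsigned)
baseurl=https://repo.example.internal/tools
enabled=1
gpgcheck=0

[legacy]
name=Legacy mirror (gpgcheck not set, inherits [main])
baseurl=https://repo.example.internal/legacy
enabled=1

[vendor]
name=Vendor repo (disabled, so never reported)
baseurl=https://vendor.example.com/el8
enabled=0
gpgcheck=0
"""
# Two constructed /etc/dnf/dnf.conf variants: GPG checks turned off
# globally (weak) versus enabled globally (strict).
WEAK_DNF_CONF = "[main]\ngpgcheck=0\ninstallonly_limit=3\n"
STRICT_DNF_CONF = "[main]\ngpgcheck=1\ninstallonly_limit=3\n"


def _truthy(value):
    # dnf accepts 1/0, true/false, yes/no, on/off for boolean options
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def _load(path):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(path)  # a missing file simply yields an empty config
    return cp


def audit_gpgcheck(repo_dir, dnf_conf=None):
    """Return a sorted list of (repo_id, reason) for every enabled repo whose
    packages would not be signature-checked.  Per dnf.conf(5), the repo's own
    gpgcheck overrides [main] gpgcheck; if neither is set the default is 0."""
    main_default = False
    if dnf_conf is not None:
        main = _load(dnf_conf)
        if main.has_option("main", "gpgcheck"):
            main_default = _truthy(main.get("main", "gpgcheck"))

    findings = []
    repo_dir = Path(repo_dir)
    if not repo_dir.is_dir():
        return findings
    for repo_file in sorted(repo_dir.glob("*.repo")):
        cp = _load(repo_file)
        for repo_id in cp.sections():
            sec = cp[repo_id]
            if not _truthy(sec.get("enabled", "1")):
                continue  # a disabled repo cannot install anything
            own = sec.get("gpgcheck")
            if own is None:
                if not main_default:
                    findings.append((repo_id, "gpgcheck unset, inherits 0 from [main]"))
            elif not _truthy(own):
                findings.append((repo_id, "gpgcheck=0"))
            elif not sec.get("gpgkey", "").strip():
                # signatures are still checked, but only against keys that
                # are already imported into the rpm database
                findings.append((repo_id, "gpgcheck=1 without gpgkey"))
    return sorted(findings)


def run_demo():
    """Write the constructed samples to a temp dir and audit them under both
    dnf.conf variants; returns (weak_findings, strict_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo_dir = Path(tmp) / "yum.repos.d"
        repo_dir.mkdir()
        (repo_dir / "sample.repo").write_text(SAMPLE_REPOS)
        weak = Path(tmp) / "dnf-weak.conf"
        strict = Path(tmp) / "dnf-strict.conf"
        weak.write_text(WEAK_DNF_CONF)
        strict.write_text(STRICT_DNF_CONF)
        return audit_gpgcheck(repo_dir, weak), audit_gpgcheck(repo_dir, strict)


if __name__ == "__main__":
    for label, found in zip(("[main] gpgcheck=0", "[main] gpgcheck=1"), run_demo()):
        print(label)
        for repo_id, reason in found:
            print(f"  {repo_id}: {reason}")
```

On a real RHEL 8 host you would call audit_gpgcheck("/etc/yum.repos.d", "/etc/dnf/dnf.conf") instead of run_demo(); the demo shows that with GPG checks disabled globally the repo that never set gpgcheck silently joins the unsigned set, which is exactly the kind of drift to watch for after turning on disable_package_gpgcheck.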
