CEM Linux 1.5.1 Release Announcement


Puppet Product Updates

Mar 8, 2023, 8:54:09 AM3/8/23

Hello everyone! We have released CEM for Linux 1.5.1


Included in cem_linux 1.5.1: 

Changed
  • A change was introduced to simplify configuration in Red Hat Enterprise Linux (RHEL) 8 environments where the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard is enforced. The update applies to DISA STIG control V-230339, which is designed to limit login attempts and thus help to prevent brute-force attacks. The default directory where login failure records are kept can now be changed.
Fixed
  • An issue that prevented the OpenSSH server process from starting on RHEL 8 systems. The issue affected users who enforced the DISA STIG standard. When a value of FUTURE was set for cryptographic policies to help prevent malware attacks, the OpenSSH process failed with the following error message:
    Extra argument FUTURE.
  • An issue that prevented users from running the system account task from the Puppet Enterprise (PE) console. Previously, attempts to run the task resulted in error messages about missing metadata. With the fix applied, users can run the cem_linux::system_account task from the PE console to view system accounts.
  • An issue that caused an error message pertaining to the audit.rules file. The issue was seen on RHEL operating systems after an upgrade to CEM for Linux v1.5.0. The following error message was issued:
    Could not stat /etc/audit/rules.d/audit.rules

    To resolve the issue, the CEM for Linux module was updated to reference all existing files in the /etc/audit/rules.d/ directory.

  • An issue that caused a failure to audit sudo log files. When events pertaining to a sudo log file are collected, system administrators can review the events to detect whether unauthorized commands were run. The issue, which affected users on RHEL 8 systems, was caused by a failure to enforce Center for Internet Security (CIS) Control 4.1.3.3. The control is now enforced.
  • A failure to enable GNU Privacy Guard (GPG) checks for downloaded packages on RHEL 8 operating systems. CIS Benchmark Control 1.2.3 ("Ensure gpgcheck is globally activated") is designed to ensure that packages downloaded through the RPM package management tool are signature-checked. However, these checks failed to occur because the repo_files parameter associated with the CIS control did not specify the YUM files that are used to manage RHEL packages. The fix ensures that GPG checks are enabled on a per-repository basis for each file listed in the repo_files parameter.
  • An issue that can cause configuration problems in RHEL 8 environments where DISA STIG standards are enforced. Because of the issue, the following top-level parameters for the Grub2 bootloader could not be set: cem_linux::regenerate_grub2_config, cem_linux::set_grub2_password, cem_linux::grub2_superuser, and cem_linux::grub2_superuser_password. The issue was resolved to ensure that the parameters can be set and the values are applied.
  • A configuration issue that affects the security of messages when DISA STIG standards are applied in a RHEL 8 environment. The issue pertains to STIG control V-230245, which is designed to ensure that unauthorized persons cannot access system messages. Security is enforced by setting a permissions mode on the /var/log/messages file. The issue occurred because the resource data for STIG control V-230245 specified a value of directory instead of file. The issue was fixed to ensure that permissions are set on the messages file. The fix also ensures that a /var/log/messages directory is not created inadvertently.
  • An issue that can cause configuration problems for users who attempt to enforce the DISA STIG standard in a RHEL 8 environment. The issue was caused by extraneous text in the cem_linux/manifests/utils/bootloader/grub2/fips.pp file. The extraneous text, a Universal Unique Identifier of 6484, is now removed.
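Two of the audit-related fixes above (reading every rules file under /etc/audit/rules.d/ rather than a single audit.rules, and enforcing CIS 4.1.3.3 so that changes to the sudo log file are collected) can be verified independently of the module. The following Python script is an added example written for this announcement; it is not code from cem_linux or from Puppet. It walks a rules directory, parses only the "-w" (file watch) rules, and reports which file, if any, watches the sudo log for write and attribute changes. The sudo log path /var/log/sudo.log is an assumption taken from the common CIS default, not from the page, and the rule-file contents are constructed sample data.

```python
import os
import shlex

# Constructed sample contents of /etc/audit/rules.d/*.rules (not from the page or the module).
SAMPLE_RULES_DIR = {
    "audit.rules": "## This file is automatically generated from /etc/audit/rules.d\n-D\n-b 8192\n",
    "10-base.rules": "-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope\n",
    "50-sudo-log.rules": "# CIS 4.1.3.3: collect changes to the sudo log\n"
                         "-w /var/log/sudo.log -p wa -k sudo_log_file\n",
}


def _arg(tokens, flag):
    """Return the value following `flag` in an auditctl-style token list, or '' if absent."""
    if flag in tokens:
        idx = tokens.index(flag) + 1
        if idx < len(tokens):
            return tokens[idx]
    return ""


def parse_watch_rules(text):
    """Return a list of (path, perms, key) for every '-w' rule in a rules file.

    Comment lines, blank lines and non-watch rules (-D, -b, -a ...) are ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        path = _arg(tokens, "-w")
        if not path:
            continue
        rules.append((path, _arg(tokens, "-p"), _arg(tokens, "-k")))
    return rules


def sudo_log_is_audited(rules_by_file, sudo_log="/var/log/sudo.log"):
    """Return the name of the first rules file that watches `sudo_log` for
    both writes ('w') and attribute changes ('a'), or None if no file does.

    `rules_by_file` maps file name -> file contents, i.e. the whole rules.d
    directory, so a rule is found regardless of which file carries it.
    """
    for fname, text in sorted(rules_by_file.items()):
        for path, perms, _key in parse_watch_rules(text):
            if path == sudo_log and {"w", "a"} <= set(perms):
                return fname
    return None


def load_rules_dir(dirname="/etc/audit/rules.d"):
    """Read every *.rules file in `dirname` into a {name: contents} mapping."""
    loaded = {}
    for name in sorted(os.listdir(dirname)):
        if name.endswith(".rules"):
            with open(os.path.join(dirname, name), encoding="utf-8") as fh:
                loaded[name] = fh.read()
    return loaded


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_rules_dir() on a real host.
    found_in = sudo_log_is_audited(SAMPLE_RULES_DIR)
    print("sudo log watch found in:", found_in or "<none>")
```

On a live system, replace SAMPLE_RULES_DIR with load_rules_dir() (which needs read access to /etc/audit/rules.d/); a result of None means the sudo log is not being collected and the control is not in effect, whatever a single audit.rules file may suggest.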

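The gpgcheck fix above is about the per-repository semantics of CIS 1.2.3: a global gpgcheck=1 in the [main] section of yum.conf or dnf.conf is only the default, and any individual repository section that sets gpgcheck=0 overrides it. The script below is an added example for this announcement (not cem_linux or Puppet code) that checks exactly that: it reads the global default and then flags each repository section whose effective gpgcheck is not 1. The .repo and yum.conf contents are constructed sample data; the /etc/yum.repos.d and /etc/yum.conf paths in scan_host are the standard RHEL locations and are the only assumptions.

```python
import configparser
import glob
import os

# Constructed sample .repo file (not from the page or the module).
SAMPLE_REPO_FILE = """
[baseos]
name=Base OS
baseurl=https://example.invalid/baseos
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[appstream]
name=AppStream
baseurl=https://example.invalid/appstream
gpgcheck=0

[extras]
name=Extras
baseurl=https://example.invalid/extras
"""

# Constructed sample /etc/yum.conf with the global default enabled.
SAMPLE_YUM_CONF = """
[main]
gpgcheck=1
installonly_limit=3
"""


def global_gpgcheck(conf_text):
    """True when the [main] section turns gpgcheck on; absent means off."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("main", "gpgcheck", fallback="0").strip() == "1"


def repos_without_gpgcheck(repo_text, global_enabled):
    """Return the repository ids whose effective gpgcheck is not 1.

    A repository that sets gpgcheck explicitly uses its own value; one that
    omits it inherits the global default, which is why a global 1 alone does
    not satisfy the control if repo_files are not also checked.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    failing = []
    for repo_id in cp.sections():
        if cp.has_option(repo_id, "gpgcheck"):
            enabled = cp.get(repo_id, "gpgcheck").strip() == "1"
        else:
            enabled = global_enabled
        if not enabled:
            failing.append(repo_id)
    return failing


def scan_host(repos_dir="/etc/yum.repos.d", conf_path="/etc/yum.conf"):
    """Apply the check to every *.repo file on a real host; returns {file: [repo ids]}."""
    with open(conf_path, encoding="utf-8") as fh:
        enabled = global_gpgcheck(fh.read())
    report = {}
    for path in sorted(glob.glob(os.path.join(repos_dir, "*.repo"))):
        with open(path, encoding="utf-8") as fh:
            bad = repos_without_gpgcheck(fh.read(), enabled)
        if bad:
            report[path] = bad
    return report


if __name__ == "__main__":
    enabled = global_gpgcheck(SAMPLE_YUM_CONF)
    print("global gpgcheck enabled:", enabled)
    print("repos without gpgcheck:", repos_without_gpgcheck(SAMPLE_REPO_FILE, enabled))
```

Run as-is, the sample flags only appstream (explicitly 0); if the global default were off, extras would be flagged as well because it inherits the default. On a host, scan_host() gives the per-file list that the repo_files parameter needs to cover.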
Full release notes can be found here.

Puppet
