Chef Automate 1.8.68


#1

We are delighted to announce release 1.8.68 of Chef Automate. The release is available for download from https://downloads.chef.io/automate.

New Features

  • Added support for specifying an AWS role ARN using elasticsearch['role_arn'] when performing backups to S3

Resolved Issues

  • Fixed an issue preventing compliance scanner reports from being collected
  • The built-in ssl certificate is no longer a CA keypair and works with newer versions of Chrome
  • Fixed multiple bugs with the reaper:
    • Relocated executable to /opt/delivery/bin/reaper from /opt/delivery/embedded/service/reaper/bin/reaper
    • Application is now AppBundled to ensure high reliability.
    • Logs now append to log file for each execution rather than overwrite.
    • Application crash logs are now appended to the logfile.
    • Curator timeout is now configurable. This can set via node['delivery']['elasticsearch']['curator']['timeout'] in the delivery.rb or by exporting the environment variable CURATOR_ELASTICSEARCH_TIMEOUT when running the reaper manually. Default value is 600 seconds (10 minutes).

Compliance Profile Updates

CIS RHEL6 Server v2.0.2

Various fixes and improvements (for 69 controls) have been ported over from CIS RHEL7 Server v2.1.1
Other specific fixes:

Control # Control title Issue fixed
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration Fixed control - pattern matching logic was previously inverted; and the control now correctly passes is SElinux is not installed.
1.6.1.2 Ensure the SELinux state is enforcing Fixed control logic
1.6.1.3 Ensure SELinux policy is configured Fixed control logic
1.7.1.2 Ensure local login warning banner is configured properly Fixed control - pattern matching logic was previously inverted
1.7.1.3 Ensure remote login warning banner is configured properly Fixed control - pattern matching logic was previously inverted
4.1.18 Ensure the audit configuration is immutable Fixed control logic
4.2.2.1 Ensure syslog-ng service is enabled Fixed control logic
6.2.9 Ensure users own their home directories Fixed control logic
6.2.15 Ensure all groups in /etc/passwd exist in /etc/group Fixed control logic

CIS RHEL7 Server v2.1.1

Control # Control title Issue fixed
1.1.5 Ensure noexec option set on /tmp partition Added additional test to ensure partition is mounted
1.1.8 Ensure separate partition exists for /var Added additional test to ensure partition is mounted
1.1.9 Ensure nosuid option set on /var/tmp partition Added additional test to ensure partition is mounted
1.1.10 Ensure noexec option set on /var/tmp partition Added additional test to ensure partition is mounted
1.1.14 Ensure nodev option set on /home partition Added additional test to ensure partition is mounted
1.1.15 Ensure nodev option set on /dev/shm partition Added additional test to ensure partition is mounted
1.1.16 Ensure nosuid option set on /dev/shm partition Added additional test to ensure partition is mounted
1.1.17 Ensure noexec option set on /dev/shm partition Added additional test to ensure partition is mounted
1.1.22 Disable Automounting Removed unnecessary test of autofs package being installed
1.5.1 Ensure core dumps are restricted Fixed control logic to pass if either condition is true
1.5.2 Ensure XD/NX support is enabled Fixed control logic to pass if either condition is true
1.6.1.1 Audit system file permissions Fixed control logic
1.6.1.2 Ensure the SELinux state is enforcing Fixed control logic
1.6.1.3 Ensure SELinux policy is configured Fixed control logic
1.6.1.4 Ensure SETroubleshoot is not installed Fixed control logic
1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed Fixed control logic
1.6.1.6 Ensure no unconfined daemons exist Fixed control logic
4.1.1.2 Ensure system is disabled when audit logs are full Aligned control with CIS
4.2.2.1 Ensure syslog-ng service is enabled Fixed control logic
5.2.16 Ensure SSH warning banner is configured Fixed control - it now tests only that the SSH banner is not null
5.4.1.1 Ensure password expiration is 90 days or less Fixed control to accept PASS_MAX_DAYS less than or equal to 90 days instead of only accepting exactly 90 days
6.2.10 Ensure users’ dot files are not group or world writable Improved the message that is output if this control is skipped due to absence of any dot files
6.2.15 Ensure all groups in /etc/passwd exist in /etc/group Fixed control logic

CIS Windows Server 2012 v2.0.1

Various non-functional changes to formatting to all controls:

  • Tests of registry keys now assert that the property being checked exists, giving a more meaningful failure message if it doesn’t exist.
  • Removed 8 controls from the Member Server profile that were only applicable to Domain Controller and were previously included in error.
  • Removed 8 controls from the Domain Controller profile that were only applicable to Member Server and were previously included in error.

Other specific fixes:

Control # Control title Issue fixed
2.2.3 Ensure ‘Act as part of the operating system’ is set to ‘No One’ Improved logic to ensure no user has this user right
2.2.6 (L1) Configure ‘Allow log on locally’ Fixed control logic and updated the test to use Security Identifiers (SIDs)
2.2.16 (L1) Ensure ‘Debug programs’ is set to ‘Administrators’ Control now correctly checks that Administrators have permission rather than ‘No one’
2.2.18 (L1) Ensure ‘Deny log on as a batch job’ to include ‘Guests’ Fixed control logic to check that USER_GUESTS are denied batch rights
2.2.19 (L1) Ensure ‘Deny log on as a service’ to include ‘Guests’ Improved logic to ensure no user has this user right
2.3.10.1 (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ Fixed control logic
2.3.10.6 (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ Fixed control logic
2.3.10.7 (L1) Configure ‘Network access: Remotely accessible registry paths’ Fixed control logic
2.3.10.8 (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ Fixed control logic
2.3.10.10 (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ Fixed control logic
18.9.24.3 (L1) Ensure ‘Default Protections for Internet Explorer’ is set to ‘Enabled’ Fixed usage of EMET_Conf.exe to correctly detect config
18.9.24.4 (L1) Ensure ‘Default Protections for Popular Software’ is set to ‘Enabled’ Fixed usage of EMET_Conf.exe to correctly detect config
18.9.24.5 (L1) Ensure ‘Default Protections for Recommended Software’ is set to ‘Enabled’ Fixed usage of EMET_Conf.exe to correctly detect config
19.1.3.2 (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ Fixed control logic

CIS Windows Server 2012 R2 v2.2.1

Control # Control title Issue fixed
2.2.6 (L1) Configure ‘Allow log on locally’ Updated test to use Security Identifiers (SIDs)
2.2.7 (L1) Configure ‘Allow log on through Remote Desktop Services’ Updated test to use Security Identifiers (SIDs)
2.3.10.1 (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ Fixed control logic
2.3.10.7 (L1) Configure ‘Network access: Remotely accessible registry paths’ Fixed control logic
2.3.10.6 (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ Fixed control logic
2.3.10.8 (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ Fixed control logic
2.3.10.10 (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ Fixed control logic
19.1.3.2 (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ Fixed control logic

CIS Windows Server 2016 v1.0.0

  • 258 tests have been updated to remove repetitive describe statements, improving execution time and reporting.
Control # Control title Issue fixed
2.2.7 (L1) Configure ‘Allow log on through Remote Desktop Services’ Updated test to use Security Identifiers (SIDs)
2.3.10.1 (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ Fixed control logic
2.3.10.6 (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ Fixed control logic
2.3.10.7 (L1) Configure ‘Network access: Remotely accessible registry paths’ Fixed control logic
2.3.10.8 (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ Fixed control logic
2.3.10.11 (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ Fixed control logic
19.1.3.2 (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ Fixed control logic

Compliance Profiles released

cis-rhel6-level1-server-2.0.2-6
cis-rhel6-level2-server-2.0.2-7
cis-rhel7-level1-server-2.1.1-17
cis-rhel7-level2-server-2.1.1-17
cis-windows2012-level1-domaincontroller-2.0.1-7
cis-windows2012-level1-memberserver-2.0.1-7
cis-windows2012-level2-domaincontroller-2.0.1-7
cis-windows2012-level2-memberserver-2.0.1-7
cis-windows2012r2-level1-domaincontroller-2.2.1-5
cis-windows2012r2-level1-memberserver-2.2.1-5
cis-windows2012r2-level2-domaincontroller-2.2.1-5
cis-windows2012r2-level2-memberserver-2.2.1-5
cis-windows2016rtm-release1607-level1-domaincontroller-1.0.0-5
cis-windows2016rtm-release1607-level1-memberserver-1.0.0-4
cis-windows2016rtm-release1607-level2-domaincontroller-1.0.0-5
cis-windows2016rtm-release1607-level2-memberserver-1.0.0-4

We encourage you to upgrade often. As always, we welcome your feedback and invite you to contact us directly or share your feedback online. Thanks for using Chef Automate!