We are delighted to announce release 1.8.68 of Chef Automate. The release is available for download from https://downloads.chef.io/automate.
New Features
- Added support for specifying an AWS role ARN using `elasticsearch['role_arn']` when performing backups to S3
Resolved Issues
- Fixed an issue preventing compliance scanner reports from being collected
- The built-in ssl certificate is no longer a CA keypair and works with newer versions of Chrome
- Fixed multiple bugs with the reaper:
  - Relocated the executable to `/opt/delivery/bin/reaper` from `/opt/delivery/embedded/service/reaper/bin/reaper`
  - The application is now AppBundled to ensure high reliability.
  - Logs now append to the log file for each execution rather than overwriting it.
  - Application crash logs are now appended to the log file.
  - The Curator timeout is now configurable. It can be set via `node['delivery']['elasticsearch']['curator']['timeout']` in delivery.rb, or by exporting the environment variable `CURATOR_ELASTICSEARCH_TIMEOUT` when running the reaper manually. The default value is 600 seconds (10 minutes).
Compliance Profile Updates
CIS RHEL6 Server v2.0.2
Various fixes and improvements (for 69 controls) have been ported over from CIS RHEL7 Server v2.1.1
Other specific fixes:
Control # | Control title | Issue fixed |
---|---|---|
1.6.1.1 | Ensure SELinux is not disabled in bootloader configuration | Fixed control - pattern matching logic was previously inverted; the control now correctly passes if SELinux is not installed. |
1.6.1.2 | Ensure the SELinux state is enforcing | Fixed control logic |
1.6.1.3 | Ensure SELinux policy is configured | Fixed control logic |
1.7.1.2 | Ensure local login warning banner is configured properly | Fixed control - pattern matching logic was previously inverted |
1.7.1.3 | Ensure remote login warning banner is configured properly | Fixed control - pattern matching logic was previously inverted |
4.1.18 | Ensure the audit configuration is immutable | Fixed control logic |
4.2.2.1 | Ensure syslog-ng service is enabled | Fixed control logic |
6.2.9 | Ensure users own their home directories | Fixed control logic |
6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | Fixed control logic |
CIS RHEL7 Server v2.1.1
Control # | Control title | Issue fixed |
---|---|---|
1.1.5 | Ensure noexec option set on /tmp partition | Added additional test to ensure partition is mounted |
1.1.8 | Ensure separate partition exists for /var | Added additional test to ensure partition is mounted |
1.1.9 | Ensure nosuid option set on /var/tmp partition | Added additional test to ensure partition is mounted |
1.1.10 | Ensure noexec option set on /var/tmp partition | Added additional test to ensure partition is mounted |
1.1.14 | Ensure nodev option set on /home partition | Added additional test to ensure partition is mounted |
1.1.15 | Ensure nodev option set on /dev/shm partition | Added additional test to ensure partition is mounted |
1.1.16 | Ensure nosuid option set on /dev/shm partition | Added additional test to ensure partition is mounted |
1.1.17 | Ensure noexec option set on /dev/shm partition | Added additional test to ensure partition is mounted |
1.1.22 | Disable Automounting | Removed unnecessary test of autofs package being installed |
1.5.1 | Ensure core dumps are restricted | Fixed control logic to pass if either condition is true |
1.5.2 | Ensure XD/NX support is enabled | Fixed control logic to pass if either condition is true |
1.6.1.1 | Audit system file permissions | Fixed control logic |
1.6.1.2 | Ensure the SELinux state is enforcing | Fixed control logic |
1.6.1.3 | Ensure SELinux policy is configured | Fixed control logic |
1.6.1.4 | Ensure SETroubleshoot is not installed | Fixed control logic |
1.6.1.5 | Ensure the MCS Translation Service (mcstrans) is not installed | Fixed control logic |
1.6.1.6 | Ensure no unconfined daemons exist | Fixed control logic |
4.1.1.2 | Ensure system is disabled when audit logs are full | Aligned control with CIS |
4.2.2.1 | Ensure syslog-ng service is enabled | Fixed control logic |
5.2.16 | Ensure SSH warning banner is configured | Fixed control - it now tests only that the SSH banner is not null |
5.4.1.1 | Ensure password expiration is 90 days or less | Fixed control to accept PASS_MAX_DAYS less than or equal to 90 days instead of only accepting exactly 90 days |
6.2.10 | Ensure users’ dot files are not group or world writable | Improved the message that is output if this control is skipped due to absence of any dot files |
6.2.15 | Ensure all groups in /etc/passwd exist in /etc/group | Fixed control logic |
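Two of the RHEL7 fixes above change what a control accepts: the 1.1.x mount rows now test that the partition is actually mounted before checking its options, and 5.4.1.1 now accepts any PASS_MAX_DAYS of 90 or less rather than exactly 90. The following is an added example in plain Ruby, not the CIS profile's own InSpec code, re-creating that corrected logic over constructed sample file contents so the before/after behaviour can be run offline.

```ruby
# Added example, not the profile's InSpec code; inputs are constructed samples,
# not read from a live host.  Shows fixed logic for rows 1.1.x and 5.4.1.1.

LOGIN_DEFS = <<~TXT   # constructed /etc/login.defs fragment
  # PASS_MAX_DAYS   99999
  PASS_MAX_DAYS   60
  PASS_MIN_DAYS   7
TXT

PROC_MOUNTS = <<~TXT  # constructed /proc/mounts fragment: no /tmp entry
  /dev/sda1 / xfs rw,relatime 0 0
  tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
TXT

# Effective PASS_MAX_DAYS, ignoring commented-out lines; nil if unset.
def pass_max_days(login_defs)
  login_defs.each_line do |line|
    next if line.strip.start_with?('#')
    m = line.match(/^\s*PASS_MAX_DAYS\s+(\d+)/)
    return m[1].to_i if m
  end
  nil
end

# Pre-fix 5.4.1.1 logic: only exactly 90 passed, so a stricter 60 failed.
def expiration_ok_old?(login_defs)
  pass_max_days(login_defs) == 90
end

# Fixed 5.4.1.1 logic: any configured value of 90 days or less passes.
def expiration_ok_new?(login_defs)
  days = pass_max_days(login_defs)
  !days.nil? && days <= 90
end

# Mount options for a mount point, or nil when it is not mounted at all.
def mount_options(proc_mounts, mount_point)
  proc_mounts.each_line do |line|
    _dev, mnt, _type, opts = line.split
    return opts.split(',') if mnt == mount_point
  end
  nil
end

# Fixed 1.1.x logic: report "not mounted" separately from "option missing",
# so an absent /tmp partition cannot be mistaken for a hardened one.
def mount_option_check(proc_mounts, mount_point, option)
  opts = mount_options(proc_mounts, mount_point)
  { mounted: !opts.nil?, has_option: !opts.nil? && opts.include?(option) }
end
```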
CIS Windows Server 2012 v2.0.1
Various non-functional formatting changes across all controls:
- Tests of registry keys now assert that the property being checked exists, giving a more meaningful failure message if it doesn’t exist.
- Removed 8 controls from the Member Server profile that were only applicable to Domain Controller and were previously included in error.
- Removed 8 controls from the Domain Controller profile that were only applicable to Member Server and were previously included in error.
Other specific fixes:
Control # | Control title | Issue fixed |
---|---|---|
2.2.3 | Ensure ‘Act as part of the operating system’ is set to ‘No One’ | Improved logic to ensure no user has this user right |
2.2.6 | (L1) Configure ‘Allow log on locally’ | Fixed control logic and updated the test to use Security Identifiers (SIDs) |
2.2.16 | (L1) Ensure ‘Debug programs’ is set to ‘Administrators’ | Control now correctly checks that Administrators have permission rather than ‘No one’ |
2.2.18 | (L1) Ensure ‘Deny log on as a batch job’ to include ‘Guests’ | Fixed control logic to check that USER_GUESTS are denied batch rights |
2.2.19 | (L1) Ensure ‘Deny log on as a service’ to include ‘Guests’ | Improved logic to ensure no user has this user right |
2.3.10.1 | (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ | Fixed control logic |
2.3.10.6 | (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ | Fixed control logic |
2.3.10.7 | (L1) Configure ‘Network access: Remotely accessible registry paths’ | Fixed control logic |
2.3.10.8 | (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ | Fixed control logic |
2.3.10.10 | (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ | Fixed control logic |
18.9.24.3 | (L1) Ensure ‘Default Protections for Internet Explorer’ is set to ‘Enabled’ | Fixed usage of EMET_Conf.exe to correctly detect config |
18.9.24.4 | (L1) Ensure ‘Default Protections for Popular Software’ is set to ‘Enabled’ | Fixed usage of EMET_Conf.exe to correctly detect config |
18.9.24.5 | (L1) Ensure ‘Default Protections for Recommended Software’ is set to ‘Enabled’ | Fixed usage of EMET_Conf.exe to correctly detect config |
19.1.3.2 | (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ | Fixed control logic |
CIS Windows Server 2012 R2 v2.2.1
Control # | Control title | Issue fixed |
---|---|---|
2.2.6 | (L1) Configure ‘Allow log on locally’ | Updated test to use Security Identifiers (SIDs) |
2.2.7 | (L1) Configure ‘Allow log on through Remote Desktop Services’ | Updated test to use Security Identifiers (SIDs) |
2.3.10.1 | (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ | Fixed control logic |
2.3.10.7 | (L1) Configure ‘Network access: Remotely accessible registry paths’ | Fixed control logic |
2.3.10.6 | (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ | Fixed control logic |
2.3.10.8 | (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ | Fixed control logic |
2.3.10.10 | (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ | Fixed control logic |
19.1.3.2 | (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ | Fixed control logic |
CIS Windows Server 2016 v1.0.0
- 258 tests have been updated to remove repetitive `describe` statements, improving execution time and reporting.
Control # | Control title | Issue fixed |
---|---|---|
2.2.7 | (L1) Configure ‘Allow log on through Remote Desktop Services’ | Updated test to use Security Identifiers (SIDs) |
2.3.10.1 | (L1) Ensure ‘Network access: Allow anonymous SID/Name translation’ is set to ‘Disabled’ | Fixed control logic |
2.3.10.6 | (L1) Configure ‘Network access: Named Pipes that can be accessed anonymously’ | Fixed control logic |
2.3.10.7 | (L1) Configure ‘Network access: Remotely accessible registry paths’ | Fixed control logic |
2.3.10.8 | (L1) Configure ‘Network access: Remotely accessible registry paths and sub-paths’ | Fixed control logic |
2.3.10.11 | (L1) Ensure ‘Network access: Shares that can be accessed anonymously’ is set to ‘None’ | Fixed control logic |
19.1.3.2 | (L1) Ensure ‘Force specific screen saver: Screen saver executable name’ is set to ‘Enabled: scrnsave.scr’ | Fixed control logic |
Compliance Profiles released
cis-rhel6-level1-server-2.0.2-6
cis-rhel6-level2-server-2.0.2-7
cis-rhel7-level1-server-2.1.1-17
cis-rhel7-level2-server-2.1.1-17
cis-windows2012-level1-domaincontroller-2.0.1-7
cis-windows2012-level1-memberserver-2.0.1-7
cis-windows2012-level2-domaincontroller-2.0.1-7
cis-windows2012-level2-memberserver-2.0.1-7
cis-windows2012r2-level1-domaincontroller-2.2.1-5
cis-windows2012r2-level1-memberserver-2.2.1-5
cis-windows2012r2-level2-domaincontroller-2.2.1-5
cis-windows2012r2-level2-memberserver-2.2.1-5
cis-windows2016rtm-release1607-level1-domaincontroller-1.0.0-5
cis-windows2016rtm-release1607-level1-memberserver-1.0.0-4
cis-windows2016rtm-release1607-level2-domaincontroller-1.0.0-5
cis-windows2016rtm-release1607-level2-memberserver-1.0.0-4
We encourage you to upgrade often. As always, we welcome your feedback and invite you to contact us directly or share your feedback online. Thanks for using Chef Automate!