Release notes

v1.9.1

Released 8 February 2024

CEM for Linux v1.9.1 improves operational efficiency by correcting an issue where Puppet runs fail prematurely in certain scenarios. Furthermore, this release enhances security safeguards by correcting issues that could have prevented three Security Technical Implementation Guide (STIG) controls from being enforced as intended.

• Fixed an issue that could potentially cause Puppet runs to fail prematurely on Red Hat Enterprise Linux (RHEL) 8 systems. The issue is related to the Facter fact cem_mount_info, which can fail to resolve when home directories cannot be determined for a user on a system. The fix helps to ensure that the correct default directory is used, and the fact resolves successfully.
• Fixed the default value for STIG Control V-230270 to help prevent kernel profiling by unauthorized users. The kernel parameter kernel.perf_event_paranoid is now set to a default value of 2 to help prevent attackers from gaining system information.
• Fixed an issue that could cause incorrect failure reports for STIG Control V-230281. The control helps to ensure that the RHEL operating system removes previously installed software components when updated versions are installed. In CEM, the specified default value of true was changed to True to ensure that the control works as designed.
• Fixed the default value for STIG Control V-230494. The control helps to protect the security of systems by disabling the Asynchronous Transfer Mode (ATM) protocol. The default value was changed from ATM to atm so that the control works as designed and helps to protect systems from exploitation.

v1.9.0

Released 14 December 2023

CEM for Linux v1.9.0 introduces extended coverage with support for two new operating systems -- Red Hat Enterprise Linux (RHEL) 9 and Oracle Linux 9. This release also improves operational efficiency by introducing an automated audit process and instant access to audited controls for result review.

• Introduced support for the RHEL 9 operating system. You can now enforce the Center for Internet Security (CIS) RHEL 9 Benchmarks, Levels 1 and 2, to help ensure a secure configuration for your RHEL 9 nodes.
• Introduced support for the Oracle Linux 9 operating system. You can now protect your Oracle Linux 9 nodes by enforcing the CIS Benchmarks at Levels 1 and 2.
• To improve the efficiency of the auditing process, you can now run a single Puppet Bolt® plan that includes 40 audit tasks. The Bolt plan, run_audit, can be run on one or more specified nodes to verify their configuration. Afterward, the Bolt log file provides a list of audited controls and detailed results. You can still run audit tasks separately, as supported in earlier releases.

• To help ensure compatibility between CEM for Linux and Puppet 8, the range of supported versions for the Puppet Labs® firewall module was changed. The firewall module must be at version 5.0 or later, but earlier than 6.0.

v1.8.0

Released 24 October 2023

• Introduced support for enforcing Center for Internet Security (CIS) Benchmarks on the Rocky Linux operating system. With CEM for Linux v1.8.0, you can enforce the CIS Rocky Linux 8 Benchmarks, Levels 1 and 2. In this way, you can help to secure your Rocky Linux system and reduce the manual overhead associated with solution configuration.
• Added controls to help enhance security on Red Hat Enterprise Linux (RHEL) 8, AlmaLinux 8, and Oracle Linux 8 systems. The following controls can now be enforced:
  • Control 2.3.2 helps to ensure that remote shell (rsh) clients are not installed. The rsh program presents a security vulnerability because users who run rsh commands risk exposing their user credentials.
  • Control 2.3.3 helps to ensure that the Linux talk client is not installed. Talk software makes it possible for users to send and receive messages using unencrypted protocols.
  • Control 5.6.1.4 helps to ensure that inactive user accounts are locked automatically within 30 days of password expiration. Inactive accounts present a vulnerability because users are not logging in to check for failed login attempts and other anomalies.
• Added controls to help enhance security on Oracle Linux 7 systems. The following controls can now be enforced:
  • Control 1.4.1 ensures that a bootloader password is set. A user who restarts a system must enter a password before setting command-line boot parameters. This restriction helps to prevent unauthorized users from undermining system security.
  • Control 1.4.2 ensures that permissions are specified for the grub configuration file, which contains information about boot settings and passwords for unlocking boot options. This restriction helps to prevent unauthorized users from viewing and changing boot parameters.
  • Control 1.6.1.2 ensures that Security-Enhanced Linux (SELinux) is enabled at boot time and is not overridden by grub boot parameters.
  • Control 4.1.1.3 ensures that processes are audited even if they are running before the auditd service is started. Audit events must be recorded to detect potential malicious activity.
  • Control 4.1.2.4 helps to ensure that the audit backlog limit is sufficient to prevent audit records from being lost. If records from the auditd service are lost, malicious activity could go undetected.

• Fixed an issue related to data protection in log files. The CIS Oracle Linux 8 Benchmark v2.0.0 includes Control 4.2.3, which requires the configuration of access permissions for log files. Previously, the control enforced access permissions only for non-hidden log files. With the fix, access permissions are enforced for both non-hidden and hidden log files.

v1.7.1

Released 29 September 2023

• Fixed the command that automatically generates the Reference section on Puppet Forge. The section now includes information about the Security Technical Implementation Guide (STIG) controls that are enforced by CEM for Linux.

v1.7.0

Released 28 September 2023

• An update was implemented in the cem_mount_info fact to help ensure that Puppet runs successfully. (The cem_mount_info fact uses the homedir_mounts function to determine the home directory mount paths from all mounted file systems. Previously, if the homedir_mounts function failed to return a value, the fact would have no value for home directories, and subsequent Puppet runs using the fact could fail. Now, if the homedir_mounts function fails to detect a value, the function verifies whether the /home directory is mounted and is a valid directory. If so, the function returns a value of /home.)

• This release includes updates that are designed to enhance security on Red Hat Enterprise Linux (RHEL) systems. By upgrading to CEM for Linux v1.7.0, you can enforce the latest US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standards and reduce the manual overhead associated with solution configuration:
  • For the RHEL 8 operating system, the DISA STIG standard was upgraded from Red Hat Enterprise Linux 8 STIG, Version 1, Release 8, to Version 1, Release 11. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 11.
  • For the RHEL 7 operating system, the DISA STIG standard was upgraded from Red Hat Enterprise Linux 7 STIG, Version 3, Release 8, to Version 3, Release 12. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 7 STIG, Version 3, Release 12.
• The CEM for Linux documentation now provides more detailed upgrade instructions, including preparation steps that you can take to help ensure a smooth upgrade. See Upgrading CEM.

• Fixed an issue related to communication security on RHEL 8 systems. STIG Control V-230507 is designed to disable the use of Bluetooth communication technologies because communications transmitted over Bluetooth can be intercepted. Previously, Bluetooth was not fully disabled. In this release, Bluetooth is fully disabled.
• Fixed an issue that could cause erroneous scan failures for users enforcing STIG Control V-204563. The STIG control ensures that audit records are generated when the kmod command is run to manage kernel modules. The audit rule for kernel module loading was fixed to prevent the erroneous scan failures.
• Fixed an issue that could cause scan failures for users enforcing STIG Control V-204579. The control is designed to enforce a timeout on RHEL 7 systems after a session is terminated or after 15 minutes of command-line inactivity by the user. The content of the timeout script, 999-tmout.sh, was updated to align with the STIG control.
• Fixed an issue that could cause scan failures for users enforcing STIG Control V-204605. The control helps to ensure that the date and time of the previous logon is displayed at the next logon. In the cem_linux::utils::postlogin utility class, you can specify the prune_pam_lastlog parameter to remove the silent option from the pam_lastlog.so module entries. In this way, you can help to prevent erroneous scan failures.
• Fixed an issue that caused a failure to set kernel parameter values. This issue occurred when kernel parameter values contained valid shell operators, such as |. Specifically, when the STIG profile attempted to set kernel.core_patterns = |/bin/false, no value was set:

  kernel.core_patterns = 

• Fixed an issue that could cause non-idempotent Puppet agent runs in which the resources related to grub bootloader arguments are reset during each run. With the fix, grub bootloader kernel arguments that are managed by the cem_grub_args custom resource type are now correctly persisted to the grub configuration file.
• Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.

v1.6.3

Released 10 August 2023

• Fixed an issue that caused Puppet run failures. The issue occurred when CEM for Linux set grub2 bootloader arguments on systems that had "non linux entry" kernel entries on the grubby --info=ALL command. The issue affected users on all supported Linux operating systems.

v1.6.2

Released 8 August 2023

• The CEM for Linux code is updated to help ensure compatibility with Puppet 8. Compatibility with earlier Puppet releases remains unchanged.

• A default setting was changed to help ensure that audit logs are encrypted before being offloaded to a remote system. This change affects users who implement the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard on Red Hat Enterprise Linux (RHEL) 8 operating systems. Because the default setting for STIG Control V-230478 is now true, the GNU Privacy Guard (GnuPG) utility is installed by default and the auditd service is enabled to help protect audit logs from unauthorized access.

• Fixed an issue related to audit backlogs on RHEL 8 operating systems. The issue arose because Center for Internet Security (CIS) Control 4.1.1.4 was not enforced. The control helps to ensure that a sufficient number of audit records are retained in the backlog on system startup so that users can detect potential malicious activity. Starting with CEM for Linux v1.6.2, users can choose whether to enable CIS Control 4.1.1.4. If enabled, the control is enforced.
• Fixed an issue that affected users who enforce the DISA STIG standard on RHEL 8 operating systems. STIG Control V-230307 is designed to implement the nodev mount option to prevent unauthorized access from untrusted file systems. Previously, the control did not work as designed because the nodev option was not applied. The issue is fixed to help ensure that the control works as expected.
• Fixed an issue related to the Security-Enhanced Linux (SELinux) architecture, which controls system access. In previous releases, when a user changed the SELinux security setting, the change went into effect after a system restart. Starting with CEM for Linux v1.6.2, a user can specify that the updated setting is enforced immediately, and the change goes into effect. A user can also specify that the updated setting is enforced only after a system restart.

v1.6.1

Released 16 May 2023

• Fixed an issue that occasionally caused compliance scan failures for users who applied Center for Internet Security (CIS) controls in a Red Hat Enterprise Linux (RHEL) 7 environment. The issue occurred because CIS Control 4.1.15 ‘Ensure system administrator command executions sudo are collected’ did not apply auditd configuration entries. The issue is fixed to ensure that scans run as expected.
• Fixed an issue that prevented CIS Control 4.1.3.7 ‘Ensure unsuccessful file access attempts are collected’ from being enforced. The issue affected users on RHEL 8, AlmaLinux 8, and Oracle Linux 8 systems. The control is now enforced to ensure that information is collected about unsuccessful attempts to access files. These unsuccessful attempts can indicate that an unauthorized user or process is trying to gain access to the system.
• Fixed an error that could cause system operations to halt unexpectedly for users on RHEL 7. The issue was caused by an incorrect default setting for CIS Control 4.1.2.3 ‘Ensure system is disabled when audit logs are full.’ The incorrect default setting could cause system operations to halt when disk space for audit logs runs low. The control is now correctly enforced as recommended by CIS: when disk space runs low, an email is sent to the address specified by the 'action_mail_acct' parameter.
• Implemented a fix to help ensure that the use of privileged programs is monitored on all partitions on RHEL 7 operating systems. Previously, CIS Control 4.1.3.10 ‘Ensure use of privileged commands is collected’ was not fully enforced. The control was only partially enforced because the find command did not descend into all partitions. The fix helps to ensure that all partitions are monitored so that unauthorized use of privileged programs is detected.
• Fixed an issue that occasionally caused the 10-cem_priv_commands.rules file to be blank. This issue affected users on RHEL operating systems. The issue is fixed to ensure that CEM operates as expected when the user specifies a value of true for the audit_privileged_commands option:
  • If privileged commands exist, the 10-cem_priv_commands.rules file displays the audit rule for that control.
  • If privileged commands do not exist or the privileged commands are ignored, a 10-cem_priv_commands.rules file is not created.
• Fixed an issue that caused a failure to remove the Automatic Bug Reporting Tool (ABRT). In CEM for Linux v1.6.0, when the remove_automatic_bug_report_tools class was specified to remove ABRT, the tool remained installed. The problem is resolved to ensure that ABRT packages can be removed based on the class specification without further user intervention.

v1.6.0

Released 28 March 2023

• Enforcement of Center for Internet Security (CIS) Benchmarks on three new operating systems:
  • CIS Benchmark for AlmaLinux 8, v2.0.0, levels 1 and 2
  • CIS Benchmark for Oracle Linux 7, v3.1.1, levels 1 and 2
  • CIS Benchmark for Oracle Linux 8, v2.0.0, levels 1 and 2
• For users who enforce the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard on Red Hat Enterprise Linux (RHEL) operating systems, CEM now supports several controls that are designed to secure graphical user interfaces (GUIs). The following new GUI controls are enforced:
  • Control V-204397 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
  • Control V-204398 - The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
  • Control V-204399 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
  • Control V-204400 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • Control V-204402 - The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
  • Control V-204403 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
  • Control V-204404 - The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • Control V-204432 - The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
  • Control V-204433 - The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.
  • Control V-204456 - The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
  • Control V-214937 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
  • Control V-219059 - The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
  • Control V-251718 - The graphical display manager must not be the default target on RHEL 8 unless approved.
  • Control V-230530 - The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
  • Control V-230553 - The graphical display manager must not be installed on RHEL 8 unless approved.
  • Control V-244519 - RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
  • Control V-244535 - RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
  • Control V-244536 - RHEL 8 must disable the user list at logon for graphical user interfaces.
  • Control V-244538 - RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
  • Control V-244539 - RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
  • Control V-230347 - RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
  • Control V-230351 - RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
  • Control V-230352 - RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
  • Control V-230354 - RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
  • Control V-230329 - Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
  • Control V-230226 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • Control V-204393 - The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • Control V-204394 - The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
  • Control V-204396 - The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
• The ability to enable controls that are designed to secure a GNOME desktop environment. Users who enforce the DISA STIG standard on a RHEL 7 or 8 operating system can set the top-level manage_gnome option to true to enforce all relevant controls in a GNOME desktop environment. Users who enforce CIS controls in RHEL 7 or 8 or CentOS environments must also specify manage_gnome=true to enable controls for GNOME. For CIS users, the following GNOME controls are added:
  • 1.8.1 - Ensure GNOME Display Manager is removed
  • 1.8.2 - Ensure GDM login banner is configured
  • 1.8.3 - Ensure last logged in user display is disabled
  • 1.8.4 - Ensure XDCMP is not enabled
  • 1.8.5 - Ensure automatic mounting of removable media is disabled

• The implementation for DISA STIG Control V-204600 was changed to ensure that the StrictModes=yes setting is explicitly applied to the Secure Shell (SSH) configuration. This setting helps to protect SSH keys. If file system permissions for SSH keys are too lax, SSH authentication fails. The change affects users who enforce DISA STIG in a RHEL 7 environment.

• An issue that caused invalid permissions to be assigned to the audit directory. This issue affected users who enforced the DISA STIG standard on RHEL operating systems. The issue was related to STIG Control V-230471, which helps to ensure that only users with sufficient permissions can specify which events will be audited. The correct permissions are now set on the audit directory.
• An issue that prevented proper enforcement of STIG Controls V-204614 and V-204615, which are designed to prevent man-in-the-middle attacks. The controls are enforced on RHEL systems to specify whether redirect messages sent with the Internet Control Message Protocol (ICMP) using Internet Control version 4 (IPv4) can be accepted. This issue is corrected to ensure that the ICMP redirect messages are disabled by default for both IPv4 and IPv6.
• A CEM configuration issue for users who enforce the DISA STIG standard in a RHEL 8 environment. In CEM for Linux v1.5.0, the base class cem_linux::utils::packages::linux::sudo was not included for STIG use in the data/RedHat/RedHat/8.yaml file. The omission resulted in additional configuration steps for some users. The YAML file is now updated to include the missing sudo class.
• A scan issue for users who enforce the DISA STIG standard on RHEL operating systems. Previously, Controls V-204427 (5.4.12) and V-204428 (5.4.13) were reported as failing in Puppet Comply. Failures were reported even when CEM appeared to correctly enforce the controls. These controls help to protect systems against unauthorized access by limiting the number of failed login attempts. Scans for the controls now report accurate results.

v1.5.2

Released 9 March 2023

• An issue that prevented the CEM for Linux v1.5.1 reference topics from being displayed on Puppet Forge. With the v1.5.2 release, the Reference tab is restored. The topics on the Reference tab for v1.5.2 are applicable to both the v1.5.2 and v1.5.1 releases.

v1.5.1

Released 7 March 2023

• A change was introduced to simplify configuration in Red Hat Enterprise Linux (RHEL) 8 environments where the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard is enforced. The update applies to DISA STIG control V-230339, which is designed to limit login attempts and thus help to prevent brute-force attacks. The default directory where login failure records are kept can now be changed.

• An issue that prevented the OpenSSH server process from starting on RHEL 8 systems. The issue affected users who enforced the DISA STIG standard. When a value of FUTURE was set for cryptographic policies to help prevent malware attacks, the OpenSSH process failed with the following error message:

  Extra argument FUTURE.

• An issue that prevented users from running the system account task from the Puppet Enterprise (PE) console. Previously, attempts to run the task resulted in error messages about missing metadata. With the fix applied, users can run the cem_linux::system_account task from the PE console to view system accounts.
• An issue that caused an error message pertaining to the audit.rules file. The issue was seen on RHEL operating systems after an upgrade to CEM for Linux v1.5.0. The following error message was issued:

  Could not stat /etc/audit/rules.d/audit.rules

  To resolve the issue, the CEM for Linux module was updated to reference all existing files in /etc/audit/rules.d/ directory.

• An issue that caused a failure to audit sudo log files. When events pertaining to a sudo log file are collected, system administrators can review the events to detect whether unauthorized commands were run. The issue, which affected users on RHEL 8 systems, was caused by a failure to enforce Center for Internet Security (CIS) Control 4.1.3.3. The control is now enforced.
• A failure to enable GNU Privacy Guard (GPG) checks for downloaded packages on RHEL 8 operating systems. CIS Benchmark Control 1.2.3 ("Ensure gpgcheck is globally activated") is designed to ensure that downloaded packages from the RPM package management tool are checked. However, these checks failed to occur because the repo_files parameter associated with the CIS control does not specify the YUM files that are used to manage RHEL packages. The fix ensures that GPG checks will be enabled on a per-repository basis for each file that is listed in the repo_files parameter.
• An issue that can cause configuration problems in RHEL 8 environments where DISA STIG standards are enforced. Because of the issue, the following top-level parameters for the Grub2 bootloader could not be set: cem_linux::regenerate_grub2_config, cem_linux::set_grub2_password, cem_linux::grub2_superuser, and cem_linux::grub2_superuser_password. The issue was resolved to ensure that the parameters can be set, and the values are applied.
• A configuration issue that affects the security of messages when DISA STIG standards are applied in a RHEL 8 environment. The issue pertains to STIG control V-230245, which is designed to ensure that unauthorized persons cannot access system messages. Security is enforced by setting a permissions mode for access to the /var/log/messages file. The issue occurred because the resource data for STIG control V-230245 specified a value of directory instead of file. The issue was fixed to ensure that permissions are set for the messages file. The fix also ensures that a /var/log/messages directory is not created inadvertently.
• An issue that can cause configuration problems for users who attempt to enforce the DISA STIG standard in a RHEL 8 environment. The issue was caused by extraneous text in the cem_linux/manifests/utils/bootloader/grub2/fips.pp file. The extraneous text, a Universal Unique Identifier of 6484, is now removed.

v1.5.0

Released 14 February 2023

• Enforcement of the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 8 operating systems:
  • The Security Technical Implementation Guide (STIG) standard was developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government. On RHEL 8, the following DISA STIG standard is supported: Red Hat Enterprise Linux 8 STIG, Version 1, Release 8.
  • For the RHEL 8 operating system, STIG can be enabled by adding the following Hiera data to the control repository:

    cem_linux::benchmark: 'stig'

  • STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
  • For a list of supported STIG controls and configurations, see the CEM Linux Reference.
• New top-level configuration option, disable_package_gpgcheck. By enabling this option, you disable GNU Privacy Guard (GPG) checks of downloaded packages. Disabling GPG checks can be helpful in rare cases if you enable more stringent system encryption standards, such as the Federal Information Processing Standards (FIPS). These standards can introduce stricter criteria than are normally available for GPG package signatures. If GPG and more stringent criteria are applied simultaneously, package downloads can fail. Specify the disable_package_gpgcheck=true setting only when necessary. Enabling this option can make your infrastructure less secure.

• An error that occasionally prevented system startups and that caused failures of the Internet Control Message Protocol (ICMP) was resolved. The error was identified in the Puppet manifest file disable_icmp_redirects.pp, which specifies whether messages sent with ICMP can be redirected. In the file, extraneous text is now commented out.
• An issue with the cem::utils::boot_fstab_entry class was fixed to help ensure that Puppet runs would not overwrite user-specified settings.

v1.4.3

Released 15 December 2022

• Fixed an issue that resulted in catalog compilation errors on the Red Hat Enterprise Linux (RHEL) 7 operating system. The issue, caused by a duplicate instance of control V-204450 in the YAML file, resulted in error messages like the following:

  Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server 
  Error: Evaluation Error: Error while evaluating a Function Call, CEM: 
  cem_create_resources: failed  
  resource: class

• Fixed an issue related to Center for Internet Security (CIS) Control 4.1.3.6 in a RHEL 8 environment. When Control 4.1.3.6 is enabled, privileged programs are monitored to determine whether unauthorized users are trying to gain access. However, when Control 4.1.3.6 was enabled on systems using the Postfix mail transfer agent, two setuid binary files (postdrop and postqueue) were not being added to the auditd monitor list. The issue is corrected so that scans can run successfully.
• Fixed an issue related to CIS Control 1.5.3 in a RHEL environment. Control 1.5.3 is designed to ensure that address space layout randomization (ASLR) is enabled. ASLR randomly arranges the address space of data areas in processes to help protect system security. Enforcement for Control 1.5.3 was available in a RHEL 7 environment but was missing from RHEL 8. The control is now available to RHEL 8 users.
• Fixed an issue that affects users of the RHEL 7 operating system and pertains to control V-204444. When enabled, the control helps to prevent non-privileged users from initiating privileged functions such as disabling, circumventing, or altering security safeguards. However, after a system administrator specified the privileged users (resources) for control V-204444 and scans were run, the Puppet agent overwrote the resource list on each run. The issue is fixed to ensure that the resource list is not overwritten.
• Fixed an issue that caused scan failures for CIS Control 4.1.16, ‘Ensure kernel module loading and unloading is collected,’ in a RHEL 7 environment. When this control is enforced, the process of loading and unloading kernel modules is monitored to help detect unauthorized access to the system. Users of RHEL 7 found that Control 4.1.16 failed scans even when the control was correctly configured. The issue is corrected so that scans can run successfully.

v1.4.2

Released 8 November 2022

• Added the ability to configure multiple rsyslog remote hosts to CEM for Linux. In previous releases, only single remote hosts were fully configurable. This software update simplifies the process of using the rsyslog software utility to forward logs to remote servers.
• Added an audit script for the V-204392 control, which is included in a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG control helps to ensure that file permissions, ownership, and group membership of system files and commands match vendor values. You can use the new audit script to troubleshoot issues related to the control.

• Updated the Advanced Intrusion Detection Environment (AIDE) utility class to add support for the cron scheduling utility. As a result, AIDE scans can be scheduled by using a cron task rather than systemd timers.
• Updated CEM for Linux to ensure that the nullok option cannot be included in the system-auth file. The nullok option determines whether users can access a service with a blank password. This software update is designed to prevent unauthorized access to the system.

• Fixed an issue that prevented certificates from being checked for Public Key Infrastructure (PKI) authentication. This software update affects users who are enforcing DISA STIG controls on a Red Hat Enterprise Linux (RHEL) operating system.
• Fixed an issue to help ensure that any new password must contain at least 8 characters that differ from the previous password. This software update affects users who are enforcing DISA STIG controls on a RHEL operating system.
• Fixed an issue related to the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark 2.0.0, Control 3.3.2: Ensure ICMP redirects are not accepted. This software update helps to ensure that the control is enforced so that Internet Control and Error Message Protocol redirects are prevented.
• Fixed an issue that caused the cem_semanage fact to run and log errors on an unsupported operating system, RHEL 6. semanage is a Security-Enhanced Linux (SELinux) management tool.
• Fixed an issue that caused catalog compilation errors when users selected the Network Time Protocol (NTP) synchronization service.

v1.4.1

Released 24 October 2022

• Fixed an issue that prevented the cem_mount_info fact from resolving on Puppet Enterprise (PE) versions 2019.x.x. The issue prompted the following error message:

  Facter: error while resolving custom facts...

  To resolve the issue, you can install CEM Linux v1.4.1. To help avoid the issue, you can install the latest version of PE.

v1.4.0

Released 20 October 2022

v1.3.2

Released 8 September 2022

v1.3.1

Released 18 August 2022

v1.3.0

Released 3 August 2022

v1.2.0

Released 24 May 2022

v1.1.4

Released 25 March 2022

v1.1.3

Released 24 March 2022

v1.1.2

Released 16 March 2022

v1.1.1

Released 25 January 2022

v1.1.0

Released 14 December 2021

v1.0.0

Released 28 September 2021

This is the initial public release of CEM for Linux.