Comply release notes

These are the new features, enhancements, and resolved issues for the Puppet Comply 2.x release series.

Comply 2.2.2

Released 20 January 2022

New in this release:

  • CIS-CAT Pro Assessor v4.13.1. Comply 2.2.2 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:

    • AlmaLinux OS 8 v1.0.0
    • Amazon Linux 2 STIG v2.0.0
    • Apple macOS 11.0 Big Sur v2.0.0
    • Microsoft Windows Server 2012 (non-R2) v2.3.0
    • Red Hat Enterprise Linux 8 STIG v1.0.0

    The following benchmark is at end of life (EOL) and is no longer supported:

    • Debian Linux 8 v2.0.2

    CIS-CAT Pro Assessor v4.13.1 resolved security vulnerabilities present in the following embedded, third party dependency:

    • log4j-core - This library was updated to version 2.17.0.
  • Debug mode. You can now choose to run in debug mode to provide easier access to assessor logs.

    For more information, see Run an ad hoc scan.

Comply 2.2.1

Released 20 December 2021

New in this release:

CIS-CAT Pro Assessor v4.13.0. Comply 2.2.1 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:

  • Apple macOS 10.15 Catalina v2.0.0
  • Red Hat Enterprise Linux 7 STIG v2.0.0

The following benchmark is at end of life (EOL) and is no longer supported:

  • Mac OS 10.14

Security notice:

CIS-CAT Pro Assessor v4.13.0 resolved security vulnerabilities present in the following embedded, third party dependencies:

  • log4j-core - This library was updated to version 2.15.0.
  • bcprov-jdk15on - This library was updated to version 1.69.

Important: Version 2.15.0 of the log4j-core library addresses the potential escalation of privilege vulnerability. We do not believe Comply is vulnerable to any of the additional risks addressed in the 2.16.0 release, but plan to release an update in the near future which includes version 2.17.0 or later.
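The two notices above track which log4j-core version is embedded in the assessor (2.15.0 in Comply 2.2.1, 2.17.0 in Comply 2.2.2). The following is an added example, not code from Puppet or the Center for Internet Security, of the inventory check an operator would run against a deployed assessor jar: it reads the version from the standard Maven pom.properties entry that log4j-core jars carry, falls back to a nested log4j-core-<version>.jar name for bundled distributions, compares it to the 2.17.0 floor the release notes name, and reports whether the JndiLookup class is still present. The jar layout of the real CIS-CAT assessor is not described on this page, so the sample jars built here are constructed stand-ins.

```python
"""Check a jar for an embedded log4j-core and compare it to a minimum version.

Added example; not part of Puppet Comply or CIS-CAT. Assumes only the
standard Maven jar layout (META-INF/maven/<group>/<artifact>/pom.properties)
and the well-known location of JndiLookup.class inside log4j-core.
"""
import io
import re
import zipfile

LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_JAR_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")
MIN_OK = (2, 17, 0)  # version the Comply 2.2.2 notes say the assessor moved to


def parse_version(text):
    """'2.15.0' -> (2, 15, 0); trailing qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(jar_bytes):
    """Return the embedded log4j-core version string, or None if not found."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if LOG4J_CORE_POM in names:
            props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            if match:
                return match.group(1).strip()
        # Bundled distributions often ship the library as a nested jar.
        for name in names:
            match = NESTED_JAR_RE.search(name)
            if match:
                return match.group(1)
    return None


def has_jndi_lookup(jar_bytes):
    """True if JndiLookup.class is present (the class that newer releases drop)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess(jar_bytes, minimum=MIN_OK):
    """Summarise one jar: status is 'absent', 'outdated' or 'ok'."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        status = "absent"
    elif parse_version(version) >= minimum:
        status = "ok"
    else:
        status = "outdated"
    return {
        "version": version,
        "status": status,
        "jndi_lookup_present": has_jndi_lookup(jar_bytes),
    }


def build_sample_jar(version=None, nested=False, with_jndi=False):
    """Constructed stand-in for an assessor jar (not a real CIS-CAT artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version and nested:
            zf.writestr(f"lib/log4j-core-{version}.jar", b"")
        elif version:
            zf.writestr(
                LOG4J_CORE_POM,
                f"#Generated by Maven\nversion={version}\n"
                "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
            )
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in [
        ("assessor-2.2.1-like", build_sample_jar("2.15.0", with_jndi=True)),
        ("assessor-2.2.2-like", build_sample_jar("2.17.0")),
        ("bundled", build_sample_jar("2.16.0", nested=True)),
        ("no-log4j", build_sample_jar()),
    ]:
        print(label, assess(jar))
```

To run it against a real deployment, read the assessor jar from disk (`assess(open(path, "rb").read())`) on each node, or over the jars under the assessor's install directory; a result of `outdated` or `jndi_lookup_present: True` is what a detection rule should alert on.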

Comply 2.2.0

Released 18 November 2021.

New in this release:

  • Scan Reports improvements. Scan reporting functionality is extended to include the ability to access a list of historical scans and view scan details. For more information, see CIS scan report details.

  • Filtering and sorting. Filtering and sorting functionality has been implemented on all table columns in the Comply UI.

    Note: Filter drop-downs display all available options for a given parameter. On pages where multiple filtering options are available, selecting one filter option does not affect the options presented by any other filter drop-down.
  • CIS-CAT Pro Assessor v4.11.0. Comply 2.2.0 includes the latest version of the CIS-CAT assessor and its associated benchmarks:

    • Microsoft Windows Server 2012 R2 v2.5.0
    • Microsoft Windows Server 2016 STIG v1.1.0
    • SUSE Linux 15 v1.1.0
  • Desired compliance. The Comply UI has been simplified so that users are no longer required to manually accept the profiles applied by Comply based on fact information from PE.
  • Custom Comply port. You can now specify a custom Comply port in Puppet Application Manager if you do not want to use the default port (30303). For more information, see System requirements.
  • Data retention. The retention period for scan data can now be set on the Puppet Application Manager Config tab. For more information, see Scan results.

Resolved in this release:

  • Node Deletion. A fix was added to ensure that nodes deleted in Puppet Enterprise are no longer listed in Comply as available for scanning.
  • License page node count. Corrected an issue where the number of nodes displayed on the license page was not updated when a node was deleted in Puppet Enterprise.
  • Required installations page. The required installations page that was part of the assessor install procedure was removed as it was no longer required.
  • Comply-graphql. Fixed a known issue where the comply-graphql deployment did not become healthy after restoring Comply using Puppet Application Manager.
  • Rule ordering. Corrected an issue where rules were not always displayed in the correct numerical order.

Comply 2.1.0

Released 7 October 2021.

New in this release:

  • Scan Reports. The Comply UI has a new Scan Reports page that provides a report on rules passed/failed and node compliance from the most recent CIS scan. For more information, see CIS scan report details.

  • CIS-CAT Pro Assessor v4.9.0. Comply 2.1.0 includes the latest version of the CIS-CAT assessor and its associated benchmark:

    • CentOS Linux 7 v3.1.2
  • Scanner upgrades. Scanner upgrades in Comply are now optional rather than forced, to allow better management of PE jobs.

    Note: By default in Comply 2.1.0, the assessor is not upgraded automatically when you upgrade Comply. The assessor upgrade takes place when you initiate a Puppet Enterprise (PE) Puppet run job after Comply is upgraded. For more information, see Upgrade from Comply 2.2.1 to 2.2.2.

Resolved in this release:

  • Desired compliance upgrades. Fixed an issue where Windows 10 nodes lost their desired compliance after upgrading to Comply 2.x.

  • Upgrade statistics. Resolved an issue where statistics were overwritten when multiple upgrades took place.

  • Service start up. Updated Comply so that it now starts when IPv6 is disabled.

  • Preflight failure. Fixed an issue where preflight checks failed during install when certificates contained trailing newlines.

  • Scan wizard. The Comply scan wizard was updated to correct an issue where the environment name field did not revert to the previous saved value if the scan set up was cancelled.

Comply 2.0.0

Released August 2021.

New in this release:

  • CIS-CAT Pro Assessor v4.8.2. Comply 2.0.0 includes the latest version of the CIS-CAT assessor and its associated benchmarks:

    • Apple macOS 10.14 v1.4.0
    • Apple macOS 10.15 v1.4.0
    • Apple macOS 11.0 v1.2.0
    • CentOS Linux 7 v3.1.1
    • CentOS Linux 8 v1.0.1
    • Debian Linux 8 v2.0.2
    • Microsoft Windows Server 2019 v1.2.1
    • Microsoft Windows Server 2019 STIG v1.0.1
    • Microsoft Windows 10 20H2 v1.10.1
    • Oracle Linux 7 v3.1.1
    • Oracle Linux 8 v1.0.1
    • Red Hat Linux 7 v3.1.1
    • Red Hat Linux 8 v1.0.1
    • Amazon Linux 2 v2.0.0
    • Microsoft Windows 10 21H1 v1.11.0
    • Microsoft Windows Server 2016 v1.3.0
    • Ubuntu Linux 20.04 LTS STIG v1.0.0
  • Automatic upgrades of the CIS-CAT assessor. Every time you upgrade your Comply application, the assessor automatically upgrades to the latest version. This update also includes the following changes to how you interact with Comply:

    • You can only run a desired compliance scan against nodes with the latest version of the assessor.
    • You can only run a custom scan against benchmarks with the latest version of the assessor.
    • On the node inventory screen, nodes without the latest assessor are highlighted red to indicate that they need upgrading.
    • You can no longer set a desired compliance benchmark against a node that does not have the latest version of the assessor.
    • When the assessor upgrades, custom profiles are automatically updated to use the new benchmarks and profiles, and you receive a notification.
  • Assessor upgrades tab. The Assessor upgrades tab on the Activity feed screen provides a summary of assessor upgrades, including the number of nodes that have passed or failed. Note that this only shows the status of your nodes after the upgrade, and does not update again, even if your nodes change to passing.
  • comply module Secure Sockets Layer (SSL). This includes changes to how you install and upgrade the Comply module.

Resolved in this release:

  • Comply tries to install 7-zip on Windows. The comply module no longer installs 7zip on Windows systems.
  • Windows Server Semi Annual Channel (SAC) builds are assigned the wrong CIS profile. SAC builds are now assigned the correct Windows 2019 profile.

Security notice:

  • Vulnerability in 12.18.3-alpine image. This release updates the alpine image to 15.13.0.

  • Vulnerability in keycloak:15.0.0. This release updates keycloak to version 15.0.0.

  • Vulnerability in dependencies. This release upgrades NodeJS to version 14.17.1 and React to version 17.0.2.

For upgrade instructions, see Upgrade from Comply 2.2.1 to 2.2.2.

Comply known issues

These are the known issues for the Puppet Comply 1.x and 2.x releases.

Session timeout in Comply 2.2.0

Comply does not redirect users to the login screen on session timeout and some screens show error messages. Reloading the page in Comply fixes this issue.

Windows 2012 non R2 benchmark

The Windows 2012 non R2 benchmark is not available in Comply.

Multiple filtering options

On pages where multiple filtering options are available, selecting one filter option does not affect the options presented by any other filter drop-down. This means filter drop-downs display all available options for a given parameter and therefore invalid options may appear for a given filtering scenario.

GraphQL issue after Puppet Application Manager restore in Comply 2.1.0 or earlier

The Comply-GraphQL pod becomes stuck in CrashLoopBackOff after Comply is restored using Puppet Application Manager. This problem is due to an issue with the Hasura database used in Comply 2.1.0 or earlier. Contact Puppet support for help, or upgrade to Comply 2.2.0 or later to resolve the issue.

Scan report metrics bar node count not matched in Scan Report page Nodes tab table in Comply 2.1.0

If an error occurs after a scan report is sent from PE to Comply (owing, for example, to the Comply module being out of date on the node), the number of nodes appearing in the Scan Report page Nodes tab table can differ from the node count that appears in the Scan report metrics bar.

Running scans on CentOS 7 with Comply 1.0.4

The CentOS 7 benchmark in Comply 1.0.4 has been updated to version 3.1.0. If you have already installed Comply and set desired compliance for your CentOS 7 nodes, you need to run the following command on your comply-scarpy pod to update the benchmark version from 3.0.0 to 3.1.0, where <namespace> is the namespace Comply is installed in (for example, dio-comply):

kubectl exec --stdin --tty -n <namespace> $(kubectl get pods -n <namespace> | grep comply-scarpy | awk '{print $1}') -- /bin/scarp upgrade-assessor --assessor_version '4.6.0'

This ensures Comply uses the latest CIS-CAT benchmark and profiles.
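The one-liner above resolves the pod name with an unanchored grep and runs kubectl exec on whatever that returns. The script below is an added example, not Puppet's own tooling, that does the same job in two steps: it matches only the pod-name column and only names that begin with comply-scarpy, and it refuses to run when zero or more than one pod matches, so an unexpected cluster state fails loudly instead of executing against the wrong pod. The sample `kubectl get pods` output is constructed; the pod-name prefix and the namespace and version arguments are assumptions the operator supplies.

```shell
#!/bin/sh
# Added example around the comply-scarpy upgrade command; not Puppet's code.
# Assumes: pod names start with "comply-scarpy-", and the operator passes the
# namespace and assessor version. Run from an interactive shell (kubectl exec
# below uses --stdin --tty, as the documented one-liner does).
set -eu

# Read `kubectl get pods` text on stdin and print the single comply-scarpy pod
# name. Returns 1 if no pod, or more than one pod, matches.
select_scarpy_pod() {
    # NR > 1 skips the NAME header; $1 is the pod-name column only.
    matches=$(awk 'NR > 1 && $1 ~ /^comply-scarpy-/ { print $1 }')
    count=$(printf '%s' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one comply-scarpy pod, found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# usage: upgrade_assessor <namespace> <assessor_version>
upgrade_assessor() {
    ns=$1
    version=$2
    pod=$(kubectl get pods -n "$ns" | select_scarpy_pod)
    echo "upgrading assessor on pod $pod in namespace $ns to $version" >&2
    kubectl exec --stdin --tty -n "$ns" "$pod" -- \
        /bin/scarp upgrade-assessor --assessor_version "$version"
}

# Constructed sample of `kubectl get pods` output for a dry run of the lookup.
DEMO_PODS='NAME                             READY   STATUS    RESTARTS   AGE
comply-graphql-7c9f8d6b5-abcde   1/1     Running   0          3d
comply-scarpy-5d6b7c8f9-xyz12    1/1     Running   0          3d'

# Example invocations (the real upgrade is left as a comment so the script
# can be sourced without touching a cluster):
#   printf '%s\n' "$DEMO_PODS" | select_scarpy_pod
#   upgrade_assessor dio-comply 4.6.0
```

Source the file and call `upgrade_assessor <namespace> 4.6.0` for the case described above; `select_scarpy_pod` can also be piped any `kubectl get pods` listing to confirm which pod would be targeted before running anything.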

Running scan tasks in Puppet Enterprise (PE)

Comply uses PE tasks to run compliance scans on nodes. While you can see the scan task in PE, we advise against running them from here as it can have unforeseen effects on both PE and Comply. Instead, run all CIS scans from Comply. You can view the results of the scan in both products.