Release notes
Learn about the new features, enhancements, and resolved issues for the Puppet Comply 2.x release series.
Comply 2.23.0
Released 11 December 2024.
New in this release:
- Additions to the Comply API. Improved accessibility and efficiency of Comply functions by adding two new APIs to the Comply API:
  - Profiles API. Added four new endpoints (`/v1/profiles`, `/v1/profiles/{id}`, `/v1/custom-profiles`, `/v1/custom-profiles/{id}`) to retrieve information about benchmark profiles in Comply.
  - Custom Scan API. Added a new endpoint (`/v1/custom-scan`) to create ad-hoc custom scans, which can be run with a custom profile or with a profile and benchmark.
- Added a task to remove old versions of the CIS-CAT Pro Assessor. Added the `remove_assessor` task, which allows you to remove old versions of the CIS-CAT Pro Assessor that are no longer in use.
- CIS-CAT Pro Assessor v4.47.0. Comply 2.23.0 contains the CIS-CAT Pro Assessor v4.47.0.
- Benchmarks updated in this release:
- AlmaLinux OS 9 Benchmark v2.0.0
- Amazon Linux 2023 Benchmark v1.0.0
- Apple macOS 13.0 Ventura Benchmark v3.0.0
- Apple macOS 14.0 Sonoma Benchmark v2.0.0
- Debian Linux 12 Benchmark v1.1.0
- Microsoft Windows Server 2016 STIG Benchmark v3.0.0
- Rocky Linux 9 Benchmark v2.0.0
- SUSE Linux Enterprise 12 Benchmark v3.2.0
- Ubuntu Linux 24.04 LTS Benchmark v1.0.0
Resolved in this release:
- Server failing to complete Comply scan. Fixed an issue where scans would not complete when running against machines running CIS-CAT Pro Assessor versions 4.37.0 and later. Note: For Linux and macOS users, this fix requires the `timeout` package, which is installed on Linux hosts by default. Users on macOS may need to install this package.
- Remove broken link for Assessor download. Removed a broken link for the Assessor download from the Settings page.
- Default Windows 2022 benchmark incorrectly set. Fixed an issue affecting assessor versions 4.39.0, 4.41.0, 4.42.0, and 4.43.0 where the default benchmark for Windows 2022 was incorrectly set to Azure.
- Comply fails to install when IPv6 is disabled. Fixed an issue where Comply NGINX components incorrectly depended on IPv6, preventing installation on systems with IPv6 disabled.
- Restore from backup failing. Fixed a permission issue causing restore from backup to fail due to issues copying database backups into the container on the target host.
- Incorrect number of scanned nodes displayed. Fixed an issue where the Nodes tab on the Scan reports page could display an incorrect number of nodes: sometimes showing more or fewer nodes than were scanned.
Security fixes in this release:
- CVE-2013-2028, CVE-2021-23017. Updated NGINX to 1.27.2 to address these vulnerabilities.
Comply 2.22.0
Released 16 August 2024.
New in this release:
- Added application configuration to Comply. You can now set the inventory refresh interval and data retention policy from the Settings page.
- Scheduled scans now support node groups. Node groups can now be added to scheduled scans. When a node is added to a node group, it is automatically included in the next scheduled scan for that node group.
- CIS-CAT Pro Assessor v4.43.0. Comply 2.22.0 contains the CIS-CAT Pro Assessor v4.43.0.
- Benchmarks updated in this release:
- Apple macOS 12.0 Monterey Benchmark v3.1.0
- Apple macOS 13.0 Ventura Benchmark v2.1.0
- Microsoft Windows Server 2019 Stand-alone v2.0.0
- Oracle Linux 9 Benchmark v2.0.0
- Red Hat Enterprise Linux 9 Benchmark v2.0.0
Security fixes in this release:
- CVE-2023-2976. Updated KeyCloak to 25.0.0 to address this vulnerability.
Comply 2.21.0
Released 27 June 2024.
New in this release:
- Desired compliance can be set for operating systems. You can now set the desired compliance defaults for each operating system. Any node added to the operating system is automatically assigned the benchmark and profile you set for that operating system.
- REST API documentation updated. Added a REST API tutorial to the Comply documentation.
- CIS-CAT Pro Assessor v4.42.0. Comply 2.21.0 contains the CIS-CAT Pro Assessor v4.42.0.
- Benchmarks updated in this release:
- Debian Linux 12 Benchmark v1.0.1
- Microsoft Windows 11 Stand-alone Benchmark v3.0.0
- Microsoft Windows Server 2019 Benchmark v3.0.1
Resolved in this release:
- Exceptions disappearing upon upgrade to 2.20.0. Fixed an issue that caused existing rule exceptions to disappear after upgrading.
- Search box on exceptions page not accepting input. Fixed an issue affecting the search bar on the exceptions page.
- macOS not getting desired benchmark assigned. Fixed an issue that was causing macOS nodes to be listed as Darwin on the Inventory page, which prevented the desired compliance from being set for those nodes.
- Upgrades from older versions of Comply to 2.20 not working. Fixed an issue where the scarpy container would not start following an upgrade from an older version.
Security fixes in this release:
- CVE-2024-4068. Updated braces to address this vulnerability.
- CVE-2024-2961, CVE-2024-33599, CVE-2024-2700, CVE-2024-1132, CVE-2024-1249, CVE-2024-2419, CVE-2024-3656, GHSA-69fp-7c8p-crjr. Updated KeyCloak to address these vulnerabilities.
- CVE-2023-5363. Updated oauth2-proxy to address this vulnerability.
Comply 2.20.0
Released 7 May 2024.
New in this release:
- CIS-CAT Pro Assessor v4.41.0. Comply 2.20.0 contains the CIS-CAT Pro Assessor v4.41.0.
- Benchmarks updated in this release:
- Debian Linux 11 Benchmark v2.0.0
- Microsoft Windows 10 Stand-alone Benchmark v3.0.0
- Microsoft Windows Server 2016 Benchmark v3.0.0
- Microsoft Windows Server 2019 Benchmark v3.0.0
- Microsoft Windows Server 2022 Benchmark v3.0.0
- Ubuntu Linux 18.04 LTS Benchmark v2.2.0
- Ubuntu Linux 22.04 LTS Benchmark v2.0.0
Resolved in this release:
- Unable to reset the desired compliance when a node changes operating systems. Fixed an issue where you could not change the desired compliance after changing the OS on a node. You can now reset the desired compliance on a node when the OS of the node changes.
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third-party
dependencies of the CIS-CAT Pro Assessor v4.41.0:
- PostgreSQL updated to v42.7.2.
- xmlsec updated to v4.0.1.
- cxf-core updated to v3.5.8.
- bouncycastle updated to v1.78.
Comply 2.19.0
Released 14 March 2024.
New in this release:
- Additions to the Comply API. Improved accessibility and efficiency of Comply functions by adding two new endpoints to the Comply API:
- Exports API. You can use the Exports API to create, retrieve, download, and delete exports of data from Comply.
- Inventory API. You can use the Inventory API to initiate a PE inventory sync.
- CIS-CAT Pro Assessor v4.39.0. Comply 2.19.0 contains the CIS-CAT Pro Assessor v4.39.0.
- Benchmarks updated in this release:
- Microsoft Windows 10 Enterprise v3.0.0
- Microsoft Windows 11 Enterprise v3.0.0
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third-party
dependencies of the CIS-CAT Pro Assessor v4.39.0:
- commons-compress updated to v1.26.0.
- Resolved security vulnerability CVE-2023-26159, present in the dependency follow-redirects-1.15.2, by upgrading to follow-redirects-1.15.4.
Comply 2.18.2
Released 22 February 2024.
New in this release:
- CIS-CAT Pro Assessor v4.38.0. Comply 2.18.2 contains the CIS-CAT Pro Assessor v4.38.0.
Resolved in this release:
- Exception page when viewing a custom profile as comply-viewer. Previously, the console would display an unknown error when viewing a custom profile with the viewer role. This has been fixed.
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third party
dependencies of the CIS-CAT Pro Assessor v4.37.0:
- unzip.exe updated to v6
- ion-java updated to v1.11.1 (CVE-2024-21634)
Comply 2.18.1
Released 18 January 2024.
New in this release:
- Public API specifications. Public API information is available at `https://<COMPLY-HOSTNAME>/openapi.json`, where COMPLY-HOSTNAME is the hostname of your Comply server.
- CIS-CAT Pro Assessor v4.37.0. Comply 2.18.1 contains the CIS-CAT Pro Assessor v4.37.0.
- Benchmarks updated in this release:
- CIS Amazon Linux 2 Benchmark v3.0.0
- CIS Microsoft Windows Server 2019 STIG Benchmark v2.0.0
- CIS CentOS Linux 7 Benchmark v4.0.0
- CIS Oracle Linux 7 Benchmark v4.0.0
- CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0
- Benchmarks added in this release:
- CIS Microsoft Windows Server 2019 Stand-alone v1.0.0
- CIS Microsoft Windows Server 2022 STIG Benchmark v1.0.0
Resolved in this release:
- GraphQL pod health check fails and does not recover. Added a probe to the GraphQL pod that restarts the pod if it is not live.
Security fixes in this release:
- Resolved security vulnerabilities present in the CIS-CAT Pro Assessor:
- logback-classic and core updated to 1.2.13
- jackson-databind updated to 2.16.0
- bouncy castle(bcprov) libraries updated to 1.74
Comply 2.18.0
Released 13 December 2023.
New in this release:
- Comply API
  - Puppet's open and integrated approach ensures data sharing with enterprise tools (such as risk management and systems of record), and improves productivity and cross-team collaboration by leveraging the same data to ensure transparency.
  - The Comply API allows you to automate actions, retrieve Comply data, and share Comply data with other groups and tooling. To use the API, you first must create a personal access token, after which you can access API endpoints.
  - The new Comply API improves productivity and resource management by providing access to existing data and functionality.
  - Added a new API allowing users to automate actions, retrieve Comply data, and share Comply data with other groups and tooling.
  - Users can create personal API access tokens and access endpoints depending on their user permissions.
  - Admins can view and revoke users' access tokens.
  - Added an API endpoint for extracting compliance results from Puppet Comply. Users can extract both summary and raw data results for one, many, or all nodes, up to 100,000 nodes.
- CIS-CAT Pro Assessor v4.36.0. Comply 2.18.0 contains the CIS-CAT Pro Assessor v4.36.0. Benchmarks updated in this release:
- CIS AlmaLinux OS 8 Benchmark v3.0.0
- CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
- CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
- CIS Microsoft Windows Server 2012 (non-R2) Benchmark v3.0.0
- CIS Microsoft Windows Server 2012 R2 Benchmark v3.0.0
- CIS Microsoft Windows Server 2016 STIG Benchmark v2.0.
- CIS Oracle Linux 8 Benchmark v3.0.0
- CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0
- CIS Rocky Linux 8 Benchmark v2.0.0
  Benchmarks added in this release:
  - CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
  Benchmarks removed in this release:
  - CIS Apple macOS 10.15 Catalina Benchmark v3.0.0
Resolved in this release:
- Node results page shows compliance score without exceptions. Fixed an issue where the node results page showed the compliance score of nodes without exceptions included, rather than the 'adjusted compliance score', which accounts for exceptions.
- Security fix. Resolved security vulnerabilities present in embedded, third party dependencies for io.netty.
Comply 2.17.0
Released 2 November 2023.
New in this release:
- Add parameter to prepend `scan_cmd` in module 2.17.1. The Comply module version 2.17.1 allows users to limit CPU usage on individual nodes when running a scan. To configure this feature, add the `limits` parameter to the `comply` class via PE. The parameter's format is JSON. Example: `{"systemd-run":{"CPUQuota":50}}` limits CPU usage to 50% of one CPU core. Values greater than 100 are allowed if you want to use more than one CPU core. Example: `{"nice":{"increment":10}}` increments the niceness value of the process. `systemd-run` is supported on Linux systems where `/usr/bin/systemd-run` is present, and `nice` is supported on Linux and macOS. Neither is supported on Windows. Note: The Comply module 2.17.1 was released with Comply 2.17.0, and it can be used with Comply versions 2.17.0 and later. Upgrading the Comply module from 2.17.0 to 2.17.1 is optional, and version 2.17.0 is still available.
- Scalability improvements. Puppet Comply now runs on a maximum of 100,000 nodes.
- Embedded JRE for MacOS. The CIS-CAT Pro Assessor for MacOS now contains embedded Java. It is no longer necessary to install Java when running the Assessor on MacOS.
- CIS-CAT Pro Assessor v4.34.0. Comply 2.17.0 contains the CIS-CAT Pro Assessor v4.34.0. Benchmarks updated in this release:
  - CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1
  Benchmarks removed in this release:
  - CIS Red Hat Enterprise Linux 6 Benchmark v3.0.0
  - CIS CentOS Linux 6 Benchmark v3.0.0
  - CIS Oracle Linux 6 Benchmark v2.0.0
  - CIS Debian Linux 9 Benchmark v1.0.1
- Security fix. CVE-2023-3635 has been resolved in the CIS-CAT Pro Assessor v4.34.0.
- The `comply-auth` pod should have liveness and/or startup probes defined. New startup and liveness probes have been added to the `comply-auth` pod. This change fixes an issue encountered on upgrade where the auth pod never went into a ready state and did not restart, as it only had a readiness probe. With the new startup probe, the pod has a set period of time to start up. If it fails to start up within the allotted time it restarts. The liveness probe restarts the pod if the pod appears to be unreachable for 30 seconds.
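To make the `limits` parameter described for module 2.17.1 concrete, the following is an added Python example, not code from the Comply module or from Puppet. It parses a `limits` JSON value, applies the platform rules stated in the note (`systemd-run` only on Linux hosts where `/usr/bin/systemd-run` is present, `nice` on Linux and macOS, neither on Windows) and returns the command-line prefix that would be prepended to the scan command. The function names, the `kernel` and `systemd_run_present` arguments, the use of `systemd-run --scope`, the 0 to 19 range check on the nice increment, and the placeholder scan command are all assumptions made for illustration.

```python
import json
from typing import List

# Constructed sample values of the Comply module's `limits` parameter, in the
# two JSON shapes shown in the release note. The wrapping logic below is an
# illustrative reconstruction, not the Comply module's own code.
CPU_QUOTA_LIMITS = '{"systemd-run":{"CPUQuota":50}}'
NICE_LIMITS = '{"nice":{"increment":10}}'

# Placeholder scan command; the real scan_cmd is supplied by the Comply module.
SCAN_CMD = ["/path/to/scan_cmd", "--benchmark", "placeholder"]

SYSTEMD_RUN_PATH = "/usr/bin/systemd-run"
KNOWN_LIMITERS = {"systemd-run", "nice"}


def build_scan_prefix(limits_json: str, kernel: str,
                      systemd_run_present: bool) -> List[str]:
    """Return the command-line prefix implied by a `limits` JSON value.

    kernel is the host kernel fact ("Linux", "Darwin" or "windows");
    systemd_run_present says whether /usr/bin/systemd-run exists on the host.
    Raises ValueError when the requested limiter is not usable on that host.
    """
    limits = json.loads(limits_json)
    if not isinstance(limits, dict):
        raise ValueError("limits must be a JSON object")
    unknown = set(limits) - KNOWN_LIMITERS
    if unknown:
        raise ValueError(f"unsupported limiter(s): {sorted(unknown)}")
    if kernel == "windows" and limits:
        raise ValueError("neither systemd-run nor nice is supported on Windows")

    prefix: List[str] = []
    if "systemd-run" in limits:
        if kernel != "Linux" or not systemd_run_present:
            raise ValueError(
                f"systemd-run requires Linux with {SYSTEMD_RUN_PATH} present")
        quota = int(limits["systemd-run"]["CPUQuota"])
        if quota <= 0:
            raise ValueError("CPUQuota must be a positive percentage")
        # --scope runs the command in the caller's session as a transient scope
        # unit. CPUQuota is a percentage of one core, so values above 100 span
        # more than one core, as the release note states.
        prefix += [SYSTEMD_RUN_PATH, "--scope", "--quiet",
                   f"--property=CPUQuota={quota}%"]
    if "nice" in limits:
        if kernel not in ("Linux", "Darwin"):
            raise ValueError("nice is supported on Linux and macOS only")
        increment = int(limits["nice"]["increment"])
        # Range check is an assumption: increments above 19 are clamped by the
        # kernel anyway, and negative ones would need root.
        if not 0 <= increment <= 19:
            raise ValueError("nice increment must be between 0 and 19")
        prefix += ["nice", "-n", str(increment)]
    return prefix


def wrap_scan_cmd(limits_json: str, kernel: str, systemd_run_present: bool,
                  scan_cmd: List[str] = SCAN_CMD) -> List[str]:
    """Prepend the limiter prefix to the scan command."""
    return build_scan_prefix(limits_json, kernel, systemd_run_present) + list(scan_cmd)


def limits_supported(limits_json: str, kernel: str,
                     systemd_run_present: bool) -> bool:
    """True when the limits value can be honoured on the described host."""
    try:
        build_scan_prefix(limits_json, kernel, systemd_run_present)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(" ".join(wrap_scan_cmd(CPU_QUOTA_LIMITS, "Linux", True)))
    print(" ".join(wrap_scan_cmd(NICE_LIMITS, "Darwin", False)))
```

Running the script prints the two wrapped command lines; `limits_supported` is the check you would run before a scan on a macOS host that was handed a `systemd-run` limit, which the note says is Linux-only.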
Comply 2.16.0
Released 21 September 2023.
New in this release:
- Scalability improvements. Puppet Comply now runs on a maximum of 75,000 nodes.
- CIS-CAT Pro Assessor v4.33.0. Comply 2.16.0 includes the CIS-CAT Pro Assessor v4.33.0. Benchmarks updated in this release:
- Ubuntu Linux 20.04 LTS STIG v2.0.0
- Debian Linux 11 STIG v1.0.0
Resolved in this release:
- Inventory sync improvements. Made the following improvements to inventory sync:
- Fixed an issue where background inventory syncs were not reflected on the Settings page.
- Fixed an issue where the progress bar displayed NaN briefly at the beginning of an inventory sync.
- Fixed an issue where inventory sync errored at the node groups stage due to the host not existing in Comply inventory.
- Fixed an issue where the refresh data button was not surfacing.
- Fixed an issue where inventory sync was locking up for at least 20 minutes.
- Puppet Application Manager documentation updated. Fixed import of Puppet Application Manager documentation into Comply documentation.
Comply 2.15.1
Released 4 September 2023.
Resolved in this release:
- Data not refreshing: new nodes and reports missing from console. Resolved an issue where the process that syncs inventory into Puppet Comply would hang if it encountered an error in communication with Puppet Enterprise.
- Empty node groups showing all nodes. Puppet Comply now only shows PE node groups that contain Comply managed nodes.
Comply 2.15.0
Released 10 August 2023.
New in this release:
- Scalability improvements. Exporting raw scan data now works with up to 50,000 nodes. The raw scan data export is generated as an archive of one or more gzip-compressed CSV files, with each CSV file including the results for up to 1,000 nodes. The nodes are sorted in ascending order of name, and each CSV file is named according to the range of nodes it covers.
- CIS-CAT Pro Assessor v4.32.0. Comply 2.15.0 includes the CIS-CAT Pro Assessor v4.32.0. Benchmarks updated in this release:
- Apple macOS 11 v3.1.0
- Apple macOS 12 v2.1.0
Resolved in this release:
- Improvements to the inventory sync with Puppet Enterprise. Previously, inventory sync made paging requests without ordering, which can lead to the ingest retrieving fewer hosts from Puppet Enterprise than expected. This has been fixed. Also improved efficiency and accuracy in the database.
- Compliance over time chart missing a day. Missing days when filters are applied in the Compliance over time chart on the Comply dashboard have been fixed.
- Active exceptions count on dashboard not matching with exceptions page. Fixed an issue where the active exceptions count was mismatched between the dashboard and the exceptions page.
Comply 2.14.0
Released 29 June 2023.
New in this release:
- Compliance at scale. Comply now supports up to 50,000 nodes.
- Identity and access management - RBAC integration. Comply now integrates with Puppet Enterprise (PE) for role-based access control (RBAC). Using PE you can create new Comply users or import them from LDAP. You can assign users to roles in the PE Console. There are three default roles provided for Comply users: comply-admin, comply-operator, and comply-viewer. Each role has different permissions and a different view of the Comply console. Important: When upgrading to 2.14.0, you must ensure that your PE account has permissions to View and Create User Roles. For more information, visit https://www.puppet.com/docs/comply/2.x/configure-comply-with-pe.html.
- CIS-CAT Pro Assessor v4.30.0. Comply 2.14.0 includes the CIS-CAT Pro Assessor v4.30.0. Benchmarks updated in this release:
- Debian Linux 10 v2.0.0
- Microsoft Windows 10 Standalone v2.0.0
- Microsoft Windows 11 Standalone v2.0.0
- Ubuntu Linux 20.04 LTS v2.0.0
- Azure Compute Microsoft Windows Server 2019 v1.0.1
- Microsoft Windows Server 2016 v2.0.0
- Microsoft Windows Server 2019 v2.0.0
- Microsoft Windows Server 2022 v2.0.0
Resolved in this release:
- Vulnerability in gin-v1.9.0. Resolved security vulnerabilities to address CVE-2023-29401.
- Overall compliance score over time card is not working. Previously, the overall compliance score over time card in the Comply dashboard displayed the average compliance score based on scans performed on each day. It now shows the average compliance score based on the latest scan result available on each day.
- OS and environment filters appear as options for Node Results exports. Removed options for Operating system and Environment filters on the Node Results page to match actual functionality.
Comply 2.13.0
Released 4 May 2023.
New in this release:
- Redesign Comply dashboard. Redesigned and added new features to the compliance dashboard, including numbers of nodes and exceptions, graphs for better understanding compliance score, and quickly accessible action steps.
- CIS-CAT Pro Assessor v4.28.0. Comply 2.13.0 includes the CIS-CAT Pro Assessor v4.28.0. Benchmarks updated in this release:
  - Windows 10 Enterprise v2.0.0
  - Windows 11 Enterprise v2.0.0
Resolved in this release:
- Vulnerabilities in the oauth2-proxy container. Updated Comply oauth2-proxy container to address CVEs.
- Vulnerabilities in the Redis container. Updated Comply Redis container to address CVEs.
- Snakeyaml vulnerabilities. The CIS-CAT Pro Assessor v4.28.0 resolves security vulnerabilities in the embedded, third-party dependency snakeyaml. This library has moved to version 2.0.0.
- `ciscat.pp` fails to apply if the Puppet agent version is prior to 6.24 or 7.9. The CIS-CAT Pro Assessor can now be downloaded with any 6.x or 7.x version of Puppet agent.
- Performance fixes. Improved performance and scalability.
Comply 2.12.0
Released 23 March 2023.
New in this release:
- Scan wizard changes. Added filters and removed irrelevant node options when running a scan.
- Navigation changes. Made Comply navigation clearer and more streamlined.
- Exceptions upgrade changes. Added handling for exceptions during upgrades. Exceptions are upgraded if their benchmark is upgraded. Exceptions that are no longer functional after the upgrade are removed. You can see the status of your exceptions following an upgrade in the Activity feed.
- Custom profiles export. You can now export one, many, or all of your custom profiles in order to easily gather custom profile details.
- Scalability improvements. Comply now supports up to 25000 nodes.
- CIS-CAT Pro Assessor v4.27.0. Comply 2.12.0 includes the CIS-CAT Pro Assessor v4.27.0. With this new version, the assessor runs using an embedded JRE, removing the requirement to have a locally installed JRE.
- Filtering an empty PE Group within Comply displays all nodes. Filtering an empty PE group now returns 0 nodes instead of all nodes.
- Broken links in Comply navigation. Fixed broken links.
Comply 2.11.0
Released 26 January 2023.
New in this release:
- Scan wizard redesign. Improvements to the scan wizard including:
  - For both ad hoc and scheduled scans, you can scan on multiple nodes across different environments. Results for all scanned environments are available in a single report.
  - You can only start scans from the Scans page or the Node detail page.
- CIS-CAT Pro Assessor v4.25.0. Comply 2.11.0 includes the CIS-CAT Pro Assessor v4.25.0. For more information, visit: CIS-CAT Pro Assessor history.
- Various enhancements to improve scan reliability and performance with larger node counts.
Resolved in this release:
- Node groups not imported from Puppet Enterprise (PE) when nodes are not pinned to group. Previously, node groups were only imported for nodes explicitly pinned to the node group. Comply now also imports groups in which rules match nodes to groups based on facts.
- Exceptions that are both resolved and expired disappear from the exceptions page. Exceptions that are resolved before the expiry time is reached now stay in the “expired” tab of the exceptions page.
- Reports export null data when custom profile filter applied. Exported reports are no longer empty when a custom profile has been selected on the "Profiles" quick filter.
- SCE scripts run for too long if they find non-compliant files when packaging and building the Comply module. SCE scripts now quit immediately upon finding a single non-compliant file.
- System curl commands fail to download the CIS-CAT Pro Assessor. Previously, you could not download the CIS-CAT Pro Assessor using your system curl command. This has been fixed.
- Only the latest version of the CIS-CAT Pro Assessor has the latest security fixes. Customers on previous versions of the CIS-CAT Pro Assessor might be vulnerable to security issues. CIS-CAT Pro Assessor v4.25.0 resolves security vulnerabilities present in embedded, third-party dependencies in CIS-CAT Pro Assessor v4.23.0, which was shipped in Comply 2.10.0. For details, see CIS-CAT Pro Assessor and Dashboard December 2022 Vulnerability Updates.
Comply 2.10.0
Released 1 December 2022
New in this release:
- CIS-CAT Pro Assessor v4.23.0. Comply 2.10.0 includes the CIS-CAT Pro Assessor v4.23.0.
- Security notice:
  - The CIS-CAT Pro Assessor v4.23.0 resolves a security vulnerability present in the embedded, third party dependency for the `jackson-databind` mapping functionality. This library has moved to `jackson-databind-2.13.4.jar`.
- Export scan results. You can now export the last scan results for all nodes, a subset of nodes, or a single node. All exported data is collected in a single .csv file. To export scan results, use the Export CSV button on the Node Results pane on the Compliance Dashboard. To view and download previous reports, use the Generated Reports button in the Comply navigation pane.
- Resolve exceptions. You can now resolve exceptions that are no longer needed. Details about resolved exceptions remain visible in Puppet Comply for reporting purposes. You can resolve an exception for all nodes or for a subset of nodes.
- Exception details. You can now view and edit the details of your exceptions.
- Using old versions of the CIS-CAT Pro Assessor. You can now upgrade to the latest version of Comply without updating the CIS-CAT Pro Assessor. As of this release the supported versions of the CIS-CAT Pro Assessor are 4.22.0 and 4.23.0. In future releases, the current version and the two previous versions will be supported. All nodes still must run the same version of the CIS-CAT Pro Assessor.
- Security notice:
- Only the latest version of the CIS-CAT Pro Assessor has the latest security fixes. Customers on older versions of the CIS-CAT Pro Assessor may be vulnerable to security issues.
- Node group filtering. Anywhere all nodes are listed, node groups filtering now supports nodes that have been pinned to the node group in PE. Node groups are based on PE classification groups.
Resolved in this release:
- Exceptions remain active after they are no longer applicable. Exceptions are now removed if their custom profile is deleted or edited to remove the relevant rule.
- A deleted exception cannot immediately be re-created. Previously, if you created an exception for a specified rule and node and then deleted the exception, you could not immediately re-create the exception for the specified rule and node. This has been fixed.
Comply 2.9.0
Released 20 October 2022
New in this release:
- CIS-CAT Pro Assessor v4.22.0. Comply 2.9.0 includes the CIS-CAT Pro Assessor v4.22.0 and the following associated benchmarks:
- Debian Linux 11, v1.0.0
- Azure Compute Microsoft Windows Server 2019, v1.0.0
- Security notice:
- The CIS-CAT Pro Assessor v4.22.0 resolves security vulnerabilities present in embedded, third party dependencies. For details, see CIS-CAT Pro Dashboard and Assessor September 2022 Vulnerability Updates.
- Create temporary exceptions to rules. With Comply 2.9.0, you can create a temporary exception to a CIS Benchmark rule and apply that exception to a node, a group of nodes, or all nodes. During the period when the exception is active, the rule's compliance score is excluded from the overall compliance score for the selected nodes. Exceptions are useful in many situations. For example, if you plan to install a software patch on several nodes, but the patch requires additional testing, you can specify a temporary exception for the affected nodes while testing continues. During the next scan, the exception is applied, and the compliance score reflects the exception. When testing is completed, you can apply the software patch to the nodes, and the exception expires automatically on your specified date.
- View and delete exceptions. You can go to the new Exceptions page to view and delete exceptions.
Resolved in this release:
- Scans fail to complete processing. In some cases, when scans were run manually, the scans would remain in the `started` state and would fail to generate a final report.
Comply 2.8.0
Released 8 September 2022
New in this release:
- CIS-CAT Pro Assessor v4.21.0. Comply 2.8.0 includes the CIS-CAT Pro Assessor v4.21.0 and the following associated benchmarks:
- Microsoft Windows 11.
- Microsoft Windows 10 (stand-alone). (A stand-alone system is not connected to a domain and cannot be managed by using Active Directory.)
- Ubuntu 22.04.
- Specify a refresh interval to obtain the latest inventory updates from Puppet Enterprise (PE). By default, the Comply inventory is refreshed every 24 hours with the latest node and fact information from Puppet Enterprise. With Comply 2.8.0, you can customize the refresh interval to meet your organization’s requirements.
Resolved in this release:
- Consistency of scan compliance scores. To help ensure consistency of compliance scores throughout the Comply user interface, the Node detail page and the Rule detail page are updated. The donut charts and the accompanying legends now exclude non-scoring statuses. A non-scoring status means that a CIS recommendation is not applicable or cannot be automatically validated. With this change, the charts on the Node detail page and Rule detail page now provide a more realistic view of compliance.
- Accurate status for profiles. The Profile column on the Scan Report page now reflects the correct status of profiles. Previously, if you hovered over the Profile column, you might have seen an invalid message that the profile was deleted.
- Scheduled scans not running after Comply upgrade. After upgrading Comply, scheduled scans that were created before the upgrade might not run. After upgrading to Comply v2.8.0, these scans should run as configured.
- This release includes a security update that helps to prevent command injection in the Comply module.
Comply 2.7.0
Released 27 July 2022
New in this release:
- CIS-CAT Pro Assessor v4.19.0. Comply 2.7.0 includes the CIS-CAT Pro Assessor v4.19.0.
- Learn how to run Comply at scale. You can scan up to 5000 nodes in a single batch to check the compliance of your infrastructure against Center for Internet Security (CIS) Benchmarks. The documentation is updated to help you configure and run scans at scale. See Guidelines for running Comply at scale.
- Delete a custom profile. In previous releases, you could create a custom profile based on a CIS Benchmark. In this release, you can also delete one or more custom profiles.
Resolved in this release:
- Warning messages during preflight checks. An issue that caused invalid warning messages to be displayed during preflight checks is resolved in this release. The invalid message, `No matching files`, is no longer displayed.
Comply 2.6.0
Released 16 June 2022
New in this release:
- CIS-CAT Pro Assessor v4.18.0. Comply 2.6.0 includes the CIS-CAT Pro Assessor v4.18.0 and the following associated benchmarks:
- Alma Linux 8 v2.0.0
- Microsoft Windows Server 2016 v1.4.0
- Microsoft Windows Server 2016 STIG v1.2.0
- Microsoft Windows Server 2012 v2.4.0
- Microsoft Windows Server 2012 R2 v2.6.0
- Possible errors due to renamed benchmarks. In addition to version changes, CIS renamed two benchmarks in this release. AlmaLinux was renamed to Alma Linux, and Microsoft Windows Server 2016 RTM (Release_1607) was renamed to Microsoft Windows Server 2016. If you are using a benchmark that was renamed, you might see an error message indicating that the benchmark is no longer supported. If your nodes use custom profiles that are based on renamed benchmarks, you must manually update the nodes, because they will not be automatically updated during the Comply upgrade process.
- Edit a scheduled scan. You can edit a scheduled scan to modify the type of scan, the frequency, and the start and end dates.
- Delete a scheduled scan. You can delete a scheduled scan to permanently remove it.
- Take advantage of enhanced usability for scan reports. From a scan report, you can navigate to the Node detail page, where the Scan status pane now includes a legend showing the total number of rules that were run on the node and detailed results. You can hover over the results to see percentages in the donut chart. Similarly, on the Rule detail page, the Scan status pane now shows the total number of scanned nodes and detailed results. You can hover over the results to see percentages in the donut chart. The Rule detail page includes a new Environment column so that you can determine the environment (for example, test or production) in which the scan took place. The Node detail page includes a new Last passed on column, which shows the date and time of the last successful scan for each rule.
Security notice:
- Vulnerability in the `3.14.2-alpine` image. The release updates the alpine image to 3.15.4.
Comply 2.5.1
Released 31 May 2022
Resolved in this release:
- Potential deployment issue for users of Comply 2.4.0 and 2.5.0. This issue can affect users who install Comply in a Google Kubernetes Engine (GKE) environment and potentially other environments. If you are unable to start Comply after installation, you might be experiencing this issue. To diagnose the issue, review the log for the `comply-scarpy` pod. If the issue is occurring, the pod will be in an `Init:CrashLoopBackOff` state during the attempt to start Comply. Review of the pod will show that the `comply-scarpy-init` container was terminated with an out-of-memory error (`OOMKilled`). To resolve the issue, install Comply 2.5.1. If you do not detect the issue, it is not necessary to install Comply 2.5.1.
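A scripted form of that diagnosis, as an added Python example that is not part of the Comply or Puppet documentation: it reads the JSON that `kubectl get pod <pod-name> -o json` prints and reports whether the `comply-scarpy-init` init container is waiting in `CrashLoopBackOff` (shown by `kubectl get pods` as `Init:CrashLoopBackOff`) after a termination with reason `OOMKilled`, which is the signature described above. The two pod documents are constructed samples trimmed to the status fields the check reads, the pod name `comply-scarpy-0` is a placeholder, and the function name is an assumption; the field names are the standard Kubernetes `PodStatus` ones.

```python
import json
from typing import Any, Dict

# Constructed sample shaped like `kubectl get pod comply-scarpy-0 -o json`,
# trimmed to the status fields this check reads. Not captured from a real
# cluster; the pod name is a placeholder.
AFFECTED_POD_JSON = json.dumps({
    "metadata": {"name": "comply-scarpy-0"},
    "status": {
        "phase": "Pending",
        "initContainerStatuses": [{
            "name": "comply-scarpy-init",
            "ready": False,
            "restartCount": 5,
            "state": {"waiting": {"reason": "CrashLoopBackOff"}},
            "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137}},
        }],
    },
})

# Constructed sample of the same pod after the init container completed normally.
HEALTHY_POD_JSON = json.dumps({
    "metadata": {"name": "comply-scarpy-0"},
    "status": {
        "phase": "Running",
        "initContainerStatuses": [{
            "name": "comply-scarpy-init",
            "ready": True,
            "restartCount": 0,
            "state": {"terminated": {"reason": "Completed", "exitCode": 0}},
            "lastState": {},
        }],
    },
})

INIT_CONTAINER = "comply-scarpy-init"


def diagnose_scarpy_init(pod_json: str) -> Dict[str, Any]:
    """Inspect a pod document for the 2.4.0/2.5.0 OOMKilled init-container issue."""
    pod = json.loads(pod_json)
    result: Dict[str, Any] = {
        "pod": pod.get("metadata", {}).get("name"),
        "init_in_crashloop": False,
        "oom_killed": False,
        "restarts": 0,
        "matches_known_issue": False,
    }
    for cs in pod.get("status", {}).get("initContainerStatuses", []):
        if cs.get("name") != INIT_CONTAINER:
            continue
        state = cs.get("state", {})
        last = cs.get("lastState", {})
        # While kubelet backs off restarting the init container, its current
        # state is "waiting" with reason CrashLoopBackOff and the most recent
        # exit is recorded under lastState.terminated.
        waiting_reason = state.get("waiting", {}).get("reason")
        terminated = state.get("terminated") or last.get("terminated") or {}
        result["init_in_crashloop"] = waiting_reason == "CrashLoopBackOff"
        result["oom_killed"] = terminated.get("reason") == "OOMKilled"
        result["restarts"] = int(cs.get("restartCount", 0))
        result["matches_known_issue"] = (
            result["init_in_crashloop"] and result["oom_killed"])
    return result


if __name__ == "__main__":
    for doc in (AFFECTED_POD_JSON, HEALTHY_POD_JSON):
        print(diagnose_scarpy_init(doc))
```

Feed the function the output of `kubectl get pod <pod-name> -o json` for the `comply-scarpy` pod; a `matches_known_issue` of `True` is the condition under which the note says to install Comply 2.5.1.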
Comply 2.5.0
Released 5 May 2022
New in this release:
- CIS-CAT Pro Assessor v4.16.1. Comply 2.5.0 includes the CIS-CAT Pro Assessor v4.16.1 and the following associated benchmarks:
  - Microsoft Windows Server 2019 v1.3.0
  - Microsoft Windows Server 2019 STIG v1.1.0
  - Oracle Linux 8
  - Rocky Linux 8
  CIS-CAT Pro Assessor v4.16.1 resolves a security issue in the PostgreSQL JDBC driver (pgjdbc) it embeds, CVE-2022-21724 (https://nvd.nist.gov/vuln/detail/CVE-2022-21724), which does not affect current users of Comply.
- The following CIS benchmarks are at end of life and are no longer supported:
  - CentOS Linux 8
  - SUSE Linux Enterprise Server 11
- View details about a scheduled scan. You can select a scheduled compliance scan and view its details, including the creation date, last modification date, affected nodes, start and end times, and frequency. You can also view the scan history, including the number of runs, the date and time of the most recent run, and the date and time of the next scheduled run.
- Pause, resume, or end a scheduled scan. On the Scheduled scan details page, you can pause, resume, or end a scheduled scan.
- Assign benchmarks and profiles to multiple nodes simultaneously. On the Inventory page, you can select multiple nodes and assign a benchmark, a profile, and, optionally, a custom profile to all. The selected nodes must be running on the same operating system, and the latest version of the CIS-CAT Pro Assessor must be installed on each node.
- View a report about scan results for a single rule. The Scan rule report lists the nodes on which the rule was run, the results, and the overall compliance score for the rule.
- View a report about scan results for a single node. The Scan node report lists the rules that were run on the node, the results, and the overall compliance score for the node.
Resolved in this release:
- Initial deployment issue on Microsoft Windows Server 2016 and Microsoft Windows Server 2019 operating systems. In previous releases, the initial deployment of the Comply module sometimes failed with the following error message:
  Provider wget is not functional on this host
Comply 2.4.0
Released 24 March 2022
New in this release:
- CIS-CAT Pro Assessor v4.15.0. Comply 2.4.0 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:
  - CentOS Linux 8 (final release)
  - Microsoft Windows 10 v1.12.0
  - Microsoft Windows Server 2022 v1.0.0
  - Red Hat Enterprise Linux 8 v2.0.0
  - SUSE Linux Enterprise 11 v2.1.1 (final release)
  Note: The Microsoft Windows 10 benchmark has been upgraded from 1.11.0 CIS Microsoft Windows 10 Enterprise Release 21H1 to 1.12.0 CIS Microsoft Windows 10 Enterprise. Comply's 1.12.0 CIS Microsoft Windows 10 Enterprise benchmark is based on Microsoft Windows 10 Enterprise Release 21H2 and is intended for all versions of the Windows 10 operating system, including older versions. If any of your nodes use custom profiles based on the 1.11.0 CIS Microsoft Windows 10 Enterprise Release 21H1 benchmark, you need to resolve these manually, because they are not updated automatically during the upgrade process.
- Profile and Custom profile. You can view and sort two new columns on the Inventory page: Profile and Custom profile. The columns show whether a node has a default profile or a custom profile assigned to it.
- Benchmark column. The Desired compliance column has been renamed to Benchmark.
Resolved in this release:
- Sync license. Fixed an issue where a user was logged out of Comply after selecting Sync license on the License page.
Comply 2.3.0
Released 10 February 2022
New in this release:
- Scheduled scans. You can now schedule one-off and repeating scans, in addition to running manual ad hoc scans, in Comply. For more information, see Scheduled scans.
- Environment information. The Scan list page now shows the scan report environment.
- CIS-CAT Pro Assessor v4.14.0. Comply 2.3.0 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:
  - SUSE Linux Enterprise 12 v3.1.0
  - SUSE Linux Enterprise 15 v1.1.1
  This release of the assessor resolves security vulnerabilities present in embedded third-party dependencies:
  - The OpenDXL Java Client library, which bundles log4j, is now a derivative of version 0.2.6, which includes log4j 2.17.1.
  - The logback-core and logback-classic libraries have been moved to version 1.2.10.
- Comply now supports Kubernetes 1.19 to 1.24. Kubernetes 1.17 and 1.18 are no longer supported.
Resolved in this release:
- Rule details. Fixed a bug where the last reported timestamp on the rule detail page did not recognize the user's local timezone.
- Compliance profiles. Corrected an issue where the default compliance profile was incorrectly assigned for Windows Server versions.
Comply 2.2.2
Released 20 January 2022
New in this release:
- Debug mode. You can now choose to run in debug mode to provide easier access to assessor logs. For more information, see Run an ad hoc scan.
- CIS-CAT Pro Assessor v4.13.1. Comply 2.2.2 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:
  - AlmaLinux OS 8 v1.0.0
  - Amazon Linux 2 STIG v2.0.0
  - Apple macOS 11.0 Big Sur v2.0.0
  - Microsoft Windows Server 2012 (non-R2) v2.3.0
  - Red Hat Enterprise Linux 8 STIG v1.0.0
  CIS-CAT Pro Assessor v4.13.1 resolved security vulnerabilities present in the following embedded third-party dependency:
  - log4j-core - This library was updated to version 2.17.0.
Comply 2.2.1
Released 20 December 2021
New in this release:
CIS-CAT Pro Assessor v4.13.0. Comply 2.2.1 includes the latest version of the CIS-CAT assessor and the following supported associated benchmarks:
- Apple macOS 10.15 Catalina v2.0.0
- Red Hat Enterprise Linux 7 STIG v2.0.0
The following benchmark is at end of life and is no longer supported:
- Mac OS 10.14
Security notice:
- CIS-CAT Pro Assessor v4.13.0 resolved security vulnerabilities present in the following embedded third-party dependencies:
  - log4j-core - This library was updated to version 2.15.0. Note that 2.15.0 was only the initial Log4Shell (CVE-2021-44228) fix and was itself superseded by later 2.x releases; Comply 2.2.2 moves log4j-core to 2.17.0 and Comply 2.3.0 to 2.17.1.
  - bcprov-jdk15on - This library was updated to version 1.69.
- Component upgrade to address CVEs. To address various CVEs, this version includes an upgrade of Kubernetes to 1.19.15.
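The 2.2.1, 2.2.2 and 2.3.0 notes above each bump a library embedded in the assessor (log4j-core, logback, bcprov-jdk15on). As an added example that is not part of Comply or CIS-CAT, the following Python script verifies what actually shipped on a node rather than trusting the release note: it walks a directory of JAR files, reads the Maven pom.properties entries that built jars carry under META-INF/maven/<groupId>/<artifactId>/ (shaded jars carry one per bundled dependency), and flags any listed artifact below the minimum version stated in these notes. The assessor install path you pass is your own (this page does not state it); with no argument the script builds and scans a constructed sample jar bundling log4j-core 2.15.0 and logback-core 1.2.10.

```python
"""Check embedded library versions in a directory of JAR files.

Usage:
    python3 check_jars.py /path/to/cis-cat-assessor   # path is an assumption
With no argument, a constructed sample jar is built in a temp dir and scanned.
"""
import os
import re
import sys
import tempfile
import zipfile
from typing import Dict, List, Tuple

# Minimum versions taken from the Comply 2.2.1, 2.2.2 and 2.3.0 release notes.
MINIMUMS: Dict[Tuple[str, str], str] = {
    ("org.apache.logging.log4j", "log4j-core"): "2.17.1",
    ("ch.qos.logback", "logback-core"): "1.2.10",
    ("ch.qos.logback", "logback-classic"): "1.2.10",
    ("org.bouncycastle", "bcprov-jdk15on"): "1.69",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric components of a Maven version, ignoring qualifiers:
    "2.17.1" -> (2, 17, 1); "1.2.10-SNAPSHOT" -> (1, 2, 10)."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def artifacts_in_jar(path: str) -> List[Tuple[str, str, str]]:
    """(groupId, artifactId, version) for every pom.properties in the jar.
    Shaded/uber jars carry one per bundled dependency, so all are returned."""
    found = []
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                found.append((props["groupId"], props["artifactId"], props["version"]))
    return found


def scan(root: str) -> List[Dict]:
    """Walk root for *.jar files and compare listed artifacts against MINIMUMS."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                artifacts = artifacts_in_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than abort the scan
            for group, artifact, version in artifacts:
                minimum = MINIMUMS.get((group, artifact))
                if minimum is None:
                    continue
                findings.append({
                    "jar": path,
                    "artifact": f"{group}:{artifact}",
                    "version": version,
                    "minimum": minimum,
                    "ok": parse_version(version) >= parse_version(minimum),
                })
    return findings


def build_sample_jar(directory: str) -> str:
    """Constructed sample: a shaded jar bundling log4j-core 2.15.0 (too old)
    and logback-core 1.2.10 (meets the minimum). Not a real assessor jar."""
    path = os.path.join(directory, "assessor-sample.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "#Generated by Maven\nversion=2.15.0\n"
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.properties",
                    "version=1.2.10\ngroupId=ch.qos.logback\nartifactId=logback-core\n")
    return path


def check_sample() -> List[Dict]:
    """Build the constructed sample jar in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp)
        return scan(tmp)


def main(argv: List[str]) -> int:
    findings = scan(argv[1]) if len(argv) > 1 else check_sample()
    for f in findings:
        status = "OK " if f["ok"] else "OLD"
        print(f"{status} {f['artifact']} {f['version']} (minimum {f['minimum']}) in {f['jar']}")
    return 0 if all(f["ok"] for f in findings) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script relies on pom.properties, which a jar only carries if it was built by Maven; a dependency repackaged without that metadata is simply not reported, so an empty result means "nothing identified", not "nothing vulnerable".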
Comply 2.2.0
Released 18 November 2021.
New in this release:
- Scan Reports improvements. Scan reporting functionality is extended to include the ability to access a list of historical scans and view scan details. For more information, see CIS scan report details.
- Filtering and sorting. Filtering and sorting functionality has been implemented on all table columns in the Comply UI.
  Note: Filter drop-downs display all available options for a given parameter. On pages where multiple filtering options are available, selecting one filter option does not affect the options presented by any other filter drop-down.
- CIS-CAT Pro Assessor v4.11.0. Comply 2.2.0 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
- Microsoft Windows Server 2012 R2 v2.5.0
- Microsoft Windows Server 2016 STIG v1.1.0
- SUSE Linux 15 v1.1.0
- Desired compliance. The Comply UI has been simplified so that users are no longer required to manually accept the profiles applied by Comply based on fact information from PE.
- Custom Comply port. You can now specify a custom Comply port in Puppet Application Manager if you do not want to use the default port (30303). For more information, see System requirements.
- Data retention. The retention period for scan data can now be set on the Puppet Application Manager Config tab. For more information see, Scan results.
Resolved in this release:
- Node Deletion. A fix was added to ensure that nodes deleted in Puppet Enterprise are no longer listed in Comply as available for scanning.
- License page node count. Corrected an issue where the number of nodes displayed on the license page was not updated when a node was deleted in Puppet Enterprise.
- Required installations page. The required installations page that was part of the assessor install procedure was removed as it was no longer required.
- Comply-graphql. Fixed a known issue where the comply-graphql deployment did not become healthy after restoring Comply using Puppet Application Manager.
- Rule ordering. Corrected an issue where rules were not always displayed in the correct numerical order.
Comply 2.1.0
Released 7 October 2021.
New in this release:
- Scan Reports. The Comply UI has a new Scan Reports page that provides a report on rules passed/failed and node compliance from the most recent CIS scan. For more information, see CIS scan report details.
- CIS-CAT Pro Assessor v4.9.0. Comply 2.1.0 includes the latest version of the CIS-CAT assessor and its associated benchmark:
  - CentOS Linux 7 v3.1.2
- Scanner upgrades. The scanner upgrade in Comply is now optional rather than forced, to allow better management of PE jobs.
  Note: By default in Comply 2.1.0, the assessor is not upgraded automatically when you upgrade Comply. The assessor upgrade takes place when you initiate a Puppet Enterprise (PE) Puppet run job after Comply is upgraded. For more information, see Upgrade from Comply 2.2.2 to 2.3.0.
Resolved in this release:
- Desired compliance upgrades. Fixed an issue where Windows 10 nodes lost their desired compliance after upgrading to Comply 2.x.
- Upgrade statistics. Resolved an issue where statistics were overwritten when multiple upgrades took place.
- Service start up. Updated Comply so that it now starts when IPv6 is disabled.
- Preflight failure. Fixed an issue where preflight checks failed during install when trailing newlines were present in certificates.
- Scan wizard. The Comply scan wizard was updated to correct an issue where the environment name field did not revert to the previously saved value if the scan setup was cancelled.
Comply 2.0.0
Released August 2021.
New in this release:
- CIS-CAT Pro Assessor v4.8.2. Comply 2.0.0 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
- Apple macOS 10.14 v1.4.0
- Apple macOS 10.15 v1.4.0
- Apple macOS 11.0 v1.2.0
- CentOS Linux 7 v3.1.1
- CentOS Linux 8 v1.0.1
- Debian Linux 8 v2.0.2
- Microsoft Windows Server 2019 v1.2.1
- Microsoft Windows Server 2019 STIG v1.0.1
- Microsoft Windows 10 20H2 v1.10.1
- Oracle Linux 7 v3.1.1
- Oracle Linux 8 v1.0.1
- Red Hat Linux 7 v3.1.1
- Red Hat Linux 8 v1.0.1
- Amazon Linux 2 v2.0.0
- Microsoft Windows 10 21H1 v1.11.0
- Microsoft Windows Server 2016 v1.3.0
- Ubuntu Linux 20.04 LTS STIG v1.0.0
- Automatic upgrades of the CIS-CAT assessor. Every time you upgrade your Comply application, the assessor automatically upgrades to the latest version. This update also includes the following changes to how you interact with Comply:
- You can only run a desired compliance scan against nodes with the latest version of the assessor.
- You can only run a custom scan against benchmarks with the latest version of the assessor.
- On the node inventory screen, nodes without the latest assessor are highlighted red to indicate that they need upgrading.
- You can no longer set a desired compliance benchmark against a node that does not have the latest version of the assessor.
- When the assessor upgrades, custom profiles are automatically updated to use the new benchmarks and profiles, sending you a notification.
- Assessor upgrades tab. The Assessor upgrades tab on the Activity feed screen provides a summary of assessor upgrades, including the number of nodes that have passed or failed. Note that this only shows the status of your nodes after the upgrade, and does not update again, even if your nodes change to passing.
- comply module Secure Sockets Layer (SSL). This includes changes to how you install and upgrade the Comply module.
Resolved in this release:
- Comply tries to install 7-Zip on Windows. The comply module no longer installs 7-Zip on Windows systems.
- Windows Server Semi-Annual Channel (SAC) builds are assigned the wrong CIS profile. SAC builds are now assigned the correct Windows 2019 profile.
Security notice:
- Vulnerability in the 12.18.3-alpine image. The release updates that image to 15.13.0.
- Vulnerability in the keycloak image. This release updates Keycloak to version 15.0.0.
- Vulnerability in dependencies. This release upgrades Node.js to version 14.17.1 and React to version 17.0.2.
For upgrade instructions, see Upgrade from Comply 2.2.2 to 2.3.0.
Comply known issues
These are the known issues for the Puppet Comply 1.x and 2.x releases.
Possible errors due to renamed benchmarks
The Alma Linux 8 benchmark was renamed by CIS in the CIS-CAT Pro Assessor v4.36.0. As a result, the assessor upgrade page reports a warning that 2.0.0 CIS Alma Linux OS 8 is No longer supported. The new benchmark is 3.0.0 CIS AlmaLinux OS 8, and any nodes previously assigned 2.0.0 CIS Alma Linux OS 8 have their desired compliance automatically upgraded to the new benchmark.
Incompatibility with stdlib v9.0 and v9.1
Puppet Comply is not compatible with stdlib versions 9.0 and 9.1.
Security vulnerability
Comply includes CIS components in its CIS-CAT Pro Assessor. The CIS components of the assessor version 4.34.0, shipped with Comply 2.17.0, contain the security vulnerability CVE-2023-4586. Our investigation into the issue shows that our implementation does not pose risk to Puppet Comply customers. Once the CVE is addressed by CIS, the fix will be included in the next release of Puppet Comply and documented accordingly.
Security vulnerability
Comply includes CIS components in its CIS-CAT Pro Assessor. The CIS components of the assessor versions 4.30.0, 4.32.0, and 4.33.0, shipped with Comply 2.14.0, 2.15.0, and 2.16.0, contain the security vulnerability CVE-2023-3635. Our investigation into the issue shows that our implementation does not pose risk to Puppet Comply customers, although in certain extreme cases it might cause Comply to stop responding. The CVE has been addressed by CIS, and the fix is included in the CIS-CAT Pro Assessor version 4.34.0, released with Puppet Comply 2.17.0.
Reports export null data when custom profile filter is applied
Exported reports are empty if a custom profile has been selected on the Profiles quick filter.
Node group filtering does not work for deleted nodes
Deleted nodes do not have node group information available. The Node Group quick filters on the Scan Report (Nodes tab) and Rule Detail pages do not apply to deleted nodes.
Running scan tasks in Puppet Enterprise (PE)
Comply uses PE tasks to run compliance scans on nodes. Although you can see the scan tasks in PE, we advise against running these tasks from PE because this practice can have unforeseen effects on both PE and Comply. Instead, run all CIS scans from Comply. You can view the scan results in both products.