Comply release notes

These are the new features, enhancements, and resolved issues for the Puppet Comply 2.x release series.

Comply 2.0.0

Released August 2021.

New in this release:

  • CIS-CAT Pro Assessor v4.8.2. Comply 2.0.0 includes the latest version of the CIS-CAT assessor and its associated benchmarks:

    • Apple macOS 10.14 v1.4.0
    • Apple macOS 10.15 v1.4.0
    • Apple macOS 11.0 v1.2.0
    • CentOS Linux 7 v3.1.1
    • CentOS Linux 8 v1.0.1
    • Debian Linux 8 v2.0.2
    • Microsoft Windows Server 2019 v1.2.1
    • Microsoft Windows Server 2019 STIG v1.0.1
    • Microsoft Windows 10 20H2 v1.10.1
    • Oracle Linux 7 v3.1.1
    • Oracle Linux 8 v1.0.1
    • Red Hat Linux 7 v3.1.1
    • Red Hat Linux 8 v1.0.1
    • Amazon Linux 2 v2.0.0
    • Microsoft Windows 10 21H1 v1.11.0
    • Microsoft Windows Server 2016 v1.3.0
    • Ubuntu Linux 20.04 LTS STIG v1.0.0
  • Automatic upgrades of the CIS-CAT assessor. Every time you upgrade your Comply application, the assessor automatically upgrades to the latest version. This update also includes the following changes to how you interact with Comply:

    • You can only run a desired compliance scan against nodes with the latest version of the assessor.
    • You can only run a custom scan against benchmarks with the latest version of the assessor.
    • On the node inventory screen, nodes without the latest assessor are highlighted red to indicate that they need upgrading.
    • You can no longer set a desired compliance benchmark against a node that does not have the latest version of the assessor.
    • When the assessor upgrades, custom profiles are automatically updated to use the new benchmarks and profiles, and you receive a notification.
  • Assessor upgrades tab. The Assessor upgrades tab on the Activity feed screen provides a summary of assessor upgrades, including the number of nodes that have passed or failed. Note that this only shows the status of your nodes after the upgrade, and does not update again, even if your nodes change to passing.
  • comply module Secure Sockets Layer (SSL). This includes changes to how you install and upgrade the Comply module.

Resolved in this release:

  • Comply tries to install 7-Zip on Windows. The comply module no longer installs 7-Zip on Windows systems.
  • Windows Server Semi-Annual Channel (SAC) builds are assigned the wrong CIS profile. SAC builds are now assigned the correct Windows 2019 profile.

Security notice:

  • Vulnerability in 12.18.3-alpine image. This release updates the alpine image to 15.13.0.

  • Vulnerability keycloak:15.0.0. This release updates keycloak to version 15.0.0.

  • Vulnerability in dependencies. This release upgrades NodeJS to version 14.17.1 and React to version 17.0.2.

For upgrade instructions, see Upgrade from Comply 1.0.4 to 2.0.0.