Distribution A: Approved for Public Release (16 Feb 2021) NIWCLANT SPR# 2021-52 SCAP Compliance Checker Release Notes Mar 12, 2021 07:37:50 Naval Information Warfare Center (NIWC) Atlantic https://www.niwcatlantic.navy.mil/scap/ SCAP Compliance Checker 5.4 Features Added =============================================================================== Type IssueID Summary ------------------------------------------------------------------------------- Feature 30758 Update DISA content for January 2021 releases Feature 30752 Update user manual remote scanning requirements and troubleshooting section Feature 30750 Add info to Windows user manual on verifying digital signatures of Windows installers and executables Feature 30724 Add open source license file to installers and viewable via Help -> Open Source Licenses Feature 30676 Add help menu option to view SCC's license file Feature 30664 Add all open source and other 3rd party licenses to SCC installation Feature 30657 Update SCC end user license agreement based on NIWC IP Lawyer guidance for free/publicly available software Feature 30656 Remove SCC custom implementation of HKCU registry hive to scan all ntuser.dat files (replaced with SCAP 1.3 ntuser test) Feature 30639 Include NIST National Checklist content for MacOS 10.15 (Catalina) and 11.0 (Big Sur) Feature 30638 Digitally sign all Windows exe's and installer with DOD approved code signing certificate (CS.NIWC-ATLANTIC.001) Feature 30637 Update DISA STIG content to December 2020 releases Feature 30632 Force XML validation of SCAP content listed as OVAL 5.11 to use OVAL 5.11.2 to prevent XML validation issues Feature 30627 Add support for Cisco IOS XE OVAL 'line' test Feature 30626 Add support for Cisco IOS XE OVAL 'global' test Feature 30625 Add support for Cisco IOS XE OVAL 'version' test Feature 30621 Update windows registry test to support Not Equal for hive Feature 30602 Update tailoring to support tailoring of multiple profiles in a single content stream (profile1_tailored, profile2_tailored) Feature 30594 Add XCCDF severity level (low, medium, high) to XCCDF tailoring form and search box Feature 30570 Add support for Mac OS plist511 test Feature 30560 Add SCC application checking configuration options to cscc --config -> Updates Feature 30557 Add documentation on how to make an offline SCAP content repository Feature 30556 Add ability to check to see if SCC installation is up to date via CSCC (--checkForSCCUpdates) Feature 30554 Add option to automatically disable, archive or delete older content when installing newer versions of the same benchmark Feature 30553 Add ability to check to see if SCC installation is up to date via Help -> Check for SCC App Updates Feature 30548 Update SCAP content repository URL to DISA's github repository Feature 30546 Add feature to automatically check for SCAP content updates on a periodic basis (if enabled) GUI and CLUI Feature 30545 Add SCAP content update view details form in the GUI Feature 30544 Add SCAP Content update options to command line interface (--checkForContentUpdates) Feature 30532 Add SCAP Content update options to GUI Feature 30482 Add support for new OVAL 5.11 mac OS X authorizationDB test Feature 30475 Update Windows command line --wmi --ou to support scanning multiple organizational units separated by ; Feature 30474 Update Windows host file creation to support entire domain or selected OU's Feature 30473 Add new trusted root certificate to support SCAP 1.3 validation Feature 30459 User Manual Needs Update to Reflect UserData -> UserConfig/UserResults Change Feature 30454 Add command line parameters to scan entire windows domain or OU via WMI method Feature 30442 Save size/location of SCC GUI for re-opening based on end user resizing of main form. Feature 30441 Update Windows GUI to support scanning entire Active Directory Domain or selected Organizational Unit(s) Feature 30429 Update auto-accept hostkeys feature to be enabled by default when importing a hostfile for SSH host/credential management Feature 30351 Update Remote SSH scanning to officially support Ubuntu 16, SLES 12 and Oracle Linux 7 Feature 30291 Redesign Windows registry test to use a database backend Feature 30287 Redesign Windows password oval test to use a database backend Feature 30284 Redesign Windows WMI57 OVAL probe to use database backend Feature 30283 Redesign Windows WMI OVAL probe to use database backend Feature 30239 Replace usage of log4Perl with a custom logger for more flexibility and lower memory usage Feature 30190 Improve remote scanning to improve reporting of results returned, and if no content was applicable Feature 30171 Redesign SCC Service for Windows to make fully functional with Windows Service controller and 'sc' commands Feature 29910 Add command line argument for scripted Windows remote WMI scanning Feature 28822 Update SCC's handled of reg_multi_sz values with no values per OVAL 5.11.2 changes Feature 26853 Update windows registry test to support pattern match for hive Feature 26054 Add support for new OVAL 5.11 mac OS X gatekeeper_test, SCAP Compliance Checker 5.4 Defects Resolved =============================================================================== Type IssueID Summary ------------------------------------------------------------------------------- Defect 30895 Fix application slowdown on WMI or SSH scans with a large number of hosts, and table is manually sorted during scan Defect 30887 Entering in 0 or 'back' for Remote SSH Directory in SSH File Transfer Options Menu is considered invalid input Defect 30849 Error reporting for classic remote review wmi tests when attempting to access namespace security\microsoftvolumeencryption Defect 30848 WMI Test reports wmi query is successful and no data returned if WMI query errors out Defect 30783 Fix issues with very slow Windows computers not able to launch cscc or scc Defect 30774 AccessToken test removes domain name from trustee name from domain built-in groups during member servers review Defect 30733 Fix issues with cscc -V on non-Windows: Undefined subroutine &Term::Size::Any::chars called at script/SCC.pm line 245. Defect 30655 Add lower memory system 'tar.exe' method for installing UNIX plugin on Windows if available RAM is less than 2 GB Defect 30650 Update tailoring tree to be sorted consistently Defect 30617 Fix Remote SSH Scanning issue on RHEL 7.7 which Returns "Failed to create remote directory" Error Defect 30569 Update UNIX to exclude GlusterFS mounted filesystems when option to ignore remote filesystems is enabled Defect 30543 Fix RHEL8 RPM to be digitally signed with SCC GPG Key Defect 30539 Fix SSH remote scanning issues with ipv6 addresses Defect 30520 Fix issue running SCC on Solaris 10: /opt/scc_5.3.1/Resources/Compiled/scccache/c6c8f73d.so Libgcc_s.so.1 no such file Defect 30506 Fix user configuration directory issues on Windows with concurrent RDP sessions underway Defect 30505 Fix UNIX freespace monitor to support partition larger than 1 TB Defect 30461 XCCDF Tailoring is not loading rules enabled based on profile selected Defect 30361 Fix issues running SCC on RHEL 8 with FIPS enabled Defect 30346 Disable setting of restricted permissions of logs and results when SCC is run via service Defect 30219 Fix screen resolution issue with Save/Cancel buttons on Option form with screen resolution set to 1366x768 Defect 30201 Fix deviation form to reload data correctly after clearing deviation data Defect 30189 Fix issues finding option file when specified via -o when running cscc via Powershell on Windows Defect 29590 Fix issue with OpenSuse GUI crashing on startup