Security Compliance Management release notes

These are the new features, enhancements, and resolved issues for the Security Compliance Management (SCM) 3.x release series.

Security Compliance Management 3.2.0

Released 16 August 2024.

New in this release:

• Added application configuration to Security Compliance Management. You can now set the inventory refresh interval and data retention policy from the Settings page.
• Scheduled scans now support node groups. Node groups can now be added to scheduled scans. When a node is added to a node group, it is automatically included in the next scheduled scan for that node group.
• CIS-CAT Pro Assessor v4.43.0.Security Compliance Management 3.2.0 contains the CIS-CAT Pro Assessor v4.43.0.
• Benchmarks updated in this release: Apple macOS 12.0 Monterey Benchmark v3.1.0
• Apple macOS 13.0 Ventura Benchmark v2.1.0
• MicrosoftWindows Server 2019 Stand-alone v2.0.0
• Oracle Linux 9 Benchmark v2.0.0
• Red Hat Enterprise Linux 9 Benchmark v2.0.0

Security fixes in this release:

• CVE-2023-2976. Updated KeyCloak to 25.0.0 to address this vulnerability.

Security Compliance Management 3.1.0

Released 27 June 2024.

New in this release:

• Desired compliance can be set for operating systems. You can now set the desired compliance defaults for each operating system. Any node added to the operating system is automatically assigned the benchmark and profile you set for that operating system.
• Disaster recovery. Added instructions on how to back up your data and make it easier to restore your system if disaster recovery is needed.
• Documentation additions.
  • Added a REST API tutorial to the Security Compliance Management documentation.
  • Added instructions on how to use journald for logging.
• CIS-CAT Pro Assessor v4.42.0. Security Compliance Management 3.1.0 contains the CIS-CAT Pro Assessor v4.42.0.
• Benchmarks updated in this release:
  • Debian Linux 12 Benchmark v1.0.1
  • Microsoft Windows 11 Stand-alone Benchmark v3.0.0
  • Microsoft Windows Server 2019 Benchmark v3.0.1

Resolved in this release:

• Migrated scheduled scans not executing. Fixed an issue that could prevent existing scheduled scans from running after migrating from Security Compliance Management version 2.x to 3.x.
• Search box on exceptions page not accepting input. Fixed an issue affecting the search bar on the exceptions page.
• macOS not getting desired benchmark assigned. Fixed an issue that was causing macOS nodes to be listed as Darwin on the Inventory page, which prevented the desired compliance from being set for those nodes.

Security fixes in this release:

• CVE-2024-4068. Updated braces to address this vulnerability.
• CVE-2024-2961, CVE-2024-33599, CVE-2024-2700, CVE-2024-1132, CVE-2024-1249, CVE-2024-2419, CVE-2024-3656, GHSA-69fp-7c8p-crjr. Updated KeyCloak to address these vulnerabilities.
• CVE-2023-5363. Updated oauth2-proxy to address this vulnerability.

Security Compliance Management 3.0.0

Released 7 May 2024.

New in this release:

• Security Compliance Management is now included in the full Puppet Enterprise suite. The Puppet Enterprise license now covers the full Puppet Enterprise suite, which includes Security Compliance Management (formerly Puppet Comply®) and Continuous Delivery. If you have installed Puppet Enterprise, you can separately install and use the other parts of the suite. Additionally, by purchasing the Puppet Enterprise Advanced license, you can unlock the following premium features:
  • Security Compliance Enforcement (formerly CEM)
  • Advanced Impact Analysis capabilities within Continuous Delivery
• Bolt-based Security Compliance Management installer. The new Puppet Bolt-based installer for Security Compliance Management allows you to install, upgrade, and configure SCM through an easy wizard. For more information, visit Install Security Compliance Management. If you are on an air-gapped environment where SSH access is not permitted to the target node, visit Install Security Compliance Management on a host without SSH access.
• Migrate Security Compliance Management 2.x to a 3.x installation. To upgrade to the Security Compliance Management 3.x series from a version in the 2.x series, see Migrate from Security Compliance Management 2.x to 3.x.
• CIS-CAT Pro Assessor v4.41.0. Security Compliance Management 3.0.0 contains the CIS-CAT Pro Assessor v4.41.0.
• Benchmarks updated in this release:
  • Debian Linux 11 Benchmark v2.0.0
  • Microsoft Windows 10 Stand-alone Benchmark v3.0.0
  • Microsoft Windows Server 2016 Benchmark v3.0.0
  • Microsoft Windows Server 2019 Benchmark v3.0.0
  • Microsoft Windows Server 2022 Benchmark v3.0.0
  • Ubuntu Linux 18.04 LTS Benchmark v2.2.0
  • Ubuntu Linux 22.04 LTS Benchmark v2.0.0

Resolved in this release:

• Unable to reset the desired compliance when a node changes operating systems. Fixed an issue where you could not change the desired compliance after changing the OS on a node. You can now reset the desired compliance on a node when the OS of the node changes.

Security fixes in this release:

• Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.41.0:
  • PostgreSQL updated to v42.7.2.
  • xmlsec updated to v4.0.1.
  • cxf-core-updated to v3.5.8.
  • bouncycastle updated to v1.78.

For upgrade instructions, see Upgrading.