Release notes for Linux
Review the release notes to learn about updates and resolved issues in Security Compliance Enforcement (SCE) for Linux. You can also review the Known issues and limitations.
To take advantage of new features and resolved issues, install the latest module version. Only the latest version is supported.
v2.5.0
Released 30 September 2025
With this release, you can benefit from the latest advances in security by enforcing updated CIS Benchmarks on Red Hat Enterprise Linux 9 and three other operating systems.
New features and enhancements
- Updated CIS Benchmarks. You can now use SCE to enforce updated Center for Internet Security (CIS) Benchmarks on Red Hat Enterprise Linux 9, AlmaLinux 9, Oracle Linux 9, and Rocky Linux 9 operating systems. The CIS Benchmarks are updated from v1.0.0 to v2.0.0, Server Levels 1 and 2.
  For detailed information about controls that were added, changed, or removed, see the following topics:
Resolved issue
- File verification with AIDE. In SCE for Linux v2.2.1, issues were detected during attempts to verify file integrity with the Advanced Intrusion Detection Environment (AIDE) tool. Commands issued by the cron scheduling utility and the systemd manager failed to verify file integrity because of incorrect paths. The paths are now updated to resolve the issue, which occurred on the Ubuntu Linux 20.04 system.
v2.4.0
Released 24 June 2025
This release expands the range of supported security standards by introducing DISA STIG controls on Red Hat Enterprise Linux (RHEL) 9 systems.
New features and enhancements
- DISA STIG support on RHEL 9. You can now use SCE to enforce Red Hat Enterprise Linux 9 STIG, Version 2, Release 4. Previously, SCE supported DISA STIG controls only on RHEL 7 and 8. The Security Technical Implementation Guide (STIG) controls, developed by the US Defense Information Systems Agency (DISA), enforce strict security measures and thus are often required to obtain government contracts.
- AI-powered search for product information. On the main page of the SCE documentation site, you can now enter a question to get an AI-generated answer. Answers combine content from the current version of the product documentation and the Perforce knowledge base. This new search experience helps you locate information more efficiently.
v2.3.3
Released 13 May 2025
This patch release resolves issues for users of the auditd service and the pluggable authentication module (PAM).
Resolved issues
- In SCE for Linux, users can specify settings for the auditd service, which collects and writes audit files. In previous releases, when users set a value of true for the manage_audit_rulesd parameter, they expected that all files and directories not managed by Puppet would be purged from the /etc/audit/rules.d directory. However, the setting did not work as expected, causing some files and directories to be left behind. In this release, the setting is correctly applied. For more information about the manage_audit_rulesd parameter, see the SCE for Linux Reference on Puppet Forge.
- When SCE for Linux v2.3.2 was run on an Ubuntu Linux 22.04 operating system, PAM configurations were not enforced. The issue occurred because the pam-auth-update command script failed to parse comments in the configuration files generated by SCE for Linux. The issue is resolved in this release by removing the comments from the generated files.
v2.3.2
Released 15 April 2025
This patch release resolves a system startup issue for Red Hat Enterprise Linux (RHEL) 8 users and a minor issue for Ubuntu Linux users.
Resolved issues
- When SCE for Linux is run on a RHEL 8 operating system to enforce DISA STIG controls, the next attempt to start the operating system might fail. This issue occurs after the initial Puppet run, which updates the settings in the /etc/default/grub configuration file and removes the rd.lvm.lv=rhel/root boot parameter. The issue is resolved to ensure that the boot parameter remains available, and the system can be restarted successfully.
- Resolved an issue affecting users who enforce CIS Control 2.1.16 on Ubuntu Linux 22.04 operating systems. Control 2.1.16 helps to prevent the use of Trivial File Transfer Protocol (TFTP) services, which support file transmission between TFTP servers and clients. For security reasons, the tftpd-hpa package should be removed if not used. However, due to a naming issue, the control failed to remove the package. The issue was fixed to ensure that the control is enforced.
v2.3.1
Released 4 February 2025
This patch release helps to ensure that Red Hat Enterprise Linux (RHEL) users can change passwords without encountering issues. Additional minor defects are also addressed.
Resolved issues
- Resolved an issue related to root passwords on RHEL 8 systems. In SCE for Linux versions 2.0.0 and 2.3.0, an attempt to change the root password resulted in failure with the message:
  passwd: Authentication token manipulation error
  The passwords can now be successfully changed.
- Resolved an issue that caused fact resolutions to fail with the message:
  Error: Facter: Error while resolving custom fact fact='sce_mount_info'
  The issue occurred because the Puppet agent attempted to detect user home directories in all mounted file systems when resolving the sce_mount_info fact. If any file systems were inaccessible to the agent because of permission issues, errors were reported regardless of whether user home directories existed on the file systems. To resolve the issue, the sce_mount_info fact was updated to ensure that any home directories that are inaccessible to the Puppet agent due to permissions are not reported on.
- Resolved an issue for users of SCE for Linux v2.2.1 on the Ubuntu Linux 20.04 operating system. The Advanced Intrusion Detection Environment (AIDE) configuration checks were not being set correctly. The issue was resolved by ensuring that all configuration checks are now specified with the conf_checks parameter under the ensure_aide_is_installed control.
v2.3.0
Released 10 December 2024
Support for CentOS 7, which has reached end of life (EOL), is discontinued in this release. In addition, this release resolves issues to help ensure that chrony time synchronization works as designed on the Ubuntu Linux 20.04 operating system.
Resolved issues
- Resolved several issues related to chrony time synchronization on the Ubuntu Linux 20.04 operating system. The following issues occurred in SCE for Linux v2.2.1:
  - The chrony time servers specified by users failed to load because of a missing include directive. The issue was resolved by adding the missing directive to the chrony.conf file.
  - When users added chrony time servers to the configuration, existing time servers remained unaffected. As a result, user-specified and default time servers were active simultaneously. To resolve the issue, a new top-level parameter, fully_manage_timeservers, was introduced. When this parameter is set to true, SCE removes all time servers except for those explicitly configured by the user. If you specify true, you must configure at least one time server to ensure that chrony works as expected. The default parameter setting is false.
  - After the chrony time servers specified by users were updated, SCE for Linux did not reload the servers. This issue occurred because the version of the chronyc program shipped with Ubuntu Linux 20.04 does not have a reload_sources option. To ensure that chrony time servers are reloaded, SCE for Linux was updated to restart the chrony service automatically.
  - Scan failures occurred because of a missing sce_chrony.sources file. The missing file is now added.
  - A STIG control was enforced even though a CIS Benchmark was specified. The STIG control was 'Ensure the SSH daemon does not allow authentication using known host's authentication'. The issue occurred because, in the sce_linux::utils::packages::ssh class, the ignore_user_known_hosts parameter was set to yes by default. To resolve the issue, the default parameter value was changed to undef, and the parameter was made optional. This update does not require any configuration changes by the user.
- Resolved an issue related to the GnuTLS Transport Layer Security Library, which is used by client applications to start secure sessions. In SCE for Linux v2.2.0, the exec resource sce_gnutls_version was enforced during each Puppet run, even when not necessary. The issue is resolved to prevent unnecessary activity.
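The fully_manage_timeservers behaviour described above, modelled in shell as an added example (this is not code from the SCE for Linux module). It works on temporary copies of chrony.conf and of a sources file: user-specified servers are written to the sources file, chrony.conf gets an include directive pointing at it (the missing-include defect), and when fully_manage_timeservers is true every other server, pool or peer line is removed so only the user's servers stay active. The file name sce_chrony.sources and the parameter name come from the release notes; the sample chrony.conf content, the include form and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the SCE for Linux module. Models the
# fully_manage_timeservers parameter on copies of the files involved.

make_sample_chrony_conf() {
  cat > "$1" <<'EOF'
# constructed sample resembling a distro default chrony.conf
pool ntp.ubuntu.com        iburst maxsources 4
pool 0.ubuntu.pool.ntp.org iburst maxsources 1
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
rtcsync
makestep 1 3
EOF
}

# render_sources <sources_file> <server>...: one "server X iburst" line per server
render_sources() {
  out="$1"; shift
  : > "$out"
  for srv in "$@"; do
    printf 'server %s iburst\n' "$srv" >> "$out"
  done
}

# manage_chrony <conf> <sources_file> <fully_manage:true|false> <server>...
# Returns 1 when fully_manage is true but no server was given: chrony would be
# left with nothing to synchronise against, which is why at least one server
# must be configured in that mode.
manage_chrony() {
  conf="$1"; sources="$2"; fully="$3"; shift 3
  if [ "$fully" = "true" ] && [ "$#" -eq 0 ]; then
    echo "fully_manage_timeservers=true requires at least one time server" >&2
    return 1
  fi
  render_sources "$sources" "$@"
  # The v2.2.1 defect was a missing include: add one if chrony.conf lacks it.
  if ! grep -qxF "include $sources" "$conf"; then
    printf 'include %s\n' "$sources" >> "$conf"
  fi
  if [ "$fully" = "true" ]; then
    # Drop every other source so that only the user's servers remain active.
    sed -E '/^[[:space:]]*(server|pool|peer)[[:space:]]/d' "$conf" > "$conf.tmp" \
      && mv "$conf.tmp" "$conf"
  fi
  # On Ubuntu 20.04 the sources cannot be reloaded through chronyc, so SCE
  # restarts the chrony service; that restart is omitted in this model.
  return 0
}

# count_sources <conf>: server/pool lines in chrony.conf plus in every included file
count_sources() {
  conf="$1"
  n=$(grep -cE '^[[:space:]]*(server|pool)[[:space:]]' "$conf" || true)
  for inc in $(sed -nE 's/^include[[:space:]]+//p' "$conf"); do
    m=$(grep -cE '^[[:space:]]*(server|pool)[[:space:]]' "$inc" || true)
    n=$((n + m))
  done
  echo "$n"
}

# Stand-alone demonstration on temporary copies.
cfg=$(mktemp); sfile=$(mktemp)
make_sample_chrony_conf "$cfg"
manage_chrony "$cfg" "$sfile" true time1.example.net time2.example.net
echo "active sources: $(count_sources "$cfg")"   # 2
rm -f "$cfg" "$sfile"
```

With fully_manage_timeservers=false the distro pools and the user's servers are counted together, which is the "active simultaneously" situation the release notes describe; with true only the user's servers remain, and the function refuses to run without at least one.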
Deprecations
The CentOS 7 operating system reached EOL in June 2024. Support for CentOS 7 is discontinued starting with the SCE for Linux v2.3.0 release. If you configured SCE to enforce Center for Internet Security (CIS) controls on the CentOS 7 operating system, and you are now planning a transition to a different operating system and different CIS Benchmark, you might have to update the configuration to avoid operational issues.
v2.2.1
Released 12 November 2024
SCE for Linux v2.2.1 replaces legacy facts, which were deprecated in Puppet 8, and resolves an issue with password enforcement on Red Hat Enterprise Linux (RHEL) 8 systems. The release also resolves issues for users of DISA STIG controls on RHEL 7 systems.
New features and enhancements
Updates were introduced to replace facts deprecated in Puppet 8. In SCE for Linux v2.2.1, several providers were updated to ensure that current facts are used as arguments in their constraint methods. This update does not change the functionality of the providers. However, the update helps to prevent issues in environments where code is scanned to prevent legacy fact use.
Resolved issues
- Resolved an issue related to password enforcement on RHEL 8 systems. In SCE for Linux v2.2.0, STIG Control V-230364 did not correctly enforce the minimum lifetime requirement for passwords. In SCE for Linux v2.2.1, the control enforces a minimum password lifetime of 24 hours. This setting helps to secure systems by preventing repeated password changes in a short period.
- Resolved issues for users of US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) controls on RHEL 7 operating systems:
  - Previously, STIG Control V-204449 was incorrectly set to a default value of /bin/true. Now, the control is set to /bin/false to disable the use of USB mass storage. This setting helps to prevent the introduction of unknown devices into a system.
  - Previously, STIG Control V-204450 was set to /bin/true. Now, the control is set to /bin/false to ensure that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. Disabling DCCP helps to protect systems against exploitation of possible flaws in protocol implementation.
Deprecations
The CentOS 7 operating system reached end of life (EOL) in June 2024. SCE support for CentOS 7 will be discontinued in a future release.
v2.2.0
Released 15 October 2024
With SCE for Linux v2.2.0, you can enforce a higher level of security on Ubuntu Linux systems and apply updated DISA STIG security standards to Red Hat Enterprise Linux (RHEL) 8 systems. This release also simplifies common tasks such as setting parameters and specifying audit permissions, and resolves several user-reported issues.
New features and enhancements
- SCE for Linux supports the following Center for Internet Security (CIS) Benchmarks:
  - Ubuntu Linux 22.04, v2.0.0, Level 2 - Server
  - Ubuntu Linux 20.04, v2.0.1, Level 2 - Server
- SCE for Linux supports an updated US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG standard was upgraded from RHEL 8 STIG, Version 1, Release 11, to Version 1, Release 14. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 14.
- You can now use Hiera Automatic Parameter Lookup (APL) to override any parameter implemented by a resource used by SCE for Linux. When you specify parameters with APL, you override the values set in control configurations and the parameter defaults set by Hiera at the SCE module level. For more information about APL, see Automatic lookup of class parameters.
- You can now reference a new topic, Run tasks and plans, to learn about the tasks and plans that are available to SCE for Linux users. In some cases, you can run tasks or plans to facilitate the manual configuration of CIS controls. In addition, the Reference section on Puppet Forge is updated to indicate which controls can be used with tasks and plans.
- Usability improvements were implemented for the Bolt plan linux_users_and_groups. The plan is used to enforce user-specific and group-specific security settings on all applicable users and groups in a system. Error handling was improved for the tasks in the plan to help provide detailed information in case of failures. Many errors now have non-blocking status to ensure that other aspects of the plan continue to function even when minor errors are detected.
Resolved issues
- Resolved an issue related to audit log files. Starting with this release, /var/log/audit/audit.log file permissions are managed in the same way as all other files in the /var/log/audit directory.
- Resolved an issue in the automatically generated reference topics in SCE for Linux v2.1.0. For some parameters in some controls, more than one default value was listed. The issue is fixed to ensure that only one default value is listed.
- Resolved a password issue on RHEL 8 operating systems. By default, CIS control 5.3.3.4.1 - Ensure pam_unix does not include nullok - is set to 'true'. This setting applies to the pluggable authentication module (PAM) and helps to prevent users with blank passwords from accessing systems. In previous releases, this control was not enforced as expected. The issue is now resolved to ensure that users can enforce their specified setting with the CIS control and can use the remove_nullok parameter in the password_creation_requirement resource to ensure that any instances of nullok are removed from the PAM password-auth and system-auth configuration files.
- Resolved an issue affecting the grub2 bootloader password. Previously, the password was sometimes hashed incorrectly, which caused it to be nonfunctional. The issue is corrected to help ensure that the password is always hashed correctly and can be used to provide an extra layer of protection for systems.
- Resolved compilation errors sometimes seen by users running SCE with Puppet Enterprise 2021.7.8 and 2021.7.9. Error messages were generated because the filter_map method could not be found in the JRuby version included in Puppet Enterprise. To prevent the compilation errors, Ruby code was updated in SCE.
- Resolved an issue related to journald, a service that collects and stores log data. On Ubuntu Linux 22.04 systems, scan failures were seen because storage was not configured for journald. SCE for Linux now specifies the persistent setting for journald storage to resolve the issue.
- Resolved an issue that was causing scan failures related to the Gnome Desktop Manager (GDM) banner message. Previously, configurations that enabled and specified these banner messages were in separate files, but the CIS controls attempted to detect the configurations in a single file. To resolve the issue, both configurations were moved to the same file, and rarely used GDM parameters were deprecated. During Puppet runs, users of the rarely used parameters will now see deprecation notices and reconfiguration instructions.
- Resolved an issue related to screen locks for Gnome Desktop Manager (GDM) users. According to CIS recommendations, screen locks should be enforced during periods of inactivity to help prevent unauthorized access to unattended systems. In SCE for Linux v2.1.0 on Ubuntu 22.04, however, the screen locks were not enforced by default. The default setting was updated to provide enforcement.
- Resolved an issue related to the Postfix mail transfer agent. Based on CIS and STIG recommendations, Postfix either should not be installed or, if installed, should be restricted to local emails or configured to prevent connections from unknown or untrusted networks. Previously, some controls were enforced by installing Postfix if it was not installed and then configuring Postfix to meet requirements. Now, the controls are enforced only if Postfix is installed. The following controls are affected:
  - On RHEL 7, STIG Control V-204619
  - On RHEL 8, STIG Control V-230550
  - On Ubuntu Linux 20.04, CIS Control 'Ensure mail transfer agent is configured for local-only mode'
  - On Ubuntu Linux 22.04, CIS Control 'Ensure mail transfer agent is configured for local-only mode'
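The effect that the nullok fix above is meant to have on a PAM stack, shown as an added shell example (not code from the SCE for Linux module): every pam_unix.so line loses its nullok option, so accounts with an empty password can no longer pass the auth and password stacks. The sample password-auth content is constructed in the style of an authconfig-generated file, and the functions below (including one named remove_nullok after the parameter) are this example's own; nothing under /etc/pam.d is touched.

```shell
#!/bin/sh
# Added example, not code from the SCE for Linux module. Strips nullok from
# pam_unix.so lines in a constructed copy of a PAM stack file.

make_sample_pam() {
  cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
}

# count_nullok <file>: number of pam_unix.so lines that still accept empty passwords
count_nullok() {
  grep -cE 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)' "$1" || true
}

# remove_nullok <file>: delete the bare nullok token on pam_unix.so lines only.
# Other modules are untouched, and option names that merely start with
# "nullok" (for example nullok_secure) are left alone by the trailing match.
remove_nullok() {
  sed -E '/pam_unix\.so/ s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Stand-alone demonstration on a temporary copy.
f=$(mktemp)
make_sample_pam "$f"
echo "before: $(count_nullok "$f") pam_unix.so line(s) with nullok"   # 2
remove_nullok "$f"
echo "after:  $(count_nullok "$f") pam_unix.so line(s) with nullok"   # 0
rm -f "$f"
```

Running count_nullok against a live system-auth or password-auth file is a quick compliance check for the control; a non-zero result means an empty password would still be accepted by pam_unix.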
Deprecations
The CentOS 7 operating system reached end of life (EOL) in June 2024. SCE support for CentOS 7 will be discontinued in a future release.
v2.1.0
Released 13 August 2024
With SCE for Linux v2.1.0, you can now enforce security controls on a broader range of operating systems. SCE now enforces the following Center for Internet Security (CIS) Benchmarks: AlmaLinux 9, v1.0.0; Rocky Linux 9, v1.0.0; and Ubuntu 22.04, v2.0.0. You can also enforce updated CIS benchmarks on Red Hat Enterprise Linux (RHEL) 7 and Oracle Linux 7 operating systems.
New features and enhancements
- The CIS AlmaLinux 9 Benchmark v1.0.0 is supported at Server Levels 1 and 2.
- The CIS Rocky Linux 9 Benchmark v1.0.0 is supported at Server Levels 1 and 2.
- The CIS Ubuntu 22.04 Benchmark v2.0.0 is supported at Server Level 1.
- The CIS RHEL 7 Benchmark v4.0.0 is supported at Server Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0.
- The CIS Oracle Linux 7 Benchmark v4.0.0 is supported at Server Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Oracle Linux 7 Benchmark v4.0.0.
- You can now enjoy more flexibility when specifying CIS or STIG controls to enforce. Starting with this release, you can apply both the only and ignore keys in a single configuration file. If both keys are used, SCE first applies the only key to narrow the scope, and then applies the ignore key to exclude specific controls from that group. For more information, see Enforce and ignore controls within a single configuration.
- An update was introduced to improve usability of the vlock utility, which locks virtual console sessions to prevent unauthorized access. Previously, if vlock locked a sudo shell session, the user was prompted for the root account password. Now, users can specify a setting in the control_config hash to prompt for the non-sudo account password, as shown in the following example:
  set -g lock-command 'if [ -z "$SUDO_USER" ];then vlock;else sudo -u $SUDO_USER vlock;fi'
- You can now use new parameters to modify the permissions and ownership of the /var/log/audit/ directory, where audit logs are stored. Previously, the directory permissions were hard-coded when enforcing certain controls. Now, the directory permissions are fully configurable. To find detailed information about parameters for the controls that you are enforcing, see the Reference tab on Puppet Forge.
- An update was introduced to support more flexibility in assigning mount options. With this update, if /tmp is a mounted directory using a file system other than the Temporary File System (tmpfs), the noexec, nosuid, and nodev options will be directly assigned to the file system in /etc/fstab. If /tmp is mounted using tmpfs, or if no mount for /tmp exists, systemd is used to mount /tmp with the tmpfs file system, as in previous releases. To restore the previous behavior, you can set the parameter force_tmpfs to true on the controls that manage /tmp mount options.
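The /tmp mount-option rule above, applied in shell to a constructed copy of /etc/fstab as an added example (not code from the SCE for Linux module): a /tmp entry on a file system other than tmpfs has noexec, nosuid and nodev added to its options in place; a tmpfs /tmp, or no /tmp entry at all, is reported as a case for a systemd tmp.mount unit; and force_tmpfs=true selects the systemd path regardless, as the previous behaviour did. The parameter name force_tmpfs comes from the release notes; the sample fstab lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the SCE for Linux module. Decides how /tmp
# mount options are applied and hardens a copy of /etc/fstab accordingly.

make_sample_fstab() {
  cat > "$1" <<'EOF'
# constructed sample /etc/fstab
UUID=0000-root  /      xfs  defaults        0 0
/dev/vg0/tmp    /tmp   xfs  defaults        0 0
UUID=0000-home  /home  xfs  defaults,nodev  0 0
EOF
}

# tmp_fstype <fstab>: file system type of the /tmp entry, empty if there is none
tmp_fstype() {
  awk '$1 !~ /^#/ && $2 == "/tmp" { print $3 }' "$1"
}

# tmp_mount_plan <fstab> <force_tmpfs:true|false>: prints "fstab" when the
# options belong in /etc/fstab, "systemd" when a tmpfs unit is used instead
tmp_mount_plan() {
  fstype=$(tmp_fstype "$1")
  if [ "$2" != "true" ] && [ -n "$fstype" ] && [ "$fstype" != "tmpfs" ]; then
    echo fstab
  else
    echo systemd
  fi
}

# harden_tmp_fstab <fstab>: add each of noexec, nosuid and nodev to the /tmp
# entry's options unless already present (so repeated runs change nothing),
# rewrite the file, and print the resulting option string.
harden_tmp_fstab() {
  awk '
    $1 !~ /^#/ && $2 == "/tmp" && $3 != "tmpfs" {
      n = split($4, have, ",")
      for (i = 1; i <= n; i++) seen[have[i]] = 1
      m = split("noexec nosuid nodev", want, " ")
      for (i = 1; i <= m; i++) if (!(want[i] in seen)) $4 = $4 "," want[i]
    }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }' "$1"
}

# Stand-alone demonstration on a temporary copy.
f=$(mktemp)
make_sample_fstab "$f"
echo "plan: $(tmp_mount_plan "$f" false)"      # fstab
echo "options: $(harden_tmp_fstab "$f")"       # defaults,noexec,nosuid,nodev
rm -f "$f"
```

Checking idempotence (a second harden_tmp_fstab run leaving the line unchanged) matters for configuration management: an option list that grows on every run would show as a corrective change on each Puppet run.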
Resolved issues
- Resolved an issue that occurred when configuring custom firewall rules in SCE for Linux. The issue generated error messages about dependency cycles. The issue is resolved, and the documentation is updated to provide a custom configuration example. See Configure the firewall type.
- Resolved an issue to ensure that the process of specifying permissions for audit files works as designed. Previously, any specified audit permissions were applied only to the configuration (.conf) files in the /etc/audit directory. With this update, all configuration files in the /etc/audit directory and subdirectories will have permissions set.
- Fixed a defect that could disrupt SSH connectivity on some nodes. Previously, because of an incorrect default value, the SSH_USE_STRONG_RNG=32 setting in the /etc/sysconfig/sshd file was applied to systems that did not require this setting. The default value has been fixed, and this setting will no longer be applied to all systems.
- Fixed an audit rule issue that caused Puppet run failures in rare circumstances. The issue occurred when controls enforced auditd rules for privileged commands. Depending on a node's file system configurations, the Linux find command would fail when attempting to enumerate privileged command binaries from mounted file systems. Starting with this release, if the find command fails, error messages are sent to the puppetserver log, but the Puppet run continues and other controls are enforced.
Deprecations
The CentOS 7 operating system is end of life (EOL). SCE support for CentOS 7 will be discontinued in a future release.
v2.0.0
Released 7 May 2024
In this release, the Compliance Enforcement Modules are renamed to Security Compliance Enforcement (SCE). The new name highlights the capability to enforce secure configurations for IT infrastructures based on internationally recognized standards. In addition, SCE for Linux expands the scope of enforcement by introducing a new operating system, Ubuntu Linux 20.04, and by enforcing an updated CIS Benchmark, v3.0.0, on Red Hat Enterprise Linux (RHEL) 8 systems.
New features and enhancements
- As part of the name change, the module is now available on Puppet Forge under the following name: sce_linux. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the sce_linux and sce_windows modules. CEM modules remain on Puppet Forge in a deprecated state for subscribers who want to continue using CEM for the time being, and CEM documentation remains available at Introducing the Compliance Enforcement Modules.
- In the documentation, configuration examples are updated to replace cem_linux with sce_linux. See Configuring SCE.
- After an upgrade to SCE for Linux v2.0.0, you must delete extraneous files from earlier versions. See Clean up the system after an upgrade to SCE v2.0.0.
- To take advantage of fixes and improvements in Puppet modules, SCE for Linux now supports the latest versions of its Puppet module dependencies:
  - puppetlabs/stdlib: ≥ 4.13.1 < 10.0.0 (except for 9.0.x, 9.1.x, and 9.2.x, which are not supported)
  - puppetlabs/concat: ≥ 6.4.0 < 10.0.0
  - puppetlabs/inifile: ≥ 1.6.0 < 7.0.0
  - puppetlabs/augeas_core: ≥ 1.1.1 < 2.0.0
  - puppetlabs/firewall: ≥ 5.0.0 < 9.0.0
  - puppet/firewalld: ≥ 4.5.0 < 6.0.0
  - puppet/logrotate: ≥ 5.0.0 < 8.0.0
  - puppet/selinux: ≥ 3.2.0 < 5.0.0
  - puppet/systemd: ≥ 3.5.0 < 7.0.0
  To avoid operational issues, do not use earlier module versions.
- CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1 is supported at Level 1.
- CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0.
- CIS AlmaLinux OS 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS AlmaLinux 8 Benchmark v3.0.0.
- CIS Oracle Linux 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Oracle Linux 8 Benchmark v3.0.0.
- CIS Rocky Linux 8 Benchmark v2.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Rocky Linux 8 Benchmark v2.0.0.
- The process by which SCE creates audit rules for privileged commands was changed to improve operational efficiency. Previously, the cem_files_setuid fact enumerated all privileged commands on a node and returned an array of audit rules that were used to create rules on the system. In rare circumstances, the cem_files_setuid fact grew to an extent that negatively impacted Puppet performance. For more information about the changes, see Configure audit rules for privileged commands.
- You can use three new tasks to audit CIS controls:
  - The audit_journald_logs_to_rsyslog task can be used to audit Control 5.1.2.5 'Ensure journald is not configured to send logs to rsyslog'. The control monitors the /etc/systemd/journald.conf file to help ensure that logs are not forwarded to the rsyslog utility.
  - The audit_journald_log_rotation task can be used to audit Control 5.1.2.6 'Ensure journald log rotation is configured per site policy'. The control monitors the /etc/systemd/journald.conf file to ensure that logs are rotated according to site policy.
  - The audit_approved_services_listening task can be used to audit Control 2.2.22 'Ensure only approved services are listening on a network'. The control lists all TCP and UDP listening network sockets to help ensure that only authorized services listen on a system.
- You can use a new Puppet Bolt® task, delete_files, to delete extraneous files and directories on a target system. After you upgrade the module and run Puppet, you can run the delete_files task to remove extraneous files from the /etc/sysctl.d/ directory. For more information, see the Results section in Upgrade the module.
- An update was introduced to help prevent unauthorized persons from using wireless devices to access systems. A new fact, sce_wireless_kernel_mods, was added to help ensure that Control 3.1.2 'Ensure wireless interfaces are disabled' can be effectively enforced. The new fact enumerates the kernel modules that are associated with any wireless network interfaces detected on a node.
- An update was introduced to detect whether Internet Protocol Version 6 (IPv6) is enabled on a system to reduce security risks. A new Facter fact, sce_ipv6_enabled, was added to ensure that CIS Control 3.1.1 'Ensure IPv6 status is identified' can be enforced.
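The two audit-rule behaviours the notes describe, the per-node enumeration of privileged commands behind the cem_files_setuid fact (this release) and the find-failure tolerance introduced in v2.1.0, shown together in one added shell example (this is not the fact's code or its replacement). The function walks each given mount point with find, emits one auditd rule per setuid or setgid file, and when find fails on a mount point (unreadable or not actually mounted) reports that to stderr and carries on with the remaining mounts, so the rules for the other file systems are still produced. The rule layout follows the common CIS privileged-command pattern; the minimum UID of 1000, the key name privileged and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not the SCE for Linux cem_files_setuid fact or its successor.
# Builds auditd rules for privileged commands and tolerates a failing find.

# Constructed stand-in for two mounted file systems: one setuid binary, one
# ordinary binary, and one setgid binary.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/fs1/usr/bin" "$root/fs2/bin"
  : > "$root/fs1/usr/bin/passwd"; chmod 4755 "$root/fs1/usr/bin/passwd"
  : > "$root/fs1/usr/bin/plain";  chmod 0755 "$root/fs1/usr/bin/plain"
  : > "$root/fs2/bin/wall";       chmod 2755 "$root/fs2/bin/wall"
}

# privileged_cmd_rules <mount_point>...: one audit rule per setuid/setgid file.
# -xdev keeps find inside each file system. A failing find (for example a path
# that is not mounted or not readable) is logged to stderr and skipped; the
# function still returns 0, so enforcement of the other rules continues.
privileged_cmd_rules() {
  min_uid="${MIN_UID:-1000}"   # assumed minimum UID of interactive users
  for mnt in "$@"; do
    if ! find "$mnt" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null; then
      echo "warning: find failed on $mnt; skipping it" >&2
    fi
  done | sort | while IFS= read -r bin; do
    # Format string starts with %s so that the leading "-a" is never read as an option.
    printf '%s always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=unset -k privileged\n' \
      '-a' "$bin" "$min_uid"
  done
  return 0
}

# count_rules <mount_point>...: number of rules generated (helper for checks)
count_rules() {
  privileged_cmd_rules "$@" 2>/dev/null | grep -c 'always,exit' || true
}

# Stand-alone demonstration on a constructed tree, including a missing mount.
d=$(mktemp -d)
make_sample_tree "$d"
privileged_cmd_rules "$d/fs1" "$d/fs2" "$d/not-mounted"
rm -rf "$d"
```

The output is what a /etc/audit/rules.d fragment for privileged commands looks like; the warning for the unmounted path goes to stderr, which is the place a Puppet run would forward to the puppetserver log while the run continues.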
Resolved issues
- Fixed an issue to help protect RHEL 8 systems from unauthorized access. Specifically, an option name was corrected to ensure that Security Technical Implementation Guide (STIG) Control V-257258 is enforced. By default, the control ensures that management sessions that are left unattended for 15 minutes are logged out to prevent unauthorized access.
- Fixed an issue to improve the security of the auditd service, which collects and writes audit files. In previous releases, the service listened on Transmission Control Protocol (TCP) port 60 by default even when the user had not configured listening. In this release, the default value is removed to help ensure that auditd listens only when configured.
- Fixed an issue related to the Advanced Intrusion Detection Environment (AIDE) utility class. The order of resources in the utility class was corrected to ensure that the aide.conf configuration file is available before the aide --init command is run. When the command is run, the utility validates the directories and files listed in the aide.conf file. The fix helps to ensure that the utility runs as designed to validate file integrity and detect unauthorized access.
- Fixed a rare issue that could affect users with non-default module configurations. Previously, if permissions were being managed using a path with wildcard characters and an empty root directory, corrective changes might be reported for every Puppet run, even though no changes occurred. The behavior has been corrected in the custom type and provider used to manage file permissions.