Security Compliance Management release notes
These are the new features, enhancements, and resolved issues for the Security Compliance Management (SCM) 3.x release series.
Security Compliance Management 3.3.0
Released 11 December 2024.
New in this release:
- Additions to the Security Compliance Management API. Improved accessibility and efficiency of SCM functions by adding two new APIs to the Security Compliance Management API:
  - Profiles API. Added four new endpoints (/v1/profiles, /v1/profiles/{id}, /v1/custom-profiles, /v1/custom-profiles/{id}) to retrieve information about benchmark profiles in SCM.
  - Custom Scan API. Added a new endpoint (/v1/custom-scan) to create ad-hoc custom scans, which can be run with a custom profile or with a profile and benchmark.
- Added non-root support. Added the ability to install Security Compliance Management as a non-root user.
- Added a task to remove old CIS-CAT Pro Assessor versions. Added the remove_assessor task, which allows you to remove old versions of the CIS-CAT Pro Assessor that are no longer in use.
- CIS-CAT Pro Assessor v4.47.0. Security Compliance Management 3.3.0 contains the CIS-CAT Pro Assessor v4.47.0.
- Benchmarks updated in this release:
  - AlmaLinux OS 9 Benchmark v2.0.0
  - Amazon Linux 2023 Benchmark v1.0.0
  - Apple macOS 13.0 Ventura Benchmark v3.0.0
  - Apple macOS 14.0 Sonoma Benchmark v2.0.0
  - Debian Linux 12 Benchmark v1.1.0
  - Microsoft Windows Server 2016 STIG Benchmark v3.0.0
  - Rocky Linux 9 Benchmark v2.0.0
  - SUSE Linux Enterprise 12 Benchmark v3.2.0
  - Ubuntu Linux 24.04 LTS Benchmark v1.0.0
Resolved in this release:
- Server failing to complete Security Compliance Management scan. Fixed an issue where scans would not complete when running against machines running CIS-CAT Pro Assessor versions 4.37.0 and later. For Linux and macOS users, this fix requires the timeout package, which is installed on Linux hosts by default. Users on macOS may need to install this package.
- Remove broken link for Assessor download. Removed a broken link for the Assessor download from the Settings page.
- Containers sometimes fail to run. Fixed an issue in SCM 3.2.0 that could result in containers for components and services failing to run because the num_locks limit was exceeded.
- Default Windows 2022 benchmark incorrectly set. Fixed an issue affecting assessor versions 4.39.0, 4.41.0, 4.42.0, and 4.43.0 where the default benchmark for Windows 2022 was incorrectly set to Azure.
- SCM fails to install when IPv6 is disabled. Fixed an issue where SCM NGINX components incorrectly depended on IPv6, preventing installation on systems with IPv6 disabled.
- Restore from backup failing. Fixed a permission issue causing restore from backup to fail due to issues copying database backups into the container on the target host.
- SCM fails to connect to the database after upgrade. Fixed an issue where upgrading to SCM 3.2.0 resulted in connection failures to the database due to permissions issues with the pg_hba.conf file.
- Incorrect number of scanned nodes displayed. Fixed an issue where the Nodes tab on the Scan reports page could display an incorrect number of nodes, sometimes showing more or fewer nodes than were scanned.
Security fixes in this release:
- CVE-2013-2028, CVE-2021-23017. Updated NGINX to 1.27.2 to address these vulnerabilities.
Security Compliance Management 3.2.0
Released 16 August 2024.
New in this release:
- Added application configuration to Security Compliance Management. You can now set the inventory refresh interval and data retention policy from the Settings page.
- Scheduled scans now support node groups. Node groups can now be added to scheduled scans. When a node is added to a node group, it is automatically included in the next scheduled scan for that node group.
- CIS-CAT Pro Assessor v4.43.0. Security Compliance Management 3.2.0 contains the CIS-CAT Pro Assessor v4.43.0.
- Benchmarks updated in this release:
  - Apple macOS 12.0 Monterey Benchmark v3.1.0
  - Apple macOS 13.0 Ventura Benchmark v2.1.0
  - Microsoft Windows Server 2019 Stand-alone Benchmark v2.0.0
  - Oracle Linux 9 Benchmark v2.0.0
  - Red Hat Enterprise Linux 9 Benchmark v2.0.0
Security fixes in this release:
- CVE-2023-2976. Updated KeyCloak to 25.0.0 to address this vulnerability.
Security Compliance Management 3.1.0
Released 27 June 2024.
New in this release:
- Desired compliance can be set for operating systems. You can now set the desired compliance defaults for each operating system. Any node added to the operating system is automatically assigned the benchmark and profile you set for that operating system.
- Disaster recovery. Added instructions on how to back up your data and make it easier to restore your system if disaster recovery is needed.
- Documentation additions.
  - Added a REST API tutorial to the Security Compliance Management documentation.
  - Added instructions on how to use journald for logging.
- CIS-CAT Pro Assessor v4.42.0. Security Compliance Management 3.1.0 contains the CIS-CAT Pro Assessor v4.42.0.
- Benchmarks updated in this release:
  - Debian Linux 12 Benchmark v1.0.1
  - Microsoft Windows 11 Stand-alone Benchmark v3.0.0
  - Microsoft Windows Server 2019 Benchmark v3.0.1
Resolved in this release:
- Migrated scheduled scans not executing. Fixed an issue that could prevent existing scheduled scans from running after migrating from Security Compliance Management version 2.x to 3.x.
- Search box on exceptions page not accepting input. Fixed an issue affecting the search bar on the exceptions page.
- macOS not getting desired benchmark assigned. Fixed an issue that was causing macOS nodes to be listed as Darwin on the Inventory page, which prevented the desired compliance from being set for those nodes.
Security fixes in this release:
- CVE-2024-4068. Updated braces to address this vulnerability.
- CVE-2024-2961, CVE-2024-33599, CVE-2024-2700, CVE-2024-1132, CVE-2024-1249, CVE-2024-2419, CVE-2024-3656, GHSA-69fp-7c8p-crjr. Updated KeyCloak to address these vulnerabilities.
- CVE-2023-5363. Updated oauth2-proxy to address this vulnerability.
Security Compliance Management 3.0.0
Released 7 May 2024.
New in this release:
- Security Compliance Management is now included in the full Puppet Enterprise suite. The Puppet Enterprise license now covers the full Puppet Enterprise suite, which includes Security Compliance Management (formerly Puppet Comply®) and Continuous Delivery. If you have installed Puppet Enterprise, you can separately install and use the other parts of the suite. Additionally, by purchasing the Puppet Enterprise Advanced license, you can unlock the following premium features:
  - Security Compliance Enforcement (formerly CEM)
  - Advanced Impact Analysis capabilities within Continuous Delivery
- Bolt-based Security Compliance Management installer. The new Puppet Bolt-based installer for Security Compliance Management allows you to install, upgrade, and configure SCM through an easy wizard. For more information, visit Install Security Compliance Management. If you are on an air-gapped environment where SSH access is not permitted to the target node, visit Install Security Compliance Management on a host without SSH access.
- Migrate Security Compliance Management 2.x to a 3.x installation. To upgrade to the Security Compliance Management 3.x series from a version in the 2.x series, see Migrate from Security Compliance Management 2.x to 3.x.
- CIS-CAT Pro Assessor v4.41.0. Security Compliance Management 3.0.0 contains the CIS-CAT Pro Assessor v4.41.0.
- Benchmarks updated in this release:
  - Debian Linux 11 Benchmark v2.0.0
  - Microsoft Windows 10 Stand-alone Benchmark v3.0.0
  - Microsoft Windows Server 2016 Benchmark v3.0.0
  - Microsoft Windows Server 2019 Benchmark v3.0.0
  - Microsoft Windows Server 2022 Benchmark v3.0.0
  - Ubuntu Linux 18.04 LTS Benchmark v2.2.0
  - Ubuntu Linux 22.04 LTS Benchmark v2.0.0
Resolved in this release:
- Unable to reset the desired compliance when a node changes operating systems. Fixed an issue where you could not change the desired compliance after changing the OS on a node. You can now reset the desired compliance on a node when the OS of the node changes.
Security fixes in this release:
- Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.41.0:
  - PostgreSQL updated to v42.7.2.
  - xmlsec updated to v4.0.1.
  - cxf-core updated to v3.5.8.
  - bouncycastle updated to v1.78.
For upgrade instructions, see Upgrading.