Comply release notes

These are the new features, enhancements, and resolved issues for the Puppet Comply 1.x release series.

Comply 1.0.4

Released May 2021.

New in this release:

  • CIS-CAT Pro Assessor v4.6.0. Comply 1.0.4 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
    • CentOS Linux 7 v3.1.0
    • Microsoft Windows Server 2019 Benchmark v1.2.0
    • Microsoft Windows Server 2019 STIG Benchmark v1.0.0
    • Red Hat Enterprise Linux 7 Benchmark v3.1.0
    • Red Hat Enterprise Linux 7 STIG Benchmark v1.0.1
    • SUSE Linux Enterprise Server 12 Benchmark v3.0.0
    • Ubuntu Linux 20.04 LTS Benchmark v1.1.0
  • Windows 2016 Datacenter. The Windows 2016 Datacenter benchmark is now available as a desired compliance benchmark.
  • Updated module dependencies. The comply module now includes the latest dependency releases.

Resolved in this release:

  • License check errors. This release fixes an issue where the license check returned an error if you installed Comply at the same time as Continuous Delivery for PE.

Security notice:

  • Vulnerability in bluemonday dependency. This release updates the bluemonday package to version 1.0.9.

Comply 1.0.3

Released April 2021.

New in this release:

  • CIS-CAT Pro Assessor v4.4.0. Comply 1.0.3 includes the latest version of the CIS-CAT assessor and its associated benchmarks:
    • CentOS Linux 6 v3.0.0
    • Microsoft Windows 10 Enterprise Release 20H2 v1.10.0
    • Oracle Linux 6 v2.0.0
    • Red Hat Enterprise Linux 6 v3.0.0
  • Mac OS X benchmark support. Comply now supports Mac OS X 10.14 and 10.15 benchmarks.
  • Windows 10 Enterprise benchmark support. Comply now supports Windows 10 Enterprise benchmarks. Note that these are also compatible with Windows 10 Pro.
  • The oauth2-proxy server v7.1.1. The oauth2-proxy image, which provides authentication in Comply, has been updated to version 7.1.1.
  • Benchmark name displayed in tables. Comply now includes the benchmark name in the Desired compliance set column on the Inventory page.
  • Updated navigation icon for Inventory. Comply has a new custom icon for Inventory in the side navigation bar.

Resolved in this release:

  • Node results table shows incorrect time. This release fixes an issue in the node results table that showed the last scan as being an hour behind the current time.

Security notice:

  • Vulnerability remediation in the handlebars dependency. This release updates handlebars to version 4.7.7, remediating the vulnerability.
  • Vulnerability remediation in the ejs dependency. This release updates bull-board to 1.3.0, which includes version 3.1.6 of the ejs dependency, remediating the vulnerability.
  • Vulnerability remediation in the OpenSSL dependency. This release remediates the OpenSSL vulnerabilities in all images except postgres and oauth2_proxy, resolving the following CVEs:

Comply 1.0.2

Released March 2021.

New in this release:

  • CIS assessor upgraded to 4.3.1. Comply now uses a licensed version of the CIS assessor. To upgrade, see Upgrade the CIS assessor.
  • Windows Server 2016 STIG benchmark. This new benchmark includes the Level 3 STIG Domain Controller profile.

Resolved in this release:

  • Activity feed empty. Previously, the activity feed broke when the job had been purged in Puppet Enterprise (PE). This is now fixed.
  • TheQ logs not included. TheQ logs are now included in the support bundle.
  • Large reports cannot be ingested. Comply can now ingest XML files up to 32MB.
  • UI sending incorrect parameters. This release fixes an issue where custom profile rules could not be updated.
  • Timeout prevents assessor download. This release fixes an issue that prevented the assessor archive from downloading.
  • Custom profile ID not passing. Comply now passes the custom profile ID in a scan task.
  • License uses incorrect casing. This release fixes incorrect casing of the scarp response in the Comply license.

Security notice:

Comply 1.0.1

Released February 2021.

New in this release:

  • Preflight check for volume use. This preflight check verifies the Ceph storage layer.
  • Preflight check to verify hostname is reachable. This preflight check ensures that the Comply application can communicate with the configured hostname.
  • Support bundle analyzers. Support bundles now include analyzers for preflight checks and issues with application components. Preflight checks also verify that schedulable CPU and memory capacity are available to perform upgrades.
  • Updated log levels. A new configuration option in the KOTS admin allows you to modify Comply's debugging output.

Resolved in this release:

  • Pre-flight false positive. The hostname preflight check no longer returns false positives.
  • Report files left in queue. Report files are no longer left in the queue service filesystem.

Security notice:

  • Comply UI vulnerabilities. This release fixes UI service vulnerabilities.
  • Queue service vulnerabilities. This release fixes queue service vulnerabilities.
  • Postgres container base image issues. This release updates the postgres container to fix the following security issues: CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363.

Comply 1.0.0

Released December 2020.

Features in this release:

  • CIS scans. Check the compliance of your nodes against CIS Benchmarks. For a list of supported operating systems, see system requirements.
  • Desired compliance. Set a default benchmark and profile that you want your scans to be measured against.
  • Custom profiles. Customize profiles to specify which rules you want visible in scan reports.
  • Compliance status. The Compliance dashboard shows the compliance status of your nodes based on the latest scan results.
  • Node breakdown. The Node compliance page shows an individual node's compliance status.
  • Rule breakdown. The Rules results page shows the status of a rule on each node that is checked, why the rule is important, and specific operating system steps you can take to fix a rule that is failing scans.