Security Compliance Management release notes

These are the new features, enhancements, and resolved issues for the Security Compliance Management (SCM) 3.x release series.

Security Compliance Management 3.1.0

Released 27 June 2024.

New in this release:

  • Desired compliance can be set for operating systems. You can now set the desired compliance defaults for each operating system. Any node running that operating system that is added to the inventory is automatically assigned the benchmark and profile you set for it.
  • Disaster recovery. Added instructions for backing up your data so that the system can be restored if disaster recovery is needed.
  • Documentation additions.
  • CIS-CAT Pro Assessor v4.42.0. Security Compliance Management 3.1.0 contains the CIS-CAT Pro Assessor v4.42.0.
  • Benchmarks updated in this release:
    • Debian Linux 12 Benchmark v1.0.1
    • Microsoft Windows 11 Stand-alone Benchmark v3.0.0
    • Microsoft Windows Server 2019 Benchmark v3.0.1

Resolved in this release:

  • Migrated scheduled scans not executing. Fixed an issue that could prevent existing scheduled scans from running after migrating from Security Compliance Management version 2.x to 3.x.
  • Search box on exceptions page not accepting input. Fixed an issue affecting the search bar on the exceptions page.
  • macOS not getting desired benchmark assigned. Fixed an issue that was causing macOS nodes to be listed as Darwin on the Inventory page, which prevented the desired compliance from being set for those nodes.

Security fixes in this release:

  • CVE-2024-4068. Updated the braces npm package to address this vulnerability.
  • CVE-2024-2961, CVE-2024-33599, CVE-2024-2700, CVE-2024-1132, CVE-2024-1249, CVE-2024-2419, CVE-2024-3656, GHSA-69fp-7c8p-crjr. Updated Keycloak to address these vulnerabilities.
  • CVE-2023-5363 (OpenSSL). Updated oauth2-proxy to address this vulnerability.

Security Compliance Management 3.0.0

Released 7 May 2024.

New in this release:

  • Security Compliance Management is now included in the full Puppet Enterprise suite. The Puppet Enterprise license now covers the full Puppet Enterprise suite, which includes Security Compliance Management (formerly Puppet Comply®) and Continuous Delivery. If you have installed Puppet Enterprise, you can separately install and use the other parts of the suite. Additionally, by purchasing the Puppet Enterprise Advanced license, you can unlock the following premium features:
    • Security Compliance Enforcement (formerly CEM)
    • Advanced Impact Analysis capabilities within Continuous Delivery
  • Bolt-based Security Compliance Management installer. The new Puppet Bolt-based installer for Security Compliance Management allows you to install, upgrade, and configure SCM through an easy wizard. For more information, visit Install Security Compliance Management. If you are in an air-gapped environment where SSH access to the target node is not permitted, visit Install Security Compliance Management on a host without SSH access.
  • Migrate Security Compliance Management 2.x to a 3.x installation. To upgrade to the Security Compliance Management 3.x series from a version in the 2.x series, see Migrate from Security Compliance Management 2.x to 3.x.
  • CIS-CAT Pro Assessor v4.41.0. Security Compliance Management 3.0.0 contains the CIS-CAT Pro Assessor v4.41.0.
  • Benchmarks updated in this release:
    • Debian Linux 11 Benchmark v2.0.0
    • Microsoft Windows 10 Stand-alone Benchmark v3.0.0
    • Microsoft Windows Server 2016 Benchmark v3.0.0
    • Microsoft Windows Server 2019 Benchmark v3.0.0
    • Microsoft Windows Server 2022 Benchmark v3.0.0
    • Ubuntu Linux 18.04 LTS Benchmark v2.2.0
    • Ubuntu Linux 22.04 LTS Benchmark v2.0.0

Resolved in this release:

  • Unable to reset the desired compliance when a node changes operating systems. Fixed an issue where the desired compliance could not be changed after the OS on a node changed. You can now reset the desired compliance on a node when its OS changes.

Security fixes in this release:

  • Resolved security vulnerabilities present in embedded, third-party dependencies of the CIS-CAT Pro Assessor v4.41.0:
    • PostgreSQL JDBC driver (pgjdbc) updated to v42.7.2.
    • xmlsec (Apache Santuario) updated to v4.0.1.
    • cxf-core (Apache CXF) updated to v3.5.8.
    • Bouncy Castle updated to v1.78.
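A check worth running after the upgrade, added here as an example that is not part of the release notes or of Puppet's or CIS's own tooling: list the jars bundled with the assessor and confirm each of the four dependencies named above is at or above the stated version. It assumes the jars follow the usual Maven <artifactId>-<version>.jar naming (for example bcprov-jdk18on-1.78.jar for the Bouncy Castle provider), that the lib directory path is whatever your installation uses, and the sample listing it runs against is constructed.

```python
import re
from pathlib import Path

# Minimum versions named in the 3.0.0 notes, keyed by the Maven artifact id the
# bundled jar is assumed to be named after (assumption: <artifactId>-<version>.jar).
MINIMUM_VERSIONS = {
    "postgresql": "42.7.2",      # PostgreSQL JDBC driver (pgjdbc)
    "xmlsec": "4.0.1",           # Apache Santuario
    "cxf-core": "3.5.8",         # Apache CXF
    "bcprov-jdk18on": "1.78",    # Bouncy Castle provider (assumed artifact name)
}

# <artifact>-<numeric version>[-qualifier].jar; the lazy artifact group makes
# names such as bcprov-jdk18on-1.78.jar split at the numeric version.
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)*\.jar$"
)


def version_key(version, width=4):
    """Turn '1.78' into a zero-padded tuple so 1.78 == 1.78.0 and 42.7.2 > 42.7.1."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def audit_jar_names(jar_names, minimums=MINIMUM_VERSIONS):
    """Return {artifact: (found_version_or_None, meets_minimum)} for each artifact."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, version = m.group("artifact"), m.group("version")
        if artifact in minimums:
            # If several copies are present, judge by the lowest one: an old jar
            # left behind on the classpath can still be the one that gets loaded.
            if artifact not in found or version_key(version) < version_key(found[artifact]):
                found[artifact] = version
    result = {}
    for artifact, minimum in minimums.items():
        version = found.get(artifact)
        ok = version is not None and version_key(version) >= version_key(minimum)
        result[artifact] = (version, ok)
    return result


def audit_lib_dir(lib_dir):
    """Audit every *.jar directly under lib_dir (the path is deployment specific)."""
    return audit_jar_names(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed listing for a stand-alone run; xmlsec is deliberately too old.
SAMPLE_LISTING = [
    "postgresql-42.7.2.jar",
    "xmlsec-2.3.4.jar",
    "cxf-core-3.5.8.jar",
    "bcprov-jdk18on-1.78.jar",
    "commons-lang3-3.12.0.jar",  # out of scope, ignored
]

if __name__ == "__main__":
    for artifact, (version, ok) in audit_jar_names(SAMPLE_LISTING).items():
        status = "OK" if ok else "FAIL"
        print(f"{status:4} {artifact}: found {version}, minimum {MINIMUM_VERSIONS[artifact]}")
```

Point audit_lib_dir at the assessor's lib directory on a real host; a missing artifact is reported as a failure rather than silently passing, and a duplicate older jar is reported by its lowest version because filename-level checks cannot tell which copy the JVM will load.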

For upgrade instructions, see Upgrading.