release: 0.9.8.1 — audit-grade compliance PDFs, hardening fixes, log rotation

Compliance Dashboard
- Per-framework PDF restructured to a real audit-report layout (cover, disclaimer
  up front, executive summary with posture rating, top findings, scope of
  assessment, methodology, findings by severity, per-node coverage, per-family
  detail with severity column, appendix B remediation plan with priority and
  recommended timeline, appendix C evidence with verbose check output,
  appendix D glossary).
- Real CMMC L1/L2 (NIST 800-171), NIST 800-53 Mod, DISA STIG, ISO 27001:2022
  Annex A, BSI Grundschutz, VS-NfD control IDs mapped to PegaProx internal
  checks (47 controls × 7 frameworks). Lives in core/compliance_mapping.py.
- Per-control severity (high/medium/low/informational) and remediation
  timeline (within 30 / 90 / 180 days).
- "PegaProx control" column in the per-family / remediation tables matches
  the checkbox names in Settings → Compliance → Harden PVE Node, with an
  explicit operator-handoff note.
- New API endpoint GET /api/compliance/mapping serves the data structure.

Hardening
- pw_quality now wires pam_pwquality.so into /etc/pam.d/common-password.
- pw_history avoids use_authtok unless pwquality is configured ahead of it,
  preventing "Authentication token manipulation error" on every passwd call.
- New control: pam_password_repair (Repair PAM password stack — recovery)
  detects + fixes the broken stack in one click. Idempotent on healthy
  systems.

Logging
- Per-cluster operational log capped at 3h via new
  utils/log_handler.CappedTimedFileHandler (#345, #348). Audit log unaffected.
- SSH error log now shows the real stderr line instead of the SSH
  banner-padding asterisks.

Bugfixes
- Modern Layout Re-configure Cluster icon now works — setReconfigureCluster
  prop was missing in ClusterSidebarItem (#346).
- Manifest carry-over from #344: 4 new 0.9.8 modules in update_files.

Sponsors
- New Silver Sponsor: uvensys GmbH.

Author: mkellermann97

README.md

@@ -16,7 +16,7 @@
 </p>
 
 <p align="center">
-  <img src="https://img.shields.io/badge/version-0.9.8--beta-blue" alt="Version"/>
+  <img src="https://img.shields.io/badge/version-0.9.8.1--beta-blue" alt="Version"/>
   <img src="https://img.shields.io/badge/python-3.8+-green" alt="Python"/>
   <img src="https://img.shields.io/badge/license-AGPL--3.0--License-orange" alt="License"/>
 </p>
@@ -51,7 +51,9 @@ PegaProx is a powerful web-based management interface for Proxmox VE and XCP-ng
 ### 🥈 Silver
 
 <p align="center">
-  <em>Your logo here</em> — <a href="mailto:sponsor@pegaprox.com">Become a Silver Sponsor</a>
+  <a href="https://uvensys.de/">
+    <img src="images/sponsors/uvensys.png" alt="uvensys GmbH" width="160"/>
+  </a>
 </p>
 
 ### 🥉 Bronze

images/sponsors/uvensys.png

@@ -646,6 +646,49 @@ def apply_hardening(cluster_id, node):
     })
 
 
+# ============================================
+# Compliance framework mapping  -  MK Apr 2026
+# Frontend pulls these to render the compliance PDFs with real
+# CMMC / NIST / STIG / ISO / BSI control IDs instead of our internal
+# names like "pam_faillock". See pegaprox/core/compliance_mapping.py
+# ============================================
+
+@bp.route('/api/compliance/mapping', methods=['GET'])
+@require_auth()
+def compliance_mapping_api():
+    framework = (request.args.get('framework', '') or '').strip().lower()
+    from pegaprox.core import compliance_mapping as cm
+    payload_full = {
+        'family_labels':       cm.FAMILY_LABELS,
+        'mappings':            cm.FRAMEWORK_MAPPING,
+        'remediation':         cm.REMEDIATION,
+        'severity':            cm.SEVERITY,
+        'recommended_timeline': cm.RECOMMENDED_TIMELINE,
+        'priority_level':      cm.PRIORITY_LEVEL,
+        'framework_meta':      cm.FRAMEWORK_META,
+        'posture_levels':      cm.POSTURE_LEVELS,
+        'glossary':            cm.GLOSSARY,
+        'methodology':         cm.METHODOLOGY,
+    }
+    if not framework:
+        return jsonify(payload_full)
+    if framework not in cm.FRAMEWORK_MAPPING:
+        return jsonify({'error': f'unknown framework: {framework}'}), 400
+    return jsonify({
+        'framework':    framework,
+        'family_labels': cm.FAMILY_LABELS,
+        'mapping':      cm.FRAMEWORK_MAPPING[framework],
+        'remediation':  cm.REMEDIATION,
+        'severity':     cm.SEVERITY,
+        'recommended_timeline': cm.RECOMMENDED_TIMELINE,
+        'priority_level': cm.PRIORITY_LEVEL,
+        'framework_meta': cm.FRAMEWORK_META.get(framework, {}),
+        'posture_levels': cm.POSTURE_LEVELS,
+        'glossary':     cm.GLOSSARY,
+        'methodology':  cm.METHODOLOGY,
+    })
+
+
 # ============================================
 # Legacy Fallback Endpoints
 # old tags endpoints, kept for compat, these prevent 404s

pegaprox/api/reports.py

@@ -8,8 +8,8 @@
 from pathlib import Path
 
 # Version
-PEGAPROX_VERSION = "Beta 0.9.8"
-PEGAPROX_BUILD = "2026.04.25"
+PEGAPROX_VERSION = "Beta 0.9.8.1"
+PEGAPROX_BUILD = "2026.04.28"
 
 # File Paths & Directories
 CONFIG_DIR = 'config'

pegaprox/constants.py

@@ -156,6 +156,24 @@ def _wrap_with_sudo(cmd):
     return f"echo {enc} | base64 -d | sudo -n bash"
 
 
+def _ssh_stderr_excerpt(stderr, max_chars=240):
+    """Last meaningful line of SSH stderr, capped.
+
+    OpenSSH dumps the full pre-auth banner (often a 70+ char asterisk border
+    followed by AUP text) BEFORE the actual error like
+    'Permission denied (publickey,password)' / 'Connection refused' /
+    'Host key verification failed'. Logging stderr[:200] then shows nothing
+    but banner. Take the last non-empty line — that's where SSH puts the
+    error. MK Apr 2026.
+    """
+    if not stderr:
+        return 'no error output'
+    lines = [ln.strip() for ln in stderr.splitlines() if ln.strip()]
+    if not lines:
+        return 'no error output'
+    return lines[-1][:max_chars]
+
+
 class PegaProxManager:
     """
     main cluster manager - NS
@@ -309,11 +327,11 @@ def __init__(self, cluster_id: str, config: PegaProxConfig):
         if self.logger.handlers:
             self.logger.handlers.clear()
 
-        # File handler - DEBUG level (for troubleshooting). Capped at 6h of data,
-        # rotated content is discarded — see #345 / #348 (#348: shipped VM was
-        # filling its own disk on busy clusters).
+        # File handler - DEBUG level (for troubleshooting). Capped at 3h of data,
+        # rotated content is discarded — see #345 / #348. 3h because 20+ node
+        # clusters can hit ~100 MB/h, 6h was still rough on small disks.
         from pegaprox.utils.log_handler import CappedTimedFileHandler
-        fh = CappedTimedFileHandler(f"{LOG_DIR}/{cluster_id}.log", when='H', interval=6, backupCount=0)
+        fh = CappedTimedFileHandler(f"{LOG_DIR}/{cluster_id}.log", when='H', interval=3, backupCount=0)
         fh.setLevel(logging.DEBUG)
 
         # Console handler - INFO level (no DEBUG spam)
@@ -5013,7 +5031,7 @@ def _ssh_run_command_output(self, host: str, user: str, command: str, timeout: i
             )
             if result.returncode == 0:
                 return result.stdout
-            self.logger.debug(f"[SSH] Command failed on {host}: {result.stderr[:200] if result.stderr else 'no error output'}")
+            self.logger.debug(f"[SSH] Command failed on {host}: {_ssh_stderr_excerpt(result.stderr)}")
             return None
         except subprocess.TimeoutExpired:
             self.logger.debug(f"[SSH] Command timed out on {host}")
@@ -5054,7 +5072,7 @@ def _ssh_run_command_with_key_output(self, host: str, user: str, command: str, k
                 )
                 if result.returncode == 0:
                     return result.stdout
-                self.logger.debug(f"[SSH] Key auth failed on {host}: {result.stderr[:200] if result.stderr else 'no error output'}")
+                self.logger.debug(f"[SSH] Key auth failed on {host}: {_ssh_stderr_excerpt(result.stderr)}")
                 return None
             finally:
                 os.unlink(key_file)
@@ -5092,7 +5110,7 @@ def _ssh_run_command_with_password_output(self, host: str, user: str, command: s
             )
             if result.returncode == 0:
                 return result.stdout
-            self.logger.debug(f"[SSH] Password auth failed on {host}: {result.stderr[:200] if result.stderr else 'no error output'}")
+            self.logger.debug(f"[SSH] Password auth failed on {host}: {_ssh_stderr_excerpt(result.stderr)}")
             return None
         except FileNotFoundError:
             self.logger.debug(f"[SSH] sshpass not installed - cannot use password auth")
@@ -12623,16 +12641,24 @@ def scan_node_packages(self, node_name):
         },
         'pw_history': {
             'check': """grep -q 'pam_pwhistory.so' /etc/pam.d/common-password 2>/dev/null && echo OK || echo FAIL""",
+            # MK Apr 2026 — bugfix: do NOT use_authtok unless pam_pwquality.so is already
+            # in the stack ahead of us. Without a prior module to set the authtok the
+            # `passwd` command dies with "Authentication token manipulation error" because
+            # pwhistory is asked to use a token that nobody set. Reported by NS while
+            # testing CIS hardening on PVE 9.
             'apply': """if ! grep -q pam_pwhistory /etc/pam.d/common-password 2>/dev/null; then
   if grep -q 'pam_unix.so' /etc/pam.d/common-password 2>/dev/null; then
     cp /etc/pam.d/common-password /etc/pam.d/common-password.bak.cis
-    sed -i '/pam_unix.so/i password    required    pam_pwhistory.so remember=24 use_authtok' /etc/pam.d/common-password
-    # verify PAM still valid, rollback if broken
-    if ! pam_tally2 --help >/dev/null 2>&1 && ! pamtester --help >/dev/null 2>&1; then
-      # no PAM test tool available, at least verify file not empty
-      if [ ! -s /etc/pam.d/common-password ]; then
-        cp /etc/pam.d/common-password.bak.cis /etc/pam.d/common-password
-      fi
+    if grep -q 'pam_pwquality.so' /etc/pam.d/common-password 2>/dev/null; then
+      PWHIST_LINE='password    required    pam_pwhistory.so remember=24 use_authtok'
+    else
+      # No pwquality yet — let pwhistory prompt itself instead of expecting a chained token.
+      PWHIST_LINE='password    required    pam_pwhistory.so remember=24'
+    fi
+    sed -i "/pam_unix.so/i $PWHIST_LINE" /etc/pam.d/common-password
+    # rollback if file ended up empty (sed misbehavior on weird locales etc.)
+    if [ ! -s /etc/pam.d/common-password ]; then
+      cp /etc/pam.d/common-password.bak.cis /etc/pam.d/common-password
     fi
   fi
 fi
@@ -12698,7 +12724,12 @@ def scan_node_packages(self, node_name):
 echo DONE""",
         },
         'pw_quality': {
-            'check': """dpkg -l libpam-pwquality 2>/dev/null | grep -q '^ii' && echo OK || echo FAIL""",
+            # MK Apr 2026 — also add pam_pwquality.so to the PAM stack. Previous version
+            # only installed the package + wrote pwquality.conf which did nothing because
+            # the module was never wired into common-password. Insert BEFORE pam_pwhistory
+            # if it's already there (so pwquality runs first → sets authtok → pwhistory
+            # uses_authtok), else before pam_unix.
+            'check': """dpkg -l libpam-pwquality 2>/dev/null | grep -q '^ii' && grep -q 'pam_pwquality.so' /etc/pam.d/common-password 2>/dev/null && echo OK || echo FAIL""",
             'apply': """apt-get install -y libpam-pwquality >/dev/null 2>&1
 cat > /etc/security/pwquality.conf << 'PWEOF'
 # Lynis AUTH-9262: Password quality requirements
@@ -12712,6 +12743,90 @@ def scan_node_packages(self, node_name):
 gecoscheck = 1
 dictcheck = 1
 PWEOF
+if ! grep -q 'pam_pwquality.so' /etc/pam.d/common-password 2>/dev/null; then
+  if grep -q 'pam_unix.so' /etc/pam.d/common-password 2>/dev/null; then
+    cp /etc/pam.d/common-password /etc/pam.d/common-password.bak.cis-pwq
+    if grep -q 'pam_pwhistory.so' /etc/pam.d/common-password 2>/dev/null; then
+      sed -i '/pam_pwhistory.so/i password    requisite    pam_pwquality.so retry=3' /etc/pam.d/common-password
+    else
+      sed -i '/pam_unix.so/i password    requisite    pam_pwquality.so retry=3' /etc/pam.d/common-password
+    fi
+    if [ ! -s /etc/pam.d/common-password ]; then
+      cp /etc/pam.d/common-password.bak.cis-pwq /etc/pam.d/common-password
+    fi
+  fi
+fi
+echo DONE""",
+        },
+        # MK Apr 2026 — Recovery control for PAM password stack. Detects the
+        # `pam_pwhistory.so use_authtok` without prior `pam_pwquality.so` situation
+        # (causes "Authentication token manipulation error" on every passwd call),
+        # repairs by either inserting pam_pwquality before pwhistory or stripping
+        # use_authtok if libpam-pwquality isn't installed. Idempotent — re-running
+        # on a healthy system is a no-op.
+        'pam_password_repair': {
+            # MK Apr 2026 — IMPORTANT: this check runs as part of a composite
+            # `{ check1; }; { check2; }; ...` chain. Brace groups share the parent
+            # shell's process, so a stray `exit 0` here would terminate ALL
+            # subsequent control checks. Use elif chain instead — no exits.
+            'check': """COMMON=/etc/pam.d/common-password
+if [ ! -f "$COMMON" ]; then
+  echo OK
+elif ! grep -q 'pam_pwhistory.so' "$COMMON" 2>/dev/null; then
+  echo OK
+elif ! grep 'pam_pwhistory.so' "$COMMON" | grep -q 'use_authtok'; then
+  echo OK
+elif awk '/pam_pwquality.so/{q=NR} /pam_pwhistory.so/{h=NR} END{exit !(q && q<h)}' "$COMMON"; then
+  echo OK
+else
+  echo FAIL
+fi""",
+            'verbose_check': """COMMON=/etc/pam.d/common-password
+echo '--- /etc/pam.d/common-password (password-stack lines) ---'
+grep -nE 'password\\s+(required|requisite|sufficient|optional)' "$COMMON" 2>/dev/null || echo '(no password lines found)'
+echo '--- libpam-pwquality status ---'
+dpkg -l libpam-pwquality 2>/dev/null | tail -1 || echo '(not installed)'""",
+            'apply': """COMMON=/etc/pam.d/common-password
+if [ ! -f "$COMMON" ]; then
+  echo "(no $COMMON — nothing to repair)"
+  echo DONE; exit 0
+fi
+if ! grep -q 'pam_pwhistory.so' "$COMMON" 2>/dev/null; then
+  echo "(pam_pwhistory not configured — nothing to repair)"
+  echo DONE; exit 0
+fi
+# already healthy?
+if awk '/pam_pwquality.so/{q=NR} /pam_pwhistory.so/{h=NR} END{exit !(q && q<h)}' "$COMMON"; then
+  if grep 'pam_pwhistory.so' "$COMMON" | grep -q 'use_authtok'; then
+    echo "(pam stack healthy: pwquality > pwhistory)"
+    echo DONE; exit 0
+  fi
+fi
+# also healthy if pwhistory has no use_authtok (it prompts itself, no chain needed)
+if ! grep 'pam_pwhistory.so' "$COMMON" | grep -q 'use_authtok'; then
+  echo "(pam stack healthy: pwhistory standalone, no use_authtok)"
+  echo DONE; exit 0
+fi
+TS=$(date +%s)
+cp "$COMMON" "$COMMON.bak.repair-$TS"
+# Prefer wiring in pwquality if the package is installed, else strip use_authtok.
+if dpkg -l libpam-pwquality 2>/dev/null | grep -q '^ii'; then
+  # remove any malformed pwquality line first
+  sed -i '/pam_pwquality.so/d' "$COMMON"
+  # insert pwquality requisite line right BEFORE the pwhistory line
+  sed -i '/pam_pwhistory.so/i password    requisite    pam_pwquality.so retry=3' "$COMMON"
+  echo "added pam_pwquality.so before pam_pwhistory.so (backup: $COMMON.bak.repair-$TS)"
+else
+  # no pwquality package — strip use_authtok so pwhistory prompts itself
+  sed -i 's| use_authtok||g' "$COMMON"
+  echo "removed use_authtok from pam_pwhistory.so (libpam-pwquality not installed) (backup: $COMMON.bak.repair-$TS)"
+fi
+# safety: empty file? roll back
+if [ ! -s "$COMMON" ]; then
+  cp "$COMMON.bak.repair-$TS" "$COMMON"
+  echo "ROLLED BACK — file was emptied by sed"
+  exit 1
+fi
 echo DONE""",
         },
         'pw_aging': {

pegaprox/core/compliance_mapping.py

@@ -135,9 +135,9 @@ def __init__(self, cluster_id: str, config):
         self.logger.propagate = False
         if self.logger.handlers:
             self.logger.handlers.clear()
-        # 6h cap on the per-cluster log to keep disk under control (#345/#348)
+        # 3h cap on the per-cluster log to keep disk under control (#345/#348)
         from pegaprox.utils.log_handler import CappedTimedFileHandler
-        fh = CappedTimedFileHandler(f"{LOG_DIR}/{cluster_id}.log", when='H', interval=6, backupCount=0)
+        fh = CappedTimedFileHandler(f"{LOG_DIR}/{cluster_id}.log", when='H', interval=3, backupCount=0)
         fh.setLevel(logging.DEBUG)
         ch = logging.StreamHandler()
         ch.setLevel(logging.INFO)

pegaprox/core/manager.py

@@ -1,8 +1,19 @@
 {
-    "version": "0.9.8",
-    "build": "2026.04.25",
-    "release_date": "2026-04-25",
+    "version": "0.9.8.1",
+    "build": "2026.04.28",
+    "release_date": "2026-04-28",
     "changelog": [
+        "Compliance Dashboard: per-framework PDFs restructured to a real audit-report layout (cover, executive summary, scope, methodology, findings by severity, per-family detail with severity column, remediation appendix with priority + recommended timeline, evidence appendix with verbose check output, glossary)",
+        "Compliance: real CMMC L1/L2 (NIST 800-171), NIST 800-53, DISA STIG, ISO 27001 Annex A 2022, BSI Grundschutz, VS-NfD control IDs mapped to PegaProx internal checks (47 controls × 7 frameworks)",
+        "Compliance: per-control severity rating (high/medium/low/informational) and recommended remediation timeline (within 30/90/180 days)",
+        "Hardening: pw_quality now wires pam_pwquality.so into the PAM password stack (previous version only installed the package + wrote pwquality.conf)",
+        "Hardening: pw_history avoids use_authtok unless pam_pwquality.so is configured ahead of it — fixes 'Authentication token manipulation error' on every passwd call",
+        "Hardening: new recovery control 'Repair PAM password stack' (pam_password_repair) — one-click fix for systems with the broken PAM stack",
+        "Per-cluster operational log capped at 3h of writes — bounded disk use even on 20+-node clusters (#345, #348). Audit log unaffected",
+        "SSH error logging now shows the actual error instead of the SSH banner asterisks",
+        "Modern Layout: Re-configure Cluster icon now works (setReconfigureCluster prop was missing in the sidebar component) (#346)",
+        "Manifest fix: 4 new 0.9.8 modules (webauthn, metrics_exporter, ssh_pool, webhooks) added to update_files for incremental updaters (#344)",
+        "New Silver Sponsor: uvensys GmbH — thanks!",
         "ESXi → Proxmox migration: near-zero-downtime live mirror, multi-disk Windows support, 4K LUN compatibility",
         "Optional VirtIO driver pre-staging for migrated Windows guests (works on LVM, ZFS, Ceph RBD and NFS targets)",
         "Better ESXi connection reliability — periodic keepalive + auto-reconnect on stale sessions",
@@ -32,6 +43,7 @@
         "images/sponsors/sponsor1.png",
         "images/sponsors/sponsor2.png",
         "images/sponsors/idkmanager.png",
+        "images/sponsors/uvensys.png",
         "misc/proxmox-lxc-appliance-creator.sh",
         "pegaprox/__init__.py",
         "pegaprox/api/__init__.py",
@@ -75,6 +87,7 @@
         "pegaprox/constants.py",
         "pegaprox/core/__init__.py",
         "pegaprox/core/cache.py",
+        "pegaprox/core/compliance_mapping.py",
         "pegaprox/core/config.py",
         "pegaprox/core/db.py",
         "pegaprox/core/manager.py",