import scap-security-guide-0.1.60-4.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
322d963314
commit
00cfd2d541
|
|
@ -0,0 +1,26 @@
|
|||
From 9c57a8718f82458fe3784263fdb1e51bd08fff83 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Wed, 16 Feb 2022 12:46:21 +0100
|
||||
Subject: [PATCH] Do not remove krb5-workstation package on oVirt
|
||||
|
||||
---
|
||||
.../system-tools/package_krb5-workstation_removed/rule.yml | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
index 4d8951a9148..813474842ec 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
|
||||
@@ -27,6 +27,12 @@ references:
|
||||
stigid@ol8: OL08-00-010162
|
||||
stigid@rhel8: RHEL-08-010162
|
||||
|
||||
+platforms:
|
||||
+{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}
|
||||
+
|
||||
+warnings:
|
||||
+{{{ ovirt_rule_notapplicable_warning("RHV hosts require ipa-client package, which has dependency on krb5-workstation") | indent(4) }}}
|
||||
+
|
||||
{{{ complete_ocil_entry_package(package="krb5-workstation") }}}
|
||||
|
||||
template:
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 15 Feb 2022 14:12:55 +0100
|
||||
Subject: [PATCH] Simply mask services that should be disabled
|
||||
|
||||
At some point Ansible started to return much more services in
|
||||
ansible_facts.services, including services that are not installed.
|
||||
This caused the task to think that the service exists, attempt to stop
|
||||
and mask the service.
|
||||
But systemd module fatal errors on non existing services, although the
|
||||
module ends up masking the service in question.
|
||||
|
||||
The bash remediations simply mask the service, even if it is not
|
||||
installed.
|
||||
Let's do the same with Ansible, mask the service and ignore errors.
|
||||
|
||||
One down side is that every non-existing service is reported as an
|
||||
error, which is ignored. But still a fatal error.
|
||||
---
|
||||
shared/templates/service_disabled/ansible.template | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
|
||||
index 550ed563056..254f41ac7fd 100644
|
||||
--- a/shared/templates/service_disabled/ansible.template
|
||||
+++ b/shared/templates/service_disabled/ansible.template
|
||||
@@ -6,16 +6,13 @@
|
||||
{{%- if init_system == "systemd" %}}
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
block:
|
||||
- - name: Gather the service facts
|
||||
- service_facts:
|
||||
-
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
systemd:
|
||||
name: "{{{ DAEMONNAME }}}.service"
|
||||
enabled: "no"
|
||||
state: "stopped"
|
||||
masked: "yes"
|
||||
- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
|
||||
+ ignore_errors: 'yes'
|
||||
|
||||
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
|
||||
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.60
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
|
|
@ -58,6 +58,8 @@ Patch36: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
|
|||
Patch37: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
|
||||
Patch38: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
|
||||
Patch39: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
|
||||
Patch40: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
|
||||
Patch41: scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
|
|
@ -162,6 +164,10 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014485)
|
||||
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
|
||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
|
||||
|
|
|
|||
Loading…
Reference in New Issue