From 00cfd2d541f716802714bb93b89b337b67990509 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sun, 20 Feb 2022 20:18:42 +0000
Subject: [PATCH] import scap-security-guide-0.1.60-4.el8

---
 ...ve-krb5-workstation-on-ovirt-PR_8233.patch | 26 +++++++++++
 ...nsible-service-disabled-task-PR_8226.patch | 44 +++++++++++++++++++
 SPECS/scap-security-guide.spec | 8 +++-
 3 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
 create mode 100644 SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch

diff --git a/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch b/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
new file mode 100644
index 0000000..588fa8e
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
@@ -0,0 +1,26 @@
+From 9c57a8718f82458fe3784263fdb1e51bd08fff83 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 16 Feb 2022 12:46:21 +0100
+Subject: [PATCH] Do not remove krb5-workstation package on oVirt
+
+---
+ .../system-tools/package_krb5-workstation_removed/rule.yml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+index 4d8951a9148..813474842ec 100644
+--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+@@ -27,6 +27,12 @@ references:
+ stigid@ol8: OL08-00-010162
+ stigid@rhel8: RHEL-08-010162
+
++platforms:
++{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}
++
++warnings:
++{{{ ovirt_rule_notapplicable_warning("RHV hosts require ipa-client package, which has dependency on krb5-workstation") | indent(4) }}}
++
+ {{{ complete_ocil_entry_package(package="krb5-workstation") }}}
+
+ template:
diff --git a/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch b/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
new file mode 100644
index 0000000..7103ed1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
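Review bot: The two macro lines added to rule.yml are spaced inconsistently — `indent(4)}}}` on the platforms line versus `indent(4) }}}` on the warnings line — while the existing `{{{ complete_ocil_entry_package(...) }}}` expression in the same hunk puts a space before `}}}`, so the platforms line should read `{{{ rule_notapplicable_when_ovirt_installed() | indent(4) }}}`. This hunk is the body of a new patch file, so the rule.yml it modifies is only visible through the inner hunk; if rule.yml already declares a `platforms:` or `warnings:` key outside it, the added keys would duplicate them and most YAML loaders keep only the last occurrence, which is worth checking before the patch is applied. The macro name suggests the rule is reported as notapplicable where oVirt is detected, which means the STIG items RHEL-08-010162 / OL08-00-010162 referenced just above are no longer evaluated on those hosts; the added warning documents the reason, and anyone tracking that STIG item on RHV should expect a notapplicable result rather than pass/fail.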
@@ -0,0 +1,44 @@
+From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Tue, 15 Feb 2022 14:12:55 +0100
+Subject: [PATCH] Simply mask services that should be disabled
+
+At some point Ansible started to return much more services in
+ansible_facts.services, including services that are not installed.
+This caused the task to think that the service exists, attempt to stop
+and mask the service.
+But systemd module fatal errors on non existing services, although the
+module ends up masking the service in question.
+
+The bash remediations simply mask the service, even if it is not
+installed.
+Let's do the same with Ansible, mask the service and ignore errors.
+
+One down side is that every non-existing service is reported as an
+error, which is ignored. But still a fatal error.
+---
+ shared/templates/service_disabled/ansible.template | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
+index 550ed563056..254f41ac7fd 100644
+--- a/shared/templates/service_disabled/ansible.template
++++ b/shared/templates/service_disabled/ansible.template
+@@ -6,16 +6,13 @@
+ {{%- if init_system == "systemd" %}}
+ - name: Disable service {{{ SERVICENAME }}}
+ block:
+- - name: Gather the service facts
+- service_facts:
+-
+ - name: Disable service {{{ SERVICENAME }}}
+ systemd:
+ name: "{{{ DAEMONNAME }}}.service"
+ enabled: "no"
+ state: "stopped"
+ masked: "yes"
+- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
++ ignore_errors: 'yes'
+
+ - name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+ command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 56d46f3..2b63dce 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
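Review bot: `ignore_errors: 'yes'` on the systemd task suppresses every failure of that task, not only the absent-unit case the commit message describes, so an installed unit that could not be stopped or masked (a systemd or D-Bus error, a unit that refuses to stop) would leave the remediation looking successful while the service is still running. Registering the result and narrowing the condition keeps the intended tolerance without hiding real failures, e.g. `register: disable_result` followed by `failed_when: disable_result is failed and '<unit-not-found message>' not in (disable_result.msg | default(''))`, with the placeholder replaced by the text the systemd module returns for a missing unit. The commit message itself notes that every missing unit is still surfaced as an ignored error, so operators reading play output cannot tell an absent unit from a masking failure; the narrowed `failed_when` also removes that noise. The `block:` opened in the inner hunk continues past it in ansible.template, so the socket-handling tasks that follow are outside this view.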
@@ -6,7 +6,7 @@ Name: scap-security-guide
 Version: 0.1.60
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 Group: Applications/System
@@ -58,6 +58,8 @@ Patch36: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
 Patch37: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
 Patch38: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
 Patch39: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
+Patch40: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
+Patch41: scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
 BuildRequires: libxslt
 BuildRequires: expat
@@ -162,6 +164,10 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %endif
 %changelog
+* Wed Feb 16 2022 Watson Sato - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014485)
+- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
+
 * Mon Feb 14 2022 Gabriel Becker - 0.1.60-3
 - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
 - Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
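Review bot: Patch40 and Patch41 are declared in the second hunk, but no matching `%patch40 -p1` / `%patch41 -p1` lines are added to `%prep`, and the diffstat's 7 insertions are fully accounted for by the lines shown here, so the new patches are only applied if the spec's `%prep` (outside this diff) uses `%autosetup -p1` or `%autopatch`. If `%prep` lists patches explicitly, both patch files would ship in the SRPM without ever being applied and the changelog claims for RHBZ#2014485 and RHBZ#2055149 would not hold. Worth confirming against `%prep` before the build, for example by running `rpmbuild -bp` and checking that ansible.template and the krb5-workstation rule.yml actually changed in the build tree.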