import scap-security-guide-0.1.60-7.el8

This commit is contained in:
CentOS Sources 2022-02-27 05:26:19 +00:00 committed by Stepan Oksanichenko
parent 00cfd2d541
commit 09daa8f7a7
6 changed files with 430 additions and 1 deletions


@ -0,0 +1,50 @@
From cd544b1ceec3cfc799faf24fc83e99f950d1c9c9 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Wed, 23 Feb 2022 12:21:17 -0600
Subject: [PATCH] Ensure that get_implemented_stigs in
utils/create_scap_delta_tailoring.py works for all case
Before this commit using resolved_rules_dir would deselect all rules
---
utils/create_scap_delta_tailoring.py | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
index 90e131cd01a..b1a44858a0f 100755
--- a/utils/create_scap_delta_tailoring.py
+++ b/utils/create_scap_delta_tailoring.py
@@ -103,24 +103,22 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path,
build_root):
platform_rules = get_platform_rules(product, json_path, resolved_rules_dir, build_root)
- if resolved_rules_dir:
- platform_rules_dict = dict()
- for rule in platform_rules:
- platform_rules_dict[rule['id']] = rule
- return platform_rules_dict
product_dir = os.path.join(root_path, "products", product)
product_yaml_path = os.path.join(product_dir, "product.yml")
env_yaml = ssg.environment.open_environment(build_config_yaml_path, str(product_yaml_path))
known_rules = dict()
for rule in platform_rules:
- try:
- rule_obj = handle_rule_yaml(product, rule['id'],
- rule['dir'], rule['guide'], env_yaml)
- except ssg.yaml.DocumentationNotComplete:
- sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id'])
- # Happens on non-debug build when a rule is "documentation-incomplete"
- continue
+ if resolved_rules_dir:
+ rule_obj = rule
+ else:
+ try:
+ rule_obj = handle_rule_yaml(product, rule['id'],
+ rule['dir'], rule['guide'], env_yaml)
+ except ssg.yaml.DocumentationNotComplete:
+ sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id'])
+ # Happens on non-debug build when a rule is "documentation-incomplete"
+ continue
if reference_str in rule_obj['references'].keys():
ref = rule_obj['references'][reference_str]
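Review bot: In the new `if resolved_rules_dir:` branch `rule_obj = rule` is then indexed as `rule_obj['references']` on the context line below, so every dict that get_platform_rules yields for a resolved rules dir must carry a `references` key — a resolved rule without one now raises KeyError instead of being skipped, while the non-resolved path at least catches DocumentationNotComplete. Presumably the resolved YAML is always a full rule, but `refs = rule_obj.get('references', {})` followed by `if reference_str in refs:` is the defensive form and also drops the redundant `.keys()` lookup. The stderr message re-added in this hunk has no trailing newline, so consecutive messages concatenate; `sys.stderr.write('Rule %s throws DocumentationNotComplete\n' % rule['id'])` fixes both that and the grammar. get_implemented_stigs starts and ends outside the hunk.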


@ -0,0 +1,22 @@
From 50eb163d9e9751c2e8cf8129523a8cf7e07a5930 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 17 Feb 2022 12:49:32 -0600
Subject: [PATCH] get_implemented_stigs in utils/create_scap_delta_tailoring.py
should return the implemented stig items
---
utils/create_scap_delta_tailoring.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py
index 2c3c5d0df32..25ad1aef66e 100755
--- a/utils/create_scap_delta_tailoring.py
+++ b/utils/create_scap_delta_tailoring.py
@@ -127,6 +127,7 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path,
known_rules[ref].append(rule['id'])
else:
known_rules[ref] = [rule['id']]
+ return known_rules
get_implemented_stigs.__annotations__ = {'product': str, 'root_path': str,
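Review bot: Now that `return known_rules` makes the mapping the function's result, nothing in view documents its shape; from the lines above it is a dict keyed by each reference value `ref` with a list of `rule['id']` values as the value. Add to the function's docstring (the function header is outside the hunk, so whether one exists cannot be seen here) something like `Returns: dict mapping each reference found under reference_str to the list of rule ids that carry it.` The `__annotations__` assignment on the following line would be the natural place for a matching `'return': dict` entry if it does not already have one; the rest of that statement is outside the hunk.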


@ -0,0 +1,116 @@
From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 22 Feb 2022 17:15:43 +0100
Subject: [PATCH 1/3] remove extend definition from ovals
---
.../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml | 1 -
.../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 -
2 files changed, 2 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
index c5ae0550e6b..52d86fd4478 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml
@@ -5,7 +5,6 @@
<extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="proc_sys_crypto_fips_enabled" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
</criteria>
</definition>
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 699dca06dd1..6c3f57e143f 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -6,7 +6,6 @@
<extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
<extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
<extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
<criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
</criteria>
</definition>
From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 22 Feb 2022 17:17:28 +0100
Subject: [PATCH 2/3] chang warning and description
---
.../integrity/fips/enable_fips_mode/rule.yml | 25 ++++---------------
1 file changed, 5 insertions(+), 20 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
index 9d89114b07f..6b055eac8ff 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -13,11 +13,9 @@ description: |-
<ul>
<li>Setting the kernel FIPS mode flag (<tt>/proc/sys/crypto/fips_enabled</tt>) to <tt>1</tt></li>
<li>Creating <tt>/etc/system-fips</tt></li>
- <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>FIPS</tt></li>
+ <li>Setting the system crypto policy in <tt>/etc/crypto-policies/config</tt> to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt></li>
<li>Loading the Dracut <tt>fips</tt> module</li>
</ul>
- This rule also ensures that the system policy is set to <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>.
- Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
rationale: |-
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
@@ -48,7 +46,7 @@ references:
ocil_clause: 'FIPS mode is not enabled'
ocil: |-
- To verify that FIPS is enabled properly, run the following command:
+ To verify that FIPS mode is enabled properly, run the following command:
<pre>fips-mode-setup --check</pre>
The output should contain the following:
<pre>FIPS mode is enabled.</pre>
@@ -61,19 +59,6 @@ warnings:
- general: |-
The system needs to be rebooted for these changes to take effect.
- regulatory: |-
- System Crypto Modules must be provided by a vendor that undergoes
- FIPS-140 certifications.
- FIPS-140 is applicable to all Federal agencies that use
- cryptographic-based security systems to protect sensitive information
- in computer and telecommunication systems (including voice systems) as
- defined in Section 5131 of the Information Technology Management Reform
- Act of 1996, Public Law 104-106. This standard shall be used in
- designing and implementing cryptographic modules that Federal
- departments and agencies operate or are operated for them under
- contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
- To meet this, the system has to have cryptographic software provided by
- a vendor that has undergone this certification. This means providing
- documentation, test results, design information, and independent third
- party review by an accredited lab. While open source software is
- capable of meeting this, it does not meet FIPS-140 unless the vendor
- submits to this process.
+ This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
+ This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001
From: vojtapolasek <krecoun@gmail.com>
Date: Wed, 23 Feb 2022 09:16:09 +0100
Subject: [PATCH 3/3] Update
linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
index 6b055eac8ff..30cbc939bed 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml
@@ -60,5 +60,5 @@ warnings:
The system needs to be rebooted for these changes to take effect.
- regulatory: |-
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
- You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}.
+ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
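Review bot: The rewritten `regulatory` warning (the three lines at the end of the last hunk) states what the rule does not check before it says what it does, and its closing "See the rule description for more information about what it means" leaves "it" ambiguous. Leading with the positive statement reads better for an assessor: `This rule checks only that the system is running in FIPS mode (see the description for what that entails). It DOES NOT CHECK whether the operating system's cryptographic components are FIPS validated; validated modules are listed at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}.` Patch 2/3 also changes the description to say the crypto policy is set to `{{{ xccdf_value("var_system_crypto_policy") }}}` while dropping the sentence about FIPS; since the OVAL criterion compares the policy against that same variable, the description should presumably say the variable is expected to select FIPS for this rule to be meaningful — worth confirming against how the profiles set it.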


@ -0,0 +1,146 @@
From 0ffb73fe67cb5773037f62895e6fdc93195f7c38 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Feb 2022 12:55:10 +0100
Subject: [PATCH] Remove tmux process runinng check from
configure_bashrc_exec_tmux.
This check can cause troubles since the user must be logged to show up
as tmux running. For example, an evaluation happening through a cron job
wouldn't be able to make this rule work, since no terminal is being
used.
---
.../configure_bashrc_exec_tmux/oval/shared.xml | 10 ----------
.../configure_bashrc_exec_tmux/rule.yml | 14 +-------------
.../tests/correct_value.pass.sh | 1 -
.../tests/correct_value_d_directory.pass.sh | 1 -
.../tests/duplicate_value_multiple_files.pass.sh | 1 -
.../tests/tmux_not_running.fail.sh | 13 -------------
.../tests/wrong_value.fail.sh | 2 --
7 files changed, 1 insertion(+), 41 deletions(-)
delete mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
index 4cb2f9e0e04..58f91eadf66 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
@@ -4,7 +4,6 @@
<criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
<criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
test_ref="test_configure_bashrc_exec_tmux" />
- <criterion comment="check tmux is running" test_ref="test_tmux_running"/>
</criteria>
</definition>
<ind:textfilecontent54_test check="all" check_existence="all_exist"
@@ -18,13 +17,4 @@
<ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
-
- <unix:process58_test check="all" id="test_tmux_running" comment="is tmux running" version="1">
- <unix:object object_ref="obj_tmux_running"/>
- </unix:process58_test>
-
- <unix:process58_object id="obj_tmux_running" version="1">
- <unix:command_line operation="pattern match">^tmux(?:|[\s]+.*)$</unix:command_line>
- <unix:pid datatype="int" operation="greater than">0</unix:pid>
- </unix:process58_object>
</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
index 7afc5fc5e6b..9f224748894 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml
@@ -8,19 +8,11 @@ description: |-
The <tt>tmux</tt> terminal multiplexer is used to implement
automatic session locking. It should be started from
<tt>/etc/bashrc</tt> or drop-in files within <tt>/etc/profile.d/</tt>.
- Additionally it must be ensured that the <tt>tmux</tt> process is running
- and it can be verified with the following command:
- <pre>ps all | grep tmux | grep -v grep</pre>
rationale: |-
Unlike <tt>bash</tt> itself, the <tt>tmux</tt> terminal multiplexer
provides a mechanism to lock sessions after period of inactivity.
-warnings:
- - general: |-
- The remediation does not start the tmux process, so it must be
- manually started or have the system rebooted after applying the fix.
-
severity: medium
identifiers:
@@ -34,7 +26,7 @@ references:
stigid@ol8: OL08-00-020041
stigid@rhel8: RHEL-08-020041
-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running'
+ocil_clause: 'exec tmux is not present at the end of bashrc'
ocil: |-
To verify that tmux is configured to execute,
@@ -46,9 +38,5 @@ ocil: |-
name=$(ps -o comm= -p $parent)
case "$name" in sshd|login) exec tmux ;; esac
fi</pre>
- To verify that the tmux process is running,
- run the following command:
- <pre>ps all | grep tmux | grep -v grep</pre>
- If the command does not produce output, this is a finding.
platform: machine
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
index 221c18665ef..fbc7590f27d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh
@@ -9,4 +9,3 @@ if [ "$PS1" ]; then
fi
EOF
-tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
index 1702bb17e79..6107f86f248 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh
@@ -10,4 +10,3 @@ if [ "$PS1" ]; then
fi
EOF
-tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
index 16d4acfcb5a..c662221eca1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh
@@ -17,4 +17,3 @@ if [ "$PS1" ]; then
fi
EOF
-tmux new-session -s root -d
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
deleted file mode 100644
index 6cb9d83efc5..00000000000
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-# packages = tmux
-# remediation = none
-
-cat >> /etc/bashrc <<'EOF'
-if [ "$PS1" ]; then
- parent=$(ps -o ppid= -p $$)
- name=$(ps -o comm= -p $parent)
- case "$name" in sshd|login) exec tmux ;; esac
-fi
-EOF
-
-killall tmux || true
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
index f13a8b038e4..9b461654572 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh
@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then
fi
# vim:ts=4:sw=4
EOF
-
-tmux new-session -s root -d
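Review bot: With the process criterion and the whole `warnings` block removed from rule.yml, nothing in the rule text tells an assessor that a pass no longer implies tmux is actually in use — the rule now only verifies the `exec tmux` snippet in /etc/bashrc or /etc/profile.d/. The reason given in the patch subject (unattended evaluations, e.g. from cron, have no interactive session) belongs with the rule rather than only in git history, so consider keeping a warnings entry such as `- general: |- This rule only verifies the bashrc configuration; it does not check whether a tmux process is running, because unattended evaluations have no interactive session.` The OVAL, ocil_clause and test changes are consistent with the narrowed scope.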


@ -0,0 +1,79 @@
From ea49c71011c1815b2889c5a004c79c99faff4a1c Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Wed, 23 Feb 2022 18:23:22 +0100
Subject: [PATCH] Adjsut partitions sizes to acomodate a GUI install
The GUI requires more room in the /usr partition.
Let's reduce /otp, /srv and /home, which should not have any data.
---
.../rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 8 ++++----
products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 8 ++++----
.../kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 8 ++++----
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 9c02e5c2ac1..cc18e8cd16f 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/tmp Located On Separate Partition
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
index 68729408698..3e99b4d0f99 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
@@ -104,13 +104,13 @@ volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/tmp Located On Separate Partition
diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
index 1f703d127e5..31d10a7e97e 100644
--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
# Ensure /usr Located On Separate Partition
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev"
# Ensure /opt Located On Separate Partition
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /srv Located On Separate Partition
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
# Ensure /home Located On Separate Partition
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/tmp Located On Separate Partition
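Review bot: All three kickstart hunks change /usr, /opt, /srv and /home identically, but the comment above each logvol still only names the separate-partition rule, so the reason for the uneven 6536 MiB /usr figure and the halved /opt, /srv and /home lives only in the commit message. A one-line comment above the /usr entry in each file, e.g. `# /usr is sized for a GUI install; /opt, /srv and /home are reduced to compensate`, would stop the values from being "rounded" back later. Whether 512 MiB for /home is enough for a GUI session's per-user caches is not something the hunk shows; worth confirming against the intended use of these kickstarts.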


@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.60
Release: 4%{?dist}
Release: 7%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -60,6 +60,11 @@ Patch38: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
Patch39: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
Patch40: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
Patch41: scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch
Patch42: scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch
Patch43: scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch
Patch44: scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch
Patch45: scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch
Patch46: scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch
BuildRequires: libxslt
BuildRequires: expat
@ -164,6 +169,17 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014485)
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
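Review bot: Three of the new changelog lines (both delta-tailoring fixes and the enable_fips_mode update) cite RHBZ#2014485, the same number the existing 0.1.60-4 Ansible entry already carries; that looks like one bug number copied across unrelated changes, so confirm each entry points at its own bug. `runinng` in the 0.1.60-5 entry is a typo for `running` (it is also in the upstream patch subject, but the changelog line is ours to correct). The five new Patch42–Patch46 declarations are added here, but the %prep section that applies them is outside this section, so whether they are picked up cannot be confirmed from the hunk.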