From 09daa8f7a7af59f363b0bdd822c58af93d35bac7 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sun, 27 Feb 2022 05:26:19 +0000 Subject: [PATCH] import scap-security-guide-0.1.60-7.el8 --- ...e-0.1.61-delta_tailoring_fix-PR_8262.patch | 50 ++++++ ...ug_in_delta_tailering_script-PR_8245.patch | 22 +++ ...-0.1.61-fix_enable_fips_mode-PR_8255.patch | 116 ++++++++++++++ ...e_tmux_process_running_check-PR_8246.patch | 146 ++++++++++++++++++ ...e-anssi-kickstart-partitions-PR_8261.patch | 79 ++++++++++ SPECS/scap-security-guide.spec | 18 ++- 6 files changed, 430 insertions(+), 1 deletion(-) create mode 100644 SOURCES/scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch create mode 100644 SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch create mode 100644 SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch create mode 100644 SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch create mode 100644 SOURCES/scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch diff --git a/SOURCES/scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch b/SOURCES/scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch new file mode 100644 index 0000000..3b0e18d --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch 
@@ -0,0 +1,50 @@ +From cd544b1ceec3cfc799faf24fc83e99f950d1c9c9 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Wed, 23 Feb 2022 12:21:17 -0600 +Subject: [PATCH] Ensure that get_implemented_stigs in + utils/create_scap_delta_tailoring.py works for all case + +Before this commit using resolved_rules_dir would deselect all rules +--- + utils/create_scap_delta_tailoring.py | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py +index 90e131cd01a..b1a44858a0f 100755 +--- a/utils/create_scap_delta_tailoring.py ++++ b/utils/create_scap_delta_tailoring.py +@@ -103,24 +103,22 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path, + build_root): + platform_rules = get_platform_rules(product, json_path, resolved_rules_dir, build_root) + +- if resolved_rules_dir: +- platform_rules_dict = dict() +- for rule in platform_rules: +- platform_rules_dict[rule['id']] = rule +- return platform_rules_dict + product_dir = os.path.join(root_path, "products", product) + product_yaml_path = os.path.join(product_dir, "product.yml") + env_yaml = ssg.environment.open_environment(build_config_yaml_path, str(product_yaml_path)) + + known_rules = dict() + for rule in platform_rules: +- try: +- rule_obj = handle_rule_yaml(product, rule['id'], +- rule['dir'], rule['guide'], env_yaml) +- except ssg.yaml.DocumentationNotComplete: +- sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id']) +- # Happens on non-debug build when a rule is "documentation-incomplete" +- continue ++ if resolved_rules_dir: ++ rule_obj = rule ++ else: ++ try: ++ rule_obj = handle_rule_yaml(product, rule['id'], ++ rule['dir'], rule['guide'], env_yaml) ++ except ssg.yaml.DocumentationNotComplete: ++ sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id']) ++ # Happens on non-debug build when a rule is "documentation-incomplete" ++ continue + + if 
reference_str in rule_obj['references'].keys(): + ref = rule_obj['references'][reference_str] diff --git a/SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch b/SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch new file mode 100644 index 0000000..a1eb387 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch @@ -0,0 +1,22 @@ +From 50eb163d9e9751c2e8cf8129523a8cf7e07a5930 Mon Sep 17 00:00:00 2001 +From: Matthew Burket +Date: Thu, 17 Feb 2022 12:49:32 -0600 +Subject: [PATCH] get_implemented_stigs in utils/create_scap_delta_tailoring.py + should return the implemented stig items + +--- + utils/create_scap_delta_tailoring.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/utils/create_scap_delta_tailoring.py b/utils/create_scap_delta_tailoring.py +index 2c3c5d0df32..25ad1aef66e 100755 +--- a/utils/create_scap_delta_tailoring.py ++++ b/utils/create_scap_delta_tailoring.py +@@ -127,6 +127,7 @@ def get_implemented_stigs(product, root_path, build_config_yaml_path, + known_rules[ref].append(rule['id']) + else: + known_rules[ref] = [rule['id']] ++ return known_rules + + + get_implemented_stigs.__annotations__ = {'product': str, 'root_path': str, diff --git a/SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch b/SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch new file mode 100644 index 0000000..d305d02 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch 
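Review bot: In the new `if resolved_rules_dir:` branch the code assigns `rule_obj = rule`, where `rule` is one of the dicts returned by `get_platform_rules(...)`, and the following context line indexes `rule_obj['references']` unconditionally; whether resolved-rule dicts always carry a `references` key is not visible here, so a rule without references would raise KeyError and abort the whole tailoring build instead of being skipped like the `DocumentationNotComplete` case. A tolerant lookup, `refs = rule_obj.get('references', {})` followed by `if reference_str in refs:`, keeps both branches on the same path and also drops the redundant `.keys()`. The re-indented `sys.stderr.write('Rule %s throw DocumentationNotComplete' % rule['id'])` has no trailing newline, so consecutive messages run together on stderr; appending `\n` (and `throws`) would fix that. `get_implemented_stigs` starts before this hunk and continues after it.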
@@ -0,0 +1,116 @@ +From bc2f72ff8a23b508cef88a363e75e73474625775 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 22 Feb 2022 17:15:43 +0100 +Subject: [PATCH 1/3] remove extend definition from ovals + +--- + .../software/integrity/fips/enable_fips_mode/oval/rhcos4.xml | 1 - + .../software/integrity/fips/enable_fips_mode/oval/shared.xml | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml +index c5ae0550e6b..52d86fd4478 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/rhcos4.xml +@@ -5,7 +5,6 @@ + + + +- + + + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 699dca06dd1..6c3f57e143f 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -6,7 +6,6 @@ + + + +- + + + + +From dbbea1998e189c4a27edc700478f55e2dfda56f8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 22 Feb 2022 17:17:28 +0100 +Subject: [PATCH 2/3] chang warning and description + +--- + .../integrity/fips/enable_fips_mode/rule.yml | 25 ++++--------------- + 1 file changed, 5 insertions(+), 20 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 9d89114b07f..6b055eac8ff 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -13,11 +13,9 @@ description: |- +
    +
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • +
  • Creating /etc/system-fips
  • +-
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • ++
  • Setting the system crypto policy in /etc/crypto-policies/config to {{{ xccdf_value("var_system_crypto_policy") }}}
  • +
  • Loading the Dracut fips module
  • +
+- This rule also ensures that the system policy is set to {{{ xccdf_value("var_system_crypto_policy") }}}. +- Furthermore, the system running in FIPS mode should be FIPS certified by NIST. + + rationale: |- + Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to +@@ -48,7 +46,7 @@ references: + ocil_clause: 'FIPS mode is not enabled' + + ocil: |- +- To verify that FIPS is enabled properly, run the following command: ++ To verify that FIPS mode is enabled properly, run the following command: +
fips-mode-setup --check
+ The output should contain the following: +
FIPS mode is enabled.
+@@ -61,19 +59,6 @@ warnings: + - general: |- + The system needs to be rebooted for these changes to take effect. + - regulatory: |- +- System Crypto Modules must be provided by a vendor that undergoes +- FIPS-140 certifications. +- FIPS-140 is applicable to all Federal agencies that use +- cryptographic-based security systems to protect sensitive information +- in computer and telecommunication systems (including voice systems) as +- defined in Section 5131 of the Information Technology Management Reform +- Act of 1996, Public Law 104-106. This standard shall be used in +- designing and implementing cryptographic modules that Federal +- departments and agencies operate or are operated for them under +- contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} +- To meet this, the system has to have cryptographic software provided by +- a vendor that has undergone this certification. This means providing +- documentation, test results, design information, and independent third +- party review by an accredited lab. While open source software is +- capable of meeting this, it does not meet FIPS-140 unless the vendor +- submits to this process. ++ This rule DOES NOT CHECK if the components of the operating system are FIPS certified. ++ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}. ++ This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. 
+ +From 3c72eec95c617ee295099522d2817c6d217a7e63 Mon Sep 17 00:00:00 2001 +From: vojtapolasek +Date: Wed, 23 Feb 2022 09:16:09 +0100 +Subject: [PATCH 3/3] Update + linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml + +Co-authored-by: Gabriel Becker +--- + .../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 6b055eac8ff..30cbc939bed 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -60,5 +60,5 @@ warnings: + The system needs to be rebooted for these changes to take effect. + - regulatory: |- + This rule DOES NOT CHECK if the components of the operating system are FIPS certified. +- You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/1401vend.htm") }}}. ++ You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}. + This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. diff --git a/SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch b/SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch new file mode 100644 index 0000000..1f5cc1a --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch 
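Review bot: The new description line `Setting the system crypto policy in /etc/crypto-policies/config to {{{ xccdf_value("var_system_crypto_policy") }}}` now documents the check in terms of the tailorable variable, but the single line removed from each of `oval/rhcos4.xml` and `oval/shared.xml` is rendered blank in this view, so it cannot be confirmed from the hunk that the remaining OVAL still evaluates the crypto policy against that variable rather than no longer checking it at all; description and OVAL should be read together before this is accepted, since a description that promises more than the check performs is itself a compliance defect. The rewritten regulatory warning correctly separates the technical state (FIPS mode enabled) from FIPS 140 validation of the installed modules, which is the right scoping statement for anyone consuming these results as evidence. The inner commit subject `chang warning and description` carries a typo, though as an embedded patch header it is not a line to edit here.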
@@ -0,0 +1,146 @@ +From 0ffb73fe67cb5773037f62895e6fdc93195f7c38 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 21 Feb 2022 12:55:10 +0100 +Subject: [PATCH] Remove tmux process runinng check from + configure_bashrc_exec_tmux. + +This check can cause troubles since the user must be logged to show up +as tmux running. For example, an evaluation happening through a cron job +wouldn't be able to make this rule work, since no terminal is being +used. +--- + .../configure_bashrc_exec_tmux/oval/shared.xml | 10 ---------- + .../configure_bashrc_exec_tmux/rule.yml | 14 +------------- + .../tests/correct_value.pass.sh | 1 - + .../tests/correct_value_d_directory.pass.sh | 1 - + .../tests/duplicate_value_multiple_files.pass.sh | 1 - + .../tests/tmux_not_running.fail.sh | 13 ------------- + .../tests/wrong_value.fail.sh | 2 -- + 7 files changed, 1 insertion(+), 41 deletions(-) + delete mode 100644 linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml +index 4cb2f9e0e04..58f91eadf66 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml +@@ -4,7 +4,6 @@ + + +- + + + if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi + 1 + +- +- +- +- +- +- +- ^tmux(?:|[\s]+.*)$ +- 0 +- + +diff --git 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +index 7afc5fc5e6b..9f224748894 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +@@ -8,19 +8,11 @@ description: |- + The tmux terminal multiplexer is used to implement + automatic session locking. It should be started from + /etc/bashrc or drop-in files within /etc/profile.d/. +- Additionally it must be ensured that the tmux process is running +- and it can be verified with the following command: +-
ps all | grep tmux | grep -v grep
+ + rationale: |- + Unlike bash itself, the tmux terminal multiplexer + provides a mechanism to lock sessions after period of inactivity. + +-warnings: +- - general: |- +- The remediation does not start the tmux process, so it must be +- manually started or have the system rebooted after applying the fix. +- + severity: medium + + identifiers: +@@ -34,7 +26,7 @@ references: + stigid@ol8: OL08-00-020041 + stigid@rhel8: RHEL-08-020041 + +-ocil_clause: 'exec tmux is not present at the end of bashrc or tmux process is not running' ++ocil_clause: 'exec tmux is not present at the end of bashrc' + + ocil: |- + To verify that tmux is configured to execute, +@@ -46,9 +38,5 @@ ocil: |- + name=$(ps -o comm= -p $parent) + case "$name" in sshd|login) exec tmux ;; esac + fi +- To verify that the tmux process is running, +- run the following command: +-
ps all | grep tmux | grep -v grep
+- If the command does not produce output, this is a finding. + + platform: machine +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh +index 221c18665ef..fbc7590f27d 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh +@@ -9,4 +9,3 @@ if [ "$PS1" ]; then + fi + EOF + +-tmux new-session -s root -d +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh +index 1702bb17e79..6107f86f248 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh +@@ -10,4 +10,3 @@ if [ "$PS1" ]; then + fi + EOF + +-tmux new-session -s root -d +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh +index 16d4acfcb5a..c662221eca1 100644 +--- 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh +@@ -17,4 +17,3 @@ if [ "$PS1" ]; then + fi + EOF + +-tmux new-session -s root -d +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh +deleted file mode 100644 +index 6cb9d83efc5..00000000000 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/tmux_not_running.fail.sh ++++ /dev/null +@@ -1,13 +0,0 @@ +-#!/bin/bash +-# packages = tmux +-# remediation = none +- +-cat >> /etc/bashrc <<'EOF' +-if [ "$PS1" ]; then +- parent=$(ps -o ppid= -p $$) +- name=$(ps -o comm= -p $parent) +- case "$name" in sshd|login) exec tmux ;; esac +-fi +-EOF +- +-killall tmux || true +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh +index f13a8b038e4..9b461654572 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/wrong_value.fail.sh +@@ -101,5 +101,3 @@ if [ -z "$BASHRCSOURCED" ]; then + fi + # vim:ts=4:sw=4 + EOF +- +-tmux new-session -s root -d 
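Review bot: Dropping the whole `warnings:` block from `rule.yml` removes the only statement that the remediation does not affect sessions that are already open; now that the OVAL checks only the `/etc/bashrc` / `/etc/profile.d/` content, the rule can report compliant while no interactive session is actually protected until users log in again, and a replacement such as `- general: |- The configuration only takes effect for new login shells; existing sessions are not locked until users log in again.` would keep that caveat visible to auditors. The reasoning in the inner commit message (a cron-driven scan never sees a tmux process) is sound, because the removed process check measured session state rather than configuration. The remaining OVAL pattern appears to be a single literal regex of the `if [ "$PS1" ]; then ... exec tmux ;; esac` block, so a functionally equivalent snippet with different quoting or line structure would still fail the rule; stating in the description that `The check expects the snippet as shown in the OCIL section.` would save administrators a confusing false finding.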
diff --git a/SOURCES/scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch b/SOURCES/scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch new file mode 100644 index 0000000..19105ff --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch 
@@ -0,0 +1,79 @@ +From ea49c71011c1815b2889c5a004c79c99faff4a1c Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 23 Feb 2022 18:23:22 +0100 +Subject: [PATCH] Adjsut partitions sizes to acomodate a GUI install + +The GUI requires more room in the /usr partition. +Let's reduce /otp, /srv and /home, which should not have any data. +--- + .../rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 8 ++++---- + products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 8 ++++---- + .../kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 8 ++++---- + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +index 9c02e5c2ac1..cc18e8cd16f 100644 +--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg ++++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01 + # Create particular logical volumes (optional) + logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow + # Ensure /usr Located On Separate Partition +-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev" + # Ensure /opt Located On Separate Partition +-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /srv Located On Separate Partition +-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /home Located On Separate Partition +-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home 
--fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev" + # Ensure /tmp Located On Separate Partition + logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" + # Ensure /var/tmp Located On Separate Partition +diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +index 68729408698..3e99b4d0f99 100644 +--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg ++++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +@@ -104,13 +104,13 @@ volgroup VolGroup --pesize=4096 pv.01 + # Create particular logical volumes (optional) + logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow + # Ensure /usr Located On Separate Partition +-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev" + # Ensure /opt Located On Separate Partition +-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /srv Located On Separate Partition +-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /home Located On Separate Partition +-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev" + # Ensure /tmp Located On Separate Partition + logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" + # Ensure /var/tmp Located On Separate Partition +diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg 
b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +index 1f703d127e5..31d10a7e97e 100644 +--- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg ++++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +@@ -100,13 +100,13 @@ volgroup VolGroup --pesize=4096 pv.01 + # Create particular logical volumes (optional) + logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow + # Ensure /usr Located On Separate Partition +-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" ++logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=6536 --fsoptions="nodev" + # Ensure /opt Located On Separate Partition +-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /srv Located On Separate Partition +-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" ++logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" + # Ensure /home Located On Separate Partition +-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" ++logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev" + # Ensure /tmp Located On Separate Partition + logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" + # Ensure /var/tmp Located On Separate Partition diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 2b63dce..5db91ce 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.60 -Release: 4%{?dist} +Release: 7%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System 
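Review bot: Shrinking `/home` to `--size=512` in all three kickstarts (enhanced, high and intermediary) keeps the total of the four resized volumes unchanged at 8072 MB (5000 + 3×1024 before, 6536 + 3×512 after), so the disk budget is preserved, but `/home` is the one volume of the three that actually receives user data on a GUI install, and 512 MB without `--grow` is likely to fill with per-user desktop caches under `$HOME`; if real users are expected, keeping `/home` at `--size=1024` and taking the remaining 512 MB from `/opt` or `/srv` would fit the commit's own "should not have any data" justification better. The commit message says `/otp` where `/opt` is meant, and `Adjsut`/`acomodate` are misspelled, though as an embedded patch description these are not lines to edit here.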
@@ -60,6 +60,11 @@ Patch38: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch Patch39: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch Patch40: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch Patch41: scap-security-guide-0.1.61-dont-remove-krb5-workstation-on-ovirt-PR_8233.patch +Patch42: scap-security-guide-0.1.61-remove_tmux_process_running_check-PR_8246.patch +Patch43: scap-security-guide-0.1.61-fix_bug_in_delta_tailering_script-PR_8245.patch +Patch44: scap-security-guide-0.1.61-fix_enable_fips_mode-PR_8255.patch +Patch45: scap-security-guide-0.1.61-delta_tailoring_fix-PR_8262.patch +Patch46: scap-security-guide-0.1.61-resize-anssi-kickstart-partitions-PR_8261.patch BuildRequires: libxslt BuildRequires: expat @@ -164,6 +169,17 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog +* Thu Feb 24 2022 Watson Sato - 0.1.60-7 +- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033) + +* Wed Feb 23 2022 Matthew Burket - 0.1.60-6 +- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485) + +* Mon Feb 21 2022 Gabriel Becker - 0.1.60-5 +- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860) +- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485) +- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485) + * Wed Feb 16 2022 Watson Sato - 0.1.60-4 - Fix Ansible service disabled tasks (RHBZ#2014485) - Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
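Review bot: The five new `Patch42`–`Patch46` declarations are only effective if `%prep` applies them; that section is outside this hunk, so whether the spec uses `%autosetup`/`%autopatch` or explicit `%patchN -p1` lines cannot be verified here, and in the latter case each new patch needs a matching apply line or it is silently skipped while the changelog still claims the fix. Apply order matters for the two `create_scap_delta_tailoring.py` patches: `Patch43` (PR_8245, adds `return known_rules` around line 127) is listed before `Patch45` (PR_8262, reworks lines 103–124), which is consistent with the upstream order the hunk contexts assume. The changelog entry `Remove tmux process runinng check` repeats the typo from the upstream commit subject; `running` is meant.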