commit 0ac390339aa1e065acd4982e34b120634344cacd Author: CentOS Sources Date: Tue Nov 5 14:46:13 2019 -0500 import scap-security-guide-0.1.46-1.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ef19f89 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/scap-security-guide-0.1.46.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata new file mode 100644 index 0000000..26ee133 --- /dev/null +++ b/.scap-security-guide.metadata @@ -0,0 +1 @@ +05a9c42472d6918e10d25df002ab6b3c3d379016 SOURCES/scap-security-guide-0.1.46.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch new file mode 100644 index 0000000..ae3d0dd --- /dev/null +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -0,0 +1,82 @@ +From c6c4eae7d085adb1571e5c45edb4bd982c242f4d Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 17 Dec 2018 13:30:06 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8. + +They raise too many errors and fails. +--- + rhel8/CMakeLists.txt | 3 ++- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/cui.profile | 2 +- + rhel8/profiles/hipaa.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 6 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt +index 99bccbed7..77f8ccaec 100644 +--- a/rhel8/CMakeLists.txt ++++ b/rhel8/CMakeLists.txt +@@ -14,7 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") + ssg_build_html_table_by_ref(${PRODUCT} "pcidss") + ssg_build_html_table_by_ref(${PRODUCT} "anssi") + +-ssg_build_html_nistrefs_table(${PRODUCT} "standard") ++# Standard profile is disabled for RHEL8 as it is not in good shape ++#ssg_build_html_nistrefs_table(${PRODUCT} "standard") + ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + + # Uncomment when anssi profiles are marked documentation_complete: true +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index a7f8c0b16..c460793be 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Criminal Justice Information Services (CJIS) Security Policy' + +diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile +index eb62252a4..e8f369708 100644 +--- a/rhel8/profiles/cui.profile ++++ b/rhel8/profiles/cui.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + +diff --git a/rhel8/profiles/hipaa.profile b/rhel8/profiles/hipaa.profile +index feb98007c..0667f65ed 100644 +--- a/rhel8/profiles/hipaa.profile ++++ b/rhel8/profiles/hipaa.profile +@@ -1,4 +1,4 @@ +-documentation_complete: True ++documentation_complete: false + + title: 'Health Insurance Portability and Accountability Act (HIPAA)' + +diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index 023663b21..8b22bc711 100644 +--- a/rhel8/profiles/rht-ccp.profile ++++ b/rhel8/profiles/rht-ccp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 +--- a/rhel8/profiles/standard.profile ++++ b/rhel8/profiles/standard.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + +-- +2.19.2 + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec new file mode 100644 index 0000000..ac3e778 --- /dev/null +++ b/SPECS/scap-security-guide.spec @@ -0,0 +1,371 @@ +Name: scap-security-guide +Version: 0.1.46 +Release: 1%{?dist} +Summary: Security guidance and baselines in SCAP formats +Group: Applications/System +License: BSD +URL: https://github.com/ComplianceAsCode/content/ +Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream +Patch0: disable-not-in-good-shape-profiles.patch +BuildArch: noarch + +# To get python3 inside the buildroot require its path explicitly in BuildRequires +BuildRequires: /usr/bin/python3 +BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML +Requires: xml-common, openscap-scanner >= 1.2.5 +Obsoletes: openscap-content < 0:0.9.13 +Provides: openscap-content + +%description +The scap-security-guide project provides a guide for configuration of the +system from the final system's security point of view. The guidance is specified +in the Security Content Automation Protocol (SCAP) format and constitutes +a catalog of practical hardening advice, linked to government requirements +where applicable. The project bridges the gap between generalized policy +requirements and specific implementation guidelines. The Red Hat Enterprise +Linux 8 system administrator can use the oscap CLI tool from openscap-scanner +package, or the scap-workbench GUI tool from scap-workbench package to verify +that the system conforms to provided guideline. Refer to scap-security-guide(8) +manual page for further information. + +%package doc +Summary: HTML formatted security guides generated from XCCDF benchmarks +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description doc +The %{name}-doc package contains HTML formatted documents containing +hardening guidances that have been generated from XCCDF benchmarks +present in %{name} package. + +%prep +%setup -q +%patch0 -p1 +mkdir build + +%build +cd build +%cmake \ +-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ +-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ +-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ +-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../ +%make_build + +%install +cd build +%make_install + +%files +%{_datadir}/xml/scap/ssg/content +%{_datadir}/%{name}/kickstart +%{_datadir}/%{name}/ansible +%{_datadir}/%{name}/bash +%lang(en) %{_mandir}/man8/scap-security-guide.8.* +%doc %{_docdir}/%{name}/LICENSE +%doc %{_docdir}/%{name}/README.md +%doc %{_docdir}/%{name}/Contributors.md + +%files doc +%doc %{_docdir}/%{name}/guides/*.html +%doc %{_docdir}/%{name}/tables/*.html + +%changelog +* Mon Sep 02 2019 Watson Sato - 0.1.46-1 +- Update to latest upstream SCAP-Security-Guide-0.1.46 release +- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798) + +* Wed Aug 07 2019 Milan Lysonek - 0.1.45-2 +- Use crypto-policy rules in OSPP profile. +- Re-enable FIREFOX and JRE product in build. +- Change test suite logging message about missing profile from ERROR to WARNING. +- Build only one version of SCAP content at a time. + +* Tue Aug 06 2019 Milan Lysonek - 0.1.45-1 +- Update to latest upstream SCAP-Security-Guide-0.1.45 release + +* Mon Jun 17 2019 Matěj Týč - 0.1.44-2 +- Ported changelog from late 8.0 builds. +- Disabled build of the OL8 product, updated other components of the cmake invocation. + +* Fri Jun 14 2019 Matěj Týč - 0.1.44-1 +- Update to latest upstream SCAP-Security-Guide-0.1.44 release + +* Mon Mar 11 2019 Gabriel Becker - 0.1.42-11 +- Assign CCE to rules from OSPP profile which were missing the identifier. +- Fix regular expression for Audit rules ordering +- Account for Audit rules flags parameter position within syscall +- Add remediations for Audit rules file path +- Add Audit rules for modification of /etc/shadow and /etc/gshadow +- Add Ansible and Bash remediations for directory_access_var_log_audit rule +- Add a Bash remediation for Audit rules that require ordering + +* Thu Mar 07 2019 Gabriel Becker - 0.1.42-10 +- Assign CCE identifier to rules used by RHEL8 profiles. + +* Thu Feb 14 2019 Matěj Týč - 0.1.42-9 +- Fixed Crypto Policy OVAL for NSS +- Got rid of rules requiring packages dropped in RHEL8. +- Profile descriptions fixes. + +* Tue Jan 22 2019 Jan Černý - 0.1.42-8 +- Update applicable platforms in crypto policy tests + +* Mon Jan 21 2019 Jan Černý - 0.1.42-7 +- Introduce Podman backend for SSG Test suite +- Update bind and libreswan crypto policy test scenarios + +* Fri Jan 11 2019 Matěj Týč - 0.1.42-6 +- Further fix of profiles descriptions, so they don't contain literal '\'. +- Removed obsolete sshd rule from the OSPP profile. + +* Tue Jan 08 2019 Matěj Týč - 0.1.42-5 +- Fixed profiles descriptions, so they don't contain literal '\n'. +- Made the configure_kerberos_crypto_policy OVAL more robust. +- Made OVAL for libreswan and bind work as expected when those packages are not installed. + +* Wed Jan 02 2019 Matěj Týč - 0.1.42-4 +- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs. + +* Tue Dec 18 2018 Matěj Týč - 0.1.42-3 +- Added FIPS mode rule for the OSPP profile. +- Split the installed_OS_is certified rule. +- Explicitly disabled OSP13, RHV4 and Example products. + +* Mon Dec 17 2018 Gabriel Becker - 0.1.42-2 +- Add missing kickstart files for RHEL8 +- Disable profiles that are not in good shape for RHEL8 + +* Wed Dec 12 2018 Matěj Týč - 0.1.42-1 +- Update to latest upstream SCAP-Security-Guide-0.1.42 release: + https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42 +- System-wide crypto policies are introduced for RHEL8 +- Patches introduced the RHEL8 product were dropped, as it has been upstreamed. + +* Wed Oct 10 2018 Watson Yuuma Sato - 0.1.41-2 +- Fix man page and package description + +* Mon Oct 08 2018 Watson Yuuma Sato - 0.1.41-1 +- Update to latest upstream SCAP-Security-Guide-0.1.41 release: + https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41 +- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles + +* Mon Aug 13 2018 Watson Sato - 0.1.40-3 +- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot +- Only build content for rhel8 products + +* Fri Aug 10 2018 Watson Sato - 0.1.40-2 +- Update build of rhel8 content + +* Fri Aug 10 2018 Watson Sato - 0.1.40-1 +- Enable build of rhel8 content + +* Fri May 18 2018 Jan Černý - 0.1.39-1 +- Update to latest upstream SCAP-Security-Guide-0.1.39 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39 +- Fix spec file to build using Python 3 +- Fix License because upstream changed to BSD-3 + +* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1 +- Update to latest upstream SCAP-Security-Guide-0.1.38 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1 +- Update to latest upstream SCAP-Security-Guide-0.1.37 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37 + +* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1 +- Update to latest upstream SCAP-Security-Guide-0.1.36 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36 + +* Tue Aug 29 2017 Watson Sato - 0.1.35-1 +- Update to latest upstream SCAP-Security-Guide-0.1.35 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35 + +* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Mon Jul 03 2017 Watson Sato - 0.1.34-1 +- updated to latest upstream release + +* Mon May 01 2017 Martin Preisler - 0.1.33-1 +- updated to latest upstream release + +* Thu Mar 30 2017 Martin Preisler - 0.1.32-1 +- updated to latest upstream release + +* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Nov 28 2016 Martin Preisler - 0.1.31-2 +- use make_build and make_install RPM macros + +* Mon Nov 28 2016 Martin Preisler - 0.1.31-1 +- update to the latest upstream release +- new default location for content /usr/share/scap/ssg +- install HTML tables in the doc subpackage + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2 +- Correct currently failing parallel SCAP Security Guide build + +* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1 +- Update to latest upstream SCAP-Security-Guide-0.1.30 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30 +- Drop shell library for remediation functions since it is not required + starting from 0.1.30 release any more + +* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1 +- Update to latest upstream SCAP-Security-Guide-0.1.29 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29 +- Do not ship Firefox/DISCLAIMER documentation file since it has been removed + in 0.1.29 upstream release + +* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1 +- upgrade to the latest upstream release + +* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1 +- update to the latest upstream release + +* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1 +- update to the latest upstream release + +* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1 +- update to the latest upstream release + +* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1 +- update to the latest upstream release +- created doc sub-package to ship all the guides +- start distributing centos and scientific linux content +- rename java content to jre + +* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 05 2015 Šimon Lukašík - 0.1.22-1 +- update to the latest upstream release +- only DataStream file is now available for Fedora +- start distributing security baseline for Firefox +- start distributing security baseline for Java RunTime deployments + +* Wed Mar 04 2015 Šimon Lukašík - 0.1.21-1 +- update to the latest upstream release +- move content to /usr/share/scap/ssg/content + +* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1 +- update to the latest upstream release + +* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4 +- require only openscap-scanner, not whole openscap-utils package + +* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3 +- Rebase the RHEL part of SSG to the latest upstream version (0.1.18) +- Add STIG DISCLAIMER to the shipped documentation + +* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1 +- Fix fedora-srpm and fedora-rpm Make targets to work again +- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans +- EOL for Fedora 18 support +- Include Fedora datastream file for remote Fedora system scans + +* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2 +- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14) + +* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1 +- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move + it to /shared +- Add shared remediations for sshd disable empty passwords and + sshd set idle timeout +- Shared remediation for sshd disable root login +- Add empty -compat subpackage to ensure backward-compatibility with + openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335) +- OVAL check for sshd disable root login +- Fix typo in OVAL check for sshd disable empty passwords +- OVAL check for sshd disable empty passwords +- Unselect no shelllogin for systemaccounts rule from being run by default +- Rename XCCDF rules +- Revert Set up Fedora release name and CPE based on build system properties +- Shared OVAL check for Verify that Shared Library Files Have Root Ownership +- Shared OVAL check for Verify that System Executables Have Restrictive Permissions +- Shared OVAL check for Verify that System Executables Have Root Ownership +- Shared OVAL check for Verify that Shared Library Files Have Restrictive + Permissions +- Fix remediation for Disable Prelinking rule +- OVAL check and remediation for sshd's ClientAliveCountMax rule +- OVAL check for sshd's ClientAliveInterval rule +- Include descriptions for permissions section, and rules for checking + permissions and ownership of shared library files and system executables +- Disable selected rules by default +- Add remediation for Disable Prelinking rule +- Adjust service-enable-macro, service-disable-macro XSLT transforms + definition to evaluate to proper systemd syntax +- Fix service_ntpd_enabled OVAL check make validate to pass again +- Include patch from Šimon Lukašík to obsolete openscap-content + package (RH BZ#1028706) +- Add OVAL check to test if there's is remote NTP server configured for + time data +- Add system settings section for the guide (to track system wide + hardening configurations) +- Include disable prelink rule and OVAL check for it +- Initial OVAL check if ntpd service is enabled. Add package_installed + OVAL templating directory structure and functionality. +- Include services section, and XCCDF description for selected ntpd's + sshd's service rules +- Include remediations for login.defs' based password minimum, maximum and + warning age rules +- Include directory structure to support remediations +- Add SCAP "replace or append pattern value in text file based on variable" + remediation script generator +- Add remediation for "Set Password Minimum Length in login.defs" rule + +* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1 +- Update versioning scheme - move fedorassgrelease to be part of + upstream version. Rename it to fedorassgversion to avoid name collision + with Fedora package release. + +* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3 +- Add .gitignore for Fedora output directory +- Set up Fedora release name and CPE based on build system properties +- Use correct file paths in scap-security-guide(8) manual page + (RH BZ#1018905, c#10) +- Apply further changes motivated by scap-security-guide Fedora RPM review + request (RH BZ#1018905, c#8): + * update package description, + * make content files to be owned by the scap-security-guide package, + * remove Fedora release number from generated content files, + * move HTML form of the guide under the doc directory (together + with that drop fedora/content subdir and place the content + directly under fedora/ subdir). +- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905): + * drop Fedora release from package provided files' final path (c#5), + * drop BuildRoot, selected Requires:, clean section, drop chcon for + manual page, don't gzip man page (c#4), + * change package's description (c#4), + * include PD license text (#c4). + +* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2 +- Provide manual page for scap-security-guide +- Remove percent sign from spec's changelog to silence rpmlint warning +- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora +- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora +- Introduce 'Account and Access Control' section +- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's + rules to Fedora +- Set proper name of the build directory in the spec's setup macro. +- Replace hard-coded paths with macros. Preserve attributes when copying files. + +* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1 +- Initial Fedora SSG RPM.