From 0fe9f1c48119199f12a2b6022f00fc68ae9ee350 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Fri, 17 Sep 2021 17:45:36 +0000 Subject: [PATCH] import scap-security-guide-0.1.57-5.el8 --- ...ity-guide-0.1.58-ism_usb_hid-PR_7493.patch | 36 +++++++++++++++++++ SPECS/scap-security-guide.spec | 6 +++- 2 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 SOURCES/scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch diff --git a/SOURCES/scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch b/SOURCES/scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch new file mode 100644 index 0000000..bdf85b5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch @@ -0,0 +1,36 @@ +From 7189a9f4aa319b823e241ca11a798762bd62515f Mon Sep 17 00:00:00 2001 +From: Matej Tyc +Date: Tue, 31 Aug 2021 13:58:00 +0200 +Subject: [PATCH] Allow HID USB in the ISM profile + +The usbguard is too strict without this rule, +and its default setting blocks keyboard and mouse. +--- + products/rhel8/profiles/ism_o.profile | 1 + + products/rhel9/profiles/ism_o.profile | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/products/rhel8/profiles/ism_o.profile b/products/rhel8/profiles/ism_o.profile +index 95cdfc4ede..2e78dc8776 100644 +--- a/products/rhel8/profiles/ism_o.profile ++++ b/products/rhel8/profiles/ism_o.profile +@@ -52,6 +52,7 @@ selections: + ## Identifiers 1418 + - package_usbguard_installed + - service_usbguard_enabled ++ - usbguard_allow_hid_and_hub + + ## Authentication hardening + ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560 +diff --git a/products/rhel9/profiles/ism_o.profile b/products/rhel9/profiles/ism_o.profile +index 6fc919da12..b395b0e9cb 100644 +--- a/products/rhel9/profiles/ism_o.profile ++++ b/products/rhel9/profiles/ism_o.profile +@@ -52,6 +52,7 @@ selections: + ## Identifiers 1418 + - package_usbguard_installed + - service_usbguard_enabled ++ - usbguard_allow_hid_and_hub + + ## Authentication hardening + ## Identifiers 1546 / 0974 / 1173 / 1504 / 1505 / 1401 / 1559 / 1560 diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index ca97eef..3d79e8e 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -5,7 +5,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -73,6 +73,7 @@ Patch52: scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch +Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch BuildRequires: libxslt BuildRequires: expat @@ -176,6 +177,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %endif %changelog +* Thu Sep 02 2021 Matej Tyc - 0.1.57-5 +- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423). + * Tue Aug 24 2021 Gabriel Becker - 0.1.57-4 - Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)