import scap-security-guide-0.1.60-9.el8
This commit is contained in:
parent
06250daca2
commit
1ad79bab40
@ -0,0 +1,24 @@
|
|||||||
|
From 4385fd471749b21fd2e7e5febe7ba273592a0633 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Becker <A-Beck@users.noreply.github.com>
|
||||||
|
Date: Wed, 30 Mar 2022 16:58:04 -0400
|
||||||
|
Subject: [PATCH] Fix variable path access issue
|
||||||
|
|
||||||
|
Reference the path in the item dictionary, instead of the item dictionary itself
|
||||||
|
Addresses Issue #8275
|
||||||
|
---
|
||||||
|
shared/templates/sysctl/ansible.template | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
||||||
|
index 3837b313e13..f525cf873f7 100644
|
||||||
|
--- a/shared/templates/sysctl/ansible.template
|
||||||
|
+++ b/shared/templates/sysctl/ansible.template
|
||||||
|
@@ -13,7 +13,7 @@
|
||||||
|
|
||||||
|
- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||||
|
replace:
|
||||||
|
- path: "{{ item }}"
|
||||||
|
+ path: "{{ item.path }}"
|
||||||
|
regexp: '^[\s]*{{{ SYSCTLVAR }}}'
|
||||||
|
replace: '#{{{ SYSCTLVAR }}}'
|
||||||
|
loop: "{{ find_sysctl_d.files }}"
|
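Review bot: The `regexp: '^[\s]*{{{ SYSCTLVAR }}}'` line of the replace task matches any key that merely begins with the target name, so wherever one sysctl key is a prefix of another the longer key's line is commented out as well, and the `.` characters in the interpolated name are unescaped regex metacharacters (the template does not show whether SYSCTLVAR is escaped before substitution). Bounding the match on the right keeps the existing `replace: '#{{{ SYSCTLVAR }}}'` valid: `regexp: '^[\s]*{{{ SYSCTLVAR }}}(?=\s*=)'`. The `{{ item.path }}` change itself is correct, since entries of `find_sysctl_d.files` are dicts rather than bare paths. The find task's `contains:` filter, which is outside this hunk, uses the same unbounded prefix and would want the same treatment.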
@ -0,0 +1,32 @@
|
|||||||
|
From 2a7e57d7714e9931ec4d43a0d25269258dd4af2a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Tue, 17 May 2022 10:24:26 +0200
|
||||||
|
Subject: [PATCH] Do not include symlink_state in 5.10 content
|
||||||
|
|
||||||
|
The symlink_test, object and state were added in OVAL 5.11. These
|
||||||
|
elements should not be included in OVAL 5.10 content because they break
|
||||||
|
validation.
|
||||||
|
---
|
||||||
|
shared/templates/sysctl/oval.template | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
|
||||||
|
index e21b0344cb6..207052664a4 100644
|
||||||
|
--- a/shared/templates/sysctl/oval.template
|
||||||
|
+++ b/shared/templates/sysctl/oval.template
|
||||||
|
@@ -222,7 +222,6 @@
|
||||||
|
<unix:filepath operation="equals" var_ref="local_var_conf_files_{{{ SYSCTLID }}}" />
|
||||||
|
<filter action="exclude">state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}</filter>
|
||||||
|
</unix:symlink_object>
|
||||||
|
-{{% endif %}}
|
||||||
|
|
||||||
|
<!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
|
||||||
|
^/etc/sysctl.conf$
|
||||||
|
@@ -232,6 +231,7 @@
|
||||||
|
<unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_{{{ SYSCTLID }}}" version="1">
|
||||||
|
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
|
||||||
|
</unix:symlink_state>
|
||||||
|
+{{% endif %}}
|
||||||
|
|
||||||
|
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
|
||||||
|
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
|
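Review bot: Nothing in the template records why `{{% endif %}}` now closes after `</unix:symlink_state>` rather than after `</unix:symlink_object>` (the first hunk of this file), so the next edit that adds a 5.11-only element gets no cue to keep it inside the guard; the reasoning lives only in the commit message. Suggest an XML comment beside the state, in the style of the existing `<!-- The state matches ... -->` comment: `<!-- symlink_object and symlink_state are OVAL 5.11 elements; keep everything that references them inside the version guard so 5.10 output validates -->`. The opening `{{% if %}}` and its condition are outside both hunks. Guarding object and state together is the consistent choice, since the object's `<filter action="exclude">` references the state by id.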
@ -1,7 +1,7 @@
|
|||||||
From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
|
From 2275e47e111ba89595658f5d91964454c1a65323 Mon Sep 17 00:00:00 2001
|
||||||
From: Watson Sato <wsato@redhat.com>
|
From: Watson Sato <wsato@redhat.com>
|
||||||
Date: Wed, 4 May 2022 19:21:04 +0200
|
Date: Wed, 4 May 2022 19:21:04 +0200
|
||||||
Subject: [PATCH 1/2] Add tests to ensure valid symlinks are checked
|
Subject: [PATCH 1/3] Add tests to ensure valid symlinks are checked
|
||||||
|
|
||||||
These sysctl tests help check cases when:
|
These sysctl tests help check cases when:
|
||||||
- A symlink points to a file out of the default default dirs
|
- A symlink points to a file out of the default default dirs
|
||||||
@ -83,7 +83,7 @@ index 00000000000..6164d0b1ca9
|
|||||||
From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
|
From 4f4bb24620338b2ff8f59d173b575d2089618357 Mon Sep 17 00:00:00 2001
|
||||||
From: Watson Sato <wsato@redhat.com>
|
From: Watson Sato <wsato@redhat.com>
|
||||||
Date: Wed, 4 May 2022 19:23:41 +0200
|
Date: Wed, 4 May 2022 19:23:41 +0200
|
||||||
Subject: [PATCH 2/2] Filter out symlinks referencing default dirs
|
Subject: [PATCH 2/3] Filter out symlinks referencing default dirs
|
||||||
|
|
||||||
Apply a filter on the collected symlinks and exclude the ones that
|
Apply a filter on the collected symlinks and exclude the ones that
|
||||||
don't point to the default dirs.
|
don't point to the default dirs.
|
||||||
@ -120,3 +120,26 @@ index 0b5cde45045..ac395d545c3 100644
|
|||||||
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
|
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_{{{ SYSCTLID }}}" version="1">
|
||||||
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
|
<object_component object_ref="object_static_set_unfiltered_sysctls_{{{ SYSCTLID }}}" item_field="filepath" />
|
||||||
</local_variable>
|
</local_variable>
|
||||||
|
|
||||||
|
From 156291af3ae48fc0dff668b05e9e0bbdd42868b2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gabriel Becker <ggasparb@redhat.com>
|
||||||
|
Date: Fri, 6 May 2022 11:49:00 +0200
|
||||||
|
Subject: [PATCH 3/3] Consider file/link/dir while applying ansible remediation
|
||||||
|
on sysctl template.
|
||||||
|
|
||||||
|
---
|
||||||
|
shared/templates/sysctl/ansible.template | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
|
||||||
|
index f525cf873f7..5a178fa7f49 100644
|
||||||
|
--- a/shared/templates/sysctl/ansible.template
|
||||||
|
+++ b/shared/templates/sysctl/ansible.template
|
||||||
|
@@ -9,6 +9,7 @@
|
||||||
|
paths: "/etc/sysctl.d/"
|
||||||
|
contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
|
||||||
|
patterns: "*.conf"
|
||||||
|
+ file_type: any
|
||||||
|
register: find_sysctl_d
|
||||||
|
|
||||||
|
- name: Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
|
||||||
|
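Review bot: `file_type: any` on the find task makes `find_sysctl_d.files` include directories as well as files and symlinks, so a directory under /etc/sysctl.d whose name matches `*.conf` would be handed to the replace task (its `- name:` line is the last context line here; its `loop:` is outside the hunk), which cannot operate on a directory. If, as the find module documents, `contains:` is honoured only for regular files, the content filter also stops narrowing the result once `file_type` is `any`, so every matching path is looped over; harmless for the replace itself, but worth knowing. A guard on the replace task such as `when: not item.isdir` keeps symlinks in scope while skipping directories. The subject line of this patch (3/3) would also read better with its second line folded in, since the Subject header is split across two lines.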
@ -6,7 +6,7 @@
|
|||||||
|
|
||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.60
|
Version: 0.1.60
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
License: BSD-3-Clause
|
License: BSD-3-Clause
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
@ -72,6 +72,8 @@ Patch50: scap-security-guide-0.1.62-sysctl_dont_ignore_all_symlinks-PR_8707.pat
|
|||||||
Patch51: scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
|
Patch51: scap-security-guide-0.1.62-sysctl_dont_scan_usr_lib-PR_8718.patch
|
||||||
Patch52: scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
|
Patch52: scap-security-guide-0.1.62-sysctl-restrict_symlink_test_to_oval_5_10-PR_8721.patch
|
||||||
Patch53: scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
|
Patch53: scap-security-guide-0.1.62-update_rhel8_stig_v1r6-PR_8670.patch
|
||||||
|
Patch54: scap-security-guide-0.1.62-fix_oval_5_10_validation-PR_8782.patch
|
||||||
|
Patch55: scap-security-guide-0.1.62-fix_loop_variable_path-PR_8462.patch
|
||||||
|
|
||||||
BuildRequires: libxslt
|
BuildRequires: libxslt
|
||||||
BuildRequires: expat
|
BuildRequires: expat
|
||||||
@ -176,9 +178,13 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
|
||||||
|
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
|
||||||
|
- Fix Ansible sysctl remediation (RHBZ#2079241)
|
||||||
|
|
||||||
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
||||||
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2082556)
|
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
|
||||||
- Update RHEL8 STIG profile to V1R6 (RHBZ#2082556)
|
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
|
||||||
|
|
||||||
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
||||||
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
||||||
|
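Review bot: `Patch54` and `Patch55` are declared in the second hunk, but the %prep section that applies patches is not on this page, so the rebuild only picks them up if it uses `%autosetup -p1` or gains matching `%patch54`/`%patch55` lines; worth confirming before the build. The third hunk also rewrites the bug reference in the already-published 0.1.60-8 entry on two lines, from RHBZ#2082556 to RHBZ#2079241, which a reader of the changelog may not expect; if that is a deliberate correction, a short note in the 0.1.60-9 entry would make it explicit.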