Merge branch 'c8' into a8

This commit is contained in:
eabdullin 2024-02-27 04:27:40 +00:00 committed by root
commit 37fa15ce36
8 changed files with 78 additions and 427 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.69.tar.bz2
SOURCES/scap-security-guide-0.1.72.tar.bz2

View File

@ -1,2 +1,2 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
e10feed870a3553b75798fbee88c27c95b84c7c2 SOURCES/scap-security-guide-0.1.72.tar.bz2

View File

@ -1,61 +0,0 @@
From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 6 Feb 2023 14:44:17 +0100
Subject: [PATCH] Disable profiles not in good shape
Patch-name: disable-not-in-good-shape-profiles.patch
Patch-id: 0
Patch-status: |
Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
---
products/rhel8/CMakeLists.txt | 1 -
products/rhel8/profiles/cjis.profile | 2 +-
products/rhel8/profiles/rht-ccp.profile | 2 +-
products/rhel8/profiles/standard.profile | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
index 9c044b68ab..8f6ca03de8 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 22ae5aac72..f60b65bc06 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
version: 5.4
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index b192461f95..ae1e7d5a15 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index a63ae2cf32..da669bb843 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.39.1

View File

@ -0,0 +1,54 @@
From e0f62e3828b9deda102f247b3789f68aeb4e518d Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Fri, 16 Feb 2024 12:07:36 +0100
Subject: [PATCH] Hide profiles not in good shape for RHEL
There are some profiles introduced long time ago but no longer
maintained. For compatibility purposes they are not removed from
datastream but are now hidden for RHEL8 to prevent people from
using them.
---
products/rhel8/profiles/cjis.profile | 2 ++
products/rhel8/profiles/rht-ccp.profile | 2 ++
products/rhel8/profiles/standard.profile | 2 ++
3 files changed, 6 insertions(+)
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 30843b692e..c44c63516f 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,5 +1,7 @@
documentation_complete: true
+hidden: true
+
metadata:
version: 5.4
SMEs:
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 01133a9bde..3f6cb751c9 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,5 +1,7 @@
documentation_complete: true
+hidden: true
+
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
description: |-
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index 11d72da2d9..79b491113a 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,5 +1,7 @@
documentation_complete: true
+hidden: true
+
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
description: |-
--
2.43.1

View File

@ -1,52 +0,0 @@
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 8 Aug 2023 15:15:21 +0200
Subject: [PATCH] Remove kernel cmdline check
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.
We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.
Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
@@ -57,19 +55,6 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
- check="all" check_existence="all_exist"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:variable_test id="test_system_crypto_policy_value" version="1"
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />

View File

@ -1,272 +0,0 @@
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:02:08 +0200
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
This commit only improves readability without any technical impact in
the OVAL logic.
---
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
1 file changed, 50 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
<def-group>
- <definition class="compliance" id="enable_fips_mode" version="1">
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+ <extend_definition definition_ref="etc_system_fips_exists"
+ comment="check /etc/system-fips exists"/>
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
+ comment="check sysctl crypto.fips_enabled = 1"/>
+ <extend_definition definition_ref="enable_dracut_fips_module"
+ comment="Dracut FIPS module is enabled"/>
+ <extend_definition definition_ref="configure_crypto_policy"
+ comment="system cryptography policy is configured"/>
+ <criterion test_ref="test_system_crypto_policy_value"
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
- <extend_definition comment="Generic test for s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for s390x architecture"/>
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
- <extend_definition comment="Generic test for NOT s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for NOT s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
- test_ref="test_grubenv_fips_mode" />
+ <criterion test_ref="test_grubenv_fips_mode"
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -34,58 +40,71 @@
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
- check="all" check_existence="all_exist" version="1">
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
- check="all" check_existence="all_exist" version="1">
+
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
+
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
{{%- endif %}}
</ind:variable_state>
+
{{% if product in ["ol8","rhel8"] %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
- comment="Fips mode selected in running kernel opts" version="1">
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
+ check="all" check_existence="all_exist"
+ comment="Fips mode selected in running kernel opts">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
- version="1">
+
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">fips=1</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+
+ <external_variable id="var_system_crypto_policy" version="1"
+ datatype="string" comment="defined crypto policy"/>
</def-group>
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:20:33 +0200
Subject: [PATCH 2/2] Improve OVAL comments for better readability
Simplified the comments and aligned the respective lines to the
project Style Guides.
---
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
<extend_definition definition_ref="etc_system_fips_exists"
- comment="check /etc/system-fips exists"/>
+ comment="check /etc/system-fips file existence"/>
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
- comment="check sysctl crypto.fips_enabled = 1"/>
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
<extend_definition definition_ref="enable_dracut_fips_module"
- comment="Dracut FIPS module is enabled"/>
+ comment="dracut FIPS module is enabled"/>
<extend_definition definition_ref="configure_crypto_policy"
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for s390x architecture"/>
+ comment="generic test for s390x architecture"/>
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for NOT s390x architecture"/>
+ comment="generic test for non-s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion test_ref="test_grubenv_fips_mode"
comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -42,7 +42,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
</ind:textfilecontent54_object>
<ind:variable_test id="test_system_crypto_policy_value" version="1"
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
@@ -81,7 +81,8 @@
</ind:variable_object>
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
+to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
@@ -94,7 +95,7 @@
{{% if product in ["ol8","rhel8"] %}}
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
check="all" check_existence="all_exist"
- comment="Fips mode selected in running kernel opts">
+ comment="FIPS mode is selected in running kernel options">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
{{% endif %}}
<external_variable id="var_system_crypto_policy" version="1"
- datatype="string" comment="defined crypto policy"/>
+ datatype="string" comment="variable which selects the crypto policy"/>
</def-group>

View File

@ -1,30 +0,0 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'

View File

@ -5,8 +5,8 @@
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.69
Release: 2%{?dist}.alma.1
Version: 0.1.72
Release: 2%{?dist}.alma
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -14,13 +14,8 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
# Fix rule enable_fips_mode
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch
# Patch hides cjis, rht-ccp and standard profiles for RHEL8
Patch0: hide-profiles-not-in-good-shape-for-RHEL.patch
# AlmaLinux patches
@ -121,9 +116,26 @@ cd build
%{_datadir}/%{name}/ansible/rule_playbooks
%changelog
* Mon Oct 30 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.69-2.alma.1
* Tue Feb 27 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.72-2.alma
- Add AlmaLinux support
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
- Unlist profiles no longer maintained in RHEL8.
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
- Update PCI-DSS to v4 (RHEL-1808)
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
- remove problematic rule from ANSSI High profile (RHBZ#2221695)