diff --git a/.gitignore b/.gitignore index 10b380a..6078794 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 -SOURCES/scap-security-guide-0.1.69.tar.bz2 +SOURCES/scap-security-guide-0.1.72.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 64c981b..bcf37b6 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1,2 +1,2 @@ b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 -60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2 +e10feed870a3553b75798fbee88c27c95b84c7c2 SOURCES/scap-security-guide-0.1.72.tar.bz2 diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch deleted file mode 100644 index f883e6a..0000000 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Mon, 6 Feb 2023 14:44:17 +0100 -Subject: [PATCH] Disable profiles not in good shape - -Patch-name: disable-not-in-good-shape-profiles.patch -Patch-id: 0 -Patch-status: | - Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream ---- - products/rhel8/CMakeLists.txt | 1 - - products/rhel8/profiles/cjis.profile | 2 +- - products/rhel8/profiles/rht-ccp.profile | 2 +- - products/rhel8/profiles/standard.profile | 2 +- - 4 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt -index 9c044b68ab..8f6ca03de8 100644 ---- a/products/rhel8/CMakeLists.txt -+++ b/products/rhel8/CMakeLists.txt -@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT}) - ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss") - - ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist") --ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist") - ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist") - - ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi") -diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 22ae5aac72..f60b65bc06 100644 ---- a/products/rhel8/profiles/cjis.profile -+++ b/products/rhel8/profiles/cjis.profile -@@ -1,4 +1,4 @@ --documentation_complete: true -+documentation_complete: false - - metadata: - version: 5.4 -diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index b192461f95..ae1e7d5a15 100644 ---- a/products/rhel8/profiles/rht-ccp.profile -+++ b/products/rhel8/profiles/rht-ccp.profile -@@ -1,4 +1,4 @@ --documentation_complete: true -+documentation_complete: false - - title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' - -diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile -index a63ae2cf32..da669bb843 100644 ---- a/products/rhel8/profiles/standard.profile -+++ b/products/rhel8/profiles/standard.profile -@@ -1,4 +1,4 @@ --documentation_complete: true -+documentation_complete: false - - title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' - --- -2.39.1 - diff --git a/SOURCES/hide-profiles-not-in-good-shape-for-RHEL.patch b/SOURCES/hide-profiles-not-in-good-shape-for-RHEL.patch new file mode 100644 index 0000000..40a7a28 --- /dev/null +++ b/SOURCES/hide-profiles-not-in-good-shape-for-RHEL.patch @@ -0,0 +1,54 @@ +From e0f62e3828b9deda102f247b3789f68aeb4e518d Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Fri, 16 Feb 2024 12:07:36 +0100 +Subject: [PATCH] Hide profiles not in good shape for RHEL + +There are some profiles introduced long time ago but no longer +maintained. For compatibility purposes they are not removed from +datastream but are now hidden for RHEL8 to prevent people from +using them. +--- + products/rhel8/profiles/cjis.profile | 2 ++ + products/rhel8/profiles/rht-ccp.profile | 2 ++ + products/rhel8/profiles/standard.profile | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile +index 30843b692e..c44c63516f 100644 +--- a/products/rhel8/profiles/cjis.profile ++++ b/products/rhel8/profiles/cjis.profile +@@ -1,5 +1,7 @@ + documentation_complete: true + ++hidden: true ++ + metadata: + version: 5.4 + SMEs: +diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile +index 01133a9bde..3f6cb751c9 100644 +--- a/products/rhel8/profiles/rht-ccp.profile ++++ b/products/rhel8/profiles/rht-ccp.profile +@@ -1,5 +1,7 @@ + documentation_complete: true + ++hidden: true ++ + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + + description: |- +diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile +index 11d72da2d9..79b491113a 100644 +--- a/products/rhel8/profiles/standard.profile ++++ b/products/rhel8/profiles/standard.profile +@@ -1,5 +1,7 @@ + documentation_complete: true + ++hidden: true ++ + title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + + description: |- +-- +2.43.1 + diff --git a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch deleted file mode 100644 index af7d37e..0000000 --- a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 8 Aug 2023 15:15:21 +0200 -Subject: [PATCH] Remove kernel cmdline check - -The OVAL in rule enable_fips_mode contains multiple checks. One -of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`. -Although this is useful for latest RHEL versions, this file doesn't -exist on RHEL 8.6 and 9.0. This causes that the rule fails after -remediation on these RHEL versions. - -We want the same OVAL behavior on all minor RHEL releases, therefore -we will remove this test from the OVAL completely. - -Related to: https://github.com/ComplianceAsCode/content/pull/10897 ---- - .../fips/enable_fips_mode/oval/shared.xml | 15 --------------- - 1 file changed, 15 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 88aae7aaab9..3b50e07060e 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -12,8 +12,6 @@ - comment="system cryptography policy is configured"/> - -- - {{% if "ol" in product or "rhel" in product %}} - - -@@ -57,19 +55,6 @@ - ^(?:.*\s)?fips=1(?:\s.*)?$ - - -- -- -- -- -- -- -- ^/etc/kernel/cmdline -- ^(.*)$ -- 1 -- -- - - diff --git a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch deleted file mode 100644 index fbc06d7..0000000 --- a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch +++ /dev/null @@ -1,272 +0,0 @@ -From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Thu, 27 Jul 2023 10:02:08 +0200 -Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects - -This commit only improves readability without any technical impact in -the OVAL logic. ---- - .../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++------- - 1 file changed, 50 insertions(+), 31 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index fe3f96f52a5..0ec076a5fb7 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -1,32 +1,38 @@ - -- -+ - {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} - -- -- -- -- -- -- -+ -+ -+ -+ -+ -+ - {{% if "ol" in product or "rhel" in product %}} - - -- -- -+ -+ - - - -- -+ - - {{% if product in ["ol8", "rhel8"] %}} -- -+ - {{% else %}} -- -+ - {{% endif %}} - - -@@ -34,58 +40,71 @@ - - - -- -+ - - - -+ - - ^/boot/loader/entries/.*.conf - ^options (.*)$ - 1 - -+ - - ^(?:.*\s)?fips=1(?:\s.*)?$ - -- -+ -+ - - - -+ - - ^/etc/kernel/cmdline - ^(.*)$ - 1 - - -- -+ - - - -+ - - var_system_crypto_policy - -- -+ -+ - {{% if product in ["ol9","rhel9"] -%}} - ^FIPS(:OSPP)?$ - {{%- else %}} -- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} -+ {{# Legacy and more relaxed list of crypto policies that were historically considered -+ FIPS-compatible. More recent products should use the more restricted list of options #}} - ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ - {{%- endif %}} - -+ - {{% if product in ["ol8","rhel8"] %}} -- -+ - - -- -+ -+ - /boot/grub2/grubenv - fips=1 - 1 - - {{% endif %}} -- -+ -+ - - -From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001 -From: Marcus Burghardt -Date: Thu, 27 Jul 2023 10:20:33 +0200 -Subject: [PATCH 2/2] Improve OVAL comments for better readability - -Simplified the comments and aligned the respective lines to the -project Style Guides. ---- - .../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++--------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -index 0ec076a5fb7..88aae7aaab9 100644 ---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml -@@ -3,36 +3,36 @@ - {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} - - -+ comment="check /etc/system-fips file existence"/> - -+ comment="check option crypto.fips_enabled = 1 in sysctl"/> - -+ comment="dracut FIPS module is enabled"/> - - -+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/> - -+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/> - {{% if "ol" in product or "rhel" in product %}} - - - -+ comment="generic test for s390x architecture"/> - -+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> - - - - -+ comment="generic test for non-s390x architecture"/> - - {{% if product in ["ol8", "rhel8"] %}} - - {{% else %}} - -+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> - {{% endif %}} - - -@@ -42,7 +42,7 @@ - - -+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf"> - - - -@@ -59,7 +59,7 @@ - - -+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"> - - - -@@ -71,7 +71,7 @@ - - - -+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS"> - - - -@@ -81,7 +81,8 @@ - - - -+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds -+to a crypto policy module that further restricts the modified crypto policy."> - {{% if product in ["ol9","rhel9"] -%}} - ^FIPS(:OSPP)?$ - {{%- else %}} -@@ -94,7 +95,7 @@ - {{% if product in ["ol8","rhel8"] %}} - -+ comment="FIPS mode is selected in running kernel options"> - - - -@@ -106,5 +107,5 @@ - {{% endif %}} - - -+ datatype="string" comment="variable which selects the crypto policy"/> - diff --git a/SOURCES/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch b/SOURCES/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch deleted file mode 100644 index bf45744..0000000 --- a/SOURCES/scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 17 Aug 2023 10:50:09 +0200 -Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high - ---- - products/rhel8/profiles/anssi_bp28_high.profile | 2 ++ - products/rhel9/profiles/anssi_bp28_high.profile | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile -index e2eeabbb78d..204e141b1f5 100644 ---- a/products/rhel8/profiles/anssi_bp28_high.profile -+++ b/products/rhel8/profiles/anssi_bp28_high.profile -@@ -17,3 +17,5 @@ description: |- - - selections: - - anssi:all:high -+ # the following rule renders UEFI systems unbootable -+ - '!sebool_secure_mode_insmod' -diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile -index e2eeabbb78d..204e141b1f5 100644 ---- a/products/rhel9/profiles/anssi_bp28_high.profile -+++ b/products/rhel9/profiles/anssi_bp28_high.profile -@@ -17,3 +17,5 @@ description: |- - - selections: - - anssi:all:high -+ # the following rule renders UEFI systems unbootable -+ - '!sebool_secure_mode_insmod' diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 05c2a55..66dbdf0 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -5,8 +5,8 @@ # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly Name: scap-security-guide -Version: 0.1.69 -Release: 2%{?dist}.alma.1 +Version: 0.1.72 +Release: 2%{?dist}.alma Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -14,13 +14,8 @@ URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 # Include tarball with last released rhel6 content Source1: %{_static_rhel6_content}.tar.bz2 -# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream -Patch0: disable-not-in-good-shape-profiles.patch -# Fix rule enable_fips_mode -Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch -Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch -# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting -Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch +# Patch hides cjis, rht-ccp and standard profiles for RHEL8 +Patch0: hide-profiles-not-in-good-shape-for-RHEL.patch # AlmaLinux patches @@ -121,9 +116,26 @@ cd build %{_datadir}/%{name}/ansible/rule_playbooks %changelog -* Mon Oct 30 2023 Andrew Lukoshko - 0.1.69-2.alma.1 +* Tue Feb 27 2024 Andrew Lukoshko - 0.1.72-2.alma - Add AlmaLinux support +* Fri Feb 16 2024 Marcus Burghardt - 0.1.72-2 +- Unlist profiles no longer maintained in RHEL8. +* Wed Feb 14 2024 Marcus Burghardt - 0.1.72-1 +- Rebase to a new upstream release 0.1.72 (RHEL-25250) +- Increase CIS standards coverage regarding SSH and cron (RHEL-1314) +- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811) +- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313) +- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819) +- Add rule to terminate idle user sessions after defined time (RHEL-1801) +- Allow spaces around equal sign in /etc/sudoers (RHEL-1904) +- Add remediation for rule fapolicy_default_deny (RHEL-1817) +- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127) +- Refactor ensure_pam_wheel_group_empty (RHEL-1905) +- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809) +- Update PCI-DSS to v4 (RHEL-1808) +- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820) + * Thu Aug 17 2023 Vojtech Polasek - 0.1.69-2 - remove problematic rule from ANSSI High profile (RHBZ#2221695)