Update STIG and ANSSI for RHEL 9.3

- Remove OpenSSH crypto policy hardening rules from STIG profile
- Fix ANSSI High profile with secure boot

Resolves: rhbz#2221697

scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch

@@ -0,0 +1,21 @@
+From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 15 Aug 2023 15:17:16 +0200
+Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
+
+rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
+---
+ controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+index d5fe6e1327b..9d9dc579fc4 100644
+--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
++++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+@@ -7,6 +7,4 @@ controls:
+         rules:
+             - sshd_enable_pam
+             - sysctl_crypto_fips_enabled
+-            - harden_sshd_ciphers_openssh_conf_crypto_policy
+-            - harden_sshd_macs_openssh_conf_crypto_policy
+         status: automated

scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch

@@ -0,0 +1,30 @@
+From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 17 Aug 2023 10:50:09 +0200
+Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
+
+---
+ products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
+ products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel8/profiles/anssi_bp28_high.profile
++++ b/products/rhel8/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+ 
+ selections:
+     - anssi:all:high
++    # the following rule renders UEFI systems unbootable
++    - '!sebool_secure_mode_insmod'
+diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel9/profiles/anssi_bp28_high.profile
++++ b/products/rhel9/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+ 
+ selections:
+     - anssi:all:high
++    # the following rule renders UEFI systems unbootable
++    - '!sebool_secure_mode_insmod'

scap-security-guide.spec

@@ -6,7 +6,7 @@
 
 Name:		scap-security-guide
 Version:	0.1.69
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content/
@@ -14,6 +14,10 @@ Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 # Fix rule enable_fips_mode
 Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
 Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
+# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
+Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
+# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
+Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
 BuildArch:	noarch
 
 BuildRequires:	libxslt
@@ -101,6 +105,10 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
+- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
+- Fix ANSSI High profile with secure boot (RHBZ#2221697)
+
 * Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
 - Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
 - Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)