diff --git a/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch b/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
new file mode 100644
index 0000000..a181eb5
--- /dev/null
+++ b/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
@@ -0,0 +1,21 @@
+From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Tue, 15 Aug 2023 15:17:16 +0200
+Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
+
+rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
+---
+ controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+index d5fe6e1327b..9d9dc579fc4 100644
+--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
++++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+@@ -7,6 +7,4 @@ controls:
+ rules:
+ - sshd_enable_pam
+ - sysctl_crypto_fips_enabled
+- - harden_sshd_ciphers_openssh_conf_crypto_policy
+- - harden_sshd_macs_openssh_conf_crypto_policy
+ status: automated
diff --git a/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch b/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
new file mode 100644
index 0000000..bf45744
--- /dev/null
+++ b/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
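Review bot: Dropping `harden_sshd_ciphers_openssh_conf_crypto_policy` and `harden_sshd_macs_openssh_conf_crypto_policy` from `controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml` leaves the control still marked `status: automated` while its only remaining SSH-specific rule is `sshd_enable_pam`; the patch subject frames this as a RHEL 9 change, but the file lives under the shared `controls/srg_gpos` tree rather than under `products/rhel9`, so any other product that consumes this control (not visible from this hunk) loses the sshd cipher/MAC check as well. As far as its name indicates, `sysctl_crypto_fips_enabled` verifies that the kernel is in FIPS mode, not what sshd is configured to negotiate, so the control's coverage of SSH crypto is now indirect. I would record the rationale next to the surviving rules so the gap is not later mistaken for an oversight, e.g. `# harden_sshd_{ciphers,macs}_openssh_conf_crypto_policy omitted: no RHEL 9 remediation, sshd syntax differs from RHEL 8 (upstream PR 10996)`, and name the RHEL 8 counterpart rules in that comment if the control is shared. The control definition starts before the nested hunk, so any `notes:` field it may already carry is outside this view.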
@@ -0,0 +1,30 @@
+From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 17 Aug 2023 10:50:09 +0200
+Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
+
+---
+ products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
+ products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel8/profiles/anssi_bp28_high.profile
++++ b/products/rhel8/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
+diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel9/profiles/anssi_bp28_high.profile
++++ b/products/rhel9/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 3042be9..057e653 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -6,7 +6,7 @@
 Name: scap-security-guide
 Version: 0.1.69
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
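Review bot: The exclusion `- '!sebool_secure_mode_insmod'` is unconditional, yet the comment above it justifies it only for UEFI systems, so BIOS-booted hosts also lose the kernel-module-loading restriction that `anssi:all:high` selected; the profile should state whether a compensating control remains selected (the rest of `anssi:all:high` is not visible from this hunk). The comment also omits where the breakage claim comes from, which matters when someone later tries to re-enable the rule; I would make it `# sebool_secure_mode_insmod renders UEFI systems unbootable (upstream PR 11001); excluded on all systems until a safe remediation exists`. The identical comment and exclusion are added to both the rhel8 and rhel9 profiles (the hunks even show the same index hashes), so the wording needs to be kept in sync when either file changes. Separately, the spec changelog in this same commit describes the fix as being "with secure boot" while this comment says UEFI; the two should use one term, since Secure Boot is only a subset of UEFI boots.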
@@ -14,6 +14,10 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
 # Fix rule enable_fips_mode
 Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
 Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
+# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
+Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
+# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
+Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
 BuildArch: noarch
 BuildRequires: libxslt
@@ -101,6 +105,10 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 %changelog
+* Thu Aug 17 2023 Jan Černý - 0.1.69-2
+- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
+- Fix ANSSI High profile with secure boot (RHBZ#2221697)
+
 * Wed Aug 09 2023 Jan Černý - 0.1.69-1
+- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
 - Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
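Review bot: The comment above `Patch3` says the rules are removed "from STIG profile", but the patch it introduces edits `controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml`, a shared control file rather than a profile, so a maintainer reading the spec alone would underestimate the scope; I would write `# drop harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from srg_gpos control SRG-OS-000125-GPOS-00065 (no RHEL 9 remediation)`. The `Patch4` comment says "UEFI-based systems" while the changelog entry added for this release says "secure boot"; pick one term so the two descriptions of the same fix agree. Both new changelog bullets reuse `RHBZ#2221697`, the bug the previous entry cites for the rebase, so it is presumably a tracking bug rather than one specific to either regression — worth confirming, because these spec comments are the only place the actual reason is written down.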