From 7c9bce97770529fa2767247e568a7063c431a7ec Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jan 2020 16:54:49 -0500 Subject: [PATCH] import scap-security-guide-0.1.47-2.el8 --- .gitignore | 2 +- .scap-security-guide.metadata | 2 +- ...-security-guide-0.1.48-e8_kickstarts.patch | 362 ++++++++++++++++++ ...scap-security-guide-0.1.48-e8_polish.patch | 60 +++ SPECS/scap-security-guide.spec | 58 ++- 5 files changed, 462 insertions(+), 22 deletions(-) create mode 100644 SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch create mode 100644 SOURCES/scap-security-guide-0.1.48-e8_polish.patch diff --git a/.gitignore b/.gitignore index b721383..d3d33d0 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/scap-security-guide-0.1.44.tar.bz2 +SOURCES/scap-security-guide-0.1.47.tar.bz2 diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata index 5ac652c..3f50c30 100644 --- a/.scap-security-guide.metadata +++ b/.scap-security-guide.metadata @@ -1 +1 @@ -909fd69f4a290ae8edec9edac9ffcee405becfa2 SOURCES/scap-security-guide-0.1.44.tar.bz2 +4459787cf5bceb48e0743b84057196206e999ca4 SOURCES/scap-security-guide-0.1.47.tar.bz2 diff --git a/SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch b/SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch new file mode 100644 index 0000000..9d425f5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch @@ -0,0 +1,362 @@ +From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Nov 2019 18:05:32 +0100 +Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles + +As the profile doesn't require a particular disk partition layout, I +went for the 'autopart' feature. +--- + rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++ + 2 files changed, 244 insertions(+) + create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg + create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg + +diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +new file mode 100644 +index 0000000000..9e44a87a86 +--- /dev/null ++++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +@@ -0,0 +1,122 @@ ++# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server ++# Version: 0.0.1 ++# Date: 2019-11-13 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_e8 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +new file mode 100644 +index 0000000000..3555f528cb +--- /dev/null ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -0,0 +1,122 @@ ++# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server ++# Version: 0.0.1 ++# Date: 2019-11-13 ++# ++# Based on: ++# http://fedoraproject.org/wiki/Anaconda/Kickstart ++# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++ ++# Install a fresh new system (optional) ++install ++ ++# Specify installation method to use for installation ++# To use a different one comment out the 'url' one below, update ++# the selected choice with proper options & un-comment it ++# ++# Install from an installation tree on a remote server via FTP or HTTP: ++# --url the URL to install from ++# ++# Example: ++# ++# url --url=http://192.168.122.1/image ++# ++# Modify concrete URL in the above example appropriately to reflect the actual ++# environment machine is to be installed in ++# ++# Other possible / supported installation methods: ++# * install from the first CD-ROM/DVD drive on the system: ++# ++# cdrom ++# ++# * install from a directory of ISO images on a local drive: ++# ++# harddrive --partition=hdb2 --dir=/tmp/install-tree ++# ++# * install from provided NFS server: ++# ++# nfs --server= --dir= [--opts=] ++# ++ ++# Set language to use during installation and the default language to use on the installed system (required) ++lang en_US.UTF-8 ++ ++# Set system keyboard type / layout (required) ++keyboard us ++ ++# Configure network information for target system and activate network devices in the installer environment (optional) ++# --onboot enable device at a boot time ++# --device device to be activated and / or configured with the network command ++# --bootproto method to obtain networking configuration for device (default dhcp) ++# --noipv6 disable IPv6 on this device ++# ++# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, ++# "--bootproto=static" must be used. For example: ++# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 ++# ++network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++ ++# Set the system's root password (required) ++# Plaintext password is: server ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 ++ ++# The selected profile will restrict root login ++# Add a user that can login and escalate privileges ++# Plaintext password is: admin123 ++user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted ++ ++# Configure firewall settings for the system (optional) ++# --enabled reject incoming connections that are not in response to outbound requests ++# --ssh allow sshd service through the firewall ++firewall --enabled --ssh ++ ++# Set up the authentication options for the system (required) ++# --enableshadow enable shadowed passwords by default ++# --passalgo hash / crypt algorithm for new passwords ++# See the manual page for authconfig for a complete list of possible options. ++authconfig --enableshadow --passalgo=sha512 ++ ++# State of SELinux on the installed system (optional) ++# Defaults to enforcing ++selinux --enforcing ++ ++# Set the system time zone (required) ++timezone --utc America/New_York ++ ++# Specify how the bootloader should be installed (required) ++# Plaintext password is: password ++# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create ++# encrypted password form for different plaintext password ++bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 ++ ++# Initialize (format) all disks (optional) ++zerombr ++ ++# The following partition layout scheme assumes disk of size 20GB or larger ++# Modify size of partitions appropriately to reflect actual machine's hardware ++# ++# Remove Linux partitions from the system prior to creating new ones (optional) ++# --linux erase all Linux partitions ++# --initlabel initialize the disk label to the default based on the underlying architecture ++clearpart --linux --initlabel ++ ++# Create primary system partitions (required for installs) ++autopart ++ ++%addon org_fedora_oscap ++ content-type = scap-security-guide ++ profile = xccdf_org.ssgproject.content_profile_e8 ++%end ++ ++# Packages selection (%packages section is required) ++%packages ++ ++# Require @Base ++@Base ++ ++%end # End of %packages section ++ ++# Reboot after the installation is complete (optional) ++# --eject attempt to eject CD or DVD media before rebooting ++reboot --eject + +From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Nov 2019 11:19:51 +0100 +Subject: [PATCH 2/4] Use authselect for el8 kickstart + +auth and authconfig are deprecated +--- + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index 3555f528cb..e814024e2e 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf + firewall --enabled --ssh + + # Set up the authentication options for the system (required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 ++# sssd profile sets sha512 to hash passwords ++# passwords are shadowed by default ++# See the manual page for authselect-profile for a complete list of possible options. ++authselect select sssd + + # State of SELinux on the installed system (optional) + # Defaults to enforcing + +From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 15 Nov 2019 11:22:31 +0100 +Subject: [PATCH 3/4] Updated kickstart documenation link for el8 + +--- + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index e814024e2e..41d4b3d654 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -4,7 +4,7 @@ + # + # Based on: + # http://fedoraproject.org/wiki/Anaconda/Kickstart +-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart + + # Install a fresh new system (optional) + install + +From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Nov 2019 13:31:18 +0100 +Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation + +--- + rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++ + rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +index 9e44a87a86..23f1bad7e1 100644 +--- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg +@@ -104,6 +104,9 @@ clearpart --linux --initlabel + # Create primary system partitions (required for installs) + autopart + ++# Harden installation with Essential Eight profile ++# For more details and configuration options see command %addon org_fedora_oscap in ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands + %addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 +diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +index 41d4b3d654..8380ea13a3 100644 +--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg +@@ -104,6 +104,9 @@ clearpart --linux --initlabel + # Create primary system partitions (required for installs) + autopart + ++# Harden installation with Essential Eight profile ++# For more details and configuration options see ++# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program + %addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_e8 diff --git a/SOURCES/scap-security-guide-0.1.48-e8_polish.patch b/SOURCES/scap-security-guide-0.1.48-e8_polish.patch new file mode 100644 index 0000000..0097c4b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.48-e8_polish.patch @@ -0,0 +1,60 @@ +From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Thu, 21 Nov 2019 16:28:23 +0100 +Subject: [PATCH 1/2] Updated the e8 profile for RHEL8. + +- removed obsolete SSHD settings. +- added rules for crypto policies. +--- + rhel8/profiles/e8.profile | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile +index 53b4c156e2..f0f19a4708 100644 +--- a/rhel8/profiles/e8.profile ++++ b/rhel8/profiles/e8.profile +@@ -123,14 +123,16 @@ selections: + - sshd_print_last_log + - sshd_use_priv_separation + - sshd_do_not_permit_user_env +- - sshd_disable_rhosts_rsa + - sshd_disable_rhosts +- - sshd_allow_only_protocol2 + - sshd_set_loglevel_info + - sshd_disable_empty_passwords + - sshd_disable_user_known_hosts + - sshd_enable_strictmodes + ++ - var_system_crypto_policy=default ++ - configure_crypto_policy ++ - configure_ssh_crypto_policy ++ + ### Application whitelisting + - package_fapolicyd_installed + - service_fapolicyd_enabled + +From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= +Date: Mon, 25 Nov 2019 16:42:37 +0100 +Subject: [PATCH 2/2] Update the crypto policy and rationale. + +--- + rhel8/profiles/e8.profile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile +index f0f19a4708..f78e908482 100644 +--- a/rhel8/profiles/e8.profile ++++ b/rhel8/profiles/e8.profile +@@ -129,7 +129,10 @@ selections: + - sshd_disable_user_known_hosts + - sshd_enable_strictmodes + +- - var_system_crypto_policy=default ++ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this. ++ # TODO: Re-evaluate after another crypto policies become available. ++ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography ++ - var_system_crypto_policy=future + - configure_crypto_policy + - configure_ssh_crypto_policy + diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 23335b5..4515602 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -1,12 +1,15 @@ Name: scap-security-guide -Version: 0.1.44 +Version: 0.1.47 Release: 2%{?dist} Summary: Security guidance and baselines in SCAP formats Group: Applications/System License: BSD URL: https://github.com/ComplianceAsCode/content/ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 +# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream Patch0: disable-not-in-good-shape-profiles.patch +Patch1: scap-security-guide-0.1.48-e8_kickstarts.patch +Patch2: scap-security-guide-0.1.48-e8_polish.patch BuildArch: noarch # To get python3 inside the buildroot require its path explicitly in BuildRequires @@ -41,29 +44,19 @@ present in %{name} package. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 mkdir build %build cd build %cmake \ --DSSG_PRODUCT_CHROMIUM:BOOL=OFF \ --DSSG_PRODUCT_DEBIAN8:BOOL=OFF \ --DSSG_PRODUCT_EAP6:BOOL=OFF \ --DSSG_PRODUCT_EXAMPLE:BOOL=OFF \ --DSSG_PRODUCT_FEDORA:BOOL=OFF \ --DSSG_PRODUCT_FUSE6:BOOL=OFF \ --DSSG_PRODUCT_OCP3:BOOL=OFF \ --DSSG_PRODUCT_OL7:BOOL=OFF \ --DSSG_PRODUCT_OL8:BOOL=OFF \ --DSSG_PRODUCT_OPENSUSE:BOOL=OFF \ --DSSG_PRODUCT_RHOSP13:BOOL=OFF \ --DSSG_PRODUCT_RHV4:BOOL=OFF \ --DSSG_PRODUCT_SLE11:BOOL=OFF \ --DSSG_PRODUCT_SLE12:BOOL=OFF \ --DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \ --DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \ --DSSG_PRODUCT_UBUNTU1804:BOOL=OFF \ --DSSG_PRODUCT_WRLINUX:BOOL=OFF \ +-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ +-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ +-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ +-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \ +-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \ -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../ %make_build @@ -87,6 +80,31 @@ cd build %doc %{_docdir}/%{name}/tables/*.html %changelog +* Tue Nov 26 2019 Matěj Týč - 0.1.47-2 +- Improved the e8 profile (RHBZ#1755194) + +* Mon Nov 11 2019 Vojtech Polasek - 0.1.47-1 +- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762) + +* Wed Oct 16 2019 Gabriel Becker - 0.1.46-3 +- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821) + +* Wed Oct 09 2019 Watson Sato - 0.1.46-2 +- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919) + +* Mon Sep 02 2019 Watson Sato - 0.1.46-1 +- Update to latest upstream SCAP-Security-Guide-0.1.46 release +- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798) + +* Wed Aug 07 2019 Milan Lysonek - 0.1.45-2 +- Use crypto-policy rules in OSPP profile. +- Re-enable FIREFOX and JRE product in build. +- Change test suite logging message about missing profile from ERROR to WARNING. +- Build only one version of SCAP content at a time. + +* Tue Aug 06 2019 Milan Lysonek - 0.1.45-1 +- Update to latest upstream SCAP-Security-Guide-0.1.45 release + * Mon Jun 17 2019 Matěj Týč - 0.1.44-2 - Ported changelog from late 8.0 builds. - Disabled build of the OL8 product, updated other components of the cmake invocation. @@ -337,7 +355,7 @@ cd build * Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3 - Add .gitignore for Fedora output directory - Set up Fedora release name and CPE based on build system properties -- Use correct file paths in scap-security-guide(8) manual page +- Use correct file paths in scap-security-guide(8) manual page (RH BZ#1018905, c#10) - Apply further changes motivated by scap-security-guide Fedora RPM review request (RH BZ#1018905, c#8):