import scap-security-guide-0.1.47-2.el8
This commit is contained in:
parent
1e2db9da68
commit
7c9bce9777
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/scap-security-guide-0.1.44.tar.bz2
|
SOURCES/scap-security-guide-0.1.47.tar.bz2
|
||||||
|
@ -1 +1 @@
|
|||||||
909fd69f4a290ae8edec9edac9ffcee405becfa2 SOURCES/scap-security-guide-0.1.44.tar.bz2
|
4459787cf5bceb48e0743b84057196206e999ca4 SOURCES/scap-security-guide-0.1.47.tar.bz2
|
||||||
|
362
SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch
Normal file
362
SOURCES/scap-security-guide-0.1.48-e8_kickstarts.patch
Normal file
@ -0,0 +1,362 @@
|
|||||||
|
From 3cf5caec6f0705d24bc3f285e19d1831714bca16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Wed, 13 Nov 2019 18:05:32 +0100
|
||||||
|
Subject: [PATCH 1/4] Add simple kickstart file for e8 profiles
|
||||||
|
|
||||||
|
As the profile doesn't require a particular disk partition layout, I
|
||||||
|
went for the 'autopart' feature.
|
||||||
|
---
|
||||||
|
rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
|
||||||
|
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 122 ++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 244 insertions(+)
|
||||||
|
create mode 100644 rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
create mode 100644 rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
|
||||||
|
diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..9e44a87a86
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
@@ -0,0 +1,122 @@
|
||||||
|
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 7 Server
|
||||||
|
+# Version: 0.0.1
|
||||||
|
+# Date: 2019-11-13
|
||||||
|
+#
|
||||||
|
+# Based on:
|
||||||
|
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||||
|
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
||||||
|
+
|
||||||
|
+# Install a fresh new system (optional)
|
||||||
|
+install
|
||||||
|
+
|
||||||
|
+# Specify installation method to use for installation
|
||||||
|
+# To use a different one comment out the 'url' one below, update
|
||||||
|
+# the selected choice with proper options & un-comment it
|
||||||
|
+#
|
||||||
|
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||||
|
+# --url the URL to install from
|
||||||
|
+#
|
||||||
|
+# Example:
|
||||||
|
+#
|
||||||
|
+# url --url=http://192.168.122.1/image
|
||||||
|
+#
|
||||||
|
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||||
|
+# environment machine is to be installed in
|
||||||
|
+#
|
||||||
|
+# Other possible / supported installation methods:
|
||||||
|
+# * install from the first CD-ROM/DVD drive on the system:
|
||||||
|
+#
|
||||||
|
+# cdrom
|
||||||
|
+#
|
||||||
|
+# * install from a directory of ISO images on a local drive:
|
||||||
|
+#
|
||||||
|
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||||
|
+#
|
||||||
|
+# * install from provided NFS server:
|
||||||
|
+#
|
||||||
|
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||||
|
+lang en_US.UTF-8
|
||||||
|
+
|
||||||
|
+# Set system keyboard type / layout (required)
|
||||||
|
+keyboard us
|
||||||
|
+
|
||||||
|
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||||
|
+# --onboot enable device at a boot time
|
||||||
|
+# --device device to be activated and / or configured with the network command
|
||||||
|
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||||
|
+# --noipv6 disable IPv6 on this device
|
||||||
|
+#
|
||||||
|
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||||
|
+# "--bootproto=static" must be used. For example:
|
||||||
|
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||||
|
+#
|
||||||
|
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||||
|
+
|
||||||
|
+# Set the system's root password (required)
|
||||||
|
+# Plaintext password is: server
|
||||||
|
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||||
|
+# encrypted password form for different plaintext password
|
||||||
|
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||||
|
+
|
||||||
|
+# The selected profile will restrict root login
|
||||||
|
+# Add a user that can login and escalate privileges
|
||||||
|
+# Plaintext password is: admin123
|
||||||
|
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||||
|
+
|
||||||
|
+# Configure firewall settings for the system (optional)
|
||||||
|
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||||
|
+# --ssh allow sshd service through the firewall
|
||||||
|
+firewall --enabled --ssh
|
||||||
|
+
|
||||||
|
+# Set up the authentication options for the system (required)
|
||||||
|
+# --enableshadow enable shadowed passwords by default
|
||||||
|
+# --passalgo hash / crypt algorithm for new passwords
|
||||||
|
+# See the manual page for authconfig for a complete list of possible options.
|
||||||
|
+authconfig --enableshadow --passalgo=sha512
|
||||||
|
+
|
||||||
|
+# State of SELinux on the installed system (optional)
|
||||||
|
+# Defaults to enforcing
|
||||||
|
+selinux --enforcing
|
||||||
|
+
|
||||||
|
+# Set the system time zone (required)
|
||||||
|
+timezone --utc America/New_York
|
||||||
|
+
|
||||||
|
+# Specify how the bootloader should be installed (required)
|
||||||
|
+# Plaintext password is: password
|
||||||
|
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||||
|
+# encrypted password form for different plaintext password
|
||||||
|
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||||
|
+
|
||||||
|
+# Initialize (format) all disks (optional)
|
||||||
|
+zerombr
|
||||||
|
+
|
||||||
|
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||||
|
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||||
|
+#
|
||||||
|
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||||
|
+# --linux erase all Linux partitions
|
||||||
|
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||||
|
+clearpart --linux --initlabel
|
||||||
|
+
|
||||||
|
+# Create primary system partitions (required for installs)
|
||||||
|
+autopart
|
||||||
|
+
|
||||||
|
+%addon org_fedora_oscap
|
||||||
|
+ content-type = scap-security-guide
|
||||||
|
+ profile = xccdf_org.ssgproject.content_profile_e8
|
||||||
|
+%end
|
||||||
|
+
|
||||||
|
+# Packages selection (%packages section is required)
|
||||||
|
+%packages
|
||||||
|
+
|
||||||
|
+# Require @Base
|
||||||
|
+@Base
|
||||||
|
+
|
||||||
|
+%end # End of %packages section
|
||||||
|
+
|
||||||
|
+# Reboot after the installation is complete (optional)
|
||||||
|
+# --eject attempt to eject CD or DVD media before rebooting
|
||||||
|
+reboot --eject
|
||||||
|
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000..3555f528cb
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
@@ -0,0 +1,122 @@
|
||||||
|
+# SCAP Security Guide Essential Eight profile kickstart for Red Hat Enterprise Linux 8 Server
|
||||||
|
+# Version: 0.0.1
|
||||||
|
+# Date: 2019-11-13
|
||||||
|
+#
|
||||||
|
+# Based on:
|
||||||
|
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||||
|
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
||||||
|
+
|
||||||
|
+# Install a fresh new system (optional)
|
||||||
|
+install
|
||||||
|
+
|
||||||
|
+# Specify installation method to use for installation
|
||||||
|
+# To use a different one comment out the 'url' one below, update
|
||||||
|
+# the selected choice with proper options & un-comment it
|
||||||
|
+#
|
||||||
|
+# Install from an installation tree on a remote server via FTP or HTTP:
|
||||||
|
+# --url the URL to install from
|
||||||
|
+#
|
||||||
|
+# Example:
|
||||||
|
+#
|
||||||
|
+# url --url=http://192.168.122.1/image
|
||||||
|
+#
|
||||||
|
+# Modify concrete URL in the above example appropriately to reflect the actual
|
||||||
|
+# environment machine is to be installed in
|
||||||
|
+#
|
||||||
|
+# Other possible / supported installation methods:
|
||||||
|
+# * install from the first CD-ROM/DVD drive on the system:
|
||||||
|
+#
|
||||||
|
+# cdrom
|
||||||
|
+#
|
||||||
|
+# * install from a directory of ISO images on a local drive:
|
||||||
|
+#
|
||||||
|
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
||||||
|
+#
|
||||||
|
+# * install from provided NFS server:
|
||||||
|
+#
|
||||||
|
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+# Set language to use during installation and the default language to use on the installed system (required)
|
||||||
|
+lang en_US.UTF-8
|
||||||
|
+
|
||||||
|
+# Set system keyboard type / layout (required)
|
||||||
|
+keyboard us
|
||||||
|
+
|
||||||
|
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
||||||
|
+# --onboot enable device at a boot time
|
||||||
|
+# --device device to be activated and / or configured with the network command
|
||||||
|
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
||||||
|
+# --noipv6 disable IPv6 on this device
|
||||||
|
+#
|
||||||
|
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
||||||
|
+# "--bootproto=static" must be used. For example:
|
||||||
|
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
||||||
|
+#
|
||||||
|
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
||||||
|
+
|
||||||
|
+# Set the system's root password (required)
|
||||||
|
+# Plaintext password is: server
|
||||||
|
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||||
|
+# encrypted password form for different plaintext password
|
||||||
|
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
|
||||||
|
+
|
||||||
|
+# The selected profile will restrict root login
|
||||||
|
+# Add a user that can login and escalate privileges
|
||||||
|
+# Plaintext password is: admin123
|
||||||
|
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
||||||
|
+
|
||||||
|
+# Configure firewall settings for the system (optional)
|
||||||
|
+# --enabled reject incoming connections that are not in response to outbound requests
|
||||||
|
+# --ssh allow sshd service through the firewall
|
||||||
|
+firewall --enabled --ssh
|
||||||
|
+
|
||||||
|
+# Set up the authentication options for the system (required)
|
||||||
|
+# --enableshadow enable shadowed passwords by default
|
||||||
|
+# --passalgo hash / crypt algorithm for new passwords
|
||||||
|
+# See the manual page for authconfig for a complete list of possible options.
|
||||||
|
+authconfig --enableshadow --passalgo=sha512
|
||||||
|
+
|
||||||
|
+# State of SELinux on the installed system (optional)
|
||||||
|
+# Defaults to enforcing
|
||||||
|
+selinux --enforcing
|
||||||
|
+
|
||||||
|
+# Set the system time zone (required)
|
||||||
|
+timezone --utc America/New_York
|
||||||
|
+
|
||||||
|
+# Specify how the bootloader should be installed (required)
|
||||||
|
+# Plaintext password is: password
|
||||||
|
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
|
||||||
|
+# encrypted password form for different plaintext password
|
||||||
|
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
|
||||||
|
+
|
||||||
|
+# Initialize (format) all disks (optional)
|
||||||
|
+zerombr
|
||||||
|
+
|
||||||
|
+# The following partition layout scheme assumes disk of size 20GB or larger
|
||||||
|
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
||||||
|
+#
|
||||||
|
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
||||||
|
+# --linux erase all Linux partitions
|
||||||
|
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
||||||
|
+clearpart --linux --initlabel
|
||||||
|
+
|
||||||
|
+# Create primary system partitions (required for installs)
|
||||||
|
+autopart
|
||||||
|
+
|
||||||
|
+%addon org_fedora_oscap
|
||||||
|
+ content-type = scap-security-guide
|
||||||
|
+ profile = xccdf_org.ssgproject.content_profile_e8
|
||||||
|
+%end
|
||||||
|
+
|
||||||
|
+# Packages selection (%packages section is required)
|
||||||
|
+%packages
|
||||||
|
+
|
||||||
|
+# Require @Base
|
||||||
|
+@Base
|
||||||
|
+
|
||||||
|
+%end # End of %packages section
|
||||||
|
+
|
||||||
|
+# Reboot after the installation is complete (optional)
|
||||||
|
+# --eject attempt to eject CD or DVD media before rebooting
|
||||||
|
+reboot --eject
|
||||||
|
|
||||||
|
From 94249bce4b61c33e52f59efdb112e2082b4acf46 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Fri, 15 Nov 2019 11:19:51 +0100
|
||||||
|
Subject: [PATCH 2/4] Use authselect for el8 kickstart
|
||||||
|
|
||||||
|
auth and authconfig are deprecated
|
||||||
|
---
|
||||||
|
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
index 3555f528cb..e814024e2e 100644
|
||||||
|
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
@@ -72,10 +72,10 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
|
||||||
|
firewall --enabled --ssh
|
||||||
|
|
||||||
|
# Set up the authentication options for the system (required)
|
||||||
|
-# --enableshadow enable shadowed passwords by default
|
||||||
|
-# --passalgo hash / crypt algorithm for new passwords
|
||||||
|
-# See the manual page for authconfig for a complete list of possible options.
|
||||||
|
-authconfig --enableshadow --passalgo=sha512
|
||||||
|
+# sssd profile sets sha512 to hash passwords
|
||||||
|
+# passwords are shadowed by default
|
||||||
|
+# See the manual page for authselect-profile for a complete list of possible options.
|
||||||
|
+authselect select sssd
|
||||||
|
|
||||||
|
# State of SELinux on the installed system (optional)
|
||||||
|
# Defaults to enforcing
|
||||||
|
|
||||||
|
From 1ff6ab4ec0449074c4608eed0194903123eda34b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Fri, 15 Nov 2019 11:22:31 +0100
|
||||||
|
Subject: [PATCH 3/4] Updated kickstart documenation link for el8
|
||||||
|
|
||||||
|
---
|
||||||
|
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
index e814024e2e..41d4b3d654 100644
|
||||||
|
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
@@ -4,7 +4,7 @@
|
||||||
|
#
|
||||||
|
# Based on:
|
||||||
|
# http://fedoraproject.org/wiki/Anaconda/Kickstart
|
||||||
|
-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
||||||
|
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
|
||||||
|
|
||||||
|
# Install a fresh new system (optional)
|
||||||
|
install
|
||||||
|
|
||||||
|
From ef5edccc3ec58131644f31481ec3df20ab345229 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Watson Sato <wsato@redhat.com>
|
||||||
|
Date: Mon, 18 Nov 2019 13:31:18 +0100
|
||||||
|
Subject: [PATCH 4/4] Add link to oscap-anaconda-addon documentation
|
||||||
|
|
||||||
|
---
|
||||||
|
rhel7/kickstart/ssg-rhel7-e8-ks.cfg | 3 +++
|
||||||
|
rhel8/kickstart/ssg-rhel8-e8-ks.cfg | 3 +++
|
||||||
|
2 files changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
index 9e44a87a86..23f1bad7e1 100644
|
||||||
|
--- a/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
+++ b/rhel7/kickstart/ssg-rhel7-e8-ks.cfg
|
||||||
|
@@ -104,6 +104,9 @@ clearpart --linux --initlabel
|
||||||
|
# Create primary system partitions (required for installs)
|
||||||
|
autopart
|
||||||
|
|
||||||
|
+# Harden installation with Essential Eight profile
|
||||||
|
+# For more details and configuration options see command %addon org_fedora_oscap in
|
||||||
|
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
||||||
|
%addon org_fedora_oscap
|
||||||
|
content-type = scap-security-guide
|
||||||
|
profile = xccdf_org.ssgproject.content_profile_e8
|
||||||
|
diff --git a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
index 41d4b3d654..8380ea13a3 100644
|
||||||
|
--- a/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
+++ b/rhel8/kickstart/ssg-rhel8-e8-ks.cfg
|
||||||
|
@@ -104,6 +104,9 @@ clearpart --linux --initlabel
|
||||||
|
# Create primary system partitions (required for installs)
|
||||||
|
autopart
|
||||||
|
|
||||||
|
+# Harden installation with Essential Eight profile
|
||||||
|
+# For more details and configuration options see
|
||||||
|
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
|
||||||
|
%addon org_fedora_oscap
|
||||||
|
content-type = scap-security-guide
|
||||||
|
profile = xccdf_org.ssgproject.content_profile_e8
|
60
SOURCES/scap-security-guide-0.1.48-e8_polish.patch
Normal file
60
SOURCES/scap-security-guide-0.1.48-e8_polish.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 5f4e807cb6e54744ad69cd1e7d622c85ae4e8803 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Thu, 21 Nov 2019 16:28:23 +0100
|
||||||
|
Subject: [PATCH 1/2] Updated the e8 profile for RHEL8.
|
||||||
|
|
||||||
|
- removed obsolete SSHD settings.
|
||||||
|
- added rules for crypto policies.
|
||||||
|
---
|
||||||
|
rhel8/profiles/e8.profile | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
|
||||||
|
index 53b4c156e2..f0f19a4708 100644
|
||||||
|
--- a/rhel8/profiles/e8.profile
|
||||||
|
+++ b/rhel8/profiles/e8.profile
|
||||||
|
@@ -123,14 +123,16 @@ selections:
|
||||||
|
- sshd_print_last_log
|
||||||
|
- sshd_use_priv_separation
|
||||||
|
- sshd_do_not_permit_user_env
|
||||||
|
- - sshd_disable_rhosts_rsa
|
||||||
|
- sshd_disable_rhosts
|
||||||
|
- - sshd_allow_only_protocol2
|
||||||
|
- sshd_set_loglevel_info
|
||||||
|
- sshd_disable_empty_passwords
|
||||||
|
- sshd_disable_user_known_hosts
|
||||||
|
- sshd_enable_strictmodes
|
||||||
|
|
||||||
|
+ - var_system_crypto_policy=default
|
||||||
|
+ - configure_crypto_policy
|
||||||
|
+ - configure_ssh_crypto_policy
|
||||||
|
+
|
||||||
|
### Application whitelisting
|
||||||
|
- package_fapolicyd_installed
|
||||||
|
- service_fapolicyd_enabled
|
||||||
|
|
||||||
|
From 659326a1d4db99dc30c4807b5b5ce4c97db37709 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
|
||||||
|
Date: Mon, 25 Nov 2019 16:42:37 +0100
|
||||||
|
Subject: [PATCH 2/2] Update the crypto policy and rationale.
|
||||||
|
|
||||||
|
---
|
||||||
|
rhel8/profiles/e8.profile | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/rhel8/profiles/e8.profile b/rhel8/profiles/e8.profile
|
||||||
|
index f0f19a4708..f78e908482 100644
|
||||||
|
--- a/rhel8/profiles/e8.profile
|
||||||
|
+++ b/rhel8/profiles/e8.profile
|
||||||
|
@@ -129,7 +129,10 @@ selections:
|
||||||
|
- sshd_disable_user_known_hosts
|
||||||
|
- sshd_enable_strictmodes
|
||||||
|
|
||||||
|
- - var_system_crypto_policy=default
|
||||||
|
+ # The E8 profile bans usage of SHA-1, and as of 11/2019 the FUTURE crypto policy is the only one that ensures this.
|
||||||
|
+ # TODO: Re-evaluate after another crypto policies become available.
|
||||||
|
+ # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
|
||||||
|
+ - var_system_crypto_policy=future
|
||||||
|
- configure_crypto_policy
|
||||||
|
- configure_ssh_crypto_policy
|
||||||
|
|
@ -1,12 +1,15 @@
|
|||||||
Name: scap-security-guide
|
Name: scap-security-guide
|
||||||
Version: 0.1.44
|
Version: 0.1.47
|
||||||
Release: 2%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: Security guidance and baselines in SCAP formats
|
Summary: Security guidance and baselines in SCAP formats
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: https://github.com/ComplianceAsCode/content/
|
URL: https://github.com/ComplianceAsCode/content/
|
||||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||||
|
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
|
||||||
Patch0: disable-not-in-good-shape-profiles.patch
|
Patch0: disable-not-in-good-shape-profiles.patch
|
||||||
|
Patch1: scap-security-guide-0.1.48-e8_kickstarts.patch
|
||||||
|
Patch2: scap-security-guide-0.1.48-e8_polish.patch
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||||
@ -41,29 +44,19 @@ present in %{name} package.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
mkdir build
|
mkdir build
|
||||||
|
|
||||||
%build
|
%build
|
||||||
cd build
|
cd build
|
||||||
%cmake \
|
%cmake \
|
||||||
-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
|
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||||
-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
|
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
|
||||||
-DSSG_PRODUCT_EAP6:BOOL=OFF \
|
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
||||||
-DSSG_PRODUCT_EXAMPLE:BOOL=OFF \
|
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
||||||
-DSSG_PRODUCT_FEDORA:BOOL=OFF \
|
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
||||||
-DSSG_PRODUCT_FUSE6:BOOL=OFF \
|
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
|
||||||
-DSSG_PRODUCT_OCP3:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_OL7:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_OL8:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_RHOSP13:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_RHV4:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_SLE11:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_SLE12:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_UBUNTU1804:BOOL=OFF \
|
|
||||||
-DSSG_PRODUCT_WRLINUX:BOOL=OFF \
|
|
||||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
|
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
|
||||||
%make_build
|
%make_build
|
||||||
@ -87,6 +80,31 @@ cd build
|
|||||||
%doc %{_docdir}/%{name}/tables/*.html
|
%doc %{_docdir}/%{name}/tables/*.html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||||
|
- Improved the e8 profile (RHBZ#1755194)
|
||||||
|
|
||||||
|
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
|
||||||
|
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
|
||||||
|
|
||||||
|
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
|
||||||
|
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
|
||||||
|
|
||||||
|
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
|
||||||
|
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
|
||||||
|
|
||||||
|
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
||||||
|
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
|
||||||
|
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
|
||||||
|
|
||||||
|
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
|
||||||
|
- Use crypto-policy rules in OSPP profile.
|
||||||
|
- Re-enable FIREFOX and JRE product in build.
|
||||||
|
- Change test suite logging message about missing profile from ERROR to WARNING.
|
||||||
|
- Build only one version of SCAP content at a time.
|
||||||
|
|
||||||
|
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
|
||||||
|
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
|
||||||
|
|
||||||
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
|
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
|
||||||
- Ported changelog from late 8.0 builds.
|
- Ported changelog from late 8.0 builds.
|
||||||
- Disabled build of the OL8 product, updated other components of the cmake invocation.
|
- Disabled build of the OL8 product, updated other components of the cmake invocation.
|
||||||
|
Loading…
Reference in New Issue
Block a user