commit aae7e6be6574127e92b557e61a4b6906b870a627
Author: CentOS Sources
Date: Fri Jun 11 18:21:15 2021 +0000
import scap-security-guide-0.1.56-1.el8
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..541943d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+SOURCES/scap-security-guide-0.1.56.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..d74b704
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1,2 @@
+b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+68280f72027ec89fda4b861fda932110d833d0d1 SOURCES/scap-security-guide-0.1.56.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
new file mode 100644
index 0000000..736a9ba
--- /dev/null
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -0,0 +1,98 @@ +From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 3 Dec 2020 14:35:47 +0100 +Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 + +--- + rhel8/CMakeLists.txt | 6 ------ + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/ism_o.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 11 files changed, 10 insertions(+), 16 deletions(-) + +diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt +index d61689c97..5e444a101 100644 +--- a/rhel8/CMakeLists.txt ++++ b/rhel8/CMakeLists.txt +@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") + ssg_build_html_table_by_ref(${PRODUCT} "pcidss") + ssg_build_html_table_by_ref(${PRODUCT} "anssi") + +-ssg_build_html_nistrefs_table(${PRODUCT} "standard") + ssg_build_html_nistrefs_table(${PRODUCT} "ospp") + ssg_build_html_nistrefs_table(${PRODUCT} "stig") + +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high") +- + ssg_build_html_cce_table(${PRODUCT}) + + ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) +diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 035d2705b..c6475f33e 100644 +--- a/rhel8/profiles/cjis.profile ++++ b/rhel8/profiles/cjis.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + metadata: + version: 5.4 +diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile +index a3c427c01..4605dea3b 100644 +--- a/rhel8/profiles/ism_o.profile ++++ b/rhel8/profiles/ism_o.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + metadata: + SMEs: +diff --git 
a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile +index 1efca5f44..c3d0b0964 100644 +--- a/rhel8/profiles/rhelh-stig.profile ++++ b/rhel8/profiles/rhelh-stig.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + +diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile +index 2baee6d66..8592d7aaf 100644 +--- a/rhel8/profiles/rhelh-vpp.profile ++++ b/rhel8/profiles/rhelh-vpp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' + +diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index c84579592..164ec98c4 100644 +--- a/rhel8/profiles/rht-ccp.profile ++++ b/rhel8/profiles/rht-ccp.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + +diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 +--- a/rhel8/profiles/standard.profile ++++ b/rhel8/profiles/standard.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' + +-- +2.26.2 + diff --git a/SOURCES/scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch b/SOURCES/scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch new file mode 100644 index 0000000..77c3ca7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch 
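Review bot: The embedded patch's diffstat does not match its own hunks: it lists seven files but states `11 files changed, 10 insertions(+), 16 deletions(-)`, while the hunks that follow add six lines and remove twelve. `git am` ignores the stat so the patch still applies, but the mismatch suggests it was trimmed by hand from the upstream commit it cites (48e959e), which makes it hard to trace what was left out; regenerating it with `git format-patch`, or a one-line sentence in the patch body stating that it is a partial backport, would restore that traceability. Separately, the CMakeLists hunk drops the `bp28_minimal`/`bp28_intermediary`/`bp28_enhanced`/`bp28_high` ANSSI reference tables although none of the ANSSI profiles is marked `documentation_complete: false` here, so if those profiles remain enabled their HTML reference tables silently disappear from the build output; worth confirming that is intended rather than a leftover from the larger upstream change.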
@@ -0,0 +1,115 @@ +From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 5 Jan 2021 18:03:24 +0100 +Subject: [PATCH] Add rule sudo_add_passwd_timeout + +This rule configures sudo password prompt timeout. +--- + controls/anssi.yml | 3 +- + .../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++ + .../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++ + shared/references/cce-redhat-avail.txt | 2 - + 4 files changed, 63 insertions(+), 3 deletions(-) + create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml + create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 705f8e25aab..5120456230b 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -892,7 +892,8 @@ controls: + - var_sudo_umask=0027 + - sudo_add_ignore_dot + - sudo_add_env_reset +- # passwd_timeout=1 ++ - sudo_add_passwd_timeout ++ - var_sudo_passwd_timeout=1_minute + + - id: R59 + level: minimal +diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml +new file mode 100644 +index 00000000000..ae3399527f4 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml +@@ -0,0 +1,40 @@ ++documentation_complete: true ++ ++prodtype: ol7,ol8,rhel7,rhel8 ++ ++title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout' ++ ++description: |- ++ The sudo passwd_timeout tag sets the amount of time sudo password prompt waits. ++{{%- if product in ["rhel7", "rhel8"] %}} ++ On {{{ full_name }}}, the default passwd_timeout value is 5 minutes. ++{{% endif %}} ++ The passwd_timeout should be configured by making sure that the ++ passwd_timeout=sub_var_value("var_sudo_passwd_timeout") tag exists in ++ /etc/sudoers configuration file or any sudo configuration snippets ++ in /etc/sudoers.d/. 
++ ++rationale: |- ++ Reducing the time sudo waits for a a password reduces the time the process is exposed. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83963-9 ++ cce@rhel8: CCE-83964-7 ++ ++references: ++ anssi: BP28(R58) ++ ++ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo' ++ ++ocil: |- ++ To determine if passwd_timeout has been configured for sudo, run the following command: ++
$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/
++ The command should return a matching output. ++ ++template: ++ name: sudo_defaults_option ++ vars: ++ option: passwd_timeout ++ variable_name: "var_sudo_passwd_timeout" +diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var +new file mode 100644 +index 00000000000..4a9dcd5bb7b +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var +@@ -0,0 +1,21 @@ ++documentation_complete: true ++ ++title: 'Sudo - passwd_timeout value' ++ ++description: |- ++ Defines the number of minutes before the sudo password prompt times out. ++ Defining 0 means no timeout. The default timeout value is 5 minutes. ++ ++interactive: false ++ ++type: string ++ ++operator: equals ++ ++options: ++ default: "5" ++ infinite: "0" ++ 1_minute: "1" ++ 2_minutes: "2" ++ 3_minutes: "3" ++ 5_minutes: "5" +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 61391f50c2d..e095e405f66 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -349,8 +349,6 @@ CCE-83959-7 + CCE-83960-5 + CCE-83961-3 + CCE-83962-1 +-CCE-83963-9 +-CCE-83964-7 + CCE-83965-4 + CCE-83966-2 + CCE-83967-0 diff --git a/SOURCES/scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch b/SOURCES/scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch new file mode 100644 index 0000000..6456c7f --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch 
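Review bot: The new variable file offers `infinite: "0"`, which turns the sudo password prompt timeout off entirely, while the rule's rationale is that a shorter wait reduces exposure; a profile selecting that option would satisfy the check with a setting weaker than the 5-minute default the description cites. Either drop the option or state in the variable description that 0 removes the timeout and is not a hardening choice. The rationale also doubles an article; it should read `Reducing the time sudo waits for a password reduces the time the process is exposed.`. The OCIL grep only confirms that some matching `Defaults` line exists under /etc/sudoers or /etc/sudoers.d/, so a later conflicting `passwd_timeout` setting would go unnoticed by a manual reviewer; whether the `sudo_defaults_option` template's automated check handles that case is not visible in this hunk.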
@@ -0,0 +1,120 @@ +From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 10 May 2021 18:53:02 +0200 +Subject: [PATCH] Update and select seboolean rules for R67 + +Fix description of sebool_deny_execmem, and warning about possible +issues. +Add rationale to rules the SELinux booleans. +--- + controls/anssi.yml | 14 +++++++++--- + .../sebool_deny_execmem/rule.yml | 22 ++++++++++++++----- + .../sebool_selinuxuser_execheap/rule.yml | 4 +++- + .../sebool_selinuxuser_execstack/rule.yml | 3 ++- + 4 files changed, 33 insertions(+), 10 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 705f8e25aab..ef9356a6fea 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -967,10 +967,18 @@ controls: + allow_execstack to off, forbids processes to make their stack executable; + secure_mode_insmod to on, prohibits dynamic loading of modules by any process; + ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role. ++ notes: ++ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the ++ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not ++ available, deny_execmem provides the same functionality. 
++ automated: yes + rules: +- # Add rule for sebool allow_execheap +- # Add rule for sebool allow_execmem +- # Add rule for sebool allow_execstack ++ - var_selinuxuser_execheap=off ++ - sebool_selinuxuser_execheap ++ - var_deny_execmem=on ++ - sebool_deny_execmem ++ - var_selinuxuser_execstack=off ++ - sebool_selinuxuser_execstack + - var_secure_mode_insmod=on + - sebool_secure_mode_insmod + - sebool_ssh_sysadm_login +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +index f340ea4be11..e8453fbfb8d 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml +@@ -2,14 +2,16 @@ documentation_complete: true + + prodtype: rhel7,rhel8,rhel9,rhv4 + +-title: 'Disable the deny_execmem SELinux Boolean' ++title: 'Enable the deny_execmem SELinux Boolean' + + description: |- + By default, the SELinux boolean deny_execmem is disabled. +- If this setting is enabled, it should be disabled. ++ If this setting is disabled, it should be enabled. + {{{ describe_sebool_disable(sebool="deny_execmem") }}} + +-rationale: "" ++rationale: |- ++ Allowing user domain applications to map a memory region as both writable and ++ executable makes them more susceptible to data execution attacks. + + severity: medium + +@@ -19,10 +21,20 @@ identifiers: + + references: + anssi: BP28(R67) +- +-{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}} ++ ++{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}} ++ ++warnings: ++ - general: |- ++ This rule doesn't come with a remediation, as enabling this SELinux boolean can cause ++ applications to malfunction, for example Graphical login managers and Firefox. ++ - functionality: |- ++ Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems. 
+ + template: + name: sebool + vars: + seboolid: deny_execmem ++ backends: ++ bash: "off" ++ ansible: "off" +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml +index 45aa81a1223..7fedaab6130 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml +@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean' + + description: |- + By default, the SELinux boolean selinuxuser_execheap is disabled. ++ When enabled this boolean is enabled it allows selinuxusers to execute code from the heap. + If this setting is enabled, it should be disabled. + {{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}} + +-rationale: "" ++rationale: |- ++ Disabling code execution from the heap blocks buffer overflow attacks. + + severity: medium + +diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +index 2b20d0bfe4f..2e0b19f881d 100644 +--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml ++++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml +@@ -10,7 +10,8 @@ description: |- + to make their stack executable. + {{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}} + +-rationale: "" ++rationale: |- ++ Disabling code execution from the stack blocks buffer overflow attacks. + + severity: medium + diff --git a/SOURCES/scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch b/SOURCES/scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch new file mode 100644 index 0000000..2fe2f50 --- /dev/null 
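Review bot: In sebool_deny_execmem/rule.yml the title and OCIL entry are flipped to "enable" (`complete_ocil_entry_sebool_enabled`), but the description still expands `{{{ describe_sebool_disable(sebool="deny_execmem") }}}`, so the rendered guidance will tell the reader to disable the boolean the rule now requires enabled; use the matching enable-form macro if the project provides one, otherwise write the sentence by hand. The selinuxuser_execheap description has a garbled sentence, `When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.`, which should read `When enabled, this boolean allows SELinux users to execute code from the heap.`. The two new rationales overstate the effect: forbidding an executable heap or stack raises the cost of exploiting memory-corruption bugs but does not block buffer overflows, so `Disabling code execution from the heap makes exploitation of memory corruption vulnerabilities harder.` (and the stack equivalent) is more accurate. The deny_execmem functionality warning also reads `before applying enabling the SELinux boolean`, which should be `before enabling the SELinux boolean`.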
+++ b/SOURCES/scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch 
@@ -0,0 +1,707 @@ +From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:14:24 +0200 +Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening + +--- + controls/anssi.yml | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 2053de05c0..e9b9f1b803 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -70,6 +70,10 @@ controls: + It is recommended to use the mandatory access control (MAC) features in + addition to the traditional Unix user model (DAC), or possibly combine + them with partitioning mechanisms. ++ notes: >- ++ Other partitioning mechanisms can include chroot and containers and are not contemplated ++ in this requirement. ++ automated: partially + rules: + - selinux_state + - var_selinux_state=enforcing +@@ -161,6 +165,7 @@ controls: + The iommu = force directive must be added to the list of kernel parameters + during startup in addition to those already present in the configuration + files of the bootloader (/boot/grub/menu.lst or /etc/default/grub). ++ automated: yes + rules: + - grub2_enable_iommu_force + +@@ -837,8 +842,8 @@ controls: + not locally stored in clear), or possibly stored on a separate machine + of the one on which the sealing is done. + Check section "Database and config signing in AIDE manual" +- https://github.com/aide/aide/blob/master/doc/manual.html +- # rules: TBD ++ https://aide.github.io/doc/#signing ++ automated: no + + - id: R53 + level: enhanced +@@ -946,7 +951,7 @@ controls: + title: Enable AppArmor security profiles + description: >- + All AppArmor security profiles on the system must be enabled by default. +- # rules: TBD ++ automated: no + + - id: R66 + level: high +@@ -990,6 +995,7 @@ controls: + description: >- + SELinux policy manipulation and debugging tools should not be installed + on a machine in production. 
++ automated: yes + rules: + - package_setroubleshoot_removed + - package_setroubleshoot-server_removed +@@ -1000,4 +1006,5 @@ controls: + title: Confining interactive non-privileged users + description: >- + Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user. +- # rules: TBD ++ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u. ++ automated: no + +From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:31:11 +0200 +Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels + +--- + controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 75 insertions(+), 16 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index e9b9f1b803..291af65f58 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -19,8 +19,10 @@ controls: + Those whose presence can not be justified should be disabled, removed or deleted. + automated: partially # The list of essential services is not objective. + notes: >- +- Use of obsolete or insecure services is not recommended. +- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later. ++ Manual review is required to assess if the installed services are minimal. ++ In general, use of obsolete or insecure services is not recommended. ++ Performing a minimal install is a good starting point, but doesn't provide any assurance ++ over any package installed later. + rules: + - package_dhcp_removed + #- package_rsh_removed +@@ -45,10 +47,9 @@ controls: + problematic from a security point of view. + The features configured at the level of launched services should be limited to the strict + minimum. ++ automated: no + notes: >- + Define a list of most problematic components or features to be hardened or restricted. 
+- # potential components: sshd, pam, chrony? +- # rules: TBD + + - id: R3 + level: enhanced +@@ -109,7 +110,10 @@ controls: + Network services should as much as possible be hosted on isolated environments. + This avoids having other potentially affected services if one of them gets + compromised under the same environment. +- #rules: TBD ++ notes: >- ++ Manual analysis is required to determine if services are hosted appropriately in ++ separate or isolated system while maintaining functionality. ++ automated: no + + - id: R7 + level: enhanced +@@ -117,6 +121,7 @@ controls: + description: >- + The activities of the running system and services must be logged and + archived on an external, non-local system. ++ automated: yes + rules: + # The default remote loghost is logcollector. + # Change the default value to the hostname or IP of the system to send the logs to +@@ -235,6 +240,7 @@ controls: + notes: >- + The rule disabling auto-mount for /boot is commented until the rules checking for other + /boot mount options are updated to handle this usecase. ++ automated: no + #rules: + #- mount_option_boot_noauto + +@@ -275,7 +281,7 @@ controls: + hardening measures. + Between two packages providing the same service, those subject to hardening + (at compilation, installation, or default configuration) must be preferred. +- #rules: TBD ++ automated: no + + - id: R17 + level: enhanced +@@ -283,6 +289,7 @@ controls: + description: >- + A boot loader to protect the password boot must be to be privileged. + This password must prevent any user from changing their configuration options. ++ automated: yes # without remediation + rules: + - grub2_password + - grub2_uefi_password +@@ -358,12 +365,28 @@ controls: + must be set up as soon as the system is installed: account and administration + passwords, root authority certificates, public keys, or certificates of the + host (and their respective private key). 
+- # rules: TBD ++ notes: >- ++ This concerns two aspects, the first is administrative, and involves prompt ++ installation of secrets or trusted elements by the sysadmin. ++ The second involves removal of any default secret or trusted element ++ configured by the operating system during install process, e.g. default ++ known passwords. ++ automated: no + + - id: R21 + level: intermediary + title: Hardening and monitoring of services subject to arbitrary flows +- # rules: TBD ++ notes: >- ++ SELinux can provide confinement and monitoring of services, and AIDE provides ++ basic integrity checking. System logs are configured as part of R43. ++ Hardening of particular services should be done on a case by case basis and is ++ not automated by this content. ++ automated: partially ++ rules: ++ - selinux_state ++ - var_selinux_state=enforcing ++ - package_aide_installed ++ - aide_build_database + + - id: R22 + level: intermediary +@@ -535,6 +558,7 @@ controls: + sysctl kernel.modules_disabledconf: + Prohibition of loading modules (except those already loaded to this point) + kernel.modules_disabled = 1 ++ automated: yes # without remediation + rules: + - sysctl_kernel_modules_disabled + +@@ -545,6 +569,7 @@ controls: + It is recommended to load the Yama security module at startup (by example + passing the security = yama argument to the kernel) and configure the + sysctl kernel.yama.ptrace_scope to a value of at least 1. ++ automated: yes + rules: + - sysctl_kernel_yama_ptrace_scope + +@@ -553,13 +578,19 @@ controls: + title: Disabling unused user accounts + description: >- + Unused user accounts must be disabled at the system level. +- # rules: TBD ++ notes: >- ++ The definition of unused user accounts is broad. It can include accounts ++ whose owners don't use the system anymore, or users created by services ++ or applicatons that should not be used. 
++ automated: no + + - id: R27 + title: Disabling service accounts + level: intermediary + notes: >- + It is difficult to generally identify the system's service accounts. ++ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ are not enforced by the OS and can be changed over time. + Assisting rules could list users which are not disabled for manual review. + automated: no + +@@ -568,7 +599,11 @@ controls: + title: Uniqueness and exclusivity of system service accounts + description: >- + Each service must have its own system account and be dedicated to it exclusively. +- # rules: TBD ++ notes: >- ++ It is not trivial to identify wether a user account is a service account. ++ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ are not enforced by the OS and can be changed over time. ++ automated: no + + - id: R29 + level: enhanced +@@ -778,6 +813,7 @@ controls: + description: >- + The syslog services must be isolated from the rest of the system in a + dedicated container. ++ automated: no + # rules: TBD + + - id: R46 +@@ -825,6 +861,7 @@ controls: + This includes: directories containing executables, libraries, + configuration files, as well as any files that may contain sensitive + elements (cryptographic keys, passwords, confidential data). ++ automated: yes + rules: + - package_aide_installed + - aide_build_database +@@ -851,7 +888,12 @@ controls: + description: >- + The deployed services must have their access restricted to the system + strict minimum, especially when it comes to files, processes or network. +- # rules: TBD ++ notes: >- ++ SELinux policies limit the privileges of services and daemons to only what they require. 
++ automated: partially ++ rules: ++ - selinux_policytype ++ - var_selinux_policy_name=targeted + + - id: R54 + level: enhanced +@@ -859,17 +901,24 @@ controls: + description: >- + Each component supporting the virtualization must be hardened, especially + by applying technical measures to counter the exploit attempts. +- # rules: TBD ++ notes: >- ++ It may be interesting to point out virtulization components that are installed and ++ should be hardened. ++ automated: no + + - id: R55 + level: intermediary + title: chroot jail and access right for partitioned service +- # rules: TBD ++ notes: >- ++ Automation to restrict access and chroot services is not generally reliable. ++ autmated: no + + - id: R56 + level: intermediary + title: Enablement and usage of chroot by a service +- # rules: TBD ++ notes: >- ++ Automation to restrict access and chroot services is not generally reliable. ++ automated: no + + - id: R57 + level: intermediary +@@ -924,7 +973,10 @@ controls: + description: >- + The commands requiring the execution of sub-processes (EXEC tag) must be + explicitly listed and their use should be reduced to a strict minimum. +- # rules: TBD ++ notes: >- ++ Human review is required to assess if the commands requiring EXEC is minimal. ++ An auxiliary rule could list rules containing EXEC tag, for analysis. ++ automated: no + + - id: R62 + level: intermediary +@@ -944,7 +996,13 @@ controls: + - id: R64 + level: intermediary + title: Good use of sudoedit +- # rules: TBD ++ description: A file requiring sudo to be edited, must be edited through the sudoedit command. ++ notes: >- ++ In R62 we established that the sudoers files should not use negations, thus the approach ++ for this requirement is to ensure that sudoedit is the only text editor allowed. ++ But it is difficult to ensure that allowed binaries aren't text editors without human ++ review. 
++ automated: no + + - id: R65 + level: high +@@ -959,6 +1017,7 @@ controls: + description: >- + It is recommended to enable the targeted policy when the distribution + support it and that it does not operate another security module than SELinux. ++ automated: yes + rules: + - selinux_policytype + - var_selinux_policy_name=targeted + +From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 11 May 2021 17:49:42 +0200 +Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles + +--- + rhel7/profiles/anssi_nt28_high.profile | 2 +- + rhel8/profiles/anssi_bp28_high.profile | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index 22efad9c09..560460b55f 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -1,6 +1,6 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI-BP-028 (high)' ++title: 'ANSSI-BP-028 (high)' + + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index 22efad9c09..560460b55f 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,6 +1,6 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI-BP-028 (high)' ++title: 'ANSSI-BP-028 (high)' + + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. 
+ +From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001 +From: Watson Yuuma Sato +Date: Fri, 14 May 2021 10:58:50 +0200 +Subject: [PATCH 4/6] Fix typos and improve language + +Co-authored-by: vojtapolasek +--- + controls/anssi.yml | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 291af65f58..81d099e98b 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -581,7 +581,7 @@ controls: + notes: >- + The definition of unused user accounts is broad. It can include accounts + whose owners don't use the system anymore, or users created by services +- or applicatons that should not be used. ++ or applications that should not be used. + automated: no + + - id: R27 +@@ -589,7 +589,7 @@ controls: + level: intermediary + notes: >- + It is difficult to generally identify the system's service accounts. +- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + Assisting rules could list users which are not disabled for manual review. + automated: no +@@ -600,8 +600,8 @@ controls: + description: >- + Each service must have its own system account and be dedicated to it exclusively. + notes: >- +- It is not trivial to identify wether a user account is a service account. +- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values ++ It is not trivial to identify whether a user account is a service account. ++ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values + are not enforced by the OS and can be changed over time. + automated: no + +@@ -889,7 +889,7 @@ controls: + The deployed services must have their access restricted to the system + strict minimum, especially when it comes to files, processes or network. 
+ notes: >- +- SELinux policies limit the privileges of services and daemons to only what they require. ++ SELinux policies limit the privileges of services and daemons just to those which are required. + automated: partially + rules: + - selinux_policytype +@@ -902,7 +902,7 @@ controls: + Each component supporting the virtualization must be hardened, especially + by applying technical measures to counter the exploit attempts. + notes: >- +- It may be interesting to point out virtulization components that are installed and ++ It may be interesting to point out virtualization components that are installed and + should be hardened. + automated: no + +@@ -910,14 +910,14 @@ controls: + level: intermediary + title: chroot jail and access right for partitioned service + notes: >- +- Automation to restrict access and chroot services is not generally reliable. +- autmated: no ++ Using automation to restrict access and chroot services is not generally reliable. ++ automated: no + + - id: R56 + level: intermediary + title: Enablement and usage of chroot by a service + notes: >- +- Automation to restrict access and chroot services is not generally reliable. ++ Using automation to restrict access and chroot services is not generally reliable. + automated: no + + - id: R57 +@@ -974,7 +974,7 @@ controls: + The commands requiring the execution of sub-processes (EXEC tag) must be + explicitly listed and their use should be reduced to a strict minimum. + notes: >- +- Human review is required to assess if the commands requiring EXEC is minimal. ++ Human review is required to assess if the set of commands requiring EXEC is minimal. + An auxiliary rule could list rules containing EXEC tag, for analysis. 
+ automated: no + + +From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 14 May 2021 11:41:30 +0200 +Subject: [PATCH 5/6] Update R1 notes and selected rule + +--- + controls/anssi.yml | 28 +++++++++---------- + .../package_xinetd_removed/rule.yml | 1 + + .../nis/package_ypbind_removed/rule.yml | 1 + + .../nis/package_ypserv_removed/rule.yml | 1 + + .../package_rsh-server_removed/rule.yml | 1 + + .../r_services/package_rsh_removed/rule.yml | 1 + + .../talk/package_talk-server_removed/rule.yml | 1 + + .../talk/package_talk_removed/rule.yml | 1 + + .../package_telnet-server_removed/rule.yml | 1 + + .../telnet/package_telnet_removed/rule.yml | 1 + + .../tftp/package_tftp-server_removed/rule.yml | 1 + + .../tftp/package_tftp_removed/rule.yml | 4 +++ + shared/references/cce-redhat-avail.txt | 1 - + 13 files changed, 28 insertions(+), 15 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 81d099e98b..ebee9c4259 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -19,25 +19,25 @@ controls: + Those whose presence can not be justified should be disabled, removed or deleted. + automated: partially # The list of essential services is not objective. + notes: >- +- Manual review is required to assess if the installed services are minimal. +- In general, use of obsolete or insecure services is not recommended. + Performing a minimal install is a good starting point, but doesn't provide any assurance + over any package installed later. ++ Manual review is required to assess if the installed services are minimal. ++ In general, use of obsolete or insecure services is not recommended and we remove some ++ of these in this recommendation. 
+ rules: + - package_dhcp_removed +- #- package_rsh_removed +- #- package_rsh-server_removed ++ - package_rsh_removed ++ - package_rsh-server_removed + - package_sendmail_removed +- - package_telnetd_removed +- #- package_talk_removed +- #- package_talk-server_removed +- #- package_telnet_removed +- #- package_telnet-server_removed +- #- package_tftp_removed +- #- package_tftp-server_removed +- #- package_xinetd_removed +- #- package_ypbind_removed +- #- package_ypserv_removed ++ - package_talk_removed ++ - package_talk-server_removed ++ - package_telnet_removed ++ - package_telnet-server_removed ++ - package_tftp_removed ++ - package_tftp-server_removed ++ - package_xinetd_removed ++ - package_ypbind_removed ++ - package_ypserv_removed + + - id: R2 + level: intermediary +diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +index e2431be9c5..9494025449 100644 +--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml +@@ -18,6 +18,7 @@ identifiers: + cce@rhel8: CCE-80850-1 + + references: ++ anssi: BP28(R1) + cis@rhel8: 2.1.1 + disa: CCI-000305 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +index 97e27e2a4c..e836dc6fb1 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +@@ -24,6 +24,7 @@ identifiers: + cce@rhel8: CCE-82181-9 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.1 + cis@rhel8: 2.3.1 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git 
a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +index ac1d8e6f4c..7ca7a67e69 100644 +--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82432-6 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-020010 + cis@rhel7: 2.2.16 + cis@rhel8: 2.2.17 +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +index 21f4d7bae6..33c36cde67 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82184-3 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-020000 + disa: CCI-000381 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +index c8f4673a3a..dbc6bd7329 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@rhel8: CCE-82183-5 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.2 + cui: 3.1.13 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) +diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +index 12971558e9..e46e4f55d0 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml ++++ 
b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +@@ -18,6 +18,7 @@ identifiers: + cce@rhel8: CCE-82180-1 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.2.18 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + +diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +index 68e804ba38..24743fc2d6 100644 +--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@rhel8: CCE-80848-5 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.3 + hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii) + +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index 7bb5ed5da3..24cf50ff29 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -31,6 +31,7 @@ identifiers: + cce@sle15: CCE-83273-3 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-021710 + cis@rhel7: 2.1.19 + disa: CCI-000381 +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +index 1b0128ec06..afef488734 100644 +--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml +@@ -21,6 +21,7 @@ identifiers: + cce@rhel8: CCE-80849-3 + + references: ++ anssi: BP28(R1) + cis@rhel7: 2.3.4 + cis@rhel8: 2.3.2 + cui: 3.1.13 +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml 
b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index 3fcc8db4c8..ca25bb2124 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + cce@rhel8: CCE-82436-7 + + references: ++ anssi: BP28(R1) + stigid@ol7: OL07-00-040700 + disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814 + nist: CM-7(a),CM-7(b),CM-6(a) +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +index c3a501259c..0be9a60d38 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml +@@ -19,6 +19,10 @@ severity: low + + identifiers: + cce@rhel7: CCE-80443-5 ++ cce@rhel8: CCE-83590-0 ++ ++references: ++ anssi: BP28(R1) + + ocil: '{{{ describe_package_remove(package="tftp") }}}' + +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 4c4f8c3aa3..b719186add 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -91,7 +91,6 @@ CCE-83584-3 + CCE-83587-6 + CCE-83588-4 + CCE-83589-2 +-CCE-83590-0 + CCE-83592-6 + CCE-83594-2 + CCE-83595-9 + +From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 14 May 2021 11:43:32 +0200 +Subject: [PATCH 6/6] Update R5 notes and rule selection + +Note commented rules as related, and potentially useful. 
+--- + controls/anssi.yml | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index ebee9c4259..bba7148da9 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -88,20 +88,22 @@ controls: + automated: partially + notes: >- + Defense in-depth can be broadly divided into three areas - physical, technical and +- administrative. The security profile is best suitedto protect the technical area. ++ administrative. The security profile is best suited to protect the technical area. + Among the barriers that can be implemented within the technical area are antivirus software, + authentication, multi-factor authentication, encryption, logging, auditing, sandboxing, + intrusion detection systems, firewalls and vulnerability scanners. ++ The selection below is not in any way exaustive and should be adapted to the system's needs. + rules: +- #- package_audit_installed +- #- service_auditd_enabled + - sudo_remove_no_authenticate + - package_rsyslog_installed + - service_rsyslog_enabled +- #- package_ntp_installed +- #- package_firewalld_installed +- #- service_firewalld_enabled +- #- sssd_enable_smartcards ++ related_rules: ++ - package_audit_installed ++ - service_auditd_enabled ++ - package_ntp_installed ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - sssd_enable_smartcards + + - id: R6 + level: enhanced diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec new file mode 100644 index 0000000..3168f54 --- /dev/null +++ b/SPECS/scap-security-guide.spec 
@@ -0,0 +1,530 @@
+# Base name of static rhel6 content tarball
+%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
+
+Name: scap-security-guide
+Version: 0.1.56
+Release: 1%{?dist}
+Summary: Security guidance and baselines in SCAP formats
+Group: Applications/System
+License: BSD
+URL: https://github.com/ComplianceAsCode/content/
+Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+# Include tarball with last released rhel6 content
+Source1: %{_static_rhel6_content}.tar.bz2
+# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
+Patch0: disable-not-in-good-shape-profiles.patch
+Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
+Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
+Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
+
+BuildArch: noarch
+
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
+BuildRequires: /usr/bin/python3
+BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
+Requires: xml-common, openscap-scanner >= 1.2.5
+Obsoletes: openscap-content < 0:0.9.13
+Provides: openscap-content
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view. The guidance is specified
+in the Security Content Automation Protocol (SCAP) format and constitutes
+a catalog of practical hardening advice, linked to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidelines. The Red Hat Enterprise
+Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
+package, or the scap-workbench GUI tool from scap-workbench package to verify
+that the system conforms to provided guideline. Refer to scap-security-guide(8)
+manual page for further information.
+
+%package doc
+Summary: HTML formatted security guides generated from XCCDF benchmarks
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description doc
+The %{name}-doc package contains HTML formatted documents containing
+hardening guidances that have been generated from XCCDF benchmarks
+present in %{name} package.
+
+%prep
+%setup -q -b 1
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+mkdir build
+
+%build
+cd build
+%cmake \
+-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
+-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
+-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
+-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
+-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
+%if %{defined centos}
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
+%else
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+%endif
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
+%make_build
+
+%install
+cd build
+%make_install
+
+# Manually install pre-built rhel6 content
+cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
+cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
+cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
+
+%files
+%{_datadir}/xml/scap/ssg/content
+%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible
+%{_datadir}/%{name}/bash
+%lang(en) %{_mandir}/man8/scap-security-guide.8.*
+%doc %{_docdir}/%{name}/LICENSE
+%doc %{_docdir}/%{name}/README.md
+%doc %{_docdir}/%{name}/Contributors.md
+
+%files doc
+%doc %{_docdir}/%{name}/guides/*.html
+%doc %{_docdir}/%{name}/tables/*.html
+
+%changelog
+* Tue Jun 01 2021 Watson Sato - 0.1.56-1
+- Update to the latest upstream release (RHBZ#1966577)
+- Add ANSSI High Profile (RHBZ#1955183)
+
+* Wed Feb 17 2021 Watson Sato - 0.1.54-5
+- Remove Kickstart for not shipped profile (RHBZ#1778188)
+
+* Tue Feb 16 2021 Gabriel Becker - 0.1.54-4
+- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
+
+* Tue Feb 16 2021 Vojtech Polasek - 0.1.54-3
+- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
+
+* Fri Feb 12 2021 Gabriel Becker - 0.1.54-2
+- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
+
+* Thu Feb 04 2021 Watson Sato - 0.1.54-1
+- Update to the latest upstream release (RHBZ#1889344)
+- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
+
+* Fri Jan 08 2021 Gabriel Becker - 0.1.53-4
+- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
+- Fix RHEL6 CPE dictionary (RHBZ#1899059)
+- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
+
+* Tue Dec 15 2020 Gabriel Becker - 0.1.53-3
+- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
+- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
+- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
+- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
+- Disable usbguard rules on s390x architecture (RHBZ#1899059)
+
+* Thu Dec 03 2020 Watson Sato - 0.1.53-2
+- Update list of profiles built (RHBZ#1889344)
+
+* Wed Nov 25 2020 Vojtech Polasek - 0.1.53-1
+- Update to the latest upstream release (RHBZ#1889344)
+
+* Wed Sep 02 2020 Matěj Týč - 0.1.50-14
+- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Tue Aug 25 2020 Watson Sato - 0.1.50-13
+- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Fri Aug 21 2020 Matěj Týč - 0.1.50-12
+- remove rationale from rules that contain defective links (rhbz#1854854)
+
+* Thu Aug 20 2020 Matěj Týč - 0.1.50-11
+- fixed link in a grub2 rule description (rhbz#1854854)
+- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
+- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
+
+* Mon Aug 17 2020 Matěj Týč - 0.1.50-10
+- Update the scapval invocation (RHBZ#1815007)
+- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
+- Change the spec file macro invocation from patch to Patch
+- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
+
+* Wed Aug 05 2020 Vojtech Polasek - 0.1.50-9
+- fix description of HIPAA profile (RHBZ#1867559)
+
+* Fri Jul 17 2020 Watson Sato - 0.1.50-8
+- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
+ - Remove CCM from TLS Ciphersuites
+
+* Mon Jun 29 2020 Matěj Týč - 0.1.50-7
+- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
+
+* Mon Jun 22 2020 Gabriel Becker - 0.1.50-6
+- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
+
+* Thu May 28 2020 Gabriel Becker - 0.1.50-5
+- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
+
+* Tue May 26 2020 Watson Sato - 0.1.50-4
+- CIS Ansible fixes (RHBZ#1760734)
+- HIPAA Ansible fixes (RHBZ#1832760)
+
+* Mon May 25 2020 Watson Sato - 0.1.50-3
+ - HIPAA Profile (RHBZ#1832760)
+ - Enable build of RHEL8 HIPAA Profile
+ - Add kickstarts for HIPAA
+- CIS Profile (RHBZ#1760734)
+ - Add Ansible fix for sshd_set_max_sessions
+ - Add CIS Profile content attribution to Center for Internet Security
+
+* Fri May 22 2020 Watson Sato - 0.1.50-2
+- Fix Ansible for no_direct_root_logins
+- Fix Ansible template for SELinux booleans
+- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Wed May 20 2020 Watson Sato - 0.1.50-2
+- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
+
+* Tue May 19 2020 Watson Sato - 0.1.50-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Thu Mar 19 2020 Gabriel Becker - 0.1.49-1
+- Update to the latest upstream release (RHBZ#1815007)
+
+* Tue Feb 11 2020 Watson Sato - 0.1.48-7
+- Update baseline package list of OSPP profile
+
+* Thu Feb 06 2020 Watson Sato - 0.1.48-6
+- Rebuilt with correct spec file
+
+* Thu Feb 06 2020 Watson Sato - 0.1.48-5
+- Add SRG references to STIG rules (RHBZ#1755447)
+
+* Mon Feb 03 2020 Vojtech Polasek - 0.1.48-4
+- Drop rsyslog rules from OSPP profile
+- Update COBIT URI
+- Add rules for strong source of RNG entropy
+- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
+- STIG profile: added rsyslog rules and updated SRG mappings
+- Split audit rules according to audit component (RHBZ#1791312)
+
+* Tue Jan 21 2020 Watson Sato - 0.1.48-3
+- Update crypto-policy test scenarios
+- Update max-path-len test to skip tests/logs directory
+
+* Fri Jan 17 2020 Watson Sato - 0.1.48-2
+- Fix list of tables that are generated for RHEL8
+
+* Fri Jan 17 2020 Watson Sato - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release
+
+* Tue Nov 26 2019 Matěj Týč - 0.1.47-2
+- Improved the e8 profile (RHBZ#1755194)
+
+* Mon Nov 11 2019 Vojtech Polasek - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
+
+* Wed Oct 16 2019 Gabriel Becker - 0.1.46-3
+- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
+
+* Wed Oct 09 2019 Watson Sato - 0.1.46-2
+- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
+
+* Mon Sep 02 2019 Watson Sato - 0.1.46-1
+- Update to latest upstream SCAP-Security-Guide-0.1.46 release
+- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
+
+* Wed Aug 07 2019 Milan Lysonek - 0.1.45-2
+- Use crypto-policy rules in OSPP profile.
+- Re-enable FIREFOX and JRE product in build.
+- Change test suite logging message about missing profile from ERROR to WARNING.
+- Build only one version of SCAP content at a time.
+
+* Tue Aug 06 2019 Milan Lysonek - 0.1.45-1
+- Update to latest upstream SCAP-Security-Guide-0.1.45 release
+
+* Mon Jun 17 2019 Matěj Týč - 0.1.44-2
+- Ported changelog from late 8.0 builds.
+- Disabled build of the OL8 product, updated other components of the cmake invocation.
+
+* Fri Jun 14 2019 Matěj Týč - 0.1.44-1
+- Update to latest upstream SCAP-Security-Guide-0.1.44 release
+
+* Mon Mar 11 2019 Gabriel Becker - 0.1.42-11
+- Assign CCE to rules from OSPP profile which were missing the identifier.
+- Fix regular expression for Audit rules ordering
+- Account for Audit rules flags parameter position within syscall
+- Add remediations for Audit rules file path
+- Add Audit rules for modification of /etc/shadow and /etc/gshadow
+- Add Ansible and Bash remediations for directory_access_var_log_audit rule
+- Add a Bash remediation for Audit rules that require ordering
+
+* Thu Mar 07 2019 Gabriel Becker - 0.1.42-10
+- Assign CCE identifier to rules used by RHEL8 profiles.
+
+* Thu Feb 14 2019 Matěj Týč - 0.1.42-9
+- Fixed Crypto Policy OVAL for NSS
+- Got rid of rules requiring packages dropped in RHEL8.
+- Profile descriptions fixes.
+
+* Tue Jan 22 2019 Jan Černý - 0.1.42-8
+- Update applicable platforms in crypto policy tests
+
+* Mon Jan 21 2019 Jan Černý - 0.1.42-7
+- Introduce Podman backend for SSG Test suite
+- Update bind and libreswan crypto policy test scenarios
+
+* Fri Jan 11 2019 Matěj Týč - 0.1.42-6
+- Further fix of profiles descriptions, so they don't contain literal '\'.
+- Removed obsolete sshd rule from the OSPP profile.
+
+* Tue Jan 08 2019 Matěj Týč - 0.1.42-5
+- Fixed profiles descriptions, so they don't contain literal '\n'.
+- Made the configure_kerberos_crypto_policy OVAL more robust.
+- Made OVAL for libreswan and bind work as expected when those packages are not installed.
+
+* Wed Jan 02 2019 Matěj Týč - 0.1.42-4
+- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
+
+* Tue Dec 18 2018 Matěj Týč - 0.1.42-3
+- Added FIPS mode rule for the OSPP profile.
+- Split the installed_OS_is certified rule.
+- Explicitly disabled OSP13, RHV4 and Example products.
+
+* Mon Dec 17 2018 Gabriel Becker - 0.1.42-2
+- Add missing kickstart files for RHEL8
+- Disable profiles that are not in good shape for RHEL8
+
+* Wed Dec 12 2018 Matěj Týč - 0.1.42-1
+- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
+- System-wide crypto policies are introduced for RHEL8
+- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
+
+* Wed Oct 10 2018 Watson Yuuma Sato - 0.1.41-2
+- Fix man page and package description
+
+* Mon Oct 08 2018 Watson Yuuma Sato - 0.1.41-1
+- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
+- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
+
+* Mon Aug 13 2018 Watson Sato - 0.1.40-3
+- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
+- Only build content for rhel8 products
+
+* Fri Aug 10 2018 Watson Sato - 0.1.40-2
+- Update build of rhel8 content
+
+* Fri Aug 10 2018 Watson Sato - 0.1.40-1
+- Enable build of rhel8 content
+
+* Fri May 18 2018 Jan Černý - 0.1.39-1
+- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
+- Fix spec file to build using Python 3
+- Fix License because upstream changed to BSD-3
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1
+- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1
+- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
+
+* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1
+- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
+
+* Tue Aug 29 2017 Watson Sato - 0.1.35-1
+- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 03 2017 Watson Sato - 0.1.34-1
+- updated to latest upstream release
+
+* Mon May 01 2017 Martin Preisler - 0.1.33-1
+- updated to latest upstream release
+
+* Thu Mar 30 2017 Martin Preisler - 0.1.32-1
+- updated to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-2
+- use make_build and make_install RPM macros
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-1
+- update to the latest upstream release
+- new default location for content /usr/share/scap/ssg
+- install HTML tables in the doc subpackage
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2
+- Correct currently failing parallel SCAP Security Guide build
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1
+- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
+- Drop shell library for remediation functions since it is not required
+ starting from 0.1.30 release any more
+
+* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1
+- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
+- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
+ in 0.1.29 upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1
+- upgrade to the latest upstream release
+
+* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1
+- update to the latest upstream release
+
+* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1
+- update to the latest upstream release
+
+* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1
+- update to the latest upstream release
+
+* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1
+- update to the latest upstream release
+- created doc sub-package to ship all the guides
+- start distributing centos and scientific linux content
+- rename java content to jre
+
+* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 05 2015 Šimon Lukašík - 0.1.22-1
+- update to the latest upstream release
+- only DataStream file is now available for Fedora
+- start distributing security baseline for Firefox
+- start distributing security baseline for Java RunTime deployments
+
+* Wed Mar 04 2015 Šimon Lukašík - 0.1.21-1
+- update to the latest upstream release
+- move content to /usr/share/scap/ssg/content
+
+* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1
+- update to the latest upstream release
+
+* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4
+- require only openscap-scanner, not whole openscap-utils package
+
+* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3
+- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
+- Add STIG DISCLAIMER to the shipped documentation
+
+* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1
+- Fix fedora-srpm and fedora-rpm Make targets to work again
+- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
+- EOL for Fedora 18 support
+- Include Fedora datastream file for remote Fedora system scans
+
+* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2
+- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
+
+* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1
+- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
+ it to /shared
+- Add shared remediations for sshd disable empty passwords and
+ sshd set idle timeout
+- Shared remediation for sshd disable root login
+- Add empty -compat subpackage to ensure backward-compatibility with
+ openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
+- OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
+- OVAL check for sshd disable empty passwords
+- Unselect no shelllogin for systemaccounts rule from being run by default
+- Rename XCCDF rules
+- Revert Set up Fedora release name and CPE based on build system properties
+- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
+- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
+- Shared OVAL check for Verify that System Executables Have Root Ownership
+- Shared OVAL check for Verify that Shared Library Files Have Restrictive
+ Permissions
+- Fix remediation for Disable Prelinking rule
+- OVAL check and remediation for sshd's ClientAliveCountMax rule
+- OVAL check for sshd's ClientAliveInterval rule
+- Include descriptions for permissions section, and rules for checking
+ permissions and ownership of shared library files and system executables
+- Disable selected rules by default
+- Add remediation for Disable Prelinking rule
+- Adjust service-enable-macro, service-disable-macro XSLT transforms
+ definition to evaluate to proper systemd syntax
+- Fix service_ntpd_enabled OVAL check make validate to pass again
+- Include patch from Šimon Lukašík to obsolete openscap-content
+ package (RH BZ#1028706)
+- Add OVAL check to test if there's is remote NTP server configured for
+ time data
+- Add system settings section for the guide (to track system wide
+ hardening configurations)
+- Include disable prelink rule and OVAL check for it
+- Initial OVAL check if ntpd service is enabled. Add package_installed
+ OVAL templating directory structure and functionality.
+- Include services section, and XCCDF description for selected ntpd's
+ sshd's service rules
+- Include remediations for login.defs' based password minimum, maximum and
+ warning age rules
+- Include directory structure to support remediations
+- Add SCAP "replace or append pattern value in text file based on variable"
+ remediation script generator
+- Add remediation for "Set Password Minimum Length in login.defs" rule
+
+* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1
+- Update versioning scheme - move fedorassgrelease to be part of
+ upstream version. Rename it to fedorassgversion to avoid name collision
+ with Fedora package release.
+
+* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3
+- Add .gitignore for Fedora output directory
+- Set up Fedora release name and CPE based on build system properties
+- Use correct file paths in scap-security-guide(8) manual page
+ (RH BZ#1018905, c#10)
+- Apply further changes motivated by scap-security-guide Fedora RPM review
+ request (RH BZ#1018905, c#8):
+ * update package description,
+ * make content files to be owned by the scap-security-guide package,
+ * remove Fedora release number from generated content files,
+ * move HTML form of the guide under the doc directory (together
+ with that drop fedora/content subdir and place the content
+ directly under fedora/ subdir).
+- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
+ * drop Fedora release from package provided files' final path (c#5),
+ * drop BuildRoot, selected Requires:, clean section, drop chcon for
+ manual page, don't gzip man page (c#4),
+ * change package's description (c#4),
+ * include PD license text (#c4).
+
+* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2
+- Provide manual page for scap-security-guide
+- Remove percent sign from spec's changelog to silence rpmlint warning
+- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
+- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
+- Introduce 'Account and Access Control' section
+- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
+ rules to Fedora
+- Set proper name of the build directory in the spec's setup macro.
+- Replace hard-coded paths with macros. Preserve attributes when copying files.
+
+* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1
+- Initial Fedora SSG RPM.
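Review bot: Two `%changelog` entries in this hunk carry the same release, `* Fri May 22 2020 Watson Sato - 0.1.50-2` and `* Wed May 20 2020 Watson Sato - 0.1.50-2`, so the version-release no longer identifies one build in the package history and tooling that keys on it (rpmlint, rpmdev-bumpspec, errata matching) can pick either entry; one of the two presumably needs a distinct release, which I cannot determine from the spec alone. Separately, the rhel6 content named by `%{_static_rhel6_content}` is not built from `Source0` here but copied verbatim into the buildroot by the three `cp -r` lines in `%install`, and none of Patch0–Patch3 are applied to it; the comment `# Include tarball with last released rhel6 content` would be more useful as `# Pre-built rhel6 content from the last rhel6 build (0.1.52-2.el7_9); not rebuilt or patched here, refresh only by re-importing that build's artifacts`. Patch1–Patch3 are named for upstream 0.1.57 while `Version` is 0.1.56; a short comment next to them stating they are backports of the referenced upstream PRs would make the mismatch intentional to the next maintainer.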