rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import scap-security-guide-0.1.56-1.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-06-11 18:21:15 +00:00 committed by Andrew Lukoshko
commit aae7e6be65
7 changed files with 1574 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.56.tar.bz2

2
.scap-security-guide.metadata Normal file
View File

@ -0,0 +1,2 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
68280f72027ec89fda4b861fda932110d833d0d1 SOURCES/scap-security-guide-0.1.56.tar.bz2

98
SOURCES/disable-not-in-good-shape-profiles.patch Normal file
View File

@ -0,0 +1,98 @@
From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 3 Dec 2020 14:35:47 +0100
Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
---
rhel8/CMakeLists.txt | 6 ------
rhel8/profiles/cjis.profile | 2 +-
rhel8/profiles/ism_o.profile | 2 +-
rhel8/profiles/rhelh-stig.profile | 2 +-
rhel8/profiles/rhelh-vpp.profile | 2 +-
rhel8/profiles/rht-ccp.profile | 2 +-
rhel8/profiles/standard.profile | 2 +-
11 files changed, 10 insertions(+), 16 deletions(-)
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index d61689c97..5e444a101 100644
--- a/rhel8/CMakeLists.txt
+++ b/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
ssg_build_html_table_by_ref(${PRODUCT} "anssi")
-ssg_build_html_nistrefs_table(${PRODUCT} "standard")
ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
ssg_build_html_nistrefs_table(${PRODUCT} "stig")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
-
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
--- a/rhel8/profiles/cjis.profile
+++ b/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
version: 5.4
diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
index a3c427c01..4605dea3b 100644
--- a/rhel8/profiles/ism_o.profile
+++ b/rhel8/profiles/ism_o.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
SMEs:
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
index 1efca5f44..c3d0b0964 100644
--- a/rhel8/profiles/rhelh-stig.profile
+++ b/rhel8/profiles/rhelh-stig.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
index 2baee6d66..8592d7aaf 100644
--- a/rhel8/profiles/rhelh-vpp.profile
+++ b/rhel8/profiles/rhelh-vpp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
--- a/rhel8/profiles/rht-ccp.profile
+++ b/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
--- a/rhel8/profiles/standard.profile
+++ b/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.26.2

115
SOURCES/scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch Normal file
View File

@ -0,0 +1,115 @@
From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 5 Jan 2021 18:03:24 +0100
Subject: [PATCH] Add rule sudo_add_passwd_timeout
This rule configures sudo password prompt timeout.
---
controls/anssi.yml | 3 +-
.../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++
.../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
shared/references/cce-redhat-avail.txt | 2 -
4 files changed, 63 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..5120456230b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -892,7 +892,8 @@ controls:
- var_sudo_umask=0027
- sudo_add_ignore_dot
- sudo_add_env_reset
- # passwd_timeout=1
+ - sudo_add_passwd_timeout
+ - var_sudo_passwd_timeout=1_minute
- id: R59
level: minimal
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
new file mode 100644
index 00000000000..ae3399527f4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: ol7,ol8,rhel7,rhel8
+
+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
+
+description: |-
+ The sudo <tt>passwd_timeout</tt> tag sets the amount of time sudo password prompt waits.
+{{%- if product in ["rhel7", "rhel8"] %}}
+ On {{{ full_name }}}, the default <tt>passwd_timeout</tt> value is 5 minutes.
+{{% endif %}}
+ The passwd_timeout should be configured by making sure that the
+ <tt>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</tt> tag exists in
+ <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
+ in <tt>/etc/sudoers.d/</tt>.
+
+rationale: |-
+ Reducing the time <tt>sudo</tt> waits for a a password reduces the time the process is exposed.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83963-9
+ cce@rhel8: CCE-83964-7
+
+references:
+ anssi: BP28(R58)
+
+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
+
+ocil: |-
+ To determine if <tt>passwd_timeout</tt> has been configured for sudo, run the following command:
+ <pre>$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return a matching output.
+
+template:
+ name: sudo_defaults_option
+ vars:
+ option: passwd_timeout
+ variable_name: "var_sudo_passwd_timeout"
diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
new file mode 100644
index 00000000000..4a9dcd5bb7b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Sudo - passwd_timeout value'
+
+description: |-
+ Defines the number of minutes before the <tt>sudo</tt> password prompt times out.
+ Defining 0 means no timeout. The default timeout value is 5 minutes.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+ default: "5"
+ infinite: "0"
+ 1_minute: "1"
+ 2_minutes: "2"
+ 3_minutes: "3"
+ 5_minutes: "5"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 61391f50c2d..e095e405f66 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -349,8 +349,6 @@ CCE-83959-7
CCE-83960-5
CCE-83961-3
CCE-83962-1
-CCE-83963-9
-CCE-83964-7
CCE-83965-4
CCE-83966-2
CCE-83967-0

120
SOURCES/scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch Normal file
View File

@ -0,0 +1,120 @@
From 82c99e8de8f2ffef7d340fd7c1d9088367650eb5 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 10 May 2021 18:53:02 +0200
Subject: [PATCH] Update and select seboolean rules for R67
Fix description of sebool_deny_execmem, and warning about possible
issues.
Add rationale to rules the SELinux booleans.
---
controls/anssi.yml | 14 +++++++++---
.../sebool_deny_execmem/rule.yml | 22 ++++++++++++++-----
.../sebool_selinuxuser_execheap/rule.yml | 4 +++-
.../sebool_selinuxuser_execstack/rule.yml | 3 ++-
4 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..ef9356a6fea 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -967,10 +967,18 @@ controls:
allow_execstack to off, forbids processes to make their stack executable;
secure_mode_insmod to on, prohibits dynamic loading of modules by any process;
ssh_sysadm_login to off, forbids SSH logins to connect directly in sysadmin role.
+ notes:
+ In RHEL, the SELinux boolean allow_execheap is renamed to selinuxuser_execheap, and the
+ boolean allow_execstack is renamed to selinuxuser_execstack. And allow_execmem is not
+ available, deny_execmem provides the same functionality.
+ automated: yes
rules:
- # Add rule for sebool allow_execheap
- # Add rule for sebool allow_execmem
- # Add rule for sebool allow_execstack
+ - var_selinuxuser_execheap=off
+ - sebool_selinuxuser_execheap
+ - var_deny_execmem=on
+ - sebool_deny_execmem
+ - var_selinuxuser_execstack=off
+ - sebool_selinuxuser_execstack
- var_secure_mode_insmod=on
- sebool_secure_mode_insmod
- sebool_ssh_sysadm_login
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
index f340ea4be11..e8453fbfb8d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_deny_execmem/rule.yml
@@ -2,14 +2,16 @@ documentation_complete: true
prodtype: rhel7,rhel8,rhel9,rhv4
-title: 'Disable the deny_execmem SELinux Boolean'
+title: 'Enable the deny_execmem SELinux Boolean'
description: |-
By default, the SELinux boolean <tt>deny_execmem</tt> is disabled.
- If this setting is enabled, it should be disabled.
+ If this setting is disabled, it should be enabled.
{{{ describe_sebool_disable(sebool="deny_execmem") }}}
-rationale: ""
+rationale: |-
+ Allowing user domain applications to map a memory region as both writable and
+ executable makes them more susceptible to data execution attacks.
severity: medium
@@ -19,10 +21,20 @@ identifiers:
references:
anssi: BP28(R67)
-
-{{{ complete_ocil_entry_sebool_disabled(sebool="deny_execmem") }}}
+
+{{{ complete_ocil_entry_sebool_enabled(sebool="deny_execmem") }}}
+
+warnings:
+ - general: |-
+ This rule doesn't come with a remediation, as enabling this SELinux boolean can cause
+ applications to malfunction, for example Graphical login managers and Firefox.
+ - functionality: |-
+ Proper function and stability should be assessed before applying enabling the SELinux boolean in production systems.
template:
name: sebool
vars:
seboolid: deny_execmem
+ backends:
+ bash: "off"
+ ansible: "off"
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
index 45aa81a1223..7fedaab6130 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execheap/rule.yml
@@ -6,10 +6,12 @@ title: 'Disable the selinuxuser_execheap SELinux Boolean'
description: |-
By default, the SELinux boolean <tt>selinuxuser_execheap</tt> is disabled.
+ When enabled this boolean is enabled it allows selinuxusers to execute code from the heap.
If this setting is enabled, it should be disabled.
{{{ describe_sebool_disable(sebool="selinuxuser_execheap") }}}
-rationale: ""
+rationale: |-
+ Disabling code execution from the heap blocks buffer overflow attacks.
severity: medium
diff --git a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
index 2b20d0bfe4f..2e0b19f881d 100644
--- a/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
+++ b/linux_os/guide/system/selinux/selinux-booleans/sebool_selinuxuser_execstack/rule.yml
@@ -10,7 +10,8 @@ description: |-
to make their stack executable.
{{{ describe_sebool_disable(sebool="selinuxuser_execstack") }}}
-rationale: ""
+rationale: |-
+ Disabling code execution from the stack blocks buffer overflow attacks.
severity: medium

707
SOURCES/scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch Normal file
View File

@ -0,0 +1,707 @@
From 6006e997000ab19aa59df24b074feb285ec4e586 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:14:24 +0200
Subject: [PATCH 1/6] Update ANSSI metadata for High level hardening
---
controls/anssi.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 2053de05c0..e9b9f1b803 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -70,6 +70,10 @@ controls:
It is recommended to use the mandatory access control (MAC) features in
addition to the traditional Unix user model (DAC), or possibly combine
them with partitioning mechanisms.
+ notes: >-
+ Other partitioning mechanisms can include chroot and containers and are not contemplated
+ in this requirement.
+ automated: partially
rules:
- selinux_state
- var_selinux_state=enforcing
@@ -161,6 +165,7 @@ controls:
The iommu = force directive must be added to the list of kernel parameters
during startup in addition to those already present in the configuration
files of the bootloader (/boot/grub/menu.lst or /etc/default/grub).
+ automated: yes
rules:
- grub2_enable_iommu_force
@@ -837,8 +842,8 @@ controls:
not locally stored in clear), or possibly stored on a separate machine
of the one on which the sealing is done.
Check section "Database and config signing in AIDE manual"
- https://github.com/aide/aide/blob/master/doc/manual.html
- # rules: TBD
+ https://aide.github.io/doc/#signing
+ automated: no
- id: R53
level: enhanced
@@ -946,7 +951,7 @@ controls:
title: Enable AppArmor security profiles
description: >-
All AppArmor security profiles on the system must be enabled by default.
- # rules: TBD
+ automated: no
- id: R66
level: high
@@ -990,6 +995,7 @@ controls:
description: >-
SELinux policy manipulation and debugging tools should not be installed
on a machine in production.
+ automated: yes
rules:
- package_setroubleshoot_removed
- package_setroubleshoot-server_removed
@@ -1000,4 +1006,5 @@ controls:
title: Confining interactive non-privileged users
description: >-
Interactive non-privileged users of a system must be confined by associating them with a SELinux confined user.
- # rules: TBD
+ notes: Interactive users who still need to perform administrative tasks should not be confined with user_u.
+ automated: no
From 98c310f893c31fb828c7ee17f9f8c7f7f11dde7a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:31:11 +0200
Subject: [PATCH 2/6] Update metadata of other ANSSI hardening levels
---
controls/anssi.yml | 91 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 75 insertions(+), 16 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index e9b9f1b803..291af65f58 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,8 +19,10 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Use of obsolete or insecure services is not recommended.
- The minimal install is a good starting point, but this doesn't provide any assurance over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended.
+ Performing a minimal install is a good starting point, but doesn't provide any assurance
+ over any package installed later.
rules:
- package_dhcp_removed
#- package_rsh_removed
@@ -45,10 +47,9 @@ controls:
problematic from a security point of view.
The features configured at the level of launched services should be limited to the strict
minimum.
+ automated: no
notes: >-
Define a list of most problematic components or features to be hardened or restricted.
- # potential components: sshd, pam, chrony?
- # rules: TBD
- id: R3
level: enhanced
@@ -109,7 +110,10 @@ controls:
Network services should as much as possible be hosted on isolated environments.
This avoids having other potentially affected services if one of them gets
compromised under the same environment.
- #rules: TBD
+ notes: >-
+ Manual analysis is required to determine if services are hosted appropriately in
+ separate or isolated system while maintaining functionality.
+ automated: no
- id: R7
level: enhanced
@@ -117,6 +121,7 @@ controls:
description: >-
The activities of the running system and services must be logged and
archived on an external, non-local system.
+ automated: yes
rules:
# The default remote loghost is logcollector.
# Change the default value to the hostname or IP of the system to send the logs to
@@ -235,6 +240,7 @@ controls:
notes: >-
The rule disabling auto-mount for /boot is commented until the rules checking for other
/boot mount options are updated to handle this usecase.
+ automated: no
#rules:
#- mount_option_boot_noauto
@@ -275,7 +281,7 @@ controls:
hardening measures.
Between two packages providing the same service, those subject to hardening
(at compilation, installation, or default configuration) must be preferred.
- #rules: TBD
+ automated: no
- id: R17
level: enhanced
@@ -283,6 +289,7 @@ controls:
description: >-
A boot loader to protect the password boot must be to be privileged.
This password must prevent any user from changing their configuration options.
+ automated: yes # without remediation
rules:
- grub2_password
- grub2_uefi_password
@@ -358,12 +365,28 @@ controls:
must be set up as soon as the system is installed: account and administration
passwords, root authority certificates, public keys, or certificates of the
host (and their respective private key).
- # rules: TBD
+ notes: >-
+ This concerns two aspects, the first is administrative, and involves prompt
+ installation of secrets or trusted elements by the sysadmin.
+ The second involves removal of any default secret or trusted element
+ configured by the operating system during install process, e.g. default
+ known passwords.
+ automated: no
- id: R21
level: intermediary
title: Hardening and monitoring of services subject to arbitrary flows
- # rules: TBD
+ notes: >-
+ SELinux can provide confinement and monitoring of services, and AIDE provides
+ basic integrity checking. System logs are configured as part of R43.
+ Hardening of particular services should be done on a case by case basis and is
+ not automated by this content.
+ automated: partially
+ rules:
+ - selinux_state
+ - var_selinux_state=enforcing
+ - package_aide_installed
+ - aide_build_database
- id: R22
level: intermediary
@@ -535,6 +558,7 @@ controls:
sysctl kernel.modules_disabledconf:
Prohibition of loading modules (except those already loaded to this point)
kernel.modules_disabled = 1
+ automated: yes # without remediation
rules:
- sysctl_kernel_modules_disabled
@@ -545,6 +569,7 @@ controls:
It is recommended to load the Yama security module at startup (by example
passing the security = yama argument to the kernel) and configure the
sysctl kernel.yama.ptrace_scope to a value of at least 1.
+ automated: yes
rules:
- sysctl_kernel_yama_ptrace_scope
@@ -553,13 +578,19 @@ controls:
title: Disabling unused user accounts
description: >-
Unused user accounts must be disabled at the system level.
- # rules: TBD
+ notes: >-
+ The definition of unused user accounts is broad. It can include accounts
+ whose owners don't use the system anymore, or users created by services
+ or applicatons that should not be used.
+ automated: no
- id: R27
title: Disabling service accounts
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
@@ -568,7 +599,11 @@ controls:
title: Uniqueness and exclusivity of system service accounts
description: >-
Each service must have its own system account and be dedicated to it exclusively.
- # rules: TBD
+ notes: >-
+ It is not trivial to identify wether a user account is a service account.
+ UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ are not enforced by the OS and can be changed over time.
+ automated: no
- id: R29
level: enhanced
@@ -778,6 +813,7 @@ controls:
description: >-
The syslog services must be isolated from the rest of the system in a
dedicated container.
+ automated: no
# rules: TBD
- id: R46
@@ -825,6 +861,7 @@ controls:
This includes: directories containing executables, libraries,
configuration files, as well as any files that may contain sensitive
elements (cryptographic keys, passwords, confidential data).
+ automated: yes
rules:
- package_aide_installed
- aide_build_database
@@ -851,7 +888,12 @@ controls:
description: >-
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
- # rules: TBD
+ notes: >-
+ SELinux policies limit the privileges of services and daemons to only what they require.
+ automated: partially
+ rules:
+ - selinux_policytype
+ - var_selinux_policy_name=targeted
- id: R54
level: enhanced
@@ -859,17 +901,24 @@ controls:
description: >-
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
- # rules: TBD
+ notes: >-
+ It may be interesting to point out virtulization components that are installed and
+ should be hardened.
+ automated: no
- id: R55
level: intermediary
title: chroot jail and access right for partitioned service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ autmated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
- # rules: TBD
+ notes: >-
+ Automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R57
level: intermediary
@@ -924,7 +973,10 @@ controls:
description: >-
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
- # rules: TBD
+ notes: >-
+ Human review is required to assess if the commands requiring EXEC is minimal.
+ An auxiliary rule could list rules containing EXEC tag, for analysis.
+ automated: no
- id: R62
level: intermediary
@@ -944,7 +996,13 @@ controls:
- id: R64
level: intermediary
title: Good use of sudoedit
- # rules: TBD
+ description: A file requiring sudo to be edited, must be edited through the sudoedit command.
+ notes: >-
+ In R62 we established that the sudoers files should not use negations, thus the approach
+ for this requirement is to ensure that sudoedit is the only text editor allowed.
+ But it is difficult to ensure that allowed binaries aren't text editors without human
+ review.
+ automated: no
- id: R65
level: high
@@ -959,6 +1017,7 @@ controls:
description: >-
It is recommended to enable the targeted policy when the distribution
support it and that it does not operate another security module than SELinux.
+ automated: yes
rules:
- selinux_policytype
- var_selinux_policy_name=targeted
From 655c8ab2d778f0826cb9cb9f3052bb5d49fcbbc4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 11 May 2021 17:49:42 +0200
Subject: [PATCH 3/6] Undraft RHEL ANSSI High profiles
---
rhel7/profiles/anssi_nt28_high.profile | 2 +-
rhel8/profiles/anssi_bp28_high.profile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel7/profiles/anssi_nt28_high.profile
+++ b/rhel7/profiles/anssi_nt28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
index 22efad9c09..560460b55f 100644
--- a/rhel8/profiles/anssi_bp28_high.profile
+++ b/rhel8/profiles/anssi_bp28_high.profile
@@ -1,6 +1,6 @@
documentation_complete: true
-title: 'DRAFT - ANSSI-BP-028 (high)'
+title: 'ANSSI-BP-028 (high)'
description: |-
This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
From 227baf32a959a94df241f49016aa23da2917de88 Mon Sep 17 00:00:00 2001
From: Watson Yuuma Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 10:58:50 +0200
Subject: [PATCH 4/6] Fix typos and improve language
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
controls/anssi.yml | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 291af65f58..81d099e98b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -581,7 +581,7 @@ controls:
notes: >-
The definition of unused user accounts is broad. It can include accounts
whose owners don't use the system anymore, or users created by services
- or applicatons that should not be used.
+ or applications that should not be used.
automated: no
- id: R27
@@ -589,7 +589,7 @@ controls:
level: intermediary
notes: >-
It is difficult to generally identify the system's service accounts.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
Assisting rules could list users which are not disabled for manual review.
automated: no
@@ -600,8 +600,8 @@ controls:
description: >-
Each service must have its own system account and be dedicated to it exclusively.
notes: >-
- It is not trivial to identify wether a user account is a service account.
- UID of such accounts are generally between SYS_UID_MIN and UID_SYS_MAX, but its values
+ It is not trivial to identify whether a user account is a service account.
+ UIDs of such accounts are generally between SYS_UID_MIN and SYS_UID_MAX, but their values
are not enforced by the OS and can be changed over time.
automated: no
@@ -889,7 +889,7 @@ controls:
The deployed services must have their access restricted to the system
strict minimum, especially when it comes to files, processes or network.
notes: >-
- SELinux policies limit the privileges of services and daemons to only what they require.
+ SELinux policies limit the privileges of services and daemons just to those which are required.
automated: partially
rules:
- selinux_policytype
@@ -902,7 +902,7 @@ controls:
Each component supporting the virtualization must be hardened, especially
by applying technical measures to counter the exploit attempts.
notes: >-
- It may be interesting to point out virtulization components that are installed and
+ It may be interesting to point out virtualization components that are installed and
should be hardened.
automated: no
@@ -910,14 +910,14 @@ controls:
level: intermediary
title: chroot jail and access right for partitioned service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
- autmated: no
+ Using automation to restrict access and chroot services is not generally reliable.
+ automated: no
- id: R56
level: intermediary
title: Enablement and usage of chroot by a service
notes: >-
- Automation to restrict access and chroot services is not generally reliable.
+ Using automation to restrict access and chroot services is not generally reliable.
automated: no
- id: R57
@@ -974,7 +974,7 @@ controls:
The commands requiring the execution of sub-processes (EXEC tag) must be
explicitly listed and their use should be reduced to a strict minimum.
notes: >-
- Human review is required to assess if the commands requiring EXEC is minimal.
+ Human review is required to assess if the set of commands requiring EXEC is minimal.
An auxiliary rule could list rules containing EXEC tag, for analysis.
automated: no
From 7bf2131e20bcf5a64e21b66afba48008324b058a Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:41:30 +0200
Subject: [PATCH 5/6] Update R1 notes and selected rule
---
controls/anssi.yml | 28 +++++++++----------
.../package_xinetd_removed/rule.yml | 1 +
.../nis/package_ypbind_removed/rule.yml | 1 +
.../nis/package_ypserv_removed/rule.yml | 1 +
.../package_rsh-server_removed/rule.yml | 1 +
.../r_services/package_rsh_removed/rule.yml | 1 +
.../talk/package_talk-server_removed/rule.yml | 1 +
.../talk/package_talk_removed/rule.yml | 1 +
.../package_telnet-server_removed/rule.yml | 1 +
.../telnet/package_telnet_removed/rule.yml | 1 +
.../tftp/package_tftp-server_removed/rule.yml | 1 +
.../tftp/package_tftp_removed/rule.yml | 4 +++
shared/references/cce-redhat-avail.txt | 1 -
13 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 81d099e98b..ebee9c4259 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -19,25 +19,25 @@ controls:
Those whose presence can not be justified should be disabled, removed or deleted.
automated: partially # The list of essential services is not objective.
notes: >-
- Manual review is required to assess if the installed services are minimal.
- In general, use of obsolete or insecure services is not recommended.
Performing a minimal install is a good starting point, but doesn't provide any assurance
over any package installed later.
+ Manual review is required to assess if the installed services are minimal.
+ In general, use of obsolete or insecure services is not recommended and we remove some
+ of these in this recommendation.
rules:
- package_dhcp_removed
- #- package_rsh_removed
- #- package_rsh-server_removed
+ - package_rsh_removed
+ - package_rsh-server_removed
- package_sendmail_removed
- - package_telnetd_removed
- #- package_talk_removed
- #- package_talk-server_removed
- #- package_telnet_removed
- #- package_telnet-server_removed
- #- package_tftp_removed
- #- package_tftp-server_removed
- #- package_xinetd_removed
- #- package_ypbind_removed
- #- package_ypserv_removed
+ - package_talk_removed
+ - package_talk-server_removed
+ - package_telnet_removed
+ - package_telnet-server_removed
+ - package_tftp_removed
+ - package_tftp-server_removed
+ - package_xinetd_removed
+ - package_ypbind_removed
+ - package_ypserv_removed
- id: R2
level: intermediary
diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
index e2431be9c5..9494025449 100644
--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-80850-1
references:
+ anssi: BP28(R1)
cis@rhel8: 2.1.1
disa: CCI-000305
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index 97e27e2a4c..e836dc6fb1 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -24,6 +24,7 @@ identifiers:
cce@rhel8: CCE-82181-9
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.1
cis@rhel8: 2.3.1
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index ac1d8e6f4c..7ca7a67e69 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82432-6
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020010
cis@rhel7: 2.2.16
cis@rhel8: 2.2.17
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
index 21f4d7bae6..33c36cde67 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82184-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-020000
disa: CCI-000381
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
index c8f4673a3a..dbc6bd7329 100644
--- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-82183-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.2
cui: 3.1.13
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
index 12971558e9..e46e4f55d0 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml
@@ -18,6 +18,7 @@ identifiers:
cce@rhel8: CCE-82180-1
references:
+ anssi: BP28(R1)
cis@rhel7: 2.2.18
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
index 68e804ba38..24743fc2d6 100644
--- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml
@@ -23,6 +23,7 @@ identifiers:
cce@rhel8: CCE-80848-5
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.3
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
index 7bb5ed5da3..24cf50ff29 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
@@ -31,6 +31,7 @@ identifiers:
cce@sle15: CCE-83273-3
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-021710
cis@rhel7: 2.1.19
disa: CCI-000381
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
index 1b0128ec06..afef488734 100644
--- a/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet_removed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
cce@rhel8: CCE-80849-3
references:
+ anssi: BP28(R1)
cis@rhel7: 2.3.4
cis@rhel8: 2.3.2
cui: 3.1.13
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
index 3fcc8db4c8..ca25bb2124 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml
@@ -22,6 +22,7 @@ identifiers:
cce@rhel8: CCE-82436-7
references:
+ anssi: BP28(R1)
stigid@ol7: OL07-00-040700
disa: CCI-000318,CCI-000366,CCI-000368,CCI-001812,CCI-001813,CCI-001814
nist: CM-7(a),CM-7(b),CM-6(a)
diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
index c3a501259c..0be9a60d38 100644
--- a/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/tftp/package_tftp_removed/rule.yml
@@ -19,6 +19,10 @@ severity: low
identifiers:
cce@rhel7: CCE-80443-5
+ cce@rhel8: CCE-83590-0
+
+references:
+ anssi: BP28(R1)
ocil: '{{{ describe_package_remove(package="tftp") }}}'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4c4f8c3aa3..b719186add 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -91,7 +91,6 @@ CCE-83584-3
CCE-83587-6
CCE-83588-4
CCE-83589-2
-CCE-83590-0
CCE-83592-6
CCE-83594-2
CCE-83595-9
From c8124b72c208951b3ac2a4da1f8c64157f6be69b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Fri, 14 May 2021 11:43:32 +0200
Subject: [PATCH 6/6] Update R5 notes and rule selection
Note commented rules as related, and potentially useful.
---
controls/anssi.yml | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index ebee9c4259..bba7148da9 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -88,20 +88,22 @@ controls:
automated: partially
notes: >-
Defense in-depth can be broadly divided into three areas - physical, technical and
- administrative. The security profile is best suitedto protect the technical area.
+ administrative. The security profile is best suited to protect the technical area.
Among the barriers that can be implemented within the technical area are antivirus software,
authentication, multi-factor authentication, encryption, logging, auditing, sandboxing,
intrusion detection systems, firewalls and vulnerability scanners.
+ The selection below is not in any way exaustive and should be adapted to the system's needs.
rules:
- #- package_audit_installed
- #- service_auditd_enabled
- sudo_remove_no_authenticate
- package_rsyslog_installed
- service_rsyslog_enabled
- #- package_ntp_installed
- #- package_firewalld_installed
- #- service_firewalld_enabled
- #- sssd_enable_smartcards
+ related_rules:
+ - package_audit_installed
+ - service_auditd_enabled
+ - package_ntp_installed
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - sssd_enable_smartcards
- id: R6
level: enhanced

530
SPECS/scap-security-guide.spec Normal file
View File

@ -0,0 +1,530 @@
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
Name: scap-security-guide
Version: 0.1.56
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
Patch1: scap-security-guide-0.1.57-select_seboolean_rules_for_ANSSI-PR_6988.patch
Patch2: scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch
Patch3: scap-security-guide-0.1.57-update_ANSSI_profiles_metadata-PR_6997.patch
BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5
Obsoletes: openscap-content < 0:0.9.13
Provides: openscap-content
%description
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The Red Hat Enterprise
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
package, or the scap-workbench GUI tool from scap-workbench package to verify
that the system conforms to provided guideline. Refer to scap-security-guide(8)
manual page for further information.
%package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description doc
The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%prep
%setup -q -b 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
mkdir build
%build
cd build
%cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
%make_build
%install
cd build
%make_install
# Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible
%{_datadir}/%{name}/bash
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%changelog
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
- Update to the latest upstream release (RHBZ#1966577)
- Add ANSSI High Profile (RHBZ#1955183)
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Remove Kickstart for not shipped profile (RHBZ#1778188)
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344)
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to the latest upstream release (RHBZ#1889344)
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
- fixed link in a grub2 rule description (rhbz#1854854)
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
- Update the scapval invocation (RHBZ#1815007)
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
- fix description of HIPAA profile (RHBZ#1867559)
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
- Remove CCM from TLS Ciphersuites
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
- CIS Ansible fixes (RHBZ#1760734)
- HIPAA Ansible fixes (RHBZ#1832760)
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
- HIPAA Profile (RHBZ#1832760)
- Enable build of RHEL8 HIPAA Profile
- Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
- Add Ansible fix for sshd_set_max_sessions
- Add CIS Profile content attribution to Center for Internet Security
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Fix Ansible for no_direct_root_logins
- Fix Ansible template for SELinux booleans
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
- Update to the latest upstream release (RHBZ#1815007)
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
- Update to the latest upstream release (RHBZ#1815007)
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
- Use crypto-policy rules in OSPP profile.
- Re-enable FIREFOX and JRE product in build.
- Change test suite logging message about missing profile from ERROR to WARNING.
- Build only one version of SCAP content at a time.
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
- Ported changelog from late 8.0 builds.
- Disabled build of the OL8 product, updated other components of the cmake invocation.
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
- Assign CCE to rules from OSPP profile which were missing the identifier.
- Fix regular expression for Audit rules ordering
- Account for Audit rules flags parameter position within syscall
- Add remediations for Audit rules file path
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
- Add a Bash remediation for Audit rules that require ordering
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
- Assign CCE identifier to rules used by RHEL8 profiles.
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
- Fixed Crypto Policy OVAL for NSS
- Got rid of rules requiring packages dropped in RHEL8.
- Profile descriptions fixes.
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
- Update applicable platforms in crypto policy tests
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
- Introduce Podman backend for SSG Test suite
- Update bind and libreswan crypto policy test scenarios
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
- Further fix of profiles descriptions, so they don't contain literal '\'.
- Removed obsolete sshd rule from the OSPP profile.
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
- Fixed profiles descriptions, so they don't contain literal '\n'.
- Made the configure_kerberos_crypto_policy OVAL more robust.
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
- Added FIPS mode rule for the OSPP profile.
- Split the installed_OS_is certified rule.
- Explicitly disabled OSP13, RHV4 and Example products.
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
- Add missing kickstart files for RHEL8
- Disable profiles that are not in good shape for RHEL8
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- System-wide crypto policies are introduced for RHEL8
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
- Fix man page and package description
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
- Only build content for rhel8 products
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
- Update build of rhel8 content
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
- Enable build of rhel8 content
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
- Fix spec file to build using Python 3
- Fix License because upstream changed to BSD-3
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
- updated to latest upstream release
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
- updated to latest upstream release
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
- updated to latest upstream release
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
- use make_build and make_install RPM macros
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
- update to the latest upstream release
- new default location for content /usr/share/scap/ssg
- install HTML tables in the doc subpackage
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
- Correct currently failing parallel SCAP Security Guide build
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
- Drop shell library for remediation functions since it is not required
starting from 0.1.30 release any more
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
in 0.1.29 upstream release
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
- upgrade to the latest upstream release
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
- update to the latest upstream release
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
- update to the latest upstream release
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
- update to the latest upstream release
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
- update to the latest upstream release
- created doc sub-package to ship all the guides
- start distributing centos and scientific linux content
- rename java content to jre
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
- update to the latest upstream release
- only DataStream file is now available for Fedora
- start distributing security baseline for Firefox
- start distributing security baseline for Java RunTime deployments
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
- update to the latest upstream release
- move content to /usr/share/scap/ssg/content
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
- update to the latest upstream release
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
- require only openscap-scanner, not whole openscap-utils package
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
- Add STIG DISCLAIMER to the shipped documentation
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
- Fix fedora-srpm and fedora-rpm Make targets to work again
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
- EOL for Fedora 18 support
- Include Fedora datastream file for remote Fedora system scans
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
it to /shared
- Add shared remediations for sshd disable empty passwords and
sshd set idle timeout
- Shared remediation for sshd disable root login
- Add empty -compat subpackage to ensure backward-compatibility with
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
- OVAL check for sshd disable root login
- Fix typo in OVAL check for sshd disable empty passwords
- OVAL check for sshd disable empty passwords
- Unselect no shelllogin for systemaccounts rule from being run by default
- Rename XCCDF rules
- Revert Set up Fedora release name and CPE based on build system properties
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
- Shared OVAL check for Verify that System Executables Have Root Ownership
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
Permissions
- Fix remediation for Disable Prelinking rule
- OVAL check and remediation for sshd's ClientAliveCountMax rule
- OVAL check for sshd's ClientAliveInterval rule
- Include descriptions for permissions section, and rules for checking
permissions and ownership of shared library files and system executables
- Disable selected rules by default
- Add remediation for Disable Prelinking rule
- Adjust service-enable-macro, service-disable-macro XSLT transforms
definition to evaluate to proper systemd syntax
- Fix service_ntpd_enabled OVAL check make validate to pass again
- Include patch from Šimon Lukašík to obsolete openscap-content
package (RH BZ#1028706)
- Add OVAL check to test if there's is remote NTP server configured for
time data
- Add system settings section for the guide (to track system wide
hardening configurations)
- Include disable prelink rule and OVAL check for it
- Initial OVAL check if ntpd service is enabled. Add package_installed
OVAL templating directory structure and functionality.
- Include services section, and XCCDF description for selected ntpd's
sshd's service rules
- Include remediations for login.defs' based password minimum, maximum and
warning age rules
- Include directory structure to support remediations
- Add SCAP "replace or append pattern value in text file based on variable"
remediation script generator
- Add remediation for "Set Password Minimum Length in login.defs" rule
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
- Update versioning scheme - move fedorassgrelease to be part of
upstream version. Rename it to fedorassgversion to avoid name collision
with Fedora package release.
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
- Add .gitignore for Fedora output directory
- Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page
(RH BZ#1018905, c#10)
- Apply further changes motivated by scap-security-guide Fedora RPM review
request (RH BZ#1018905, c#8):
* update package description,
* make content files to be owned by the scap-security-guide package,
* remove Fedora release number from generated content files,
* move HTML form of the guide under the doc directory (together
with that drop fedora/content subdir and place the content
directly under fedora/ subdir).
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
* drop Fedora release from package provided files' final path (c#5),
* drop BuildRoot, selected Requires:, clean section, drop chcon for
manual page, don't gzip man page (c#4),
* change package's description (c#4),
* include PD license text (#c4).
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
- Provide manual page for scap-security-guide
- Remove percent sign from spec's changelog to silence rpmlint warning
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
- Introduce 'Account and Access Control' section
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
rules to Fedora
- Set proper name of the build directory in the spec's setup macro.
- Replace hard-coded paths with macros. Preserve attributes when copying files.
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
- Initial Fedora SSG RPM.