diff --git a/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch b/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
new file mode 100644
index 0000000..2314eaf
--- /dev/null
+++ b/scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
@@ -0,0 +1,60 @@
+From b44f64edb4ff2631c7cda02866a07f1eb8888073 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Fri, 1 Jul 2022 14:55:53 +0200
+Subject: [PATCH] Remove rule zip_vsyscall_argument
+
+According to
+https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html?highlight=vsyscall
+vsyscall is applicable to X86-64 but ZIPl is used only on
+s390x on RHEL, and likely on other OSes as well.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2060049
+---
+ products/rhel8/profiles/ospp.profile | 3 ---
+ products/rhel9/profiles/ospp.profile | 1 -
+ tests/data/profile_stability/rhel8/ospp.profile | 3 ---
+ 3 files changed, 7 deletions(-)
+
+diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
+index e6a0dd75020..235ab3dcfad 100644
+--- a/products/rhel8/profiles/ospp.profile
++++ b/products/rhel8/profiles/ospp.profile
+@@ -437,6 +437,3 @@ selections:
+ - zipl_audit_backlog_limit_argument
+ - zipl_slub_debug_argument
+ - zipl_page_poison_argument
+- - zipl_vsyscall_argument
+- - zipl_vsyscall_argument.role=unscored
+- - zipl_vsyscall_argument.severity=info
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 1fad0031749..c5a291d5c69 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -406,6 +406,5 @@ selections:
+ - zipl_bootmap_is_up_to_date
+ - zipl_audit_argument
+ - zipl_audit_backlog_limit_argument
+- - zipl_vsyscall_argument
+ - zipl_init_on_alloc_argument
+ - zipl_page_alloc_shuffle_argument
+diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
+index f2a56411e6f..5757acf030e 100644
+--- a/tests/data/profile_stability/rhel8/ospp.profile
++++ b/tests/data/profile_stability/rhel8/ospp.profile
+@@ -233,7 +233,6 @@ selections:
+ - zipl_bootmap_is_up_to_date
+ - zipl_page_poison_argument
+ - zipl_slub_debug_argument
+-- zipl_vsyscall_argument
+ - var_sshd_set_keepalive=0
+ - var_rekey_limit_size=1G
+ - var_rekey_limit_time=1hour
+@@ -265,8 +264,6 @@ selections:
+ - grub2_vsyscall_argument.severity=info
+ - sysctl_user_max_user_namespaces.role=unscored
+ - sysctl_user_max_user_namespaces.severity=info
+-- zipl_vsyscall_argument.role=unscored
+-- zipl_vsyscall_argument.severity=info
+ platforms: !!set {}
+ cpe_names: !!set {}
+ platform: null
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 6a1bb14..a2d0381 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -26,6 +26,7 @@ Requires: xml-common, openscap-scanner >= 1.2.5
 Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
 Patch1: scap-security-guide-0.1.63-audit_access_success_unenforcing-PR_9082.patch
+Patch2: scap-security-guide-0.1.63-drop_zipl_vsyscall_argument-PR_9083.patch
 %description
 The scap-security-guide project provides a guide for configuration of the
@@ -104,6 +105,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 * Mon Jul 18 2022 Vojtech Polasek - 0.1.62-2
 - Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
 - Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
+- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
 * Wed Jun 01 2022 Matej Tyc - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)
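Review bot: The Subject line of the carried patch names the rule `zip_vsyscall_argument`, while every hunk removes `zipl_vsyscall_argument`, so a search of the carried patches by rule ID will not match this header; the spec changelog spells the ID correctly and is the entry an auditor should rely on. The removal is limited to the zipl selection and its two refinements. The rhel8 stability context still lists `grub2_vsyscall_argument.severity=info`, but the rhel9 hunk shows no grub2 line, so it cannot be confirmed from this page that the x86-64 vsyscall check stays selected in the rhel9 OSPP profile. A sentence in the description stating that the GRUB2 variant of the rule is untouched would close that gap for anyone reviewing the profile's coverage later.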
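Review bot: Nothing in either spec hunk applies `Patch2`; the first hunk only declares it, and %prep lies outside the visible lines. If %prep uses `%autosetup -p1` or `%autopatch`, the declaration is enough. If patches are applied one by one, a `%patch2 -p1` line is missing, and the package would still ship `zipl_vsyscall_argument` in the OSPP profile while the changelog states it was dropped. A check in the build or test stage that the built rhel9 OSPP profile no longer contains the rule ID would catch a silently unapplied patch.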