rpms/scap-security-guide
7
0
Fork 0
Code Issues Pull Requests Releases Activity

remove problematic rule from ANSSI High profile

Browse Source 
Resolves: rhbz#2221695
This commit is contained in:
Vojtech Polasek 2023-08-17 16:55:27 +02:00
parent da4a9bc5df
commit c28597b10f
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch Normal file
View File

@ -0,0 +1,30 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'

7
scap-security-guide.spec
View File

@ -6,7 +6,7 @@
Name: scap-security-guide
Version: 0.1.69
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -19,6 +19,8 @@ Patch0: disable-not-in-good-shape-profiles.patch
# Fix rule enable_fips_mode
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch
BuildArch: noarch
@ -125,6 +127,9 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%endif
%changelog
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
- Fixed CCE link URL (RHBZ#2178516)