import scap-security-guide-0.1.57-5.el8
parent
38497d8b9b
commit
da76cca84d
@ -1,11 +1,5 @@
|
||||
commit 16a2f8d544019197b76aa572843a2f2dec390a8c
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Wed Sep 22 14:32:48 2021 +0200
|
||||
|
||||
Disable profiles that are not in good shape for products/rhel8
|
||||
|
||||
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
|
||||
index f0ce1eb..f1beaa2 100644
|
||||
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
|
||||
index d61689c97..5e444a101 100644
|
||||
--- a/products/rhel8/CMakeLists.txt
|
||||
+++ b/products/rhel8/CMakeLists.txt
|
||||
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
|
||||
@ -24,8 +18,8 @@ index f0ce1eb..f1beaa2 100644
|
||||
ssg_build_html_cce_table(${PRODUCT})
|
||||
|
||||
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
|
||||
index 1bd6df6..adeae4a 100644
|
||||
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
|
||||
index 035d2705b..c6475f33e 100644
|
||||
--- a/products/rhel8/profiles/cjis.profile
|
||||
+++ b/products/rhel8/profiles/cjis.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -34,8 +28,8 @@ index 1bd6df6..adeae4a 100644
|
||||
|
||||
metadata:
|
||||
version: 5.4
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
|
||||
index 15abd98..d76bb38 100644
|
||||
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
|
||||
index c84579592..164ec98c4 100644
|
||||
--- a/products/rhel8/profiles/rht-ccp.profile
|
||||
+++ b/products/rhel8/profiles/rht-ccp.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -44,8 +38,8 @@ index 15abd98..d76bb38 100644
|
||||
|
||||
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
|
||||
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
|
||||
index a63ae2c..da669bb 100644
|
||||
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
|
||||
index a63ae2cf3..da669bb84 100644
|
||||
--- a/products/rhel8/profiles/standard.profile
|
||||
+++ b/products/rhel8/profiles/standard.profile
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -54,3 +48,6 @@ index a63ae2c..da669bb 100644
|
||||
|
||||
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -1,20 +0,0 @@
|
||||
commit a402f160639d830490d243609a1d8fbf8f802f23
|
||||
Author: Gabriel Becker <ggasparb@redhat.com>
|
||||
Date: Fri Oct 8 11:44:04 2021 +0200
|
||||
|
||||
Revert "Remove RHEL>7 prodtypes from docker-related rules"
|
||||
|
||||
This reverts commit 6343a61c9966bd54326b2bfbdeb95f9bb7107f9b.
|
||||
|
||||
diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
|
||||
index 4b8538b9d0..77a046fae2 100644
|
||||
--- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
|
||||
+++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
|
||||
@@ -1,6 +1,6 @@
|
||||
documentation_complete: true
|
||||
|
||||
-prodtype: rhel7
|
||||
+prodtype: rhel7,rhel8
|
||||
|
||||
title: 'Ensure SELinux support is enabled in Docker'
|
||||
|
@ -1,23 +0,0 @@
|
||||
From 272b1bb81fa0bb80be77ba23d4cb91ad36965520 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 20 Jul 2021 09:03:23 +0200
|
||||
Subject: [PATCH] Set package_rear_installed to notapplicable on s390x
|
||||
|
||||
Resolves: RHBZ#1958939
|
||||
---
|
||||
.../software/system-tools/package_rear_installed/rule.yml | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
index 2396f5bb118..077a56c1ffb 100644
|
||||
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
|
||||
@@ -22,6 +22,8 @@ ocil_clause: 'the package is not installed'
|
||||
|
||||
ocil: '{{{ ocil_package(package="rear") }}}'
|
||||
|
||||
+platform: not_s390x_arch
|
||||
+
|
||||
template:
|
||||
name: package_installed
|
||||
vars:
|
@ -5,7 +5,7 @@
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.57
|
||||
Release: 3%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -74,8 +74,6 @@ Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
|
||||
Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
|
||||
Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
|
||||
Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
|
||||
Patch57: revert_docker_selinux_enabled_to_rhel8.patch
|
||||
Patch58: scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
@ -96,11 +94,11 @@ system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The Red Hat Enterprise
|
||||
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
|
||||
package, or the scap-workbench GUI tool from scap-workbench package to verify
|
||||
that the system conforms to provided guideline. Refer to scap-security-guide(8)
|
||||
manual page for further information.
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
@ -112,6 +110,16 @@ The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -b1
|
||||
|
||||
@ -130,6 +138,9 @@ cd build
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%endif
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
||||
%endif
|
||||
../
|
||||
%cmake_build
|
||||
|
||||
@ -151,26 +162,51 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%doc %{_docdir}/%{name}/README.md
|
||||
%doc %{_docdir}/%{name}/Contributors.md
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 13 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
||||
- Reintroduce docker_selinux_enabled rule to RHEL8.
|
||||
- Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553)
|
||||
* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
|
||||
- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).
|
||||
|
||||
* Tue Oct 05 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
|
||||
- Remove ansible playbooks per rule generation.
|
||||
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
|
||||
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
|
||||
|
||||
* Fri Sep 17 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-1
|
||||
- Update to the latest upstream release (RHBZ#1997634)
|
||||
- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634)
|
||||
- Enable RHEL8 STIG with GUI profile (RHBZ#2005431)
|
||||
- Enable the ISM profile (RHBZ#2005891)
|
||||
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427)
|
||||
- Enable ANSSI High Profile (RHBZ#2005429)
|
||||
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
||||
- Fix remaining audit rules file permissions (RHBZ#1993056)
|
||||
- Mark a STIG service rule as machine only (RHBZ#1993056)
|
||||
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
|
||||
|
||||
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
|
||||
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
|
||||
- Include tests for Ansible Playbooks that remove and reintroduce files.
|
||||
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
|
||||
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
|
||||
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
|
||||
- Add Kickstart files for ISM profile (RHBZ#1955373)
|
||||
- Fix broken RHEL7 documentation links (RHBZ#1966577)
|
||||
|
||||
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Enable the ISM profile.
|
||||
|
||||
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
|
||||
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
|
||||
|
||||
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Add ANSSI High Profile (RHBZ#1955183)
|
||||
|
||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
||||
|