import scap-security-guide-0.1.57-5.el8

2021-11-09 04:58:29 -05:00 · 2021-11-09 04:58:29 -05:00 · da76cca84d
parent 38497d8b9b
commit da76cca84d
4 changed files with 67 additions and 77 deletions
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@ -1,11 +1,5 @@
-commit 16a2f8d544019197b76aa572843a2f2dec390a8c
-Author: Gabriel Becker <ggasparb@redhat.com>
-Date:   Wed Sep 22 14:32:48 2021 +0200
-
-    Disable profiles that are not in good shape for products/rhel8
-
-diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
-index f0ce1eb..f1beaa2 100644
+diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
+index d61689c97..5e444a101 100644
 --- a/products/rhel8/CMakeLists.txt
 +++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
@ -24,8 +18,8 @@ index f0ce1eb..f1beaa2 100644
 ssg_build_html_cce_table(${PRODUCT})
 
 ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
-diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
-index 1bd6df6..adeae4a 100644
+diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
+index 035d2705b..c6475f33e 100644
 --- a/products/rhel8/profiles/cjis.profile
 +++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -34,8 +28,8 @@ index 1bd6df6..adeae4a 100644
 
 metadata:
     version: 5.4
-diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
-index 15abd98..d76bb38 100644
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
+index c84579592..164ec98c4 100644
 --- a/products/rhel8/profiles/rht-ccp.profile
 +++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -44,8 +38,8 @@ index 15abd98..d76bb38 100644
 
 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
 
-diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
-index a63ae2c..da669bb 100644
+diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
+index a63ae2cf3..da669bb84 100644
 --- a/products/rhel8/profiles/standard.profile
 +++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -54,3 +48,6 @@ index a63ae2c..da669bb 100644
 
 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
 
+-- 
+2.26.2
+
--- a/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch
+++ b/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch
@ -1,20 +0,0 @@
-commit a402f160639d830490d243609a1d8fbf8f802f23
-Author: Gabriel Becker <ggasparb@redhat.com>
-Date:   Fri Oct 8 11:44:04 2021 +0200
-
-    Revert "Remove RHEL>7 prodtypes from docker-related rules"
-    
-    This reverts commit 6343a61c9966bd54326b2bfbdeb95f9bb7107f9b.
-
-diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
-index 4b8538b9d0..77a046fae2 100644
--- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
-+++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
-prodtype: rhel7
-+prodtype: rhel7,rhel8
- 
- title: 'Ensure SELinux support is enabled in Docker'
- 
--- a/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
+++ b/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
@ -1,23 +0,0 @@
-From 272b1bb81fa0bb80be77ba23d4cb91ad36965520 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
-Date: Tue, 20 Jul 2021 09:03:23 +0200
-Subject: [PATCH] Set package_rear_installed to notapplicable on s390x
-
-Resolves: RHBZ#1958939
---
- .../software/system-tools/package_rear_installed/rule.yml       | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-index 2396f5bb118..077a56c1ffb 100644
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
-@@ -22,6 +22,8 @@ ocil_clause: 'the package is not installed'
- 
- ocil: '{{{ ocil_package(package="rear") }}}'
- 
-+platform: not_s390x_arch
-+
- template:
-     name: package_installed
-     vars:
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -5,7 +5,7 @@

 Name:		scap-security-guide
 Version:	0.1.57
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@ -74,8 +74,6 @@ Patch53:		scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
 Patch54:		scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
 Patch55:		scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
 Patch56:		scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
-Patch57:		revert_docker_selinux_enabled_to_rhel8.patch
-Patch58:		scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch

 BuildRequires:	libxslt
 BuildRequires:	expat
@ -96,11 +94,11 @@ system from the final system's security point of view. The guidance is specified
 in the Security Content Automation Protocol (SCAP) format and constitutes
 a catalog of practical hardening advice, linked to government requirements
 where applicable. The project bridges the gap between generalized policy
-requirements and specific implementation guidelines. The Red Hat Enterprise
-Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
-package, or the scap-workbench GUI tool from scap-workbench package to verify
-that the system conforms to provided guideline. Refer to scap-security-guide(8)
-manual page for further information.
+requirements and specific implementation guidelines. The system
+administrator can use the oscap CLI tool from openscap-scanner package, or the
+scap-workbench GUI tool from scap-workbench package to verify that the system
+conforms to provided guideline. Refer to scap-security-guide(8) manual page for
+further information.

 %package	doc
 Summary:	HTML formatted security guides generated from XCCDF benchmarks
@ -112,6 +110,16 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.

+%if ( %{defined rhel} && (! %{defined centos}) )
+%package	rule-playbooks
+Summary:	Ansible playbooks per each rule.
+Group:		System Environment/Base
+Requires:	%{name} = %{version}-%{release}
+
+%description	rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
 %prep
 %autosetup -p1 -b1

@ -130,6 +138,9 @@ cd build
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 %endif
 -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
+%if ( %{defined rhel} && (! %{defined centos}) )
+-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
+%endif
 ../
 %cmake_build

@ -151,26 +162,51 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/Contributors.md
+%if ( %{defined rhel} && (! %{defined centos}) )
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif

 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html

+%if ( %{defined rhel} && (! %{defined centos}) )
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
 %changelog
-* Wed Oct 13 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Reintroduce docker_selinux_enabled rule to RHEL8.
- Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553)
+* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
+- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).

-* Tue Oct 05 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
- Remove ansible playbooks per rule generation.
+* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
+- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)

-* Fri Sep 17 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1997634)
- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634)
- Enable RHEL8 STIG with GUI profile (RHBZ#2005431)
- Enable the ISM profile (RHBZ#2005891)
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427)
- Enable ANSSI High Profile (RHBZ#2005429)
+* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
+- Fix remaining audit rules file permissions (RHBZ#1993056)
+- Mark a STIG service rule as machine only (RHBZ#1993056)
+- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
+
+* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
+- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
+- Include tests for Ansible Playbooks that remove and reintroduce files.
+- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) 
+- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
+- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
+- Add Kickstart files for ISM profile (RHBZ#1955373)
+- Fix broken RHEL7 documentation links (RHBZ#1966577)
+
+* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
+- Update to the latest upstream release (RHBZ#1966577)
+- Enable the ISM profile.
+
+* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
+- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
+
+* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
+- Update to the latest upstream release (RHBZ#1966577)
+- Add ANSSI High Profile (RHBZ#1955183)

 * Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
 - Remove Kickstart for not shipped profile (RHBZ#1778188)