import scap-security-guide-0.1.57-5.el8

CentOS Sources 2021-11-09 04:58:29 -05:00 committed by Stepan Oksanichenko
parent 38497d8b9b
commit da76cca84d
4 changed files with 67 additions and 77 deletions

@ -1,11 +1,5 @@
commit 16a2f8d544019197b76aa572843a2f2dec390a8c
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Wed Sep 22 14:32:48 2021 +0200
Disable profiles that are not in good shape for products/rhel8
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
index f0ce1eb..f1beaa2 100644
diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
index d61689c97..5e444a101 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
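Review bot: the `diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt` header in this hunk does not match the `--- a/products/rhel8/CMakeLists.txt` and `+++ b/products/rhel8/CMakeLists.txt` lines right below it. If that is the header kept in the patch file, anything that resolves the target from the `diff --git` line will look for a path the `---`/`+++` lines do not name; regenerate the patch against the tree it is applied to so both agree. The hunk also shrinks from 11 lines to 5 around the `commit 16a2f8d544019197b76aa572843a2f2dec390a8c`, `Author:` and `Date:` lines, so if those are what is dropped, the patch file no longer records which upstream commit it came from.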
@ -24,8 +18,8 @@ index f0ce1eb..f1beaa2 100644
ssg_build_html_cce_table(${PRODUCT})
ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 1bd6df6..adeae4a 100644
diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
index 035d2705b..c6475f33e 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
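Review bot: in `diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile` the a/ and b/ sides name different directories, although the `---`/`+++` lines below both use `products/rhel8/profiles/cjis.profile`, which reads like a hand-edited header rather than a rename. Use the same path on both sides, matching the `---`/`+++` lines; the `rht-ccp.profile` and `standard.profile` headers further down have the same mismatch.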
@ -34,8 +28,8 @@ index 1bd6df6..adeae4a 100644
metadata:
version: 5.4
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index 15abd98..d76bb38 100644
diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
index c84579592..164ec98c4 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -44,8 +38,8 @@ index 15abd98..d76bb38 100644
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index a63ae2c..da669bb 100644
diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
index a63ae2cf3..da669bb84 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -54,3 +48,6 @@ index a63ae2c..da669bb 100644
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.26.2

@ -1,20 +0,0 @@
commit a402f160639d830490d243609a1d8fbf8f802f23
Author: Gabriel Becker <ggasparb@redhat.com>
Date: Fri Oct 8 11:44:04 2021 +0200
Revert "Remove RHEL>7 prodtypes from docker-related rules"
This reverts commit 6343a61c9966bd54326b2bfbdeb95f9bb7107f9b.
diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
index 4b8538b9d0..77a046fae2 100644
--- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
+++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: rhel7,rhel8
title: 'Ensure SELinux support is enabled in Docker'
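Review bot: the `-1,20 +0,0` header means this whole patch file is deleted, and with it the `prodtype: rhel7,rhel8` change, so `docker_selinux_enabled` goes back to `prodtype: rhel7` in this build. The commit message gives no reason; if the drop is intended, record why in the spec `%changelog`.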

@ -1,23 +0,0 @@
From 272b1bb81fa0bb80be77ba23d4cb91ad36965520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 20 Jul 2021 09:03:23 +0200
Subject: [PATCH] Set package_rear_installed to notapplicable on s390x
Resolves: RHBZ#1958939
---
.../software/system-tools/package_rear_installed/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
index 2396f5bb118..077a56c1ffb 100644
--- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
@@ -22,6 +22,8 @@ ocil_clause: 'the package is not installed'
ocil: '{{{ ocil_package(package="rear") }}}'
+platform: not_s390x_arch
+
template:
name: package_installed
vars:
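Review bot: removing this file (`-1,23 +0,0`) drops the `platform: not_s390x_arch` line from `package_rear_installed/rule.yml`, so the rule is evaluated on s390x again, which is the behaviour the patch subject and RHBZ#1958939 set out to change. Confirm the fix is not needed on this branch, or keep the patch and its `Patch58:` line in the spec.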

@ -5,7 +5,7 @@
Name: scap-security-guide
Version: 0.1.57
Release: 3%{?dist}
Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -74,8 +74,6 @@ Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
Patch57: revert_docker_selinux_enabled_to_rhel8.patch
Patch58: scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
BuildRequires: libxslt
BuildRequires: expat
@ -96,11 +94,11 @@ system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The Red Hat Enterprise
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
package, or the scap-workbench GUI tool from scap-workbench package to verify
that the system conforms to provided guideline. Refer to scap-security-guide(8)
manual page for further information.
requirements and specific implementation guidelines. The system
administrator can use the oscap CLI tool from openscap-scanner package, or the
scap-workbench GUI tool from scap-workbench package to verify that the system
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
further information.
%package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks
@ -112,6 +110,16 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if ( %{defined rhel} && (! %{defined centos}) )
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description rule-playbooks
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
%endif
%prep
%autosetup -p1 -b1
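Review bot: `Summary: Ansible playbooks per each rule.` ends with a period, which rpmlint reports, and "per each rule" is redundant; something like `Summary: Ansible playbooks for individual rules` avoids both. The `rule-playbooks` subpackage exists only under `%if ( %{defined rhel} && (! %{defined centos}) )`, so a short comment above the condition saying why CentOS builds skip it would help whoever next touches the `%files` and cmake conditionals that have to stay in step with it.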
@ -130,6 +138,9 @@ cd build
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if ( %{defined rhel} && (! %{defined centos}) )
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
../
%cmake_build
@ -151,26 +162,51 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md
%if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if ( %{defined rhel} && (! %{defined centos}) )
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Wed Oct 13 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Reintroduce docker_selinux_enabled rule to RHEL8.
- Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553)
* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).
* Tue Oct 05 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
- Remove ansible playbooks per rule generation.
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
* Fri Sep 17 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1997634)
- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634)
- Enable RHEL8 STIG with GUI profile (RHBZ#2005431)
- Enable the ISM profile (RHBZ#2005891)
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427)
- Enable ANSSI High Profile (RHBZ#2005429)
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Fix remaining audit rules file permissions (RHBZ#1993056)
- Mark a STIG service rule as machine only (RHBZ#1993056)
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
- Include tests for Ansible Playbooks that remove and reintroduce files.
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
- Add Kickstart files for ISM profile (RHBZ#1955373)
- Fix broken RHEL7 documentation links (RHBZ#1966577)
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1966577)
- Enable the ISM profile.
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
- Update to the latest upstream release (RHBZ#1966577)
- Add ANSSI High Profile (RHBZ#1955183)
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Remove Kickstart for not shipped profile (RHBZ#1778188)
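Review bot: the `%changelog` entries in this hunk are out of step with the release numbers: `0.1.57-5` is dated Thu Sep 02 2021 while a `0.1.57-3` entry dated Wed Oct 13 2021 and a `0.1.57-2` entry dated Tue Oct 05 2021 sit beside it, and `0.1.57-3`, `0.1.57-2` and `0.1.57-1` each appear twice with different dates. If the October entries are the ones being replaced, the release number goes up while the history goes back in time and the RHBZ#2013553 entry disappears; state in the commit message which branch this import comes from. Separately, `%defattr(-,root,root,-)` under `%files rule-playbooks` is the default in current rpm and can be dropped.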