diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch index 77ce1fd..c5b8d9a 100644 --- a/SOURCES/disable-not-in-good-shape-profiles.patch +++ b/SOURCES/disable-not-in-good-shape-profiles.patch @@ -1,11 +1,5 @@ -commit 16a2f8d544019197b76aa572843a2f2dec390a8c -Author: Gabriel Becker -Date: Wed Sep 22 14:32:48 2021 +0200 - - Disable profiles that are not in good shape for products/rhel8 - -diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt -index f0ce1eb..f1beaa2 100644 +diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt +index d61689c97..5e444a101 100644 --- a/products/rhel8/CMakeLists.txt +++ b/products/rhel8/CMakeLists.txt @@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") @@ -24,8 +18,8 @@ index f0ce1eb..f1beaa2 100644 ssg_build_html_cce_table(${PRODUCT}) ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) -diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile -index 1bd6df6..adeae4a 100644 +diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile +index 035d2705b..c6475f33e 100644 --- a/products/rhel8/profiles/cjis.profile +++ b/products/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ @@ -34,8 +28,8 @@ index 1bd6df6..adeae4a 100644 metadata: version: 5.4 -diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile -index 15abd98..d76bb38 100644 +diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile +index c84579592..164ec98c4 100644 --- a/products/rhel8/profiles/rht-ccp.profile +++ b/products/rhel8/profiles/rht-ccp.profile @@ -1,4 +1,4 @@ @@ -44,8 +38,8 @@ index 15abd98..d76bb38 100644 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' -diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile -index a63ae2c..da669bb 100644 +diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile +index a63ae2cf3..da669bb84 100644 --- a/products/rhel8/profiles/standard.profile +++ b/products/rhel8/profiles/standard.profile @@ -1,4 +1,4 @@ @@ -54,3 +48,6 @@ index a63ae2c..da669bb 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' +-- +2.26.2 + diff --git a/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch b/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch deleted file mode 100644 index 20798b2..0000000 --- a/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch +++ /dev/null @@ -1,20 +0,0 @@ -commit a402f160639d830490d243609a1d8fbf8f802f23 -Author: Gabriel Becker -Date: Fri Oct 8 11:44:04 2021 +0200 - - Revert "Remove RHEL>7 prodtypes from docker-related rules" - - This reverts commit 6343a61c9966bd54326b2bfbdeb95f9bb7107f9b. - -diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml -index 4b8538b9d0..77a046fae2 100644 ---- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml -+++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml -@@ -1,6 +1,6 @@ - documentation_complete: true - --prodtype: rhel7 -+prodtype: rhel7,rhel8 - - title: 'Ensure SELinux support is enabled in Docker' - diff --git a/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch b/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch deleted file mode 100644 index 17674c0..0000000 --- a/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 272b1bb81fa0bb80be77ba23d4cb91ad36965520 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= -Date: Tue, 20 Jul 2021 09:03:23 +0200 -Subject: [PATCH] Set package_rear_installed to notapplicable on s390x - -Resolves: RHBZ#1958939 ---- - .../software/system-tools/package_rear_installed/rule.yml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -index 2396f5bb118..077a56c1ffb 100644 ---- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -+++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml -@@ -22,6 +22,8 @@ ocil_clause: 'the package is not installed' - - ocil: '{{{ ocil_package(package="rear") }}}' - -+platform: not_s390x_arch -+ - template: - name: package_installed - vars: diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index c8e3087..3d79e8e 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -5,7 +5,7 @@ Name: scap-security-guide Version: 0.1.57 -Release: 3%{?dist} +Release: 5%{?dist} Summary: Security guidance and baselines in SCAP formats License: BSD-3-Clause Group: Applications/System @@ -74,8 +74,6 @@ Patch53: scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch Patch54: scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch Patch55: scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch Patch56: scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch -Patch57: revert_docker_selinux_enabled_to_rhel8.patch -Patch58: scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch BuildRequires: libxslt BuildRequires: expat @@ -96,11 +94,11 @@ system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy -requirements and specific implementation guidelines. The Red Hat Enterprise -Linux 8 system administrator can use the oscap CLI tool from openscap-scanner -package, or the scap-workbench GUI tool from scap-workbench package to verify -that the system conforms to provided guideline. Refer to scap-security-guide(8) -manual page for further information. +requirements and specific implementation guidelines. The system +administrator can use the oscap CLI tool from openscap-scanner package, or the +scap-workbench GUI tool from scap-workbench package to verify that the system +conforms to provided guideline. Refer to scap-security-guide(8) manual page for +further information. %package doc Summary: HTML formatted security guides generated from XCCDF benchmarks @@ -112,6 +110,16 @@ The %{name}-doc package contains HTML formatted documents containing hardening guidances that have been generated from XCCDF benchmarks present in %{name} package. +%if ( %{defined rhel} && (! %{defined centos}) ) +%package rule-playbooks +Summary: Ansible playbooks per each rule. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description rule-playbooks +The %{name}-rule-playbooks package contains individual ansible playbooks per rule. +%endif + %prep %autosetup -p1 -b1 @@ -130,6 +138,9 @@ cd build -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ %endif -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ +%if ( %{defined rhel} && (! %{defined centos}) ) +-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \ +%endif ../ %cmake_build @@ -151,26 +162,51 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name %doc %{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/README.md %doc %{_docdir}/%{name}/Contributors.md +%if ( %{defined rhel} && (! %{defined centos}) ) +%exclude %{_datadir}/%{name}/ansible/rule_playbooks +%endif %files doc %doc %{_docdir}/%{name}/guides/*.html %doc %{_docdir}/%{name}/tables/*.html +%if ( %{defined rhel} && (! %{defined centos}) ) +%files rule-playbooks +%defattr(-,root,root,-) +%{_datadir}/%{name}/ansible/rule_playbooks +%endif + %changelog -* Wed Oct 13 2021 Gabriel Becker - 0.1.57-3 -- Reintroduce docker_selinux_enabled rule to RHEL8. -- Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553) +* Thu Sep 02 2021 Matej Tyc - 0.1.57-5 +- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423). -* Tue Oct 05 2021 Gabriel Becker - 0.1.57-2 -- Remove ansible playbooks per rule generation. +* Tue Aug 24 2021 Gabriel Becker - 0.1.57-4 +- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197) -* Fri Sep 17 2021 Gabriel Becker - 0.1.57-1 -- Update to the latest upstream release (RHBZ#1997634) -- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634) -- Enable RHEL8 STIG with GUI profile (RHBZ#2005431) -- Enable the ISM profile (RHBZ#2005891) -- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427) -- Enable ANSSI High Profile (RHBZ#2005429) +* Mon Aug 23 2021 Gabriel Becker - 0.1.57-3 +- Fix remaining audit rules file permissions (RHBZ#1993056) +- Mark a STIG service rule as machine only (RHBZ#1993056) +- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577) + +* Fri Aug 20 2021 Marcus Burghardt - 0.1.57-2 +- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179) +- Include tests for Ansible Playbooks that remove and reintroduce files. +- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) +- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483) +- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197) +- Add Kickstart files for ISM profile (RHBZ#1955373) +- Fix broken RHEL7 documentation links (RHBZ#1966577) + +* Fri Jul 30 2021 Matej Tyc - 0.1.57-1 +- Update to the latest upstream release (RHBZ#1966577) +- Enable the ISM profile. + +* Tue Jun 8 2021 Gabriel Becker - 0.1.56-2 +- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604) + +* Tue Jun 01 2021 Watson Sato - 0.1.56-1 +- Update to the latest upstream release (RHBZ#1966577) +- Add ANSSI High Profile (RHBZ#1955183) * Wed Feb 17 2021 Watson Sato - 0.1.54-5 - Remove Kickstart for not shipped profile (RHBZ#1778188)