import scap-security-guide-0.1.57-5.el8

2021-11-09 04:58:29 -05:00 · 2021-11-09 04:58:29 -05:00 · da76cca84d
commit da76cca84d
parent 38497d8b9b
4 changed files with 67 additions and 77 deletions
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@ -1,11 +1,5 @@
-commit 16a2f8d544019197b76aa572843a2f2dec390a8c
+diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
-Author: Gabriel Becker <ggasparb@redhat.com>
+index d61689c97..5e444a101 100644
 Date:   Wed Sep 22 14:32:48 2021 +0200
    Disable profiles that are not in good shape for products/rhel8
 diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
 index f0ce1eb..f1beaa2 100644
 --- a/products/rhel8/CMakeLists.txt
 +++ b/products/rhel8/CMakeLists.txt
@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
@ -24,8 +18,8 @@ index f0ce1eb..f1beaa2 100644
 ssg_build_html_cce_table(${PRODUCT})
 ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
-diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
+diff --git a/products/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
-index 1bd6df6..adeae4a 100644
+index 035d2705b..c6475f33e 100644
 --- a/products/rhel8/profiles/cjis.profile
 +++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
@ -34,8 +28,8 @@ index 1bd6df6..adeae4a 100644
 metadata:
     version: 5.4
-diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
-index 15abd98..d76bb38 100644
+index c84579592..164ec98c4 100644
 --- a/products/rhel8/profiles/rht-ccp.profile
 +++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
@ -44,8 +38,8 @@ index 15abd98..d76bb38 100644
 title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
-diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
+diff --git a/products/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
-index a63ae2c..da669bb 100644
+index a63ae2cf3..da669bb84 100644
 --- a/products/rhel8/profiles/standard.profile
 +++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
@ -54,3 +48,6 @@ index a63ae2c..da669bb 100644
 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
 -- 
 2.26.2
--- a/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch
+++ b/SOURCES/revert_docker_selinux_enabled_to_rhel8.patch
@ -1,20 +0,0 @@
 commit a402f160639d830490d243609a1d8fbf8f802f23
 Author: Gabriel Becker <ggasparb@redhat.com>
 Date:   Fri Oct 8 11:44:04 2021 +0200
    Revert "Remove RHEL>7 prodtypes from docker-related rules"
    This reverts commit 6343a61c9966bd54326b2bfbdeb95f9bb7107f9b.
 diff --git a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
 index 4b8538b9d0..77a046fae2 100644
 --- a/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
 +++ b/linux_os/guide/services/docker/docker_selinux_enabled/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 -prodtype: rhel7
 +prodtype: rhel7,rhel8
 title: 'Ensure SELinux support is enabled in Docker'
--- a/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
+++ b/SOURCES/scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
@ -1,23 +0,0 @@
 From 272b1bb81fa0bb80be77ba23d4cb91ad36965520 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
 Date: Tue, 20 Jul 2021 09:03:23 +0200
 Subject: [PATCH] Set package_rear_installed to notapplicable on s390x
 Resolves: RHBZ#1958939
 ---
 .../software/system-tools/package_rear_installed/rule.yml       | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
 index 2396f5bb118..077a56c1ffb 100644
 --- a/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
 +++ b/linux_os/guide/system/software/system-tools/package_rear_installed/rule.yml
@@ -22,6 +22,8 @@ ocil_clause: 'the package is not installed'
 ocil: '{{{ ocil_package(package="rear") }}}'
 +platform: not_s390x_arch
 +
 template:
     name: package_installed
     vars:
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@ -5,7 +5,7 @@
 Name:		scap-security-guide
 Version:	0.1.57
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 License:	BSD-3-Clause
 Group:		Applications/System
@ -74,8 +74,6 @@ Patch53:		scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
 Patch54:		scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
 Patch55:		scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
 Patch56:		scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
 Patch57:		revert_docker_selinux_enabled_to_rhel8.patch
 Patch58:		scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch
 BuildRequires:	libxslt
 BuildRequires:	expat
@ -96,11 +94,11 @@ system from the final system's security point of view. The guidance is specified
 in the Security Content Automation Protocol (SCAP) format and constitutes
 a catalog of practical hardening advice, linked to government requirements
 where applicable. The project bridges the gap between generalized policy
-requirements and specific implementation guidelines. The Red Hat Enterprise
+requirements and specific implementation guidelines. The system
-Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
+administrator can use the oscap CLI tool from openscap-scanner package, or the
-package, or the scap-workbench GUI tool from scap-workbench package to verify
+scap-workbench GUI tool from scap-workbench package to verify that the system
-that the system conforms to provided guideline. Refer to scap-security-guide(8)
+conforms to provided guideline. Refer to scap-security-guide(8) manual page for
-manual page for further information.
+further information.
 %package	doc
 Summary:	HTML formatted security guides generated from XCCDF benchmarks
@ -112,6 +110,16 @@ The %{name}-doc package contains HTML formatted documents containing
 hardening guidances that have been generated from XCCDF benchmarks
 present in %{name} package.
 %if ( %{defined rhel} && (! %{defined centos}) )
 %package	rule-playbooks
 Summary:	Ansible playbooks per each rule.
 Group:		System Environment/Base
 Requires:	%{name} = %{version}-%{release}
 %description	rule-playbooks
 The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
 %endif
 %prep
 %autosetup -p1 -b1
@ -130,6 +138,9 @@ cd build
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
 %endif
 -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
 %if ( %{defined rhel} && (! %{defined centos}) )
 -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
 %endif
 ../
 %cmake_build
@ -151,26 +162,51 @@ cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name
 %doc %{_docdir}/%{name}/LICENSE
 %doc %{_docdir}/%{name}/README.md
 %doc %{_docdir}/%{name}/Contributors.md
 %if ( %{defined rhel} && (! %{defined centos}) )
 %exclude %{_datadir}/%{name}/ansible/rule_playbooks
 %endif
 %files doc
 %doc %{_docdir}/%{name}/guides/*.html
 %doc %{_docdir}/%{name}/tables/*.html
 %if ( %{defined rhel} && (! %{defined centos}) )
 %files rule-playbooks
 %defattr(-,root,root,-)
 %{_datadir}/%{name}/ansible/rule_playbooks
 %endif
 %changelog
-* Wed Oct 13 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
+* Thu Sep 02 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Reintroduce docker_selinux_enabled rule to RHEL8.
+- Add USB HID rules to the ISM profile, so it is usable after the installation (RHBZ#1999423).
 - Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553)
-* Tue Oct 05 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
+* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
- Remove ansible playbooks per rule generation.
+- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
-* Fri Sep 17 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-1
+* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Update to the latest upstream release (RHBZ#1997634)
+- Fix remaining audit rules file permissions (RHBZ#1993056)
- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634)
+- Mark a STIG service rule as machine only (RHBZ#1993056)
- Enable RHEL8 STIG with GUI profile (RHBZ#2005431)
+- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
- Enable the ISM profile (RHBZ#2005891)
+
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427)
+* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
- Enable ANSSI High Profile (RHBZ#2005429)
+- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
 - Include tests for Ansible Playbooks that remove and reintroduce files.
 - Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) 
 - Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
 - Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
 - Add Kickstart files for ISM profile (RHBZ#1955373)
 - Fix broken RHEL7 documentation links (RHBZ#1966577)
 * Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
 - Update to the latest upstream release (RHBZ#1966577)
 - Enable the ISM profile.
 * Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
 - Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
 * Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
 - Update to the latest upstream release (RHBZ#1966577)
 - Add ANSSI High Profile (RHBZ#1955183)
 * Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
 - Remove Kickstart for not shipped profile (RHBZ#1778188)