From e82ed5a6245eb2a9f42db1f9127dd7c12cb8e37d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 18 Jul 2022 10:29:51 +0200
Subject: [PATCH] remove sysctl_fs_protected_* rules from rhel9 ospp

Resolves: rhbz#2081719
---
 ...ove_sysctl_proteced_fs_rules-PR_9081.patch | 30 +++++++++++++++++++
 scap-security-guide.spec | 7 ++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch

diff --git a/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch b/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
new file mode 100644
index 0000000..271f117
--- /dev/null
+++ b/scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
@@ -0,0 +1,30 @@
+From 5b0ff05c2377a8a8a5ef13d34fc71ce0587ed6df Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Fri, 1 Jul 2022 13:04:48 +0200
+Subject: [PATCH] Remove sysctl_fs_protected_* rules from RHEL 9 OSPP
+
+The sysctl_fs_protected_hardlinks and sysctl_fs_protected_symlinks rules
+reenforce the RHEL 9 default value. While that protection is useful,
+there is no specific OSPP SFR or other reason for the SCAP rules in the
+OSPP profile.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2081719
+---
+ products/rhel9/profiles/ospp.profile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
+index 1fad0031749..5536dd7b2b6 100644
+--- a/products/rhel9/profiles/ospp.profile
++++ b/products/rhel9/profiles/ospp.profile
+@@ -141,10 +141,6 @@ selections:
+ - sysctl_net_core_bpf_jit_harden
+ - service_kdump_disabled
+
+- ## File System Settings
+- - sysctl_fs_protected_hardlinks
+- - sysctl_fs_protected_symlinks
+-
+ ### Audit
+ - service_auditd_enabled
+ - var_auditd_flush=incremental_async
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index fbaf46f..a178f78 100644
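Review bot: The backported hunk `@@ -141,10 +141,6 @@ selections:` was generated against upstream after the 0.1.62 release (the file name itself says 0.1.63), so it is not certain that it applies at the same line numbers in the 0.1.62 tarball's `products/rhel9/profiles/ospp.profile`; the build log should be checked for the patch applying with no offset or fuzz, since a fuzzed or rejected apply is the usual way a backport silently does nothing. The removed selections only drop the OSPP checks for `fs.protected_hardlinks` and `fs.protected_symlinks`, which the embedded commit message describes as matching the RHEL 9 default; after this change a system where those sysctls were turned off would no longer fail or be remediated by the OSPP profile, which is the intended trade-off per the upstream message but is worth stating in the package changelog so consumers of the profile are not surprised. The `proteced` misspelling in the file name is carried consistently into the spec's `Patch0:` line, so it is harmless, but it will make the file harder to find by searching for "protected".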
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -6,7 +6,7 @@
 Name: scap-security-guide
 Version: 0.1.62
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Security guidance and baselines in SCAP formats
 License: BSD-3-Clause
 URL: https://github.com/ComplianceAsCode/content/
@@ -24,6 +24,8 @@ BuildRequires: python%{python3_pkgversion}-jinja2
 BuildRequires: python%{python3_pkgversion}-PyYAML
 Requires: xml-common, openscap-scanner >= 1.2.5
 
+Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
+
 %description
 The scap-security-guide project provides a guide for configuration of the
 system from the final system's security point of view. The guidance is specified
@@ -98,6 +100,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
 %endif
 
 %changelog
+* Mon Jul 18 2022 Vojtech Polasek - 0.1.62-2
+- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+
 * Wed Jun 01 2022 Matej Tyc - 0.1.62-1
 - Rebase to a new upstream release (RHBZ#2070563)
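Review bot: The `@@ -24,6 +24,8 @@` hunk declares `Patch0:` but nothing in the diff touches `%prep`, and the spec had no patches before this commit; if `%prep` uses a bare `%setup -q` rather than `%autosetup -p1`, the patch is never applied and the package would ship the unchanged OSPP profile while the changelog entry claims the fix. Please confirm `%prep` applies it (adding `%patch0 -p1` after `%setup -q` if it does not), and ideally verify by checking `%{buildroot}` for the absence of the two removed selections. A short comment above the new line, such as `# Backport of upstream PR 9081 (post-0.1.62 fix for RHBZ#2081719); drop on rebase to 0.1.63`, would explain why a 0.1.63-named patch sits in a 0.1.62 package and tell the next maintainer when it can be removed.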