remove sysctl_fs_protected_* rules from rhel9 ospp

Resolves: rhbz#2081719
Vojtech Polasek 2022-07-18 10:29:51 +02:00
parent 2ffa1e068f
commit e82ed5a624
2 changed files with 36 additions and 1 deletions

@ -0,0 +1,30 @@
From 5b0ff05c2377a8a8a5ef13d34fc71ce0587ed6df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 1 Jul 2022 13:04:48 +0200
Subject: [PATCH] Remove sysctl_fs_protected_* rules from RHEL 9 OSPP
The sysctl_fs_protected_hardlinks and sysctl_fs_protected_symlinks rules
reenforce the RHEL 9 default value. While that protection is useful,
there is no specific OSPP SFR or other reason for the SCAP rules in the
OSPP profile.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2081719
---
products/rhel9/profiles/ospp.profile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 1fad0031749..5536dd7b2b6 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -141,10 +141,6 @@ selections:
- sysctl_net_core_bpf_jit_harden
- service_kdump_disabled
- ## File System Settings
- - sysctl_fs_protected_hardlinks
- - sysctl_fs_protected_symlinks
-
### Audit
- service_auditd_enabled
- var_auditd_flush=incremental_async
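Review bot: With the two selections removed at `@@ -141,10 +141,6 @@`, the RHEL 9 OSPP profile no longer checks or remediates `fs.protected_hardlinks` and `fs.protected_symlinks`, so a host where the default has been changed will pass an OSPP scan without a finding. The patch description itself calls the protection useful and justifies the removal only by the absence of an OSPP SFR; it would help to say in the description, or in the bug, whether another RHEL 9 profile still selects `sysctl_fs_protected_hardlinks` and `sysctl_fs_protected_symlinks`, so that reviewers can see the settings stay covered somewhere. Minor: "reenforce" in the description should read "reinforce" or "re-enforce".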

@ -6,7 +6,7 @@
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.62 Version: 0.1.62
Release: 1%{?dist} Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
@ -24,6 +24,8 @@ BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5 Requires: xml-common, openscap-scanner >= 1.2.5
Patch0: scap-security-guide-0.1.63-remove_sysctl_proteced_fs_rules-PR_9081.patch
%description %description
The scap-security-guide project provides a guide for configuration of the The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified system from the final system's security point of view. The guidance is specified
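Review bot: The new `Patch0:` line declares the patch, but none of the hunks shown in this spec file touch `%prep`, so please confirm that `%prep` already applies patches automatically (for example through `%autosetup -p1`); if it does not, a `%patch0 -p1` line is needed or the profile change never reaches the built content. The file name also deserves a second look: it says `0.1.63` while `Version:` is `0.1.62`, and `proteced` is misspelled. If `0.1.63` is meant as the upstream release that carries the fix, a short comment above `Patch0:` would make that clear; the spelling is best fixed now, before the name is referenced elsewhere.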
@ -98,6 +100,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif %endif
%changelog %changelog
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563) - Rebase to a new upstream release (RHBZ#2070563)