Commit Graph

54 Commits

Author SHA1 Message Date
Marcus Burghardt
c171f5d9dd Rebase to new upstream version 0.1.72
Resolves: RHEL-21425
Resolves: RHEL-14484
Resolves: RHEL-1484
Resolves: RHEL-17417
Resolves: RHEL-1489
Resolves: RHEL-16801
Resolves: RHEL-17418
2024-02-13 13:11:57 +01:00
Jan Černý
047fb57760 Align STIG profile with official DISA STIG for RHEL 9
Resolves: RHEL-1807
2023-12-06 10:38:09 +01:00
Jan Černý
70a32329b3 Update STIG and ANSSI for RHEL 9.3
- Remove OpenSSH crypto policy hardening rules from STIG profile
- Fix ANSSI High profile with secure boot

Resolves: rhbz#2221697
2023-08-17 13:38:26 +02:00
Jan Černý
611c1d3d69 Rebase to new upstream version 0.1.69
Resolves: rhbz#2221697
Resolves: rhbz#2209657
Resolves: rhbz#2211511
Resolves: rhbz#2172555
Resolves: rhbz#2223178
Resolves: rhbz#2155790
Resolves: rhbz#2193169
Resolves: rhbz#2203791
Resolves: rhbz#2213958
Resolves: rhbz#2060028
2023-08-10 10:43:42 +02:00
Watson Sato
5e6a5eeb83 Add rsyslog rainer support and rebase fixes
Resolves: rhbz#2169443
Resolves: rhbz#2169441
Resolves: rhbz#2169445
2023-02-13 17:52:36 +01:00
Watson Sato
b734798dc6 Rebase to a new upstream version 0.1.66
Resolves: rhbz#2169443
Resolves: rhbz#2169441
2023-02-13 17:45:04 +01:00
Gabriel Becker
fabf824399 OSPP: fix rule related to coredump.
Resolves: RHBZ#2081688
2022-08-25 17:28:44 +02:00
Vojtech Polasek
3453b75d6f use sysctl_kernel_core_pattern instead of sysctl_kernel_core_pattern_empty_strin in RHEL9 OSPP
Resolves: rhbz#2081688
2022-08-23 17:10:35 +02:00
Matej Tyc
037ebbc98f Readd rules to the benchmark
to be compatible across all minor versions of RHEL9

Resolves: rhbz#2117669
2022-08-11 17:19:26 +02:00
Vojtech Polasek
34b3a0af53 apply updates related to RHEL9 OSPP profile
Resolves: rhbz#1998583
Resolves: rhbz#2081688
Resolves: rhbz#2081728
Resolves: rhbz#2092799
Resolves: rhbz#2108569
Resolves: rhbz#2114979
2022-08-10 14:39:57 +02:00
Vojtech Polasek
14378e5ed6 rebase to upstream version 0.1.63
Resolves: rhbz#2070563
Resolves: rhbz#2108158
Resolves: rhbz#2108167
Resolves: rhbz#2108173
Resolves: rhbz#2108224
Resolves: rhbz#2108226
Resolves: rhbz#2109984
Resolves: rhbz#2109992
Resolves: rhbz#2109994
Resolves: rhbz#2110347
Resolves: rhbz#2110350
2022-08-01 11:25:54 +02:00
Vojtech Polasek
17023b428c make rule stricter when checking for fips crypto-policies
Resolves: rhbz#2057082
2022-07-18 15:27:25 +02:00
Vojtech Polasek
5d949040cc remove rules related to NIS services
Resolves: rhbz#2096602
2022-07-18 15:27:25 +02:00
Vojtech Polasek
7856efa997 remove sshd_enable_strictmodes from ospp
Resolves: rhbz#2105278
2022-07-18 15:27:25 +02:00
Vojtech Polasek
e5303b05ff remove rules related to remote logging from RHEL9 OSPP
Resolves: rhbz#2105016
2022-07-18 15:27:25 +02:00
Vojtech Polasek
38ee77d936 remove rule accounts_password_minlen_login_defs from all profiles
Resolves: rhbz#2073040
2022-07-18 15:27:25 +02:00
Vojtech Polasek
11b3fb7bd6 add rules to check that systemd.debug-shell argument is absent from boot command line
Resolves: rhbz#2092840
2022-07-18 15:27:25 +02:00
Vojtech Polasek
2838eb99d0 add new rule to check only for grub2 recovery disabled to RHEL9 OSPP
Resolves: rhbz#2092809
2022-07-18 15:27:25 +02:00
Vojtech Polasek
71a4d79910 remove network-related sysctl rules from rhel9 ospp
Resolves: rhbz#2081708
2022-07-18 15:27:25 +02:00
Vojtech Polasek
3c0a847089 make sysctl_user_max_user_namespaces enforcing in RHEL9 OSPP
Resolves: rhbz#2083716
2022-07-18 15:27:25 +02:00
Vojtech Polasek
ac5b9ee8a7 drop zipl_vsyscall_argument from OSPP profiles
Resolves: rhbz#2060049
2022-07-18 15:27:25 +02:00
Vojtech Polasek
b76ea12151 make audit_access_success unenforcing for rhel9 ospp
Resolves: rhbz#2058154
2022-07-18 15:27:04 +02:00
Vojtech Polasek
e82ed5a624 remove sysctl_fs_protected_* rules from rhel9 ospp
Resolves: rhbz#2081719
2022-07-18 10:29:51 +02:00
Matej Tyc
2ffa1e068f Rebase to 0.1.62
Resolves: rhbz#2070563
2022-06-01 11:36:32 +02:00
Gabriel Becker
71131794a9 Update rule enable_fips_mode to check only for technical state.
Resolves: rhbz#2057457
2022-02-23 14:49:52 +01:00
Gabriel Becker
517528cda1 Fix issue with getting STIG items in create_scap_delta_tailoring.py.
Resolves: rhbz#2014561
2022-02-23 14:49:49 +01:00
Gabriel Becker
3afe98eab5 Remove tmux process running check in configure_bashrc_exec_tmux.
Resolves: rhbz#2056847
2022-02-23 14:49:09 +01:00
Watson Sato
1dd162f258 Add page_alloc.shuffle rules for OSPP profile
Resolves: rhbz#2055118
2022-02-16 16:42:13 +01:00
Watson Sato
fb47aa3e38 Update description of OSPP profile
Resolves: rhbz#2045386
2022-02-16 12:39:50 +01:00
Watson Sato
5145dcab43 Fix fatal errors on Ansible service disabled tasks
Resolves: rhbz#2014561
2022-02-15 19:10:19 +01:00
Gabriel Becker
cd3b90bce2 Updates to RHEL-9.0.0 content
Update sudoers rules in RHEL8 STIG V1R5
Add missing SRG references in RHEL8 STIG V1R5 rules
Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives
Fix GRUB2 rule template to configure the module correctly on RHEL8
Update GRUB2 rule descriptions
Make package_rear_installed not applicable on AARCH64

Resolves: rhbz#2045403
Resolves: rhbz#2014561
Resolves: rhbz#2020623
2022-02-14 19:24:32 +01:00
Watson Sato
9887c6a84e Update OSPP Profile
Resolves: rhbz#2016038
Resolves: rhbz#2043036
Resolves: rhbz#2020670
Resolves: rhbz#2046289
2022-02-11 22:37:28 +01:00
Watson Sato
a44269807e Rebase to the 0.1.60 upstream version
Resolves: rhbz#2014561
2022-01-27 17:21:52 +01:00
Gabriel Becker
21b368fa76 Enable Centos Stream 9 content
Resolves: rhbz#2021284
2021-12-15 14:31:02 +01:00
Gabriel Becker
24b45263d8 Rebase to the 0.1.59 upstream version
Resolves: rhbz#2014561
2021-12-15 14:29:01 +01:00
Matej Tyc
8449267905 Rebase to the 0.1.58 upstream version
Resolves: rhbz#2014561
2021-11-08 11:14:49 +01:00
Matej Tyc
30760905b3 Fix remediations applicability of zipl rules
Resolves: rhbz#1996847
2021-08-25 14:24:09 +02:00
Matej Tyc
bd64402d52 Fix a broken HTTP link, add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
Resolves: rhbz#1962564
2021-08-24 17:14:29 +02:00
Matej Tyc
c9032c1d61 Deliver numerous RHEL9 fixes to rules
Deliver ISM kickstarts

Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
Resolves: rhbz#1978290
2021-08-20 09:41:48 +02:00
Matej Tyc
cae8e44f84 Use SSHD directory configuration
Resolves: rhbz#1962564
2021-08-19 16:40:55 +02:00
Mohan Boddu
1f83058625 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-10 00:47:35 +00:00
Matej Tyc
dac4498bd5 Rebase to a new upstream release
Resolves: rhbz#1962564
2021-07-29 18:03:43 +02:00
Matus Marhefka
d304e27197 Add kickstarts in %files section
Kickstarts are already available in the upstream
and we need them in `%files` section in order to
create a test build from upstream.

Resolves: rhbz#1962564
2021-07-19 09:30:39 +02:00
Matej Tyc
ffdbed0b4e Fix earlier omissions
Fix cmake options listing - all options have to have trailing backslashes except the last one.
Port a PR that implements support for per-rule playbooks.

Resolves: rhbz#1962564
2021-07-09 12:19:13 +02:00
Matej Tyc
a300600b35 Port 8.5 changes to the package to RHEL9
Also deal with missing CCE issues.

Resolves: rhbz#1962564
2021-07-09 11:23:22 +02:00
Matej Tyc
5f5226d27a Ported more rules and profiles to RHEL9
Resolves: rhbz#1962564
2021-07-02 10:47:13 +02:00
Jan Černý
449d853fce First release of SSG for RHEL9
- rebase the package to the latest upstream release (0.1.56)
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase

Resolves: rhbz#1962564
2021-06-03 10:58:04 +02:00
Mohan Boddu
c48b2c6da0 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 05:33:22 +00:00
DistroBaker
d6d729cb9f Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/scap-security-guide.git#21f968f5122fa835fd6f720c7086eb99a350453c
2021-02-12 10:00:24 +00:00
Matus Marhefka
7eff8e155c Define _vpath_builddir macro as build
SSG build system and tests count with build directory name build.
For more details see:
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
2021-02-11 15:57:54 +01:00