Compare commits

...

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

7 changed files with 429 additions and 62 deletions

3
.gitignore vendored
View File

@ -1,3 +1,2 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
SOURCES/scap-security-guide-0.1.74.tar.bz2
SOURCES/scap-security-guide-0.1.69.tar.bz2

View File

@ -1,3 +1,2 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2

View File

@ -0,0 +1,61 @@
From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 6 Feb 2023 14:44:17 +0100
Subject: [PATCH] Disable profiles not in good shape
Patch-name: disable-not-in-good-shape-profiles.patch
Patch-id: 0
Patch-status: |
Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
---
products/rhel8/CMakeLists.txt | 1 -
products/rhel8/profiles/cjis.profile | 2 +-
products/rhel8/profiles/rht-ccp.profile | 2 +-
products/rhel8/profiles/standard.profile | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
index 9c044b68ab..8f6ca03de8 100644
--- a/products/rhel8/CMakeLists.txt
+++ b/products/rhel8/CMakeLists.txt
@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
index 22ae5aac72..f60b65bc06 100644
--- a/products/rhel8/profiles/cjis.profile
+++ b/products/rhel8/profiles/cjis.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
metadata:
version: 5.4
diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
index b192461f95..ae1e7d5a15 100644
--- a/products/rhel8/profiles/rht-ccp.profile
+++ b/products/rhel8/profiles/rht-ccp.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
index a63ae2cf32..da669bb843 100644
--- a/products/rhel8/profiles/standard.profile
+++ b/products/rhel8/profiles/standard.profile
@@ -1,4 +1,4 @@
-documentation_complete: true
+documentation_complete: false
title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
--
2.39.1

View File

@ -0,0 +1,52 @@
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 8 Aug 2023 15:15:21 +0200
Subject: [PATCH] Remove kernel cmdline check
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.
We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.
Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
@@ -57,19 +55,6 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
- check="all" check_existence="all_exist"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:variable_test id="test_system_crypto_policy_value" version="1"
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />

View File

@ -0,0 +1,272 @@
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:02:08 +0200
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
This commit only improves readability without any technical impact in
the OVAL logic.
---
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
1 file changed, 50 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
<def-group>
- <definition class="compliance" id="enable_fips_mode" version="1">
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+ <extend_definition definition_ref="etc_system_fips_exists"
+ comment="check /etc/system-fips exists"/>
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
+ comment="check sysctl crypto.fips_enabled = 1"/>
+ <extend_definition definition_ref="enable_dracut_fips_module"
+ comment="Dracut FIPS module is enabled"/>
+ <extend_definition definition_ref="configure_crypto_policy"
+ comment="system cryptography policy is configured"/>
+ <criterion test_ref="test_system_crypto_policy_value"
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
- <extend_definition comment="Generic test for s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for s390x architecture"/>
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
- <extend_definition comment="Generic test for NOT s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for NOT s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
- test_ref="test_grubenv_fips_mode" />
+ <criterion test_ref="test_grubenv_fips_mode"
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -34,58 +40,71 @@
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
- check="all" check_existence="all_exist" version="1">
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
- check="all" check_existence="all_exist" version="1">
+
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
+
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
{{%- endif %}}
</ind:variable_state>
+
{{% if product in ["ol8","rhel8"] %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
- comment="Fips mode selected in running kernel opts" version="1">
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
+ check="all" check_existence="all_exist"
+ comment="Fips mode selected in running kernel opts">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
- version="1">
+
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">fips=1</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+
+ <external_variable id="var_system_crypto_policy" version="1"
+ datatype="string" comment="defined crypto policy"/>
</def-group>
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:20:33 +0200
Subject: [PATCH 2/2] Improve OVAL comments for better readability
Simplified the comments and aligned the respective lines to the
project Style Guides.
---
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
<extend_definition definition_ref="etc_system_fips_exists"
- comment="check /etc/system-fips exists"/>
+ comment="check /etc/system-fips file existence"/>
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
- comment="check sysctl crypto.fips_enabled = 1"/>
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
<extend_definition definition_ref="enable_dracut_fips_module"
- comment="Dracut FIPS module is enabled"/>
+ comment="dracut FIPS module is enabled"/>
<extend_definition definition_ref="configure_crypto_policy"
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for s390x architecture"/>
+ comment="generic test for s390x architecture"/>
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for NOT s390x architecture"/>
+ comment="generic test for non-s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion test_ref="test_grubenv_fips_mode"
comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -42,7 +42,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
</ind:textfilecontent54_object>
<ind:variable_test id="test_system_crypto_policy_value" version="1"
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
@@ -81,7 +81,8 @@
</ind:variable_object>
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
+to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
@@ -94,7 +95,7 @@
{{% if product in ["ol8","rhel8"] %}}
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
check="all" check_existence="all_exist"
- comment="Fips mode selected in running kernel opts">
+ comment="FIPS mode is selected in running kernel options">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
{{% endif %}}
<external_variable id="var_system_crypto_policy" version="1"
- datatype="string" comment="defined crypto policy"/>
+ datatype="string" comment="variable which selects the crypto policy"/>
</def-group>

View File

@ -0,0 +1,30 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'

View File

@ -1,14 +1,12 @@
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# Base name of static rhel7 content tarball
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.74
Release: 3%{?dist}
Version: 0.1.69
Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
@ -16,8 +14,13 @@ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Include tarball with last released rhel7 content
Source2: %{_static_rhel7_content}.tar.bz2
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
# Fix rule enable_fips_mode
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch
BuildArch: noarch
@ -25,7 +28,8 @@ BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
BuildRequires: python3-devel
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
@ -66,7 +70,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%endif
%prep
%setup -q -b1 -b2
%autosetup -p1 -b1
%build
mkdir -p build
@ -98,16 +102,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
# Manually install pre-built rhel7 content
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
# this is for backward compatibility
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
@ -133,46 +127,6 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo
%endif
%changelog
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
- fix build
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
- include RHEL 7 artifacts from the last RHEL 7 build
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
- Switch gating to tmt plan (RHEL-43242)
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
- Fix file path identification in Rsyslog configuration (RHEL-17202)
- Use a correct chrony server address in STIG profile (RHEL-1814)
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
- Unlist profiles no longer maintained in RHEL8.
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
- Update PCI-DSS to v4 (RHEL-1808)
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
- remove problematic rule from ANSSI High profile (RHBZ#2221695)