Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,3 +1,2 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.74.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||
|
@ -1,3 +1,2 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2
|
||||
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
|
||||
|
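--- /dev/null
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -0,0 +1,61 @@
+From 746381a4070fc561651ad65ec0fe9610e8590781 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 6 Feb 2023 14:44:17 +0100
+Subject: [PATCH] Disable profiles not in good shape
+
+Patch-name: disable-not-in-good-shape-profiles.patch
+Patch-id: 0
+Patch-status: |
+Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
+---
+products/rhel8/CMakeLists.txt | 1 -
+products/rhel8/profiles/cjis.profile | 2 +-
+products/rhel8/profiles/rht-ccp.profile | 2 +-
+products/rhel8/profiles/standard.profile | 2 +-
+4 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/products/rhel8/CMakeLists.txt b/products/rhel8/CMakeLists.txt
+index 9c044b68ab..8f6ca03de8 100644
+--- a/products/rhel8/CMakeLists.txt
++++ b/products/rhel8/CMakeLists.txt
+@@ -10,7 +10,6 @@ ssg_build_product(${PRODUCT})
+ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
+
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-ospp" "${PRODUCT}" "ospp" "nist")
+-ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
+
+ssg_build_html_profile_table("table-${PRODUCT}-anssirefs-bp28_minimal" "${PRODUCT}" "anssi_bp28_minimal" "anssi")
+diff --git a/products/rhel8/profiles/cjis.profile b/products/rhel8/profiles/cjis.profile
+index 22ae5aac72..f60b65bc06 100644
+--- a/products/rhel8/profiles/cjis.profile
++++ b/products/rhel8/profiles/cjis.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+metadata:
+version: 5.4
+diff --git a/products/rhel8/profiles/rht-ccp.profile b/products/rhel8/profiles/rht-ccp.profile
+index b192461f95..ae1e7d5a15 100644
+--- a/products/rhel8/profiles/rht-ccp.profile
++++ b/products/rhel8/profiles/rht-ccp.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
+
+diff --git a/products/rhel8/profiles/standard.profile b/products/rhel8/profiles/standard.profile
+index a63ae2cf32..da669bb843 100644
+--- a/products/rhel8/profiles/standard.profile
++++ b/products/rhel8/profiles/standard.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+
+title: 'Standard System Security Profile for Red Hat Enterprise Linux 8'
+
+--
+2.39.1
+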
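Review bot: The patch header in this new file carries no upstream reference, so a maintainer rebasing the package cannot tell whether "Disable profiles not in good shape" was merged upstream or is a downstream-only carry; the other patches on this page either encode a PR number in their file name (the `PR_10911`, `PR_10961`, `PR_11001` names in the spec) or give a `Related to:` link in the body, as the enable_fips_mode patch does. I would add a line under `Patch-status:` such as `Related to: <UPSTREAM PR URL OR "downstream-only" - PLACEHOLDER>`. The `Patch-status` text also says only that the patch "prevents" the cjis, rht-ccp and standard profiles; since `documentation_complete: false` presumably drops those profile ids from the RHEL8 datastream entirely, stating that scans which select one of them by id will no longer find it would make the user-visible impact explicit for the changelog.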
@ -0,0 +1,52 @@
|
||||
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 8 Aug 2023 15:15:21 +0200
|
||||
Subject: [PATCH] Remove kernel cmdline check
|
||||
|
||||
The OVAL in rule enable_fips_mode contains multiple checks. One
|
||||
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
|
||||
Although this is useful for latest RHEL versions, this file doesn't
|
||||
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
|
||||
remediation on these RHEL versions.
|
||||
|
||||
We want the same OVAL behavior on all minor RHEL releases, therefore
|
||||
we will remove this test from the OVAL completely.
|
||||
|
||||
Related to: https://github.com/ComplianceAsCode/content/pull/10897
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
|
||||
1 file changed, 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 88aae7aaab9..3b50e07060e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -12,8 +12,6 @@
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
@@ -57,19 +55,6 @@
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
- check="all" check_existence="all_exist"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
- </ind:textfilecontent54_test>
|
||||
-
|
||||
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- </ind:textfilecontent54_object>
|
||||
-
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
@ -0,0 +1,272 @@
|
||||
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:02:08 +0200
|
||||
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
|
||||
|
||||
This commit only improves readability without any technical impact in
|
||||
the OVAL logic.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
|
||||
1 file changed, 50 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index fe3f96f52a5..0ec076a5fb7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -1,32 +1,38 @@
|
||||
<def-group>
|
||||
- <definition class="compliance" id="enable_fips_mode" version="1">
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
||||
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
||||
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
+ <extend_definition definition_ref="etc_system_fips_exists"
|
||||
+ comment="check /etc/system-fips exists"/>
|
||||
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
+ comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ <extend_definition definition_ref="enable_dracut_fips_module"
|
||||
+ comment="Dracut FIPS module is enabled"/>
|
||||
+ <extend_definition definition_ref="configure_crypto_policy"
|
||||
+ comment="system cryptography policy is configured"/>
|
||||
+ <criterion test_ref="test_system_crypto_policy_value"
|
||||
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="Generic test for s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for s390x architecture"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
- <extend_definition comment="Generic test for NOT s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for NOT s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
- test_ref="test_grubenv_fips_mode" />
|
||||
+ <criterion test_ref="test_grubenv_fips_mode"
|
||||
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -34,58 +40,71 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
|
||||
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
|
||||
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
+
|
||||
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
|
||||
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
|
||||
</ind:variable_object>
|
||||
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
|
||||
+
|
||||
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
|
||||
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
|
||||
{{%- endif %}}
|
||||
</ind:variable_state>
|
||||
+
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
|
||||
- comment="Fips mode selected in running kernel opts" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Fips mode selected in running kernel opts">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
|
||||
- version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
|
||||
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
|
||||
<ind:pattern operation="pattern match">fips=1</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
{{% endif %}}
|
||||
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
|
||||
+
|
||||
+ <external_variable id="var_system_crypto_policy" version="1"
|
||||
+ datatype="string" comment="defined crypto policy"/>
|
||||
</def-group>
|
||||
|
||||
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:20:33 +0200
|
||||
Subject: [PATCH 2/2] Improve OVAL comments for better readability
|
||||
|
||||
Simplified the comments and aligned the respective lines to the
|
||||
project Style Guides.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
|
||||
1 file changed, 16 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 0ec076a5fb7..88aae7aaab9 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -3,36 +3,36 @@
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="etc_system_fips_exists"
|
||||
- comment="check /etc/system-fips exists"/>
|
||||
+ comment="check /etc/system-fips file existence"/>
|
||||
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
- comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
|
||||
<extend_definition definition_ref="enable_dracut_fips_module"
|
||||
- comment="Dracut FIPS module is enabled"/>
|
||||
+ comment="dracut FIPS module is enabled"/>
|
||||
<extend_definition definition_ref="configure_crypto_policy"
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for s390x architecture"/>
|
||||
+ comment="generic test for s390x architecture"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for NOT s390x architecture"/>
|
||||
+ comment="generic test for non-s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
<criterion test_ref="test_grubenv_fips_mode"
|
||||
comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -42,7 +42,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -59,7 +59,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -71,7 +71,7 @@
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
@@ -81,7 +81,8 @@
|
||||
</ind:variable_object>
|
||||
|
||||
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
|
||||
+to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
@@ -94,7 +95,7 @@
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Fips mode selected in running kernel opts">
|
||||
+ comment="FIPS mode is selected in running kernel options">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
@@ -106,5 +107,5 @@
|
||||
{{% endif %}}
|
||||
|
||||
<external_variable id="var_system_crypto_policy" version="1"
|
||||
- datatype="string" comment="defined crypto policy"/>
|
||||
+ datatype="string" comment="variable which selects the crypto policy"/>
|
||||
</def-group>
|
@ -0,0 +1,30 @@
|
||||
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 17 Aug 2023 10:50:09 +0200
|
||||
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
|
||||
|
||||
---
|
||||
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
|
||||
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
||||
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
@ -1,14 +1,12 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
# Base name of static rhel7 content tarball
|
||||
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.74
|
||||
Release: 3%{?dist}
|
||||
Version: 0.1.69
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
@ -16,8 +14,13 @@ URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Include tarball with last released rhel7 content
|
||||
Source2: %{_static_rhel7_content}.tar.bz2
|
||||
# Patch prevents cjis, rht-ccp and standard profiles in RHEL8 datastream
|
||||
Patch0: disable-not-in-good-shape-profiles.patch
|
||||
# Fix rule enable_fips_mode
|
||||
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
|
||||
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
|
||||
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
|
||||
Patch3: scap-security-guide-0.1.70-remove_sebool_secure_insmod_from_anssi-PR_11001.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -25,7 +28,8 @@ BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
BuildRequires: python3-devel
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
@ -66,7 +70,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -b1 -b2
|
||||
%autosetup -p1 -b1
|
||||
|
||||
%build
|
||||
mkdir -p build
|
||||
@ -98,16 +102,6 @@ cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# Manually install pre-built rhel7 content
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
|
||||
# this is for backward compatibility
|
||||
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
|
||||
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
@ -133,46 +127,6 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
|
||||
- fix build
|
||||
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
|
||||
|
||||
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
|
||||
- include RHEL 7 artifacts from the last RHEL 7 build
|
||||
|
||||
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
|
||||
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
|
||||
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
|
||||
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
|
||||
|
||||
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
|
||||
- Switch gating to tmt plan (RHEL-43242)
|
||||
|
||||
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
||||
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
|
||||
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
|
||||
- Fix file path identification in Rsyslog configuration (RHEL-17202)
|
||||
- Use a correct chrony server address in STIG profile (RHEL-1814)
|
||||
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
|
||||
|
||||
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
|
||||
- Unlist profiles no longer maintained in RHEL8.
|
||||
|
||||
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
||||
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
|
||||
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
|
||||
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
|
||||
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
|
||||
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
|
||||
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
|
||||
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
|
||||
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
|
||||
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
|
||||
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
|
||||
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
|
||||
- Update PCI-DSS to v4 (RHEL-1808)
|
||||
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
|
||||
|
||||
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
|
||||
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
|
||||
|
||||
|