

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

7 changed files with 594 additions and 407 deletions

4
.gitignore vendored

@ -1,3 +1 @@
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 SOURCES/scap-security-guide-0.1.69.tar.bz2
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
SOURCES/scap-security-guide-0.1.74.tar.bz2


@ -1,3 +1 @@
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2 60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2


@ -0,0 +1,52 @@
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Tue, 8 Aug 2023 15:15:21 +0200
Subject: [PATCH] Remove kernel cmdline check
The OVAL in rule enable_fips_mode contains multiple checks. One
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
Although this is useful for latest RHEL versions, this file doesn't
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
remediation on these RHEL versions.
We want the same OVAL behavior on all minor RHEL releases, therefore
we will remove this test from the OVAL completely.
Related to: https://github.com/ComplianceAsCode/content/pull/10897
---
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 88aae7aaab9..3b50e07060e 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -12,8 +12,6 @@
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
@@ -57,19 +55,6 @@
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
- check="all" check_existence="all_exist"
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:variable_test id="test_system_crypto_policy_value" version="1"
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
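Review bot: After this patch the definition has no check of /etc/kernel/cmdline on any product, including the newer releases where the commit message says the check was useful, and nothing in the OVAL itself records why only the boot-loader-entries and grubenv tests remain as kernel-argument checks. A one-line Jinja comment beside the remaining criteria, e.g. `{{# /etc/kernel/cmdline is intentionally not checked: the file is absent on some minor releases, see PR 10897 #}}`, would keep that rationale in the file so a later contributor does not re-add the test. The state `state_fips_1_argument_in_captured_group` is kept, which appears correct since the boot loader entries test presumably still references it, but that reference is outside this hunk. The enclosing definition and its criteria start and end outside the hunk.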


@ -0,0 +1,272 @@
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:02:08 +0200
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
This commit only improves readability without any technical impact in
the OVAL logic.
---
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
1 file changed, 50 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index fe3f96f52a5..0ec076a5fb7 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -1,32 +1,38 @@
<def-group>
- <definition class="compliance" id="enable_fips_mode" version="1">
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
+ <extend_definition definition_ref="etc_system_fips_exists"
+ comment="check /etc/system-fips exists"/>
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
+ comment="check sysctl crypto.fips_enabled = 1"/>
+ <extend_definition definition_ref="enable_dracut_fips_module"
+ comment="Dracut FIPS module is enabled"/>
+ <extend_definition definition_ref="configure_crypto_policy"
+ comment="system cryptography policy is configured"/>
+ <criterion test_ref="test_system_crypto_policy_value"
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
- <extend_definition comment="Generic test for s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for s390x architecture"/>
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
- <extend_definition comment="Generic test for NOT s390x architecture"
- definition_ref="system_info_architecture_s390_64" />
+ <extend_definition definition_ref="system_info_architecture_s390_64"
+ comment="Generic test for NOT s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
- test_ref="test_grubenv_fips_mode" />
+ <criterion test_ref="test_grubenv_fips_mode"
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -34,58 +40,71 @@
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
- check="all" check_existence="all_exist" version="1">
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
+
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
</ind:textfilecontent54_state>
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
- check="all" check_existence="all_exist" version="1">
+
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
+ check="all" check_existence="all_exist"
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
+
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
</ind:variable_object>
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
+
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
{{%- endif %}}
</ind:variable_state>
+
{{% if product in ["ol8","rhel8"] %}}
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
- comment="Fips mode selected in running kernel opts" version="1">
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
+ check="all" check_existence="all_exist"
+ comment="Fips mode selected in running kernel opts">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
- version="1">
+
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
<ind:pattern operation="pattern match">fips=1</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
{{% endif %}}
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
+
+ <external_variable id="var_system_crypto_policy" version="1"
+ datatype="string" comment="defined crypto policy"/>
</def-group>
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Thu, 27 Jul 2023 10:20:33 +0200
Subject: [PATCH 2/2] Improve OVAL comments for better readability
Simplified the comments and aligned the respective lines to the
project Style Guides.
---
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
index 0ec076a5fb7..88aae7aaab9 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
@@ -3,36 +3,36 @@
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
<criteria operator="AND">
<extend_definition definition_ref="etc_system_fips_exists"
- comment="check /etc/system-fips exists"/>
+ comment="check /etc/system-fips file existence"/>
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
- comment="check sysctl crypto.fips_enabled = 1"/>
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
<extend_definition definition_ref="enable_dracut_fips_module"
- comment="Dracut FIPS module is enabled"/>
+ comment="dracut FIPS module is enabled"/>
<extend_definition definition_ref="configure_crypto_policy"
comment="system cryptography policy is configured"/>
<criterion test_ref="test_system_crypto_policy_value"
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
{{% if "ol" in product or "rhel" in product %}}
<criteria operator="OR">
<criteria operator="AND">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for s390x architecture"/>
+ comment="generic test for s390x architecture"/>
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
</criteria>
<criteria operator="AND">
<criteria negate="true">
<extend_definition definition_ref="system_info_architecture_s390_64"
- comment="Generic test for NOT s390x architecture"/>
+ comment="generic test for non-s390x architecture"/>
</criteria>
{{% if product in ["ol8", "rhel8"] %}}
<criterion test_ref="test_grubenv_fips_mode"
comment="check if the kernel boot parameter is configured for FIPS mode"/>
{{% else %}}
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
{{% endif %}}
</criteria>
</criteria>
@@ -42,7 +42,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -59,7 +59,7 @@
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
check="all" check_existence="all_exist"
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
</ind:textfilecontent54_test>
@@ -71,7 +71,7 @@
</ind:textfilecontent54_object>
<ind:variable_test id="test_system_crypto_policy_value" version="1"
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
<ind:object object_ref="obj_system_crypto_policy_value" />
<ind:state state_ref="ste_system_crypto_policy_value" />
</ind:variable_test>
@@ -81,7 +81,8 @@
</ind:variable_object>
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
+to a crypto policy module that further restricts the modified crypto policy.">
{{% if product in ["ol9","rhel9"] -%}}
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
{{%- else %}}
@@ -94,7 +95,7 @@
{{% if product in ["ol8","rhel8"] %}}
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
check="all" check_existence="all_exist"
- comment="Fips mode selected in running kernel opts">
+ comment="FIPS mode is selected in running kernel options">
<ind:object object_ref="obj_grubenv_fips_mode" />
</ind:textfilecontent54_test>
@@ -106,5 +107,5 @@
{{% endif %}}
<external_variable id="var_system_crypto_policy" version="1"
- datatype="string" comment="defined crypto policy"/>
+ datatype="string" comment="variable which selects the crypto policy"/>
</def-group>
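Review bot: In the second patch the `comment` attribute of `ste_system_crypto_policy_value` is split across two source lines (the line ending in `corresponds` and the line starting `to a crypto policy module`), which places a literal line break inside an attribute value; a conforming parser normalizes it to a single space, so the text survives, but the continuation line sits at column 0 against the indented attribute and is the only multi-line attribute value in the file, which reads oddly for a change described as aligning with the style guide. Keeping the attribute on one line, or shortening it to something like `comment="variable value is 'FIPS' or 'FIPS:modifier', where the modifier is a crypto policy module that further restricts the policy."`, avoids the oddity. Separately, the first patch's description says it has no technical impact, yet it also changes the definition id from the literal `enable_fips_mode` to `{{{ rule_id }}}`; that is presumably equivalent once rendered, but it deserves a sentence in the commit message.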


@ -0,0 +1,21 @@
From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 15 Aug 2023 15:17:16 +0200
Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
---
controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
index d5fe6e1327b..9d9dc579fc4 100644
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
@@ -7,6 +7,4 @@ controls:
rules:
- sshd_enable_pam
- sysctl_crypto_fips_enabled
- - harden_sshd_ciphers_openssh_conf_crypto_policy
- - harden_sshd_macs_openssh_conf_crypto_policy
status: automated
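Review bot: The control keeps `status: automated` while two of its four rules are removed, and the reason (no RHEL 9 remediation, different syntax on RHEL 9) lives only in the commit message. If the control format's `notes` field is available here, a short note, or otherwise a comment above `rules:` such as `# harden_sshd_{ciphers,macs}_openssh_conf_crypto_policy omitted: no RHEL 9 remediation`, would keep that rationale with the control. The enclosing control entry starts outside the hunk.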


@ -0,0 +1,30 @@
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 17 Aug 2023 10:50:09 +0200
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
---
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
2 files changed, 4 insertions(+)
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel8/profiles/anssi_bp28_high.profile
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
index e2eeabbb78d..204e141b1f5 100644
--- a/products/rhel9/profiles/anssi_bp28_high.profile
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
@@ -17,3 +17,5 @@ description: |-
selections:
- anssi:all:high
+ # the following rule renders UEFI systems unbootable
+ - '!sebool_secure_mode_insmod'
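Review bot: The in-file comment says the rule `renders UEFI systems unbootable`, while the spec changelog entry for the same fix describes it as a secure boot problem; the two should use the same wording, and citing the tracking bug in the comment (e.g. `# the following rule renders UEFI systems unbootable (RHBZ#2221697)`) would let a reader find the background without the commit message. Both the rhel8 and rhel9 profile hunks carry the identical comment, so the same wording applies to both.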


@ -1,37 +1,35 @@
# Base name of static rhel6 content tarball # SSG build system and tests count with build directory name `build`.
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6 # For more details see:
# Base name of static rhel7 content tarball
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds # https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build %global _vpath_builddir build
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly # global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.74 Version: 0.1.69
Release: 3%{?dist} Release: 2%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
Group: Applications/System
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2 Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content # Fix rule enable_fips_mode
Source1: %{_static_rhel6_content}.tar.bz2 Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
# Include tarball with last released rhel7 content Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
Source2: %{_static_rhel7_content}.tar.bz2 # remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: expat BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5 BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8 BuildRequires: cmake >= 2.8
BuildRequires: python3-devel # To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python%{python3_pkgversion} BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2 BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5 Requires: xml-common, openscap-scanner >= 1.2.5
Obsoletes: openscap-content < 0:0.9.13
Provides: openscap-content
%description %description
The scap-security-guide project provides a guide for configuration of the The scap-security-guide project provides a guide for configuration of the
@ -47,7 +45,6 @@ further information.
%package doc %package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks Summary: HTML formatted security guides generated from XCCDF benchmarks
Group: System Environment/Base
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
%description doc %description doc
@ -66,58 +63,33 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%endif %endif
%prep %prep
%setup -q -b1 -b2 %autosetup -p1
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
%endif
%build
mkdir -p build mkdir -p build
cd build %build
%cmake \ %cmake %{cmake_defines_common} %{cmake_defines_specific}
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if ( %{defined rhel} && (! %{defined centos}) )
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
../
%cmake_build %cmake_build
%install %install
cd build
%cmake_install %cmake_install
rm %{buildroot}/%{_docdir}/%{name}/README.md
# Manually install pre-built rhel6 content rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
# Manually install pre-built rhel7 content
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
# this is for backward compatibility
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
%files %files
%{_datadir}/xml/scap/ssg/content %{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart %{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible %{_datadir}/%{name}/ansible/*.yml
%{_datadir}/%{name}/bash
%{_datadir}/%{name}/tailoring
%lang(en) %{_mandir}/man8/scap-security-guide.8.* %lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE %doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md
%if ( %{defined rhel} && (! %{defined centos}) ) %if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks %exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif %endif
@ -133,416 +105,260 @@ ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefo
%endif %endif
%changelog %changelog
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3 * Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
- fix build - Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files - Fix ANSSI High profile with secure boot (RHBZ#2221697)
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2 * Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- include RHEL 7 artifacts from the last RHEL 7 build - Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
- Correct URL used to download CVE checks. (RHBZ#2223178)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
- Fixed excess quotes in journald configuration files (RHBZ#2193169)
- Change rules checking home directories to apply only to local users (RHBZ#2203791)
- Change rules checking password age to apply only to local users (RHBZ#2213958)
- Updated man page (RHBZ#2060028)
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1 * Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.74 (RHEL-53913) - Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816) - Fix remediation of audit watch rules (RHBZ#2169441)
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390) - Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
- Unselect rule logind_session_timeout (RHBZ#2169443)
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2 * Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
- Switch gating to tmt plan (RHEL-43242) - OSPP: fix rule related to coredump (RHBZ#2081688)
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1 * Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733) - use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
- Fix file path identification in Rsyslog configuration (RHEL-17202)
- Use a correct chrony server address in STIG profile (RHEL-1814)
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2 * Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
- Unlist profiles no longer maintained in RHEL8. - Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
- Update PCI-DSS to v4 (RHEL-1808)
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
- Fixed CCE link URL (RHBZ#2178516)
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
- Fixed rules related to AIDE configuration (RHBZ#2175684)
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
- Correct URL used to download CVE checks (RHBZ#2222583)
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
- Unselect rule logind_session_timeout (RHBZ#2158404)
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
- Fix levels of CIS rules (RHBZ#2162803)
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
- Add rule for audit immutable login uids (RHBZ#2151553)
- Fix remediation of audit watch rules (RHBZ#2119356)
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
- Fix applicability of kerberos rules (RHBZ#2099394)
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
- Fix compatibility with Ansible 2.14
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
- Fix Ansible partition conditional (RHBZ#2032403)
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2 * Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- aligning with the latest STIG update (RHBZ#2112937) - OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
- OSPP: use Authselect minimal profile (RHBZ#2117192) - OSPP: update rules related to coredumps (RHBZ#2081688)
- OSPP: change rules for protecting of boot (RHBZ#2116440) - OSPP: update rules related to BPF (RHBZ#2081728)
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974) - fix description of require_singleuser_mode (RHBZ#2092799)
- fix handling of Defaults clause in sudoers (RHBZ#2083109) - fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403) - OSPP: use minimal Authselect profile(RHBZ#2114979)
- fix handling of Rsyslog include directives (RHBZ#2075384)
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1 * Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564) - Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1 * Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070564) - Rebase to a new upstream release (RHBZ#2070563)
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
- Fix Ansible sysctl remediation (RHBZ#2079241)
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5 * Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860) - Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485) - Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485) - Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4 * Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014485) - Fix Ansible service disabled tasks (RHBZ#2014561)
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149) - Update description of OSPP profile (RHBZ#2045386)
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3 * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555) - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555) - Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301) - Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966) - Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
- Update GRUB2 rule descriptions (RHBZ#2014485) - Update GRUB2 rule descriptions (RHBZ#2020623)
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485) - Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2 * Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555) - Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
- Align audit rules for OSPP profile (RHBZ#2000264)
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1 * Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Rebase to a new upstream release (RHBZ#2014485) - Rebase to a new upstream release (RHBZ#2014561)
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1 * Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014485) - Rebase to a new upstream release (RHBZ#2014561)
- Enable Centos Stream 9 content (RHBZ#2021284)
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1 * Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
- Rebase to a new upstream release. (RHBZ#2014485) - Rebase to a new upstream release (RHBZ#2014561)
- Disable profiles that we disable in RHEL8
- Add a VM wait handling to fix issues with tests. - Add a VM wait handling to fix issues with tests.
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4 * Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197) - Fix remediations applicability of zipl rules
Resolves: rhbz#1996847
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3 * Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
- Fix remaining audit rules file permissions (RHBZ#1993056) - Fix a broken HTTP link
- Mark a STIG service rule as machine only (RHBZ#1993056) Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577) Resolves: rhbz#1962564
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2 * Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179) - Use SSHD directory-based configuration.
- Include tests for Ansible Playbooks that remove and reintroduce files. Resolves: rhbz#1962564
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) - Introduce ISM kickstarts
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483) Resolves: rhbz#1978290
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197) - Deliver numerous RHEL9 fixes to rules - see related BZs for details.
- Add Kickstart files for ISM profile (RHBZ#1955373) TLDR: Enable remediations by means of platform metadata,
- Fix broken RHEL7 documentation links (RHBZ#1966577) enable the RHEL9 GPG rule, introduce the s390x platform,
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
address the subscription-manager package merge, and
enable and select more rules applicable to RHEL9.
Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Update to the latest upstream release (RHBZ#1966577) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Enable the ISM profile. Related: rhbz#1991688
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2 * Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604) - Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1 * Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Update to the latest upstream release (RHBZ#1966577) - Introduced the playbooks subpackage.
- Add ANSSI High Profile (RHBZ#1955183) - Enabled CentOS content on CentOS systems.
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5 * Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Remove Kickstart for not shipped profile (RHBZ#1778188) - Enable more RHEL9 rules and introduce RHEL9 profile stubs
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4 * Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742) - Upgrade to the latest upstream release
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019) - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2 * Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742) - fix definition of build directory
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1 * Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344) - Update to latest upstream SCAP-Security-Guide-0.1.54 release:
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188) https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193) - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3 * Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062) - Update to latest upstream SCAP-Security-Guide-0.1.53 release:
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032) https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2 * Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
- Update list of profiles built (RHBZ#1889344) - revert previous rework, it did not solve the problem
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1 * Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
- Update to the latest upstream release (RHBZ#1889344) - rewrite solution for CMake out of source builds
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14 * Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962) - Update to latest upstream SCAP-Security-Guide-0.1.52 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13 * Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962) - Update for new CMake out of source builds
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
- remove rationale from rules that contain defective links (rhbz#1854854) - Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
- fixed link in a grub2 rule description (rhbz#1854854) - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10 * Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
- Update the scapval invocation (RHBZ#1815007) - Update to latest upstream SCAP-Security-Guide-0.1.51 release:
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007) https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9 * Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
- fix description of HIPAA profile (RHBZ#1867559) - Update to latest upstream SCAP-Security-Guide-0.1.49 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928) - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
- Remove CCM from TLS Ciphersuites
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7 * Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543) - Update to latest upstream SCAP-Security-Guide-0.1.48 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6 * Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Fix rsyslog permissions/ownership rules (RHBZ#1781606) - Hotfix of the XML parsing fix.
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5 * Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526) - Update to latest upstream SCAP-Security-Guide-0.1.47 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
- Fixed XML parsing of remediation functions.
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4 * Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
- CIS Ansible fixes (RHBZ#1760734) - Update to latest upstream SCAP-Security-Guide-0.1.45 release:
- HIPAA Ansible fixes (RHBZ#1832760) https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
- HIPAA Profile (RHBZ#1832760) - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- Enable build of RHEL8 HIPAA Profile
- Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
- Add Ansible fix for sshd_set_max_sessions
- Add CIS Profile content attribution to Center for Internet Security
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2 * Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
- Fix Ansible for no_direct_root_logins - Update to latest upstream SCAP-Security-Guide-0.1.44 release:
- Fix Ansible template for SELinux booleans https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2 * Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
- Update selections in RHEL8 CIS Profile (RHBZ#1760734) - Update to latest upstream SCAP-Security-Guide-0.1.43 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
- Update URL and source URL
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
- Update to the latest upstream release (RHBZ#1815007) - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1 * Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
- Update to the latest upstream release (RHBZ#1815007)
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
- Use crypto-policy rules in OSPP profile.
- Re-enable FIREFOX and JRE product in build.
- Change test suite logging message about missing profile from ERROR to WARNING.
- Build only one version of SCAP content at a time.
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
- Ported changelog from late 8.0 builds.
- Disabled build of the OL8 product, updated other components of the cmake invocation.
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
- Assign CCE to rules from OSPP profile which were missing the identifier.
- Fix regular expression for Audit rules ordering
- Account for Audit rules flags parameter position within syscall
- Add remediations for Audit rules file path
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
- Add a Bash remediation for Audit rules that require ordering
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
- Assign CCE identifier to rules used by RHEL8 profiles.
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
- Fixed Crypto Policy OVAL for NSS
- Got rid of rules requiring packages dropped in RHEL8.
- Profile descriptions fixes.
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
- Update applicable platforms in crypto policy tests
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
- Introduce Podman backend for SSG Test suite
- Update bind and libreswan crypto policy test scenarios
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
- Further fix of profiles descriptions, so they don't contain literal '\'.
- Removed obsolete sshd rule from the OSPP profile.
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
- Fixed profiles descriptions, so they don't contain literal '\n'.
- Made the configure_kerberos_crypto_policy OVAL more robust.
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
- Added FIPS mode rule for the OSPP profile.
- Split the installed_OS_is certified rule.
- Explicitly disabled OSP13, RHV4 and Example products.
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
- Add missing kickstart files for RHEL8
- Disable profiles that are not in good shape for RHEL8
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
- Update to latest upstream SCAP-Security-Guide-0.1.42 release: - Update to latest upstream SCAP-Security-Guide-0.1.42 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42 https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- System-wide crypto policies are introduced for RHEL8 - Fix man page build dependency on derivative content
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2 * Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Fix man page and package description
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Update to latest upstream SCAP-Security-Guide-0.1.41 release: - Update to latest upstream SCAP-Security-Guide-0.1.41 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41 https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles - Fix Licence of this package
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3 * Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot - Update to latest upstream SCAP-Security-Guide-0.1.40 release:
- Only build content for rhel8 products https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
- Update to use Python3 for build.
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
- Update build of rhel8 content - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1 * Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
- Enable build of rhel8 content - Add python version to python2-jinja2 package
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1 * Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
- Update to latest upstream SCAP-Security-Guide-0.1.39 release: - Update to latest upstream SCAP-Security-Guide-0.1.39 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39 https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
- Fix spec file to build using Python 3
- Fix License because upstream changed to BSD-3 * Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
- Add python version to python package prefixes
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1 * Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
- Update to latest upstream SCAP-Security-Guide-0.1.38 release: - Update to latest upstream SCAP-Security-Guide-0.1.38 release: