Compare commits
No commits in common. "c8" and "c10s" have entirely different histories.
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
||||
1
|
63
.gitignore
vendored
63
.gitignore
vendored
@ -1,3 +1,60 @@
|
||||
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
SOURCES/scap-security-guide-0.1.74.tar.bz2
|
||||
/scap-security-guide-0.1-3.tar.gz
|
||||
/scap-security-guide-0.1.4.tar.gz
|
||||
/scap-security-guide-0.1-16.tar.gz
|
||||
/scap-security-guide-0.1.5.tar.gz
|
||||
/scap-security-guide-0.1.18.tar.gz
|
||||
/scap-security-guide-0.1.19.tar.gz
|
||||
/scap-security-guide-0.1.21.tar.gz
|
||||
/v0.1.22.tar.gz
|
||||
/v0.1.23.tar.gz
|
||||
/v0.1.24.tar.gz
|
||||
/v0.1.25.tar.gz
|
||||
/v0.1.26.tar.gz
|
||||
/v0.1.27.tar.gz
|
||||
/v0.1.28.tar.gz
|
||||
/scap-security-guide-0.1.29.tar.gz
|
||||
/0.1.29.tar.gz
|
||||
/v0.1.29.tar.gz
|
||||
/v0.1.30.tar.gz
|
||||
/scap-security-guide-0.1.31.tar.gz
|
||||
/scap-security-guide-0.1.32.tar.gz
|
||||
/scap-security-guide-0.1.33.tar.bz2
|
||||
/scap-security-guide-0.1.34.tar.bz2
|
||||
/scap-security-guide-0.1.35.tar.bz2
|
||||
/scap-security-guide-0.1.36.tar.bz2
|
||||
/scap-security-guide-0.1.37.tar.bz2
|
||||
/scap-security-guide-0.1.38.tar.bz2
|
||||
/scap-security-guide-0.1.39.tar.bz2
|
||||
/scap-security-guide-0.1.40.tar.bz2
|
||||
/scap-security-guide-0.1.41.tar.bz2
|
||||
/scap-security-guide-0.1.42.tar.bz2
|
||||
/scap-security-guide-0.1.43.tar.bz2
|
||||
/scap-security-guide-0.1.44.tar.bz2
|
||||
/scap-security-guide-0.1.45.tar.bz2
|
||||
/scap-security-guide-0.1.47.tar.bz2
|
||||
/scap-security-guide-0.1.48.tar.bz2
|
||||
/scap-security-guide-0.1.49.tar.bz2
|
||||
/scap-security-guide-0.1.51.tar.bz2
|
||||
/scap-security-guide-0.1.52.tar.bz2
|
||||
/scap-security-guide-0.1.53.tar.bz2
|
||||
/scap-security-guide-0.1.54.tar.bz2
|
||||
/scap-security-guide-0.1.55.tar.bz2
|
||||
/scap-security-guide-0.1.56.tar.bz2
|
||||
/scap-security-guide-0.1.57.tar.bz2
|
||||
/scap-security-guide-0.1.58.tar.bz2
|
||||
/scap-security-guide-0.1.59.tar.bz2
|
||||
/scap-security-guide-0.1.60.tar.bz2
|
||||
/scap-security-guide-0.1.61.tar.bz2
|
||||
/scap-security-guide-0.1.62.tar.bz2
|
||||
/scap-security-guide-0.1.63.tar.bz2
|
||||
/scap-security-guide-0.1.64.tar.bz2
|
||||
/scap-security-guide-0.1.65.tar.bz2
|
||||
/scap-security-guide-0.1.66.tar.bz2
|
||||
/scap-security-guide-0.1.67.tar.bz2
|
||||
/scap-security-guide-0.1.68.tar.bz2
|
||||
/scap-security-guide-0.1.69.tar.bz2
|
||||
/scap-security-guide-0.1.70.tar.bz2
|
||||
/scap-security-guide-0.1.71.tar.bz2
|
||||
/scap-security-guide-0.1.72.tar.bz2
|
||||
/scap-security-guide-0.1.73.tar.bz2
|
||||
/scap-security-guide-0.1.74.tar.bz2
|
||||
|
@ -1,3 +0,0 @@
|
||||
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
|
||||
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
|
||||
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2
|
@ -1,744 +0,0 @@
|
||||
# Base name of static rhel6 content tarball
|
||||
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
||||
# Base name of static rhel7 content tarball
|
||||
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.74
|
||||
Release: 3%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
Group: Applications/System
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Include tarball with last released rhel6 content
|
||||
Source1: %{_static_rhel6_content}.tar.bz2
|
||||
# Include tarball with last released rhel7 content
|
||||
Source2: %{_static_rhel7_content}.tar.bz2
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||
Obsoletes: openscap-content < 0:0.9.13
|
||||
Provides: openscap-content
|
||||
|
||||
%description
|
||||
The scap-security-guide project provides a guide for configuration of the
|
||||
system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description doc
|
||||
The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%setup -q -b1 -b2
|
||||
|
||||
%build
|
||||
mkdir -p build
|
||||
cd build
|
||||
%cmake \
|
||||
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
||||
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
||||
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
|
||||
%if %{defined centos}
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
|
||||
%else
|
||||
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%endif
|
||||
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
||||
%endif
|
||||
../
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
cd build
|
||||
%cmake_install
|
||||
|
||||
# Manually install pre-built rhel6 content
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# Manually install pre-built rhel7 content
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
|
||||
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
|
||||
|
||||
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
|
||||
# this is for backward compatibility
|
||||
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
|
||||
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
%{_datadir}/%{name}/ansible
|
||||
%{_datadir}/%{name}/bash
|
||||
%{_datadir}/%{name}/tailoring
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%doc %{_docdir}/%{name}/README.md
|
||||
%doc %{_docdir}/%{name}/Contributors.md
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
|
||||
- fix build
|
||||
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
|
||||
|
||||
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
|
||||
- include RHEL 7 artifacts from the last RHEL 7 build
|
||||
|
||||
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
|
||||
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
|
||||
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
|
||||
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
|
||||
|
||||
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
|
||||
- Switch gating to tmt plan (RHEL-43242)
|
||||
|
||||
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
||||
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
|
||||
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
|
||||
- Fix file path identification in Rsyslog configuration (RHEL-17202)
|
||||
- Use a correct chrony server address in STIG profile (RHEL-1814)
|
||||
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
|
||||
|
||||
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
|
||||
- Unlist profiles no longer maintained in RHEL8.
|
||||
|
||||
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
||||
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
|
||||
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
|
||||
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
|
||||
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
|
||||
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
|
||||
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
|
||||
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
|
||||
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
|
||||
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
|
||||
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
|
||||
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
|
||||
- Update PCI-DSS to v4 (RHEL-1808)
|
||||
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
|
||||
|
||||
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
|
||||
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
|
||||
|
||||
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
||||
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
|
||||
- Fixed CCE link URL (RHBZ#2178516)
|
||||
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
|
||||
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
|
||||
- Fixed rules related to AIDE configuration (RHBZ#2175684)
|
||||
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
|
||||
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
|
||||
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
|
||||
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
|
||||
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
|
||||
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
|
||||
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
|
||||
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
|
||||
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
|
||||
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
|
||||
- Correct URL used to download CVE checks (RHBZ#2222583)
|
||||
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
|
||||
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
|
||||
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
|
||||
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
|
||||
- Unselect rule logind_session_timeout (RHBZ#2158404)
|
||||
|
||||
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
|
||||
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
|
||||
- Fix levels of CIS rules (RHBZ#2162803)
|
||||
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
|
||||
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
|
||||
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
|
||||
- Add rule for audit immutable login uids (RHBZ#2151553)
|
||||
- Fix remediation of audit watch rules (RHBZ#2119356)
|
||||
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
|
||||
- Fix applicability of kerberos rules (RHBZ#2099394)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
|
||||
|
||||
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
|
||||
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
|
||||
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
|
||||
- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
|
||||
- Fix compatibility with Ansible 2.14
|
||||
|
||||
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
|
||||
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
|
||||
|
||||
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
|
||||
- Fix Ansible partition conditional (RHBZ#2032403)
|
||||
|
||||
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||
- aligning with the latest STIG update (RHBZ#2112937)
|
||||
- OSPP: use Authselect minimal profile (RHBZ#2117192)
|
||||
- OSPP: change rules for protecting of boot (RHBZ#2116440)
|
||||
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
|
||||
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
|
||||
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
|
||||
- fix handling of Rsyslog include directives (RHBZ#2075384)
|
||||
|
||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
|
||||
|
||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||
- Rebase to a new upstream release (RHBZ#2070564)
|
||||
|
||||
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
|
||||
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
|
||||
- Fix Ansible sysctl remediation (RHBZ#2079241)
|
||||
|
||||
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
|
||||
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
|
||||
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
|
||||
|
||||
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
|
||||
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
|
||||
|
||||
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
|
||||
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
||||
|
||||
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
|
||||
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
|
||||
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
|
||||
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
|
||||
|
||||
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014485)
|
||||
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
|
||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
|
||||
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
|
||||
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
|
||||
- Update GRUB2 rule descriptions (RHBZ#2014485)
|
||||
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
|
||||
|
||||
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
|
||||
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
|
||||
- Align audit rules for OSPP profile (RHBZ#2000264)
|
||||
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
|
||||
|
||||
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
||||
- Rebase to a new upstream release (RHBZ#2014485)
|
||||
|
||||
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
|
||||
- Rebase to a new upstream release (RHBZ#2014485)
|
||||
|
||||
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
|
||||
- Rebase to a new upstream release. (RHBZ#2014485)
|
||||
- Add a VM wait handling to fix issues with tests.
|
||||
|
||||
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
|
||||
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
|
||||
|
||||
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
||||
- Fix remaining audit rules file permissions (RHBZ#1993056)
|
||||
- Mark a STIG service rule as machine only (RHBZ#1993056)
|
||||
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
|
||||
|
||||
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
|
||||
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
|
||||
- Include tests for Ansible Playbooks that remove and reintroduce files.
|
||||
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
|
||||
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
|
||||
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
|
||||
- Add Kickstart files for ISM profile (RHBZ#1955373)
|
||||
- Fix broken RHEL7 documentation links (RHBZ#1966577)
|
||||
|
||||
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Enable the ISM profile.
|
||||
|
||||
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
|
||||
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
|
||||
|
||||
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
|
||||
- Update to the latest upstream release (RHBZ#1966577)
|
||||
- Add ANSSI High Profile (RHBZ#1955183)
|
||||
|
||||
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
||||
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
||||
|
||||
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
|
||||
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
|
||||
|
||||
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
|
||||
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
|
||||
|
||||
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
|
||||
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
|
||||
|
||||
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
|
||||
|
||||
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
|
||||
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
|
||||
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
|
||||
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
|
||||
|
||||
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
|
||||
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
|
||||
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
|
||||
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
|
||||
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
|
||||
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
|
||||
|
||||
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
|
||||
- Update list of profiles built (RHBZ#1889344)
|
||||
|
||||
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||
- Update to the latest upstream release (RHBZ#1889344)
|
||||
|
||||
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
|
||||
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
|
||||
|
||||
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
|
||||
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
|
||||
|
||||
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
|
||||
- remove rationale from rules that contain defective links (rhbz#1854854)
|
||||
|
||||
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
|
||||
- fixed link in a grub2 rule description (rhbz#1854854)
|
||||
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
|
||||
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
|
||||
|
||||
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
|
||||
- Update the scapval invocation (RHBZ#1815007)
|
||||
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
|
||||
- Change the spec file macro invocation from patch to Patch
|
||||
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
|
||||
|
||||
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
|
||||
- fix description of HIPAA profile (RHBZ#1867559)
|
||||
|
||||
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
|
||||
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
|
||||
- Remove CCM from TLS Ciphersuites
|
||||
|
||||
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
|
||||
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
|
||||
|
||||
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
|
||||
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
|
||||
|
||||
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
|
||||
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
|
||||
|
||||
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
|
||||
- CIS Ansible fixes (RHBZ#1760734)
|
||||
- HIPAA Ansible fixes (RHBZ#1832760)
|
||||
|
||||
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
|
||||
- HIPAA Profile (RHBZ#1832760)
|
||||
- Enable build of RHEL8 HIPAA Profile
|
||||
- Add kickstarts for HIPAA
|
||||
- CIS Profile (RHBZ#1760734)
|
||||
- Add Ansible fix for sshd_set_max_sessions
|
||||
- Add CIS Profile content attribution to Center for Internet Security
|
||||
|
||||
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
||||
- Fix Ansible for no_direct_root_logins
|
||||
- Fix Ansible template for SELinux booleans
|
||||
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
|
||||
|
||||
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
||||
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
|
||||
|
||||
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
|
||||
- Update to the latest upstream release (RHBZ#1815007)
|
||||
|
||||
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
|
||||
- Update to the latest upstream release (RHBZ#1815007)
|
||||
|
||||
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
|
||||
- Update baseline package list of OSPP profile
|
||||
|
||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
|
||||
- Rebuilt with correct spec file
|
||||
|
||||
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
|
||||
- Add SRG references to STIG rules (RHBZ#1755447)
|
||||
|
||||
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
|
||||
- Drop rsyslog rules from OSPP profile
|
||||
- Update COBIT URI
|
||||
- Add rules for strong source of RNG entropy
|
||||
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
|
||||
- STIG profile: added rsyslog rules and updated SRG mappings
|
||||
- Split audit rules according to audit component (RHBZ#1791312)
|
||||
|
||||
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
|
||||
- Update crypto-policy test scenarios
|
||||
- Update max-path-len test to skip tests/logs directory
|
||||
|
||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
|
||||
- Fix list of tables that are generated for RHEL8
|
||||
|
||||
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
|
||||
|
||||
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||
- Improved the e8 profile (RHBZ#1755194)
|
||||
|
||||
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
|
||||
|
||||
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
|
||||
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
|
||||
|
||||
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
|
||||
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
|
||||
|
||||
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
|
||||
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
|
||||
|
||||
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
|
||||
- Use crypto-policy rules in OSPP profile.
|
||||
- Re-enable FIREFOX and JRE product in build.
|
||||
- Change test suite logging message about missing profile from ERROR to WARNING.
|
||||
- Build only one version of SCAP content at a time.
|
||||
|
||||
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
|
||||
|
||||
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
|
||||
- Ported changelog from late 8.0 builds.
|
||||
- Disabled build of the OL8 product, updated other components of the cmake invocation.
|
||||
|
||||
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
|
||||
|
||||
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
|
||||
- Assign CCE to rules from OSPP profile which were missing the identifier.
|
||||
- Fix regular expression for Audit rules ordering
|
||||
- Account for Audit rules flags parameter position within syscall
|
||||
- Add remediations for Audit rules file path
|
||||
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
|
||||
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
|
||||
- Add a Bash remediation for Audit rules that require ordering
|
||||
|
||||
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
|
||||
- Assign CCE identifier to rules used by RHEL8 profiles.
|
||||
|
||||
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
|
||||
- Fixed Crypto Policy OVAL for NSS
|
||||
- Got rid of rules requiring packages dropped in RHEL8.
|
||||
- Profile descriptions fixes.
|
||||
|
||||
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
|
||||
- Update applicable platforms in crypto policy tests
|
||||
|
||||
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
|
||||
- Introduce Podman backend for SSG Test suite
|
||||
- Update bind and libreswan crypto policy test scenarios
|
||||
|
||||
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
|
||||
- Further fix of profiles descriptions, so they don't contain literal '\'.
|
||||
- Removed obsolete sshd rule from the OSPP profile.
|
||||
|
||||
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
|
||||
- Fixed profiles descriptions, so they don't contain literal '\n'.
|
||||
- Made the configure_kerberos_crypto_policy OVAL more robust.
|
||||
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
|
||||
|
||||
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
|
||||
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
|
||||
|
||||
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
|
||||
- Added FIPS mode rule for the OSPP profile.
|
||||
- Split the installed_OS_is certified rule.
|
||||
- Explicitly disabled OSP13, RHV4 and Example products.
|
||||
|
||||
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
|
||||
- Add missing kickstart files for RHEL8
|
||||
- Disable profiles that are not in good shape for RHEL8
|
||||
|
||||
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
||||
- System-wide crypto policies are introduced for RHEL8
|
||||
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
|
||||
|
||||
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
|
||||
- Fix man page and package description
|
||||
|
||||
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
||||
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
|
||||
|
||||
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
|
||||
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
|
||||
- Only build content for rhel8 products
|
||||
|
||||
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
|
||||
- Update build of rhel8 content
|
||||
|
||||
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
|
||||
- Enable build of rhel8 content
|
||||
|
||||
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
||||
- Fix spec file to build using Python 3
|
||||
- Fix License because upstream changed to BSD-3
|
||||
|
||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
|
||||
|
||||
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
|
||||
|
||||
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
|
||||
- use make_build and make_install RPM macros
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
|
||||
- update to the latest upstream release
|
||||
- new default location for content /usr/share/scap/ssg
|
||||
- install HTML tables in the doc subpackage
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
|
||||
- Correct currently failing parallel SCAP Security Guide build
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
|
||||
- Drop shell library for remediation functions since it is not required
|
||||
starting from 0.1.30 release any more
|
||||
|
||||
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
|
||||
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
|
||||
in 0.1.29 upstream release
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
|
||||
- upgrade to the latest upstream release
|
||||
|
||||
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
|
||||
- update to the latest upstream release
|
||||
- created doc sub-package to ship all the guides
|
||||
- start distributing centos and scientific linux content
|
||||
- rename java content to jre
|
||||
|
||||
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
|
||||
- update to the latest upstream release
|
||||
- only DataStream file is now available for Fedora
|
||||
- start distributing security baseline for Firefox
|
||||
- start distributing security baseline for Java RunTime deployments
|
||||
|
||||
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
|
||||
- update to the latest upstream release
|
||||
- move content to /usr/share/scap/ssg/content
|
||||
|
||||
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
|
||||
- require only openscap-scanner, not whole openscap-utils package
|
||||
|
||||
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
|
||||
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
|
||||
- Add STIG DISCLAIMER to the shipped documentation
|
||||
|
||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
|
||||
- Fix fedora-srpm and fedora-rpm Make targets to work again
|
||||
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
|
||||
- EOL for Fedora 18 support
|
||||
- Include Fedora datastream file for remote Fedora system scans
|
||||
|
||||
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
|
||||
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
|
||||
|
||||
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
|
||||
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
|
||||
it to /shared
|
||||
- Add shared remediations for sshd disable empty passwords and
|
||||
sshd set idle timeout
|
||||
- Shared remediation for sshd disable root login
|
||||
- Add empty -compat subpackage to ensure backward-compatibility with
|
||||
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
|
||||
- OVAL check for sshd disable root login
|
||||
- Fix typo in OVAL check for sshd disable empty passwords
|
||||
- OVAL check for sshd disable empty passwords
|
||||
- Unselect no shelllogin for systemaccounts rule from being run by default
|
||||
- Rename XCCDF rules
|
||||
- Revert Set up Fedora release name and CPE based on build system properties
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
|
||||
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
|
||||
- Shared OVAL check for Verify that System Executables Have Root Ownership
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
|
||||
Permissions
|
||||
- Fix remediation for Disable Prelinking rule
|
||||
- OVAL check and remediation for sshd's ClientAliveCountMax rule
|
||||
- OVAL check for sshd's ClientAliveInterval rule
|
||||
- Include descriptions for permissions section, and rules for checking
|
||||
permissions and ownership of shared library files and system executables
|
||||
- Disable selected rules by default
|
||||
- Add remediation for Disable Prelinking rule
|
||||
- Adjust service-enable-macro, service-disable-macro XSLT transforms
|
||||
definition to evaluate to proper systemd syntax
|
||||
- Fix service_ntpd_enabled OVAL check make validate to pass again
|
||||
- Include patch from Šimon Lukašík to obsolete openscap-content
|
||||
package (RH BZ#1028706)
|
||||
- Add OVAL check to test if there's is remote NTP server configured for
|
||||
time data
|
||||
- Add system settings section for the guide (to track system wide
|
||||
hardening configurations)
|
||||
- Include disable prelink rule and OVAL check for it
|
||||
- Initial OVAL check if ntpd service is enabled. Add package_installed
|
||||
OVAL templating directory structure and functionality.
|
||||
- Include services section, and XCCDF description for selected ntpd's
|
||||
sshd's service rules
|
||||
- Include remediations for login.defs' based password minimum, maximum and
|
||||
warning age rules
|
||||
- Include directory structure to support remediations
|
||||
- Add SCAP "replace or append pattern value in text file based on variable"
|
||||
remediation script generator
|
||||
- Add remediation for "Set Password Minimum Length in login.defs" rule
|
||||
|
||||
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
|
||||
- Update versioning scheme - move fedorassgrelease to be part of
|
||||
upstream version. Rename it to fedorassgversion to avoid name collision
|
||||
with Fedora package release.
|
||||
|
||||
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
|
||||
- Add .gitignore for Fedora output directory
|
||||
- Set up Fedora release name and CPE based on build system properties
|
||||
- Use correct file paths in scap-security-guide(8) manual page
|
||||
(RH BZ#1018905, c#10)
|
||||
- Apply further changes motivated by scap-security-guide Fedora RPM review
|
||||
request (RH BZ#1018905, c#8):
|
||||
* update package description,
|
||||
* make content files to be owned by the scap-security-guide package,
|
||||
* remove Fedora release number from generated content files,
|
||||
* move HTML form of the guide under the doc directory (together
|
||||
with that drop fedora/content subdir and place the content
|
||||
directly under fedora/ subdir).
|
||||
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
|
||||
* drop Fedora release from package provided files' final path (c#5),
|
||||
* drop BuildRoot, selected Requires:, clean section, drop chcon for
|
||||
manual page, don't gzip man page (c#4),
|
||||
* change package's description (c#4),
|
||||
* include PD license text (#c4).
|
||||
|
||||
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
|
||||
- Provide manual page for scap-security-guide
|
||||
- Remove percent sign from spec's changelog to silence rpmlint warning
|
||||
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
|
||||
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
|
||||
- Introduce 'Account and Access Control' section
|
||||
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
|
||||
rules to Fedora
|
||||
- Set proper name of the build directory in the spec's setup macro.
|
||||
- Replace hard-coded paths with macros. Preserve attributes when copying files.
|
||||
|
||||
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
|
||||
- Initial Fedora SSG RPM.
|
6
gating.yaml
Normal file
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-10
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/tier1.functional}
|
6
plans/ci.fmf
Normal file
6
plans/ci.fmf
Normal file
@ -0,0 +1,6 @@
|
||||
summary: CI test plan
|
||||
/tier1:
|
||||
plan:
|
||||
import:
|
||||
url: https://github.com/RHSecurityCompliance/contest.git
|
||||
name: /plans/gating-ci
|
529
scap-security-guide.spec
Normal file
529
scap-security-guide.spec
Normal file
@ -0,0 +1,529 @@
|
||||
# SSG build system and tests count with build directory name `build`.
|
||||
# For more details see:
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.74
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
BuildRequires: python%{python3_pkgversion}-setuptools
|
||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||
|
||||
%description
|
||||
The scap-security-guide project provides a guide for configuration of the
|
||||
system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description doc
|
||||
The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
|
||||
%define cmake_defines_specific %{nil}
|
||||
%if 0%{?rhel} && ! %{defined eln}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||
%endif
|
||||
%if 0%{?centos}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
|
||||
%endif
|
||||
|
||||
mkdir -p build
|
||||
%build
|
||||
%cmake %{cmake_defines_common} %{cmake_defines_specific}
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
%cmake_install
|
||||
rm %{buildroot}/%{_docdir}/%{name}/README.md
|
||||
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
|
||||
%files
|
||||
# To Enabled once the content for RHEL 10
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/ansible/*.yml
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.1.74-2
|
||||
- Bump release for October 2024 mass rebuild:
|
||||
Resolves: RHEL-64018
|
||||
|
||||
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com>
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.74 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.74
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.1.73-2
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
* Wed May 22 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
||||
- Upgrade to the latest upstream release
|
||||
|
||||
* Wed Mar 27 2024 Matthew Burket <mburket@redhat.com> - 0.1.72-2
|
||||
- Add RHEL10 Product
|
||||
|
||||
* Fri Feb 09 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.72-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.72 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72
|
||||
|
||||
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.71-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
||||
* Tue Dec 19 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.71-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.71 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.71
|
||||
|
||||
* Thu Oct 12 2023 Matthew Burket <mburket@redhat.com> - 0.1.70-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.70 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.70
|
||||
|
||||
* Thu Aug 03 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.69 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.69
|
||||
|
||||
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.68-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
|
||||
|
||||
* Thu Jun 15 2023 Jan Černý <jcerny@redhat.com> - 0.1.68-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.68 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.68
|
||||
|
||||
* Wed Apr 12 2023 Matthew Burket <mburket@redhat.com> - 0.1.67-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.67 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.67
|
||||
|
||||
|
||||
* Fri Feb 03 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.66-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.66 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.66
|
||||
|
||||
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.65-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
|
||||
|
||||
* Tue Dec 06 2022 Marcus Burghardt <maburgha@redhat.com> - 0.1.65-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.65 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65
|
||||
|
||||
* Tue Oct 04 2022 Watson Sato <wsato@redhat.com> - 0.1.64-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.64 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64
|
||||
|
||||
* Mon Aug 01 2022 Watson Sato <wsato@redhat.com> - 0.1.63-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.63 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.63
|
||||
|
||||
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.62-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
||||
|
||||
* Thu Jun 09 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
|
||||
- rebuild, the release did not get propagated into rawhide
|
||||
|
||||
* Mon May 30 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.62 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.62
|
||||
|
||||
* Wed May 04 2022 Watson Sato <wsato@redhat.com> - 0.1.61-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.61 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.61
|
||||
|
||||
* Fri Jan 28 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.60 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.60
|
||||
|
||||
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.59-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.59 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.59
|
||||
- Fix loading of jinja files
|
||||
|
||||
* Thu Sep 30 2021 Watson Sato <wsato@redhat.com> - 0.1.58-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.58 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.58
|
||||
- Fix license warning.
|
||||
|
||||
* Thu Jul 29 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.57 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.57
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.56-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Tue Jun 08 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
|
||||
- Updated the packaging according to the RHEL development trends.
|
||||
- Don't ship 1.2 datastreams and Bash remediations.
|
||||
- Clean up dependencies and other package metadata.
|
||||
- Change the RHEL target.
|
||||
|
||||
* Wed May 26 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.56-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.56 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.56
|
||||
|
||||
* Fri Mar 19 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.55-2
|
||||
- rebuilt
|
||||
|
||||
* Fri Mar 19 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.55-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.55 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.55
|
||||
|
||||
* Fri Feb 12 2021 Matej Tyc <matyc@redhat.com> - 0.1.54-3
|
||||
- Moved the spec file closer to the RHEL one.
|
||||
|
||||
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
|
||||
- fix definition of build directory
|
||||
|
||||
* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
|
||||
|
||||
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
|
||||
- revert previous rework, it did not solve the problem
|
||||
|
||||
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
|
||||
- rewrite solution for CMake out of source builds
|
||||
|
||||
* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
|
||||
|
||||
* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
|
||||
- Update for new CMake out of source builds
|
||||
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
|
||||
|
||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
|
||||
|
||||
* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
|
||||
|
||||
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||
- Hotfix of the XML parsing fix.
|
||||
|
||||
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
|
||||
- Fixed XML parsing of remediation functions.
|
||||
|
||||
* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
|
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
|
||||
|
||||
* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
|
||||
- Update URL and source URL
|
||||
|
||||
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
||||
- Fix man page build dependency on derivative content
|
||||
|
||||
* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
||||
- Fix Licence of this package
|
||||
|
||||
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
|
||||
- Update to use Python3 for build.
|
||||
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
|
||||
- Add python version to python2-jinja2 package
|
||||
|
||||
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
||||
|
||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
|
||||
- Add python version to python package prefixes
|
||||
|
||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
|
||||
|
||||
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
|
||||
|
||||
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
|
||||
- use make_build and make_install RPM macros
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
|
||||
- update to the latest upstream release
|
||||
- new default location for content /usr/share/scap/ssg
|
||||
- install HTML tables in the doc subpackage
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
|
||||
- Correct currently failing parallel SCAP Security Guide build
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
|
||||
- Drop shell library for remediation functions since it is not required
|
||||
starting from 0.1.30 release any more
|
||||
|
||||
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
|
||||
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
|
||||
in 0.1.29 upstream release
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
|
||||
- upgrade to the latest upstream release
|
||||
|
||||
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
|
||||
- update to the latest upstream release
|
||||
- created doc sub-package to ship all the guides
|
||||
- start distributing centos and scientific linux content
|
||||
- rename java content to jre
|
||||
|
||||
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
|
||||
- update to the latest upstream release
|
||||
- only DataStream file is now available for Fedora
|
||||
- start distributing security baseline for Firefox
|
||||
- start distributing security baseline for Java RunTime deployments
|
||||
|
||||
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
|
||||
- update to the latest upstream release
|
||||
- move content to /usr/share/scap/ssg/content
|
||||
|
||||
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
|
||||
- require only openscap-scanner, not whole openscap-utils package
|
||||
|
||||
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
|
||||
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
|
||||
- Add STIG DISCLAIMER to the shipped documentation
|
||||
|
||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
|
||||
- Fix fedora-srpm and fedora-rpm Make targets to work again
|
||||
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
|
||||
- EOL for Fedora 18 support
|
||||
- Include Fedora datastream file for remote Fedora system scans
|
||||
|
||||
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
|
||||
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
|
||||
|
||||
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
|
||||
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
|
||||
it to /shared
|
||||
- Add shared remediations for sshd disable empty passwords and
|
||||
sshd set idle timeout
|
||||
- Shared remediation for sshd disable root login
|
||||
- Add empty -compat subpackage to ensure backward-compatibility with
|
||||
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
|
||||
- OVAL check for sshd disable root login
|
||||
- Fix typo in OVAL check for sshd disable empty passwords
|
||||
- OVAL check for sshd disable empty passwords
|
||||
- Unselect no shelllogin for systemaccounts rule from being run by default
|
||||
- Rename XCCDF rules
|
||||
- Revert Set up Fedora release name and CPE based on build system properties
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
|
||||
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
|
||||
- Shared OVAL check for Verify that System Executables Have Root Ownership
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
|
||||
Permissions
|
||||
- Fix remediation for Disable Prelinking rule
|
||||
- OVAL check and remediation for sshd's ClientAliveCountMax rule
|
||||
- OVAL check for sshd's ClientAliveInterval rule
|
||||
- Include descriptions for permissions section, and rules for checking
|
||||
permissions and ownership of shared library files and system executables
|
||||
- Disable selected rules by default
|
||||
- Add remediation for Disable Prelinking rule
|
||||
- Adjust service-enable-macro, service-disable-macro XSLT transforms
|
||||
definition to evaluate to proper systemd syntax
|
||||
- Fix service_ntpd_enabled OVAL check make validate to pass again
|
||||
- Include patch from Šimon Lukašík to obsolete openscap-content
|
||||
package (RH BZ#1028706)
|
||||
- Add OVAL check to test if there's is remote NTP server configured for
|
||||
time data
|
||||
- Add system settings section for the guide (to track system wide
|
||||
hardening configurations)
|
||||
- Include disable prelink rule and OVAL check for it
|
||||
- Initial OVAL check if ntpd service is enabled. Add package_installed
|
||||
OVAL templating directory structure and functionality.
|
||||
- Include services section, and XCCDF description for selected ntpd's
|
||||
sshd's service rules
|
||||
- Include remediations for login.defs' based password minimum, maximum and
|
||||
warning age rules
|
||||
- Include directory structure to support remediations
|
||||
- Add SCAP "replace or append pattern value in text file based on variable"
|
||||
remediation script generator
|
||||
- Add remediation for "Set Password Minimum Length in login.defs" rule
|
||||
|
||||
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
|
||||
- Update versioning scheme - move fedorassgrelease to be part of
|
||||
upstream version. Rename it to fedorassgversion to avoid name collision
|
||||
with Fedora package release.
|
||||
|
||||
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
|
||||
- Add .gitignore for Fedora output directory
|
||||
- Set up Fedora release name and CPE based on build system properties
|
||||
- Use correct file paths in scap-security-guide(8) manual page
|
||||
(RH BZ#1018905, c#10)
|
||||
- Apply further changes motivated by scap-security-guide Fedora RPM review
|
||||
request (RH BZ#1018905, c#8):
|
||||
* update package description,
|
||||
* make content files to be owned by the scap-security-guide package,
|
||||
* remove Fedora release number from generated content files,
|
||||
* move HTML form of the guide under the doc directory (together
|
||||
with that drop fedora/content subdir and place the content
|
||||
directly under fedora/ subdir).
|
||||
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
|
||||
* drop Fedora release from package provided files' final path (c#5),
|
||||
* drop BuildRoot, selected Requires:, clean section, drop chcon for
|
||||
manual page, don't gzip man page (c#4),
|
||||
* change package's description (c#4),
|
||||
* include PD license text (#c4).
|
||||
|
||||
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
|
||||
- Provide manual page for scap-security-guide
|
||||
- Remove percent sign from spec's changelog to silence rpmlint warning
|
||||
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
|
||||
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
|
||||
- Introduce 'Account and Access Control' section
|
||||
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
|
||||
rules to Fedora
|
||||
- Set proper name of the build directory in the spec's setup macro.
|
||||
- Replace hard-coded paths with macros. Preserve attributes when copying files.
|
||||
|
||||
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
|
||||
- Initial Fedora SSG RPM.
|
Loading…
Reference in New Issue
Block a user