Compare commits

...

No commits in common. "changed/a9/scap-security-guide-0.1.63-5.el9.alma" and "c8" have entirely different histories.

13 changed files with 411 additions and 30768 deletions

4
.gitignore vendored
View File

@ -1 +1,3 @@
SOURCES/scap-security-guide-0.1.63.tar.bz2
SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
SOURCES/scap-security-guide-0.1.74.tar.bz2

View File

@ -1 +1,3 @@
b77c67caa4f8818e95fa6a4c74adf3173ed8e3d2 SOURCES/scap-security-guide-0.1.63.tar.bz2
b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
17274daaa588330aa4df9a4d8df5ef448e40a696 SOURCES/scap-security-guide-0.1.73-1.el7_9-rhel7.tar.bz2
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2

File diff suppressed because it is too large Load Diff

File diff suppressed because one or more lines are too long

View File

@ -1,90 +0,0 @@
From 4ef59d44355179b6450ac493d4417a8b29d8ccf1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:15 +0200
Subject: [PATCH 1/4] fix ospp references
---
linux_os/guide/system/accounts/enable_authselect/rule.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/enable_authselect/rule.yml b/linux_os/guide/system/accounts/enable_authselect/rule.yml
index c151d3c4aa1..f9b46c51ddd 100644
--- a/linux_os/guide/system/accounts/enable_authselect/rule.yml
+++ b/linux_os/guide/system/accounts/enable_authselect/rule.yml
@@ -34,6 +34,7 @@ references:
disa: CCI-000213
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii) # taken from require_singleuser_auth
nist: AC-3
+ ospp: FIA_UAU.1,FIA_AFL.1
srg: SRG-OS-000480-GPOS-00227
ocil: |-
From 05a0414b565097c155d0c4a1696d8c4f2da91298 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:42 +0200
Subject: [PATCH 2/4] change authselect profile to minimal in rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b47630c62b0..dcc41970043 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -115,7 +115,7 @@ selections:
- coredump_disable_storage
- coredump_disable_backtraces
- service_systemd-coredump_disabled
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- use_pam_wheel_for_su
From 350135aa0c49a8a383103f88034acbb3925bb556 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 11:45:54 +0200
Subject: [PATCH 3/4] change authselect profile to minimal in rhel8 ospp
---
products/rhel8/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/ospp.profile b/products/rhel8/profiles/ospp.profile
index 39ad1797c7a..ebec8a3a6f9 100644
--- a/products/rhel8/profiles/ospp.profile
+++ b/products/rhel8/profiles/ospp.profile
@@ -220,7 +220,7 @@ selections:
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions
- securetty_root_login_console_only
- - var_authselect_profile=sssd
+ - var_authselect_profile=minimal
- enable_authselect
- var_password_pam_unix_remember=5
- accounts_password_pam_unix_remember
From 9d6014242b3fcda06b38ac35d73d5d4df75313a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 13:55:05 +0200
Subject: [PATCH 4/4] update profile stability test
---
tests/data/profile_stability/rhel8/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 5d73a8c6fef..21e93e310d5 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -242,7 +242,7 @@ selections:
- var_slub_debug_options=P
- var_auditd_flush=incremental_async
- var_accounts_max_concurrent_login_sessions=10
-- var_authselect_profile=sssd
+- var_authselect_profile=minimal
- var_password_pam_unix_remember=5
- var_selinux_state=enforcing
- var_selinux_policy_name=targeted

View File

@ -1,302 +0,0 @@
From 694af59f0c400d34b11e80b29b66cdb82ad080b6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 27 Jul 2022 13:49:05 +0200
Subject: [PATCH 1/8] remove unneeded coredump related rules from rhel9 ospp
---
products/rhel9/profiles/ospp.profile | 3 ---
1 file changed, 3 deletions(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index dcc41970043..0902abf58db 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,10 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - disable_users_coredumps
- sysctl_kernel_core_pattern
- - coredump_disable_storage
- - coredump_disable_backtraces
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From da50ca7abc0358b6b5db72f26173843454461dcf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 12:17:27 +0200
Subject: [PATCH 2/8] remove conditional from sysctl templated OVAL
actually now it is quite common that the sysctlval can be undefined. In this case, XCCDF variable is used. See documentation for sysctl template.
I don't think there is a need to have this special regex. Moreover, the regex was checking only for numbers.
---
shared/templates/sysctl/oval.template | 5 -----
1 file changed, 5 deletions(-)
diff --git a/shared/templates/sysctl/oval.template b/shared/templates/sysctl/oval.template
index 1a7c4979bbe..e0c6f72f928 100644
--- a/shared/templates/sysctl/oval.template
+++ b/shared/templates/sysctl/oval.template
@@ -17,13 +17,8 @@
{{% endif %}}
{{%- endmacro -%}}
{{%- macro sysctl_match() -%}}
-{{%- if SYSCTLVAL == "" -%}}
- <ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- else -%}}
<ind:pattern operation="pattern match">^[\s]*{{{ SYSCTLVAR }}}[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-{{%- endif -%}}
{{%- endmacro -%}}
{{%- if "P" in FLAGS -%}}
From 9b9110cd969afe7ba3796030a33dd795432a9373 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:00:45 +0200
Subject: [PATCH 3/8] add new rule sysctl_kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 36 +++++++++++++++++++
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
new file mode 100644
index 00000000000..7fa36fb940e
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Configure file name of core dumps'
+
+description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
+
+rationale: |-
+ The default coredump filename is <pre>core</pre>. By setting
+ <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
+ <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
+ <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
+ <pre>.PID</pre> will be appended to the filename.
+
+severity: medium
+
+identifiers:
+ cce@rhel9: CCE-86003-1
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+
+ocil: |-
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_uses_pid
+ datatype: int
+ sysctlval: '0'
From 04dbd2db9469082a450e9b062d91e47190abe552 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 09:08:37 +0200
Subject: [PATCH 4/8] add new rule setting kernel.core_pattern to empty string
---
.../rule.yml | 49 +++++++++++++++++++
2 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
new file mode 100644
index 00000000000..089bb1481aa
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -0,0 +1,49 @@
+documentation_complete: true
+
+prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+
+title: 'Disable storing core dumps'
+
+description: |-
+ The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
+ name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+ behaves differently based on another related option. If
+ <tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
+ <tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
+ created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
+ <tt>0</tt>, no coredump is saved.
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data and is generally useful
+ only for developers trying to debug problems.
+
+severity: medium
+
+requires:
+ - sysctl_kernel_core_uses_pid
+
+conflicts:
+ - sysctl_kernel_core_pattern
+
+identifiers:
+ cce@rhel9: CCE-86005-6
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: |-
+ the returned line does not have a value of ''.
+
+ocil: |
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+
+platform: machine
+
+template:
+ name: sysctl
+ vars:
+ sysctlvar: kernel.core_pattern
+ sysctlval: "''"
+ datatype: string
From 42690d39487d5483693fc4ce32c0c95d11ee3203 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:40:47 +0200
Subject: [PATCH 5/8] add rule to RHEL9 OSPP profile
---
products/rhel9/profiles/ospp.profile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 0902abf58db..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,8 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
- enable_authselect
From d7e194f1998757d3b5a7691c598a71549215f97b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 3 Aug 2022 13:01:12 +0200
Subject: [PATCH 6/8] describe beneficial dependency between
sysctl_kernel_core_pattern_empty_string and sysctl:kernel_core_uses_pid
---
.../sysctl_kernel_core_uses_pid/rule.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index 7fa36fb940e..d6d2c468c10 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -7,11 +7,14 @@ title: 'Configure file name of core dumps'
description: '{{{ describe_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}'
rationale: |-
- The default coredump filename is <pre>core</pre>. By setting
- <pre>core_uses_pid</pre> to <pre>1</pre>, the coredump filename becomes
- <pre>core.PID</pre>. If <pre>core_pattern</pre> does not include
- <pre>%p</pre> (default does not) and <pre>core_uses_pid</pre> is set, then
- <pre>.PID</pre> will be appended to the filename.
+ The default coredump filename is <tt>core</tt>. By setting
+ <tt>core_uses_pid</tt> to <tt>1</tt>, the coredump filename becomes
+ <tt>core.PID</tt>. If <tt>core_pattern</tt> does not include
+ <tt>%p</tt> (default does not) and <tt>core_uses_pid</tt> is set, then
+ <tt>.PID</tt> will be appended to the filename.
+ When combined with <tt>kernel.core_pattern = ""</tt> configuration, it
+ is ensured that no core dumps are generated and also no confusing error
+ messages are printed by a shell.
severity: medium
From cd0f5491d57bf42e5901c681e290a9378eade3e6 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 5 Aug 2022 10:53:37 +0200
Subject: [PATCH 7/8] make sysctl_kernel_core_pattern conflicting with
sysctl_kernel_core_pattern_empty_string
they are modifying the same configuration
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 771c4d40e0f..c27a9e7ecf3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,6 +13,9 @@ rationale: |-
severity: medium
+conflicts:
+ - sysctl_kernel_core_pattern_empty_string
+
identifiers:
cce@rhcos4: CCE-82527-3
cce@rhel8: CCE-82215-5
From 62b0e48e7db9ed7e82940d7ca3a34a121f67c6cf Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 9 Aug 2022 16:43:20 +0200
Subject: [PATCH 8/8] fix ocils
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 5 ++++-
.../restrictions/sysctl_kernel_core_uses_pid/rule.yml | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index c27a9e7ecf3..1a540ce20b3 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -29,7 +29,10 @@ references:
stigid@ol8: OL08-00-010671
stigid@rhel8: RHEL-08-010671
-ocil_clause: 'the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: |-
+ the returned line does not have a value of "|/bin/false", or a line is not
+ returned and the need for core dumps is not documented with the Information
+ System Security Officer (ISSO) as an operational requirement
ocil: |
{{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}}
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
index d6d2c468c10..8f51f97c16c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_uses_pid/rule.yml
@@ -24,10 +24,10 @@ identifiers:
references:
ospp: FMT_SMF_EXT.1
-ocil_clause: 'the returned line does not have a value of 0, or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement'
+ocil_clause: 'the returned line does not have a value of 0'
ocil: |-
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value=0) }}}
+ {{{ ocil_sysctl_option_value(sysctl="kernel.core_uses_pid", value=0) }}}
platform: machine

View File

@ -1,826 +0,0 @@
From 796d3630621847b478896ee4a773cdb605821882 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 18 Aug 2022 13:06:49 +0200
Subject: [PATCH 1/8] Create custom sysctl_kernel_core_pattern_empty_string
content.
---
.../ansible/shared.yml | 32 +++
.../bash/shared.sh | 60 +++++
.../oval/shared.xml | 221 ++++++++++++++++++
.../rule.yml | 23 +-
.../tests/correct_value.pass.sh | 10 +
.../tests/wrong_value.fail.sh | 10 +
.../tests/wrong_value_three_entries.fail.sh | 11 +
.../tests/wrong_value_two_entries.fail.sh | 10 +
products/rhel9/profiles/ospp.profile | 2 +-
9 files changed, 366 insertions(+), 13 deletions(-)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
new file mode 100644
index 00000000000..a6e7bf54b56
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_all
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+- name: List /etc/sysctl.d/*.conf files
+ find:
+ paths:
+ - /etc/sysctl.d/
+ - /run/sysctl.d/
+ contains: ^[\s]*kernel.core_pattern.*$
+ patterns: '*.conf'
+ file_type: any
+ register: find_sysctl_d
+- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
+ files
+ replace:
+ path: '{{ item.path }}'
+ regexp: ^[\s]*kernel.core_pattern
+ replace: '#kernel.core_pattern'
+ loop: '{{ find_sysctl_d.files }}'
+- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
+ replace:
+ path: /etc/sysctl.conf
+ regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
+ replace: '#kernel.core_pattern'
+- name: Ensure sysctl kernel.core_pattern is set to empty
+ sysctl:
+ name: kernel.core_pattern
+ value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces
+ state: present
+ reload: true
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
new file mode 100644
index 00000000000..989987250bc
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
@@ -0,0 +1,60 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# reboot = true
+# strategy = disable
+# complexity = low
+# disruption = medium
+# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+# Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files
+
+for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do
+
+ matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq )
+ if ! test -z "$matching_list"; then
+ while IFS= read -r entry; do
+ escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
+ # comment out "kernel.core_pattern" matches to preserve user data
+ sed -i "s/^${escaped_entry}$/# &/g" $f
+ done <<< "$matching_list"
+ fi
+done
+
+#
+# Set runtime for kernel.core_pattern
+#
+/sbin/sysctl -q -n -w kernel.core_pattern=""
+
+#
+# If kernel.core_pattern present in /etc/sysctl.conf, change value to empty
+# else, add "kernel.core_pattern =" to /etc/sysctl.conf
+#
+# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
+# Otherwise, regular sed command will do.
+sed_command=('sed' '-i')
+if test -L "/etc/sysctl.conf"; then
+ sed_command+=('--follow-symlinks')
+fi
+
+# Strip any search characters in the key arg so that the key can be replaced without
+# adding any search characters to the config file.
+stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern")
+
+# shellcheck disable=SC2059
+printf -v formatted_output "%s=" "$stripped_key"
+
+# If the key exists, change it. Otherwise, add it to the config_file.
+# We search for the key string followed by a word boundary (matched by \>),
+# so if we search for 'setting', 'setting2' won't match.
+if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then
+ escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
+ "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf"
+else
+ # \n is precaution for case where file ends without trailing newline
+
+ printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf"
+fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
new file mode 100644
index 00000000000..39654259dcb
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
@@ -0,0 +1,221 @@
+
+
+<def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
+ <criteria operator="AND">
+ <extend_definition comment="kernel.core_pattern configuration setting check"
+ definition_ref="sysctl_kernel_core_pattern_empty_string_static"/>
+ <extend_definition comment="kernel.core_pattern runtime setting check"
+ definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
+ </criteria>
+ </definition>
+</def-group><def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
+ <criteria operator="AND">
+ <criterion comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_runtime"/>
+ </criteria>
+ </definition>
+
+ <unix:sysctl_test id="test_sysctl_kernel_core_pattern_empty_string_runtime" version="1"
+ comment="kernel runtime parameter kernel.core_pattern set to an empty string"
+ check="all" check_existence="all_exist" state_operator="OR">
+ <unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+ <unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
+
+ </unix:sysctl_test>
+
+ <unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+ <unix:name>kernel.core_pattern</unix:name>
+ </unix:sysctl_object>
+
+
+ <unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
+
+ <unix:value datatype="string"
+ operation="equals"></unix:value>
+
+ </unix:sysctl_state>
+
+</def-group>
+<def-group>
+ <definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_static" version="3">
+ {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.") }}}
+ <criteria operator="AND">
+ <criteria operator="OR">
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static"/>
+ <!-- see sysctl.d(5) -->
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /etc/sysctl.d/*.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
+ <criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
+ test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
+
+ </criteria>
+
+ <criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
+ check="all" check_existence="all_exist"
+ comment="kernel.core_pattern static configuration" state_operator="OR">
+ <ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
+ comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
+ <ind:object object_ref="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld" version="1" check="all"
+ comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
+ <ind:object object_ref="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+ <ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
+
+ </ind:textfilecontent54_test>
+ <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern"
+ id="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:object object_ref="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ <ind:state state_ref="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
+ </ind:variable_test>
+
+ <ind:variable_object id="object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:var_ref>local_var_sysctl_kernel_core_pattern_empty_string_counter</ind:var_ref>
+ </ind:variable_object>
+
+ <ind:variable_state id="state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" version="1">
+ <ind:value operation="equals" datatype="int">1</ind:value>
+ </ind:variable_state>
+
+ <local_variable comment="Count unique sysctls" datatype="int" id="local_var_sysctl_kernel_core_pattern_empty_string_counter" version="1">
+ <count>
+ <unique>
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" item_field="filepath" />
+ </unique>
+ </count>
+ </local_variable>
+
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls" version="1">
+ <set>
+ <object_reference>object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered</object_reference>
+ <filter action="exclude">state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink</filter>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink" version="1">
+ <ind:filepath operation="equals" var_check="at least one" var_ref="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" datatype="string" />
+ </ind:textfilecontent54_state>
+
+ <!-- <no symlink handling> -->
+ <!-- We craft a variable with blank string to combine with the symlink paths found.
+ This ultimately avoids referencing a variable with "no values",
+ we reference a variable with a blank string -->
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks" version="1">
+ <unique>
+ <object_component object_ref="var_object_symlink_sysctl_kernel_core_pattern_empty_string" item_field="value" />
+ </unique>
+ </local_variable>
+
+ <ind:variable_object id="var_object_symlink_sysctl_kernel_core_pattern_empty_string" comment="combine the blank string with symlink paths found" version="1">
+ <set>
+ <object_reference>var_obj_symlink_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>var_obj_blank_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:variable_object>
+
+ <ind:variable_object id="var_obj_blank_sysctl_kernel_core_pattern_empty_string" comment="variable object of the blank string" version="1">
+ <ind:var_ref>local_var_blank_path_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+ </ind:variable_object>
+
+ <local_variable comment="Blank string" datatype="string" id="local_var_blank_path_sysctl_kernel_core_pattern_empty_string" version="1">
+ <literal_component datatype="string"></literal_component>
+ </local_variable>
+
+ <ind:variable_object id="var_obj_symlink_sysctl_kernel_core_pattern_empty_string" comment="variable object of the symlinks found" version="1">
+ <ind:var_ref>local_var_symlinks_sysctl_kernel_core_pattern_empty_string</ind:var_ref>
+ </ind:variable_object>
+ <!-- </no symlink handling> -->
+
+ <local_variable comment="Unique list of symlink conf files" datatype="string" id="local_var_symlinks_sysctl_kernel_core_pattern_empty_string" version="1">
+ <unique>
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_symlinks" item_field="filepath" />
+ </unique>
+ </local_variable>
+
+ <!-- "pattern match" doesn't seem to work with symlink_object, not sure if a bug or not.
+ Workaround by querying for all conf files found -->
+ <unix:symlink_object comment="Symlinks referencing files in default dirs" id="object_sysctl_kernel_core_pattern_empty_string_symlinks" version="1">
+ <unix:filepath operation="equals" var_ref="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" />
+ <filter action="exclude">state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string</filter>
+ </unix:symlink_object>
+
+ <!-- The state matches symlinks that don't point to the default dirs, i.e. paths that are not:
+ ^/etc/sysctl.conf$
+ ^/etc/sysctl.d/.*$
+ ^/run/sysctl.d/.*$
+ ^/usr/lib/sysctl.d/.*$ -->
+ <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string" version="1">
+ <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
+ </unix:symlink_state>
+
+
+ <local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
+ <object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
+ </local_variable>
+
+ <!-- Avoid directly referencing a possibly empty collection, one empty collection will cause the
+ variable to have no value even when there are valid objects. -->
+ <ind:textfilecontent54_object id="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" version="1">
+ <set>
+ <object_reference>object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+ <set>
+ <object_reference>object_static_sysctl_sysctl_kernel_core_pattern_empty_string</object_reference>
+ <object_reference>object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
+ <set>
+ <object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
+
+ </set>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_sysctl_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:filepath>/etc/sysctl.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:path>/etc/sysctl.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+ <ind:path>/run/sysctl.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ <ind:pattern operation="pattern match">^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
+
+ <ind:subexpression operation="equals" datatype="string"></ind:subexpression>
+
+ </ind:textfilecontent54_state>
+
+</def-group>
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
index dc21f53c98c..2babb28e361 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -1,18 +1,18 @@
documentation_complete: true
-prodtype: fedora,ol8,ol9,rhcos4,rhel8,rhel9
+prodtype: rhel9
title: 'Disable storing core dumps'
description: |-
The <tt>kernel.core_pattern</tt> option specifies the core dumpfile pattern
- name. It can be set to an empty string <tt>''</tt>. In this case, the kernel
+ name. It can be set to an empty string. In this case, the kernel
behaves differently based on another related option. If
<tt>kernel.core_uses_pid</tt> is set to <tt>1</tt>, then a file named as
<tt>.PID</tt> (where <tt>PID</tt> is process ID of the crashed process) is
created in the working directory. If <tt>kernel.core_uses_pid</tt> is set to
<tt>0</tt>, no coredump is saved.
- {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}'
+ {{{ describe_sysctl_option_value(sysctl="kernel.core_pattern", value="") }}}
rationale: |-
A core dump includes a memory image taken at the time the operating system
@@ -30,17 +30,16 @@ conflicts:
identifiers:
cce@rhel9: CCE-86005-6
+references:
+ ospp: FMT_SMF_EXT.1
+
ocil_clause: |-
- the returned line does not have a value of ''.
+ the returned line does not have an empty string
ocil: |
- {{{ ocil_sysctl_option_value(sysctl="kernel.core_pattern", value="''") }}}
+ The runtime status of the <code>kernel.core_pattern</code> kernel parameter can be queried
+ by running the following command:
+ <pre>$ sysctl kernel.core_pattern | cat -A</pre>
+ <code>kernel.core_pattern = $</code>
platform: machine
-
-template:
- name: sysctl
- vars:
- sysctlvar: kernel.core_pattern
- sysctlval: "''"
- datatype: string
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..71f0f5db142
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..1c5fabcc136
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
new file mode 100644
index 00000000000..e56e927ec56
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_three_entries.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
new file mode 100644
index 00000000000..6c065b1e038
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_two_entries.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index 9fdd1354e38..b1b18261d48 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern
+ - sysctl_kernel_core_pattern_empty_string
- sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
From a77abaf442d411fe7bc59e94a1c0330163e03a16 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:13:04 +0200
Subject: [PATCH 2/8] Make the conflicts attribute appblicable only to RHEL9.
The new rule empty is applicable only to RHEL9 and if there would not be
the restriction, then dangling references would be produced.
---
.../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
index 1a540ce20b3..e369854060b 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml
@@ -13,8 +13,10 @@ rationale: |-
severity: medium
+{{% if product in ["rhel9"] %}}
conflicts:
- sysctl_kernel_core_pattern_empty_string
+{{% endif %}}
identifiers:
cce@rhcos4: CCE-82527-3
From ec71ac98b89cc8295324c90b1610a5ff01126895 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:16:41 +0200
Subject: [PATCH 3/8] Switch bash remediation applicable to all products in
sysctl_kernel_core_pattern_empty_string.
---
.../sysctl_kernel_core_pattern_empty_string/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
index 989987250bc..9e84d41056d 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_all
# reboot = true
# strategy = disable
# complexity = low
From bac544446d3c5a1d87a2b4934cbb94ebc00d2ce9 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 11:23:04 +0200
Subject: [PATCH 4/8] Address feedback.
---
.../ansible/shared.yml | 3 +++
.../oval/shared.xml | 19 +++++--------------
2 files changed, 8 insertions(+), 14 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
index a6e7bf54b56..22a8d99dae8 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -12,6 +12,7 @@
patterns: '*.conf'
file_type: any
register: find_sysctl_d
+
- name: Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf
files
replace:
@@ -19,11 +20,13 @@
regexp: ^[\s]*kernel.core_pattern
replace: '#kernel.core_pattern'
loop: '{{ find_sysctl_d.files }}'
+
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
replace:
path: /etc/sysctl.conf
regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
replace: '#kernel.core_pattern'
+
- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
name: kernel.core_pattern
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
index 39654259dcb..1c3bbfd9a3e 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml
@@ -10,7 +10,9 @@
definition_ref="sysctl_kernel_core_pattern_empty_string_runtime"/>
</criteria>
</definition>
-</def-group><def-group>
+</def-group>
+
+<def-group>
<definition class="compliance" id="sysctl_kernel_core_pattern_empty_string_runtime" version="3">
{{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system runtime.") }}}
<criteria operator="AND">
@@ -23,21 +25,15 @@
comment="kernel runtime parameter kernel.core_pattern set to an empty string"
check="all" check_existence="all_exist" state_operator="OR">
<unix:object object_ref="object_sysctl_kernel_core_pattern_empty_string_runtime"/>
-
<unix:state state_ref="state_sysctl_kernel_core_pattern_empty_string_runtime"/>
-
</unix:sysctl_test>
<unix:sysctl_object id="object_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
<unix:name>kernel.core_pattern</unix:name>
</unix:sysctl_object>
-
<unix:sysctl_state id="state_sysctl_kernel_core_pattern_empty_string_runtime" version="1">
-
- <unix:value datatype="string"
- operation="equals"></unix:value>
-
+ <unix:value datatype="string" operation="equals"></unix:value>
</unix:sysctl_state>
</def-group>
@@ -53,18 +49,17 @@
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld"/>
<criterion comment="kernel static parameter kernel.core_pattern set to an empty string in /run/sysctl.d/*.conf"
test_ref="test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld"/>
-
</criteria>
<criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file" />
</criteria>
</definition>
+
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static" version="1"
check="all" check_existence="all_exist"
comment="kernel.core_pattern static configuration" state_operator="OR">
<ind:object object_ref="object_static_sysctl_sysctl_kernel_core_pattern_empty_string"/>
<ind:state state_ref="state_static_sysctld_sysctl_kernel_core_pattern_empty_string"/>
-
</ind:textfilecontent54_test>
<ind:textfilecontent54_test id="test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld" version="1" check="all"
@@ -165,7 +160,6 @@
<unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
</unix:symlink_state>
-
<local_variable comment="List of conf files" datatype="string" id="local_var_conf_files_sysctl_kernel_core_pattern_empty_string" version="1">
<object_component object_ref="object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered" item_field="filepath" />
</local_variable>
@@ -189,7 +183,6 @@
<ind:textfilecontent54_object id="object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string" version="1">
<set>
<object_reference>object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string</object_reference>
-
</set>
</ind:textfilecontent54_object>
@@ -213,9 +206,7 @@
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_state id="state_static_sysctld_sysctl_kernel_core_pattern_empty_string" version="1">
-
<ind:subexpression operation="equals" datatype="string"></ind:subexpression>
-
</ind:textfilecontent54_state>
</def-group>
From 39bb8e75c95c469a4f6428664f24f7f9688ffa87 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 14:46:15 +0200
Subject: [PATCH 5/8] Fix test parse affected to support OVAL with multiple
def-group tags.
---
tests/test_parse_affected.py | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
index 8407794b972..947b56636c0 100755
--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
@@ -3,6 +3,7 @@
from __future__ import print_function
import os
+import re
import sys
import ssg.constants
@@ -73,19 +74,24 @@ def parse_affected(cur_dir, env_yaml):
if not xml_content:
continue
- oval_contents = ssg.utils.split_string_content(xml_content)
+ # split multiple def group into a list so multiple definitions in one OVAL also work
+ # this findall does not preserv the <def-group> tag but it's not necessary for the
+ # purpose of the test
+ xml_content_list = re.findall(r'<def-group>(.+?)</def-group>', xml_content, re.DOTALL)
+ for item in xml_content_list:
+ oval_contents = ssg.utils.split_string_content(item)
- try:
- results = ssg.oval.parse_affected(oval_contents)
+ try:
+ results = ssg.oval.parse_affected(oval_contents)
- assert len(results) == 3
- assert isinstance(results[0], int)
- assert isinstance(results[1], int)
+ assert len(results) == 3
+ assert isinstance(results[0], int)
+ assert isinstance(results[1], int)
- except ValueError as e:
- print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, xml_content))
- raise e
+ except ValueError as e:
+ print("No <affected> element found in file {}. "
+ " Parsed XML was:\n{}".format(oval, item))
+ raise e
if __name__ == "__main__":
From 8d6176c1f96f983aaa0134d19cc66fd3c7b29e15 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:14:57 +0200
Subject: [PATCH 6/8] Fix ansible remediation to preserve old non compliant
values.
Comment out any offending line.
---
.../ansible/shared.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
index 22a8d99dae8..f4dc5110fee 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml
@@ -24,8 +24,8 @@
- name: Comment out any occurrences of kernel.core_pattern with value from /etc/sysctl.conf files
replace:
path: /etc/sysctl.conf
- regexp: ^[\s]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*\S+
- replace: '#kernel.core_pattern'
+ regexp: '^[\s]*kernel.core_pattern([ \t]*=[ \t]*\S+)'
+ replace: '#kernel.core_pattern\1'
- name: Ensure sysctl kernel.core_pattern is set to empty
sysctl:
From c5bcea37000f54f3273d529237e02fe0979e6d6d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 15:20:41 +0200
Subject: [PATCH 7/8] Fix PEP8 issue.
---
tests/test_parse_affected.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_parse_affected.py b/tests/test_parse_affected.py
index 947b56636c0..53690df5ce1 100755
--- a/tests/test_parse_affected.py
+++ b/tests/test_parse_affected.py
@@ -90,7 +90,7 @@ def parse_affected(cur_dir, env_yaml):
except ValueError as e:
print("No <affected> element found in file {}. "
- " Parsed XML was:\n{}".format(oval, item))
+ " Parsed XML was:\n{}".format(oval, item))
raise e
From 243347ad56fcd4f83f0b77e9b3b7fcd98d0d4acb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 25 Aug 2022 16:31:31 +0200
Subject: [PATCH 8/8] Add more test scenarios for
sysctl_kernel_core_pattern_empty_string.
---
.../tests/correct_value_with_spaces.pass.sh | 10 ++++++++++
.../tests/wrong_value_d_directory.fail.sh | 9 +++++++++
.../tests/wrong_value_runtime.fail.sh | 10 ++++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
new file mode 100644
index 00000000000..b6688e6ca91
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/correct_value_with_spaces.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern= " >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
new file mode 100644
index 00000000000..6c574b92762
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_d_directory.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/98-sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern=""
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
new file mode 100644
index 00000000000..8c729677b86
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/tests/wrong_value_runtime.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Clean sysctl config directories
+rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
+
+sed -i "/kernel.core_pattern/d" /etc/sysctl.conf
+echo "kernel.core_pattern=" >> /etc/sysctl.conf
+
+# set correct runtime value to check if the filesystem configuration is evaluated properly
+sysctl -w kernel.core_pattern="|/bin/false"

View File

@ -1,47 +0,0 @@
From 21124e8524967788d4c95d47dd41259a0c7f958c Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Wed, 20 Jul 2022 14:18:13 +0200
Subject: [PATCH] change remediations to include the "=" sign
---
.../crypto/configure_openssl_crypto_policy/ansible/shared.yml | 4 ++--
.../crypto/configure_openssl_crypto_policy/bash/shared.sh | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
index c335a9e7fa2..852ca18cf79 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/ansible/shared.yml
@@ -20,7 +20,7 @@
lineinfile:
create: yes
insertafter: '^\s*\[\s*crypto_policy\s*]\s*'
- line: ".include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: ".include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
@@ -29,7 +29,7 @@
- name: "Add crypto_policy group and set include opensslcnf.config"
lineinfile:
create: yes
- line: "[crypto_policy]\n.include /etc/crypto-policies/back-ends/opensslcnf.config"
+ line: "[crypto_policy]\n.include = /etc/crypto-policies/back-ends/opensslcnf.config"
path: {{{ openssl_cnf_path }}}
when:
- test_crypto_policy_group.stdout is defined
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
index 21edb780a2f..79eb5cff189 100644
--- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/bash/shared.sh
@@ -2,8 +2,8 @@
OPENSSL_CRYPTO_POLICY_SECTION='[ crypto_policy ]'
OPENSSL_CRYPTO_POLICY_SECTION_REGEX='\[\s*crypto_policy\s*\]'
-OPENSSL_CRYPTO_POLICY_INCLUSION='.include /etc/crypto-policies/back-ends/opensslcnf.config'
-OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*/etc/crypto-policies/back-ends/opensslcnf.config$'
+OPENSSL_CRYPTO_POLICY_INCLUSION='.include = /etc/crypto-policies/back-ends/opensslcnf.config'
+OPENSSL_CRYPTO_POLICY_INCLUSION_REGEX='^\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config$'
{{% if 'sle' in product %}}
{{% set openssl_cnf_path="/etc/ssl/openssl.cnf" %}}

View File

@ -1,29 +0,0 @@
From eef5cb155b9f820439ca32f993cebf1f68b29e80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 28 Jul 2022 15:08:15 +0200
Subject: [PATCH] Remove a confusing sentence
In the rule description, there are 2 conflicting sentences, they
both start by "By default ...", but they negate each other.
In fact, the second of them is true, so the first one could be
removed.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2092799
---
.../accounts-physical/require_singleuser_auth/rule.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 932d76c36d9..332712ea1dd 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -8,8 +8,7 @@ title: 'Require Authentication for Single User Mode'
description: |-
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
- providing a boot option at startup. By default, no authentication
- is performed if single-user mode is selected.
+ providing a boot option at startup.
<br /><br />
By default, single-user mode is protected by requiring a password and is set
in <tt>/usr/lib/systemd/system/rescue.service</tt>.

View File

@ -1,48 +0,0 @@
From d76e93e697755e63d5c833747adef4af23c3256b Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:28 +0200
Subject: [PATCH 1/2] switch sysctl_kernel_core_pattern_empty_string for
sysctl_kernel_core_pattern
---
products/rhel9/profiles/ospp.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel9/profiles/ospp.profile b/products/rhel9/profiles/ospp.profile
index b1b18261d48..9fdd1354e38 100644
--- a/products/rhel9/profiles/ospp.profile
+++ b/products/rhel9/profiles/ospp.profile
@@ -110,7 +110,7 @@ selections:
- package_gnutls-utils_installed
### Login
- - sysctl_kernel_core_pattern_empty_string
+ - sysctl_kernel_core_pattern
- sysctl_kernel_core_uses_pid
- service_systemd-coredump_disabled
- var_authselect_profile=minimal
From d304b9f0037bfac6e20b1365e0d320f714ce09a3 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 22 Aug 2022 13:51:55 +0200
Subject: [PATCH 2/2] remove ospp reference from
sysctl_kernel_core_pattern_empty_string
---
.../sysctl_kernel_core_pattern_empty_string/rule.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
index 089bb1481aa..dc21f53c98c 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/rule.yml
@@ -30,9 +30,6 @@ conflicts:
identifiers:
cce@rhel9: CCE-86005-6
-references:
- ospp: FMT_SMF_EXT.1
-
ocil_clause: |-
the returned line does not have a value of ''.

View File

@ -1,60 +0,0 @@
From be2aba89ab61767fd301ee1ac4f4e64bf5a66887 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 11 Aug 2022 16:53:48 +0200
Subject: [PATCH] add 4 rules back to RHEL9 datastream
---
.../services/kerberos/package_krb5-server_removed/rule.yml | 2 +-
.../guide/services/obsolete/nis/package_ypbind_removed/rule.yml | 2 +-
.../guide/services/obsolete/nis/package_ypserv_removed/rule.yml | 2 +-
.../system-tools/package_krb5-workstation_removed/rule.yml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
index 78577046409..17d742d9692 100644
--- a/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
+++ b/linux_os/guide/services/kerberos/package_krb5-server_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8,rhel9
title: 'Remove the Kerberos Server Package'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
index d8a3910ff4d..9be95ffed5c 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: alinux2,alinux3,ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Remove NIS Client'
diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
index ee7ccb2d8da..0f7ad7c0431 100644
--- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
+++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: ol7,ol8,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Uninstall ypserv Package'
diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
index 7a02459825d..4750fd6b266 100644
--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
+++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8
+prodtype: fedora,ol7,ol8,ol9,rhel7,rhel8,rhel9
title: 'Uninstall krb5-workstation Package'

View File

@ -1,41 +1,37 @@
# SSG build system and tests count with build directory name `build`.
# For more details see:
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# Base name of static rhel7 content tarball
%global _static_rhel7_content %{name}-0.1.73-1.el7_9-rhel7
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.63
Release: 5%{?dist}.alma
Version: 0.1.74
Release: 3%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
Group: Applications/System
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1: %{_static_rhel6_content}.tar.bz2
# Include tarball with last released rhel7 content
Source2: %{_static_rhel7_content}.tar.bz2
BuildArch: noarch
Patch0: scap-security-guide-0.1.64-audit_rules_for_ppc64le-PR_9124.patch
Patch1: scap-security-guide-0.1.64-fix_openssl_cryptopolicy_remediation-PR_9194.patch
Patch2: scap-security-guide-0.1.64-sysctl_template_extension_and_bpf_rules-PR_9147.patch
Patch3: scap-security-guide-0.1.64-fix_require_single_user_description-PR_9256.patch
Patch4: scap-security-guide-0.1.64-authselect_minimal_for_ospp-PR_9298.patch
Patch5: scap-security-guide-0.1.64-coredump_rules_for_ospp-PR_9285.patch
Patch6: scap-security-guide-0.1.64-readd_rules-PR_9334.patch
Patch7: scap-security-guide-0.1.64-put_back_kernel_core_pattern_bin_false-PR_9384.patch
Patch8: scap-security-guide-0.1.64-fix_core_pattern_empty_string-PR_9396.patch
# AlmaLinux 9
Patch1000: scap-security-guide-0.1.60-add-almalinux9-product.patch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python3-devel
BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
Requires: xml-common, openscap-scanner >= 1.2.5
Obsoletes: openscap-content < 0:0.9.13
Provides: openscap-content
%description
The scap-security-guide project provides a guide for configuration of the
@ -51,6 +47,7 @@ further information.
%package doc
Summary: HTML formatted security guides generated from XCCDF benchmarks
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description doc
@ -58,7 +55,7 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if %{defined rhel}
%if ( %{defined rhel} && (! %{defined centos}) )
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
@ -69,36 +66,58 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%endif
%prep
%autosetup -p1
%setup -q -b1 -b2
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
%endif
%if 0%{?almalinux}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_ALMALINUX%{almalinux}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
mkdir -p build
%build
%cmake %{cmake_defines_common} %{cmake_defines_specific}
mkdir -p build
cd build
%cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
%if ( %{defined rhel} && (! %{defined centos}) )
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
%endif
../
%cmake_build
%install
cd build
%cmake_install
rm %{buildroot}/%{_docdir}/%{name}/README.md
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
# Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
# Manually install pre-built rhel7 content
cp -r %{_builddir}/%{_static_rhel7_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel7_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel7_content}/guides %{buildroot}%{_docdir}/%{name}
# create symlinks for ssg-<product>-ds-1.2.xml to ssg-<product>-ds.xml
# this is for backward compatibility
ln -s ssg-rhel8-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml
ln -s ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ssg-firefox-ds-1.2.xml
%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible/*.yml
%{_datadir}/%{name}/ansible
%{_datadir}/%{name}/bash
%{_datadir}/%{name}/tailoring
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md
%if ( %{defined rhel} && (! %{defined centos}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
@ -107,246 +126,423 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if %{defined rhel}
%if ( %{defined rhel} && (! %{defined centos}) )
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Tue Nov 15 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 0.1.63-5.alma
- Add AlmaLinux 9 support
* Mon Aug 19 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-3
- fix build
- keep firefox and rhel8 ds-1.2 files in the package in form of symbolic links to regular ds files
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
- OSPP: fix rule related to coredump (RHBZ#2081688)
* Fri Aug 16 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.74-2
- include RHEL 7 artifacts from the last RHEL 7 build
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
- Rebase to a new upstream release 0.1.74 (RHEL-53913)
- Improve Rsyslog rules to support RainerScript syntax (RHEL-1816)
- Update password hashing settings for ANSSI-BP-028 (RHEL-54390)
* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
- Switch gating to tmt plan (RHEL-43242)
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
- Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
- Fix file path identification in Rsyslog configuration (RHEL-17202)
- Use a correct chrony server address in STIG profile (RHEL-1814)
- Don't BuildRequire /usr/bin/python3 (RHEL-2244)
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
- Unlist profiles no longer maintained in RHEL8.
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-25250)
- Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
- Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
- Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
- Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
- Add rule to terminate idle user sessions after defined time (RHEL-1801)
- Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
- Add remediation for rule fapolicy_default_deny (RHEL-1817)
- Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
- Refactor ensure_pam_wheel_group_empty (RHEL-1905)
- Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
- Update PCI-DSS to v4 (RHEL-1808)
- Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)
* Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2
- remove problematic rule from ANSSI High profile (RHBZ#2221695)
* Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
- Fixed CCE link URL (RHBZ#2178516)
- align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
- Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
- Fixed rules related to AIDE configuration (RHBZ#2175684)
- Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
- Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
- improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
- unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
- make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
- Fixed excess quotes in journald configuration files (RHBZ#2169857)
- rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
- evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
- do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
- Correct URL used to download CVE checks (RHBZ#2222583)
- mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
- make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
- improve checks determining if FIPS mode is enabled (RHBZ#2129100)
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2
- Unselect rule logind_session_timeout (RHBZ#2158404)
* Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
- Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
- Fix levels of CIS rules (RHBZ#2162803)
- Remove unused RHEL8 STIG control file (RHBZ#2156192)
- Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
- Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
- Add rule for audit immutable login uids (RHBZ#2151553)
- Fix remediation of audit watch rules (RHBZ#2119356)
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
- Fix applicability of kerberos rules (RHBZ#2099394)
- Add support rainer scripts in rsyslog rules (RHBZ#2072444)
* Tue Jan 10 2023 Watson Sato <wsato@redhat.com> - 0.1.63-5
- Update RHEL8 STIG profile to V1R8 (RHBZ#2148446)
- Add rule warning for sysctl IPv4 forwarding config (RHBZ#2118758)
- Fix remediation for firewalld_sshd_port_enabled (RHBZ#2116474)
- Fix compatibility with Ansible 2.14
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
- Fix Ansible partition conditional (RHBZ#2032403)
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
- OSPP: update rules related to coredumps (RHBZ#2081688)
- OSPP: update rules related to BPF (RHBZ#2081728)
- fix description of require_singleuser_mode (RHBZ#2092799)
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
- OSPP: use minimal Authselect profile(RHBZ#2114979)
- aligning with the latest STIG update (RHBZ#2112937)
- OSPP: use Authselect minimal profile (RHBZ#2117192)
- OSPP: change rules for protecting of boot (RHBZ#2116440)
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
- fix handling of Rsyslog include directives (RHBZ#2075384)
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)
- Rebase to a new upstream release (RHBZ#2070564)
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
- Fix Ansible sysctl remediation (RHBZ#2079241)
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014561)
- Update description of OSPP profile (RHBZ#2045386)
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014485)
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
- Update GRUB2 rule descriptions (RHBZ#2020623)
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
- Update GRUB2 rule descriptions (RHBZ#2014485)
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
- Align audit rules for OSPP profile (RHBZ#2000264)
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Rebase to a new upstream release (RHBZ#2014561)
- Rebase to a new upstream release (RHBZ#2014485)
* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014561)
- Enable Centos Stream 9 content (RHBZ#2021284)
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014485)
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
- Rebase to a new upstream release (RHBZ#2014561)
- Disable profiles that we disable in RHEL8
- Rebase to a new upstream release. (RHBZ#2014485)
- Add a VM wait handling to fix issues with tests.
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix remediations applicability of zipl rules
Resolves: rhbz#1996847
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
- Fix a broken HTTP link
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
Resolves: rhbz#1962564
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Fix remaining audit rules file permissions (RHBZ#1993056)
- Mark a STIG service rule as machine only (RHBZ#1993056)
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Use SSHD directory-based configuration.
Resolves: rhbz#1962564
- Introduce ISM kickstarts
Resolves: rhbz#1978290
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
TLDR: Enable remediations by means of platform metadata,
enable the RHEL9 GPG rule, introduce the s390x platform,
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
address the subscription-manager package merge, and
enable and select more rules applicable to RHEL9.
Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
- Include tests for Ansible Playbooks that remove and reintroduce files.
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
- Add Kickstart files for ISM profile (RHBZ#1955373)
- Fix broken RHEL7 documentation links (RHBZ#1966577)
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1966577)
- Enable the ISM profile.
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Introduced the playbooks subpackage.
- Enabled CentOS content on CentOS systems.
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
- Update to the latest upstream release (RHBZ#1966577)
- Add ANSSI High Profile (RHBZ#1955183)
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Remove Kickstart for not shipped profile (RHBZ#1778188)
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
- Upgrade to the latest upstream release
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
- fix definition of build directory
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344)
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
- revert previous rework, it did not solve the problem
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
- rewrite solution for CMake out of source builds
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to the latest upstream release (RHBZ#1889344)
* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
- Update for new CMake out of source builds
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
- fixed link in a grub2 rule description (rhbz#1854854)
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
- Update the scapval invocation (RHBZ#1815007)
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
- fix description of HIPAA profile (RHBZ#1867559)
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
- Remove CCM from TLS Ciphersuites
* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Hotfix of the XML parsing fix.
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
- Fixed XML parsing of remediation functions.
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
- CIS Ansible fixes (RHBZ#1760734)
- HIPAA Ansible fixes (RHBZ#1832760)
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
- HIPAA Profile (RHBZ#1832760)
- Enable build of RHEL8 HIPAA Profile
- Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
- Add Ansible fix for sshd_set_max_sessions
- Add CIS Profile content attribution to Center for Internet Security
* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Fix Ansible for no_direct_root_logins
- Fix Ansible template for SELinux booleans
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
- Update URL and source URL
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
- Update to the latest upstream release (RHBZ#1815007)
* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
- Update to the latest upstream release (RHBZ#1815007)
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
- Use crypto-policy rules in OSPP profile.
- Re-enable FIREFOX and JRE product in build.
- Change test suite logging message about missing profile from ERROR to WARNING.
- Build only one version of SCAP content at a time.
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
- Ported changelog from late 8.0 builds.
- Disabled build of the OL8 product, updated other components of the cmake invocation.
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
- Assign CCE to rules from OSPP profile which were missing the identifier.
- Fix regular expression for Audit rules ordering
- Account for Audit rules flags parameter position within syscall
- Add remediations for Audit rules file path
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
- Add a Bash remediation for Audit rules that require ordering
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
- Assign CCE identifier to rules used by RHEL8 profiles.
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
- Fixed Crypto Policy OVAL for NSS
- Got rid of rules requiring packages dropped in RHEL8.
- Profile descriptions fixes.
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
- Update applicable platforms in crypto policy tests
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
- Introduce Podman backend for SSG Test suite
- Update bind and libreswan crypto policy test scenarios
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
- Further fix of profiles descriptions, so they don't contain literal '\'.
- Removed obsolete sshd rule from the OSPP profile.
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
- Fixed profiles descriptions, so they don't contain literal '\n'.
- Made the configure_kerberos_crypto_policy OVAL more robust.
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
- Added FIPS mode rule for the OSPP profile.
- Split the installed_OS_is certified rule.
- Explicitly disabled OSP13, RHV4 and Example products.
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
- Add missing kickstart files for RHEL8
- Disable profiles that are not in good shape for RHEL8
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- Fix man page build dependency on derivative content
- System-wide crypto policies are introduced for RHEL8
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
- Fix man page and package description
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Fix Licence of this package
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
- Update to use Python3 for build.
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
- Only build content for rhel8 products
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
- Update build of rhel8 content
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
- Add python version to python2-jinja2 package
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
- Enable build of rhel8 content
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
- Add python version to python package prefixes
- Fix spec file to build using Python 3
- Fix License because upstream changed to BSD-3
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
@ -516,7 +712,7 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
- Add .gitignore for Fedora output directory
- Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page
- Use correct file paths in scap-security-guide(8) manual page
(RH BZ#1018905, c#10)
- Apply further changes motivated by scap-security-guide Fedora RPM review
request (RH BZ#1018905, c#8):