commit 2a1034d452e8b5a31f04a19f7ff19878b5955a6d
Author: MSVSphere Packaging Team
Date: Mon Oct 9 18:12:36 2023 +0300
import scap-security-guide-0.1.69-2.el9
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1380026
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.69.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..1cc3399
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
new file mode 100644
index 0000000..af7d37e
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
@@ -0,0 +1,52 @@ +From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 8 Aug 2023 15:15:21 +0200 +Subject: [PATCH] Remove kernel cmdline check + +The OVAL in rule enable_fips_mode contains multiple checks. One +of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`. +Although this is useful for latest RHEL versions, this file doesn't +exist on RHEL 8.6 and 9.0. This causes that the rule fails after +remediation on these RHEL versions. + +We want the same OVAL behavior on all minor RHEL releases, therefore +we will remove this test from the OVAL completely. + +Related to: https://github.com/ComplianceAsCode/content/pull/10897 +--- + .../fips/enable_fips_mode/oval/shared.xml | 15 --------------- + 1 file changed, 15 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 88aae7aaab9..3b50e07060e 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -12,8 +12,6 @@ + comment="system cryptography policy is configured"/> + +- + {{% if "ol" in product or "rhel" in product %}} + + +@@ -57,19 +55,6 @@ + ^(?:.*\s)?fips=1(?:\s.*)?$ + + +- +- +- +- +- +- +- ^/etc/kernel/cmdline +- ^(.*)$ +- 1 +- +- + + diff --git a/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch new file mode 100644 index 0000000..fbc06d7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch 
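Review bot: Deleting the `/etc/kernel/cmdline` test (the removed block ending `^/etc/kernel/cmdline`, `^(.*)$`, `1`) takes away the one check in this OVAL that looked at the file future kernel entries take their options from; what survives on the new side only inspects the options already present in `/boot/loader/entries/*.conf` (and, per the same file elsewhere in this import, grubenv on RHEL/OL 8), so on releases that do ship the file a host can now pass the rule while a later kernel install boots without `fips=1`, assuming kernel-install consumes that file there. A narrower fix than deletion would keep the test and accept either outcome, i.e. OR a "file does not exist" file_state against the existing `^(?:.*\s)?fips=1(?:\s.*)?$` match, which yields the same verdict on 8.6/9.0 without weakening newer releases. Whichever way it goes, the rule description should name which file is authoritative on which release. The XML markup of this nested patch is stripped in this rendering, so the exact elements removed cannot be confirmed from here.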
@@ -0,0 +1,272 @@ +From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 27 Jul 2023 10:02:08 +0200 +Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects + +This commit only improves readability without any technical impact in +the OVAL logic. +--- + .../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++------- + 1 file changed, 50 insertions(+), 31 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index fe3f96f52a5..0ec076a5fb7 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -1,32 +1,38 @@ + +- ++ + {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} + +- +- +- +- +- +- ++ ++ ++ ++ ++ ++ + {{% if "ol" in product or "rhel" in product %}} + + +- +- ++ ++ + + + +- ++ + + {{% if product in ["ol8", "rhel8"] %}} +- ++ + {{% else %}} +- ++ + {{% endif %}} + + +@@ -34,58 +40,71 @@ + + + +- ++ + + + ++ + + ^/boot/loader/entries/.*.conf + ^options (.*)$ + 1 + ++ + + ^(?:.*\s)?fips=1(?:\s.*)?$ + +- ++ ++ + + + ++ + + ^/etc/kernel/cmdline + ^(.*)$ + 1 + + +- ++ + + + ++ + + var_system_crypto_policy + +- ++ ++ + {{% if product in ["ol9","rhel9"] -%}} + ^FIPS(:OSPP)?$ + {{%- else %}} +- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} ++ {{# Legacy and more relaxed list of crypto policies that were historically considered ++ FIPS-compatible. 
More recent products should use the more restricted list of options #}} + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ + {{%- endif %}} + ++ + {{% if product in ["ol8","rhel8"] %}} +- ++ + + +- ++ ++ + /boot/grub2/grubenv + fips=1 + 1 + + {{% endif %}} +- ++ ++ + + +From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001 +From: Marcus Burghardt +Date: Thu, 27 Jul 2023 10:20:33 +0200 +Subject: [PATCH 2/2] Improve OVAL comments for better readability + +Simplified the comments and aligned the respective lines to the +project Style Guides. +--- + .../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++--------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +index 0ec076a5fb7..88aae7aaab9 100644 +--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +@@ -3,36 +3,36 @@ + {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}} + + ++ comment="check /etc/system-fips file existence"/> + ++ comment="check option crypto.fips_enabled = 1 in sysctl"/> + ++ comment="dracut FIPS module is enabled"/> + + ++ comment="check if var_system_crypto_policy variable selection is set to FIPS"/> + ++ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/> + {{% if "ol" in product or "rhel" in product %}} + + + ++ comment="generic test for s390x architecture"/> + ++ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> + + + + ++ comment="generic test for non-s390x architecture"/> + + {{% if product in ["ol8", "rhel8"] %}} + + {{% else %}} + ++ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/> + {{% endif %}} + + +@@ -42,7 +42,7 @@ + + ++ comment="check if kernel option fips=1 is present in 
options in /boot/loader/entries/.*.conf"> + + + +@@ -59,7 +59,7 @@ + + ++ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"> + + + +@@ -71,7 +71,7 @@ + + + ++ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS"> + + + +@@ -81,7 +81,8 @@ + + + ++ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds ++to a crypto policy module that further restricts the modified crypto policy."> + {{% if product in ["ol9","rhel9"] -%}} + ^FIPS(:OSPP)?$ + {{%- else %}} +@@ -94,7 +95,7 @@ + {{% if product in ["ol8","rhel8"] %}} + ++ comment="FIPS mode is selected in running kernel options"> + + + +@@ -106,5 +107,5 @@ + {{% endif %}} + + ++ datatype="string" comment="variable which selects the crypto policy"/> + diff --git a/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch new file mode 100644 index 0000000..a181eb5 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch @@ -0,0 +1,21 @@ +From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 15 Aug 2023 15:17:16 +0200 +Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile + +rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8 +--- + controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml +index d5fe6e1327b..9d9dc579fc4 100644 +--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml ++++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml +@@ -7,6 +7,4 @@ controls: + rules: + - sshd_enable_pam + - sysctl_crypto_fips_enabled +- - harden_sshd_ciphers_openssh_conf_crypto_policy +- - harden_sshd_macs_openssh_conf_crypto_policy + status: automated 
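Review bot: After the two deletions, SRG-OS-000125-GPOS-00065 keeps `status: automated` although the remaining rules, `sshd_enable_pam` and `sysctl_crypto_fips_enabled`, do not check SSH ciphers or MACs at all, so the control's automation claim now rests on the FIPS sysctl alone and a reader of the YAML cannot learn why, because the reasoning lives only in the commit message. A one-line comment beside the rules would record it, e.g. `# SSH cipher/MAC selection on RHEL 9 is governed by the system-wide crypto policy; the openssh_conf hardening rules have no RHEL 9 remediation`. `controls/srg_gpos/` is shared content, so if any product other than RHEL 9 consumes this control file the deletion affects it too; that cannot be confirmed from this hunk.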
diff --git a/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
new file mode 100644
index 0000000..bf45744
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
@@ -0,0 +1,30 @@
+From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek
+Date: Thu, 17 Aug 2023 10:50:09 +0200
+Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
+
+---
+ products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
+ products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel8/profiles/anssi_bp28_high.profile
++++ b/products/rhel8/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
+diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
+index e2eeabbb78d..204e141b1f5 100644
+--- a/products/rhel9/profiles/anssi_bp28_high.profile
++++ b/products/rhel9/profiles/anssi_bp28_high.profile
+@@ -17,3 +17,5 @@ description: |-
+
+ selections:
+ - anssi:all:high
++ # the following rule renders UEFI systems unbootable
++ - '!sebool_secure_mode_insmod'
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
new file mode 100644
index 0000000..4a59af4
--- /dev/null
+++ b/SPECS/scap-security-guide.spec
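Review bot: The added comment `# the following rule renders UEFI systems unbootable` records the symptom but not what is given up: the `!sebool_secure_mode_insmod` unselect drops that SELinux restriction from ANSSI high on every install, BIOS-based ones included, and the Subject says "remove" while the diffstat shows two insertions per file, so the rule still exists and can be re-selected by tailoring where it is known to boot. Suggest `# sebool_secure_mode_insmod is unselected: enabling it has been reported to make UEFI systems unbootable; re-select via tailoring on systems where it is known to boot`. The spec's changelog entry for this patch calls it a "secure boot" fix while this comment says UEFI; the two should use one wording, since Secure Boot is a feature of some UEFI systems rather than a synonym. The unbootable claim itself cannot be verified from the hunk.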
@@ -0,0 +1,563 @@
+# SSG build system and tests count with build directory name `build`.
+# For more details see:
+# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+%global _vpath_builddir build
+# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
+
+Name: scap-security-guide
+Version: 0.1.69
+Release: 2%{?dist}
+Summary: Security guidance and baselines in SCAP formats
+License: BSD-3-Clause
+URL: https://github.com/ComplianceAsCode/content/
+Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+# Fix rule enable_fips_mode
+Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
+Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
+# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
+Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
+# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
+Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
+BuildArch: noarch
+
+BuildRequires: libxslt
+BuildRequires: expat
+BuildRequires: openscap-scanner >= 1.2.5
+BuildRequires: cmake >= 2.8
+# To get python3 inside the buildroot require its path explicitly in BuildRequires
+BuildRequires: /usr/bin/python3
+BuildRequires: python%{python3_pkgversion}
+BuildRequires: python%{python3_pkgversion}-jinja2
+BuildRequires: python%{python3_pkgversion}-PyYAML
+Requires: xml-common, openscap-scanner >= 1.2.5
+
+%description
+The scap-security-guide project provides a guide for configuration of the
+system from the final system's security point of view. The guidance is specified
+in the Security Content Automation Protocol (SCAP) format and constitutes
+a catalog of practical hardening advice, linked to government requirements
+where applicable. The project bridges the gap between generalized policy
+requirements and specific implementation guidelines. The system
+administrator can use the oscap CLI tool from openscap-scanner package, or the
+scap-workbench GUI tool from scap-workbench package to verify that the system
+conforms to provided guideline. Refer to scap-security-guide(8) manual page for
+further information.
+
+%package doc
+Summary: HTML formatted security guides generated from XCCDF benchmarks
+Requires: %{name} = %{version}-%{release}
+
+%description doc
+The %{name}-doc package contains HTML formatted documents containing
+hardening guidances that have been generated from XCCDF benchmarks
+present in %{name} package.
+
+%if ( %{defined rhel} && (! %{defined centos}) )
+%package rule-playbooks
+Summary: Ansible playbooks per each rule.
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+
+%description rule-playbooks
+The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
+%endif
+
+%prep
+%autosetup -p1
+
+%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
+%define cmake_defines_specific %{nil}
+%if 0%{?rhel}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
+%endif
+%if 0%{?centos}
+%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
+%endif
+
+mkdir -p build
+%build
+%cmake %{cmake_defines_common} %{cmake_defines_specific}
+%cmake_build
+
+%install
+%cmake_install
+rm %{buildroot}/%{_docdir}/%{name}/README.md
+rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
+
+%files
+%{_datadir}/xml/scap/ssg/content
+%{_datadir}/%{name}/kickstart
+%{_datadir}/%{name}/ansible/*.yml
+%lang(en) %{_mandir}/man8/scap-security-guide.8.*
+%doc %{_docdir}/%{name}/LICENSE
+%if ( %{defined rhel} && (! %{defined centos}) )
+%exclude %{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%files doc
+%doc %{_docdir}/%{name}/guides/*.html
+%doc %{_docdir}/%{name}/tables/*.html
+
+%if ( %{defined rhel} && (! %{defined centos}) )
+%files rule-playbooks
+%defattr(-,root,root,-)
+%{_datadir}/%{name}/ansible/rule_playbooks
+%endif
+
+%changelog
+* Mon Oct 09 2023 MSVSphere Packaging Team - 0.1.69-2
+- Rebuilt for MSVSphere 9.3 beta
+
+* Thu Aug 17 2023 Jan Černý - 0.1.69-2
+- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
+- Fix ANSSI High profile with secure boot (RHBZ#2221697)
+
+* Wed Aug 09 2023 Jan Černý - 0.1.69-1
+- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
+- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
+- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
+- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
+- Correct URL used to download CVE checks. (RHBZ#2223178)
+- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
+- Fixed excess quotes in journald configuration files (RHBZ#2193169)
+- Change rules checking home directories to apply only to local users (RHBZ#2203791)
+- Change rules checking password age to apply only to local users (RHBZ#2213958)
+- Updated man page (RHBZ#2060028)
+
+* Mon Feb 13 2023 Watson Sato - 0.1.66-1
+- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
+- Fix remediation of audit watch rules (RHBZ#2169441)
+- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
+- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
+- Unselect rule logind_session_timeout (RHBZ#2169443)
+- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
+
+* Thu Aug 25 2022 Gabriel Becker - 0.1.63-5
+- OSPP: fix rule related to coredump (RHBZ#2081688)
+
+* Tue Aug 23 2022 Vojtech Polasek - 0.1.63-4
+- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
+
+* Thu Aug 11 2022 Matej Tyc - 0.1.63-3
+- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
+
+* Wed Aug 10 2022 Vojtech Polasek - 0.1.63-2
+- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
+- OSPP: update rules related to coredumps (RHBZ#2081688)
+- OSPP: update rules related to BPF (RHBZ#2081728)
+- fix description of require_singleuser_mode (RHBZ#2092799)
+- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
+- OSPP: use minimal Authselect profile(RHBZ#2114979)
+
+* Mon Aug 01 2022 Vojtech Polasek - 0.1.63-1
+- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
+
+* Mon Jul 18 2022 Vojtech Polasek - 0.1.62-2
+- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
+- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
+- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
+- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
+- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
+- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
+- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
+- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
+- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
+- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
+- Remove rules related to NIS services (RHBZ#2096602)
+- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
+
+* Wed Jun 01 2022 Matej Tyc - 0.1.62-1
+- Rebase to a new upstream release (RHBZ#2070563)
+
+* Mon Feb 21 2022 Gabriel Becker - 0.1.60-5
+- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
+- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
+- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
+
+* Tue Feb 15 2022 Watson Sato - 0.1.60-4
+- Fix Ansible service disabled tasks (RHBZ#2014561)
+- Update description of OSPP profile (RHBZ#2045386)
+- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
+
+* Mon Feb 14 2022 Gabriel Becker - 0.1.60-3
+- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
+- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
+- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
+- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
+- Update GRUB2 rule descriptions (RHBZ#2020623)
+- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
+
+* Fri Feb 11 2022 Watson Sato - 0.1.60-2
+- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
+
+* Thu Jan 27 2022 Watson Sato - 0.1.60-1
+- Rebase to a new upstream release (RHBZ#2014561)
+
+* Wed Dec 08 2021 Gabriel Becker - 0.1.59-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Enable Centos Stream 9 content (RHBZ#2021284)
+
+* Fri Oct 15 2021 Matej Tyc - 0.1.58-1
+- Rebase to a new upstream release (RHBZ#2014561)
+- Disable profiles that we disable in RHEL8
+- Add a VM wait handling to fix issues with tests.
+
+* Wed Aug 25 2021 Matej Tyc - 0.1.57-5
+- Fix remediations applicability of zipl rules
+ Resolves: rhbz#1996847
+
+* Tue Aug 24 2021 Matej Tyc - 0.1.57-4
+- Fix a broken HTTP link
+ Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
+ Resolves: rhbz#1962564
+
+* Tue Aug 17 2021 Matej Tyc - 0.1.57-3
+- Use SSHD directory-based configuration.
+ Resolves: rhbz#1962564
+- Introduce ISM kickstarts
+ Resolves: rhbz#1978290
+- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
+ TLDR: Enable remediations by means of platform metadata,
+ enable the RHEL9 GPG rule, introduce the s390x platform,
+ fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
+ address the subscription-manager package merge, and
+ enable and select more rules applicable to RHEL9.
+ Resolves: rhbz#1987227
+ Resolves: rhbz#1987226
+ Resolves: rhbz#1987231
+ Resolves: rhbz#1988289
+
+* Tue Aug 10 2021 Mohan Boddu - 0.1.57-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 28 2021 Matej Tyc - 0.1.57-1
+- Upgrade to the latest upstream release
+- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
+
+* Wed Jul 07 2021 Matej Tyc - 0.1.56-3
+- Introduced the playbooks subpackage.
+- Enabled CentOS content on CentOS systems.
+- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
+
+* Mon Jun 28 2021 Matej Tyc - 0.1.56-2
+- Enable more RHEL9 rules and introduce RHEL9 profile stubs
+
+* Wed May 19 2021 Jan Černý - 0.1.56-1
+- Upgrade to the latest upstream release
+- remove README.md and Contributors.md
+- remove SCAP component files
+- remove SCAP 1.2 source data streams
+- remove HTML guides for the virtual “(default)” profile
+- remove profile Bash remediation scripts
+- build only RHEL9 content
+- remove other products
+- use autosetup in %prep phase
+
+* Fri Apr 16 2021 Mohan Boddu - 0.1.54-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Fri Feb 12 2021 Vojtech Polasek - 0.1.54-2
+- fix definition of build directory
+
+* Fri Feb 05 2021 Vojtech Polasek - 0.1.54-1
+- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
+
+* Wed Jan 27 2021 Fedora Release Engineering - 0.1.53-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 16 2020 Vojtech Polasek - 0.1.53-1
+- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
+
+* Wed Sep 23 2020 Vojtech Polasek - 0.1.52-3
+- revert previous rework, it did not solve the problem
+
+* Wed Sep 23 2020 Vojtech Polasek - 0.1.52-2
+- rewrite solution for CMake out of source builds
+
+* Mon Sep 21 2020 Vojtech Polasek - 0.1.52-1
+- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
+
+* Tue Aug 04 2020 Jan Černý - 0.1.51-4
+- Update for new CMake out of source builds
+ https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
+- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
+
+* Sat Aug 01 2020 Fedora Release Engineering - 0.1.51-3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 0.1.51-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jul 17 2020 Vojtech Polasek - 0.1.51-1
+- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
+
+* Mon Mar 23 2020 Watson Sato - 0.1.49-1
+- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
+
+* Thu Jan 30 2020 Fedora Release Engineering - 0.1.48-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 16 2020 Watson Sato - 0.1.48-1
+- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
+
+* Mon Dec 09 2019 Matěj Týč - 0.1.47-2
+- Hotfix of the XML parsing fix.
+
+* Mon Dec 09 2019 Matěj Týč - 0.1.47-1
+- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
+- Fixed XML parsing of remediation functions.
+
+* Mon Jul 29 2019 Watson Sato - 0.1.45-1
+- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
+
+* Fri Jul 26 2019 Fedora Release Engineering - 0.1.44-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon May 06 2019 Watson Yuuma Sato - 0.1.44-1
+- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
+
+* Fri Feb 22 2019 Watson Yuuma Sato - 0.1.43-1
+- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
+- Update URL and source URL
+
+* Sat Feb 02 2019 Fedora Release Engineering - 0.1.42-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Dec 12 2018 Watson Yuuma Sato - 0.1.42-1
+- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
+- Fix man page build dependency on derivative content
+
+* Mon Oct 01 2018 Watson Yuuma Sato - 0.1.41-1
+- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
+ https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
+- Fix Licence of this package
+
+* Wed Jul 25 2018 Matěj Týč - 0.1.40-1
+- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
+- Update to use Python3 for build.
+
+* Sat Jul 14 2018 Fedora Release Engineering - 0.1.39-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri May 04 2018 Watson Yuuma Sato - 0.1.39-2
+- Add python version to python2-jinja2 package
+
+* Fri May 04 2018 Watson Yuuma Sato - 0.1.39-1
+- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-2
+- Add python version to python package prefixes
+
+* Mon Mar 05 2018 Watson Yuuma Sato - 0.1.38-1
+- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.1.37-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jan 04 2018 Watson Yuuma Sato - 0.1.37-1
+- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
+
+* Wed Nov 01 2017 Watson Yuuma Sato - 0.1.36-1
+- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
+
+* Tue Aug 29 2017 Watson Sato - 0.1.35-1
+- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.1.34-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 03 2017 Watson Sato - 0.1.34-1
+- updated to latest upstream release
+
+* Mon May 01 2017 Martin Preisler - 0.1.33-1
+- updated to latest upstream release
+
+* Thu Mar 30 2017 Martin Preisler - 0.1.32-1
+- updated to latest upstream release
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.1.31-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-2
+- use make_build and make_install RPM macros
+
+* Mon Nov 28 2016 Martin Preisler - 0.1.31-1
+- update to the latest upstream release
+- new default location for content /usr/share/scap/ssg
+- install HTML tables in the doc subpackage
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-2
+- Correct currently failing parallel SCAP Security Guide build
+
+* Mon Jun 27 2016 Jan iankko Lieskovsky - 0.1.30-1
+- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
+- Drop shell library for remediation functions since it is not required
+ starting from 0.1.30 release any more
+
+* Thu May 05 2016 Jan iankko Lieskovsky - 0.1.29-1
+- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
+ https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
+- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
+ in 0.1.29 upstream release
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.1.28-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 20 2016 Šimon Lukašík - 0.1.28-1
+- upgrade to the latest upstream release
+
+* Fri Dec 11 2015 Šimon Lukašík - 0.1.27-1
+- update to the latest upstream release
+
+* Tue Oct 20 2015 Šimon Lukašík - 0.1.26-1
+- update to the latest upstream release
+
+* Sat Sep 05 2015 Šimon Lukašík - 0.1.25-1
+- update to the latest upstream release
+
+* Thu Jul 09 2015 Šimon Lukašík - 0.1.24-1
+- update to the latest upstream release
+- created doc sub-package to ship all the guides
+- start distributing centos and scientific linux content
+- rename java content to jre
+
+* Fri Jun 19 2015 Fedora Release Engineering - 0.1.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 05 2015 Šimon Lukašík - 0.1.22-1
+- update to the latest upstream release
+- only DataStream file is now available for Fedora
+- start distributing security baseline for Firefox
+- start distributing security baseline for Java RunTime deployments
+
+* Wed Mar 04 2015 Šimon Lukašík - 0.1.21-1
+- update to the latest upstream release
+- move content to /usr/share/scap/ssg/content
+
+* Thu Oct 02 2014 Šimon Lukašík - 0.1.19-1
+- update to the latest upstream release
+
+* Mon Jul 14 2014 Šimon Lukašík - 0.1.5-4
+- require only openscap-scanner, not whole openscap-utils package
+
+* Tue Jul 01 2014 Šimon Lukašík - 0.1.5-3
+- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
+- Add STIG DISCLAIMER to the shipped documentation
+
+* Sun Jun 08 2014 Fedora Release Engineering - 0.1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Feb 27 2014 Jan iankko Lieskovsky 0.1.5-1
+- Fix fedora-srpm and fedora-rpm Make targets to work again
+- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
+- EOL for Fedora 18 support
+- Include Fedora datastream file for remote Fedora system scans
+
+* Mon Jan 06 2014 Jan iankko Lieskovsky 0.1.4-2
+- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
+
+* Fri Dec 20 2013 Jan iankko Lieskovsky 0.1.4-1
+- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
+ it to /shared
+- Add shared remediations for sshd disable empty passwords and
+ sshd set idle timeout
+- Shared remediation for sshd disable root login
+- Add empty -compat subpackage to ensure backward-compatibility with
+ openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
+- OVAL check for sshd disable root login
+- Fix typo in OVAL check for sshd disable empty passwords
+- OVAL check for sshd disable empty passwords
+- Unselect no shelllogin for systemaccounts rule from being run by default
+- Rename XCCDF rules
+- Revert Set up Fedora release name and CPE based on build system properties
+- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
+- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
+- Shared OVAL check for Verify that System Executables Have Root Ownership
+- Shared OVAL check for Verify that Shared Library Files Have Restrictive
+ Permissions
+- Fix remediation for Disable Prelinking rule
+- OVAL check and remediation for sshd's ClientAliveCountMax rule
+- OVAL check for sshd's ClientAliveInterval rule
+- Include descriptions for permissions section, and rules for checking
+ permissions and ownership of shared library files and system executables
+- Disable selected rules by default
+- Add remediation for Disable Prelinking rule
+- Adjust service-enable-macro, service-disable-macro XSLT transforms
+ definition to evaluate to proper systemd syntax
+- Fix service_ntpd_enabled OVAL check make validate to pass again
+- Include patch from Šimon Lukašík to obsolete openscap-content
+ package (RH BZ#1028706)
+- Add OVAL check to test if there's is remote NTP server configured for
+ time data
+- Add system settings section for the guide (to track system wide
+ hardening configurations)
+- Include disable prelink rule and OVAL check for it
+- Initial OVAL check if ntpd service is enabled. Add package_installed
+ OVAL templating directory structure and functionality.
+- Include services section, and XCCDF description for selected ntpd's
+ sshd's service rules
+- Include remediations for login.defs' based password minimum, maximum and
+ warning age rules
+- Include directory structure to support remediations
+- Add SCAP "replace or append pattern value in text file based on variable"
+ remediation script generator
+- Add remediation for "Set Password Minimum Length in login.defs" rule
+
+* Mon Nov 18 2013 Jan iankko Lieskovsky 0.1.3-1
+- Update versioning scheme - move fedorassgrelease to be part of
+ upstream version. Rename it to fedorassgversion to avoid name collision
+ with Fedora package release.
+
+* Tue Oct 22 2013 Jan iankko Lieskovsky 0.1-3
+- Add .gitignore for Fedora output directory
+- Set up Fedora release name and CPE based on build system properties
+- Use correct file paths in scap-security-guide(8) manual page
+ (RH BZ#1018905, c#10)
+- Apply further changes motivated by scap-security-guide Fedora RPM review
+ request (RH BZ#1018905, c#8):
+ * update package description,
+ * make content files to be owned by the scap-security-guide package,
+ * remove Fedora release number from generated content files,
+ * move HTML form of the guide under the doc directory (together
+ with that drop fedora/content subdir and place the content
+ directly under fedora/ subdir).
+- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
+ * drop Fedora release from package provided files' final path (c#5),
+ * drop BuildRoot, selected Requires:, clean section, drop chcon for
+ manual page, don't gzip man page (c#4),
+ * change package's description (c#4),
+ * include PD license text (#c4).
+
+* Mon Oct 14 2013 Jan iankko Lieskovsky 0.1-2
+- Provide manual page for scap-security-guide
+- Remove percent sign from spec's changelog to silence rpmlint warning
+- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
+- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
+- Introduce 'Account and Access Control' section
+- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
+ rules to Fedora
+- Set proper name of the build directory in the spec's setup macro.
+- Replace hard-coded paths with macros. Preserve attributes when copying files.
+
+* Tue Sep 17 2013 Jan iankko Lieskovsky 0.1-1
+- Initial Fedora SSG RPM.
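Review bot: `Source0` points at the GitHub release URL, and the only integrity anchor in this import is the SHA-1 in `.scap-security-guide.metadata`, which pins the lookaside upload to this dist-git commit but never compares the tarball with anything upstream published; there is no `Source1` checksum or signature and no verification step in `%prep` before `%autosetup -p1`. If upstream publishes a checksum or signature for the release tarball (not confirmable from here), adding it as `Source1` and checking it in `%prep` would close that gap; if it does not, a comment above `Source0` such as `# Tarball integrity is pinned only by the dist-git lookaside hash; upstream publishes no signature` would at least make the trust assumption explicit for the next rebuild. Separately, `BuildRequires: cmake >= 2.8` predates the `%cmake_build`/`%cmake_install` macros the `%build` and `%install` sections depend on, so the floor no longer documents the real minimum and should be raised to the version that ships those macros. The spec is otherwise consistent with the four patches it carries, including the Patch1-before-Patch2 ordering the nested index hashes require.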