commit
490fb9a1ab
@ -0,0 +1 @@
|
||||
SOURCES/scap-security-guide-0.1.69.tar.bz2
|
@ -0,0 +1 @@
|
||||
60f885bdfa51fa2fa707d0c2fd32e0b1f9ee9589 SOURCES/scap-security-guide-0.1.69.tar.bz2
|
@ -0,0 +1,52 @@
|
||||
From 75dd0e76be957e5fd92c98f01f7d672b2549fd3d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
|
||||
Date: Tue, 8 Aug 2023 15:15:21 +0200
|
||||
Subject: [PATCH] Remove kernel cmdline check
|
||||
|
||||
The OVAL in rule enable_fips_mode contains multiple checks. One
|
||||
of these checks tests presence of `fips=1` in `/etc/kernel/cmdline`.
|
||||
Although this is useful for latest RHEL versions, this file doesn't
|
||||
exist on RHEL 8.6 and 9.0. This causes that the rule fails after
|
||||
remediation on these RHEL versions.
|
||||
|
||||
We want the same OVAL behavior on all minor RHEL releases, therefore
|
||||
we will remove this test from the OVAL completely.
|
||||
|
||||
Related to: https://github.com/ComplianceAsCode/content/pull/10897
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 15 ---------------
|
||||
1 file changed, 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 88aae7aaab9..3b50e07060e 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -12,8 +12,6 @@
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
- <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
@@ -57,19 +55,6 @@
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
- check="all" check_existence="all_exist"
|
||||
- comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
- <ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
- <ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
- </ind:textfilecontent54_test>
|
||||
-
|
||||
- <ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
- <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
- <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
- <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
- </ind:textfilecontent54_object>
|
||||
-
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
@ -0,0 +1,272 @@
|
||||
From 9d00e0d296ad4a5ce503b2dfe9647de6806b7b60 Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:02:08 +0200
|
||||
Subject: [PATCH 1/2] Align the parameters ordering in OVAL objects
|
||||
|
||||
This commit only improves readability without any technical impact in
|
||||
the OVAL logic.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 81 ++++++++++++-------
|
||||
1 file changed, 50 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index fe3f96f52a5..0ec076a5fb7 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -1,32 +1,38 @@
|
||||
<def-group>
|
||||
- <definition class="compliance" id="enable_fips_mode" version="1">
|
||||
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
|
||||
- <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
|
||||
- <extend_definition comment="Dracut FIPS module is enabled" definition_ref="enable_dracut_fips_module" />
|
||||
- <extend_definition comment="system cryptography policy is configured" definition_ref="configure_crypto_policy" />
|
||||
- <criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="test_system_crypto_policy_value" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="test_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
+ <extend_definition definition_ref="etc_system_fips_exists"
|
||||
+ comment="check /etc/system-fips exists"/>
|
||||
+ <extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
+ comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ <extend_definition definition_ref="enable_dracut_fips_module"
|
||||
+ comment="Dracut FIPS module is enabled"/>
|
||||
+ <extend_definition definition_ref="configure_crypto_policy"
|
||||
+ comment="system cryptography policy is configured"/>
|
||||
+ <criterion test_ref="test_system_crypto_policy_value"
|
||||
+ comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
- <extend_definition comment="Generic test for s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for s390x architecture"/>
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
- <extend_definition comment="Generic test for NOT s390x architecture"
|
||||
- definition_ref="system_info_architecture_s390_64" />
|
||||
+ <extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
+ comment="Generic test for NOT s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
- <criterion comment="check if the kernel boot parameter is configured for FIPS mode"
|
||||
- test_ref="test_grubenv_fips_mode" />
|
||||
+ <criterion test_ref="test_grubenv_fips_mode"
|
||||
+ comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
- <criterion comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"
|
||||
- test_ref="test_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
+ <criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
+ comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -34,58 +40,71 @@
|
||||
</criteria>
|
||||
</definition>
|
||||
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_boot_loader_entries_conf" version="1">
|
||||
<ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
+
|
||||
<ind:textfilecontent54_state id="state_fips_1_argument_in_captured_group" version="1">
|
||||
<ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?fips=1(?:\s.*)?$</ind:subexpression>
|
||||
</ind:textfilecontent54_state>
|
||||
- <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline"
|
||||
- check="all" check_existence="all_exist" version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
+
|
||||
<ind:textfilecontent54_object id="object_fips_1_argument_in_etc_kernel_cmdline" version="1">
|
||||
<ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
|
||||
<ind:pattern operation="pattern match">^(.*)$</ind:pattern>
|
||||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
- <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="test_system_crypto_policy_value" version="1">
|
||||
+ <ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
+ check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
+
|
||||
<ind:variable_object id="obj_system_crypto_policy_value" version="1">
|
||||
<ind:var_ref>var_system_crypto_policy</ind:var_ref>
|
||||
</ind:variable_object>
|
||||
- <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="ste_system_crypto_policy_value" version="2">
|
||||
+
|
||||
+ <ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
- {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
+ {{# Legacy and more relaxed list of crypto policies that were historically considered
|
||||
+ FIPS-compatible. More recent products should use the more restricted list of options #}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
|
||||
{{%- endif %}}
|
||||
</ind:variable_state>
|
||||
+
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
- <ind:textfilecontent54_test check="all" check_existence="all_exist" id="test_grubenv_fips_mode"
|
||||
- comment="Fips mode selected in running kernel opts" version="1">
|
||||
+ <ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
+ check="all" check_existence="all_exist"
|
||||
+ comment="Fips mode selected in running kernel opts">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
- <ind:textfilecontent54_object id="obj_grubenv_fips_mode"
|
||||
- version="1">
|
||||
+
|
||||
+ <ind:textfilecontent54_object id="obj_grubenv_fips_mode" version="1">
|
||||
<ind:filepath>/boot/grub2/grubenv</ind:filepath>
|
||||
<ind:pattern operation="pattern match">fips=1</ind:pattern>
|
||||
<ind:instance datatype="int">1</ind:instance>
|
||||
</ind:textfilecontent54_object>
|
||||
{{% endif %}}
|
||||
- <external_variable comment="defined crypto policy" datatype="string" id="var_system_crypto_policy" version="1" />
|
||||
+
|
||||
+ <external_variable id="var_system_crypto_policy" version="1"
|
||||
+ datatype="string" comment="defined crypto policy"/>
|
||||
</def-group>
|
||||
|
||||
From 6a62a2f1b61e51326c7cadd2a0494200d98cc02e Mon Sep 17 00:00:00 2001
|
||||
From: Marcus Burghardt <maburgha@redhat.com>
|
||||
Date: Thu, 27 Jul 2023 10:20:33 +0200
|
||||
Subject: [PATCH 2/2] Improve OVAL comments for better readability
|
||||
|
||||
Simplified the comments and aligned the respective lines to the
|
||||
project Style Guides.
|
||||
---
|
||||
.../fips/enable_fips_mode/oval/shared.xml | 31 ++++++++++---------
|
||||
1 file changed, 16 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
index 0ec076a5fb7..88aae7aaab9 100644
|
||||
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
|
||||
@@ -3,36 +3,36 @@
|
||||
{{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="etc_system_fips_exists"
|
||||
- comment="check /etc/system-fips exists"/>
|
||||
+ comment="check /etc/system-fips file existence"/>
|
||||
<extend_definition definition_ref="sysctl_crypto_fips_enabled"
|
||||
- comment="check sysctl crypto.fips_enabled = 1"/>
|
||||
+ comment="check option crypto.fips_enabled = 1 in sysctl"/>
|
||||
<extend_definition definition_ref="enable_dracut_fips_module"
|
||||
- comment="Dracut FIPS module is enabled"/>
|
||||
+ comment="dracut FIPS module is enabled"/>
|
||||
<extend_definition definition_ref="configure_crypto_policy"
|
||||
comment="system cryptography policy is configured"/>
|
||||
<criterion test_ref="test_system_crypto_policy_value"
|
||||
- comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS"/>
|
||||
+ comment="check if var_system_crypto_policy variable selection is set to FIPS"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_etc_kernel_cmdline"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /etc/kernel/cmdline"/>
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline"/>
|
||||
{{% if "ol" in product or "rhel" in product %}}
|
||||
<criteria operator="OR">
|
||||
<criteria operator="AND">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for s390x architecture"/>
|
||||
+ comment="generic test for s390x architecture"/>
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
</criteria>
|
||||
<criteria operator="AND">
|
||||
<criteria negate="true">
|
||||
<extend_definition definition_ref="system_info_architecture_s390_64"
|
||||
- comment="Generic test for NOT s390x architecture"/>
|
||||
+ comment="generic test for non-s390x architecture"/>
|
||||
</criteria>
|
||||
{{% if product in ["ol8", "rhel8"] %}}
|
||||
<criterion test_ref="test_grubenv_fips_mode"
|
||||
comment="check if the kernel boot parameter is configured for FIPS mode"/>
|
||||
{{% else %}}
|
||||
<criterion test_ref="test_fips_1_argument_in_boot_loader_entries_conf"
|
||||
- comment="Check if argument fips=1 for Linux kernel is present in /boot/loader/entries/.*.conf"/>
|
||||
+ comment="check if kernel option fips=1 is present in /boot/loader/entries/.*.conf"/>
|
||||
{{% endif %}}
|
||||
</criteria>
|
||||
</criteria>
|
||||
@@ -42,7 +42,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_boot_loader_entries_conf" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf">
|
||||
+ comment="check if kernel option fips=1 is present in options in /boot/loader/entries/.*.conf">
|
||||
<ind:object object_ref="object_fips_1_argument_in_boot_loader_entries_conf" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -59,7 +59,7 @@
|
||||
|
||||
<ind:textfilecontent54_test id="test_fips_1_argument_in_etc_kernel_cmdline" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Check if argument fips=1 is present in /etc/kernel/cmdline">
|
||||
+ comment="check if kernel option fips=1 is present in /etc/kernel/cmdline">
|
||||
<ind:object object_ref="object_fips_1_argument_in_etc_kernel_cmdline" />
|
||||
<ind:state state_ref="state_fips_1_argument_in_captured_group" />
|
||||
</ind:textfilecontent54_test>
|
||||
@@ -71,7 +71,7 @@
|
||||
</ind:textfilecontent54_object>
|
||||
|
||||
<ind:variable_test id="test_system_crypto_policy_value" version="1"
|
||||
- check="at least one" comment="tests if var_system_crypto_policy is set to FIPS">
|
||||
+ check="at least one" comment="test if var_system_crypto_policy selection is set to FIPS">
|
||||
<ind:object object_ref="obj_system_crypto_policy_value" />
|
||||
<ind:state state_ref="ste_system_crypto_policy_value" />
|
||||
</ind:variable_test>
|
||||
@@ -81,7 +81,8 @@
|
||||
</ind:variable_object>
|
||||
|
||||
<ind:variable_state id="ste_system_crypto_policy_value" version="2"
|
||||
- comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy.">
|
||||
+ comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds
|
||||
+to a crypto policy module that further restricts the modified crypto policy.">
|
||||
{{% if product in ["ol9","rhel9"] -%}}
|
||||
<ind:value operation="pattern match" datatype="string">^FIPS(:OSPP)?$</ind:value>
|
||||
{{%- else %}}
|
||||
@@ -94,7 +95,7 @@
|
||||
{{% if product in ["ol8","rhel8"] %}}
|
||||
<ind:textfilecontent54_test id="test_grubenv_fips_mode" version="1"
|
||||
check="all" check_existence="all_exist"
|
||||
- comment="Fips mode selected in running kernel opts">
|
||||
+ comment="FIPS mode is selected in running kernel options">
|
||||
<ind:object object_ref="obj_grubenv_fips_mode" />
|
||||
</ind:textfilecontent54_test>
|
||||
|
||||
@@ -106,5 +107,5 @@
|
||||
{{% endif %}}
|
||||
|
||||
<external_variable id="var_system_crypto_policy" version="1"
|
||||
- datatype="string" comment="defined crypto policy"/>
|
||||
+ datatype="string" comment="variable which selects the crypto policy"/>
|
||||
</def-group>
|
@ -0,0 +1,21 @@
|
||||
From 509c117acea0cc7a8457752cbdb4b8e7a6ca27d7 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Tue, 15 Aug 2023 15:17:16 +0200
|
||||
Subject: [PATCH] remove rules not relevant to RHEL 9 from STIG profile
|
||||
|
||||
rules have no remediation for RHEL 9, syntax for RHEL 9 is also different than RHEL 8
|
||||
---
|
||||
controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml | 2 --
|
||||
1 file changed, 2 deletions(-)
|
||||
|
||||
diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
index d5fe6e1327b..9d9dc579fc4 100644
|
||||
--- a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
+++ b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
|
||||
@@ -7,6 +7,4 @@ controls:
|
||||
rules:
|
||||
- sshd_enable_pam
|
||||
- sysctl_crypto_fips_enabled
|
||||
- - harden_sshd_ciphers_openssh_conf_crypto_policy
|
||||
- - harden_sshd_macs_openssh_conf_crypto_policy
|
||||
status: automated
|
@ -0,0 +1,30 @@
|
||||
From 08b9f875630e119d90a5a1fc3694f6168ad19cb9 Mon Sep 17 00:00:00 2001
|
||||
From: Vojtech Polasek <vpolasek@redhat.com>
|
||||
Date: Thu, 17 Aug 2023 10:50:09 +0200
|
||||
Subject: [PATCH] remove sebool_secure_mode_insmod from RHEL ANSSI high
|
||||
|
||||
---
|
||||
products/rhel8/profiles/anssi_bp28_high.profile | 2 ++
|
||||
products/rhel9/profiles/anssi_bp28_high.profile | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel8/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
||||
diff --git a/products/rhel9/profiles/anssi_bp28_high.profile b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
index e2eeabbb78d..204e141b1f5 100644
|
||||
--- a/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
+++ b/products/rhel9/profiles/anssi_bp28_high.profile
|
||||
@@ -17,3 +17,5 @@ description: |-
|
||||
|
||||
selections:
|
||||
- anssi:all:high
|
||||
+ # the following rule renders UEFI systems unbootable
|
||||
+ - '!sebool_secure_mode_insmod'
|
@ -0,0 +1,560 @@
|
||||
# SSG build system and tests count with build directory name `build`.
|
||||
# For more details see:
|
||||
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
%global _vpath_builddir build
|
||||
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.69
|
||||
Release: 2%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
||||
# Fix rule enable_fips_mode
|
||||
Patch1: scap-security-guide-0.1.70-improve_readability_enable_fips_mode-PR_10911.patch
|
||||
Patch2: scap-security-guide-0.1.70-fix_enable_fips_mode-PR_10961.patch
|
||||
# remove rules harden_sshd_(macs/ciphers)_openssh_conf_crypto_policy from STIG profile
|
||||
Patch3: scap-security-guide-0.1.70-remove_openssh_hardening_stig-PR_10996.patch
|
||||
# remove rule sebool_secure_mode_insmod from ANSSI high profile because it prevents UEFI-based systems from booting
|
||||
Patch4: scap-security-guide-0.1.70-remove_secure_mode_insmod_anssi-PR_11001.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
BuildRequires: openscap-scanner >= 1.2.5
|
||||
BuildRequires: cmake >= 2.8
|
||||
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
||||
BuildRequires: /usr/bin/python3
|
||||
BuildRequires: python%{python3_pkgversion}
|
||||
BuildRequires: python%{python3_pkgversion}-jinja2
|
||||
BuildRequires: python%{python3_pkgversion}-PyYAML
|
||||
Requires: xml-common, openscap-scanner >= 1.2.5
|
||||
|
||||
%description
|
||||
The scap-security-guide project provides a guide for configuration of the
|
||||
system from the final system's security point of view. The guidance is specified
|
||||
in the Security Content Automation Protocol (SCAP) format and constitutes
|
||||
a catalog of practical hardening advice, linked to government requirements
|
||||
where applicable. The project bridges the gap between generalized policy
|
||||
requirements and specific implementation guidelines. The system
|
||||
administrator can use the oscap CLI tool from openscap-scanner package, or the
|
||||
scap-workbench GUI tool from scap-workbench package to verify that the system
|
||||
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
|
||||
further information.
|
||||
|
||||
%package doc
|
||||
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description doc
|
||||
The %{name}-doc package contains HTML formatted documents containing
|
||||
hardening guidances that have been generated from XCCDF benchmarks
|
||||
present in %{name} package.
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%package rule-playbooks
|
||||
Summary: Ansible playbooks per each rule.
|
||||
Group: System Environment/Base
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
|
||||
%description rule-playbooks
|
||||
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
|
||||
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
|
||||
%define cmake_defines_specific %{nil}
|
||||
%if 0%{?rhel}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
|
||||
%endif
|
||||
%if 0%{?centos}
|
||||
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{centos}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON
|
||||
%endif
|
||||
|
||||
mkdir -p build
|
||||
%build
|
||||
%cmake %{cmake_defines_common} %{cmake_defines_specific}
|
||||
%cmake_build
|
||||
|
||||
%install
|
||||
%cmake_install
|
||||
rm %{buildroot}/%{_docdir}/%{name}/README.md
|
||||
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
|
||||
%files
|
||||
%{_datadir}/xml/scap/ssg/content
|
||||
%{_datadir}/%{name}/kickstart
|
||||
%{_datadir}/%{name}/ansible/*.yml
|
||||
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
||||
%doc %{_docdir}/%{name}/LICENSE
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%files doc
|
||||
%doc %{_docdir}/%{name}/guides/*.html
|
||||
%doc %{_docdir}/%{name}/tables/*.html
|
||||
|
||||
%if ( %{defined rhel} && (! %{defined centos}) )
|
||||
%files rule-playbooks
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/ansible/rule_playbooks
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
|
||||
- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
|
||||
- Fix ANSSI High profile with secure boot (RHBZ#2221697)
|
||||
|
||||
* Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
||||
- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
|
||||
- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
|
||||
- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
|
||||
- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
|
||||
- Correct URL used to download CVE checks. (RHBZ#2223178)
|
||||
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
|
||||
- Fixed excess quotes in journald configuration files (RHBZ#2193169)
|
||||
- Change rules checking home directories to apply only to local users (RHBZ#2203791)
|
||||
- Change rules checking password age to apply only to local users (RHBZ#2213958)
|
||||
- Updated man page (RHBZ#2060028)
|
||||
|
||||
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
||||
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
|
||||
- Fix remediation of audit watch rules (RHBZ#2169441)
|
||||
- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
|
||||
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
|
||||
- Unselect rule logind_session_timeout (RHBZ#2169443)
|
||||
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
|
||||
|
||||
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
|
||||
- OSPP: fix rule related to coredump (RHBZ#2081688)
|
||||
|
||||
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
|
||||
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
|
||||
|
||||
* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
|
||||
- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
|
||||
|
||||
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
|
||||
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
|
||||
- OSPP: update rules related to coredumps (RHBZ#2081688)
|
||||
- OSPP: update rules related to BPF (RHBZ#2081728)
|
||||
- fix description of require_singleuser_mode (RHBZ#2092799)
|
||||
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
|
||||
- OSPP: use minimal Authselect profile(RHBZ#2114979)
|
||||
|
||||
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
|
||||
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
|
||||
|
||||
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
|
||||
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
|
||||
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
|
||||
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
|
||||
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
|
||||
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
|
||||
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
|
||||
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
|
||||
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
|
||||
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
|
||||
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
|
||||
- Remove rules related to NIS services (RHBZ#2096602)
|
||||
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
|
||||
|
||||
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
|
||||
- Rebase to a new upstream release (RHBZ#2070563)
|
||||
|
||||
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
|
||||
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
|
||||
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
|
||||
- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
|
||||
|
||||
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014561)
|
||||
- Update description of OSPP profile (RHBZ#2045386)
|
||||
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
|
||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
|
||||
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
|
||||
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
|
||||
- Update GRUB2 rule descriptions (RHBZ#2020623)
|
||||
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
|
||||
|
||||
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
|
||||
- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
|
||||
|
||||
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
|
||||
- Rebase to a new upstream release (RHBZ#2014561)
|
||||
|
||||
* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
|
||||
- Rebase to a new upstream release (RHBZ#2014561)
|
||||
- Enable Centos Stream 9 content (RHBZ#2021284)
|
||||
|
||||
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
|
||||
- Rebase to a new upstream release (RHBZ#2014561)
|
||||
- Disable profiles that we disable in RHEL8
|
||||
- Add a VM wait handling to fix issues with tests.
|
||||
|
||||
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
|
||||
- Fix remediations applicability of zipl rules
|
||||
Resolves: rhbz#1996847
|
||||
|
||||
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
|
||||
- Fix a broken HTTP link
|
||||
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
|
||||
Resolves: rhbz#1962564
|
||||
|
||||
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
|
||||
- Use SSHD directory-based configuration.
|
||||
Resolves: rhbz#1962564
|
||||
- Introduce ISM kickstarts
|
||||
Resolves: rhbz#1978290
|
||||
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
|
||||
TLDR: Enable remediations by means of platform metadata,
|
||||
enable the RHEL9 GPG rule, introduce the s390x platform,
|
||||
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
|
||||
address the subscription-manager package merge, and
|
||||
enable and select more rules applicable to RHEL9.
|
||||
Resolves: rhbz#1987227
|
||||
Resolves: rhbz#1987226
|
||||
Resolves: rhbz#1987231
|
||||
Resolves: rhbz#1988289
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
|
||||
- Upgrade to the latest upstream release
|
||||
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
|
||||
|
||||
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
|
||||
- Introduced the playbooks subpackage.
|
||||
- Enabled CentOS content on CentOS systems.
|
||||
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
|
||||
|
||||
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
|
||||
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
|
||||
|
||||
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
|
||||
- Upgrade to the latest upstream release
|
||||
- remove README.md and Contributors.md
|
||||
- remove SCAP component files
|
||||
- remove SCAP 1.2 source data streams
|
||||
- remove HTML guides for the virtual “(default)” profile
|
||||
- remove profile Bash remediation scripts
|
||||
- build only RHEL9 content
|
||||
- remove other products
|
||||
- use autosetup in %prep phase
|
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
|
||||
- fix definition of build directory
|
||||
|
||||
* Fri Feb 05 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.54 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.54
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.53-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Mon Nov 16 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.53 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53
|
||||
|
||||
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-3
|
||||
- revert previous rework, it did not solve the problem
|
||||
|
||||
* Wed Sep 23 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-2
|
||||
- rewrite solution for CMake out of source builds
|
||||
|
||||
* Mon Sep 21 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.52-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.52 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.52
|
||||
|
||||
* Tue Aug 04 2020 Jan Černý <jcerny@redhat.com> - 0.1.51-4
|
||||
- Update for new CMake out of source builds
|
||||
https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
|
||||
- Fix FTBS in Rawhide/F33 (RHBZ#1863741)
|
||||
|
||||
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-3
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.51-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Fri Jul 17 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.51-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.51 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.51
|
||||
|
||||
* Mon Mar 23 2020 Watson Sato <wsato@redhat.com> - 0.1.49-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.49 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.49
|
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.48-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Thu Jan 16 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.48 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.48
|
||||
|
||||
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
||||
- Hotfix of the XML parsing fix.
|
||||
|
||||
* Mon Dec 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.47 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.47
|
||||
- Fixed XML parsing of remediation functions.
|
||||
|
||||
* Mon Jul 29 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.45 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.45
|
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.44-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Mon May 06 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.44-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.44 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.44
|
||||
|
||||
* Fri Feb 22 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.43 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.43
|
||||
- Update URL and source URL
|
||||
|
||||
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.42-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Wed Dec 12 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.42-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
||||
- Fix man page build dependency on derivative content
|
||||
|
||||
* Mon Oct 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
||||
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
||||
- Fix Licence of this package
|
||||
|
||||
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.40 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.40
|
||||
- Update to use Python3 for build.
|
||||
|
||||
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.39-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
|
||||
- Add python version to python2-jinja2 package
|
||||
|
||||
* Fri May 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
||||
|
||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-2
|
||||
- Add python version to python package prefixes
|
||||
|
||||
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
|
||||
|
||||
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
|
||||
|
||||
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
|
||||
|
||||
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
|
||||
- updated to latest upstream release
|
||||
|
||||
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
|
||||
- use make_build and make_install RPM macros
|
||||
|
||||
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
|
||||
- update to the latest upstream release
|
||||
- new default location for content /usr/share/scap/ssg
|
||||
- install HTML tables in the doc subpackage
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
|
||||
- Correct currently failing parallel SCAP Security Guide build
|
||||
|
||||
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
|
||||
- Drop shell library for remediation functions since it is not required
|
||||
starting from 0.1.30 release any more
|
||||
|
||||
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
|
||||
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
|
||||
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
|
||||
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
|
||||
in 0.1.29 upstream release
|
||||
|
||||
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
|
||||
- upgrade to the latest upstream release
|
||||
|
||||
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
|
||||
- update to the latest upstream release
|
||||
- created doc sub-package to ship all the guides
|
||||
- start distributing centos and scientific linux content
|
||||
- rename java content to jre
|
||||
|
||||
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
|
||||
- update to the latest upstream release
|
||||
- only DataStream file is now available for Fedora
|
||||
- start distributing security baseline for Firefox
|
||||
- start distributing security baseline for Java RunTime deployments
|
||||
|
||||
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
|
||||
- update to the latest upstream release
|
||||
- move content to /usr/share/scap/ssg/content
|
||||
|
||||
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
|
||||
- update to the latest upstream release
|
||||
|
||||
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
|
||||
- require only openscap-scanner, not whole openscap-utils package
|
||||
|
||||
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
|
||||
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
|
||||
- Add STIG DISCLAIMER to the shipped documentation
|
||||
|
||||
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
|
||||
- Fix fedora-srpm and fedora-rpm Make targets to work again
|
||||
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
|
||||
- EOL for Fedora 18 support
|
||||
- Include Fedora datastream file for remote Fedora system scans
|
||||
|
||||
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
|
||||
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
|
||||
|
||||
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
|
||||
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
|
||||
it to /shared
|
||||
- Add shared remediations for sshd disable empty passwords and
|
||||
sshd set idle timeout
|
||||
- Shared remediation for sshd disable root login
|
||||
- Add empty -compat subpackage to ensure backward-compatibility with
|
||||
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
|
||||
- OVAL check for sshd disable root login
|
||||
- Fix typo in OVAL check for sshd disable empty passwords
|
||||
- OVAL check for sshd disable empty passwords
|
||||
- Unselect no shelllogin for systemaccounts rule from being run by default
|
||||
- Rename XCCDF rules
|
||||
- Revert Set up Fedora release name and CPE based on build system properties
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
|
||||
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
|
||||
- Shared OVAL check for Verify that System Executables Have Root Ownership
|
||||
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
|
||||
Permissions
|
||||
- Fix remediation for Disable Prelinking rule
|
||||
- OVAL check and remediation for sshd's ClientAliveCountMax rule
|
||||
- OVAL check for sshd's ClientAliveInterval rule
|
||||
- Include descriptions for permissions section, and rules for checking
|
||||
permissions and ownership of shared library files and system executables
|
||||
- Disable selected rules by default
|
||||
- Add remediation for Disable Prelinking rule
|
||||
- Adjust service-enable-macro, service-disable-macro XSLT transforms
|
||||
definition to evaluate to proper systemd syntax
|
||||
- Fix service_ntpd_enabled OVAL check make validate to pass again
|
||||
- Include patch from Šimon Lukašík to obsolete openscap-content
|
||||
package (RH BZ#1028706)
|
||||
- Add OVAL check to test if there's is remote NTP server configured for
|
||||
time data
|
||||
- Add system settings section for the guide (to track system wide
|
||||
hardening configurations)
|
||||
- Include disable prelink rule and OVAL check for it
|
||||
- Initial OVAL check if ntpd service is enabled. Add package_installed
|
||||
OVAL templating directory structure and functionality.
|
||||
- Include services section, and XCCDF description for selected ntpd's
|
||||
sshd's service rules
|
||||
- Include remediations for login.defs' based password minimum, maximum and
|
||||
warning age rules
|
||||
- Include directory structure to support remediations
|
||||
- Add SCAP "replace or append pattern value in text file based on variable"
|
||||
remediation script generator
|
||||
- Add remediation for "Set Password Minimum Length in login.defs" rule
|
||||
|
||||
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
|
||||
- Update versioning scheme - move fedorassgrelease to be part of
|
||||
upstream version. Rename it to fedorassgversion to avoid name collision
|
||||
with Fedora package release.
|
||||
|
||||
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
|
||||
- Add .gitignore for Fedora output directory
|
||||
- Set up Fedora release name and CPE based on build system properties
|
||||
- Use correct file paths in scap-security-guide(8) manual page
|
||||
(RH BZ#1018905, c#10)
|
||||
- Apply further changes motivated by scap-security-guide Fedora RPM review
|
||||
request (RH BZ#1018905, c#8):
|
||||
* update package description,
|
||||
* make content files to be owned by the scap-security-guide package,
|
||||
* remove Fedora release number from generated content files,
|
||||
* move HTML form of the guide under the doc directory (together
|
||||
with that drop fedora/content subdir and place the content
|
||||
directly under fedora/ subdir).
|
||||
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
|
||||
* drop Fedora release from package provided files' final path (c#5),
|
||||
* drop BuildRoot, selected Requires:, clean section, drop chcon for
|
||||
manual page, don't gzip man page (c#4),
|
||||
* change package's description (c#4),
|
||||
* include PD license text (#c4).
|
||||
|
||||
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
|
||||
- Provide manual page for scap-security-guide
|
||||
- Remove percent sign from spec's changelog to silence rpmlint warning
|
||||
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
|
||||
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
|
||||
- Introduce 'Account and Access Control' section
|
||||
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
|
||||
rules to Fedora
|
||||
- Set proper name of the build directory in the spec's setup macro.
|
||||
- Replace hard-coded paths with macros. Preserve attributes when copying files.
|
||||
|
||||
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
|
||||
- Initial Fedora SSG RPM.
|
Loading…
Reference in new issue