Compare commits

No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

.gitignore vendored

@ -1 +1 @@
SOURCES/scap-security-guide-0.1.75.tar.bz2
SOURCES/scap-security-guide-0.1.74.tar.bz2

@ -1 +1 @@
96a8823bf638cd2c656deb431686f74da8084694 SOURCES/scap-security-guide-0.1.75.tar.bz2
31288700eb6b3cd31d181592238babd8752d5074 SOURCES/scap-security-guide-0.1.74.tar.bz2
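
Review bot: both source lines in this hunk pin the tarball with a 40-hex-character digest, which is SHA-1 length. For a package that ships security baselines, record the upstream tarball with a SHA-256 or SHA-512 digest so the pin does not depend on a hash with known collision attacks, and check the new digest against the release asset at the Source0 URL before merging.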

@ -2,10 +2,9 @@
# For more details see:
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build
# global _default_patch_fuzz 2 # Normally shouldn't be needed as patches should apply cleanly
Name: scap-security-guide
Version: 0.1.75
Version: 0.1.74
Release: 1%{?dist}
Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause
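
Review bot: at `Version:`, the second line (0.1.74, the cs10 side of this c9...cs10 comparison) is one upstream release behind the first (0.1.75). The c9 changelog further down credits the 0.1.75 rebase with sshd drop-in configuration checks (RHEL-38206) and the NetworkManager DNS mode remediation (RHEL-53426); confirm whether cs10 needs those content fixes and, if it does, schedule the rebase rather than leaving the branch behind. The `_default_patch_fuzz` comment line appears on one side only, so also confirm no patch on the other side relies on fuzz to apply.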
@ -14,12 +13,15 @@ Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{versio
BuildArch: noarch
BuildRequires: libxslt
BuildRequires: expat
BuildRequires: openscap-scanner >= 1.2.5
BuildRequires: cmake >= 2.8
BuildRequires: python%{python3_pkgversion}-devel
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires: python%{python3_pkgversion}
BuildRequires: python%{python3_pkgversion}-jinja2
BuildRequires: python%{python3_pkgversion}-PyYAML
BuildRequires: python%{python3_pkgversion}-setuptools
Requires: xml-common, openscap-scanner >= 1.2.5
%description
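
Review bot: the Python interpreter is requested three ways in this hunk: `python%{python3_pkgversion}-devel`, the file path `/usr/bin/python3` with its explanatory comment, and `python%{python3_pkgversion}`. If more than one of these remains on the cs10 side, keep a single form and drop the comment with the file-path line so the BuildRequires list states one reason for one dependency. The floors `cmake >= 2.8` and `openscap-scanner >= 1.2.5` are worth rechecking against what the 0.1.74 build actually needs.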
@ -43,7 +45,7 @@ The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%if ( %{defined rhel} && (! %{defined centos}) )
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
%package rule-playbooks
Summary: Ansible playbooks per each rule.
Group: System Environment/Base
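
Review bot: the guard `%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )` on `%package rule-playbooks` is repeated verbatim in the `%files` exclude and the `%files rule-playbooks` hunks below, so three copies must be edited together each time a distribution is added. Define the condition once near the top of the spec (a `%global` or a `%bcond`) and test that in all three places; a mismatch between the `%package` guard and either `%files` guard fails the build or ships the playbooks in the wrong package.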
@ -58,7 +60,7 @@ The %{name}-rule-playbooks package contains individual ansible playbooks per rul
%define cmake_defines_common -DSSG_SEPARATE_SCAP_FILES_ENABLED=OFF -DSSG_BASH_SCRIPTS_ENABLED=OFF -DSSG_BUILD_SCAP_12_DS=OFF
%define cmake_defines_specific %{nil}
%if 0%{?rhel}
%if 0%{?rhel} && ! %{defined eln}
%define cmake_defines_specific -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE -DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF -DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON
%endif
%if 0%{?centos}
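
Review bot: at `%if 0%{?rhel} && ! %{defined eln}`, an ELN build now skips the block that sets `-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE` and `-DSSG_PRODUCT_RHEL%{rhel}:BOOLEAN=TRUE`, so `cmake_defines_specific` stays at `%{nil}` unless the `%if 0%{?centos}` branch that follows applies. State in a comment which products ELN is expected to build, and use the same test style as the subpackage guard (`%{defined rhel}` there, `0%{?rhel}` here) so the two conditions can be compared at a glance.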
@ -76,12 +78,12 @@ rm %{buildroot}/%{_docdir}/%{name}/README.md
rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%files
# To Enabled once the content for RHEL 10
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible/*.yml
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%if ( %{defined rhel} && (! %{defined centos}) )
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
%endif
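
Review bot: the comment `# To Enabled once the content for RHEL 10` directly above `%{_datadir}/xml/scap/ssg/content` does not say what is to be enabled or whether the entry below it is already active. Reword it to name the file entry or condition it refers to, or remove it if the RHEL 10 content is already packaged by the lines that follow.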
@ -89,201 +91,133 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html
%if ( %{defined rhel} && (! %{defined centos}) )
%if ( %{defined rhel} && (! %{defined centos}) && (! %{defined eln}) )
%files rule-playbooks
%defattr(-,root,root,-)
%{_datadir}/%{name}/ansible/rule_playbooks
%endif
%changelog
* Fri Nov 15 2024 Matthew Burket <mburket@redhat.com> - 0.1.75-1
- Rebase to new release (RHEL-66154)
- the rule sshd_use_priv_separation is no longer used (RHEL-66057)
- add a rule checking for presence of chrony to CIS RHEL 9 profile (RHEL-60005)
- remediation of Networkmanager DNS mode now remediates value "default" (RHEL-53426)
- Adjust mount_option_nodev_nonroot_local_partitions to work in Image Builder environments. (RHEL-45018)
- Adjusted rules related to sshd ensure constancy in checked values and ensure that drop in configuration files are checked. (RHEL-38206)
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com> - 0.1.74-1
- Rebase to a new upstream release 0.1.74 (RHEL-53865)
- Ensure authselect features are preserved by enable_authselect rule (RHEL-39383)
- Fix check for passwords last changed date (RHEL-47129)
- Remediations of Journald configuration files now include a correct section (RHEL-38531)
- Adjust service requirements for CIS profiles (RHEL-23852)
- Update password hashing settings for ANSSI-BP-028 (RHEL-44983)
* Wed Aug 07 2024 Milan Lysonek <mlysonek@redhat.com> - 0.1.73-2
- Switch gating to tmt plan (RHEL-43243)
* Mon May 20 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.73-1
- Rebase to a new upstream release 0.1.73 (RHEL-36663)
- Correctly parse sudo options even if they are not quoted (RHEL-31976)
- Ensure that web links within kickstart files are valid (RHEL-30735)
- Align set of allowed SSH ciphers with STIG requirement (RHEL-29684)
- Add audit rules on /etc/sysconfig/network-scripts (RHEL-29308)
- Remove rule restricting user namespaces from stig_gui profile (RHEL-10416)
- Add rule which enables auditing of files within /etc/sysconfig/network-scripts (RHEL-1093)
* Tue Feb 13 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
- Rebase to a new upstream release 0.1.72 (RHEL-21425)
- Check dropin files in /etc/systemd/journald.conf.d/ (RHEL-14484)
- Fix remediation to not update comments (RHEL-1484)
- Fix package check on SCAP tests for dnf settings (RHEL-17417)
- Update description for audit_rules_kernel_module_loading (RHEL-1489)
- Disable remediation for /dev/shm options in offline mode (RHEL-16801)
- Include explanatory comment in the remediation of CCE-83871-4 (RHEL-17418)
* Tue Dec 05 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-3
- Align STIG profile with official DISA STIG for RHEL 9 (RHEL-1807)
* Thu Aug 17 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-2
- Remove OpenSSH crypto policy hardening rules from STIG profile (RHBZ#2221697)
- Fix ANSSI High profile with secure boot (RHBZ#2221697)
* Wed Aug 09 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Rebase to a new upstream release 0.1.69 (RHBZ#2221697)
- Improve CIS benchmark rules related to auditing of kernel module related events (RHBZ#2209657)
- SSSD configuration files are now created with correct permissions whenever remediating SSSD related rules (RHBZ#2211511)
- add warning about migration of network configuration files when upgrading from RHEL 8 to RHEL 9 (RHBZ#2172555)
- Correct URL used to download CVE checks. (RHBZ#2223178)
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155790)
- Fixed excess quotes in journald configuration files (RHBZ#2193169)
- Change rules checking home directories to apply only to local users (RHBZ#2203791)
- Change rules checking password age to apply only to local users (RHBZ#2213958)
- Updated man page (RHBZ#2060028)
* Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
- Rebase to a new upstream release 0.1.66 (RHBZ#2169443)
- Fix remediation of audit watch rules (RHBZ#2169441)
- Fix check firewalld_sshd_port_enabled (RHBZ#2169443)
- Fix accepted control flags for pam_pwhistory (RHBZ#2169443)
- Unselect rule logind_session_timeout (RHBZ#2169443)
- Add support rainer scripts in rsyslog rules (RHBZ#2169445)
* Thu Aug 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.63-5
- OSPP: fix rule related to coredump (RHBZ#2081688)
* Tue Aug 23 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-4
- use sysctl_kernel_core_pattern rule again in RHEL9 OSPP (RHBZ#2081688)
* Thu Aug 11 2022 Matej Tyc <matyc@redhat.com> - 0.1.63-3
- Readd rules to the benchmark to be compatible across all minor versions of RHEL9 (RHBZ#2117669)
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
- OSPP: utilize different audit rule set for different hardware platforms (RHBZ#1998583)
- OSPP: update rules related to coredumps (RHBZ#2081688)
- OSPP: update rules related to BPF (RHBZ#2081728)
- fix description of require_singleuser_mode (RHBZ#2092799)
- fix remediation of OpenSSL cryptopolicy (RHBZ#2108569)
- OSPP: use minimal Authselect profile(RHBZ#2114979)
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
- Rebase to a new upstream release 0.1.63 (RHBZ#2070563)
* Mon Jul 18 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- Remove sysctl_fs_protected_* rules from RHEL9 OSPP (RHBZ#2081719)
- Make rule audit_access_success_ unenforcing in RHEL9 OSPP (RHBZ#2058154)
- Drop zipl_vsyscall_argument rule from RHEL9 OSPP profile (RHBZ#2060049)
- make sysctl_user_max_user_namespaces in RHEL9 OSPP (RHBZ#2083716)
- Remove some sysctl rules related to network from RHEL9 OSPP (RHBZ#2081708)
- Add rule to check if Grub2 recovery is disabled to RHEL9 OSPP (RHBZ#2092809)
- Add rule grub2_systemd_debug-shell_argument_absent (RHBZ#2092840)
- Remove rule accounts_password_minlen_login_defs from all profiles (RHBZ#2073040)
- Remove rules related to remove logging from RHEL9 OSPP (RHBZ#2105016)
- Remove sshd_enable_strictmodes from OSPP (RHBZ#2105278)
- Remove rules related to NIS services (RHBZ#2096602)
- Make rule stricter when checking for FIPS crypto-policies (RHBZ#2057082)
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
- Rebase to a new upstream release (RHBZ#2070563)
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2056847)
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014561)
- Update rule enable_fips_mode to check only for technical state (RHBZ#2057457)
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014561)
- Update description of OSPP profile (RHBZ#2045386)
- Add page_aloc.shuffle rules for OSPP profile (RHBZ#2055118)
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2045403)
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2014561)
- Update GRUB2 rule descriptions (RHBZ#2020623)
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014561)
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
- Update OSPP profile (RHBZ#2016038, RHBZ#2043036, RHBZ#2020670, RHBZ#2046289)
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Rebase to a new upstream release (RHBZ#2014561)
* Wed Dec 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.59-1
- Rebase to a new upstream release (RHBZ#2014561)
- Enable Centos Stream 9 content (RHBZ#2021284)
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
- Rebase to a new upstream release (RHBZ#2014561)
- Disable profiles that we disable in RHEL8
- Add a VM wait handling to fix issues with tests.
* Wed Aug 25 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-5
- Fix remediations applicability of zipl rules
Resolves: rhbz#1996847
* Tue Aug 24 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-4
- Fix a broken HTTP link
Add CIS profile based on RHEL8 CIS, fix its Crypto Policy usage
Resolves: rhbz#1962564
* Tue Aug 17 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-3
- Use SSHD directory-based configuration.
Resolves: rhbz#1962564
- Introduce ISM kickstarts
Resolves: rhbz#1978290
- Deliver numerous RHEL9 fixes to rules - see related BZs for details.
TLDR: Enable remediations by means of platform metadata,
enable the RHEL9 GPG rule, introduce the s390x platform,
fix the ctrl-alt-del reboot disable, fix grub2 UEFI config file location,
address the subscription-manager package merge, and
enable and select more rules applicable to RHEL9.
Resolves: rhbz#1987227
Resolves: rhbz#1987226
Resolves: rhbz#1987231
Resolves: rhbz#1988289
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.57-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com>
- Update to latest upstream SCAP-Security-Guide-0.1.74 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.74
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.1.73-2
- Bump release for June 2024 mass rebuild
* Wed May 22 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
- Upgrade to the latest upstream release
- Introduce more complete RHEL9 content in terms of rules, profiles and kickstarts.
* Wed Jul 07 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-3
- Introduced the playbooks subpackage.
- Enabled CentOS content on CentOS systems.
- Solved missing CCEs problem by unselecting problematic rules by means of editing patches or by porting PRs that unselect them.
* Wed Mar 27 2024 Matthew Burket <mburket@redhat.com> - 0.1.72-2
- Add RHEL10 Product
* Mon Jun 28 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Enable more RHEL9 rules and introduce RHEL9 profile stubs
* Fri Feb 09 2024 Vojtech Polasek <vpolasek@redhat.com> - 0.1.72-1
- Update to latest upstream SCAP-Security-Guide-0.1.72 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.72
* Wed May 19 2021 Jan Černý <jcerny@redhat.com> - 0.1.56-1
- Upgrade to the latest upstream release
- remove README.md and Contributors.md
- remove SCAP component files
- remove SCAP 1.2 source data streams
- remove HTML guides for the virtual “(default)” profile
- remove profile Bash remediation scripts
- build only RHEL9 content
- remove other products
- use autosetup in %prep phase
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.1.54-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.71-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Dec 19 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.71-1
- Update to latest upstream SCAP-Security-Guide-0.1.71 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.71
* Thu Oct 12 2023 Matthew Burket <mburket@redhat.com> - 0.1.70-1
- Update to latest upstream SCAP-Security-Guide-0.1.70 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.70
* Thu Aug 03 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
- Update to latest upstream SCAP-Security-Guide-0.1.69 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.69
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.68-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 15 2023 Jan Černý <jcerny@redhat.com> - 0.1.68-1
- Update to latest upstream SCAP-Security-Guide-0.1.68 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.68
* Wed Apr 12 2023 Matthew Burket <mburket@redhat.com> - 0.1.67-1
- Update to latest upstream SCAP-Security-Guide-0.1.67 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.67
* Fri Feb 03 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.66-1
- Update to latest upstream SCAP-Security-Guide-0.1.66 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.66
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.65-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Dec 06 2022 Marcus Burghardt <maburgha@redhat.com> - 0.1.65-1
- Update to latest upstream SCAP-Security-Guide-0.1.65 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.65
* Tue Oct 04 2022 Watson Sato <wsato@redhat.com> - 0.1.64-1
- Update to latest upstream SCAP-Security-Guide-0.1.64 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.64
* Mon Aug 01 2022 Watson Sato <wsato@redhat.com> - 0.1.63-1
- Update to latest upstream SCAP-Security-Guide-0.1.63 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.63
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.62-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jun 09 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-2
- rebuild, the release did not get propagated into rawhide
* Mon May 30 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.62-1
- Update to latest upstream SCAP-Security-Guide-0.1.62 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.62
* Wed May 04 2022 Watson Sato <wsato@redhat.com> - 0.1.61-1
- Update to latest upstream SCAP-Security-Guide-0.1.61 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.61
* Fri Jan 28 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
- Update to latest upstream SCAP-Security-Guide-0.1.60 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.60
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.59-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
- Update to latest upstream SCAP-Security-Guide-0.1.59 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.59
- Fix loading of jinja files
* Thu Sep 30 2021 Watson Sato <wsato@redhat.com> - 0.1.58-1
- Update to latest upstream SCAP-Security-Guide-0.1.58 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.58
- Fix license warning.
* Thu Jul 29 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
- Update to latest upstream SCAP-Security-Guide-0.1.57 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.57
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.56-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jun 08 2021 Matej Tyc <matyc@redhat.com> - 0.1.56-2
- Updated the packaging according to the RHEL development trends.
- Don't ship 1.2 datastreams and Bash remediations.
- Clean up dependencies and other package metadata.
- Change the RHEL target.
* Wed May 26 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.56-1
- Update to latest upstream SCAP-Security-Guide-0.1.56 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.56
* Fri Mar 19 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.55-2
- rebuilt
* Fri Mar 19 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.55-1
- Update to latest upstream SCAP-Security-Guide-0.1.55 release:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.55
* Fri Feb 12 2021 Matej Tyc <matyc@redhat.com> - 0.1.54-3
- Moved the spec file closer to the RHEL one.
* Fri Feb 12 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-2
- fix definition of build directory
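
Review bot: the changelog entry `* Fri Aug 09 2024 Matthew Burket <mburket@redhat.com>` that introduces the 0.1.74 update has no version-release suffix, while every other entry in this hunk ends with one (for example `- 0.1.73-2`). Add `- 0.1.74-1` so the entry matches `Version: 0.1.74` and `Release: 1%{?dist}` and so changelog tooling can map it to a build. The entries on this side also carry no issue references, unlike the `RHEL-` and `RHBZ#` tags on the other side; add the tracking id for the 0.1.74 update if one exists.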
