Blame SPECS/scap-security-guide.spec

7e5c3a
# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
7e5c3a
# RHEL 7.X uses versioned docs dir, hence the definition below
7e5c3a
%global _pkgdocdir %{_docdir}/%{name}-%{version}
7e5c3a
7e5c3a
Name:		scap-security-guide
247868
Version:	0.1.49
247868
Release:	2%{?dist}
7e5c3a
Summary:	Security guidance and baselines in SCAP formats
7e5c3a
7e5c3a
Group:		System Environment/Base
7e5c3a
License:	BSD-3-Clause
7e5c3a
URL:		https://github.com/ComplianceAsCode/content
7e5c3a
Source0:	%{name}-%{version}.tar.bz2
247868
Patch0:	disable-not-in-good-shape-profiles.patch
247868
Patch1:	scap-security-guide-0.1.50-simplify_login_banner.patch
247868
Patch2:	scap-security-guide-0.1.50-fix_sysctl_rules_description.patch
247868
Patch3:	scap-security-guide-0.1.50-parametrize_sshd_approved_ciphers.patch
7e5c3a
BuildArch:	noarch
7e5c3a
7e5c3a
BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML
7e5c3a
Requires:	xml-common, openscap-scanner >= 1.2.5
7e5c3a
7e5c3a
%description
7e5c3a
The scap-security-guide project provides a guide for configuration of the
7e5c3a
system from the final system's security point of view. The guidance is
7e5c3a
specified in the Security Content Automation Protocol (SCAP) format and
7e5c3a
constitutes a catalog of practical hardening advice, linked to government
7e5c3a
requirements where applicable. The project bridges the gap between generalized
7e5c3a
policy requirements and specific implementation guidelines. The Red Hat
7e5c3a
Enterprise Linux 7 system administrator can use the oscap command-line tool
7e5c3a
from the openscap-utils package to verify that the system conforms to the provided
7e5c3a
guideline. Refer to the scap-security-guide(8) manual page for further information.
7e5c3a
7e5c3a
%package	doc
7e5c3a
Summary:	HTML formatted documents containing security guides generated from XCCDF benchmarks.
7e5c3a
Group:		System Environment/Base
7e5c3a
Requires:	%{name} = %{version}-%{release}
7e5c3a
7e5c3a
%description	doc
7e5c3a
The %{name}-doc package contains HTML formatted documents containing security guides that have
7e5c3a
been generated from XCCDF benchmarks present in %{name} package.
7e5c3a
7e5c3a
%prep
7e5c3a
%setup -q -n %{name}-%{version}
247868
%patch0 -p1
247868
%patch1 -p1
247868
%patch2 -p1
247868
%patch3 -p1
7e5c3a
# Workaround to remove Python byte cache files from the upstream sources
7e5c3a
# See https://github.com/ComplianceAsCode/content/issues/4042
7e5c3a
find . -name '*.pyc' -exec rm -f {} ';'
7e5c3a
mkdir build
7e5c3a
7e5c3a
%build
7e5c3a
mkdir -p build && cd build
7e5c3a
%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
247868
-DSSG_PRODUCT_DEFAULT:BOOL=OFF \
7e5c3a
-DSSG_PRODUCT_FIREFOX:BOOL=ON \
7e5c3a
-DSSG_PRODUCT_JRE:BOOL=ON \
7e5c3a
-DSSG_PRODUCT_RHEL6:BOOL=ON \
7e5c3a
-DSSG_PRODUCT_RHEL7:BOOL=ON \
247868
-DSSG_PRODUCT_RHEL8:BOOL=ON \
7e5c3a
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
7e5c3a
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
7e5c3a
../
7e5c3a
make %{?_smp_mflags}
7e5c3a
7e5c3a
%install
7e5c3a
cd build
7e5c3a
%make_install
7e5c3a
7e5c3a
%files
7e5c3a
%defattr(-,root,root,-)
7e5c3a
%{_datadir}/xml/scap
7e5c3a
%{_datadir}/%{name}
7e5c3a
%lang(en) %{_mandir}/man8/scap-security-guide.8.gz
7e5c3a
%doc LICENSE
7e5c3a
%doc Contributors.md
7e5c3a
%doc README.md
7e5c3a
%doc DISCLAIMER
7e5c3a
# All files installed by cmake are automatically included in the main package
7e5c3a
# We exclude the guides here to add them in the doc package
7e5c3a
%exclude %{_pkgdocdir}/guides/
7e5c3a
7e5c3a
%files doc
7e5c3a
%defattr(-,root,root,-)
7e5c3a
%doc build/guides/ssg-*-guide-*.html
7e5c3a
7e5c3a
%changelog
247868
* Tue Mar 31 2020 Watson Sato <wsato@redhat.com> - 0.1.49-2
247868
- Fix remediation of dconf_gnome_login_banner_text (RHBZ#1776780)
247868
- Fix misleading sysctl rules description (RHBZ#1494606)
247868
- Update STIG FIPS approved SSHD ciphers (RHBZ#1781244)
247868
247868
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
247868
- Update to the latest upstream release (RHBZ#1815008)
247868
247868
* Thu Nov 28 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-11
247868
- Ship RHEL 8 content (RHBZ#1777862)
247868
247868
* Wed Nov 20 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.46-10
247868
- Added missing CCE for rule sudo_require_authentication. (RHBZ#1755192)
247868
- fix check and remediation for rule aide_periodic_cron_checking (RHBZ#1658036)
247868
247868
* Mon Nov 18 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-9
247868
- Fixed missing CCE for OSPP, E8 and STIG profiles. (RHBZ#1726698)
247868
- Added kickstart file for the Essential Eight (e8) profile. (RHBZ#1755192)
247868
247868
* Fri Nov 15 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-8
247868
- Fix an omission on backporting the patch which fixes krb_sec rule. (RHBZ#1726698)
247868
247868
* Fri Nov 15 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-7
247868
- Added support for the Essential Eight (e8) profile. (RHBZ#1755192)
247868
- Fixed issues with sshd rules used in the e8 profile. (RHBZ#1755192)
247868
247868
* Wed Nov 13 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-6
247868
- Updated ansible playbooks to use modules in favor of shell. (RHBZ#1726698)
247868
- Removed rule directory_access_var_log_audit from OSPP profile. (RHBZ#1726698)
247868
- Fixed ansible playbooks failing when running in --check mode. (RHBZ#1726698)
247868
247868
* Mon Nov 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-5
247868
- Fixed grub2_enable_fips_mode rule when installing RHEL on machines with AES-enabled processors. (RHBZ#1754532)
247868
247868
* Wed Nov 06 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-4
247868
- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754550)
247868
- Fixed mtab handling of remediation of /dev/shm/noexec (RHBZ#1754553)
247868
247868
* Tue Nov 05 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-3
247868
- Made the cmake product selection future-proof. (RHBZ#1726698)
247868
247868
* Tue Nov 05 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-2
247868
- Fix rules file_permissions_unauthorized_suid and sgid (RHBZ#1693026)
247868
7e5c3a
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
7e5c3a
- Update to the latest upstream release 0.1.46 (RHBZ#1726698)
7e5c3a
7e5c3a
* Fri Aug 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.45-2
7e5c3a
- Added a patch not to build SCAP 1.2 datastreams, only SCAP 1.3 (RHBZ#1726698)
7e5c3a
7e5c3a
* Tue Aug 06 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
7e5c3a
- Update to the latest upstream release (RHBZ#1726698)
7e5c3a
7e5c3a
* Wed Jun 12 2019 Matěj Týč <matyc@redhat.com> - 0.1.43-13
7e5c3a
- Fixed the shared dconf bash remediation (RHBZ#1631378)
7e5c3a
7e5c3a
* Mon Jun 03 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-12
7e5c3a
- Make aide and smart card rules not applicable to containers (RHBZ#1711893)
7e5c3a
- Added rule dconf_db_up_to_date to ensure dconf databases are up-to-date (RHBZ#1631378)
7e5c3a
7e5c3a
* Fri May 24 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-11
7e5c3a
- Remove faulty dconf_use_text_backend rule from all profiles (Reverts RHBZ#1631378)
7e5c3a
7e5c3a
* Thu May 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-10
7e5c3a
- Fixed Ansible remediation for sssd_ssh_known_hosts_timeout (RHBZ#1599179)
7e5c3a
7e5c3a
* Mon May 20 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-9
7e5c3a
- Fixed missing Ansible tags and platform checks (RHBZ#1685950)
7e5c3a
7e5c3a
* Fri May 17 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-8
7e5c3a
- Fixed OVAL check for sssd_ssh_known_hosts_timeout and added bash remediation (RHBZ#1599179)
7e5c3a
7e5c3a
* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-7
7e5c3a
- Fix handling of package CPE during generation of Ansible playbooks (RHBZ#1647189)
7e5c3a
7e5c3a
* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-6
7e5c3a
- Deduplicated more CCEs assigned to rules (RHBZ#1703092)
7e5c3a
7e5c3a
* Thu Apr 25 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-5
7e5c3a
- Remove ensure_gpgcheck_repo_metadata rule from profiles (RHBZ#1703010)
7e5c3a
- Deduplicate CCE assigned to rules (RHBZ#1703092)
7e5c3a
7e5c3a
* Tue Apr 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-4
7e5c3a
- Mark SELinux rules as machine only (RHBZ#1630739)
7e5c3a
- Mark service disabled rules as machine only (RHBZ#1630739)
7e5c3a
7e5c3a
* Mon Apr 08 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-3
7e5c3a
- Mark rules which were not applicable for containers as machine only (RHBZ#1630739)
7e5c3a
- Fix content support for UBI-Minimal (RHBZ#1695213)
7e5c3a
7e5c3a
* Mon Mar 25 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-2
7e5c3a
- Fixes for smooth Ansible playbooks run (RHBZ#1647189)
7e5c3a
- Fix Ansible template for file permissions (RHBZ#1686007)
7e5c3a
- Fix remediation of rule rpm_verify_permissions (RHBZ#1686005)
7e5c3a
- Fix remediation of audit rules for privileged commands (RHBZ#1687826)
7e5c3a
7e5c3a
* Fri Mar 01 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-1
7e5c3a
- Update to the latest upstream release (RHBZ#1684545)
7e5c3a
7e5c3a
* Tue Sep 25 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-12
7e5c3a
- Fix malformed patch for removal of abrt and sendmail (RHBZ#1619689)
7e5c3a
7e5c3a
* Tue Sep 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-11
7e5c3a
- Fixes for RHBZ#1619689:
7e5c3a
- Added support for kernel parameters yama.ptrace_scope, kptr_restrict, dmesg_restrict and kexec_load_disabled.
7e5c3a
- Added support for boot parameters audit_backlog_limit=8192, slub_debug=P, page_poison=1 and vsyscall=none.
7e5c3a
- Added support for proper /dev/shm handling (noexec,nosuid,nodev,mode=1777)
7e5c3a
- Added support for checking that sendmail and abrt are not installed.
7e5c3a
- Introduced OSPP to the OSPP profile title.
7e5c3a
- Disabled linkcheck tests during the build.
7e5c3a
7e5c3a
* Sun Sep 23 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-10
7e5c3a
- Fix regression in file ownership and group OVAL. (RHBZ#1570802)
7e5c3a
7e5c3a
* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-9
7e5c3a
- Fix malformed patch for Audit Rules (RHBZ#1619689)
7e5c3a
7e5c3a
* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-8
7e5c3a
- Add Bash remediation for rule grub2_audit_arguments (RHBZ#1619689)
7e5c3a
- Allow remediation for rule dconf_gnome_screensaver_lock_delay to fix commented settings (RHBZ#1609122)
7e5c3a
- Select missing audit rules for privileged commands for OSPP4.2 Profile (RHBZ#1619689)
7e5c3a
7e5c3a
* Wed Sep 19 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-7
7e5c3a
- Fixed previously applied patches for OSPP 4.2 (RHBZ#1619689)
7e5c3a
7e5c3a
* Mon Sep 17 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-6
7e5c3a
- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)
7e5c3a
- Fixed the xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled check (RHBZ#1609122)
7e5c3a
7e5c3a
* Fri Sep 14 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-5
7e5c3a
- Re-fix FIPS patch. (RHBZ#1587911)
7e5c3a
7e5c3a
* Wed Sep 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-4
7e5c3a
- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)
7e5c3a
7e5c3a
* Tue Sep 11 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-3
7e5c3a
- Don't generate remediations for Anaconda for /dev/cdrom mount point (RHBZ#1618840)
7e5c3a
- Install dracut-fips when fips mode is enabled in the profile (RHBZ#1587911)
7e5c3a
7e5c3a
* Wed Aug 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-2
7e5c3a
- Don't generate remediations for Anaconda for /dev/shm mount point (RHBZ#1570956)
7e5c3a
7e5c3a
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
7e5c3a
- Update to upstream release 0.1.40
7e5c3a
- Underlying code has been deduplicated and unified, which fixes countless subtle bugs.
7e5c3a
- Updated Ansible playbooks, so they don't use deprecated constructs.
7e5c3a
- Service disable family of rules take the corresponding socket deactivation into account if applicable in check and in remediations.
7e5c3a
7e5c3a
* Thu Jul 19 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
7e5c3a
- Fix configuration to not build new products introduced in upstream
7e5c3a
- Test package with ctest
7e5c3a
7e5c3a
* Fri Jul 13 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
7e5c3a
- Update to upstream release 0.1.39
7e5c3a
- Profile IDs simplified
7e5c3a
- Common Profile removed in favor of Standard Profile
7e5c3a
- RHEL7 STIG reference updated to V1R4
7e5c3a
- RHEL6 STIG reference updated to V1R18
7e5c3a
- New License - BSD-3 Clause
7e5c3a
- Several remediation fixes
7e5c3a
- Better content support for DISA STIG Viewer (#2418)
7e5c3a
7e5c3a
* Mon Jan 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-7
7e5c3a
- Fix sshd_required unset (RHBZ#1522956)
7e5c3a
- Fix missing bash remediation functions include (RHBZ#1524738)
7e5c3a
- Fix empty columns in SRG HTML Table (RHBZ#1531105)
7e5c3a
- Fix reference to outdated PAM config manual (RHBZ#1447760)
7e5c3a
7e5c3a
* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-6
7e5c3a
- Rebuild with OpenSCAP 1.2.16
7e5c3a
7e5c3a
* Mon Dec 11 2017 Matěj Týč <matyc@redhat.com> - 0.1.36-5
7e5c3a
- Patched not to check library ownership in libexec.
7e5c3a
- Patched to fix title of DISA STIG profile.
7e5c3a
- Patched to deprecate RhostsRSAAuthentication.
7e5c3a
- Patched to fix umask_for_daemons.
7e5c3a
7e5c3a
* Thu Nov 16 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-4
7e5c3a
- Rebuild with OpenSCAP 1.2.16
7e5c3a
7e5c3a
* Tue Nov 14 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-3
7e5c3a
- Add DISA STIG Rule IDs to XCCDF Rules with STIGID
7e5c3a
7e5c3a
* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-2
7e5c3a
- Fix configuration to not build new products introduced in upstream
7e5c3a
7e5c3a
* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
7e5c3a
- Update to upstream release 0.1.36
7e5c3a
- Introduction of SCAP Security Guide Test Suite
7e5c3a
- Better alignment of RHEL6 and RHEL7 with DISA STIG
7e5c3a
- Remove JBoss EAP5 content due to being End-of-Life
7e5c3a
- New STIG Profile for JBOSS EAP 6
7e5c3a
- Updates in C2S Profile for RHEL 7
7e5c3a
- Variables can be directly tailored in Ansible roles
7e5c3a
- Content presents less false positives in containers
7e5c3a
- Changes in directory layout
7e5c3a
7e5c3a
* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-2
7e5c3a
- Do not build content for JBOSS EAP6
7e5c3a
7e5c3a
* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-1
7e5c3a
- Update to upstream release 0.1.35
7e5c3a
- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
7e5c3a
- Added several templates for OVAL checks
7e5c3a
- Many optimizations in build process
7e5c3a
- Different title for PCI-DSS Benchmark variants
7e5c3a
- Remediation roles moved to /usr/share/scap-security
7e5c3a
- Fix duplicated roles and guides (RHBZ#1465691)
7e5c3a
7e5c3a
* Tue Sep 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-6
7e5c3a
- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414)
7e5c3a
7e5c3a
* Wed Jun 14 2017 Watson Sato <wsato@redhat.com> 0.1.33-5
7e5c3a
- Fix Anaconda Smartcard auth remediation (RHBZ#1461330)
7e5c3a
7e5c3a
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-4
7e5c3a
- Fix specfile to not include tables twice
7e5c3a
7e5c3a
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-3
7e5c3a
- Fix malformed title of profile nist-800-171-cui
7e5c3a
7e5c3a
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-2
7e5c3a
- Fix empty ospp-rhel7 table
7e5c3a
- Fix Anaconda remediation templates (RHBZ#1450731)
7e5c3a
7e5c3a
* Mon May 01 2017 Watson Sato <wsato@redhat.com> 0.1.33-1
7e5c3a
- Update to upstream version 0.1.33
7e5c3a
- DISA RHEL7 STIG profile alignment improved
7e5c3a
- Introduction of remediation roles
7e5c3a
- RPM and DEB test packages are built by CMake with CPack
7e5c3a
- Lots of remediation fixes
7e5c3a
7e5c3a
* Tue Mar 28 2017 Watson Sato <wsato@redhat.com> 0.1.32-1
7e5c3a
- Update to upstream version 0.1.32
7e5c3a
- New CMake build system
7e5c3a
- Improved NIST 800-171 profile
7e5c3a
- Initial RHVH profile
7e5c3a
- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
7e5c3a
- Template clean up in lots of remediations
7e5c3a
7e5c3a
* Fri Mar 10 2017 Watson Sato <wsato@redhat.com> 0.1.30-6
7e5c3a
- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144)
7e5c3a
7e5c3a
* Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
7e5c3a
- Fix template remediation function used by SSHD remediation
7e5c3a
- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
7e5c3a
7e5c3a
* Tue Jan 31 2017 Watson Sato <wsato@redhat.com> 0.1.30-4
7e5c3a
- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
7e5c3a
7e5c3a
* Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3
7e5c3a
- Correct the remediation script for 'Enable Smart Card Login' rule
7e5c3a
  for Red Hat Enterprise Linux 7 (RH BZ#1357019)
7e5c3a
7e5c3a
* Thu Jul 14 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-2
7e5c3a
- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark
7e5c3a
  having the identical title (RH BZ#1351541)
7e5c3a
- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts'
7e5c3a
  rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root
7e5c3a
  Account for Failed Password Attempts' rule to report correct system status
7e5c3a
  WRT to these requirements also in the case the SSSD daemon is used
7e5c3a
  (RH BZ#1344581)
7e5c3a
- Include currently available kickstart files and produced HTML tables for
7e5c3a
  Red Hat Enterprise Linux 6 and 7 products into the produced RPM package
7e5c3a
  (RH BZ#1351751)
7e5c3a
7e5c3a
* Wed Jun 22 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-1
7e5c3a
- Update to upstream's 0.1.30 release:
7e5c3a
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
7e5c3a
  (RH BZ#1289533)
7e5c3a
- Drop remediation functions library since starting from 0.1.30 release
7e5c3a
  remediation scripts are part of the benchmarks directly
7e5c3a
- Drop three patches that have been accepted upstream in the meantime
7e5c3a
- Update drop-rpm-verify-permissions-rule patch to work properly against
7e5c3a
  0.1.30 release
7e5c3a
7e5c3a
* Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3
7e5c3a
- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS
7e5c3a
  profile for Red Hat Enterprise Linux 7 (RH BZ#1267861)
7e5c3a
7e5c3a
* Wed Sep 09 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-2
7e5c3a
- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7
7e5c3a
7e5c3a
* Wed Aug 19 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-1
7e5c3a
- Rebase to upstream 0.1.25 release
7e5c3a
7e5c3a
* Tue Aug 04 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-4
7e5c3a
- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny'
7e5c3a
  rule
7e5c3a
7e5c3a
* Mon Aug 03 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-3
7e5c3a
- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule
7e5c3a
  for Red Hat Enterprise Linux 7 product
7e5c3a
- Override title and description for all existing profiles for Red Hat
7e5c3a
  Enterprise Linux 6 product that are extending another SCAP profile
7e5c3a
  (RHBZ#1246529)
7e5c3a
- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile
7e5c3a
  kickstart file for Red Hat Enterprise Linux 7 product
7e5c3a
- Add remediation script for 'audit_rules_time_clock_settime' rule for
7e5c3a
  Red Hat Enterprise Linux 7 product
7e5c3a
- Add remediation scripts for 'audit_rules_time_adjtimex',
7e5c3a
  'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for
7e5c3a
  Red Hat Enterprise Linux 7 product
7e5c3a
- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with
7e5c3a
  "Draft" label
7e5c3a
- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise
7e5c3a
  Linux 7 product:
7e5c3a
  * dconf_gnome_screensaver_idle_delay -- missing remediation script,
7e5c3a
  * dconf_gnome_screensaver_idle_activation -- missing remediation script,
7e5c3a
  * dconf_gnome_screensaver_lock_enabled -- missing remediation script,
7e5c3a
  * audit_rules_login_events -- incorrect OVAL check (upstream issue #607),
7e5c3a
  * audit_rules_privileged_commands -- missing remediation script, and
7e5c3a
  * audit_rules_immutable -- missing remediation script.
7e5c3a
7e5c3a
* Mon Aug 03 2015 Martin Preisler <mpreisle@redhat.com> 0.1.24-2
7e5c3a
- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product
7e5c3a
  into multiple lines, prevents HTML guide UX issues
7e5c3a
7e5c3a
* Tue Jul 07 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-1
7e5c3a
- Rebase to upstream scap-security-guide-0.1.24 version
7e5c3a
- Start producing the -doc subpackage to provide the HTML formatted
7e5c3a
  documents containing security guides generated from shipped XCCDF benchmarks
7e5c3a
7e5c3a
* Mon Jun 22 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.23-1
7e5c3a
- Rebase to upstream scap-security-guide-0.1.23 version
7e5c3a
- Update upstream tarball source URL to GitHub archive location
7e5c3a
- Drop the following patches that have been accepted upstream:
7e5c3a
  * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
7e5c3a
  * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
7e5c3a
  * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
7e5c3a
  * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
7e5c3a
  * scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
7e5c3a
  * scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
7e5c3a
  * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
7e5c3a
  * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
7e5c3a
  * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
7e5c3a
- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks
7e5c3a
- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6
7e5c3a
7e5c3a
* Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2
7e5c3a
- Fix Limit Password Reuse remediation script error
7e5c3a
- Fix Set Deny For Failed Password Attempts remediation script error
7e5c3a
- Use RHT-CCP profile name when generating HTML guide
7e5c3a
- Describe RHT-CCP profile in the manual page
7e5c3a
7e5c3a
* Mon Sep 29 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-1
7e5c3a
- Include RHEL-7 content (RHT-CCP profile only)
7e5c3a
- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel
7e5c3a
- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools
7e5c3a
- Update manual page to be more appropriate for RHEL-7
7e5c3a
- Drop RHEL-6 C2S profile update patch since merged upstream
7e5c3a
7e5c3a
* Tue Sep 02 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-4
7e5c3a
- Initial build for Red Hat Enterprise Linux 7
7e5c3a
7e5c3a
* Thu Aug 28 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-3
7e5c3a
- Update C2S profile <description> per request from CIS
7e5c3a
7e5c3a
* Thu Jun 26 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-2
7e5c3a
- Include the upstream STIG for RHEL 6 Server profile disclaimer file too
7e5c3a
7e5c3a
* Sun Jun 22 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-1
7e5c3a
- Make new 0.1.18 release
7e5c3a
7e5c3a
* Wed May 14 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-2
7e5c3a
- Drop vendor line from the spec file. Let the build system provide it.
7e5c3a
7e5c3a
* Fri May 09 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-1
7e5c3a
- Upgrade to upstream 0.1.17 version
7e5c3a
7e5c3a
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-2
7e5c3a
- Initial RPM for RHEL base channels
7e5c3a
7e5c3a
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-1
7e5c3a
- Change naming scheme (0.1-16 => 0.1.16-1)
7e5c3a
7e5c3a
* Fri Feb 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-16
7e5c3a
- Include datastream file into RHEL6 RPM package too
7e5c3a
- Bump version
7e5c3a
7e5c3a
* Tue Dec 24 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc2
7e5c3a
+ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
7e5c3a
7e5c3a
* Mon Dec 23 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc1
7e5c3a
- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
7e5c3a
  system-auth symlink. Added --follow-symlink to sed command.
7e5c3a
7e5c3a
* Fri Nov 01 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15
7e5c3a
- Version bump
7e5c3a
7e5c3a
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc5
7e5c3a
- Point the spec's source to proper remote tarball location
7e5c3a
- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
7e5c3a
7e5c3a
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc4
7e5c3a
- Don't include the table html files two times
7e5c3a
- Remove makewhatis
7e5c3a
7e5c3a
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc3
7e5c3a
- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
7e5c3a
- Numerous XCCDF->OVAL naming schema updates
7e5c3a
- All rules now have CCE
7e5c3a
7e5c3a
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc2
7e5c3a
- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
7e5c3a
7e5c3a
* Fri Oct 25 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc1
7e5c3a
- Apply spec file changes required by review request (RH BZ#1018905)
7e5c3a
7e5c3a
* Thu Oct 24 2013 Shawn Wells <shawn@redhat.com> 0.1-14
7e5c3a
- Formal RPM release
7e5c3a
- Inclusion of rht-ccp profile
7e5c3a
- OVAL unit testing patches
7e5c3a
- Bash remediation patches
7e5c3a
- Bugfixes
7e5c3a
7e5c3a
* Mon Oct 07 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-14.rc1
7e5c3a
- Change RPM versioning scheme to include release into tarball
7e5c3a
7e5c3a
* Sat Sep 28 2013 Shawn Wells <shawn@redhat.com> 0.1-13
7e5c3a
- Updated RPM spec file to fix rpmlint warnings
7e5c3a
7e5c3a
* Wed Jun 26 2013 Shawn Wells <shawn@redhat.com> 0.1-12
7e5c3a
- Updated RPM version to 0.1-12
7e5c3a
7e5c3a
* Fri Apr 26 2013 Shawn Wells <shawn@redhat.com> 0.1-11
7e5c3a
- Significant amount of OVAL bugfixes
7e5c3a
- Incorporation of Draft RHEL/6 STIG feedback
7e5c3a
7e5c3a
* Sat Feb 16 2013 Shawn Wells <shawn@redhat.com> 0.1-10
7e5c3a
- `man scap-security-guide`
7e5c3a
- OVAL bug fixes
7e5c3a
- NIST 800-53 mappings update
7e5c3a
7e5c3a
* Wed Nov 28 2012 Shawn Wells <shawn@redhat.com> 0.1-9
7e5c3a
- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
7e5c3a
- Reverting to noarch RPM
7e5c3a
7e5c3a
* Tue Nov 27 2012 Shawn Wells <shawn@redhat.com> 0.1-8
7e5c3a
- Significant copy editing to XCCDF rules per community
7e5c3a
  feedback on the DISA RHEL/6 STIG Initial Draft
7e5c3a
7e5c3a
* Thu Nov 1 2012 Shawn Wells <shawn@redhat.com> 0.1-7
7e5c3a
- Corrected XCCDF content errors
7e5c3a
- OpenSCAP now supports CPE dictionaries, important to
7e5c3a
  utilize --cpe-dict when scanning machines with OpenSCAP,
7e5c3a
  e.g.:
7e5c3a
  $ oscap xccdf eval --profile stig-server \
7e5c3a
   --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
7e5c3a
7e5c3a
* Mon Oct 22 2012 Shawn Wells <shawn@redhat.com> 0.1-6
7e5c3a
- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
7e5c3a
- Updated RPM includes feedback received from DoD Consensus meetings
7e5c3a
7e5c3a
* Fri Oct 5  2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-5
7e5c3a
- Adjusted installation directory to /usr/share/xml/scap.
7e5c3a
7e5c3a
* Tue Aug 28  2012 Spencer Shimko <sshimko@tresys.com> 1.0-4
7e5c3a
- Fix BuildRequires and Requires.
7e5c3a
7e5c3a
* Tue Jul 3 2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-3
7e5c3a
- Modified install section, made description more concise.
7e5c3a
7e5c3a
* Thu Apr 19 2012 Spencer Shimko <sshimko@tresys.com> 1.0-2
7e5c3a
- Minor updates to pass some variables in from build system.
7e5c3a
7e5c3a
* Mon Apr 02 2012 Shawn Wells <shawn@redhat.com> 1.0-1
7e5c3a
- First attempt at SSG RPM. May ${deity} help us...