Blame SPECS/scap-security-guide.spec

b5e178
# Base name of static rhel6 content tarball
b5e178
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
889f2b
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
889f2b
%global _vpath_builddir build
b5e178
1002d6
Name:		scap-security-guide
889f2b
Version:	0.1.57
889f2b
Release:	4%{?dist}
1002d6
Summary:	Security guidance and baselines in SCAP formats
889f2b
License:	BSD-3-Clause
1002d6
Group:		Applications/System
1002d6
URL:		https://github.com/ComplianceAsCode/content/
1002d6
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
b5e178
# Include tarball with last released rhel6 content
b5e178
Source1:	%{_static_rhel6_content}.tar.bz2
b5e178
1002d6
BuildArch:	noarch
1002d6
889f2b
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
889f2b
Patch0:		disable-not-in-good-shape-profiles.patch
889f2b
Patch1:		scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch
889f2b
Patch2:		scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch
889f2b
Patch3:		scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch
889f2b
Patch4:		scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch
889f2b
Patch5:		scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
889f2b
Patch6:		scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
889f2b
Patch7:		scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch
889f2b
Patch8:		scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch
889f2b
Patch9:		scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch
889f2b
Patch10:		scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch
889f2b
Patch11:		scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch
889f2b
Patch12:		scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch
889f2b
Patch13:		scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch
889f2b
Patch14:		scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch
889f2b
Patch15:		scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch
889f2b
Patch16:		scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch
889f2b
Patch17:		scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch
889f2b
Patch18:		scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch
889f2b
Patch19:		scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch
889f2b
Patch20:		scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
889f2b
Patch21:		scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch
889f2b
Patch22:		scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch
889f2b
Patch23:		scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch
889f2b
Patch24:		scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch
889f2b
Patch25:		scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch
889f2b
Patch26:		scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch
889f2b
Patch27:		scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch
889f2b
Patch28:		scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch
889f2b
Patch29:		scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch
889f2b
Patch30:		scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch
889f2b
Patch31:		scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch
889f2b
Patch32:		scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch
889f2b
Patch33:		scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch
889f2b
Patch34:		scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch
889f2b
Patch35:		scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch
889f2b
Patch36:		scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch
889f2b
Patch37:		scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch
889f2b
Patch38:		scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch
889f2b
Patch39:		scap-security-guide-0.1.58-update_stig_references-PR_7366.patch
889f2b
Patch40:		scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch
889f2b
Patch41:		scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch
889f2b
Patch42:		scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch
889f2b
Patch43:		scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch
889f2b
Patch44:		scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch
889f2b
Patch45:		scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch
889f2b
Patch46:		scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch
889f2b
Patch47:		scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch
889f2b
Patch48:		scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch
889f2b
Patch49:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch
889f2b
Patch50:		scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch
889f2b
Patch51:		scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch
889f2b
Patch52:		scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch
889f2b
Patch53:		scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
889f2b
Patch54:		scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
889f2b
Patch55:		scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
889f2b
889f2b
BuildRequires:	libxslt
889f2b
BuildRequires:	expat
889f2b
BuildRequires:	openscap-scanner >= 1.2.5
889f2b
BuildRequires:	cmake >= 2.8
1002d6
# To get python3 inside the buildroot require its path explicitly in BuildRequires
1002d6
BuildRequires: /usr/bin/python3
889f2b
BuildRequires:	python%{python3_pkgversion}
889f2b
BuildRequires:	python%{python3_pkgversion}-jinja2
889f2b
BuildRequires:	python%{python3_pkgversion}-PyYAML
1002d6
Requires:	xml-common, openscap-scanner >= 1.2.5
1002d6
Obsoletes:	openscap-content < 0:0.9.13
1002d6
Provides:	openscap-content
1002d6
1002d6
%description
1002d6
The scap-security-guide project provides a guide for configuration of the
1002d6
system from the final system's security point of view. The guidance is specified
1002d6
in the Security Content Automation Protocol (SCAP) format and constitutes
1002d6
a catalog of practical hardening advice, linked to government requirements
1002d6
where applicable. The project bridges the gap between generalized policy
889f2b
requirements and specific implementation guidelines. The system
889f2b
administrator can use the oscap CLI tool from the openscap-scanner package, or the
889f2b
scap-workbench GUI tool from the scap-workbench package to verify that the system
889f2b
conforms to the provided guideline. Refer to the scap-security-guide(8) manual page for
889f2b
further information.
1002d6
1002d6
%package	doc
1002d6
Summary:	HTML formatted security guides generated from XCCDF benchmarks
1002d6
Group:		System Environment/Base
1002d6
Requires:	%{name} = %{version}-%{release}
1002d6
1002d6
%description	doc
1002d6
The %{name}-doc package contains HTML formatted documents containing
1002d6
hardening guidance that has been generated from XCCDF benchmarks
1002d6
present in %{name} package.
1002d6
889f2b
%if ( %{defined rhel} && (! %{defined centos}) )
889f2b
%package	rule-playbooks
889f2b
Summary:	Ansible playbooks per each rule.
889f2b
Group:		System Environment/Base
889f2b
Requires:	%{name} = %{version}-%{release}
889f2b
889f2b
%description	rule-playbooks
889f2b
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
889f2b
%endif
889f2b
1002d6
%prep
889f2b
%autosetup -p1 -b1
1002d6
1002d6
%build
889f2b
mkdir -p build
1002d6
cd build
1002d6
%cmake \
aa23b3
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
aa23b3
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
889f2b
%if %{defined centos}
889f2b
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
889f2b
%else
1002d6
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
889f2b
%endif
889f2b
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
889f2b
%if ( %{defined rhel} && (! %{defined centos}) )
889f2b
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
889f2b
%endif
889f2b
../
889f2b
%cmake_build
1002d6
1002d6
%install
1002d6
cd build
889f2b
%cmake_install
1002d6
b5e178
# Manually install pre-built rhel6 content
b5e178
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
b5e178
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
b5e178
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
b5e178
1002d6
%files
1002d6
%{_datadir}/xml/scap/ssg/content
1002d6
%{_datadir}/%{name}/kickstart
1002d6
%{_datadir}/%{name}/ansible
1002d6
%{_datadir}/%{name}/bash
1002d6
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
1002d6
%doc %{_docdir}/%{name}/LICENSE
1002d6
%doc %{_docdir}/%{name}/README.md
1002d6
%doc %{_docdir}/%{name}/Contributors.md
889f2b
%if ( %{defined rhel} && (! %{defined centos}) )
889f2b
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
889f2b
%endif
1002d6
1002d6
%files doc
1002d6
%doc %{_docdir}/%{name}/guides/*.html
1002d6
%doc %{_docdir}/%{name}/tables/*.html
1002d6
889f2b
%if ( %{defined rhel} && (! %{defined centos}) )
889f2b
%files rule-playbooks
889f2b
%defattr(-,root,root,-)
889f2b
%{_datadir}/%{name}/ansible/rule_playbooks
889f2b
%endif
889f2b
1002d6
%changelog
889f2b
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
889f2b
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
889f2b
889f2b
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
889f2b
- Fix remaining audit rules file permissions (RHBZ#1993056)
889f2b
- Mark a STIG service rule as machine only (RHBZ#1993056)
889f2b
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
889f2b
889f2b
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
889f2b
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
889f2b
- Include tests for Ansible Playbooks that remove and reintroduce files.
889f2b
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) 
889f2b
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
889f2b
- Restructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
889f2b
- Add Kickstart files for ISM profile (RHBZ#1955373)
889f2b
- Fix broken RHEL7 documentation links (RHBZ#1966577)
889f2b
889f2b
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
889f2b
- Update to the latest upstream release (RHBZ#1966577)
889f2b
- Enable the ISM profile.
889f2b
889f2b
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
889f2b
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
889f2b
889f2b
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
889f2b
- Update to the latest upstream release (RHBZ#1966577)
889f2b
- Add ANSSI High Profile (RHBZ#1955183)
889f2b
b5e178
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
b5e178
- Remove Kickstart for not shipped profile (RHBZ#1778188)
b5e178
b5e178
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
b5e178
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
b5e178
b5e178
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
b5e178
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
b5e178
b5e178
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
b5e178
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
b5e178
b5e178
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
b5e178
- Update to the latest upstream release (RHBZ#1889344)
b5e178
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
b5e178
b5e178
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
b5e178
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
b5e178
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
b5e178
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
b5e178
b5e178
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
b5e178
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
b5e178
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
b5e178
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
b5e178
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
b5e178
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
b5e178
b5e178
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
b5e178
- Update list of profiles built (RHBZ#1889344)
b5e178
b5e178
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
b5e178
- Update to the latest upstream release (RHBZ#1889344)
b5e178
b5e178
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
b5e178
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
b5e178
b5e178
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
b5e178
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
b5e178
b5e178
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
b5e178
- remove rationale from rules that contain defective links (rhbz#1854854)
b5e178
b5e178
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
b5e178
- fixed link in a grub2 rule description (rhbz#1854854)
b5e178
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
b5e178
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
b5e178
b5e178
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
b5e178
- Update the scapval invocation (RHBZ#1815007)
b5e178
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
b5e178
- Change the spec file macro invocation from patch to Patch
b5e178
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
b5e178
b5e178
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
b5e178
- fix description of HIPAA profile (RHBZ#1867559)
b5e178
b5e178
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
b5e178
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
b5e178
  - Remove CCM from TLS Ciphersuites
b5e178
b5e178
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
b5e178
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
b5e178
c862b5
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
c862b5
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
c862b5
c862b5
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
c862b5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
c862b5
c862b5
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
c862b5
- CIS Ansible fixes (RHBZ#1760734)
c862b5
- HIPAA Ansible fixes (RHBZ#1832760)
c862b5
c862b5
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
c862b5
- HIPAA Profile (RHBZ#1832760)
c862b5
  - Enable build of RHEL8 HIPAA Profile
c862b5
  - Add kickstarts for HIPAA
c862b5
- CIS Profile (RHBZ#1760734)
c862b5
  - Add Ansible fix for sshd_set_max_sessions
c862b5
  - Add CIS Profile content attribution to Center for Internet Security
c862b5
c862b5
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c862b5
- Fix Ansible for no_direct_root_logins
c862b5
- Fix Ansible template for SELinux booleans
c862b5
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
c862b5
c862b5
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c862b5
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
c862b5
c862b5
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
c862b5
- Update to the latest upstream release (RHBZ#1815007)
c862b5
c862b5
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
c862b5
- Update to the latest upstream release (RHBZ#1815007)
c862b5
c862b5
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
c862b5
- Update baseline package list of OSPP profile
c862b5
c862b5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
c862b5
- Rebuilt with correct spec file
c862b5
c862b5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
c862b5
- Add SRG references to STIG rules (RHBZ#1755447)
c862b5
c862b5
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
c862b5
- Drop rsyslog rules from OSPP profile
c862b5
- Update COBIT URI
c862b5
- Add rules for strong source of RNG entropy
c862b5
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
c862b5
- STIG profile: added rsyslog rules and updated SRG mappings
c862b5
- Split audit rules according to audit component (RHBZ#1791312)
c862b5
c862b5
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
c862b5
- Update crypto-policy test scenarios
c862b5
- Update max-path-len test to skip tests/logs directory
c862b5
c862b5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
c862b5
- Fix list of tables that are generated for RHEL8
c862b5
c862b5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
c862b5
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
c862b5
aa23b3
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
aa23b3
- Improved the e8 profile (RHBZ#1755194)
aa23b3
aa23b3
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
aa23b3
aa23b3
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
aa23b3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
aa23b3
aa23b3
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
aa23b3
- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
aa23b3
aa23b3
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
aa23b3
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
aa23b3
aa23b3
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
aa23b3
- Use crypto-policy rules in OSPP profile.
aa23b3
- Re-enable FIREFOX and JRE product in build.
aa23b3
- Change test suite logging message about missing profile from ERROR to WARNING.
aa23b3
- Build only one version of SCAP content at a time.
aa23b3
aa23b3
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
aa23b3
1002d6
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
1002d6
- Ported changelog from late 8.0 builds.
1002d6
- Disabled build of the OL8 product, updated other components of the cmake invocation.
1002d6
1002d6
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
1002d6
1002d6
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
1002d6
- Assign CCE to rules from OSPP profile which were missing the identifier.
1002d6
- Fix regular expression for Audit rules ordering
1002d6
- Account for Audit rules flags parameter position within syscall
1002d6
- Add remediations for Audit rules file path
1002d6
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
1002d6
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
1002d6
- Add a Bash remediation for Audit rules that require ordering
1002d6
1002d6
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
1002d6
- Assign CCE identifier to rules used by RHEL8 profiles.
1002d6
1002d6
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
1002d6
- Fixed Crypto Policy OVAL for NSS
1002d6
- Got rid of rules requiring packages dropped in RHEL8.
1002d6
- Profile descriptions fixes.
1002d6
1002d6
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
1002d6
- Update applicable platforms in crypto policy tests
1002d6
1002d6
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
1002d6
- Introduce Podman backend for SSG Test suite
1002d6
- Update bind and libreswan crypto policy test scenarios
1002d6
1002d6
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
1002d6
- Further fix of profiles descriptions, so they don't contain literal '\'.
1002d6
- Removed obsolete sshd rule from the OSPP profile.
1002d6
1002d6
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
1002d6
- Fixed profiles descriptions, so they don't contain literal '\n'.
1002d6
- Made the configure_kerberos_crypto_policy OVAL more robust.
1002d6
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
1002d6
1002d6
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
1002d6
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
1002d6
1002d6
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
1002d6
- Added FIPS mode rule for the OSPP profile.
1002d6
- Split the installed_OS_is certified rule.
1002d6
- Explicitly disabled OSP13, RHV4 and Example products.
1002d6
1002d6
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
1002d6
- Add missing kickstart files for RHEL8
1002d6
- Disable profiles that are not in good shape for RHEL8
1002d6
1002d6
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
1002d6
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
1002d6
- System-wide crypto policies are introduced for RHEL8
1002d6
- Patches that introduced the RHEL8 product were dropped, as it has been upstreamed.
1002d6
1002d6
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
1002d6
- Fix man page and package description
1002d6
1002d6
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
1002d6
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
1002d6
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
1002d6
1002d6
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
1002d6
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
1002d6
- Only build content for rhel8 products
1002d6
1002d6
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
1002d6
- Update build of rhel8 content
1002d6
1002d6
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
1002d6
- Enable build of rhel8 content
1002d6
1002d6
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
1002d6
- Fix spec file to build using Python 3
1002d6
- Fix License because upstream changed to BSD-3
1002d6
1002d6
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
1002d6
1002d6
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
1002d6
1002d6
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
1002d6
1002d6
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
1002d6
1002d6
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
1002d6
1002d6
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
1002d6
1002d6
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
1002d6
1002d6
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
1002d6
- use make_build and make_install RPM macros
1002d6
1002d6
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
1002d6
- update to the latest upstream release
1002d6
- new default location for content /usr/share/scap/ssg
1002d6
- install HTML tables in the doc subpackage
1002d6
1002d6
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
1002d6
- Correct currently failing parallel SCAP Security Guide build
1002d6
1002d6
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
1002d6
- Drop shell library for remediation functions since it is not required
1002d6
  starting from 0.1.30 release any more
1002d6
1002d6
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
1002d6
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
1002d6
  in 0.1.29 upstream release
1002d6
1002d6
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
1002d6
1002d6
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
1002d6
- upgrade to the latest upstream release
1002d6
1002d6
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
1002d6
- update to the latest upstream release
1002d6
- created doc sub-package to ship all the guides
1002d6
- start distributing centos and scientific linux content
1002d6
- rename java content to jre
1002d6
1002d6
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
1002d6
1002d6
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
1002d6
- update to the latest upstream release
1002d6
- only DataStream file is now available for Fedora
1002d6
- start distributing security baseline for Firefox
1002d6
- start distributing security baseline for Java RunTime deployments
1002d6
1002d6
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
1002d6
- update to the latest upstream release
1002d6
- move content to /usr/share/scap/ssg/content
1002d6
1002d6
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
1002d6
- require only openscap-scanner, not whole openscap-utils package
1002d6
1002d6
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
1002d6
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
1002d6
- Add STIG DISCLAIMER to the shipped documentation
1002d6
1002d6
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
1002d6
1002d6
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
1002d6
- Fix fedora-srpm and fedora-rpm Make targets to work again
1002d6
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
1002d6
- EOL for Fedora 18 support
1002d6
- Include Fedora datastream file for remote Fedora system scans
1002d6
1002d6
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
1002d6
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
1002d6
1002d6
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
1002d6
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
1002d6
  it to /shared
1002d6
- Add shared remediations for sshd disable empty passwords and
1002d6
  sshd set idle timeout
1002d6
- Shared remediation for sshd disable root login
1002d6
- Add empty -compat subpackage to ensure backward-compatibility with
1002d6
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
1002d6
- OVAL check for sshd disable root login
1002d6
- Fix typo in OVAL check for sshd disable empty passwords
1002d6
- OVAL check for sshd disable empty passwords
1002d6
- Unselect no shelllogin for systemaccounts rule from being run by default
1002d6
- Rename XCCDF rules
1002d6
- Revert Set up Fedora release name and CPE based on build system properties
1002d6
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
1002d6
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
1002d6
- Shared OVAL check for Verify that System Executables Have Root Ownership
1002d6
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
1002d6
  Permissions
1002d6
- Fix remediation for Disable Prelinking rule
1002d6
- OVAL check and remediation for sshd's ClientAliveCountMax rule
1002d6
- OVAL check for sshd's ClientAliveInterval rule
1002d6
- Include descriptions for permissions section, and rules for checking
1002d6
  permissions and ownership of shared library files and system executables
1002d6
- Disable selected rules by default
1002d6
- Add remediation for Disable Prelinking rule
1002d6
- Adjust service-enable-macro, service-disable-macro XSLT transforms
1002d6
  definition to evaluate to proper systemd syntax
1002d6
- Fix service_ntpd_enabled OVAL check make validate to pass again
1002d6
- Include patch from Šimon Lukašík to obsolete openscap-content
1002d6
  package (RH BZ#1028706)
1002d6
- Add OVAL check to test if there is a remote NTP server configured for
1002d6
  time data
1002d6
- Add system settings section for the guide (to track system wide
1002d6
  hardening configurations)
1002d6
- Include disable prelink rule and OVAL check for it
1002d6
- Initial OVAL check if ntpd service is enabled. Add package_installed
1002d6
  OVAL templating directory structure and functionality.
1002d6
- Include services section, and XCCDF description for selected ntpd's
1002d6
  sshd's service rules
1002d6
- Include remediations for login.defs' based password minimum, maximum and
1002d6
  warning age rules
1002d6
- Include directory structure to support remediations
1002d6
- Add SCAP "replace or append pattern value in text file based on variable"
1002d6
  remediation script generator
1002d6
- Add remediation for "Set Password Minimum Length in login.defs" rule
1002d6
1002d6
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
1002d6
- Update versioning scheme - move fedorassgrelease to be part of
1002d6
  upstream version. Rename it to fedorassgversion to avoid name collision
1002d6
  with Fedora package release.
1002d6
1002d6
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
1002d6
- Add .gitignore for Fedora output directory
1002d6
- Set up Fedora release name and CPE based on build system properties
aa23b3
- Use correct file paths in scap-security-guide(8) manual page
1002d6
  (RH BZ#1018905, c#10)
1002d6
- Apply further changes motivated by scap-security-guide Fedora RPM review
1002d6
  request (RH BZ#1018905, c#8):
1002d6
  * update package description,
1002d6
  * make content files to be owned by the scap-security-guide package,
1002d6
  * remove Fedora release number from generated content files,
1002d6
  * move HTML form of the guide under the doc directory (together
1002d6
    with that drop fedora/content subdir and place the content
1002d6
    directly under fedora/ subdir).
1002d6
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
1002d6
  * drop Fedora release from package provided files' final path (c#5),
1002d6
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
1002d6
    manual page, don't gzip man page (c#4),
1002d6
  * change package's description (c#4),
1002d6
  * include PD license text (#c4).
1002d6
1002d6
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
1002d6
- Provide manual page for scap-security-guide
1002d6
- Remove percent sign from spec's changelog to silence rpmlint warning
1002d6
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
1002d6
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
1002d6
- Introduce 'Account and Access Control' section
1002d6
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
1002d6
  rules to Fedora
1002d6
- Set proper name of the build directory in the spec's setup macro.
1002d6
- Replace hard-coded paths with macros. Preserve attributes when copying files.
1002d6
1002d6
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
1002d6
- Initial Fedora SSG RPM.