Blame SPECS/scap-security-guide.spec

618a7c
# Base name of static rhel6 content tarball
618a7c
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
362bfa
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
362bfa
%global _vpath_builddir build
9e17c9
# global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
618a7c
575137
Name:		scap-security-guide
f386a0
Version:	0.1.63
9e17c9
Release:	4%{?dist}
575137
Summary:	Security guidance and baselines in SCAP formats
362bfa
License:	BSD-3-Clause
575137
Group:		Applications/System
575137
URL:		https://github.com/ComplianceAsCode/content/
575137
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
618a7c
# Include tarball with last released rhel6 content
618a7c
Source1:	%{_static_rhel6_content}.tar.bz2
475544
575137
BuildArch:	noarch
575137
9e17c9
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
9e17c9
Patch0:		disable-not-in-good-shape-profiles.patch
9e17c9
Patch1:		scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
9e17c9
Patch2:		scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
9e17c9
Patch3:		scap-security-guide-0.1.64-stig_aide-PR_9282.patch
9e17c9
Patch4:		scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
9e17c9
Patch5:		scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
9e17c9
Patch6:		scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
9e17c9
Patch7:		scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
9e17c9
Patch8:		scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
9e17c9
Patch9:		scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
9e17c9
Patch10:		scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
9e17c9
Patch11:		scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
9e17c9
Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
9e17c9
Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
9e17c9
Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
9e17c9
Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
9e17c9
Patch16:		scap-security-guide-0.1.64-fix_enable_fips_mode_s390x-PR_9355.patch
9e17c9
362bfa
BuildRequires:	libxslt
362bfa
BuildRequires:	expat
362bfa
BuildRequires:	openscap-scanner >= 1.2.5
362bfa
BuildRequires:	cmake >= 2.8
575137
# To get python3 inside the buildroot require its path explicitly in BuildRequires
575137
BuildRequires: /usr/bin/python3
362bfa
BuildRequires:	python%{python3_pkgversion}
362bfa
BuildRequires:	python%{python3_pkgversion}-jinja2
362bfa
BuildRequires:	python%{python3_pkgversion}-PyYAML
575137
Requires:	xml-common, openscap-scanner >= 1.2.5
575137
Obsoletes:	openscap-content < 0:0.9.13
575137
Provides:	openscap-content
575137
575137
%description
575137
The scap-security-guide project provides a guide for configuration of the
575137
system from the final system's security point of view. The guidance is specified
575137
in the Security Content Automation Protocol (SCAP) format and constitutes
575137
a catalog of practical hardening advice, linked to government requirements
575137
where applicable. The project bridges the gap between generalized policy
bdc918
requirements and specific implementation guidelines. The system
bdc918
administrator can use the oscap CLI tool from openscap-scanner package, or the
bdc918
scap-workbench GUI tool from scap-workbench package to verify that the system
bdc918
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
bdc918
further information.
575137
575137
%package	doc
575137
Summary:	HTML formatted security guides generated from XCCDF benchmarks
575137
Group:		System Environment/Base
575137
Requires:	%{name} = %{version}-%{release}
575137
575137
%description	doc
575137
The %{name}-doc package contains HTML formatted documents containing
575137
hardening guidances that have been generated from XCCDF benchmarks
575137
present in %{name} package.
575137
bdc918
%if ( %{defined rhel} && (! %{defined centos}) )
bdc918
%package	rule-playbooks
bdc918
Summary:	Ansible playbooks per each rule.
bdc918
Group:		System Environment/Base
bdc918
Requires:	%{name} = %{version}-%{release}
bdc918
bdc918
%description	rule-playbooks
bdc918
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
bdc918
%endif
bdc918
575137
%prep
362bfa
%autosetup -p1 -b1
575137
575137
%build
362bfa
mkdir -p build
575137
cd build
575137
%cmake \
d0bfd3
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
d0bfd3
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
362bfa
%if %{defined centos}
362bfa
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
362bfa
%else
575137
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
362bfa
%endif
362bfa
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
bdc918
%if ( %{defined rhel} && (! %{defined centos}) )
bdc918
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
bdc918
%endif
362bfa
../
362bfa
%cmake_build
575137
575137
%install
575137
cd build
362bfa
%cmake_install
575137
618a7c
# Manually install pre-built rhel6 content
618a7c
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
618a7c
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
618a7c
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
618a7c
575137
%files
575137
%{_datadir}/xml/scap/ssg/content
575137
%{_datadir}/%{name}/kickstart
575137
%{_datadir}/%{name}/ansible
575137
%{_datadir}/%{name}/bash
5fd106
%{_datadir}/%{name}/tailoring
575137
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
575137
%doc %{_docdir}/%{name}/LICENSE
575137
%doc %{_docdir}/%{name}/README.md
575137
%doc %{_docdir}/%{name}/Contributors.md
bdc918
%if ( %{defined rhel} && (! %{defined centos}) )
bdc918
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
bdc918
%endif
575137
575137
%files doc
575137
%doc %{_docdir}/%{name}/guides/*.html
575137
%doc %{_docdir}/%{name}/tables/*.html
575137
bdc918
%if ( %{defined rhel} && (! %{defined centos}) )
bdc918
%files rule-playbooks
bdc918
%defattr(-,root,root,-)
bdc918
%{_datadir}/%{name}/ansible/rule_playbooks
bdc918
%endif
bdc918
575137
%changelog
9e17c9
* Wed Aug 17 2022 Watson Sato <wsato@redhat.com> - 0.1.63-4
9e17c9
- Fix check of enable_fips_mode on s390x (RHBZ#2070564)
9e17c9
9e17c9
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
9e17c9
- Fix Ansible partition conditional (RHBZ#2032403)
9e17c9
9e17c9
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
9e17c9
- aligning with the latest STIG update (RHBZ#2112937)
9e17c9
- OSPP: use Authselect minimal profile (RHBZ#2117192)
9e17c9
- OSPP: change rules for protecting of boot (RHBZ#2116440)
9e17c9
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
9e17c9
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
9e17c9
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
9e17c9
- fix handling of Rsyslog include directives (RHBZ#2075384)
9e17c9
9e17c9
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
9e17c9
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
9e17c9
9e17c9
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
9e17c9
- Rebase to a new upstream release (RHBZ#2070564)
f386a0
f89c37
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
9e17c9
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
9e17c9
- Fix Ansible sysctl remediation (RHBZ#2079241)
f89c37
f89c37
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
9e17c9
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
9e17c9
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
f89c37
5fd106
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
5fd106
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
5fd106
5fd106
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
5fd106
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
5fd106
5fd106
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
5fd106
- Remove tmux process running check in configure_bashrc_exec_tmux (RHBZ#2055860)
5fd106
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
5fd106
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
5fd106
5fd106
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
5fd106
- Fix Ansible service disabled tasks (RHBZ#2014485)
5fd106
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
5fd106
5fd106
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
5fd106
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
5fd106
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
5fd106
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
5fd106
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
5fd106
- Update GRUB2 rule descriptions (RHBZ#2014485)
5fd106
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
5fd106
5fd106
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
5fd106
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
5fd106
- Align audit rules for OSPP profile (RHBZ#2000264)
5fd106
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
5fd106
5fd106
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
5fd106
- Rebase to a new upstream release (RHBZ#2014485)
5fd106
5fd106
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
5fd106
- Rebase to a new upstream release (RHBZ#2014485)
5fd106
5fd106
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
5fd106
- Rebase to a new upstream release. (RHBZ#2014485)
5fd106
- Add a VM wait handling to fix issues with tests.
bdc918
bdc918
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
bdc918
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
bdc918
bdc918
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
bdc918
- Fix remaining audit rules file permissions (RHBZ#1993056)
bdc918
- Mark a STIG service rule as machine only (RHBZ#1993056)
bdc918
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
bdc918
bdc918
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
bdc918
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
bdc918
- Include tests for Ansible Playbooks that remove and reintroduce files.
bdc918
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056)
bdc918
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
bdc918
- Restructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
bdc918
- Add Kickstart files for ISM profile (RHBZ#1955373)
bdc918
- Fix broken RHEL7 documentation links (RHBZ#1966577)
bdc918
bdc918
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
bdc918
- Update to the latest upstream release (RHBZ#1966577)
bdc918
- Enable the ISM profile.
bdc918
bdc918
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
bdc918
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
bdc918
bdc918
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
bdc918
- Update to the latest upstream release (RHBZ#1966577)
bdc918
- Add ANSSI High Profile (RHBZ#1955183)
362bfa
618a7c
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
618a7c
- Remove Kickstart for not shipped profile (RHBZ#1778188)
618a7c
618a7c
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
618a7c
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
618a7c
618a7c
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
618a7c
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
618a7c
618a7c
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
618a7c
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
618a7c
618a7c
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
618a7c
- Update to the latest upstream release (RHBZ#1889344)
618a7c
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
618a7c
618a7c
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
618a7c
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
618a7c
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
618a7c
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
618a7c
618a7c
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
618a7c
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
618a7c
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
618a7c
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
618a7c
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
618a7c
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
618a7c
618a7c
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
618a7c
- Update list of profiles built (RHBZ#1889344)
973b04
618a7c
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
618a7c
- Update to the latest upstream release (RHBZ#1889344)
973b04
475544
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
475544
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
475544
475544
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
475544
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
475544
475544
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
475544
- remove rationale from rules that contain defective links (rhbz#1854854)
475544
475544
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
475544
- fixed link in a grub2 rule description (rhbz#1854854)
475544
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
475544
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
475544
475544
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
475544
- Update the scapval invocation (RHBZ#1815007)
475544
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
475544
- Change the spec file macro invocation from patch to Patch
475544
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
475544
475544
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
475544
- fix description of HIPAA profile (RHBZ#1867559)
475544
475544
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
475544
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
475544
  - Remove CCM from TLS Ciphersuites
475544
475544
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
475544
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
475544
475544
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
475544
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
475544
475544
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
475544
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
475544
475544
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
475544
- CIS Ansible fixes (RHBZ#1760734)
475544
- HIPAA Ansible fixes (RHBZ#1832760)
475544
475544
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
475544
- HIPAA Profile (RHBZ#1832760)
475544
  - Enable build of RHEL8 HIPAA Profile
475544
  - Add kickstarts for HIPAA
475544
- CIS Profile (RHBZ#1760734)
475544
  - Add Ansible fix for sshd_set_max_sessions
475544
  - Add CIS Profile content attribution to Center for Internet Security
475544
475544
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
475544
- Fix Ansible for no_direct_root_logins
475544
- Fix Ansible template for SELinux booleans
475544
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
475544
475544
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
475544
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
475544
475544
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
475544
- Update to the latest upstream release (RHBZ#1815007)
475544
475544
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
475544
- Update to the latest upstream release (RHBZ#1815007)
475544
05062e
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
05062e
- Update baseline package list of OSPP profile
05062e
05062e
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
05062e
- Rebuilt with correct spec file
05062e
05062e
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
05062e
- Add SRG references to STIG rules (RHBZ#1755447)
05062e
05062e
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
05062e
- Drop rsyslog rules from OSPP profile
05062e
- Update COBIT URI
05062e
- Add rules for strong source of RNG entropy
05062e
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
05062e
- STIG profile: added rsyslog rules and updated SRG mappings
05062e
- Split audit rules according to audit component (RHBZ#1791312)
05062e
05062e
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
05062e
- Update crypto-policy test scenarios
05062e
- Update max-path-len test to skip tests/logs directory
05062e
05062e
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
05062e
- Fix list of tables that are generated for RHEL8
05062e
05062e
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
05062e
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
05062e
05062e
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
05062e
- Improved the e8 profile (RHBZ#1755194)
05062e
05062e
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
05062e
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
05062e
05062e
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
05062e
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
05062e
05062e
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
05062e
- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
05062e
d0bfd3
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
d0bfd3
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
d0bfd3
d0bfd3
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
d0bfd3
- Use crypto-policy rules in OSPP profile.
d0bfd3
- Re-enable FIREFOX and JRE product in build.
d0bfd3
- Change test suite logging message about missing profile from ERROR to WARNING.
d0bfd3
- Build only one version of SCAP content at a time.
d0bfd3
d0bfd3
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
d0bfd3
d0bfd3
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
d0bfd3
- Ported changelog from late 8.0 builds.
d0bfd3
- Disabled build of the OL8 product, updated other components of the cmake invocation.
d0bfd3
d0bfd3
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
d0bfd3
575137
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
575137
- Assign CCE to rules from OSPP profile which were missing the identifier.
575137
- Fix regular expression for Audit rules ordering
575137
- Account for Audit rules flags parameter position within syscall
575137
- Add remediations for Audit rules file path
575137
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
575137
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
575137
- Add a Bash remediation for Audit rules that require ordering
575137
575137
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
575137
- Assign CCE identifier to rules used by RHEL8 profiles.
575137
575137
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
575137
- Fixed Crypto Policy OVAL for NSS
575137
- Got rid of rules requiring packages dropped in RHEL8.
575137
- Profile descriptions fixes.
575137
575137
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
575137
- Update applicable platforms in crypto policy tests
575137
575137
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
575137
- Introduce Podman backend for SSG Test suite
575137
- Update bind and libreswan crypto policy test scenarios
575137
575137
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
575137
- Further fix of profiles descriptions, so they don't contain literal '\'.
575137
- Removed obsolete sshd rule from the OSPP profile.
575137
575137
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
575137
- Fixed profiles descriptions, so they don't contain literal '\n'.
575137
- Made the configure_kerberos_crypto_policy OVAL more robust.
575137
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
575137
575137
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
575137
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
575137
575137
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
575137
- Added FIPS mode rule for the OSPP profile.
575137
- Split the installed_OS_is certified rule.
575137
- Explicitly disabled OSP13, RHV4 and Example products.
575137
575137
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
575137
- Add missing kickstart files for RHEL8
575137
- Disable profiles that are not in good shape for RHEL8
575137
575137
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
575137
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
575137
- System-wide crypto policies are introduced for RHEL8
575137
- Patches that introduced the RHEL8 product were dropped, as it has been upstreamed.
575137
575137
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
575137
- Fix man page and package description
575137
575137
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
575137
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
575137
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
575137
575137
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
575137
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
575137
- Only build content for rhel8 products
575137
575137
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
575137
- Update build of rhel8 content
575137
575137
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
575137
- Enable build of rhel8 content
575137
575137
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
575137
- Fix spec file to build using Python 3
575137
- Fix License because upstream changed to BSD-3
575137
575137
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
575137
575137
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
575137
575137
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
575137
575137
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
575137
575137
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
575137
575137
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
575137
575137
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
575137
- updated to latest upstream release
575137
575137
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
575137
- updated to latest upstream release
575137
575137
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
575137
- updated to latest upstream release
575137
575137
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
575137
575137
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
575137
- use make_build and make_install RPM macros
575137
575137
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
575137
- update to the latest upstream release
575137
- new default location for content /usr/share/scap/ssg
575137
- install HTML tables in the doc subpackage
575137
575137
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
575137
- Correct currently failing parallel SCAP Security Guide build
575137
575137
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
575137
- Drop shell library for remediation functions since it is not required
575137
  starting from 0.1.30 release any more
575137
575137
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
575137
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
575137
  in 0.1.29 upstream release
575137
575137
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
575137
575137
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
575137
- upgrade to the latest upstream release
575137
575137
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
575137
- update to the latest upstream release
575137
575137
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
575137
- update to the latest upstream release
575137
575137
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
575137
- update to the latest upstream release
575137
575137
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
575137
- update to the latest upstream release
575137
- created doc sub-package to ship all the guides
575137
- start distributing centos and scientific linux content
575137
- rename java content to jre
575137
575137
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
575137
575137
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
575137
- update to the latest upstream release
575137
- only DataStream file is now available for Fedora
575137
- start distributing security baseline for Firefox
575137
- start distributing security baseline for Java RunTime deployments
575137
575137
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
575137
- update to the latest upstream release
575137
- move content to /usr/share/scap/ssg/content
575137
575137
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
575137
- update to the latest upstream release
575137
575137
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
575137
- require only openscap-scanner, not whole openscap-utils package
575137
575137
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
575137
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
575137
- Add STIG DISCLAIMER to the shipped documentation
575137
575137
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
575137
575137
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
575137
- Fix fedora-srpm and fedora-rpm Make targets to work again
575137
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
575137
- EOL for Fedora 18 support
575137
- Include Fedora datastream file for remote Fedora system scans
575137
575137
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
575137
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
575137
575137
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
575137
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
575137
  it to /shared
575137
- Add shared remediations for sshd disable empty passwords and
575137
  sshd set idle timeout
575137
- Shared remediation for sshd disable root login
575137
- Add empty -compat subpackage to ensure backward-compatibility with
575137
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
575137
- OVAL check for sshd disable root login
575137
- Fix typo in OVAL check for sshd disable empty passwords
575137
- OVAL check for sshd disable empty passwords
575137
- Unselect no shelllogin for systemaccounts rule from being run by default
575137
- Rename XCCDF rules
575137
- Revert Set up Fedora release name and CPE based on build system properties
575137
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
575137
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
575137
- Shared OVAL check for Verify that System Executables Have Root Ownership
575137
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
575137
  Permissions
575137
- Fix remediation for Disable Prelinking rule
575137
- OVAL check and remediation for sshd's ClientAliveCountMax rule
575137
- OVAL check for sshd's ClientAliveInterval rule
575137
- Include descriptions for permissions section, and rules for checking
575137
  permissions and ownership of shared library files and system executables
575137
- Disable selected rules by default
575137
- Add remediation for Disable Prelinking rule
575137
- Adjust service-enable-macro, service-disable-macro XSLT transforms
575137
  definition to evaluate to proper systemd syntax
575137
- Fix service_ntpd_enabled OVAL check make validate to pass again
575137
- Include patch from Šimon Lukašík to obsolete openscap-content
575137
  package (RH BZ#1028706)
575137
- Add OVAL check to test if there is a remote NTP server configured for
575137
  time data
575137
- Add system settings section for the guide (to track system wide
575137
  hardening configurations)
575137
- Include disable prelink rule and OVAL check for it
575137
- Initial OVAL check if ntpd service is enabled. Add package_installed
575137
  OVAL templating directory structure and functionality.
575137
- Include services section, and XCCDF description for selected ntpd's
575137
  sshd's service rules
575137
- Include remediations for login.defs' based password minimum, maximum and
575137
  warning age rules
575137
- Include directory structure to support remediations
575137
- Add SCAP "replace or append pattern value in text file based on variable"
575137
  remediation script generator
575137
- Add remediation for "Set Password Minimum Length in login.defs" rule
575137
575137
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
575137
- Update versioning scheme - move fedorassgrelease to be part of
575137
  upstream version. Rename it to fedorassgversion to avoid name collision
575137
  with Fedora package release.
575137
575137
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
575137
- Add .gitignore for Fedora output directory
575137
- Set up Fedora release name and CPE based on build system properties
05062e
- Use correct file paths in scap-security-guide(8) manual page
575137
  (RH BZ#1018905, c#10)
575137
- Apply further changes motivated by scap-security-guide Fedora RPM review
575137
  request (RH BZ#1018905, c#8):
575137
  * update package description,
575137
  * make content files to be owned by the scap-security-guide package,
575137
  * remove Fedora release number from generated content files,
575137
  * move HTML form of the guide under the doc directory (together
575137
    with that drop fedora/content subdir and place the content
575137
    directly under fedora/ subdir).
575137
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
575137
  * drop Fedora release from package provided files' final path (c#5),
575137
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
575137
    manual page, don't gzip man page (c#4),
575137
  * change package's description (c#4),
575137
  * include PD license text (#c4).
575137
575137
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
575137
- Provide manual page for scap-security-guide
575137
- Remove percent sign from spec's changelog to silence rpmlint warning
575137
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
575137
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
575137
- Introduce 'Account and Access Control' section
575137
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
575137
  rules to Fedora
575137
- Set proper name of the build directory in the spec's setup macro.
575137
- Replace hard-coded paths with macros. Preserve attributes when copying files.
575137
575137
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
575137
- Initial Fedora SSG RPM.