Blame SPECS/scap-security-guide.spec

a297d8
# Base name of static rhel6 content tarball
a297d8
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
a297d8
54c0d5
Name:		scap-security-guide
a297d8
Version:	0.1.54
a297d8
Release:	5%{?dist}
54c0d5
Summary:	Security guidance and baselines in SCAP formats
54c0d5
Group:		Applications/System
54c0d5
License:	BSD
54c0d5
URL:		https://github.com/ComplianceAsCode/content/
54c0d5
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
a297d8
# Include tarball with last released rhel6 content
a297d8
Source1:	%{_static_rhel6_content}.tar.bz2
54c0d5
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
54c0d5
Patch0:		disable-not-in-good-shape-profiles.patch
a297d8
Patch1:		scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
a297d8
Patch2:		scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
a297d8
Patch3:		scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
a297d8
Patch4:		scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
a297d8
Patch5:		scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
a297d8
Patch6:		scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
a297d8
Patch7:		scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
a297d8
Patch8:		scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
a297d8
Patch9:		scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
a297d8
Patch10:		scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
a297d8
Patch11:		scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
a297d8
Patch12:		scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
a297d8
Patch13:		scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
a297d8
Patch14:		scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
a297d8
Patch15:		scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
a297d8
Patch16:		scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
a297d8
Patch17:		scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
a297d8
Patch18:		scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
a297d8
Patch19:		scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
a297d8
Patch20:		scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
a297d8
Patch21:		scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
a297d8
Patch22:		scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
a297d8
Patch23:		scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
a297d8
Patch24:		scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
a297d8
Patch25:		scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
a297d8
Patch26:		scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
a297d8
Patch27:		scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
a297d8
# Until the ANSSI High profile is shipped we drop the ks too
a297d8
Patch28:		remove-ANSSI-high-ks.patch
540324
54c0d5
BuildArch:	noarch
54c0d5
54c0d5
# To get python3 inside the buildroot require its path explicitly in BuildRequires
54c0d5
BuildRequires: /usr/bin/python3
54c0d5
BuildRequires:	libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
54c0d5
Requires:	xml-common, openscap-scanner >= 1.2.5
54c0d5
Obsoletes:	openscap-content < 0:0.9.13
54c0d5
Provides:	openscap-content
54c0d5
54c0d5
%description
54c0d5
The scap-security-guide project provides a guide for configuration of the
54c0d5
system from the final system's security point of view. The guidance is specified
54c0d5
in the Security Content Automation Protocol (SCAP) format and constitutes
54c0d5
a catalog of practical hardening advice, linked to government requirements
54c0d5
where applicable. The project bridges the gap between generalized policy
54c0d5
requirements and specific implementation guidelines. The Red Hat Enterprise
54c0d5
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
54c0d5
package, or the scap-workbench GUI tool from scap-workbench package to verify
54c0d5
that the system conforms to the provided guideline. Refer to scap-security-guide(8)
54c0d5
manual page for further information.
54c0d5
54c0d5
%package	doc
54c0d5
Summary:	HTML formatted security guides generated from XCCDF benchmarks
54c0d5
Group:		System Environment/Base
54c0d5
Requires:	%{name} = %{version}-%{release}
54c0d5
54c0d5
%description	doc
54c0d5
The %{name}-doc package contains HTML formatted documents containing
54c0d5
hardening guidances that have been generated from XCCDF benchmarks
54c0d5
present in %{name} package.
54c0d5
54c0d5
%prep
a297d8
%setup -q -b 1
54c0d5
%patch0 -p1
f8899d
%patch1 -p1
f8899d
%patch2 -p1
f8899d
%patch3 -p1
f8899d
%patch4 -p1
f8899d
%patch5 -p1
f8899d
%patch6 -p1
f8899d
%patch7 -p1
f8899d
%patch8 -p1
f8899d
%patch9 -p1
f8899d
%patch10 -p1
7303c7
%patch11 -p1
7303c7
%patch12 -p1
7303c7
%patch13 -p1
a297d8
%patch14 -p1
a297d8
%patch15 -p1
a297d8
%patch16 -p1
a297d8
%patch17 -p1
a297d8
%patch18 -p1
a297d8
%patch19 -p1
a297d8
%patch20 -p1
a297d8
%patch21 -p1
a297d8
%patch22 -p1
a297d8
%patch23 -p1
a297d8
%patch24 -p1
a297d8
%patch25 -p1
a297d8
%patch26 -p1
a297d8
%patch27 -p1
a297d8
%patch28 -p1
54c0d5
mkdir build
54c0d5
54c0d5
%build
54c0d5
cd build
54c0d5
%cmake \
54c0d5
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
54c0d5
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
54c0d5
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
54c0d5
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
54c0d5
%make_build
54c0d5
54c0d5
%install
54c0d5
cd build
54c0d5
%make_install
54c0d5
a297d8
# Manually install pre-built rhel6 content
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
a297d8
54c0d5
%files
54c0d5
%{_datadir}/xml/scap/ssg/content
54c0d5
%{_datadir}/%{name}/kickstart
54c0d5
%{_datadir}/%{name}/ansible
54c0d5
%{_datadir}/%{name}/bash
54c0d5
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
54c0d5
%doc %{_docdir}/%{name}/LICENSE
54c0d5
%doc %{_docdir}/%{name}/README.md
54c0d5
%doc %{_docdir}/%{name}/Contributors.md
54c0d5
54c0d5
%files doc
54c0d5
%doc %{_docdir}/%{name}/guides/*.html
54c0d5
%doc %{_docdir}/%{name}/tables/*.html
54c0d5
54c0d5
%changelog
a297d8
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
a297d8
- Remove Kickstart for not shipped profile (RHBZ#1778188)
a297d8
a297d8
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
a297d8
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
a297d8
a297d8
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
a297d8
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
a297d8
a297d8
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
a297d8
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
a297d8
a297d8
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
a297d8
- Update to the latest upstream release (RHBZ#1889344)
a297d8
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
a297d8
7303c7
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
7303c7
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
7303c7
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
7303c7
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
7303c7
f8899d
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
f8899d
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
f8899d
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
f8899d
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
f8899d
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
f8899d
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
f8899d
971b3e
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
971b3e
- Update list of profiles built (RHBZ#1889344)
971b3e
971b3e
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
971b3e
- Update to the latest upstream release (RHBZ#1889344)
971b3e
510a3d
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
510a3d
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
510a3d
510a3d
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
510a3d
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
510a3d
814422
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
814422
- remove rationale from rules that contain defective links (rhbz#1854854)
814422
50ad7f
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
50ad7f
- fixed link in a grub2 rule description (rhbz#1854854)
50ad7f
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
50ad7f
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
50ad7f
540324
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
540324
- Update the scapval invocation (RHBZ#1815007)
540324
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
540324
- Change the spec file macro invocation from patch to Patch
540324
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
540324
540324
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
540324
- fix description of HIPAA profile (RHBZ#1867559)
540324
40a955
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
40a955
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
40a955
  - Remove CCM from TLS Ciphersuites
40a955
ac2e16
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
ac2e16
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
ac2e16
ac2e16
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
ac2e16
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
ac2e16
c99e83
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
c99e83
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
c99e83
c99e83
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
c99e83
- CIS Ansible fixes (RHBZ#1760734)
c99e83
- HIPAA Ansible fixes (RHBZ#1832760)
c99e83
c99e83
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
c99e83
- HIPAA Profile (RHBZ#1832760)
c99e83
  - Enable build of RHEL8 HIPAA Profile
c99e83
  - Add kickstarts for HIPAA
c99e83
- CIS Profile (RHBZ#1760734)
c99e83
  - Add Ansible fix for sshd_set_max_sessions
c99e83
  - Add CIS Profile content attribution to Center for Internet Security
c99e83
c99e83
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c99e83
- Fix Ansible for no_direct_root_logins
c99e83
- Fix Ansible template for SELinux booleans
c99e83
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
c99e83
c99e83
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c99e83
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
c99e83
c99e83
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
c99e83
- Update to the latest upstream release (RHBZ#1815007)
c99e83
f5dd42
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
f5dd42
- Update to the latest upstream release (RHBZ#1815007)
f5dd42
54c0d5
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
54c0d5
- Update baseline package list of OSPP profile
54c0d5
54c0d5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
54c0d5
- Rebuilt with correct spec file
54c0d5
54c0d5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
54c0d5
- Add SRG references to STIG rules (RHBZ#1755447)
54c0d5
54c0d5
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
54c0d5
- Drop rsyslog rules from OSPP profile
54c0d5
- Update COBIT URI
54c0d5
- Add rules for strong source of RNG entropy
54c0d5
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
54c0d5
- STIG profile: added rsyslog rules and updated SRG mappings
54c0d5
- Split audit rules according to audit component (RHBZ#1791312)
54c0d5
54c0d5
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
54c0d5
- Update crypto-policy test scenarios
54c0d5
- Update max-path-len test to skip tests/logs directory
54c0d5
54c0d5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
54c0d5
- Fix list of tables that are generated for RHEL8
54c0d5
54c0d5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
54c0d5
54c0d5
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
54c0d5
- Improved the e8 profile (RHBZ#1755194)
54c0d5
54c0d5
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
54c0d5
54c0d5
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
54c0d5
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
54c0d5
54c0d5
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
54c0d5
- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
54c0d5
54c0d5
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
54c0d5
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
54c0d5
54c0d5
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
54c0d5
- Use crypto-policy rules in OSPP profile.
54c0d5
- Re-enable FIREFOX and JRE product in build.
54c0d5
- Change test suite logging message about missing profile from ERROR to WARNING.
54c0d5
- Build only one version of SCAP content at a time.
54c0d5
54c0d5
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
54c0d5
54c0d5
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
54c0d5
- Ported changelog from late 8.0 builds.
54c0d5
- Disabled build of the OL8 product, updated other components of the cmake invocation.
54c0d5
54c0d5
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
54c0d5
54c0d5
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
54c0d5
- Assign CCE to rules from OSPP profile which were missing the identifier.
54c0d5
- Fix regular expression for Audit rules ordering
54c0d5
- Account for Audit rules flags parameter position within syscall
54c0d5
- Add remediations for Audit rules file path
54c0d5
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
54c0d5
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
54c0d5
- Add a Bash remediation for Audit rules that require ordering
54c0d5
54c0d5
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
54c0d5
- Assign CCE identifier to rules used by RHEL8 profiles.
54c0d5
54c0d5
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
54c0d5
- Fixed Crypto Policy OVAL for NSS
54c0d5
- Got rid of rules requiring packages dropped in RHEL8.
54c0d5
- Profile descriptions fixes.
54c0d5
54c0d5
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
54c0d5
- Update applicable platforms in crypto policy tests
54c0d5
54c0d5
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
54c0d5
- Introduce Podman backend for SSG Test suite
54c0d5
- Update bind and libreswan crypto policy test scenarios
54c0d5
54c0d5
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
54c0d5
- Further fix of profiles descriptions, so they don't contain literal '\'.
54c0d5
- Removed obsolete sshd rule from the OSPP profile.
54c0d5
54c0d5
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
54c0d5
- Fixed profiles descriptions, so they don't contain literal '\n'.
54c0d5
- Made the configure_kerberos_crypto_policy OVAL more robust.
54c0d5
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
54c0d5
54c0d5
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
54c0d5
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
54c0d5
54c0d5
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
54c0d5
- Added FIPS mode rule for the OSPP profile.
54c0d5
- Split the installed_OS_is certified rule.
54c0d5
- Explicitly disabled OSP13, RHV4 and Example products.
54c0d5
54c0d5
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
54c0d5
- Add missing kickstart files for RHEL8
54c0d5
- Disable profiles that are not in good shape for RHEL8
54c0d5
54c0d5
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
54c0d5
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
54c0d5
- System-wide crypto policies are introduced for RHEL8
54c0d5
- Patches that introduced the RHEL8 product were dropped, as it has been upstreamed.
54c0d5
54c0d5
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
54c0d5
- Fix man page and package description
54c0d5
54c0d5
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
54c0d5
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
54c0d5
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
54c0d5
54c0d5
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
54c0d5
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
54c0d5
- Only build content for rhel8 products
54c0d5
54c0d5
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
54c0d5
- Update build of rhel8 content
54c0d5
54c0d5
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
54c0d5
- Enable build of rhel8 content
54c0d5
54c0d5
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
54c0d5
- Fix spec file to build using Python 3
54c0d5
- Fix License because upstream changed to BSD-3
54c0d5
54c0d5
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
54c0d5
54c0d5
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
54c0d5
54c0d5
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
54c0d5
54c0d5
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
54c0d5
54c0d5
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
54c0d5
54c0d5
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
54c0d5
54c0d5
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
54c0d5
54c0d5
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
54c0d5
- use make_build and make_install RPM macros
54c0d5
54c0d5
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
54c0d5
- update to the latest upstream release
54c0d5
- new default location for content /usr/share/scap/ssg
54c0d5
- install HTML tables in the doc subpackage
54c0d5
54c0d5
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
54c0d5
- Correct currently failing parallel SCAP Security Guide build
54c0d5
54c0d5
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
54c0d5
- Drop shell library for remediation functions since it is not required
54c0d5
  starting from 0.1.30 release any more
54c0d5
54c0d5
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
54c0d5
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
54c0d5
  in 0.1.29 upstream release
54c0d5
54c0d5
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
54c0d5
54c0d5
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
54c0d5
- upgrade to the latest upstream release
54c0d5
54c0d5
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
54c0d5
- update to the latest upstream release
54c0d5
- created doc sub-package to ship all the guides
54c0d5
- start distributing centos and scientific linux content
54c0d5
- rename java content to jre
54c0d5
54c0d5
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
54c0d5
54c0d5
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
54c0d5
- update to the latest upstream release
54c0d5
- only DataStream file is now available for Fedora
54c0d5
- start distributing security baseline for Firefox
54c0d5
- start distributing security baseline for Java RunTime deployments
54c0d5
54c0d5
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
54c0d5
- update to the latest upstream release
54c0d5
- move content to /usr/share/scap/ssg/content
54c0d5
54c0d5
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
54c0d5
- require only openscap-scanner, not whole openscap-utils package
54c0d5
54c0d5
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
54c0d5
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
54c0d5
- Add STIG DISCLAIMER to the shipped documentation
54c0d5
54c0d5
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
54c0d5
54c0d5
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
54c0d5
- Fix fedora-srpm and fedora-rpm Make targets to work again
54c0d5
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
54c0d5
- EOL for Fedora 18 support
54c0d5
- Include Fedora datastream file for remote Fedora system scans
54c0d5
54c0d5
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
54c0d5
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
54c0d5
54c0d5
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
54c0d5
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
54c0d5
  it to /shared
54c0d5
- Add shared remediations for sshd disable empty passwords and
54c0d5
  sshd set idle timeout
54c0d5
- Shared remediation for sshd disable root login
54c0d5
- Add empty -compat subpackage to ensure backward-compatibility with
54c0d5
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
54c0d5
- OVAL check for sshd disable root login
54c0d5
- Fix typo in OVAL check for sshd disable empty passwords
54c0d5
- OVAL check for sshd disable empty passwords
54c0d5
- Unselect no shelllogin for systemaccounts rule from being run by default
54c0d5
- Rename XCCDF rules
54c0d5
- Revert Set up Fedora release name and CPE based on build system properties
54c0d5
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
54c0d5
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
54c0d5
- Shared OVAL check for Verify that System Executables Have Root Ownership
54c0d5
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
54c0d5
  Permissions
54c0d5
- Fix remediation for Disable Prelinking rule
54c0d5
- OVAL check and remediation for sshd's ClientAliveCountMax rule
54c0d5
- OVAL check for sshd's ClientAliveInterval rule
54c0d5
- Include descriptions for permissions section, and rules for checking
54c0d5
  permissions and ownership of shared library files and system executables
54c0d5
- Disable selected rules by default
54c0d5
- Add remediation for Disable Prelinking rule
54c0d5
- Adjust service-enable-macro, service-disable-macro XSLT transforms
54c0d5
  definition to evaluate to proper systemd syntax
54c0d5
- Fix service_ntpd_enabled OVAL check make validate to pass again
54c0d5
- Include patch from Šimon Lukašík to obsolete openscap-content
54c0d5
  package (RH BZ#1028706)
54c0d5
- Add OVAL check to test if there is a remote NTP server configured for
54c0d5
  time data
54c0d5
- Add system settings section for the guide (to track system wide
54c0d5
  hardening configurations)
54c0d5
- Include disable prelink rule and OVAL check for it
54c0d5
- Initial OVAL check if ntpd service is enabled. Add package_installed
54c0d5
  OVAL templating directory structure and functionality.
54c0d5
- Include services section, and XCCDF description for selected ntpd's
54c0d5
  sshd's service rules
54c0d5
- Include remediations for login.defs' based password minimum, maximum and
54c0d5
  warning age rules
54c0d5
- Include directory structure to support remediations
54c0d5
- Add SCAP "replace or append pattern value in text file based on variable"
54c0d5
  remediation script generator
54c0d5
- Add remediation for "Set Password Minimum Length in login.defs" rule
54c0d5
54c0d5
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
54c0d5
- Update versioning scheme - move fedorassgrelease to be part of
54c0d5
  upstream version. Rename it to fedorassgversion to avoid name collision
54c0d5
  with Fedora package release.
54c0d5
54c0d5
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
54c0d5
- Add .gitignore for Fedora output directory
54c0d5
- Set up Fedora release name and CPE based on build system properties
54c0d5
- Use correct file paths in scap-security-guide(8) manual page
54c0d5
  (RH BZ#1018905, c#10)
54c0d5
- Apply further changes motivated by scap-security-guide Fedora RPM review
54c0d5
  request (RH BZ#1018905, c#8):
54c0d5
  * update package description,
54c0d5
  * make content files to be owned by the scap-security-guide package,
54c0d5
  * remove Fedora release number from generated content files,
54c0d5
  * move HTML form of the guide under the doc directory (together
54c0d5
    with that drop fedora/content subdir and place the content
54c0d5
    directly under fedora/ subdir).
54c0d5
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
54c0d5
  * drop Fedora release from package provided files' final path (c#5),
54c0d5
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
54c0d5
    manual page, don't gzip man page (c#4),
54c0d5
  * change package's description (c#4),
54c0d5
  * include PD license text (#c4).
54c0d5
54c0d5
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
54c0d5
- Provide manual page for scap-security-guide
54c0d5
- Remove percent sign from spec's changelog to silence rpmlint warning
54c0d5
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
54c0d5
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
54c0d5
- Introduce 'Account and Access Control' section
54c0d5
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
54c0d5
  rules to Fedora
54c0d5
- Set proper name of the build directory in the spec's setup macro.
54c0d5
- Replace hard-coded paths with macros. Preserve attributes when copying files.
54c0d5
54c0d5
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
54c0d5
- Initial Fedora SSG RPM.