|
|
a297d8 |
# Base name of static rhel6 content tarball
|
|
|
a297d8 |
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
|
|
a297d8 |
|
|
|
54c0d5 |
Name: scap-security-guide
|
|
|
a297d8 |
Version: 0.1.54
|
|
|
a297d8 |
Release: 5%{?dist}
|
|
|
54c0d5 |
Summary: Security guidance and baselines in SCAP formats
|
|
|
54c0d5 |
Group: Applications/System
|
|
|
54c0d5 |
License: BSD
|
|
|
54c0d5 |
URL: https://github.com/ComplianceAsCode/content/
|
|
|
54c0d5 |
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
|
|
|
a297d8 |
# Include tarball with last released rhel6 content
|
|
|
a297d8 |
Source1: %{_static_rhel6_content}.tar.bz2
|
|
|
54c0d5 |
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
|
|
|
54c0d5 |
Patch0: disable-not-in-good-shape-profiles.patch
|
|
|
a297d8 |
Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
|
|
|
a297d8 |
Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
|
|
|
a297d8 |
Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
|
|
|
a297d8 |
Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
|
|
|
a297d8 |
Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
|
|
|
a297d8 |
Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
|
|
|
a297d8 |
Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
|
|
|
a297d8 |
Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
|
|
|
a297d8 |
Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
|
|
|
a297d8 |
Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
|
|
|
a297d8 |
Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
|
|
|
a297d8 |
Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
|
|
|
a297d8 |
Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
|
|
|
a297d8 |
Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
|
|
|
a297d8 |
Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
|
|
|
a297d8 |
Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
|
|
|
a297d8 |
Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
|
|
|
a297d8 |
Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
|
|
|
a297d8 |
Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
|
|
|
a297d8 |
Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
|
|
|
a297d8 |
Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
|
|
|
a297d8 |
Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
|
|
|
a297d8 |
Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
|
|
|
a297d8 |
Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
|
|
|
a297d8 |
Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
|
|
|
a297d8 |
Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
|
|
|
a297d8 |
Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
|
|
|
a297d8 |
# Untill ANSSI High profile is shipped we drop the ks too
|
|
|
a297d8 |
Patch28: remove-ANSSI-high-ks.patch
|
|
|
540324 |
|
|
|
54c0d5 |
BuildArch: noarch
|
|
|
54c0d5 |
|
|
|
54c0d5 |
# To get python3 inside the buildroot require its path explicitly in BuildRequires
|
|
|
54c0d5 |
BuildRequires: /usr/bin/python3
|
|
|
54c0d5 |
BuildRequires: libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
|
|
|
54c0d5 |
Requires: xml-common, openscap-scanner >= 1.2.5
|
|
|
54c0d5 |
Obsoletes: openscap-content < 0:0.9.13
|
|
|
54c0d5 |
Provides: openscap-content
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%description
|
|
|
54c0d5 |
The scap-security-guide project provides a guide for configuration of the
|
|
|
54c0d5 |
system from the final system's security point of view. The guidance is specified
|
|
|
54c0d5 |
in the Security Content Automation Protocol (SCAP) format and constitutes
|
|
|
54c0d5 |
a catalog of practical hardening advice, linked to government requirements
|
|
|
54c0d5 |
where applicable. The project bridges the gap between generalized policy
|
|
|
54c0d5 |
requirements and specific implementation guidelines. The Red Hat Enterprise
|
|
|
54c0d5 |
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
|
|
|
54c0d5 |
package, or the scap-workbench GUI tool from scap-workbench package to verify
|
|
|
54c0d5 |
that the system conforms to provided guideline. Refer to scap-security-guide(8)
|
|
|
54c0d5 |
manual page for further information.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%package doc
|
|
|
54c0d5 |
Summary: HTML formatted security guides generated from XCCDF benchmarks
|
|
|
54c0d5 |
Group: System Environment/Base
|
|
|
54c0d5 |
Requires: %{name} = %{version}-%{release}
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%description doc
|
|
|
54c0d5 |
The %{name}-doc package contains HTML formatted documents containing
|
|
|
54c0d5 |
hardening guidances that have been generated from XCCDF benchmarks
|
|
|
54c0d5 |
present in %{name} package.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%prep
|
|
|
a297d8 |
%setup -q -b 1
|
|
|
54c0d5 |
%patch0 -p1
|
|
|
f8899d |
%patch1 -p1
|
|
|
f8899d |
%patch2 -p1
|
|
|
f8899d |
%patch3 -p1
|
|
|
f8899d |
%patch4 -p1
|
|
|
f8899d |
%patch5 -p1
|
|
|
f8899d |
%patch6 -p1
|
|
|
f8899d |
%patch7 -p1
|
|
|
f8899d |
%patch8 -p1
|
|
|
f8899d |
%patch9 -p1
|
|
|
f8899d |
%patch10 -p1
|
|
|
7303c7 |
%patch11 -p1
|
|
|
7303c7 |
%patch12 -p1
|
|
|
7303c7 |
%patch13 -p1
|
|
|
a297d8 |
%patch14 -p1
|
|
|
a297d8 |
%patch15 -p1
|
|
|
a297d8 |
%patch16 -p1
|
|
|
a297d8 |
%patch17 -p1
|
|
|
a297d8 |
%patch18 -p1
|
|
|
a297d8 |
%patch19 -p1
|
|
|
a297d8 |
%patch20 -p1
|
|
|
a297d8 |
%patch21 -p1
|
|
|
a297d8 |
%patch22 -p1
|
|
|
a297d8 |
%patch23 -p1
|
|
|
a297d8 |
%patch24 -p1
|
|
|
a297d8 |
%patch25 -p1
|
|
|
a297d8 |
%patch26 -p1
|
|
|
a297d8 |
%patch27 -p1
|
|
|
a297d8 |
%patch28 -p1
|
|
|
54c0d5 |
mkdir build
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%build
|
|
|
54c0d5 |
cd build
|
|
|
54c0d5 |
%cmake \
|
|
|
54c0d5 |
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
|
|
|
54c0d5 |
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
|
|
|
54c0d5 |
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
|
|
|
54c0d5 |
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
|
|
|
54c0d5 |
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
|
|
|
54c0d5 |
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
|
|
54c0d5 |
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
|
|
|
54c0d5 |
%make_build
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%install
|
|
|
54c0d5 |
cd build
|
|
|
54c0d5 |
%make_install
|
|
|
54c0d5 |
|
|
|
a297d8 |
# Manually install pre-built rhel6 content
|
|
|
a297d8 |
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
|
|
a297d8 |
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
|
|
|
a297d8 |
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
|
|
|
a297d8 |
|
|
|
54c0d5 |
%files
|
|
|
54c0d5 |
%{_datadir}/xml/scap/ssg/content
|
|
|
54c0d5 |
%{_datadir}/%{name}/kickstart
|
|
|
54c0d5 |
%{_datadir}/%{name}/ansible
|
|
|
54c0d5 |
%{_datadir}/%{name}/bash
|
|
|
54c0d5 |
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
|
|
|
54c0d5 |
%doc %{_docdir}/%{name}/LICENSE
|
|
|
54c0d5 |
%doc %{_docdir}/%{name}/README.md
|
|
|
54c0d5 |
%doc %{_docdir}/%{name}/Contributors.md
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%files doc
|
|
|
54c0d5 |
%doc %{_docdir}/%{name}/guides/*.html
|
|
|
54c0d5 |
%doc %{_docdir}/%{name}/tables/*.html
|
|
|
54c0d5 |
|
|
|
54c0d5 |
%changelog
|
|
|
a297d8 |
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
|
|
|
a297d8 |
- Remove Kickstart for not shipped profile (RHBZ#1778188)
|
|
|
a297d8 |
|
|
|
a297d8 |
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
|
|
|
a297d8 |
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
|
|
|
a297d8 |
|
|
|
a297d8 |
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
|
|
|
a297d8 |
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
|
|
|
a297d8 |
|
|
|
a297d8 |
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
|
|
|
a297d8 |
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
|
|
|
a297d8 |
|
|
|
a297d8 |
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
|
|
a297d8 |
- Update to the latest upstream release (RHBZ#1889344)
|
|
|
a297d8 |
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
|
|
|
a297d8 |
|
|
|
7303c7 |
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
|
|
|
7303c7 |
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
|
|
|
7303c7 |
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
|
|
|
7303c7 |
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
|
|
|
7303c7 |
|
|
|
f8899d |
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
|
|
|
f8899d |
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
|
|
|
f8899d |
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
|
|
|
f8899d |
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
|
|
|
f8899d |
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
|
|
|
f8899d |
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
|
|
|
f8899d |
|
|
|
971b3e |
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
|
|
|
971b3e |
- Update list of profiles built (RHBZ#1889344)
|
|
|
971b3e |
|
|
|
971b3e |
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
|
|
|
971b3e |
- Update to the latest upstream release (RHBZ#1889344)
|
|
|
971b3e |
|
|
|
510a3d |
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
|
|
|
510a3d |
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
|
|
|
510a3d |
|
|
|
510a3d |
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
|
|
|
510a3d |
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
|
|
|
510a3d |
|
|
|
814422 |
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
|
|
|
814422 |
- remove rationale from rules that contain defective links (rhbz#1854854)
|
|
|
814422 |
|
|
|
50ad7f |
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
|
|
|
50ad7f |
- fixed link in a grub2 rule description (rhbz#1854854)
|
|
|
50ad7f |
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
|
|
|
50ad7f |
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
|
|
|
50ad7f |
|
|
|
540324 |
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
|
|
|
540324 |
- Update the scapval invocation (RHBZ#1815007)
|
|
|
540324 |
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
|
|
|
540324 |
- Change the spec file macro invocation from patch to Patch
|
|
|
540324 |
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
|
|
|
540324 |
|
|
|
540324 |
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
|
|
|
540324 |
- fix description of HIPAA profile (RHBZ#1867559)
|
|
|
540324 |
|
|
|
40a955 |
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
|
|
|
40a955 |
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
|
|
|
40a955 |
- Remove CCM from TLS Ciphersuites
|
|
|
40a955 |
|
|
|
ac2e16 |
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
|
|
|
ac2e16 |
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
|
|
|
ac2e16 |
|
|
|
ac2e16 |
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
|
|
|
ac2e16 |
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
|
|
|
ac2e16 |
|
|
|
c99e83 |
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
|
|
|
c99e83 |
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
|
|
|
c99e83 |
|
|
|
c99e83 |
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
|
|
|
c99e83 |
- CIS Ansible fixes (RHBZ#1760734)
|
|
|
c99e83 |
- HIPAA Ansible fixes (RHBZ#1832760)
|
|
|
c99e83 |
|
|
|
c99e83 |
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
|
|
|
c99e83 |
- HIPAA Profile (RHBZ#1832760)
|
|
|
c99e83 |
- Enable build of RHEL8 HIPAA Profile
|
|
|
c99e83 |
- Add kickstarts for HIPAA
|
|
|
c99e83 |
- CIS Profile (RHBZ#1760734)
|
|
|
c99e83 |
- Add Ansible fix for sshd_set_max_sessions
|
|
|
c99e83 |
- Add CIS Profile content attribution to Center for Internet Security
|
|
|
c99e83 |
|
|
|
c99e83 |
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
|
|
c99e83 |
- Fix Ansible for no_direct_root_logins
|
|
|
c99e83 |
- Fix Ansible template for SELinux booleans
|
|
|
c99e83 |
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
|
|
|
c99e83 |
|
|
|
c99e83 |
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
|
|
|
c99e83 |
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
|
|
|
c99e83 |
|
|
|
c99e83 |
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
|
|
|
c99e83 |
- Update to the latest upstream release (RHBZ#1815007)
|
|
|
c99e83 |
|
|
|
f5dd42 |
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
|
|
|
f5dd42 |
- Update to the latest upstream release (RHBZ#1815007)
|
|
|
f5dd42 |
|
|
|
54c0d5 |
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
|
|
|
54c0d5 |
- Update baseline package list of OSPP profile
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
|
|
|
54c0d5 |
- Rebuilt with correct spec file
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
|
|
|
54c0d5 |
- Add SRG references to STIG rules (RHBZ#1755447)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
|
|
|
54c0d5 |
- Drop rsyslog rules from OSPP profile
|
|
|
54c0d5 |
- Update COBIT URI
|
|
|
54c0d5 |
- Add rules for strong source of RNG entropy
|
|
|
54c0d5 |
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
|
|
|
54c0d5 |
- STIG profile: added rsyslog rules and updated SRG mappings
|
|
|
54c0d5 |
- Split audit rules according to audit component (RHBZ#1791312)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
|
|
|
54c0d5 |
- Update crypto-policy test scenarios
|
|
|
54c0d5 |
- Update max-path-len test to skip tests/logs directory
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
|
|
|
54c0d5 |
- Fix list of tables that are generated for RHEL8
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
|
|
|
54c0d5 |
- Improved the e8 profile (RHBZ#1755194)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
|
|
|
54c0d5 |
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
|
|
|
54c0d5 |
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
|
|
|
54c0d5 |
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
|
|
|
54c0d5 |
- Use crypto-policy rules in OSPP profile.
|
|
|
54c0d5 |
- Re-enable FIREFOX and JRE product in build.
|
|
|
54c0d5 |
- Change test suite logging message about missing profile from ERROR to WARNING.
|
|
|
54c0d5 |
- Build only one version of SCAP content at a time.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
|
|
|
54c0d5 |
- Ported changelog from late 8.0 builds.
|
|
|
54c0d5 |
- Disabled build of the OL8 product, updated other components of the cmake invocation.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
|
|
|
54c0d5 |
- Assign CCE to rules from OSPP profile which were missing the identifier.
|
|
|
54c0d5 |
- Fix regular expression for Audit rules ordering
|
|
|
54c0d5 |
- Account for Audit rules flags parameter position within syscall
|
|
|
54c0d5 |
- Add remediations for Audit rules file path
|
|
|
54c0d5 |
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
|
|
|
54c0d5 |
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
|
|
|
54c0d5 |
- Add a Bash remediation for Audit rules that require ordering
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
|
|
|
54c0d5 |
- Assign CCE identifier to rules used by RHEL8 profiles.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
|
|
|
54c0d5 |
- Fixed Crypto Policy OVAL for NSS
|
|
|
54c0d5 |
- Got rid of rules requiring packages dropped in RHEL8.
|
|
|
54c0d5 |
- Profile descriptions fixes.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
|
|
|
54c0d5 |
- Update applicable platforms in crypto policy tests
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
|
|
|
54c0d5 |
- Introduce Podman backend for SSG Test suite
|
|
|
54c0d5 |
- Update bind and libreswan crypto policy test scenarios
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
|
|
|
54c0d5 |
- Further fix of profiles descriptions, so they don't contain literal '\'.
|
|
|
54c0d5 |
- Removed obsolete sshd rule from the OSPP profile.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
|
|
|
54c0d5 |
- Fixed profiles descriptions, so they don't contain literal '\n'.
|
|
|
54c0d5 |
- Made the configure_kerberos_crypto_policy OVAL more robust.
|
|
|
54c0d5 |
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
|
|
|
54c0d5 |
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
|
|
|
54c0d5 |
- Added FIPS mode rule for the OSPP profile.
|
|
|
54c0d5 |
- Split the installed_OS_is certified rule.
|
|
|
54c0d5 |
- Explicitly disabled OSP13, RHV4 and Example products.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
|
|
|
54c0d5 |
- Add missing kickstart files for RHEL8
|
|
|
54c0d5 |
- Disable profiles that are not in good shape for RHEL8
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
|
|
|
54c0d5 |
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
|
|
|
54c0d5 |
- System-wide crypto policies are introduced for RHEL8
|
|
|
54c0d5 |
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
|
|
|
54c0d5 |
- Fix man page and package description
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
|
|
|
54c0d5 |
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
|
|
|
54c0d5 |
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
|
|
|
54c0d5 |
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
|
|
|
54c0d5 |
- Only build content for rhel8 products
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
|
|
|
54c0d5 |
- Update build of rhel8 content
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
|
|
|
54c0d5 |
- Enable build of rhel8 content
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
|
|
|
54c0d5 |
- Fix spec file to build using Python 3
|
|
|
54c0d5 |
- Fix License because upstream changed to BSD-3
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
|
|
|
54c0d5 |
- updated to latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
|
|
|
54c0d5 |
- updated to latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
|
|
|
54c0d5 |
- updated to latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
|
|
|
54c0d5 |
- use make_build and make_install RPM macros
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
- new default location for content /usr/share/scap/ssg
|
|
|
54c0d5 |
- install HTML tables in the doc subpackage
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
|
|
|
54c0d5 |
- Correct currently failing parallel SCAP Security Guide build
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
|
|
|
54c0d5 |
- Drop shell library for remediation functions since it is not required
|
|
|
54c0d5 |
starting from 0.1.30 release any more
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
|
|
|
54c0d5 |
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
|
|
|
54c0d5 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
|
|
|
54c0d5 |
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
|
|
|
54c0d5 |
in 0.1.29 upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
|
|
|
54c0d5 |
- upgrade to the latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
- created doc sub-package to ship all the guides
|
|
|
54c0d5 |
- start distributing centos and scientific linux content
|
|
|
54c0d5 |
- rename java content to jre
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
- only DataStream file is now available for Fedora
|
|
|
54c0d5 |
- start distributing security baseline for Firefox
|
|
|
54c0d5 |
- start distributing security baseline for Java RunTime deployments
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
- move content to /usr/share/scap/ssg/content
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
|
|
|
54c0d5 |
- update to the latest upstream release
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
|
|
|
54c0d5 |
- require only openscap-scanner, not whole openscap-utils package
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
|
|
|
54c0d5 |
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
|
|
|
54c0d5 |
- Add STIG DISCLAIMER to the shipped documentation
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
|
|
|
54c0d5 |
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
|
|
|
54c0d5 |
- Fix fedora-srpm and fedora-rpm Make targets to work again
|
|
|
54c0d5 |
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
|
|
|
54c0d5 |
- EOL for Fedora 18 support
|
|
|
54c0d5 |
- Include Fedora datastream file for remote Fedora system scans
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
|
|
|
54c0d5 |
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
|
|
|
54c0d5 |
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
|
|
|
54c0d5 |
it to /shared
|
|
|
54c0d5 |
- Add shared remediations for sshd disable empty passwords and
|
|
|
54c0d5 |
sshd set idle timeout
|
|
|
54c0d5 |
- Shared remediation for sshd disable root login
|
|
|
54c0d5 |
- Add empty -compat subpackage to ensure backward-compatibility with
|
|
|
54c0d5 |
openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
|
|
|
54c0d5 |
- OVAL check for sshd disable root login
|
|
|
54c0d5 |
- Fix typo in OVAL check for sshd disable empty passwords
|
|
|
54c0d5 |
- OVAL check for sshd disable empty passwords
|
|
|
54c0d5 |
- Unselect no shelllogin for systemaccounts rule from being run by default
|
|
|
54c0d5 |
- Rename XCCDF rules
|
|
|
54c0d5 |
- Revert Set up Fedora release name and CPE based on build system properties
|
|
|
54c0d5 |
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
|
|
|
54c0d5 |
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
|
|
|
54c0d5 |
- Shared OVAL check for Verify that System Executables Have Root Ownership
|
|
|
54c0d5 |
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
|
|
|
54c0d5 |
Permissions
|
|
|
54c0d5 |
- Fix remediation for Disable Prelinking rule
|
|
|
54c0d5 |
- OVAL check and remediation for sshd's ClientAliveCountMax rule
|
|
|
54c0d5 |
- OVAL check for sshd's ClientAliveInterval rule
|
|
|
54c0d5 |
- Include descriptions for permissions section, and rules for checking
|
|
|
54c0d5 |
permissions and ownership of shared library files and system executables
|
|
|
54c0d5 |
- Disable selected rules by default
|
|
|
54c0d5 |
- Add remediation for Disable Prelinking rule
|
|
|
54c0d5 |
- Adjust service-enable-macro, service-disable-macro XSLT transforms
|
|
|
54c0d5 |
definition to evaluate to proper systemd syntax
|
|
|
54c0d5 |
- Fix service_ntpd_enabled OVAL check make validate to pass again
|
|
|
54c0d5 |
- Include patch from Šimon Lukašík to obsolete openscap-content
|
|
|
54c0d5 |
package (RH BZ#1028706)
|
|
|
54c0d5 |
- Add OVAL check to test if there's is remote NTP server configured for
|
|
|
54c0d5 |
time data
|
|
|
54c0d5 |
- Add system settings section for the guide (to track system wide
|
|
|
54c0d5 |
hardening configurations)
|
|
|
54c0d5 |
- Include disable prelink rule and OVAL check for it
|
|
|
54c0d5 |
- Initial OVAL check if ntpd service is enabled. Add package_installed
|
|
|
54c0d5 |
OVAL templating directory structure and functionality.
|
|
|
54c0d5 |
- Include services section, and XCCDF description for selected ntpd's
|
|
|
54c0d5 |
sshd's service rules
|
|
|
54c0d5 |
- Include remediations for login.defs' based password minimum, maximum and
|
|
|
54c0d5 |
warning age rules
|
|
|
54c0d5 |
- Include directory structure to support remediations
|
|
|
54c0d5 |
- Add SCAP "replace or append pattern value in text file based on variable"
|
|
|
54c0d5 |
remediation script generator
|
|
|
54c0d5 |
- Add remediation for "Set Password Minimum Length in login.defs" rule
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
|
|
|
54c0d5 |
- Update versioning scheme - move fedorassgrelease to be part of
|
|
|
54c0d5 |
upstream version. Rename it to fedorassgversion to avoid name collision
|
|
|
54c0d5 |
with Fedora package release.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
|
|
|
54c0d5 |
- Add .gitignore for Fedora output directory
|
|
|
54c0d5 |
- Set up Fedora release name and CPE based on build system properties
|
|
|
54c0d5 |
- Use correct file paths in scap-security-guide(8) manual page
|
|
|
54c0d5 |
(RH BZ#1018905, c#10)
|
|
|
54c0d5 |
- Apply further changes motivated by scap-security-guide Fedora RPM review
|
|
|
54c0d5 |
request (RH BZ#1018905, c#8):
|
|
|
54c0d5 |
* update package description,
|
|
|
54c0d5 |
* make content files to be owned by the scap-security-guide package,
|
|
|
54c0d5 |
* remove Fedora release number from generated content files,
|
|
|
54c0d5 |
* move HTML form of the guide under the doc directory (together
|
|
|
54c0d5 |
with that drop fedora/content subdir and place the content
|
|
|
54c0d5 |
directly under fedora/ subdir).
|
|
|
54c0d5 |
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
|
|
|
54c0d5 |
* drop Fedora release from package provided files' final path (c#5),
|
|
|
54c0d5 |
* drop BuildRoot, selected Requires:, clean section, drop chcon for
|
|
|
54c0d5 |
manual page, don't gzip man page (c#4),
|
|
|
54c0d5 |
* change package's description (c#4),
|
|
|
54c0d5 |
* include PD license text (#c4).
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
|
|
|
54c0d5 |
- Provide manual page for scap-security-guide
|
|
|
54c0d5 |
- Remove percent sign from spec's changelog to silence rpmlint warning
|
|
|
54c0d5 |
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
|
|
|
54c0d5 |
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
|
|
|
54c0d5 |
- Introduce 'Account and Access Control' section
|
|
|
54c0d5 |
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
|
|
|
54c0d5 |
rules to Fedora
|
|
|
54c0d5 |
- Set proper name of the build directory in the spec's setup macro.
|
|
|
54c0d5 |
- Replace hard-coded paths with macros. Preserve attributes when copying files.
|
|
|
54c0d5 |
|
|
|
54c0d5 |
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
|
|
|
54c0d5 |
- Initial Fedora SSG RPM.
|