|
|
9c64d1 |
# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
|
|
|
9c64d1 |
# RHEL 7.X uses versioned docs dir, hence the definition below
|
|
|
9c64d1 |
%global _pkgdocdir %{_docdir}/%{name}-%{version}
|
|
|
2b7b16 |
|
|
|
d10e36 |
# Base name of static rhel6 content tarball
|
|
|
d10e36 |
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
|
|
|
d10e36 |
|
|
|
2b7b16 |
Name: scap-security-guide
|
|
|
000939 |
Version: 0.1.73
|
|
|
000939 |
Release: 1%{?dist}
|
|
|
2b7b16 |
Summary: Security guidance and baselines in SCAP formats
|
|
|
2b7b16 |
|
|
|
2b7b16 |
Group: System Environment/Base
|
|
|
7629ac |
License: BSD-3-Clause
|
|
|
0d5c10 |
URL: https://github.com/ComplianceAsCode/content
|
|
|
9c64d1 |
Source0: %{name}-%{version}.tar.bz2
|
|
|
d10e36 |
# Include tarball with last shipped rhel6 content
|
|
|
d10e36 |
Source1: %{_static_rhel6_content}.tar.bz2
|
|
|
0f521b |
|
|
|
2b7b16 |
BuildArch: noarch
|
|
|
2b7b16 |
|
|
|
bd46b7 |
BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, python-setuptools, cmake >= 2.8, PyYAML
|
|
|
fa25b6 |
Requires: xml-common, openscap-scanner >= 1.2.5
|
|
|
2b7b16 |
|
|
|
2b7b16 |
%description
|
|
|
2b7b16 |
The scap-security-guide project provides a guide for configuration of the
|
|
|
2b7b16 |
system from the final system's security point of view. The guidance is
|
|
|
2b7b16 |
specified in the Security Content Automation Protocol (SCAP) format and
|
|
|
2b7b16 |
constitutes a catalog of practical hardening advice, linked to government
|
|
|
2b7b16 |
requirements where applicable. The project bridges the gap between generalized
|
|
|
2b7b16 |
policy requirements and specific implementation guidelines. The Red Hat
|
|
|
2b7b16 |
Enterprise Linux 7 system administrator can use the oscap command-line tool
|
|
|
2b7b16 |
from the openscap-utils package to verify that the system conforms to provided
|
|
|
2b7b16 |
guideline. Refer to scap-security-guide(8) manual page for further information.
|
|
|
2b7b16 |
|
|
|
fa25b6 |
%package doc
|
|
|
fa25b6 |
Summary: HTML formatted documents containing security guides generated from XCCDF benchmarks.
|
|
|
fa25b6 |
Group: System Environment/Base
|
|
|
fa25b6 |
Requires: %{name} = %{version}-%{release}
|
|
|
fa25b6 |
|
|
|
fa25b6 |
%description doc
|
|
|
fa25b6 |
The %{name}-doc package contains HTML formatted documents containing security guides that have
|
|
|
fa25b6 |
been generated from XCCDF benchmarks present in %{name} package.
|
|
|
fa25b6 |
|
|
|
a8c580 |
%if %{defined rhel}
|
|
|
a8c580 |
%package rule-playbooks
|
|
|
a8c580 |
Summary: Ansible playbooks per each rule.
|
|
|
a8c580 |
Group: System Environment/Base
|
|
|
a8c580 |
Requires: %{name} = %{version}-%{release}
|
|
|
a8c580 |
|
|
|
a8c580 |
%description rule-playbooks
|
|
|
a8c580 |
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
|
|
|
a8c580 |
%endif
|
|
|
a8c580 |
|
|
|
2b7b16 |
%prep
|
|
|
9be3b2 |
%autosetup -p1 -b1
|
|
|
0f521b |
|
|
|
44eea6 |
# Workaround to remove Python byte cache files from the upstream sources
|
|
|
44eea6 |
# See https://github.com/ComplianceAsCode/content/issues/4042
|
|
|
44eea6 |
find . -name '*.pyc' -exec rm -f {} ';'
|
|
|
44eea6 |
mkdir build
|
|
|
ee8600 |
|
|
|
2b7b16 |
%build
|
|
|
7629ac |
mkdir -p build && cd build
|
|
|
9c64d1 |
%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
|
|
|
44eea6 |
-DSSG_PRODUCT_DEFAULT:BOOL=OFF \
|
|
|
0d5c10 |
-DSSG_PRODUCT_FIREFOX:BOOL=ON \
|
|
|
44eea6 |
-DSSG_PRODUCT_JRE:BOOL=ON \
|
|
|
0d5c10 |
-DSSG_PRODUCT_RHEL7:BOOL=ON \
|
|
|
44eea6 |
-DSSG_PRODUCT_RHEL8:BOOL=ON \
|
|
|
a8c580 |
%if %{defined centos}
|
|
|
a8c580 |
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
|
|
|
a8c580 |
%else
|
|
|
dac76a |
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
|
|
|
a8c580 |
%endif
|
|
|
7629ac |
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
|
|
|
a8c580 |
%if %{defined rhel}
|
|
|
a8c580 |
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
|
|
|
a8c580 |
%endif
|
|
|
7629ac |
../
|
|
|
9c64d1 |
make %{?_smp_mflags}
|
|
|
2b7b16 |
|
|
|
2b7b16 |
%install
|
|
|
0950b5 |
cd build
|
|
|
7a1abb |
%make_install
|
|
|
d10e36 |
# Manually install pre-built rhel6 content
|
|
|
d10e36 |
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
|
|
|
d10e36 |
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}-%{version}
|
|
|
d10e36 |
# The guide files need to be put in the build system directory for the files section below
|
|
|
d10e36 |
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{version}/build
|
|
|
8ecd84 |
|
|
|
2b7b16 |
%files
|
|
|
2b7b16 |
%defattr(-,root,root,-)
|
|
|
2b7b16 |
%{_datadir}/xml/scap
|
|
|
fa25b6 |
%{_datadir}/%{name}
|
|
|
9c64d1 |
%lang(en) %{_mandir}/man8/scap-security-guide.8.gz
|
|
|
9c64d1 |
%doc LICENSE
|
|
|
9c64d1 |
%doc Contributors.md
|
|
|
9c64d1 |
%doc README.md
|
|
|
0950b5 |
%doc DISCLAIMER
|
|
|
0950b5 |
# All files installed by cmake are automatically include in main package
|
|
|
0950b5 |
# We exclude the guides to here add them in doc package
|
|
|
0950b5 |
%exclude %{_pkgdocdir}/guides/
|
|
|
a8c580 |
%if %{defined rhel}
|
|
|
a8c580 |
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
|
|
|
a8c580 |
%endif
|
|
|
fa25b6 |
|
|
|
fa25b6 |
%files doc
|
|
|
fa25b6 |
%defattr(-,root,root,-)
|
|
|
d10e36 |
# Installing guide files from cmake install doens't work because of versioned docs
|
|
|
d10e36 |
# So we take them from the build directory
|
|
|
0950b5 |
%doc build/guides/ssg-*-guide-*.html
|
|
|
2b7b16 |
|
|
|
a8c580 |
%if %{defined rhel}
|
|
|
a8c580 |
%files rule-playbooks
|
|
|
a8c580 |
%defattr(-,root,root,-)
|
|
|
a8c580 |
%{_datadir}/%{name}/ansible/rule_playbooks
|
|
|
a8c580 |
%endif
|
|
|
a8c580 |
|
|
|
2b7b16 |
%changelog
|
|
|
000939 |
* Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1
|
|
|
000939 |
- Rebase scap-security-guide package to version 0.1.73 (RHEL-36739)
|
|
|
000939 |
|
|
|
4647e3 |
* Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2
|
|
|
4647e3 |
- Unlist profiles no longer maintained in RHEL8.
|
|
|
4647e3 |
|
|
|
4647e3 |
* Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1
|
|
|
4647e3 |
- Rebase to a new upstream release 0.1.72 (RHEL-25251)
|
|
|
4647e3 |
- Include filter to dracut files in audit_rules_privileged_commands rule (RHEL-11938)
|
|
|
4647e3 |
|
|
|
5633cc |
* Fri Aug 04 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1
|
|
|
5633cc |
- Rebase to the latest upstream release (RHBZ#2221694)
|
|
|
5633cc |
- Make IPv6 related rules applicable only in case IPv6 is actually enabled. (RHBZ#2210276)
|
|
|
5633cc |
- update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155793)
|
|
|
5633cc |
- Correct URL used to download CVE checks. (RHBZ#2223817)
|
|
|
5633cc |
|
|
|
e71555 |
* Tue Feb 14 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1
|
|
|
e71555 |
- Rebase to a new upstream release 0.1.66 (RHBZ#2158410)
|
|
|
e71555 |
- Update RHEL7 STIG profile to V3R10 (RHBZ#2152657)
|
|
|
e71555 |
- Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2123284)
|
|
|
e71555 |
- Fix remediation of audit watch rules (RHBZ#2123367)
|
|
|
e71555 |
- Fix check firewalld_sshd_port_enabled (RHBZ#2158410)
|
|
|
e71555 |
- Fix accepted control flags for pam_pwhistory (RHBZ#2158410)
|
|
|
e71555 |
- Unselect rule logind_session_timeout (RHBZ#2158410)
|
|
|
e71555 |
- Add support rainer scripts in rsyslog rules (RHBZ#2170038)
|
|
|
e71555 |
|
|
|
bd46b7 |
* Tue Aug 09 2022 Watson Sato <wsato@redhat.com> - 0.1.63-1
|
|
|
bd46b7 |
- Update to the latest upstream release (RHBZ#2116359)
|
|
|
bd46b7 |
- Fix SSH Key permissions (RHBZ#2021258)
|
|
|
bd46b7 |
- Remove PCI-DSS Benchmark(RHBZ2038165)
|
|
|
bd46b7 |
- Updated source of CVE data feed(RHBZ#2028432)
|
|
|
bd46b7 |
- Improved alignment with DISA's RHEL7 STIG(RHBZ#1967950)
|
|
|
bd46b7 |
- Update RHEL7 STIG profile to v3r8 (RHBZ#2112939)
|
|
|
bd46b7 |
- Add warning how to override audit buffer (RHBZ#1993822)
|
|
|
bd46b7 |
- Fix smartcard_auth rule for systems installed without authconfig (RHBZ#2116359)
|
|
|
bd46b7 |
- Fix check of enable_fips_mode on s390x (RHBZ#2116359)
|
|
|
bd46b7 |
- Fix applicability of pam_pkcs11 and grub2 rules on s390x (RHBZ#2116359)
|
|
|
bd46b7 |
|
|
|
e3b048 |
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.57-8
|
|
|
e3b048 |
- Remove warning how to override audit buffer (RHBZ#1993822)
|
|
|
e3b048 |
|
|
|
e3b048 |
* Wed Apr 27 2022 Watson Sato <wsato@redhat.com> - 0.1.57-7
|
|
|
e3b048 |
- Add warning how to override audit buffer (RHBZ#1993822)
|
|
|
e3b048 |
- Fix name of antivirus package in STIG profile (RHBZ#2066321)
|
|
|
e3b048 |
- Update RHEL7 DISA STIG profile to v3r7 (RHBZ#2079217)
|
|
|
e3b048 |
|
|
|
0c1482 |
* Fri Feb 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-6
|
|
|
0c1482 |
- Fix bash remediation of sudo_require_reauthentication (RHBZ#2049532)
|
|
|
0c1482 |
|
|
|
0c1482 |
* Thu Feb 17 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-5
|
|
|
0c1482 |
- Update RHEL7 DISA STIG profile to v3r6 (RHBZ#2049532)
|
|
|
0c1482 |
|
|
|
9be3b2 |
* Tue Nov 02 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
|
|
|
9be3b2 |
- Update RHEL7 DISA STIG profile to v3r5 (RHBZ#1996678)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
* Thu Oct 21 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
|
|
|
9be3b2 |
- Fix broken SELinux documentation links (RHBZ#1996678)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
* Wed Oct 20 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
|
|
|
9be3b2 |
- Fix auditd_overflow_action configuration path for RHEL7 (RHBZ#1996678)
|
|
|
9be3b2 |
|
|
|
9be3b2 |
* Thu Oct 7 2021 Jan Černý <jcerny@redhat.com> - 0.1.57-1
|
|
|
9be3b2 |
- Rebase to the 0.1.57 upstream release
|
|
|
9be3b2 |
- Update RHEL7 DISA STIG profile to v3r4 (RHBZ#1996678)
|
|
|
9be3b2 |
- Split CIS profile (RHBZ#1953787)
|
|
|
9be3b2 |
|
|
|
a8c580 |
* Wed Jun 30 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-7
|
|
|
a8c580 |
- Generate HTML STIG reference tables also for stig_gui profile (RHBZ#1958789)
|
|
|
a8c580 |
|
|
|
a8c580 |
* Fri Jun 11 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-6
|
|
|
a8c580 |
- Add kickstart files for RHEL 7 stig and stig_gui profiles (RHBZ#1958789)
|
|
|
a8c580 |
|
|
|
a8c580 |
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-5
|
|
|
a8c580 |
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966589)
|
|
|
a8c580 |
- Fix Bash remediation of dconf_gnome_login_retries (RHBZ#1967566)
|
|
|
a8c580 |
|
|
|
a8c580 |
* Mon May 10 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-4
|
|
|
a8c580 |
- Update RHEL 7 STIG profile to V3R3 (RHBZ#1958789)
|
|
|
a8c580 |
- Update ANSSI High Profile (RHBZ#1955180)
|
|
|
a8c580 |
|
|
|
d10e36 |
* Wed Feb 24 2021 Watson Sato <wsato@redhat.com> - 0.1.54-3
|
|
|
d10e36 |
- Realign PCI-DSS rules selection to v0.1.54 (RHBZ#1497415)
|
|
|
d10e36 |
|
|
|
d10e36 |
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-2
|
|
|
d10e36 |
- Remove Kickstart for not shipped profile (RHBZ#1497415)
|
|
|
d10e36 |
- Fix STIG id reference format for sshd_x11_use_localhost (RHBZ#1921643)
|
|
|
d10e36 |
|
|
|
d10e36 |
* Wed Feb 03 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
|
|
|
d10e36 |
- Rebase to incorporate ANSSI Profile (RHBZ#1497415)
|
|
|
d10e36 |
- Update RHEL7 STIG profile to V3R2 (RHBZ#1921643)
|
|
|
d10e36 |
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1497415)
|
|
|
d10e36 |
|
|
|
fe0dde |
* Fri Nov 27 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-2
|
|
|
fe0dde |
- Update RHEL7 DISA STIG to V3R1 (RHBZ#1665233)
|
|
|
fe0dde |
|
|
|
fe0dde |
* Thu Oct 08 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-1
|
|
|
fe0dde |
- Update to the latest upstream release (RHBZ#1665233)
|
|
|
fe0dde |
- Update RHEL7 DISA STIG to V2R8 (RHBZ#1665233)
|
|
|
fe0dde |
|
|
|
dac76a |
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.49-13
|
|
|
dac76a |
- Add example kickstart for RHEL7 HIPAA (RHBZ#1513087)
|
|
|
dac76a |
- Fix Test Suite to run on Python3
|
|
|
dac76a |
|
|
|
dac76a |
* Thu May 21 2020 Watson Sato <wsato@redhat.com> - 0.1.49-12
|
|
|
dac76a |
- CIS Profile (RHBZ#1821633)
|
|
|
dac76a |
- Make sure boot target is multi-user.target when xorg package is removed
|
|
|
dac76a |
- Add CIS Profile content attribution to Center for Internet Security
|
|
|
dac76a |
|
|
|
dac76a |
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.49-11
|
|
|
dac76a |
- HIPAA Profile improvement (RHBZ#1513087)
|
|
|
dac76a |
- Add Ansible remediation for audit_rules_system_shutdown
|
|
|
dac76a |
|
|
|
dac76a |
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.49-10
|
|
|
dac76a |
- CIS Profile fixes (RHBZ#1821633)
|
|
|
dac76a |
- Fix Ansible mount_option template
|
|
|
dac76a |
- Re-order rpm_verify_permissions to avoid file permission conflicts
|
|
|
dac76a |
|
|
|
dac76a |
* Tue May 12 2020 Watson Sato <wsato@redhat.com> - 0.1.49-9
|
|
|
dac76a |
- CIS Profile fixes (RHBZ#1821633)
|
|
|
dac76a |
- Fix Ansible mount_option template
|
|
|
dac76a |
- Add Ansible for ensure_logrotate_activated
|
|
|
dac76a |
- Add warnings to rpm_verify_permissions and ownership about findindings that may need further inspection
|
|
|
dac76a |
|
|
|
dac76a |
* Mon May 11 2020 Watson Sato <wsato@redhat.com> - 0.1.49-8
|
|
|
dac76a |
- Fix specfile to apply patch (RHBZ#1691877)
|
|
|
dac76a |
|
|
|
dac76a |
* Mon May 04 2020 Watson Sato <wsato@redhat.com> - 0.1.49-7
|
|
|
dac76a |
- Bug fixes on CIS profile (RHBZ#1821633)
|
|
|
dac76a |
Added Ansible remediations
|
|
|
dac76a |
Fixed CIS references
|
|
|
dac76a |
Fixed integration issues with CIS profile
|
|
|
dac76a |
|
|
|
dac76a |
* Mon May 04 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.49-6
|
|
|
dac76a |
- Added a patch fixing audit_rules_privileged_commands (RHBZ#1691877)
|
|
|
dac76a |
|
|
|
dac76a |
* Thu Apr 30 2020 Matěj Týč <matyc@redhat.com> - 0.1.49-5
|
|
|
dac76a |
- Added a patch fix for sshd_allow_protocol_2 (RHBZ#1823576)
|
|
|
dac76a |
|
|
|
dac76a |
* Mon Apr 27 2020 Matěj Týč <matyc@redhat.com> - 0.1.49-5
|
|
|
dac76a |
- Added a patch warning about non-local users/groups are not considered by some rules (RHBZ#1721439, RHBZ#1544765, RHBZ#1829743)
|
|
|
dac76a |
|
|
|
dac76a |
* Thu Apr 23 2020 Jan Černý <jcerny@redhat.com> - 0.1.49-4
|
|
|
dac76a |
- Fix removable media options rules (RHBZ#1691579)
|
|
|
dac76a |
|
|
|
dac76a |
* Mon Apr 06 2020 Watson Sato <wsato@redhat.com> - 0.1.49-3
|
|
|
dac76a |
- Add new rules and references for RHEL7 CIS (RHBZ#1821633)
|
|
|
dac76a |
|
|
|
dac76a |
* Tue Mar 31 2020 Watson Sato <wsato@redhat.com> - 0.1.49-2
|
|
|
dac76a |
- Fix remediation of dconf_gnome_login_banner_text (RHBZ#1776780)
|
|
|
dac76a |
- Fix misleading sysctl rules description (RHBZ#1494606)
|
|
|
dac76a |
- Update STIG FIPS approved SSHD ciphers (RHBZ#1781244)
|
|
|
dac76a |
|
|
|
dac76a |
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
|
|
|
dac76a |
- Update to the latest upstream release (RHBZ#1815008)
|
|
|
dac76a |
|
|
|
44eea6 |
* Thu Nov 28 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-11
|
|
|
44eea6 |
- Ship RHEL 8 content (RHBZ#1777862)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Wed Nov 20 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.46-10
|
|
|
44eea6 |
- Added missing CCE for rule sudo_require_authentication. (RHBZ#1755192)
|
|
|
44eea6 |
- fix check and remediation for rule aide_periodic_cron_checking (RHBZ#1658036)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Mon Nov 18 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-9
|
|
|
44eea6 |
- Fixed missing CCE for OSPP, E8 and STIG profiles. (RHBZ#1726698)
|
|
|
44eea6 |
- Added kickstart file for the Essential Eight (e8) profile. (RHBZ#1755192)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Fri Nov 15 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-8
|
|
|
44eea6 |
- Fix an omission on backporting the patch which fixes krb_sec rule. (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Fri Nov 15 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-7
|
|
|
44eea6 |
- Added support for the Essential Eight (e8) profile. (RHBZ#1755192)
|
|
|
44eea6 |
- Fixed issues with sshd rules used in the e8 profile. (RHBZ#1755192)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Wed Nov 13 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-6
|
|
|
44eea6 |
- Updated ansible playbooks to use modules in favor of shell. (RHBZ#1726698)
|
|
|
44eea6 |
- Removed rule directory_access_var_log_audit from OSPP profile. (RHBZ#1726698)
|
|
|
44eea6 |
- Fixed ansible playbooks failing when running in --check mode. (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Mon Nov 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-5
|
|
|
44eea6 |
- Fixed grub2_enable_fips_mode rule when installing RHEL on machines with AES-enabled processors. (RHBZ#1754532)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Wed Nov 06 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-4
|
|
|
44eea6 |
- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754550)
|
|
|
44eea6 |
- Fixed mtab handling of remediation of /dev/shm/noexec (RHBZ#1754553)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Tue Nov 05 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-3
|
|
|
44eea6 |
- Made the cmake product selection future-proof. (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Tue Nov 05 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-2
|
|
|
44eea6 |
- Fix rules file_permissions_unauthorized_suid and sgid (RHBZ#1693026)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
|
|
|
44eea6 |
- Update to the latest upstream release 0.1.46 (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Fri Aug 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.45-2
|
|
|
44eea6 |
- Added a patch not to build SCAP 1.2 datastreams, only SCAP 1.3 (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
44eea6 |
* Tue Aug 06 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1
|
|
|
44eea6 |
- Update to the latest upstream release (RHBZ#1726698)
|
|
|
44eea6 |
|
|
|
0d5c10 |
* Wed Jun 12 2019 Matěj Týč <matyc@redhat.com> - 0.1.43-13
|
|
|
0d5c10 |
- Fixed the shared dconf bash remediation (RHBZ#1631378)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Mon Jun 03 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-12
|
|
|
0d5c10 |
- Make aide and smart card rules not applicable to containers (RHBZ#1711893)
|
|
|
0d5c10 |
- Added rule dconf_db_up_to_date to ensure dconf databases are up-to-date (RHBZ#1631378)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Fri May 24 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-11
|
|
|
0d5c10 |
- Remove faulty dconf_use_text_backend rule from all profiles (Reverts RHBZ#1631378)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Thu May 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-10
|
|
|
0d5c10 |
- Fixed Ansible remediation for sssd_ssh_known_hosts_timeout (RHBZ#1599179)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Mon May 20 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-9
|
|
|
0d5c10 |
- Fixed missing Ansible tags and platform checks (RHBZ#1685950)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Fri May 17 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-8
|
|
|
0d5c10 |
- Fixed OVAL check for sssd_ssh_known_hosts_timeout and added bash remediation (RHBZ#1599179)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-7
|
|
|
0d5c10 |
- Fix handling of package CPE during generation of Ansible playbooks (RHBZ#1647189)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-6
|
|
|
0d5c10 |
- Deduplicated more CCEs assigned to rules (RHBZ#1703092)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Thu Apr 25 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-5
|
|
|
0d5c10 |
- Remove ensure_gpgcheck_repo_metadata rule from profiles (RHBZ#1703010)
|
|
|
0d5c10 |
- Deduplicate CCE assigned to rules (RHBZ#1703092)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Tue Apr 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-4
|
|
|
0d5c10 |
- Mark SELinux rules as machine only (RHBZ#1630739)
|
|
|
0d5c10 |
- Mark service disabled rules as machine only (RHBZ#1630739)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Mon Apr 08 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-3
|
|
|
0d5c10 |
- Mark rules which were not applicable for containers as machine only (RHBZ#1630739)
|
|
|
0d5c10 |
- Fix content support for UBI-Minimal (RHBZ#1695213)
|
|
|
0d5c10 |
|
|
|
0d5c10 |
* Mon Mar 25 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-2
|
|
|
0d5c10 |
- Fixes for smooth Ansible playbooks run (RHBZ#1647189)
|
|
|
0d5c10 |
- Fix Ansible template for file permissions (RHBZ#1686007)
|
|
|
0d5c10 |
- Fix remediation of rule rpm_verify_permissions (RHBZ#1686005)
|
|
|
0d5c10 |
- Fix remediation of audit rules for privileged commands (RHBZ#1687826)
|
|
|
877cb5 |
|
|
|
0d5c10 |
* Fri Mar 01 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-1
|
|
|
0d5c10 |
- Update to the latest upstream release (RHBZ#1684545)
|
|
|
94594a |
|
|
|
7629ac |
* Tue Sep 25 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-12
|
|
|
7629ac |
- Fix malformed patch for removal of abrt and sendmail (RHBZ#1619689)
|
|
|
7629ac |
|
|
|
7629ac |
* Tue Sep 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-11
|
|
|
7629ac |
- Fixes for RHBZ#1619689:
|
|
|
7629ac |
- Added support for kernel parameters yama.ptrace_scope, kptr_restrict, dmesg_restrict and kexec_load_disabled.
|
|
|
7629ac |
- Added support for boot parameters audit_backlog_limit=8192, slub_debug=P, page_poison=1 and vsyscall=none.
|
|
|
7629ac |
- Added support for proper /dev/shm handling (noexec,nosuid,nodev,mode=1777)
|
|
|
7629ac |
- Added support for checking that sendmail and abrt are not installed.
|
|
|
7629ac |
- Introduced OSPP to the OSPP profile title.
|
|
|
7629ac |
- Disabled linkcheck tests during the build.
|
|
|
7629ac |
|
|
|
7629ac |
* Sun Sep 23 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-10
|
|
|
7629ac |
- Fix regression in file ownership and group OVAL. (RHBZ#1570802)
|
|
|
7629ac |
|
|
|
7629ac |
* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-9
|
|
|
7629ac |
- Fix malformed patch for Audit Rules (RHBZ#1619689)
|
|
|
7629ac |
|
|
|
7629ac |
* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-8
|
|
|
7629ac |
- Add Bash remediation for rule grub2_audit_arguments (RHBZ#1619689)
|
|
|
7629ac |
- Allow remediation for rule dconf_gnome_screensaver_lock_delay to fix commented settings (RHBZ#1609122)
|
|
|
7629ac |
- Select missing audit rules for privileged commands for OSPP4.2 Profile (RHBZ#1619689)
|
|
|
7629ac |
|
|
|
7629ac |
* Wed Sep 19 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-7
|
|
|
7629ac |
- Fixed previously applied patches for OSPP 4.2 (RHBZ#1619689)
|
|
|
7629ac |
|
|
|
7629ac |
* Mon Sep 17 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-6
|
|
|
7629ac |
- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)
|
|
|
7629ac |
- Fixed the xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled check (RHBZ#1609122)
|
|
|
7629ac |
|
|
|
7629ac |
* Fri Sep 14 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-5
|
|
|
7629ac |
- Re-fix FIPS patch. (RHBZ#1587911)
|
|
|
7629ac |
|
|
|
7629ac |
* Wed Sep 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-4
|
|
|
7629ac |
- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)
|
|
|
7629ac |
|
|
|
7629ac |
* Tue Sep 11 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-3
|
|
|
7629ac |
- Don't generate remediations for Anaconda for /dev/cdrom mount point (RHBZ#1618840)
|
|
|
7629ac |
- Install dracut-fips when fips mode is enabled in the profile (RHBZ#1587911)
|
|
|
7629ac |
|
|
|
7629ac |
* Wed Aug 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-2
|
|
|
7629ac |
- Don't generate remediations for Anaconda for /dev/shm mount point (RHBZ#1570956)
|
|
|
7629ac |
|
|
|
7629ac |
* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1
|
|
|
7629ac |
- Update to upstream release 0.1.40
|
|
|
7629ac |
- Underlying code has been deduplicated and unified, which fixes countless subtle bugs.
|
|
|
7629ac |
- Updated Ansible playbooks, so they don't use deprecated constructs.
|
|
|
7629ac |
- Service disable family of rules take the corresponding socket deactivation into account if applicable in check and in remediations.
|
|
|
7629ac |
|
|
|
7629ac |
* Thu Jul 19 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2
|
|
|
7629ac |
- Fix configuration to not build new products introduced in upstream
|
|
|
7629ac |
- Test package with ctest
|
|
|
7629ac |
|
|
|
7629ac |
* Fri Jul 13 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1
|
|
|
7629ac |
- Update to upstream release 0.1.39
|
|
|
7629ac |
- Profile IDs simplified
|
|
|
7629ac |
- Common Profile removed in favor of Standard Profile
|
|
|
7629ac |
- RHEL7 STIG reference updated to V1R4
|
|
|
7629ac |
- RHEL6 STIG reference updated to V1R18
|
|
|
7629ac |
- New License - BSD-3 Clause
|
|
|
7629ac |
- Several remediation fixes
|
|
|
7629ac |
- Better content support for DISA STIG Viewer (#2418)
|
|
|
1c7659 |
|
|
|
0950b5 |
* Mon Jan 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-7
|
|
|
0950b5 |
- Fix sshd_required unset (RHBZ#1522956)
|
|
|
0950b5 |
- Fix missing bash remediation functions include (RHBZ#1524738)
|
|
|
0950b5 |
- Fix empty columns in SRG HTML Table (RHBZ#1531105)
|
|
|
0950b5 |
- Fix reference to oudated PAM config manual (RHBZ#1447760)
|
|
|
0950b5 |
|
|
|
0950b5 |
* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-6
|
|
|
0950b5 |
- Rebuild with OpenSCAP 1.2.16
|
|
|
0950b5 |
|
|
|
0950b5 |
* Mon Dec 11 2017 Matěj Týč <matyc@redhat.com> - 0.1.36-5
|
|
|
0950b5 |
- Patched not to check library ownership in libexec.
|
|
|
0950b5 |
- Patched to fix title of DISA STIG profile.
|
|
|
0950b5 |
- Patched to deprecate RhostsRSAAuthentication.
|
|
|
0950b5 |
- Patched to fix umask_for_daemons.
|
|
|
0950b5 |
|
|
|
0950b5 |
* Thu Nov 16 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-4
|
|
|
0950b5 |
- Rebuild with OpenSCAP 1.2.16
|
|
|
0950b5 |
|
|
|
0950b5 |
* Tue Nov 14 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-3
|
|
|
0950b5 |
- Add DISA STIG Rule IDs to XCCDF Rules with STIGID
|
|
|
0950b5 |
|
|
|
0950b5 |
* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-2
|
|
|
0950b5 |
- Fix configuration to not build new products introduced in upstream
|
|
|
0950b5 |
|
|
|
0950b5 |
* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
|
|
|
0950b5 |
- Update to upstream release 0.1.36
|
|
|
0950b5 |
- Introduction of SCAP Security Guide Test Suite
|
|
|
0950b5 |
- Better alignment of RHEL6 and RHEL7 with DISA STIG
|
|
|
0950b5 |
- Remove JBoss EAP5 content due to being End-of-Life
|
|
|
0950b5 |
- New STIG Profile for JBOSS EAP 6
|
|
|
0950b5 |
- Updates in C2S Profile for RHEL 7
|
|
|
0950b5 |
- Variables can be directly tailored in Ansible roles
|
|
|
0950b5 |
- Content presents less false positives in containers
|
|
|
0950b5 |
- Changes in directory layout
|
|
|
0950b5 |
|
|
|
0950b5 |
* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-2
|
|
|
0950b5 |
- Do not build content for JBOSS EAP6
|
|
|
0950b5 |
|
|
|
0950b5 |
* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-1
|
|
|
0950b5 |
- Update to upstream release 0.1.35
|
|
|
0950b5 |
- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
|
|
|
0950b5 |
- Added several templates for OVAL checks
|
|
|
0950b5 |
- Many optimizations in build process
|
|
|
0950b5 |
- Different title for PCI-DSS Benchmark variants
|
|
|
0950b5 |
- Remediation roles moved to /usr/share/scap-security
|
|
|
0950b5 |
- Fix duplicated roles and guides (RHBZ#1465691)
|
|
|
650d98 |
|
|
|
1e6968 |
* Tue Sep 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-6
|
|
|
1e6968 |
- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414)
|
|
|
1e6968 |
|
|
|
9c64d1 |
* Wed Jun 14 2017 Watson Sato <wsato@redhat.com> 0.1.33-5
|
|
|
9c64d1 |
- Fix Anaconda Smartcard auth remediation (RHBZ#1461330)
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-4
|
|
|
9c64d1 |
- Fix specfile to not include tables twice
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-3
|
|
|
9c64d1 |
- Fix malformed title of profile nist-800-171-cui
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-2
|
|
|
9c64d1 |
- Fix emtpy ospp-rhel7 table
|
|
|
9c64d1 |
- Fix Anaconda remediation templates (RHBZ#1450731)
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Mon May 01 2017 Watson Sato <wsato@redhat.com> 0.1.33-1
|
|
|
9c64d1 |
- Update to upstream version 0.1.33
|
|
|
9c64d1 |
- DISA RHEL7 STIG profile alignment improved
|
|
|
9c64d1 |
- Introduction of remediation roles
|
|
|
9c64d1 |
- RPM and DEB test packages are built by CMake with CPack
|
|
|
9c64d1 |
- Lots of remediation fixes
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Tue Mar 28 2017 Watson Sato <wsato@redhat.com> 0.1.32-1
|
|
|
9c64d1 |
- Update to upstream version 0.1.32
|
|
|
9c64d1 |
- New CMake build system
|
|
|
9c64d1 |
- Improved NIST 800-171 profile
|
|
|
9c64d1 |
- Initial RHVH profile
|
|
|
9c64d1 |
- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)
|
|
|
9c64d1 |
- Template clean up in lots of remediations
|
|
|
9c64d1 |
|
|
|
9c64d1 |
* Fri Mar 10 2017 Watson Sato <wsato@redhat.com> 0.1.30-6
|
|
|
9c64d1 |
- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144)
|
|
|
721d24 |
|
|
|
7a35c8 |
* Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
|
|
|
7a35c8 |
- Fix template remediation function used by SSHD remediation
|
|
|
7a35c8 |
- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
|
|
|
ee8600 |
|
|
|
9c64d1 |
* Tue Jan 31 2017 Watson Sato <wsato@redhat.com> 0.1.30-4
|
|
|
7a35c8 |
- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
|
|
|
ee8600 |
|
|
|
f04235 |
* Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3
|
|
|
f04235 |
- Correct the remediation script for 'Enable Smart Card Login' rule
|
|
|
f04235 |
for Red Hat Enterprise Linux 7 (RH BZ#1357019)
|
|
|
f04235 |
|
|
|
f04235 |
* Thu Jul 14 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-2
|
|
|
f04235 |
- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark
|
|
|
f04235 |
having the identical title (RH BZ#1351541)
|
|
|
f04235 |
- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts'
|
|
|
f04235 |
rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root
|
|
|
f04235 |
Account for Failed Password Attempts' rule to report correct system status
|
|
|
f04235 |
WRT to these requirements also in the case the SSSD daemon is used
|
|
|
f04235 |
(RH BZ#1344581)
|
|
|
f04235 |
- Include currently available kickstart files and produced HTML tables for
|
|
|
f04235 |
Red Hat Enterprise Linux 6 and 7 products into the produced RPM package
|
|
|
f04235 |
(RH BZ#1351751)
|
|
|
f04235 |
|
|
|
f04235 |
* Wed Jun 22 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-1
|
|
|
f04235 |
- Update to upstream's 0.1.30 release:
|
|
|
f04235 |
https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
|
|
|
f04235 |
(RH BZ#1289533)
|
|
|
f04235 |
- Drop remediation functions library since starting from 0.1.30 release
|
|
|
f04235 |
remediation scripts are part of the benchmarks directly
|
|
|
f04235 |
- Drop three patches that have been accepted upstream in the meantime
|
|
|
f04235 |
- Update drop-rpm-verify-permissions-rule patch to work properly against
|
|
|
f04235 |
0.1.30 release
|
|
|
6c1a7a |
|
|
|
fa25b6 |
* Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3
|
|
|
fa25b6 |
- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS
|
|
|
fa25b6 |
profile for Red Hat Enterprise Linux 7 (RH BZ#1267861)
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Wed Sep 09 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-2
|
|
|
fa25b6 |
- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Wed Aug 19 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-1
|
|
|
fa25b6 |
- Rebase to upstream 0.1.25 release
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Tue Aug 04 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-4
|
|
|
fa25b6 |
- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny'
|
|
|
fa25b6 |
rule
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Mon Aug 03 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-3
|
|
|
fa25b6 |
- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule
|
|
|
fa25b6 |
for Red Hat Enterprise Linux 7 product
|
|
|
fa25b6 |
- Override title and description for all existing profiles for Red Hat
|
|
|
fa25b6 |
Enterprise Linux 6 product that are extending another SCAP profile
|
|
|
fa25b6 |
(RHBZ#1246529)
|
|
|
fa25b6 |
- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile
|
|
|
fa25b6 |
kickstart file for Red Hat Enterprise Linux 7 product
|
|
|
fa25b6 |
- Add remediation script for 'audit_rules_time_clock_settime' rule for
|
|
|
fa25b6 |
Red Hat Enterprise Linux 7 product
|
|
|
fa25b6 |
- Add remediation scripts for 'audit_rules_time_adjtimex',
|
|
|
fa25b6 |
'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for
|
|
|
fa25b6 |
Red Hat Enterprise Linux 7 product
|
|
|
fa25b6 |
- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with
|
|
|
fa25b6 |
"Draft" label
|
|
|
fa25b6 |
- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise
|
|
|
fa25b6 |
Linux 7 product:
|
|
|
fa25b6 |
* dconf_gnome_screensaver_idle_delay -- missing remediation script,
|
|
|
fa25b6 |
* dconf_gnome_screensaver_idle_activation -- missing remediation script,
|
|
|
fa25b6 |
* dconf_gnome_screensaver_lock_enabled -- missing remediation script,
|
|
|
fa25b6 |
* audit_rules_login_events -- incorrect OVAL check (upstream issue #607),
|
|
|
fa25b6 |
* audit_rules_privileged_commands -- missing remediation script, and
|
|
|
fa25b6 |
* audit_rules_immutable -- missing remediation script.
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Mon Aug 03 2015 Martin Preisler <mpreisle@redhat.com> 0.1.24-2
|
|
|
fa25b6 |
- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product
|
|
|
fa25b6 |
into multiple lines, prevents HTML guide UX issues
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Tue Jul 07 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-1
|
|
|
fa25b6 |
- Rebase to upstream scap-security-guide-0.1.24 version
|
|
|
fa25b6 |
- Start producing the -doc subpackage to provide the HTML formatted
|
|
|
fa25b6 |
documents containing security guides generated from shipped XCCDF benchmarks
|
|
|
fa25b6 |
|
|
|
fa25b6 |
* Mon Jun 22 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.23-1
|
|
|
fa25b6 |
- Rebase to upstream scap-security-guide-0.1.23 version
|
|
|
fa25b6 |
- Update upstream tarball source URL to GitHub archive location
|
|
|
fa25b6 |
- Drop the following patches that have been accepted upstream:
|
|
|
fa25b6 |
* scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
|
|
|
fa25b6 |
* scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
|
|
|
fa25b6 |
- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks
|
|
|
fa25b6 |
- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6
|
|
|
fa25b6 |
|
|
|
2b7b16 |
* Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2
|
|
|
2b7b16 |
- Fix Limit Password Reuse remediation script error
|
|
|
2b7b16 |
- Fix Set Deny For Failed Password Attempts remediation script error
|
|
|
2b7b16 |
- Use RHT-CCP profile name when generating HTML guide
|
|
|
2b7b16 |
- Describe RHT-CCP profile in the manual page
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon Sep 29 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-1
|
|
|
2b7b16 |
- Include RHEL-7 content (RHT-CCP profile only)
|
|
|
2b7b16 |
- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel
|
|
|
2b7b16 |
- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools
|
|
|
2b7b16 |
- Update manual page to be more appropriate for RHEL-7
|
|
|
2b7b16 |
- Drop RHEL-6 C2S profile update patch since merged upstream
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Tue Sep 02 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-4
|
|
|
2b7b16 |
- Initial build for Red Hat Enterprise Linux 7
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Thu Aug 28 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-3
|
|
|
2b7b16 |
- Update C2S profile <description> per request from CIS
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Thu Jun 26 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-2
|
|
|
2b7b16 |
- Include the upstream STIG for RHEL 6 Server profile disclaimer file too
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Sun Jun 22 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-1
|
|
|
2b7b16 |
- Make new 0.1.18 release
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Wed May 14 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-2
|
|
|
2b7b16 |
- Drop vendor line from the spec file. Let the build system to provide it.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri May 09 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-1
|
|
|
2b7b16 |
- Upgrade to upstream 0.1.17 version
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-2
|
|
|
2b7b16 |
- Initial RPM for RHEL base channels
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-1
|
|
|
2b7b16 |
- Change naming scheme (0.1-16 => 0.1.16-1)
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Feb 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-16
|
|
|
2b7b16 |
- Include datastream file into RHEL6 RPM package too
|
|
|
2b7b16 |
- Bump version
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Tue Dec 24 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc2
|
|
|
2b7b16 |
+ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon Dec 23 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc1
|
|
|
2b7b16 |
- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
|
|
|
2b7b16 |
system-auth symlink. Added --follow-symlink to sed command.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Nov 01 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15
|
|
|
2b7b16 |
- Version bump
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc5
|
|
|
2b7b16 |
- Point the spec's source to proper remote tarball location
|
|
|
2b7b16 |
- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc4
|
|
|
2b7b16 |
- Don't include the table html files two times
|
|
|
2b7b16 |
- Remove makewhatis
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc3
|
|
|
2b7b16 |
- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
|
|
|
2b7b16 |
- Numberous XCCDF->OVAL naming schema updates
|
|
|
2b7b16 |
- All rules now have CCE
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc2
|
|
|
2b7b16 |
- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Oct 25 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc1
|
|
|
2b7b16 |
- Apply spec file changes required by review request (RH BZ#1018905)
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Thu Oct 24 2013 Shawn Wells <shawn@redhat.com> 0.1-14
|
|
|
2b7b16 |
- Formal RPM release
|
|
|
2b7b16 |
- Inclusion of rht-ccp profile
|
|
|
2b7b16 |
- OVAL unit testing patches
|
|
|
2b7b16 |
- Bash remediation patches
|
|
|
2b7b16 |
- Bugfixes
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon Oct 07 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-14.rc1
|
|
|
2b7b16 |
- Change RPM versioning scheme to include release into tarball
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Sat Sep 28 2013 Shawn Wells <shawn@redhat.com> 0.1-13
|
|
|
2b7b16 |
- Updated RPM spec file to fix rpmlint warnings
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Wed Jun 26 2013 Shawn Wells <shawn@redhat.com> 0.1-12
|
|
|
2b7b16 |
- Updated RPM version to 0.1-12
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Apr 26 2013 Shawn Wells <shawn@redhat.com> 0.1-11
|
|
|
2b7b16 |
- Significant amount of OVAL bugfixes
|
|
|
2b7b16 |
- Incorporation of Draft RHEL/6 STIG feedback
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Sat Feb 16 2013 Shawn Wells <shawn@redhat.com> 0.1-10
|
|
|
2b7b16 |
- `man scap-security-guide`
|
|
|
2b7b16 |
- OVAL bug fixes
|
|
|
2b7b16 |
- NIST 800-53 mappings update
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Wed Nov 28 2012 Shawn Wells <shawn@redhat.com> 0.1-9
|
|
|
2b7b16 |
- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
|
|
|
2b7b16 |
- Reverting to noarch RPM
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Tue Nov 27 2012 Shawn Wells <shawn@redhat.com> 0.1-8
|
|
|
2b7b16 |
- Significant copy editing to XCCDF rules per community
|
|
|
2b7b16 |
feedback on the DISA RHEL/6 STIG Initial Draft
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Thu Nov 1 2012 Shawn Wells <shawn@redhat.com> 0.1-7
|
|
|
2b7b16 |
- Corrected XCCDF content errors
|
|
|
2b7b16 |
- OpenSCAP now supports CPE dictionaries, important to
|
|
|
2b7b16 |
utilize --cpe-dict when scanning machines with OpenSCAP,
|
|
|
2b7b16 |
e.g.:
|
|
|
2b7b16 |
$ oscap xccdf eval --profile stig-server \
|
|
|
2b7b16 |
--cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon Oct 22 2012 Shawn Wells <shawn@redhat.com> 0.1-6
|
|
|
2b7b16 |
- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
|
|
|
2b7b16 |
- Updated RPM includes feedback received from DoD Consensus meetings
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Fri Oct 5 2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-5
|
|
|
2b7b16 |
- Adjusted installation directory to /usr/share/xml/scap.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Tue Aug 28 2012 Spencer Shimko <sshimko@tresys.com> 1.0-4
|
|
|
2b7b16 |
- Fix BuildRequires and Requires.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Tue Jul 3 2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-3
|
|
|
2b7b16 |
- Modified install section, made description more concise.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Thu Apr 19 2012 Spencer Shimko <sshimko@tresys.com> 1.0-2
|
|
|
2b7b16 |
- Minor updates to pass some variables in from build system.
|
|
|
2b7b16 |
|
|
|
2b7b16 |
* Mon Apr 02 2012 Shawn Wells <shawn@redhat.com> 1.0-1
|
|
|
2b7b16 |
- First attempt at SSG RPM. May ${deity} help us...
|