Blob Blame History Raw
# Base name of static rhel6 content tarball
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
%global _vpath_builddir build

Name:		scap-security-guide
Version:	0.1.57
Release:	3%{?dist}
Summary:	Security guidance and baselines in SCAP formats
License:	BSD-3-Clause
Group:		Applications/System
URL:		https://github.com/ComplianceAsCode/content/
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
# Include tarball with last released rhel6 content
Source1:	%{_static_rhel6_content}.tar.bz2

BuildArch:	noarch

# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0:		disable-not-in-good-shape-profiles.patch
Patch1:		scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch
Patch2:		scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch
Patch3:		scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch
Patch4:		scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch
Patch5:		scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch
Patch6:		scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch
Patch7:		scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch
Patch8:		scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch
Patch9:		scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch
Patch10:		scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch
Patch11:		scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch
Patch12:		scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch
Patch13:		scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch
Patch14:		scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch
Patch15:		scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch
Patch16:		scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch
Patch17:		scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch
Patch18:		scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch
Patch19:		scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch
Patch20:		scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch
Patch21:		scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch
Patch22:		scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch
Patch23:		scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch
Patch24:		scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch
Patch25:		scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch
Patch26:		scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch
Patch27:		scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch
Patch28:		scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch
Patch29:		scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch
Patch30:		scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch
Patch31:		scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch
Patch32:		scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch
Patch33:		scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch
Patch34:		scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch
Patch35:		scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch
Patch36:		scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch
Patch37:		scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch
Patch38:		scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch
Patch39:		scap-security-guide-0.1.58-update_stig_references-PR_7366.patch
Patch40:		scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch
Patch41:		scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch
Patch42:		scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch
Patch43:		scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch
Patch44:		scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch
Patch45:		scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch
Patch46:		scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch
Patch47:		scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch
Patch48:		scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch
Patch49:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch
Patch50:		scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch
Patch51:		scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch
Patch52:		scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch
Patch53:		scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch
Patch54:		scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch
Patch55:		scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch
Patch56:		scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch
Patch57:		revert_docker_selinux_enabled_to_rhel8.patch
Patch58:		scap-security-guide-0.1.58-rhbz1958939_rear_not_s390x-PR_7261.patch

BuildRequires:	libxslt
BuildRequires:	expat
BuildRequires:	openscap-scanner >= 1.2.5
BuildRequires:	cmake >= 2.8
# To get python3 inside the buildroot require its path explicitly in BuildRequires
BuildRequires: /usr/bin/python3
BuildRequires:	python%{python3_pkgversion}
BuildRequires:	python%{python3_pkgversion}-jinja2
BuildRequires:	python%{python3_pkgversion}-PyYAML
Requires:	xml-common, openscap-scanner >= 1.2.5
Obsoletes:	openscap-content < 0:0.9.13
Provides:	openscap-content

%description
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The Red Hat Enterprise
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
package, or the scap-workbench GUI tool from scap-workbench package to verify
that the system conforms to provided guideline. Refer to scap-security-guide(8)
manual page for further information.

%package	doc
Summary:	HTML formatted security guides generated from XCCDF benchmarks
Group:		System Environment/Base
Requires:	%{name} = %{version}-%{release}

%description	doc
The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.

%prep
%autosetup -p1 -b1

%build
mkdir -p build
cd build
%cmake \
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
%if %{defined centos}
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
%else
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
%endif
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
../
%cmake_build

%install
cd build
%cmake_install

# Manually install pre-built rhel6 content
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}

%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
%{_datadir}/%{name}/ansible
%{_datadir}/%{name}/bash
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
%doc %{_docdir}/%{name}/LICENSE
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/Contributors.md

%files doc
%doc %{_docdir}/%{name}/guides/*.html
%doc %{_docdir}/%{name}/tables/*.html

%changelog
* Wed Oct 13 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
- Reintroduce docker_selinux_enabled rule to RHEL8.
- Set package_rear_installed not applicable on s390x arch. (RHBZ#2013553)

* Tue Oct 05 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2
- Remove ansible playbooks per rule generation.

* Fri Sep 17 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-1
- Update to the latest upstream release (RHBZ#1997634)
- Update RHEL8 STIG profile to V1R3 (RHBZ#1997634)
- Enable RHEL8 STIG with GUI profile (RHBZ#2005431)
- Enable the ISM profile (RHBZ#2005891)
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#2005427)
- Enable ANSSI High Profile (RHBZ#2005429)

* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
- Remove Kickstart for not shipped profile (RHBZ#1778188)

* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)

* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)

* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)

* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
- Update to the latest upstream release (RHBZ#1889344)
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)

* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)

* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
- Disable usbguard rules on s390x architecture (RHBZ#1899059)

* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
- Update list of profiles built (RHBZ#1889344)

* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
- Update to the latest upstream release (RHBZ#1889344)

* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)

* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)

* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
- remove rationale from rules that contain defective links (rhbz#1854854)

* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
- fixed link in a grub2 rule description (rhbz#1854854)
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)

* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
- Update the scapval invocation (RHBZ#1815007)
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
- Change the spec file macro invocation from patch to Patch
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)

* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
- fix description of HIPAA profile (RHBZ#1867559)

* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
  - Remove CCM from TLS Ciphersuites

* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)

* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)

* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)

* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
- CIS Ansible fixes (RHBZ#1760734)
- HIPAA Ansible fixes (RHBZ#1832760)

* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
 - HIPAA Profile (RHBZ#1832760)
  - Enable build of RHEL8 HIPAA Profile
  - Add kickstarts for HIPAA
- CIS Profile (RHBZ#1760734)
  - Add Ansible fix for sshd_set_max_sessions
  - Add CIS Profile content attribution to Center for Internet Security

* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Fix Ansible for no_direct_root_logins
- Fix Ansible template for SELinux booleans
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)

* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)

* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
- Update to the latest upstream release (RHBZ#1815007)

* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
- Update to the latest upstream release (RHBZ#1815007)

* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
- Update baseline package list of OSPP profile

* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
- Rebuilt with correct spec file

* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
- Add SRG references to STIG rules (RHBZ#1755447)

* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
- Drop rsyslog rules from OSPP profile
- Update COBIT URI
- Add rules for strong source of RNG entropy
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
- STIG profile: added rsyslog rules and updated SRG mappings
- Split audit rules according to audit component (RHBZ#1791312)

* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
- Update crypto-policy test scenarios
- Update max-path-len test to skip tests/logs directory

* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
- Fix list of tables that are generated for RHEL8

* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
- Update to latest upstream SCAP-Security-Guide-0.1.48 release

* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
- Improved the e8 profile (RHBZ#1755194)

* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)

* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)

* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)

* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)

* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
- Use crypto-policy rules in OSPP profile.
- Re-enable FIREFOX and JRE product in build.
- Change test suite logging message about missing profile from ERROR to WARNING.
- Build only one version of SCAP content at a time.

* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
- Update to latest upstream SCAP-Security-Guide-0.1.45 release

* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
- Ported changelog from late 8.0 builds.
- Disabled build of the OL8 product, updated other components of the cmake invocation.

* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
- Update to latest upstream SCAP-Security-Guide-0.1.44 release

* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
- Assign CCE to rules from OSPP profile which were missing the identifier.
- Fix regular expression for Audit rules ordering
- Account for Audit rules flags parameter position within syscall
- Add remediations for Audit rules file path
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
- Add a Bash remediation for Audit rules that require ordering

* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
- Assign CCE identifier to rules used by RHEL8 profiles.

* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
- Fixed Crypto Policy OVAL for NSS
- Got rid of rules requiring packages dropped in RHEL8.
- Profile descriptions fixes.

* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
- Update applicable platforms in crypto policy tests

* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
- Introduce Podman backend for SSG Test suite
- Update bind and libreswan crypto policy test scenarios

* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
- Further fix of profiles descriptions, so they don't contain literal '\'.
- Removed obsolete sshd rule from the OSPP profile.

* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
- Fixed profiles descriptions, so they don't contain literal '\n'.
- Made the configure_kerberos_crypto_policy OVAL more robust.
- Made OVAL for libreswan and bind work as expected when those packages are not installed.

* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.

* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
- Added FIPS mode rule for the OSPP profile.
- Split the installed_OS_is certified rule.
- Explicitly disabled OSP13, RHV4 and Example products.

* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
- Add missing kickstart files for RHEL8
- Disable profiles that are not in good shape for RHEL8

* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
- System-wide crypto policies are introduced for RHEL8
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.

* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
- Fix man page and package description

* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles

* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
- Only build content for rhel8 products

* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
- Update build of rhel8 content

* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
- Enable build of rhel8 content

* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
- Fix spec file to build using Python 3
- Fix License because upstream changed to BSD-3

* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38

* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37

* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36

* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
- updated to latest upstream release

* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
- updated to latest upstream release

* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
- updated to latest upstream release

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
- use make_build and make_install RPM macros

* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
- update to the latest upstream release
- new default location for content /usr/share/scap/ssg
- install HTML tables in the doc subpackage

* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
- Correct currently failing parallel SCAP Security Guide build

* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
- Drop shell library for remediation functions since it is not required
  starting from 0.1.30 release any more

* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
  in 0.1.29 upstream release

* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
- upgrade to the latest upstream release

* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
- update to the latest upstream release

* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
- update to the latest upstream release

* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
- update to the latest upstream release

* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
- update to the latest upstream release
- created doc sub-package to ship all the guides
- start distributing centos and scientific linux content
- rename java content to jre

* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
- update to the latest upstream release
- only DataStream file is now available for Fedora
- start distributing security baseline for Firefox
- start distributing security baseline for Java RunTime deployments

* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
- update to the latest upstream release
- move content to /usr/share/scap/ssg/content

* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
- update to the latest upstream release

* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
- require only openscap-scanner, not whole openscap-utils package

* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
- Add STIG DISCLAIMER to the shipped documentation

* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
- Fix fedora-srpm and fedora-rpm Make targets to work again
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
- EOL for Fedora 18 support
- Include Fedora datastream file for remote Fedora system scans

* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)

* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
  it to /shared
- Add shared remediations for sshd disable empty passwords and
  sshd set idle timeout
- Shared remediation for sshd disable root login
- Add empty -compat subpackage to ensure backward-compatibility with
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
- OVAL check for sshd disable root login
- Fix typo in OVAL check for sshd disable empty passwords
- OVAL check for sshd disable empty passwords
- Unselect no shelllogin for systemaccounts rule from being run by default
- Rename XCCDF rules
- Revert Set up Fedora release name and CPE based on build system properties
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
- Shared OVAL check for Verify that System Executables Have Root Ownership
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
  Permissions
- Fix remediation for Disable Prelinking rule
- OVAL check and remediation for sshd's ClientAliveCountMax rule
- OVAL check for sshd's ClientAliveInterval rule
- Include descriptions for permissions section, and rules for checking
  permissions and ownership of shared library files and system executables
- Disable selected rules by default
- Add remediation for Disable Prelinking rule
- Adjust service-enable-macro, service-disable-macro XSLT transforms
  definition to evaluate to proper systemd syntax
- Fix service_ntpd_enabled OVAL check make validate to pass again
- Include patch from Šimon Lukašík to obsolete openscap-content
  package (RH BZ#1028706)
- Add OVAL check to test if there's is remote NTP server configured for
  time data
- Add system settings section for the guide (to track system wide
  hardening configurations)
- Include disable prelink rule and OVAL check for it
- Initial OVAL check if ntpd service is enabled. Add package_installed
  OVAL templating directory structure and functionality.
- Include services section, and XCCDF description for selected ntpd's
  sshd's service rules
- Include remediations for login.defs' based password minimum, maximum and
  warning age rules
- Include directory structure to support remediations
- Add SCAP "replace or append pattern value in text file based on variable"
  remediation script generator
- Add remediation for "Set Password Minimum Length in login.defs" rule

* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
- Update versioning scheme - move fedorassgrelease to be part of
  upstream version. Rename it to fedorassgversion to avoid name collision
  with Fedora package release.

* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
- Add .gitignore for Fedora output directory
- Set up Fedora release name and CPE based on build system properties
- Use correct file paths in scap-security-guide(8) manual page
  (RH BZ#1018905, c#10)
- Apply further changes motivated by scap-security-guide Fedora RPM review
  request (RH BZ#1018905, c#8):
  * update package description,
  * make content files to be owned by the scap-security-guide package,
  * remove Fedora release number from generated content files,
  * move HTML form of the guide under the doc directory (together
    with that drop fedora/content subdir and place the content
    directly under fedora/ subdir).
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
  * drop Fedora release from package provided files' final path (c#5),
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
    manual page, don't gzip man page (c#4),
  * change package's description (c#4),
  * include PD license text (#c4).

* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
- Provide manual page for scap-security-guide
- Remove percent sign from spec's changelog to silence rpmlint warning
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
- Introduce 'Account and Access Control' section
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
  rules to Fedora
- Set proper name of the build directory in the spec's setup macro.
- Replace hard-coded paths with macros. Preserve attributes when copying files.

* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
- Initial Fedora SSG RPM.