From 1e6968b789bd01cced311d79a2e66c567de351bf Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 19 2017 13:22:48 +0000 Subject: import scap-security-guide-0.1.33-6.el7_4 --- diff --git a/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch b/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch new file mode 100644 index 0000000..a080fd1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch @@ -0,0 +1,26 @@ +From 8098e6e16c1b7a403c27744508c9892d482061fa Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Thu, 14 Sep 2017 19:07:46 +0200 +Subject: [PATCH] Drop firewalld default zone and sshd port fixes + +Providing a fix for 'firewalld_sshd_port_enabled' can be very complicated +and will very likely not fit to everyone's use case. And because of that +we drop remediation for 'set_firewalld_sshd_port', which is causing the +remediated machine to refuse all connections. +--- + shared/templates/static/bash/set_firewalld_default_zone.sh | 10 ---- + 1 file changed, 10 deletions(-) + delete mode 100644 shared/templates/static/bash/set_firewalld_default_zone.sh + +diff --git a/shared/templates/static/bash/set_firewalld_default_zone.sh b/shared/templates/static/bash/set_firewalld_default_zone.sh +deleted file mode 100644 +index ada8b68a7..000000000 +--- a/shared/templates/static/bash/set_firewalld_default_zone.sh ++++ /dev/null +@@ -1,6 +0,0 @@ +-# platform = Red Hat Enterprise Linux 7 +-grep -q ^DefaultZone= /etc/firewalld/firewalld.conf && \ +- sed -i "s/DefaultZone=.*/DefaultZone=drop/g" /etc/firewalld/firewalld.conf +-if ! [ $? -eq 0 ]; then +- echo "DefaultZone=drop" >> /etc/firewalld/firewalld.conf +-fi diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index a25ce82..137fa78 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -6,7 +6,7 @@ Name: scap-security-guide Version: 0.1.%{redhatssgversion} -Release: 5%{?dist} +Release: 6%{?dist} Summary: Security guidance and baselines in SCAP formats Group: System Environment/Base @@ -20,6 +20,7 @@ Patch4: scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove Patch5: scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch Patch6: scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch Patch7: scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch +Patch8: scap-security-guide-0.1.33-drop_set_firewalld_default_zone_remediation.patch BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml, cmake >= 2.8 @@ -57,6 +58,8 @@ been generated from XCCDF benchmarks present in %{name} package. # Fix for rhbz#1449211 %patch6 -p1 -b .profile_nist_800_171_cui_malformed_title_fix %patch7 -p1 -b .anaconda-smart-card-auth +# Fix for rhbz#1478414, patch adapted from https://github.com/OpenSCAP/scap-security-guide/pull/2328 +%patch8 -p1 -b .drop_set_firewalld_default_zone_remediation %build %cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \ @@ -99,6 +102,9 @@ make %{?_smp_mflags} %doc guides/ssg-*-guide-*.html %changelog +* Tue Sep 19 2017 Watson Sato 0.1.33-6 +- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414) + * Wed Jun 14 2017 Watson Sato 0.1.33-5 - Fix Anaconda Smartcard auth remediation (RHBZ#1461330)