From 9c64d10fe983e4071424613c740999d1bd6a820c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:43:29 +0000
Subject: import scap-security-guide-0.1.33-5.el7
---
diff --git a/.gitignore b/.gitignore
index ea97346..7a06ebd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/scap-security-guide-0.1.30.tar.gz
+SOURCES/scap-security-guide-0.1.33.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 2d6f46b..ec8edd4 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1 @@
-6630e157fce94380bc4610538b1fb8cccfaf5f57 SOURCES/scap-security-guide-0.1.30.tar.gz
+165667e0ac14d568b3544e42170d16761b637b3b SOURCES/scap-security-guide-0.1.33.tar.bz2
diff --git a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch b/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
deleted file mode 100644
index cda0a9d..0000000
--- a/SOURCES/scap-security-guide-0.1.25-centos-menu-branding.patch
+++ /dev/null
@@ -1,151 +0,0 @@ -diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml ---- scap-security-guide-0.1.30/RHEL/7/input/profiles/C2S.xml 2016-06-22 12:56:46.000000000 +0000 -+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/C2S.xml 2016-11-15 16:20:21.101599393 +0000 -@@ -1,10 +1,10 @@ - --C2S for Red Hat Enterprise Linux 7 -+C2S for CentOS Linux 7 - This profile demonstrates compliance against the - U.S. Government Commercial Cloud Services (C2S) baseline. - - This baseline was inspired by the Center for Internet Security --(CIS) Red Hat Enterprise Linux 7 Benchmark, v1.1.0 - 04-02-2015. -+(CIS) CentOS Linux 7 Benchmark, v1.1.0 - 04-02-2015. - For the SCAP Security Guide project to remain in compliance with - CIS' terms and conditions, specifically Restrictions(8), note - there is no representation or claim that the C2S profile will -diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml ---- scap-security-guide-0.1.30/RHEL/7/input/profiles/nist-CL-IL-AL.xml 2016-06-22 12:56:46.000000000 +0000 -+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/nist-CL-IL-AL.xml 2016-11-15 18:30:22.535473255 +0000 -@@ -1,5 +1,5 @@ - --CNSSI 1253 Low/Low/Low Control Baseline for Red Hat Enterprise Linux 7 -+CNSSI 1253 Low/Low/Low Control Baseline for CentOS Linux 7 - This profile follows the Committee on National Security Systems Instruction - (CNSSI) No. 
1253, "Security Categorization and Control Selection for National Security - Systems" on security controls to meet low confidentiality, low integrity, and low -diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml ---- scap-security-guide-0.1.30/RHEL/7/input/profiles/ospp-rhel7-server.xml 2016-06-22 12:56:46.000000000 +0000 -+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/ospp-rhel7-server.xml 2016-11-15 18:30:44.136480430 +0000 -@@ -1,6 +1,6 @@ - - United States Government Configuration Baseline (USGCB / STIG) --This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure Red Hat Enteprise Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against RHEL7 Server. -+This is a *draft* profile for NIAP OSPP v4.0. This profile is being developed under the National Information Assurance Partnership. The scope of this profile is to configure CentOS Linux 7 against the NIAP Protection Profile for General Purpose Operating Systems v4.0. The NIAP OSPP profile also serves as a working draft for USGCB submission against CentOS7 Server. - - -+ - - - -diff -uNrp scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml ---- scap-security-guide-0.1.30/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml 2016-06-22 12:56:46.000000000 +0000 -+++ scap-security-guide-0.1.30.new/RHEL/7/input/profiles/stig-rhel7-server-gui-upstream.xml 2016-11-15 18:32:48.434522900 +0000 -@@ -1,5 +1,5 @@ - --STIG for Red Hat Enterprise Linux 7 Server Running GUIs -+STIG for CentOS Linux 7 Server Running GUIs - This is a *draft* profile for STIG. 
This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO. - - -- -+ - - - -@@ -141,4 +141,4 @@ - - - -- - diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch deleted file mode 100644 index e9d4f21..0000000 --- a/SOURCES/scap-security-guide-0.1.30-rhbz#1344581.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 2276972999ecb8c54ddea8ad40bdc15a7ea86a3a Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky -Date: Fri, 1 Jul 2016 15:02:12 +0200 -Subject: [PATCH] [BugFix] Enhance the OVAL checks for: * - accounts_passwords_pam_faillock_deny_root * - accounts_passwords_pam_faillock_deny - -rules to work properly also in case sssd package is installed -and sssd daemon is running - -Fixes downstream: https://bugzilla.redhat.com/show_bug.cgi?id=1344581 ---- - RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml | 8 ++++---- - shared/oval/accounts_passwords_pam_faillock_deny.xml | 8 ++++---- - 2 files changed, 8 insertions(+), 8 deletions(-) - -diff --git a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml -index 50f2e5a..7b60d22 100644 ---- a/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml -+++ b/RHEL/7/input/oval/accounts_passwords_pam_faillock_deny_root.xml -@@ -34,7 +34,7 @@ - /etc/pam.d/system-auth - -- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n] -+ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] - - 1 - -@@ -51,7 +51,7 @@ - - /etc/pam.d/system-auth - -- [\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] -+ [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] - - 1 - -@@ -69,7 +69,7 @@ - /etc/pam.d/password-auth - -- 
[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n] -+ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*even_deny_root[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] - - 1 - -@@ -86,7 +86,7 @@ - - /etc/pam.d/password-auth - -- [\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] -+ [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*even_deny_root[^\n]*[\n] - - 1 - -diff --git a/shared/oval/accounts_passwords_pam_faillock_deny.xml b/shared/oval/accounts_passwords_pam_faillock_deny.xml -index 96b5043..0923dc9 100644 ---- a/shared/oval/accounts_passwords_pam_faillock_deny.xml -+++ b/shared/oval/accounts_passwords_pam_faillock_deny.xml -@@ -51,7 +51,7 @@ - /etc/pam.d/system-auth - -- [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n] -+ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] - - 1 - -@@ -69,7 +69,7 @@ - - /etc/pam.d/system-auth - -- [\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n] -+ [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n] - - 1 - -@@ -106,7 +106,7 @@ - /etc/pam.d/password-auth - -- 
[\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*[^\n]*[\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]*[\n] -+ [\n][\s]*auth[\s]+required[\s]+pam_faillock\.so[\s]+preauth[\s]+silent[\s]+[^\n]*deny=([0-9]+)[\s]*(?s).*[\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]*[\n] - - 1 - -@@ -124,7 +124,7 @@ - - /etc/pam.d/password-auth - -- [\n][\s]*auth[\s]+sufficient[\s]+pam_unix\.so[^\n]+[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n] -+ [\n][\s]*auth[\s]+(?:(?:sufficient)|(?:\[.*default=die.*\]))[\s]+pam_unix\.so[^\n]+(?s).*[\n][\s]*auth[\s]+\[default=die\][\s]+pam_faillock\.so[\s]+authfail[\s]+[^\n]*deny=([0-9]+)[^\n]*[\n] - - 1 - diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch deleted file mode 100644 index f775f47..0000000 --- a/SOURCES/scap-security-guide-0.1.30-rhbz#1351541.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -From e4d8a19ff626f416a4972344b529ff9fd5bc1c6f Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky -Date: Thu, 30 Jun 2016 14:30:52 +0200 -Subject: [PATCH] [BugFix] [RHEL/6] Make the title of the RHEL-6 - stig-rhel6-server-gui-upstream profile consistent with its RHEL-7 equivalent - -Fixes #1319 ---- - RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml -index 669ac2b..d5351d8 100644 ---- a/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml -+++ b/RHEL/6/input/profiles/stig-rhel6-server-gui-upstream.xml -@@ -1,5 +1,5 @@ - --Upstream STIG for Red Hat Enterprise Linux 6 Server -+Upstream STIG for Red Hat Enterprise Linux 6 Server Running GUIs - This profile is developed under the DoD consensus model and DISA FSO Vendor STIG process, - serving as the upstream development environment for the Red Hat Enterprise Linux 6 Server STIG. - diff --git a/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch b/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch deleted file mode 100644 index 862fd9d..0000000 --- a/SOURCES/scap-security-guide-0.1.30-rhbz#1351751.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From 989cb130cb7d03f27294313c3ee2f1f4d61568db Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky -Date: Tue, 28 Jun 2016 13:04:24 +0200 -Subject: [PATCH 1/2] [Enhancement] [RHEL/6] [RHEL/7] Include the generated - HTML tables for RHEL-6 and RHEL-7 products into the produced RPM package - -Part of #1297 ---- - RHEL/6/Makefile | 5 +++-- - RHEL/7/Makefile | 2 ++ - scap-security-guide.spec.in | 36 +++++++++++++++++++++++------------- - 3 files changed, 28 insertions(+), 15 deletions(-) - -diff --git a/RHEL/6/Makefile b/RHEL/6/Makefile -index 782d0f7..ac7d74e 100644 ---- a/RHEL/6/Makefile -+++ b/RHEL/6/Makefile -@@ -69,8 +69,7 @@ table-stigs: $(OUT)/xccdf-unlinked-final.xml table-srgmap checks - $(TRANS)/xccdf-apply-overlay-stig.xslt $< - xsltproc -o $(OUT)/table-$(PROD)-stig.html $(TRANS)/xccdf2table-stig.xslt $(OUT)/unlinked-stig-$(PROD)-xccdf.xml - --tables: table-refs table-idents table-stigs --#tables: table-refs table-idents table-srgmap table-stigs -+tables: table-refs table-idents table-srgmap table-stigs - - content: $(OUT)/xccdf-unlinked-final.xml checks - cp $< $(OUT)/unlinked-$(PROD)-xccdf.xml -@@ -180,6 +179,8 @@ dist: tables guide content - cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content - cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content - cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content -+ mkdir -p $(DIST)/tables -+ cp $(OUT)/table-*.{x,}html $(DIST)/tables - mkdir -p $(DIST)/guide - cp $(OUT)/*-guide-*.html $(DIST)/guide - cp $(OUT)/$(ID)-centos6-xccdf.xml $(DIST)/content -diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile -index fc9f284..0cafa7c 100644 ---- a/RHEL/7/Makefile -+++ b/RHEL/7/Makefile -@@ -183,6 +183,8 @@ dist: tables guide content - cp $(OUT)/$(ID)-$(PROD)-cpe-dictionary.xml $(DIST)/content - cp $(OUT)/$(ID)-$(PROD)-cpe-oval.xml $(DIST)/content - cp $(OUT)/$(ID)-$(PROD)-ds.xml $(DIST)/content -+ mkdir -p $(DIST)/tables -+ cp $(OUT)/table-*.{x,}html $(DIST)/tables - mkdir -p $(DIST)/guide - cp $(OUT)/*-guide-*.html 
$(DIST)/guide - cp $(OUT)/$(ID)-centos7-xccdf.xml $(DIST)/content -diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in -index ae3cc05..6fbb800 100644 ---- a/scap-security-guide.spec.in -+++ b/scap-security-guide.spec.in -@@ -82,30 +82,40 @@ rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-cpe-dictionary.xml - # We do this after the filtering on Fedora because we don't ship JBossEAP5 datastreams - cp -a JBossEAP5/eap5-* %{buildroot}%{_datadir}/xml/scap/ssg/content/ - --# Docs --mkdir -p %{buildroot}/%{_docdir}/%{name}/guides --cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides --cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides --cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides --cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides -+# Add in HTML tables for selected products -+mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/tables -+cp -a RHEL/6/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables -+cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables -+ -+# Add in LICENSE and README.md -+cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version} -+ -+# scap-security-guide-doc subpackage contains just HTML guides for supported products -+mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides - # outside of the normal build system, different guide --cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}/guides -+cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides - - %if 0%{?fedora} --cp -a 
Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides --cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides --#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}/guides -+cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -+#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}-%{version}/guides - %endif - - %files - %{_datadir}/xml/scap - %{_datadir}/%{name} - %lang(en) %{_mandir}/en/man8/scap-security-guide.8.* --%doc LICENSE --%doc README.md -+%doc %{_docdir}/%{name}-%{version}/tables/*.html -+%doc %{_docdir}/%{name}-%{version}/tables/*.xhtml -+%doc %{_docdir}/%{name}-%{version}/LICENSE -+%doc %{_docdir}/%{name}-%{version}/README.md - - %files doc --%doc %{_docdir}/%{name}/guides/*.html -+%doc %{_docdir}/%{name}-%{version}/guides/*.html - - %changelog - * __DATE__ __REL_MANAGER__ <__REL_MANAGER_MAIL__> __VERSION__-__RELEASE__ - -From 33ea7d73d7a53b465c15ac6289fe8833749622dc Mon Sep 17 00:00:00 2001 -From: Jan Lieskovsky -Date: Tue, 28 Jun 2016 18:50:17 +0200 -Subject: [PATCH 2/2] [Enhancement][RHEL/6][RHEL/7] Provide currently available - RHEL-6 and RHEL-7 kickstart files in the produced RPM package - -Fixes (together with previous commit): #1297 ---- - scap-security-guide.spec.in | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/scap-security-guide.spec.in b/scap-security-guide.spec.in -index 6fbb800..056e84c 100644 ---- a/scap-security-guide.spec.in -+++ b/scap-security-guide.spec.in -@@ -90,6 +90,11 @@ cp -a RHEL/7/dist/tables/* %{buildroot}/%{_docdir}/%{name}-%{version}/tables - # Add in LICENSE and README.md - cp -a LICENSE README.md %{buildroot}/%{_docdir}/%{name}-%{version} - -+# Add in kickstart files for selected products -+mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart -+cp -a RHEL/6/kickstart/*-ks.cfg 
%{buildroot}%{_datadir}/%{name}/kickstart -+cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart -+ - # scap-security-guide-doc subpackage contains just HTML guides for supported products - mkdir -p %{buildroot}/%{_docdir}/%{name}-%{version}/guides - cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/guides -@@ -107,7 +112,7 @@ cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}-%{version}/ - - %files - %{_datadir}/xml/scap --%{_datadir}/%{name} -+%{_datadir}/%{name}/kickstart - %lang(en) %{_mandir}/en/man8/scap-security-guide.8.* - %doc %{_docdir}/%{name}-%{version}/tables/*.html - %doc %{_docdir}/%{name}-%{version}/tables/*.xhtml diff --git a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch b/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch deleted file mode 100644 index 648d7d2..0000000 --- a/SOURCES/scap-security-guide-0.1.30-zstream-rhbz#1415152.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-diff --git a/shared/remediations/bash/templates/remediation_functions b/shared/remediations/bash/templates/remediation_functions
-index 1ef7e19..40d8ad3 100644
---- a/shared/remediations/bash/templates/remediation_functions
-+++ b/shared/remediations/bash/templates/remediation_functions
-@@ -774,7 +774,7 @@ function replace_or_append {
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
-- stripped_key=${key//[!a-zA-Z]/}
-+ stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
-
- # If there is no print format specified in the last arg, use the default format.
- if ! [ "x$format" = x ] ; then
-diff --git a/shared/remediations/bash/sshd_use_approved_macs.sh b/shared/remediations/bash/sshd_use_approved_macs.sh
-index c6e1c29..b93809a 100644
---- a/shared/remediations/bash/sshd_use_approved_macs.sh
-+++ b/shared/remediations/bash/sshd_use_approved_macs.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_rhel
--grep -qi ^MACs /etc/ssh/sshd_config && \
-- sed -i "s/MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1/gI" /etc/ssh/sshd_config
--if ! [ $? -eq 0 ]; then
-- echo "MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1" >> /etc/ssh/sshd_config
--fi
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+replace_or_append '/etc/ssh/sshd_config' '^MACs' 'hmac-sha2-512,hmac-sha2-256,hmac-sha1' 'CCENUM' '%s %s'
-diff --git a/shared/xccdf/remediation_functions.xml b/shared/xccdf/remediation_functions.xml
-index dc14346..f2f2e62 100644
---- a/shared/xccdf/remediation_functions.xml
-+++ b/shared/xccdf/remediation_functions.xml
-@@ -1152,7 +1152,7 @@ function replace_or_append {
-
- # Strip any search characters in the key arg so that the key can be replaced without
- # adding any search characters to the config file.
-- stripped_key=${key//[!a-zA-Z]/}
-+ stripped_key=$(sed "s/[\^=\$,;+]*//g" <<< $key)
-
- # If there is no print format specified in the last arg, use the default format.
- if ! [ "x$format" = x ] ; then
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
new file mode 100644
index 0000000..15650cb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
@@ -0,0 +1,31 @@
+From 96e23141350598de62a0265b5a5007f107bb2525 Mon Sep 17 00:00:00 2001
+From: Martin Preisler
+Date: Thu, 18 May 2017 11:23:35 -0400
+Subject: [PATCH] Use double dash instead of a single dash in ANACONDA
+ remediation templates
+
+---
+ shared/templates/template_ANACONDA_package_installed | 2 +-
+ shared/templates/template_ANACONDA_package_removed | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shared/templates/template_ANACONDA_package_installed b/shared/templates/template_ANACONDA_package_installed
+index 0fb9ba08d..9adffa7e6 100644
+--- a/shared/templates/template_ANACONDA_package_installed
++++ b/shared/templates/template_ANACONDA_package_installed
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = low
+
+-package -add=PKGNAME
++package --add=PKGNAME
+diff --git a/shared/templates/template_ANACONDA_package_removed b/shared/templates/template_ANACONDA_package_removed
+index 21d950692..1882c0deb 100644
+--- a/shared/templates/template_ANACONDA_package_removed
++++ b/shared/templates/template_ANACONDA_package_removed
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = low
+
+-package -remove=PKGNAME
++package --remove=PKGNAME
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
new file mode 100644
index 0000000..5b682ad
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
@@ -0,0 +1,19 @@
+From 1b25ec4ff54215a7668a8cfdcf83ec6c6bb0f4bf Mon Sep 17 00:00:00 2001
+From: Gabe
+Date: Thu, 18 May 2017 09:31:43 -0600
+Subject: [PATCH] Fix typo in ANACONDA static templates
+
+---
+ shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
+index 992562ebf..b10200ab1 100644
+--- a/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
++++ b/shared/templates/static/anaconda/mount_option_tmp_nodev.anaconda
+@@ -4,4 +4,4 @@
+ # complexity = low
+ # disruption = high
+
+-part /tmp -mountoptions="nodev"
++part /tmp --mountoptions="nodev"
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
new file mode 100644
index 0000000..e1006a1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
@@ -0,0 +1,22 @@
+From 620d6704401d8c9538d590c7e8bfdd18cb33034c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Wed, 14 Jun 2017 15:32:30 +0200
+Subject: [PATCH] RHBZ#1461330: Add Anaconda remediation for rule
+ "smartcard_auth"
+
+Packages pam_pkcs11 and esc weren't installed by Anaconda during
+installing, which caused that users can't log in.
+---
+ shared/templates/static/anaconda/smartcard_auth.anaconda | 3 +++
+ 1 file changed, 3 insertions(+)
+ create mode 100644 shared/templates/static/anaconda/smartcard_auth.anaconda
+
+diff --git a/shared/templates/static/anaconda/smartcard_auth.anaconda b/shared/templates/static/anaconda/smartcard_auth.anaconda
+new file mode 100644
+index 000000000..fbe3aa984
+--- /dev/null
++++ b/shared/templates/static/anaconda/smartcard_auth.anaconda
+@@ -0,0 +1,3 @@
++# platform = multi_platform_rhel
++
++package --add=pam_pkcs11 --add=esc
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
new file mode 100644
index 0000000..65640f6
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
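Review bot: The new `smartcard_auth.anaconda` file in `scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch` has only the `# platform = multi_platform_rhel` header, while the other Anaconda templates patched in this commit show `# complexity = …` and `# disruption = …` lines ahead of the command. If the content build or the people reading the generated kickstart rely on those fields, add them here as well; whether they are mandatory cannot be seen from this page. A one-line comment above `package --add=pam_pkcs11 --add=esc`, such as `# pam_pkcs11 and esc are required for smart-card login after installation`, would keep the reason given in the commit message next to the command.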
@@ -0,0 +1,56 @@
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 45a841f..83a3ad0 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -753,7 +753,7 @@ macro(ssg_build_product PRODUCT)
+ install(
+ CODE "
+ file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${PRODUCT}-guide-*.html\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
+ TYPE FILE FILES \${GUIDE_FILES}
+ )"
+ COMPONENT doc
+@@ -761,14 +761,14 @@ macro(ssg_build_product PRODUCT)
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.yml\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES}
+ )"
+ )
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${PRODUCT}-role-*.sh\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES}
+ )"
+ )
+@@ -878,7 +878,7 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
+ install(
+ CODE "
+ file(GLOB GUIDE_FILES \"${CMAKE_BINARY_DIR}/guides/ssg-${DERIVATIVE}-guide-*.html\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_GUIDE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"
+ TYPE FILE FILES \${GUIDE_FILES}
+ )"
+ COMPONENT doc
+@@ -886,14 +886,14 @@ macro(ssg_build_derivative_product ORIGINAL SHORTNAME DERIVATIVE)
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.yml\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES}
+ )"
+ )
+ install(
+ CODE "
+ file(GLOB ROLE_FILES \"${CMAKE_BINARY_DIR}/roles/ssg-${DERIVATIVE}-role-*.sh\") \n
+- file(INSTALL DESTINATION \"\${CMAKE_INSTALL_PREFIX}/${SSG_ROLE_INSTALL_DIR}\"
++ file(INSTALL DESTINATION \"${SSG_ROLE_INSTALL_DIR}\"
+ TYPE FILE FILES \${ROLE_FILES}
+ )"
+ )
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
new file mode 100644
index 0000000..c2a1579
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
@@ -0,0 +1,23 @@
+From 17c80ede5d0e9d6253b2fa0c70714dd64e349eca Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Mon, 15 May 2017 17:25:35 +0200
+Subject: [PATCH] Build table for ospp-rhel7, not ospp-rhel7-server
+
+The profile has been renamed from ospp-rhel7-server to ospp-rhel7.
+---
+ RHEL/7/CMakeLists.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/RHEL/7/CMakeLists.txt b/RHEL/7/CMakeLists.txt
+index b49f556e8..5253b3a9f 100644
+--- a/RHEL/7/CMakeLists.txt
++++ b/RHEL/7/CMakeLists.txt
+@@ -10,7 +10,7 @@ ssg_build_html_table_by_ref(${PRODUCT} "cui")
+ ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
+
+ ssg_build_html_nistrefs_table(${PRODUCT} "common")
+-ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}-server")
++ssg_build_html_nistrefs_table(${PRODUCT} "ospp-${PRODUCT}")
+ ssg_build_html_nistrefs_table(${PRODUCT} "C2S")
+ ssg_build_html_nistrefs_table(${PRODUCT} "stig-${PRODUCT}-disa")
+
diff --git a/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
new file mode 100644
index 0000000..f297c49
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
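Review bot: In `scap-security-guide-0.1.33-fix-guide-role-install-dir.patch`, each rewritten `file(INSTALL DESTINATION \"${SSG_GUIDE_INSTALL_DIR}\"` and `\"${SSG_ROLE_INSTALL_DIR}\"` line is only correct when those variables hold absolute paths, because the `\${CMAKE_INSTALL_PREFIX}/` prefix has been dropped in all six places across `ssg_build_product` and `ssg_build_derivative_product`. Their definitions are not part of these hunks; if either can be relative, the files would presumably be installed relative to wherever the install script runs instead of under the prefix. A configure-time guard in `cmake/SSGCommon.cmake`, `if(NOT IS_ABSOLUTE "${SSG_GUIDE_INSTALL_DIR}")` followed by `message(FATAL_ERROR "SSG_GUIDE_INSTALL_DIR must be an absolute path")` and `endif()`, plus the same for `SSG_ROLE_INSTALL_DIR`, would turn a misplaced install into a build failure. Both macro bodies start and end outside the hunks.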
@@ -0,0 +1,23 @@
+From cca881e45751b0abd4f7044813079dc61d5a53ec Mon Sep 17 00:00:00 2001
+From: Martin Preisler
+Date: Tue, 9 May 2017 15:51:55 -0400
+Subject: [PATCH] Use @override for NIST 800 171 CUI profile
+
+Otherwise the name of the profile gets concatenated with the name of the
+profile it extends.
+---
+ RHEL/7/input/profiles/nist-800-171-cui.xml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/RHEL/7/input/profiles/nist-800-171-cui.xml b/RHEL/7/input/profiles/nist-800-171-cui.xml
+index 0a3ea2550..a021035f9 100644
+--- a/RHEL/7/input/profiles/nist-800-171-cui.xml
++++ b/RHEL/7/input/profiles/nist-800-171-cui.xml
+@@ -1,6 +1,5 @@
+
+-Unclassified Information in Non-federal Information Systems and
+-Organizations (NIST 800-171)
++Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)
+ From NIST 800-171, Section 2.2:
+ Security requirements for protecting the confidentiality of CUI in nonfederal
+ information systems and organizations have a well-defined structure that
diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
new file mode 100644
index 0000000..aae4ece
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
@@ -0,0 +1,29 @@
+diff --git a/docs/scap-security-guide.8 b/docs/scap-security-guide.8
+index 10b83bc..305957b 100644
+--- a/docs/scap-security-guide.8
++++ b/docs/scap-security-guide.8
+@@ -301,24 +301,6 @@ This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publicati
+ for securing Controlled Unclassified Information (CUI).
+
+
+-.SH Fedora PROFILES
+-The Fedora SSG content is broken into 'profiles,' groupings of security settings that
+-correlate to a known policy. Currently available profile:
+-
+-.I common
+-.RS
+-The common profile is intended to be used as a base, universal profile for
+-scanning of general-purpose Fedora systems.
+-.RE
+-
+-.I standard
+-.RS
+-The Standard System Security Profile contains rules to ensure standard security
+-baseline of a Fedora system.
+-Regardless of your system's workload all of these checks should pass.
+-.RE
+-
+-
+ .SH EXAMPLES
+ To scan your system utilizing the OpenSCAP utility against the
+ stig-rhel6-server-upstream profile:
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index a75ac4d..a25ce82 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,4 +1,8 @@
-%global redhatssgversion 30
+%global redhatssgversion 33
+
+# Somehow, _pkgdocdir is already defined and points to unversioned docs dir
+# RHEL 7.X uses versioned docs dir, hence the definition below
+%global _pkgdocdir %{_docdir}/%{name}-%{version}
 Name: scap-security-guide
 Version: 0.1.%{redhatssgversion}
@@ -8,19 +12,17 @@ Summary: Security guidance and baselines in SCAP formats
 Group: System Environment/Base
 License: Public Domain
 URL: https://github.com/OpenSCAP/scap-security-guide
-Source0: %{name}-%{version}.tar.gz
-Patch1: scap-security-guide-0.1.25-update-upstream-manual-page.patch
-Patch2: scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
-Patch3: scap-security-guide-0.1.30-rhbz#1351541.patch
-Patch4: scap-security-guide-0.1.30-rhbz#1344581.patch
-Patch5: scap-security-guide-0.1.30-rhbz#1351751.patch
-Patch6: scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
-Patch7: scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
-Patch99: scap-security-guide-0.1.25-centos-menu-branding.patch
-Patch100: scap-security-guide-0.1.30-centos-menu-branding-2.patch
+Source0: %{name}-%{version}.tar.bz2
+Patch1: scap-security-guide-0.1.33-update-upstream-manual-page.patch
+Patch2: scap-security-guide-0.1.33-fix-guide-role-install-dir.patch
+Patch3: scap-security-guide-0.1.33-fix-ospp-rhel7-table.patch
+Patch4: scap-security-guide-0.1.33-fix-anaconda-remediation-template-add-remove-package.patch
+Patch5: scap-security-guide-0.1.33-fix-anaconda-remediation-template-partition-mountoptions.patch
+Patch6: scap-security-guide-0.1.33-fix-profile_nist-800-171-cui-malformed-title.patch
+Patch7: scap-security-guide-0.1.33-fix-anaconda-smart-card-remediation_1461330.patch
 BuildArch: noarch
-BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
+BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml, cmake >= 2.8
 Requires: xml-common, openscap-scanner >= 1.2.5
 %description
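Review bot: `Source0: %{name}-%{version}.tar.bz2` names the new tarball without an upstream location, so from this spec alone the archive's origin cannot be checked; the only integrity reference on the page is the 40-hex-digit digest in `.scap-security-guide.metadata` (SHA-1, judging by its length). Consider giving the full download location, `Source0: <UPSTREAM_RELEASE_URL>/%{name}-%{version}.tar.bz2` (placeholder), next to the `URL:` tag already present, so a rebuilder can fetch and compare the archive independently. The added `Patch2` and `Patch3` entries also carry no bug or upstream-commit reference in their names, unlike the rhbz-numbered patches they replace; a one-line comment above each would record where it came from.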
@@ -47,99 +49,92 @@ been generated from XCCDF benchmarks present in %{name} package. %setup -q -n %{name}-%{version} # Update manual page to drop the part dedicated to Fedora content %patch1 -p1 -b .man_page_update -# Temporarily drop "Verify and Correct File Permissions with RPM" -# rule from RHEL-7's PCI-DSS profile (RH BZ#1267861) -%patch2 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule -# Fix for RHBZ#1351541 -%patch3 -p1 -b .rhbz#1351541 -# Fix for RHBZ#1344581 -%patch4 -p1 -b .rhbz#1344581 -# Fix for RHBZ#1351751 -%patch5 -p1 -b .rhbz#1351751 -# Downstream fix for RHBZ#1357019 (slightly differs from upstream -# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1388.patch -# version because 'smartcard-auth.sh' remediation in upstream got moved -# to different location already). The rest of the change (except the path) -# is identical with upstream form -%patch6 -p1 -b .rhbz#1357019 -# Z-stream fix for RHBZ#1415152 -# Patch consists of upstream -# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1555.diff -# and modified version of upstream -# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1471.diff -# Patch for PR 1471 was modified to remove unrelated changes, and remediations files got -# moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly -# different due to commit c6730b867f6760b94ec193e95484a16054b27f48a). 
-%patch7 -p1 -b .rhbz#1415152 -%patch99 -p1 -%patch100 -p1 - -# Remove the RHEL Certified Cloud Provider profile for debranding purposes -%{__rm} RHEL/7/input/profiles/rht-ccp.xml +%patch2 -p1 -b .guide_role_dir_fix +%patch3 -p1 -b .ospp_rhel7_table_fix +# Patches 4 and 5 fixes rhbz#1450731 +%patch4 -p1 -b .anaconda_template_add_remove_package_fix +%patch5 -p1 -b .anaconda_template_partition_mountoptions_fix +# Fix for rhbz#1449211 +%patch6 -p1 -b .profile_nist_800_171_cui_malformed_title_fix +%patch7 -p1 -b .anaconda-smart-card-auth %build -(cd RHEL/7 && make dist) -(cd RHEL/6 && make dist) -(cd Firefox && make dist) -(cd JRE && make dist) +%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \ +-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \ +-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \ +-DSSG_PRODUCT_FEDORA:BOOL=OFF \ +-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF \ +-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \ +-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \ +-DSSG_PRODUCT_OSP7:BOOL=OFF \ +-DSSG_PRODUCT_RHEL5:BOOL=OFF \ +-DSSG_PRODUCT_RHEV3:BOOL=OFF \ +-DSSG_PRODUCT_SUSE11:BOOL=OFF \ +-DSSG_PRODUCT_SUSE12:BOOL=OFF \ +-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF \ +-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF \ +-DSSG_PRODUCT_WRLINUX:BOOL=OFF \ +-DSSG_PRODUCT_WEBMIN:BOOL=OFF \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF . 
+make %{?_smp_mflags} %install - -mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content -mkdir -p %{buildroot}%{_mandir}/en/man8/ - -# Add in RHEL-7 core content (SCAP) -cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ -cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ -cp -a RHEL/7/dist/content/ssg-centos7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ -cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ -cp -a RHEL/7/dist/content/ssg-centos7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/ - -# Add in RHEL-6 datastream (SCAP) -cp -a RHEL/6/dist/content/ssg-centos6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content - -# Add in Firefox datastream (SCAP) -cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content - -# Add in Java Runtime Environment (JRE) datastream (SCAP) -cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content - -# Add in currently available kickstart files -mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart -cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart -cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart - -# Add in manpage -cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8 +%make_install %files %defattr(-,root,root,-) %{_datadir}/xml/scap %{_datadir}/%{name} -%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz -%doc RHEL/6/dist/tables/*.html -%doc RHEL/6/dist/tables/*.xhtml -%doc RHEL/7/dist/tables/*.html -%doc RHEL/7/dist/tables/*.xhtml -%doc ./LICENSE +%lang(en) %{_mandir}/man8/scap-security-guide.8.gz +%doc LICENSE +%doc Contributors.md +%doc README.md %doc RHEL/6/input/auxiliary/DISCLAIMER %files doc %defattr(-,root,root,-) -%doc RHEL/6/output/ssg-centos6-guide-*.html -%doc RHEL/7/output/ssg-centos7-guide-*.html -%doc JRE/output/ssg-jre-guide-*.html 
-%doc Firefox/output/ssg-firefox-guide-*.html +%doc roles/ssg-*-role*.yml +%doc roles/ssg-*-role*.sh +%doc guides/ssg-*-guide-*.html %changelog -* Fri Mar 3 2017 Johnny Hughes 0.1.30-5 -- Manual CentOS Debranding +* Wed Jun 14 2017 Watson Sato 0.1.33-5 +- Fix Anaconda Smartcard auth remediation (RHBZ#1461330) + +* Fri May 19 2017 Watson Sato 0.1.33-4 +- Fix specfile to not include tables twice + +* Fri May 19 2017 Watson Sato 0.1.33-3 +- Fix malformed title of profile nist-800-171-cui + +* Fri May 19 2017 Watson Sato 0.1.33-2 +- Fix emtpy ospp-rhel7 table +- Fix Anaconda remediation templates (RHBZ#1450731) + +* Mon May 01 2017 Watson Sato 0.1.33-1 +- Update to upstream version 0.1.33 +- DISA RHEL7 STIG profile alignment improved +- Introduction of remediation roles +- RPM and DEB test packages are built by CMake with CPack +- Lots of remediation fixes + +* Tue Mar 28 2017 Watson Sato 0.1.32-1 +- Update to upstream version 0.1.32 +- New CMake build system +- Improved NIST 800-171 profile +- Initial RHVH profile +- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container) +- Template clean up in lots of remediations + +* Fri Mar 10 2017 Watson Sato 0.1.30-6 +- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144) * Tue Feb 14 2017 Watson Sato 0.1.30-5 - Fix template remediation function used by SSHD remediation - Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152) -* Tue Jan 31 2017 Jan Watson Sato 0.1.30-4 +* Tue Jan 31 2017 Watson Sato 0.1.30-4 - Correct remediation for SSHD which caused it not to start (RH BZ#1415152) * Wed Aug 10 2016 Jan iankko Lieskovsky 0.1.30-3
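Review bot: The `%cmake` call in `%build` passes `-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF`, while the removed `%install` lines used to ship `ssg-centos6-ds.xml`, `ssg-centos7-ds.xml` and `ssg-centos7-xccdf.xml`, and the previous hunk drops the two centos-menu-branding patches (Patch99, Patch100). If this package is meant to be installed on CentOS, the resulting content probably identifies only RHEL platforms. A scan on a CentOS host could then report rules as not applicable rather than pass or fail, which is easy to misread as a clean result. Consider `-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \` here, and confirm after the build that the expected CentOS datastreams are present under `%{_datadir}/xml/scap`. The new `%files` entry is the whole directory, so a missing datastream will not fail the build.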