From df3ea45e28b3f0fe7994fbf80bdb5c012658e814 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 05:24:02 +0000
Subject: import scap-security-guide-0.1.36-7.el7
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6d68201
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
new file mode 100644
index 0000000..8589e93
--- /dev/null
+++ b/.scap-security-guide.metadata
@@ -0,0 +1 @@
+1c244d1053d58edb7e5020b7e906b9edc89db48c SOURCES/scap-security-guide-0.1.36.tar.bz2
diff --git a/README.md b/README.md
deleted file mode 100644
index 98f42b4..0000000
--- a/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
new file mode 100644
index 0000000..f37821c
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.33-update-upstream-manual-page.patch
@@ -0,0 +1,29 @@
+diff --git a/docs/scap-security-guide.8 b/docs/scap-security-guide.8
+index 10b83bc..305957b 100644
+--- a/docs/scap-security-guide.8
++++ b/docs/scap-security-guide.8
+@@ -301,24 +301,6 @@ This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publicati
+ for securing Controlled Unclassified Information (CUI).
+ 
+ 
+-.SH Fedora PROFILES
+-The Fedora SSG content is broken into 'profiles,' groupings of security settings that
+-correlate to a known policy. Currently available profile:
+-
+-.I common
+-.RS
+-The common profile is intended to be used as a base, universal profile for
+-scanning of general-purpose Fedora systems.
+-.RE
+-
+-.I standard
+-.RS
+-The Standard System Security Profile contains rules to ensure standard security
+-baseline of a Fedora system.
+-Regardless of your system's workload all of these checks should pass.
+-.RE
+-
+-
+ .SH EXAMPLES
+ To scan your system utilizing the OpenSCAP utility against the
+ ospp-rhel7 profile:
diff --git a/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
new file mode 100644
index 0000000..928131d
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-Deprecate-RhostsRSAAuthentication.patch
@@ -0,0 +1,57 @@ +From 44d270133421722ac0dfa0af9756b73d582f4d56 Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 8 Dec 2017 11:59:13 -0700 +Subject: [PATCH] Deprecate RhostsRSAAuthentication as it have been deprecated + in 7.4 + +- Fixes #2478 +--- + shared/checks/oval/sshd_disable_rhosts_rsa.xml | 7 +++++-- + shared/xccdf/services/ssh.xml | 9 +++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +index d7e00fafc..2abf88c70 100644 +--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml ++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +@@ -15,8 +15,11 @@ + + +- ++ ++ ++ ++ + + + +diff --git a/shared/xccdf/services/ssh.xml b/shared/xccdf/services/ssh.xml +index 6edd47ab8..53c28faa9 100644 +--- a/shared/xccdf/services/ssh.xml ++++ b/shared/xccdf/services/ssh.xml +@@ -603,6 +603,11 @@ following line in /etc/ssh/sshd_config: +
RhostsRSAAuthentication no
+ + ++To check which SSH protocol version is allowed, check version of ++openssh-server with following command: ++
$ rpm -qi openssh-server | grep Version
++Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option. ++If version is lower than 7.4, run the following command to check configuration: + +
+ +@@ -610,6 +615,10 @@ Configuring this setting for the SSH daemon provides additional + assurance that remove login via SSH will require a password, even + in the event of misconfiguration elsewhere. + ++As of openssh-server version 7.4 and above, ++the RhostsRSAAuthentication option has been deprecated, and the line ++
RhostsRSAAuthentication no
in /etc/ssh/sshd_config is not ++necessary.
+ + + diff --git a/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch new file mode 100644 index 0000000..16e5eac --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-add-disa-stig-rule-id.patch 
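Review bot: The added description text in ssh.xml says `To check which SSH protocol version is allowed, check version of openssh-server with following command:`, but the command that follows (`rpm -qi openssh-server | grep Version`) reports the package version, and the paragraph is about whether `RhostsRSAAuthentication` is still honoured, not about the protocol version; suggest `To determine whether the installed openssh-server still honours this option, check its version with the following command:`. The second addition in the same hunk, `the line ... in /etc/ssh/sshd_config is not necessary`, reads more naturally as `is no longer needed`. The OVAL change earlier in the same patch (sshd_disable_rhosts_rsa.xml) is not legible in this chunk, so only the description text is reviewed here.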
@@ -0,0 +1,95 @@
+From 4bfc0f1d9cfe21ec672fc806f5421272f1c0b41f Mon Sep 17 00:00:00 2001
+From: Wesley Ceraso Prudencio
+Date: Wed, 1 Nov 2017 14:17:24 +0100
+Subject: [PATCH] Enables the STIG Rule ID to be output
+
+Signed-off-by: Wesley Ceraso Prudencio
+---
+ cmake/SSGCommon.cmake | 5 ++++
+ shared/utils/add_stig_references.py | 57 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+)
+ create mode 100755 shared/utils/add_stig_references.py
+
+diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
+index 8ac826ef6..786e07532 100644
+--- a/cmake/SSGCommon.cmake
++++ b/cmake/SSGCommon.cmake
+@@ -130,10 +130,15 @@ macro(ssg_build_shorthand_xml PRODUCT)
+ endmacro()
+ 
+ macro(ssg_build_xccdf_unlinked PRODUCT)
++ file(GLOB STIG_REFERENCE_FILE_LIST "${SSG_SHARED_REFS}/disa-stig-${PRODUCT}-*-xccdf-manual.xml")
++ list(APPEND STIG_REFERENCE_FILE_LIST "not-found")
++ list(GET STIG_REFERENCE_FILE_LIST 0 STIG_REFERENCE_FILE)
++
+ add_custom_command(
+ OUTPUT "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
+ COMMAND "${XSLTPROC_EXECUTABLE}" --stringparam ssg_version "${SSG_VERSION}" --output "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt" "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
+ COMMAND "${OPENSCAP_OSCAP_EXECUTABLE}" xccdf resolve -o "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml" "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
++ COMMAND "${SSG_SHARED_UTILS}/add_stig_references.py" --disa-stig "${STIG_REFERENCE_FILE}" --unlinked-xccdf "${CMAKE_CURRENT_BINARY_DIR}/xccdf-unlinked-resolved.xml"
+ DEPENDS generate-internal-${PRODUCT}-shorthand.xml
+ DEPENDS "${CMAKE_CURRENT_BINARY_DIR}/shorthand.xml"
+ DEPENDS "${CMAKE_CURRENT_SOURCE_DIR}/transforms/shorthand2xccdf.xslt"
+diff --git a/shared/utils/add_stig_references.py b/shared/utils/add_stig_references.py
+new file mode 100755
+index 000000000..0ab208793
+--- /dev/null
++++ b/shared/utils/add_stig_references.py
+@@ -0,0 +1,57 @@
++#!/usr/bin/env python2
++
++try:
++ from xml.etree import cElementTree as etree
++except ImportError:
++ import cElementTree as etree
++
++import re
++import sys
++import argparse
++
++parser = argparse.ArgumentParser(
++ description='Add STIG references to XCCDF files.')
++parser.add_argument(
++ "--disa-stig", help="DISA STIG Reference XCCDF file",dest="reference")
++parser.add_argument(
++ "--unlinked-xccdf", help="unlinked SSG XCCDF file", dest="destination")
++args = parser.parse_args()
++
++reference = args.reference
++destination = args.destination
++
++xccdf_namespace = "http://checklists.nist.gov/xccdf/1.1"
++stig_href = 'http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx'
++stig_references_beginning = 'http://iase.disa.mil/stigs/'
++
++try:
++ reference_root = etree.parse(reference)
++except IOError as exception:
++ print 'INFO: DISA STIG Reference file not found for this platform'
++ sys.exit(0)
++
++reference_rules = reference_root.findall('.//{%s}Rule' % xccdf_namespace)
++
++dictionary = {}
++
++for rule in reference_rules:
++ version = rule.find('.//{%s}version' % xccdf_namespace)
++ if version is not None and version.text:
++ dictionary[version.text] = rule.get('id')
++
++target_root = etree.parse(destination)
++target_rules = target_root.findall('.//{%s}Rule' % xccdf_namespace)
++
++for rule in target_rules:
++ refs = rule.findall('.//{%s}reference' % xccdf_namespace)
++ for ref in refs:
++ if (ref.get('href').startswith(stig_references_beginning) and
++ ref.text in dictionary):
++ index = rule.getchildren().index(ref)
++ new_ref = etree.Element(
++ '{%s}reference' % xccdf_namespace, {'href': stig_href})
++ new_ref.text = dictionary[ref.text]
++ new_ref.tail = ref.tail
++ rule.insert(index + 1, new_ref)
++
++target_root.write(destination)
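Review bot: `ref.get('href').startswith(stig_references_beginning)` in the new add_stig_references.py raises AttributeError for any `<reference>` element that carries no `href` attribute, which aborts the xccdf-unlinked-resolved.xml step with a traceback instead of skipping that element; guard it with `href = ref.get('href', '')` followed by `if href.startswith(stig_references_beginning) and ref.text in dictionary:`. In the SSGCommon.cmake hunk the reference file is chosen by a configure-time `file(GLOB)` plus `list(GET ... 0)`, so a second matching `disa-stig-<product>-*-xccdf-manual.xml` is silently ignored and a newly added one is only picked up after a reconfigure. Neither `"${STIG_REFERENCE_FILE}"` nor the script itself appears under DEPENDS in the visible lines, so editing either would not rebuild the output; the add_custom_command's DEPENDS list continues past the end of the hunk, so they may already be listed further down. `import re` is unused in the script and `rule.getchildren()` can be written `list(rule)`.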
diff --git a/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
new file mode 100644
index 0000000..6289dcb
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-disable-check-libexec_ownership.patch
@@ -0,0 +1,23 @@
+From 6f502074053282dd3afbb5ed1594fbbd524c9bc6 Mon Sep 17 00:00:00 2001
+From: Gabe
+Date: Fri, 8 Dec 2017 11:34:50 -0700
+Subject: [PATCH] Do not check library ownership in libexec
+
+- Fixes #2473
+---
+ shared/checks/oval/file_ownership_library_dirs.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shared/checks/oval/file_ownership_library_dirs.xml b/shared/checks/oval/file_ownership_library_dirs.xml
+index 41394a01e..186c99012 100644
+--- a/shared/checks/oval/file_ownership_library_dirs.xml
++++ b/shared/checks/oval/file_ownership_library_dirs.xml
+@@ -34,7 +34,7 @@
+ 
+ 
+ 
+- ^\/lib(|64)|^\/usr\/lib(|64)
++ ^\/lib(|64)\/|^\/usr\/lib(|64)\/
+ ^.*$
+ state_owner_libraries_not_root
+ 
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch
new file mode 100644
index 0000000..83822b8
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.37-fix-missing-bash-remediation-include.patch
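Review bot: The new pattern `^\/lib(|64)\/|^\/usr\/lib(|64)\/` requires a slash after `lib`/`lib64`, which is what keeps `/libexec` out, but a directory path such as `/lib64` itself has no trailing slash and would stop matching if this entity is compared against directory paths (the adjacent `^.*$` filename pattern suggests it is; the element names are stripped in this chunk). If so, files sitting directly in `/lib`, `/lib64`, `/usr/lib` and `/usr/lib64` would no longer be evaluated by the ownership check at all, which is a bigger loss than the libexec false positives the patch removes. `^\/lib(|64)(\/|$)|^\/usr\/lib(|64)(\/|$)` keeps the libexec exclusion while still matching the top-level library directories. Worth confirming with a scan against a test file placed directly in `/lib64` with a non-root owner.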
@@ -0,0 +1,31 @@
+From 4f9987487d11001ef666408dc88abaf783fa7395 Mon Sep 17 00:00:00 2001
+From: Marek Haicman
+Date: Tue, 12 Dec 2017 00:04:39 +0100
+Subject: [PATCH] Fixed few remediation errors caused by missing include.
+
+---
+ ...el7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh | 2 ++
+ shared/fixes/bash/disable_ctrlaltdel_burstaction.sh | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
+index 26498471e..755d483ac 100644
+--- a/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
++++ b/shared/bash_remediation_functions/rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh
+@@ -1,3 +1,5 @@
++source fix_audit_syscall_rule.sh
++
+ # Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
+ # system calls on Red Hat Enterprise Linux 7 or Fedora OSes
+ function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation {
+diff --git a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
+index ab01748c8..5266cf255 100644
+--- a/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
++++ b/shared/fixes/bash/disable_ctrlaltdel_burstaction.sh
+@@ -1,3 +1,6 @@
+ # platform = Red Hat Enterprise Linux 7, multi_platform_fedora
+ 
++# Include source function library.
++. /usr/share/scap-security-guide/remediation_functions
++
+ replace_or_append '/etc/systemd/system.conf' '^CtrlAltDelBurstAction=' 'none' '@CCENUM@' '%s=%s'
diff --git a/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path
new file mode 100644
index 0000000..242934a
--- /dev/null
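Review bot: `source fix_audit_syscall_rule.sh` in rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation.sh uses a bare file name, so bash resolves it through `$PATH` (and the current directory when not in POSIX mode) at load time, which makes the include depend on the caller's environment rather than on where the file lives; the sibling hunk in disable_ctrlaltdel_burstaction.sh uses an absolute path instead. If this file is meant to be concatenated into the installed remediation_functions library (not visible here), the `source` line should go and the concatenation order should put fix_audit_syscall_rule.sh first; if it is loaded on its own, anchor the include to the file's own directory: `source "$(dirname "${BASH_SOURCE[0]}")/fix_audit_syscall_rule.sh"`. The function body continues past the end of the hunk.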
+++ b/SOURCES/scap-security-guide-0.1.37-fix-srg-table-empty-column.path @@ -0,0 +1,51 @@ +From 8b43d43533cf4a00de60da71a8aaa6e87776766f Mon Sep 17 00:00:00 2001 +From: Gabe +Date: Fri, 3 Nov 2017 10:36:57 -0600 +Subject: [PATCH] Remove CCI formatting from shared table-srgmap XSLT + +- CCI formatting is now done in earlier XSLT transformations. +- Fixes #2447 +--- + shared/transforms/shared_table-srgmap.xslt | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/shared/transforms/shared_table-srgmap.xslt b/shared/transforms/shared_table-srgmap.xslt +index 4a50dea33..7179f560e 100644 +--- a/shared/transforms/shared_table-srgmap.xslt ++++ b/shared/transforms/shared_table-srgmap.xslt +@@ -46,7 +46,7 @@ + + + +- ++ + + + +@@ -77,10 +77,9 @@ + + + +- +- +- +- ++ ++ ++ + + + +@@ -100,10 +99,9 @@ + + + +- +- ++ + +- ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch new file mode 100644 index 0000000..8aeb431 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-sshd_required-unset.patch 
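Review bot: The new file is named `scap-security-guide-0.1.37-fix-srg-table-empty-column.path`, while every other patch added in this import ends in `.patch`; the spec's `PatchN:` line (not in this chunk) must carry the same misspelled name for rpmbuild to find it. Renaming it to `scap-security-guide-0.1.37-fix-srg-table-empty-column.patch` and updating that spec line keeps SOURCES/ consistent and stops the file from being missed by tooling or reviewers that look for `*.patch`. The XSLT hunk bodies inside the file are not legible here, so the transform change itself is not reviewed.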
@@ -0,0 +1,822 @@ +From 939d1cfd84b980e3a96dd1d82dfddcabf4b2a34a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 8 Dec 2017 15:14:26 +0100 +Subject: [PATCH 1/6] Drop check of package in sshd_required definitions + +This is not the best place to check if openssh-server is installed. + +We can check for openssh-server package when sshd is required and not +required. +But when sshd_required is not set, we don't check if openssh-server is +installed or not, because both are valid states. + +This gives the impression that when extending sshd_required_or_unset +and sshd_not_required_or_unset there is no need to check for +openssh-server package, which is not true. + +The only purpose of these definitions should be to check for state of +sshd_required value. +--- + shared/checks/oval/sshd_not_required_or_unset.xml | 6 +----- + shared/checks/oval/sshd_required_or_unset.xml | 6 +----- + 2 files changed, 2 insertions(+), 10 deletions(-) + +diff --git a/shared/checks/oval/sshd_not_required_or_unset.xml b/shared/checks/oval/sshd_not_required_or_unset.xml +index 76bf1b9b4..206b1b474 100644 +--- a/shared/checks/oval/sshd_not_required_or_unset.xml ++++ b/shared/checks/oval/sshd_not_required_or_unset.xml +@@ -9,11 +9,7 @@ + If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good. + + +- +- +- +- ++ + + +diff --git a/shared/checks/oval/sshd_required_or_unset.xml b/shared/checks/oval/sshd_required_or_unset.xml +index 04d6a687b..4518b181f 100644 +--- a/shared/checks/oval/sshd_required_or_unset.xml ++++ b/shared/checks/oval/sshd_required_or_unset.xml +@@ -9,11 +9,7 @@ + If SSHD is required, we check it is installed. If SSH requirement is unset, we are good. 
+ + +- +- +- +- ++ + + + +From 0b02493e535e9b529af9eb71bf97f5b02d04c89e Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Dec 2017 18:09:47 +0100 +Subject: [PATCH 2/6] Also check state openssh-server package when + sshd_required is unset + +Explicitly check state of openssh-server package. +When openssh-server is installed, system should be configured, when not +installed, system is ok. +When sshd_required is set, either to required or not required, they act +as selector of openssh-server package state. If sshd_required is unset, +the state of openssh-server package selects whether system should be +configured or not. +--- + rhel7/checks/oval/sshd_disable_compression.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_disable_gssapi_auth.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_disable_kerb_auth.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_enable_strictmodes.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- + rhel7/checks/oval/sshd_use_priv_separation.xml | 14 ++++++++++---- + shared/checks/oval/disable_host_auth.xml | 15 +++++++++++---- + shared/checks/oval/sshd_allow_only_protocol2.xml | 15 +++++++++++---- + shared/checks/oval/sshd_disable_empty_passwords.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_rhosts.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_rhosts_rsa.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_root_login.xml | 14 ++++++++++---- + shared/checks/oval/sshd_disable_user_known_hosts.xml | 15 +++++++++++---- + shared/checks/oval/sshd_do_not_permit_user_env.xml | 14 ++++++++++---- + shared/checks/oval/sshd_enable_warning_banner.xml | 14 ++++++++++---- + shared/checks/oval/sshd_enable_x11_forwarding.xml | 14 ++++++++++---- + shared/checks/oval/sshd_print_last_log.xml | 14 ++++++++++---- + shared/checks/oval/sshd_set_idle_timeout.xml | 18 ++++++++++++------ + shared/checks/oval/sshd_set_keepalive.xml | 14 ++++++++++---- + 
shared/checks/oval/sshd_use_approved_ciphers.xml | 18 ++++++++++++------ + shared/checks/oval/sshd_use_approved_macs.xml | 14 ++++++++++---- + 21 files changed, 217 insertions(+), 88 deletions(-) + +diff --git a/rhel7/checks/oval/sshd_disable_compression.xml b/rhel7/checks/oval/sshd_disable_compression.xml +index 8a4334f06..014741fe1 100644 +--- a/rhel7/checks/oval/sshd_disable_compression.xml ++++ b/rhel7/checks/oval/sshd_disable_compression.xml +@@ -7,13 +7,19 @@ + + SSH should either have compression disabled or set to delayed. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml +index ee184b8e8..5f32edc1e 100644 +--- a/rhel7/checks/oval/sshd_disable_gssapi_auth.xml ++++ b/rhel7/checks/oval/sshd_disable_gssapi_auth.xml +@@ -8,13 +8,19 @@ + Unless needed, disable the GSSAPI authentication option for + the SSH Server. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_disable_kerb_auth.xml b/rhel7/checks/oval/sshd_disable_kerb_auth.xml +index c63cef03e..6f0e0babe 100644 +--- a/rhel7/checks/oval/sshd_disable_kerb_auth.xml ++++ b/rhel7/checks/oval/sshd_disable_kerb_auth.xml +@@ -8,13 +8,19 @@ + Unless needed, disable the Kerberos authentication option for + the SSH Server. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_enable_strictmodes.xml b/rhel7/checks/oval/sshd_enable_strictmodes.xml +index 1346191d5..7728f6ae6 100644 +--- a/rhel7/checks/oval/sshd_enable_strictmodes.xml ++++ b/rhel7/checks/oval/sshd_enable_strictmodes.xml +@@ -8,13 +8,19 @@ + Enable StrictMode to check users home directory permissions + and configurations. 
+ +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_use_approved_macs.xml b/rhel7/checks/oval/sshd_use_approved_macs.xml +index bd05a5152..20b57041b 100644 +--- a/rhel7/checks/oval/sshd_use_approved_macs.xml ++++ b/rhel7/checks/oval/sshd_use_approved_macs.xml +@@ -9,13 +9,19 @@ + + + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/rhel7/checks/oval/sshd_use_priv_separation.xml b/rhel7/checks/oval/sshd_use_priv_separation.xml +index c5ae32c27..2ec883fea 100644 +--- a/rhel7/checks/oval/sshd_use_priv_separation.xml ++++ b/rhel7/checks/oval/sshd_use_priv_separation.xml +@@ -8,13 +8,19 @@ + Use priviledge separation to cause the SSH process to drop + root privileges when not needed. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/disable_host_auth.xml b/shared/checks/oval/disable_host_auth.xml +index 3e4cc5aea..3a00964ab 100644 +--- a/shared/checks/oval/disable_host_auth.xml ++++ b/shared/checks/oval/disable_host_auth.xml +@@ -7,12 +7,19 @@ + + SSH host-based authentication should be disabled. + +- +- ++ ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_allow_only_protocol2.xml b/shared/checks/oval/sshd_allow_only_protocol2.xml +index 0a7ace128..224010263 100644 +--- a/shared/checks/oval/sshd_allow_only_protocol2.xml ++++ b/shared/checks/oval/sshd_allow_only_protocol2.xml +@@ -9,12 +9,19 @@ + + The OpenSSH daemon should be running protocol 2. 
+ +- +- ++ ++ ++ ++ ++ + +- ++ + + + Remote connections from accounts with empty passwords should + be disabled (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_rhosts.xml b/shared/checks/oval/sshd_disable_rhosts.xml +index 86eb94a22..163ccfca5 100644 +--- a/shared/checks/oval/sshd_disable_rhosts.xml ++++ b/shared/checks/oval/sshd_disable_rhosts.xml +@@ -8,13 +8,19 @@ + Emulation of the rsh command through the ssh server should + be disabled (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_rhosts_rsa.xml b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +index 2abf88c70..e949fb031 100644 +--- a/shared/checks/oval/sshd_disable_rhosts_rsa.xml ++++ b/shared/checks/oval/sshd_disable_rhosts_rsa.xml +@@ -8,13 +8,19 @@ + SSH can allow authentication through the obsolete rsh command + through the use of the authenticating user's SSH keys. This should be disabled. + +- +- ++ ++ ++ ++ + +- ++ + + + Root login via SSH should be disabled (and dependencies are + met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_disable_user_known_hosts.xml b/shared/checks/oval/sshd_disable_user_known_hosts.xml +index cc01ec6ca..0e121d496 100644 +--- a/shared/checks/oval/sshd_disable_user_known_hosts.xml ++++ b/shared/checks/oval/sshd_disable_user_known_hosts.xml +@@ -9,12 +9,19 @@ + to connect to systems if a cache of the remote systems public keys are available. + This should be disabled. 
+ +- +- ++ ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_do_not_permit_user_env.xml b/shared/checks/oval/sshd_do_not_permit_user_env.xml +index ad8ecdf68..afb799e20 100644 +--- a/shared/checks/oval/sshd_do_not_permit_user_env.xml ++++ b/shared/checks/oval/sshd_do_not_permit_user_env.xml +@@ -7,13 +7,19 @@ + + PermitUserEnvironment should be disabled + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_enable_warning_banner.xml b/shared/checks/oval/sshd_enable_warning_banner.xml +index 933822eb6..cd14ec9e9 100644 +--- a/shared/checks/oval/sshd_enable_warning_banner.xml ++++ b/shared/checks/oval/sshd_enable_warning_banner.xml +@@ -8,13 +8,19 @@ + SSH warning banner should be enabled (and dependencies are + met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_enable_x11_forwarding.xml b/shared/checks/oval/sshd_enable_x11_forwarding.xml +index 3aa45e51b..0a0e1bafd 100644 +--- a/shared/checks/oval/sshd_enable_x11_forwarding.xml ++++ b/shared/checks/oval/sshd_enable_x11_forwarding.xml +@@ -7,13 +7,19 @@ + + Enable X11Forwarding to encrypt X11 remote connections over SSH. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_print_last_log.xml b/shared/checks/oval/sshd_print_last_log.xml +index 29367969d..83bc0df79 100644 +--- a/shared/checks/oval/sshd_print_last_log.xml ++++ b/shared/checks/oval/sshd_print_last_log.xml +@@ -8,13 +8,19 @@ + Enable PrintLastLog to display user's last login time + and date. + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_set_idle_timeout.xml b/shared/checks/oval/sshd_set_idle_timeout.xml +index a414790a0..180e87d83 100644 +--- a/shared/checks/oval/sshd_set_idle_timeout.xml ++++ b/shared/checks/oval/sshd_set_idle_timeout.xml +@@ -8,14 +8,20 @@ + The SSH idle timeout interval should be set to an + appropriate value. 
+ +- +- ++ +- +- +- ++ ++ ++ ++ ++ + + +diff --git a/shared/checks/oval/sshd_set_keepalive.xml b/shared/checks/oval/sshd_set_keepalive.xml +index 5640638ae..8774e1d25 100644 +--- a/shared/checks/oval/sshd_set_keepalive.xml ++++ b/shared/checks/oval/sshd_set_keepalive.xml +@@ -8,13 +8,19 @@ + The SSH ClientAliveCountMax should be set to an appropriate + value (and dependencies are met) + +- +- ++ ++ ++ ++ + +- ++ + + +diff --git a/shared/checks/oval/sshd_use_approved_ciphers.xml b/shared/checks/oval/sshd_use_approved_ciphers.xml +index 84088aa5c..5a4e3a1f9 100644 +--- a/shared/checks/oval/sshd_use_approved_ciphers.xml ++++ b/shared/checks/oval/sshd_use_approved_ciphers.xml +@@ -9,13 +9,19 @@ + + + +- +- +- +- ++ ++ ++ ++ ++ ++ ++ + + +diff --git a/shared/checks/oval/sshd_use_approved_macs.xml b/shared/checks/oval/sshd_use_approved_macs.xml +index d2f622af1..b403d0449 100644 +--- a/shared/checks/oval/sshd_use_approved_macs.xml ++++ b/shared/checks/oval/sshd_use_approved_macs.xml +@@ -9,13 +9,19 @@ + + + +- +- ++ ++ ++ ++ + +- ++ + + + +From 441881052627a5b14be015d74d36d271f9268908 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 13 Dec 2017 18:22:29 +0100 +Subject: [PATCH 3/6] Remove backslashes from echo command + +Echo command output is literal, there is no need for backslashes +--- + .../rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh +index 227611543..7172539c7 100644 +--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh ++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_approved_ciphers/correct_scrambled.pass.sh +@@ -5,5 +5,5 @@ + if grep -q "^Ciphers" /etc/ssh/sshd_config; 
then + sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config + else +- echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config ++ echo "Ciphers aes128-ctr,aes192-ctr,aes192-cbc,aes256-cbc,aes256-ctr,aes128-cbc,3des-cbc,rijndael-cbc@lysator.liu.se" >> /etc/ssh/sshd_config + fi + +From 995a5e64eb841c73849571395cc985f94607c4cb Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Dec 2017 11:12:13 +0100 +Subject: [PATCH 4/6] Fix test scenarios for sshd_use_priv_separation + +As of PR #2162 the Rule checks for "sandbox" +--- + .../rule_sshd_use_priv_separation/correct_value.pass.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh +index d63caa85b..36e8c1bba 100644 +--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh ++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_use_priv_separation/correct_value.pass.sh +@@ -3,7 +3,7 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 + + if grep -q "^UsePrivilegeSeparation" /etc/ssh/sshd_config; then +- sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/" /etc/ssh/sshd_config ++ sed -i "s/^UsePrivilegeSeparation.*/UsePrivilegeSeparation sandbox/" /etc/ssh/sshd_config + else +- echo "UsePrivilegeSeparation yes" >> /etc/ssh/sshd_config ++ echo "UsePrivilegeSeparation sandbox" >> /etc/ssh/sshd_config + fi + +From 877f3620d7462e2af6727a9feff16d6a7f08a239 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Dec 2017 11:40:07 +0100 +Subject: [PATCH 5/6] Fix test scenarios for sshd_disable_kerb_auth + 
+As of Pr #2463, the definition checks for ausence of +"KerberosAuthentication yes", as default setting is not enabled. +--- + .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh | 9 --------- + .../group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh | 9 +++++++++ + .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0 + 3 files changed, 9 insertions(+), 9 deletions(-) + delete mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh + create mode 100644 tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh + rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/{line_not_there.fail.sh => line_not_there.pass.sh} (100%) + +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh +deleted file mode 100644 +index 3ae082173..000000000 +--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.fail.sh ++++ /dev/null +@@ -1,9 +0,0 @@ +-#!/bin/bash +-# +-# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 +- +-if grep -q "^KerberosAuthentication" /etc/ssh/sshd_config; then +- sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication no/" /etc/ssh/sshd_config +-else +- echo "# KerberosAuthentication no" >> /etc/ssh/sshd_config +-fi +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh +new file mode 100644 +index 000000000..c7d58fbc6 +--- /dev/null ++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/comment.pass.sh +@@ -0,0 +1,9 @@ ++#!/bin/bash ++# ++# profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 ++ ++if grep -q 
"^KerberosAuthentication" /etc/ssh/sshd_config; then ++ sed -i "s/^KerberosAuthentication.*/# KerberosAuthentication yes/" /etc/ssh/sshd_config ++else ++ echo "# KerberosAuthentication yes" >> /etc/ssh/sshd_config ++fi +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh +similarity index 100% +rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.fail.sh +rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_disable_kerb_auth/line_not_there.pass.sh + +From 4ebe165ede448c8998251257998cc94ea5cf3786 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Dec 2017 11:52:39 +0100 +Subject: [PATCH 6/6] Fix test scenarios for sshd_enable_strictmodes + +As of Pr #2463, the definition checks fo ausence of "StrictModes no", as +default value is enabled already. 
+--- + .../rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} | 4 ++-- + .../{line_not_there.fail.sh => line_not_there.pass.sh} | 0 + 2 files changed, 2 insertions(+), 2 deletions(-) + rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{comment.fail.sh => comment.pass.sh} (53%) + rename tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/{line_not_there.fail.sh => line_not_there.pass.sh} (100%) + +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh +similarity index 53% +rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh +rename to tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh +index 3d3b90875..bac02cb4f 100644 +--- a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.fail.sh ++++ b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/comment.pass.sh +@@ -3,7 +3,7 @@ + # profiles = xccdf_org.ssgproject.content_profile_ospp-rhel7 + + if grep -q "^StrictModes" /etc/ssh/sshd_config; then +- sed -i "s/^StrictModes.*/# StrictModes yes/" /etc/ssh/sshd_config ++ sed -i "s/^StrictModes.*/# StrictModes no/" /etc/ssh/sshd_config + else +- echo "# StrictModes yes" >> /etc/ssh/sshd_config ++ echo "# StrictModes no" >> /etc/ssh/sshd_config + fi +diff --git a/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh b/tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh +similarity index 100% +rename from tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.fail.sh +rename to 
tests/data/group_services/group_ssh/group_ssh_server/rule_sshd_enable_strictmodes/line_not_there.pass.sh diff --git a/SOURCES/scap-security-guide-0.1.37-fix-title.patch b/SOURCES/scap-security-guide-0.1.37-fix-title.patch new file mode 100644 index 0000000..7d41a1b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-title.patch @@ -0,0 +1,20 @@ +From a29a5b25a537298144d43a1deba5f8fe14fd1472 Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Sat, 9 Dec 2017 00:21:10 +0100 +Subject: [PATCH] Fix title of DISA STIG profile in RHEL6 DS. + +--- + rhel6/profiles/stig-rhel6-disa.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel6/profiles/stig-rhel6-disa.xml b/rhel6/profiles/stig-rhel6-disa.xml +index eec5e92e5..9694d6591 100644 +--- a/rhel6/profiles/stig-rhel6-disa.xml ++++ b/rhel6/profiles/stig-rhel6-disa.xml +@@ -1,5 +1,5 @@ + +-DISA STIG for Red Hat Enterprise Linux 6 ++DISA STIG for Red Hat Enterprise Linux 6 + + This profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux 6. diff --git a/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch new file mode 100644 index 0000000..06a0fa1 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.37-fix-umask_for_daemons.patch 
@@ -0,0 +1,39 @@ +From 810c6774166d8b591300322e269acd6a1d3554ef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= +Date: Tue, 5 Dec 2017 16:15:46 +0100 +Subject: [PATCH] RHBZ #1520493: Fix umask_for_daemons + +OpenSCAP evaluated this rule as "error" because it tried to evauluate +the variable 'var_umask_for_daemons_umask_as_number', which was defined +as external, but in fact is created in other definition. OpenSCAP +could not find its value. The fix is very similar to PR #1945. +--- + shared/checks/oval/umask_for_daemons.xml | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/shared/checks/oval/umask_for_daemons.xml b/shared/checks/oval/umask_for_daemons.xml +index 7f54e4957..a8ce76275 100644 +--- a/shared/checks/oval/umask_for_daemons.xml ++++ b/shared/checks/oval/umask_for_daemons.xml +@@ -61,12 +61,6 @@ + + + +- +- +- + + +@@ -77,6 +71,8 @@ + var_etc_init_d_functions_umask_as_number + + ++ + + + diff --git a/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch new file mode 100644 index 0000000..9e484b4 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.38-fix-reference-to-pam-config-manual.patch 
@@ -0,0 +1,22 @@ +From b0b3bf1153e72f178400ef91b722d7fcdab94277 Mon Sep 17 00:00:00 2001 +From: Marek Haicman +Date: Fri, 5 Jan 2018 22:54:11 +0100 +Subject: [PATCH] Fixing reference to outdated PAM configuration manual + +--- + shared/xccdf/system/accounts/pam.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shared/xccdf/system/accounts/pam.xml b/shared/xccdf/system/accounts/pam.xml +index 5ba904da1..572a1216c 100644 +--- a/shared/xccdf/system/accounts/pam.xml ++++ b/shared/xccdf/system/accounts/pam.xml +@@ -39,7 +39,7 @@ most users. + files, destroying any manually made changes and replacing them with + a series of system defaults. One reference to the configuration + file syntax can be found at +- ++ + . + + = 1.2.5, python-lxml, cmake >= 2.8 +Requires: xml-common, openscap-scanner >= 1.2.5 + +%description +The scap-security-guide project provides a guide for configuration of the +system from the final system's security point of view. The guidance is +specified in the Security Content Automation Protocol (SCAP) format and +constitutes a catalog of practical hardening advice, linked to government +requirements where applicable. The project bridges the gap between generalized +policy requirements and specific implementation guidelines. The Red Hat +Enterprise Linux 7 system administrator can use the oscap command-line tool +from the openscap-utils package to verify that the system conforms to provided +guideline. Refer to scap-security-guide(8) manual page for further information. + +%package doc +Summary: HTML formatted documents containing security guides generated from XCCDF benchmarks. +Group: System Environment/Base +Requires: %{name} = %{version}-%{release} + +%description doc +The %{name}-doc package contains HTML formatted documents containing security guides that have +been generated from XCCDF benchmarks present in %{name} package. 
+
+%prep
+%setup -q -n %{name}-%{version}
+# Update manual page to drop the part dedicated to Fedora content
+%patch1 -p1 -b .man_page_update
+%patch2 -p1 -b .add_disa_stig_rule_id
+# patch2 introduces a script that build system needs to execute
+chmod u+x shared/utils/add_stig_references.py
+mkdir build
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523809
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2479
+%patch3 -p1 -b .libexec_ownership
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521081
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2481
+%patch4 -p1 -b .title
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523827
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2480
+%patch5 -p1 -b .RhostsRSAAuthentication
+# Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1520493
+# Taken from https://github.com/OpenSCAP/scap-security-guide/pull/2476
+%patch6 -p1 -b .umask_for_daemons
+%patch7 -p1 -b .sshd_required_unset
+%patch8 -p1 -b .bash_remediation_include
+%patch9 -p1 -b .srg_table_column_empty
+%patch10 -p1 -b .reference_pam_config
+
+%build
+cd build
+%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \
+-DSSG_PRODUCT_CHROMIUM:BOOL=OFF \
+-DSSG_PRODUCT_DEBIAN8:BOOL=OFF \
+-DSSG_PRODUCT_FEDORA:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_EAP6:BOOL=OFF \
+-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF \
+-DSSG_PRODUCT_OCP3:BOOL=OFF \
+-DSSG_PRODUCT_OPENSUSE:BOOL=OFF \
+-DSSG_PRODUCT_OSP7:BOOL=OFF \
+-DSSG_PRODUCT_RHEV3:BOOL=OFF \
+-DSSG_PRODUCT_SUSE11:BOOL=OFF \
+-DSSG_PRODUCT_SUSE12:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU14:BOOL=OFF \
+-DSSG_PRODUCT_UBUNTU16:BOOL=OFF \
+-DSSG_PRODUCT_WRLINUX:BOOL=OFF \
+-DSSG_PRODUCT_WEBMIN:BOOL=OFF \
+-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
+-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
+make %{?_smp_mflags}
+
+%install
+cd build
+%make_install
+
+%files
+%defattr(-,root,root,-)
+%{_datadir}/xml/scap
+%{_datadir}/%{name}
+%lang(en) %{_mandir}/man8/scap-security-guide.8.gz
+%doc LICENSE
+%doc Contributors.md
+%doc README.md
+%doc DISCLAIMER
+# All files installed by cmake are automatically include in main package
+# We exclude the guides to here add them in doc package
+%exclude %{_pkgdocdir}/guides/
+
+%files doc
+%defattr(-,root,root,-)
+%doc build/guides/ssg-*-guide-*.html
+
+%changelog
+* Mon Jan 08 2018 Watson Yuuma Sato - 0.1.36-7
+- Fix sshd_required unset (RHBZ#1522956)
+- Fix missing bash remediation functions include (RHBZ#1524738)
+- Fix empty columns in SRG HTML Table (RHBZ#1531105)
+- Fix reference to oudated PAM config manual (RHBZ#1447760)
+
+* Tue Dec 12 2017 Watson Yuuma Sato - 0.1.36-6
+- Rebuild with OpenSCAP 1.2.16
+
+* Mon Dec 11 2017 Matěj Týč - 0.1.36-5
+- Patched not to check library ownership in libexec.
+- Patched to fix title of DISA STIG profile.
+- Patched to deprecate RhostsRSAAuthentication.
+- Patched to fix umask_for_daemons.
+
+* Thu Nov 16 2017 Watson Yuuma Sato - 0.1.36-4
+- Rebuild with OpenSCAP 1.2.16
+
+* Tue Nov 14 2017 Watson Yuuma Sato - 0.1.36-3
+- Add DISA STIG Rule IDs to XCCDF Rules with STIGID
+
+* Fri Nov 03 2017 Watson Yuuma Sato - 0.1.36-2
+- Fix configuration to not build new products introduced in upstream
+
+* Fri Nov 03 2017 Watson Yuuma Sato - 0.1.36-1
+- Update to upstream release 0.1.36
+- Introduction of SCAP Security Guide Test Suite
+- Better alignment of RHEL6 and RHEL7 with DISA STIG
+- Remove JBoss EAP5 content due to being End-of-Life
+- New STIG Profile for JBOSS EAP 6
+- Updates in C2S Profile for RHEL 7
+- Variables can be directly tailored in Ansible roles
+- Content presents less false positives in containers
+- Changes in directory layout
+
+* Wed Sep 20 2017 Watson Yuuma Sato - 0.1.35-2
+- Do not build content for JBOSS EAP6
+
+* Wed Sep 20 2017 Watson Yuuma Sato - 0.1.35-1
+- Update to upstream release 0.1.35
+- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017
+- Added several templates for OVAL checks
+- Many optimizations in 
build process +- Different title for PCI-DSS Benchmark variants +- Remediation roles moved to /usr/share/scap-security +- Fix duplicated roles and guides (RHBZ#1465691) + +* Tue Sep 19 2017 Watson Sato 0.1.33-6 +- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414) + +* Wed Jun 14 2017 Watson Sato 0.1.33-5 +- Fix Anaconda Smartcard auth remediation (RHBZ#1461330) + +* Fri May 19 2017 Watson Sato 0.1.33-4 +- Fix specfile to not include tables twice + +* Fri May 19 2017 Watson Sato 0.1.33-3 +- Fix malformed title of profile nist-800-171-cui + +* Fri May 19 2017 Watson Sato 0.1.33-2 +- Fix emtpy ospp-rhel7 table +- Fix Anaconda remediation templates (RHBZ#1450731) + +* Mon May 01 2017 Watson Sato 0.1.33-1 +- Update to upstream version 0.1.33 +- DISA RHEL7 STIG profile alignment improved +- Introduction of remediation roles +- RPM and DEB test packages are built by CMake with CPack +- Lots of remediation fixes + +* Tue Mar 28 2017 Watson Sato 0.1.32-1 +- Update to upstream version 0.1.32 +- New CMake build system +- Improved NIST 800-171 profile +- Initial RHVH profile +- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container) +- Template clean up in lots of remediations + +* Fri Mar 10 2017 Watson Sato 0.1.30-6 +- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144) + +* Tue Feb 14 2017 Watson Sato 0.1.30-5 +- Fix template remediation function used by SSHD remediation +- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152) + +* Tue Jan 31 2017 Watson Sato 0.1.30-4 +- Correct remediation for SSHD which caused it not to start (RH BZ#1415152) + +* Wed Aug 10 2016 Jan iankko Lieskovsky 0.1.30-3 +- Correct the remediation script for 'Enable Smart Card Login' rule + for Red Hat Enterprise Linux 7 (RH BZ#1357019) + +* Thu Jul 14 2016 Jan iankko Lieskovsky 0.1.30-2 +- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark + having the identical title (RH 
BZ#1351541) +- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts' + rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root + Account for Failed Password Attempts' rule to report correct system status + WRT to these requirements also in the case the SSSD daemon is used + (RH BZ#1344581) +- Include currently available kickstart files and produced HTML tables for + Red Hat Enterprise Linux 6 and 7 products into the produced RPM package + (RH BZ#1351751) + +* Wed Jun 22 2016 Jan iankko Lieskovsky 0.1.30-1 +- Update to upstream's 0.1.30 release: + https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30 + (RH BZ#1289533) +- Drop remediation functions library since starting from 0.1.30 release + remediation scripts are part of the benchmarks directly +- Drop three patches that have been accepted upstream in the meantime +- Update drop-rpm-verify-permissions-rule patch to work properly against + 0.1.30 release + +* Fri Oct 02 2015 Jan iankko Lieskovsky 0.1.25-3 +- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS + profile for Red Hat Enterprise Linux 7 (RH BZ#1267861) + +* Wed Sep 09 2015 Jan iankko Lieskovsky 0.1.25-2 +- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7 + +* Wed Aug 19 2015 Jan iankko Lieskovsky 0.1.25-1 +- Rebase to upstream 0.1.25 release + +* Tue Aug 04 2015 Jan iankko Lieskovsky 0.1.24-4 +- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny' + rule + +* Mon Aug 03 2015 Jan iankko Lieskovsky 0.1.24-3 +- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule + for Red Hat Enterprise Linux 7 product +- Override title and description for all existing profiles for Red Hat + Enterprise Linux 6 product that are extending another SCAP profile + (RHBZ#1246529) +- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile + kickstart file for Red Hat Enterprise Linux 7 product +- Add 
remediation script for 'audit_rules_time_clock_settime' rule for + Red Hat Enterprise Linux 7 product +- Add remediation scripts for 'audit_rules_time_adjtimex', + 'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for + Red Hat Enterprise Linux 7 product +- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with + "Draft" label +- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise + Linux 7 product: + * dconf_gnome_screensaver_idle_delay -- missing remediation script, + * dconf_gnome_screensaver_idle_activation -- missing remediation script, + * dconf_gnome_screensaver_lock_enabled -- missing remediation script, + * audit_rules_login_events -- incorrect OVAL check (upstream issue #607), + * audit_rules_privileged_commands -- missing remediation script, and + * audit_rules_immutable -- missing remediation script. + +* Mon Aug 03 2015 Martin Preisler 0.1.24-2 +- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product + into multiple lines, prevents HTML guide UX issues + +* Tue Jul 07 2015 Jan iankko Lieskovsky 0.1.24-1 +- Rebase to upstream scap-security-guide-0.1.24 version +- Start producing the -doc subpackage to provide the HTML formatted + documents containing security guides generated from shipped XCCDF benchmarks + +* Mon Jun 22 2015 Jan iankko Lieskovsky 0.1.23-1 +- Rebase to upstream scap-security-guide-0.1.23 version +- Update upstream tarball source URL to GitHub archive location +- Drop the following patches that have been accepted upstream: + * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch + * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch + * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch + * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch + * scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch + * 
scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch + * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch + * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch + * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch +- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks +- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6 + +* Tue Oct 21 2014 Jan iankko Lieskovsky 0.1.19-2 +- Fix Limit Password Reuse remediation script error +- Fix Set Deny For Failed Password Attempts remediation script error +- Use RHT-CCP profile name when generating HTML guide +- Describe RHT-CCP profile in the manual page + +* Mon Sep 29 2014 Jan iankko Lieskovsky 0.1.19-1 +- Include RHEL-7 content (RHT-CCP profile only) +- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel +- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools +- Update manual page to be more appropriate for RHEL-7 +- Drop RHEL-6 C2S profile update patch since merged upstream + +* Tue Sep 02 2014 Jan iankko Lieskovsky 0.1.18-4 +- Initial build for Red Hat Enterprise Linux 7 + +* Thu Aug 28 2014 Jan iankko Lieskovsky 0.1.18-3 +- Update C2S profile per request from CIS + +* Thu Jun 26 2014 Jan iankko Lieskovsky 0.1.18-2 +- Include the upstream STIG for RHEL 6 Server profile disclaimer file too + +* Sun Jun 22 2014 Jan iankko Lieskovsky 0.1.18-1 +- Make new 0.1.18 release + +* Wed May 14 2014 Jan iankko Lieskovsky 0.1.17-2 +- Drop vendor line from the spec file. Let the build system to provide it. 
+ +* Fri May 09 2014 Jan iankko Lieskovsky 0.1.17-1 +- Upgrade to upstream 0.1.17 version + +* Mon May 05 2014 Jan iankko Lieskovsky 0.1.16-2 +- Initial RPM for RHEL base channels + +* Mon May 05 2014 Jan iankko Lieskovsky 0.1.16-1 +- Change naming scheme (0.1-16 => 0.1.16-1) + +* Fri Feb 21 2014 Jan iankko Lieskovsky 0.1-16 +- Include datastream file into RHEL6 RPM package too +- Bump version + +* Tue Dec 24 2013 Shawn Wells 0.1-16.rc2 ++ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream + +* Mon Dec 23 2013 Shawn Wells 0.1-16.rc1 +- [bugfix] RHEL6 no_empty_passwords remediation script overwrote + system-auth symlink. Added --follow-symlink to sed command. + +* Fri Nov 01 2013 Jan iankko Lieskovsky 0.1-15 +- Version bump + +* Sat Oct 26 2013 Jan iankko Lieskovsky 0.1-15.rc5 +- Point the spec's source to proper remote tarball location +- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM + +* Sat Oct 26 2013 Jan iankko Lieskovsky 0.1-15.rc4 +- Don't include the table html files two times +- Remove makewhatis + +* Fri Oct 25 2013 Shawn Wells 0.1-15.rc3 +- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/* +- Numberous XCCDF->OVAL naming schema updates +- All rules now have CCE + +* Fri Oct 25 2013 Shawn Wells 0.1-15.rc2 +- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6) + +* Fri Oct 25 2013 Jan iankko Lieskovsky 0.1-15.rc1 +- Apply spec file changes required by review request (RH BZ#1018905) + +* Thu Oct 24 2013 Shawn Wells 0.1-14 +- Formal RPM release +- Inclusion of rht-ccp profile +- OVAL unit testing patches +- Bash remediation patches +- Bugfixes + +* Mon Oct 07 2013 Jan iankko Lieskovsky 0.1-14.rc1 +- Change RPM versioning scheme to include release into tarball + +* Sat Sep 28 2013 Shawn Wells 0.1-13 +- Updated RPM spec file to fix rpmlint warnings + +* Wed Jun 26 2013 Shawn Wells 0.1-12 +- Updated RPM version to 0.1-12 + +* Fri Apr 26 2013 Shawn Wells 
0.1-11 +- Significant amount of OVAL bugfixes +- Incorporation of Draft RHEL/6 STIG feedback + +* Sat Feb 16 2013 Shawn Wells 0.1-10 +- `man scap-security-guide` +- OVAL bug fixes +- NIST 800-53 mappings update + +* Wed Nov 28 2012 Shawn Wells 0.1-9 +- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!) +- Reverting to noarch RPM + +* Tue Nov 27 2012 Shawn Wells 0.1-8 +- Significant copy editing to XCCDF rules per community + feedback on the DISA RHEL/6 STIG Initial Draft + +* Thu Nov 1 2012 Shawn Wells 0.1-7 +- Corrected XCCDF content errors +- OpenSCAP now supports CPE dictionaries, important to + utilize --cpe-dict when scanning machines with OpenSCAP, + e.g.: + $ oscap xccdf eval --profile stig-server \ + --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml + +* Mon Oct 22 2012 Shawn Wells 0.1-6 +- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6) +- Updated RPM includes feedback received from DoD Consensus meetings + +* Fri Oct 5 2012 Jeffrey Blank 1.0-5 +- Adjusted installation directory to /usr/share/xml/scap. + +* Tue Aug 28 2012 Spencer Shimko 1.0-4 +- Fix BuildRequires and Requires. + +* Tue Jul 3 2012 Jeffrey Blank 1.0-3 +- Modified install section, made description more concise. + +* Thu Apr 19 2012 Spencer Shimko 1.0-2 +- Minor updates to pass some variables in from build system. + +* Mon Apr 02 2012 Shawn Wells 1.0-1 +- First attempt at SSG RPM. May ${deity} help us...