diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch new file mode 100644 index 0000000..b5fd3d3 --- /dev/null +++ b/SOURCES/centos-debranding.patch @@ -0,0 +1,241 @@ +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile 2020-04-02 00:12:34.138435758 +0000 +@@ -2,7 +2,8 @@ documentation_complete: true + + title: 'DRAFT - ANSSI DAT-NT28 (minimal)' + +-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des ++description: ' **Not applicable to CentOS Linux, included for reference only** ++ Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des + systèmes d''information. Based on https://www.ssi.gouv.fr/.' + + selections: +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile 2020-04-02 00:13:40.055578160 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - C2S for Docker' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile demonstrates compliance against the + U.S. Government Commercial Cloud Services (C2S) baseline. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.46/rhel7/profiles/C2S.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/C2S.profile 2020-04-02 00:13:14.710523405 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'C2S for Red Hat Enterprise Linux 7' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile demonstrates compliance against the + U.S. Government Commercial Cloud Services (C2S) baseline. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.46/rhel7/profiles/cjis.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/cjis.profile 2020-04-02 00:14:09.815642451 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'Criminal Justice Information Services (CJIS) Security Policy' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile is derived from FBI's CJIS v5.4 + Security Policy. A copy of this policy can be found at the CJIS Security + Policy Resource Center: +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile scap-security-guide-0.1.46/rhel7/profiles/cui.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/cui.profile 2020-04-02 00:14:39.735707092 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + From NIST 800-171, Section 2.2: + Security requirements for protecting the confidentiality of CUI in non-federal + information systems and organizations have a well-defined structure that +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile 2020-04-02 00:15:08.697769654 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - Standard Docker Host Security Profile' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains rules to ensure standard security + baseline of Red Hat Enterprise Linux 7 system running docker. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile scap-security-guide-0.1.46/rhel7/profiles/e8.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile 2020-04-02 00:07:38.530797155 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/e8.profile 2020-04-02 00:15:34.521825440 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'Australian Cyber Security Centre (ACSC) Essential Eight' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains configuration checks for Red Hat Enterprise Linux 7 + that align to the Australian Cyber Security Centre (ACSC) Essential Eight. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile 2020-04-02 00:16:12.605907713 +0000 +@@ -3,6 +3,8 @@ documentation_complete: True + title: 'Health Insurance Portability and Accountability Act (HIPAA)' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + The HIPAA Security Rule establishes U.S. national standards to protect individuals’ + electronic personal health information that is created, received, used, or + maintained by a covered entity. The Security Rule requires appropriate +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile 2020-04-02 00:16:43.191973788 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - DISA STIG for Apache HTTP on Red Hat Enterprise Linux 7' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains configuration checks that align to the + DISA STIG for Apache HTTP web server. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile 2020-04-02 00:17:03.371017390 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - DISA STIG for Red Hat IdM' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This is a *draft* profile for STIG. This profile is being + developed under the DoD consensus model to become a STIG in + coordination with DISA FSO. +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile scap-security-guide-0.1.46/rhel7/profiles/ncp.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/ncp.profile 2020-04-02 00:19:00.198269763 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'NIST National Checklist Program Security Guide' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This compliance profile reflects the core set of security + related configuration settings for deployment of Red Hat Enterprise + Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.46/rhel7/profiles/ospp.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile 2020-04-02 00:07:38.523797140 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/ospp.profile 2020-04-02 00:18:53.448255187 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile reflects mandatory configuration controls identified in the + NIAP Configuration Annex to the Protection Profile for General Purpose + Operating Systems (Protection Profile Version 4.2.1). +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile 2020-04-02 00:19:22.109317098 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + Ensures PCI-DSS v3.2.1 security configuration settings are applied. + + selections: +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile 2020-04-02 00:20:04.168407959 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This *draft* profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH). + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile 2020-04-02 00:18:01.448142852 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This compliance profile reflects the core set of security + related configuration settings for deployment of Red Hat Enterprise + Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies. +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile 2020-04-02 00:20:25.205453406 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains the minimum security relevant + configuration settings recommended by Red Hat, Inc for + Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile 2020-04-02 00:20:44.967496099 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - DISA STIG for Red Hat Satellite' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This is a *draft* profile for STIG. This profile is being + developed under the DoD consensus model to become a STIG in + coordination with DISA FSO. +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.46/rhel7/profiles/standard.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/standard.profile 2020-04-02 00:21:05.637540751 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'Standard System Security Profile for Red Hat Enterprise Linux 7' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains rules to ensure standard security baseline + of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload + all of these checks should pass. +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile scap-security-guide-0.1.46/rhel7/profiles/stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/stig.profile 2019-08-28 13:46:33.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/stig.profile 2020-04-02 00:21:23.477579298 +0000 +@@ -3,6 +3,8 @@ documentation_complete: true + title: 'DISA STIG for Red Hat Enterprise Linux 7' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This profile contains configuration checks that align to the + DISA STIG for Red Hat Enterprise Linux V1R4. + +diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile +--- scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile 2019-08-28 12:35:00.000000000 +0000 ++++ scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile 2020-04-02 00:21:44.885625545 +0000 +@@ -3,6 +3,8 @@ documentation_complete: false + title: 'DRAFT - DISA STIG for Red Hat Ansible Tower' + + description: |- ++ **Not applicable to CentOS Linux, included for reference only** ++ + This is a *draft* profile for STIG. This profile is being + developed under the DoD consensus model to become a STIG in + coordination with DISA FSO. diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec index 59c8712..1d52ce5 100644 --- a/SPECS/scap-security-guide.spec +++ b/SPECS/scap-security-guide.spec @@ -28,6 +28,7 @@ Patch14: scap-security-guide-0.1.48-add_e8_profile_kickstart.patch Patch15: scap-security-guide-0.1.48-fix_aide_periodic_crontab_check.patch Patch16: scap-security-guide-0.1.47-add_missing_cce_sudo_require_authentication.patch Patch17: disable-not-in-good-shape-profiles.patch +Patch999: centos-debranding.patch BuildArch: noarch BuildRequires: libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML @@ -72,6 +73,7 @@ been generated from XCCDF benchmarks present in %{name} package. %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch999 -p1 # Workaround to remove Python byte cache files from the upstream sources # See https://github.com/ComplianceAsCode/content/issues/4042 find . -name '*.pyc' -exec rm -f {} ';' @@ -86,7 +88,7 @@ mkdir -p build && cd build -DSSG_PRODUCT_RHEL6:BOOL=ON \ -DSSG_PRODUCT_RHEL7:BOOL=ON \ -DSSG_PRODUCT_RHEL8:BOOL=ON \ --DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \ +-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \ -DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \ ../ make %{?_smp_mflags}