Blame SPECS/scap-security-guide.spec

1002d6
Name:		scap-security-guide
aa23b3
Version:	0.1.47
1002d6
Release:	2%{?dist}
1002d6
Summary:	Security guidance and baselines in SCAP formats
1002d6
Group:		Applications/System
1002d6
License:	BSD
1002d6
URL:		https://github.com/ComplianceAsCode/content/
1002d6
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
aa23b3
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
1002d6
Patch0:		disable-not-in-good-shape-profiles.patch
aa23b3
Patch1:		scap-security-guide-0.1.48-e8_kickstarts.patch
aa23b3
Patch2:		scap-security-guide-0.1.48-e8_polish.patch
1002d6
BuildArch:	noarch
1002d6
1002d6
# To get python3 inside the buildroot require its path explicitly in BuildRequires
1002d6
BuildRequires: /usr/bin/python3
1002d6
BuildRequires:	libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
1002d6
Requires:	xml-common, openscap-scanner >= 1.2.5
1002d6
Obsoletes:	openscap-content < 0:0.9.13
1002d6
Provides:	openscap-content
1002d6
1002d6
%description
1002d6
The scap-security-guide project provides a guide for configuration of the
1002d6
system from the final system's security point of view. The guidance is specified
1002d6
in the Security Content Automation Protocol (SCAP) format and constitutes
1002d6
a catalog of practical hardening advice, linked to government requirements
1002d6
where applicable. The project bridges the gap between generalized policy
1002d6
requirements and specific implementation guidelines. The Red Hat Enterprise
1002d6
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
1002d6
package, or the scap-workbench GUI tool from scap-workbench package to verify
1002d6
that the system conforms to provided guideline. Refer to scap-security-guide(8)
1002d6
manual page for further information.
1002d6
1002d6
%package	doc
1002d6
Summary:	HTML formatted security guides generated from XCCDF benchmarks
1002d6
Group:		System Environment/Base
1002d6
Requires:	%{name} = %{version}-%{release}
1002d6
1002d6
%description	doc
1002d6
The %{name}-doc package contains HTML formatted documents containing
1002d6
hardening guidances that have been generated from XCCDF benchmarks
1002d6
present in %{name} package.
1002d6
1002d6
%prep
1002d6
%setup -q
1002d6
%patch0 -p1
aa23b3
%patch1 -p1
aa23b3
%patch2 -p1
1002d6
mkdir build
1002d6
1002d6
%build
1002d6
cd build
1002d6
%cmake \
aa23b3
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
aa23b3
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
aa23b3
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
1002d6
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
1002d6
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
1002d6
%make_build
1002d6
1002d6
%install
1002d6
cd build
1002d6
%make_install
1002d6
1002d6
%files
1002d6
%{_datadir}/xml/scap/ssg/content
1002d6
%{_datadir}/%{name}/kickstart
1002d6
%{_datadir}/%{name}/ansible
1002d6
%{_datadir}/%{name}/bash
1002d6
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
1002d6
%doc %{_docdir}/%{name}/LICENSE
1002d6
%doc %{_docdir}/%{name}/README.md
1002d6
%doc %{_docdir}/%{name}/Contributors.md
1002d6
1002d6
%files doc
1002d6
%doc %{_docdir}/%{name}/guides/*.html
1002d6
%doc %{_docdir}/%{name}/tables/*.html
1002d6
1002d6
%changelog
aa23b3
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
aa23b3
- Improved the e8 profile (RHBZ#1755194)
aa23b3
aa23b3
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
aa23b3
aa23b3
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
aa23b3
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
aa23b3
aa23b3
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
aa23b3
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
aa23b3
aa23b3
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
aa23b3
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
aa23b3
aa23b3
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
aa23b3
- Use crypto-policy rules in OSPP profile.
aa23b3
- Re-enable FIREFOX and JRE product in build.
aa23b3
- Change test suite logging message about missing profile from ERROR to WARNING.
aa23b3
- Build only one version of SCAP content at a time.
aa23b3
aa23b3
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
aa23b3
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
aa23b3
1002d6
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
1002d6
- Ported changelog from late 8.0 builds.
1002d6
- Disabled build of the OL8 product, updated other components of the cmake invocation.
1002d6
1002d6
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
1002d6
1002d6
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
1002d6
- Assign CCE to rules from OSPP profile which were missing the identifier.
1002d6
- Fix regular expression for Audit rules ordering
1002d6
- Account for Audit rules flags parameter position within syscall
1002d6
- Add remediations for Audit rules file path
1002d6
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
1002d6
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
1002d6
- Add a Bash remediation for Audit rules that require ordering
1002d6
1002d6
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
1002d6
- Assign CCE identifier to rules used by RHEL8 profiles.
1002d6
1002d6
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
1002d6
- Fixed Crypto Policy OVAL for NSS
1002d6
- Got rid of rules requiring packages dropped in RHEL8.
1002d6
- Profile descriptions fixes.
1002d6
1002d6
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
1002d6
- Update applicable platforms in crypto policy tests
1002d6
1002d6
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
1002d6
- Introduce Podman backend for SSG Test suite
1002d6
- Update bind and libreswan crypto policy test scenarios
1002d6
1002d6
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
1002d6
- Further fix of profiles descriptions, so they don't contain literal '\'.
1002d6
- Removed obsolete sshd rule from the OSPP profile.
1002d6
1002d6
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
1002d6
- Fixed profiles descriptions, so they don't contain literal '\n'.
1002d6
- Made the configure_kerberos_crypto_policy OVAL more robust.
1002d6
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
1002d6
1002d6
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
1002d6
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
1002d6
1002d6
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
1002d6
- Added FIPS mode rule for the OSPP profile.
1002d6
- Split the installed_OS_is certified rule.
1002d6
- Explicitly disabled OSP13, RHV4 and Example products.
1002d6
1002d6
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
1002d6
- Add missing kickstart files for RHEL8
1002d6
- Disable profiles that are not in good shape for RHEL8
1002d6
1002d6
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
1002d6
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
1002d6
- System-wide crypto policies are introduced for RHEL8
1002d6
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
1002d6
1002d6
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
1002d6
- Fix man page and package description
1002d6
1002d6
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
1002d6
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
1002d6
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
1002d6
1002d6
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
1002d6
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
1002d6
- Only build content for rhel8 products
1002d6
1002d6
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
1002d6
- Update build of rhel8 content
1002d6
1002d6
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
1002d6
- Enable build of rhel8 content
1002d6
1002d6
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
1002d6
- Fix spec file to build using Python 3
1002d6
- Fix License because upstream changed to BSD-3
1002d6
1002d6
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
1002d6
1002d6
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
1002d6
1002d6
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
1002d6
1002d6
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
1002d6
1002d6
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
1002d6
1002d6
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
1002d6
1002d6
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
1002d6
- updated to latest upstream release
1002d6
1002d6
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
1002d6
1002d6
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
1002d6
- use make_build and make_install RPM macros
1002d6
1002d6
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
1002d6
- update to the latest upstream release
1002d6
- new default location for content /usr/share/scap/ssg
1002d6
- install HTML tables in the doc subpackage
1002d6
1002d6
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
1002d6
- Correct currently failing parallel SCAP Security Guide build
1002d6
1002d6
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
1002d6
- Drop shell library for remediation functions since it is not required
1002d6
  starting from 0.1.30 release any more
1002d6
1002d6
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
1002d6
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
1002d6
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
1002d6
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
1002d6
  in 0.1.29 upstream release
1002d6
1002d6
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
1002d6
1002d6
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
1002d6
- upgrade to the latest upstream release
1002d6
1002d6
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
1002d6
- update to the latest upstream release
1002d6
- created doc sub-package to ship all the guides
1002d6
- start distributing centos and scientific linux content
1002d6
- rename java content to jre
1002d6
1002d6
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
1002d6
1002d6
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
1002d6
- update to the latest upstream release
1002d6
- only DataStream file is now available for Fedora
1002d6
- start distributing security baseline for Firefox
1002d6
- start distributing security baseline for Java RunTime deployments
1002d6
1002d6
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
1002d6
- update to the latest upstream release
1002d6
- move content to /usr/share/scap/ssg/content
1002d6
1002d6
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
1002d6
- update to the latest upstream release
1002d6
1002d6
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
1002d6
- require only openscap-scanner, not whole openscap-utils package
1002d6
1002d6
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
1002d6
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
1002d6
- Add STIG DISCLAIMER to the shipped documentation
1002d6
1002d6
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
1002d6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
1002d6
1002d6
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
1002d6
- Fix fedora-srpm and fedora-rpm Make targets to work again
1002d6
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
1002d6
- EOL for Fedora 18 support
1002d6
- Include Fedora datastream file for remote Fedora system scans
1002d6
1002d6
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
1002d6
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
1002d6
1002d6
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
1002d6
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
1002d6
  it to /shared
1002d6
- Add shared remediations for sshd disable empty passwords and
1002d6
  sshd set idle timeout
1002d6
- Shared remediation for sshd disable root login
1002d6
- Add empty -compat subpackage to ensure backward-compatibility with
1002d6
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
1002d6
- OVAL check for sshd disable root login
1002d6
- Fix typo in OVAL check for sshd disable empty passwords
1002d6
- OVAL check for sshd disable empty passwords
1002d6
- Unselect no shelllogin for systemaccounts rule from being run by default
1002d6
- Rename XCCDF rules
1002d6
- Revert Set up Fedora release name and CPE based on build system properties
1002d6
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
1002d6
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
1002d6
- Shared OVAL check for Verify that System Executables Have Root Ownership
1002d6
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
1002d6
  Permissions
1002d6
- Fix remediation for Disable Prelinking rule
1002d6
- OVAL check and remediation for sshd's ClientAliveCountMax rule
1002d6
- OVAL check for sshd's ClientAliveInterval rule
1002d6
- Include descriptions for permissions section, and rules for checking
1002d6
  permissions and ownership of shared library files and system executables
1002d6
- Disable selected rules by default
1002d6
- Add remediation for Disable Prelinking rule
1002d6
- Adjust service-enable-macro, service-disable-macro XSLT transforms
1002d6
  definition to evaluate to proper systemd syntax
1002d6
- Fix service_ntpd_enabled OVAL check make validate to pass again
1002d6
- Include patch from Šimon Lukašík to obsolete openscap-content
1002d6
  package (RH BZ#1028706)
1002d6
- Add OVAL check to test if there's is remote NTP server configured for
1002d6
  time data
1002d6
- Add system settings section for the guide (to track system wide
1002d6
  hardening configurations)
1002d6
- Include disable prelink rule and OVAL check for it
1002d6
- Initial OVAL check if ntpd service is enabled. Add package_installed
1002d6
  OVAL templating directory structure and functionality.
1002d6
- Include services section, and XCCDF description for selected ntpd's
1002d6
  sshd's service rules
1002d6
- Include remediations for login.defs' based password minimum, maximum and
1002d6
  warning age rules
1002d6
- Include directory structure to support remediations
1002d6
- Add SCAP "replace or append pattern value in text file based on variable"
1002d6
  remediation script generator
1002d6
- Add remediation for "Set Password Minimum Length in login.defs" rule
1002d6
1002d6
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
1002d6
- Update versioning scheme - move fedorassgrelease to be part of
1002d6
  upstream version. Rename it to fedorassgversion to avoid name collision
1002d6
  with Fedora package release.
1002d6
1002d6
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
1002d6
- Add .gitignore for Fedora output directory
1002d6
- Set up Fedora release name and CPE based on build system properties
aa23b3
- Use correct file paths in scap-security-guide(8) manual page
1002d6
  (RH BZ#1018905, c#10)
1002d6
- Apply further changes motivated by scap-security-guide Fedora RPM review
1002d6
  request (RH BZ#1018905, c#8):
1002d6
  * update package description,
1002d6
  * make content files to be owned by the scap-security-guide package,
1002d6
  * remove Fedora release number from generated content files,
1002d6
  * move HTML form of the guide under the doc directory (together
1002d6
    with that drop fedora/content subdir and place the content
1002d6
    directly under fedora/ subdir).
1002d6
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
1002d6
  * drop Fedora release from package provided files' final path (c#5),
1002d6
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
1002d6
    manual page, don't gzip man page (c#4),
1002d6
  * change package's description (c#4),
1002d6
  * include PD license text (#c4).
1002d6
1002d6
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
1002d6
- Provide manual page for scap-security-guide
1002d6
- Remove percent sign from spec's changelog to silence rpmlint warning
1002d6
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
1002d6
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
1002d6
- Introduce 'Account and Access Control' section
1002d6
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
1002d6
  rules to Fedora
1002d6
- Set proper name of the build directory in the spec's setup macro.
1002d6
- Replace hard-coded paths with macros. Preserve attributes when copying files.
1002d6
1002d6
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
1002d6
- Initial Fedora SSG RPM.