# Somehow, _pkgdocdir is already defined and points to unversioned docs dir

# RHEL 7.X uses versioned docs dir, hence the definition below

%global _pkgdocdir %{_docdir}/%{name}-%{version}

# Base name of static rhel6 content tarball

%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6

Name:		scap-security-guide

Version:	0.1.57

Release:	6%{?dist}

Summary:	Security guidance and baselines in SCAP formats

Group:		System Environment/Base

License:	BSD-3-Clause

URL:		https://github.com/ComplianceAsCode/content

Source0:	%{name}-%{version}.tar.bz2

# Include tarball with last shipped rhel6 content

Source1:	%{_static_rhel6_content}.tar.bz2

Patch0:	disable-not-in-good-shape-profiles.patch

Patch1:		scap-security-guide-0.1.58-fix_ansible_banner_remediation-PR_7228.patch

Patch2:		scap-security-guide-0.1.58-tests_for_playbooks_that_change_banners-PR_7376.patch

Patch3:		scap-security-guide-0.1.58-add_missing_unit_test_playbook-PR_7431.patch

Patch4:		scap-security-guide-0.1.58-RHEL_08_010630-PR_7250.patch

Patch5:		scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch

Patch6:		scap-security-guide-0.1.58-RHEL_08_010360-PR_7209.patch

Patch7:		scap-security-guide-0.1.58-RHEL_08_030610-PR_7256.patch

Patch8:		scap-security-guide-0.1.58-RHEL_08_010420-PR_7227.patch

Patch9:		scap-security-guide-0.1.58-rhel8_stig_08_010290-PR_7151.patch

Patch10:		scap-security-guide-0.1.58-rhel8_stig_08_010291-PR_7169.patch

Patch11:		scap-security-guide-0.1.58-split_file_ownership_var_log_audit-PR_7129.patch

Patch12:		scap-security-guide-0.1.58-rhel8_stig_08_020270-PR_7276.patch

Patch13:		scap-security-guide-0.1.58-add_rhel_minor_check-PR_7251.patch

Patch14:		scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch

Patch15:		scap-security-guide-0.1.58-RHEL_08_030710-PR_7268.patch

Patch16:		scap-security-guide-0.1.58-RHEL_08_020300-PR_7289.patch

Patch17:		scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch

Patch18:		scap-security-guide-0.1.58-update_stig_benchmark-PR_7326.patch

Patch19:		scap-security-guide-0.1.58-add_RHEL_08_020240-PR_7330.patch

Patch20:		scap-security-guide-0.1.58-audit_rhel8_stig-PR_6910.patch

Patch21:		scap-security-guide-0.1.58-bios_enable_execution_restrictions_srg-PR_7284.patch

Patch22:		scap-security-guide-0.1.58-update_stig_references_for_servives_rhel8_v1r3-PR_7299.patch

Patch23:		scap-security-guide-0.1.58-RHEL_08_040286-PR_7354.patch

Patch24:		scap-security-guide-0.1.58-RHEL_08_030650-PR_7283.patch

Patch25:		scap-security-guide-0.1.58-remove_RHEL_08_040162-PR_7369.patch

Patch26:		scap-security-guide-0.1.58-fix_STIG_references-PR_7371.patch

Patch27:		scap-security-guide-0.1.58-sshd_directory_config-PR_6926.patch

Patch28:		scap-security-guide-0.1.58-RHEL_08_030720-PR_7288.patch

Patch29:		scap-security-guide-0.1.58-RHEL_08_020320-PR_7303.patch

Patch30:		scap-security-guide-0.1.58-fix_missing_srgs-PR_7362.patch

Patch31:		scap-security-guide-0.1.58-update_rhel7_stig-PR_7217.patch

Patch32:		scap-security-guide-0.1.58-RHEL_08_010001-PR_7344.patch

Patch33:		scap-security-guide-0.1.58-RHEL_08_030730-PR_7323.patch

Patch34:		scap-security-guide-0.1.58-update_stig_gui_rhel7_version-PR_7340.patch

Patch35:		scap-security-guide-0.1.58-ansible_missing_metadata-PR_7357.patch

Patch36:		scap-security-guide-0.1.58-ensure_test_helper_scripts_executable-PR_7302.patch

Patch37:		scap-security-guide-0.1.58-update_stig_overlay-PR_7287.patch

Patch38:		scap-security-guide-0.1.58-update_stig_mapping_table-PR_7327.patch

Patch39:		scap-security-guide-0.1.58-update_stig_references-PR_7366.patch

Patch40:		scap-security-guide-0.1.58-fix_stig_overlay_python2-PR_7317.patch

Patch41:		scap-security-guide-0.1.58-group_audit_syscalls-PR_7329.patch

Patch42:		scap-security-guide-0.1.58-rhel8_cis_identifier_update_1-PR_7356.patch

Patch43:		scap-security-guide-0.1.58-audit_privileged_rhel_cis-PR_7353.patch

Patch44:		scap-security-guide-0.1.58-cis_rhel7_updates-PR_7384.patch

Patch45:		scap-security-guide-0.1.58-fix_handling_of_variables_in_levels-PR_7226.patch

Patch46:		scap-security-guide-0.1.58-rhel_modular_cis-PR_6976.patch

Patch47:		scap-security-guide-0.1.58-rhel7_cis_kickstarts-PR_7382.patch

Patch48:		scap-security-guide-0.1.58-rhel8_cis_kickstarts-PR_7383.patch

Patch49:		scap-security-guide-0.1.58-ism_ks-PR_7392.patch

Patch50:		scap-security-guide-0.1.58-fix_rhel7_links-PR_7409.patch

Patch51:		scap-security-guide-0.1.58-fix_audit_file_permissions-PR_7440.patch

Patch52:		scap-security-guide-0.1.58-mark_rule_as_machine_only-PR_7442.patch

Patch53:		scap-security-guide-0.1.58-fix_rhel7_doc_link-PR_7443.patch

Patch54:		scap-security-guide-0.1.58-disable_ctrlaltdel_reboot_fix_test_scenario-PR_7444.patch

Patch55:		scap-security-guide-0.1.58-fix_cis_value_selector-PR_7452.patch

Patch56:		scap-security-guide-0.1.58-ism_usb_hid-PR_7493.patch

Patch57:		scap-security-guide-0.1.58-docs_controls_new_status_key-PR_7497.patch

Patch58:		scap-security-guide-0.1.58-controls_new_status_key-PR_7506.patch

Patch59:		scap-security-guide-0.1.59-remove_disable_prelink_from_rhel7_CIS-PR_7621.patch

Patch60:		scap-security-guide-0.1.59-CIS_login_banner-PR_7624.patch

Patch61:		scap-security-guide-0.1.59-new_rule_group_unique_name-PR_7676.patch

Patch62:		scap-security-guide-0.1.59-new_rule_sshd_enable_pam-PR_7602.patch

Patch63:		scap-security-guide-0.1.59-CIS_add_sshd_enable_pam-PR_7677.patch

Patch64:		scap-security-guide-0.1.59-new_rule_sshd_set_login_grace_time-PR_7678.patch

Patch65:		scap-security-guide-0.1.59-remove_stigid_sysctl_net_ipv4_tcp_invalid_ratelimit-PR_7674.patch

Patch66:		scap-security-guide-0.1.58-add_some_rules_to_rhel7_stig-PR_7484.patch

Patch67:		scap-security-guide-0.1.58-postfix_notapplicable-PR_7471.patch

Patch68:		scap-security-guide-0.1.58-rhel7_stig_add_two_grub_rules-PR_7438.patch

Patch69:		scap-security-guide-0.1.58-remove_stigid_audit_rules_privileged_commands_sudoedit-PR_7372.patch

Patch70:		scap-security-guide-0.1.59-stig_rhel7_remove_package_MFEhiplsm_installed-PR_7710.patch

Patch71:		scap-security-guide-0.1.59-return_rule_package_rsyslog-gnutls_installed-PR_7731.patch

Patch72:		scap-security-guide-0.1.59-rhel7_add_rsyslog_tls_rules-PR_7733.patch

Patch73:		scap-security-guide-0.1.59-fix_auditd_overflow_action.patch

Patch74:		scap-security-guide-0.1.59-rhel_selinux_doc-PR_7724.patch

Patch75:		scap-security-guide-0.1.59-sshd_priv_keys_600-PR_7742.patch

Patch76:		scap-security-guide-0.1.59-stig_v3_r5_update-PR_7804.patch

Patch77:		scap-security-guide-0.1.61-rhel8_stig_v1r5-PR_8050.patch

Patch78:		scap-security-guide-0.1.61-update_RHEL_07_STIG-PR_8140.patch

Patch79:		scap-security-guide-0.1.61-update_accounts_password_template-PR_8164.patch

Patch80:		scap-security-guide-0.1.61-update_RHEL_08_010383-PR_8138.patch

Patch81:		scap-security-guide-0.1.61-update_RHEL_08_010385-PR_8220.patch

Patch82:		scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch

Patch83:		scap-security-guide-0.1.61-update_RHEL7_STIG-PR_8225.patch

Patch84:		add-include-remediation-back-to-sudo_require_reauthentication.patch

BuildArch:	noarch

BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML

Requires:	xml-common, openscap-scanner >= 1.2.5

%description

The scap-security-guide project provides a guide for configuration of the

system from the final system's security point of view. The guidance is

specified in the Security Content Automation Protocol (SCAP) format and

constitutes a catalog of practical hardening advice, linked to government

requirements where applicable. The project bridges the gap between generalized

policy requirements and specific implementation guidelines. The Red Hat

Enterprise Linux 7 system administrator can use the oscap command-line tool

from the openscap-utils package to verify that the system conforms to provided

guideline. Refer to scap-security-guide(8) manual page for further information.

%package	doc

Summary:	HTML formatted documents containing security guides generated from XCCDF benchmarks.

Group:		System Environment/Base

Requires:	%{name} = %{version}-%{release}

%description	doc

The %{name}-doc package contains HTML formatted documents containing security guides that have

been generated from XCCDF benchmarks present in %{name} package.

%if %{defined rhel}

%package	rule-playbooks

Summary:	Ansible playbooks per each rule.

Group:		System Environment/Base

Requires:	%{name} = %{version}-%{release}

%description	rule-playbooks

The %{name}-rule-playbooks package contains individual ansible playbooks per rule.

%endif

%prep

%autosetup -p1 -b1

# Workaround to remove Python byte cache files from the upstream sources

# See https://github.com/ComplianceAsCode/content/issues/4042

find . -name '*.pyc' -exec rm -f {} ';'

mkdir build

%build

mkdir -p build && cd build

%cmake -D CMAKE_INSTALL_DOCDIR=%{_pkgdocdir} \

-DSSG_PRODUCT_DEFAULT:BOOL=OFF \

-DSSG_PRODUCT_FIREFOX:BOOL=ON \

-DSSG_PRODUCT_JRE:BOOL=ON \

-DSSG_PRODUCT_RHEL7:BOOL=ON \

-DSSG_PRODUCT_RHEL8:BOOL=ON \

%if %{defined centos}

-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \

%else

-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \

%endif

-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \

%if %{defined rhel}

-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \

%endif

../

make %{?_smp_mflags}

%install

cd build

%make_install

# Manually install pre-built rhel6 content

cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}

cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}-%{version}

# The guide files need to be put in the build system directory for the files section below

cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{version}/build

%files

%defattr(-,root,root,-)

%{_datadir}/xml/scap

%{_datadir}/%{name}

%lang(en) %{_mandir}/man8/scap-security-guide.8.gz

%doc LICENSE

%doc Contributors.md

%doc README.md

%doc DISCLAIMER

# All files installed by cmake are automatically include in main package

# We exclude the guides to here add them in doc package

%exclude %{_pkgdocdir}/guides/

%if %{defined rhel}

%exclude %{_datadir}/%{name}/ansible/rule_playbooks

%endif

%files doc

%defattr(-,root,root,-)

# Installing guide files from cmake install doens't work because of versioned docs

# So we take them from the build directory

%doc build/guides/ssg-*-guide-*.html

%if %{defined rhel}

%files rule-playbooks

%defattr(-,root,root,-)

%{_datadir}/%{name}/ansible/rule_playbooks

%endif

%changelog

* Fri Feb 25 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-6

- Fix bash remediation of sudo_require_reauthentication (RHBZ#2049532)

* Thu Feb 17 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-5

- Update RHEL7 DISA STIG profile to v3r6 (RHBZ#2049532)

* Tue Nov 02 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4

- Update RHEL7 DISA STIG profile to v3r5 (RHBZ#1996678)

* Thu Oct 21 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3

- Fix broken SELinux documentation links (RHBZ#1996678)

* Wed Oct 20 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-2

- Fix auditd_overflow_action configuration path for RHEL7 (RHBZ#1996678)

* Thu Oct 7 2021 Jan Černý <jcerny@redhat.com> - 0.1.57-1

- Rebase to the 0.1.57 upstream release

- Update RHEL7 DISA STIG profile to v3r4 (RHBZ#1996678)

- Split CIS profile (RHBZ#1953787)

* Wed Jun 30 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-7

- Generate HTML STIG reference tables also for stig_gui profile (RHBZ#1958789)

* Fri Jun 11 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-6

- Add kickstart files for RHEL 7 stig and stig_gui profiles (RHBZ#1958789)

* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-5

- Create subpackage to hold ansible playbooks per rule (RHBZ#1966589)

- Fix Bash remediation of dconf_gnome_login_retries (RHBZ#1967566)

* Mon May 10 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-4

- Update RHEL 7 STIG profile to V3R3 (RHBZ#1958789)

- Update ANSSI High Profile (RHBZ#1955180)

* Wed Feb 24 2021 Watson Sato <wsato@redhat.com> - 0.1.54-3

- Realign PCI-DSS rules selection to v0.1.54 (RHBZ#1497415)

* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-2

- Remove Kickstart for not shipped profile (RHBZ#1497415)

- Fix STIG id reference format for sshd_x11_use_localhost (RHBZ#1921643)

* Wed Feb 03 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1

- Rebase to incorporate ANSSI Profile (RHBZ#1497415)

- Update RHEL7 STIG profile to V3R2 (RHBZ#1921643)

- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1497415)

* Fri Nov 27 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-2

- Update RHEL7 DISA STIG to V3R1 (RHBZ#1665233)

* Thu Oct 08 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-1

- Update to the latest upstream release (RHBZ#1665233)

- Update RHEL7 DISA STIG to V2R8 (RHBZ#1665233)

* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.49-13

- Add example kickstart for RHEL7 HIPAA (RHBZ#1513087)

- Fix Test Suite to run on Python3

* Thu May 21 2020 Watson Sato <wsato@redhat.com> - 0.1.49-12

- CIS Profile (RHBZ#1821633)

  - Make sure boot target is multi-user.target when xorg package is removed

  - Add CIS Profile content attribution to Center for Internet Security

* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.49-11

- HIPAA Profile improvement (RHBZ#1513087)

  - Add Ansible remediation for audit_rules_system_shutdown

* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.49-10

- CIS Profile fixes (RHBZ#1821633)

  - Fix Ansible mount_option template

  - Re-order rpm_verify_permissions to avoid file permission conflicts

* Tue May 12 2020 Watson Sato <wsato@redhat.com> - 0.1.49-9

- CIS Profile fixes (RHBZ#1821633)

  - Fix Ansible mount_option template

  - Add Ansible for ensure_logrotate_activated

  - Add warnings to rpm_verify_permissions and ownership about findindings that may need further inspection

* Mon May 11 2020 Watson Sato <wsato@redhat.com> - 0.1.49-8

- Fix specfile to apply patch (RHBZ#1691877)

* Mon May 04 2020 Watson Sato <wsato@redhat.com> - 0.1.49-7

- Bug fixes on CIS profile (RHBZ#1821633)

  Added Ansible remediations

  Fixed CIS references

  Fixed integration issues with CIS profile

* Mon May 04 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.49-6

- Added a patch fixing audit_rules_privileged_commands (RHBZ#1691877)

* Thu Apr 30 2020 Matěj Týč <matyc@redhat.com> - 0.1.49-5

- Added a patch fix for sshd_allow_protocol_2 (RHBZ#1823576)

* Mon Apr 27 2020 Matěj Týč <matyc@redhat.com> - 0.1.49-5

- Added a patch warning about non-local users/groups are not considered by some rules (RHBZ#1721439, RHBZ#1544765, RHBZ#1829743)

* Thu Apr 23 2020 Jan Černý <jcerny@redhat.com> - 0.1.49-4

- Fix removable media options rules (RHBZ#1691579)

* Mon Apr 06 2020 Watson Sato <wsato@redhat.com> - 0.1.49-3

- Add new rules and references for RHEL7 CIS (RHBZ#1821633)

* Tue Mar 31 2020 Watson Sato <wsato@redhat.com> - 0.1.49-2

- Fix remediation of dconf_gnome_login_banner_text (RHBZ#1776780)

- Fix misleading sysctl rules description (RHBZ#1494606)

- Update STIG FIPS approved SSHD ciphers (RHBZ#1781244)

* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1

- Update to the latest upstream release (RHBZ#1815008)

* Thu Nov 28 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-11

- Ship RHEL 8 content (RHBZ#1777862)

* Wed Nov 20 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.46-10

- Added missing CCE for rule sudo_require_authentication. (RHBZ#1755192)

- fix check and remediation for rule aide_periodic_cron_checking (RHBZ#1658036)

* Mon Nov 18 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-9

- Fixed missing CCE for OSPP, E8 and STIG profiles. (RHBZ#1726698)

- Added kickstart file for the Essential Eight (e8) profile. (RHBZ#1755192)

* Fri Nov 15 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-8

- Fix an omission on backporting the patch which fixes krb_sec rule. (RHBZ#1726698)

* Fri Nov 15 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-7

- Added support for the Essential Eight (e8) profile. (RHBZ#1755192)

- Fixed issues with sshd rules used in the e8 profile. (RHBZ#1755192)

* Wed Nov 13 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-6

- Updated ansible playbooks to use modules in favor of shell. (RHBZ#1726698)

- Removed rule directory_access_var_log_audit from OSPP profile. (RHBZ#1726698)

- Fixed ansible playbooks failing when running in --check mode. (RHBZ#1726698)

* Mon Nov 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-5

- Fixed grub2_enable_fips_mode rule when installing RHEL on machines with AES-enabled processors. (RHBZ#1754532)

* Wed Nov 06 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-4

- Fix evaluation and remediation of audit rules in PCI-DSS profile (RHBZ#1754550)

- Fixed mtab handling of remediation of /dev/shm/noexec (RHBZ#1754553)

* Tue Nov 05 2019 Matěj Týč <matyc@redhat.com> - 0.1.46-3

- Made the cmake product selection future-proof. (RHBZ#1726698)

* Tue Nov 05 2019 Jan Černý <jcerny@redhat.com> - 0.1.46-2

- Fix rules file_permissions_unauthorized_suid and sgid (RHBZ#1693026)

* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1

- Update to the latest upstream release 0.1.46 (RHBZ#1726698)

* Fri Aug 09 2019 Matěj Týč <matyc@redhat.com> - 0.1.45-2

- Added a patch not to build SCAP 1.2 datastreams, only SCAP 1.3 (RHBZ#1726698)

* Tue Aug 06 2019 Watson Sato <wsato@redhat.com> - 0.1.45-1

- Update to the latest upstream release (RHBZ#1726698)

* Wed Jun 12 2019 Matěj Týč <matyc@redhat.com> - 0.1.43-13

- Fixed the shared dconf bash remediation (RHBZ#1631378)

* Mon Jun 03 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-12

- Make aide and smart card rules not applicable to containers (RHBZ#1711893)

- Added rule dconf_db_up_to_date to ensure dconf databases are up-to-date (RHBZ#1631378)

* Fri May 24 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-11

- Remove faulty dconf_use_text_backend rule from all profiles (Reverts RHBZ#1631378)

* Thu May 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-10

- Fixed Ansible remediation for sssd_ssh_known_hosts_timeout (RHBZ#1599179)

* Mon May 20 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-9

- Fixed missing Ansible tags and platform checks (RHBZ#1685950)

* Fri May 17 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-8

- Fixed OVAL check for sssd_ssh_known_hosts_timeout and added bash remediation (RHBZ#1599179)

* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-7

- Fix handling of package CPE during generation of Ansible playbooks (RHBZ#1647189)

* Fri May 10 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-6

- Deduplicated more CCEs assigned to rules (RHBZ#1703092)

* Thu Apr 25 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-5

- Remove ensure_gpgcheck_repo_metadata rule from profiles (RHBZ#1703010)

- Deduplicate CCE assigned to rules (RHBZ#1703092)

* Tue Apr 23 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-4

- Mark SELinux rules as machine only (RHBZ#1630739)

- Mark service disabled rules as machine only (RHBZ#1630739)

* Mon Apr 08 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.43-3

- Mark rules which were not applicable for containers as machine only (RHBZ#1630739)

- Fix content support for UBI-Minimal (RHBZ#1695213)

* Mon Mar 25 2019 Watson Yuuma Sato <wsato@redhat.com> - 0.1.43-2

- Fixes for smooth Ansible playbooks run (RHBZ#1647189)

- Fix Ansible template for file permissions (RHBZ#1686007)

- Fix remediation of rule rpm_verify_permissions (RHBZ#1686005)

- Fix remediation of audit rules for privileged commands (RHBZ#1687826)

* Fri Mar 01 2019 Jan Černý <jcerny@redhat.com> - 0.1.43-1

- Update to the latest upstream release (RHBZ#1684545)

* Tue Sep 25 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-12

- Fix malformed patch for removal of abrt and sendmail (RHBZ#1619689)

* Tue Sep 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-11

- Fixes for RHBZ#1619689:

- Added support for kernel parameters yama.ptrace_scope, kptr_restrict, dmesg_restrict and kexec_load_disabled.

- Added support for boot parameters audit_backlog_limit=8192, slub_debug=P, page_poison=1 and vsyscall=none.

- Added support for proper /dev/shm handling (noexec,nosuid,nodev,mode=1777)

- Added support for checking that sendmail and abrt are not installed.

- Introduced OSPP to the OSPP profile title.

- Disabled linkcheck tests during the build.

* Sun Sep 23 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-10

- Fix regression in file ownership and group OVAL. (RHBZ#1570802)

* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-9

- Fix malformed patch for Audit Rules (RHBZ#1619689)

* Fri Sep 21 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-8

- Add Bash remediation for rule grub2_audit_arguments (RHBZ#1619689)

- Allow remediation for rule dconf_gnome_screensaver_lock_delay to fix commented settings (RHBZ#1609122)

- Select missing audit rules for privileged commands for OSPP4.2 Profile (RHBZ#1619689)

* Wed Sep 19 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-7

- Fixed previously applied patches for OSPP 4.2 (RHBZ#1619689)

* Mon Sep 17 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-6

- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)

- Fixed the xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled check (RHBZ#1609122)

* Fri Sep 14 2018 Marek Haičman <mhaicman@redhat.com> - 0.1.40-5

- Re-fix FIPS patch. (RHBZ#1587911)

* Wed Sep 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-4

- Applied a batch of patches that improve OSPP 4.2 profile support for RHEL7 (RHBZ#1619689)

* Tue Sep 11 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-3

- Don't generate remediations for Anaconda for /dev/cdrom mount point (RHBZ#1618840)

- Install dracut-fips when fips mode is enabled in the profile (RHBZ#1587911)

* Wed Aug 01 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.40-2

- Don't generate remediations for Anaconda for /dev/shm mount point (RHBZ#1570956)

* Wed Jul 25 2018 Matěj Týč <matyc@redhat.com> - 0.1.40-1

- Update to upstream release 0.1.40

- Underlying code has been deduplicated and unified, which fixes countless subtle bugs.

- Updated Ansible playbooks, so they don't use deprecated constructs.

- Service disable family of rules take the corresponding socket deactivation into account if applicable in check and in remediations.

* Thu Jul 19 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-2

- Fix configuration to not build new products introduced in upstream

- Test package with ctest

* Fri Jul 13 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.39-1

- Update to upstream release 0.1.39

- Profile IDs simplified

- Common Profile removed in favor of Standard Profile

- RHEL7 STIG reference updated to V1R4

- RHEL6 STIG reference updated to V1R18

- New License - BSD-3 Clause

- Several remediation fixes

- Better content support for DISA STIG Viewer (#2418)

* Mon Jan 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-7

- Fix sshd_required unset (RHBZ#1522956)

- Fix missing bash remediation functions include (RHBZ#1524738)

- Fix empty columns in SRG HTML Table (RHBZ#1531105)

- Fix reference to oudated PAM config manual (RHBZ#1447760)

* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-6

- Rebuild with OpenSCAP 1.2.16

* Mon Dec 11 2017 Matěj Týč <matyc@redhat.com> - 0.1.36-5

- Patched not to check library ownership in libexec.

- Patched to fix title of DISA STIG profile.

- Patched to deprecate RhostsRSAAuthentication.

- Patched to fix umask_for_daemons.

* Thu Nov 16 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-4

- Rebuild with OpenSCAP 1.2.16

* Tue Nov 14 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-3

- Add DISA STIG Rule IDs to XCCDF Rules with STIGID

* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-2

- Fix configuration to not build new products introduced in upstream

* Fri Nov 03 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1

- Update to upstream release 0.1.36

- Introduction of SCAP Security Guide Test Suite

- Better alignment of RHEL6 and RHEL7 with DISA STIG

- Remove JBoss EAP5 content due to being End-of-Life

- New STIG Profile for JBOSS EAP 6

- Updates in C2S Profile for RHEL 7

- Variables can be directly tailored in Ansible roles

- Content presents less false positives in containers

- Changes in directory layout

* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-2

- Do not build content for JBOSS EAP6

* Wed Sep 20 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.35-1

- Update to upstream release 0.1.35

- Remove Red Hat Enterprise Linux 5 content due to being End-of-Life March 31, 2017

- Added several templates for OVAL checks

- Many optimizations in build process

- Different title for PCI-DSS Benchmark variants

- Remediation roles moved to /usr/share/scap-security

- Fix duplicated roles and guides (RHBZ#1465691)

* Tue Sep 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-6

- Dropped remediation that makes system not accessible by SSH (RHBZ#1478414)

* Wed Jun 14 2017 Watson Sato <wsato@redhat.com> 0.1.33-5

- Fix Anaconda Smartcard auth remediation (RHBZ#1461330)

* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-4

- Fix specfile to not include tables twice

* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-3

- Fix malformed title of profile nist-800-171-cui

* Fri May 19 2017 Watson Sato <wsato@redhat.com> 0.1.33-2

- Fix emtpy ospp-rhel7 table

- Fix Anaconda remediation templates (RHBZ#1450731)

* Mon May 01 2017 Watson Sato <wsato@redhat.com> 0.1.33-1

- Update to upstream version 0.1.33

- DISA RHEL7 STIG profile alignment improved

- Introduction of remediation roles

- RPM and DEB test packages are built by CMake with CPack

- Lots of remediation fixes

* Tue Mar 28 2017 Watson Sato <wsato@redhat.com> 0.1.32-1

- Update to upstream version 0.1.32

- New CMake build system

- Improved NIST 800-171 profile

- Initial RHVH profile

- New CPE to identify systems like machines (bare-metal and VM) and containers (image and container)

- Template clean up in lots of remediations

* Fri Mar 10 2017 Watson Sato <wsato@redhat.com> 0.1.30-6

- Ship separate OCIL definitions for Red Hat Enterprise Linux 7 (RHBZ#1428144)

* Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5

- Fix template remediation function used by SSHD remediation

- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)

* Tue Jan 31 2017 Watson Sato <wsato@redhat.com> 0.1.30-4

- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)

* Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3

- Correct the remediation script for 'Enable Smart Card Login' rule

  for Red Hat Enterprise Linux 7 (RH BZ#1357019)

* Thu Jul 14 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-2

- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark

  having the identical title (RH BZ#1351541)

- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts'

  rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root

  Account for Failed Password Attempts' rule to report correct system status

  WRT to these requirements also in the case the SSSD daemon is used

  (RH BZ#1344581)

- Include currently available kickstart files and produced HTML tables for

  Red Hat Enterprise Linux 6 and 7 products into the produced RPM package

  (RH BZ#1351751)

* Wed Jun 22 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-1

- Update to upstream's 0.1.30 release:

  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30

  (RH BZ#1289533)

- Drop remediation functions library since starting from 0.1.30 release

  remediation scripts are part of the benchmarks directly

- Drop three patches that have been accepted upstream in the meantime

- Update drop-rpm-verify-permissions-rule patch to work properly against

  0.1.30 release

* Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3

- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS

  profile for Red Hat Enterprise Linux 7 (RH BZ#1267861)

* Wed Sep 09 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-2

- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7

* Wed Aug 19 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-1

- Rebase to upstream 0.1.25 release

* Tue Aug 04 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-4

- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny'

  rule

* Mon Aug 03 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-3

- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule

  for Red Hat Enterprise Linux 7 product

- Override title and description for all existing profiles for Red Hat

  Enterprise Linux 6 product that are extending another SCAP profile

  (RHBZ#1246529)

- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile

  kickstart file for Red Hat Enterprise Linux 7 product

- Add remediation script for 'audit_rules_time_clock_settime' rule for

  Red Hat Enterprise Linux 7 product

- Add remediation scripts for 'audit_rules_time_adjtimex',

  'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for

  Red Hat Enterprise Linux 7 product

- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with

  "Draft" label

- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise

  Linux 7 product:

  * dconf_gnome_screensaver_idle_delay -- missing remediation script,

  * dconf_gnome_screensaver_idle_activation -- missing remediation script,

  * dconf_gnome_screensaver_lock_enabled -- missing remediation script,

  * audit_rules_login_events -- incorrect OVAL check (upstream issue #607),

  * audit_rules_privileged_commands -- missing remediation script, and

  * audit_rules_immutable -- missing remediation script.

* Mon Aug 03 2015 Martin Preisler <mpreisle@redhat.com> 0.1.24-2

- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product

  into multiple lines, prevents HTML guide UX issues

* Tue Jul 07 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-1

- Rebase to upstream scap-security-guide-0.1.24 version

- Start producing the -doc subpackage to provide the HTML formatted

  documents containing security guides generated from shipped XCCDF benchmarks

* Mon Jun 22 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.23-1

- Rebase to upstream scap-security-guide-0.1.23 version

- Update upstream tarball source URL to GitHub archive location

- Drop the following patches that have been accepted upstream:

  * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch

  * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch

  * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch

  * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch

  * scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch

  * scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch

  * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch

  * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch

  * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch

- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks

- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6

* Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2

- Fix Limit Password Reuse remediation script error

- Fix Set Deny For Failed Password Attempts remediation script error

- Use RHT-CCP profile name when generating HTML guide

- Describe RHT-CCP profile in the manual page

* Mon Sep 29 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-1

- Include RHEL-7 content (RHT-CCP profile only)

- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel

- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools

- Update manual page to be more appropriate for RHEL-7

- Drop RHEL-6 C2S profile update patch since merged upstream

* Tue Sep 02 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-4

- Initial build for Red Hat Enterprise Linux 7

* Thu Aug 28 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-3

- Update C2S profile <description> per request from CIS

* Thu Jun 26 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-2

- Include the upstream STIG for RHEL 6 Server profile disclaimer file too

* Sun Jun 22 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-1

- Make new 0.1.18 release

* Wed May 14 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-2

- Drop vendor line from the spec file. Let the build system to provide it.

* Fri May 09 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-1

- Upgrade to upstream 0.1.17 version

* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-2

- Initial RPM for RHEL base channels

* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-1

- Change naming scheme (0.1-16 => 0.1.16-1)

* Fri Feb 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-16

- Include datastream file into RHEL6 RPM package too

- Bump version

* Tue Dec 24 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc2

+ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream

* Mon Dec 23 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc1

- [bugfix] RHEL6 no_empty_passwords remediation script overwrote

  system-auth symlink. Added --follow-symlink to sed command.

* Fri Nov 01 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15

- Version bump

* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc5

- Point the spec's source to proper remote tarball location

- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM

* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc4

- Don't include the table html files two times

- Remove makewhatis

* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc3

- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*

- Numberous XCCDF->OVAL naming schema updates

- All rules now have CCE

* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc2

- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)

* Fri Oct 25 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc1

- Apply spec file changes required by review request (RH BZ#1018905)

* Thu Oct 24 2013 Shawn Wells <shawn@redhat.com> 0.1-14

- Formal RPM release

- Inclusion of rht-ccp profile

- OVAL unit testing patches