Blame SPECS/scap-security-guide.spec

a297d8
# Base name of static rhel6 content tarball
a297d8
%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
572223
# https://fedoraproject.org/wiki/Changes/CMake_to_do_out-of-source_builds
572223
%global _vpath_builddir build
b67bb6
# global _default_patch_fuzz 2  # Normally shouldn't be needed as patches should apply cleanly
a297d8
54c0d5
Name:		scap-security-guide
9aba52
Version:	0.1.63
792d3d
Release:	3%{?dist}
54c0d5
Summary:	Security guidance and baselines in SCAP formats
572223
License:	BSD-3-Clause
54c0d5
Group:		Applications/System
54c0d5
URL:		https://github.com/ComplianceAsCode/content/
54c0d5
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
a297d8
# Include tarball with last released rhel6 content
a297d8
Source1:	%{_static_rhel6_content}.tar.bz2
540324
54c0d5
BuildArch:	noarch
54c0d5
572223
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
572223
Patch0:		disable-not-in-good-shape-profiles.patch
792d3d
Patch1:		scap-security-guide-0.1.64-stig_bump_version-PR_9276.patch
792d3d
Patch2:		scap-security-guide-0.1.64-stig_ipv4_forwarding-PR_9277.patch
792d3d
Patch3:		scap-security-guide-0.1.64-stig_aide-PR_9282.patch
792d3d
Patch4:		scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
792d3d
Patch5:		scap-security-guide-0.1.64-sysctl_template_multivalue-PR_9147.patch
792d3d
Patch6:		scap-security-guide-0.1.64-stig_sysctl_multivalue_rules-PR_9286.patch
792d3d
Patch7:		scap-security-guide-0.1.64-stig_readd_ssh_rules-PR_9318.patch
792d3d
Patch8:		scap-security-guide-0.1.64-ospp_autselect_minimal-PR_9298.patch
792d3d
Patch9:		scap-security-guide-0.1.64-ospp_grub_disable_recovery-PR_9321.patch
792d3d
Patch10:		scap-security-guide-0.1.64-warning_about_queues_for_rsyslog_remote_loghost-PR_9305.patch
792d3d
Patch11:		scap-security-guide-0.1.64-fix_sudoers_defaults-PR_9299.patch
792d3d
Patch12:		scap-security-guide-0.1.64-add_platform_for_partition_existence-PR_9204.patch
792d3d
Patch13:		scap-security-guide-0.1.64-apply_partition_platform_to_rules-PR_9324.patch
792d3d
Patch14:		scap-security-guide-0.1.64-improve_handling_of_rsyslog_includes-PR_9326.patch
792d3d
Patch15:		scap-security-guide-0.1.64-fix_ansible_partition_conditional-PR_9339.patch
572223
572223
BuildRequires:	libxslt
572223
BuildRequires:	expat
572223
BuildRequires:	openscap-scanner >= 1.2.5
572223
BuildRequires:	cmake >= 2.8
54c0d5
# To get python3 inside the buildroot require its path explicitly in BuildRequires
54c0d5
BuildRequires: /usr/bin/python3
572223
BuildRequires:	python%{python3_pkgversion}
572223
BuildRequires:	python%{python3_pkgversion}-jinja2
572223
BuildRequires:	python%{python3_pkgversion}-PyYAML
54c0d5
Requires:	xml-common, openscap-scanner >= 1.2.5
54c0d5
Obsoletes:	openscap-content < 0:0.9.13
54c0d5
Provides:	openscap-content
54c0d5
54c0d5
%description
54c0d5
The scap-security-guide project provides a guide for configuration of the
54c0d5
system from the final system's security point of view. The guidance is specified
54c0d5
in the Security Content Automation Protocol (SCAP) format and constitutes
54c0d5
a catalog of practical hardening advice, linked to government requirements
54c0d5
where applicable. The project bridges the gap between generalized policy
572223
requirements and specific implementation guidelines. The system
572223
administrator can use the oscap CLI tool from openscap-scanner package, or the
572223
scap-workbench GUI tool from scap-workbench package to verify that the system
572223
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
572223
further information.
54c0d5
54c0d5
%package	doc
54c0d5
Summary:	HTML formatted security guides generated from XCCDF benchmarks
54c0d5
Group:		System Environment/Base
54c0d5
Requires:	%{name} = %{version}-%{release}
54c0d5
54c0d5
%description	doc
54c0d5
The %{name}-doc package contains HTML formatted documents containing
54c0d5
hardening guidances that have been generated from XCCDF benchmarks
54c0d5
present in %{name} package.
54c0d5
572223
%if ( %{defined rhel} && (! %{defined centos}) )
647bb4
%package	rule-playbooks
647bb4
Summary:	Ansible playbooks per each rule.
647bb4
Group:		System Environment/Base
647bb4
Requires:	%{name} = %{version}-%{release}
647bb4
647bb4
%description	rule-playbooks
647bb4
The %{name}-rule-playbooks package contains individual ansible playbooks per rule.
647bb4
%endif
647bb4
54c0d5
%prep
572223
%autosetup -p1 -b1
54c0d5
54c0d5
%build
572223
mkdir -p build
54c0d5
cd build
54c0d5
%cmake \
54c0d5
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
54c0d5
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
54c0d5
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
eabbfc
%if %{defined centos}
eabbfc
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=ON \
eabbfc
%else
54c0d5
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
eabbfc
%endif
647bb4
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF \
572223
%if ( %{defined rhel} && (! %{defined centos}) )
647bb4
-DSSG_ANSIBLE_PLAYBOOKS_PER_RULE_ENABLED:BOOL=ON \
647bb4
%endif
647bb4
../
572223
%cmake_build
54c0d5
54c0d5
%install
54c0d5
cd build
572223
%cmake_install
54c0d5
a297d8
# Manually install pre-built rhel6 content
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
a297d8
cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
a297d8
54c0d5
%files
54c0d5
%{_datadir}/xml/scap/ssg/content
54c0d5
%{_datadir}/%{name}/kickstart
54c0d5
%{_datadir}/%{name}/ansible
54c0d5
%{_datadir}/%{name}/bash
97a805
%{_datadir}/%{name}/tailoring
54c0d5
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
54c0d5
%doc %{_docdir}/%{name}/LICENSE
54c0d5
%doc %{_docdir}/%{name}/README.md
54c0d5
%doc %{_docdir}/%{name}/Contributors.md
572223
%if ( %{defined rhel} && (! %{defined centos}) )
647bb4
%exclude %{_datadir}/%{name}/ansible/rule_playbooks
647bb4
%endif
54c0d5
54c0d5
%files doc
54c0d5
%doc %{_docdir}/%{name}/guides/*.html
54c0d5
%doc %{_docdir}/%{name}/tables/*.html
54c0d5
572223
%if ( %{defined rhel} && (! %{defined centos}) )
647bb4
%files rule-playbooks
647bb4
%defattr(-,root,root,-)
647bb4
%{_datadir}/%{name}/ansible/rule_playbooks
647bb4
%endif
647bb4
54c0d5
%changelog
792d3d
* Mon Aug 15 2022 Watson Sato <wsato@redhat.com> - 0.1.63-3
792d3d
- Fix Ansible partition conditional (RHBZ#2032403)
792d3d
792d3d
* Wed Aug 10 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-2
792d3d
- aligning with the latest STIG update (RHBZ#2112937)
792d3d
- OSPP: use Authselect minimal profile (RHBZ#2117192)
792d3d
- OSPP: change rules for protecting of boot (RHBZ#2116440)
792d3d
- add warning about configuring of TCP queues to rsyslog_remote_loghost (RHBZ#2078974)
792d3d
- fix handling of Defaults clause in sudoers (RHBZ#2083109)
792d3d
- make rules checking for mount options of /tmp and /var/tmp applicable only when the partition really exists (RHBZ#2032403)
792d3d
- fix handling of Rsyslog include directives (RHBZ#2075384)
792d3d
9aba52
* Mon Aug 01 2022 Vojtech Polasek <vpolasek@redhat.com> - 0.1.63-1
9aba52
- Rebase to a new upstream release 0.1.63 (RHBZ#2070564)
9aba52
b67bb6
* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 0.1.62-1
b67bb6
- Rebase to a new upstream release (RHBZ#2070564)
b67bb6
5e4bca
* Tue May 17 2022 Watson Sato <wsato@redhat.com> - 0.1.60-9
5e4bca
- Fix validation of OVAL 5.10 content (RHBZ#2079241)
5e4bca
- Fix Ansible sysctl remediation (RHBZ#2079241)
5e4bca
e1877a
* Tue May 03 2022 Watson Sato <wsato@redhat.com> - 0.1.60-8
5e4bca
- Update to ensure a sysctl option is not defined in multiple files (RHBZ#2079241)
5e4bca
- Update RHEL8 STIG profile to V1R6 (RHBZ#2079241)
e1877a
3bd189
* Thu Feb 24 2022 Watson Sato <wsato@redhat.com> - 0.1.60-7
3bd189
- Resize ANSSI kickstart partitions to accommodate GUI installs (RHBZ#2058033)
3bd189
3bd189
* Wed Feb 23 2022 Matthew Burket <mburket@redhat.com> - 0.1.60-6
3bd189
- Fix another issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
3bd189
3bd189
* Mon Feb 21 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-5
3bd189
- Remove tmux process runinng check in configure_bashrc_exec_tmux (RHBZ#2055860)
3bd189
- Fix issue with getting STIG items in create_scap_delta_tailoring.py (RHBZ#2014485)
3bd189
- Update rule enable_fips_mode to check only for technical state (RHBZ#2014485)
3bd189
574ebc
* Wed Feb 16 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
574ebc
- Fix Ansible service disabled tasks (RHBZ#2014485)
574ebc
- Set rule package_krb5-workstation_removed as not applicable on RHV (RHBZ#2055149)
574ebc
12e95e
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
12e95e
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2049555)
12e95e
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2049555)
12e95e
- Update chronyd_or_ntpd_set_maxpoll to disregard server and poll directives (RHBZ#2026301)
12e95e
- Fix GRUB2 rule template to configure the module correctly on RHEL8 (RHBZ#2030966)
12e95e
- Update GRUB2 rule descriptions (RHBZ#2014485)
12e95e
- Make package_rear_installed not applicable on AARCH64 (RHBZ#2014485)
12e95e
12e95e
* Fri Feb 11 2022 Watson Sato <wsato@redhat.com> - 0.1.60-2
12e95e
- Update RHEL8 STIG profile to V1R5 (RHBZ#2049555)
12e95e
- Align audit rules for OSPP profile (RHBZ#2000264)
12e95e
- Fix rule selection in ANSSI Enhanced profile (RHBZ#2053587)
12e95e
52a4ce
* Thu Jan 27 2022 Watson Sato <wsato@redhat.com> - 0.1.60-1
52a4ce
- Rebase to a new upstream release (RHBZ#2014485)
52a4ce
97a805
* Wed Dec 01 2021 Watson Sato <wsato@redhat.com> - 0.1.59-1
97a805
- Rebase to a new upstream release (RHBZ#2014485)
97a805
97a805
* Fri Oct 15 2021 Matej Tyc <matyc@redhat.com> - 0.1.58-1
97a805
- Rebase to a new upstream release. (RHBZ#2014485)
97a805
- Add a VM wait handling to fix issues with tests.
d7b557
2e51aa
* Tue Aug 24 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-4
2e51aa
- Fix a value selector in RHEL8 CIS L1 profiles (RHBZ#1993197)
2e51aa
76240a
* Mon Aug 23 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.57-3
76240a
- Fix remaining audit rules file permissions (RHBZ#1993056)
76240a
- Mark a STIG service rule as machine only (RHBZ#1993056)
76240a
- Fix a remaining broken RHEL7 documentation link. (RHBZ#1966577)
76240a
76240a
* Fri Aug 20 2021 Marcus Burghardt <maburgha@redhat.com> - 0.1.57-2
76240a
- Update Ansible login banner fixes to avoid unnecessary updates (RHBZ#1857179)
76240a
- Include tests for Ansible Playbooks that remove and reintroduce files.
76240a
- Update RHEL8 STIG profile to V1R3 (RHBZ#1993056) 
76240a
- Improve Audit Rules remediation to group similar syscalls (RHBZ#1876483)
76240a
- Reestructure RHEL7 and RHEL8 CIS profiles according to the policy (RHBZ#1993197)
76240a
- Add Kickstart files for ISM profile (RHBZ#1955373)
76240a
- Fix broken RHEL7 documentation links (RHBZ#1966577)
76240a
572223
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 0.1.57-1
572223
- Update to the latest upstream release (RHBZ#1966577)
572223
- Enable the ISM profile.
572223
647bb4
* Tue Jun 8 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.56-2
647bb4
- Create subpackage to hold ansible playbooks per rule (RHBZ#1966604)
647bb4
eabbfc
* Tue Jun 01 2021 Watson Sato <wsato@redhat.com> - 0.1.56-1
eabbfc
- Update to the latest upstream release (RHBZ#1966577)
eabbfc
- Add ANSSI High Profile (RHBZ#1955183)
eabbfc
a297d8
* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-5
a297d8
- Remove Kickstart for not shipped profile (RHBZ#1778188)
a297d8
a297d8
* Tue Feb 16 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-4
a297d8
- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
a297d8
a297d8
* Tue Feb 16 2021 Vojtech Polasek <vpolasek@redhat.com> - 0.1.54-3
a297d8
- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
a297d8
a297d8
* Fri Feb 12 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.54-2
a297d8
- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
a297d8
a297d8
* Thu Feb 04 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
a297d8
- Update to the latest upstream release (RHBZ#1889344)
a297d8
- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
a297d8
7303c7
* Fri Jan 08 2021 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-4
7303c7
- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
7303c7
- Fix RHEL6 CPE dictionary (RHBZ#1899059)
7303c7
- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
7303c7
f8899d
* Tue Dec 15 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.53-3
f8899d
- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
f8899d
- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
f8899d
- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
f8899d
- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
f8899d
- Disable usbguard rules on s390x architecture (RHBZ#1899059)
f8899d
971b3e
* Thu Dec 03 2020 Watson Sato <wsato@redhat.com> - 0.1.53-2
971b3e
- Update list of profiles built (RHBZ#1889344)
971b3e
971b3e
* Wed Nov 25 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.53-1
971b3e
- Update to the latest upstream release (RHBZ#1889344)
971b3e
510a3d
* Wed Sep 02 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-14
510a3d
- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
510a3d
510a3d
* Tue Aug 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-13
510a3d
- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
510a3d
814422
* Fri Aug 21 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-12
814422
- remove rationale from rules that contain defective links (rhbz#1854854)
814422
50ad7f
* Thu Aug 20 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-11
50ad7f
- fixed link in a grub2 rule description (rhbz#1854854)
50ad7f
- fixed selinux_all_devicefiles_labeled rule (rhbz#1852367)
50ad7f
- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
50ad7f
540324
* Mon Aug 17 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-10
540324
- Update the scapval invocation (RHBZ#1815007)
540324
- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
540324
- Change the spec file macro invocation from patch to Patch
540324
- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
540324
540324
* Wed Aug 05 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.50-9
540324
- fix description of HIPAA profile (RHBZ#1867559)
540324
40a955
* Fri Jul 17 2020 Watson Sato <wsato@redhat.com> - 0.1.50-8
40a955
- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
40a955
  - Remove CCM from TLS Ciphersuites
40a955
ac2e16
* Mon Jun 29 2020 Matěj Týč <matyc@redhat.com> - 0.1.50-7
ac2e16
- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
ac2e16
ac2e16
* Mon Jun 22 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-6
ac2e16
- Fix rsyslog permissions/ownership rules (RHBZ#1781606)
ac2e16
c99e83
* Thu May 28 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.50-5
c99e83
- Fix SELinux remediation to detect properly current configuration. (RHBZ#1750526)
c99e83
c99e83
* Tue May 26 2020 Watson Sato <wsato@redhat.com> - 0.1.50-4
c99e83
- CIS Ansible fixes (RHBZ#1760734)
c99e83
- HIPAA Ansible fixes (RHBZ#1832760)
c99e83
c99e83
* Mon May 25 2020 Watson Sato <wsato@redhat.com> - 0.1.50-3
c99e83
 - HIPAA Profile (RHBZ#1832760)
c99e83
  - Enable build of RHEL8 HIPAA Profile
c99e83
  - Add kickstarts for HIPAA
c99e83
- CIS Profile (RHBZ#1760734)
c99e83
  - Add Ansible fix for sshd_set_max_sessions
c99e83
  - Add CIS Profile content attribution to Center for Internet Security
c99e83
c99e83
* Fri May 22 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c99e83
- Fix Ansible for no_direct_root_logins
c99e83
- Fix Ansible template for SELinux booleans
c99e83
- Add CCEs to rules in RHEL8 CIS Profile (RHBZ#1760734)
c99e83
c99e83
* Wed May 20 2020 Watson Sato <wsato@redhat.com> - 0.1.50-2
c99e83
- Update selections in RHEL8 CIS Profile (RHBZ#1760734)
c99e83
c99e83
* Tue May 19 2020 Watson Sato <wsato@redhat.com> - 0.1.50-1
c99e83
- Update to the latest upstream release (RHBZ#1815007)
c99e83
f5dd42
* Thu Mar 19 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.49-1
f5dd42
- Update to the latest upstream release (RHBZ#1815007)
f5dd42
54c0d5
* Tue Feb 11 2020 Watson Sato <wsato@redhat.com> - 0.1.48-7
54c0d5
- Update baseline package list of OSPP profile
54c0d5
54c0d5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-6
54c0d5
- Rebuilt with correct spec file
54c0d5
54c0d5
* Thu Feb 06 2020 Watson Sato <wsato@redhat.com> - 0.1.48-5
54c0d5
- Add SRG references to STIG rules (RHBZ#1755447)
54c0d5
54c0d5
* Mon Feb 03 2020 Vojtech Polasek <vpolasek@redhat.com> - 0.1.48-4
54c0d5
- Drop rsyslog rules from OSPP profile
54c0d5
- Update COBIT URI
54c0d5
- Add rules for strong source of RNG entropy
54c0d5
- Enable build of RHEL8 STIG Profile (RHBZ#1755447)
54c0d5
- STIG profile: added rsyslog rules and updated SRG mappings
54c0d5
- Split audit rules according to audit component (RHBZ#1791312)
54c0d5
54c0d5
* Tue Jan 21 2020 Watson Sato <wsato@redhat.com> - 0.1.48-3
54c0d5
- Update crypto-policy test scenarios
54c0d5
- Update max-path-len test to skip tests/logs directory
54c0d5
54c0d5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-2
54c0d5
- Fix list of tables that are generated for RHEL8
54c0d5
54c0d5
* Fri Jan 17 2020 Watson Sato <wsato@redhat.com> - 0.1.48-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.48 release
54c0d5
54c0d5
* Tue Nov 26 2019 Matěj Týč <matyc@redhat.com> - 0.1.47-2
54c0d5
- Improved the e8 profile (RHBZ#1755194)
54c0d5
54c0d5
* Mon Nov 11 2019 Vojtech Polasek <vpolasek@redhat.com> - 0.1.47-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.47 release (RHBZ#1757762)
54c0d5
54c0d5
* Wed Oct 16 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.46-3
54c0d5
- Align SSHD crypto policy algorithms to Common Criteria Requirements. (RHBZ#1762821)
54c0d5
54c0d5
* Wed Oct 09 2019 Watson Sato <wsato@redhat.com> - 0.1.46-2
54c0d5
- Fix evaluaton and remediation of audit rules in PCI-DSS profile (RHBZ#1754919)
54c0d5
54c0d5
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
54c0d5
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
54c0d5
54c0d5
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
54c0d5
- Use crypto-policy rules in OSPP profile.
54c0d5
- Re-enable FIREFOX and JRE product in build.
54c0d5
- Change test suite logging message about missing profile from ERROR to WARNING.
54c0d5
- Build only one version of SCAP content at a time.
54c0d5
54c0d5
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
54c0d5
54c0d5
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
54c0d5
- Ported changelog from late 8.0 builds.
54c0d5
- Disabled build of the OL8 product, updated other components of the cmake invocation.
54c0d5
54c0d5
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
54c0d5
54c0d5
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
54c0d5
- Assign CCE to rules from OSPP profile which were missing the identifier.
54c0d5
- Fix regular expression for Audit rules ordering
54c0d5
- Account for Audit rules flags parameter position within syscall
54c0d5
- Add remediations for Audit rules file path
54c0d5
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
54c0d5
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
54c0d5
- Add a Bash remediation for Audit rules that require ordering
54c0d5
54c0d5
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
54c0d5
- Assign CCE identifier to rules used by RHEL8 profiles.
54c0d5
54c0d5
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
54c0d5
- Fixed Crypto Policy OVAL for NSS
54c0d5
- Got rid of rules requiring packages dropped in RHEL8.
54c0d5
- Profile descriptions fixes.
54c0d5
54c0d5
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
54c0d5
- Update applicable platforms in crypto policy tests
54c0d5
54c0d5
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
54c0d5
- Introduce Podman backend for SSG Test suite
54c0d5
- Update bind and libreswan crypto policy test scenarios
54c0d5
54c0d5
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
54c0d5
- Further fix of profiles descriptions, so they don't contain literal '\'.
54c0d5
- Removed obsolete sshd rule from the OSPP profile.
54c0d5
54c0d5
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
54c0d5
- Fixed profiles descriptions, so they don't contain literal '\n'.
54c0d5
- Made the configure_kerberos_crypto_policy OVAL more robust.
54c0d5
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
54c0d5
54c0d5
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
54c0d5
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
54c0d5
54c0d5
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
54c0d5
- Added FIPS mode rule for the OSPP profile.
54c0d5
- Split the installed_OS_is certified rule.
54c0d5
- Explicitly disabled OSP13, RHV4 and Example products.
54c0d5
54c0d5
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
54c0d5
- Add missing kickstart files for RHEL8
54c0d5
- Disable profiles that are not in good shape for RHEL8
54c0d5
54c0d5
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
54c0d5
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
54c0d5
- System-wide crypto policies are introduced for RHEL8
54c0d5
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
54c0d5
54c0d5
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
54c0d5
- Fix man page and package description
54c0d5
54c0d5
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
54c0d5
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
54c0d5
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
54c0d5
54c0d5
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
54c0d5
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
54c0d5
- Only build content for rhel8 products
54c0d5
54c0d5
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
54c0d5
- Update build of rhel8 content
54c0d5
54c0d5
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
54c0d5
- Enable build of rhel8 content
54c0d5
54c0d5
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
54c0d5
- Fix spec file to build using Python 3
54c0d5
- Fix License because upstream changed to BSD-3
54c0d5
54c0d5
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
54c0d5
54c0d5
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
54c0d5
54c0d5
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
54c0d5
54c0d5
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
54c0d5
54c0d5
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
54c0d5
54c0d5
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
54c0d5
54c0d5
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
54c0d5
- updated to latest upstream release
54c0d5
54c0d5
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
54c0d5
54c0d5
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
54c0d5
- use make_build and make_install RPM macros
54c0d5
54c0d5
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
54c0d5
- update to the latest upstream release
54c0d5
- new default location for content /usr/share/scap/ssg
54c0d5
- install HTML tables in the doc subpackage
54c0d5
54c0d5
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
54c0d5
- Correct currently failing parallel SCAP Security Guide build
54c0d5
54c0d5
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
54c0d5
- Drop shell library for remediation functions since it is not required
54c0d5
  starting from 0.1.30 release any more
54c0d5
54c0d5
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
54c0d5
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
54c0d5
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
54c0d5
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
54c0d5
  in 0.1.29 upstream release
54c0d5
54c0d5
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
54c0d5
54c0d5
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
54c0d5
- upgrade to the latest upstream release
54c0d5
54c0d5
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
54c0d5
- update to the latest upstream release
54c0d5
- created doc sub-package to ship all the guides
54c0d5
- start distributing centos and scientific linux content
54c0d5
- rename java content to jre
54c0d5
54c0d5
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
54c0d5
54c0d5
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
54c0d5
- update to the latest upstream release
54c0d5
- only DataStream file is now available for Fedora
54c0d5
- start distributing security baseline for Firefox
54c0d5
- start distributing security baseline for Java RunTime deployments
54c0d5
54c0d5
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
54c0d5
- update to the latest upstream release
54c0d5
- move content to /usr/share/scap/ssg/content
54c0d5
54c0d5
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
54c0d5
- update to the latest upstream release
54c0d5
54c0d5
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
54c0d5
- require only openscap-scanner, not whole openscap-utils package
54c0d5
54c0d5
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
54c0d5
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
54c0d5
- Add STIG DISCLAIMER to the shipped documentation
54c0d5
54c0d5
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
54c0d5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
54c0d5
54c0d5
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
54c0d5
- Fix fedora-srpm and fedora-rpm Make targets to work again
54c0d5
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
54c0d5
- EOL for Fedora 18 support
54c0d5
- Include Fedora datastream file for remote Fedora system scans
54c0d5
54c0d5
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
54c0d5
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
54c0d5
54c0d5
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
54c0d5
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
54c0d5
  it to /shared
54c0d5
- Add shared remediations for sshd disable empty passwords and
54c0d5
  sshd set idle timeout
54c0d5
- Shared remediation for sshd disable root login
54c0d5
- Add empty -compat subpackage to ensure backward-compatibility with
54c0d5
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
54c0d5
- OVAL check for sshd disable root login
54c0d5
- Fix typo in OVAL check for sshd disable empty passwords
54c0d5
- OVAL check for sshd disable empty passwords
54c0d5
- Unselect no shelllogin for systemaccounts rule from being run by default
54c0d5
- Rename XCCDF rules
54c0d5
- Revert Set up Fedora release name and CPE based on build system properties
54c0d5
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
54c0d5
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
54c0d5
- Shared OVAL check for Verify that System Executables Have Root Ownership
54c0d5
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
54c0d5
  Permissions
54c0d5
- Fix remediation for Disable Prelinking rule
54c0d5
- OVAL check and remediation for sshd's ClientAliveCountMax rule
54c0d5
- OVAL check for sshd's ClientAliveInterval rule
54c0d5
- Include descriptions for permissions section, and rules for checking
54c0d5
  permissions and ownership of shared library files and system executables
54c0d5
- Disable selected rules by default
54c0d5
- Add remediation for Disable Prelinking rule
54c0d5
- Adjust service-enable-macro, service-disable-macro XSLT transforms
54c0d5
  definition to evaluate to proper systemd syntax
54c0d5
- Fix service_ntpd_enabled OVAL check make validate to pass again
54c0d5
- Include patch from Šimon Lukašík to obsolete openscap-content
54c0d5
  package (RH BZ#1028706)
54c0d5
- Add OVAL check to test if there's is remote NTP server configured for
54c0d5
  time data
54c0d5
- Add system settings section for the guide (to track system wide
54c0d5
  hardening configurations)
54c0d5
- Include disable prelink rule and OVAL check for it
54c0d5
- Initial OVAL check if ntpd service is enabled. Add package_installed
54c0d5
  OVAL templating directory structure and functionality.
54c0d5
- Include services section, and XCCDF description for selected ntpd's
54c0d5
  sshd's service rules
54c0d5
- Include remediations for login.defs' based password minimum, maximum and
54c0d5
  warning age rules
54c0d5
- Include directory structure to support remediations
54c0d5
- Add SCAP "replace or append pattern value in text file based on variable"
54c0d5
  remediation script generator
54c0d5
- Add remediation for "Set Password Minimum Length in login.defs" rule
54c0d5
54c0d5
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
54c0d5
- Update versioning scheme - move fedorassgrelease to be part of
54c0d5
  upstream version. Rename it to fedorassgversion to avoid name collision
54c0d5
  with Fedora package release.
54c0d5
54c0d5
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
54c0d5
- Add .gitignore for Fedora output directory
54c0d5
- Set up Fedora release name and CPE based on build system properties
54c0d5
- Use correct file paths in scap-security-guide(8) manual page
54c0d5
  (RH BZ#1018905, c#10)
54c0d5
- Apply further changes motivated by scap-security-guide Fedora RPM review
54c0d5
  request (RH BZ#1018905, c#8):
54c0d5
  * update package description,
54c0d5
  * make content files to be owned by the scap-security-guide package,
54c0d5
  * remove Fedora release number from generated content files,
54c0d5
  * move HTML form of the guide under the doc directory (together
54c0d5
    with that drop fedora/content subdir and place the content
54c0d5
    directly under fedora/ subdir).
54c0d5
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
54c0d5
  * drop Fedora release from package provided files' final path (c#5),
54c0d5
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
54c0d5
    manual page, don't gzip man page (c#4),
54c0d5
  * change package's description (c#4),
54c0d5
  * include PD license text (#c4).
54c0d5
54c0d5
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
54c0d5
- Provide manual page for scap-security-guide
54c0d5
- Remove percent sign from spec's changelog to silence rpmlint warning
54c0d5
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
54c0d5
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
54c0d5
- Introduce 'Account and Access Control' section
54c0d5
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
54c0d5
  rules to Fedora
54c0d5
- Set proper name of the build directory in the spec's setup macro.
54c0d5
- Replace hard-coded paths with macros. Preserve attributes when copying files.
54c0d5
54c0d5
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
54c0d5
- Initial Fedora SSG RPM.