Blame SPECS/scap-security-guide.spec

f04235
%global		redhatssgversion	30
2b7b16
2b7b16
Name:		scap-security-guide
2b7b16
Version:	0.1.%{redhatssgversion}
7a35c8
Release:	5%{?dist}
2b7b16
Summary:	Security guidance and baselines in SCAP formats
2b7b16
2b7b16
Group:		System Environment/Base
2b7b16
License:	Public Domain
fa25b6
URL:		https://github.com/OpenSCAP/scap-security-guide
fa25b6
Source0:	%{name}-%{version}.tar.gz
f04235
Patch1:		scap-security-guide-0.1.25-update-upstream-manual-page.patch
f04235
Patch2:		scap-security-guide-0.1.30-downstream-rhel7-pci-dss-drop-rpm-verify-permissions-rule.patch
f04235
Patch3:		scap-security-guide-0.1.30-rhbz#1351541.patch
f04235
Patch4:		scap-security-guide-0.1.30-rhbz#1344581.patch
f04235
Patch5:		scap-security-guide-0.1.30-rhbz#1351751.patch
f04235
Patch6:		scap-security-guide-0.1.30-downstream-rhbz#1357019.patch
7a35c8
Patch7:		scap-security-guide-0.1.30-zstream-rhbz#1415152.patch
2b7b16
BuildArch:	noarch
2b7b16
fa25b6
BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.5, python-lxml
fa25b6
Requires:	xml-common, openscap-scanner >= 1.2.5
2b7b16
2b7b16
%description
2b7b16
The scap-security-guide project provides a guide for configuration of the
2b7b16
system from the final system's security point of view. The guidance is
2b7b16
specified in the Security Content Automation Protocol (SCAP) format and
2b7b16
constitutes a catalog of practical hardening advice, linked to government
2b7b16
requirements where applicable. The project bridges the gap between generalized
2b7b16
policy requirements and specific implementation guidelines. The Red Hat
2b7b16
Enterprise Linux 7 system administrator can use the oscap command-line tool
2b7b16
from the openscap-utils package to verify that the system conforms to provided
2b7b16
guideline. Refer to scap-security-guide(8) manual page for further information.
2b7b16
fa25b6
%package	doc
fa25b6
Summary:	HTML formatted documents containing security guides generated from XCCDF benchmarks.
fa25b6
Group:		System Environment/Base
fa25b6
Requires:	%{name} = %{version}-%{release}
fa25b6
fa25b6
%description	doc
fa25b6
The %{name}-doc package contains HTML formatted documents containing security guides that have
fa25b6
been generated from XCCDF benchmarks present in %{name} package.
fa25b6
2b7b16
%prep
2b7b16
%setup -q -n %{name}-%{version}
fa25b6
# Update manual page to drop the part dedicated to Fedora content
f04235
%patch1 -p1 -b .man_page_update
fa25b6
# Temporarily drop "Verify and Correct File Permissions with RPM"
fa25b6
# rule from RHEL-7's PCI-DSS profile (RH BZ#1267861)
f04235
%patch2 -p1 -b .rhel7_pcidss_drop_rpm_verify_permissions_rule
f04235
# Fix for RHBZ#1351541
f04235
%patch3 -p1 -b .rhbz#1351541
f04235
# Fix for RHBZ#1344581
f04235
%patch4 -p1 -b .rhbz#1344581
f04235
# Fix for RHBZ#1351751
f04235
%patch5 -p1 -b .rhbz#1351751
f04235
# Downstream fix for RHBZ#1357019 (slightly differs from upstream
f04235
# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1388.patch
f04235
# version because 'smartcard-auth.sh' remediation in upstream got moved
f04235
# to different location already). The rest of the change (except the path)
f04235
# is identical with upstream form
f04235
%patch6 -p1 -b .rhbz#1357019
7a35c8
# Z-stream fix for RHBZ#1415152
7a35c8
# Patch consists of upstream
7a35c8
# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1555.diff
7a35c8
# and modified version of upstream
7a35c8
# https://patch-diff.githubusercontent.com/raw/OpenSCAP/scap-security-guide/pull/1471.diff
7a35c8
# Patch for PR 1471 was modified to remove unrelated changes, and remediations files got
7a35c8
# moved to different location. Also, changes in 'sshd_use_approved_macs.sh' are slightly
7a35c8
# different due to commit c6730b867f6760b94ec193e95484a16054b27f48a).
7a35c8
%patch7 -p1 -b .rhbz#1415152
ee8600
2b7b16
%build
2b7b16
(cd RHEL/7 && make dist)
fa25b6
(cd RHEL/6 && make dist)
fa25b6
(cd Firefox && make dist)
fa25b6
(cd JRE && make dist)
2b7b16
2b7b16
%install
2b7b16
2b7b16
mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
2b7b16
mkdir -p %{buildroot}%{_mandir}/en/man8/
2b7b16
2b7b16
# Add in RHEL-7 core content (SCAP)
fa25b6
cp -a RHEL/7/dist/content/ssg-rhel7-cpe-dictionary.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
fa25b6
cp -a RHEL/7/dist/content/ssg-rhel7-cpe-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
7a35c8
cp -a RHEL/7/dist/content/ssg-rhel7-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
fa25b6
cp -a RHEL/7/dist/content/ssg-rhel7-oval.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
7a35c8
cp -a RHEL/7/dist/content/ssg-rhel7-xccdf.xml %{buildroot}%{_datadir}/xml/scap/ssg/content/
2b7b16
2b7b16
# Add in RHEL-6 datastream (SCAP)
7a35c8
cp -a RHEL/6/dist/content/ssg-rhel6-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
2b7b16
fa25b6
# Add in Firefox datastream (SCAP)
fa25b6
cp -a Firefox/dist/content/ssg-firefox-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
fa25b6
fa25b6
# Add in Java Runtime Environment (JRE) datastream (SCAP)
fa25b6
cp -a JRE/dist/content/ssg-jre-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
fa25b6
f04235
# Add in currently available kickstart files
fa25b6
mkdir -p %{buildroot}%{_datadir}/%{name}/kickstart
f04235
cp -a RHEL/6/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
f04235
cp -a RHEL/7/kickstart/*-ks.cfg %{buildroot}%{_datadir}/%{name}/kickstart
fa25b6
2b7b16
# Add in manpage
fa25b6
cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/scap-security-guide.8
2b7b16
2b7b16
%files
2b7b16
%defattr(-,root,root,-)
2b7b16
%{_datadir}/xml/scap
fa25b6
%{_datadir}/%{name}
2b7b16
%lang(en) %{_mandir}/en/man8/scap-security-guide.8.gz
f04235
%doc RHEL/6/dist/tables/*.html
f04235
%doc RHEL/6/dist/tables/*.xhtml
f04235
%doc RHEL/7/dist/tables/*.html
f04235
%doc RHEL/7/dist/tables/*.xhtml
f04235
%doc ./LICENSE
f04235
%doc RHEL/6/input/auxiliary/DISCLAIMER
fa25b6
fa25b6
%files doc
fa25b6
%defattr(-,root,root,-)
7a35c8
%doc RHEL/6/output/ssg-rhel6-guide-*.html
7a35c8
%doc RHEL/7/output/ssg-rhel7-guide-*.html
f04235
%doc JRE/output/ssg-jre-guide-*.html
f04235
%doc Firefox/output/ssg-firefox-guide-*.html
2b7b16
2b7b16
%changelog
7a35c8
* Tue Feb 14 2017 Watson Sato <wsato@redhat.com> 0.1.30-5
7a35c8
- Fix template remediation function used by SSHD remediation
7a35c8
- Reduce scope of patch that fixes SSHD remediation (RH BZ#1415152)
ee8600
7a35c8
* Tue Jan 31 2017 Jan Watson Sato <wsato@redhat.com> 0.1.30-4
7a35c8
- Correct remediation for SSHD which caused it not to start (RH BZ#1415152)
ee8600
f04235
* Wed Aug 10 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-3
f04235
- Correct the remediation script for 'Enable Smart Card Login' rule
f04235
  for Red Hat Enterprise Linux 7 (RH BZ#1357019)
f04235
f04235
* Thu Jul 14 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-2
f04235
- Fix issue of two STIG profiles for Red Hat Enterprise Linux 6 benchmark
f04235
  having the identical title (RH BZ#1351541)
f04235
- Enhance the shared OVAL check for 'Set Deny For Failed Password Attempts'
f04235
  rule and also Red Hat Enterprise Linux 7 OVAL check for 'Configure the root
f04235
  Account for Failed Password Attempts' rule to report correct system status
f04235
  WRT to these requirements also in the case the SSSD daemon is used
f04235
  (RH BZ#1344581)
f04235
- Include currently available kickstart files and produced HTML tables for
f04235
  Red Hat Enterprise Linux 6 and 7 products into the produced RPM package
f04235
  (RH BZ#1351751)
f04235
f04235
* Wed Jun 22 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.30-1
f04235
- Update to upstream's 0.1.30 release:
f04235
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
f04235
  (RH BZ#1289533)
f04235
- Drop remediation functions library since starting from 0.1.30 release
f04235
  remediation scripts are part of the benchmarks directly
f04235
- Drop three patches that have been accepted upstream in the meantime
f04235
- Update drop-rpm-verify-permissions-rule patch to work properly against
f04235
  0.1.30 release
6c1a7a
fa25b6
* Fri Oct 02 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-3
fa25b6
- Drop "Verify and Correct File Permissions with RPM" rule from the PCI-DSS
fa25b6
  profile for Red Hat Enterprise Linux 7 (RH BZ#1267861)
fa25b6
fa25b6
* Wed Sep 09 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-2
fa25b6
- Update R and BR for the openscap-scanner package to 1.2.5 per RHBZ#1202762#c7
fa25b6
fa25b6
* Wed Aug 19 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.25-1
fa25b6
- Rebase to upstream 0.1.25 release
fa25b6
fa25b6
* Tue Aug 04 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-4
fa25b6
- Fix false-positive in OVAL check for 'accounts_passwords_pam_faillock_deny'
fa25b6
  rule
fa25b6
fa25b6
* Mon Aug 03 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-3
fa25b6
- Add remediation script for 'accounts_passwords_pam_faillock_unlock_time' rule
fa25b6
  for Red Hat Enterprise Linux 7 product
fa25b6
- Override title and description for all existing profiles for Red Hat
fa25b6
  Enterprise Linux 6 product that are extending another SCAP profile
fa25b6
  (RHBZ#1246529)
fa25b6
- Correct various issues in the included Oscap Anaconda Addon PCI-DSS profile
fa25b6
  kickstart file for Red Hat Enterprise Linux 7 product
fa25b6
- Add remediation script for 'audit_rules_time_clock_settime' rule for
fa25b6
  Red Hat Enterprise Linux 7 product
fa25b6
- Add remediation scripts for 'audit_rules_time_adjtimex',
fa25b6
  'audit_rules_time_settimeofday', and 'audit_rules_time_stime' rules for
fa25b6
  Red Hat Enterprise Linux 7 product
fa25b6
- Tag current PCI-DSS profile for Red Hat Enterprise Linux 7 product with
fa25b6
  "Draft" label
fa25b6
- Disable the following rules in the PCI-DSS profile for the Red Hat Enterprise
fa25b6
  Linux 7 product:
fa25b6
  * dconf_gnome_screensaver_idle_delay -- missing remediation script,
fa25b6
  * dconf_gnome_screensaver_idle_activation -- missing remediation script,
fa25b6
  * dconf_gnome_screensaver_lock_enabled -- missing remediation script,
fa25b6
  * audit_rules_login_events -- incorrect OVAL check (upstream issue #607),
fa25b6
  * audit_rules_privileged_commands -- missing remediation script, and
fa25b6
  * audit_rules_immutable -- missing remediation script.
fa25b6
fa25b6
* Mon Aug 03 2015 Martin Preisler <mpreisle@redhat.com> 0.1.24-2
fa25b6
- Break-down firewalld rule description for Red Hat Enterprise Linux 7 product
fa25b6
  into multiple lines, prevents HTML guide UX issues
fa25b6
fa25b6
* Tue Jul 07 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.24-1
fa25b6
- Rebase to upstream scap-security-guide-0.1.24 version
fa25b6
- Start producing the -doc subpackage to provide the HTML formatted
fa25b6
  documents containing security guides generated from shipped XCCDF benchmarks
fa25b6
fa25b6
* Mon Jun 22 2015 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.23-1
fa25b6
- Rebase to upstream scap-security-guide-0.1.23 version
fa25b6
- Update upstream tarball source URL to GitHub archive location
fa25b6
- Drop the following patches that have been accepted upstream:
fa25b6
  * scap-security-guide-0.1.19-rhel7-include-only-rht-ccp-profile.patch
fa25b6
  * scap-security-guide-0.1.19-rhel7-drop-restorecond-since-in-optional.patch
fa25b6
  * scap-security-guide-0.1.19-update-man-page-for-rhel7-content.patch
fa25b6
  * scap-security-guide-0.1.19-rhel7-update-pam-XCCDF-to-use-pam_pwquality.patch
fa25b6
  * scap-security-guide-0.1.20-rhel7-shared-fix-limit-password-reuse-remediation.patch
fa25b6
  * scap-security-guide-0.1.20-rhel6-rhel7-PR#280-set-deny-prerequisite-#1.patch
fa25b6
  * scap-security-guide-0.1.20-rhel6-rhel7-set-deny-prerequisite-#2.patch
fa25b6
  * scap-security-guide-0.1.20-shared-fix-set-deny-for-failed-password-attempts-remediation.patch
fa25b6
  * scap-security-guide-0.1.20-rhel7-specify-exact-profile-name-when-generating-guide.patch
fa25b6
- Include the datastream versions of Firefox and Java Runtime Environment (JRE) benchmarks
fa25b6
- Include USGCB and DISA STIG profile kickstart files for Red Hat Enterprise Linux 6
fa25b6
2b7b16
* Tue Oct 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-2
2b7b16
- Fix Limit Password Reuse remediation script error
2b7b16
- Fix Set Deny For Failed Password Attempts remediation script error
2b7b16
- Use RHT-CCP profile name when generating HTML guide
2b7b16
- Describe RHT-CCP profile in the manual page
2b7b16
2b7b16
* Mon Sep 29 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.19-1
2b7b16
- Include RHEL-7 content (RHT-CCP profile only)
2b7b16
- Drop RHEL-7 restorecond XCCDF rule since policycoreutils-restorecond in Optional channel
2b7b16
- Drop RHEL-7 cpuspeed XCCDF rule since obsoleted by cpupower from kernel-tools
2b7b16
- Update manual page to be more appropriate for RHEL-7
2b7b16
- Drop RHEL-6 C2S profile update patch since merged upstream
2b7b16
2b7b16
* Tue Sep 02 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-4
2b7b16
- Initial build for Red Hat Enterprise Linux 7
2b7b16
2b7b16
* Thu Aug 28 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-3
2b7b16
- Update C2S profile <description> per request from CIS
2b7b16
2b7b16
* Thu Jun 26 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-2
2b7b16
- Include the upstream STIG for RHEL 6 Server profile disclaimer file too
2b7b16
2b7b16
* Sun Jun 22 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.18-1
2b7b16
- Make new 0.1.18 release
2b7b16
2b7b16
* Wed May 14 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-2
2b7b16
- Drop vendor line from the spec file. Let the build system to provide it.
2b7b16
2b7b16
* Fri May 09 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.17-1
2b7b16
- Upgrade to upstream 0.1.17 version
2b7b16
2b7b16
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-2
2b7b16
- Initial RPM for RHEL base channels
2b7b16
2b7b16
* Mon May 05 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.16-1
2b7b16
- Change naming scheme (0.1-16 => 0.1.16-1)
2b7b16
2b7b16
* Fri Feb 21 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-16
2b7b16
- Include datastream file into RHEL6 RPM package too
2b7b16
- Bump version
2b7b16
2b7b16
* Tue Dec 24 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc2
2b7b16
+ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
2b7b16
2b7b16
* Mon Dec 23 2013 Shawn Wells <shawn@redhat.com> 0.1-16.rc1
2b7b16
- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
2b7b16
  system-auth symlink. Added --follow-symlink to sed command.
2b7b16
2b7b16
* Fri Nov 01 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15
2b7b16
- Version bump
2b7b16
2b7b16
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc5
2b7b16
- Point the spec's source to proper remote tarball location
2b7b16
- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
2b7b16
2b7b16
* Sat Oct 26 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc4
2b7b16
- Don't include the table html files two times
2b7b16
- Remove makewhatis
2b7b16
2b7b16
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc3
2b7b16
- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
2b7b16
- Numberous XCCDF->OVAL naming schema updates
2b7b16
- All rules now have CCE
2b7b16
2b7b16
* Fri Oct 25 2013 Shawn Wells <shawn@redhat.com> 0.1-15.rc2
2b7b16
- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
2b7b16
2b7b16
* Fri Oct 25 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-15.rc1
2b7b16
- Apply spec file changes required by review request (RH BZ#1018905)
2b7b16
2b7b16
* Thu Oct 24 2013 Shawn Wells <shawn@redhat.com> 0.1-14
2b7b16
- Formal RPM release
2b7b16
- Inclusion of rht-ccp profile
2b7b16
- OVAL unit testing patches
2b7b16
- Bash remediation patches
2b7b16
- Bugfixes
2b7b16
2b7b16
* Mon Oct 07 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-14.rc1
2b7b16
- Change RPM versioning scheme to include release into tarball
2b7b16
2b7b16
* Sat Sep 28 2013 Shawn Wells <shawn@redhat.com> 0.1-13
2b7b16
- Updated RPM spec file to fix rpmlint warnings
2b7b16
2b7b16
* Wed Jun 26 2013 Shawn Wells <shawn@redhat.com> 0.1-12
2b7b16
- Updated RPM version to 0.1-12
2b7b16
2b7b16
* Fri Apr 26 2013 Shawn Wells <shawn@redhat.com> 0.1-11
2b7b16
- Significant amount of OVAL bugfixes
2b7b16
- Incorporation of Draft RHEL/6 STIG feedback
2b7b16
2b7b16
* Sat Feb 16 2013 Shawn Wells <shawn@redhat.com> 0.1-10
2b7b16
- `man scap-security-guide`
2b7b16
- OVAL bug fixes
2b7b16
- NIST 800-53 mappings update
2b7b16
2b7b16
* Wed Nov 28 2012 Shawn Wells <shawn@redhat.com> 0.1-9
2b7b16
- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
2b7b16
- Reverting to noarch RPM
2b7b16
2b7b16
* Tue Nov 27 2012 Shawn Wells <shawn@redhat.com> 0.1-8
2b7b16
- Significant copy editing to XCCDF rules per community
2b7b16
  feedback on the DISA RHEL/6 STIG Initial Draft
2b7b16
2b7b16
* Thu Nov 1 2012 Shawn Wells <shawn@redhat.com> 0.1-7
2b7b16
- Corrected XCCDF content errors
2b7b16
- OpenSCAP now supports CPE dictionaries, important to
2b7b16
  utilize --cpe-dict when scanning machines with OpenSCAP,
2b7b16
  e.g.:
2b7b16
  $ oscap xccdf eval --profile stig-server \
2b7b16
   --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
2b7b16
2b7b16
* Mon Oct 22 2012 Shawn Wells <shawn@redhat.com> 0.1-6
2b7b16
- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
2b7b16
- Updated RPM includes feedback received from DoD Consensus meetings
2b7b16
2b7b16
* Fri Oct 5  2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-5
2b7b16
- Adjusted installation directory to /usr/share/xml/scap.
2b7b16
2b7b16
* Tue Aug 28  2012 Spencer Shimko <sshimko@tresys.com> 1.0-4
2b7b16
- Fix BuildRequires and Requires.
2b7b16
2b7b16
* Tue Jul 3 2012 Jeffrey Blank <blank@eclipse.ncsc.mil> 1.0-3
2b7b16
- Modified install section, made description more concise.
2b7b16
2b7b16
* Thu Apr 19 2012 Spencer Shimko <sshimko@tresys.com> 1.0-2
2b7b16
- Minor updates to pass some variables in from build system.
2b7b16
2b7b16
* Mon Apr 02 2012 Shawn Wells <shawn@redhat.com> 1.0-1
2b7b16
- First attempt at SSG RPM. May ${deity} help us...