Blame SPECS/scap-security-guide.spec

575137
Name:		scap-security-guide
d0bfd3
Version:	0.1.46
d0bfd3
Release:	1%{?dist}
575137
Summary:	Security guidance and baselines in SCAP formats
575137
Group:		Applications/System
575137
License:	BSD
575137
URL:		https://github.com/ComplianceAsCode/content/
575137
Source0:	https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
d0bfd3
# Patch enables only OSPP and PCI-DSS profiles in RHEL8 datastream
d0bfd3
Patch0:		disable-not-in-good-shape-profiles.patch
575137
BuildArch:	noarch
575137
575137
# To get python3 inside the buildroot require its path explicitly in BuildRequires
575137
BuildRequires: /usr/bin/python3
575137
BuildRequires:	libxslt, expat, openscap-scanner >= 1.2.5, python3-lxml, cmake >= 2.8, python3-jinja2, python3-PyYAML
575137
Requires:	xml-common, openscap-scanner >= 1.2.5
575137
Obsoletes:	openscap-content < 0:0.9.13
575137
Provides:	openscap-content
575137
575137
%description
575137
The scap-security-guide project provides a guide for configuration of the
575137
system from the final system's security point of view. The guidance is specified
575137
in the Security Content Automation Protocol (SCAP) format and constitutes
575137
a catalog of practical hardening advice, linked to government requirements
575137
where applicable. The project bridges the gap between generalized policy
575137
requirements and specific implementation guidelines. The Red Hat Enterprise
575137
Linux 8 system administrator can use the oscap CLI tool from openscap-scanner
575137
package, or the scap-workbench GUI tool from scap-workbench package to verify
575137
that the system conforms to provided guideline. Refer to scap-security-guide(8)
575137
manual page for further information.
575137
575137
%package	doc
575137
Summary:	HTML formatted security guides generated from XCCDF benchmarks
575137
Group:		System Environment/Base
575137
Requires:	%{name} = %{version}-%{release}
575137
575137
%description	doc
575137
The %{name}-doc package contains HTML formatted documents containing
575137
hardening guidances that have been generated from XCCDF benchmarks
575137
present in %{name} package.
575137
575137
%prep
575137
%setup -q
575137
%patch0 -p1
575137
mkdir build
575137
575137
%build
575137
cd build
575137
%cmake \
d0bfd3
-DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \
d0bfd3
-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
d0bfd3
-DSSG_PRODUCT_JRE:BOOLEAN=TRUE \
575137
-DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
575137
-DSSG_SCIENTIFIC_LINUX_DERIVATIVES_ENABLED:BOOL=OFF ../
575137
%make_build
575137
575137
%install
575137
cd build
575137
%make_install
575137
575137
%files
575137
%{_datadir}/xml/scap/ssg/content
575137
%{_datadir}/%{name}/kickstart
575137
%{_datadir}/%{name}/ansible
575137
%{_datadir}/%{name}/bash
575137
%lang(en) %{_mandir}/man8/scap-security-guide.8.*
575137
%doc %{_docdir}/%{name}/LICENSE
575137
%doc %{_docdir}/%{name}/README.md
575137
%doc %{_docdir}/%{name}/Contributors.md
575137
575137
%files doc
575137
%doc %{_docdir}/%{name}/guides/*.html
575137
%doc %{_docdir}/%{name}/tables/*.html
575137
575137
%changelog
d0bfd3
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 0.1.46-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.46 release
d0bfd3
- Align OSPP Profile with Common Criteria Requirements (RHBZ#1714798)
d0bfd3
d0bfd3
* Wed Aug 07 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-2
d0bfd3
- Use crypto-policy rules in OSPP profile.
d0bfd3
- Re-enable FIREFOX and JRE product in build.
d0bfd3
- Change test suite logging message about missing profile from ERROR to WARNING.
d0bfd3
- Build only one version of SCAP content at a time.
d0bfd3
d0bfd3
* Tue Aug 06 2019 Milan Lysonek <mlysonek@redhat.com> - 0.1.45-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.45 release
d0bfd3
d0bfd3
* Mon Jun 17 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-2
d0bfd3
- Ported changelog from late 8.0 builds.
d0bfd3
- Disabled build of the OL8 product, updated other components of the cmake invocation.
d0bfd3
d0bfd3
* Fri Jun 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.44-1
d0bfd3
- Update to latest upstream SCAP-Security-Guide-0.1.44 release
d0bfd3
575137
* Mon Mar 11 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-11
575137
- Assign CCE to rules from OSPP profile which were missing the identifier.
575137
- Fix regular expression for Audit rules ordering
575137
- Account for Audit rules flags parameter position within syscall
575137
- Add remediations for Audit rules file path
575137
- Add Audit rules for modification of /etc/shadow and /etc/gshadow
575137
- Add Ansible and Bash remediations for directory_access_var_log_audit rule
575137
- Add a Bash remediation for Audit rules that require ordering
575137
575137
* Thu Mar 07 2019 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-10
575137
- Assign CCE identifier to rules used by RHEL8 profiles.
575137
575137
* Thu Feb 14 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-9
575137
- Fixed Crypto Policy OVAL for NSS
575137
- Got rid of rules requiring packages dropped in RHEL8.
575137
- Profile descriptions fixes.
575137
575137
* Tue Jan 22 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-8
575137
- Update applicable platforms in crypto policy tests
575137
575137
* Mon Jan 21 2019 Jan Černý <jcerny@redhat.com> - 0.1.42-7
575137
- Introduce Podman backend for SSG Test suite
575137
- Update bind and libreswan crypto policy test scenarios
575137
575137
* Fri Jan 11 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-6
575137
- Further fix of profiles descriptions, so they don't contain literal '\'.
575137
- Removed obsolete sshd rule from the OSPP profile.
575137
575137
* Tue Jan 08 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-5
575137
- Fixed profiles descriptions, so they don't contain literal '\n'.
575137
- Made the configure_kerberos_crypto_policy OVAL more robust.
575137
- Made OVAL for libreswan and bind work as expected when those packages are not installed.
575137
575137
* Wed Jan 02 2019 Matěj Týč <matyc@redhat.com> - 0.1.42-4
575137
- Fixed the regression of enable_fips_mode missing OVAL due to renamed OVAL defs.
575137
575137
* Tue Dec 18 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-3
575137
- Added FIPS mode rule for the OSPP profile.
575137
- Split the installed_OS_is certified rule.
575137
- Explicitly disabled OSP13, RHV4 and Example products.
575137
575137
* Mon Dec 17 2018 Gabriel Becker <ggasparb@redhat.com> - 0.1.42-2
575137
- Add missing kickstart files for RHEL8
575137
- Disable profiles that are not in good shape for RHEL8
575137
575137
* Wed Dec 12 2018 Matěj Týč <matyc@redhat.com> - 0.1.42-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.42 release:
575137
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
575137
- System-wide crypto policies are introduced for RHEL8
575137
- Patches introduced the RHEL8 product were dropped, as it has been upstreamed.
575137
575137
* Wed Oct 10 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-2
575137
- Fix man page and package description
575137
575137
* Mon Oct 08 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.41-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.41 release:
575137
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.41
575137
- Add RHEL8 Product with OSPP4.2 and PCI-DSS Profiles
575137
575137
* Mon Aug 13 2018 Watson Sato <wsato@redhat.com> - 0.1.40-3
575137
- Use explicit path BuildRequires to get /usr/bin/python3 inside the buildroot
575137
- Only build content for rhel8 products
575137
575137
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-2
575137
- Update build of rhel8 content
575137
575137
* Fri Aug 10 2018 Watson Sato <wsato@redhat.com> - 0.1.40-1
575137
- Enable build of rhel8 content
575137
575137
* Fri May 18 2018 Jan Černý <jcerny@redhat.com> - 0.1.39-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.39 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.39
575137
- Fix spec file to build using Python 3
575137
- Fix License because upstream changed to BSD-3
575137
575137
* Mon Mar 05 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.38-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.38 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.38
575137
575137
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.37-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
575137
575137
* Thu Jan 04 2018 Watson Yuuma Sato <wsato@redhat.com> - 0.1.37-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.37 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.37
575137
575137
* Wed Nov 01 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.1.36-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.36 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.36
575137
575137
* Tue Aug 29 2017 Watson Sato <wsato@redhat.com> - 0.1.35-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.35 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35
575137
575137
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.34-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
575137
575137
* Mon Jul 03 2017 Watson Sato <wsato@redhat.com> - 0.1.34-1
575137
- updated to latest upstream release
575137
575137
* Mon May 01 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.33-1
575137
- updated to latest upstream release
575137
575137
* Thu Mar 30 2017 Martin Preisler <mpreisle@redhat.com> - 0.1.32-1
575137
- updated to latest upstream release
575137
575137
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.31-3
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
575137
575137
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-2
575137
- use make_build and make_install RPM macros
575137
575137
* Mon Nov 28 2016 Martin Preisler <mpreisle@redhat.com> - 0.1.31-1
575137
- update to the latest upstream release
575137
- new default location for content /usr/share/scap/ssg
575137
- install HTML tables in the doc subpackage
575137
575137
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-2
575137
- Correct currently failing parallel SCAP Security Guide build
575137
575137
* Mon Jun 27 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.30-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.30 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.30
575137
- Drop shell library for remediation functions since it is not required
575137
  starting from 0.1.30 release any more
575137
575137
* Thu May 05 2016 Jan iankko Lieskovsky <jlieskov@redhat.com> - 0.1.29-1
575137
- Update to latest upstream SCAP-Security-Guide-0.1.29 release:
575137
  https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.29
575137
- Do not ship Firefox/DISCLAIMER documentation file since it has been removed
575137
  in 0.1.29 upstream release
575137
575137
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.1.28-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
575137
575137
* Wed Jan 20 2016 Šimon Lukašík <slukasik@redhat.com> - 0.1.28-1
575137
- upgrade to the latest upstream release
575137
575137
* Fri Dec 11 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.27-1
575137
- update to the latest upstream release
575137
575137
* Tue Oct 20 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.26-1
575137
- update to the latest upstream release
575137
575137
* Sat Sep 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.25-1
575137
- update to the latest upstream release
575137
575137
* Thu Jul 09 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.24-1
575137
- update to the latest upstream release
575137
- created doc sub-package to ship all the guides
575137
- start distributing centos and scientific linux content
575137
- rename java content to jre
575137
575137
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.22-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
575137
575137
* Tue May 05 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.22-1
575137
- update to the latest upstream release
575137
- only DataStream file is now available for Fedora
575137
- start distributing security baseline for Firefox
575137
- start distributing security baseline for Java RunTime deployments
575137
575137
* Wed Mar 04 2015 Šimon Lukašík <slukasik@redhat.com> - 0.1.21-1
575137
- update to the latest upstream release
575137
- move content to /usr/share/scap/ssg/content
575137
575137
* Thu Oct 02 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.19-1
575137
- update to the latest upstream release
575137
575137
* Mon Jul 14 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-4
575137
- require only openscap-scanner, not whole openscap-utils package
575137
575137
* Tue Jul 01 2014 Šimon Lukašík <slukasik@redhat.com> - 0.1.5-3
575137
- Rebase the RHEL part of SSG to the latest upstream version (0.1.18)
575137
- Add STIG DISCLAIMER to the shipped documentation
575137
575137
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.1.5-2
575137
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
575137
575137
* Thu Feb 27 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.5-1
575137
- Fix fedora-srpm and fedora-rpm Make targets to work again
575137
- Include RHEL-6 and RHEL-7 datastream files to support remote RHEL system scans
575137
- EOL for Fedora 18 support
575137
- Include Fedora datastream file for remote Fedora system scans
575137
575137
* Mon Jan 06 2014 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-2
575137
- Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)
575137
575137
* Fri Dec 20 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.4-1
575137
- Fix remediation for sshd set keepalive (ClientAliveCountMax) and move
575137
  it to /shared
575137
- Add shared remediations for sshd disable empty passwords and
575137
  sshd set idle timeout
575137
- Shared remediation for sshd disable root login
575137
- Add empty -compat subpackage to ensure backward-compatibility with
575137
  openscap-content and firstaidkit-plugin-openscap packages (RH BZ#1040335)
575137
- OVAL check for sshd disable root login
575137
- Fix typo in OVAL check for sshd disable empty passwords
575137
- OVAL check for sshd disable empty passwords
575137
- Unselect no shelllogin for systemaccounts rule from being run by default
575137
- Rename XCCDF rules
575137
- Revert Set up Fedora release name and CPE based on build system properties
575137
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
575137
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
575137
- Shared OVAL check for Verify that System Executables Have Root Ownership
575137
- Shared OVAL check for Verify that Shared Library Files Have Restrictive
575137
  Permissions
575137
- Fix remediation for Disable Prelinking rule
575137
- OVAL check and remediation for sshd's ClientAliveCountMax rule
575137
- OVAL check for sshd's ClientAliveInterval rule
575137
- Include descriptions for permissions section, and rules for checking
575137
  permissions and ownership of shared library files and system executables
575137
- Disable selected rules by default
575137
- Add remediation for Disable Prelinking rule
575137
- Adjust service-enable-macro, service-disable-macro XSLT transforms
575137
  definition to evaluate to proper systemd syntax
575137
- Fix service_ntpd_enabled OVAL check make validate to pass again
575137
- Include patch from Šimon Lukašík to obsolete openscap-content
575137
  package (RH BZ#1028706)
575137
- Add OVAL check to test if there's is remote NTP server configured for
575137
  time data
575137
- Add system settings section for the guide (to track system wide
575137
  hardening configurations)
575137
- Include disable prelink rule and OVAL check for it
575137
- Initial OVAL check if ntpd service is enabled. Add package_installed
575137
  OVAL templating directory structure and functionality.
575137
- Include services section, and XCCDF description for selected ntpd's
575137
  sshd's service rules
575137
- Include remediations for login.defs' based password minimum, maximum and
575137
  warning age rules
575137
- Include directory structure to support remediations
575137
- Add SCAP "replace or append pattern value in text file based on variable"
575137
  remediation script generator
575137
- Add remediation for "Set Password Minimum Length in login.defs" rule
575137
575137
* Mon Nov 18 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1.3-1
575137
- Update versioning scheme - move fedorassgrelease to be part of
575137
  upstream version. Rename it to fedorassgversion to avoid name collision
575137
  with Fedora package release.
575137
575137
* Tue Oct 22 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-3
575137
- Add .gitignore for Fedora output directory
575137
- Set up Fedora release name and CPE based on build system properties
575137
- Use correct file paths in scap-security-guide(8) manual page 
575137
  (RH BZ#1018905, c#10)
575137
- Apply further changes motivated by scap-security-guide Fedora RPM review
575137
  request (RH BZ#1018905, c#8):
575137
  * update package description,
575137
  * make content files to be owned by the scap-security-guide package,
575137
  * remove Fedora release number from generated content files,
575137
  * move HTML form of the guide under the doc directory (together
575137
    with that drop fedora/content subdir and place the content
575137
    directly under fedora/ subdir).
575137
- Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905):
575137
  * drop Fedora release from package provided files' final path (c#5),
575137
  * drop BuildRoot, selected Requires:, clean section, drop chcon for
575137
    manual page, don't gzip man page (c#4),
575137
  * change package's description (c#4),
575137
  * include PD license text (#c4).
575137
575137
* Mon Oct 14 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-2
575137
- Provide manual page for scap-security-guide
575137
- Remove percent sign from spec's changelog to silence rpmlint warning
575137
- Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
575137
- Convert RHEL6 'Set Password Expiration Parameter' rules to Fedora
575137
- Introduce 'Account and Access Control' section
575137
- Convert RHEL6 'Verify Proper Storage and Existence of Password Hashes' section's
575137
  rules to Fedora
575137
- Set proper name of the build directory in the spec's setup macro.
575137
- Replace hard-coded paths with macros. Preserve attributes when copying files.
575137
575137
* Tue Sep 17 2013 Jan iankko Lieskovsky <jlieskov@redhat.com> 0.1-1
575137
- Initial Fedora SSG RPM.