Sync from SUSE:SLFO:1.1 scap-security-guide revision 154d598166c2f67e5e46ced067fa0fb0

scap-security-guide.changes

@@ -1,3 +1,63 @@
+-------------------------------------------------------------------
+Tue Dec 16 11:25:18 UTC 2025 - Boychev <svetlin.boychev@suse.com>
+
+- updated to 0.1.79 (jsc#ECO-3319)
+    - Add rhcos4 Profile for BSI Grundschutz
+    - Create SLE15 general profile
+    - Fix crypto policy settings in RHEL CIS profiles
+    - Remove deprecated CIS OpenShift 1.4.0 and 1.5.0 profiles
+    - Remove OCP STIG V1R1
+    - Remove OCP STIG V2R1
+    - Various updates for SLE 12/15
+
+-------------------------------------------------------------------
+Mon Sep 29 11:36:05 UTC 2025 - Boychev <svetlin.boychev@suse.com>
+
+- updated to 0.1.78 (jsc#ECO-3319)
+    - Enable SCE content for problematic rules that can traverse the whole filesystem
+    - Remove unnecessary Jinja2 macros in control files
+    - Update RHEL 8 STIG to V2R4 and RHEL 9 STIG to V2R5
+    - Add Debian 13 profile for ANSSI BP 28 (enhanced)
+    - Create SLEM5 General profile
+    - Create SL Micro 6 product and general profile
+    - Update SLE15 STIG version to V2R5
+    - Update SLE12 STIG version to V3R3
+    - Update SLEM5 STIG version to V1R2
+- Remove the cis profiles from all products
+
+-------------------------------------------------------------------
+Thu Aug 21 08:24:36 UTC 2025 - Boychev <svetlin.boychev@suse.com>
+
+- Remove the cis profiles from the tarball 
+
+-------------------------------------------------------------------
+Thu Aug 21 07:26:39 UTC 2025 - Boychev <svetlin.boychev@suse.com>
+
+- Remove ssg-remove-cis.patch: tarball
+- Add check if cis profiles exists in the tarball
+
+-------------------------------------------------------------------
+Wed Jul 30 07:41:26 UTC 2025 - Boychev <svetlin.boychev@suse.com>
+
+- ssg-remove-cis.patch: remove cis profiles 
+- Update description: remove cis profiles 
+
+-------------------------------------------------------------------
+Tue Jun 24 08:15:38 UTC 2025 - Marcus Meissner <meissner@suse.com>
+
+- buildrequire cmake3 on older SLES versions for build
+
+-------------------------------------------------------------------
+Thu Jun 12 09:12:01 UTC 2025 - Rumen Chikov <rumen.chikov@suse.com>
+
+- updated to 0.1.77 (jsc#ECO-3319)
+    - Introduce Architecture Decisions Records 
+    - Move stablization to the third Monday of the second month 
+    - Remove CCI References 
+    - Remove macOS content 
+- removed ssg-fix-python.patch: upstream
+- Added support for tencentos4
+ 
 -------------------------------------------------------------------
 Sun Mar 23 10:12:12 UTC 2025 - Marcus Meissner <meissner@suse.com>
 

scap-security-guide.spec

@@ -16,7 +16,7 @@
 #
 
 
-%if ! (0%{?fedora} || 0%{?rhel} > 5) || 0%{?alma} >= 9
+%if ! (0%{?fedora} || 0%{?rhel} > 5) || 0%{?alma} >= 9 || 0%{?tencentos} >= 4
 %if "%{_vendor}" == "debbuild"
 %global __python /usr/bin/python3
 %endif
@@ -24,25 +24,25 @@
 %{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 %endif
 
-%if 0%{?fedora} || 0%{?rhel} >= 8 || 0%{?alma} >=9
+%if 0%{?fedora} || 0%{?rhel} >= 8 || 0%{?alma} >=9 || 0%{?tencentos} >= 4
 %{!?pylint_check: %global pylint_check 0}
 %endif
 
-%if 0%{?fedora} || 0%{?suse_version} > 1320 || 0%{?rhel} >= 8 || 0%{?alma} >=9 || "%{_vendor}" == "debbuild"
+%if 0%{?fedora} || 0%{?suse_version} > 1320 || 0%{?rhel} >= 8 || 0%{?alma} >=9 || 0%{?tencentos} >= 4  ||  "%{_vendor}" == "debbuild"
 %global build_py3   1
 %if "%{_vendor}" != "debbuild"
 %global python_sitelib %{python3_sitelib}
 %endif
 %endif
 
-%if 0%{?fedora} || 0%{?rhel} >= 8 || 0%{?alma} >= 9
+%if 0%{?fedora} || 0%{?rhel} >= 8 || 0%{?alma} >= 9 || 0%{?tencentos} >= 4
 %global python2prefix python2
 %else
 %global python2prefix python
 %endif
 
 Name:           scap-security-guide
-Version:        0.1.76
+Version:        0.1.79
 Release:        0
 Summary:        XCCDF files for SUSE Linux and openSUSE
 License:        BSD-3-Clause
@@ -51,7 +51,6 @@ URL:            https://github.com/ComplianceAsCode/content
 Packager:       SUSE Security Team <security@suse.de>
 %endif
 Source:         https://github.com/ComplianceAsCode/content/archive/v%{version}.tar.gz
-Patch0:         ssg-fix-python.patch
 
 # explicit require what is needed by the detection logic in the scripts
 Requires:       coreutils
@@ -62,7 +61,11 @@ Requires:       sed
 Requires:       sudo
 Requires:       zypper
 
+%if 0%{?suse_version} && 0%{?suse_version} < 1520
+BuildRequires:  cmake3 >= 3.5
+%else
 BuildRequires:  cmake >= 3.5
+%endif
 
 %if "%{_vendor}" == "debbuild"
 %{!?_licensedir:%global license %%doc}
@@ -89,6 +92,10 @@ BuildRequires:  python3
 BuildRequires:  python3
 %endif
 
+%if 0%{?tencentos} == 4
+BuildRequires:  python3
+%endif
+
 %if 0%{?suse_version}
 BuildRequires:  python3-xml
 %endif
@@ -102,6 +109,9 @@ BuildRequires:  python3-pyyaml
 %if 0%{?alma} == 9
 BuildRequires:  python3-pyyaml
 %else
+%if 0%{?tencentos} == 4
+BuildRequires:  python3-pyyaml
+%else
 %if "%{_vendor}" == "debbuild"
 BuildRequires:  python3-yaml
 %else
@@ -110,7 +120,7 @@ BuildRequires:  python3-PyYAML
 %endif
 %endif
 %endif
-
+%endif
 %if 0%{?rhel} == 7
 BuildRequires:  python-jinja2
 %else
@@ -120,6 +130,9 @@ BuildRequires:  python3-jinja2
 %if 0%{?alma} >= 9
 BuildRequires:  python3-jinja2
 %else
+%if 0%{?tencentos} >= 4
+BuildRequires:  python3-jinja2
+%else
 %if "%{_vendor}" == "debbuild"
 BuildRequires:  python3-jinja2
 %else
@@ -128,6 +141,7 @@ BuildRequires:  python3-Jinja2
 %endif
 %endif
 %endif
+%endif
 
 BuildRequires:  expat
 BuildRequires:  libxml2
@@ -144,7 +158,7 @@ Security Content Automation Protocol (SCAP) Security Guide for SUSE Linux.
 This package contains XCCDF (Extensible Configuration Checklist
 Description Format), OVAL (Open Vulnerability and Assessment
 Language), CPE (Common Platform Enumeration) and DS (Data Stream)
-files to run a compliance test on SLE12, SLE15, SLEM5 and openSUSE
+files to run a compliance test on SLE12, SLE15, SLEM5, SLEM6 and openSUSE
 
 SUSE supported in this version of scap-security-guide:
 
@@ -153,7 +167,6 @@ SUSE supported in this version of scap-security-guide:
 - ANSSI-BP-028 profile for SUSE Linux Enterprise Server 12 and 15
 - PCI-DSS profile for SUSE Linux Enterprise Server 12 and 15
 - HIPAA profile for SUSE Linux Enterprise Server 12 and 15
-- CIS profile for SUSE Linux Enterprise Server 12 and 15
 - Hardening for Public Cloud Image of SUSE Linux Enterprise Server for SAP Applications 15
 - Public Cloud Hardening for SUSE Linux Enterprise 15
 
@@ -162,7 +175,7 @@ are community supplied and not officially supported by SUSE.
 
 %package redhat
 Summary:        XCCDF files for RHEL, CentOS, Fedora, ScientificLinux and AlmaLinux
-%if 0%{?fedora} || 0%{?rhel} || 0%{?alma}
+%if 0%{?fedora} || 0%{?rhel} || 0%{?alma} || 0%{?tencentos}
 Conflicts:      scap-security-guide
 %endif
 
@@ -204,57 +217,67 @@ Note that the included profiles are community supplied and not officially suppor
 
 %prep
 %setup -q -n content-%version
-%patch -P 0 -p 1
+
+# Remove CIS profiles
+find products -type f -name 'cis*.profile' -delete
+
+# Fail if any cis*.profile exists in under products/
+if find products -type f -name 'cis*.profile' | grep -q .; then
+    echo "ERROR: CIS profiles found under products/:"
+    find products -type f -name 'cis*.profile'
+    exit 1
+fi
 
 %build
 cd build
-cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-      -DCMAKE_INSTALL_MANDIR=%{_mandir} \
-      -DSSG_PRODUCT_CHROMIUM=OFF \
-	 -DSSG_PRODUCT_ALINUX2=OFF \
-	 -DSSG_PRODUCT_ALINUX3=OFF \
-         -DSSG_PRODUCT_ALMALINUX9=ON \
-	 -DSSG_PRODUCT_AL2023=OFF \
-	 -DSSG_PRODUCT_DEBIAN9=ON \
-	 -DSSG_PRODUCT_DEBIAN10=ON \
-	 -DSSG_PRODUCT_DEFAULT=ON \
-	 -DSSG_PRODUCT_EXAMPLE=OFF \
-	 -DSSG_PRODUCT_FEDORA=ON \
-	 -DSSG_PRODUCT_FIREFOX=OFF \
-	 -DSSG_PRODUCT_FUSE6=OFF \
-	 -DSSG_PRODUCT_JRE=OFF \
-	 -DSSG_PRODUCT_MACOS1015=OFF \
-	 -DSSG_PRODUCT_OCP4=OFF \
-	 -DSSG_PRODUCT_KYLINSERVER10=OFF \
-	 -DSSG_PRODUCT_OL7=ON \
-	 -DSSG_PRODUCT_OL8=ON \
-	 -DSSG_PRODUCT_OL9=ON \
-	 -DSSG_PRODUCT_OPENSUSE=ON \
-	 -DSSG_PRODUCT_OPENEMBEDDED=OFF \
-	 -DSSG_PRODUCT_RHCOS4=ON \
-	 -DSSG_PRODUCT_RHEL8=ON \
-	 -DSSG_PRODUCT_RHEL9=ON \
-	 -DSSG_PRODUCT_RHEL10=ON \
-	 -DSSG_PRODUCT_CS10=ON \
-	 -DSSG_PRODUCT_RHOSP10=ON \
-	 -DSSG_PRODUCT_RHOSP13=ON \
-	 -DSSG_PRODUCT_RHV4=ON \
-	 -DSSG_PRODUCT_SLE12=ON \
-	 -DSSG_PRODUCT_SLE15=ON \
-         -DSSG_PRODUCT_SLMICRO5=ON \
-	 -DSSG_PRODUCT_UBUNTU1604=ON \
-	 -DSSG_PRODUCT_UBUNTU1804=ON \
-	 -DSSG_PRODUCT_UBUNTU2004=ON \
-	 -DSSG_PRODUCT_UBUNTU2204=ON \
-	 -DSSG_PRODUCT_UOS20=OFF \
-         -DSSG_PRODUCT_VSEL=OFF \
-         -DSSG_PRODUCT_EKS=OFF \
-         -DSSG_PRODUCT_WRLINUX8=OFF \
-         -DSSG_PRODUCT_WRLINUX1019=OFF \
-         -DSSG_PRODUCT_ANOLIS8=OFF \
-         -DSSG_PRODUCT_ANOLIS23=OFF \
-    -DCMAKE_POLICY_VERSION_MINIMUM=3.5 \
-         ../
+cmake   -DCMAKE_INSTALL_PREFIX=%{_prefix} \
+        -DCMAKE_INSTALL_MANDIR=%{_mandir} \
+        -DSSG_PRODUCT_CHROMIUM=OFF \
+	    -DSSG_PRODUCT_ALINUX2=OFF \
+	    -DSSG_PRODUCT_ALINUX3=OFF \
+        -DSSG_PRODUCT_ALMALINUX9=ON \
+        -DSSG_PRODUCT_AL2023=OFF \
+        -DSSG_PRODUCT_DEBIAN9=ON \
+        -DSSG_PRODUCT_DEBIAN10=ON \
+        -DSSG_PRODUCT_DEFAULT=ON \
+        -DSSG_PRODUCT_EXAMPLE=OFF \
+        -DSSG_PRODUCT_FEDORA=ON \
+        -DSSG_PRODUCT_FIREFOX=OFF \
+        -DSSG_PRODUCT_FUSE6=OFF \
+        -DSSG_PRODUCT_JRE=OFF \
+        -DSSG_PRODUCT_MACOS1015=OFF \
+        -DSSG_PRODUCT_OCP4=OFF \
+        -DSSG_PRODUCT_KYLINSERVER10=OFF \
+        -DSSG_PRODUCT_OL7=ON \
+        -DSSG_PRODUCT_OL8=ON \
+        -DSSG_PRODUCT_OL9=ON \
+        -DSSG_PRODUCT_OPENSUSE=ON \
+        -DSSG_PRODUCT_OPENEMBEDDED=OFF \
+        -DSSG_PRODUCT_RHCOS4=ON \
+        -DSSG_PRODUCT_RHEL8=ON \
+        -DSSG_PRODUCT_RHEL9=ON \
+        -DSSG_PRODUCT_RHEL10=ON \
+        -DSSG_PRODUCT_CS10=ON \
+        -DSSG_PRODUCT_RHOSP10=ON \
+        -DSSG_PRODUCT_RHOSP13=ON \
+        -DSSG_PRODUCT_RHV4=ON \
+        -DSSG_PRODUCT_TENCENTOS4=ON \
+        -DSSG_PRODUCT_SLE12=ON \
+        -DSSG_PRODUCT_SLE15=ON \
+        -DSSG_PRODUCT_SLMICRO5=ON \
+        -DSSG_PRODUCT_SLMICRO6=ON \
+        -DSSG_PRODUCT_UBUNTU1604=ON \
+        -DSSG_PRODUCT_UBUNTU1804=ON \
+        -DSSG_PRODUCT_UBUNTU2004=ON \
+        -DSSG_PRODUCT_UBUNTU2204=ON \
+        -DSSG_PRODUCT_UOS20=OFF \
+        -DSSG_PRODUCT_VSEL=OFF \
+        -DSSG_PRODUCT_EKS=OFF \
+        -DSSG_PRODUCT_WRLINUX8=OFF \
+        -DSSG_PRODUCT_WRLINUX1019=OFF \
+        -DSSG_PRODUCT_ANOLIS8=OFF \
+        -DSSG_PRODUCT_ANOLIS23=OFF \
+        ../
 make
 
 %install
@@ -304,6 +327,7 @@ make install DESTDIR=%buildroot
 %doc %{_datadir}/doc/scap-security-guide/guides/ssg-ol*
 %doc %{_datadir}/doc/scap-security-guide/guides/ssg-openeuler*
 %doc %{_datadir}/doc/scap-security-guide/guides/ssg-rh*
+%doc %{_datadir}/doc/scap-security-guide/guides/ssg-tencentos*
 %dir %{_datadir}/doc/scap-security-guide/tables/
 %doc %{_datadir}/doc/scap-security-guide/tables/table-ol*
 %doc %{_datadir}/doc/scap-security-guide/tables/table-rh*
@@ -320,6 +344,7 @@ make install DESTDIR=%buildroot
 %{_datadir}/scap-security-guide/*/*fedora*
 %{_datadir}/scap-security-guide/*/*ol*
 %{_datadir}/scap-security-guide/*/*openeuler*
+%{_datadir}/scap-security-guide/*/*tencentos*
 %{_datadir}/scap-security-guide/*/*rh*
 %dir %{_datadir}/xml/scap/
 %dir %{_datadir}/xml/scap/ssg/
@@ -331,6 +356,7 @@ make install DESTDIR=%buildroot
 %{_datadir}/xml/scap/ssg/content/*-fedora*
 %{_datadir}/xml/scap/ssg/content/*-ol*
 %{_datadir}/xml/scap/ssg/content/*-openeuler*
+%{_datadir}/xml/scap/ssg/content/*-tencentos*
 %{_datadir}/xml/scap/ssg/content/*-rh*
 
 %files debian

ssg-fix-python.patch

@@ -1,13 +0,0 @@
-Index: content-0.1.76/ssg/jinja.py
-===================================================================
---- content-0.1.76.orig/ssg/jinja.py
-+++ content-0.1.76/ssg/jinja.py
-@@ -255,7 +255,7 @@ def _load_macros(macros_directory, subst
-     add_python_functions(substitutions_dict)
- 
-     if not os.path.isdir(macros_directory):
--        msg = (f"The directory '{macros_directory}' does not exist.")
-+        msg = ("The directory '{1}' does not exist.").format(macros_directory)
-         raise RuntimeError(msg)
- 
-     _load_macros_from_directory(macros_directory, substitutions_dict)