From 2eb737837be116b65fe5e99aba4c1ee84f5d7e47cc97b526ba40351d2851ae8b Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Sat, 30 Jul 2022 14:01:30 +0000
Subject: [PATCH 1/7] - updated to 0.1.63 (jsc#ECO-3319)    - multiple bugfixes
 in SUSE profiles    - Expand project guidelines    - Add Draft OCP4 STIG
 profile    - Add anssi_bp28_intermediary profile    - add products/uos20 to
 support UnionTech OS Server 20    - products/alinux3: Add CIS Alibaba Cloud
 Linux 3 profiles    - Remove WRLinux Products    - Update CIS RHEL8 Benchmark
 for v2.0.0

OBS-URL: https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=65
---
 fix-bash-template.patch     | 33 ---------------------------------
 scap-security-guide.changes | 14 ++++++++++++++
 scap-security-guide.spec    |  2 +-
 v0.1.62.tar.gz              |  3 ---
 v0.1.63.tar.gz              |  3 +++
 xx                          | 37 +++++++++++++++++++++++++++++++++++++
 6 files changed, 55 insertions(+), 37 deletions(-)
 delete mode 100644 fix-bash-template.patch
 delete mode 100644 v0.1.62.tar.gz
 create mode 100644 v0.1.63.tar.gz
 create mode 100644 xx

diff --git a/fix-bash-template.patch b/fix-bash-template.patch
deleted file mode 100644
index fa18891..0000000
--- a/fix-bash-template.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/shared/templates/audit_rules_syscall_events/bash.template b/shared/templates/audit_rules_syscall_events/bash.template
-index 6532554875..bd5bb94cb9 100644
---- a/shared/templates/audit_rules_syscall_events/bash.template
-+++ b/shared/templates/audit_rules_syscall_events/bash.template
-@@ -1,19 +1,20 @@
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- 
--# Include source function library.
--. /usr/share/scap-security-guide/remediation_functions
--
- # First perform the remediation of the syscall rule
- # Retrieve hardware architecture of the underlying system
- [ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
- 
- for ARCH in "${RULE_ARCHS[@]}"
- do
--	PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*"
--	GROUP="perm_mod"
--	FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
-+	# FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
-+	ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
-+	SYSCALL="{{{ ATTR }}}"
-+	SYSCALL_GROUPING="{{{ ATTR }}}"
-+	AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=4294967295"
-+	KEY="perm_mod"
-+	OTHER_FILTERS=""
- 
- 	# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
--	fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
--	fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
-+	{{{ bash_fix_audit_syscall_rule("augenrules","$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
-+	{{{ bash_fix_audit_syscall_rule("auditctl",  "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
- done
diff --git a/scap-security-guide.changes b/scap-security-guide.changes
index ece4bd3..9079402 100644
--- a/scap-security-guide.changes
+++ b/scap-security-guide.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Sat Jul 30 13:59:29 UTC 2022 - Marcus Meissner <meissner@suse.com>
+
+- updated to 0.1.63 (jsc#ECO-3319)
+   - multiple bugfixes in SUSE profiles
+   - Expand project guidelines 
+   - Add Draft OCP4 STIG profile 
+   - Add anssi_bp28_intermediary profile 
+   - add products/uos20 to support UnionTech OS Server 20
+   - products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles
+   - Remove WRLinux Products
+   - Update CIS RHEL8 Benchmark for v2.0.0
+- removed fix-bash-template.patch: fixed upstream
+
 -------------------------------------------------------------------
 Fri Jul 15 11:57:43 UTC 2022 - Julio González Gil <jgonzalez@suse.com>
 
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index eabf41f..9904e0e 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -42,7 +42,7 @@
 %endif
 
 Name:           scap-security-guide
-Version:        0.1.62
+Version:        0.1.63
 Release:        0
 Summary:        XCCDF files for SUSE Linux and openSUSE
 License:        BSD-3-Clause
diff --git a/v0.1.62.tar.gz b/v0.1.62.tar.gz
deleted file mode 100644
index da6c142..0000000
--- a/v0.1.62.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8e855040dfe23ccce380543a48e3a2a8c172b48e6d9eb292f575b51ea970e0d
-size 5244135
diff --git a/v0.1.63.tar.gz b/v0.1.63.tar.gz
new file mode 100644
index 0000000..e0f1940
--- /dev/null
+++ b/v0.1.63.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f028a5959bdb279ec2072aa6fc951223a1f63963a6055fdc4c27744055da55bd
+size 5382366
diff --git a/xx b/xx
new file mode 100644
index 0000000..c737d6e
--- /dev/null
+++ b/xx
@@ -0,0 +1,37 @@
+  <repository name="xUbuntu_22.04">
+    <path project="Ubuntu:22.04" repository="universe"/>
+    <arch>x86_64</arch>
+    <arch>i586</arch>
+    <arch>s390x</arch>
+    <arch>ppc64le</arch>
+    <arch>aarch64</arch>
+    <arch>armv7l</arch>
+  </repository>
+  <repository name="xUbuntu_21.04">
+    <path project="Ubuntu:21.04" repository="universe"/>
+    <arch>x86_64</arch>
+    <arch>i586</arch>
+    <arch>s390x</arch>
+    <arch>ppc64le</arch>
+    <arch>aarch64</arch>
+    <arch>armv7l</arch>
+  </repository>
+  <repository name="xUbuntu_20.04">
+    <path project="Ubuntu:20.04" repository="universe"/>
+    <arch>x86_64</arch>
+    <arch>i586</arch>
+    <arch>s390x</arch>
+    <arch>ppc64le</arch>
+    <arch>aarch64</arch>
+    <arch>armv7l</arch>
+  </repository>
+  <repository name="xUbuntu_18.04">
+    <path project="Ubuntu:18.04:Ports" repository="universe"/>
+    <path project="Ubuntu:18.04:Ports" repository="standard"/>
+    <path project="Ubuntu:18.04" repository="universe"/>
+    <arch>i586</arch>
+    <arch>x86_64</arch>
+    <arch>aarch64</arch>
+    <arch>armv7l</arch>
+    <arch>ppc64le</arch>
+  </repository>

From 2f7037c731afc4cc9c20df0c3ccddd2aaefeb30ef11f5b3aa20e1c78f1ae079c Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Sat, 30 Jul 2022 14:01:53 +0000
Subject: [PATCH 2/7] OBS-URL:
 https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=66

---
 scap-security-guide.spec |  4 ----
 xx                       | 37 -------------------------------------
 2 files changed, 41 deletions(-)
 delete mode 100644 xx

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 9904e0e..11f0ded 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -49,12 +49,9 @@ License:        BSD-3-Clause
 Group:          Productivity/Security
 URL:            https://github.com/ComplianceAsCode/content
 %if "%{_vendor}" == "debbuild"
-Packager:       SUSE Security Team <security@suse.de>
 %endif
 Source:         https://github.com/ComplianceAsCode/content/archive/v%{version}.tar.gz
 Patch0:         scap-security-guide-UnicodeEncodeError-character-fix.patch
-# upstream d9aa7a49d135be60e1a6f9d2ce4e29560482b3d0 and 3485c8298957b24d97a563079fd648004a92822b
-Patch1:         fix-bash-template.patch
 BuildRequires:  cmake
 
 %if "%{_vendor}" == "debbuild"
@@ -184,7 +181,6 @@ Note that the included profiles are community supplied and not officially suppor
 %prep
 %setup -n content-%version
 %patch0 -p0
-%patch1 -p1
 
 %build
 cd build
diff --git a/xx b/xx
deleted file mode 100644
index c737d6e..0000000
--- a/xx
+++ /dev/null
@@ -1,37 +0,0 @@
-  <repository name="xUbuntu_22.04">
-    <path project="Ubuntu:22.04" repository="universe"/>
-    <arch>x86_64</arch>
-    <arch>i586</arch>
-    <arch>s390x</arch>
-    <arch>ppc64le</arch>
-    <arch>aarch64</arch>
-    <arch>armv7l</arch>
-  </repository>
-  <repository name="xUbuntu_21.04">
-    <path project="Ubuntu:21.04" repository="universe"/>
-    <arch>x86_64</arch>
-    <arch>i586</arch>
-    <arch>s390x</arch>
-    <arch>ppc64le</arch>
-    <arch>aarch64</arch>
-    <arch>armv7l</arch>
-  </repository>
-  <repository name="xUbuntu_20.04">
-    <path project="Ubuntu:20.04" repository="universe"/>
-    <arch>x86_64</arch>
-    <arch>i586</arch>
-    <arch>s390x</arch>
-    <arch>ppc64le</arch>
-    <arch>aarch64</arch>
-    <arch>armv7l</arch>
-  </repository>
-  <repository name="xUbuntu_18.04">
-    <path project="Ubuntu:18.04:Ports" repository="universe"/>
-    <path project="Ubuntu:18.04:Ports" repository="standard"/>
-    <path project="Ubuntu:18.04" repository="universe"/>
-    <arch>i586</arch>
-    <arch>x86_64</arch>
-    <arch>aarch64</arch>
-    <arch>armv7l</arch>
-    <arch>ppc64le</arch>
-  </repository>

From c851cbd50a1feff6b6be2d066f21c0595c5e4db5c1d6be77c4c9352ecc27fa53 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Sat, 30 Jul 2022 14:02:13 +0000
Subject: [PATCH 3/7] OBS-URL:
 https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=67

---
 scap-security-guide.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 11f0ded..55ee7a6 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -49,6 +49,7 @@ License:        BSD-3-Clause
 Group:          Productivity/Security
 URL:            https://github.com/ComplianceAsCode/content
 %if "%{_vendor}" == "debbuild"
+Packager:       SUSE Security Team <security@suse.de>
 %endif
 Source:         https://github.com/ComplianceAsCode/content/archive/v%{version}.tar.gz
 Patch0:         scap-security-guide-UnicodeEncodeError-character-fix.patch

From 316cd1586b27448af117d5f3e9c84378f7ff8b124160690468a5d312158157a9 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Sat, 30 Jul 2022 14:07:22 +0000
Subject: [PATCH 4/7] - Fixed: stig: /etc/shadow group owner should not be root
 but shadow (bsc#1200149) - Fixed: sles15_script-stig.sh:
 remediation_functions: No such file or directory (bsc#1200163) - Fixed:
 SLES-15-010130 - The SUSE operating system must initiate a session lock after
 a 15-minute period of inactivity (bsc#1200122)

OBS-URL: https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=68
---
 scap-security-guide.changes | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/scap-security-guide.changes b/scap-security-guide.changes
index 9079402..7be6629 100644
--- a/scap-security-guide.changes
+++ b/scap-security-guide.changes
@@ -11,6 +11,9 @@ Sat Jul 30 13:59:29 UTC 2022 - Marcus Meissner <meissner@suse.com>
    - Remove WRLinux Products
    - Update CIS RHEL8 Benchmark for v2.0.0
 - removed fix-bash-template.patch: fixed upstream
+- Fixed: stig: /etc/shadow group owner should not be root but shadow (bsc#1200149)
+- Fixed: sles15_script-stig.sh: remediation_functions: No such file or directory (bsc#1200163)
+- Fixed: SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity (bsc#1200122)
 
 -------------------------------------------------------------------
 Fri Jul 15 11:57:43 UTC 2022 - Julio González Gil <jgonzalez@suse.com>

From 14e63528982204392bf34f31684fdf54719109cebebf6f0b44fbd2574c8b9481 Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Tue, 2 Aug 2022 10:50:33 +0000
Subject: [PATCH 5/7] disable alibaba linux for now

OBS-URL: https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=69
---
 scap-security-guide.spec | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 55ee7a6..afcfb40 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -188,6 +188,8 @@ cd build
 cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
       -DCMAKE_INSTALL_MANDIR=%{_mandir} \
       -DSSG_PRODUCT_CHROMIUM=OFF \
+	 -DSSG_PRODUCT_ALINUX2=OFF \
+	 -DSSG_PRODUCT_ALINUX3=OFF \
 	 -DSSG_PRODUCT_DEBIAN9=ON \
 	 -DSSG_PRODUCT_DEBIAN10=ON \
 	 -DSSG_PRODUCT_DEFAULT=ON \

From 9d790ae2f3046c72dc14f1ad246eb8afc061eb3e02172ab313b01b1b1182c26e Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Tue, 2 Aug 2022 11:56:04 +0000
Subject: [PATCH 6/7] OBS-URL:
 https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=70

---
 scap-security-guide.spec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index afcfb40..7602865 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -215,6 +215,7 @@ cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
 	 -DSSG_PRODUCT_UBUNTU1604=ON \
 	 -DSSG_PRODUCT_UBUNTU1804=ON \
 	 -DSSG_PRODUCT_UBUNTU2004=ON \
+	 -DSSG_PRODUCT_UOS=OFF \
          -DSSG_PRODUCT_VSEL=OFF \
          -DSSG_PRODUCT_EKS=OFF \
          -DSSG_PRODUCT_WRLINUX8=OFF \

From 7493083014b4ca54693a2b3377d46f63332966cb31698687a94b1735033f6edc Mon Sep 17 00:00:00 2001
From: Marcus Meissner <meissner@suse.com>
Date: Tue, 2 Aug 2022 12:46:34 +0000
Subject: [PATCH 7/7] OBS-URL:
 https://build.opensuse.org/package/show/security/scap-security-guide?expand=0&rev=71

---
 scap-security-guide.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 7602865..b644f89 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -215,7 +215,7 @@ cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
 	 -DSSG_PRODUCT_UBUNTU1604=ON \
 	 -DSSG_PRODUCT_UBUNTU1804=ON \
 	 -DSSG_PRODUCT_UBUNTU2004=ON \
-	 -DSSG_PRODUCT_UOS=OFF \
+	 -DSSG_PRODUCT_UOS20=OFF \
          -DSSG_PRODUCT_VSEL=OFF \
          -DSSG_PRODUCT_EKS=OFF \
          -DSSG_PRODUCT_WRLINUX8=OFF \