Accepting request 992448 from security

- updated to 0.1.63 (jsc#ECO-3319)
   - multiple bugfixes in SUSE profiles
   - Expand project guidelines 
   - Add Draft OCP4 STIG profile 
   - Add anssi_bp28_intermediary profile 
   - add products/uos20 to support UnionTech OS Server 20
   - products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles
   - Remove WRLinux Products
   - Update CIS RHEL8 Benchmark for v2.0.0
- removed fix-bash-template.patch: fixed upstream
- Fixed: stig: /etc/shadow group owner should not be root but shadow (bsc#1200149)
- Fixed: sles15_script-stig.sh: remediation_functions: No such file or directory (bsc#1200163)
- Fixed: SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity (bsc#1200122)

OBS-URL: https://build.opensuse.org/request/show/992448
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/scap-security-guide?expand=0&rev=20
This commit is contained in:
Dominique Leuenberger 2022-08-03 19:16:33 +00:00 committed by Git OBS Bridge
commit a6f694089d
5 changed files with 24 additions and 40 deletions

View File

@ -1,33 +0,0 @@
diff --git a/shared/templates/audit_rules_syscall_events/bash.template b/shared/templates/audit_rules_syscall_events/bash.template
index 6532554875..bd5bb94cb9 100644
--- a/shared/templates/audit_rules_syscall_events/bash.template
+++ b/shared/templates/audit_rules_syscall_events/bash.template
@@ -1,19 +1,20 @@
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
# First perform the remediation of the syscall rule
# Retrieve hardware architecture of the underlying system
[ "$(getconf LONG_BIT)" = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")
for ARCH in "${RULE_ARCHS[@]}"
do
- PATTERN="-a always,exit -F arch=$ARCH -S {{{ ATTR }}}.*"
- GROUP="perm_mod"
- FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
+ # FULL_RULE="-a always,exit -F arch=$ARCH -S {{{ ATTR }}} -F auid>={{{ auid }}} -F auid!=4294967295 -F key=perm_mod"
+ ACTION_ARCH_FILTERS="-a always,exit -F arch=$ARCH"
+ SYSCALL="{{{ ATTR }}}"
+ SYSCALL_GROUPING="{{{ ATTR }}}"
+ AUID_FILTERS="-F auid>={{{ auid }}} -F auid!=4294967295"
+ KEY="perm_mod"
+ OTHER_FILTERS=""
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
- fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
- fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
+ {{{ bash_fix_audit_syscall_rule("augenrules","$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
+ {{{ bash_fix_audit_syscall_rule("auditctl", "$ACTION_ARCH_FILTERS", "$OTHER_FILTERS", "$AUID_FILTERS", "$SYSCALL", "$SYSCALL_GROUPING", "$KEY") }}}
done

View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Sat Jul 30 13:59:29 UTC 2022 - Marcus Meissner <meissner@suse.com>
- updated to 0.1.63 (jsc#ECO-3319)
- multiple bugfixes in SUSE profiles
- Expand project guidelines
- Add Draft OCP4 STIG profile
- Add anssi_bp28_intermediary profile
- add products/uos20 to support UnionTech OS Server 20
- products/alinux3: Add CIS Alibaba Cloud Linux 3 profiles
- Remove WRLinux Products
- Update CIS RHEL8 Benchmark for v2.0.0
- removed fix-bash-template.patch: fixed upstream
- Fixed: stig: /etc/shadow group owner should not be root but shadow (bsc#1200149)
- Fixed: sles15_script-stig.sh: remediation_functions: No such file or directory (bsc#1200163)
- Fixed: SLES-15-010130 - The SUSE operating system must initiate a session lock after a 15-minute period of inactivity (bsc#1200122)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jul 15 11:57:43 UTC 2022 - Julio González Gil <jgonzalez@suse.com> Fri Jul 15 11:57:43 UTC 2022 - Julio González Gil <jgonzalez@suse.com>

View File

@ -42,7 +42,7 @@
%endif %endif
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.62 Version: 0.1.63
Release: 0 Release: 0
Summary: XCCDF files for SUSE Linux and openSUSE Summary: XCCDF files for SUSE Linux and openSUSE
License: BSD-3-Clause License: BSD-3-Clause
@ -53,8 +53,6 @@ Packager: SUSE Security Team <security@suse.de>
%endif %endif
Source: https://github.com/ComplianceAsCode/content/archive/v%{version}.tar.gz Source: https://github.com/ComplianceAsCode/content/archive/v%{version}.tar.gz
Patch0: scap-security-guide-UnicodeEncodeError-character-fix.patch Patch0: scap-security-guide-UnicodeEncodeError-character-fix.patch
# upstream d9aa7a49d135be60e1a6f9d2ce4e29560482b3d0 and 3485c8298957b24d97a563079fd648004a92822b
Patch1: fix-bash-template.patch
BuildRequires: cmake BuildRequires: cmake
%if "%{_vendor}" == "debbuild" %if "%{_vendor}" == "debbuild"
@ -184,13 +182,14 @@ Note that the included profiles are community supplied and not officially suppor
%prep %prep
%setup -n content-%version %setup -n content-%version
%patch0 -p0 %patch0 -p0
%patch1 -p1
%build %build
cd build cd build
cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \ cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-DCMAKE_INSTALL_MANDIR=%{_mandir} \ -DCMAKE_INSTALL_MANDIR=%{_mandir} \
-DSSG_PRODUCT_CHROMIUM=OFF \ -DSSG_PRODUCT_CHROMIUM=OFF \
-DSSG_PRODUCT_ALINUX2=OFF \
-DSSG_PRODUCT_ALINUX3=OFF \
-DSSG_PRODUCT_DEBIAN9=ON \ -DSSG_PRODUCT_DEBIAN9=ON \
-DSSG_PRODUCT_DEBIAN10=ON \ -DSSG_PRODUCT_DEBIAN10=ON \
-DSSG_PRODUCT_DEFAULT=ON \ -DSSG_PRODUCT_DEFAULT=ON \
@ -216,6 +215,7 @@ cmake -DCMAKE_INSTALL_PREFIX=%{_prefix} \
-DSSG_PRODUCT_UBUNTU1604=ON \ -DSSG_PRODUCT_UBUNTU1604=ON \
-DSSG_PRODUCT_UBUNTU1804=ON \ -DSSG_PRODUCT_UBUNTU1804=ON \
-DSSG_PRODUCT_UBUNTU2004=ON \ -DSSG_PRODUCT_UBUNTU2004=ON \
-DSSG_PRODUCT_UOS20=OFF \
-DSSG_PRODUCT_VSEL=OFF \ -DSSG_PRODUCT_VSEL=OFF \
-DSSG_PRODUCT_EKS=OFF \ -DSSG_PRODUCT_EKS=OFF \
-DSSG_PRODUCT_WRLINUX8=OFF \ -DSSG_PRODUCT_WRLINUX8=OFF \

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d8e855040dfe23ccce380543a48e3a2a8c172b48e6d9eb292f575b51ea970e0d
size 5244135

3
v0.1.63.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f028a5959bdb279ec2072aa6fc951223a1f63963a6055fdc4c27744055da55bd
size 5382366