diff --git a/openscap-0.8.2.tar.gz b/openscap-0.8.2.tar.gz
deleted file mode 100644
index ae6abcf..0000000
--- a/openscap-0.8.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe7d6b3f20c08feef5c70ff3a02b752b593a8d8a3b3d1302d8e31fe0c29cce11
-size 4524453
diff --git a/openscap-0.8.3.tar.gz b/openscap-0.8.3.tar.gz
new file mode 100644
index 0000000..616ee39
--- /dev/null
+++ b/openscap-0.8.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e00b9ee6741b7ae01f46172c2ed560b38107a1fffdda5bc7c32be4f4a15ef5e4
+size 6420923
diff --git a/openscap-stdio.h.patch b/openscap-stdio.h.patch
deleted file mode 100644
index 8e38fac..0000000
--- a/openscap-stdio.h.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: openscap-0.8.2/lib/stdio.in.h
-===================================================================
---- openscap-0.8.2.orig/lib/stdio.in.h
-+++ openscap-0.8.2/lib/stdio.in.h
-@@ -733,7 +733,9 @@ _GL_CXXALIASWARN (gets);
- /* It is very rare that the developer ever has full control of stdin,
- so any use of gets warrants an unconditional warning. Assume it is
- always declared, since it is required by C89. */
-+# if HAVE_RAW_DECL_GETS
- _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
-+# endif
- #endif
-
-
diff --git a/openscap.changes b/openscap.changes
index daa93a0..bb896b2 100644
--- a/openscap.changes
+++ b/openscap.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Aug 1 09:43:28 UTC 2012 - meissner@suse.com
+
+- Updated to 0.8.3
+ - added XCCDF 1.2 schemas
+ - changed XCCDF report format
+ - updated schemas for OVAL 5.10
+ - added additional OVAL schemas - 5.3, 5.4, 5.5, 5.6, 5.7
+ - multi version support for XCCDF and OVAL
+ - a schema version of an imported and exported content is same
+ - added rpmverifyfile probe
+ - results are validated only if an OSCAP_FULL_VALIDATION variable is set
+ - bug fixes
+
+-------------------------------------------------------------------
+Wed Aug 1 09:18:06 UTC 2012 - dmacvicar@suse.de
+
+- add OVAL/XCCDF content based on yast2-security checks
+ and set them as the default content (using symlinks)
+
-------------------------------------------------------------------
Sat Jul 28 14:24:46 UTC 2012 - aj@suse.de
@@ -16,7 +36,7 @@ Fri Mar 30 16:21:21 CEST 2012 - meissner@suse.de
-------------------------------------------------------------------
Sat Mar 24 10:54:22 UTC 2012 - mc@suse.com
-- require libnl-devel on older SUSE version
+- require libnl-devel on older SUSE version
-------------------------------------------------------------------
Mon Mar 19 15:52:17 UTC 2012 - cfarrell@suse.com
diff --git a/openscap.spec b/openscap.spec
index d89ff49..1125e9a 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -20,12 +20,17 @@
%define with_bindings 0
Name: openscap
-Version: 0.8.2
+Version: 0.8.3
Release: 1.0
Source: http://www.open-scap.org/download/%name-%version.tar.gz
Source1: oscap-scan.init
Source2: sysconfig.oscap-scan
-Patch1: openscap-stdio.h.patch
+# SUSE specific profile, based on yast2-security
+# checks.
+# Generated from http://gitorious.org/test-suite/scap
+Source3: scap-yast2sec-xccdf.xml
+Source4: scap-yast2sec-oval.xml
+#
Url: http://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libacl-devel
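Review bot: The comment above `Source3`/`Source4` says the two XML files were generated from an external repository but records no revision, so nobody can later verify or regenerate the content that this package now installs as the system's default scan policy. Since the spec deliberately inlines the files rather than pulling them, I would extend the comment with the upstream commit, e.g. `# Generated from http://gitorious.org/test-suite/scap (revision <REVISION-PLACEHOLDER>)`, and note how they were produced. The stray `#` line at the end of the comment block can go.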
@@ -139,7 +144,6 @@ commonly used and require additional dependencies.
%prep
%setup -q
-%patch1 -p1
%build
@@ -162,9 +166,12 @@ install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/oscap-scan
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_datadir}/openscap
+install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_datadir}/openscap
+
# create symlinks to default content
-ln -s %{_datadir}/openscap/scap-fedora14-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
-ln -s %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
+ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
+ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
%post -n libopenscap%{soname} -p /sbin/ldconfig
@@ -205,7 +212,7 @@ ln -s %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/
%{_libexecdir}/openscap/probe_process58
%{_libexecdir}/openscap/probe_routingtable
%{_libexecdir}/openscap/probe_rpminfo
-%{_libexecdir}/openscap/probe_rpmverify
+%{_libexecdir}/openscap/probe_rpmverify*
%{_libexecdir}/openscap/probe_runlevel
%{_libexecdir}/openscap/probe_selinuxboolean
%{_libexecdir}/openscap/probe_selinuxsecuritycontext
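Review bot: Replacing the explicit `probe_rpmverify` entry with the glob `probe_rpmverify*` makes the `%files` list stop acting as a check on what gets packaged: any future probe binary whose name starts with that prefix is shipped silently, and a missing `probe_rpmverifyfile` would no longer fail the build. The changelog names exactly one new probe, so listing both explicitly keeps the package contents auditable: `%{_libexecdir}/openscap/probe_rpmverify` and `%{_libexecdir}/openscap/probe_rpmverifyfile`. The `%files` section starts before this hunk.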
diff --git a/scap-yast2sec-oval.xml b/scap-yast2sec-oval.xml
new file mode 100644
index 0000000..81446ff
--- /dev/null
+++ b/scap-yast2sec-oval.xml
@@ -0,0 +1,577 @@
+
+
+
+ vim
+ 5.9
+ 2011-10-31T12:00:00-04:00
+
+
+
+
+
+
+ sysctl net.ipv4.ip_forward must be 0
+ sysctl net.ipv4.ip_forward must be 0
+
+
+
+
+
+
+
+ sysctl net.ipv4.tcp_syncookies must be 1
+ sysctl net.ipv4.tcp_syncookies must be 1
+
+
+
+
+
+
+
+ sysctl net.ipv6.conf.all.forwarding must be 0
+ sysctl net.ipv6.conf.all.forwarding must be 0
+
+
+
+
+
+
+
+ sysctl net.ipv6.conf.default.forwarding must be 0
+ sysctl net.ipv6.conf.default.forwarding must be 0
+
+
+
+
+
+
+
+ kernel config CONFIG_SYN_COOKIES must be y
+ kernel config CONFIG_SYN_COOKIES must be y
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
+ file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0
+ file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7
+ file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7
+
+
+
+
+
+
+
+ file /etc/pam.d/common-password must have a line that matches minlen=6
+ file /etc/pam.d/common-password must have a line that matches minlen=6
+
+
+
+
+
+
+
+ file /etc/pam.d/common-password must have a line that matches remember=
+ file /etc/pam.d/common-password must have a line that matches remember=
+
+
+
+
+
+
+
+ file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0
+ file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^FAIL_DELAY
+ file /etc/login.defs must have a line that matches ^FAIL_DELAY
+
+
+
+
+
+
+
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no
+
+
+
+
+
+
+
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^UID_MIN.*1000
+ file /etc/login.defs must have a line that matches ^UID_MIN.*1000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^UID_MAX.*60000
+ file /etc/login.defs must have a line that matches ^UID_MAX.*60000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^GID_MIN.*1000
+ file /etc/login.defs must have a line that matches ^GID_MIN.*1000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^GID_MAX.*60000
+ file /etc/login.defs must have a line that matches ^GID_MAX.*60000
+
+
+
+
+
+
+
+ sysctl kernel.sysrq must be 0
+ sysctl kernel.sysrq must be 0
+
+
+
+
+
+
+
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5
+
+
+
+
+
+
+
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des
+
+
+
+
+
+
+
+ file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set
+ file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set
+
+
+
+
+
+
+
+ file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes
+ file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd
+
+
+
+
+
+
+
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /proc/sys/net/ipv4/ip_forward
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /proc/sys/net/ipv4/tcp_syncookies
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /usr/src/linux/.config
+ (CONFIG_SYN_COOKIES.*)
+ 1
+
+
+ /proc/sys/net/ipv6/conf/all/forwarding
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /proc/sys/net/ipv6/conf/default/forwarding
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /proc/sys/kernel/sysrq
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/login.defs
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/pam.d/common-passwd
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/default/passwd
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/pam.d/common-password
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/sysconfig/dhcpd
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/sysconfig/displaymanager
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/sysconfig/security
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+ /etc/sysconfig/services
+ ^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$
+ 1
+
+
+
+
+
+
+
+ 0
+
+
+ 1
+
+
+ CONFIG_SYN_COOKIES=y
+
+
+ ^PASS_MAX_DAYS.*99999
+
+
+ ^PASS_MIN_DAYS.*0
+
+
+ ^PASS_WARN_AGE.*7
+
+
+ ^minlen=6
+
+
+ ^remember=
+
+
+ ^FAIL_DELAY.*0
+
+
+ ^FAIL_DELAY
+
+
+ ^UID_MIN.*1000
+
+
+ ^UID_MAX.*60000
+
+
+ ^GID_MIN.*1000
+
+
+ ^GID_MAX.*60000
+
+
+ ^CRYPT_FILES=md5
+
+
+ ^CRYPT_FILES=des
+
+
+ minlen=6
+
+
+ remember=
+
+
+ ^DHCPD_RUN_CHROOTED.*yes
+
+
+ ^DHCPD_RUN_AS.*dhcpd
+
+
+ ^DHCPD6_RUN_CHROOTED.*yes
+
+
+ ^DHCPD6_RUN_AS.*dhcpd
+
+
+ ^DISPLAYMANAGER_REMOTE_ACCESS.*no
+
+
+ ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
+
+
+ ^CHECK_PERMISSIONS.*set
+
+
+ ^CHECK_SIGNATURES.*yes
+
+
+ ^DISABLE_RESTART_ON_UPDATE.*yes
+
+
+ ^DISABLE_STOP_ON_REMOVAL.*yes
+
+
+
+
+
+
+
+
+
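Review bot: The object path `/etc/pam.d/common-passwd` on the line before `/etc/pam.d/common-password` looks like a typo for the SUSE PAM stack file; every test description in the file refers to `common-password`, and a nonexistent file would make the referencing test error out rather than evaluate the password policy. The markup has been stripped in this view, so I cannot see which test references which object, but the pair of anchored states `^minlen=6` / `^remember=` alongside the unanchored `minlen=6` / `remember=` suggests the same leftover: with the line pattern capturing the whole `password ... pam_*.so ...` line, the anchored forms can never match, so whichever test uses them always fails. I would drop the `common-passwd` object and the anchored states, or point the affected tests at `/etc/pam.d/common-password` and the unanchored states. The CONFIG_SYN_COOKIES test reads `/usr/src/linux/.config`, which only exists when the kernel sources are installed, so that rule will presumably report an error on most production hosts rather than pass or fail; a note in the rule description would help operators.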
diff --git a/scap-yast2sec-xccdf.xml b/scap-yast2sec-xccdf.xml
new file mode 100644
index 0000000..be4c10e
--- /dev/null
+++ b/scap-yast2sec-xccdf.xml
@@ -0,0 +1,320 @@
+
+
+ draft
+ Hardening Linux Kernel
+
+ The Linux kernel is at the heart of every Linux system. With its extensive configuration
+ options, it comes to no surprise that specific settings can be enabled to further harden
+ your system.
+
+
+ In this guide, we focus on Linux kernel configuration entries that support additional
+ hardening of your system, as well as the configuration through the syctl
+ settings.
+
+
+ 1
+
+
+
+ Default vanilla kernel hardening
+
+ Profile matching all standard (vanilla-kernel) hardening rules
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ sysctl net.ipv4.ip_forward must be 0
+ sysctl net.ipv4.ip_forward must be 0
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+
+
+
+
+
+
+
+ sysctl net.ipv4.tcp_syncookies must be 1
+ sysctl net.ipv4.tcp_syncookies must be 1
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+
+
+
+
+
+
+
+ sysctl net.ipv6.conf.all.forwarding must be 0
+ sysctl net.ipv6.conf.all.forwarding must be 0
+ echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+
+
+
+
+
+
+
+ sysctl net.ipv6.conf.default.forwarding must be 0
+ sysctl net.ipv6.conf.default.forwarding must be 0
+ echo 0 > /proc/sys/net/ipv6/conf/default/forwarding
+
+
+
+
+
+
+
+ kernel config CONFIG_SYN_COOKIES must be y
+ kernel config CONFIG_SYN_COOKIES must be y
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
+ file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0
+ file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7
+ file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7
+
+
+
+
+
+
+
+ file /etc/pam.d/common-password must have a line that matches minlen=6
+ file /etc/pam.d/common-password must have a line that matches minlen=6
+
+
+
+
+
+
+
+ file /etc/pam.d/common-password must have a line that matches remember=
+ file /etc/pam.d/common-password must have a line that matches remember=
+
+
+
+
+
+
+
+ file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0
+ file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^FAIL_DELAY
+ file /etc/login.defs must have a line that matches ^FAIL_DELAY
+
+
+
+
+
+
+
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no
+
+
+
+
+
+
+
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
+ file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^UID_MIN.*1000
+ file /etc/login.defs must have a line that matches ^UID_MIN.*1000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^UID_MAX.*60000
+ file /etc/login.defs must have a line that matches ^UID_MAX.*60000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^GID_MIN.*1000
+ file /etc/login.defs must have a line that matches ^GID_MIN.*1000
+
+
+
+
+
+
+
+ file /etc/login.defs must have a line that matches ^GID_MAX.*60000
+ file /etc/login.defs must have a line that matches ^GID_MAX.*60000
+
+
+
+
+
+
+
+ sysctl kernel.sysrq must be 0
+ sysctl kernel.sysrq must be 0
+ echo 0 > /proc/sys/kernel/sysrq
+
+
+
+
+
+
+
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5
+
+
+
+
+
+
+
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des
+ file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des
+
+
+
+
+
+
+
+ file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set
+ file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set
+
+
+
+
+
+
+
+ file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes
+ file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd
+ file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd
+
+
+
+
+
+
+
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes
+
+
+
+
+
+
+
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes
+ file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes
+
+
+
+
+
+
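Review bot: The fix texts such as `echo 0 > /proc/sys/net/ipv4/ip_forward` (and the equivalents for tcp_syncookies, the two IPv6 forwarding entries and kernel.sysrq) only change the running kernel; the setting reverts at the next boot, so a host remediated with this profile will drift back out of compliance without any further scan noticing until it runs again. The remediation should also persist the value, for example `sysctl -w net.ipv4.ip_forward=0` together with a `net.ipv4.ip_forward = 0` line in /etc/sysctl.conf, and the description could say that both steps are needed. The benchmark description near the top spells `syctl` where `sysctl` is meant.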