[ol8_appstream] scap-security-guide-0.1.73-1.0.2.el8_10.noarch

The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The system
administrator can use the oscap CLI tool from openscap-scanner package, or the
scap-workbench GUI tool from scap-workbench package to verify that the system
conforms to provided guideline. Refer to scap-security-guide(8) manual page for
further information.

Changelog (Show File list) (Show related packages)

• Wed Jul 24 2024 Armando Acosta <armando.acosta@oracle.com> - 0.1.73-1.0.2

  - Update stig profile version to v2r1 for ol8 [Orabug: 36879143]
  - Add ansible remediation to
    accounts_user_dot_no_world_writable_programs
    no_tmux_in_shells 
    account_password_selinux_faillock_dir
    configure_usbguard_auditbackend [Orabug: 36879143]
  - Fix bash bug account_disable_inactivity* [Orabug: 36879143]

• Thu Jun 06 2024 Armando Acosta <armando.acosta@oracle.com> - 0.1.73-1.0.1

  - Rebase oracle patches to v0.1.73-1 [Orabug: 36702208]
  - Update OL8 to implement OL9 STIG profile to match DISA STIG draft for OL9 [Orabug: 36680605]

• Wed Jun 05 2024 Release Engineering <releng@openela.org> - 0.1.73.openela.1.0

  - Make OpenELA a derivative of RHEL

• Tue May 21 2024 Jan Černý <jcerny@redhat.com> - 0.1.73-1

  - Rebase scap-security-guide package to version 0.1.73 (RHEL-36733)
  - Change crypto policy used in the CUI profile to FIPS (RHEL-30346)
  - Fix file path identification in Rsyslog configuration (RHEL-17202)
  - Use a correct chrony server address in STIG profile (RHEL-1814)
  - Don't BuildRequire /usr/bin/python3 (RHEL-2244)

• Fri Feb 16 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-2

  - Unlist profiles no longer maintained in RHEL8.

• Wed Feb 14 2024 Marcus Burghardt <maburgha@redhat.com> - 0.1.72-1

  - Rebase to a new upstream release 0.1.72 (RHEL-25250)
  - Increase CIS standards coverage regarding SSH and cron (RHEL-1314)
  - Increase compatibility of accounts_tmout rule for ksh (RHEL-16896 and RHEL-1811)
  - Align Ansible and Bash remediation in sssd_certificate_verification rule (RHEL-1313)
  - Add a warning to rule service_rngd_enabled about rule applicability (RHEL-1819)
  - Add rule to terminate idle user sessions after defined time (RHEL-1801)
  - Allow spaces around equal sign in /etc/sudoers (RHEL-1904)
  - Add remediation for rule fapolicy_default_deny (RHEL-1817)
  - Fix invalid syntax in file /usr/share/scap-security-guide/ansible/rhel8-playbook-ospp.yml (RHEL-19127)
  - Refactor ensure_pam_wheel_group_empty (RHEL-1905)
  - Prevent remediation of display_login_attempts rule from creating redundant configuration entries (RHEL-1809)
  - Update PCI-DSS to v4 (RHEL-1808)
  - Fix regex in Ansible remediation of configure_ssh_crypto_policy (RHEL-1820)

• Thu Aug 17 2023 Vojtech Polasek <vpolasek@redhat.com> - 0.1.69-2

  - remove problematic rule from ANSSI High profile (RHBZ#2221695)

• Thu Aug 10 2023 Jan Černý <jcerny@redhat.com> - 0.1.69-1

  - Rebase to a new upstream release 0.1.69 (RHBZ#2221695)
  - Fixed CCE link URL (RHBZ#2178516)
  - align remediations with rule description for rule configuring OpenSSL cryptopolicy (RHBZ#2192893)
  - Add rule audit_rules_login_events_faillock to STIG profile (RHBZ#2167999)
  - Fixed rules related to AIDE configuration (RHBZ#2175684)
  - Allow default permissions for files stored on EFI FAT partitions (RHBZ#2184487)
  - Add appropriate STIGID to accounts_passwords_pam_faillock_interval rule (RHBZ#2209073)
  - improved and unified OVAL checks checking for interactive users (RHBZ#2157877)
  - update ANSSI BP-028 profiles to be aligned with version 2.0 (RHBZ#2155789)
  - unify OVAL checks to correctly identify interactive users (RHBZ#2178740)
  - make rule checking for Postfix unrestricted relay accept more variants of valid configuration syntax (RHBZ#2170530)
  - Fixed excess quotes in journald configuration files (RHBZ#2169857)
  - rules related to polyinstantiated directories are not applied when building images for Image Builder (RHBZ#2130182)
  - evaluation and remediation of rules related to mount points have been enhanced for Image Builder (RHBZ#2130185)
  - do not enable FIPS mode when creating hardened images for Image Builder (RHBZ#2130181)
  - Correct URL used to download CVE checks (RHBZ#2222583)
  - mention exact required configuration value in description of some PAM related rules (RHBZ#2175882)
  - make mount point related rules not applicable when no such mount points exist (RHBZ#2176008)
  - improve checks determining if FIPS mode is enabled (RHBZ#2129100)

• Mon Feb 13 2023 Watson Sato <wsato@redhat.com> - 0.1.66-2

  - Unselect rule logind_session_timeout (RHBZ#2158404)

• Mon Feb 06 2023 Watson Sato <wsato@redhat.com> - 0.1.66-1

  - Rebase to a new upstream release 0.1.66 (RHBZ#2158404)
  - Update RHEL8 STIG profile to V1R9 (RHBZ#2152658)
  - Fix levels of CIS rules (RHBZ#2162803)
  - Remove unused RHEL8 STIG control file (RHBZ#2156192)
  - Fix accounts_password_pam_unix_remember's check and remediations (RHBZ#2153547)
  - Fix handling of space in sudo_require_reauthentication (RHBZ#2152208)
  - Add rule for audit immutable login uids (RHBZ#2151553)
  - Fix remediation of audit watch rules (RHBZ#2119356)
  - Align file_permissions_sshd_private_key with DISA Benchmark (RHBZ#2115343)
  - Fix applicability of kerberos rules (RHBZ#2099394)
  - Add support rainer scripts in rsyslog rules (RHBZ#2072444)