Bug 1410914
Summary: | Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstream version | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Preisler <mpreisle> |
Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> |
Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> |
Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
Priority: | high | | |
Target Milestone: | rc | Keywords: | Rebase |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Rebase: Bug Fixes and Enhancements |
Doc Text: |
_scap-security-guide_ rebased to version 0.1.33

The _scap-security-guide_ packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this version enhances existing compliance profiles and expands coverage with new configuration baselines:

* Extended support for the PCI-DSS v3 Control Baseline.
* Extended support for United States Government Commercial Cloud Services (C2S).
* Extended support for the Red Hat Corporate Profile for Certified Cloud Providers.
* Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligned to the DISA STIG for Red Hat Enterprise Linux 7 V1R1.
* Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).
* Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U.S. National Institute of Standards and Technology (NIST), the U.S. Department of Defense, the National Security Agency, and Red Hat.

The USGCB/STIG profile implements configuration requirements from the following documents:

* Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
* NIST Controlled Unclassified Information (NIST 800-171)
* NIST 800-53 control selections for moderate-impact systems (NIST 800-53)
* U.S. Government Configuration Baseline (USGCB)
* NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
* DISA Operating System Security Requirements Guide (OS SRG)

Note that several previously shipped profiles have been removed or merged.
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-08-01 12:24:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Martin Preisler
2017-01-06 20:22:21 UTC
This would also fix:

- https://bugzilla.redhat.com/show_bug.cgi?id=1378489
- https://bugzilla.redhat.com/show_bug.cgi?id=1392672
- https://bugzilla.redhat.com/show_bug.cgi?id=1392679
- https://bugzilla.redhat.com/show_bug.cgi?id=1372063
- https://bugzilla.redhat.com/show_bug.cgi?id=1392674
- https://bugzilla.redhat.com/show_bug.cgi?id=1372061
- https://bugzilla.redhat.com/show_bug.cgi?id=1392676
- https://bugzilla.redhat.com/show_bug.cgi?id=1372062
- https://bugzilla.redhat.com/show_bug.cgi?id=1372068
- https://bugzilla.redhat.com/show_bug.cgi?id=1372070
- https://bugzilla.redhat.com/show_bug.cgi?id=1369735

How do we get release notes created for the rebase of SCAP Security Guide? This rebase brings in previously unavailable compliance profiles that should be documented.

OK. I don't have VPN access currently, so I will log in on Monday and use the template. Mostly imagining documenting the new and rebased profiles available in RHEL 7.4 (e.g. STIG and USGCB draft).

Mirek,

Here is a first stab at content. Review from yourself and Watson is appreciated.

-----

SCAP Security Guide v0.1.33 enhances existing compliance profiles and expands scope of coverage to include two new configuration baselines.

- PCI-DSS v3 Control Baseline
- U.S. Government Commercial Cloud Services (C2S)
- Red Hat Corporate Profile for Certified Cloud Providers
- NEW: DISA STIG for Red Hat Enterprise Linux 7, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1
- NEW: United States Government Configuration Baseline (USGCB / STIG) - DRAFT

  This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security-related configuration settings with which all federal agencies should comply. This baseline implements configuration requirements from the following documents:

  - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
  - NIST Controlled Unclassified Information (NIST 800-171)
  - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
  - U.S. Government Configuration Baseline (USGCB)
  - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
  - DISA Operating System Security Requirements Guide (OS SRG)

  For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen.

- NEW: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

  This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

Thank you Shawn. Looks good to me.

One thing that may be worth mentioning is that some profiles were removed or merged. People will come asking for them and it would be good to point, for each profile removed, to the profiles they should go for now.

Regression and sanity checks of version scap-security-guide-0.1.33-5.el7.noarch performed. Multiple new issues found and reported. Most important ones:

- https://bugzilla.redhat.com/show_bug.cgi?id=1465402 (incompatibility of SSG with oscap-anaconda-addon)
- https://bugzilla.redhat.com/show_bug.cgi?id=1465675 (audit rules failing remediation)
- https://bugzilla.redhat.com/show_bug.cgi?id=1465686 (various rules missing/failing remediations)

None of them are blocking issues though, switching to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064
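The review above points out that the rebase removed or merged some profiles and that users will ask where their old profile went. The practical check after installing the rebased package is to enumerate the XCCDF profiles that the shipped datastream actually contains and compare them against the profile IDs a site's scans depend on. The Python below is an added example for that check; it is not code from this bug or from the scap-security-guide project. It uses only the standard library. The embedded datastream fragment is constructed for the example and its profile IDs and titles are assumptions (they follow the `xccdf_org.ssgproject.content_profile_*` naming SSG uses but are not taken from this page), the path `/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml` is the conventional install location and is assumed, and `xccdf_org.ssgproject.content_profile_legacy-example` is a hypothetical ID standing in for a profile that no longer exists.

```python
"""List the selectable XCCDF profiles in a SCAP source datastream and
report which required profile IDs are missing, e.g. after a content rebase."""
import sys
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed, heavily trimmed stand-in for ssg-rhel7-ds.xml. The profile IDs
# and titles are assumptions for this example, not taken from the bug report.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
      <xccdf-1.2:version>0.1.33</xccdf-1.2:version>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
        <xccdf-1.2:title>PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_C2S">
        <xccdf-1.2:title>C2S for Red Hat Enterprise Linux 7</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
        <xccdf-1.2:title>DISA STIG for Red Hat Enterprise Linux 7</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nist-800-171-cui">
        <xccdf-1.2:title>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</xccdf-1.2:title>
      </xccdf-1.2:Profile>
      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_base" abstract="true">
        <xccdf-1.2:title>Abstract base profile (not selectable)</xccdf-1.2:title>
      </xccdf-1.2:Profile>
    </xccdf-1.2:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def _benchmarks(xml_text):
    """Return the Benchmark elements: the root of a plain XCCDF file, or every
    Benchmark nested inside a datastream's ds:component elements."""
    root = ET.fromstring(xml_text)
    if root.tag == XCCDF + "Benchmark":
        return [root]
    return list(root.iter(XCCDF + "Benchmark"))


def benchmark_version(xml_text):
    """Content version string of the first Benchmark that carries one, else None."""
    for bm in _benchmarks(xml_text):
        ver = bm.find(XCCDF + "version")
        if ver is not None and ver.text:
            return ver.text.strip()
    return None


def list_profiles(xml_text):
    """Return {profile_id: title} for every selectable profile.

    Profiles marked abstract="true" exist only to be extended by other
    profiles and cannot be passed to `oscap xccdf eval --profile`, so they
    are skipped; listing them would suggest a choice that does not exist."""
    profiles = {}
    for bm in _benchmarks(xml_text):
        for prof in bm.findall(XCCDF + "Profile"):
            if prof.get("abstract", "false").lower() == "true":
                continue
            title = prof.find(XCCDF + "title")
            profiles[prof.get("id")] = (title.text or "").strip() if title is not None else ""
    return profiles


def missing_profiles(xml_text, required_ids):
    """IDs from required_ids that are not selectable in this datastream."""
    present = list_profiles(xml_text)
    return [pid for pid in required_ids if pid not in present]


def main(argv):
    # Usage: list_ssg_profiles.py [DATASTREAM.xml] [REQUIRED_PROFILE_ID ...]
    # With no arguments the constructed sample above is used.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_DS
    print("content version:", benchmark_version(xml_text))
    for pid, title in sorted(list_profiles(xml_text).items()):
        print(f"  {pid}\n      {title}")
    # Hypothetical ID of a profile that the old scans used and the rebase dropped.
    required = argv[2:] or ["xccdf_org.ssgproject.content_profile_legacy-example"]
    missing = missing_profiles(xml_text, required)
    for pid in missing:
        print("MISSING:", pid)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the installed content with `python3 list_ssg_profiles.py /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml <profile-id> ...` (path assumed); a non-zero exit means at least one scan job references a profile the rebased package no longer ships, which is exactly the situation the reviewer wanted documented. `oscap info` on the same datastream is the tool's own way to print the profile list; the script adds the explicit presence check that a scan wrapper or CI job can gate on.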