Bug 1410914

Summary: Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstream version
Product: Red Hat Enterprise Linux 7
Reporter: Martin Preisler <mpreisle>
Component: scap-security-guide
Assignee: Watson Yuuma Sato <wsato>
Status: CLOSED ERRATA
QA Contact: Marek Haicman <mhaicman>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: high
Version: 7.4
CC: degts, mhaicman, mjahoda, openscap-maint, swells, wsato
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_scap-security-guide_ rebased to version 0.1.33

The _scap-security-guide_ packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines:

* Extended support for PCI-DSS v3 Control Baseline
* Extended support for United States Government Commercial Cloud Services (C2S)
* Extended support for Red Hat Corporate Profile for Certified Cloud Providers
* Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile
* Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile, which configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI)
* Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB/STIG profile implements configuration requirements from the following documents:
  * Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
  * NIST Controlled Unclassified Information (NIST 800-171)
  * NIST 800-53 control selections for moderate impact systems (NIST 800-53)
  * U.S. Government Configuration Baseline (USGCB)
  * NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
  * DISA Operating System Security Requirements Guide (OS SRG)

Note that several previously-contained profiles have been removed or merged.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-01 12:24:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Preisler 2017-01-06 20:22:21 UTC
SCAP-Security-Guide (SSG) contains configuration hardening advice for Red Hat Enterprise Linux 7 and other products. Some customers are contributing fixes directly to upstream. The expectation is that we ship these fixes/improvements along with the RHEL update release.

SCAP-Security-Guide (SSG) is a low-risk rebase component. There is no API or ABI; the product is a set of XML files used with OpenSCAP or other SCAP scanners.

The version currently in RHEL7 is 0.1.30, https://github.com/OpenSCAP/scap-security-guide/compare/v0.1.30...master shows changes in upstream since then.

Comment 4 Shawn Wells 2017-06-08 19:24:42 UTC
How do we get release notes created for the rebase of SCAP Security Guide?

This rebase brings in previously unavailable compliance profiles that should be documented.

Comment 6 Shawn Wells 2017-06-09 20:44:17 UTC
OK. I don't have VPN access currently, so I will log in Monday and use the template. Mostly imagining documenting the new and rebased profiles available in RHEL 7.4 (e.g. STIG and USGCB draft).

Comment 7 Shawn Wells 2017-06-14 05:02:50 UTC
Mirek, here is a first stab at content. Review from yourself and Watson is appreciated.

-----


SCAP Security Guide v0.1.33 enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines.

- PCI-DSS v3 Control Baseline

- U.S. Government Commercial Cloud Services (C2S)

- Red Hat Corporate Profile for Certified Cloud Providers

- NEW: DISA STIG for Red Hat Enterprise Linux 7, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1

- NEW: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security-related configuration settings with which all federal agencies should comply.

This baseline implements configuration requirements from the following documents:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter security setting was chosen.

- NEW: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

This profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI).

Comment 8 Watson Yuuma Sato 2017-06-14 08:31:36 UTC
Thank you Shawn.

Looks good to me.
One thing that may be worth mentioning is that some profiles were removed or merged. People will come asking for them and it would be good to point out, for each profile removed, the profiles they should go for now.
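
When a rebase removes or merges profiles, the quickest way to answer "which profile do I use now?" is to inventory what the shipped datastream actually contains. The following Python is an added illustration, not code from this bug or from the scap-security-guide project: it parses an SCAP 1.2 source datastream (or a bare XCCDF 1.2 benchmark) and lists every profile with the rules it effectively selects, resolving `extends`. The embedded datastream and every profile and rule id in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace; profiles live in the datastream's XCCDF component.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"xccdf": XCCDF_NS}

# Constructed miniature datastream: the profile and rule ids are placeholders,
# not ids from the real scap-security-guide content.
SAMPLE_DS = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_example_comp_xccdf">
    <xccdf:Benchmark id="xccdf_example_benchmark_RHEL-7">
      <xccdf:Profile id="xccdf_example_profile_baseline">
        <xccdf:title>Example baseline profile</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_sshd_permitrootlogin" selected="true"/>
        <xccdf:select idref="xccdf_example_rule_audit_time_rules" selected="true"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_example_profile_strict" extends="xccdf_example_profile_baseline">
        <xccdf:title>Example strict profile</xccdf:title>
        <xccdf:select idref="xccdf_example_rule_audit_time_rules" selected="false"/>
        <xccdf:select idref="xccdf_example_rule_password_minlen" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>
"""


def list_profiles(xml_text):
    """Map each XCCDF Profile id to (title, set of effectively selected rule ids),
    following 'extends' so inherited selections are counted for child profiles."""
    root = ET.fromstring(xml_text)
    raw = {}
    for prof in root.iter("{%s}Profile" % XCCDF_NS):  # also works on a bare XCCDF file
        title_el = prof.find("xccdf:title", NS)
        title = (title_el.text or "").strip() if title_el is not None else ""
        selects = [(s.get("idref"), s.get("selected", "true") == "true")
                   for s in prof.findall("xccdf:select", NS)]
        raw[prof.get("id")] = (title, prof.get("extends"), selects)

    def resolve(pid, seen=()):
        if pid in seen:  # refuse a malformed 'extends' cycle instead of recursing forever
            raise ValueError("extends cycle at %s" % pid)
        title, parent, selects = raw[pid]
        rules = set(resolve(parent, seen + (pid,))[1]) if parent in raw else set()
        for idref, on in selects:  # a child's own select overrides the inherited one
            (rules.add if on else rules.discard)(idref)
        return title, rules
    return {pid: resolve(pid) for pid in raw}
```

Run it against the real `ssg-rhel7-ds.xml` by reading that file into `list_profiles` instead of `SAMPLE_DS`; the profile ids it returns are the values to hand to a scanner's `--profile` option.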

Comment 11 Marek Haicman 2017-06-28 00:26:29 UTC
Regression and sanity checks of version scap-security-guide-0.1.33-5.el7.noarch performed. Multiple new issues found and reported.

Most important ones:
https://bugzilla.redhat.com/show_bug.cgi?id=1465402 (incompatibility of SSG with oscap-anaconda-addon)
https://bugzilla.redhat.com/show_bug.cgi?id=1465675 (audit rules failing remediation)
https://bugzilla.redhat.com/show_bug.cgi?id=1465686 (various rules missing/failing remediations)

None of them are blocking issues though, switching to verified.

Comment 15 errata-xmlrpc 2017-08-01 12:24:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064