1410914 – Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstream version

Bug 1410914 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstream version

Summary: Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstrea...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	scap-security-guide
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Watson Yuuma Sato
QA Contact:	Marek Haicman
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-06 20:22 UTC by Martin Preisler
Modified:	2017-08-01 12:24 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Rebase: Bug Fixes and Enhancements
Doc Text:	_scap-security-guide_ rebased to version 0.1.33 The _scap-security-guide_ packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines: * Extended support for PCI-DSS v3 Control Baseline * Extended support for United States Government Commercial Cloud Services (C2S). * Extended support for Red Hat Corporate Profile for Certified Cloud Providers. * Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile. * Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI). * Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U. S. National Institute of Standards and Technology (NIST), U. S. Department of Defense, the National Security Agency, and Red Hat. The USGCB/STIG profile implements configuration requirements from the following documents: * Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) * NIST Controlled Unclassified Information (NIST 800-171) * NIST 800-53 control selections for moderate impact systems (NIST 800-53) * U. S. Government Configuration Baseline (USGCB) * NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) * DISA Operating System Security Requirements Guide (OS SRG) Note that several previously-contained profiles have been removed or merged.
Clone Of:
Environment:
Last Closed:	2017-08-01 12:24:43 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2064	normal	SHIPPED_LIVE	scap-security-guide bug fix and enhancement update	2017-08-01 16:05:50 UTC

Description Martin Preisler 2017-01-06 20:22:21 UTC

SCAP-Security-Guide (SSG) contains configuration hardening advice of Red Hat  Enterprise Linux 7 and other products. Some customers are contributing fixes  directly to upstream. The expectation is that we ship these fixes/improvements along the RHEL update release.

SCAP-Security-Guide (SSG) is low risk rebase component. There is no API or ABI, the product is a set of XML files used with OpenSCAP or other SCAP scanners.

The version currently in RHEL7 is 0.1.30, https://github.com/OpenSCAP/scap-security-guide/compare/v0.1.30...master shows changes in upstream since then.

Comment 1 Martin Preisler 2017-01-06 20:26:25 UTC

This would also fix:
- https://bugzilla.redhat.com/show_bug.cgi?id=1378489
- https://bugzilla.redhat.com/show_bug.cgi?id=1392672
- https://bugzilla.redhat.com/show_bug.cgi?id=1392679
- https://bugzilla.redhat.com/show_bug.cgi?id=1372063
- https://bugzilla.redhat.com/show_bug.cgi?id=1392674
- https://bugzilla.redhat.com/show_bug.cgi?id=1372061
- https://bugzilla.redhat.com/show_bug.cgi?id=1392676
- https://bugzilla.redhat.com/show_bug.cgi?id=1372062
- https://bugzilla.redhat.com/show_bug.cgi?id=1372068
- https://bugzilla.redhat.com/show_bug.cgi?id=1372070
- https://bugzilla.redhat.com/show_bug.cgi?id=1369735

Comment 4 Shawn Wells 2017-06-08 19:24:42 UTC

How do we get release notes created for the rebase of SCAP Security Guide?

This rebase brings in previously unavailable compliance profiles that should be documented.

Comment 6 Shawn Wells 2017-06-09 20:44:17 UTC

OK. I don't have VPN access currently, so will login Monday and use the template. Mostly imagining to document the new and rebased profiles available in RHEL 7.4 (e.g. STIG and USGCB draft).

Comment 7 Shawn Wells 2017-06-14 05:02:50 UTC

Mirek, Here is a first stab of content. Review from yourself and Watson is appreciated.

-----

SCAP Security Guide v0.1.33 enhances existing compliance profiles and expands scope of coverage to include two new configuration baselines.

- PCI-DSS v3 Control Baseline

- U.S. Government Commercial Cloud Services (C2S)

- Red Hat Corporate Profile for Certified Cloud Providers

- NEW: DISA STIG for Red Hat Enterprise Linux 7, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1

- NEW: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security related configuration settings by which all federal agencies should comply.

This baseline implements configuration requirements from the following documents:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen.

- NEW: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

This profile configures Red Hat Enterprise Linux 7 to the NIST Special
Publication 800-53 controls identified for securing Controlled Unclassified
Information (CUI).

Comment 8 Watson Yuuma Sato 2017-06-14 08:31:36 UTC

Thank you Shawn.

Looks good to me.
One thing that may be worth to mention is that some profiles were removed or merged. People will come asking for them and it would be good to point, for each profile removed, the profiles they should go for now.

Comment 11 Marek Haicman 2017-06-28 00:26:29 UTC

Regression and Sanity checks of version scap-security-guide-0.1.33-5.el7.noarch performed. Multiple new issues found and reported.

Most important ones:
https://bugzilla.redhat.com/show_bug.cgi?id=1465402 (incompatibility of SSG with oscap-anaconda-addon)
https://bugzilla.redhat.com/show_bug.cgi?id=1465675 (audit rules failing remediation)
https://bugzilla.redhat.com/show_bug.cgi?id=1465686 (various rules missing/failing remediations)

None of them are blocking issues though, switching to verified.

Comment 15 errata-xmlrpc 2017-08-01 12:24:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064

Note You need to log in before you can comment on or make changes to this bug.