RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1410914 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstream version
Summary: Rebase scap-security-guide in Red Hat Enterprise Linux 7.4 to current upstrea...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: scap-security-guide
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: ---
Assignee: Watson Yuuma Sato
QA Contact: Marek Haicman
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-06 20:22 UTC by Martin Preisler
Modified: 2020-08-13 08:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_scap-security-guide_ rebased to version 0.1.33 The _scap-security-guide_ packages have been upgraded to upstream version 0.1.33, which provides a number of bug fixes and enhancements over the previous version. In particular, this new version enhances existing compliance profiles and expands the scope of coverage to include two new configuration baselines: * Extended support for PCI-DSS v3 Control Baseline * Extended support for United States Government Commercial Cloud Services (C2S). * Extended support for Red Hat Corporate Profile for Certified Cloud Providers. * Added support for the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7 profile, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 profile. * Added support for the Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171) profile configures Red Hat Enterprise Linux 7 to the NIST Special Publication 800-53 controls identified for securing Controlled Unclassified Information (CUI). * Added support for the United States Government Configuration Baseline (USGCB/STIG) profile, developed in partnership with the U. S. National Institute of Standards and Technology (NIST), U. S. Department of Defense, the National Security Agency, and Red Hat. The USGCB/STIG profile implements configuration requirements from the following documents: * Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) * NIST Controlled Unclassified Information (NIST 800-171) * NIST 800-53 control selections for moderate impact systems (NIST 800-53) * U. S. Government Configuration Baseline (USGCB) * NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) * DISA Operating System Security Requirements Guide (OS SRG) Note that several previously-contained profiles have been removed or merged.
Clone Of:
Environment:
Last Closed: 2017-08-01 12:24:43 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2064 0 normal SHIPPED_LIVE scap-security-guide bug fix and enhancement update 2017-08-01 16:05:50 UTC

Description Martin Preisler 2017-01-06 20:22:21 UTC 
SCAP-Security-Guide (SSG) contains configuration hardening advice of Red Hat  Enterprise Linux 7 and other products. Some customers are contributing fixes  directly to upstream. The expectation is that we ship these fixes/improvements along the RHEL update release.

SCAP-Security-Guide (SSG) is low risk rebase component. There is no API or ABI, the product is a set of XML files used with OpenSCAP or other SCAP scanners.

The version currently in RHEL7 is 0.1.30, https://github.com/OpenSCAP/scap-security-guide/compare/v0.1.30...master shows changes in upstream since then.
Comment 1 Martin Preisler 2017-01-06 20:26:25 UTC 
This would also fix:
- https://bugzilla.redhat.com/show_bug.cgi?id=1378489
- https://bugzilla.redhat.com/show_bug.cgi?id=1392672
- https://bugzilla.redhat.com/show_bug.cgi?id=1392679
- https://bugzilla.redhat.com/show_bug.cgi?id=1372063
- https://bugzilla.redhat.com/show_bug.cgi?id=1392674
- https://bugzilla.redhat.com/show_bug.cgi?id=1372061
- https://bugzilla.redhat.com/show_bug.cgi?id=1392676
- https://bugzilla.redhat.com/show_bug.cgi?id=1372062
- https://bugzilla.redhat.com/show_bug.cgi?id=1372068
- https://bugzilla.redhat.com/show_bug.cgi?id=1372070
- https://bugzilla.redhat.com/show_bug.cgi?id=1369735
Comment 4 Shawn Wells 2017-06-08 19:24:42 UTC 
How do we get release notes created for the rebase of SCAP Security Guide?

This rebase brings in previously unavailable compliance profiles that should be documented.
Comment 6 Shawn Wells 2017-06-09 20:44:17 UTC 
OK. I don't have VPN access currently, so will login Monday and use the template. Mostly imagining to document the new and rebased profiles available in RHEL 7.4 (e.g. STIG and USGCB draft).
Comment 7 Shawn Wells 2017-06-14 05:02:50 UTC 
Mirek, Here is a first stab of content. Review from yourself and Watson is appreciated.

-----


SCAP Security Guide v0.1.33 enhances existing compliance profiles and expands scope of coverage to include two new configuration baselines.

- PCI-DSS v3 Control Baseline

- U.S. Government Commercial Cloud Services (C2S)

- Red Hat Corporate Profile for Certified Cloud Providers 

- NEW: DISA STIG for Red Hat Enterprise Linux 7, aligning to the DISA STIG for Red Hat Enterprise Linux V1R1 

- NEW: United States Government Configuration Baseline (USGCB / STIG) - DRAFT
This profile is developed in partnership with the  U.S. National Institute of Standards and Technology (NIST), U.S. Department of Defense, the National Security Agency, and Red Hat. The USGCB is intended to be the core set of security related configuration settings by which all federal agencies should comply.

This baseline implements configuration requirements from the following documents:

- Committee on National Security Systems Instruction No. 1253 (CNSSI 1253)
- NIST Controlled Unclassified Information (NIST 800-171)
- NIST 800-53 control selections for MODERATE impact systems (NIST 800-53)
- U.S. Government Configuration Baseline (USGCB)
- NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0)
- DISA Operating System Security Requirements Guide (OS SRG)

For any differing configuration requirements, e.g. password lengths, the stricter
security setting was chosen.

- NEW: Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)

This profile configures Red Hat Enterprise Linux 7 to the NIST Special
Publication 800-53 controls identified for securing Controlled Unclassified
Information (CUI).
Comment 8 Watson Yuuma Sato 2017-06-14 08:31:36 UTC 
Thank you Shawn.

Looks good to me.
One thing that may be worth to mention is that some profiles were removed or merged. People will come asking for them and it would be good to point, for each profile removed, the profiles they should go for now.
Comment 11 Marek Haicman 2017-06-28 00:26:29 UTC 
Regression and Sanity checks of version scap-security-guide-0.1.33-5.el7.noarch performed. Multiple new issues found and reported.

Most important ones:
https://bugzilla.redhat.com/show_bug.cgi?id=1465402 (incompatibility of SSG with oscap-anaconda-addon)
https://bugzilla.redhat.com/show_bug.cgi?id=1465675 (audit rules failing remediation)
https://bugzilla.redhat.com/show_bug.cgi?id=1465686 (various rules missing/failing remediations)

None of them are blocking issues though, switching to verified.
Comment 15 errata-xmlrpc 2017-08-01 12:24:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2064
Note You need to log in before you can comment on or make changes to this bug.