forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
scap-security-guide.spec.in
275 lines (220 loc) · 10.1 KB
/
scap-security-guide.spec.in
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
Name: __NAME__
Version: __VERSION__
Release: __RELEASE__%{?dist}
Summary: Security guidance and baselines in SCAP formats
Vendor: scap-security-guide
Group: Applications/System
License: Public Domain
URL: https://fedorahosted.org/scap-security-guide/
Source0: https://github.com/OpenSCAP/scap-security-guide/archive/%{name}-%{version}.tar.gz
BuildArch: noarch
BuildRequires: libxslt, expat, python, openscap-utils >= 1.0.3, python-lxml
%if 0%{?fedora}
BuildRequires: openscap-utils >= 1.2.2
BuildRequires: ShellCheck
%endif
Requires: xml-common, openscap-utils >= 1.0.8
Provides: openscap-content
%description
The %{name} project provides a guide for configuration of the
system from the final system's security point of view. The guidance is
specified in the Security Content Automation Protocol (SCAP) format and
constitutes a catalog of practical hardening advice, linked to government
requirements where applicable. The project bridges the gap between generalized
policy requirements and specific implementation guidelines. The system
administrator can use the oscap command-line tool from the openscap-utils
package to verify that the system conforms to provided guidelines.
%package doc
Summary: HTML formatted documents containing security guides generated from XCCDF benchmarks.
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
%description doc
The %{name}-doc package contains HTML formatted documents containing
hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%prep
%setup -q -n %{name}-%{version}
%build
#(cd RHEL/5 && make dist)
(cd RHEL/6 && make dist)
(cd RHEL/7 && make dist)
(cd JRE && make dist)
(cd Firefox && make dist)
# JBossEAP5 has a different build system
#(cd JBossEAP5 && make dist)
%if 0%{?fedora}
(cd Fedora && make dist)
(cd Chromium && make dist)
#(cd Webmin && make dist)
%endif
%install
mkdir -p %{buildroot}%{_mandir}/en/man8/
cp -a docs/scap-security-guide.8 %{buildroot}%{_mandir}/en/man8/
mkdir -p %{buildroot}%{_datadir}/%{name}
mkdir -p %{buildroot}%{_datadir}/xml/scap/ssg/content
#cp -a RHEL/5/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a RHEL/6/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a RHEL/7/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a JRE/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
cp -a Firefox/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content/
# Add in functions library for remediations
cp -a shared/remediations/bash/templates/remediation_functions %{buildroot}%{_datadir}/%{name}/
%if 0%{?fedora}
cp -a Fedora/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content
cp -a Chromium/dist/content/ssg-chromium-ds.xml %{buildroot}%{_datadir}/xml/scap/ssg/content
#cp -a Webmin/dist/content/* %{buildroot}%{_datadir}/xml/scap/ssg/content
# We only want datastreams on Fedora, lets get rid of plain XCCDF, OVAL and CPE dict files
rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-xccdf.xml
rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-oval.xml
rm %{buildroot}%{_datadir}/xml/scap/ssg/content/*-cpe-dictionary.xml
%endif
# We do this after the filtering on Fedora because we don't ship JBossEAP5 datastreams
cp -a JBossEAP5/eap5-* %{buildroot}%{_datadir}/xml/scap/ssg/content/
# Docs
mkdir -p %{buildroot}/%{_docdir}/%{name}/guides
cp -a RHEL/6/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
cp -a RHEL/7/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
cp -a Firefox/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
cp -a JRE/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
# outside of the normal build system, different guide
cp -a JBossEAP5/docs/JBossEAP5_Guide.html %{buildroot}/%{_docdir}/%{name}/guides
%if 0%{?fedora}
cp -a Fedora/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
cp -a Chromium/output/*-guide-*.html %{buildroot}/%{_docdir}/%{name}/guides
#cp -a Webmin/output/*-guide-*.html %{buildroot}/%{_defaultdocdir}/%{name}/guides
%endif
%files
%{_datadir}/xml/scap
%{_datadir}/%{name}
%lang(en) %{_mandir}/en/man8/scap-security-guide.8.*
%doc LICENSE
%doc README.md
%files doc
%doc %{_docdir}/%{name}/guides/*.html
%changelog
* __DATE__ __REL_MANAGER__ <__REL_MANAGER_MAIL__> __VERSION__-__RELEASE__
- Make new __VERSION__ release
* Mon Oct 19 2015 Jan iankko Lieskovsky <[email protected]> 0.1.26-1
- Make new 0.1.26 upstream release
* Wed Aug 19 2015 Jan iankko Lieskovsky <[email protected]> 0.1.25-1
- Make new 0.1.25 upstream release
* Tue Jul 07 2015 Jan iankko Lieskovsky <[email protected]> 0.1.24-1
- Make new 0.1.24 release
* Mon Jun 22 2015 Jan iankko Lieskovsky <[email protected]> 0.1.23-1
- Make new 0.1.23 release
* Mon May 04 2015 Jan iankko Lieskovsky <[email protected]> 0.1.22-1
- Make new 0.1.22 release
* Fri Feb 20 2015 Jan iankko Lieskovsky <[email protected]> 0.1.21-1
- Make new 0.1.21 release
* Thu Jan 15 2015 Jan iankko Lieskovsky <[email protected]> 0.1.20-1
- Make new 0.1.20 release
* Sun Sep 28 2014 Jan iankko Lieskovsky <[email protected]> 0.1.19-1
- Make new 0.1.19 release
* Sun Jun 22 2014 Jan iankko Lieskovsky <[email protected]> 0.1.18-1
- Make new 0.1.18 release
* Fri May 09 2014 Jan iankko Lieskovsky <[email protected]> 0.1.17-1
- Make new 0.1.17 release
* Mon May 05 2014 Jan iankko Lieskovsky <[email protected]> 0.1.16-1
- Change naming scheme (0.1-16 => 0.1.16-1)
* Fri Feb 21 2014 Jan iankko Lieskovsky <[email protected]> 0.1-16
- Include datastream files into RHEL6 and RHEL7 RPM packages too
- Bump version
* Thu Jan 23 2014 Shawn Wells <[email protected]> 0.1-16.rc3
+ Added to RHEL7 content pool
- OVAL for sshd_set_idle_timeout
- OVAL for sshd_set_keepalive
- OVAL for sshd_disable_rhosts
- OVAL for sshd_disable_root_login
- OVAL for sshd_disable_empty_passwords
- OVAL for sshd_enable_warning_banner
- OVAL for sshd_do_not_permit_user_env
- OVAL for sshd_use_approved_ciphers
- OVAL for sshd_allow_only_protocol2
* Tue Dec 24 2013 Shawn Wells <[email protected]> 0.1-16.rc2
+ RHEL6 stig-rhel6-server XCCDF profile renamed to stig-rhel6-server-upstream
* Mon Dec 23 2013 Shawn Wells <[email protected]> 0.1-16.rc1
+ Added RHEL7 content to SSG rpm
+ Added to RHEL7 content pool:
- OVAL for partition_for_tmp
- OVAL for partition_for_var
- OVAL for partition_for_var_log
- OVAL for partition_for_var_log_audit
- OVAL for selinux_state
- OVAL for selinux_policytype
- OVAL for ensure_redhat_gpgkey_installed
- OVAL for ensure_gpgcheck_never_disabled
- OVAL for package_aide_installed
- OVAL for accounts_password_reuse_limit
- OVAL for no_shelllogin_for_systemaccounts
- OVAL for no_empty_passwords
- OVAL for no_hashes_outside_shadow
- OVAL for accounts_no_uid_except_zero
- OVAL for accounts_password_minlen_login_defs
- OVAL for accounts_minimum_age_login_defs
- OVAL for accounts_password_warn_age_login_defs
- OVAL for accounts_password_pam_cracklib_retry
- [bugfix] RHEL6 no_empty_passwords remediation script overwrote
system-auth symlink. Added --follow-symlink to sed command.
* Fri Nov 01 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15
- Version bump
* Sat Oct 26 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15.rc5
- Point the spec's source to proper remote tarball location
- Modify the main Makefile to use remote tarball when building RHEL/6's SRPM
* Sat Oct 26 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15.rc4
- Don't include the table html files two times
- Remove makewhatis
* Fri Oct 25 2013 Shawn Wells <[email protected]> 0.1-15.rc3
- [bugfix] Updated rsyslog_remote_loghost to scan /etc/rsyslog.conf and /etc/rsyslog.d/*
- Numberous XCCDF->OVAL naming schema updates
- All rules now have CCE
* Fri Oct 25 2013 Shawn Wells <[email protected]> 0.1-15.rc2
- Updated file permissions of JBossEAP5/eap5-cpe-dictionary.xml (chmod -x) to resolve rpmlint errors
- RHEL/6 HTML table naming bugfixes (table-rhel6-*, not table-*-rhel6)
* Fri Oct 25 2013 Jan iankko Lieskovsky <[email protected]> 0.1-15.rc1
- Apply spec file changes required by review request (RH BZ#1018905)
* Thu Oct 24 2013 Shawn Wells <[email protected]> 0.1-14
- Formal RPM release
- Inclusion of rht-ccp profile
- OVAL unit testing patches
- Bash remediation patches
- Bugfixes
* Mon Oct 07 2013 Jan iankko Lieskovsky <[email protected]> 0.1-14.rc1
- Change RPM versioning scheme to include release into tarball
* Sat Sep 28 2013 Shawn Wells <[email protected]> 0.1-13
- Updated RPM spec file to fix rpmlint warnings
* Wed Jun 26 2013 Shawn Wells <[email protected]> 0.1-12
- Updated RPM version to 0.1-12
* Fri Apr 26 2013 Shawn Wells <[email protected]> 0.1-11
- Significant amount of OVAL bugfixes
- Incorporation of Draft RHEL/6 STIG feedback
* Sat Feb 16 2013 Shawn Wells <[email protected]> 0.1-10
- SSG now includes JBoss EAP5 content!
- `man scap-security-guide`
- OVAL bug fixes
- NIST 800-53 mappings update
* Wed Nov 28 2012 Shawn Wells <[email protected]> 0.1-9
- Updated BuildRequires to reflect python-lxml (thank you, Ray S.!)
- Reverting to noarch RPM
* Tue Nov 27 2012 Shawn Wells <[email protected]> 0.1-8
- Significant copy editing to XCCDF rules per community
feedback on the DISA RHEL/6 STIG Initial Draft
* Thu Nov 1 2012 Shawn Wells <[email protected]> 0.1-7
- Corrected XCCDF content errors
- OpenSCAP now supports CPE dictionaries, important to
utilize --cpe-dict when scanning machines with OpenSCAP,
e.g.:
$ oscap xccdf eval --profile stig-server \
--cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml
* Mon Oct 22 2012 Shawn Wells <[email protected]> 0.1-6
- Corrected RPM versioning, we're on 0.1 release 6 (not version 1 release 6)
- Updated RPM includes feedback received from DoD Consensus meetings
* Fri Oct 5 2012 Jeffrey Blank <[email protected]> 1.0-5
- Adjusted installation directory to /usr/share/xml/scap.
* Tue Aug 28 2012 Spencer Shimko <[email protected]> 1.0-4
- Fix BuildRequires and Requires.
* Tue Jul 3 2012 Jeffrey Blank <[email protected]> 1.0-3
- Modified install section, made description more concise.
* Thu Apr 19 2012 Spencer Shimko <[email protected]> 1.0-2
- Minor updates to pass some variables in from build system.
* Mon Apr 02 2012 Shawn Wells <[email protected]> 1.0-1
- First attempt at SSG RPM. May ${deity} help us...