- Issued:
- 2015-07-22
- Updated:
- 2015-07-22
RHBA-2015:1334 - Bug Fix Advisory
Synopsis
scap-security-guide bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
Updated scap-security-guide package that fixes several bugs and adds various
enhancements are now available for Red Hat Enterprise Linux 6.
Description
The scap-security-guide package provides the security guidance, baselines, and
associated validation mechanisms that use Security Content Automation Protocol
(SCAP). SCAP Security Guide contains the necessary data to perform system
security compliance scans regarding prescribed security policy requirements;
both a written description and an automated test (probe) are included. By
automating the testing, SCAP Security Guide provides a convenient and reliable
way to verify system compliance on a regular basis.
The scap-security-guide package has been upgraded to upstream version 0.1.21,
which provides a number of bug fixes and enhancements over the previous version.
Notably, the upgrade includes the following changes:
- The SCAP content for Red Hat Enterprise Linux 6 Server is now shipped also in
the datastream output format.
- The SCAP content for Red Hat Enterprise Linux 7 Server has been included in
order to enable the possibility to perform remote scans of Red Hat Enterprise
Linux 7 Server systems from Red Hat Enterprise Linux 6 systems.
- This update also includes the United States Government Configuration Baseline
(USGCB) profile kickstart file for a new installation of USGCB-compliant Red Hat
Enterprise Linux 6 Server system. Refer to Red Hat Enterprise Linux 6 Security
Guide for further details.
(BZ#1133963)
This update also fixes the following bugs:
- Previously, when checking the sysctl kernel parameters configuration, the SCAP
content recognized only the settings present in the /etc/sysctl.conf file. With
this update, the content has been updated to also recognize the sysctl utility
settings from additional configuration files located in the /etc/sysctl.d/
directory. (BZ#1183034)
- Prior to this update, when performing a validation if the removable media
block special devices were configured with the "nodev", "noexec", or "nosuid"
options, the content could incorrectly report shared memory (/dev/shm) device as
the one missing the required setting. With this update, the corresponding Open
Vulnerability and Assessment Language (OVAL) checks have been corrected to
verify mount options settings only for removable media block special devices.
(BZ#1185426)
- Due to a bug in the OVAL check validation, if the listening capability of the
postfix service was disabled, the system property scan returned a failure even
if the postfix package was not installed on the system. This bug has been
corrected and the feature of the postfix service is now reported as disabled.
Also, the underlying scan result returns "PASS" when the postfix package is not
installed on the system. (BZ#1191409)
- An earlier version of the scap-security-guide package included also an
Extensible Configuration Checklist Document Format (XCCDF) profile named "test".
Since the purpose of this profile is just to check basic sanity of the
corresponding SCAP content and it is not intended to be applied for actual
system scan, the "test" profile has now been removed. (BZ#1199946)
Users of scap-security-guide are advised to upgrade to this updated package,
which fixes these bugs and adds these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant
to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat Enterprise Linux Server 6 x86_64
- Red Hat Enterprise Linux Server 6 i386
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
- Red Hat Enterprise Linux Workstation 6 x86_64
- Red Hat Enterprise Linux Workstation 6 i386
- Red Hat Enterprise Linux Desktop 6 x86_64
- Red Hat Enterprise Linux Desktop 6 i386
- Red Hat Enterprise Linux for IBM z Systems 6 s390x
- Red Hat Enterprise Linux for Power, big endian 6 ppc64
- Red Hat Enterprise Linux Server from RHUI 6 x86_64
- Red Hat Enterprise Linux Server from RHUI 6 i386
- Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
Fixes
- BZ - 1133963 - Rebase scap-security-guide in Red Hat Enterprise Linux 6 to current upstream version
CVEs
(none)
Red Hat Enterprise Linux Server 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| x86_64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
| i386 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux Server - Extended Life Cycle Support 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| x86_64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
| i386 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux Workstation 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| x86_64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
| i386 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux Desktop 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| x86_64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
| i386 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux for IBM z Systems 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| s390x | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux for Power, big endian 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| ppc64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux Server from RHUI 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| x86_64 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
| i386 | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6
| SRPM | |
|---|---|
| scap-security-guide-0.1.21-3.el6.src.rpm | SHA-256: 64b42569814bf2a3cb6a26015dd4e57d16aebe1e06a18fc7bef28af6106d9503 |
| s390x | |
| scap-security-guide-0.1.21-3.el6.noarch.rpm | SHA-256: bf44494e7d85be78c359cd5f009d9d9f32dc3de8af80eb423103831c8d119c40 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.