RHBA-2018:3308 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 7.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.

Users of scap-security-guide are advised to upgrade to these updated packages.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux for ARM 64 7 aarch64
• Red Hat Enterprise Linux for Power 9 7 ppc64le
• Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

• BZ - 1392681 - SCAP Security Guide remediation fail - CCE-80258-7 - Disable KDump Kernel Crash Analyzer (kdump)
• BZ - 1443551 - Align SSG profile and official DISA STIG release.
• BZ - 1462944 - SCAP Security Guide lacks Anaconda remediations for partitioning
• BZ - 1463829 - rule_mount_option_var_tmp_bind discrepancy between OVAL and remediation
• BZ - 1540505 - Rule xccdf_org.ssgproject.content_rule_aide_scan_notification fails when email ID other than root@. is given
• BZ - 1547694 - Rule audit_rules_kernel_module_loading does not remediate properly
• BZ - 1564902 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.6 to latest upstream version
• BZ - 1570802 - Some rules in PCI-DSS, DISA STIG and USGCB Profile fail to remediate
• BZ - 1570956 - Selecting "Standard System Security Profile" during install fails
• BZ - 1592887 - Ansible remediation of various dconf settings contains typo
• BZ - 1592957 - Ansible remediation of default umask in login.defs sets incorrect value
• BZ - 1592970 - Ansible remediation setting SELinux policy fails
• BZ - 1601296 - auditd service does not start on new installation with DISA STIG security profile
• BZ - 1601428 - chronyd service does not start on installation with DISA STIG security profile
• BZ - 1618840 - Some of the profiles requires /dev/cdrom as a separate partition in anaconda
• BZ - 1619689 - Ship profile in line with OSPP v4.2

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index