RHBA-2019:2198 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 7.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Users of scap-security-guide are advised to upgrade to these updated packages.

Solution

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

• BZ - 1465675 - 14 audit related rules fail to remediate on fresh installed system
• BZ - 1599179 - Inconsistent memcache_timeout, ssh_known_hosts_timeout wrt man sssd.conf
• BZ - 1630739 - Rules not applicable to containers are not marked as "machine only" anymore
• BZ - 1631378 - dconf db is not checked by OVAL
• BZ - 1636392 - ansible remediations put colons into PAM configuration
• BZ - 1647189 - Ansible remediations generated using openscap exit after any failure.
• BZ - 1655614 - Bug/typo in scap-security-guide ansible fix for auditd.conf
• BZ - 1657701 - PCI DSS - Ensure Log Files Are Owned By Appropriate Group - checks group_id with 4 instead of 0
• BZ - 1658136 - Rule audit_rules_kernel_module_loading checks for syscalls finit and create, but does not mention or remediate accordingly
• BZ - 1661709 - typo in remediation script for id="xccdf_org.ssgproject.content_rule_display_login_attempts"
• BZ - 1667108 - DISA profile doubles audit rules (with auid unset and 4294967295) and prevents augenrules to run
• BZ - 1677508 - OSCAP rule xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank fails with status "error"
• BZ - 1684545 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.7 to latest upstream version
• BZ - 1686005 - DISA openscap remediation playbook failing on correcting file permissions with RPM.
• BZ - 1686007 - DISA openscap remediation playbook failing on ssh *.pub/*.key files
• BZ - 1687826 - Remediation of STIG DISA profile double audit rules
• BZ - 1703010 - Remediation for ensure_gpgcheck_repo_metadata prevents packages installation and the rule has been dropped from recommendations
• BZ - 1703092 - Rules have same CCE identifier assigned to
• BZ - 1711893 - DISA STIG profile for containers is too bloated

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.7_release_notes/index