RHBA-2020:3909 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise
Linux 7.

Description

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.9 Release Notes linked from the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

• BZ - 1494606 - Rules requiring sysctl.conf values have misleading descriptions - sysctl values defaults are ignored, description says otherwise.
• BZ - 1547642 - OVAL check for content_rule_bootloader_audit_argument uses wrong file
• BZ - 1549671 - Check for module skipping in accounts_passwords_pam_faillock_deny is tricked by comment in config file
• BZ - 1574586 - OSCAP rule xccdf_org.ssgproject.content_rule_audit_rules_login_event remediation is not detected
• BZ - 1609014 - firewall-cmd command in https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html is breaking firewalld functionality
• BZ - 1691579 - DISA STIG does not recognize options on removable partitions
• BZ - 1691877 - Remediation for xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands rule doesn't fix the system.
• BZ - 1722237 - bootloader options on C2S show "notchecked" even when manually selected with a tailoring file
• BZ - 1776780 - Rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text' fail to remediate
• BZ - 1781244 - FIPS approved ciphers need to be updated
• BZ - 1791583 - [DOC] C2S security profile - services are now masked instead of disabled
• BZ - 1794402 - Link in scap-security-guide rhel6 datastream is 404
• BZ - 1801411 - The test if atd is stopped gives a false postive on the service 'rpc-statd.service' because it also contains the letters 'atd'.
• BZ - 1815008 - Rebase scap-security-guide in Red Hat Enterprise Linux 7.9 to latest upstream version
• BZ - 1821633 - Ship CIS aligned profile in RHEL7
• BZ - 1823576 - OpenSCAP ssh rules content_rule_sshd_do_not_permit_user_env content_rule_sshd_allow_only_protocol2 failing after upgrade
• BZ - 1829743 - Undocumented fact that file ownership-related rules dont work with remote user/group backends
• BZ - 1844431 - xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env rule is broken

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index