RHBA-2022:1900 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 8.

Description

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 8 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
• Red Hat Enterprise Linux Server - AUS 8.6 x86_64
• Red Hat Enterprise Linux for IBM z Systems 8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
• Red Hat Enterprise Linux for Power, little endian 8 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.8 x86_64
• Red Hat Enterprise Linux Server - TUS 8.6 x86_64
• Red Hat Enterprise Linux for ARM 64 8 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

• BZ - 1884687 - Openscap protection profile rules for rhel 8 are always notchecked.
• BZ - 1914849 - Rule accounts_passwords_pam_faillock_enforce_local fails to remediate
• BZ - 1956972 - [RHEL8/SCAP/RFE] Align SCAP pam_faillock with recommendation of pam_faillock manpage to use failock.conf
• BZ - 1983061 - The rules CCE-80763-6 and CCE-83496-0 should not be there in RHEL CIS compliance policy
• BZ - 1993826 - content_rule_audit_basic_configuration enforces using default buffer size (8192) for audit, which isn't always suitable on busy systems
• BZ - 2000264 - oscap scans for xccdf_org.ssgproject.content_profile_ospp profile incorrectly flags 11-loginuid.rules and 30-ospp-v42.rules as altered if 10-base-config.rules is changed
• BZ - 2002719 - [Regression] Cannot accept Licence due to USB keyboard and mouse being blocked (ISM profile) [rhel-8.6.0]
• BZ - 2002850 - The CIS profile sets /etc/ssh/*key to 640 which prevents sshd from starting
• BZ - 2013159 - rsyslog_encrypt_offload_* rules fail after ansible remediation
• BZ - 2014485 - Rebase scap-security-guide in Red Hat Enterprise Linux 8.6 to the latest upstream version
• BZ - 2021802 - [RFE] RHV hypervisors hardening profile based on DISA STIG profile
• BZ - 2023569 - Remediations for scan with xccdf_org.ssgproject.content_profile_ism_o do not actually remediate failed test results
• BZ - 2026301 - Cannot remediate Configure Time Service Maxpoll Interval
• BZ - 2028428 - Update source of CVE data in data stream
• BZ - 2030966 - [BZ] [RHEL 8.X] Bash scripts for remediations on grub2_slub_debug and poisoning doesn't work on RHEL 8 as expected.
• BZ - 2049555 - Update RHEL8 DISA STIG profile to V1R5
• BZ - 2053587 - Profile ANSSI Enhanced is missing the rule selinux_state
• BZ - 2055149 - Add krb5-workstation to ignored for RHV
• BZ - 2055860 - configure_bashrc_exec_tmux now errors during remediation
• BZ - 2058033 - ANSSI kickstart doesn't provide enough space for /usr

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/index