RHBA-2022:2610 - Bug Fix Advisory

Topic

New scap-security-guide packages are available for Red Hat Enterprise Linux 9.

Description

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.0 Release Notes linked from the References section.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 9 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
• Red Hat Enterprise Linux Server - AUS 9.6 x86_64
• Red Hat Enterprise Linux Server - AUS 9.4 x86_64
• Red Hat Enterprise Linux Server - AUS 9.2 x86_64
• Red Hat Enterprise Linux for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
• Red Hat Enterprise Linux for Power, little endian 9 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
• Red Hat Enterprise Linux for ARM 64 9 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

• BZ - 1999576 - rpm_verify_hashes fails after installation with HIPAA or ISM_O profile due to modifications of systemd service files
• BZ - 2014561 - Rebase SSG to the latest upstream version in RHEL 9.0
• BZ - 2016038 - Updated kernel boot parameters for OSPP
• BZ - 2020556 - The grub2* rules that promise to set kernel command-line parameters do not work
• BZ - 2020623 - The grub2* rules description, warning, and OVAL often inconsistent
• BZ - 2020626 - The sshd_enable_warning_banner rule creates bogus file /etc/ssh/sshd_config.d/hardening
• BZ - 2020670 - The sshd* rules talk about editing /etc/ssh/sshd_config when they in fact add stuff to /etc/ssh/sshd_config.d/00-complianceascode-hardening.conf or don't do anything
• BZ - 2021093 - The Description text of grub2_uefi_password talks about grub2-mkconfig
• BZ - 2021284 - CentOS Stream 9 20211105.1 doesn't have scap-profiles
• BZ - 2022378 - The grub2_kernel_trust_cpu_rng rule fails even if CONFIG_RANDOM_TRUST_CPU is enabled
• BZ - 2022721 - All abrt related rules need to be removed from RHEL9 product
• BZ - 2028435 - Update source of CVE data in data stream
• BZ - 2043036 - Updated list of disabled kernel modules for OSPP
• BZ - 2045341 - Add ANSSI profiles to RHEL9
• BZ - 2045349 - Add CIS profiles to RHEL9
• BZ - 2045361 - Add CUI profile to RHEL9
• BZ - 2045368 - Add E8 profile to RHEL9
• BZ - 2045374 - Add HIPAA profile to RHEL9
• BZ - 2045381 - Add ISM Official profile to RHEL9
• BZ - 2045386 - Add OSPP profile to RHEL9
• BZ - 2045393 - Add PCI-DSS profile to RHEL9
• BZ - 2045403 - Add STIG profile to RHEL9
• BZ - 2046289 - Removal of auditd.conf rules that just repeat the RHEL default
• BZ - 2055118 - Add page_alloc.shuffle=1 kernel command line parameter to the OSPP profile
• BZ - 2056847 - configure_bashrc_exec_tmux now errors during remediation
• BZ - 2057457 - Even if FIPS mode is set, enable_fips_mode fails
• BZ - 2067109 - Rule ensure_redhat_gpgkey_installed fails on RHEL9 because of new auxiliary gpg key

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.0_release_notes/index