RHBA-2022:6591 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 9.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

Bug Fix(es) and Enhancement(s):

• Rebase SSG to the latest upstream version in RHEL 9.1 (BZ#2116350)
• openscap uses x86_64 audit syscall rules for all arches in OSPP profile (BZ#2117596)
• Make rule audit_access_success in OSPP profile unenforcing (BZ#2117609)
• The zipl_vsyscall_argument rule actually not needed (BZ#2117610)
• login.defs PASS_MIN_LEN is unused (BZ#2117611)
• Refresh of OSPP SCAP rules that disable core dumps. (BZ#2117612)
• Removal of some network sysctl-related rules from OSPP SCAP profile. (BZ#2117613)
• Removal of sysctl_fs_protected_* rules from OSPP profile. (BZ#2117614)
• Refresh of BPF-related SCAP rules in the OSPP profile. (BZ#2117615)
• Make sysctl_user_max_user_namespaces enforcing in the OSPP profile. (BZ#2117616)
• The require_singleuser_auth SCAP rule description is confusing. (BZ#2117617)
• Separate rule just for the GRUB_DISABLE_RECOVERY=true check (BZ#2117618)
• New rule to check against systemd.debug-shell=1 (BZ#2117619)
• Remove *rsyslog* and *audispd-plugins* rules from the OSPP SCAP profile. (BZ#2117620)
• The sshd_enable_strictmodes rule is not needed in RHEL 9 OSPP SCAP profile. (BZ#2117621)
• Remove dnf-automatic_security_updates_only rule from the OSPP SCAP profile. (BZ#2117622)
• Remove three configure_*_crypto_policy rules from the OSPP SCAP profile. (BZ#2117623)
• Remove kerberos_disable_no_keytab rule from the OSPP SCAP profile. (BZ#2117624)
• Remove three package_*_installed rules from the OSPP SCAP profile. (BZ#2117625)
• Remove all package_*_removed rules from the OSPP SCAP profile. (BZ#2117626)
• Remediation results in double crypto-policies include. (BZ#2117627)
• Remove four accounts_password_pam_* rules from the OSPP SCAP profile. (BZ#2117628)
• Remove accounts_max_concurrent_login_sessions from the OSPP SCAP profile. (BZ#2117629)
• Remove securetty_root_login_console_only from the OSPP SCAP profile. (BZ#2117630)
• Remove accounts_umask_etc_* rules from the OSPP SCAP profile. (BZ#2117636)
• Remove multiple partition_for_* and respective mount_option_* rules from the OSPP SCAP profile. (BZ#2117637)
• The new enable_authselect SCAP rule needs some tweaking. (BZ#2117638)
• Ensure that all rules that were once selected in a profile remain in the datastream within the product lifecycle. (BZ#2117682)
• Introduce a rule to warn on non-standard subpolicies in FIPS. (BZ#2117684)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 9 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
• Red Hat Enterprise Linux Server - AUS 9.6 x86_64
• Red Hat Enterprise Linux Server - AUS 9.4 x86_64
• Red Hat Enterprise Linux Server - AUS 9.2 x86_64
• Red Hat Enterprise Linux for IBM z Systems 9 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
• Red Hat Enterprise Linux for Power, little endian 9 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.4 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
• Red Hat Enterprise Linux for ARM 64 9 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.4 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.6 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.4 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.6 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.4 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
• Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.4 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x
• Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

• BZ - 2116350 - Rebase SSG to the latest upstream version in RHEL 9.1 [rhel-9.0.0.z]
• BZ - 2117596 - openscap uses x86_64 audit syscall rules for all arches in OSPP profile [rhel-9.0.0.z]
• BZ - 2117609 - Make rule audit_access_success in OSPP profile unenforcing [rhel-9.0.0.z]
• BZ - 2117610 - The zipl_vsyscall_argument rule actually not needed [rhel-9.0.0.z]
• BZ - 2117611 - login.defs PASS_MIN_LEN is unused [rhel-9.0.0.z]
• BZ - 2117612 - Refresh of OSPP SCAP rules that disable core dumps [rhel-9.0.0.z]
• BZ - 2117613 - Removal of some network sysctl-related rules from OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117614 - Removal of sysctl_fs_protected_* rules from OSPP profile [rhel-9.0.0.z]
• BZ - 2117615 - Refresh of BPF-related SCAP rules in the OSPP profile [rhel-9.0.0.z]
• BZ - 2117616 - Make sysctl_user_max_user_namespaces enforcing in the OSPP profile [rhel-9.0.0.z]
• BZ - 2117617 - The require_singleuser_auth SCAP rule description is confusing [rhel-9.0.0.z]
• BZ - 2117618 - Separate rule just for the GRUB_DISABLE_RECOVERY=true check [rhel-9.0.0.z]
• BZ - 2117619 - New rule to check against systemd.debug-shell=1 [rhel-9.0.0.z]
• BZ - 2117620 - Remove *rsyslog* and *audispd-plugins* rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117621 - The sshd_enable_strictmodes rule is not needed in RHEL 9 OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117622 - Remove dnf-automatic_security_updates_only rule from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117623 - Remove three configure_*_crypto_policy rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117624 - Remove kerberos_disable_no_keytab rule from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117625 - Remove three package_*_installed rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117626 - Remove all package_*_removed rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117627 - remediation results in double crypto-policies include [rhel-9.0.0.z]
• BZ - 2117628 - Remove four accounts_password_pam_* rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117629 - Remove accounts_max_concurrent_login_sessions from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117630 - Remove securetty_root_login_console_only from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117636 - Remove accounts_umask_etc_* rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117637 - Remove multiple partition_for_* and respective mount_option_* rules from the OSPP SCAP profile [rhel-9.0.0.z]
• BZ - 2117638 - The new enable_authselect SCAP rule needs some tweaking [rhel-9.0.0.z]
• BZ - 2117682 - Ensure that all rules that were once selected in a profile remain in the datastream within the product lifecycle [rhel-9.0.0.z]

CVEs

(none)

References

(none)