RHBA-2023:0829 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 8.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the
Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable.
The project bridges the gap between generalized policy requirements and specific implementation guidelines.

Bug Fix(es) and Enhancement(s):

• [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax (BZ#2168050)
• DISA STIG: SCAP kerberos related findings after realm join (BZ#2168054)
• file_permissions_sshd_private_key is not aligned with DISA STIG benchmark (BZ#2168057)
• audit_rules_usergroup_modification_shadow don't remediate existing audit rule (BZ#2168060)
• Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) (BZ#2168063)
• The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value (BZ#2168066)
• Some rules have proper STIG references but they are not part of STIG profile (BZ#2168069)
• Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile (BZ#2168072)
• Update RHEL8 DISA STIG profile to V1R9 (BZ#2168075)
• Rebase SSG to the latest upstream version in RHEL 8.8 (BZ#2168079)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 8 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
• Red Hat Enterprise Linux for IBM z Systems 8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
• Red Hat Enterprise Linux for Power, little endian 8 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.8 x86_64
• Red Hat Enterprise Linux for ARM 64 8 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

• BZ - 2168050 - [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax [rhel-8.7.0.z]
• BZ - 2168054 - DISA STIG: SCAP kerberos related findings after realm join [rhel-8.7.0.z]
• BZ - 2168057 - file_permissions_sshd_private_key is not aligned with DISA STIG benchmark [rhel-8.7.0.z]
• BZ - 2168060 - audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-8.7.0.z]
• BZ - 2168063 - Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) [rhel-8.7.0.z]
• BZ - 2168066 - The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value [rhel-8.7.0.z]
• BZ - 2168069 - Some rules have proper STIG references but they are not part of STIG profile [rhel-8.7.0.z]
• BZ - 2168072 - Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile [rhel-8.7.0.z]
• BZ - 2168075 - Update RHEL8 DISA STIG profile to V1R9 [rhel-8.7.0.z]
• BZ - 2168079 - Rebase SSG to the latest upstream version in RHEL 8.8 [rhel-8.7.0.z]

CVEs

(none)

References

(none)