RHBA-2023:1139 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

Bug Fix(es) and Enhancement(s):

• [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax (BZ#2168051)
• DISA STIG: SCAP kerberos related findings after realm join (BZ#2168055)
• file_permissions_sshd_private_key is not aligned with DISA STIG benchmark (BZ#2168058)
• audit_rules_usergroup_modification_shadow don't remediate existing audit rule (BZ#2168061)
• Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) (BZ#2168064)
• The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value (BZ#2168067)
• Some rules have proper STIG references but they are not part of STIG profile (BZ#2168070)
• Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile (BZ#2168073)
• Update RHEL8 DISA STIG profile to V1R9 (BZ#2168076)
• Rebase SSG to the latest upstream version in RHEL 8.8 (BZ#2168080)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
• Red Hat Enterprise Linux Server - AUS 8.6 x86_64
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.6 x86_64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

• BZ - 2168051 - [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax [rhel-8.6.0.z]
• BZ - 2168055 - DISA STIG: SCAP kerberos related findings after realm join [rhel-8.6.0.z]
• BZ - 2168058 - file_permissions_sshd_private_key is not aligned with DISA STIG benchmark [rhel-8.6.0.z]
• BZ - 2168061 - audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-8.6.0.z]
• BZ - 2168064 - Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) [rhel-8.6.0.z]
• BZ - 2168067 - The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value [rhel-8.6.0.z]
• BZ - 2168070 - Some rules have proper STIG references but they are not part of STIG profile [rhel-8.6.0.z]
• BZ - 2168073 - Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile [rhel-8.6.0.z]
• BZ - 2168076 - Update RHEL8 DISA STIG profile to V1R9 [rhel-8.6.0.z]
• BZ - 2168080 - Rebase SSG to the latest upstream version in RHEL 8.8 [rhel-8.6.0.z]

CVEs

(none)

References

(none)