RHBA-2023:1226 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Description

The scap-security-guide project provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The project bridges the gap between generalized policy requirements and specific implementation guidelines.

Bug Fix(es) and Enhancement(s):

• [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax (BZ#2168052)
• DISA STIG: SCAP kerberos related findings after realm join (BZ#2168056)
• file_permissions_sshd_private_key is not aligned with DISA STIG benchmark (BZ#2168059)
• audit_rules_usergroup_modification_shadow don't remediate existing audit rule (BZ#2168062)
• Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) (BZ#2168065)
• The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value (BZ#2168068)
• Some rules have proper STIG references but they are not part of STIG profile (BZ#2168071)
• Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile (BZ#2168074)
• Update RHEL8 DISA STIG profile to V1R9 (BZ#2168077)
• Rebase SSG to the latest upstream version in RHEL 8.8 (BZ#2168081)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.4 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.4 x86_64
• Red Hat Enterprise Linux Server - AUS 8.4 x86_64
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.4 s390x
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.4 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.4 x86_64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.4 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64

Fixes

• BZ - 2168052 - [SCAP] PCI-DSS Rsyslog log files related rules fails for Rsyslog 8 RainerScript syntax [rhel-8.4.0.z]
• BZ - 2168056 - DISA STIG: SCAP kerberos related findings after realm join [rhel-8.4.0.z]
• BZ - 2168059 - file_permissions_sshd_private_key is not aligned with DISA STIG benchmark [rhel-8.4.0.z]
• BZ - 2168062 - audit_rules_usergroup_modification_shadow don't remediate existing audit rule [rhel-8.4.0.z]
• BZ - 2168065 - Rules concerning audit check for content of specific files, and not /etc/audit/audit.rules ( ex xccdf_org.ssgproject.content_rule_audit_immutable_login_uids) [rhel-8.4.0.z]
• BZ - 2168068 - The stig rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication fails due to space in in the "timestamp_timeout" value [rhel-8.4.0.z]
• BZ - 2168071 - Some rules have proper STIG references but they are not part of STIG profile [rhel-8.4.0.z]
• BZ - 2168074 - Two CIS Level 2 Benchmarks are listed in scap-security-guide under CIS Level 1 Profile [rhel-8.4.0.z]
• BZ - 2168077 - Update RHEL8 DISA STIG profile to V1R9 [rhel-8.4.0.z]
• BZ - 2168081 - Rebase SSG to the latest upstream version in RHEL 8.8 [rhel-8.4.0.z]

CVEs

(none)

References

(none)