RHBA-2023:4793 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux
8.6 Extended Update Support.

Description

The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is
specified in the Security Content Automation Protocol (SCAP) format and
constitutes a catalog of practical hardening advice, linked to government
requirements where applicable. The project bridges the gap between generalized
policy requirements and specific implementation guidelines.

Bug Fix(es):

• Failed to locate a datastream with ID matching 'scap_org.open-

scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml' ID (BZ#2223967)

• Update ANSSI BP-028 in RHEL8 to v2.0 (BZ#2228430)
• Definition of interactive an non interactive users (BZ#2228434)
• Applying CIS benchmark fix cause systemd-journald to unable to parse

configuration file (BZ#2228438)

• scap results should be clear about what values are acceptable for "pam

faillock deny" and "pam faillock interval". (BZ#2228442)

• CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the

permissions cannot be changed as directed (BZ#2228445)

• Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream

version (BZ#2228446)

• Remote resource referenced from datastream is missing

https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 (BZ#2228453)

• content_rule_audit_rules_login_events_faillock not selected on DISA STIG

Profile (BZ#2228456)

• AIDE compliancy (BZ#2228459)
• system account with uid >= 1000 is badly detected as user interactive account

(BZ#2228461)

• Please explain if "accounts_passwords_pam_faillock_interval" should apply to

RHEL8.2+ or not (BZ#2228466)

• xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should

allow whitespace in "smtpd_client_restrictions" value (BZ#2228472)

• "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should

return "notapplicable" when no dedicated mount point is used (BZ#2228474)

Solution

For details on how to apply this update, which includes the changes described
in this advisory, refer to

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
• Red Hat Enterprise Linux Server - AUS 8.6 x86_64
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.6 x86_64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

• BZ - 2223967 - Failed to locate a datastream with ID matching 'scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf-1.2.xml' ID [rhel-8.6.0.z]
• BZ - 2228430 - Update ANSSI BP-028 in RHEL8 to v2.0 [rhel-8.6.0.z]
• BZ - 2228434 - Definition of interactive an non interactive users [rhel-8.6.0.z]
• BZ - 2228438 - Applying CIS benchmark fix cause systemd-journald to unable to parse configuration file [rhel-8.6.0.z]
• BZ - 2228442 - scap results should be clear about what values are acceptable for "pam faillock deny" and "pam faillock interval". [rhel-8.6.0.z]
• BZ - 2228445 - CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the permissions cannot be changed as directed [rhel-8.6.0.z]
• BZ - 2228446 - Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream version [rhel-8.6.0.z]
• BZ - 2228453 - Remote resource referenced from datastream is missing https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 [rhel-8.6.0.z]
• BZ - 2228456 - content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile [rhel-8.6.0.z]
• BZ - 2228459 - AIDE compliancy [rhel-8.6.0.z]
• BZ - 2228461 - system account with uid >= 1000 is badly detected as user interactive account [rhel-8.6.0.z]
• BZ - 2228466 - Please explain if "accounts_passwords_pam_faillock_interval" should apply to RHEL8.2+ or not [rhel-8.6.0.z]
• BZ - 2228472 - xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should allow whitespace in "smtpd_client_restrictions" value [rhel-8.6.0.z]
• BZ - 2228474 - "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should return "notapplicable" when no dedicated mount point is used [rhel-8.6.0.z]

CVEs

(none)

References

(none)