- Issued:
- 2023-09-19
- Updated:
- 2023-09-19
RHBA-2023:5267 - Bug Fix Advisory
Synopsis
scap-security-guide bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for scap-security-guide is now available for Red Hat Enterprise Linux
8.
Description
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is
specified in the Security Content Automation Protocol (SCAP) format and
constitutes a catalog of practical hardening advice, linked to government
requirements where applicable. The project bridges the gap between generalized
policy requirements and specific implementation guidelines.
Bug Fix(es):
- Update ANSSI BP-028 in RHEL8 to v2.0 (BZ#2228429)
- Definition of interactive an non interactive users (BZ#2228433)
- Applying CIS benchmark fix cause systemd-journald to unable to parse
configuration file (BZ#2228437)
- scap results should be clear about what values are acceptable for "pam
faillock deny" and "pam faillock interval". (BZ#2228441)
- CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the
permissions cannot be changed as directed (BZ#2228443)
- Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream
version (BZ#2228444)
- Offline remediation of fstab permissions fails in Image Builder (BZ#2228448)
- Remote resource referenced from datastream is missing
https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 (BZ#2228452)
- content_rule_audit_rules_login_events_faillock not selected on DISA STIG
Profile (BZ#2228455)
- AIDE compliancy (BZ#2228458)
- system account with uid >= 1000 is badly detected as user interactive account
(BZ#2228460)
- Please explain if "accounts_passwords_pam_faillock_interval" should apply to
RHEL8.2+ or not (BZ#2228465)
- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should
allow whitespace in "smtpd_client_restrictions" value (BZ#2228471)
- "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should
return "notapplicable" when no dedicated mount point is used (BZ#2228473)
Solution
For details on how to apply this update, which includes the changes described
in this advisory, refer to:
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
- Red Hat Enterprise Linux Server - TUS 8.8 x86_64
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64
Fixes
- BZ - 2228429 - Update ANSSI BP-028 in RHEL8 to v2.0 [rhel-8.8.0.z]
- BZ - 2228433 - Definition of interactive an non interactive users [rhel-8.8.0.z]
- BZ - 2228437 - Applying CIS benchmark fix cause systemd-journald to unable to parse configuration file [rhel-8.8.0.z]
- BZ - 2228441 - scap results should be clear about what values are acceptable for "pam faillock deny" and "pam faillock interval". [rhel-8.8.0.z]
- BZ - 2228443 - CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the permissions cannot be changed as directed [rhel-8.8.0.z]
- BZ - 2228444 - Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream version [rhel-8.8.0.z]
- BZ - 2228448 - Offline remediation of fstab permissions fails in Image Builder [rhel-8.8.0.z]
- BZ - 2228452 - Remote resource referenced from datastream is missing https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 [rhel-8.8.0.z]
- BZ - 2228455 - content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile [rhel-8.8.0.z]
- BZ - 2228458 - AIDE compliancy [rhel-8.8.0.z]
- BZ - 2228460 - system account with uid >= 1000 is badly detected as user interactive account [rhel-8.8.0.z]
- BZ - 2228465 - Please explain if "accounts_passwords_pam_faillock_interval" should apply to RHEL8.2+ or not [rhel-8.8.0.z]
- BZ - 2228471 - xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should allow whitespace in "smtpd_client_restrictions" value [rhel-8.8.0.z]
- BZ - 2228473 - "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should return "notapplicable" when no dedicated mount point is used [rhel-8.8.0.z]
CVEs
(none)
References
(none)
Red Hat Enterprise Linux for x86_64 8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
x86_64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
x86_64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for IBM z Systems 8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
s390x | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
s390x | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for Power, little endian 8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
ppc64le | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
ppc64le | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux Server - TUS 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
x86_64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for ARM 64 8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
aarch64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
aarch64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
ppc64le | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8
SRPM | |
---|---|
scap-security-guide-0.1.69-2.el8_8.src.rpm | SHA-256: 21a640c0cf65f672bcbc9e7a9737491d6c72ae0ba125b1893941cccb25fd549c |
x86_64 | |
scap-security-guide-0.1.69-2.el8_8.noarch.rpm | SHA-256: 4a70a4a8d262dd624e84a41cae35d46305f51a20a208c53fa1982c52b9c8efc3 |
scap-security-guide-doc-0.1.69-2.el8_8.noarch.rpm | SHA-256: 359ab35199c9e82c1cb658039f699bb58f177875a96e07e5c47472f0bc8e27ae |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.