RHBA-2023:5267 - Bug Fix Advisory

Topic

An update for scap-security-guide is now available for Red Hat Enterprise Linux
8.

Description

The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is
specified in the Security Content Automation Protocol (SCAP) format and
constitutes a catalog of practical hardening advice, linked to government
requirements where applicable. The project bridges the gap between generalized
policy requirements and specific implementation guidelines.

Bug Fix(es):

• Update ANSSI BP-028 in RHEL8 to v2.0 (BZ#2228429)
• Definition of interactive an non interactive users (BZ#2228433)
• Applying CIS benchmark fix cause systemd-journald to unable to parse

configuration file (BZ#2228437)

• scap results should be clear about what values are acceptable for "pam

faillock deny" and "pam faillock interval". (BZ#2228441)

• CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the

permissions cannot be changed as directed (BZ#2228443)

• Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream

version (BZ#2228444)

• Offline remediation of fstab permissions fails in Image Builder (BZ#2228448)
• Remote resource referenced from datastream is missing

https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 (BZ#2228452)

• content_rule_audit_rules_login_events_faillock not selected on DISA STIG

Profile (BZ#2228455)

• AIDE compliancy (BZ#2228458)
• system account with uid >= 1000 is badly detected as user interactive account

(BZ#2228460)

• Please explain if "accounts_passwords_pam_faillock_interval" should apply to

RHEL8.2+ or not (BZ#2228465)

• xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should

allow whitespace in "smtpd_client_restrictions" value (BZ#2228471)

• "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should

return "notapplicable" when no dedicated mount point is used (BZ#2228473)

Solution

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux for x86_64 8 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.8 x86_64
• Red Hat Enterprise Linux for IBM z Systems 8 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.8 s390x
• Red Hat Enterprise Linux for Power, little endian 8 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.8 ppc64le
• Red Hat Enterprise Linux Server - TUS 8.8 x86_64
• Red Hat Enterprise Linux for ARM 64 8 aarch64
• Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.8 aarch64
• Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le
• Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64

Fixes

• BZ - 2228429 - Update ANSSI BP-028 in RHEL8 to v2.0 [rhel-8.8.0.z]
• BZ - 2228433 - Definition of interactive an non interactive users [rhel-8.8.0.z]
• BZ - 2228437 - Applying CIS benchmark fix cause systemd-journald to unable to parse configuration file [rhel-8.8.0.z]
• BZ - 2228441 - scap results should be clear about what values are acceptable for "pam faillock deny" and "pam faillock interval". [rhel-8.8.0.z]
• BZ - 2228443 - CIS profile flags the permissions on /boot/efi/EFI/redhat/user.cfg, but the permissions cannot be changed as directed [rhel-8.8.0.z]
• BZ - 2228444 - Rebase scap-security-guide in Red Hat Enterprise Linux 8.9 to latest upstream version [rhel-8.8.0.z]
• BZ - 2228448 - Offline remediation of fstab permissions fails in Image Builder [rhel-8.8.0.z]
• BZ - 2228452 - Remote resource referenced from datastream is missing https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml.bz2 [rhel-8.8.0.z]
• BZ - 2228455 - content_rule_audit_rules_login_events_faillock not selected on DISA STIG Profile [rhel-8.8.0.z]
• BZ - 2228458 - AIDE compliancy [rhel-8.8.0.z]
• BZ - 2228460 - system account with uid >= 1000 is badly detected as user interactive account [rhel-8.8.0.z]
• BZ - 2228465 - Please explain if "accounts_passwords_pam_faillock_interval" should apply to RHEL8.2+ or not [rhel-8.8.0.z]
• BZ - 2228471 - xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay should allow whitespace in "smtpd_client_restrictions" value [rhel-8.8.0.z]
• BZ - 2228473 - "Add xxx Option to /var/log" and "Add xxx Option to /var/log/audit" should return "notapplicable" when no dedicated mount point is used [rhel-8.8.0.z]

CVEs

(none)

References

(none)