
Fedora alert FEDORA-2025-cc7979cb89 (scap-security-guide)

From:  updates--- via package-announce <package-announce@lists.fedoraproject.org>
To:  package-announce@lists.fedoraproject.org
Subject:  Fedora 43 Update: scap-security-guide-0.1.78-1.fc43
Date:  Fri, 19 Sep 2025 01:19:26 +0000
Message-ID:  <20250919011926.BFF028788C@bastion01.rdu3.fedoraproject.org>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-cc7979cb89
2025-09-19 01:18:06.829138+00:00
--------------------------------------------------------------------------------

Name        : scap-security-guide
Product     : Fedora 43
Version     : 0.1.78
Release     : 1.fc43
URL         : https://github.com/ComplianceAsCode/content/
Summary     : Security guidance and baselines in SCAP formats
Description :
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is
specified in the Security Content Automation Protocol (SCAP) format and
constitutes a catalog of practical hardening advice, linked to government
requirements where applicable. The project bridges the gap between
generalized policy requirements and specific implementation guidelines.
The system administrator can use the oscap CLI tool from openscap-scanner
package, or the scap-workbench GUI tool from scap-workbench package to verify
that the system conforms to provided guideline. Refer to
scap-security-guide(8) manual page for further information.

--------------------------------------------------------------------------------
Update Information:

Important Highlights
- Enable SCE content for problematic rules that can traverse the whole filesystem (#13758)
- Remove unnecessary Jinja2 macros in control files (#13592)
- Update RHEL 8 STIG to V2R4 (#13774)
- Update RHEL 9 STIG to V2R5 (#13795)
- Add CIS benchmark support for debian (#13712)
- Add Debian 13 profile for ANSSI BP 28 (enhanced) (#13571)
- Create SLE Micro 5 General profile (#13490)
- Update the way in which the stable branch is maintained (#13769)

New Rules and Profiles
- add anssi BP28 high profile to debian13 product (#13603)
- Debian13 ANSSI BP28 (minimal) (#13540)
- Debian13: add BP28 intermediary profile (#13556)
- Implement rpm_verify_crypto_policies (#13469)
- Update RHEL 8 STIG to V2R4 (#13774)
- Create slmicro6 product (#13570)

Updated Rules and Profiles
- RHEL 9 STIG: align login timeout with the STIG policy (#13826)
- [Ubuntu 24.04]: Add vlock_installed pkg override (#13582)
- [Ubuntu] Define firewall variable for Ubuntu 2404 STIG (#13689)
- Add CCE for rsyncd disabled rule to slmicro5 (#13523)
- Add distributed config support (#13653)
- Adjust description of file_permissions_sudo (#13685)
- Fix GRUB 2 UEFI selections in RHEL 9 ANSSI profiles (#13598)
- Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
- Move RHEL 8 STIG to Control file (#13481)
- Move RHEL 9 ISM O Profile to Control File (#13511)
- Remove rule from OL09-00-001085 (#13673)
- RHEL 9 CIS: add ensure_gpgcheck_never_disabled (#13706)
- RHEL 9 CIS: complete 6.3.3.5 (#13707)
- Set var_screensaver_lock_delay for OL9 (#13672)
- Slmicro5 disable ipv6 rules (#13524)
- Fix bsi conflicts (#13847)
- stop using fixfiles relabel in remediations (#13738)
- Support drop-in files in coredump rules (#13665)
- Update OL10 profiles (#13569)
- Update var_password_pam_unix_rounds for OL9 stig control (#13516)
- Use default order in configure_gnutls_tls_crypto_policy (#13692)

Removed Products
- Remove leftover from ubuntu2004 (#13604)
- Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)

Changes in Remediations
- RHEL 9 Ansible replace systemd_service module with systemd (#13829)
- Add OL9 to platform in ssh ciphers rule's bash (#13506)
- Enable audit configure rules for slmicro5 (#13525)
- Ensure tmout.sh and ssh_confirm.sh have correct permissions on creation (#13711)
- Exclude remote mounted filesystems from local partition nodev tasks (#13530)
- Fix architecture dependent path (#13714)
- Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
- Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
- Prevent fails in check mode (#13703)
- Prevent problems with single quotes (#13742)
- Reduce gathering facts in profile Ansible Playbooks (#13739)
- Remove file_owner_var_log_messages bash remediation (#13488)
- SLE fixes for gid-related rules (#13779)
- SLE improve require_singleuser_auth oval check and remediations (#13746)
- stop using fixfiles relabel in remediations (#13738)
- Support banner with single quote (#13713)
- Update ansible for auditd_data_retention_action_mail_acct (#13650)
- Update ansible in require_singleuser_auth for OL (#13651)
- Update disable_users_coredumps rule to support drop-in and string values (#13749)
- Update jinja in require_emergency_target_auth for OL (#13652)
- Use fully qualified collection name in Ansible tasks (#13794)
- Workaround OpenSCAP issue for Image Mode (#13645)

Changes in Checks
- [Ubuntu] Fix rule encrypt_partitions (#13596)
- Add OL9 in oval to directory_permissions_var_log_audit rule (#13745)
- Add oval check for prevent_direct_root_logins (#13615)
- Add OVAL for encrypt_partitions rule (#13539)
- Allow spaces around equal sign (#13691)
- Create slmicro6 product (#13570)
- Disable value of zero in dconf_gnome_screensaver_idle_delay (#13671)
- Enable multi_platform_sle platforms for encrypt_partition oval check (#13775)
- Exclude remote mounted filesystems from local partition nodev tasks (#13530)
- Fix(accounts_tmout): OVAL check incorrectly passes for TMOUT=0 (#13564)
- Fix(OVAL): Correct variable reference in account_disable_inactivity_* (#13591)
- Implement mount_option_tmp_noexec for slmicro5 platform (#13509)
- Implement oval and remediation files to tftp_uses_secure_mode_systemd (#13694)
- Improve OVAL checks for nss-altfiles (#13759)
- Make sure oval service disable macro covers also not found definition (#13725)
- SLE fixes for gid-related rules (#13779)
- SLE improve require_singleuser_auth oval check and remediations (#13746)
- SLE kernel package may be called kernel-default-base (#13748)
- Sshd rekey limit update OVAL (#13687)
- Update disable_users_coredumps rule to support drop-in and string values (#13749)
- Update path for OL9 in sysctl_kernel_exec_shield oval file (#13538)
- Update sshd_set_idle_timeout oval file & sshd_lineinfile template for OL (#13695)

Changes in the Infrastructure
- [workflow] Fix ansible for Ubuntu workflow (#13480)
- Add the ability to build more than one product with SRG XLSX Option (#13693)
- Fix Debian 13 in CI (#13557)
- Fix level inheritance when processing profiles (#13666)
- Fix SCAP Delta Tailoring (#13542)
- Format rhel8 related yaml files (#13621)
- Improve reproducibility and stability (#13531)
- Move RHEL 9 E8 profile to use the e8 control file (#13482)
- Pre-load Jinja macros (#13502)
- Remove 2 functions (#13659)
- Remove Ubuntu 16.04, 18.04 and 20.04 products (#13483)
- Update Export SRG Script (#13474)

Changes in the Test Suite
- [Ubuntu] Fix test of package_bind_removed (#13560)
- Add missing profile stability data (#13600)
- Add OL9 to disable_ctrlaltdel_reboot tests (#13609)
- Add tags to test scenarios in accounts_root_path_dirs_no_write (#13536)
- Change TS in networkmanager_dns_mode from fail to pass (#13724)
- CI: fedora gating - collapse the multiline command (#13735)
- file_groupownership_system_commands_dirs fix test scenario (#13675)
- Fix platform tag in test scenarios (#13534)
- Fix tests for rule grub2_pti_argument (#13733)
- Update profile to variable in banner_etc_issue_disa_dod_short test (#13667)

Documentation
- Remove outdated Code Climate badge (#13744)
- Update Contributors for 0.1.78 (#13807)

Fixed Bugs
- RHEL 9 STIG: align login timeout with the STIG policy (#13826)
- [stabilization]: auditd_lineinfile: allow specifying data type of XCCDF variable (#13841)
- RHEL 9 Ansible replace systemd_service module with systemd (#13829)
- [Ubuntu] Remove non-ascii character (#13607)
- Add var_sudo_timestamp_timeout=always_prompt to RHEL 9 and RHEL 10 STIG (#13517)
- Adjust description of file_permissions_sudo (#13685)
- Allow spaces around equal sign (#13691)
- file_groupownership_system_commands_dirs fix test scenario (#13675)
- Fix rule auditd_freq (#13718)
- grub2_*_admin_username: make regex less strict (#13740)
- Install package polkit-pkla-compat (#13729)
- make service_rngd_enabled applicable in case FIPS mode is not enabled (#13705)
- Remove remaining dependencies on installed_OS_is_FIPS_certified (#13757)
- replace instances of grub-mkconfig with correct grub2-mkconfig (#13640)
- sshd_limit_user_access is missing the opening tag (#13616)
- stop using fixfiles relabel in remediations (#13738)
- Support drop-in files in coredump rules (#13665)
- Update links which pointed to outdated documentation (#13508)
- Update the suffix for rules used when generating components gh pages (#13597)
- Use default order in configure_gnutls_tls_crypto_policy (#13692)
- Use template in grub2_nousb_argument (#13726)

--------------------------------------------------------------------------------
ChangeLog:

* Mon Sep 8 2025 Matthew Burket <mburket@redhat.com> - 0.1.78-1
- Update to latest upstream release:
  https://github.com/ComplianceAsCode/content/releases/tag/...
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-cc7979cb89' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
--
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue



