Fedora 41 Update: scap-security-guide-0.1.76-1.fc41

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2025-6b33c7310d
2025-03-06 02:18:18.572733+00:00
--------------------------------------------------------------------------------

Name        : scap-security-guide
Product     : Fedora 41
Version     : 0.1.76
Release     : 1.fc41
URL         : https://github.com/ComplianceAsCode/content/
Summary     : Security guidance and baselines in SCAP formats
Description :
The scap-security-guide project provides a guide for configuration of the
system from the final system's security point of view. The guidance is specified
in the Security Content Automation Protocol (SCAP) format and constitutes
a catalog of practical hardening advice, linked to government requirements
where applicable. The project bridges the gap between generalized policy
requirements and specific implementation guidelines. The system
administrator can use the oscap CLI tool from the openscap-scanner package, or
the scap-workbench GUI tool from the scap-workbench package, to verify that the
system conforms to the provided guideline. Refer to the scap-security-guide(8)
manual page for further information.

--------------------------------------------------------------------------------
Update Information:

Important Highlights
Add new product for Ubuntu 24.04 and draft CIS profiles (#12611)
Add pyproject.toml for the ssg package (#12604)
AlmaLinux OS 9 as a new product (#12810)
Documentation for ssg library (#12606)
Extend SSG library to more easily collect profile selections (#12797)
Extend SSG with functions to manage variables (#12717)

New Rules and Profiles
A new rule system_boot_in_fips_mode (#12671)
Add a default profile for Ubuntu2404 to add all rules to the datastream (#13023)
Add ccn profile to OL9 (#12759)
Add new rule journald_disable_forward_to_syslog (#12674)
Add new rule logging_services_active (#12857)
Add new rule no_nologin_in_shells (#12835)
Add new rule service_dhcpd6_disabled (#12627)
Add new rule service_dnsmasq_disabled (#12628)
Add new rule service_nginx_disabled (#12629)
Add new rules to replace audit_rules_mac_modification on Ubuntu (#12828)
add new stig rule accounts_password_pam_pwquality_retry (#12965)
Add rules for installing pam-runtime and pam-modules to Ubuntu 24.04 (#12904)
Add rules to ubuntu2404 CIS control 7.2.10 (#12716)
Clean Up Opensc Rules in RHEL 10 (#12738)
Create Public Cloud Hardening profile for SLE Micro5 (#12817)
Implement audit rules for nsswitch.conf, pam.conf and pam.d (#12724)
Implement new rule firewall_single_service_active (#12822)
Implement rule accounts_umask_root  (#12721)
Implement rule groups_no_zero_gid_except_root  (#12720)
Implement rules for /etc/security/opasswd permissions  (#12693)
New rule package_unbound_removed (#12699)
rhel10: use new rule for auditing of changes to selinux configuration (#12826)

Updated Rules and Profiles
Update RHEL 8 STIG to V2R1 (#12924)
Fixes related to STIG and SSH cryptopolicy (#13025)
Adapt audit_rules_suid_privilege_function for Ubuntu 24.04 CIS (#12974)
Add new variable to set_password_hashing_min_rounds_logindefs rule (#12923)
Add package_ypbind_removed to e8 profile to OL8 (#12957)
Add ubuntu specific check and remediation for
aide_periodic_checking_systemd_timer (#12733)
Adjust journald rules for RHEL 10 (#12754)
Adjust two filesystem permission rules to 600 (#12737)
Adjust wording in kerberos_disable_no_keytab (#12739)
Alma9 more changes (mk2) (#12905)
audit_immutable_login_uids: remove stig-specific content (#12676)
Clean Up Opensc Rules in RHEL 10 (#12738)
Define var_user_initialization_files_regex on Ubuntu 24.04 (#12960)
Exclude autrace and audispd on RHEL 10 (#12736)
Fix audit access rules in ISM_O (#12670)
Fix mistake done in PR #12714 (#12741)
Fix package and service name overrides for Ubuntu 24.04 (#12913)
Fix RHEL 10 DISA and SRG References  (#12944)
Fix RHEL 10 ISM profile fails in Image Mode (#12836)
Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
Fix rule ip6tables_rules_for_open_ports and add to ubuntu2404 controls (#12666)
Fix the bash conditional for checking system architecture (#12815)
Fix variable name in Ubuntu 22.04 CIS profiles (#12982)
gdm package cannot be removed in stig_gui profile (#12915)
Improve rule file_permissions_ungroupowned for use in bootable containers
(#12584)
Refactor ubuntu oval for audit_rules_networkconfig_modification  (#12722)
Remove not applicable rules for OL8 & OL9 (#12558)
Remove old rules from RHEL 10 profiles (#12697)
Remove package_quagga_removed from RHEL 10 profiles (#12589)
Remove RHEL-08-020220 and RHEL-08-020221 from the RHEL 8 STIG (#12805)
Remove service_chronyd_or_ntpd_enabled from RHEL 10 (#12756)
remove sshd_use_priv_separation from hipaa control file (#12591)
require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
require_singleuser_auth:update prose (#12864)
RHEL 10 Kernel Config and Module Clean Up (#12712)
RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational
(#12824)
rhel8 STIG: update password hashing rounds (#12948)
RHEL8 STIG: update SSH algorithms (#12949)
Switch to _guard_var templates for timesync rules on Ubuntu 24.04 (#12903)
Switch to CIS-specific banner rules for Ubuntu 24.04 CIS (#12619)
Update sssd_enable_smartcards for RHEL 10 (#12882)
update audit_ospp_general with the latest content (#12579)
Update mount_option_proc_hidepid to include OL9 product (#12917)
Update Ol10 profiles (#12833)
Update package_gssproxy_removed based on feedback (#12725)
Update profiles ol8 (#12890)
Update RHEL 10 GPG Keys (#12744)
Update RHEL 9 STIG to V2R3 (#12922)
Update set_password_hashing_algorithm_passwordauth for RHEL 10 STIG (#12758)
Update several controls and variables for Ubuntu 24.04 CIS (#12624)
Update several controls for Ubuntu 24.04 CIS (#12912)
Update SRG GPOS to V3R2 (#12943)
Update ubuntu2404 CIS control 2.3.2.1 (#12637)
Update X Servers Rules for Wayland (#12897)
Use yescrypt in RHEL 10 (#12743)
Update Ol10 profiles (#12833)

Changes in Remediations
Fix set_password_hashing_min_rounds_logindefs (#12998)
Add systemd check if it is running for systemctl start commands (#12918)
Adjust set_password_hashing_algorithm_* for RHEL 10 (#12782)
Adjust ansible_audit_augenrules_add_syscall_rule to 600 (#12786)
Firewall technology related rules per service and package change logic according
to interactive profile variable (#11818)
Fix display_login_attempts (#12603)
Fix dpkg package applicability check in bash (#12873)
Fix file_permissions_etc_audit_rulesd in Image Mode (#12855)
Fix path to timesyncd.conf for sle15 (#12919)
Fix sssd_enable_smartcards (#12600)
Some small patches for SLE15 CIS related remediations (#12921)
Update ensure_logrotate_activated for image mode (#12645)

Changes in Checks
Adjust OVAL for directory_permissions_var_log_audit (#12631)
Fix file_permissions_unauthorized_sgid (#12602)
Fix path to timesyncd.conf for sle15 (#12919)
Fix rule firewalld_sshd_port_enabled OVAL check (#12914)
Improve OVAL and tests for accounts_password_pam_unix_authtok (#12868)
Improve regex in sudo_defaults_option oval (#12673)
Improve rule file_permissions_ungroupowned for use in bootable containers
(#12584)
Update ensure_logrotate_activated for image mode (#12645)
Use nss-altfiles in file_groupowner_etc_chrony_keys (#12789)

Fixed Bugs
Remove RHEL 8 STIG reference from file_permission_user_init_files - stable
(#13016)
Fix set_password_hashing_min_rounds_logindefs (#12998)
Fixes related to STIG and SSH cryptopolicy (#13025)
Add a script to ensure coredump configuration file exists (#12844)
Add custom test scenario dconf_gnome_lock_screen_on_smartcard_removal (#12839)
Adjust kernel_module_disabled/missing_blacklist.fail.sh (#12898)
Authselect profile minimal is now called local in RHEL10 (#12846)
disable_ctrlaltdel_burstaction: make sure config file exists (#12841)
Enable correct OVAL criteria for RHEL9/RHEL10 in
file_ownership_var_log_audit_stig (#12845)
Fix audit_rules_privileged_commands_unix2_chkpwd (#12886)
Fix CIS reference URI for AlmaLinux 9 (#12850)
Fix NERC CIP Link (#12892)
Fix RHEL 8 CIS reference on Ensure noexec option set on /var/tmp (#12847)
Fix sssd service enabled test scenarios (#12862)
Fix to prevent oscap crashing on ubuntu (#12728)
Move to enable_fips_mode from grub2_enable_fips_mode in RHEL 10 (#12899)
Remove package_xinetd_removed from RHEL 10 (#12881)
Remove rule disable_ctrlaltdel_burstaction from Ubuntu STIG profiles (#12620)
rename OVAL tests and objects to fix name conflict (#12869)
require_singleuser_auth: rewrite rule to use systemd override mechanism (#12861)
RHEL 9 STIG: make sysctl_user_max_user_namespaces not scored and informational
(#12824)
RHEL now checks no other users have primary group ID 0 (#12891)
RHEL8: add back removed rules to keep datastream consistent (#12966)
update audit_ospp_general with the latest content (#12579)
Update tests for file_groupownership_sshd_private_key (#12896)
Update X Servers Rules for Wayland (#12897)
Use dedicated_ssh_keyowner variable in test scenarios (#12860)
--------------------------------------------------------------------------------
ChangeLog:

* Tue Feb 25 2025 Evgenii Kolesnikov <ekolesni@xxxxxxxxxx> - 0.1.76-1
- Update to latest upstream release:
  https://github.com/ComplianceAsCode/content/releases/tag/v0.1.76
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2025-6b33c7310d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
