- Issued:
- 2015-07-22
- Updated:
- 2015-07-22
RHBA-2015:1334 - scap-security-guide bug fix and enhancement update
Synopsis
scap-security-guide bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated scap-security-guide package that fixes several bugs and adds various enhancements are now available for Red Hat Enterprise Linux 6.
Description
The scap-security-guide package provides the security guidance, baselines, and associated validation mechanisms that use Security Content Automation Protocol (SCAP). SCAP Security Guide contains the necessary data to perform system security compliance scans regarding prescribed security policy requirements; both a written description and an automated test (probe) are included. By automating the testing, SCAP Security Guide provides a convenient and reliable way to verify system compliance on a regular basis.
The scap-security-guide package has been upgraded to upstream version 0.1.21, which provides a number of bug fixes and enhancements over the previous version. Notably, the upgrade includes the following changes:
-
The SCAP content for Red Hat Enterprise Linux 6 Server is now shipped also in the datastream output format.
-
The SCAP content for Red Hat Enterprise Linux 7 Server has been included in order to enable the possibility to perform remote scans of Red Hat Enterprise Linux 7 Server systems from Red Hat Enterprise Linux 6 systems.
-
This update also includes the United States Government Configuration Baseline (USGCB) profile kickstart file for a new installation of USGCB-compliant Red Hat Enterprise Linux 6 Server system. Refer to Red Hat Enterprise Linux 6 Security Guide for further details. (BZ#1133963)
This update also fixes the following bugs:
-
Previously, when checking the sysctl kernel parameters configuration, the SCAP content recognized only the settings present in the /etc/sysctl.conf file. With this update, the content has been updated to also recognize the sysctl utility settings from additional configuration files located in the /etc/sysctl.d/ directory. (BZ#1183034)
-
Prior to this update, when performing a validation if the removable media block special devices were configured with the "nodev", "noexec", or "nosuid" options, the content could incorrectly report shared memory (/dev/shm) device as the one missing the required setting. With this update, the corresponding Open Vulnerability and Assessment Language (OVAL) checks have been corrected to verify mount options settings only for removable media block special devices. (BZ#1185426)
-
Due to a bug in the OVAL check validation, if the listening capability of the postfix service was disabled, the system property scan returned a failure even if the postfix package was not installed on the system. This bug has been corrected and the feature of the postfix service is now reported as disabled. Also, the underlying scan result returns "PASS" when the postfix package is not installed on the system. (BZ#1191409)
-
An earlier version of the scap-security-guide package included also an Extensible Configuration Checklist Document Format (XCCDF) profile named "test". Since the purpose of this profile is just to check basic sanity of the corresponding SCAP content and it is not intended to be applied for actual system scan, the "test" profile has now been removed. (BZ#1199946)
Users of scap-security-guide are advised to upgrade to this updated package, which fixes these bugs and adds these enhancements.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- scap-security-guide-0.1.21-3.el6.src.rpm
- scap-security-guide-0.1.21-3.el6.noarch.rpm
Fixes
CVEs
(none)
References
- https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/index.html
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.