-
Remove indirect dependencies
2023-07-25T18:08:58
Do not list indirect dependencies in the image build description. Listing indirect dependencies forces us to make changes to the image description every time the package we really want changes its dependencies.
-
Add OBS constraints
2023-07-24T16:50:54
-
Always include package 'hostname'
2023-07-14T12:45:39
-
Add additional hardening to pcs-sap-hardening
2023-06-28T20:12:00
In response to customer requests we added additional hardening
rules to pcs-sap-hardening. The changes needed are:
1: Replace existing rule by rule from pcs-hardening profile
with direct use of the pcs-hardening-sap profile.
2: Add new loop to pull in additional rules from the cis_server_l1
profile. The rule list is defined by RULES_FROM_CIS variable.
The new SAP hardening results in a CIS Level 1 pass rate
of 81.2% compared to 66.4% for the existing SAP hardened image.
The following rules were explicitly not included for the reasons given.
following break ssh into instance
package_dhcp_removed \
package_rsync_removed \
package_tcp_wrappers_removed \
package_telnet_removed \
the following rules break SAP testing
sshd_disable_root_login \
accounts_umask_etc_bashrc \
accounts_umask_etc_login_defs \
accounts_umask_etc_profile \
package_pam_apparmor_installed \
service_firewalld_enabled \
set_firewalld_default_zone \
the following rules either fail remediation or are missing remediation
aide_build_database \
partition_for_tmp \
accounts_password_pam_dcredit \
accounts_password_pam_lcredit \
accounts_password_pam_minlen \
accounts_password_pam_ocredit \
accounts_password_pam_ucredit \
use_pam_wheel_for_su \
grub2_password \
service_iptables_enabled \
mount_option_home_nodev \
coredump_disable_backtraces \
coredump_disable_storage \
service_crond_enabled \
service_timesyncd_enabled \
Signed-off-by: sampsone <esampson@suse.com>
-
Add comment about need for ALP adaptation
2023-06-19T15:22:28
-
Fix set-prodlink script
2023-06-16T15:52:04
Fix bug with prod file traversal that resulted in only the first prod file
being considered.
Filter all prod files with a <flavor> tag, not just extensions.
Fix bug with handling multiple base product files.