[PATCH] new rules
by David Smith
Created additional Rules from the RHEL5 content.
David Smith (1):
additional rules
RHEL6/input/auxiliary/transition_notes.xml | 4 ++--
RHEL6/input/system/accounts/pam.xml | 18 ++++++++++++++++++
.../accounts/restrictions/password_storage.xml | 17 +++++++++++++++++
.../system/accounts/restrictions/root_logins.xml | 18 ++++++++++++++++++
4 files changed, 55 insertions(+), 2 deletions(-)
11 years, 5 months
[PATCH] Created new Rules for root path
by David Smith
Additional rules, as well as slight change to earlier HIDS rule
David Smith (1):
new Rules for root path
RHEL6/input/auxiliary/transition_notes.xml | 6 +-
.../system/accounts/restrictions/root_logins.xml | 42 ++++++++++++++++++++
RHEL6/input/system/software/integrity.xml | 4 +-
3 files changed, 47 insertions(+), 5 deletions(-)
11 years, 5 months
[PATCH 0/3] additions of new rules
by David Smith
added a few Rules, fixed typos in alt-titles-stig
David Smith (3):
changed values to reflect added rules
content editing/typo fixing
content editing, deletion of earlier AppleTalk rule, added HIDS rule
RHEL6/input/auxiliary/alt-titles-stig.xml | 14 +++++++-------
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/auxiliary/transition_notes.xml | 12 ++++++------
RHEL6/input/system/auditing.xml | 9 ++++-----
RHEL6/input/system/network/uncommon.xml | 17 -----------------
RHEL6/input/system/software/integrity.xml | 15 +++++++++++++++
6 files changed, 33 insertions(+), 36 deletions(-)
11 years, 5 months
[PATCH 0/8] content editing, transforms to STIG format, RPM fixes
by Jeffrey Blank
This patchset includes a significant body of content editing
to ensure checks/fixes are discrete and comprehensible,
and compatible with the conventions of written English.
It also includes additional transforms to put the content in the
structure seen in a STIG (viz. the Benchmark is a list of Groups,
each of which contains one Rule), as well as a transform to output
this to CSV (which is hopefully only a temporary need).
Some of these transforms depend on the OpenSCAP XCCDF resolve
functionality, for which a bugfix is underway (see OpenSCAP list --
thanks to Peter and Martin).
Jeffrey Blank (8):
updated RPM specfile Requires/BuildRequires, change installation
directory
out unicode, out!!! somebody needs to use a real text editor or stop
copying/pasting * fancy characters are nice, but are causing
trouble for some transforms
more unicode cleanup. hmmm perhaps we need a git commit hook...
added new file that can transform XCCDF Rules into CSV
added Makerules and updated transforms to create STIG-specific
content
updating transform to show STIG-structured XCCDF as a table
temporary fixups to shorthand macros, still need to improve further
comprehensive content (and some copy) editing to XCCDF in system/
directory
RHEL6/Makefile | 12 +++-
.../input/checks/audit_rules_mac_modification.xml | 4 +-
.../audit_rules_networkconfig_modification.xml | 2 +-
.../input/checks/gconf_gnome_disable_automount.xml | 2 +-
.../input/checks/ldap_server_config_olcaccess.xml | 4 +-
.../checks/yum_gpgcheck_global_activation.xml | 2 +-
RHEL6/input/services/avahi.xml | 2 +-
RHEL6/input/services/base.xml | 2 +-
RHEL6/input/services/dhcp.xml | 8 +-
RHEL6/input/services/dns.xml | 6 +-
RHEL6/input/services/ftp.xml | 8 +-
RHEL6/input/services/http.xml | 6 +-
RHEL6/input/services/ldap.xml | 20 ++--
RHEL6/input/services/mail.xml | 14 ++--
RHEL6/input/services/nfs.xml | 4 +-
RHEL6/input/services/snmp.xml | 2 +-
RHEL6/input/services/ssh.xml | 4 +-
RHEL6/input/system/accounts/banners.xml | 34 ++++++--
RHEL6/input/system/accounts/pam.xml | 77 +++++++++++------
RHEL6/input/system/accounts/physical.xml | 20 +++--
.../accounts/restrictions/password_expiration.xml | 11 +--
.../system/accounts/restrictions/root_logins.xml | 89 +++++---------------
RHEL6/input/system/auditing.xml | 28 +++---
RHEL6/input/system/network/iptables.xml | 8 +-
RHEL6/input/system/network/network.xml | 2 +-
RHEL6/input/system/network/ssl.xml | 12 ++--
RHEL6/input/system/network/uncommon.xml | 2 +-
RHEL6/input/system/permissions/files.xml | 18 ++++-
RHEL6/input/system/permissions/mounting.xml | 42 +++++++---
RHEL6/input/system/permissions/permissions.xml | 2 +-
RHEL6/input/system/selinux.xml | 20 ++--
RHEL6/input/system/software/disk_partitioning.xml | 2 +-
RHEL6/input/system/software/integrity.xml | 8 +-
RHEL6/input/system/software/updating.xml | 26 ++++--
RHEL6/transforms/constants.xslt | 1 +
RHEL6/transforms/shorthand2xccdf.xslt | 32 +++++--
RHEL6/transforms/xccdf-addrefs.xslt | 21 +++++
RHEL6/transforms/xccdf2csv-stig.py | 56 ++++++++++++
RHEL6/transforms/xccdf2stigformat.xslt | 73 ++++++++++++----
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 4 +-
RHEL6/transforms/xccdf2table-stig.xslt | 34 +++++---
scap-security-guide.spec | 16 +++-
42 files changed, 469 insertions(+), 271 deletions(-)
create mode 100755 RHEL6/transforms/xccdf2csv-stig.py
11 years, 5 months
[PATCH 0/2] additional Rules
by David Smith
added Rules for AppleTalk and root ownership of log files
David Smith (2):
added rules for AppleTalk and log file ownership
changed values to reflect added rules
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/auxiliary/transition_notes.xml | 12 ++++++------
RHEL6/input/system/auditing.xml | 14 ++++++++++++++
RHEL6/input/system/network/uncommon.xml | 17 +++++++++++++++++
4 files changed, 38 insertions(+), 7 deletions(-)
11 years, 5 months
very short-term project goals
by Jeffrey Blank
The short term goals this week are:
1) Add the 8 or so items that were identified as present in the RHEL 5
STIG but in need of addition to the RHEL 6 pre-draft STIG profile in
scap-security-guide. David will be working on this, with support from me.
2) Update/complete transition notes to reflect current status (and
provide evidence to support any particular direction) at:
http://people.redhat.com/swells/scap-security-guide/RHEL6/output/table-rh...
Additions to the transition notes (by providing a diff or even text
fragments for input/auxiliary/transition_notes.xml) are welcome from any
parties who wish to document their position during the consensus process.
I will also shortly send out an invitation for a DoD Consensus concall
for later next week to review this list, so that any points of
contention are openly resolved.
By the time of the concall, the transition notes should be fairly close
to a state of consensus with regard to best-practice guidance from RHEL
5 being retained in the RHEL 6 guidance. My current understanding is
that requirements as defined in the OS SRG are met (or documented if unmet).
11 years, 5 months
[PATCH] Added rule
by David Smith
added rule for unique account names
David Smith (1):
added rule requiring unique usernames
RHEL6/input/auxiliary/srg_support.xml | 2 +-
RHEL6/input/auxiliary/transition_notes.xml | 5 ++++-
.../accounts/restrictions/account_expiration.xml | 16 ++++++++++++++++
3 files changed, 21 insertions(+), 2 deletions(-)
11 years, 5 months
[PATCH 0/4] alternate titles and CCI reference changes
by David Smith
Added/modified CCI references for multiple Rules, populated alternate titles for STIG
David Smith (4):
alternate titles for stig populated, Makerule to process them fixed
addition/alteration of CCI references for multiple Rules in system
guidance
additions/alterations for CCI refs in multiple Rules in services
guidance
typo fix
RHEL6/Makefile | 2 +-
RHEL6/input/auxiliary/alt-titles-stig.xml | 263 +++++++++++++++++---
RHEL6/input/services/avahi.xml | 2 +-
RHEL6/input/services/dhcp.xml | 6 +-
RHEL6/input/services/dns.xml | 4 +-
RHEL6/input/services/ftp.xml | 2 +-
RHEL6/input/services/ldap.xml | 2 +-
RHEL6/input/services/mail.xml | 2 +-
RHEL6/input/services/obsolete.xml | 9 +
RHEL6/input/services/smb.xml | 1 +
RHEL6/input/services/ssh.xml | 9 +-
RHEL6/input/services/xorg.xml | 2 +
RHEL6/input/system/accounts/pam.xml | 8 +-
RHEL6/input/system/accounts/physical.xml | 10 +-
.../accounts/restrictions/password_expiration.xml | 12 +-
.../accounts/restrictions/password_storage.xml | 2 +-
.../system/accounts/restrictions/root_logins.xml | 4 +-
RHEL6/input/system/accounts/session.xml | 6 +-
RHEL6/input/system/auditing.xml | 12 +-
RHEL6/input/system/logging.xml | 18 +-
RHEL6/input/system/network/ipv6.xml | 4 +-
RHEL6/input/system/network/kernel.xml | 24 +-
RHEL6/input/system/network/uncommon.xml | 8 +-
RHEL6/input/system/network/wireless.xml | 4 +-
RHEL6/input/system/permissions/files.xml | 22 +-
RHEL6/input/system/selinux.xml | 8 +-
RHEL6/input/system/software/disk_partitioning.xml | 12 +-
RHEL6/input/system/software/integrity.xml | 4 +-
RHEL6/input/system/software/updating.xml | 4 +-
RHEL6/transforms/shorthand2xccdf.xslt | 2 +-
30 files changed, 346 insertions(+), 122 deletions(-)
11 years, 5 months
[PATCH] Update for/of service-disable-check-macro
by Michael J. McConachie
All:
I tweaked the macro to facilitate the idea that service(s) that
are deemed necessary to disable -- may/may not apply to all environments.
The reasoning for this is that the way it was worded previously, it appeared
that they should be disabled, when in fact it is all contingent on the
environment, climate, and mission.
EX: of how it looks NOW:
-----------------------------------
For pre-determined environments, it is prudent to check that the rhnsd
service is disabled at boot time via chkconfig and not currently running
on the system (runtime configuration). Run the following command to
verify rhnsd is disabled through current runtime configuration:
# service rhnsd status
If the service is disabled, the command will return:
rhnsd is stopped
Run the following command to verify rhnsd is disabled through system
boot configuration:
# chkconfig rhnsd --list
Output should indicate the rhnsd service has been disabled at all
runlevels, as shown in the example below:
# chkconfig rhnsd --list
rhnsd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
If the service is running, this is a finding.
-----------------------------------
11 years, 6 months
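As an added example (not part of Michael's message or the scap-security-guide macro itself), the POSIX sh script below applies the two verifications quoted above to constructed command output: the service name, sample status lines and sample chkconfig lines are all assumed, and a finding is raised when either the runtime state or any runlevel in the boot configuration shows the service enabled.

```shell
#!/bin/sh
# Offline evaluation of the "service disabled" check described in the macro:
# (1) `service <name> status` must report the service stopped, and
# (2) `chkconfig <name> --list` must show every runlevel 0-6 as "off".

# Constructed sample outputs in the formats the macro text shows.
SAMPLE_STATUS_STOPPED="rhnsd is stopped"
SAMPLE_STATUS_RUNNING="rhnsd (pid 1234) is running..."
SAMPLE_LIST_OFF="rhnsd 0:off 1:off 2:off 3:off 4:off 5:off 6:off"
SAMPLE_LIST_ON="rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off"

# Returns 0 if a `service ... status` line reports the service stopped.
runtime_disabled() {
    case "$1" in
        *" is stopped"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 only if all seven runlevel fields of a `chkconfig --list` line
# read N:off; a missing field or any N:on is treated as not disabled.
boot_disabled() {
    set -- $1      # split on whitespace (chkconfig separates with tabs)
    shift          # drop the leading service name
    [ "$#" -eq 7 ] || return 1
    for token in "$@"; do
        case "$token" in
            [0-6]:off) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Combined verdict: prints "pass" when both checks hold, else "finding".
service_disable_check() {
    if runtime_disabled "$1" && boot_disabled "$2"; then
        echo pass
        return 0
    fi
    echo finding
    return 1
}

# Demonstration on the constructed samples (the second case is a finding).
service_disable_check "$SAMPLE_STATUS_STOPPED" "$SAMPLE_LIST_OFF"
service_disable_check "$SAMPLE_STATUS_RUNNING" "$SAMPLE_LIST_ON" || :
```

On a live RHEL 6 host the two arguments would be the captured output of `service rhnsd status` and `chkconfig rhnsd --list` rather than the constructed strings.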