scap-security-guide June 2012

scap-security-guide@lists.fedorahosted.org

11 participants
24 discussions

[PATCH] transform to view RHEL 5 STIG in table
by Jeffrey Blank 16 Jun '12

16 Jun '12

The RHEL 5 STIG development was not a consensus effort, but its contents should be considered for such discussions for RHEL 6. This transform is designed to allow easy viewing of the RHEL 5 STIG. A future modification to this transform will permit capture of notes by participants for consensus efforts, and to let the community see where things are going. Jeffrey Blank (1): new transform to view RHEL 5 STIG (manual and automated portions) conveniently * a similar transform will be used to capture consensus notes rhel6/src/Makefile | 4 + .../disa-stig-rhel5-v1r0.6-xccdf-manual.xml |20459 ++++++++++++++++++++ rhel6/src/transforms/xccdf2table-stig.xslt | 118 + 3 files changed, 20581 insertions(+), 0 deletions(-) create mode 100644 rhel6/src/references/disa-stig-rhel5-v1r0.6-xccdf-manual.xml create mode 100644 rhel6/src/transforms/xccdf2table-stig.xslt

2 2

JBoss Enterprise Application Platform
by Kenny Peeples 15 Jun '12

15 Jun '12

I am pleased to announce that the JBoss Enterprise Application Platform (EAP) SCAP project has been added to the scap-security-guide project. The initial content (OVAL and OCIL) has been added to the repository under JBossEAP5. We have released the initial content to the NIST NCP and to DISA for approval as a STIG. The content includes the Common Criteria Certification guidelines, Red Hat best practices and some DISA guidelines as well as mappings to NIST and DISA security controls. Additional content will be added for EAP 5. Future milestones should include adding content for EAP 6, SOA-P 5 and additional JBoss Middleware projects. We look forward to getting feedback, comments and suggestions from the community as we build the SCAP content for JBoss Middleware. Kenneth W. Peeples, C|HFI, Security+ Red Hat Consulting OASIS Member (AMQP, SAML, XACML TC), Infragard Member Cell: 843.636.3719 Office: 843.323.4261 kpeeples(a)redhat.com http://www.redhat.com

2 2

[PATCH 0/1] Broke apart ldap checkpeer, added dependency tests
by Kevin Spargur 15 Jun '12

15 Jun '12

Broke apart the ldap checkpeer tests into individual checks. It now checks for pam_ldap first rather than failing you for not having pointless config files. Removed checkpeer test as it's looking for the default setting. Signed-off-by: Kevin Spargur <kspargur(a)redhat.com> Kevin Spargur (1): Broke apart ldap checkpeer, added dependency tests .../input/checks/ldap_client_pam_ldap_present.xml | 32 +++++++++++++ rhel6/src/input/checks/ldap_client_start_tls.xml | 32 +++++++++++++ .../input/checks/ldap_client_tls_cacertpath.xml | 48 ++++++++++++++++++++ .../src/input/checks/ldap_client_tls_checkpeer.xml | 31 ------------- .../src/input/checks/package_pam_ldap_removed.xml | 26 +++++++++++ rhel6/src/input/profiles/common.xml | 3 +- rhel6/src/input/services/ldap.xml | 48 +++++++++++++------- 7 files changed, 171 insertions(+), 49 deletions(-) create mode 100644 rhel6/src/input/checks/ldap_client_pam_ldap_present.xml create mode 100644 rhel6/src/input/checks/ldap_client_start_tls.xml create mode 100644 rhel6/src/input/checks/ldap_client_tls_cacertpath.xml delete mode 100644 rhel6/src/input/checks/ldap_client_tls_checkpeer.xml create mode 100644 rhel6/src/input/checks/package_pam_ldap_removed.xml -- 1.7.7.6

2 2

[PATCH 0/6] More CCI mappings
by Willy Santos 14 Jun '12

14 Jun '12

Continued work on mapping CCI numbers to SSG. -Willy Willy Santos (6): Mapped CCI-000037 to unmet_impractical_guidance Mapped CCI-000140 to configure_auditd_admin_space_left_action in auditing.xml Mapped CCI-000157 to enable_auditd_service in auditing.xml Mapped CCI-000162 to met_inherently in srg_support.xml Mapped CCI-000163 to met_inherently in srg_support.xml Mapped CCI-000164 to met_inherently in srg_support.xml rhel6/src/input/auxiliary/srg_support.xml | 4 ++-- rhel6/src/input/system/auditing.xml | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) -- 1.7.7.6

2 7

To atime or relatime?
by Shawn Wells 14 Jun '12

14 Jun '12

I received this note from a colleague today regarding content in the scap-security-guide for RHEL6: > Ext4 mounts devices with the relatime option by default. Probably not a good idea for secure environments. Means atime is not accurate. Very bad for systems using AIDE. RHEL 6 security guide needs to turn atime back on for Ext4 mounts. > > cat /proc/mounts > > Sent from iPhone. When he states that "atime is not accurate" I believe he's referring to how relatime maintains atime data, but not for each time the file was accessed. Only /modified/. From a performance perspective relatime makes a lot of sense. Enablement of relatime means that the filesystem will not write read-times to a file when read. Imagine recording every time a file in hadoop or a highly utilized fileshare was read... that could be a lot of overhead which relatime prevents. With that said, we're writing a security guide and not a performance guide. What does everyone think about this, and what should we do? One option is to set "default_relatime=0" in grub to prevent any filesystem from doing this. Is that overkill?

2 1

[PATCH 00/26] More CCI mappings
by Willy Santos 13 Jun '12

13 Jun '12

More CCI mappings for OS SRG compliance. Willy Santos (26): Mapped CCI-000022 to set_selinux_state in selinux.xml Corrected CCI reference number. Mapped CCI-000050 to enable_gdm_login_banner in banners.xml Mapped CCI-000131 to met_inherently in srg_support.xml Mapped CCI-000132 to met_inherently in srg_support.xml Mapped CCI-000133 to met_inherently in srg_support.xml Mapped CCI-000134 to met_inherently in srg_support.xml Mapped CCI-000137 to partition_for_var_log_audit in disk_partitioning.xml Mapped CCI-000138 to configure_auditd_data_retention in autditing.xml Mapped CCI-000139 to configure_auditd_action_mail_acct in auditing.xml Mapped CCI-000159 to met_inherently in srg_support.xml Mapped CCI-000371 to unmet_impractical_guidance Mapped CCI-000372 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000535 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000537 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000539 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000780 to unmet_impractical_guidance in srg_support.xml Mapped CCI-001682 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000879 to sshd_idle_timeout in ssh.xml Mapped CCI-000880 to auditd_configure_rules in auditing.xml Mapped CCI-001109 to default_iptables_policies in iptables.xml Mapped CCI-001383 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000370 to unmet_impractical_guidance in srg_support.xml Mapped CCI-000066 to unmet_impractical_guidance in srg_support.xml Mapped CCI-001694 to met_inherently in srg_support.xml Mapped CCI-001632 to ssh_server in ssh.xml rhel6/src/input/auxiliary/srg_support.xml | 4 ++-- rhel6/src/input/services/ssh.xml | 3 ++- rhel6/src/input/system/accounts/banners.xml | 2 +- rhel6/src/input/system/auditing.xml | 4 +++- rhel6/src/input/system/network/iptables.xml | 2 +- rhel6/src/input/system/selinux.xml | 2 +- .../input/system/software/disk_partitioning.xml | 2 +- 7 files changed, 11 insertions(+), 8 deletions(-) -- 1.7.7.6

2 27

[PATCH] Future deprecation of modprobe.conf
by Mike Palmiotto 13 Jun '12

13 Jun '12

Proposal to replace all references to modprobe.conf with modprobe.d, due to potential deprecation in the future. "the /etc/modprobe.conf file can also be used if it exists, but that will be removed in a future version." Source: modprobe.conf man-page Michael Palmiotto (1): Remove use of modprobe.conf and fix some typos. rhel6/src/input/system/network/uncommon.xml | 10 +++++----- rhel6/src/input/system/network/wireless.xml | 2 +- rhel6/src/input/system/permissions/mounting.xml | 20 ++++++++++---------- 3 files changed, 16 insertions(+), 16 deletions(-)

2 2

[PATCH] prose cleanup of SELinux discussion
by Jeffrey Blank 12 Jun '12

12 Jun '12

Removed some old comments, removed redundant discussion in a Group. Changed Rule titles for consistency. Jeffrey Blank (1): prose cleanup of SELinux discussion rhel6/src/input/system/selinux.xml | 116 +++++++----------------------------- 1 files changed, 22 insertions(+), 94 deletions(-)

3 3

This may help some
by Mackanick, Jason W CIV DISA RE (US) 06 Jun '12

06 Jun '12

Attached is the draft RHEL5 content we are beginning to release to the field for testing.

4 3

[PATCH] The single user password test is different than RHEL 5
by Joe Nall 06 Jun '12

06 Jun '12

The check for single user password changed from RHEL 5 to 6. The prose is correct and does not need and update Signed-off-by: Joe Nall <joe(a)nall.com> --- rhel6/src/input/checks/singleuser_password.xml | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rhel6/src/input/checks/singleuser_password.xml b/rhel6/src/input/checks/singleuser_password.xml index 3cb78b2..990c75e 100644 --- a/rhel6/src/input/checks/singleuser_password.xml +++ b/rhel6/src/input/checks/singleuser_password.xml @@ -18,15 +18,15 @@ </definition> <ind:textfilecontent54_test check="all" check_existence="all_exist" - comment="Tests the value of the ~~:S:wait:/sbin/sulogin setting in the /etc/inittab file" + comment="Tests for existence of SINGLE=/sbin/sulogin in the /etc/sysconfig/init file" id="test_20096" version="1"> <ind:object object_ref="obj_73" /> </ind:textfilecontent54_test> <ind:textfilecontent54_object id="obj_73" version="1"> - <ind:path>/etc</ind:path> - <ind:filename>inittab</ind:filename> - <ind:pattern operation="pattern match">~:S:wait:/sbin/sulogin</ind:pattern> + <ind:path>/etc/sysconfig</ind:path> + <ind:filename>init</ind:filename> + <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.7.1

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide June 2012