[PATCH 0/4] new transforms to enable CCE display, correction, generation
by Jeffrey Blank
(Note: If acknowledged, this push will also include a 280K file with the RHEL 5 CCE list.)
This patchset is designed to allow for display of the CCEs that are
currently included as idents in the RHEL 6 XCCDF contents.
This will allow for easier identification of any incorrect CCE references in the XCCDF content.
It should also allow for easier request of CCEs for RHEL 6.
Technically, the (semantically identical) CCE references we are using are incorrect; the CCEs
are really only for RHEL 5. Mitre have asked me not to do this and we will not release with these
CCEs. However, we will need proper ones before a release is issued.
Jeffrey Blank (4):
added support for generating CCE table (RHEL 5 vs RHEL 6)
added NIST 800-53 ref origin to table with DISA CCI refs
new transform to show CCE list (and compare RHEL 6 Rules with CCEs desc/mechanisms for RHEL 5)
new script which extracts platform-specific CCEs from master CCE list
* because apparently only the master list is provided in XML, and it's 10MB
* this gets us down to about 280K for the RHEL 5-specific CCE list
RHEL6/Makefile | 8 +-
RHEL6/transforms/cce_extract.py | 51 ++++++++++
RHEL6/transforms/xccdf2table-cce.xslt | 115 ++++++++++++++++++++++
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 17 +++-
4 files changed, 187 insertions(+), 4 deletions(-)
create mode 100755 RHEL6/transforms/cce_extract.py
create mode 100644 RHEL6/transforms/xccdf2table-cce.xslt
11 years, 7 months
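The cover letter above describes a script that cuts the 10MB master CCE list down to the entries for one platform, and a transform that sets each XCCDF Rule's CCE ident beside that CCE's description and mechanisms so wrong references stand out. The following is an added example of that workflow, not the project's cce_extract.py or its XSLT. The XML layout it parses (a `cce_list` root holding `cce` elements with a `cce_id` attribute and `platform`, `description` and `mechanism` children) is an assumption made for this illustration, as are the sample entries and the CCE ids, which are constructed placeholders; the real master list's element and attribute names should be checked before reuse.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a CCE master list. Element names and ids are
# assumptions for this example, not the real CCE schema.
SAMPLE_MASTER_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<cce_list>
  <cce cce_id="CCE-0001-0">
    <platform>Red Hat Enterprise Linux 5</platform>
    <description>The screensaver inactivity timeout should be set.</description>
    <mechanism>gconftool-2 idle_delay</mechanism>
  </cce>
  <cce cce_id="CCE-0002-0">
    <platform>Red Hat Enterprise Linux 5</platform>
    <description>IPv6 redirects should not be accepted.</description>
    <mechanism>sysctl net.ipv6.conf.default.accept_redirects</mechanism>
  </cce>
  <cce cce_id="CCE-0003-0">
    <platform>Microsoft Windows 7</platform>
    <description>Unrelated Windows setting.</description>
    <mechanism>Group Policy</mechanism>
  </cce>
</cce_list>
"""


def extract_platform(master_xml, platform):
    """Return a new <cce_list> element holding only the entries whose
    <platform> text equals `platform` (surrounding whitespace ignored)."""
    root = ET.fromstring(master_xml)
    subset = ET.Element(root.tag)
    for entry in root.iter("cce"):
        if entry.findtext("platform", default="").strip() == platform:
            subset.append(entry)
    return subset


def index_entries(cce_root):
    """Map each cce_id to its description and mechanism list: the lookup a
    table transform needs to print desc/mechanisms next to a Rule's ident."""
    table = {}
    for entry in cce_root.iter("cce"):
        table[entry.get("cce_id")] = {
            "description": (entry.findtext("description") or "").strip(),
            "mechanisms": [m.text.strip() for m in entry.findall("mechanism") if m.text],
        }
    return table


def unknown_references(xccdf_cce_ids, table):
    """Return the CCE ids referenced by Rules that do not exist in the
    platform subset; these are the incorrect references to chase down."""
    return sorted(set(xccdf_cce_ids) - set(table))


def write_subset(subset, path):
    """Write the reduced list out as its own XML file."""
    ET.ElementTree(subset).write(path, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    rhel5 = extract_platform(SAMPLE_MASTER_LIST, "Red Hat Enterprise Linux 5")
    table = index_entries(rhel5)
    # Constructed idents as they might appear in XCCDF Rules; one is bogus.
    referenced = ["CCE-0001-0", "CCE-0002-0", "CCE-9999-0"]
    for cce_id, info in table.items():
        print(cce_id, info["description"], "|", "; ".join(info["mechanisms"]))
    print("references not in platform list:", unknown_references(referenced, table))
```

Comparing against the platform subset rather than the master list is the point: a reference that resolves only in another platform's entries is exactly the kind of wrong ident the cover letter wants to surface.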
[PATCH] A refine-value should point to an existing selector.
by Šimon Lukašík
From: Simon Lukasik <slukasik(a)redhat.com>
---
RHEL6/input/profiles/common.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index 6637844..44a92ad 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -173,7 +173,7 @@ these should likely be moved out of common.
<select idref="service_rpcsvcgssd_disabled" selected="true"/>
<select idref="set_screensaver_inactivity_timeout" selected="true"/>
-<refine-value idref="inactivity_timeout_value" selector="15"/>
+<refine-value idref="inactivity_timeout_value" selector="15_minutes"/>
<select idref="enable_screensaver_after_idle" selected="true"/>
<select idref="enable_screensaver_password_lock" selected="true"/>
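Review bot: the new selector name "15_minutes" is taken on trust here; the Value with id inactivity_timeout_value is not in the hunk, so confirm it actually declares a selector of exactly that name, and grep the other profiles for a remaining selector="15" on the same idref, since, as the subject line says, a refine-value only takes effect when the selector it names exists.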
--
1.7.7.6
11 years, 8 months
[PATCH 0/3] Audit granularity and minor bugfixes
by Kevin Spargur
Increased the granularity of DAC mod auditing and some housekeeping.
Kevin Spargur (3):
Permissions cleanup on profiles
Increased granularity for auditing of DAC modification
Minor bugfix/typo
.../checks/audit_rules_dac_modification_chmod.xml | 77 ++++
.../checks/audit_rules_dac_modification_chown.xml | 77 ++++
.../checks/audit_rules_dac_modification_fchmod.xml | 77 ++++
.../audit_rules_dac_modification_fchmodat.xml | 77 ++++
.../checks/audit_rules_dac_modification_fchown.xml | 77 ++++
.../audit_rules_dac_modification_fchownat.xml | 77 ++++
.../audit_rules_dac_modification_fremovexattr.xml | 77 ++++
.../audit_rules_dac_modification_fsetxattr.xml | 77 ++++
.../checks/audit_rules_dac_modification_lchown.xml | 77 ++++
.../audit_rules_dac_modification_lremovexattr.xml | 77 ++++
.../audit_rules_dac_modification_lsetxattr.xml | 77 ++++
.../audit_rules_dac_modification_removexattr.xml | 77 ++++
.../audit_rules_dac_modification_setxattr.xml | 77 ++++
RHEL6/input/checks/postfix_logging.xml | 2 +-
RHEL6/input/profiles/common.xml | 18 +-
RHEL6/input/services/ftp.xml | 3 +-
RHEL6/input/system/auditing.xml | 367 +++++++++++++++++++-
17 files changed, 1379 insertions(+), 12 deletions(-)
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_chmod.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_chown.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchmod.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchmodat.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchown.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchownat.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fremovexattr.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fsetxattr.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lchown.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lremovexattr.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lsetxattr.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_removexattr.xml
create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_setxattr.xml
mode change 100755 => 100644 RHEL6/input/profiles/manual_audits.xml
mode change 100755 => 100644 RHEL6/input/profiles/manual_remediation.xml
--
1.7.7.6
11 years, 8 months
[PATCH] Added ipv6 dependency to some sysctl checks.
by Mike Palmiotto
Two ipv6 sysctl entry checks were missing extend-definitions.
Signed-off-by: Michael Palmiotto <mpalmiotto(a)tresys.com>
---
.../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 3 ++-
...sctl_net_ipv6_conf_default_accept_redirects.xml | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml
index 28a1ca2..d748dde 100644
--- a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml
+++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml
@@ -9,7 +9,8 @@
<description>The kernel runtime parameter "net.ipv6.conf.all.disable_ipv6" should be set to "1".</description>
<!-- generated by create_sysctl_checks.py -->
</metadata>
- <criteria>
+ <criteria operator="OR">
+ <extend_definition comment="IPv6 disabled or..." definition_ref="kernel_module_ipv6_option_disabled" />
<criterion comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" test_ref="test_sysctl_net_ipv6_conf_all_disable_ipv6" />
</criteria>
</definition>
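Review bot: the context line `<!-- generated by create_sysctl_checks.py -->` shows this file is generator output, so a hand edit to `<criteria operator="OR">` plus the extend_definition will be lost the next time the script runs; the change belongs in create_sysctl_checks.py for the ipv6 parameters. Also, the comment `IPv6 disabled or...` trails off; state the full pass condition, e.g. `comment="ipv6 kernel module disabled, or net.ipv6.conf.all.disable_ipv6 set to 1"`, and the `<description>` at the top of the hunk still describes only the sysctl setting, not the alternative way the check now passes.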
diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml
index 7978ba7..dea99ab 100644
--- a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml
+++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml
@@ -9,7 +9,8 @@
<reference ref_id="CCE-4365-3" source="CCE" />
<description>The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".</description>
</metadata>
- <criteria>
+ <criteria operator="OR">
+ <extend_definition comment="IPv6 disabled or..." definition_ref="kernel_module_ipv6_option_disabled" />
<criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_sysctl_net_ipv6_conf_default_accept_redirects" />
</criteria>
</definition>
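Review bot: same truncated `IPv6 disabled or...` comment as in the first file; make it state the full condition. Unlike the first file, this one carries no `generated by` comment in its context lines, so check whether it is also produced by create_sysctl_checks.py and, if so, fix it in the generator rather than patching both outputs separately.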
--
1.7.1
11 years, 8 months
[PATCH] corrected check category, CCE
by Jeffrey Blank
no acknowledgement needed, this is a quick bug fix
Jeffrey Blank (1):
made qpid package check a compliance check instead of inventory, removed incorrect CCE reference
.../checks/package_qpid-cpp-server_removed.xml | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
11 years, 8 months
[PATCH] more transition notes help
by Jeffrey Blank
I believe this puts the table at completion for noting current transition action.
Thanks Gary! And contributions via email are just fine from anybody if you have
contributions but aren't familiar with git yet.
(I'm also pushing since this already implies two-party agreement.)
This allows firm understanding/documentation on the items that need to be
migrated into the project immediately to make it complete, versus the items
that still require discussion (which were not covered at the consensus meeting).
This means that a list of requirements for consideration is very close at hand
(and the current status is also fully visible).
Jeffrey Blank (1):
more transition notes help from Gary / Aqueduct
RHEL6/input/auxiliary/transition_notes.xml | 56 ++++++++++++++++++++++++++++
1 files changed, 56 insertions(+), 0 deletions(-)
11 years, 8 months
[PATCH] Removed br tags outside of Rules in system/auditing
by Mike Palmiotto
Oops. I went ahead and pushed without notifying the list.
There were two br tags in system/auditing that were breaking make validate.
> diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
> index f94161d..8d14443 100644
> --- a/RHEL6/input/system/auditing.xml
> +++ b/RHEL6/input/system/auditing.xml
> @@ -115,8 +115,6 @@ process during boot.
> <ref nist="AU-2" disa="1464,130" />
> </Rule>
>
> -<br /><br />
> -
> <Group id="configure_auditd_data_retention">
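Review bot: the removal is right; the context lines show the two `<br />` sat directly between `</Rule>` and `<Group ...>`, outside any Rule body, which is what made `make validate` fail as the post says, and the header `@@ -115,8 +115,6 @@` matches dropping exactly those two lines. Since this went in before the list saw it, running `make validate` before push would have caught it and is worth making a habit.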
11 years, 8 months
[PATCH] additional file/directory permissions checks
by Jeffrey Blank
This is in line with the permissions checking strategy discussed here:
https://fedorahosted.org/scap-security-guide/wiki/STIGfileperms
This page is meant to document development of a coherent strategy for file
permissions checking for baselines.
Jeffrey Blank (1):
added Rules for file permission checks.
* This likely needs further prose expansion, but captures intent for now
* OVAL checks forthcoming
RHEL6/input/system/permissions/files.xml | 102 ++++++++++++++++++++++++++++--
1 files changed, 97 insertions(+), 5 deletions(-)
11 years, 8 months