scap-security-guide August 2012

scap-security-guide@lists.fedorahosted.org

18 participants
49 discussions

[PATCH 0/4] new transforms to enable CCE display, correction, generation
by Jeffrey Blank 27 Aug '12

27 Aug '12

(Note: If acknowledged, this push will also include a 280K file with the RHEL 5 CCE list.) This patchset is designed to allow for display of the CCEs that are currently included as idents in the the RHEL 6 XCCDF contents. This will allow for easier identification of any incorrect CCE references in the XCCDF content. It should also allow for easier request of CCEs for RHEL 6. Technically, the (semantically identical) CCE references we are using are incorrect; the CCEs are really only for RHEL 5. Mitre have asked me not to do this and we will not release with these CCEs. However, we will need proper ones before a release is issued. Jeffrey Blank (4): added support for generating CCE table (RHEL 5 vs RHEL 6) added NIST 800-53 ref origin to table with DISA CCI refs new transform to show CCE list (and compare RHEL 6 Rules with CCEs desc/mechanisms for RHEL 5) new script which extracts platform-specific CCEs from master CCE list * because apparently only the master list is provided in XML, and it's 10MB * this gets us down to about 280K for the RHEL 5-specific CCE list RHEL6/Makefile | 8 +- RHEL6/transforms/cce_extract.py | 51 ++++++++++ RHEL6/transforms/xccdf2table-cce.xslt | 115 ++++++++++++++++++++++ RHEL6/transforms/xccdf2table-profileccirefs.xslt | 17 +++- 4 files changed, 187 insertions(+), 4 deletions(-) create mode 100755 RHEL6/transforms/cce_extract.py create mode 100644 RHEL6/transforms/xccdf2table-cce.xslt

3 7

[PATCH 1/7] Updated guide.xml
by Shawn Wells 25 Aug '12

25 Aug '12

1 0

[PATCH] A refine-value should point to an exissting selector.
by Šimon Lukašík 23 Aug '12

23 Aug '12

From: Simon Lukasik <slukasik(a)redhat.com> --- RHEL6/input/profiles/common.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 6637844..44a92ad 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -173,7 +173,7 @@ these should likely be moved out of common. <select idref="service_rpcsvcgssd_disabled" selected="true"/> <select idref="set_screensaver_inactivity_timeout" selected="true"/> -<refine-value idref="inactivity_timeout_value" selector="15"/> +<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> <select idref="enable_screensaver_after_idle" selected="true"/> <select idref="enable_screensaver_password_lock" selected="true"/> -- 1.7.7.6

2 1

[PATCH 0/3] Audit granularity and minor bugfixes
by Kevin Spargur 23 Aug '12

23 Aug '12

Increased the granularity of DAC mod auditing and some housekeeping. Kevin Spargur (3): Permissions cleanup on profiles Increased granularity for auditing of DAC modification Minor bugfix/typo .../checks/audit_rules_dac_modification_chmod.xml | 77 ++++ .../checks/audit_rules_dac_modification_chown.xml | 77 ++++ .../checks/audit_rules_dac_modification_fchmod.xml | 77 ++++ .../audit_rules_dac_modification_fchmodat.xml | 77 ++++ .../checks/audit_rules_dac_modification_fchown.xml | 77 ++++ .../audit_rules_dac_modification_fchownat.xml | 77 ++++ .../audit_rules_dac_modification_fremovexattr.xml | 77 ++++ .../audit_rules_dac_modification_fsetxattr.xml | 77 ++++ .../checks/audit_rules_dac_modification_lchown.xml | 77 ++++ .../audit_rules_dac_modification_lremovexattr.xml | 77 ++++ .../audit_rules_dac_modification_lsetxattr.xml | 77 ++++ .../audit_rules_dac_modification_removexattr.xml | 77 ++++ .../audit_rules_dac_modification_setxattr.xml | 77 ++++ RHEL6/input/checks/postfix_logging.xml | 2 +- RHEL6/input/profiles/common.xml | 18 +- RHEL6/input/services/ftp.xml | 3 +- RHEL6/input/system/auditing.xml | 367 +++++++++++++++++++- 17 files changed, 1379 insertions(+), 12 deletions(-) create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_chmod.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_chown.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchmod.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchmodat.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchown.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fchownat.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fremovexattr.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_fsetxattr.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lchown.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lremovexattr.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_lsetxattr.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_removexattr.xml create mode 100644 RHEL6/input/checks/audit_rules_dac_modification_setxattr.xml mode change 100755 => 100644 RHEL6/input/profiles/manual_audits.xml mode change 100755 => 100644 RHEL6/input/profiles/manual_remediation.xml -- 1.7.7.6

2 4

[PATCH] Added ipv6 dependency to some sysctl checks.
by Mike Palmiotto 21 Aug '12

21 Aug '12

Two ipv6 sysctl entry checks were missing extend-definitions. Signed-off-by: Michael Palmiotto <mpalmiotto(a)tresys.com> --- .../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 3 ++- ...sctl_net_ipv6_conf_default_accept_redirects.xml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml index 28a1ca2..d748dde 100644 --- a/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml +++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml @@ -9,7 +9,8 @@ <description>The kernel runtime parameter "net.ipv6.conf.all.disable_ipv6" should be set to "1".</description>  </metadata> - <criteria> + <criteria operator="OR"> + <extend_definition comment="IPv6 disabled or..." definition_ref="kernel_module_ipv6_option_disabled" /> <criterion comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" test_ref="test_sysctl_net_ipv6_conf_all_disable_ipv6" /> </criteria> </definition> diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml index 7978ba7..dea99ab 100644 --- a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml +++ b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml @@ -9,7 +9,8 @@ <reference ref_id="CCE-4365-3" source="CCE" /> <description>The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".</description> </metadata> - <criteria> + <criteria operator="OR"> + <extend_definition comment="IPv6 disabled or..." definition_ref="kernel_module_ipv6_option_disabled" /> <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to 0" test_ref="test_sysctl_net_ipv6_conf_default_accept_redirects" /> </criteria> </definition> -- 1.7.1

2 1

[PATCH] corrected check category, CCE
by Jeffrey Blank 21 Aug '12

21 Aug '12

no acknowledgement needed, this is a quick bug fix Jeffrey Blank (1): made qpid package check a compliance check instead of inventory, removed incorrect CCE reference .../checks/package_qpid-cpp-server_removed.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)

1 1

[PATCH] A refine-value should point to an exissting selector.
by Šimon Lukašík 21 Aug '12

21 Aug '12

1 0

[PATCH] more transition notes help
by Jeffrey Blank 17 Aug '12

17 Aug '12

I believe this puts the table at completion for noting current transition action. Thanks Gary! And contributions via email are just fine from anybody if you have contributions but aren't familiar with git yet. (I'm also pushing since this already implies two-party agreeement.) This allows firm understanding/documentation on the items that need to be migrated into the project immediately to make it complete, versus the items that still require discussion (which were not covered at the consensus meeting). This means that a list of requirements for consideration is very close at hand (and the current status is also fully visible). Jeffrey Blank (1): more transition notes help from Gary / Aqueduct RHEL6/input/auxiliary/transition_notes.xml | 56 ++++++++++++++++++++++++++++ 1 files changed, 56 insertions(+), 0 deletions(-)

2 2

[PATCH] Removed br tags outside of Rules in system/auditing
by Mike Palmiotto 17 Aug '12

17 Aug '12

Oops. I went ahead and pushed without notifying the list. There were two br tags in system/auditing that were breaking make validate. > diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml > index f94161d..8d14443 100644 > --- a/RHEL6/input/system/auditing.xml > +++ b/RHEL6/input/system/auditing.xml > @@ -115,8 +115,6 @@ process during boot. > <ref nist="AU-2" disa="1464,130" /> > </Rule> > > -<br /><br /> > - > <Group id="configure_auditd_data_retention">

2 1

[PATCH] additional file/directory permissions checks
by Jeffrey Blank 17 Aug '12

17 Aug '12

This is in line with the permissions checking strategy discussed here: https://fedorahosted.org/scap-security-guide/wiki/STIGfileperms This page is meant to document development of a coherent strategy for file permissions checking for baselines. Jeffrey Blank (1): added Rules for file permission checks. * This likely needs further prose expansion, but captures intent for now * OVAL checks forthcoming RHEL6/input/system/permissions/files.xml | 102 ++++++++++++++++++++++++++++-- 1 files changed, 97 insertions(+), 5 deletions(-)

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide August 2012