[PATCH] Additional transition notes
by Kevin Spargur
---
RHEL6/input/auxiliary/transition_notes.xml | 337 ++++++++++++++++++++++++++--
1 files changed, 323 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index 7cb67c2..b40ef00 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -324,14 +324,14 @@ rule=audit_rules_dac_modification manual=no
<note ref="833" auth="KS">
Sendmail is no longer shipped by default. Postfix is the default instead.
-Equivilent check does not exist in the RHEL6 prose, it can be automated and
+Equivalent check does not exist in the RHEL6 prose, it can be automated and
the OVAL for it does not appear to already exist.
rule=null manual=no
</note>
<note ref="834" auth="KS">
Sendmail is no longer shipped by default. Postfix is the default instead.
-Equivilent check does not exist in the RHEL6 prose, it can be automated and
+Equivalent check does not exist in the RHEL6 prose, it can be automated and
the OVAL for it does not appear to already exist.
rule=null manual=no
</note>
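Review bot: the notes for 833 and 834 carry identical text, which is why the same typo had to be fixed twice here; the file already collapses refs that share a verdict into one note (the `ref="941,982"` style used further down), so consider merging these into a single `<note ref="833,834" auth="KS">` so future wording changes are made once.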
@@ -369,7 +369,9 @@ By default new home directories will be given 700 perms.
</note>
<note ref="904,905,914,915,924,986,993,995,1021,1022,1046,4087,4268,
-4346,4357,4360,4366" auth="KS">
+4346,4357,4360,4366,11985,11986,11989,11995,12030,22302,22304,22308,
+22348,22349,22374,22378,22382,22408,22415,22421,22430,22447,22448,
+22449,22473,22475,22485,22486,22487,22488" auth="KS">
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
it does not appear to already exist.
rule=null manual=no
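Review bot: twenty-six refs are added to a note whose verdict is `rule=null manual=no`, i.e. "can be automated but no rule exists yet", with nothing in the note to flag the outstanding work once the patch lands; suggest a TODO marker or the intended rule name next to `rule=null` so the gap can be grepped for. Also worth checking that none of these refs reappear in the other `rule=null` bulk note edited later in this patch (the `983,1048,...` list), since a ref recorded in two notes will be counted twice by anything that consumes this file.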
@@ -394,8 +396,8 @@ the vendor for correction as a bug in the product.
<note ref="923" auth="KS">
Check does not exist in the RHEL6 prose, it cannot be entirely automated and
-the OVAL for it does not appear to already exist. r
-ule=null manual=yes
+the OVAL for it does not appear to already exist.
+rule=null manual=yes
A simple example, a cronjob can be made to look for devices and compare to
previous lists but still requires someone to review it which is a manual
process
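Review bot: the split `r` / `ule=null manual=yes` line is correctly rejoined, but the commentary that follows still ends without a period at "process" and reads as a run-on; since the note is being touched anyway, suggest "As a simple example, a cron job can look for devices and compare them to previous lists, but someone must still review the result, which is a manual process."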
@@ -441,10 +443,10 @@ of using TCP Wrappers to protect certain versions of NFS but nothing specific
which may be the intent as this check is not at all specific either.
</note>
-<note ref="941,982" auth="KS">
+<note ref="941,982,1204" auth="KS">
Check exists in the RHEL6 prose, it can be automated and the OVAL for it
-appears to already exist.
-rule=ensure_rsyslog_log_file_configuration manual=no
+does not appear to exist.
+group=ensure_rsyslog_log_file_configuration manual=no
</note>
<note ref="974" auth="KS">
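Review bot: this hunk introduces a `group=` key where every other note in the file uses `rule=`, so anything parsing the notes for `rule=` will silently skip this entry; either document `group=` in the header comment at the top of the file or keep `rule=` and name the specific rule under ensure_rsyslog_log_file_configuration that covers 941, 982 and 1204. The verdict flip from "appears to already exist" to "does not appear to exist" with no explanation in the note also deserves a word on what was checked, since the first sentence still says the check exists in the prose.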
@@ -471,12 +473,13 @@ any files that are world writable but not system owned. System file
permissions are addressed through the rpm verification check
</note>
-<note ref="983,1048,1049,1061" auth="KS">
-Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it
-does not appear to already exist.
+<note ref="983,1048,1049,1061,11981,11983,11984,11990,11994,12014,22351,
+22369,22385,22391,22397,22405,22440,22471,22472,22567,22568,22569,22571,
+22572,22573,22586,22587,22702,29289" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
rule=null manual=no
-This and others like it should be covered under a new section targeting
-permissions in key directories
+A new section targeting permissions in key directories will be added.
</note>
<note ref="984,985" auth="KS">
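Review bot: the new wording "A new section targeting permissions in key directories will be added." records a commitment with no owner or tracking reference, so a later reader cannot tell whether it happened; suggest naming the planned section or adding a grep-able TODO tag. The same promise appears in the new 4430 note later in this patch ("A new section will be added discussing permissions on key files"), so one shared marker would keep the two in sync.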
@@ -580,7 +583,7 @@ Cannot programmatically determine if a server is a "valid" DoD time source
without maintaining a exhaustive list of potentially sensitive information
</note>
-<note ref="4304" auth="KS">
+<note ref="4304,22422" auth="KS">
Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
it does not exist.
rule=null manual=no
@@ -600,7 +603,313 @@ does exist.
rule=postfix_server_banner manual=no
</note>
+<note ref="4387" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+If we must include a section on ftp we should at least require it be done over
+SSH.
+</note>
+
+<note ref="4392" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL
+for it does not exist.
+rule=null manual=yes
+This is not really feasible without maintaining an exhaustive list which
+constantly changes. Also, why NMS? We're allowed to run unauthorized s/w
+on non-NMS systems?
+</note>
+
+<note ref="4395,22455" auth="KS">
+Partial check does exists in the RHEL6 prose, it cannot be entirely automated
+and partial OVAL check for it does exist.
+rule=rsyslog_send_messages_to_logserver manual=yes
+We can verify that logs are sent to a remote server but we cannot determine in
+an automated fashion if it is "justified and documented using site-defined
+procedures."
+</note>
+
+<note ref="4397" auth="KS">
+Partial check does exists in the RHEL6 prose, it can be automated an OVAL check
+for it appears to exist.
+rule=disable_dhcp_client manual=no
+</note>
+
+<note ref="4399,11987,11988" auth="KS">
+Check in the RHEL6 prose requires NIS not be installed, it can be automated and
+an OVAL check for it appears to exist.
+rule=uninstall_ypserv manual=no
+Let NIS die.
+</note>
+
+<note ref="4427,4428" auth="KS">
+Check in the RHEL6 prose requires most if not all of these files be removed,
+it can be automated and an OVAL check for it appears to exist.
+rule=no_rsh_trust_files manual=no
+What "r-commands" are we suggesting be used with these? V-11988 wants these
+removed anyway.
+</note>
+
+<note ref="4430" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+This is root:root by default. A new section will be added discussing
+permissions on key files.
+</note>
+
+
+<note ref="4689" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+Wouldn't this also be covered by V-783 on keeping the system patched?
+</note>
+
+<note ref="4689,4691" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+Wouldn't this also be covered by V-783 on keeping the system patched?
+</note>
+
+<note ref="4695" auth="KS">
+Check does exist in the RHEL6 prose to deny use of TFTP, it can be automated
+and the OVAL for it does exist.
+rule=tftp-server manual=no
+Is it not necessary for other software on the system to be authorized and
+approved?
+</note>
+
+<note ref="4697,12016,12017" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated
+and the OVAL for it does not exist.
+rule=null manual=yes
+Without knowing what hosts should be trusted we can't do this, we don't really
+want to either. X has numerous issues. If remote connections to X must be
+used it should be tunneled over something such as SSH.
+</note>
+
+<note ref="4702" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated
+and the OVAL for it does not exist.
+rule=null manual=yes
+No automated means to determine presence in DMZ. We should not be allowing FTP.
+</note>
+
+<note ref="11976" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=password_max_age manual=yes
+</note>
+
+<note ref="11980" auth="KS">
+Partial check for authpriv does exist in the RHEL6 prose, it can be automated
+and the OVAL for it does exist.
+group=ensure_rsyslog_log_file_configuration manual=no
+The authpriv portion seems to be covered in several different places (V-12004,
+V-941). The value provided by the second half of this is not apparent and not
+in the RHEL6 prose.
+</note>
+
+<note ref="11996" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+appears to exist.
+rule=disable_users_coredumps manual=no
+</note>
+
+<note ref="11999" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=enable_execshield manual=no
+</note>
+
+<note ref="12002" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=set_sysctl_net_ipv4_conf_all_accept_source_route manual=no
+This check is split in the RHEL6 prose and addressed in the rule listed above
+and the set_sysctl_net_ipv4_conf_default_accept_source_route rule
+</note>
+<note ref="846,12010,12011,23732" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+appears to exist.
+rule=uninstall_vsftpd manual=no
+Per V-12010 don't allow FTP. Lets get rid of these other random FTP rules.
+</note>
+<note ref="12023" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=disable_sysctl_ipv4_ip_forward manual=no
+</note>
+
+<note ref="12028" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL
+for it does not exist.
+rule=null manual=yes
+Any automated effort to check this is at best a token effort.
+</note>
+
+<note ref="22301" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=set_blank_screensaver manual=no
+</note>
+
+<note ref="22303" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=set_password_hashing_algorithm manual=no
+</note>
+
+<note ref="22305,22306,22307" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+group=password_quality_pamcracklib manual=no
+The cracklib checks are in the RHEL6 prose.
+</note>
+
+<note ref="22312" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=no_files_unowned_by_group manual=no
+</note>
+
+<note ref="22339" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=userowner_shadow_file manual=no
+</note>
+
+<note ref="22347" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=no_hashes_outside_shadow manual=no
+</note>
+
+<note ref="22375" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=configure_auditd_space_left_action manual=no
+</note>
+
+<note ref="22376,22377" auth="KS">
+Partial check does exist in the RHEL6 prose, it can be automated and a partial
+OVAL for it does exist.
+rule=audit_account_changes manual=no
+Auditing of the files is in place but not the commands.
+</note>
+
+<note ref="22383" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=audit_kernel_module_loading manual=no
+</note>
+
+<note ref="22404" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=service_kdump_disabled manual=no
+</note>
+
+<note ref="22409" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=iptables_icmp_disabled manual=no
+This is accomplished by whitelisting specific types of icmp traffic.
+</note>
+
+<note ref="22410,22411" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts manual=no
+V-22410 and V-22411 are the same.
+</note>
+
+<note ref="22414" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=set_sysctl_net_ipv4_conf_all_accept_source_route manual=no
+This check is split in the RHEL6 prose into the above and the
+set_sysctl_net_ipv4_conf_default_accept_source_route rule.
+</note>
+
+<note ref="22416" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=set_sysctl_net_ipv4_conf_all_accept_redirects manual=no
+This check is split in the RHEL6 prose into the above and the
+set_sysctl_net_ipv4_conf_default_accept_redirects rule.
+</note>
+
+<note ref="22417" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=disable_sysctl_ipv4_all_send_redirects manual=no
+This check is split in the RHEL6 prose into the above and the
+disable_sysctl_ipv4_default_send_redirects rule.
+</note>
+
+<note ref="22418" auth="KS">
+Partial check does exist in the RHEL6 prose, it can be automated and partial
+OVAL for it does exist.
+rule=set_sysctl_net_ipv4_conf_all_log_martians manual=no
+This check is split in the RHEL6 prose into the above but no equivalent rule
+exists for "default."
+</note>
+
+<note ref="22419" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=set_sysctl_net_ipv4_tcp_syncookies manual=no
+</note>
+
+<note ref="22429" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=service_rpcbind_disabled manual=no
+</note>
+
+<note ref="22431,22432,22433,22434" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=uninstall_rsh-server manual=no
+</note>
+
+<note ref="22456,22461,22462,22463,22474" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and OVAL for it
+does not exist.
+rule=null manual=no
+No check exists for the client side.
+</note>
+
+<note ref="22457" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated and OVAL for
+it does not exist.
+rule=null manual=yes
+No automated way to determine the management interface.
+</note>
+
+<note ref="22458,22459" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=sshd_use_approved_ciphers manual=no
+V-22458 and V-22459 are essentially the same.
+</note>
+
+<note ref="22470" auth="KS">
+Partial check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=sshd_limit_user_access manual=no
+Prose focuses on blacklisting where we should prefer a whitelist.
+</note>
+
+<note ref="22489" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and OVAL for it does
+exist.
+rule=sshd_enable_warning_banner manual=no
+</note>
</notegroup>
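Review bot: two notes for 4689 are added (`ref="4689"` and `ref="4689,4691"`) with identical text; drop the first so the ref is recorded once. `rule=password_max_age manual=yes` contradicts its own sentence "it can be automated and the OVAL for it does exist" (the other automated notes use manual=no), and `rule=tftp-server` looks like a package name rather than a rule id given the `uninstall_*` / `service_*_disabled` naming used elsewhere in this hunk. Minor: "Partial check does exists" appears twice (4395 and 4397), the 4397 note is missing "and" before "an OVAL check", the 12002 and 22414 notes map to the same rule with the same split comment and could cross-reference each other, there is a stray double blank line before the 4689 note, and the first line of the 22470 note exceeds the wrap width used everywhere else.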
--
1.7.7.6
11 years, 7 months
[PATCH 0/2] adding umask rules to STIG profile
by Jeffrey Blank
The OVAL for this is broken at the moment, but ensuring the list of settings
for the STIG profile is complete is top priority right now.
Jeffrey Blank (2):
added umask Rules to STIG profile, test profile * OVAL seems broken
linebreak removals from sessions file
RHEL6/input/profiles/STIG-server.xml | 11 ++++++++
RHEL6/input/profiles/test.xml | 11 ++++++++
RHEL6/input/system/accounts/session.xml | 43 ++++++++-----------------------
3 files changed, 33 insertions(+), 32 deletions(-)
[PATCH] RHEL 5 => RHEL 6 Mapping + comments
by Vincent Passaro
All,
Here is my patch for the rundown of open line items being mapped to RHEL 6 requirements.
Hopefully I didn't screw this up too much, let me know if I did and I'll go adjust. Be gentle, Aqueduct is all SVN, so still learning the oddities of Git. That and my eyes started bleeding about 1/2 through this.
Thanks,
Vince
From a0cc954760b031f6c4014f323871373e8b40e750 Mon Sep 17 00:00:00 2001
From: Vincent Passaro <Vincent.Passaro(a)fotisnetworks.com>
Date: Tue, 14 Aug 2012 15:10:07 -0700
Subject: [PATCH] VP Patch for RHEL 5 / RHEL 6 Mapping
---
RHEL6/input/auxiliary/transition_notes.xml | 666 +++++++++++++++++++++++++++++
1 file changed, 666 insertions(+)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index 7cb67c2..d43ca16 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -2,6 +2,672 @@
<!-- This file enables documentation of how the RHEL 5 STIG requirements
will be migrated to consensus for RHEL 6. -->
+<note ref="931" auth="VP">
+This is not in the RHEL 6 content. Nosuid / nodev checks address perms on NFS shares.
+</note>
+
+<note ref="1026" auth="VP">
+This is not in the RHEL 6 content. The requirements SSL / Localhost will be addressed via the Web Stig, there is no need (IMHO) to require this twice.
+</note>
+
+<note ref="1047" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="4387" auth="VP">
+This is covered in the RHEL 6 content. The check CCE-3987-5 meets this requirement
+</note>
+
+<note ref="4392" auth="VP">
+This is not covered in the RHEL 6 content. This check is entirely manual and shouldn't be added to RHEL 6 content
+</note>
+
+<note ref="4395" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="4397" auth="VP">
+This is covered in the RHEL 6 content. CCE-4191-3
+</note>
+
+<note ref="4399" auth="VP">
+This is covered in the RHEL 6 content by setting NIS to disabled.
+</note>
+
+<note ref="4427" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="4428" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="4690" auth="VP">
+This is covered in the RHEL 6 content. By applying patches, this requirement will be addressed
+</note>
+
+<note ref="4691" auth="VP">
+This is covered in the RHEL 6 content. By applying patches, this requirement will be addressed
+</note>
+
+<note ref="4695" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="4697" auth="VP">
+This is not covered in the RHEL 6 content. There is a check to disable a GUI, but a GUI is sometimes required for install of 3rd party apps (Oracle, Weblogic, etc)
+</note>
+
+<note ref="4702" auth="VP">
+This is covered in the RHEL 6 content in a slightly different manner. CCE-3919-8 is set vsftpd to off
+</note>
+
+<note ref="11976" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-4092-3 sets pass max days in /etc/login.defs, not shadow.
+</note>
+
+<note ref="11980" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-17248-6 states a *.*, which would include the authpriv being submitted to the loghost. The audit.rules settings are not called out
+</note>
+
+<note ref="11980" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="11983" auth="VP">
+This is not covered in the RHEL 6 content. This will have to be a manual check IF it is to be included.
+</note>
+
+<note ref="11984" auth="VP">
+This is not covered in the RHEL 6 content. Default settings from RH should be acceptable for this and should be covered in the rpm verify check.
+</note>
+
+<note ref="11985" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="11987" auth="VP">
+This is covered in the RHEL 6 content in a slightly different manner. NIS+ is to be set to disable / erased.
+</note>
+
+<note ref="11988" auth="VP">
+This is covered in the RHEL 6 content in a slightly different manner. CCE-TODO requires .rhosts file to be removed.
+</note>
+
+<note ref="11989" auth="VP">
+This is covered in the RHEL 6 content in a slightly different manner. CCE-TODO requires .rhosts file to be removed.
+</note>
+
+<note ref="11990" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="11995" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="11996" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="11999" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="12002" auth="VP">
+This is covered in the RHEL 6 content. CCE-4236-6
+</note>
+
+<note ref="12004" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-17248-6 states a *.*, which would include the authpriv being submitted to the loghost. The audit.rules settings are not called out
+</note>
+
+<note ref="12010" auth="VP">
+This is covered in the RHEL 6 content. CCE-4236-6
+</note>
+
+<note ref="12011" auth="VP">
+This is not covered in the RHEL 6 content. The RHEL 6 requirement is to disable FTP
+</note>
+
+<note ref="12014" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="12017" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="12023" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="12028" auth="VP">
+This is covered in the RHEL 6 content. This is a manual check. Previously have addressed this with DISA about this that HBSS (which is required on systems) meets this requirement.
+</note>
+
+<note ref="12030" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22301" auth="VP">
+This is covered in the RHEL 6 content. CCE-14735-5
+</note>
+
+<note ref="22302" auth="VP">
+This is covered in the RHEL 6 content. CCE-14063-2
+</note>
+
+<note ref="22303" auth="VP">
+This is covered in the RHEL 6 content. CCE-14063-2
+</note>
+
+<note ref="22304" auth="VP">
+This is covered in the RHEL 6 content. CCE-14063-2
+</note>
+
+<note ref="22305" auth="VP">
+This is covered in the RHEL 6 content. CCE-14063-2
+</note>
+
+<note ref="22306" auth="VP">
+This is covered in the RHEL 6 content. CCE-14701-7
+</note>
+
+<note ref="22307" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="22308" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22312" auth="VP">
+This is not covered in the RHEL 6 content. This is a manual check.
+</note>
+
+<note ref="22339" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="22347" auth="VP">
+This is covered in the RHEL 6 content. CCE-14300-8
+</note>
+
+<note ref="22348" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22349" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22351" auth="VP">
+This is not covered in the RHEL 6 content. This is a manual check. This check typically fails with accounts for Oracle (ora:dba) is a good example of this.
+</note>
+
+<note ref="22358" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22369" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="22374" auth="VP">
+This is covered in the RHEL 6 content in a slightly different mannger. RHEL 6 admin_space_left_action = ACTION
+</note>
+
+<note ref="22375" auth="VP">
+This is covered in the RHEL 6 content in a slightly different mannger. RHEL 6 admin_space_left_action = ACTION
+</note>
+
+<note ref="22376" auth="VP">
+-w /usr/sbin/useradd -p x -k useradd - Not in RHEL 6
+-w /usr/sbin/groupadd -p x -k groupadd - Not in RHEL 6
+-w /etc/passwd -p a -k passwd - Is in RHEL 6
+-w /etc/shadow -p a -k shadow - Is in RHEL 6
+-w /etc/group -p a -k group - Is in RHEL 6
+-w /etc/gshadow -p a -k gshadow - Is in RHEL 6
+</note>
+
+<note ref="22377" auth="VP">
+-w /usr/sbin/usermod -p x -k usermod - Not in RHEL 6
+-w /usr/sbin/groupmod -p x -k groupmod - Not in RHEL 6
+-w /etc/passwd -p w -k passwd - Is in RHEL 6
+-w /etc/shadow -p w -k shadow - Is in RHEL 6
+-w /etc/group -p w -k group - Is in RHEL 6
+-w /etc/gshadow -p w -k gshadow - Is in RHEL 6
+</note>
+
+<note ref="22378" auth="VP">
+-w /usr/bin/passwd -p x -k passwd - Not in RHEL 6
+</note>
+
+<note ref="22382" auth="VP">
+-w /usr/sbin/userdel -p x - Not in RHEL 6
+-w /usr/sbin/groupdel -p x - Not in RHEL 6
+</note>
+
+<note ref="22383" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22385" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22391" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22397" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22404" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22405" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22408" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22409" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22410" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22411" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22414" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22415" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22416" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22417" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22418" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22419" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22421" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22422" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22429" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22430" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22431" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22432" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22433" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22434" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22440" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22447" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
+</note>
+
+<note ref="22448" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
+</note>
+
+<note ref="22449" auth="VP">
+This is covered in RHEL 6 content in a slightly different manner. CCE-3765-5 sets SNMP to disabled
+</note>
+
+<note ref="22455" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22456" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22457" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22458" auth="VP">
+This is not covered in RHEL 6 content. This is a manual check
+</note>
+
+<note ref="22461" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22462" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22463" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22470" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22471" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22472" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22473" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22474" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22475" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22485" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22486" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22487" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22488" auth="VP">
+This is not covered in RHEL 6 content
+</note>
+
+<note ref="22490" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to disabled in RHEL 6 content
+</note>
+
+<note ref="22491" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to disabled in RHEL 6 content
+</note>
+
+<note ref="22499" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22500" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22501" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22506" auth="VP">
+This is not covered in RHEL 6 content. This is a manual check
+</note>
+
+<note ref="22507" auth="VP">
+This is not covered in RHEL 6 content. AIDE is set to be installed, but not configuration changes are set for the aide.conf in RHEL 6 content.
+</note>
+
+<note ref="22508" auth="VP">
+This is not covered in RHEL 6 content. AIDE is set to be installed, but not configuration changes are set for the aide.conf in RHEL 6 content.
+</note>
+
+<note ref="22511" auth="VP">
+This is covered in RHEL 6 content.
+</note>
+
+<note ref="22514" auth="VP">
+This is covered in RHEL 6 content.
+</note>
+
+<note ref="22524" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22530" auth="VP">
+This is covered in RHEL 6 content.
+</note>
+
+<note ref="22533" auth="VP">
+This is covered in RHEL 6 content.
+</note>
+
+<note ref="22539" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22541" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22542" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22545" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22546" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22547" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22548" auth="VP">
+This is covered in RHEL 6 content in a slightly different way.
+</note>
+
+<note ref="22549" auth="VP">
+This is covered in RHEL 6 content in a slightly different way.
+</note>
+
+<note ref="22550" auth="VP">
+This is covered in RHEL 6 content
+</note>
+
+<note ref="22553" auth="VP">
+This is not covered in RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="22555" auth="VP">
+This is covered in RHEL 6 content.
+</note>
+
+<note ref="22556" auth="VP">
+This is covered in RHEL 6 content. This is a manual check
+</note>
+
+<note ref="22557" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22558" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22563" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22564" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22565" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22567" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22568" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22569" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22571" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22572" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22573" auth="VP">
+This is not covered in RHEL 6 content.
+</note>
+
+<note ref="22575" auth="VP">
+This is not covered in RHEL 6 content. *note* DISA FSO stated HBSS meets this requirement
+</note>
+
+<note ref="22577" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22582" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22583" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22586" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22587" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22588" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22589" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22598" auth="VP">
+This is covered in the RHEL 6 content
+</note>
+
+<note ref="22665" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="22702" auth="VP">
+This is not covered in the RHEL 6 content
+</note>
+
+<note ref="23732" auth="VP">
+This is not covered in the RHEL 6 content. FTP is set to be disabled in RHEL 6
+</note>
+
+<note ref="23736" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="23738" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="23739" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="23741" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="23952" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="23972" auth="VP">
+This is not covered in the RHEL 6 content. IPV6 is set to be disabled
+</note>
+
+<note ref="24331" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="24384" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="24624" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="27250" auth="VP">
+This is not covered in the RHEL 6 content.
+</note>
+
+<note ref="27283" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
+
+<note ref="27284" auth="VP">
+This is covered in the RHEL 6 content.
+</note>
<note ref="760,923,925,4246,4247,4248,4255,4357,4398,11986,12018,12020,12021,
22310,22311,22578,22579,27251,22579,22580,27251" auth="JB">
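Review bot: none of the new VP notes records which rule or OVAL definition covers (or fails to cover) the STIG item, so a reader cannot verify a "This is covered in the RHEL 6 content" claim against the guide; the KS notes in the same file carry a `rule=... manual=...` line for exactly that purpose, and the 22577 through 22598 notes should do the same (and end with a period, like the notes above them). The 22575 note relies on "DISA FSO stated HBSS meets this requirement" with no rule mapping at all; if the item is being dropped on that basis, the note should say so explicitly rather than leaving it as an aside.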
--
1.7.11.2
[PATCH] Added two potential manual audit/remediation profiles.
by Mike Palmiotto
Here are two potential profiles for manual actions on SCAP content.
They separately address manual audits and manual remediation (with overlap).
They are included in one patch, as they provide a solution to SCAP's
lack of coverage for audit and remediation.
I understand if these profiles are not adopted, but just to give an idea
of the scope of this (and as requested), I thought a patch would be
appreciated.
Feel free to provide input, as I'm sure there's something I missed.
---
RHEL6/input/profiles/manual_audits.xml | 40 +++++++++++++++++++++++++++
RHEL6/input/profiles/manual_remediation.xml | 32 +++++++++++++++++++++
2 files changed, 72 insertions(+), 0 deletions(-)
create mode 100755 RHEL6/input/profiles/manual_audits.xml
create mode 100755 RHEL6/input/profiles/manual_remediation.xml
diff --git a/RHEL6/input/profiles/manual_audits.xml b/RHEL6/input/profiles/manual_audits.xml
new file mode 100755
index 0000000..005bcd9
--- /dev/null
+++ b/RHEL6/input/profiles/manual_audits.xml
@@ -0,0 +1,40 @@
+<Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1" >
+<title>Profile for Attended/Manual portion of DCID6/3 remediation</title>
+<description>This profile contains items that require user interaction during audit.</description>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="postfix_create_cert" selected="true"/>
+<select idref="postfix_install_ssl_cert" selected="true"/>
+<select idref="network_ssl_create_ca" selected="true" />
+<select idref="network_ssl_create_ssl_certs" selected="true" />
+<select idref="network_ssl_create_ssl_certs" selected="true" />
+<select idref="network_ssl_enable_client_support" selected="true"/>
+<select idref="network_ssl_add_ca_firefox" selected="true"/>
+<select idref="network_ssl_add_ca_thunderbird" selected="true"/>
+<select idref="network_ssl_add_ca_evolution" selected="true"/>
+<select idref="network_ssl_remove_certs" selected="true"/>
+<select idref="network_ipv6_static_address" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="aide_build_database" selected="true"/>
+<select idref="wireless_disable_in_bios" selected="true"/>
+<select idref="deactivate_wireless_interfaces" selected="true"/>
+<select idref="iptables_log_and_drop_suspicious" selected="true"/>
+<select idref="network_ipv6_default_gateway" selected="true"/>
+<select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="no_files_unowned_by_group" selected="true"/>
+<select idref="world_writable_files_system_ownership" selected="true"/>
+<select idref="aide_verify_integrity-manually" selected="true"/>
+<select idref="ldap_server_config_olcsuffix" selected="true"/>
+<select idref="ldap_server_config_olcrootpw" selected="true"/>
+<select idref="ldap_server_config_olcaccess" selected="true"/>
+<select idref="iptables_ldap_enabled" selected="true"/>
+<select idref="ldap_server_config_certificate_files" selected="true"/>
+<select idref="ldap_server_config_directory_domain" selected="true"/>
+<select idref="ldap_server_config_directory_users_groups" selected="true"/>
+<select idref="ldap_server_config_directory_accounts" selected="true"/>
+<select idref="ldap_server_config_directory_groups" selected="true"/>
+<select idref="ldap_server_config_directory_admin_group" selected="true"/>
+</Profile>
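Review bot: `bios_disable_usb_boot` is selected twice (near the top and again after `network_ipv6_static_address`) and `network_ssl_create_ssl_certs` appears on two consecutive lines; the duplicate `<select>` elements should be dropped. The idref `aide_verify_integrity-manually` mixes a hyphen into an otherwise underscore-separated naming scheme and is worth checking against the actual Rule id, since a select whose idref matches no Rule does nothing. Also, the file is created with mode 100755; an XML profile does not need the executable bit and should be 100644.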
diff --git a/RHEL6/input/profiles/manual_remediation.xml b/RHEL6/input/profiles/manual_remediation.xml
new file mode 100755
index 0000000..84a8fe7
--- /dev/null
+++ b/RHEL6/input/profiles/manual_remediation.xml
@@ -0,0 +1,32 @@
+<Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1" >
+<title>Profile for Attended/Manual portion of DCID6/3 remediation</title>
+<description>This profile contains items that require user interaction during audit.</description>
+<select idref="install_aide" selected="true"/>
+<select idref="install_vsftpd" selected="true"/>
+<select idref="install_openswan" selected="true"/>
+<select idref="install_vlock_package" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="bootloader_password" selected="true"/>
+<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
+<select idref="disable_dhcp_client" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="set_gdm_login_banner_text" selected="true"/>
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="postfix_create_cert" selected="true"/>
+<select idref="postfix_install_ssl_cert" selected="true"/>
+<select idref="postfix_seperate_internal_external" selected="true"/>
+<select idref="network_ipv6_static_address" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="aide_build_database" selected="true"/>
+<select idref="wireless_disable_in_bios" selected="true"/>
+<select idref="deactivate_wireless_interfaces" selected="true"/>
+<select idref="iptables_log_and_drop_suspicious" selected="true"/>
+<select idref="network_ipv6_default_gateway" selected="true"/>
+<select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="no_files_unowned_by_group" selected="true"/>
+<select idref="world_writable_files_system_ownership" selected="true"/>
+<select idref="aide_verify_integrity-manually" selected="true"/>
+<select idref="iptables_ldap_enabled" selected="true"/>
+</Profile>
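Review bot: the `Profile id` is still `manual_audits`, copied from the other file, so the two profiles collide on the same XCCDF id; it should be `manual_remediation`, and the `<title>` and `<description>` (which still describe an audit profile) need the same correction. `bios_disable_usb_boot` and `enable_gdm_login_banner` are each selected twice. The idref `postfix_seperate_internal_external` must match the Rule id exactly, spelling included, or the select matches nothing. As with the first file, mode 100755 should be 100644.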
--
1.7.1
[RFC] Manual Profile Use
by Mike Palmiotto
Due to the need for handling Manual remediation of audits, I wanted to
see if there was any interest in a Manual profile. We have one already
generated, and it helps establish a separation of content in remediation.
This should help address the OCIL void while it exists.
If there is any interest, I can submit a patch to the list. Otherwise,
we can carry a patch in CLIP.
[PATCH] updated NTP service prose
by Jeffrey Blank
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/services/ntp.xml | 104 ++++++++++++++++++++----------------------
1 files changed, 50 insertions(+), 54 deletions(-)
diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml
index c1acd4a..c87fedf 100644
--- a/RHEL6/input/services/ntp.xml
+++ b/RHEL6/input/services/ntp.xml
@@ -16,81 +16,77 @@ prevent certain types of attacks. If your network does not have
synchronized time, these protocols may be unreliable or even
unusable.
<br /><br />
-Depending on the specifics of the network, global time
-accuracy may be just as important as local synchronization, or not
-very important at all. If your network is connected to the
-Internet, it is recommended that you make use of a public
-timeserver, since globally accurate timestamps may be necessary if
-you need to investigate or respond to an attack which originated
-outside of your network.
+Depending on the specifics of the network, global time accuracy may be just as
+important as local synchronization, or not very important at all. If your
+network is connected to the Internet, it is recommended that you make use of a
+public timeserver or one provided by your enterprise or agency, since globally
+accurate timestamps may be necessary if you need to investigate or respond to
+an attack which originated outside of your network.
<br /><br />
-Whether or not you use an outside timeserver, configure the
-network to have a small number of machines operating as NTP
+A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
-internal servers.</description>
-
-<Group id="configuring_ntpd">
-<title>Configure an NTP Server</title>
-<description>The site's NTP server contacts a central NTP server,
-probably either one provided by your ISP or a public time server,
-to obtain accurate time data. The server then allows other machines
-on your network to request the time data.
+internal servers.
<br /><br />
-The NTP server configuration file is located at <tt>/etc/ntp.conf</tt>.</description>
-<Group id="enabling_ntpd">
-<title>Enable the NTP Daemon</title>
-<description>If this machine is an NTP server, ensure that <tt>ntpd</tt> is enabled at boot time.</description>
+More information on how to configure the NTP server software,
+including configuration of cryptographic authentication for
+time data, is available at http://www.ntp.org.
+</description>
<Rule id="enable_ntpd">
<title>Enable the NTP Daemon</title>
<description>
<service-enable-macro service="ntpd" />
</description>
-<rationale> Enabling the <tt>ntpd</tt> service ensures that the local system
-time will be the same on all computers. This is essential for authentication
+<rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt>
+service will be running and that the system will synchronize its time to
+any servers specified. This is important whether the system is configured to be
+a client (and synchronize only its own clock) or it is also acting as an NTP
+server to other systems. Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.</rationale>
<ident cce="4376-0" />
<oval id="service_ntpd_enabled" />
<ref disa="160" />
</Rule>
-</Group>
-
-<Group id="configuring_ntpd_client">
-<title>Specify a Remote NTP Server for Time Data</title>
-<description>Find the IP address of an appropriate remote NTP server and
-configure <tt>ntpd</tt> to use it to obtain accurate time data. If your site
-does not require time data to be accurate, but merely to be synchronized among
-local machines, this step can be omitted, and the NTP server will default to
-providing time data from the local clock. However, it is a good idea to
-periodically synchronize the clock to some source of accurate time, even if it
-is not appropriate to do so automatically.</description>
<Rule id="ntpd_specify_remote_server">
-<title>Specify a Remote NTP Server for Time Data</title>
-<description>A remote NTP Server for time synchronization should be specified.
-Edit the file <tt>/etc/ntp.conf</tt>, and add or correct the following lines,
-substituting the IP address of a remote NTP server for <em>server-ip</em>:
-<pre>restrict server-ip mask 255.255.255.255 nomodify notrap noquery server
-server-ip</pre> This NTP server must contact a remote server to obtain accurate
-data, so NTP's configuration must allow that remote data to be used to modify
-the system clock. The restrict line changes the default access permissions for
-that remote server. The server line specifies the remote server as the
-preferred NTP server for time data. If you intend to synchronize to more than
-one server, specify restrict and server lines for each server.
-<br /><br />
-Note: It would be possible to specify a hostname, rather than an IP address,
-for the server field. However, the restrict setting applies only to network
-blocks of IP addresses, so it is considered more maintainable to use the IP
-address in both fields.</description>
-<rationale> Synchonizing <tt>ntpd</tt> with an accurate clock makes it easier
+<title>Specify a Remote NTP Server</title>
+<description>To specify a remote NTP server for time synchronization, edit
+the file <tt>/etc/ntp.conf</tt>. Add or correct the following lines,
+substituting the IP or hostname of a remote NTP server for <em>ntpserver</em>:
+<pre>server <i>ntpserver</i></pre>
+This instructs the NTP software to contact that remote server to obtain time
+data.
+</description>
+<rationale> Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
-real time events.</rationale>
+real time events. Using a trusted NTP server provided by your organization is
+recommended.</rationale>
<ident cce="4385-1" />
<oval id="ntp_remote_server" />
<ref disa="160" />
</Rule>
-</Group>
-</Group>
+
+
+<Rule id="ntpd_specify_multiple_servers">
+<title>Specify Additional Remote NTP Servers</title>
+<description>Additional NTP servers can be specified for time synchronization
+in the file <tt>/etc/ntp.conf</tt>. To do so, add additional lines of the
+following form, substituting the IP address or hostname of a remote NTP server for
+<em>ntpserver</em>:
+<pre>server <i>ntpserver</i></pre>
+</description>
+<rationale>Specifying additional NTP servers increases the availability of
+accurate time data, in the event that one of the specified servers becomes
+unavailable. This is typical for a system acting as an NTP server for
+other systems.
+</rationale>
+</Rule>
+
+<!-- future Rules (for later profiles/enhancements):
+ensuring use of the restrict keyword
+enabling cryptographic authentication (multiple options)
+-->
+
</Group>
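Review bot: the new `ntpd_specify_multiple_servers` Rule has no `<ident cce>`, `<oval>` or `<ref disa>` elements, unlike its two sibling Rules, so it yields neither an automated check nor a CCE/STIG mapping; either add them or state in the description that the rule is manual. The rewritten `ntpd_specify_remote_server` description drops the `restrict ... nomodify notrap noquery` guidance entirely and the trailing comment only defers "ensuring use of the restrict keyword" to a future Rule; a sentence in the Group description noting that access restrictions are configured separately would keep the topic visible until that Rule exists. Minor: the `enable_ntpd` rationale says enabling the service "ensures that the ntpd service will be running"; enabling at boot does not guarantee it is running now, so "will be started at boot" is more accurate.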
--
1.7.1
[PATCH] additional notes to document transition from RHEL 5 STIG
by Jeffrey Blank
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/auxiliary/transition_notes.xml | 45 ++++++++++++++++++++++++---
1 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index 3421a2e..37e2a74 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -3,16 +3,47 @@
will be migrated to consensus for RHEL 6. -->
-<note ref="4246,4247,4248,4255" auth="JB">
+<note ref="760,923,925,4246,4247,4248,4255,4357,4398,11986,12018,12020,12021,
+22310,22311,22578,22579,27251,22579,22580,27251" auth="JB">
This is a manual/procedural check that requires human intervention.
How to handle this for a specific OS's STIG is currently under consideration.
</note>
+<note ref="22363,22354,22355,22359,22360,22364" auth="JB">
+This needs to be considered for a new group that involves ensuring LD_LIBRARY_PATH,
+LD_PRELOAD, LD_AUDIT, and relative paths do not occur in a particular set of initialization files.
+At the same time, this represents a level of misconfiguration-checking
+that may not be appropriate for a baseline.
+</note>
+
+<note ref="22361" auth="JB">
+Isn't this redundant to V-914 and V-915?
+</note>
+
+<note ref="12024" auth="JB">
+This rule is made irrelevant by the advent of browser-based IM clients.
+</note>
+
+
+<note ref="12025" auth="JB">
+The intent of the check is addressed effectively only by network traffic filtering/inspection.
+</note>
+
+
+<note ref="27285" auth="JB">
+We are manually inspecting the well-formedness of certain configuration files? What?
+</note>
+
<note ref="793,787,901,902,903,904,905,906,750,924,925,11982" auth="JB">
This will be superceded by a new section describing expectations for permissions
contained in certain important directories.
</note>
+<note ref="22370,22371,22372,22365" auth="JB">
+This is superceded by the system-wide check for improper permissions provided
+by the package manager. Automating this check became possible with OVAL 5.8.
+</note>
+
<note ref="775,786,792,821,822,828,829,831,832,837,838,840,841,842,843,848,849,
928,929,974,975,978,979,980,981,987,988,989,994,1025,1027,1028,1029,1054,
1055,1056,1058,1059,4335,4334,4336,4339,4089,4090,4091,4358,4361,4364,
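Review bot: the expanded ref attribute lists `22579` and `27251` twice each (`...22578,22579,27251,22579,22580,27251`); the duplicates should be removed so the mapping stays one-to-one. The new note for 22370,22371,22372,22365 spells "superceded" (should be "superseded"), repeating the misspelling in the unchanged 793,787,... note above it. The 22361 and 27285 notes are questions to the list rather than decisions; flagging them as open items would keep them from being read as resolutions.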
@@ -37,7 +68,7 @@ Existence of an ACL is not necessarily a problem, and checking for existence of
files does not achieve any security goals. Alternatives include denying use of any ACLs unless documented, or simply dropping these rules entirely (preferred).
</note>
-<note ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB">
+<note ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,22576,22584,24386" auth="JB">
This is covered in the RHEL6 content.
</note>
@@ -182,7 +213,11 @@ For filepermission checks, defer to common criteria accepted values
Need to ensure rpm verify flags such files
</note>
-<note ref="22297" auth="1augDCM">
+<note ref="22297,22309,22313,22314,22315,22316,22317,22318,22322,22326,22330,
+22334,22338,22340,22344,22350,22352,22353,22356,22357,22362,22366,22367,
+22373,22384,22386,22387,22388,22389,22390,22393,22395,22407,22424,22426,
+22428,22436,22437,22439,22441,22442,22445,22446,22450,22452,22454,22489,22493,
+22497,22498,22502,22503,22504,22505,22562,22566,22570,22574,22585,22595,22596" auth="1augDCM">
for all ACL content we will change to allow ACLs (via group prose) then mandate their audit (via a rule)
</note>
@@ -203,7 +238,7 @@ Language to be broadened to beyond just CAC cards per PKI-e
</note>
<note ref="984" auth="1augDCM">
-Disablement of at service to be implimented in RHEL6 STIG
+Disablement of at service to be implemented in RHEL6 STIG
</note>
<note ref="1023" auth="1augDCM">
@@ -236,7 +271,7 @@ pam lastlog.so noupdate showfailed
touch /etc/hushlogins
</note>
-<note ref="27276" auth="1augDCM">
+<note ref="810,27276" auth="1augDCM">
disable account, not remove
set shell to nologin
</note>
--
1.7.1
[PATCH] Comments for the transition notes.
by Kevin Spargur
---
RHEL6/input/auxiliary/transition_notes.xml | 307 ++++++++++++++++++++++++++++
1 files changed, 307 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index 3421a2e..e64075a 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -261,4 +261,311 @@ update to remove vendor specific language
<note ref="22355" auth="1augDCM">
also watch for LD_AUDIT
</note>
+
+<note ref="814" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=audit_file_access manual=no
+</note>
+
+<note ref="815" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=audit_rules_file_deletion_events manual=no
+</note>
+
+<note ref="818" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=audit_manual_logon_edits manual=no
+Has no NIST controls associated
+</note>
+
+<note ref="819" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=audit_rules_dac_modification manual=no
+</note>
+
+<note ref="833" auth="KS">
+Sendmail is no longer shipped by default. Postfix is the default instead.
+Equivilent check does not exist in the RHEL6 prose, it can be automated and
+the OVAL for it does not appear to already exist.
+rule=null manual=no
+</note>
+
+<note ref="834" auth="KS">
+Sendmail is no longer shipped by default. Postfix is the default instead.
+Equivilent check does not exist in the RHEL6 prose, it can be automated and
+the OVAL for it does not appear to already exist.
+rule=null manual=no
+</note>
+
+<note ref="836" auth="KS">
+Sendmail is no longer shipped by default. Postfix is the default instead.
+rsyslog is used instead of syslog
+Check exists in multiple places in the RHEL6 prose, it can be automated and
+the OVAL for it appears to already exist.
+rule=postfix_logging manual=no
+group=ensure_rsyslog_log_file_configuration (redundant?)
+Has no cce associated
+</note>
+
+<note ref="845,850,903,913" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+</note>
+
+<note ref="846" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+At the same time, does this check make sense? Given the many security issues
+present in ftp, does requiring credentials really provide authentication of
+the user?
+</note>
+
+<note ref="901" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+By default new home directories will be given 700 perms.
+</note>
+
+<note ref="904,905,914,915,924,986,993,995,1021,1022,1046,4087,4268,
+4346,4357,4360,4366" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+</note>
+
+<note ref="906" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+This check should be superceeded by the system-wide check for improper
+permissions provided by the package manager. Automating this check became
+possible with OVAL 5.8
+</note>
+
+<note ref="907" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+This should not occur. If such a case is identified it should be brought to
+the vendor for correction as a bug in the product.
+</note>
+
+<note ref="923" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be entirely automated and
+the OVAL for it does not appear to already exist. r
+ule=null manual=yes
+A simple example, a cronjob can be made to look for devices and compare to
+previous lists but still requires someone to review it which is a manual
+process
+</note>
+
+<note ref="925" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=null manual=no
+Check seems redundant with V-924
+</note>
+
+<note ref="932" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to already exist.
+group=specify_anonymous_uid_gid manual=no
+</note>
+
+<note ref="933" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to already exist.
+group=export_filesystems_read_only manual=no
+</note>
+
+<note ref="935" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to already exist.
+rule=use_root_squashing_all_exports manual=no
+</note>
+
+<note ref="936" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=use_nosuid_option_on_nfs_mounts manual=no
+</note>
+
+<note ref="940" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not appear to already exist.
+rule=blank manual=no
+There are some mentions in the RHEL6 prose (group=nfs_restrict_access_rpcbind)
+of using TCP Wrappers to protect certain versions of NFS but nothing specific
+which may be the intent as this check is not at all specific either.
+</note>
+
+<note ref="941,982" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=ensure_rsyslog_log_file_configuration manual=no
+</note>
+
+<note ref="974" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+group=restrict_at_cron_users manual=no
+</note>
+
+<note ref="976,1010" auth="KS">
+Partial check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=world_writable_files manual=no
+Check is addressed by the world_writable_files_system_ownership rule to find
+any files that are world writable but not system owned. System file
+permissions are addressed through the rpm verification check
+</note>
+
+<note ref="977" auth="KS">
+Partial check exists in the RHEL6 prose, it can be automated and the OVAL for it
+appears to already exist.
+rule=world_writable_files_system_ownership manual=no
+Check is addressed by the world_writable_files_system_ownership rule to find
+any files that are world writable but not system owned. System file
+permissions are addressed through the rpm verification check
+</note>
+
+<note ref="983,1048,1049,1061" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to already exist.
+rule=null manual=no
+This and others like it should be covered under a new section targeting
+permissions in key directories
+</note>
+
+<note ref="984,985" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to exist.
+rule=restrict_at_cron_users manual=no
+This and others like it should be covered under a new section targeting
+permissions in key directories
+</note>
+
+<note ref="1013" auth="KS">
+Check exists in the RHEL6 prose, it cannot be automated and the OVAL/OCIL for
+it does not exist.
+rule=bios_disable_usb_boot manual=yes
+</note>
+
+<note ref="1030" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to exist.
+rule=smb_restrict_file_sharing manual=no
+</note>
+
+<note ref="1030" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does not appear to exist.
+rule=password_min_age manual=no
+</note>
+
+<note ref="1032" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+partially exists.
+rule=password_min_age manual=no
+Guide and oval address changing the defaults but don't address the current
+values
+</note>
+
+<note ref="1062" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it
+not exist.
+rule=null manual=no
+Not sure what the argument is for singling these specific things out.
+</note>
+
+<note ref="4083" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=enable_screensaver_after_idle manual=no
+</note>
+
+<note ref="4084" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=limiting_password_reuse manual=no
+</note>
+
+<note ref="4249" auth="KS">
+Check does exist in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=bootloader_password manual=no
+</note>
+
+<note ref="4250" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for it
+does not exist.
+rule=null manual=no
+System file permissions will be addressed through the rpm verification check
+</note>
+
+<note ref="4269" auth="KS">
+Check does not exist in the RHEL6 prose, it cannot be automated and the OVAL
+for it does not exist.
+rule=null manual=yes
+</note>
+
+<note ref="4273,4274,4275,4276,4277,4278" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL
+for it does not exist.
+rule=null manual=yes
+This no longer ships in the default repo's. Should be removed.
+</note>
+
+<note ref="4295" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=sshd_allow_only_protocol2 manual=no
+</note>
+
+<note ref="4298" auth="KS">
+Check does not exists in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+We do have a section for addressing these sorts of items under the group
+root_logins, but this particular concern is not addressed.
+</note>
+
+<note ref="4301" auth="KS">
+Check does not exists in the RHEL6 prose, it cannot be automated and the OVAL
+for it does not exist.
+rule=null manual=yes
+Cannot programmatically determine if a server is a "valid" DoD time source
+without maintaining a exhaustive list of potentially sensitive information
+</note>
+
+<note ref="4304" auth="KS">
+Check does not exist in the RHEL6 prose, it can be automated and the OVAL for
+it does not exist.
+rule=null manual=no
+This check doesn't actually determine if the file system is making use of
+journaling. Is it necessary to carry this forward?
+</note>
+
+<note ref="4321" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=disable_smb_server manual=no
+</note>
+
+<note ref="4384" auth="KS">
+Check exists in the RHEL6 prose, it can be automated and the OVAL for it
+does exist.
+rule=postfix_server_banner manual=no
+</note>
+
+
+
+
</notegroup>
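Review bot: two notes carry `ref="1030"` with different rules (`smb_restrict_file_sharing` and `password_min_age`); one of the two refs is wrong and should be corrected before the file is used as a mapping. In the 923 note `rule=null` is broken across two lines as `r` / `ule=null`, the 940 note uses `rule=blank` where every other note uses `rule=null`, and the 4273-4278 note says the check "can be automated" while setting `manual=yes`. Typos to fix in the added lines: "Equivilent" (833, 834), "superceeded" (906), "does not exists" (4298, 4301), "a exhaustive" (4301) and "the OVAL for it not exist" (1062). The four blank lines before `</notegroup>` can go.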
--
1.7.7.6
[PATCH 0/4] support for CPE creation
by Jeffrey Blank
These patches allow for generation of cpe-dictionary and cpe-oval files. The
cpe-oval file is extracted from whatever definitions are of the "inventory"
class in the main body of OVAL content. The cpe-dictionary file is generated
from a template which lives in input/checks/platform, whose fields are then
adjusted to properly reference the OVAL filename and definitions. I am not
terribly happy with this, but it is the most elegant thing I could come up with
in the short term.
Before long, we may also re-arrange the content filenames to be like
organization-product-scapacronym.xml, which is apparently considered "best
practice". It will, however, still be easy for any consumer of the content to
change the identifier when building the content by changing $(ID) in the
Makefile.
This is not terribly elegant, but again it is designed to ease creation
of the CPE files that some scanning tools apparently require.
Jeffrey Blank (4):
updated OVAL inventory check with reasonable IDs * will need to
be expanded later, or possibly joined later by inventory
checks for other versions of RHEL 6 to which the content applies
added lines to "content" Makerule to also generate CPE-related files,
made ID variable for filename instances in case we decide to
change/shorten to "scapguide"
added new CPE dictionary file (with fields that are adjusted by
cpe_generate.py script during the ID/filename "linking" phase)
new script to create CPE files * the script creates a cpe-oval
file from inventory definitions, links it to cpe-dictionary file
RHEL6/Makefile | 26 +++--
RHEL6/input/checks/installed_OS_is_rhel6.xml | 36 +++---
.../input/checks/platform/rhel6-cpe-dictionary.xml | 10 ++
RHEL6/transforms/cpe_generate.py | 109 ++++++++++++++++++++
4 files changed, 153 insertions(+), 28 deletions(-)
create mode 100644 RHEL6/input/checks/platform/rhel6-cpe-dictionary.xml
create mode 100755 RHEL6/transforms/cpe_generate.py
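The extraction step the cover letter describes, as an added example that is not the project's cpe_generate.py: it copies the inventory-class definitions (with the tests, objects and states they reference) out of an OVAL document and fills the `<check>` element of each cpe-dictionary template entry with the cpe-oval filename and definition id. The sample OVAL, the template placeholders, the `oval:ssg:*` ids and the `rhel6-cpe-oval.xml` filename are constructed assumptions.

```python
"""Added example (not the project's cpe_generate.py): copy the inventory-class
definitions, plus the tests/objects/states they reference, out of an OVAL file
and point a cpe-dictionary template at the result.  All IDs and XML are constructed."""
import copy
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
LINUX_NS = OVAL_NS + "#linux"
CPE_NS = "http://cpe.mitre.org/dictionary/2.0"
SECTIONS = ("definitions", "tests", "objects", "states")
for _prefix, _uri in (("oval", OVAL_NS), ("lin", LINUX_NS), ("cpe-dict", CPE_NS)):
    ET.register_namespace(_prefix, _uri)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)  # Clark notation for ElementTree lookups


def _inventory_tree(root):
    by_id = {}  # every id-bearing element in the four sections
    for section in SECTIONS:
        sec = root.find(_q(OVAL_NS, section))
        for el in ([] if sec is None else sec):
            by_id[el.get("id")] = (section, el)
    wanted = set()  # ids reachable from inventory definitions
    todo = [d.get("id") for d in root.iter(_q(OVAL_NS, "definition"))
            if d.get("class") == "inventory"]
    while todo:
        ref = todo.pop()
        if ref in wanted or ref not in by_id:
            continue
        wanted.add(ref)
        section, el = by_id[ref]
        if section == "definitions":  # criteria reference tests and other defs
            todo += [c.get("test_ref") for c in el.iter(_q(OVAL_NS, "criterion"))]
            todo += [e.get("definition_ref")
                     for e in el.iter(_q(OVAL_NS, "extend_definition"))]
        elif section == "tests":  # object/state children carry the next refs
            todo += [c.get("object_ref") or c.get("state_ref") for c in el]
    out = ET.Element(_q(OVAL_NS, "oval_definitions"))
    for section in SECTIONS:  # keep source order inside each section
        sec = root.find(_q(OVAL_NS, section))
        items = [el for el in ([] if sec is None else sec) if el.get("id") in wanted]
        if items:
            ET.SubElement(out, _q(OVAL_NS, section)).extend(
                [copy.deepcopy(el) for el in items])
    return out


def extract_inventory(oval_xml):  # serialized cpe-oval document
    return ET.tostring(_inventory_tree(ET.fromstring(oval_xml)), encoding="unicode")


def inventory_definition_ids(oval_xml):  # inventory definition ids, document order
    return [d.get("id") for d in ET.fromstring(oval_xml).iter(_q(OVAL_NS, "definition"))
            if d.get("class") == "inventory"]


def build_cpe_dictionary(template_xml, oval_filename, definition_ids):
    """Point each cpe-item's <check> at oval_filename and its inventory definition."""
    root = ET.fromstring(template_xml)
    items = root.findall(_q(CPE_NS, "cpe-item"))
    if len(items) != len(definition_ids):  # silently mis-linking platforms is worse
        raise ValueError("cpe-item count does not match inventory definition count")
    for item, def_id in zip(items, definition_ids):
        check = item.find(_q(CPE_NS, "check"))
        if check is None:
            check = ET.SubElement(item, _q(CPE_NS, "check"))
        check.set("system", OVAL_NS)
        check.set("href", oval_filename)
        check.text = def_id
    return ET.tostring(root, encoding="unicode")


# Constructed input: one inventory definition and one unrelated compliance definition,
# so a correct extraction keeps def/tst/obj/ste 1 and drops everything numbered 2.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:lin="%s"><definitions>
<definition id="oval:ssg:def:1" class="inventory" version="1"><metadata>
<title>RHEL 6 is installed</title></metadata><criteria>
<criterion test_ref="oval:ssg:tst:1" comment="release rpm"/></criteria></definition>
<definition id="oval:ssg:def:2" class="compliance" version="1"><metadata>
<title>telnet-server removed</title></metadata><criteria>
<criterion test_ref="oval:ssg:tst:2" comment="no telnet rpm"/></criteria></definition>
</definitions><tests>
<lin:rpminfo_test id="oval:ssg:tst:1" check="all" version="1" comment="release">
<lin:object object_ref="oval:ssg:obj:1"/><lin:state state_ref="oval:ssg:ste:1"/></lin:rpminfo_test>
<lin:rpminfo_test id="oval:ssg:tst:2" check="none satisfy" version="1" comment="telnet">
<lin:object object_ref="oval:ssg:obj:2"/></lin:rpminfo_test></tests><objects>
<lin:rpminfo_object id="oval:ssg:obj:1" version="1"><lin:name>redhat-release-server</lin:name></lin:rpminfo_object>
<lin:rpminfo_object id="oval:ssg:obj:2" version="1"><lin:name>telnet-server</lin:name></lin:rpminfo_object>
</objects><states>
<lin:rpminfo_state id="oval:ssg:ste:1" version="1"><lin:version operation="pattern match">^6</lin:version></lin:rpminfo_state>
</states></oval_definitions>""" % (OVAL_NS, LINUX_NS)

# Constructed template: the two placeholders are what the generator fills in.
SAMPLE_TEMPLATE = """<cpe-list xmlns="%s"><cpe-item name="cpe:/o:redhat:enterprise_linux:6">
<title xml:lang="en-US">Red Hat Enterprise Linux 6</title>
<check system="%s" href="OVAL_FILENAME">OVAL_DEF_ID</check></cpe-item></cpe-list>""" % (CPE_NS, OVAL_NS)

if __name__ == "__main__":
    ids = inventory_definition_ids(SAMPLE_OVAL)
    print(extract_inventory(SAMPLE_OVAL))
    print(build_cpe_dictionary(SAMPLE_TEMPLATE, "rhel6-cpe-oval.xml", ids))
```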
[PATCH] Added prose regarding netrc files
by Willy Santos
Added prose regarding netrc files. Tracked in ticket #88.
Willy Santos (1):
Added prose regarding netrc files. trac ticket #88.
.../accounts/restrictions/password_storage.xml | 24 +++++++++++++++++++-
1 files changed, 23 insertions(+), 1 deletions(-)
--
1.7.7.6