September 2012 - scap-security-guide

by Peter Vrabec

Hi all, I have found that If I validate OVAL results by schematron rules: $ oscap oval validate-xml --results --schematron rhel6-oval-scap-security-guide.xml.result.xml I get two types of errors: oval:scap-security-guide:tst:960 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:959 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:811 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:787 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:786 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:359 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:267 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:221 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:tst:1085 - No state should be referenced when check_existence has a value of 'none_exist'. oval:scap-security-guide:var:2663 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2655 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2651 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2649 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2648 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2644 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2636 - inconsistent datatype between the variable and an associated var_ref oval:scap-security-guide:var:2629 - inconsistent datatype between the variable and an associated var_ref Peter.

11 years, 7 months

2
3
0 / 0

[PATCH] Minor regexp correction in wireless_disable_drivers.xml

by Willem Bos

Hi All, The missing '^' in the regexp makes oscap 0.8.0 (from the RHEL6 repo) scan the whole filesystem. Credits to Gary Gapinsky for the quick fix. Jeffrey suggested replacing the check by a version that would advice disabling the driver in /etc/modules.conf (see the 'oscap hangs on wireless_disable_drivers.xml' thread). I'm not familiar with a robust way to determine the presence of such a NIC without using specialized utilities that might not be installed on the system. I did a `grep net/wireless /lib/modules/$(uname -r)/modules.dep` to see if all wireless drivers maybe shared a common dependency but this is not the case. Also, I queried the device using udevadm for attributes unique to wireless cards but could not see anything obvious : udevadm info --path=/sys/class/net/wlan0 --attribute-walk looking at device '/devices/pci0000:00/0000:00:1c.1/0000:02:00.0/bcma0:0/net/wlan0': KERNEL=="wlan0" SUBSYSTEM=="net" DRIVER=="" ATTR{addr_assign_type}=="0" ATTR{addr_len}=="6" ATTR{dev_id}=="0x0" ATTR{ifalias}=="" ATTR{iflink}=="2" ATTR{ifindex}=="2" ATTR{type}=="1" ATTR{link_mode}=="1" ATTR{address}=="b8:8d:12:08:14:ea" ATTR{broadcast}=="ff:ff:ff:ff:ff:ff" ATTR{carrier}=="1" ATTR{dormant}=="0" ATTR{operstate}=="up" ATTR{mtu}=="1500" ATTR{flags}=="0x1003" ATTR{tx_queue_len}=="1000" ATTR{netdev_group}=="0" udevadm info --path=/sys/class/net/eth0 --attribute-walk looking at device '/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/eth0': KERNEL=="eth0" SUBSYSTEM=="net" DRIVER=="" ATTR{addr_assign_type}=="0" ATTR{addr_len}=="6" ATTR{dev_id}=="0x0" ATTR{ifalias}=="" ATTR{iflink}=="2" ATTR{ifindex}=="2" ATTR{features}=="0x118ba9" ATTR{type}=="1" ATTR{link_mode}=="0" ATTR{address}=="00:50:56:b5:00:12" ATTR{broadcast}=="ff:ff:ff:ff:ff:ff" ATTR{carrier}=="1" ATTR{speed}=="10000" ATTR{duplex}=="full" ATTR{dormant}=="0" ATTR{operstate}=="unknown" ATTR{mtu}=="1500" ATTR{flags}=="0x1003" ATTR{tx_queue_len}=="1000" If anyone can give me a suggestion I'd be happy to spend more time on it. Regards, Willem. --- RHEL6/input/checks/wireless_disable_drivers.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/checks/wireless_disable_drivers.xml b/RHEL6/input/checks/wireless_disable_drivers.xml index 9760f7c..129b308 100644 --- a/RHEL6/input/checks/wireless_disable_drivers.xml +++ b/RHEL6/input/checks/wireless_disable_drivers.xml @@ -21,7 +21,7 @@ </unix:file_test> <unix:file_object comment="all local files" id="object_wireless_disable_drivers" version="1"> - <unix:path operation="pattern match">/lib/modules/.*/kernel/drivers/net/wireless</unix:path> + <unix:path operation="pattern match">^/lib/modules/.*/kernel/drivers/net/wireless</unix:path> <unix:filename operation="pattern match">.*</unix:filename> </unix:file_object> </def-group> -- 1.7.1

11 years, 7 months

2
2
0 / 0

[PATCH] Use mode 0 for gshadow file

by Kenneth Stailey

From: Kenneth Stailey <kstailey.lists(a)gmail.com> Second try as changes that went in ahread of this fixed the perms on /etc/shadow but not /etc/gshadow. Kenneth Stailey (1): Use mode 0 for gshadow file .../input/checks/file_permissions_etc_gshadow.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)

11 years, 7 months

2
7
0 / 0

[PATCH 0/3] manual checks (and OCIL?) now/soon, new macros

by Jeffrey Blank

This commitset provides a way for us to include manual checking ("auditing" as some call it) for settings compliance with each Rule. The patch should make it clear what the general idea is. As with the rest of the project, the input format (in this case, new <ocil> tags) is designed to allow for authoring ease and require the author only to provide the necessary information. Transforms should take care of putting this information into whatever format the specification (or a customer) requires. Note that we do not yet have proper OCIL output here, just a start at formatting/providing it inline with the XCCDF document. Jeffrey Blank (3): added proposed new "<ocil>" tags to contain manual check information. * these also use new macros for disabling services and checking partitioning use of new macros for disk partition checking, minor language updates support for handling new <ocil> tags for manual check info * also, support for displaying this manual check information in tables * definitions of new macros to make developing easier RHEL6/input/services/avahi.xml | 1 + RHEL6/input/services/base.xml | 25 +++++++++++++ RHEL6/input/services/cron.xml | 2 + RHEL6/input/services/dns.xml | 1 + RHEL6/input/services/http.xml | 1 + RHEL6/input/services/obsolete.xml | 7 ++++ RHEL6/input/services/printing.xml | 1 + RHEL6/input/services/smb.xml | 1 + RHEL6/input/system/software/disk_partitioning.xml | 41 ++++++++++++--------- RHEL6/transforms/constants.xslt | 1 + RHEL6/transforms/relabelids.py | 6 ++- RHEL6/transforms/shorthand2xccdf.xslt | 38 +++++++++++++++++++- RHEL6/transforms/xccdf2table-profileccirefs.xslt | 7 ++++ 13 files changed, 111 insertions(+), 21 deletions(-)

11 years, 7 months

2
6
0 / 0

[PATCH] Included Manual steps for /tmp checks Sanity checks against, "fix text" (for manual command line checks).

by Michael J. McConachie

11 years, 7 months

2
4
0 / 0

/etc/shadow and gshadow mode 0400 or 0?

by Kenneth Stailey

Hi, RHEL5 ships with /etc/shadow and gshadow set to mode 0400 while RHEL 6 uses mode 0 for those two files. CCE-3932-1 and CCE-4130-1 require mode 0400. Changing RHEL 6 to use 0400 causes CCE-14931 (verify files against RPM database) to flag /etc/shadow and gshadow as modified. Is it better to change /etc/shadow and gshadow to 0400 or use the mode 0 that the files are distributed from Red Hat with? Thanks

11 years, 7 months

6
9
0 / 0

[PATCH 0/7] many minor changes, CCE removal from OVAL

by Jeffrey Blank

The changes in this patchset (visible here) are minor/helpful -- however the "missing" patch 4 is the removal of CCE references from the OVAL content (which at 325K) I did not want to send out. We discussed the removal of those CCEs before I did it, but now know that it will come with this push (if an ACK is forthcoming). Jeffrey Blank (7): added argument to output oval-results file * this will help avoid future issues with invalid output/input removed files which are either obsolete or are/will be created through different mechanisms added OVAL files which are now created through template removed CCE references from OVAL content added xslt template to automatically insert current date into XCCDF * easier than manually inserting date? added support to automatically add reference to OVAL definitions * to document their true origin, ease some debugging content editing for permissions section, fixups for title style * my voyage through the content revealed to me how much other content editing is still needed .../checks/accounts_dangerous_path_for_root.xml | 1 - .../checks/accounts_disable_post_pw_expiration.xml | 1 - .../accounts_max_concurrent_login_sessions.xml | 1 - .../checks/accounts_maximum_age_login_defs.xml | 1 - .../checks/accounts_minimum_age_login_defs.xml | 1 - RHEL6/input/checks/accounts_no_empty_passwords.xml | 1 - .../accounts_no_nis_inclusions_etc_group.xml | 1 - .../accounts_no_nis_inclusions_etc_passwd.xml | 1 - .../accounts_no_nis_inclusions_etc_shadow.xml | 1 - RHEL6/input/checks/accounts_no_uid_except_zero.xml | 1 - RHEL6/input/checks/accounts_nologin_for_system.xml | 1 - RHEL6/input/checks/accounts_pam_no_nullok.xml | 1 - .../checks/accounts_password_all_shadowed.xml | 1 - .../checks/accounts_password_hashing_algorithm.xml | 1 - .../checks/accounts_password_minlen_login_defs.xml | 1 - .../accounts_password_pam_cracklib_dcredit.xml | 1 - .../accounts_password_pam_cracklib_difok.xml | 1 - .../accounts_password_pam_cracklib_lcredit.xml | 1 - .../accounts_password_pam_cracklib_ocredit.xml | 1 - .../accounts_password_pam_cracklib_retry.xml | 1 - .../accounts_password_pam_cracklib_ucredit.xml | 1 - .../input/checks/accounts_password_reuse_limit.xml | 1 - .../accounts_password_warn_age_login_defs.xml | 1 - .../accounts_passwords_pam_faillock_deny.xml | 1 - .../checks/accounts_passwords_pam_tally2_deny.xml | 1 - .../checks/accounts_root_path_dirs_no_write.xml | 1 - RHEL6/input/checks/accounts_su_wheel_only.xml | 1 - RHEL6/input/checks/accounts_umask_bash_users.xml | 1 - RHEL6/input/checks/accounts_umask_csh.xml | 1 - RHEL6/input/checks/accounts_umask_etc_profile.xml | 1 - RHEL6/input/checks/accounts_umask_login_defs.xml | 1 - RHEL6/input/checks/accounts_wheel_exists.xml | 1 - .../input/checks/audit_rules_dac_modification.xml | 1 - .../checks/audit_rules_dac_modification_chmod.xml | 1 - .../checks/audit_rules_dac_modification_chown.xml | 1 - .../checks/audit_rules_dac_modification_fchmod.xml | 1 - .../audit_rules_dac_modification_fchmodat.xml | 1 - .../checks/audit_rules_dac_modification_fchown.xml | 1 - .../audit_rules_dac_modification_fchownat.xml | 1 - .../audit_rules_dac_modification_fremovexattr.xml | 1 - .../audit_rules_dac_modification_fsetxattr.xml | 1 - .../checks/audit_rules_dac_modification_lchown.xml | 1 - .../audit_rules_dac_modification_lremovexattr.xml | 1 - .../audit_rules_dac_modification_lsetxattr.xml | 1 - .../audit_rules_dac_modification_removexattr.xml | 1 - .../audit_rules_dac_modification_setxattr.xml | 1 - .../checks/audit_rules_file_deletion_events.xml | 1 - RHEL6/input/checks/audit_rules_immutable.xml | 1 - .../checks/audit_rules_kernel_module_loading.xml | 1 - RHEL6/input/checks/audit_rules_login_events.xml | 1 - .../input/checks/audit_rules_mac_modification.xml | 1 - RHEL6/input/checks/audit_rules_media_export.xml | 1 - .../audit_rules_networkconfig_modification.xml | 1 - .../checks/audit_rules_privileged_commands.xml | 1 - .../input/checks/audit_rules_record_timechange.xml | 1 - RHEL6/input/checks/audit_rules_session_events.xml | 1 - .../input/checks/audit_rules_sysadmin_actions.xml | 1 - RHEL6/input/checks/audit_rules_time_adjtimex.xml | 1 - .../checks/audit_rules_time_clock_settime.xml | 1 - .../input/checks/audit_rules_time_settimeofday.xml | 1 - RHEL6/input/checks/audit_rules_time_stime.xml | 1 - .../checks/audit_rules_time_watch_localtime.xml | 1 - .../audit_rules_unsuccessful_file_modification.xml | 1 - .../checks/audit_rules_usergroup_modification.xml | 1 - .../auditd_data_retention_action_mail_acct.xml | 1 - ...ditd_data_retention_admin_space_left_action.xml | 1 - .../checks/auditd_data_retention_max_log_file.xml | 1 - .../auditd_data_retention_max_log_file_action.xml | 1 - .../checks/auditd_data_retention_num_logs.xml | 1 - .../auditd_data_retention_space_left_action.xml | 1 - RHEL6/input/checks/banner_etc_issue.xml | 1 - RHEL6/input/checks/banner_gui_enabled.xml | 1 - RHEL6/input/checks/banner_gui_gdm.xml | 1 - RHEL6/input/checks/bootloader_audit_argument.xml | 1 - RHEL6/input/checks/bootloader_nousb_argument.xml | 1 - RHEL6/input/checks/bootloader_password.xml | 1 - .../console_device_restrict_access_desktop.xml | 1 - .../console_device_restrict_access_server.xml | 1 - .../checks/core_dump_suid_progs_limits_conf.xml | 1 - RHEL6/input/checks/core_dumps_limitsconf.xml | 1 - RHEL6/input/checks/cups_disable_browsing.xml | 1 - RHEL6/input/checks/cups_disable_printserver.xml | 1 - RHEL6/input/checks/cups_limit_browsing.xml | 1 - .../checks/cups_limit_browsing_browseaddress.xml | 1 - .../checks/cups_limit_browsing_browsedenyallow.xml | 1 - RHEL6/input/checks/cups_limit_web_interface.xml | 1 - RHEL6/input/checks/dir_perms_etc_httpd_conf.xml | 1 - RHEL6/input/checks/dir_perms_var_log_httpd.xml | 1 - .../dir_perms_world_writable_sticky_bits.xml | 1 - .../dir_perms_world_writable_system_owned.xml | 1 - .../checks/dovecot_disable_plaintext_auth.xml | 1 - RHEL6/input/checks/dovecot_enable_ssl.xml | 1 - .../input/checks/file_group_owner_etc_crontab.xml | 1 - RHEL6/input/checks/file_group_owner_grub_conf.xml | 1 - RHEL6/input/checks/file_groupowner_etc_group.xml | 1 - RHEL6/input/checks/file_groupowner_etc_gshadow.xml | 1 - RHEL6/input/checks/file_groupowner_etc_passwd.xml | 1 - RHEL6/input/checks/file_groupowner_etc_shadow.xml | 1 - .../checks/file_groupowner_ldap_server_bdb.xml | 1 - .../checks/file_groupowner_ldap_server_files.xml | 1 - RHEL6/input/checks/file_mode_etc_crontab.xml | 1 - RHEL6/input/checks/file_owner_etc_group.xml | 1 - RHEL6/input/checks/file_owner_etc_gshadow.xml | 1 - RHEL6/input/checks/file_owner_etc_passwd.xml | 1 - RHEL6/input/checks/file_owner_etc_shadow.xml | 1 - RHEL6/input/checks/file_owner_ldap_server_bdb.xml | 1 - .../input/checks/file_owner_ldap_server_files.xml | 1 - RHEL6/input/checks/file_ownership_etc_skel.xml | 1 - .../input/checks/file_ownership_samba_password.xml | 1 - .../input/checks/file_ownership_var_log_audit.xml | 1 - .../file_permissions_boot_grub_grub_conf.xml | 46 +++++++++ .../input/checks/file_permissions_etc_at_allow.xml | 37 ------- RHEL6/input/checks/file_permissions_etc_group.xml | 1 - .../input/checks/file_permissions_etc_gshadow.xml | 1 - RHEL6/input/checks/file_permissions_etc_passwd.xml | 58 ++++++----- RHEL6/input/checks/file_permissions_etc_shadow.xml | 58 ++++++----- RHEL6/input/checks/file_permissions_etc_skel.xml | 1 - RHEL6/input/checks/file_permissions_grub_conf.xml | 1 - RHEL6/input/checks/file_permissions_home_dirs.xml | 1 - .../file_permissions_httpd_server_conf_files.xml | 1 - .../checks/file_permissions_ldap_server_bdb.xml | 1 - .../checks/file_permissions_ldap_server_files.xml | 1 - .../checks/file_permissions_samba_password.xml | 1 - .../checks/file_permissions_unauthorized_sgid.xml | 1 - .../checks/file_permissions_unauthorized_suid.xml | 1 - ...ile_permissions_unauthorized_world_writable.xml | 1 - .../input/checks/file_permissions_ungroupowned.xml | 1 - RHEL6/input/checks/file_permissions_unowned.xml | 1 - .../checks/file_permissions_var_log_audit.xml | 1 - .../input/checks/file_permissions_var_log_cron.xml | 46 +++++++++ .../file_ssh_host_keys_private_permissions.xml | 1 - .../file_ssh_host_keys_public_permissions.xml | 1 - RHEL6/input/checks/file_user_owner_etc_crontab.xml | 1 - RHEL6/input/checks/file_user_owner_grub_conf.xml | 1 - .../input/checks/gconf_gnome_disable_automount.xml | 1 - ...f_gnome_screensaver_idle_activation_enabled.xml | 1 - .../checks/gconf_gnome_screensaver_idle_delay.xml | 1 - .../gconf_gnome_screensaver_lock_enabled.xml | 1 - .../checks/gconf_gnome_screensaver_mode_blank.xml | 1 - RHEL6/input/checks/interactive_boot_disable.xml | 1 - RHEL6/input/checks/iptables_avahi_disabled.xml | 1 - RHEL6/input/checks/iptables_cupsd_disabled.xml | 1 - .../input/checks/iptables_default_policy_drop.xml | 1 - RHEL6/input/checks/iptables_icmp_disabled.xml | 1 - RHEL6/input/checks/iptables_ldap_enabled.xml | 1 - RHEL6/input/checks/iptables_smtp_enabled.xml | 1 - RHEL6/input/checks/iptables_sshd_disabled.xml | 1 - .../checks/kernel_module_bluetooth_disabled.xml | 1 - .../input/checks/kernel_module_cramfs_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_dccp_disabled.xml | 3 +- .../checks/kernel_module_freevxfs_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_hfs_disabled.xml | 3 +- .../checks/kernel_module_hfsplus_disabled.xml | 3 +- .../checks/kernel_module_ipv6_option_disabled.xml | 1 - .../input/checks/kernel_module_jffs2_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_rds_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_sctp_disabled.xml | 16 ++- .../checks/kernel_module_squashfs_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_tipc_disabled.xml | 3 +- RHEL6/input/checks/kernel_module_udf_disabled.xml | 3 +- .../checks/kernel_module_usb-storage_disabled.xml | 3 +- .../input/checks/ldap_client_pam_ldap_present.xml | 1 - RHEL6/input/checks/ldap_client_start_tls.xml | 1 - RHEL6/input/checks/ldap_client_tls_cacertpath.xml | 1 - .../ldap_server_config_bdb_file_security.xml | 1 - .../ldap_server_config_certificate_files.xml | 1 - .../ldap_server_config_certificate_usage.xml | 1 - .../ldap_server_config_directory_file_security.xml | 1 - RHEL6/input/checks/ldap_server_config_logging.xml | 1 - .../input/checks/ldap_server_config_olcaccess.xml | 1 - .../input/checks/ldap_server_config_olcrootpw.xml | 1 - .../ldap_server_config_olcsecurity_simple_bind.xml | 1 - .../checks/ldap_server_config_olcsecurity_tls.xml | 1 - .../input/checks/ldap_server_config_olcsuffix.xml | 1 - .../ldap_server_config_olctlsciphersuite.xml | 1 - RHEL6/input/checks/libuser_login_defs_import.xml | 1 - RHEL6/input/checks/logrotate_rotate_all_files.xml | 1 - .../input/checks/logwatch_configured_hostlimit.xml | 1 - .../checks/logwatch_configured_splithosts.xml | 1 - RHEL6/input/checks/mount_home_own_partition.xml | 1 - RHEL6/input/checks/mount_option_dev_shm_nodev.xml | 1 - RHEL6/input/checks/mount_option_dev_shm_noexec.xml | 1 - RHEL6/input/checks/mount_option_dev_shm_nosuid.xml | 1 - ...mount_option_nodev_nonroot_local_partitions.xml | 1 - RHEL6/input/checks/mount_option_nodev_on_tmp.xml | 1 - .../mount_option_nodev_remote_filesystems.xml | 1 - .../mount_option_nodev_removable_partitions.xml | 1 - .../mount_option_noexec_removable_partitions.xml | 1 - .../mount_option_nosuid_remote_filesystems.xml | 1 - .../mount_option_nosuid_removable_partitions.xml | 1 - .../checks/mount_option_smb_client_signing.xml | 1 - RHEL6/input/checks/mount_option_tmp_nodev.xml | 1 - RHEL6/input/checks/mount_option_tmp_noexec.xml | 1 - RHEL6/input/checks/mount_option_tmp_nosuid.xml | 1 - RHEL6/input/checks/mount_option_var_tmp_bind.xml | 1 - RHEL6/input/checks/mount_tmp_own_partition.xml | 1 - .../checks/mount_var_log_audit_own_partition.xml | 1 - RHEL6/input/checks/mount_var_log_own_partition.xml | 1 - RHEL6/input/checks/mount_var_own_partition.xml | 1 - .../input/checks/network_ipv6_default_gateway.xml | 1 - .../checks/network_ipv6_disable_interfaces.xml | 1 - RHEL6/input/checks/network_ipv6_disable_rpc.xml | 1 - RHEL6/input/checks/network_ipv6_limit_requests.xml | 7 -- .../checks/network_ipv6_privacy_extensions.xml | 1 - RHEL6/input/checks/network_ipv6_static_address.xml | 1 - RHEL6/input/checks/network_sniffer_disabled.xml | 1 - RHEL6/input/checks/no_rsh_trusted_host_files.xml | 1 - RHEL6/input/checks/ntp_remote_server.xml | 1 - RHEL6/input/checks/package_abrt_removed.xml | 3 +- RHEL6/input/checks/package_acpid_removed.xml | 3 +- RHEL6/input/checks/package_aide_installed.xml | 3 +- RHEL6/input/checks/package_at_removed.xml | 3 +- RHEL6/input/checks/package_audit_installed.xml | 3 +- RHEL6/input/checks/package_autofs_removed.xml | 3 +- RHEL6/input/checks/package_bind_removed.xml | 3 +- RHEL6/input/checks/package_certmonger_removed.xml | 3 +- RHEL6/input/checks/package_cpuspeed_removed.xml | 3 +- .../checks/package_cronie-anacron_removed.xml | 3 +- RHEL6/input/checks/package_cronie_installed.xml | 3 +- RHEL6/input/checks/package_cups_removed.xml | 3 +- RHEL6/input/checks/package_cyrus-sasl_removed.xml | 3 +- RHEL6/input/checks/package_dbus_removed.xml | 3 +- RHEL6/input/checks/package_dhcp_removed.xml | 3 +- RHEL6/input/checks/package_dhcpd_removed.xml | 26 +++--- RHEL6/input/checks/package_dovecot_removed.xml | 3 +- RHEL6/input/checks/package_hal_removed.xml | 3 +- RHEL6/input/checks/package_httpd_removed.xml | 3 +- .../input/checks/package_initscripts_installed.xml | 1 - .../input/checks/package_ipsec-tools_installed.xml | 3 +- .../checks/package_iptables-ipv6_installed.xml | 3 +- RHEL6/input/checks/package_iptables_installed.xml | 3 +- RHEL6/input/checks/package_iputils_removed.xml | 20 ++-- RHEL6/input/checks/package_irda-utils_removed.xml | 3 +- .../input/checks/package_irqbalance_installed.xml | 3 +- .../input/checks/package_isdn4k-utils_removed.xml | 3 +- RHEL6/input/checks/package_kexec-tools_removed.xml | 3 +- RHEL6/input/checks/package_libcgroup_removed.xml | 3 +- RHEL6/input/checks/package_lvm2_installed.xml | 3 +- RHEL6/input/checks/package_mdadm_removed.xml | 3 +- RHEL6/input/checks/package_net-snmp_removed.xml | 3 +- RHEL6/input/checks/package_nfs-utils_removed.xml | 3 +- RHEL6/input/checks/package_ntp_installed.xml | 3 +- RHEL6/input/checks/package_ntpdate_installed.xml | 3 +- RHEL6/input/checks/package_oddjob_removed.xml | 3 +- .../checks/package_openldap-servers_installed.xml | 4 +- .../checks/package_openldap-servers_removed.xml | 8 +- RHEL6/input/checks/package_openldap_removed.xml | 3 +- .../checks/package_openssh-server_removed.xml | 3 +- RHEL6/input/checks/package_openswan_installed.xml | 3 +- RHEL6/input/checks/package_pam_ccreds_removed.xml | 27 ----- RHEL6/input/checks/package_pam_ldap_removed.xml | 11 +- .../checks/package_policycoreutils_installed.xml | 3 +- RHEL6/input/checks/package_portreserve_removed.xml | 3 +- RHEL6/input/checks/package_postfix_installed.xml | 3 +- RHEL6/input/checks/package_psacct_installed.xml | 3 +- .../checks/package_qpid-cpp-server_removed.xml | 1 - RHEL6/input/checks/package_quota_removed.xml | 3 +- .../input/checks/package_rhn_gpgkey_installed.xml | 28 +++--- RHEL6/input/checks/package_rhnsd_removed.xml | 3 +- RHEL6/input/checks/package_rpcbind_removed.xml | 3 +- RHEL6/input/checks/package_rsh-server_removed.xml | 3 +- RHEL6/input/checks/package_rsh_removed.xml | 3 +- RHEL6/input/checks/package_rsyslog_installed.xml | 3 +- .../input/checks/package_samba-common_removed.xml | 3 +- RHEL6/input/checks/package_samba_removed.xml | 3 +- RHEL6/input/checks/package_sendmail_removed.xml | 3 +- .../input/checks/package_smartmontools_removed.xml | 3 +- RHEL6/input/checks/package_squid_removed.xml | 3 +- RHEL6/input/checks/package_sssd_removed.xml | 3 +- .../package_subscription-manager_removed.xml | 1 - RHEL6/input/checks/package_sysstat_removed.xml | 3 +- RHEL6/input/checks/package_talk-server_removed.xml | 3 +- RHEL6/input/checks/package_talk_removed.xml | 3 +- .../input/checks/package_telnet-server_removed.xml | 3 +- RHEL6/input/checks/package_tftp-server_removed.xml | 3 +- RHEL6/input/checks/package_vlock_installed.xml | 24 ++--- RHEL6/input/checks/package_vlock_removed.xml | 3 +- RHEL6/input/checks/package_vsftpd_installed.xml | 8 +- RHEL6/input/checks/package_vsftpd_removed.xml | 3 +- RHEL6/input/checks/package_xinetd_removed.xml | 3 +- .../package_xorg-x11-server-common_removed.xml | 1 - RHEL6/input/checks/package_ypbind_removed.xml | 3 +- RHEL6/input/checks/package_ypserv_removed.xml | 3 +- RHEL6/input/checks/postfix_certificate_files.xml | 1 - RHEL6/input/checks/postfix_logging.xml | 1 - .../checks/postfix_network_listening_disabled.xml | 1 - RHEL6/input/checks/postfix_server_banner.xml | 1 - .../checks/postfix_server_denial_of_service.xml | 1 - ...tfix_server_mail_relay_for_trusted_networks.xml | 1 - ...server_mail_relay_require_tls_for_smtp_auth.xml | 1 - ...tfix_server_mail_relay_set_trusted_networks.xml | 1 - ...mail_relay_smtp_auth_for_untrusted_networks.xml | 1 - RHEL6/input/checks/rpm_verify_hashes.xml | 1 - RHEL6/input/checks/rpm_verify_permissions.xml | 1 - .../checks/rsyslog_files_exist_permissions.xml | 1 - .../input/checks/rsyslog_files_groupownership.xml | 1 - RHEL6/input/checks/rsyslog_files_ownership.xml | 1 - RHEL6/input/checks/rsyslog_files_permissions.xml | 1 - RHEL6/input/checks/rsyslog_nolisten.xml | 1 - RHEL6/input/checks/rsyslog_remote_loghost.xml | 1 - RHEL6/input/checks/securetty_no_serial.xml | 1 - .../checks/securetty_root_login_console_only.xml | 1 - .../checks/selinux_all_devicefiles_labeled.xml | 1 - .../checks/selinux_bootloader_notdisabled.xml | 1 - RHEL6/input/checks/selinux_mode.xml | 1 - RHEL6/input/checks/selinux_policytype.xml | 1 - RHEL6/input/checks/service_abrtd_disabled.xml | 1 - RHEL6/input/checks/service_acpid_disabled.xml | 1 - RHEL6/input/checks/service_atd_disabled.xml | 1 - RHEL6/input/checks/service_auditd_enabled.xml | 1 - RHEL6/input/checks/service_autofs_disabled.xml | 1 - .../input/checks/service_avahi-daemon_disabled.xml | 1 - RHEL6/input/checks/service_bluetooth_disabled.xml | 1 - RHEL6/input/checks/service_certmonger_disabled.xml | 1 - RHEL6/input/checks/service_cgconfig_disabled.xml | 1 - RHEL6/input/checks/service_cgred_disabled.xml | 1 - RHEL6/input/checks/service_cpuspeed_disabled.xml | 1 - RHEL6/input/checks/service_crond_enabled.xml | 1 - RHEL6/input/checks/service_cups_disabled.xml | 1 - RHEL6/input/checks/service_dhcpd_disabled.xml | 1 - RHEL6/input/checks/service_dovecot_disabled.xml | 1 - RHEL6/input/checks/service_haldaemon_disabled.xml | 1 - RHEL6/input/checks/service_httpd_disabled.xml | 1 - RHEL6/input/checks/service_ip6tables_enabled.xml | 1 - RHEL6/input/checks/service_iptables_enabled.xml | 1 - RHEL6/input/checks/service_irqbalance_enabled.xml | 1 - RHEL6/input/checks/service_isdn_disabled.xml | 1 - RHEL6/input/checks/service_kdump_disabled.xml | 1 - .../input/checks/service_lvm2-monitor_enabled.xml | 1 - RHEL6/input/checks/service_mcstrans_disabled.xml | 1 - RHEL6/input/checks/service_mdmonitor_disabled.xml | 1 - RHEL6/input/checks/service_messagebus_disabled.xml | 1 - RHEL6/input/checks/service_named_disabled.xml | 1 - RHEL6/input/checks/service_netconsole_disabled.xml | 1 - RHEL6/input/checks/service_netfs_disabled.xml | 1 - RHEL6/input/checks/service_network_enabled.xml | 1 - RHEL6/input/checks/service_nfs_disabled.xml | 1 - RHEL6/input/checks/service_nfslock_disabled.xml | 1 - RHEL6/input/checks/service_ntpd_enabled.xml | 1 - RHEL6/input/checks/service_ntpdate_enabled.xml | 103 -------------------- RHEL6/input/checks/service_oddjobd_disabled.xml | 1 - .../input/checks/service_portreserve_disabled.xml | 1 - RHEL6/input/checks/service_postfix_enabled.xml | 1 - RHEL6/input/checks/service_psacct_enabled.xml | 1 - RHEL6/input/checks/service_qpidd_disabled.xml | 7 +- RHEL6/input/checks/service_quota_nld_disabled.xml | 1 - RHEL6/input/checks/service_rdisc_disabled.xml | 1 - RHEL6/input/checks/service_restorecond_enabled.xml | 1 - RHEL6/input/checks/service_rexec_disabled.xml | 1 - RHEL6/input/checks/service_rhnsd_disabled.xml | 1 - RHEL6/input/checks/service_rhsmcertd_disabled.xml | 1 - RHEL6/input/checks/service_rlogin_disabled.xml | 1 - RHEL6/input/checks/service_rpcbind_disabled.xml | 1 - RHEL6/input/checks/service_rpcgssd_disabled.xml | 1 - RHEL6/input/checks/service_rpcidmapd_disabled.xml | 1 - RHEL6/input/checks/service_rpcsvcgssd_disabled.xml | 1 - RHEL6/input/checks/service_rsh_disabled.xml | 1 - RHEL6/input/checks/service_rsyslog_enabled.xml | 1 - RHEL6/input/checks/service_saslauthd_disabled.xml | 1 - RHEL6/input/checks/service_sendmail_disabled.xml | 1 - RHEL6/input/checks/service_smartd_disabled.xml | 1 - RHEL6/input/checks/service_smb_disabled.xml | 1 - RHEL6/input/checks/service_snmpd_disabled.xml | 1 - RHEL6/input/checks/service_squid_disabled.xml | 1 - RHEL6/input/checks/service_sshd_disabled.xml | 1 - RHEL6/input/checks/service_sssd_disabled.xml | 1 - RHEL6/input/checks/service_sysstat_disabled.xml | 1 - RHEL6/input/checks/service_telnet_disabled.xml | 1 - RHEL6/input/checks/service_telnetd_disabled.xml | 1 - RHEL6/input/checks/service_tftp_disabled.xml | 1 - RHEL6/input/checks/service_vsftpd_disabled.xml | 1 - RHEL6/input/checks/service_xinetd_disabled.xml | 1 - RHEL6/input/checks/service_ypbind_disabled.xml | 1 - RHEL6/input/checks/service_ypserv_disabled.xml | 1 - RHEL6/input/checks/singleuser_password.xml | 1 - RHEL6/input/checks/smb_client_signing_smb_conf.xml | 1 - RHEL6/input/checks/sshd_banner_set.xml | 1 - RHEL6/input/checks/sshd_clientalivecountmax.xml | 1 - .../input/checks/sshd_hostbasedauthentication.xml | 1 - RHEL6/input/checks/sshd_idle_timeout.xml | 1 - RHEL6/input/checks/sshd_no_user_envset.xml | 1 - .../input/checks/sshd_permitemptypasswords_no.xml | 1 - RHEL6/input/checks/sshd_permitrootlogin_no.xml | 1 - RHEL6/input/checks/sshd_protocol_2.xml | 1 - RHEL6/input/checks/sshd_rsh_emulation_disabled.xml | 1 - RHEL6/input/checks/sshd_use_approved_ciphers.xml | 1 - RHEL6/input/checks/sysconfig_ipv6_autoconf.xml | 1 - RHEL6/input/checks/sysconfig_ipv6_disable.xml | 1 - RHEL6/input/checks/sysconfig_ipv6_networking.xml | 1 - .../sysconfig_networking_bootproto_ifcfg.xml | 1 - .../checks/sysconfig_networking_ipv6_ifcfg.xml | 1 - RHEL6/input/checks/sysconfig_nozeroconf_yes.xml | 1 - RHEL6/input/checks/sysctl_kernel_exec_shield.xml | 3 +- .../checks/sysctl_kernel_randomize_va_space.xml | 3 +- .../sysctl_net_ipv4_conf_all_accept_redirects.xml | 1 - ...ysctl_net_ipv4_conf_all_accept_source_route.xml | 1 - .../sysctl_net_ipv4_conf_all_log_martians.xml | 3 +- .../checks/sysctl_net_ipv4_conf_all_rp_filter.xml | 3 +- .../sysctl_net_ipv4_conf_all_secure_redirects.xml | 1 - .../sysctl_net_ipv4_conf_all_send_redirects.xml | 1 - ...sctl_net_ipv4_conf_default_accept_redirects.xml | 1 - ...l_net_ipv4_conf_default_accept_source_route.xml | 1 - .../sysctl_net_ipv4_conf_default_rp_filter.xml | 3 +- ...sctl_net_ipv4_conf_default_secure_redirects.xml | 1 - ...sysctl_net_ipv4_conf_default_send_redirects.xml | 1 - ...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml | 3 +- ..._net_ipv4_icmp_ignore_bogus_error_responses.xml | 3 +- RHEL6/input/checks/sysctl_net_ipv4_ip_forward.xml | 3 +- .../checks/sysctl_net_ipv4_tcp_syncookies.xml | 3 +- .../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 1 - .../sysctl_net_ipv6_conf_default_accept_ra.xml | 1 - ...sctl_net_ipv6_conf_default_accept_ra_defrtr.xml | 1 - ...ysctl_net_ipv6_conf_default_accept_ra_pinfo.xml | 1 - ...tl_net_ipv6_conf_default_accept_ra_rtr_pref.xml | 1 - ...sctl_net_ipv6_conf_default_accept_redirects.xml | 1 - .../sysctl_net_ipv6_conf_default_autoconf.xml | 1 - .../sysctl_net_ipv6_conf_default_dad_transmits.xml | 1 - .../sysctl_net_ipv6_conf_default_max_addresses.xml | 1 - ..._net_ipv6_conf_default_router_solicitations.xml | 1 - RHEL6/input/checks/sysctl_net_ipv6_disabled.xml | 1 - RHEL6/input/checks/testcheck.py | 2 +- RHEL6/input/checks/tftpd_uses_secure_mode.xml | 1 - RHEL6/input/checks/umask_for_daemons.xml | 1 - RHEL6/input/checks/wireless_disable_drivers.xml | 1 - RHEL6/input/checks/wireless_disable_interfaces.xml | 1 - RHEL6/input/checks/xwindows_remote_listening.xml | 1 - RHEL6/input/checks/xwindows_runlevel_setting.xml | 1 - .../checks/yum_gpgcheck_global_activation.xml | 1 - RHEL6/input/checks/yum_gpgcheck_never_disabled.xml | 1 - RHEL6/input/services/cron.xml | 2 +- RHEL6/input/services/dhcp.xml | 6 +- RHEL6/input/services/dns.xml | 14 ++- RHEL6/input/services/imap.xml | 5 +- RHEL6/input/services/ldap.xml | 6 +- RHEL6/input/services/squid.xml | 4 +- RHEL6/input/services/xorg.xml | 4 +- RHEL6/input/system/accounts/session.xml | 2 +- RHEL6/input/system/auditing.xml | 17 ++-- RHEL6/input/system/permissions/execution.xml | 2 +- RHEL6/input/system/permissions/files.xml | 103 +++++++++++--------- RHEL6/input/system/permissions/mounting.xml | 2 +- RHEL6/input/system/selinux.xml | 4 +- RHEL6/input/system/software/updating.xml | 4 +- RHEL6/transforms/idtranslate.py | 14 ++- RHEL6/transforms/relabelids.py | 2 +- RHEL6/transforms/shorthand2xccdf.xslt | 9 ++- 446 files changed, 429 insertions(+), 881 deletions(-) create mode 100644 RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml delete mode 100644 RHEL6/input/checks/file_permissions_etc_at_allow.xml create mode 100644 RHEL6/input/checks/file_permissions_var_log_cron.xml delete mode 100644 RHEL6/input/checks/package_pam_ccreds_removed.xml delete mode 100644 RHEL6/input/checks/service_ntpdate_enabled.xml

11 years, 7 months

2
7
0 / 0

[PATCH 0/4] removal of CCE information from OVAL templates

by Jeffrey Blank

This is being done in favor of storing CCE identifiers only in the XCCDF Rules as idents (which made sense for a number of reasons). Yes, these templates/scripts feel so very much like an undergraduate (or possibly high-school) programming project. But consider the superficiality of their operation as a benefit. If I were starting over, I might have instead created a small dictionary of macros in XSLT to take care of generating the significant non-information-bearing OVAL overhead instead. This would allow for authors to create extremely simple XML files to express the necessary information, and also avoid the creation of any kind of parser. Maybe for RHEL 7... Jeffrey Blank (4): new helper scripts for making/verifying/installing templated files removed CCE handling from scripts that create templated OVAL checks removed CCE identifiers from template source-info files removal of CCE info from templates for kernelmods, packages, perms, services, sysctls RHEL6/input/checks/templates/Makefile | 30 ++++++ RHEL6/input/checks/templates/README | 32 +++++- .../templates/create_kernel_modules_disabled.py | 15 ++-- .../checks/templates/create_package_installed.py | 11 +-- .../checks/templates/create_package_removed.py | 10 +-- .../checks/templates/create_permission_checks.py | 9 +- .../checks/templates/create_services_disabled.py | 6 +- .../checks/templates/create_services_enabled.py | 6 +- .../input/checks/templates/create_sysctl_checks.py | 5 +- .../checks/templates/file_dir_permissions.csv | 7 +- RHEL6/input/checks/templates/find_untemplated.py | 31 ++++++ .../checks/templates/kernel_modules_disabled.csv | 24 ++-- .../input/checks/templates/packages_installed.csv | 34 ++++--- RHEL6/input/checks/templates/packages_removed.csv | 106 ++++++++++---------- RHEL6/input/checks/templates/services_disabled.csv | 103 ++++++++++---------- RHEL6/input/checks/templates/services_enabled.csv | 24 ++-- RHEL6/input/checks/templates/sysctl_values.csv | 36 +++---- .../templates/template_kernel_module_disabled | 2 - .../checks/templates/template_package_installed | 1 - .../checks/templates/template_package_removed | 1 - RHEL6/input/checks/templates/template_permissions | 1 - .../checks/templates/template_service_disabled | 1 - .../checks/templates/template_service_enabled | 1 - RHEL6/input/checks/templates/template_sysctl | 1 - 24 files changed, 281 insertions(+), 216 deletions(-) create mode 100644 RHEL6/input/checks/templates/Makefile create mode 100755 RHEL6/input/checks/templates/find_untemplated.py

11 years, 7 months

2
5
0 / 0

[PATCH] Fix paths and requires in spec file.

by Spencer R. Shimko

The spec file was dropping things in /usr/local. Shift it to /usr/share/doc/scap-security-guide-<version>. Update Requires and BuildRequires based on perusal of apps leveraged during build. Signed-off-by: Spencer Shimko <sshimko(a)tresys.com> --- scap-security-guide.spec | 15 +++++++++------ 1 files changed, 9 insertions(+), 6 deletions(-) diff --git a/scap-security-guide.spec b/scap-security-guide.spec index 55e22a5..0867fb1 100644 --- a/scap-security-guide.spec +++ b/scap-security-guide.spec @@ -12,8 +12,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildArch: %{arch} -BuildRequires: /bin/rm, /bin/mkdir, /bin/cp -Requires: /bin/bash, /bin/date, /usr/bin/oscap +BuildRequires: coreutils, libxslt, expat, python +Requires: coreutils, openscap %description The scap-security-guide project provides security configuration guidance in @@ -28,13 +28,12 @@ requirements and specific implementation guidance. %build cd RHEL6 && make dist - %install rm -rf $RPM_BUILD_ROOT #make install DESTDIR=$RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/usr/local/%{name}/ +mkdir -p $RPM_BUILD_ROOT/%{_usr}/share/doc/%{name}-%{version}/ -cp -r RHEL6/dist/* $RPM_BUILD_ROOT/usr/local/%{name}/ +cp -r RHEL6/dist/* $RPM_BUILD_ROOT/%{_usr}/share/doc/%{name}-%{version}/ %clean @@ -43,10 +42,14 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(0644,root,root,0755) -%attr(0755,root,root) /usr/local/scap-security-guide/ +%attr(0755,root,root) %{_usr}/share/doc/%{name}-%{version}/ %changelog +* Tue Aug 28 2012 Spencer Shimko <sshimko(a)tresys.com> 1.0-4 +- Move away from using /usr/local for installation dir. +- Fix BuildRequires and Requires. + * Wed Jul 3 2012 Jeffrey Blank <blank(a)eclipse.ncsc.mil> 1.0-3 - Modified install section, made description more concise. -- 1.7.1

11 years, 7 months

4
7
0 / 0

SP 800-53 rev3 controls in XML format

by Gary Gapinski

Would this be a useful document to use with some of the transformations? I'm willing to create one. I think was may have previously been mentioned.

11 years, 7 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide September 2012