results validation
by Peter Vrabec
Hi all,
I have found that if I validate OVAL results by schematron rules:
$ oscap oval validate-xml --results --schematron rhel6-oval-scap-security-guide.xml.result.xml
I get two types of errors:
oval:scap-security-guide:tst:960 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:959 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:811 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:787 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:786 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:359 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:267 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:221 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:tst:1085 - No state should be referenced when
check_existence has a value of 'none_exist'.
oval:scap-security-guide:var:2663 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2655 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2651 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2649 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2648 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2644 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2636 - inconsistent datatype between the
variable and an associated var_ref
oval:scap-security-guide:var:2629 - inconsistent datatype between the
variable and an associated var_ref
Peter.
11 years, 7 months
[PATCH] Minor regexp correction in wireless_disable_drivers.xml
by Willem Bos
Hi All,
The missing '^' in the regexp makes oscap 0.8.0 (from the RHEL6 repo)
scan the whole filesystem. Credits to Gary Gapinsky for the quick fix.
Jeffrey suggested replacing the check by a version that would advise
disabling the driver in /etc/modules.conf (see the 'oscap hangs on
wireless_disable_drivers.xml' thread). I'm not familiar with a robust
way to determine the presence of such a NIC without using specialized
utilities that might not be installed on the system. I did a `grep
net/wireless /lib/modules/$(uname -r)/modules.dep` to see if all
wireless drivers maybe shared a common dependency but this is not the
case. Also, I queried the device using udevadm for attributes unique
to wireless cards but could not see anything obvious:
udevadm info --path=/sys/class/net/wlan0 --attribute-walk
looking at device
'/devices/pci0000:00/0000:00:1c.1/0000:02:00.0/bcma0:0/net/wlan0':
KERNEL=="wlan0"
SUBSYSTEM=="net"
DRIVER==""
ATTR{addr_assign_type}=="0"
ATTR{addr_len}=="6"
ATTR{dev_id}=="0x0"
ATTR{ifalias}==""
ATTR{iflink}=="2"
ATTR{ifindex}=="2"
ATTR{type}=="1"
ATTR{link_mode}=="1"
ATTR{address}=="b8:8d:12:08:14:ea"
ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
ATTR{carrier}=="1"
ATTR{dormant}=="0"
ATTR{operstate}=="up"
ATTR{mtu}=="1500"
ATTR{flags}=="0x1003"
ATTR{tx_queue_len}=="1000"
ATTR{netdev_group}=="0"
udevadm info --path=/sys/class/net/eth0 --attribute-walk
looking at device '/devices/pci0000:00/0000:00:15.0/0000:03:00.0/net/eth0':
KERNEL=="eth0"
SUBSYSTEM=="net"
DRIVER==""
ATTR{addr_assign_type}=="0"
ATTR{addr_len}=="6"
ATTR{dev_id}=="0x0"
ATTR{ifalias}==""
ATTR{iflink}=="2"
ATTR{ifindex}=="2"
ATTR{features}=="0x118ba9"
ATTR{type}=="1"
ATTR{link_mode}=="0"
ATTR{address}=="00:50:56:b5:00:12"
ATTR{broadcast}=="ff:ff:ff:ff:ff:ff"
ATTR{carrier}=="1"
ATTR{speed}=="10000"
ATTR{duplex}=="full"
ATTR{dormant}=="0"
ATTR{operstate}=="unknown"
ATTR{mtu}=="1500"
ATTR{flags}=="0x1003"
ATTR{tx_queue_len}=="1000"
If anyone can give me a suggestion I'd be happy to spend more time on it.
Regards,
Willem.
---
RHEL6/input/checks/wireless_disable_drivers.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/checks/wireless_disable_drivers.xml
b/RHEL6/input/checks/wireless_disable_drivers.xml
index 9760f7c..129b308 100644
--- a/RHEL6/input/checks/wireless_disable_drivers.xml
+++ b/RHEL6/input/checks/wireless_disable_drivers.xml
@@ -21,7 +21,7 @@
</unix:file_test>
<unix:file_object comment="all local files"
id="object_wireless_disable_drivers" version="1">
- <unix:path operation="pattern
match">/lib/modules/.*/kernel/drivers/net/wireless</unix:path>
+ <unix:path operation="pattern
match">^/lib/modules/.*/kernel/drivers/net/wireless</unix:path>
<unix:filename operation="pattern match">.*</unix:filename>
</unix:file_object>
</def-group>
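Review bot: the `comment="all local files"` on the `unix:file_object` no longer describes what the object selects now that the path is anchored to `^/lib/modules/.*/kernel/drivers/net/wireless`; a comment such as "wireless driver modules under /lib/modules" would keep the object self-describing. The added `^` is the right fix for the traversal problem described in the cover letter: an unanchored `pattern match` can match the substring at any depth, so the probe has to walk the whole filesystem, whereas the anchor lets it confine the walk to /lib/modules. The pattern is still open at the end, so files in subdirectories below net/wireless are collected as well; if that is intended (drivers live in nested directories), a short note in the commit message would save the next reader from adding a `$`.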
--
1.7.1
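The two schematron findings in Peter's post above and the unanchored `pattern match` path fixed by this patch can all be caught before running oscap. The following is an added example, not scap-security-guide or openscap code: a small linter that re-implements the intent of those two schematron rules plus an anchor check, run over a constructed OVAL fragment. The `oval:example:*` ids, the sample content and the prefix-pruning model in `literal_prefix_dir` are assumptions made for this example.

```python
"""Lint OVAL content for three problems raised on the list (added example,
not scap-security-guide or openscap code)."""
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
UNIX = OVAL + "#unix"
IND = OVAL + "#independent"

# Constructed sample; every id and value here is made up for this example.
SAMPLE = f"""<oval_definitions xmlns="{OVAL}" xmlns:unix="{UNIX}" xmlns:ind="{IND}">
  <tests>
    <!-- violates rule 1: a none_exist test that still references a state -->
    <unix:file_test id="oval:example:tst:1" version="1" check="all"
        check_existence="none_exist" comment="no wireless driver files">
      <unix:object object_ref="oval:example:obj:1"/>
      <unix:state state_ref="oval:example:ste:1"/>
    </unix:file_test>
    <unix:file_test id="oval:example:tst:2" version="1" check="all"
        check_existence="none_exist" comment="compliant form, no state">
      <unix:object object_ref="oval:example:obj:2"/>
    </unix:file_test>
  </tests>
  <objects>
    <!-- unanchored pattern, as in the original wireless_disable_drivers.xml -->
    <unix:file_object id="oval:example:obj:1" version="1" comment="unanchored">
      <unix:path operation="pattern match">/lib/modules/.*/kernel/drivers/net/wireless</unix:path>
      <unix:filename operation="pattern match">.*</unix:filename>
    </unix:file_object>
    <unix:file_object id="oval:example:obj:2" version="1" comment="anchored">
      <unix:path operation="pattern match">^/lib/modules/.*/kernel/drivers/net/wireless</unix:path>
      <unix:filename operation="pattern match">.*</unix:filename>
    </unix:file_object>
  </objects>
  <states>
    <!-- violates rule 2: var_ref entity typed string, variable typed int -->
    <ind:textfilecontent54_state id="oval:example:ste:2" version="1">
      <ind:subexpression datatype="string" operation="equals" var_ref="oval:example:var:1"/>
    </ind:textfilecontent54_state>
  </states>
  <variables>
    <external_variable id="oval:example:var:1" version="1" datatype="int" comment="timeout"/>
  </variables>
</oval_definitions>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def none_exist_with_state(root):
    """Rule: no state may be referenced when check_existence='none_exist'."""
    return [t.get("id") for t in root.iter()
            if _local(t.tag).endswith("_test")
            and t.get("check_existence") == "none_exist"
            and any(_local(c.tag) == "state" for c in t)]

def var_ref_datatype_mismatch(root):
    """Rule: an entity's datatype must equal that of the variable it references."""
    declared = {v.get("id"): v.get("datatype")
                for v in root.iter() if _local(v.tag).endswith("_variable")}
    bad = []
    for el in root.iter():
        ref = el.get("var_ref")
        actual = el.get("datatype", "string")  # OVAL entities default to string
        if ref in declared and actual != declared[ref]:
            bad.append((ref, actual, declared[ref]))
    return bad

def unanchored_path_patterns(root):
    """Pattern-match paths lacking a leading '^' (the wireless_disable_drivers bug)."""
    bad = []
    for obj in root.iter():
        if _local(obj.tag).endswith("_object"):
            for child in obj:
                if (_local(child.tag) == "path"
                        and child.get("operation") == "pattern match"
                        and not (child.text or "").startswith("^")):
                    bad.append((obj.get("id"), child.text))
    return bad

def literal_prefix_dir(pattern):
    """Deepest directory a probe could start walking from (a simplified model of
    prefix pruning assumed for this example, not openscap's actual algorithm)."""
    if not pattern.startswith("^"):
        return "/"  # may match at any depth, so the whole tree must be walked
    literal = ""
    for ch in pattern[1:]:
        if ch in ".*+?[](){}|\\$":
            break
        literal += ch
    cut = literal.rfind("/")
    return literal[:cut] if cut > 0 else "/"

def lint(xml_text):
    """Run all checks over an OVAL document and return findings by rule name."""
    root = ET.fromstring(xml_text)
    return {"none_exist_with_state": none_exist_with_state(root),
            "var_ref_datatype_mismatch": var_ref_datatype_mismatch(root),
            "unanchored_path_patterns": unanchored_path_patterns(root)}
```

Running `lint(SAMPLE)` flags tst:1, the var:1 string/int mismatch and obj:1 only; `literal_prefix_dir` returns "/lib/modules" for the anchored path and "/" for the unanchored one, which is the whole-filesystem walk the patch avoids.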
11 years, 7 months
[PATCH] Use mode 0 for gshadow file
by Kenneth Stailey
From: Kenneth Stailey <kstailey.lists(a)gmail.com>
Second try as changes that went in ahead of this fixed the perms
on /etc/shadow but not /etc/gshadow.
Kenneth Stailey (1):
Use mode 0 for gshadow file
.../input/checks/file_permissions_etc_gshadow.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
11 years, 7 months
[PATCH 0/3] manual checks (and OCIL?) now/soon, new macros
by Jeffrey Blank
This commitset provides a way for us to include manual checking ("auditing" as some call it)
for settings compliance with each Rule.
The patch should make it clear what the general idea is. As with the rest of
the project, the input format (in this case, new <ocil> tags) is designed to
allow for authoring ease and require the author only to provide the necessary
information. Transforms should take care of putting this information into
whatever format the specification (or a customer) requires.
Note that we do not yet have proper OCIL output here, just a start at formatting/providing it
inline with the XCCDF document.
Jeffrey Blank (3):
added proposed new "<ocil>" tags to contain manual check information.
  * these also use new macros for disabling services and checking partitioning
use of new macros for disk partition checking, minor language updates
support for handling new <ocil> tags for manual check info
  * also, support for displaying this manual check information in tables
  * definitions of new macros to make developing easier
RHEL6/input/services/avahi.xml | 1 +
RHEL6/input/services/base.xml | 25 +++++++++++++
RHEL6/input/services/cron.xml | 2 +
RHEL6/input/services/dns.xml | 1 +
RHEL6/input/services/http.xml | 1 +
RHEL6/input/services/obsolete.xml | 7 ++++
RHEL6/input/services/printing.xml | 1 +
RHEL6/input/services/smb.xml | 1 +
RHEL6/input/system/software/disk_partitioning.xml | 41 ++++++++++++---------
RHEL6/transforms/constants.xslt | 1 +
RHEL6/transforms/relabelids.py | 6 ++-
RHEL6/transforms/shorthand2xccdf.xslt | 38 +++++++++++++++++++-
RHEL6/transforms/xccdf2table-profileccirefs.xslt | 7 ++++
13 files changed, 111 insertions(+), 21 deletions(-)
11 years, 7 months
/etc/shadow and gshadow mode 0400 or 0?
by Kenneth Stailey
Hi,
RHEL5 ships with /etc/shadow and gshadow set to mode 0400
while RHEL 6 uses mode 0 for those two files.
CCE-3932-1 and CCE-4130-1 require mode 0400.
Changing RHEL 6 to use 0400 causes CCE-14931 (verify
files against RPM database) to flag /etc/shadow
and gshadow as modified.
Is it better to change /etc/shadow and gshadow to 0400
or use the mode 0 that the files are distributed from Red Hat with?
Thanks
11 years, 7 months
[PATCH 0/7] many minor changes, CCE removal from OVAL
by Jeffrey Blank
The changes in this patchset (visible here) are minor/helpful --
however the "missing" patch 4 is the removal of CCE references
from the OVAL content (which, at 325K, I did not want to send out).
We discussed the removal of those CCEs before I did it, but now know
that it will come with this push (if an ACK is forthcoming).
Jeffrey Blank (7):
added argument to output oval-results file
  * this will help avoid future issues with invalid output/input
removed files which are either obsolete or are/will be created through different mechanisms
added OVAL files which are now created through template
removed CCE references from OVAL content
added xslt template to automatically insert current date into XCCDF
  * easier than manually inserting date?
added support to automatically add reference to OVAL definitions
  * to document their true origin, ease some debugging
content editing for permissions section, fixups for title style
  * my voyage through the content revealed to me how much other content editing is still needed
.../checks/accounts_dangerous_path_for_root.xml | 1 -
.../checks/accounts_disable_post_pw_expiration.xml | 1 -
.../accounts_max_concurrent_login_sessions.xml | 1 -
.../checks/accounts_maximum_age_login_defs.xml | 1 -
.../checks/accounts_minimum_age_login_defs.xml | 1 -
RHEL6/input/checks/accounts_no_empty_passwords.xml | 1 -
.../accounts_no_nis_inclusions_etc_group.xml | 1 -
.../accounts_no_nis_inclusions_etc_passwd.xml | 1 -
.../accounts_no_nis_inclusions_etc_shadow.xml | 1 -
RHEL6/input/checks/accounts_no_uid_except_zero.xml | 1 -
RHEL6/input/checks/accounts_nologin_for_system.xml | 1 -
RHEL6/input/checks/accounts_pam_no_nullok.xml | 1 -
.../checks/accounts_password_all_shadowed.xml | 1 -
.../checks/accounts_password_hashing_algorithm.xml | 1 -
.../checks/accounts_password_minlen_login_defs.xml | 1 -
.../accounts_password_pam_cracklib_dcredit.xml | 1 -
.../accounts_password_pam_cracklib_difok.xml | 1 -
.../accounts_password_pam_cracklib_lcredit.xml | 1 -
.../accounts_password_pam_cracklib_ocredit.xml | 1 -
.../accounts_password_pam_cracklib_retry.xml | 1 -
.../accounts_password_pam_cracklib_ucredit.xml | 1 -
.../input/checks/accounts_password_reuse_limit.xml | 1 -
.../accounts_password_warn_age_login_defs.xml | 1 -
.../accounts_passwords_pam_faillock_deny.xml | 1 -
.../checks/accounts_passwords_pam_tally2_deny.xml | 1 -
.../checks/accounts_root_path_dirs_no_write.xml | 1 -
RHEL6/input/checks/accounts_su_wheel_only.xml | 1 -
RHEL6/input/checks/accounts_umask_bash_users.xml | 1 -
RHEL6/input/checks/accounts_umask_csh.xml | 1 -
RHEL6/input/checks/accounts_umask_etc_profile.xml | 1 -
RHEL6/input/checks/accounts_umask_login_defs.xml | 1 -
RHEL6/input/checks/accounts_wheel_exists.xml | 1 -
.../input/checks/audit_rules_dac_modification.xml | 1 -
.../checks/audit_rules_dac_modification_chmod.xml | 1 -
.../checks/audit_rules_dac_modification_chown.xml | 1 -
.../checks/audit_rules_dac_modification_fchmod.xml | 1 -
.../audit_rules_dac_modification_fchmodat.xml | 1 -
.../checks/audit_rules_dac_modification_fchown.xml | 1 -
.../audit_rules_dac_modification_fchownat.xml | 1 -
.../audit_rules_dac_modification_fremovexattr.xml | 1 -
.../audit_rules_dac_modification_fsetxattr.xml | 1 -
.../checks/audit_rules_dac_modification_lchown.xml | 1 -
.../audit_rules_dac_modification_lremovexattr.xml | 1 -
.../audit_rules_dac_modification_lsetxattr.xml | 1 -
.../audit_rules_dac_modification_removexattr.xml | 1 -
.../audit_rules_dac_modification_setxattr.xml | 1 -
.../checks/audit_rules_file_deletion_events.xml | 1 -
RHEL6/input/checks/audit_rules_immutable.xml | 1 -
.../checks/audit_rules_kernel_module_loading.xml | 1 -
RHEL6/input/checks/audit_rules_login_events.xml | 1 -
.../input/checks/audit_rules_mac_modification.xml | 1 -
RHEL6/input/checks/audit_rules_media_export.xml | 1 -
.../audit_rules_networkconfig_modification.xml | 1 -
.../checks/audit_rules_privileged_commands.xml | 1 -
.../input/checks/audit_rules_record_timechange.xml | 1 -
RHEL6/input/checks/audit_rules_session_events.xml | 1 -
.../input/checks/audit_rules_sysadmin_actions.xml | 1 -
RHEL6/input/checks/audit_rules_time_adjtimex.xml | 1 -
.../checks/audit_rules_time_clock_settime.xml | 1 -
.../input/checks/audit_rules_time_settimeofday.xml | 1 -
RHEL6/input/checks/audit_rules_time_stime.xml | 1 -
.../checks/audit_rules_time_watch_localtime.xml | 1 -
.../audit_rules_unsuccessful_file_modification.xml | 1 -
.../checks/audit_rules_usergroup_modification.xml | 1 -
.../auditd_data_retention_action_mail_acct.xml | 1 -
...ditd_data_retention_admin_space_left_action.xml | 1 -
.../checks/auditd_data_retention_max_log_file.xml | 1 -
.../auditd_data_retention_max_log_file_action.xml | 1 -
.../checks/auditd_data_retention_num_logs.xml | 1 -
.../auditd_data_retention_space_left_action.xml | 1 -
RHEL6/input/checks/banner_etc_issue.xml | 1 -
RHEL6/input/checks/banner_gui_enabled.xml | 1 -
RHEL6/input/checks/banner_gui_gdm.xml | 1 -
RHEL6/input/checks/bootloader_audit_argument.xml | 1 -
RHEL6/input/checks/bootloader_nousb_argument.xml | 1 -
RHEL6/input/checks/bootloader_password.xml | 1 -
.../console_device_restrict_access_desktop.xml | 1 -
.../console_device_restrict_access_server.xml | 1 -
.../checks/core_dump_suid_progs_limits_conf.xml | 1 -
RHEL6/input/checks/core_dumps_limitsconf.xml | 1 -
RHEL6/input/checks/cups_disable_browsing.xml | 1 -
RHEL6/input/checks/cups_disable_printserver.xml | 1 -
RHEL6/input/checks/cups_limit_browsing.xml | 1 -
.../checks/cups_limit_browsing_browseaddress.xml | 1 -
.../checks/cups_limit_browsing_browsedenyallow.xml | 1 -
RHEL6/input/checks/cups_limit_web_interface.xml | 1 -
RHEL6/input/checks/dir_perms_etc_httpd_conf.xml | 1 -
RHEL6/input/checks/dir_perms_var_log_httpd.xml | 1 -
.../dir_perms_world_writable_sticky_bits.xml | 1 -
.../dir_perms_world_writable_system_owned.xml | 1 -
.../checks/dovecot_disable_plaintext_auth.xml | 1 -
RHEL6/input/checks/dovecot_enable_ssl.xml | 1 -
.../input/checks/file_group_owner_etc_crontab.xml | 1 -
RHEL6/input/checks/file_group_owner_grub_conf.xml | 1 -
RHEL6/input/checks/file_groupowner_etc_group.xml | 1 -
RHEL6/input/checks/file_groupowner_etc_gshadow.xml | 1 -
RHEL6/input/checks/file_groupowner_etc_passwd.xml | 1 -
RHEL6/input/checks/file_groupowner_etc_shadow.xml | 1 -
.../checks/file_groupowner_ldap_server_bdb.xml | 1 -
.../checks/file_groupowner_ldap_server_files.xml | 1 -
RHEL6/input/checks/file_mode_etc_crontab.xml | 1 -
RHEL6/input/checks/file_owner_etc_group.xml | 1 -
RHEL6/input/checks/file_owner_etc_gshadow.xml | 1 -
RHEL6/input/checks/file_owner_etc_passwd.xml | 1 -
RHEL6/input/checks/file_owner_etc_shadow.xml | 1 -
RHEL6/input/checks/file_owner_ldap_server_bdb.xml | 1 -
.../input/checks/file_owner_ldap_server_files.xml | 1 -
RHEL6/input/checks/file_ownership_etc_skel.xml | 1 -
.../input/checks/file_ownership_samba_password.xml | 1 -
.../input/checks/file_ownership_var_log_audit.xml | 1 -
.../file_permissions_boot_grub_grub_conf.xml | 46 +++++++++
.../input/checks/file_permissions_etc_at_allow.xml | 37 -------
RHEL6/input/checks/file_permissions_etc_group.xml | 1 -
.../input/checks/file_permissions_etc_gshadow.xml | 1 -
RHEL6/input/checks/file_permissions_etc_passwd.xml | 58 ++++++-----
RHEL6/input/checks/file_permissions_etc_shadow.xml | 58 ++++++-----
RHEL6/input/checks/file_permissions_etc_skel.xml | 1 -
RHEL6/input/checks/file_permissions_grub_conf.xml | 1 -
RHEL6/input/checks/file_permissions_home_dirs.xml | 1 -
.../file_permissions_httpd_server_conf_files.xml | 1 -
.../checks/file_permissions_ldap_server_bdb.xml | 1 -
.../checks/file_permissions_ldap_server_files.xml | 1 -
.../checks/file_permissions_samba_password.xml | 1 -
.../checks/file_permissions_unauthorized_sgid.xml | 1 -
.../checks/file_permissions_unauthorized_suid.xml | 1 -
...ile_permissions_unauthorized_world_writable.xml | 1 -
.../input/checks/file_permissions_ungroupowned.xml | 1 -
RHEL6/input/checks/file_permissions_unowned.xml | 1 -
.../checks/file_permissions_var_log_audit.xml | 1 -
.../input/checks/file_permissions_var_log_cron.xml | 46 +++++++++
.../file_ssh_host_keys_private_permissions.xml | 1 -
.../file_ssh_host_keys_public_permissions.xml | 1 -
RHEL6/input/checks/file_user_owner_etc_crontab.xml | 1 -
RHEL6/input/checks/file_user_owner_grub_conf.xml | 1 -
.../input/checks/gconf_gnome_disable_automount.xml | 1 -
...f_gnome_screensaver_idle_activation_enabled.xml | 1 -
.../checks/gconf_gnome_screensaver_idle_delay.xml | 1 -
.../gconf_gnome_screensaver_lock_enabled.xml | 1 -
.../checks/gconf_gnome_screensaver_mode_blank.xml | 1 -
RHEL6/input/checks/interactive_boot_disable.xml | 1 -
RHEL6/input/checks/iptables_avahi_disabled.xml | 1 -
RHEL6/input/checks/iptables_cupsd_disabled.xml | 1 -
.../input/checks/iptables_default_policy_drop.xml | 1 -
RHEL6/input/checks/iptables_icmp_disabled.xml | 1 -
RHEL6/input/checks/iptables_ldap_enabled.xml | 1 -
RHEL6/input/checks/iptables_smtp_enabled.xml | 1 -
RHEL6/input/checks/iptables_sshd_disabled.xml | 1 -
.../checks/kernel_module_bluetooth_disabled.xml | 1 -
.../input/checks/kernel_module_cramfs_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_dccp_disabled.xml | 3 +-
.../checks/kernel_module_freevxfs_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_hfs_disabled.xml | 3 +-
.../checks/kernel_module_hfsplus_disabled.xml | 3 +-
.../checks/kernel_module_ipv6_option_disabled.xml | 1 -
.../input/checks/kernel_module_jffs2_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_rds_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_sctp_disabled.xml | 16 ++-
.../checks/kernel_module_squashfs_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_tipc_disabled.xml | 3 +-
RHEL6/input/checks/kernel_module_udf_disabled.xml | 3 +-
.../checks/kernel_module_usb-storage_disabled.xml | 3 +-
.../input/checks/ldap_client_pam_ldap_present.xml | 1 -
RHEL6/input/checks/ldap_client_start_tls.xml | 1 -
RHEL6/input/checks/ldap_client_tls_cacertpath.xml | 1 -
.../ldap_server_config_bdb_file_security.xml | 1 -
.../ldap_server_config_certificate_files.xml | 1 -
.../ldap_server_config_certificate_usage.xml | 1 -
.../ldap_server_config_directory_file_security.xml | 1 -
RHEL6/input/checks/ldap_server_config_logging.xml | 1 -
.../input/checks/ldap_server_config_olcaccess.xml | 1 -
.../input/checks/ldap_server_config_olcrootpw.xml | 1 -
.../ldap_server_config_olcsecurity_simple_bind.xml | 1 -
.../checks/ldap_server_config_olcsecurity_tls.xml | 1 -
.../input/checks/ldap_server_config_olcsuffix.xml | 1 -
.../ldap_server_config_olctlsciphersuite.xml | 1 -
RHEL6/input/checks/libuser_login_defs_import.xml | 1 -
RHEL6/input/checks/logrotate_rotate_all_files.xml | 1 -
.../input/checks/logwatch_configured_hostlimit.xml | 1 -
.../checks/logwatch_configured_splithosts.xml | 1 -
RHEL6/input/checks/mount_home_own_partition.xml | 1 -
RHEL6/input/checks/mount_option_dev_shm_nodev.xml | 1 -
RHEL6/input/checks/mount_option_dev_shm_noexec.xml | 1 -
RHEL6/input/checks/mount_option_dev_shm_nosuid.xml | 1 -
...mount_option_nodev_nonroot_local_partitions.xml | 1 -
RHEL6/input/checks/mount_option_nodev_on_tmp.xml | 1 -
.../mount_option_nodev_remote_filesystems.xml | 1 -
.../mount_option_nodev_removable_partitions.xml | 1 -
.../mount_option_noexec_removable_partitions.xml | 1 -
.../mount_option_nosuid_remote_filesystems.xml | 1 -
.../mount_option_nosuid_removable_partitions.xml | 1 -
.../checks/mount_option_smb_client_signing.xml | 1 -
RHEL6/input/checks/mount_option_tmp_nodev.xml | 1 -
RHEL6/input/checks/mount_option_tmp_noexec.xml | 1 -
RHEL6/input/checks/mount_option_tmp_nosuid.xml | 1 -
RHEL6/input/checks/mount_option_var_tmp_bind.xml | 1 -
RHEL6/input/checks/mount_tmp_own_partition.xml | 1 -
.../checks/mount_var_log_audit_own_partition.xml | 1 -
RHEL6/input/checks/mount_var_log_own_partition.xml | 1 -
RHEL6/input/checks/mount_var_own_partition.xml | 1 -
.../input/checks/network_ipv6_default_gateway.xml | 1 -
.../checks/network_ipv6_disable_interfaces.xml | 1 -
RHEL6/input/checks/network_ipv6_disable_rpc.xml | 1 -
RHEL6/input/checks/network_ipv6_limit_requests.xml | 7 --
.../checks/network_ipv6_privacy_extensions.xml | 1 -
RHEL6/input/checks/network_ipv6_static_address.xml | 1 -
RHEL6/input/checks/network_sniffer_disabled.xml | 1 -
RHEL6/input/checks/no_rsh_trusted_host_files.xml | 1 -
RHEL6/input/checks/ntp_remote_server.xml | 1 -
RHEL6/input/checks/package_abrt_removed.xml | 3 +-
RHEL6/input/checks/package_acpid_removed.xml | 3 +-
RHEL6/input/checks/package_aide_installed.xml | 3 +-
RHEL6/input/checks/package_at_removed.xml | 3 +-
RHEL6/input/checks/package_audit_installed.xml | 3 +-
RHEL6/input/checks/package_autofs_removed.xml | 3 +-
RHEL6/input/checks/package_bind_removed.xml | 3 +-
RHEL6/input/checks/package_certmonger_removed.xml | 3 +-
RHEL6/input/checks/package_cpuspeed_removed.xml | 3 +-
.../checks/package_cronie-anacron_removed.xml | 3 +-
RHEL6/input/checks/package_cronie_installed.xml | 3 +-
RHEL6/input/checks/package_cups_removed.xml | 3 +-
RHEL6/input/checks/package_cyrus-sasl_removed.xml | 3 +-
RHEL6/input/checks/package_dbus_removed.xml | 3 +-
RHEL6/input/checks/package_dhcp_removed.xml | 3 +-
RHEL6/input/checks/package_dhcpd_removed.xml | 26 +++---
RHEL6/input/checks/package_dovecot_removed.xml | 3 +-
RHEL6/input/checks/package_hal_removed.xml | 3 +-
RHEL6/input/checks/package_httpd_removed.xml | 3 +-
.../input/checks/package_initscripts_installed.xml | 1 -
.../input/checks/package_ipsec-tools_installed.xml | 3 +-
.../checks/package_iptables-ipv6_installed.xml | 3 +-
RHEL6/input/checks/package_iptables_installed.xml | 3 +-
RHEL6/input/checks/package_iputils_removed.xml | 20 ++--
RHEL6/input/checks/package_irda-utils_removed.xml | 3 +-
.../input/checks/package_irqbalance_installed.xml | 3 +-
.../input/checks/package_isdn4k-utils_removed.xml | 3 +-
RHEL6/input/checks/package_kexec-tools_removed.xml | 3 +-
RHEL6/input/checks/package_libcgroup_removed.xml | 3 +-
RHEL6/input/checks/package_lvm2_installed.xml | 3 +-
RHEL6/input/checks/package_mdadm_removed.xml | 3 +-
RHEL6/input/checks/package_net-snmp_removed.xml | 3 +-
RHEL6/input/checks/package_nfs-utils_removed.xml | 3 +-
RHEL6/input/checks/package_ntp_installed.xml | 3 +-
RHEL6/input/checks/package_ntpdate_installed.xml | 3 +-
RHEL6/input/checks/package_oddjob_removed.xml | 3 +-
.../checks/package_openldap-servers_installed.xml | 4 +-
.../checks/package_openldap-servers_removed.xml | 8 +-
RHEL6/input/checks/package_openldap_removed.xml | 3 +-
.../checks/package_openssh-server_removed.xml | 3 +-
RHEL6/input/checks/package_openswan_installed.xml | 3 +-
RHEL6/input/checks/package_pam_ccreds_removed.xml | 27 -----
RHEL6/input/checks/package_pam_ldap_removed.xml | 11 +-
.../checks/package_policycoreutils_installed.xml | 3 +-
RHEL6/input/checks/package_portreserve_removed.xml | 3 +-
RHEL6/input/checks/package_postfix_installed.xml | 3 +-
RHEL6/input/checks/package_psacct_installed.xml | 3 +-
.../checks/package_qpid-cpp-server_removed.xml | 1 -
RHEL6/input/checks/package_quota_removed.xml | 3 +-
.../input/checks/package_rhn_gpgkey_installed.xml | 28 +++---
RHEL6/input/checks/package_rhnsd_removed.xml | 3 +-
RHEL6/input/checks/package_rpcbind_removed.xml | 3 +-
RHEL6/input/checks/package_rsh-server_removed.xml | 3 +-
RHEL6/input/checks/package_rsh_removed.xml | 3 +-
RHEL6/input/checks/package_rsyslog_installed.xml | 3 +-
.../input/checks/package_samba-common_removed.xml | 3 +-
RHEL6/input/checks/package_samba_removed.xml | 3 +-
RHEL6/input/checks/package_sendmail_removed.xml | 3 +-
.../input/checks/package_smartmontools_removed.xml | 3 +-
RHEL6/input/checks/package_squid_removed.xml | 3 +-
RHEL6/input/checks/package_sssd_removed.xml | 3 +-
.../package_subscription-manager_removed.xml | 1 -
RHEL6/input/checks/package_sysstat_removed.xml | 3 +-
RHEL6/input/checks/package_talk-server_removed.xml | 3 +-
RHEL6/input/checks/package_talk_removed.xml | 3 +-
.../input/checks/package_telnet-server_removed.xml | 3 +-
RHEL6/input/checks/package_tftp-server_removed.xml | 3 +-
RHEL6/input/checks/package_vlock_installed.xml | 24 ++---
RHEL6/input/checks/package_vlock_removed.xml | 3 +-
RHEL6/input/checks/package_vsftpd_installed.xml | 8 +-
RHEL6/input/checks/package_vsftpd_removed.xml | 3 +-
RHEL6/input/checks/package_xinetd_removed.xml | 3 +-
.../package_xorg-x11-server-common_removed.xml | 1 -
RHEL6/input/checks/package_ypbind_removed.xml | 3 +-
RHEL6/input/checks/package_ypserv_removed.xml | 3 +-
RHEL6/input/checks/postfix_certificate_files.xml | 1 -
RHEL6/input/checks/postfix_logging.xml | 1 -
.../checks/postfix_network_listening_disabled.xml | 1 -
RHEL6/input/checks/postfix_server_banner.xml | 1 -
.../checks/postfix_server_denial_of_service.xml | 1 -
...tfix_server_mail_relay_for_trusted_networks.xml | 1 -
...server_mail_relay_require_tls_for_smtp_auth.xml | 1 -
...tfix_server_mail_relay_set_trusted_networks.xml | 1 -
...mail_relay_smtp_auth_for_untrusted_networks.xml | 1 -
RHEL6/input/checks/rpm_verify_hashes.xml | 1 -
RHEL6/input/checks/rpm_verify_permissions.xml | 1 -
.../checks/rsyslog_files_exist_permissions.xml | 1 -
.../input/checks/rsyslog_files_groupownership.xml | 1 -
RHEL6/input/checks/rsyslog_files_ownership.xml | 1 -
RHEL6/input/checks/rsyslog_files_permissions.xml | 1 -
RHEL6/input/checks/rsyslog_nolisten.xml | 1 -
RHEL6/input/checks/rsyslog_remote_loghost.xml | 1 -
RHEL6/input/checks/securetty_no_serial.xml | 1 -
.../checks/securetty_root_login_console_only.xml | 1 -
.../checks/selinux_all_devicefiles_labeled.xml | 1 -
.../checks/selinux_bootloader_notdisabled.xml | 1 -
RHEL6/input/checks/selinux_mode.xml | 1 -
RHEL6/input/checks/selinux_policytype.xml | 1 -
RHEL6/input/checks/service_abrtd_disabled.xml | 1 -
RHEL6/input/checks/service_acpid_disabled.xml | 1 -
RHEL6/input/checks/service_atd_disabled.xml | 1 -
RHEL6/input/checks/service_auditd_enabled.xml | 1 -
RHEL6/input/checks/service_autofs_disabled.xml | 1 -
.../input/checks/service_avahi-daemon_disabled.xml | 1 -
RHEL6/input/checks/service_bluetooth_disabled.xml | 1 -
RHEL6/input/checks/service_certmonger_disabled.xml | 1 -
RHEL6/input/checks/service_cgconfig_disabled.xml | 1 -
RHEL6/input/checks/service_cgred_disabled.xml | 1 -
RHEL6/input/checks/service_cpuspeed_disabled.xml | 1 -
RHEL6/input/checks/service_crond_enabled.xml | 1 -
RHEL6/input/checks/service_cups_disabled.xml | 1 -
RHEL6/input/checks/service_dhcpd_disabled.xml | 1 -
RHEL6/input/checks/service_dovecot_disabled.xml | 1 -
RHEL6/input/checks/service_haldaemon_disabled.xml | 1 -
RHEL6/input/checks/service_httpd_disabled.xml | 1 -
RHEL6/input/checks/service_ip6tables_enabled.xml | 1 -
RHEL6/input/checks/service_iptables_enabled.xml | 1 -
RHEL6/input/checks/service_irqbalance_enabled.xml | 1 -
RHEL6/input/checks/service_isdn_disabled.xml | 1 -
RHEL6/input/checks/service_kdump_disabled.xml | 1 -
.../input/checks/service_lvm2-monitor_enabled.xml | 1 -
RHEL6/input/checks/service_mcstrans_disabled.xml | 1 -
RHEL6/input/checks/service_mdmonitor_disabled.xml | 1 -
RHEL6/input/checks/service_messagebus_disabled.xml | 1 -
RHEL6/input/checks/service_named_disabled.xml | 1 -
RHEL6/input/checks/service_netconsole_disabled.xml | 1 -
RHEL6/input/checks/service_netfs_disabled.xml | 1 -
RHEL6/input/checks/service_network_enabled.xml | 1 -
RHEL6/input/checks/service_nfs_disabled.xml | 1 -
RHEL6/input/checks/service_nfslock_disabled.xml | 1 -
RHEL6/input/checks/service_ntpd_enabled.xml | 1 -
RHEL6/input/checks/service_ntpdate_enabled.xml | 103 --------------------
RHEL6/input/checks/service_oddjobd_disabled.xml | 1 -
.../input/checks/service_portreserve_disabled.xml | 1 -
RHEL6/input/checks/service_postfix_enabled.xml | 1 -
RHEL6/input/checks/service_psacct_enabled.xml | 1 -
RHEL6/input/checks/service_qpidd_disabled.xml | 7 +-
RHEL6/input/checks/service_quota_nld_disabled.xml | 1 -
RHEL6/input/checks/service_rdisc_disabled.xml | 1 -
RHEL6/input/checks/service_restorecond_enabled.xml | 1 -
RHEL6/input/checks/service_rexec_disabled.xml | 1 -
RHEL6/input/checks/service_rhnsd_disabled.xml | 1 -
RHEL6/input/checks/service_rhsmcertd_disabled.xml | 1 -
RHEL6/input/checks/service_rlogin_disabled.xml | 1 -
RHEL6/input/checks/service_rpcbind_disabled.xml | 1 -
RHEL6/input/checks/service_rpcgssd_disabled.xml | 1 -
RHEL6/input/checks/service_rpcidmapd_disabled.xml | 1 -
RHEL6/input/checks/service_rpcsvcgssd_disabled.xml | 1 -
RHEL6/input/checks/service_rsh_disabled.xml | 1 -
RHEL6/input/checks/service_rsyslog_enabled.xml | 1 -
RHEL6/input/checks/service_saslauthd_disabled.xml | 1 -
RHEL6/input/checks/service_sendmail_disabled.xml | 1 -
RHEL6/input/checks/service_smartd_disabled.xml | 1 -
RHEL6/input/checks/service_smb_disabled.xml | 1 -
RHEL6/input/checks/service_snmpd_disabled.xml | 1 -
RHEL6/input/checks/service_squid_disabled.xml | 1 -
RHEL6/input/checks/service_sshd_disabled.xml | 1 -
RHEL6/input/checks/service_sssd_disabled.xml | 1 -
RHEL6/input/checks/service_sysstat_disabled.xml | 1 -
RHEL6/input/checks/service_telnet_disabled.xml | 1 -
RHEL6/input/checks/service_telnetd_disabled.xml | 1 -
RHEL6/input/checks/service_tftp_disabled.xml | 1 -
RHEL6/input/checks/service_vsftpd_disabled.xml | 1 -
RHEL6/input/checks/service_xinetd_disabled.xml | 1 -
RHEL6/input/checks/service_ypbind_disabled.xml | 1 -
RHEL6/input/checks/service_ypserv_disabled.xml | 1 -
RHEL6/input/checks/singleuser_password.xml | 1 -
RHEL6/input/checks/smb_client_signing_smb_conf.xml | 1 -
RHEL6/input/checks/sshd_banner_set.xml | 1 -
RHEL6/input/checks/sshd_clientalivecountmax.xml | 1 -
.../input/checks/sshd_hostbasedauthentication.xml | 1 -
RHEL6/input/checks/sshd_idle_timeout.xml | 1 -
RHEL6/input/checks/sshd_no_user_envset.xml | 1 -
.../input/checks/sshd_permitemptypasswords_no.xml | 1 -
RHEL6/input/checks/sshd_permitrootlogin_no.xml | 1 -
RHEL6/input/checks/sshd_protocol_2.xml | 1 -
RHEL6/input/checks/sshd_rsh_emulation_disabled.xml | 1 -
RHEL6/input/checks/sshd_use_approved_ciphers.xml | 1 -
RHEL6/input/checks/sysconfig_ipv6_autoconf.xml | 1 -
RHEL6/input/checks/sysconfig_ipv6_disable.xml | 1 -
RHEL6/input/checks/sysconfig_ipv6_networking.xml | 1 -
.../sysconfig_networking_bootproto_ifcfg.xml | 1 -
.../checks/sysconfig_networking_ipv6_ifcfg.xml | 1 -
RHEL6/input/checks/sysconfig_nozeroconf_yes.xml | 1 -
RHEL6/input/checks/sysctl_kernel_exec_shield.xml | 3 +-
.../checks/sysctl_kernel_randomize_va_space.xml | 3 +-
.../sysctl_net_ipv4_conf_all_accept_redirects.xml | 1 -
...ysctl_net_ipv4_conf_all_accept_source_route.xml | 1 -
.../sysctl_net_ipv4_conf_all_log_martians.xml | 3 +-
.../checks/sysctl_net_ipv4_conf_all_rp_filter.xml | 3 +-
.../sysctl_net_ipv4_conf_all_secure_redirects.xml | 1 -
.../sysctl_net_ipv4_conf_all_send_redirects.xml | 1 -
...sctl_net_ipv4_conf_default_accept_redirects.xml | 1 -
...l_net_ipv4_conf_default_accept_source_route.xml | 1 -
.../sysctl_net_ipv4_conf_default_rp_filter.xml | 3 +-
...sctl_net_ipv4_conf_default_secure_redirects.xml | 1 -
...sysctl_net_ipv4_conf_default_send_redirects.xml | 1 -
...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml | 3 +-
..._net_ipv4_icmp_ignore_bogus_error_responses.xml | 3 +-
RHEL6/input/checks/sysctl_net_ipv4_ip_forward.xml | 3 +-
.../checks/sysctl_net_ipv4_tcp_syncookies.xml | 3 +-
.../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 1 -
.../sysctl_net_ipv6_conf_default_accept_ra.xml | 1 -
...sctl_net_ipv6_conf_default_accept_ra_defrtr.xml | 1 -
...ysctl_net_ipv6_conf_default_accept_ra_pinfo.xml | 1 -
...tl_net_ipv6_conf_default_accept_ra_rtr_pref.xml | 1 -
...sctl_net_ipv6_conf_default_accept_redirects.xml | 1 -
.../sysctl_net_ipv6_conf_default_autoconf.xml | 1 -
.../sysctl_net_ipv6_conf_default_dad_transmits.xml | 1 -
.../sysctl_net_ipv6_conf_default_max_addresses.xml | 1 -
..._net_ipv6_conf_default_router_solicitations.xml | 1 -
RHEL6/input/checks/sysctl_net_ipv6_disabled.xml | 1 -
RHEL6/input/checks/testcheck.py | 2 +-
RHEL6/input/checks/tftpd_uses_secure_mode.xml | 1 -
RHEL6/input/checks/umask_for_daemons.xml | 1 -
RHEL6/input/checks/wireless_disable_drivers.xml | 1 -
RHEL6/input/checks/wireless_disable_interfaces.xml | 1 -
RHEL6/input/checks/xwindows_remote_listening.xml | 1 -
RHEL6/input/checks/xwindows_runlevel_setting.xml | 1 -
.../checks/yum_gpgcheck_global_activation.xml | 1 -
RHEL6/input/checks/yum_gpgcheck_never_disabled.xml | 1 -
RHEL6/input/services/cron.xml | 2 +-
RHEL6/input/services/dhcp.xml | 6 +-
RHEL6/input/services/dns.xml | 14 ++-
RHEL6/input/services/imap.xml | 5 +-
RHEL6/input/services/ldap.xml | 6 +-
RHEL6/input/services/squid.xml | 4 +-
RHEL6/input/services/xorg.xml | 4 +-
RHEL6/input/system/accounts/session.xml | 2 +-
RHEL6/input/system/auditing.xml | 17 ++--
RHEL6/input/system/permissions/execution.xml | 2 +-
RHEL6/input/system/permissions/files.xml | 103 +++++++++++---------
RHEL6/input/system/permissions/mounting.xml | 2 +-
RHEL6/input/system/selinux.xml | 4 +-
RHEL6/input/system/software/updating.xml | 4 +-
RHEL6/transforms/idtranslate.py | 14 ++-
RHEL6/transforms/relabelids.py | 2 +-
RHEL6/transforms/shorthand2xccdf.xslt | 9 ++-
446 files changed, 429 insertions(+), 881 deletions(-)
create mode 100644 RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
delete mode 100644 RHEL6/input/checks/file_permissions_etc_at_allow.xml
create mode 100644 RHEL6/input/checks/file_permissions_var_log_cron.xml
delete mode 100644 RHEL6/input/checks/package_pam_ccreds_removed.xml
delete mode 100644 RHEL6/input/checks/service_ntpdate_enabled.xml
11 years, 7 months
[PATCH 0/4] removal of CCE information from OVAL templates
by Jeffrey Blank
This is being done in favor of storing CCE identifiers only in the
XCCDF Rules as idents (which made sense for a number of reasons).
Yes, these templates/scripts feel so very much like an undergraduate (or
possibly high-school) programming project. But consider the superficiality of
their operation as a benefit.
If I were starting over, I might have instead created a small dictionary of
macros in XSLT to take care of generating the significant
non-information-bearing OVAL overhead instead. This would allow for authors to
create extremely simple XML files to express the necessary information, and
also avoid the creation of any kind of parser. Maybe for RHEL 7...
Jeffrey Blank (4):
new helper scripts for making/verifying/installing templated files
removed CCE handling from scripts that create templated OVAL checks
removed CCE identifiers from template source-info files
removal of CCE info from templates for kernelmods, packages, perms,
services, sysctls
RHEL6/input/checks/templates/Makefile | 30 ++++++
RHEL6/input/checks/templates/README | 32 +++++-
.../templates/create_kernel_modules_disabled.py | 15 ++--
.../checks/templates/create_package_installed.py | 11 +--
.../checks/templates/create_package_removed.py | 10 +--
.../checks/templates/create_permission_checks.py | 9 +-
.../checks/templates/create_services_disabled.py | 6 +-
.../checks/templates/create_services_enabled.py | 6 +-
.../input/checks/templates/create_sysctl_checks.py | 5 +-
.../checks/templates/file_dir_permissions.csv | 7 +-
RHEL6/input/checks/templates/find_untemplated.py | 31 ++++++
.../checks/templates/kernel_modules_disabled.csv | 24 ++--
.../input/checks/templates/packages_installed.csv | 34 ++++---
RHEL6/input/checks/templates/packages_removed.csv | 106 ++++++++++----------
RHEL6/input/checks/templates/services_disabled.csv | 103 ++++++++++----------
RHEL6/input/checks/templates/services_enabled.csv | 24 ++--
RHEL6/input/checks/templates/sysctl_values.csv | 36 +++----
.../templates/template_kernel_module_disabled | 2 -
.../checks/templates/template_package_installed | 1 -
.../checks/templates/template_package_removed | 1 -
RHEL6/input/checks/templates/template_permissions | 1 -
.../checks/templates/template_service_disabled | 1 -
.../checks/templates/template_service_enabled | 1 -
RHEL6/input/checks/templates/template_sysctl | 1 -
24 files changed, 281 insertions(+), 216 deletions(-)
create mode 100644 RHEL6/input/checks/templates/Makefile
create mode 100755 RHEL6/input/checks/templates/find_untemplated.py
11 years, 7 months
[PATCH] Fix paths and requires in spec file.
by Spencer R. Shimko
The spec file was dropping things in /usr/local. Shift it to
/usr/share/doc/scap-security-guide-<version>.
Update Requires and BuildRequires based on perusal of apps leveraged
during build.
Signed-off-by: Spencer Shimko <sshimko(a)tresys.com>
---
scap-security-guide.spec | 15 +++++++++------
1 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/scap-security-guide.spec b/scap-security-guide.spec
index 55e22a5..0867fb1 100644
--- a/scap-security-guide.spec
+++ b/scap-security-guide.spec
@@ -12,8 +12,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildArch: %{arch}
-BuildRequires: /bin/rm, /bin/mkdir, /bin/cp
-Requires: /bin/bash, /bin/date, /usr/bin/oscap
+BuildRequires: coreutils, libxslt, expat, python
+Requires: coreutils, openscap
%description
The scap-security-guide project provides security configuration guidance in
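Review bot: `Requires: coreutils, openscap` in this hunk drops the explicit `/usr/bin/oscap` file dependency that the removed line carried; on RHEL 6 the oscap command-line tool ships in openscap-utils rather than in the openscap library package, so a host satisfying the new Requires can still lack the scanner. Suggest `Requires: coreutils, openscap-utils`, or keep `/usr/bin/oscap` as a file dependency alongside the package name.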
@@ -28,13 +28,12 @@ requirements and specific implementation guidance.
%build
cd RHEL6 && make dist
-
%install
rm -rf $RPM_BUILD_ROOT
#make install DESTDIR=$RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT/usr/local/%{name}/
+mkdir -p $RPM_BUILD_ROOT/%{_usr}/share/doc/%{name}-%{version}/
-cp -r RHEL6/dist/* $RPM_BUILD_ROOT/usr/local/%{name}/
+cp -r RHEL6/dist/* $RPM_BUILD_ROOT/%{_usr}/share/doc/%{name}-%{version}/
%clean
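Review bot: The new install path in this hunk spells out `%{_usr}/share/doc/%{name}-%{version}/` by hand instead of using `%{_docdir}/%{name}-%{version}`, and placing the whole `RHEL6/dist/*` output under the documentation tree means the XCCDF/OVAL content is omitted on installs done with `--excludedocs`; consider `%{_datadir}/%{name}` for the scan content and the doc directory only for guides. The commented-out `#make install DESTDIR=$RPM_BUILD_ROOT` line is left in place; either drop it or note why `cp -r` is used instead.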
@@ -43,10 +42,14 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(0644,root,root,0755)
-%attr(0755,root,root) /usr/local/scap-security-guide/
+%attr(0755,root,root) %{_usr}/share/doc/%{name}-%{version}/
%changelog
+* Tue Aug 28 2012 Spencer Shimko <sshimko(a)tresys.com> 1.0-4
+- Move away from using /usr/local for installation dir.
+- Fix BuildRequires and Requires.
+
* Wed Jul 3 2012 Jeffrey Blank <blank(a)eclipse.ncsc.mil> 1.0-3
- Modified install section, made description more concise.
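Review bot: The %files entry `%attr(0755,root,root) %{_usr}/share/doc/%{name}-%{version}/` applies mode 0755 to every file packaged under that directory, not only to the directory itself, so all installed XML and HTML content becomes executable and the 0644 file mode from %defattr is never used. Suggest listing the path without %attr (the 0755 directory mode in %defattr already covers the directory), or using `%dir` for the directory entry plus a separate entry for its contents. The path here should also be written with the same macro as in %install so the two cannot drift apart.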
--
1.7.1
11 years, 7 months
SP 800-53 rev3 controls in XML format
by Gary Gapinski
Would this be a useful document to use with some of the transformations?
I'm willing to create one. I think this may have previously been mentioned.
11 years, 7 months