[PATCH] Fix processor_type value for 32-bit systems
by Kenneth Stailey
Hi,
I found this while figuring out why audit rules that worked on
x86_64 systems were failing on i686.
Regards,
Kenneth Stailey (1):
Fix processor_type value for 32-bit systems
RHEL6/input/checks/audit_rules_record_timechange.xml | 2 +-
RHEL6/input/checks/system_info_architecture_x86.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
1.8.1.1
11 years, 3 months
[PATCH 0/2] a couple of changes
by David Smith
1) touched up some of the formatting, for consistency
2) kernel.randomize_va_space value is now "2", per earlier conversation on here
David Smith (2):
copy editing
changed kernel.randomize_va_space value to 2
.../accounts/restrictions/password_storage.xml | 4 ++--
RHEL6/input/system/permissions/execution.xml | 4 ++--
RHEL6/input/system/permissions/files.xml | 6 +++---
RHEL6/input/system/permissions/mounting.xml | 4 ++--
RHEL6/input/system/permissions/partitions.xml | 14 +++++++-------
RHEL6/input/system/software/integrity.xml | 4 ++--
6 files changed, 18 insertions(+), 18 deletions(-)
11 years, 3 months
[PATCH] added address/CIDR option to /etc/exports file
by David Smith
---
RHEL6/input/services/nfs.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml
index 0b3c139..d9f8d8f 100644
--- a/RHEL6/input/services/nfs.xml
+++ b/RHEL6/input/services/nfs.xml
@@ -410,7 +410,7 @@ Authorized hosts can be specified in several different formats:
<li>Name or alias that is recognized by the resolver</li>
<li>Fully qualified domain name</li>
<li>IP address</li>
-<li>IP subnets in the format <tt>address/netmask</tt></li>
+<li>IP subnets in the format <tt>address/netmask</tt> or <tt>address/CIDR</tt></li>
</ul>
</description>
</Group> <!-- use_acl_enforce_auth_restrictions -->
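Review bot: in the changed `<li>` the new alternative `<tt>address/CIDR</tt>` names a notation rather than the thing the user types, which reads oddly next to `<tt>address/netmask</tt>`; spell out the form instead, e.g. `<tt>address/netmask</tt> or <tt>address/prefix-length</tt> (such as <tt>/24</tt>)`, since both are written after the same slash. The rest of the hunk is unchanged description text, so no check content is affected by this patch.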
--
1.7.1
11 years, 3 months
[PATCH] Add some <fix>s
by Christopher Anderson
As requested by Shawn. I hope I understood the request correctly...
Chris
Christopher Anderson (1):
Add some <fix>s.
RHEL6/input/services/avahi.xml | 2 ++
RHEL6/input/services/base.xml | 52 +++++++++++++++++++++++++++++++++
RHEL6/input/services/cron.xml | 2 ++
RHEL6/input/services/dhcp.xml | 2 ++
RHEL6/input/services/dns.xml | 2 ++
RHEL6/input/services/ftp.xml | 2 ++
RHEL6/input/services/http.xml | 2 ++
RHEL6/input/services/imap.xml | 2 ++
RHEL6/input/services/nfs.xml | 14 +++++++++
RHEL6/input/services/obsolete.xml | 14 +++++++++
RHEL6/input/services/printing.xml | 2 ++
RHEL6/input/services/smb.xml | 2 ++
RHEL6/input/services/snmp.xml | 2 ++
RHEL6/input/services/squid.xml | 2 ++
RHEL6/input/services/ssh.xml | 2 ++
RHEL6/input/system/network/network.xml | 2 ++
RHEL6/input/system/network/wireless.xml | 2 ++
RHEL6/input/system/selinux.xml | 2 ++
18 files changed, 110 insertions(+)
--
1.7.11.7
11 years, 3 months
[RFC] Alteration RPM build process for individual subproject RPMs
by Shawn Wells
Currently we have a single RPM (scap-security-guide.rpm); however, since
there are two subprojects within the SSG, I think it makes sense to have
individual RPMs for each component.
The patch was too big for the mailing list (because of file renaming), so
I've posted it here:
http://people.redhat.com/swells/0001-RFC-Alteration-RPM-build-process-for...
The patch:
- Alters the RPM naming scheme to "ssg-{component}," e.g.:
* ssg-eap5-0.1.0.el6.noarch.rpm && ssg-eap5-0.1.0.el6.src.rpm
* ssg-rhel6-0.1-9.el6.noarch.rpm && ssg-rhel6-0.1-9.el6.src.rpm
- Provides subproject specific Makefiles in the top directory, e.g.
Makefile.eap5 and Makefile.rhel6. This will allow each project to
have their own build processes.
$ make -f Makefile.eap5 rpm
$ make -f Makefile.rhel6 all
11 years, 3 months
[PATCH] bringing colons back
by David Smith
Aside from the slight formatting changes in ipv6.xml, this was mostly periods -> colons (where appropriate).
David Smith (1):
copy editing, mostly adding colons
RHEL6/input/services/avahi.xml | 12 ++++++------
RHEL6/input/services/cron.xml | 2 +-
RHEL6/input/services/dhcp.xml | 32 ++++++++++++++++----------------
RHEL6/input/services/dns.xml | 30 +++++++++++++++---------------
RHEL6/input/services/ftp.xml | 20 ++++++++++----------
RHEL6/input/services/imap.xml | 20 ++++++++++----------
RHEL6/input/services/ldap.xml | 6 +++---
RHEL6/input/services/mail.xml | 16 ++++++++--------
RHEL6/input/services/nfs.xml | 13 +++++++------
RHEL6/input/services/ntp.xml | 4 ++--
RHEL6/input/services/obsolete.xml | 6 +++---
RHEL6/input/system/network/ipv6.xml | 8 ++++----
12 files changed, 85 insertions(+), 84 deletions(-)
11 years, 3 months
[PATCH] A few more spelling fixes.
by Christopher Anderson
There are several I dare not touch yet as they are used as identifiers (grep for "destication" and "writeable").
Chris
Christopher Anderson (2):
A few more spelling fixes.
Correct spelling for divine intervention request in spec file (diety
-> deity).
RHEL6/input/checks/audit_rules_login_events.xml | 2 +-
RHEL6/input/checks/testcheck.py | 2 +-
RHEL6/input/profiles/common.xml | 10 +++++-----
scap-security-guide.spec | 2 +-
4 files changed, 8 insertions(+), 8 deletions(-)
--
1.7.11.7
11 years, 3 months
[RFC] Some Considerations for Kernel Module Checks
by Mike Palmiotto
There was some discussion a while back about the proper method for doing
kernel module checking. (see:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2012-August/...)
The OVAL checks for disabling kernel modules are currently checking for
`install [module] /bin/true`.
I'm sure there is a reason for doing this as opposed to `install
[module] /bin/false`. Just a shot in the dark: we want the install to
fail and return as if a failure is expected? Would it make more sense
to run /bin/false, as the actual install is failing to install?
Additionally, it seems the checks are using a mixture of `install
[module] /bin/true` and `alias [module] off`. Should these be made
uniform, or is there a reason for the variation in method?
Any and all insight is greatly appreciated.
Thanks,
--Mike
11 years, 3 months
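To make the difference between the directives in the question above concrete, here is an added example (mine, not SSG content and not the poster's code) that parses modprobe.d-style configuration and reports by which directive a module is disabled. The configuration text and the function names are constructed for the example.

```python
import re

# Constructed modprobe.d-style content for this example (not from the project).
# It mixes the forms the thread mentions with a plain "blacklist" and a
# commented-out directive, and uses both '-' and '_' spellings of module names.
SAMPLE_CONF = """
# Disable unused filesystems and protocols
install cramfs /bin/true
install freevxfs /bin/false
alias net-pf-10 off
blacklist usb-storage
# install bluetooth /bin/true
install nf_conntrack /bin/true   # trailing comment
"""

# directive, module name, optional remainder of the line
_DIRECTIVE = re.compile(r"^\s*(install|alias|blacklist)\s+(\S+)(?:\s+(.*?))?\s*$")

def _canon(name):
    """modprobe treats '-' and '_' in module names as interchangeable."""
    return name.replace("-", "_")

def parse_modprobe_conf(text):
    """Return (directive, module, argument) tuples with comments stripped.
    Lines that are not install/alias/blacklist directives are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m:
            entries.append((m.group(1), _canon(m.group(2)), (m.group(3) or "").strip()))
    return entries

def disable_methods(text, module):
    """List every directive in TEXT that disables MODULE, strongest first.

    'install-true'  : modprobe runs /bin/true instead of loading; modprobe exits 0
    'install-false' : modprobe runs /bin/false; modprobe exits non-zero, so any
                      script or service that checks modprobe's status now fails
    'alias-off'     : the older form; the name is aliased to 'off' instead of
                      a real module
    'blacklist'     : only blocks alias-driven autoloading; an explicit
                      'modprobe MODULE' still loads it
    None of these unloads a module that is already loaded, and insmod(8)
    bypasses modprobe.d altogether, so a check on this file is necessary
    but not sufficient evidence that the module is not in use."""
    wanted = _canon(module)
    found = set()
    for directive, mod, arg in parse_modprobe_conf(text):
        if mod != wanted:
            continue
        if directive == "install" and arg == "/bin/true":
            found.add("install-true")
        elif directive == "install" and arg == "/bin/false":
            found.add("install-false")
        elif directive == "alias" and arg == "off":
            found.add("alias-off")
        elif directive == "blacklist":
            found.add("blacklist")
    order = ("install-true", "install-false", "alias-off", "blacklist")
    return [name for name in order if name in found]

if __name__ == "__main__":
    for mod in ("cramfs", "freevxfs", "net-pf-10", "usb_storage", "bluetooth", "nf-conntrack"):
        print(f"{mod:14s} {disable_methods(SAMPLE_CONF, mod) or ['none']}")
```

The /bin/true versus /bin/false distinction is visible to callers, not to the kernel: modprobe runs the install command in place of loading and returns its exit status, so with /bin/false every `modprobe <module>` invocation fails, including ones made by init scripts or services that check the status, while /bin/true keeps those callers working and still never loads the module. Whatever the directive, it does not unload a module already in memory, so a compliance check of modprobe.d should be paired with a look at `lsmod`.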
[PATCH] Avoid allowing negative versions of PAM parameters
by Kenneth Stailey
The checks in RHEL6/input/checks/accounts_password_pam_cracklib_[dlou]credit.xml
all permit an optional "-" in front of the value so
setting ucredit=2 in RHEL6/input/profiles/common.xml
permits ucredit=-2 in system-auth
The same is true for RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml
This change avoids unintentionally matching negative values that were not
specified in a profile.
Signed-off-by: Kenneth Stailey <kstailey.lists(a)gmail.com>
---
RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml | 2 +-
RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml | 2 +-
RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml | 2 +-
RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml | 2 +-
RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml
index 182313a..1cc6ed1 100644
--- a/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml
+++ b/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml
@@ -37,7 +37,7 @@
version="1">
<ind:path>/etc/pam.d</ind:path>
<ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]dcredit=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]dcredit=(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
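Review bot: dropping `-?` from `dcredit=(\d+)` turns a negative setting from "matched and compared" into "not matched at all", and for pam_cracklib a negative credit value is the minimum-count (stricter) form, so a system hardened with `dcredit=-1` now collects no item for this object. Before merging, confirm the profile's reference value for dcredit is non-negative, or keep the sign in the capture and reject unwanted values in the state this object feeds rather than in the pattern.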
diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml
index 37945cd..56619a7 100644
--- a/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml
+++ b/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml
@@ -25,7 +25,7 @@
<ind:textfilecontent54_object id="object_accounts_password_pam_cracklib_difok" version="1">
<ind:path>/etc/pam.d</ind:path>
<ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]difok=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]difok=(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
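Review bot: the `<ind:instance>` operator in this object is `greater than or equal` while the four credit objects in this patch use `less than or equal`; with the value `1` the former selects every matching line and the latter only the first, so either the difference is intentional and deserves a comment or the five files should agree. The pattern change itself is sound for difok, where a negative count has no meaning.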
diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml
index f9c42f0..21bef98 100644
--- a/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml
+++ b/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml
@@ -37,7 +37,7 @@
version="1">
<ind:path>/etc/pam.d</ind:path>
<ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]lcredit=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]lcredit=(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
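Review bot: the `+` line repeats the same regex as the other four files with only the option name changed; while touching all five, the redundant grouping `(?:(?:required)|(?:requisite))` can become `(?:required|requisite)` and the one-character classes `[\s]` can become `\s`, which leaves the capture as the only part that differs and makes the next diff of these patterns easier to review.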
diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml
index 8d433f4..117daaf 100644
--- a/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml
+++ b/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml
@@ -37,7 +37,7 @@
version="1">
<ind:path>/etc/pam.d</ind:path>
<ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ocredit=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ocredit=(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
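Review bot: the hunk context shows the object's `id` attribute and `version="1">` split across two lines in this file (and in dcredit, lcredit and ucredit), while the difok object keeps them on one line; since this patch already edits all five files, aligning that layout now would keep future pattern changes a one-line diff in each.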
diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml
index 9227167..fe66c2b 100644
--- a/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml
+++ b/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml
@@ -37,7 +37,7 @@
version="1">
<ind:path>/etc/pam.d</ind:path>
<ind:filename>system-auth</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(-?\d+)(?:[\s]|$)</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+[\w_\.\-=\s]+[\s]ucredit=(\d+)(?:[\s]|$)</ind:pattern>
<ind:instance datatype="int" operation="less than or equal">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
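Review bot: the commit message's example (`ucredit=2` in the profile permitting `ucredit=-2` in system-auth) is exactly the line this hunk no longer matches, but nothing in the hunk shows how a non-matching object is reported; that depends on the object's `check_existence` and the test's `check` attributes, which are outside the shown context. State in the commit message that a negative value now yields no collected item and which result the test produces from that, and cover it with a sample `ucredit=-2` line in whatever check testing the project runs.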
--
1.8.1.1
11 years, 3 months
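Added example, not the project's check content and not the poster's code: it runs the pre- and post-patch patterns from the hunks above over constructed system-auth lines to show the practical effect of dropping `-?`, then a sign-aware alternative of my own that keeps the sign and compares it against a reference value using pam_cracklib's semantics (for the credit options a negative N is a minimum count of that character class, so a more negative value is stricter; for difok a larger value is stricter). The sample lines and the function names are constructed for the example.

```python
import re

# Constructed /etc/pam.d/system-auth-style lines for the example (not from the page).
NEGATIVE_CONF = [
    "#%PAM-1.0",
    "auth        required      pam_env.so",
    "password    requisite     pam_cracklib.so try_first_pass retry=3 ucredit=-2 dcredit=-1 difok=3",
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok",
]
POSITIVE_CONF = [
    "#%PAM-1.0",
    "password    requisite     pam_cracklib.so try_first_pass retry=3 ucredit=2 dcredit=1 difok=3",
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok",
]

def oval_pattern(param, allow_negative):
    """The textfilecontent54 pattern from the patch, with the option name as a
    parameter. allow_negative=True is the pre-patch capture (-?\\d+), False the
    post-patch capture (\\d+)."""
    num = r"(-?\d+)" if allow_negative else r"(\d+)"
    return (r"^[\s]*password[\s]+(?:(?:required)|(?:requisite))[\s]+"
            r"[\w_\.\-=\s]+[\s]" + re.escape(param) + "=" + num + r"(?:[\s]|$)")

def oval_match(lines, param, allow_negative):
    """First captured value as an int, or None when no line matches. None is the
    situation the OVAL object is in after the patch when the value is negative:
    nothing is collected, so nothing is compared."""
    rx = re.compile(oval_pattern(param, allow_negative))
    for line in lines:
        m = rx.search(line)
        if m:
            return int(m.group(1))
    return None

CREDIT_OPTIONS = {"dcredit", "ucredit", "lcredit", "ocredit"}

def cracklib_option(lines, param):
    """Sign-aware alternative (my own, not the project's check): anchor on the
    pam_cracklib.so module, step over whole options so the name cannot match
    inside another option, and keep the sign so the caller can compare it."""
    rx = re.compile(r"^\s*password\s+(?:required|requisite)\s+\S*pam_cracklib\.so"
                    r"(?:\s+\S+)*?\s+" + re.escape(param) + r"=(-?\d+)(?=\s|$)")
    for line in lines:
        m = rx.search(line)
        if m:
            return int(m.group(1))
    return None

def at_least_as_strict(param, actual, required):
    """pam_cracklib semantics: for the credit options N < 0 is a minimum count
    of that character class and N >= 0 only a length credit, so a smaller value
    is always at least as strict. For difok (and minlen) a larger value is stricter."""
    if param in CREDIT_OPTIONS:
        return actual <= required
    return actual >= required

def check_policy(lines, param, required):
    """None if the option is not set at all (the check cannot pass), otherwise
    whether the configured value is at least as strict as REQUIRED."""
    actual = cracklib_option(lines, param)
    if actual is None:
        return None
    return at_least_as_strict(param, actual, required)

if __name__ == "__main__":
    for name, conf in (("negative", NEGATIVE_CONF), ("positive", POSITIVE_CONF)):
        print(name, "old pattern:", oval_match(conf, "ucredit", True),
              "new pattern:", oval_match(conf, "ucredit", False),
              "sign-aware vs ucredit=-1:", check_policy(conf, "ucredit", -1))
```

The point the two `oval_match` calls make is that the patched pattern does not reject `ucredit=-2`, it simply stops seeing it, and whether "nothing collected" is reported as a failure or an error is decided by attributes outside the pattern. Keeping the sign in the capture and doing the comparison numerically, as `check_policy` does, lets the same check accept `-2` when the policy is `-1` and reject `2`, which a digits-only pattern cannot express.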