scap-security-guide October 2013

scap-security-guide@lists.fedorahosted.org

32 participants
82 discussions

[PATCH] Additional OVAL testing
by Shawn Wells 02 Oct '13

02 Oct '13

..... submitting to mailing list for a private citizen, working on SSG on their own time.... who doesn't currently have access to their work EMail... > From ea29e29516e253fce13bef596fa0de219157a82a Mon Sep 17 00:00:00 2001 > From: root <root(a)localhost.localdomain> > Date: Wed, 2 Oct 2013 20:46:06 -0400 > Subject: [PATCH] OVAL testing > > --- > RHEL6/input/checks/service_auditd_enabled.xml | 1 + > RHEL6/input/checks/service_bluetooth_disabled.xml | 1 + > RHEL6/input/checks/service_netconsole_disabled.xml | 1 + > RHEL6/input/checks/service_rhnsd_disabled.xml | 1 + > RHEL6/input/checks/service_rsyslog_enabled.xml | 1 + > 5 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/RHEL6/input/checks/service_auditd_enabled.xml > b/RHEL6/input/checks/service_auditd_enabled.xml > index 382fca3..7124b8f 100644 > --- a/RHEL6/input/checks/service_auditd_enabled.xml > +++ b/RHEL6/input/checks/service_auditd_enabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The auditd service should be enabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria comment="package audit installed and service auditd is > configured to start" operator="AND"> > <extend_definition comment="audit installed" > definition_ref="package_audit_installed" /> > diff --git a/RHEL6/input/checks/service_bluetooth_disabled.xml > b/RHEL6/input/checks/service_bluetooth_disabled.xml > index c3bda7c..89818f9 100644 > --- a/RHEL6/input/checks/service_bluetooth_disabled.xml > +++ b/RHEL6/input/checks/service_bluetooth_disabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The bluetooth service should be disabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria operator="AND" comment="service bluetooth is not > configured to start"> > <criterion comment="bluetooth runlevel 0" > test_ref="test_runlevel0_bluetooth" /> > diff --git a/RHEL6/input/checks/service_netconsole_disabled.xml > b/RHEL6/input/checks/service_netconsole_disabled.xml > index cdcc544..143d496 100644 > --- a/RHEL6/input/checks/service_netconsole_disabled.xml > +++ b/RHEL6/input/checks/service_netconsole_disabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The netconsole service should be disabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria operator="AND" comment="service netconsole is not > configured to start"> > <criterion comment="netconsole runlevel 0" > test_ref="test_runlevel0_netconsole" /> > diff --git a/RHEL6/input/checks/service_rhnsd_disabled.xml > b/RHEL6/input/checks/service_rhnsd_disabled.xml > index ff0779f..316426b 100644 > --- a/RHEL6/input/checks/service_rhnsd_disabled.xml > +++ b/RHEL6/input/checks/service_rhnsd_disabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The rhnsd service should be disabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria comment="package rhnsd removed or service rhnsd is not > configured to start" operator="OR"> > <extend_definition comment="rhnsd removed" > definition_ref="package_rhnsd_removed" /> > diff --git a/RHEL6/input/checks/service_rsyslog_enabled.xml > b/RHEL6/input/checks/service_rsyslog_enabled.xml > index 05bf4c7..fad53a2 100644 > --- a/RHEL6/input/checks/service_rsyslog_enabled.xml > +++ b/RHEL6/input/checks/service_rsyslog_enabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The rsyslog service should be enabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria comment="package rsyslog installed and service rsyslog > is configured to start" operator="AND"> > <extend_definition comment="rsyslog installed" > definition_ref="package_rsyslog_installed" /> > -- > 1.7.1 >

1 1

[PATCH] additional OVAL testing
by Shawn Wells 02 Oct '13

02 Oct '13

..... submitting to mailing list for a private citizen, working on SSG on their own time.... who doesn't currently have access to their work EMail... > From b4887bddd651e814c217173c7e8e7fc45422f5aa Mon Sep 17 00:00:00 2001 > From: root <root(a)localhost.localdomain> > Date: Wed, 2 Oct 2013 22:55:46 -0400 > Subject: [PATCH] additional OVAL testing > > --- > .../input/checks/accounts_password_reuse_limit.xml | 1 + > RHEL6/input/checks/bootloader_password.xml | 1 + > RHEL6/input/checks/rsyslog_files_ownership.xml | 1 + > RHEL6/input/checks/service_abrtd_disabled.xml | 1 + > RHEL6/input/checks/service_iptables_enabled.xml | 1 + > 5 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/RHEL6/input/checks/accounts_password_reuse_limit.xml > b/RHEL6/input/checks/accounts_password_reuse_limit.xml > index 755391c..b9e5b68 100644 > --- a/RHEL6/input/checks/accounts_password_reuse_limit.xml > +++ b/RHEL6/input/checks/accounts_password_reuse_limit.xml > @@ -6,6 +6,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The passwords to remember should be set > correctly.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria> > <criterion comment="remember parameter is set to 0" > test_ref="test_accounts_password_reuse_limit" /> > diff --git a/RHEL6/input/checks/bootloader_password.xml > b/RHEL6/input/checks/bootloader_password.xml > index bd31307..6545c4d 100644 > --- a/RHEL6/input/checks/bootloader_password.xml > +++ b/RHEL6/input/checks/bootloader_password.xml > @@ -6,6 +6,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The grub boot loader should have password > protection enabled.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria> > <criterion comment="make sure a password is defined in > /etc/grub.conf" test_ref="test_bootloader_password" /> > diff --git a/RHEL6/input/checks/rsyslog_files_ownership.xml > b/RHEL6/input/checks/rsyslog_files_ownership.xml > index 05bc20e..32a2533 100644 > --- a/RHEL6/input/checks/rsyslog_files_ownership.xml > +++ b/RHEL6/input/checks/rsyslog_files_ownership.xml > @@ -8,6 +8,7 @@ > </affected> > <description>All syslog log files should be owned by the > appropriate user.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria> > <criterion comment="check if group root owns all syslog log > files" test_ref="test_rsyslog_files_ownership" /> > diff --git a/RHEL6/input/checks/service_abrtd_disabled.xml > b/RHEL6/input/checks/service_abrtd_disabled.xml > index 71c8985..f195456 100644 > --- a/RHEL6/input/checks/service_abrtd_disabled.xml > +++ b/RHEL6/input/checks/service_abrtd_disabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The abrtd service should be disabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria comment="package abrt removed or service abrtd is not > configured to start" operator="OR"> > <extend_definition comment="abrt removed" > definition_ref="package_abrt_removed" /> > diff --git a/RHEL6/input/checks/service_iptables_enabled.xml > b/RHEL6/input/checks/service_iptables_enabled.xml > index 2360686..a8c7f7d 100644 > --- a/RHEL6/input/checks/service_iptables_enabled.xml > +++ b/RHEL6/input/checks/service_iptables_enabled.xml > @@ -8,6 +8,7 @@ > <platform>Red Hat Enterprise Linux 6</platform> > </affected> > <description>The iptables service should be enabled if > possible.</description> > + <reference source="DS" ref_id="20131002" > ref_url="test_attestation" /> > </metadata> > <criteria comment="package iptables installed and service > iptables is configured to start" operator="AND"> > <extend_definition comment="iptables installed" > definition_ref="package_iptables_installed" /> > -- > 1.7.1 >

1 1

[PATCH] XCCDF: using value references in rule description for RHEL6 content
by Rui Pedro Bernardino 02 Oct '13

02 Oct '13

2 1

[PATCH] *** SUBJECT HERE ***
by Frank Caviggia 02 Oct '13

02 Oct '13

From: Frank Caviggia <fcaviggi(a)ra.iad.redhat.com> *** BLURB HERE *** Frank Caviggia (1): Added checks for 'hard' or '-' for checks in /etc/security/limits.conf RHEL6/input/checks/accounts_max_concurrent_login_sessions.xml | 2 +- RHEL6/input/checks/disable_users_coredumps.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) -- 1.8.3.1

3 4

[PATCH] Fixed typos in RHEL6/input/checks/file_ownership_binary_dirs.xml
by Caleb Cooper 02 Oct '13

02 Oct '13

*** BLURB HERE *** Caleb Cooper (1): Fixed two typos in RHEL6/input/checks/file_ownership_binary_dirs.xml. The first was inside a comment and said the check was for /lib when really it was for /bin. The second was a criterion which had an extra letter so it ended up not performing one of the checks and missed files which were owned by a user other than root. RHEL6/input/checks/file_ownership_binary_dirs.xml | 162 +++++++++++++++++++++ 1 files changed, 162 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/file_ownership_binary_dirs.xml

2 2

[PATCH 2/2] Fedora spec - replace hard-wired paths with macros. Preserve attributes when copying files.
by Jan Lieskovsky 02 Oct '13

02 Oct '13

According to: http://fedoraproject.org/wiki/Common_Rpmlint_issues hard-coded paths should be avoided in *.spec file: https://fedoraproject.org/wiki/Packaging:RPMMacros?rd=Packaging/RPMMacros Also, while copying files file attributes should be preserved: https://fedoraproject.org/wiki/Packaging:Guidelines#Timestamps Therefore fix both issues in Fedora's spec file. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 2

[PATCH 1/2] [Fedora] New rpm versioning scheme - set proper name of the build directory
by Jan Lieskovsky 02 Oct '13

02 Oct '13

Upstream commit c5229573e4b4aaf090d7bf8cfd25a40793ce0c12 introduced a change in the way how Fedora tarball is created (before it was created according to the scheme pkg_name-pkg_version.tar.gz, now it's created in pkg_name-pkg_version-fedora_ssg_release.tar.gz form). Without the attached patch it was not possible to properly generate Fedora RPM package (since %setup macro without build directory name [option -n] assumes the build directory to have a form of pkg_name-pkg_version: http://www.rpm.org/max-rpm/s1-rpm-inside-macros.html Thus fix the deficiency by setting proper name of the build directory. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 2

[PATCH] [bugfix] Updated RPM spec file
by Shawn Wells 02 Oct '13

02 Oct '13

3 3

Test
by Frank Caviggia 02 Oct '13

02 Oct '13

Test smtp settings.

2 1

Any RPM builders? request for help legitimizing EPEL RPM
by Shawn Wells 02 Oct '13

02 Oct '13

This afternoon sgrubb sent over where one could RTFM on the Fedora EPEL build system (thanks, Steve!). I was able to perform scratch builds in koji (the Fedora build system) tonight: http://koji.fedoraproject.org/koji/taskinfo?taskID=6008567 While the SSG RPM builds, several errors are thrown during rpmlint validation. The RHEL6/transforms/xccdf2table-* files need to issue proper HTML headers, e.g. "<!DOCTYPE html>" I'll be locked into meetings over the next two days, and I believe Dave & Jeff will be too. If anyone is feeling ambitious, patches to start resolving these errors would be INCREDIBLY helpful to move the project towards having a legitimate RPM in EPEL! > [shawn@localhost scap-security-guide]$ make clean ; \ > make all ; \ > rpmlint > rpmbuild/src/redhat/RPMS/noarch/scap-security-guide-0.1-12.el6.noarch.rpm > ....... > ....... > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-nistrefs.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/eap5-oval.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-cces.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/eap5-xccdf.xml > scap-security-guide.noarch: E: wrong-script-end-of-line-encoding > /usr/share/xml/scap/ssg/content/eap5-xccdf.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/eap5-cpe-dictionary.xml > scap-security-guide.noarch: E: wrong-script-end-of-line-encoding > /usr/share/xml/scap/ssg/content/eap5-cpe-dictionary.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-srgmap.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-nistrefs-common.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-srgmap-flat.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/guide/rhel6-guide.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/eap5-ocil.xml > scap-security-guide.noarch: E: wrong-script-end-of-line-encoding > /usr/share/xml/scap/ssg/content/eap5-ocil.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/guide/JBossEAP5_Guide.html > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/policytables/table-rhel6-srgmap-flat.xhtml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml > scap-security-guide.noarch: E: script-without-shebang > /usr/share/xml/scap/ssg/content/eap5-cpe-oval.xml

3 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide October 2013