scap-security-guide October 2013

scap-security-guide@lists.fedorahosted.org

32 participants
82 discussions

[PATCH] [RHEL6] 0.1-15.rc5: - Point the spec's source to proper remote tarball location - Modify the main Makefile to use remote tarball when building RHEL6's SRPM
by Jan Lieskovsky 26 Oct '13

26 Oct '13

This patch changes Source0 location in RHEL-6's / main SPEC file to use the remote one instead of a local one. Also changes the main Makefile, so when building SRPM the remote tarball would be retrieved first (and [S]RPM content built from it). Basic regression && sanity testing: - all of make tarball, srpm, rpm and - basic RHEL-6 make rules have passed. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team P.S.: scap-security-guide-0.1-15.rc5.tar.gz has been uploaded to upstream location: http://repos.ssgproject.org/sources/ P.S.#2: Remember when making changes in the future, the new workflow to be as follows: * make tarball * upload the new tarball to http://repos.ssgproject.org/sources/ * then make srpm / rpm etc.

2 1

[PATCH] [RHEL6] Don't include the table html files two times. Remove makewhatis (let system regenerate man db)
by Jan Lieskovsky 26 Oct '13

26 Oct '13

This patch removes duplicate inclusion of policytables HTML files in the newly generated RPM file (they are in %doc, so no need to include them under policytables/ directory too - compare output of: prev_scap-security-guide-0.1-15.rc3.el6.noarch_rpm_list_output.txt vs output of: curr_scap-security-guide-0.1-15.rc4.el6.noarch_rpm_list_output.txt It also removes call for 'makewhatis' - it's not necessary to explicitly call it after adding the new manual page. Let the system to realize new manual page got added and launch man db update automa{t,g}ically. Sanity && regression testing: - make tarball, (s)rpm passed, - common RHEL-6 Makefile targets passed too, - guide(s) is(are) generated properly and look reasonable. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

[PATCH 3/3] OVAL + bash remediation - file_permissions_etc_shadow
by Shawn Wells 26 Oct '13

26 Oct '13

1 0

[PATCH 2/3] OVAL + bash remediation update for groupowner_shadow_file
by Shawn Wells 26 Oct '13

26 Oct '13

1 0

[PATCH 1/3] OVAL update for file_owner_etc_shadow
by Shawn Wells 26 Oct '13

26 Oct '13

1 0

[PATCH 0/3] OVAL cleanup & bash remediation scripts
by Shawn Wells 26 Oct '13

26 Oct '13

1 0

Checks vs. Fixes
by Frank Caviggia 26 Oct '13

26 Oct '13

All, As a starting point for writing remediation fixes in the SSG - so, I did the following: $ ls ~/scap-security-guide/RHEL6/input/checks/*.xml | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/checks $ ls ~/scap-security-guide/RHEL6/input/fixes/*.sh | awk '{ print $1 }' | sed s/\.[^\.]*$// > ~/fixes $ sdiff ~/fixes ~/checks | less There's fair a bit of work to be done for the fix remediations... Since I'm new to the project, I was wondering if there was any ideas or standards to how the SSG should distribute some of these fixes - for example - a wholesale replacement of the audit.rules and auditd.conf might be preferable than doing piecemeal sed's. I also think the first script that needs to be run is to tar the current existing configurations (as a backup) before applying any fix just in case we do something that jacks the users modifications to the system. Anyway, just trying to get an idea of how to proceed set some goals for my contributions. Regards, Frank Caviggia -- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com (M) (571) 295-4560

9 20

STIG ID RHEL-06-000248 / SSG ID ntpd_specify_remote_server
by Steinke, Leland J Sr CTR DISA DD (US) 26 Oct '13

26 Oct '13

This Rule verifies that there is an NTP server configured in /etc/ntpd.conf. The supporting OVAL performs this check as well as verifying that ntpd is enabled, by extending RHEL-06-000247/service_ntpd_enabled. Arguments could be made that these Rules should pass or fail independently or that, if ntpd (or ntpdate) is not enabled or used, it does not matter whether a server is configured in /etc/ntpd.conf. There is a patch below my signature block to remove the dependency entirely. Regards, -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr(a)mail.mil (gov't) lsteinke(a)tapestrytech.com (com'l) 8<==================== Subject: [PATCH] remove dependency between ntpd service and /etc/ntpd.conf server configuration --- RHEL6/input/checks/ntp_remote_server.xml | 4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/RHEL6/input/checks/ntp_remote_server.xml b/RHEL6/input/checks/ntp_remote_server.xml index b630ae4..750d640 100644 --- a/RHEL6/input/checks/ntp_remote_server.xml +++ b/RHEL6/input/checks/ntp_remote_server.xml @@ -9,9 +9,7 @@ specified (and dependencies are met)</description> <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> - <criteria comment="ntpd is enabled and conditions are met" operator="AND"> - <extend_definition comment="ntpd is enabled" - definition_ref="service_ntpd_enabled" /> + <criteria comment="ntp.conf conditions are met"> <criterion test_ref="test_ntp_remote_server" /> </criteria> </definition> -- 1.7.1

3 3

selinux_all_devicefiles_labeled
by Jeff Bachtel 26 Oct '13

26 Oct '13

Getting errors running selinux_all_devicefiles_labeled check on RHEL6. I ran testcheck.py, and initially the check was barfing on all of the broken symlinks under /dev/.udev/**. I deleted all of the broken symlinks, but I'm still getting an error on one file (that does not exist) <system_data> <lin-sys:selinuxsecuritycontext_item id="1255121" status="error"> <message level="error">Can't get context for /dev/fd/6: No such file or directory </message> <lin-sys:filepath>/dev/fd/6</lin-sys:filepath> <lin-sys:path>/dev/fd</lin-sys:path> <lin-sys:filename>6</lin-sys:filename> </lin-sys:selinuxsecuritycontext_item> </system_data> Regarding the broken symlinks: should the check error out on them? Looking, the problem might occur around if ((ofts = oval_fts_open(path, filename, filepath, behaviors)) != NULL) { in OVAL/probes/unix/linux/selinuxsecuritycontext.c Regarding the search for the stray file descriptor: the check still errors out when run properly via oscap, as well. Might this be some sort of race condition with the file descriptor being opened by the probe, and disappearing before the check can get to it? I've tried manually creating the symlink for /dev/fd/6 to test, but devfs unfortunately won't let me create it. Thanks for any ideas, Jeff

2 2

Issue with PASS_MIN_DAYS validation
by wm-lists 26 Oct '13

26 Oct '13

I'm using scap-security-guide-0.1-12.el6.noarch as my source from http://people.redhat.com/swells/scap-security-guide/rpmbuild/src/redhat/RPM… Running oscap xccdf eval --profile server /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml Generates a failure for Title Set Password Minimum Age Rule password_min_age Ident CCE-27013-2 Result fail Title Set Password Maximum Age Rule password_max_age Ident CCE-26985-2 Result fail Title Set Password Strength Minimum Uppercase Characters Rule password_require_uppercases Ident CCE-26601-5 Result fail Title Set Password Strength Minimum Special Characters Rule password_require_specials Ident CCE-26409-3 Result fail Title Set Password Strength Minimum Lowercase Characters Rule password_require_lowercases Ident CCE-26631-2 Result fail Among others. I have cracklib configured what I believe is correct (according to the CCE) # grep cracklib /etc/pam.d/system-auth-ac password requisite pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4 try_first_pass retry=3 minlen=14 type= # grep PASS /etc/login.defs PASS_MAX_DAYS 180 PASS_MIN_DAYS 1 PASS_MIN_LEN 14 PASS_WARN_AGE 7 Any help on what I might be missing here? Thanks! Will

4 13

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide October 2013