scap-security-guide October 2013

scap-security-guide@lists.fedorahosted.org

32 participants
82 discussions

[PATCH] [Fedora] Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905)
by Jan Lieskovsky 15 Oct '13

15 Oct '13

This patch fixes Fedora scap-security-guide RPM package review comments / objections as raised in: [1] https://bugzilla.redhat.com/show_bug.cgi?id=1018905 Since it changes mainly content of Fedora/ scap-security-guide.spec (and doesn't add new SCAP content) I am going to push it immediately to be able to submit new version for another round of review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

[PATCH] [Fedora] Introduce SSG manual page. Fix previous changelog date typo. Create 0.1-2 version
by Jan Lieskovsky 14 Oct '13

14 Oct '13

The following proposal performs: * include manual page for scap-security-guide in Fedora too (fixes --w no-documentation rpmlint's warning), * fixes previous date Fedora spec's typo, * merge previous Fedora spec's changelog entries into one to create new upstream scap-security-guide-0.1-2 version (me to be able to schedule Fedora package review request). Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

1 0

[Fedora] Remove percent sign from Fedora spec's changelog to silence rpmlint warning
by Jan Lieskovsky 14 Oct '13

14 Oct '13

Remove percent sign from Fedora spec's changelog to silence one rpmlint warning that raised in between. No other change was made to the content. Pushed this change already (as I need it for other commit). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team P.S. Noticed the wrong date used. Will correct it with subsequent proposal.

1 0

[PATCH] [Fedora] Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
by Jan Lieskovsky 14 Oct '13

14 Oct '13

This proposal converts rules from RHEL6's 'Restrict Root Logins' section so they could be used on Fedora too. Depends on previous typo fix (caab207a8c8a587914d9a1b318d972bbd678896c). Common Fedora rpm Makefile rules and Fedora SSG Makefile content rules have been tested and confirmed to work properly. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 2

[PATCH] [RHEL6] Fix couple of typos in the text in 'Restrict Root Logins' document
by Jan Lieskovsky 14 Oct '13

14 Oct '13

This proposal fixes couple of text typos in the 'Restrict Root Logins' document: * replace <tt>/etc/secuetty</tt> with <tt>/etc/securetty</tt>, * s/on thesyste,/on the system,/ * s/passowrd/password/ * s/as as user can login/as user can login/ * remove couple instances of whitespace noise at the end of rows, * be consistent - globally use one space character to start new sentence (in cca 3 cases there have been two spaces). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

RE: [PATCH] New XCCDF Profile - Red Hat Certified Cloud Provider (rht-ccp)
by Dave Smith 11 Oct '13

11 Oct '13

Looks solid (and organized!)-- ack From: Shawn Wells <shawn(a)redhat.com> Date: Fri, Oct 11, 2013 at 3:54 PM Subject: [PATCH] New XCCDF Profile - Red Hat Certified Cloud Provider (rht-ccp) To: scap-security-guide(a)lists.fedorahosted.org _______________________________________________ scap-security-guide mailing list scap-security-guide(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

1 0

[PATCH] New XCCDF Profile - Red Hat Certified Cloud Provider (rht-ccp)
by Shawn Wells 11 Oct '13

11 Oct '13

1 0

OVAL signoff: Show testing procedures?
by Shawn Wells 11 Oct '13

11 Oct '13

When OVAL testing, should we show *how* we tested the OVAL? For example: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-September… IMO this helps by: - Allowing the community to remind of us niche test cases, such as the "Match" in sshd pointed out by Rui Bernardino - Documenting test cases, which someday should (will?) make their way into automated test cases I found the overhead of copy/pasting what I was doing to be incredibly minimal.

2 1

[PATCH] additional OVAL testing
by David Smith 11 Oct '13

11 Oct '13

From: David Smith <dsmith(a)eclipse.ncsc.mil> --- .../accounts_password_pam_cracklib_dcredit.xml | 1 + .../accounts_password_pam_cracklib_difok.xml | 1 + .../accounts_password_pam_cracklib_lcredit.xml | 1 + .../accounts_password_pam_cracklib_ocredit.xml | 1 + .../accounts_password_pam_cracklib_ucredit.xml | 1 + .../checks/audit_rules_file_deletion_events.xml | 1 + RHEL6/input/checks/audit_rules_media_export.xml | 1 + .../input/checks/audit_rules_sysadmin_actions.xml | 1 + RHEL6/input/checks/audit_rules_time_adjtimex.xml | 1 + .../audit_rules_unsuccessful_file_modification.xml | 1 + 10 files changed, 10 insertions(+), 0 deletions(-) diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml index 182313a..b0e13f4 100644 --- a/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml +++ b/RHEL6/input/checks/accounts_password_pam_cracklib_dcredit.xml @@ -7,6 +7,7 @@ </affected> <description>The password dcredit should meet minimum requirements using pam_cracklib</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for dcredit are satisfied" diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml index 37945cd..2aad2de 100644 --- a/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml +++ b/RHEL6/input/checks/accounts_password_pam_cracklib_difok.xml @@ -7,6 +7,7 @@ </affected> <description>The password difok should meet minimum requirements using pam_cracklib</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for difok are satisfied" diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml index f9c42f0..a4f35f0 100644 --- a/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml +++ b/RHEL6/input/checks/accounts_password_pam_cracklib_lcredit.xml @@ -7,6 +7,7 @@ </affected> <description>The password lcredit should meet minimum requirements using pam_cracklib</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for lcredit are satisfied" diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml index 8d433f4..39d106f 100644 --- a/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml +++ b/RHEL6/input/checks/accounts_password_pam_cracklib_ocredit.xml @@ -7,6 +7,7 @@ </affected> <description>The password ocredit should meet minimum requirements using pam_cracklib</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for ocredit are satisfied" diff --git a/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml b/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml index 9227167..0e2c478 100644 --- a/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml +++ b/RHEL6/input/checks/accounts_password_pam_cracklib_ucredit.xml @@ -7,6 +7,7 @@ </affected> <description>The password ucredit should meet minimum requirements using pam_cracklib</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions for ucredit are satisfied" diff --git a/RHEL6/input/checks/audit_rules_file_deletion_events.xml b/RHEL6/input/checks/audit_rules_file_deletion_events.xml index 9995642..d93d4d2 100644 --- a/RHEL6/input/checks/audit_rules_file_deletion_events.xml +++ b/RHEL6/input/checks/audit_rules_file_deletion_events.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Audit files deletion events.</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="audit file delete" test_ref="test_audit_rules_file_deletion_events" /> diff --git a/RHEL6/input/checks/audit_rules_media_export.xml b/RHEL6/input/checks/audit_rules_media_export.xml index 7019700..5adbfd2 100644 --- a/RHEL6/input/checks/audit_rules_media_export.xml +++ b/RHEL6/input/checks/audit_rules_media_export.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Audit rules that detect the mounting of filesystems should be enabled.</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="audit mount" test_ref="test_audit_rules_media_export" /> diff --git a/RHEL6/input/checks/audit_rules_sysadmin_actions.xml b/RHEL6/input/checks/audit_rules_sysadmin_actions.xml index 485f12e..081eedf 100644 --- a/RHEL6/input/checks/audit_rules_sysadmin_actions.xml +++ b/RHEL6/input/checks/audit_rules_sysadmin_actions.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Audit actions taken by system administrators on the system.</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="audit sudoers" test_ref="test_audit_rules_sysadmin_actions" /> diff --git a/RHEL6/input/checks/audit_rules_time_adjtimex.xml b/RHEL6/input/checks/audit_rules_time_adjtimex.xml index bbafe7f..ca3b631 100644 --- a/RHEL6/input/checks/audit_rules_time_adjtimex.xml +++ b/RHEL6/input/checks/audit_rules_time_adjtimex.xml @@ -8,6 +8,7 @@ </affected> <description>Record attempts to alter time through adjtimex. </description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria comment="Test for either..." operator="OR"> <criteria comment="both..." operator="AND"> diff --git a/RHEL6/input/checks/audit_rules_unsuccessful_file_modification.xml b/RHEL6/input/checks/audit_rules_unsuccessful_file_modification.xml index 424462b..c2305f3 100644 --- a/RHEL6/input/checks/audit_rules_unsuccessful_file_modification.xml +++ b/RHEL6/input/checks/audit_rules_unsuccessful_file_modification.xml @@ -8,6 +8,7 @@ </affected> <description>Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled</description> + <reference source="DS" ref_id="20131011" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> <criterion comment="audit file eacces" test_ref="test_audit_rules_unsuccessful_file_modification_eacces" /> -- 1.7.1

2 5

[PATCH] Prettied up custom stylesheet at Jeff's request
by Maura Dailey 11 Oct '13

11 Oct '13

I added more color and a few new fields that had been dropped by the transforms. The images were also replaced. Various other minor formatting changes were made. - Maura Dailey Maura Dailey (1): Made some corrections to the XSLT transforms to remedy missing fields, replaced PNG files with different images, added background colors and borders to code and header elements, created table for Security Identifiers and References (and added prefixes to references to make the source more obvious) RHEL6/output/images/collapsed.png | Bin 1075 -> 742 bytes RHEL6/output/images/expanded.png | Bin 1090 -> 1206 bytes RHEL6/transforms/xccdf2html.xslt | 249 +++++++++++++++++++++++++------------ 3 files changed, 171 insertions(+), 78 deletions(-)

2 2

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide October 2013