[PATCH] Introduce new RPM versioning scheme for RHEL6 / JBossEAP content
by Jan Lieskovsky
Based on request from:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October...
also introduce the new RPM versioning scheme for RHEL6/JBossEAP5 content.
* Makefile changes:
  - retrieve necessary values from the RHEL-6 spec file,
  - organize Makefile into sections (RHEL-6 section,
    Fedora section below, custom macros definition follows,
    then Makefile targets),
  - in the 'srpm' target remove explicit setting of the following variables:
    - ARCH - not needed, defined in *.spec directly,
    - PKGNAME, VERSION, RELEASE - defined in *.spec directly,
    - VENDOR - defined in *.spec directly,
    - PACKAGER - not needed. When building in Koji, packager will be
      set automatically to "Fedora Project"; when building locally it's
      not needed (rpmlint complains when PACKAGER is set directly),
    - _sysconfdir on a RHEL-6 system is defined too (as can be double-checked
      by rpm --eval), so no need to re-define it explicitly.
* scap-security-guide.spec changes:
  - introduce 'redhatssgrelease',
  - add Vendor && BuildArch,
  - update missing %changelog records with proper entries (according
    to the git log)
* the only remaining rpmlint warning to be fixed is the exact source location.
Tests:
- a, RHEL-6 (make tarball, srpm, rpm passes), final xccdf eval passes,
  guide is generated correctly,
- b, Fedora (make fedora-{tarball, srpm, rpm}), final xccdf eval passes,
  guide is generated correctly.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
10 years, 6 months
[PATCH] [Fedora] Convert four RHEL6 rules from 'Set Password Expiration Parameters' section to Fedora
by Jan Lieskovsky
This patch converts (and includes) four existing rules from the RHEL6
'Set Password Expiration Parameters' section into Fedora.
Testing:
* all tests of make fedora-tarball, fedora-srpm, fedora-rpm have passed,
* all tests within Fedora of 'make / make validate / make validate-xml /
  make checks / make guide / make content / make eval-common' have passed
  with the proposal.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
10 years, 6 months
[PATCH 2/2] [Fedora] Introduce 'Ensure Software Security Patches Installed' rule
by Jan Lieskovsky
Introduce a rule that checks whether the underlying
Fedora system is updated with respect to recently reported
security flaws (success = all available security
updates for installed packages are installed on
the system).
It uses an SCE script to determine whether there are security
updates available, and requires the former 'ensure
yum fedora-updates.repo enabled' rule to pass first.
The proposed patch passed all testing except 'make validate' for the
rule in the Fedora directory (utils/verify-references.py
returned the following traceback):
Non-OVAL checking system found: http://open-scap.org/page/SCE
Traceback (most recent call last):
File "../utils/verify-references.py", line 184, in <module>
main()
File "../utils/verify-references.py", line 120, in main
print "Invalid OVAL definition referenced by XCCDF Rule: " + rule.get("id")
TypeError: cannot concatenate 'str' and 'NoneType' objects
make: *** [validate] Error 1
but this error message is expected / safe, since the 'security_patches_up_to_date'
rule also uses one SCE rule in its complex-check section (which is where the
'Non-OVAL checking system' warning comes from).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
10 years, 6 months
[PATCH 1/2] [Fedora] Introduce 'Ensure Yum fedora-updates Repository Enabled' rule
by Jan Lieskovsky
Introduce a rule that checks whether the fedora-updates.repo
repository is enabled.
While that repository is enabled by default, this rule
is required as a prerequisite for the upcoming 'ensure
software security patches installed' rule, because if
the fedora-updates.repo Yum repository were disabled
on a particular system (hopefully no-one is doing this),
the 'ensure software security patches installed' rule
would subsequently find there are no security updates
available, and might (wrongly) assume / return success.
This scenario is thus prevented by explicitly checking the state
of fedora-updates.repo.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
10 years, 6 months
[PATCH 0/5] new prose guide transform, editing
by Jeffrey Blank
This patchset includes edits to reach a more consistent style across
approximately the first quarter of the content. It also includes a new
transform to create a prose guide, which uses some very simple JavaScript (which
works in any browser) to show the manual checking procedures included in the
XCCDF content. The references stored inline in the XCCDF content still need QA work.
The new stylesheet wants some (very small) images, which I'll push
into output/images, assuming this all receives a positive reception.
Jeffrey Blank (5):
new transform to create custom HTML guide
use new guide transform in Makefile, fixed filename mistake
editing on prose text for software integrity/updating
editing on prose for mounting,partitioning,permissions
editing on ntp section prose
RHEL6/Makefile | 3 +-
RHEL6/input/services/ntp.xml | 32 +-
RHEL6/input/system/permissions/mounting.xml | 143 +++----
RHEL6/input/system/permissions/partitions.xml | 16 +-
RHEL6/input/system/permissions/permissions.xml | 16 +-
RHEL6/input/system/software/integrity.xml | 103 ++---
RHEL6/input/system/software/updating.xml | 31 +-
RHEL6/transforms/xccdf-removeaux.xslt | 3 +-
RHEL6/transforms/xccdf2html.xslt | 614 ++++++++++++++++++++++++
9 files changed, 757 insertions(+), 204 deletions(-)
create mode 100644 RHEL6/transforms/xccdf2html.xslt
10 years, 6 months
Small typo in Template template_kernel_module_disabled Now Fixed
by Maura Dailey
I went ahead and pushed out a tiny correction to
template_kernel_module_disabled and the affected OVAL check XML files
generated with the template. The template incorrectly pointed to
/etc/modprob.d instead of /etc/modprobe.d in a comment field. The actual
check content still pointed to the correct location.
- Maura Dailey
10 years, 6 months
workbook question
by Kordell, Luke T
Hello, I am trying to follow the SCAP workbook and I got to the rule creation portion on page 29. I've copied the code as instructed, but I'm getting an "Invalid Checklist content in out/put/unlinked-unresolved-rhel6-xccdf.xml" error. Just to make sure this wasn't an erroneous error, I checked to see if the html guide had been regenerated, and it hadn't. I am including an attachment that has the added rule at the bottom. My initial thought was that I used the guide tags incorrectly, but none of the changes I made ended up working. Any ideas of what I might be doing wrong?
Thanks!
Luke Kordell
10 years, 6 months
Remediations involving sshd_config
by Rui Pedro Bernardino
Hi all,
The remediation won't work if it appends the new option to the end of the file AND there are 'Match' rules (from sshd_config's documentation: "If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file.").
Although commented, 'Match' rules are in the default sshd_config.
For example, for "sshd_enable_warning_banner.sh", my suggestion would be:
==================================
# A Banner line already exists: rewrite it in place.
grep -q ^Banner /etc/ssh/sshd_config && \
sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
# Otherwise insert a new one before the first 'Match' block instead of
# appending it to the end of the file.
if ! [ $? -eq 0 ]; then
    # ed script: jump to the first 'Match' line, search backwards for the
    # last keyword line (starts with a capital letter), step one line
    # forward and insert the Banner line there, then write and quit.
    ed -s /etc/ssh/sshd_config <<'EOF'
/Match/
?^[A-Z]?
+
i
Banner /etc/issue
.
w
q
EOF
fi
==================================
This will add a new line, after the last keyword before the first 'Match' block (including comments). I'm ashamed to say I couldn't do it with 'sed' :(
Does it sound reasonable?
Thanks
--
Rui Pedro Bernardino
CTE2/Tecnologias e Desenvolvimento
PT Inovação
10 years, 6 months
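The failure mode Rui describes, and a Match-aware alternative to the append-at-end pattern, as an added example that is not part of the original post or of the project's own remediation scripts. It uses only POSIX sh and awk, works on a constructed sample config passed as an argument rather than on /etc/ssh/sshd_config, and the function names (first_match_line, global_banner, set_banner) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: shows why appending a Banner
# line to sshd_config is unsafe once a Match block exists, and a fix that keeps
# the directive in the global section. POSIX sh and awk only; paths are arguments.
# Line number of the first Match line, or 0. With $2 = "any" a commented
# "#Match" also counts (the conservative boundary the remediation should use).
first_match_line() {
    if [ "$2" = any ]; then re='^[[:space:]]*#?[[:space:]]*Match[[:space:]]'
    else re='^[[:space:]]*Match[[:space:]]'; fi
    awk -v re="$re" '$0 ~ re { print NR; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# Banner sshd applies to sessions that match no Match block: the first active
# Banner line before the first active Match line ("none" if there is none).
global_banner() {
    n=$(first_match_line "$1")
    awk -v n="$n" 'n > 0 && NR >= n { exit }
        /^[[:space:]]*Banner[[:space:]]/ { print $2; found = 1; exit }
        END { if (!found) print "none" }' "$1"
}

# Naive remediation (the pattern the post warns about): append at the end.
append_banner() { printf 'Banner %s\n' "$2" >> "$1"; }

# Fixed remediation: rewrite an existing global Banner, else insert one right
# before the first (even commented) Match line, or append if there is none.
set_banner() {
    n=$(first_match_line "$1" any)
    awk -v n="$n" -v b="$2" '
        (n == 0 || NR < n) && /^[[:space:]]*Banner[[:space:]]/ { print "Banner " b; done = 1; next }
        NR == n && !done { print "Banner " b; done = 1 }
        { print }
        END { if (!done) print "Banner " b }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sshd_config fragment with an active Match block at the end.
write_sample() {
    printf '%s\n' 'Port 22' '#Banner none' 'SyslogFacility AUTHPRIV' \
        'Match User anoncvs' '  X11Forwarding no' > "$1"
}

demo() {   # succeeds only if the fixed remediation yields a global banner
    f=$(mktemp)
    write_sample "$f"; append_banner "$f" /etc/issue; a=$(global_banner "$f")
    write_sample "$f"; set_banner "$f" /etc/issue;    b=$(global_banner "$f")
    rm -f "$f"
    echo "appended: $a  inserted: $b"   # appended: none  inserted: /etc/issue
    [ "$b" = /etc/issue ]
}
```

Running set_banner a second time rewrites the existing global Banner instead of adding another, so the remediation stays idempotent.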