scap-security-guide October 2013

scap-security-guide@lists.fedorahosted.org

32 participants
82 discussions

[PATCH] Introduce new RPM versioning scheme for RHEL6 / JBossEAP content
by Jan Lieskovsky 10 Oct '13

10 Oct '13

Based on request from: https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/0… introduce also new RPM versioning scheme also for RHEL6/JBossEAP5 content. * Makefile changes: - retrieve necessary values from RHEL-6 spec file, - organize Makefile into sections (RHEL-6 section, Fedora section below, custom macros definition follows, then Makefile targets), - in the 'srpm' target remove explicit setting of following variables: - ARCH - not needed, defined in *.spec directly, - PKGNAME, VERSION, RELEASE - defined in *.spec directly, - VENDOR - defined in *.spec directly, - PACKAGER - not needed. When building in Koji, packager will be set automatically to "Fedora Project", when building locally it's not needed (rpmlint complains when PACKAGER set up directly), - _sysconfdir on RHEL-6 system is defined too (as can be double-checked by rpm --eval), so no need to re-define it exactly. * scap-security-guide.spec changes: - introduce 'redhatssgrelease', - add Vendor && BuildArch, - update missing %changelog records with proper entries (according to the git log) * the only remaining rpmlint warning to be fixed is exact source location. Tests: - a, RHEL-6 (make tarball, srpm, rpm passes), final xccdf eval passes, guide is generated correctly, - b, Fedora (make fedora-{tarball, srpm, rpm}), final xccdf eval pass, guide is generated correctly. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

[PATCH] [Fedora] Introduce 'Accounts and Access Control Section'. Convert four RHEL-6 rules from its 'Verify Proper Storage' subsection to Fedora
by Jan Lieskovsky 10 Oct '13

10 Oct '13

This patch introduces new 'Accounts and Access Control' section for Fedora content. Also convert four existing RHEL-6 rules from 'Protect Accounts by Restricting Password-Based Login' and include them into Fedora. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

[PATCH] [Fedora] Convert four RHEL6 rules from 'Set Password Expiration Parameters' section to Fedora
by Jan Lieskovsky 10 Oct '13

10 Oct '13

This patch converts (and includes) four existing rules from RHEL6 'Set Password Expiration Parameters' section to (into) Fedora. Testing: * all tests of make fedora-tarball, fedora-srpm, fedora-rpm have passed, * all tests within Fedora of 'make / make validate / make validate-xml / make checks / make guide / make content / make eval-common' have passed with the proposal. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 1

[PATCH] [Fedora] Introduce 'Ensure SELinux Not Disabled in Currently Running Kernel' rule
by Jan Lieskovsky 10 Oct '13

10 Oct '13

Introduce new SELinux section of the guide and first rule for it - check if SELinux is enabled in currently booted kernel. Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

4 11

[PATCH 2/2] [Fedora] Introduce 'Ensure Software Security Patches Installed' rule
by Jan Lieskovsky 10 Oct '13

10 Oct '13

Introduce rule that will be checking if underlying Fedora system is updated wrt to recently reported security flaws (success = all available security updates for installed packages are installed on the system). It uses SCE script to determine if there are security updates available, and requires former 'ensure yum fedora-updates.repo enabled' rule to pass first. Proposed patch passed all testing except: make validate rule in Fedora directory (utils/verify-references.py returned following traceback): Non-OVAL checking system found: http://open-scap.org/page/SCE Traceback (most recent call last): File "../utils/verify-references.py", line 184, in <module> main() File "../utils/verify-references.py", line 120, in main print "Invalid OVAL definition referenced by XCCDF Rule: " + rule.get("id") TypeError: cannot concatenate 'str' and 'NoneType' objects make: *** [validate] Error 1 but this error message is expected / safe, since 'security_patches_up_to_date' rule uses in the complex-check section also one SCE rule (reason where 'Non-OVAL checking system' warning comes from). Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 3

[PATCH 1/2] [Fedora] Introduce 'Ensure Yum fedora-updates Repository Enabled' rule
by Jan Lieskovsky 10 Oct '13

10 Oct '13

Introduce rule that will be checking if fedora-updates.repo repository is enabled. While that repository being enabled by default, this rule is required as prerequisite for the upcoming 'ensure software security patches installed' rule - because if fedora-updates.repo Yum repository would be disabled on particular system (hopefully no-one is doing this), the 'ensure software security patches installed' rule would subsequently realize there are no security updates available, and might (wrongly) assume / return success. Thus prevent this scenario by explicitly checking state of fedora-updates.repo. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

1 1

[PATCH 0/5] new prose guide transform, editing
by Jeffrey Blank 10 Oct '13

10 Oct '13

This patchset includes edits to reach a more consistent style across approximately the first quarter of the content. It also includes a new transform to create a prose guide, which uses some very simple JavaScript (which works in any browser) to show the manual checking procedures included in the XCCDF content. The references stored inline in the XCCDF content still need QA work. The new stylesheet wants some (very small) images, which I'll push into output/images, assuming this all receives a positive reception. Jeffrey Blank (5): new transform to create custom HTML guide use new guide transform in Makefile, fixed filename mistake editing on prose text for software integrity/updating editing on prose for mounting,partitioning,permissions editing on ntp section prose RHEL6/Makefile | 3 +- RHEL6/input/services/ntp.xml | 32 +- RHEL6/input/system/permissions/mounting.xml | 143 +++---- RHEL6/input/system/permissions/partitions.xml | 16 +- RHEL6/input/system/permissions/permissions.xml | 16 +- RHEL6/input/system/software/integrity.xml | 103 ++--- RHEL6/input/system/software/updating.xml | 31 +- RHEL6/transforms/xccdf-removeaux.xslt | 3 +- RHEL6/transforms/xccdf2html.xslt | 614 ++++++++++++++++++++++++ 9 files changed, 757 insertions(+), 204 deletions(-) create mode 100644 RHEL6/transforms/xccdf2html.xslt

2 11

Small typo in Template template_kernel_module_disabled Now Fixed
by Maura Dailey 10 Oct '13

10 Oct '13

I went ahead and pushed out a tiny correction to template_kernel_module_disabled and the affected OVAL check XML files generated with the template. The template incorrectly pointed to /etc/modprob.d instead of /etc/modprobe.d in a comment field. The actual check content still pointed to the correct location. - Maura Dailey

2 1

workbook question
by Kordell, Luke T 09 Oct '13

09 Oct '13

Hello I am trying to follow the SCAP workbook and I got to the rule creation portion on page 29. I've copied the code as instructed but I'm getting an Invalid Checklist content in out/put/unlinked-unresolved-rhel6-xccdf.xml error. Just to make sure this wasn't an erroneous error I checked to see if the html guide had been regenerated and it hadn't. I am including an attachment that has the added rule at the bottom. My initial thought was that I used the guide tags incorrectly, but none of the changes I made ended up working. Any ideas of what I might be doing wrong? Thanks! Luke Kordell

3 4

Remediations involving sshd_config
by Rui Pedro Bernardino 08 Oct '13

08 Oct '13

Hi all, The remediation won't work if it appends the new option to the end of file AND there are 'Match' rules (from sshd_config's: "If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file."). Although commented, 'Match' rules are in the default sshd_config. For example, for "sshd_enable_warning_banner.sh", my suggestion would be: ================================== grep -q ^Banner /etc/ssh/sshd_config && \ sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config if ! [ $? -eq 0 ]; then ed -s /etc/ssh/sshd_config <<'EOF' /Match/ ?^[A-Z]? + i Banner /etc/issue . w q EOF fi ================================== This will add a new line, after the last keyword before the first 'Match' block (including comments). I'm ashamed to say I couldn't do it with 'sed' :( Does it sound reasonable? Thanks -- Rui Pedro Bernardino CTE2/Tecnologias e Desenvolvimento PT Inovação

3 4

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide October 2013