Adding banner messages to the list of selectors.
by Caleb Cooper
This is concerning the RHEL6 content but might also be applicable to others:
At my work, we use a different login banner than the one that the DoD uses and I would like to add content for our banner message. However, I want to do this in such a way that would be useful to other institutions. To that end, I would like to change the way the banner message OVAL checks and XCCDF content are created to allow users to add a large number of banner messages to their profiles without a lot of work. I am planning to design a script which would handle this.
However, there is currently no system in place for me to implement this. I would like this to fit with the overall design strategy of the project so please let me know how you would like me to move forward. So far I have thought of the following methods for a script to programmatically generate this content:
1. Add a folder of text files into the auxiliary folder containing all of the banners with their selector ID as file names. The script would parse these at build time and add them to the "login_banner_text" rule inside the input/systems/accounts/banners.xml file. In addition it would append the full banner message to the "set_system_login_banner" rules.
Pros:
A. This is the smallest change from the way the banner message is checked now.
B. Would require very little work or XML knowledge by the user -- as all that would be required is creating a simple text file and adding a single selector to their profile.
Cons:
A. Currently there are no scripts outside the checks/templates folder. As this does not create an OVAL check it doesn't make sense to keep it there.
2. Create a script which builds entire banner rules based on the contents of files stored in a folder in auxiliary. Therefore, rather than simply appending new messages to the "login_banner_text" and "set_system_login_banner" rules it would create entirely new rules for each banner.
Pros:
A. This would make the output of checks smaller and reduce complexity of each banner rule.
B. Would remove the need for external variables in the banner checks.
Cons:
A. This would vastly increase the size of the banner.xml file.
B. Would require changing the OVAL content logic.
C. Currently there are no scripts outside the checks/templates folder. As this does not create an OVAL check it doesn't make sense to keep it there.
3. Create a checks template script which generates OVAL content for each supplied banner instead of using the external variables from "login_banner_text".
Pros:
A. Would simplify the OVAL checks.
B. Would not require a new folder outside the current system of folders.
C. Would fit with the current system of OVAL checks most closely.
Cons:
A. Does not create any XCCDF content, requiring the user to provide this.
B. Parsing a CSV of banner messages would be problematic, so the solution would be to use separate files for each banner -- which does not fit the current system.
If you can help me pick one of these, suggest a better solution, or explain why no change should be made I would appreciate the advice.
Thanks,
Caleb Cooper
10 years, 5 months
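A sketch of the selector half of option 1 from the post above, as an added example that is not code from the post or from the SSG project. It assumes the "login_banner_text" value is matched as a regular expression, so each banner is regex-escaped with flexible whitespace; the function names and the sample banner file are hypothetical, and appending to "set_system_login_banner" is not covered.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def banner_to_pattern(text):
    """Escape regex metacharacters and match any run of whitespace between words."""
    return r"[\s\n]+".join(re.escape(word) for word in text.split())

def add_banner_selectors(value_elem, banner_dir):
    """Append <value selector="STEM"> for each STEM.txt; return the IDs added."""
    seen = {v.get("selector") for v in value_elem.findall("value")}
    added = []
    for path in sorted(Path(banner_dir).glob("*.txt")):
        selector = path.stem
        # The file name becomes an XML attribute and a profile reference,
        # so restrict it to a conservative character set (assumption).
        if not re.fullmatch(r"[A-Za-z0-9_]+", selector):
            raise ValueError(f"bad selector ID in file name: {path.name}")
        if selector in seen:
            raise ValueError(f"selector already defined: {selector}")
        text = path.read_text(encoding="utf-8").strip()
        if not text:
            raise ValueError(f"empty banner file: {path.name}")
        child = ET.SubElement(value_elem, "value", selector=selector)
        child.text = banner_to_pattern(text)
        seen.add(selector)
        added.append(selector)
    return added

def demo():
    """Build a Value element from one constructed banner file."""
    value = ET.Element("Value", id="login_banner_text", type="string")
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample banner, not any organisation's real text.
        Path(tmp, "example_org.txt").write_text(
            "Authorized use only.\nActivity is monitored (EXAMPLE).\n",
            encoding="utf-8")
        add_banner_selectors(value, tmp)
    return value

if __name__ == "__main__":
    print(ET.tostring(demo(), encoding="unicode"))
```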
Introduction
by Caleb Cooper
Hello everyone,
I have been working with the SSG for the last few months and am now confident enough to start contributing (assuming I can figure this git stuff out). I look forward to working with you all and improving this project.
Thanks for having me.
Caleb Cooper
10 years, 5 months
Fun with limits.conf
by Frank Caviggia
All,
Most of the guidance for RHEL security has suggested setting the
following in /etc/security/limits.conf:
* hard core 0
I have generally set this to:
* - core 0
Because this sets both the hard and soft limits on the system. Most SCAP
scanners are looking for very specific values there. I'm looking at
modifying the checks to pass either 'hard' or '-' for the value.
I'd also like to fix the maxlogins in the rule
(*max_concurrent_login_sessions*) in /etc/security/limits.conf to look
for the DOD default (10) and lower to satisfy the check. Security
standards are there as a baseline, why 'fail' the setting for exceeding
the baseline value?
Regards,
Frank Caviggia
--
Frank Caviggia
Consultant, Public Sector
fcaviggi(a)redhat.com
(M) (571) 295-4560
10 years, 5 months
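The check logic described in the post above (accept either 'hard' or '-' for core 0, and accept maxlogins at or below the baseline of 10), as an added example that is not the SSG OVAL content or the author's code. The function names and sample files are constructed here, and requiring every matching entry to comply is this example's own assumption.

```python
import re

# One entry: <domain> <type> <item> <value>, optional trailing comment.
ENTRY = re.compile(r"^\s*(\S+)\s+(soft|hard|-)\s+(\S+)\s+(\S+)\s*(?:#.*)?$")

# Constructed sample files, not taken from any real system.
SAMPLE_HARD = "* hard core 0\n* hard maxlogins 10\n"
SAMPLE_DASH = "# both limits at once\n*   -   core   0\n*   -   maxlogins   3\n"
SAMPLE_WEAK = "* soft core 0\n* hard maxlogins 20\n"

def parse_limits(text):
    """Return (domain, type, item, value) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = ENTRY.match(line)
        if match:
            entries.append(match.groups())
    return entries

def check_item(text, item, limit, domain="*"):
    """Pass when `domain` has a hard limit for `item` at or below `limit`.

    Type 'hard' and type '-' (hard and soft together) both set the hard limit.
    Assumption of this example: every such entry must comply, so one
    permissive line cannot hide behind a strict one.
    """
    values = [v for d, t, i, v in parse_limits(text)
              if d == domain and i == item and t in ("hard", "-")]
    if not values:
        return False  # a soft-only or missing entry does not satisfy the check
    # Compare as integers: as strings, "9" <= "10" is False.
    return all(v.isdigit() and int(v) <= limit for v in values)

def evaluate(text, max_logins=10):
    """Evaluate both settings from the post: core 0 and maxlogins <= 10."""
    return {"core": check_item(text, "core", 0),
            "maxlogins": check_item(text, "maxlogins", max_logins)}

if __name__ == "__main__":
    for name, text in [("hard", SAMPLE_HARD), ("dash", SAMPLE_DASH),
                       ("weak", SAMPLE_WEAK)]:
        print(name, evaluate(text))
```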
[PATCH] Changed gconf_gnome_screensaver_idle_delay to accept values less than or equal to desired.
by Caleb Cooper
This check was failing if the idle delay for the gnome screensaver was less than the number of minutes requested in the profile's refine-selector. I changed the datatype from string to int and the operation from equals to less than or equal. Now any value less than or equal to that requested in the profile will pass.
Caleb Cooper (1):
Changed the gconf_gnome_screensaver_idle_delay check to pass on
values less than or equal to those in the profile. This allows
users to reduce the time until the screensaver begins without
causing the test to fail.
.../checks/gconf_gnome_screensaver_idle_delay.xml | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
10 years, 5 months
CCE-27032-2
by Jeff Bachtel
I keep getting a fail on CCE-27032-2, even after rebuilding SSG from
master. The bad thing is that find / -nouser and find / -nogroup are not
finding whatever files are triggering the warning.
Is there a debug flag I should be using for more details from oscap to
track this down?
Jeff
10 years, 5 months
scan question
by Kordell, Luke T
Hello,
I recently downloaded the SCAP source code and noticed there were some additional profiles listed in the profiles folder. How can I run a scan against these profiles? For instance when trying to run a scan against the usgcb-rhel6-server.xml (after successfully using oscap xccdf validate) I get an "unknown document type" error. I think this is because I'm using the stig profile and the ssg cpe dictionary. If so, how can I add a usgcb profile and cpe dictionary to successfully scan against this profile?
Thank you for the help.
Luke Kordell
10 years, 5 months