[PATCH 0/2] updated library file permissions check
by Jeffrey Blank
This is based on Shawn's earlier submission to the list.
I have little doubt that someone else could do this in a more
compact/comprehensible fashion (to the extent permitted by OVAL).
But this should work.
Jeffrey Blank (2):
OVAL check to find library files with permissions go+w
added link to new OVAL check for library perms
.../input/checks/file_permissions_library_dirs.xml | 153 ++++++++++++++++++++
RHEL6/input/system/permissions/files.xml | 1 +
2 files changed, 154 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/file_permissions_library_dirs.xml
11 years
[PATCH 0/2] updated library ownership check
by Jeffrey Blank
This is based on Shawn's earlier post to the list.
This corrects the definition ID, and also does not include the
state objects (which were likely confusing the final decision).
Note that the testcheck.py script writes its results to
/tmp (adding "-results" to the temporary OVAL file), so this
should aid in any OVAL debugging.
Jeffrey Blank (2):
adding reference to OVAL check for library ownership
bugfixed version of library permission OVAL check
RHEL6/input/checks/file_ownership_library_dirs.xml | 138 ++++++++++++++++++++
RHEL6/input/system/permissions/files.xml | 1 +
2 files changed, 139 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml
11 years
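The two cover letters above describe OVAL checks for library files that are group- or other-writable and library files not owned by root. The following is an added example of the same two conditions expressed as a plain Python scan (it is not the project's OVAL content or its testcheck.py script). The directory list is an assumption of this example; the actual OVAL objects may enumerate a different set.

```python
"""Added example: find library files that are group/other-writable (go+w) or
not owned by root. Illustrative code, not the scap-security-guide OVAL."""
import os
import stat

# Assumed list of library directories; the OVAL check may use a different set.
LIBRARY_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def world_or_group_writable(mode):
    """True if the mode grants write to group or other (the go+w condition)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan_library_dirs(dirs=LIBRARY_DIRS, expected_uid=0):
    """Walk dirs and return (writable, wrong_owner) lists of regular files.

    Symlinks are skipped (lstat); their targets are checked only when they
    live inside one of the scanned directories.
    """
    writable, wrong_owner = [], []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable entry
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, sockets, devices
                if world_or_group_writable(st.st_mode):
                    writable.append(path)
                if st.st_uid != expected_uid:
                    wrong_owner.append(path)
    return sorted(writable), sorted(wrong_owner)


def remediate_permissions(paths):
    """Strip group/other write bits (chmod go-w); returns the number changed."""
    changed = 0
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        new_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed += 1
    return changed


if __name__ == "__main__":
    found_writable, found_wrong_owner = scan_library_dirs()
    for p in found_writable:
        print("go+w:", p)
    for p in found_wrong_owner:
        print("not root-owned:", p)
    raise SystemExit(1 if (found_writable or found_wrong_owner) else 0)
```

The ownership check takes the expected uid as a parameter so the scan can be exercised on a scratch directory without root; on a real system leave it at 0.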
Re: [scap-security-guide] #174: False positive: enable_auditd_bootloader
by fedora-badges
#174: False positive: enable_auditd_bootloader
------------------------------+-------------------------------------
Reporter: Logan.Rodrian@… | Owner: mnewman23
Type: defect | Status: closed
Priority: major | Milestone: RHEL6 STIG OVAL Content
Component: OVAL content | Version: 0.5.0-InitialDraft
Resolution: worksforme | Keywords:
Blocked By: | Blocking:
------------------------------+-------------------------------------
Changes (by shawndwells):
* cc: scap-security-guide@… (added)
* status: new => closed
* resolution: => worksforme
Comment:
[root@rhel6 checks]# grep audit=1 /etc/grub.conf
(nodda)
[root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentCK9K2I.xml
Definition oval:scap-security-guide.testing:def:247: false
Evaluation done.
[root@rhel6 checks]# vim /etc/grub.conf
[root@rhel6 checks]# grep audit=1 /etc/grub.conf
kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet audit=1
[root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml
Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentafOktZ.xml
Definition oval:scap-security-guide.testing:def:247: true
Evaluation done.
Resolving as worksforme
--
Ticket URL: <https://fedorahosted.org/scap-security-guide/ticket/174#comment:1>
scap-security-guide <http://fedorahosted.org/scap-security-guide>
scap-security-guide
11 years
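Ticket #174 above was verified with a substring grep for audit=1 followed by a run of the OVAL check. As an added example (not the project's OVAL content), the following resolves the same condition in Python over a GRUB legacy grub.conf: every kernel line must carry audit=1 as a whole argument. Treating every kernel entry as required, and the sample grub.conf, are this example's own assumptions.

```python
"""Added example: check that every kernel line in a GRUB legacy grub.conf
carries audit=1 (the condition behind bootloader_audit_argument).
Illustrative code, not the scap-security-guide OVAL."""
import re

# Constructed sample modelled on the grep output in the ticket: the first
# entry has audit=1, the second (an older kernel) does not.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
title Red Hat Enterprise Linux (2.6.32-358.2.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rhgb quiet audit=1
        initrd /initramfs-2.6.32-358.2.1.el6.x86_64.img
title Red Hat Enterprise Linux (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rhgb quiet
        initrd /initramfs-2.6.32-358.el6.x86_64.img
"""

KERNEL_LINE = re.compile(r"^\s*kernel\s+(\S+)\s*(.*)$")


def kernel_entries(text):
    """Yield (kernel_path, [args]) for each kernel line; comment lines ignored."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KERNEL_LINE.match(line)
        if m:
            yield m.group(1), m.group(2).split()


def has_audit_arg(args):
    """True only if 'audit=1' appears as a whole argument.

    A substring match (grep audit=1) would also accept strings such as
    'audit=10' or 'noaudit=1'; comparing whole tokens avoids that.
    """
    return "audit=1" in args


def kernels_missing_audit(text):
    """Return the kernel paths whose command line lacks audit=1."""
    return [path for path, args in kernel_entries(text) if not has_audit_arg(args)]


def is_compliant(text):
    """Compliant only if at least one kernel line exists and none lacks audit=1."""
    entries = list(kernel_entries(text))
    return bool(entries) and not kernels_missing_audit(text)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/grub.conf"
    with open(path) as fh:
        conf = fh.read()
    for kernel in kernels_missing_audit(conf):
        print("missing audit=1:", kernel)
    raise SystemExit(0 if is_compliant(conf) else 1)
```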
help with OVAL transforms
by Shawn Wells
I've been going through the OVAL code and have stumped myself. The
partition_for_* rules are enabled in the XCCDF profiles, yet somehow are
marked as selected=false in the final output:
$ grep -rin partition_for_tmp input/profiles/
input/profiles/usgcb-rhel6-server.xml:5:<select idref="partition_for_tmp" selected="true" />
input/profiles/common.xml:4:<select idref="partition_for_tmp" selected="true"/>
$ grep -rin partition_for_tmp output/ssg-rhel6-xccdf.xml
43: <select idref="partition_for_tmp" selected="true"/>
259: <select idref="partition_for_tmp" selected="true"/>
500: <select idref="partition_for_tmp" selected="true"/>
720: <select idref="partition_for_tmp" selected="true"/>
946: <select idref="partition_for_tmp" selected="true"/>
1400: <Rule id="partition_for_tmp" selected="false" severity="low">
In the ssg-rhel6-xccdf.xml file, the OVAL points to oval:ssg:2741:
<check-content-ref name="oval:ssg:def:2741" href="ssg-rhel6-oval.xml"/>
And when I check for that in ssg-rhel6-oval.xml, it doesn't exist:
$ grep -in oval:ssg:2741 output/ssg-rhel6-oval.xml
(no return)
When I load up ssg-rhel6-oval.xml and look for the rule, it's actually
oval:ssg:def:841:
<definition class="compliance" id="oval:ssg:def:841" version="1">
<metadata>
<title>Ensure /tmp Located On Separate Partition</title>
I started to play with relabelids.py and only made things worse.
Jeff/Dave, any chance you could take a look at this?
11 years
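The message above tracks down a check-content-ref that names an OVAL definition id absent from the OVAL file, and does so by hand with grep and by matching titles. As an added example (not one of the project's build scripts), the following automates that cross-check: it lists dangling check-content-refs, proposes replacement ids by matching rule titles against OVAL definition titles, and resolves whether a rule is effectively selected for a given profile, since in XCCDF a Profile's select element overrides the Rule element's own selected attribute. The namespace URIs, the sample documents, and the omission of Profile extends handling are this example's assumptions.

```python
"""Added example: cross-check XCCDF check-content-refs against the OVAL file
and resolve per-profile rule selection. Not part of scap-security-guide."""
import xml.etree.ElementTree as ET

# Assumed namespaces: XCCDF 1.1 and OVAL definitions 5.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
X = "{%s}" % XCCDF_NS
O = "{%s}" % OVAL_NS

# Constructed samples modelled on the message: the profile selects the rule,
# the Rule element says selected="false", and its check-content-ref names an
# id that the OVAL file does not declare.
SAMPLE_XCCDF = """<Benchmark xmlns="%s" id="RHEL-6">
  <Profile id="common">
    <title>Common</title>
    <select idref="partition_for_tmp" selected="true"/>
  </Profile>
  <Group id="partitions">
    <Rule id="partition_for_tmp" selected="false" severity="low">
      <title>Ensure /tmp Located On Separate Partition</title>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref name="oval:ssg:def:2741" href="ssg-rhel6-oval.xml"/>
      </check>
    </Rule>
  </Group>
</Benchmark>""" % XCCDF_NS

SAMPLE_OVAL = """<oval_definitions xmlns="%s">
  <definitions>
    <definition class="compliance" id="oval:ssg:def:841" version="1">
      <metadata><title>Ensure /tmp Located On Separate Partition</title></metadata>
    </definition>
  </definitions>
</oval_definitions>""" % OVAL_NS


def oval_definition_ids(oval_xml):
    """Set of definition ids declared in the OVAL file."""
    root = ET.fromstring(oval_xml)
    return {d.get("id") for d in root.iter(O + "definition")}


def rule_check_refs(xccdf_xml):
    """Map rule id -> list of OVAL definition names cited by its check-content-refs."""
    root = ET.fromstring(xccdf_xml)
    return {rule.get("id"): [r.get("name") for r in rule.iter(X + "check-content-ref")]
            for rule in root.iter(X + "Rule")}


def dangling_refs(xccdf_xml, oval_xml):
    """Rules whose check-content-ref names no definition in the OVAL file."""
    ids = oval_definition_ids(oval_xml)
    return {rule: [n for n in names if n not in ids]
            for rule, names in rule_check_refs(xccdf_xml).items()
            if any(n not in ids for n in names)}


def suggest_by_title(xccdf_xml, oval_xml):
    """For each dangling ref, list OVAL definitions whose title equals the rule title."""
    by_title = {}
    for d in ET.fromstring(oval_xml).iter(O + "definition"):
        t = d.find("./%smetadata/%stitle" % (O, O))
        if t is not None and t.text:
            by_title.setdefault(t.text.strip(), []).append(d.get("id"))
    titles = {r.get("id"): (r.findtext(X + "title") or "").strip()
              for r in ET.fromstring(xccdf_xml).iter(X + "Rule")}
    return {rule: by_title.get(titles.get(rule, ""), [])
            for rule in dangling_refs(xccdf_xml, oval_xml)}


def effective_selection(xccdf_xml, profile_id):
    """Rule id -> selected, starting from Rule@selected (XCCDF default true)
    and applying the named profile's select elements on top."""
    root = ET.fromstring(xccdf_xml)
    selected = {r.get("id"): r.get("selected", "true") == "true"
                for r in root.iter(X + "Rule")}
    for prof in root.iter(X + "Profile"):
        if prof.get("id") != profile_id:
            continue
        for sel in prof.findall(X + "select"):
            if sel.get("idref") in selected:
                selected[sel.get("idref")] = sel.get("selected") == "true"
    return selected
```

Run it against output/ssg-rhel6-xccdf.xml and output/ssg-rhel6-oval.xml after a build; a non-empty dangling_refs result is the id mismatch the message describes, and suggest_by_title narrows it to the definition whose title matches.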
Re: [scap-security-guide] #201: False positive: enable_randomize_va_space
by fedora-badges
#201: False positive: enable_randomize_va_space
------------------------------+-------------------------------------
Reporter: Logan.Rodrian@… | Owner: mnewman23
Type: defect | Status: closed
Priority: major | Milestone: RHEL6 STIG OVAL Content
Component: OVAL content | Version: 0.5.0-InitialDraft
Resolution: worksforme | Keywords:
Blocked By: | Blocking:
------------------------------+-------------------------------------
Changes (by shawndwells):
* cc: scap-security-guide@… (added)
* resolution: => worksforme
* status: new => closed
Comment:
[root@rhel6 checks]# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0
[root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml
Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_spaceCCIFTH.xml
Definition oval:scap-security-guide.testing:def:324: false
Evaluation done.
[root@rhel6 checks]# sysctl -w kernel.randomize_va_space=1
kernel.randomize_va_space = 1
[root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml
Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_spacefPriXs.xml
Definition oval:scap-security-guide.testing:def:324: false
Evaluation done.
[root@rhel6 checks]# sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2
[root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml
Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_space5oyOdN.xml
Definition oval:scap-security-guide.testing:def:324: true
Evaluation done.
Resolving as worksforme. IIRC this behavior was fixed as a result of your
ticket some time ago, however we never closed it out. Thank you for
reporting!
--
Ticket URL: <https://fedorahosted.org/scap-security-guide/ticket/201#comment:2>
scap-security-guide <http://fedorahosted.org/scap-security-guide>
scap-security-guide
11 years
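The ticket above sets the value with sysctl -w, which changes only the running kernel; the setting in /etc/sysctl.conf is what survives a reboot. As an added example (not the project's OVAL content), the following evaluates kernel.randomize_va_space against both the live value and the persisted file, passing only when both are 2. Requiring the persisted file as well as the runtime value is this example's own choice, and the sample sysctl.conf is constructed.

```python
"""Added example: check kernel.randomize_va_space at runtime (/proc/sys) and
as persisted in /etc/sysctl.conf. Illustrative code, not the project's OVAL."""
import re

REQUIRED = 2
KEY = "kernel.randomize_va_space"

# Constructed sample of /etc/sysctl.conf: a commented-out entry, then two
# real ones. The last occurrence wins, as sysctl -p applies lines in order.
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
#kernel.randomize_va_space = 0
kernel.randomize_va_space=1
kernel.randomize_va_space = 2
"""

SETTING = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text):
    """Return {key: value}; comments and blanks skipped, last occurrence wins.
    Keys written with '/' separators are normalised to the dotted form."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SETTING.match(line)
        if m:
            values[m.group(1).replace("/", ".")] = m.group(2)
    return values


def runtime_value(proc_root="/proc/sys"):
    """Live value from /proc/sys; None if unreadable (e.g. not on Linux)."""
    try:
        with open("%s/%s" % (proc_root, KEY.replace(".", "/"))) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def evaluate(runtime, conf_text):
    """Pass only if both the runtime and the persisted value equal REQUIRED."""
    raw = parse_sysctl_conf(conf_text).get(KEY)
    try:
        persisted = int(raw) if raw is not None else None
    except ValueError:
        persisted = None  # malformed value counts as not set
    return {"runtime_ok": runtime == REQUIRED,
            "persisted_ok": persisted == REQUIRED,
            "pass": runtime == REQUIRED and persisted == REQUIRED}


if __name__ == "__main__":
    with open("/etc/sysctl.conf") as fh:
        result = evaluate(runtime_value(), fh.read())
    print(result)
    raise SystemExit(0 if result["pass"] else 1)
```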