April 2013 - scap-security-guide - Fedora Mailing-Lists

[PATCH 0/2] updated library file permissions check

by Jeffrey Blank

This is based on Shawn's earlier submission to the list. I have little doubt that someone else could do this in a more compact/comprehensible fashion (to the extent permitted by OVAL). But this should work. Jeffrey Blank (2): OVAL check to find library files with permissions go+w added link to new OVAL check for library perms .../input/checks/file_permissions_library_dirs.xml | 153 ++++++++++++++++++++ RHEL6/input/system/permissions/files.xml | 1 + 2 files changed, 154 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/file_permissions_library_dirs.xml

11 years

3
4
0 / 0

[PATCH 0/3] OVAL update of set_password_hashing_algorithm

by Shawn Wells

11 years

3
2
0 / 0

[PATCH 0/2] updated library ownership check

by Jeffrey Blank

This is based on Shawn's earlier post to the list. This corrects the definition ID, and also does not include the state objects (which were likely confusing the final decision). Note that the testcheck.py script writes its results to /tmp (adding "-results" to the temporary OVAL file), so this should aid in any OVAL debugging. Jeffrey Blank (2): adding reference to OVAL check for library ownership bugfixed version of library permission OVAL check RHEL6/input/checks/file_ownership_library_dirs.xml | 138 ++++++++++++++++++++ RHEL6/input/system/permissions/files.xml | 1 + 2 files changed, 139 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/file_ownership_library_dirs.xml

11 years

2
4
0 / 0

[PATCH 1/2] (resubmit) Ticket 396 - OVAL needed for file_ownership_library_dirs

by Shawn Wells

11 years

4
3
0 / 0

Re: [scap-security-guide] #174: False positive: enable_auditd_bootloader

by fedora-badges

#174: False positive: enable_auditd_bootloader ------------------------------+------------------------------------- Reporter: Logan.Rodrian@… | Owner: mnewman23 Type: defect | Status: closed Priority: major | Milestone: RHEL6 STIG OVAL Content Component: OVAL content | Version: 0.5.0-InitialDraft Resolution: worksforme | Keywords: Blocked By: | Blocking: ------------------------------+------------------------------------- Changes (by shawndwells): * cc: scap-security-guide@… (added) * status: new => closed * resolution: => worksforme Comment: [root@rhel6 checks]# grep audit=1 /etc/grub.conf (nodda) [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentCK9K2I.xml Definition oval:scap-security-guide.testing:def:247: false Evaluation done. [root@rhel6 checks]# vim /etc/grub.conf [root@rhel6 checks]# grep audit=1 /etc/grub.conf kernel /vmlinuz-2.6.32-358.2.1.el6.x86_64 ro root=/dev/mapper/vg_rhel6-lv_root rd_LVM_LV=vg_rhel6/lv_root rd_LVM_LV=vg_rhel6/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet audit=1 [root@rhel6 checks]# ./testcheck.py bootloader_audit_argument.xml Evaluating with OVAL tempfile : /tmp/bootloader_audit_argumentafOktZ.xml Definition oval:scap-security-guide.testing:def:247: true Evaluation done. Resolving as worksforme -- Ticket URL: <https://fedorahosted.org/scap-security-guide/ticket/174#comment:1> scap-security-guide <http://fedorahosted.org/scap-security-guide> scap-security-guide

11 years

3
2
0 / 0

help with OVAL transforms

by Shawn Wells

I've been going through the OVAL code and have stumped myself. The partition_for_* rules are enabled in the XCCDF profiles, yet somehow is marked as selected=false in the final output: $ grep -rin partition_for_tmp input/profiles/ input/profiles/usgcb-rhel6-server.xml:5:<select idref="partition_for_tmp" selected="true" /> input/profiles/common.xml:4:<select idref="partition_for_tmp" selected="true"/> $ grep -rin partition_for_tmp output/ssg-rhel6-xccdf.xml 43: <select idref="partition_for_tmp" selected="true"/> 259: <select idref="partition_for_tmp" selected="true"/> 500: <select idref="partition_for_tmp" selected="true"/> 720: <select idref="partition_for_tmp" selected="true"/> 946: <select idref="partition_for_tmp" selected="true"/> 1400: <Rule id="partition_for_tmp" selected="false" severity="low"> In the ssg-rhel6-xccdf.xml file, the OVAL points to oval:ssg:2741: <check-content-ref name="oval:ssg:def:2741" href="ssg-rhel6-oval.xml"/> And when I check for that in ssg-rhel6-oval.xml, it doesn't exist: $ grep -in oval:ssg:2741 output/ssg-rhel6-oval.xml (no return) When I load up ssg-rhel6-oval.xml and look for the rule, it's actually oval:ssg:def:841: <definition class="compliance" id="oval:ssg:def:841" version="1"> <metadata> <title>Ensure /tmp Located On Separate Partition</title> I started to play with relabelids.py and only made things worse. Jeff/Dave, any chance you could take a look at this?

11 years

3
3
0 / 0

[PATCH] =?UTF-8?q?[bugfix]=20Ticket=20113=20-=20RHEL6/input/checks/file=5Fgroupowner=5Fldap=5Fserver=5Ffiles.xml=20invalid=20regex

by Shawn Wells

11 years

1
0
0 / 0

Re: [scap-security-guide] #201: False positive: enable_randomize_va_space

by fedora-badges

#201: False positive: enable_randomize_va_space ------------------------------+------------------------------------- Reporter: Logan.Rodrian@… | Owner: mnewman23 Type: defect | Status: closed Priority: major | Milestone: RHEL6 STIG OVAL Content Component: OVAL content | Version: 0.5.0-InitialDraft Resolution: worksforme | Keywords: Blocked By: | Blocking: ------------------------------+------------------------------------- Changes (by shawndwells): * cc: scap-security-guide@… (added) * resolution: => worksforme * status: new => closed Comment: [root@rhel6 checks]# sysctl -w kernel.randomize_va_space=0 kernel.randomize_va_space = 0 [root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_spaceCCIFTH.xml Definition oval:scap-security-guide.testing:def:324: false Evaluation done. [root@rhel6 checks]# sysctl -w kernel.randomize_va_space=1 kernel.randomize_va_space = 1 [root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_spacefPriXs.xml Definition oval:scap-security-guide.testing:def:324: false Evaluation done. [root@rhel6 checks]# sysctl -w kernel.randomize_va_space=2 kernel.randomize_va_space = 2 [root@rhel6 checks]# ./testcheck.py sysctl_kernel_randomize_va_space.xml Evaluating with OVAL tempfile : /tmp/sysctl_kernel_randomize_va_space5oyOdN.xml Definition oval:scap-security-guide.testing:def:324: true Evaluation done. Resolving as worksforme. IIRC this behavior was fixed as a result of your ticket some time ago, however we never closed it out. Thank you for reporting! -- Ticket URL: <https://fedorahosted.org/scap-security-guide/ticket/201#comment:2> scap-security-guide <http://fedorahosted.org/scap-security-guide> scap-security-guide

11 years

1
0
0 / 0

[PATCH 3/3] Created OVAL for set_password_hashing_algorithm_libuserconf

by Shawn Wells

11 years

1
0
0 / 0

[PATCH 2/3] Created OVAL for set_password_hashing_algorithm_logindefs

by Shawn Wells

11 years

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide April 2013