scap-security-guide May 2013

scap-security-guide@lists.fedorahosted.org

12 participants
55 discussions

[PATCH] modified makefile to remove test attestation tags for prose output
by David Smith 20 May '13

20 May '13

--- RHEL6/Makefile | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 3e0ba59..7edef74 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -37,6 +37,7 @@ guide: shorthand2xccdf # remove auxiliary Groups which are only for use in tables, and not guide output. # specifying a nonexistent profile, "allrules," to make oscap print all Rules xsltproc -o $(OUT)/unlinked-rhel6-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel6-xccdf.xml + xsltproc -o $(OUT)/unlinked-notest-rhel6-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel6-xccdf-guide.xml oscap xccdf generate guide --profile allrules $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/rhel6-guide.html # example, if needed: for converting XCCDF into shorthand -- 1.7.1

1 0

[PATCH] third batch of several: deletion of unused OVAL checks
by Jeffrey Blank 20 May '13

20 May '13

so many vestiges of RHEL 5 or obsolete guidance still hanging around... Jeffrey Blank (1): deletion of unused OVAL checks .../accounts_no_nis_inclusions_etc_group.xml | 23 ----- RHEL6/input/checks/accounts_wheel_exists.xml | 29 ------ RHEL6/input/checks/cups_limit_browsing.xml | 23 ----- .../input/checks/file_group_owner_etc_crontab.xml | 25 ----- .../input/checks/file_owner_ldap_server_files.xml | 31 ------ .../checks/file_permissions_ldap_server_files.xml | 38 ------- RHEL6/input/checks/iptables_cupsd_disabled.xml | 41 -------- RHEL6/input/checks/iptables_icmp_disabled.xml | 105 -------------------- .../checks/network_ipv6_disable_interfaces.xml | 59 ----------- .../checks/no_shelllogin_for_systemaccounts.xml | 25 ----- .../checks/package_cronie-anacron_removed.xml | 25 ----- .../input/checks/package_isdn4k-utils_removed.xml | 25 ----- RHEL6/input/checks/package_ntpdate_installed.xml | 25 ----- RHEL6/input/checks/service_isdn_disabled.xml | 99 ------------------ RHEL6/input/checks/service_mcstrans_disabled.xml | 96 ------------------ RHEL6/input/checks/sysconfig_ipv6_autoconf.xml | 33 ------ RHEL6/input/checks/templates/packages_removed.csv | 3 - RHEL6/input/checks/templates/services_disabled.csv | 2 - 18 files changed, 0 insertions(+), 707 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_group.xml delete mode 100644 RHEL6/input/checks/accounts_wheel_exists.xml delete mode 100644 RHEL6/input/checks/cups_limit_browsing.xml delete mode 100644 RHEL6/input/checks/file_group_owner_etc_crontab.xml delete mode 100644 RHEL6/input/checks/file_owner_ldap_server_files.xml delete mode 100644 RHEL6/input/checks/file_permissions_ldap_server_files.xml delete mode 100644 RHEL6/input/checks/iptables_cupsd_disabled.xml delete mode 100644 RHEL6/input/checks/iptables_icmp_disabled.xml delete mode 100644 RHEL6/input/checks/network_ipv6_disable_interfaces.xml delete mode 100644 RHEL6/input/checks/no_shelllogin_for_systemaccounts.xml delete mode 100644 RHEL6/input/checks/package_cronie-anacron_removed.xml delete mode 100644 RHEL6/input/checks/package_isdn4k-utils_removed.xml delete mode 100644 RHEL6/input/checks/package_ntpdate_installed.xml delete mode 100644 RHEL6/input/checks/service_isdn_disabled.xml delete mode 100644 RHEL6/input/checks/service_mcstrans_disabled.xml delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_autoconf.xml

2 2

[PATCH 0/2] Fix for matching Banner Text in /etc/issue
by Maura Dailey 19 May '13

19 May '13

The existing values for <Value id="login_banner_text"> would never match anything because special characters were not escaped properly. I added backslashes where appropriate and added information to the description tag to inform future users. I also replaced line breaks and existing newlines in "dod_default" and "usgcb_default" with a regex class that would allow for multiple spaces, tabs, and newlines to increase the chances that imperfect copying and pasting from existing guidance will work correctly. More can be done to improve this even further, but it would be at the risk of severely impairing readability. It's worth pointing out that a tool like HTML tidy could potentially break these kinds of Regex checks in the future by adding line breaks in inappropriate places. Maura Dailey (2): Fixing indenting for external variable line. Added backslash escapes to the warning texts to fix the RegEx, replaced line breaks with newlines, and added some more flexible regex to handle variable spacing and newlines. RHEL6/input/checks/banner_etc_issue.xml | 2 +- RHEL6/input/system/accounts/banners.xml | 15 ++++----------- 2 files changed, 5 insertions(+), 12 deletions(-)

3 6

[PATCH] fourth batch of several: deletion of unused OVAL checks
by Jeffrey Blank 17 May '13

17 May '13

...not that many left now. These are being found by "make validate", which runs utils/verify-references.py, which has many tricks up its sleeve to find things that are amiss. Jeffrey Blank (1): removal of unused OVAL checks RHEL6/input/checks/accounts_su_wheel_only.xml | 30 ------ .../checks/cups_limit_browsing_browseaddress.xml | 41 -------- .../checks/cups_limit_browsing_browsedenyallow.xml | 54 ----------- .../checks/ensure_gpgcheck_never_disabled.xml | 26 ----- .../checks/file_groupowner_ldap_server_bdb.xml | 31 ------ RHEL6/input/checks/file_owner_ldap_server_bdb.xml | 31 ------ .../input/checks/file_ownership_samba_password.xml | 30 ------ RHEL6/input/checks/libuser_login_defs_import.xml | 31 ------ RHEL6/input/checks/network_ipv6_limit_requests.xml | 42 -------- RHEL6/input/checks/package_autofs_removed.xml | 25 ----- .../checks/package_openldap-servers_installed.xml | 25 ----- RHEL6/input/checks/package_sssd_removed.xml | 25 ----- .../input/checks/service_lvm2-monitor_enabled.xml | 99 -------------------- RHEL6/input/checks/service_network_enabled.xml | 99 -------------------- RHEL6/input/checks/service_sendmail_disabled.xml | 99 -------------------- RHEL6/input/checks/service_ypserv_disabled.xml | 99 -------------------- RHEL6/input/checks/templates/packages_removed.csv | 1 - RHEL6/input/checks/templates/services_disabled.csv | 2 - RHEL6/input/checks/templates/services_enabled.csv | 1 - 19 files changed, 0 insertions(+), 791 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_su_wheel_only.xml delete mode 100644 RHEL6/input/checks/cups_limit_browsing_browseaddress.xml delete mode 100644 RHEL6/input/checks/cups_limit_browsing_browsedenyallow.xml delete mode 100644 RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml delete mode 100644 RHEL6/input/checks/file_groupowner_ldap_server_bdb.xml delete mode 100644 RHEL6/input/checks/file_owner_ldap_server_bdb.xml delete mode 100644 RHEL6/input/checks/file_ownership_samba_password.xml delete mode 100644 RHEL6/input/checks/libuser_login_defs_import.xml delete mode 100644 RHEL6/input/checks/network_ipv6_limit_requests.xml delete mode 100644 RHEL6/input/checks/package_autofs_removed.xml delete mode 100644 RHEL6/input/checks/package_openldap-servers_installed.xml delete mode 100644 RHEL6/input/checks/package_sssd_removed.xml delete mode 100644 RHEL6/input/checks/service_lvm2-monitor_enabled.xml delete mode 100644 RHEL6/input/checks/service_network_enabled.xml delete mode 100644 RHEL6/input/checks/service_sendmail_disabled.xml delete mode 100644 RHEL6/input/checks/service_ypserv_disabled.xml

2 2

[PATCH 0/2] fifth batch of several: deletion of unused OVAL checks
by Jeffrey Blank 17 May '13

17 May '13

...and some bugfixes here, too. Jeffrey Blank (2): bugfixes for undisciplined renaming jaunt, missing OVAL references removal of unused OVAL checks .../accounts_no_nis_inclusions_etc_shadow.xml | 23 ----- .../checks/accounts_passwords_pam_tally2_deny.xml | 31 ------ .../console_device_restrict_access_server.xml | 41 -------- .../checks/file_groupowner_ldap_server_files.xml | 31 ------ RHEL6/input/checks/iptables_avahi_disabled.xml | 43 --------- .../input/checks/package_initscripts_installed.xml | 26 ----- RHEL6/input/checks/package_lvm2_installed.xml | 25 ----- RHEL6/input/checks/package_samba_removed.xml | 25 ----- RHEL6/input/checks/postfix_logging.xml | 99 -------------------- RHEL6/input/checks/restrict_serial_port_logins.xml | 2 +- ...sctl_net_ipv6_conf_default_accept_ra_defrtr.xml | 31 ------ ...ysctl_net_ipv6_conf_default_accept_ra_pinfo.xml | 31 ------ .../sysctl_net_ipv6_conf_default_autoconf.xml | 31 ------ .../sysctl_net_ipv6_conf_default_dad_transmits.xml | 31 ------ .../sysctl_net_ipv6_conf_default_max_addresses.xml | 31 ------ ..._net_ipv6_conf_default_router_solicitations.xml | 31 ------ RHEL6/input/checks/templates/packages_removed.csv | 1 - RHEL6/input/checks/templates/services_enabled.csv | 1 - RHEL6/input/services/mail.xml | 1 + RHEL6/input/system/accounts/physical.xml | 3 +- 20 files changed, 4 insertions(+), 534 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_shadow.xml delete mode 100644 RHEL6/input/checks/accounts_passwords_pam_tally2_deny.xml delete mode 100644 RHEL6/input/checks/console_device_restrict_access_server.xml delete mode 100644 RHEL6/input/checks/file_groupowner_ldap_server_files.xml delete mode 100644 RHEL6/input/checks/iptables_avahi_disabled.xml delete mode 100644 RHEL6/input/checks/package_initscripts_installed.xml delete mode 100644 RHEL6/input/checks/package_lvm2_installed.xml delete mode 100644 RHEL6/input/checks/package_samba_removed.xml delete mode 100644 RHEL6/input/checks/postfix_logging.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_defrtr.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_pinfo.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_autoconf.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_dad_transmits.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_max_addresses.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_router_solicitations.xml

1 2

[PATCH] second batch of several: deletion of unused OVAL checks
by Jeffrey Blank 17 May '13

17 May '13

... and also the commented-out vestigial XCCDF from RHEL 5 Jeffrey Blank (1): deletion of unused/obsoleted OVAL checks (and commented out XCCDF) RHEL6/input/checks/accounts_no_empty_passwords.xml | 22 ----- .../input/checks/audit_rules_record_timechange.xml | 65 ------------- .../console_device_restrict_access_desktop.xml | 41 -------- .../checks/file_permissions_ldap_server_bdb.xml | 39 -------- .../ldap_server_config_certificate_usage.xml | 78 --------------- RHEL6/input/checks/package_certmonger_removed.xml | 25 ----- RHEL6/input/checks/package_irda-utils_removed.xml | 25 ----- RHEL6/input/checks/package_openldap_removed.xml | 25 ----- RHEL6/input/checks/package_rpcbind_removed.xml | 25 ----- RHEL6/input/checks/service_rpcbind_disabled.xml | 99 -------------------- RHEL6/input/checks/templates/packages_removed.csv | 2 - RHEL6/input/checks/templates/services_disabled.csv | 1 - RHEL6/input/checks/wireless_disable_drivers.xml | 26 ----- RHEL6/input/profiles/common.xml | 1 - RHEL6/input/profiles/desktop.xml | 1 - RHEL6/input/profiles/usgcb-rhel6-server.xml | 1 - RHEL6/input/system/network/wireless.xml | 19 +---- 17 files changed, 1 insertions(+), 494 deletions(-) delete mode 100644 RHEL6/input/checks/accounts_no_empty_passwords.xml delete mode 100644 RHEL6/input/checks/audit_rules_record_timechange.xml delete mode 100644 RHEL6/input/checks/console_device_restrict_access_desktop.xml delete mode 100644 RHEL6/input/checks/file_permissions_ldap_server_bdb.xml delete mode 100644 RHEL6/input/checks/ldap_server_config_certificate_usage.xml delete mode 100644 RHEL6/input/checks/package_certmonger_removed.xml delete mode 100644 RHEL6/input/checks/package_irda-utils_removed.xml delete mode 100644 RHEL6/input/checks/package_openldap_removed.xml delete mode 100644 RHEL6/input/checks/package_rpcbind_removed.xml delete mode 100644 RHEL6/input/checks/service_rpcbind_disabled.xml delete mode 100644 RHEL6/input/checks/wireless_disable_drivers.xml

2 2

[PATCH] first batch of several: deletion of unused OVAL checks
by Jeffrey Blank 17 May '13

17 May '13

For various reasons, these OVAL checks are no longer needed. The reasons include: * changes from RHEL 5 to RHEL 6 * handling the same check in different ways in newer OVAL * handling the same check in smarter ways * not really relevant for compliance to begin with Jeffrey Blank (1): deletion of unused OVAL checks RHEL6/input/checks/banner_gui_gdm.xml | 30 ------ RHEL6/input/checks/file_permissions_etc_skel.xml | 54 ---------- .../checks/file_permissions_samba_password.xml | 36 ------- RHEL6/input/checks/package_acpid_removed.xml | 25 ----- RHEL6/input/checks/package_rsh_removed.xml | 25 ----- RHEL6/input/checks/package_vlock_installed.xml | 25 ----- RHEL6/input/checks/package_vlock_removed.xml | 25 ----- ...mail_relay_smtp_auth_for_untrusted_networks.xml | 107 -------------------- RHEL6/input/checks/selinux_enabled.xml | 20 ---- RHEL6/input/checks/service_sssd_disabled.xml | 96 ------------------ .../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 29 ------ .../input/checks/templates/packages_installed.csv | 1 - RHEL6/input/checks/templates/packages_removed.csv | 3 - RHEL6/input/checks/templates/services_disabled.csv | 1 - 14 files changed, 0 insertions(+), 477 deletions(-) delete mode 100644 RHEL6/input/checks/banner_gui_gdm.xml delete mode 100644 RHEL6/input/checks/file_permissions_etc_skel.xml delete mode 100644 RHEL6/input/checks/file_permissions_samba_password.xml delete mode 100644 RHEL6/input/checks/package_acpid_removed.xml delete mode 100644 RHEL6/input/checks/package_rsh_removed.xml delete mode 100644 RHEL6/input/checks/package_vlock_installed.xml delete mode 100644 RHEL6/input/checks/package_vlock_removed.xml delete mode 100644 RHEL6/input/checks/postfix_server_mail_relay_smtp_auth_for_untrusted_networks.xml delete mode 100644 RHEL6/input/checks/selinux_enabled.xml delete mode 100644 RHEL6/input/checks/service_sssd_disabled.xml delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml

2 2

[PATCH 0/7] editing of services
by Jeffrey Blank 17 May '13

17 May '13

Various fixups/updates, to make this closer to publishable as a guide. Jeffrey Blank (7): updates to the CCE verification script to be more informative removal of commented/obsolete items for base services changed Dovecot Rule to Group as it is guidance and not a compliance check update to NFS section (still perhaps incomplete) removal of commented text, invalid CCE from root logins guidance removal of commented/obsolete text from logging section removal of unnecessary guidance from SSL section RHEL6/input/services/base.xml | 51 --------- RHEL6/input/services/imap.xml | 9 +-- RHEL6/input/services/nfs.xml | 109 ++------------------ .../system/accounts/restrictions/root_logins.xml | 20 +--- RHEL6/input/system/logging.xml | 13 --- RHEL6/input/system/network/ssl.xml | 92 ++--------------- RHEL6/utils/verify-cce.py | 38 ++++--- 7 files changed, 46 insertions(+), 286 deletions(-)

2 8

Video preview of the OSCAP Anaconda addon
by Shawn Wells 16 May '13

16 May '13

For those following the SCAP enablement of Anaconda, a new video. This was originally posted to open-scap-list, but thought there would be interest here. -------- Original Message -------- Subject: Re: [Open-scap] Video preview of the OSCAP Anaconda addon Date: Tue, 14 May 2013 11:26:04 +0200 From: Vratislav Podzimek <vpodzime(a)redhat.com> To: open-scap-list(a)redhat.com Hello again, I've recorded another video [1] showing the current state of the addon's UI and functionality. The addon now handles not only data stream collections but also various archives (ZIPs and tarballs) containing separate files with the XCCDF benchmark with OVAL checks etc. In the UI it is now possible to switch between profiles and in case of a data stream collection content, it is also possible to switch between data streams and checklists. [1] http://vimeo.com/66085973 Enjoy the video and let me know, what you think about it! -- Vratislav Podzimek Anaconda Rider | Red Hat, Inc. | Brno - Czech Republic _______________________________________________ Open-scap-list mailing list Open-scap-list(a)redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list

4 3

disable_telnet_service
by Brian Peake 15 May '13

15 May '13

Shawn & Crew. First, wish to thank all for your efforts. It was very helpful for me, as I used the SSG to help me ensure I was ready and also as a sanity check after updates are done. We just went through our IV&V and my RHEL6 box did very well. Wanted to give some feedback after latest scan regarding the disable_telnet_service check. It is now failing with the latest SSG content w/ openscap 0.9.3 from RH. telnet is not even installed on this box (removing telnet is another STIG). I know I can ignore this, but would think a check would be done to see if it is even installed first, and only do the disable check if telnet is in fact installed. Regards, Brian

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide May 2013