[PATCH] modified makefile to remove test attestation tags for prose output
by David Smith
---
RHEL6/Makefile | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/RHEL6/Makefile b/RHEL6/Makefile
index 3e0ba59..7edef74 100644
--- a/RHEL6/Makefile
+++ b/RHEL6/Makefile
@@ -37,6 +37,7 @@ guide: shorthand2xccdf
# remove auxiliary Groups which are only for use in tables, and not guide output.
# specifying a nonexistent profile, "allrules," to make oscap print all Rules
xsltproc -o $(OUT)/unlinked-rhel6-xccdf-guide.xml $(TRANS)/xccdf-removeaux.xslt $(OUT)/unlinked-rhel6-xccdf.xml
+ xsltproc -o $(OUT)/unlinked-notest-rhel6-xccdf-guide.xml $(TRANS)/xccdf-removetested.xslt $(OUT)/unlinked-rhel6-xccdf-guide.xml
oscap xccdf generate guide --profile allrules $(OUT)/unlinked-rhel6-xccdf-guide.xml > $(OUT)/rhel6-guide.html
# example, if needed: for converting XCCDF into shorthand
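Review bot: the file produced by the added xsltproc line, $(OUT)/unlinked-notest-rhel6-xccdf-guide.xml, is never read: the oscap line directly after it still generates $(OUT)/rhel6-guide.html from $(OUT)/unlinked-rhel6-xccdf-guide.xml, so the prose output keeps the tags the subject says are removed. Either feed the new file to oscap (`oscap xccdf generate guide --profile allrules $(OUT)/unlinked-notest-rhel6-xccdf-guide.xml > $(OUT)/rhel6-guide.html`) or add a second oscap invocation for a separate notest guide, and extend the comment above the hunk, which still describes only the removeaux step. xccdf-removetested.xslt is not part of this one-file patch; confirm it already exists under $(TRANS), otherwise the guide target fails.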
--
1.7.1
10 years, 11 months
[PATCH] third batch of several: deletion of unused OVAL checks
by Jeffrey Blank
so many vestiges of RHEL 5 or obsolete guidance still hanging around...
Jeffrey Blank (1):
deletion of unused OVAL checks
.../accounts_no_nis_inclusions_etc_group.xml | 23 -----
RHEL6/input/checks/accounts_wheel_exists.xml | 29 ------
RHEL6/input/checks/cups_limit_browsing.xml | 23 -----
.../input/checks/file_group_owner_etc_crontab.xml | 25 -----
.../input/checks/file_owner_ldap_server_files.xml | 31 ------
.../checks/file_permissions_ldap_server_files.xml | 38 -------
RHEL6/input/checks/iptables_cupsd_disabled.xml | 41 --------
RHEL6/input/checks/iptables_icmp_disabled.xml | 105 --------------------
.../checks/network_ipv6_disable_interfaces.xml | 59 -----------
.../checks/no_shelllogin_for_systemaccounts.xml | 25 -----
.../checks/package_cronie-anacron_removed.xml | 25 -----
.../input/checks/package_isdn4k-utils_removed.xml | 25 -----
RHEL6/input/checks/package_ntpdate_installed.xml | 25 -----
RHEL6/input/checks/service_isdn_disabled.xml | 99 ------------------
RHEL6/input/checks/service_mcstrans_disabled.xml | 96 ------------------
RHEL6/input/checks/sysconfig_ipv6_autoconf.xml | 33 ------
RHEL6/input/checks/templates/packages_removed.csv | 3 -
RHEL6/input/checks/templates/services_disabled.csv | 2 -
18 files changed, 0 insertions(+), 707 deletions(-)
delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_group.xml
delete mode 100644 RHEL6/input/checks/accounts_wheel_exists.xml
delete mode 100644 RHEL6/input/checks/cups_limit_browsing.xml
delete mode 100644 RHEL6/input/checks/file_group_owner_etc_crontab.xml
delete mode 100644 RHEL6/input/checks/file_owner_ldap_server_files.xml
delete mode 100644 RHEL6/input/checks/file_permissions_ldap_server_files.xml
delete mode 100644 RHEL6/input/checks/iptables_cupsd_disabled.xml
delete mode 100644 RHEL6/input/checks/iptables_icmp_disabled.xml
delete mode 100644 RHEL6/input/checks/network_ipv6_disable_interfaces.xml
delete mode 100644 RHEL6/input/checks/no_shelllogin_for_systemaccounts.xml
delete mode 100644 RHEL6/input/checks/package_cronie-anacron_removed.xml
delete mode 100644 RHEL6/input/checks/package_isdn4k-utils_removed.xml
delete mode 100644 RHEL6/input/checks/package_ntpdate_installed.xml
delete mode 100644 RHEL6/input/checks/service_isdn_disabled.xml
delete mode 100644 RHEL6/input/checks/service_mcstrans_disabled.xml
delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_autoconf.xml
[PATCH 0/2] Fix for matching Banner Text in /etc/issue
by Maura Dailey
The existing values for <Value id="login_banner_text"> would never match anything because special
characters were not escaped properly. I added backslashes where appropriate and added information
to the description tag to inform future users. I also replaced line breaks and existing newlines
in "dod_default" and "usgcb_default" with a regex class that would allow for multiple spaces, tabs,
and newlines to increase the chances that imperfect copying and pasting from existing guidance will
work correctly. More can be done to improve this even further, but it would be at the risk of severely
impairing readability.
It's worth pointing out that a tool like HTML tidy could potentially break these kinds of Regex
checks in the future by adding line breaks in inappropriate places.
Maura Dailey (2):
Fixing indenting for external variable line.
Added backslash escapes to the warning texts to fix the RegEx,
replaced line breaks with newlines, and added some more flexible
regex to handle variable spacing and newlines.
RHEL6/input/checks/banner_etc_issue.xml | 2 +-
RHEL6/input/system/accounts/banners.xml | 15 ++++-----------
2 files changed, 5 insertions(+), 12 deletions(-)
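Worked illustration of the escaping described in the message above (added here; it is not the SSG content and not Maura's patch): the banner text is turned into a pattern by escaping each word's regex metacharacters and joining the words with \s+, which accepts whatever mix of spaces, tabs and newlines ended up in /etc/issue. The banner text and the /etc/issue variants below are constructed, shortened stand-ins rather than the DoD or USGCB wording, and Python's re module stands in for OVAL's Perl-style pattern match.

```python
import re

# Constructed, shortened stand-in for a login banner (not the real DoD/USGCB text).
BANNER_TEXT = (
    "You are accessing a U.S. Government (USG) Information System (IS) that is\n"
    "provided for USG-authorized use only. By using this IS (which includes any\n"
    "device attached to this IS), you consent to the following conditions:"
)

def naive_pattern(text):
    """The failure mode the patch describes: banner text used verbatim as a
    regex, so '(USG)' becomes a capture group and '.' a wildcard."""
    return text

def banner_pattern(text):
    """Escape every regex metacharacter in each word, then join the words with
    \\s+ so any run of spaces, tabs and newlines in /etc/issue is accepted."""
    return r"\s+".join(re.escape(word) for word in text.split())

def banner_matches(pattern, issue_contents):
    """Emulates an OVAL textfilecontent pattern match: a search, not a full match."""
    return re.search(pattern, issue_contents) is not None

# Constructed /etc/issue variants: same words, imperfect copy-and-paste whitespace.
ISSUE_EXACT = BANNER_TEXT + "\n"
ISSUE_REWRAPPED = (
    "You are accessing a U.S. Government (USG) Information System\n"
    "(IS) that is provided for USG-authorized use only.  By using this IS\n"
    "\t(which includes any device attached to this IS), you consent to the\n"
    "following conditions:\n"
)
# A banner whose wording differs must still be rejected.
ISSUE_ALTERED = ISSUE_REWRAPPED.replace("USG-authorized", "USG authorised")

def results():
    """Match outcomes for the unescaped and the escaped pattern."""
    naive = naive_pattern(BANNER_TEXT)
    fixed = banner_pattern(BANNER_TEXT)
    return {
        "naive_on_exact": banner_matches(naive, ISSUE_EXACT),        # False: '(USG)' is a group
        "fixed_on_exact": banner_matches(fixed, ISSUE_EXACT),        # True
        "fixed_on_rewrapped": banner_matches(fixed, ISSUE_REWRAPPED),  # True: whitespace is flexible
        "fixed_on_altered": banner_matches(fixed, ISSUE_ALTERED),    # False: wording changed
    }

if __name__ == "__main__":
    print(banner_pattern(BANNER_TEXT))
    for name, ok in results().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```

The unescaped pattern fails even against a byte-for-byte copy of the banner, because the parentheses are parsed as groups; the escaped pattern still rejects a banner whose words differ, so the flexibility is confined to whitespace.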
[PATCH] fourth batch of several: deletion of unused OVAL checks
by Jeffrey Blank
...not that many left now.
These are being found by "make validate", which
runs utils/verify-references.py, which has many tricks
up its sleeve to find things that are amiss.
Jeffrey Blank (1):
removal of unused OVAL checks
RHEL6/input/checks/accounts_su_wheel_only.xml | 30 ------
.../checks/cups_limit_browsing_browseaddress.xml | 41 --------
.../checks/cups_limit_browsing_browsedenyallow.xml | 54 -----------
.../checks/ensure_gpgcheck_never_disabled.xml | 26 -----
.../checks/file_groupowner_ldap_server_bdb.xml | 31 ------
RHEL6/input/checks/file_owner_ldap_server_bdb.xml | 31 ------
.../input/checks/file_ownership_samba_password.xml | 30 ------
RHEL6/input/checks/libuser_login_defs_import.xml | 31 ------
RHEL6/input/checks/network_ipv6_limit_requests.xml | 42 --------
RHEL6/input/checks/package_autofs_removed.xml | 25 -----
.../checks/package_openldap-servers_installed.xml | 25 -----
RHEL6/input/checks/package_sssd_removed.xml | 25 -----
.../input/checks/service_lvm2-monitor_enabled.xml | 99 --------------------
RHEL6/input/checks/service_network_enabled.xml | 99 --------------------
RHEL6/input/checks/service_sendmail_disabled.xml | 99 --------------------
RHEL6/input/checks/service_ypserv_disabled.xml | 99 --------------------
RHEL6/input/checks/templates/packages_removed.csv | 1 -
RHEL6/input/checks/templates/services_disabled.csv | 2 -
RHEL6/input/checks/templates/services_enabled.csv | 1 -
19 files changed, 0 insertions(+), 791 deletions(-)
delete mode 100644 RHEL6/input/checks/accounts_su_wheel_only.xml
delete mode 100644 RHEL6/input/checks/cups_limit_browsing_browseaddress.xml
delete mode 100644 RHEL6/input/checks/cups_limit_browsing_browsedenyallow.xml
delete mode 100644 RHEL6/input/checks/ensure_gpgcheck_never_disabled.xml
delete mode 100644 RHEL6/input/checks/file_groupowner_ldap_server_bdb.xml
delete mode 100644 RHEL6/input/checks/file_owner_ldap_server_bdb.xml
delete mode 100644 RHEL6/input/checks/file_ownership_samba_password.xml
delete mode 100644 RHEL6/input/checks/libuser_login_defs_import.xml
delete mode 100644 RHEL6/input/checks/network_ipv6_limit_requests.xml
delete mode 100644 RHEL6/input/checks/package_autofs_removed.xml
delete mode 100644 RHEL6/input/checks/package_openldap-servers_installed.xml
delete mode 100644 RHEL6/input/checks/package_sssd_removed.xml
delete mode 100644 RHEL6/input/checks/service_lvm2-monitor_enabled.xml
delete mode 100644 RHEL6/input/checks/service_network_enabled.xml
delete mode 100644 RHEL6/input/checks/service_sendmail_disabled.xml
delete mode 100644 RHEL6/input/checks/service_ypserv_disabled.xml
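To show what a reference check of the kind "make validate" performs can catch, here is an added example (my own illustration, not utils/verify-references.py): it parses a constructed XCCDF fragment, collects the OVAL definition ids that live Rules reference through check-content-ref, and compares them with a constructed list of check file names, reporting checks no Rule uses and references with no file behind them. Commented-out Rules are invisible to the XML parser, which is why vestigial XCCDF in comments does not keep a check alive. The oval:ssg:def: id prefix, the convention that a check's file stem equals its definition id, and the sample contents are assumptions.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed XCCDF fragment (not the SSG benchmark). One Rule is commented out,
# one Rule references an OVAL definition that has no check file.
SAMPLE_XCCDF = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="sample">
  <Group id="services">
    <Rule id="service_telnet_disabled">
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="oval.xml" name="oval:ssg:def:service_telnet_disabled"/>
      </check>
    </Rule>
    <!--
    <Rule id="service_rpcbind_disabled">
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="oval.xml" name="oval:ssg:def:service_rpcbind_disabled"/>
      </check>
    </Rule>
    -->
    <Rule id="package_telnet-server_removed">
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="oval.xml" name="oval:ssg:def:package_telnet-server_removed"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed stand-in for a directory listing of check files (assumed: stem == definition id).
CHECK_FILES = [
    "service_telnet_disabled.xml",
    "service_rpcbind_disabled.xml",   # referenced only by the commented-out Rule
    "package_rsh_removed.xml",        # referenced by nothing
]

def referenced_definitions(xccdf_text):
    """Definition ids that live Rules reference. ElementTree drops XML comments,
    so commented-out XCCDF contributes nothing here."""
    root = ET.fromstring(xccdf_text)
    refs = set()
    for ref in root.iter(f"{{{XCCDF_NS}}}check-content-ref"):
        name = ref.get("name", "")
        if name.startswith("oval:ssg:def:"):
            refs.add(name.split(":")[-1])
    return refs

def verify_references(xccdf_text, check_files):
    """Cross-check both directions: check files no Rule uses, and Rule
    references that have no check file behind them."""
    refs = referenced_definitions(xccdf_text)
    available = {f[:-4] for f in check_files if f.endswith(".xml")}
    return {
        "unused_checks": sorted(available - refs),
        "missing_checks": sorted(refs - available),
    }

if __name__ == "__main__":
    report = verify_references(SAMPLE_XCCDF, CHECK_FILES)
    for kind, ids in report.items():
        print(kind, ids)
```

Both lists matter for a compliance benchmark: an unused check is dead weight that still has to be maintained, while a missing check means a Rule silently evaluates to "notchecked" instead of producing a pass or fail.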
[PATCH 0/2] fifth batch of several: deletion of unused OVAL checks
by Jeffrey Blank
...and some bugfixes here, too.
Jeffrey Blank (2):
bugfixes for undisciplined renaming jaunt, missing OVAL references
removal of unused OVAL checks
.../accounts_no_nis_inclusions_etc_shadow.xml | 23 -----
.../checks/accounts_passwords_pam_tally2_deny.xml | 31 ------
.../console_device_restrict_access_server.xml | 41 --------
.../checks/file_groupowner_ldap_server_files.xml | 31 ------
RHEL6/input/checks/iptables_avahi_disabled.xml | 43 ---------
.../input/checks/package_initscripts_installed.xml | 26 -----
RHEL6/input/checks/package_lvm2_installed.xml | 25 -----
RHEL6/input/checks/package_samba_removed.xml | 25 -----
RHEL6/input/checks/postfix_logging.xml | 99 --------------------
RHEL6/input/checks/restrict_serial_port_logins.xml | 2 +-
...sctl_net_ipv6_conf_default_accept_ra_defrtr.xml | 31 ------
...ysctl_net_ipv6_conf_default_accept_ra_pinfo.xml | 31 ------
.../sysctl_net_ipv6_conf_default_autoconf.xml | 31 ------
.../sysctl_net_ipv6_conf_default_dad_transmits.xml | 31 ------
.../sysctl_net_ipv6_conf_default_max_addresses.xml | 31 ------
..._net_ipv6_conf_default_router_solicitations.xml | 31 ------
RHEL6/input/checks/templates/packages_removed.csv | 1 -
RHEL6/input/checks/templates/services_enabled.csv | 1 -
RHEL6/input/services/mail.xml | 1 +
RHEL6/input/system/accounts/physical.xml | 3 +-
20 files changed, 4 insertions(+), 534 deletions(-)
delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_shadow.xml
delete mode 100644 RHEL6/input/checks/accounts_passwords_pam_tally2_deny.xml
delete mode 100644 RHEL6/input/checks/console_device_restrict_access_server.xml
delete mode 100644 RHEL6/input/checks/file_groupowner_ldap_server_files.xml
delete mode 100644 RHEL6/input/checks/iptables_avahi_disabled.xml
delete mode 100644 RHEL6/input/checks/package_initscripts_installed.xml
delete mode 100644 RHEL6/input/checks/package_lvm2_installed.xml
delete mode 100644 RHEL6/input/checks/package_samba_removed.xml
delete mode 100644 RHEL6/input/checks/postfix_logging.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_defrtr.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_pinfo.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_autoconf.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_dad_transmits.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_max_addresses.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_router_solicitations.xml
[PATCH] second batch of several: deletion of unused OVAL checks
by Jeffrey Blank
... and also the commented-out vestigial XCCDF from RHEL 5
Jeffrey Blank (1):
deletion of unused/obsoleted OVAL checks (and commented out XCCDF)
RHEL6/input/checks/accounts_no_empty_passwords.xml | 22 -----
.../input/checks/audit_rules_record_timechange.xml | 65 -------------
.../console_device_restrict_access_desktop.xml | 41 --------
.../checks/file_permissions_ldap_server_bdb.xml | 39 --------
.../ldap_server_config_certificate_usage.xml | 78 ---------------
RHEL6/input/checks/package_certmonger_removed.xml | 25 -----
RHEL6/input/checks/package_irda-utils_removed.xml | 25 -----
RHEL6/input/checks/package_openldap_removed.xml | 25 -----
RHEL6/input/checks/package_rpcbind_removed.xml | 25 -----
RHEL6/input/checks/service_rpcbind_disabled.xml | 99 --------------------
RHEL6/input/checks/templates/packages_removed.csv | 2 -
RHEL6/input/checks/templates/services_disabled.csv | 1 -
RHEL6/input/checks/wireless_disable_drivers.xml | 26 -----
RHEL6/input/profiles/common.xml | 1 -
RHEL6/input/profiles/desktop.xml | 1 -
RHEL6/input/profiles/usgcb-rhel6-server.xml | 1 -
RHEL6/input/system/network/wireless.xml | 19 +----
17 files changed, 1 insertions(+), 494 deletions(-)
delete mode 100644 RHEL6/input/checks/accounts_no_empty_passwords.xml
delete mode 100644 RHEL6/input/checks/audit_rules_record_timechange.xml
delete mode 100644 RHEL6/input/checks/console_device_restrict_access_desktop.xml
delete mode 100644 RHEL6/input/checks/file_permissions_ldap_server_bdb.xml
delete mode 100644 RHEL6/input/checks/ldap_server_config_certificate_usage.xml
delete mode 100644 RHEL6/input/checks/package_certmonger_removed.xml
delete mode 100644 RHEL6/input/checks/package_irda-utils_removed.xml
delete mode 100644 RHEL6/input/checks/package_openldap_removed.xml
delete mode 100644 RHEL6/input/checks/package_rpcbind_removed.xml
delete mode 100644 RHEL6/input/checks/service_rpcbind_disabled.xml
delete mode 100644 RHEL6/input/checks/wireless_disable_drivers.xml
[PATCH] first batch of several: deletion of unused OVAL checks
by Jeffrey Blank
For various reasons, these OVAL checks are no longer needed.
The reasons include:
* changes from RHEL 5 to RHEL 6
* handling the same check in different ways in newer OVAL
* handling the same check in smarter ways
* not really relevant for compliance to begin with
Jeffrey Blank (1):
deletion of unused OVAL checks
RHEL6/input/checks/banner_gui_gdm.xml | 30 ------
RHEL6/input/checks/file_permissions_etc_skel.xml | 54 ----------
.../checks/file_permissions_samba_password.xml | 36 -------
RHEL6/input/checks/package_acpid_removed.xml | 25 -----
RHEL6/input/checks/package_rsh_removed.xml | 25 -----
RHEL6/input/checks/package_vlock_installed.xml | 25 -----
RHEL6/input/checks/package_vlock_removed.xml | 25 -----
...mail_relay_smtp_auth_for_untrusted_networks.xml | 107 --------------------
RHEL6/input/checks/selinux_enabled.xml | 20 ----
RHEL6/input/checks/service_sssd_disabled.xml | 96 ------------------
.../sysctl_net_ipv6_conf_all_disable_ipv6.xml | 29 ------
.../input/checks/templates/packages_installed.csv | 1 -
RHEL6/input/checks/templates/packages_removed.csv | 3 -
RHEL6/input/checks/templates/services_disabled.csv | 1 -
14 files changed, 0 insertions(+), 477 deletions(-)
delete mode 100644 RHEL6/input/checks/banner_gui_gdm.xml
delete mode 100644 RHEL6/input/checks/file_permissions_etc_skel.xml
delete mode 100644 RHEL6/input/checks/file_permissions_samba_password.xml
delete mode 100644 RHEL6/input/checks/package_acpid_removed.xml
delete mode 100644 RHEL6/input/checks/package_rsh_removed.xml
delete mode 100644 RHEL6/input/checks/package_vlock_installed.xml
delete mode 100644 RHEL6/input/checks/package_vlock_removed.xml
delete mode 100644 RHEL6/input/checks/postfix_server_mail_relay_smtp_auth_for_untrusted_networks.xml
delete mode 100644 RHEL6/input/checks/selinux_enabled.xml
delete mode 100644 RHEL6/input/checks/service_sssd_disabled.xml
delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_all_disable_ipv6.xml
[PATCH 0/7] editing of services
by Jeffrey Blank
Various fixups/updates, to make this closer to publishable
as a guide.
Jeffrey Blank (7):
updates to the CCE verification script to be more informative
removal of commented/obsolete items for base services
changed Dovecot Rule to Group as it is guidance and not a compliance
check
update to NFS section (still perhaps incomplete)
removal of commented text, invalid CCE from root logins guidance
removal of commented/obsolete text from logging section
removal of unnecessary guidance from SSL section
RHEL6/input/services/base.xml | 51 ---------
RHEL6/input/services/imap.xml | 9 +--
RHEL6/input/services/nfs.xml | 109 ++------------------
.../system/accounts/restrictions/root_logins.xml | 20 +---
RHEL6/input/system/logging.xml | 13 ---
RHEL6/input/system/network/ssl.xml | 92 ++---------------
RHEL6/utils/verify-cce.py | 38 ++++---
7 files changed, 46 insertions(+), 286 deletions(-)
Video preview of the OSCAP Anaconda addon
by Shawn Wells
For those following the SCAP enablement of Anaconda, a new video. This
was originally posted to open-scap-list, but thought there would be
interest here.
-------- Original Message --------
Subject: Re: [Open-scap] Video preview of the OSCAP Anaconda addon
Date: Tue, 14 May 2013 11:26:04 +0200
From: Vratislav Podzimek <vpodzime(a)redhat.com>
To: open-scap-list(a)redhat.com
Hello again,
I've recorded another video [1] showing the current state of the addon's
UI and functionality.
The addon now handles not only data stream collections but also various
archives (ZIPs and tarballs) containing separate files with the XCCDF
benchmark with OVAL checks etc.
In the UI it is now possible to switch between profiles and in case of a
data stream collection content, it is also possible to switch between
data streams and checklists.
[1] http://vimeo.com/66085973
Enjoy the video and let me know what you think about it!
--
Vratislav Podzimek
Anaconda Rider | Red Hat, Inc. | Brno - Czech Republic
_______________________________________________
Open-scap-list mailing list
Open-scap-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
disable_telnet_service
by Brian Peake
Shawn & Crew.
First, wish to thank all for your efforts. It was very helpful for me, as I used the SSG to help me ensure I was ready and also as a sanity check after updates are done. We just went through our IV&V and my RHEL6 box did very well.
Wanted to give some feedback after latest scan regarding the disable_telnet_service check. It is now failing with the latest SSG content w/ openscap 0.9.3 from RH. telnet is not even installed on this box (removing telnet is another STIG). I know I can ignore this, but would think a check would be done to see if it is even installed first, and only do the disable check if telnet is in fact installed.
Regards,
Brian
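Added sketch of the evaluation logic behind the suggestion above (mine, not the SSG check and not the OpenSCAP evaluator): a minimal model of OVAL test and criteria results, run over three constructed system states. The shape assumed for the original check is a single test on the xinetd telnet file, which fails when the file is absent because OVAL's default check_existence is at_least_one_exists; the suggested form ORs that with a package test using check_existence="none_exist", so an absent package passes outright. File paths, the package name and both check shapes are assumptions.

```python
# Minimal model of OVAL test/criteria evaluation, added for illustration only.

def oval_test(exists, state_matches, check_existence="at_least_one_exists"):
    """Result of one OVAL test. check_existence decides what a missing object
    means: the default at_least_one_exists fails on absence, none_exist passes."""
    if check_existence == "none_exist":
        return not exists
    if check_existence == "at_least_one_exists":
        return exists and state_matches
    raise ValueError(f"unsupported check_existence: {check_existence}")

def criteria(operator, *results):
    """Combine criterion results the way an OVAL <criteria> element does."""
    if operator == "AND":
        return all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator: {operator}")

# Constructed system states (assumed paths: telnet-server rpm, /etc/xinetd.d/telnet).
STATES = {
    "not_installed":      dict(pkg=False, xinetd_file=False, disabled=False),
    "installed_enabled":  dict(pkg=True,  xinetd_file=True,  disabled=False),
    "installed_disabled": dict(pkg=True,  xinetd_file=True,  disabled=True),
}

def service_disabled_only(s):
    """Assumed shape of the original check: one textfilecontent test for
    'disable = yes' in the xinetd file. A missing file fails the test, which
    is the false positive reported for a box with no telnet at all."""
    return oval_test(s["xinetd_file"], s["disabled"])

def service_disabled_or_not_installed(s):
    """Suggested shape: pass if the package is absent, else require disabled."""
    package_absent = oval_test(s["pkg"], True, check_existence="none_exist")
    return criteria("OR", package_absent, service_disabled_only(s))

def compare():
    """(original result, suggested result) for every constructed state."""
    return {name: (service_disabled_only(s), service_disabled_or_not_installed(s))
            for name, s in STATES.items()}

if __name__ == "__main__":
    for name, (orig, fixed) in compare().items():
        print(f"{name:20s} original={'pass' if orig else 'fail'} "
              f"suggested={'pass' if fixed else 'fail'}")
```

Only the not_installed row changes between the two forms: a host with telnet-server absent goes from fail to pass, while a host with telnet installed and enabled still fails, so the OR does not weaken the check for the case it exists to catch.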