scap-security-guide June 2013

scap-security-guide@lists.fedorahosted.org

20 participants
35 discussions

[PATCH] Update from deprecated rpmverify_* to rpmverifyfile_* checks
by Maura Dailey 04 Jun '13

04 Jun '13

Little patch to eliminate a deprecated family of checks and tests. I compared the results of testcheck.py against the current list of complaints that rpm -qVa outputs on our systems and everything seems to match up. I still can't get accounts_root_path_dirs_no_write.xml to work correctly (specifying a file or directory directly in place of parsing out PATH works, but trying to get it to use variables correctly is stumping me). - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- RHEL6/input/checks/rpm_verify_permissions.xml | 42 ++++++++++++------------ 1 files changed, 21 insertions(+), 21 deletions(-) diff --git a/RHEL6/input/checks/rpm_verify_permissions.xml b/RHEL6/input/checks/rpm_verify_permissions.xml index cfb662e..d177dfb 100644 --- a/RHEL6/input/checks/rpm_verify_permissions.xml +++ b/RHEL6/input/checks/rpm_verify_permissions.xml @@ -16,40 +16,40 @@ <criterion test_ref="test_verify_all_rpms_mode" comment="mode of all files matches local rpm database" /> </criteria> </definition> - <linux:rpmverify_test check_existence="none_exist" id="test_verify_all_rpms_user_ownership" version="1" check="all" comment="user ownership of all files matches local rpm database"> + <linux:rpmverifyfile_test check_existence="none_exist" id="test_verify_all_rpms_user_ownership" version="1" check="all" comment="user ownership of all files matches local rpm database"> <linux:object object_ref="object_files_fail_user_ownership"/> - </linux:rpmverify_test> - <linux:rpmverify_test check_existence="none_exist" id="test_verify_all_rpms_group_ownership" version="1" check="all" comment="group ownership of all files matches local rpm database"> + </linux:rpmverifyfile_test> + <linux:rpmverifyfile_test check_existence="none_exist" id="test_verify_all_rpms_group_ownership" version="1" check="all" comment="group ownership of all files matches local rpm database"> <linux:object object_ref="object_files_fail_group_ownership"/> - </linux:rpmverify_test> - <linux:rpmverify_test check_existence="none_exist" id="test_verify_all_rpms_mode" version="1" check="all" comment="mode of all files matches local rpm database"> + </linux:rpmverifyfile_test> + <linux:rpmverifyfile_test check_existence="none_exist" id="test_verify_all_rpms_mode" version="1" check="all" comment="mode of all files matches local rpm database"> <linux:object object_ref="object_files_fail_mode"/> - </linux:rpmverify_test> - <linux:rpmverify_object id="object_files_fail_user_ownership" version="1" comment="rpm verify of all files"> - <linux:behaviors nodeps="true" nofiles="false" nodigest="true" noscripts="true" nosignature="true" nomd5="true"/> + </linux:rpmverifyfile_test> + <linux:rpmverifyfile_object id="object_files_fail_user_ownership" version="1" comment="rpm verify of all files"> + <linux:behaviors nomd5="true"/> <linux:name operation="pattern match">.*</linux:name> <linux:filepath operation="pattern match">.*</linux:filepath> <filter action="include">state_files_fail_user_ownership</filter> - </linux:rpmverify_object> - <linux:rpmverify_object id="object_files_fail_group_ownership" version="1" comment="rpm verify of all files"> - <linux:behaviors nodeps="true" nofiles="false" nodigest="true" noscripts="true" nosignature="true" nomd5="true"/> + </linux:rpmverifyfile_object> + <linux:rpmverifyfile_object id="object_files_fail_group_ownership" version="1" comment="rpm verify of all files"> + <linux:behaviors nomd5="true"/> <linux:name operation="pattern match">.*</linux:name> <linux:filepath operation="pattern match">.*</linux:filepath> <filter action="include">state_files_fail_group_ownership</filter> - </linux:rpmverify_object> - <linux:rpmverify_object id="object_files_fail_mode" version="1" comment="rpm verify of all files"> - <linux:behaviors nodeps="true" nofiles="false" nodigest="true" noscripts="true" nosignature="true" nomd5="true"/> + </linux:rpmverifyfile_object> + <linux:rpmverifyfile_object id="object_files_fail_mode" version="1" comment="rpm verify of all files"> + <linux:behaviors nomd5="true"/> <linux:name operation="pattern match">.*</linux:name> <linux:filepath operation="pattern match">.*</linux:filepath> <filter action="include">state_files_fail_mode</filter> - </linux:rpmverify_object> - <linux:rpmverify_state id="state_files_fail_user_ownership" version="1"> + </linux:rpmverifyfile_object> + <linux:rpmverifyfile_state id="state_files_fail_user_ownership" version="1"> <linux:ownership_differs>fail</linux:ownership_differs> - </linux:rpmverify_state> - <linux:rpmverify_state id="state_files_fail_group_ownership" version="1"> + </linux:rpmverifyfile_state> + <linux:rpmverifyfile_state id="state_files_fail_group_ownership" version="1"> <linux:group_differs>fail</linux:group_differs> - </linux:rpmverify_state> - <linux:rpmverify_state id="state_files_fail_mode" version="1"> + </linux:rpmverifyfile_state> + <linux:rpmverifyfile_state id="state_files_fail_mode" version="1"> <linux:mode_differs>fail</linux:mode_differs> - </linux:rpmverify_state> + </linux:rpmverifyfile_state> </def-group> -- 1.7.1

2 2

[PATCH] fix the accounts_umask_* checks to reference var_accounts_user_umask.
by Brian Millett 04 Jun '13

04 Jun '13

accounts_umask_* checks are referencing the wrong variables. Brian Millett (1): Ok, to fix the "error" doing an evaluation for the various umask checks, changed the following variables referenced in the checks RHEL6/input/checks/accounts_umask_bashrc.xml | 4 ++-- RHEL6/input/checks/accounts_umask_cshrc.xml | 4 ++-- RHEL6/input/checks/accounts_umask_etc_profile.xml | 4 ++-- RHEL6/input/checks/accounts_umask_login_defs.xml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) -- 1.8.2.1

1 1

question about fix-common code
by Jeffrey Blank 03 Jun '13

03 Jun '13

Francisco, Shawn, What was your thinking behind the common-fix elements? Please also see (shortly) my new patches for fix insertion. I've re-written the fix insertion stuff. So that people can "declare" their use of particular environment variables in bash (using a bash function). Then the reworked combinefixes.py will pick up on the declaration and assign an XCCDF <sub idref/> to that variable. <sub idref/> is how oscap supports inserting particular values inside a fix. For unit testing (still incomplete), the bash function "needs" should grab the right value from XCCDF and populate it accordingly. Do we still need the fix-common elements, to insert them into the XCCDF? I like to delete unused code. Jeff

3 3

[PATCH 1/4] Added bash templates directory, added sample sysctl script
by Shawn Wells 02 Jun '13

02 Jun '13

3 4

[PATCH 2/4] Added sysctl remediation scripts
by Shawn Wells 01 Jun '13

01 Jun '13

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide June 2013