[*] RHEL-6 / JBossEAP5 SSG *.spec, *.src.rpm && *.rpm rpmlint errors
by Jan Lieskovsky
Hello guys,
While this was inspired by another email on this list
(it was [PATCH 1/8] Add Makefile, main README, and scap-security-guide.spec
file, that will be used for building Fedora scap-security-guide (source)
RPM package.),
I decided to dedicate a separate thread to this topic, since it deserves it
(it is pretty wide by itself).
Attached are rpmlint results [R] (run on Red Hat Enterprise Linux 6) for the main
scap-security-guide.spec file, and also for both the RHEL6 / JBossEAP5 *.src.rpm and *.rpm
packages, generated from SSG repository content.
While some of the issues are easy to fix (to mention some examples:
* scap-security-guide.src: W: summary-ended-with-dot C Security guidance and baselines in SCAP formats.
* scap-security-guide.src:20: W: mixed-use-of-spaces-and-tabs (spaces: line 8, tab: line 20),
* scap-security-guide.src: W: non-standard-group Testing),
* script-without-shebang /usr/share/xml/scap/ssg/policytables/table-rhel6-nistrefs.html
* ..)
[and I can make a patch proposal for these once we have agreed on the points below],
there are also cases where I am not sure what the fix should look like (so I decided
to write a post about this prior to proposing a patch).
The two cases I am not completely sure how they should be resolved (comments welcome)
are as follows:
#1: (from the *.src.rpm / *.rpm):
scap-security-guide.src: W: invalid-license Public domain
scap-security-guide.src: W: invalid-license GPL
The 'Public domain' one should be converted to 'Public Domain' to be recognized
(https://fedoraproject.org/wiki/Packaging:LicensingGuidelines?rd=Packaging...),
but I am not sure about the proper identifier for the GPL one. Suggestions / guidance welcome.
#2: (from the *.spec && *.src.rpm):
scap-security-guide.spec: E: specfile-error error: line 10: Source0: scap-security-guide-
rpmlint in this case is complaining about the source tarball being generated and referenced in the *.spec
locally (the common practice in a *.spec file is to reference the upstream page from which the source tarball can be
downloaded).
Therefore I would like to check with you whether there would be willingness to dedicate a stable page
for hosting such a tarball, and whether we could use that page (once agreed upon) in the *.spec file
subsequently?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[R] http://fedoraproject.org/wiki/Common_Rpmlint_issues
10 years, 8 months
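The warnings Jan lists all come from static properties of the spec file (Summary text, indentation, Group, License tokens, Source0 form). As an added example, not code from the thread or from the scap-security-guide project, here is a small pre-commit check that reproduces those five conditions on a constructed spec and shows the "before" and "after" side by side. The group and license allowlists are constructed subsets, not rpmlint's own tables, and the upstream URL in the corrected spec is a placeholder; the GPLv2+ identifier in the corrected spec is chosen only to make the example lint clean, since the thread leaves that choice open.

```python
import re

# Constructed allowlists: a small subset for illustration, NOT rpmlint's real tables.
KNOWN_GROUPS = {"Applications/System", "Development/Tools",
                "System Environment/Base", "Documentation"}
KNOWN_LICENSES = {"Public Domain", "GPLv2", "GPLv2+", "GPLv3", "GPLv3+", "BSD", "MIT"}

HEADER_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+):\s*(?P<value>.*?)\s*$")


def parse_headers(spec_text):
    """Return the preamble tags (Name, Summary, License, Source0, ...) as a dict.

    Parsing stops at the first section marker (%description etc.) so that
    colon-containing prose in the description is not mistaken for a tag.
    """
    headers = {}
    for line in spec_text.splitlines():
        if line.startswith("%"):
            break
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group("tag"), m.group("value"))
    return headers


def lint_spec(spec_text):
    """Return a list of finding strings (names are this example's own, modelled on rpmlint's)."""
    findings = []
    lines = spec_text.splitlines()
    headers = parse_headers(spec_text)

    # 1. A Summary is a title, not a sentence: no trailing period.
    if headers.get("Summary", "").endswith("."):
        findings.append("summary-ended-with-dot")

    # 2. Indentation must be consistent: flag if some lines start with spaces and others with tabs.
    uses_spaces = any(line.startswith(" ") for line in lines)
    uses_tabs = any(line.startswith("\t") for line in lines)
    if uses_spaces and uses_tabs:
        findings.append("mixed-use-of-spaces-and-tabs")

    # 3. Group must be one of the known RPM groups.
    group = headers.get("Group")
    if group and group not in KNOWN_GROUPS:
        findings.append("non-standard-group %s" % group)

    # 4. Every License token (split on "and"/"or") must be a recognised short identifier;
    #    the match is case-sensitive, which is why 'Public domain' is rejected.
    license_value = headers.get("License", "")
    for token in re.split(r"\s+(?:and|or)\s+", license_value):
        token = token.strip("() ")
        if token and token not in KNOWN_LICENSES:
            findings.append("invalid-license %s" % token)

    # 5. Source0 should point at a downloadable upstream location, not a bare local file name.
    source = headers.get("Source0", "")
    if source and not re.match(r"^(https?|ftp)://", source):
        findings.append("source-not-url Source0")

    return findings


# Constructed "before" spec reproducing the warnings discussed in the thread.
BAD_SPEC = """\
Name:           scap-security-guide
Version:        0.1
Release:        12%{?dist}
Summary:        Security guidance and baselines in SCAP formats.
Group:          Testing
License:        Public domain and GPL
Source0:        scap-security-guide-%{version}.tar.gz
BuildArch:      noarch

%description
\tOne line indented with a tab.
  Another line indented with spaces.
"""

# Constructed "after" spec. The Source0 host is a PLACEHOLDER, not a real upstream URL.
GOOD_SPEC = """\
Name:           scap-security-guide
Version:        0.1
Release:        12%{?dist}
Summary:        Security guidance and baselines in SCAP formats
Group:          Applications/System
License:        Public Domain and GPLv2+
Source0:        https://example.org/PLACEHOLDER/scap-security-guide-%{version}.tar.gz
BuildArch:      noarch

%description
Security guidance and baselines in SCAP formats, written as XCCDF/OVAL content.
"""

if __name__ == "__main__":
    for name, spec in (("before", BAD_SPEC), ("after", GOOD_SPEC)):
        print(name, lint_spec(spec) or "clean")
```

Running the block prints the six findings for the "before" spec and "clean" for the "after" one; the real rpmlint still has to be run on the built *.src.rpm, since checks such as script-without-shebang look at installed files, not at the spec.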
Current false positive list
by leam hall
Using the oscap from openscap 0.9.3-1 and the ssg content fresh from the
repo (0.1-12) I ran:
oscap xccdf eval --profile stig-rhel6-server --results
`hostname`-ssg-results.xml --report `hostname`-ssg-results.html --cpe
/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
on my server. The output gave me stuff to work on and what seems to be a
list of false positives. I have not found these items in the STIG. Could
someone point me to them, or can we remove them from the scan if they are
not present?
I'm looking at the git repo but having issues with builds. So some of these
might already be fixed.
Thanks!
Leam
#####
Configure auditd admin_space_left Action on Low Disk Space
Disable IPv6 Networking Support Automatic Loading
Disable Kernel Parameter for Accepting ICMP Redirects By Default
Disable Kernel Parameter for Accepting Secure Redirects By Default
Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces
Disable Kernel Parameter for Sending ICMP Redirects by Default
Disable Modprobe Loading of USB Storage Driver
Ensure All Files Are Owned by a Group
Ensure All Files Are Owned by a User
Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
Ensure SELinux State is Enforcing
Implement Blank Screen Saver
Record Events that Modify User/Group Information
Set SSH Client Alive Count
--
Mind on a Mission <http://leamhall.blogspot.com/>
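Leam's question is which failed rules actually map to a STIG item. In XCCDF each Rule can carry reference elements, so the results file can answer that itself: list the rule-results with result "fail" and, for each, the reference text under the STIG href. As an added example, not code from the thread or from the SSG project, the block below does that over a constructed results document. It assumes XCCDF 1.1 (the namespace below); SSG content using XCCDF 1.2 would need the 1.2 namespace. The rule ids, the reference href and the STIG id text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Assumption: XCCDF 1.1 namespace. Swap for "http://checklists.nist.gov/xccdf/1.2" if the
# content is XCCDF 1.2.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Placeholder href standing in for the reference source that carries the STIG ids.
STIG_HREF = "https://example.org/stig-reference-placeholder"

# Constructed results document: a benchmark with three rules, two of them failing.
# oscap's --results output contains the rule definitions plus a TestResult like this.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-rhel6">
  <Group id="constructed-group">
    <Rule id="rule_ssh_client_alive_count" severity="medium">
      <title>Set SSH Client Alive Count</title>
      <reference href="https://example.org/stig-reference-placeholder">STIG-ID-PLACEHOLDER-1</reference>
    </Rule>
    <Rule id="rule_ipv6_automatic_loading" severity="low">
      <title>Disable IPv6 Networking Support Automatic Loading</title>
    </Rule>
    <Rule id="rule_selinux_enforcing" severity="high">
      <title>Ensure SELinux State is Enforcing</title>
      <reference href="https://example.org/stig-reference-placeholder">STIG-ID-PLACEHOLDER-2</reference>
    </Rule>
  </Group>
  <TestResult id="constructed-testresult">
    <rule-result idref="rule_ssh_client_alive_count"><result>fail</result></rule-result>
    <rule-result idref="rule_ipv6_automatic_loading"><result>fail</result></rule-result>
    <rule-result idref="rule_selinux_enforcing"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""


def rule_index(root):
    """Map rule id -> (title, [(href, reference text), ...]), descending into nested Groups."""
    index = {}
    for rule in root.iter("{%s}Rule" % NS["x"]):
        title = rule.findtext("x:title", default="", namespaces=NS)
        refs = [(r.get("href", ""), (r.text or "").strip())
                for r in rule.findall("x:reference", NS)]
        index[rule.get("id")] = (title, refs)
    return index


def failed_rules(xml_text, reference_href):
    """Return the failed rules, each with the ids found under reference_href."""
    root = ET.fromstring(xml_text)
    index = rule_index(root)
    failed = []
    for rr in root.iter("{%s}rule-result" % NS["x"]):
        if rr.findtext("x:result", default="", namespaces=NS) != "fail":
            continue
        rid = rr.get("idref")
        title, refs = index.get(rid, (rid, []))
        stig_ids = [text for href, text in refs if href == reference_href]
        failed.append({"id": rid, "title": title, "stig_ids": stig_ids})
    return failed


def unreferenced_failures(xml_text, reference_href):
    """Titles of failed rules that carry no reference under reference_href.

    These are the candidates for "not in the STIG": either the rule lacks a mapping
    in the content, or it is a vendor/extra rule outside the STIG profile.
    """
    return [r["title"] for r in failed_rules(xml_text, reference_href) if not r["stig_ids"]]


if __name__ == "__main__":
    for r in failed_rules(SAMPLE_RESULTS, STIG_HREF):
        print("FAIL", r["id"], "->", r["stig_ids"] or "no STIG reference", "|", r["title"])
    print("unreferenced:", unreferenced_failures(SAMPLE_RESULTS, STIG_HREF))
```

To run this against a real scan, read the `hostname`-ssg-results.xml file produced by the oscap command above into xml_text and pass the href that the SSG content uses for its STIG references; rules that fail but have no reference under that href are the ones to raise on the list or check against the profile's selection.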