January 2014 - scap-security-guide - Fedora Mailing-Lists

by Shaw, Ray V CTR USARMY RDECOM ARL (US)

Classification: UNCLASSIFIED Caveats: NONE Anyone want to weigh in on this? At the very least, it would be nice if the check also accepted the value of "none", and possibly the guidance should recommend this setting. -- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support -----Original Message----- From: Shaw, Ray V CTR USARMY ARL (US) Sent: Thursday, December 26, 2013 1:27 PM To: 'scap-security-guide(a)lists.fedorahosted.org' Subject: Disable DHCP client (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE The Disable DHCP client check specifies that the value of BOOTPROTO should be "static". However, this doesn't list "static" as an option: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... Should the check be for "none" instead? [Aside: I thought this might be a carryover from RHEL5, but the RHEL5 deployment guide lists the same options: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin... However, all the RHEL5 clients I've checked have had it set to "static", whereas the RHEL6 clients I've checked have it set to "none". Is setting it to anything other than "bootp" or "dhcp" the equivalent of setting it to "none"? Not that I'm arguing the check should go in that direction...just wondering how we got here.] -- Ray Shaw (Contractor, STG) Army Research Laboratory CIO, Unix Support Classification: UNCLASSIFIED Caveats: NONE Classification: UNCLASSIFIED Caveats: NONE

10 years, 3 months

2
1
0 / 0

SSG 0.1-14-14 - Apparent content error. Unable to find referenced state

by ssg fthfth

While running SCC 3.1.1.1 against the SSG 0.1-14-14 content, with the usgcb-rhel6-server profile selected from the SCAP stream, and rpm_verify_permissions = false, there appears to be another variable referenced in the OVAL file but are not declared in the XCCDF and the value is being used in XCCDF without being declared. SCC errorlog: [ERROR] Apparent content error. Unable to find referenced state: 'oval:ssg:ste:1545.' OVAL snippits: /bin/grep "oval:ssg:ste:1545" /opt/scc/Resources/Content/ssg-rhel6-oval.xml <linux:state state_ref="oval:ssg:ste:1545"/> <filter action="include">oval:ssg:ste:1545</filter> <linux:partition_state id="oval:ssg:ste:1545" version="1"> $ /bin/grep "1545" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml $<null> perhaps related is this integer comparison error "[ERROR] Collected item to be compared is not type 'int': hard for item" when run with the stig-rhel6-server profile selected from the SCAP stream.

10 years, 3 months

1
0
0 / 0

RHEL 6 Benchmark and STIG errors

by Shuhart, Jordan P CIV DISA FSO (US)

I have been doing a full pass/fail test of the RHEL 6 Benchmark and listed below are some of the issues I have come across. - V-38465 / SV-50265 - The benchmark check returns a passing result, but upon a manual check you can see that /lib/modules/2.6.32-358.el6.x86_64/source and /lib/modules/2.6.32-358.el6.x86_64/build both have group and write permissions. - V-38476 / SV-50276 - Benchmark returns that this check is closed. Manually checking for gpg-pubkey shows that the package is not installed - V-38477 / SV-50277 - This check has been returning a open finding even after the settings have been configured to pass. - V-38499 / SV-50300 - Same as above - V-38501 / SV-50302 - Unable to make this check pass. It appears that the STIG is missing some Fix text that the Benchmark is checking for. - V-38512 / SV-50313 - This check passes but the STIG may need updating as the status does not return what the STIG suggests it should. - V-38519 / SV-50320 - I am unable to get this check to run for some reason. - V-38540 / SV-50341 - STIG may need updated. Benchmark is looking for "-a always,exit... " but the STIG is instructing me to configure it as "-a exit,always..." Check runs properly when I change the order but I am unsure which is the correct way. Jordan Shuhart DISA Field Security Operations IA Standards & Analysis Division (717)267-9078 jordan.p.shuhart.civ(a)mail.mil

10 years, 3 months

1
0
0 / 0

[PATCH] Initial GConf2 fixups

by Maura Dailey

Several of the GConf checks were using xmlfilecontent, which I liked, so I changed the ones that weren't to use it. However, the checks that had been using xmlfilecontent were improperly pointing to /etc/gconf/gconf.xml.defaults, when we wanted to be peering into gconf.xml.mandatory instead (this is where the gconf2-tool instructions were writing their values). To add support to ensure these checks will no longer report a failure on machines that aren't using X, I added an extended definition check and the appropriate package checks to point to the lowest level package that installs GConf settings, namely the GConf2 package. On servers that don't have this package installed, the check will pass. - Maura Dailey Maura Dailey (1): Rewrote various GConf checks to standardize on xmlfilecontent tests and ensured they were actually checking the correct location (gconf.xml.mandatory, not gconf.xml.defaults). .../input/checks/gconf_gnome_disable_automount.xml | 59 +++++++++++--------- .../checks/gconf_gnome_disable_thumbnailers.xml | 34 ++++++----- ...f_gnome_screensaver_idle_activation_enabled.xml | 19 ++++-- .../checks/gconf_gnome_screensaver_idle_delay.xml | 24 +++++--- .../gconf_gnome_screensaver_lock_enabled.xml | 14 +++-- .../checks/gconf_gnome_screensaver_mode_blank.xml | 12 +++- RHEL6/input/checks/package_GConf2_installed.xml | 26 +++++++++ .../input/checks/templates/packages_installed.csv | 1 + RHEL6/input/fixes/bash/package_GConf2_installed.sh | 1 + 9 files changed, 124 insertions(+), 66 deletions(-) create mode 100644 RHEL6/input/checks/package_GConf2_installed.xml create mode 100644 RHEL6/input/fixes/bash/package_GConf2_installed.sh

10 years, 3 months

6
19
0 / 0

[PATCH] [Fedora] Drop -compat package, provide openscap-content directly (RH BZ#1040335#c14)

by Jan Lieskovsky

Happy New Year folks, an issue has been found: https://bugzilla.redhat.com/show_bug.cgi?id=1040335#c14 with scap-security-guide-0.1.4-1.* packages on Fedora. This patch should fix it (tested via local yum repo, pushed to master and have built new packages for all versions of Fedora-18 up to [upcoming] Fedora-21). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

10 years, 3 months

1
0
0 / 0

[PATCH] add disable_user_list to STIG/RHEL-06-000527

by Steinke, Leland J Sr CTR DISA DD (US)

This has been overlooked for a long time. Thanks, Leland -- Leland Steinke, Security+ DISA FSO Technical Support Contractor tapestry technologies, Inc 717-267-5797 (DSN 570) leland.j.steinke.ctr(a)mail.mil (gov't) lsteinke(a)tapestrytech.com (com'l)

10 years, 3 months

2
2
0 / 0

SSG 0.1-14-14 - [WARN] Value X was not found

by ssg testing

While running SCC 3.1.1.1 against the SSG 0.1-14-14 content, with either the stig-rhel6-server or usgcb-rhel6-server profile selected from the SCAP stream, and rpm_verify_permissions = false, there appears to be variables referenced in the OVAL file but are not declared in the XCCDF and the value is being used in XCCDF without being declared. usgcb-rhel6-server profile: SCC Warning: "[WARN] Value 'umask_user_value' was not found" declaration in XCCDF: # /bin/grep -ir "<value id.* 'umask_user_value" /opt/scc/Resources/ <null> reference in XCCDF: # /bin/grep -ir "value idref.*umask_user_value" /opt/scc/Resources/ /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="umask_user_value" selector="077"/> # /bin/grep "umask_user_value" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml -A13|/bin/grep "oval:ssg:var"|/usr/bin/uniq <check-export export-name="oval:ssg:var:2261" value-id="var_accounts_user_umask"/> reference in OVAL: /bin/grep -i "2261" /opt/scc/Resources/Content/ssg-rhel6-oval.xml <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/> <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/> <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/> <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg:var:2261"/> <external_variable comment="umask for user shell" datatype="string" id="oval:ssg:var:2261" version="1"/> 　 stig-rhel6-server profile: SCC Warning: "[WARN] Value 'sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value' was not found." declaration in XCCDF: # /bin/grep -ir "<value id.*sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" /opt/scc/Resources/ <null> reference in XCCDF: # /bin/grep -ir "value idref.*sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" /opt/scc/Resources/ /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml: <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_messages_value" selector="enabled"/> reference in OVAL: <null> SCC Warning: [WARN] Value 'var_password_min_len' was not found. [WARN] Value 'var_password_max_age' was not found. [WARN] Value 'var_password_min_age' was not found. [WARN] Value 'var_password_warn_age' was not found. $ /bin/grep -E "var_password_[m|w]" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml <refine-value idref="var_password_min_len" selector="6"/> <refine-value idref="var_password_max_age" selector="90"/> <refine-value idref="var_password_min_age" selector="7"/> <refine-value idref="var_password_warn_age" selector="7"/> $ /bin/grep -E "var_password_[m|w]" /opt/scc/Resources/Content/ssg-rhel6-oval.xml $ <null>

10 years, 3 months

2
1
0 / 0

[PATCH] [bugfix] Updated USGCB XCCDF variable umask_user_value

by Shawn Wells

10 years, 3 months

1
0
0 / 0

SSG 0.1-14-14 - [ERROR] Could not find external variable with id X

by ssg testing

While running SCC 3.1.1.1 against the SSG 0.1-14-14 content, with either the stig-rhel6-server or usgcb-rhel6-server profile selected from the SCAP stream, and rpm_verify_permissions = false, there appears to be variables referenced in the OVAL file but are not declared in the XCCDF and the value is being used in XCCDF without being declared. SCC errorlog snippets: [ERROR] Could not find external variable with id 'oval:ssg:var:2224'. [ERROR] Could not find external variable with id 'oval:ssg:var:2234'. [ERROR] Could not find external variable with id 'oval:ssg:var:2237'. OVAL/XCCDF snippets: ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_object> ./Content/ssg-rhel6-oval.xml- <linux:partition_object id="oval:ssg:obj:1436" version="1"> ./Content/ssg-rhel6-oval.xml: <linux:mount_point var_ref="oval:ssg:var:2224"/> ./Content/ssg-rhel6-oval.xml- </linux:partition_object> ./Content/ssg-rhel6-oval.xml- <linux:rpminfo_object id="oval:ssg:obj:1440" version="1"> ./Content/ssg-rhel6-oval.xml- <linux:name>vsftpd</linux:name> ./Content/ssg-rhel6-oval.xml- </linux:rpminfo_object> ./Content/ssg-rhel6-oval.xml- </unix:runlevel_state> ./Content/ssg-rhel6-oval.xml- <ind:textfilecontent54_state id="oval:ssg:ste:1439" version="1"> ./Content/ssg-rhel6-oval.xml: <ind:subexpression datatype="string" var_ref="oval:ssg:var:2224"/> ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_state> ./Content/ssg-rhel6-oval.xml- <linux:partition_state id="oval:ssg:ste:1437" version="1"> ./Content/ssg-rhel6-oval.xml- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options> ./Content/ssg-rhel6-oval.xml- </linux:partition_state> ./Content/ssg-rhel6-oval.xml- <value>/usr/sbin/usernetctl</value> ./Content/ssg-rhel6-oval.xml- </constant_variable> ./Content/ssg-rhel6-oval.xml: <external_variable comment="removable partition" datatype="string" id="oval:ssg:var:2224" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="number of failed login attempts allowed" datatype="int" id="oval:ssg:var:2244" version="1"/> ./Content/ssg-rhel6-oval.xml- L25:L29 $ /bin/grep "2224" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml $<null> 　 ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_object> ./Content/ssg-rhel6-oval.xml- <linux:partition_object id="oval:ssg:obj:1713" version="1"> ./Content/ssg-rhel6-oval.xml: <linux:mount_point var_ref="oval:ssg:var:2234"/> ./Content/ssg-rhel6-oval.xml- </linux:partition_object> ./Content/ssg-rhel6-oval.xml- <unix:file_object comment="/etc/passwd" id="oval:ssg:obj:1717" version="1"> ./Content/ssg-rhel6-oval.xml- <unix:path>/etc</unix:path> ./Content/ssg-rhel6-oval.xml- <unix:filename>passwd</unix:filename> ./Content/ssg-rhel6-oval.xml- </unix:runlevel_state> ./Content/ssg-rhel6-oval.xml- <ind:textfilecontent54_state id="oval:ssg:ste:1716" version="1"> ./Content/ssg-rhel6-oval.xml: <ind:subexpression datatype="string" var_ref="oval:ssg:var:2234"/> ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_state> ./Content/ssg-rhel6-oval.xml- <linux:partition_state id="oval:ssg:ste:1714" version="1"> ./Content/ssg-rhel6-oval.xml- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options> ./Content/ssg-rhel6-oval.xml- </linux:partition_state> ./Content/ssg-rhel6-oval.xml- <external_variable comment="External variable: name of selinux policy in /etc/selinux/config" datatype="string" id="oval:ssg:var:2257" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="audit max_log_file settting" datatype="int" id="oval:ssg:var:2258" version="1"/> ./Content/ssg-rhel6-oval.xml: <external_variable comment="removable partition" datatype="string" id="oval:ssg:var:2234" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="External variable for pam_cracklib dcredit" datatype="int" id="oval:ssg:var:2259" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="number of failed login attempts allowed" datatype="int" id="oval:ssg:var:2260" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="umask for user shell" datatype="string" id="oval:ssg:var:2261" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="External variable for pam_cracklib minclass" datatype="int" id="oval:ssg:var:2262" version="1"/> /bin/grep "2234" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml $ <null> ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_object> ./Content/ssg-rhel6-oval.xml- <linux:partition_object id="oval:ssg:obj:2095" version="1"> ./Content/ssg-rhel6-oval.xml: <linux:mount_point var_ref="oval:ssg:var:2237"/> ./Content/ssg-rhel6-oval.xml- </linux:partition_object> ./Content/ssg-rhel6-oval.xml- <linux:rpminfo_object id="oval:ssg:obj:2099" version="1"> ./Content/ssg-rhel6-oval.xml- <linux:name>nfs-utils</linux:name> ./Content/ssg-rhel6-oval.xml- </linux:rpminfo_object> ./Content/ssg-rhel6-oval.xml- </unix:runlevel_state> ./Content/ssg-rhel6-oval.xml- <ind:textfilecontent54_state id="oval:ssg:ste:2098" version="1"> ./Content/ssg-rhel6-oval.xml: <ind:subexpression datatype="string" var_ref="oval:ssg:var:2237"/> ./Content/ssg-rhel6-oval.xml- </ind:textfilecontent54_state> ./Content/ssg-rhel6-oval.xml- <linux:partition_state id="oval:ssg:ste:2096" version="1"> ./Content/ssg-rhel6-oval.xml- <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options> ./Content/ssg-rhel6-oval.xml- </linux:partition_state> ./Content/ssg-rhel6-oval.xml- <external_variable comment="number of passwords that should be remembered" datatype="int" id="oval:ssg:var:2267" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="audit max_log_file_action setting" datatype="string" id="oval:ssg:var:2268" version="1"/> ./Content/ssg-rhel6-oval.xml: <external_variable comment="removable partition" datatype="string" id="oval:ssg:var:2237" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="External variable for pam_cracklib ucredit" datatype="int" id="oval:ssg:var:2269" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="audit num_logs settting" datatype="int" id="oval:ssg:var:2270" version="1"/> ./Content/ssg-rhel6-oval.xml- <external_variable comment="external variable for daemon umask" datatype="string" id="oval:ssg:var:2271" version="1"/> ./Content/ssg-rhel6-oval.xml- </variables> $ /bin/grep "2237" /opt/scc/Resources/Content/ssg-rhel6-xccdf.xml $ <null>

10 years, 3 months

2
1
0 / 0

scan-result question

by Kordell, Luke T

Hello, I have two questions regarding scan results. 1) When reviewing the .xml and .html output how can I determine the cause of an error if the setting described in the rule is configured properly? Does the scan output human-readable or even OVAL errors? 2) What is the difference between not checked, not applicable, unknown and not selected? I know not selected is when an inherited rule is specifically eliminated from an extended profile. Otherwise I would think it would either pass,fail or error. Luke K

10 years, 3 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide January 2014