March 2014 - scap-security-guide - Fedora Mailing-Lists

[PATCH] Shared check was missing RHEL 7 platform line

by Maura Dailey

Other pam_cracklib shared checks had the required platform field, but the check for difok appears to have been inadvertently skipped. - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- .../oval/accounts_password_pam_cracklib_difok.xml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/shared/oval/accounts_password_pam_cracklib_difok.xml b/shared/oval/accounts_password_pam_cracklib_difok.xml index 80fd21e..62a535a 100644 --- a/shared/oval/accounts_password_pam_cracklib_difok.xml +++ b/shared/oval/accounts_password_pam_cracklib_difok.xml @@ -4,6 +4,7 @@ <title>Set Password difok Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password difok should meet minimum requirements using pam_cracklib</description> -- 1.7.1

10 years

2
3
0 / 0

ensure_gpgcheck_globally_activated

by Delorenzo, Michael A CIV USARMY ARDEC (US)

Hello everyone, I noticed that after a newer git pull this referenced check is now set as not checked, when it previously was checked. I can't seem to find an explanation in the mailing list emails. Does anyone have any explanation? Thanks, Michael DeLorenzo Computer Scientist Picatinny Arsenal Business Transformation & E-Systems Office, RDAR-WSE, Building 93 W: (973)-724-1370 BB: (862)-432-6071

10 years

3
4
0 / 0

[PATCH] Consolidate ntp and openssh package checks for Fedora, RHEL 6, and RHEL 7 into the shared directory, since they all share the same package name.

by Maura Dailey

This small patch takes care of the existing package checks in Fedora and shared. More patches will be forthcoming for shared package checks in RHEL 6 and RHEL 7. - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- Fedora/input/checks/package_ntp_installed.xml | 26 +----------------- .../checks/package_openssh-server_removed.xml | 26 +----------------- RHEL/6/input/checks/package_ntp_installed.xml | 27 +------------------ RHEL/7/input/checks/package_ntp_installed.xml | 1 + shared/oval/package_ntp_installed.xml | 28 ++++++++++++++++++++ shared/oval/package_openssh-server_removed.xml | 1 + 6 files changed, 33 insertions(+), 76 deletions(-) mode change 100644 => 120000 Fedora/input/checks/package_ntp_installed.xml mode change 100644 => 120000 Fedora/input/checks/package_openssh-server_removed.xml mode change 100644 => 120000 RHEL/6/input/checks/package_ntp_installed.xml create mode 120000 RHEL/7/input/checks/package_ntp_installed.xml create mode 100644 shared/oval/package_ntp_installed.xml diff --git a/Fedora/input/checks/package_ntp_installed.xml b/Fedora/input/checks/package_ntp_installed.xml deleted file mode 100644 index 389f166..0000000 --- a/Fedora/input/checks/package_ntp_installed.xml +++ /dev/null @@ -1,25 +0,0 @@ -<def-group> -  - <definition class="compliance" id="package_ntp_installed" - version="1"> - <metadata> - <title>Package ntp Installed</title> - <affected family="unix"> - <platform>Fedora 19</platform> - </affected> - <description>The RPM package ntp should be installed.</description> - </metadata> - <criteria> - <criterion comment="package ntp is installed" - test_ref="test_package_ntp_installed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="all_exist" - id="test_package_ntp_installed" version="1" - comment="package ntp is installed"> - <linux:object object_ref="obj_package_ntp_installed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_ntp_installed" version="1"> - <linux:name>ntp</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/Fedora/input/checks/package_ntp_installed.xml b/Fedora/input/checks/package_ntp_installed.xml new file mode 120000 index 0000000..7432e41 --- /dev/null +++ b/Fedora/input/checks/package_ntp_installed.xml @@ -0,0 +1 @@ +../../../shared/oval/package_ntp_installed.xml \ No newline at end of file diff --git a/Fedora/input/checks/package_openssh-server_removed.xml b/Fedora/input/checks/package_openssh-server_removed.xml deleted file mode 100644 index 785681d..0000000 --- a/Fedora/input/checks/package_openssh-server_removed.xml +++ /dev/null @@ -1,25 +0,0 @@ -<def-group> -  - <definition class="compliance" id="package_openssh-server_removed" - version="1"> - <metadata> - <title>Package openssh-server Removed</title> - <affected family="unix"> - <platform>Fedora 19</platform> - </affected> - <description>The RPM package openssh-server should be removed.</description> - </metadata> - <criteria> - <criterion comment="package openssh-server is removed" - test_ref="test_package_openssh-server_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_openssh-server_removed" version="1" - comment="package openssh-server is removed"> - <linux:object object_ref="obj_package_openssh-server_removed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_openssh-server_removed" version="1"> - <linux:name>openssh-server</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/Fedora/input/checks/package_openssh-server_removed.xml b/Fedora/input/checks/package_openssh-server_removed.xml new file mode 120000 index 0000000..f7e880d --- /dev/null +++ b/Fedora/input/checks/package_openssh-server_removed.xml @@ -0,0 +1 @@ +../../../shared/oval/package_openssh-server_removed.xml \ No newline at end of file diff --git a/RHEL/6/input/checks/package_ntp_installed.xml b/RHEL/6/input/checks/package_ntp_installed.xml deleted file mode 100644 index 2495849..0000000 --- a/RHEL/6/input/checks/package_ntp_installed.xml +++ /dev/null @@ -1,26 +0,0 @@ -<def-group> -  - <definition class="compliance" id="package_ntp_installed" - version="1"> - <metadata> - <title>Package ntp Installed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package ntp should be installed.</description> - <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> - </metadata> - <criteria> - <criterion comment="package ntp is installed" - test_ref="test_package_ntp_installed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="all_exist" - id="test_package_ntp_installed" version="1" - comment="package ntp is installed"> - <linux:object object_ref="obj_package_ntp_installed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_ntp_installed" version="1"> - <linux:name>ntp</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL/6/input/checks/package_ntp_installed.xml b/RHEL/6/input/checks/package_ntp_installed.xml new file mode 120000 index 0000000..e9413c8 --- /dev/null +++ b/RHEL/6/input/checks/package_ntp_installed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_ntp_installed.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/package_ntp_installed.xml b/RHEL/7/input/checks/package_ntp_installed.xml new file mode 120000 index 0000000..e9413c8 --- /dev/null +++ b/RHEL/7/input/checks/package_ntp_installed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_ntp_installed.xml \ No newline at end of file diff --git a/shared/oval/package_ntp_installed.xml b/shared/oval/package_ntp_installed.xml new file mode 100644 index 0000000..ee8d0ac --- /dev/null +++ b/shared/oval/package_ntp_installed.xml @@ -0,0 +1,28 @@ +<def-group> +  + <definition class="compliance" id="package_ntp_installed" + version="1"> + <metadata> + <title>Package ntp Installed</title> + <affected family="unix"> + <platform>Fedora 19</platform> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The RPM package ntp should be installed.</description> + <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package ntp is installed" + test_ref="test_package_ntp_installed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="all_exist" + id="test_package_ntp_installed" version="1" + comment="package ntp is installed"> + <linux:object object_ref="obj_package_ntp_installed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_ntp_installed" version="1"> + <linux:name>ntp</linux:name> + </linux:rpminfo_object> +</def-group> diff --git a/shared/oval/package_openssh-server_removed.xml b/shared/oval/package_openssh-server_removed.xml index 311463e..b72eb32 100644 --- a/shared/oval/package_openssh-server_removed.xml +++ b/shared/oval/package_openssh-server_removed.xml @@ -5,6 +5,7 @@ <metadata> <title>Package openssh-server Removed</title> <affected family="unix"> + <platform>Fedora 19</platform> <platform>Red Hat Enterprise Linux 6</platform> <platform>Red Hat Enterprise Linux 7</platform> </affected> -- 1.7.1

10 years

2
1
0 / 0

Minimum Password Length ...

by Trey Henefield

I had noticed that the RHEL6 SSG and RHEL6 STIG both require checking /etc/login.defs for the password minimum length parameter 'PASS_MIN_LEN'. This differs from the RHEL5 STIG in which it requires it being configured via the 'minlen' parameter for cracklib.so within /etc/pam.d/system-auth. Furthermore, the RHEL5 manpage indicates the enforcement of /etc/login.defs, as it relates to passwords, as being deprecated. However, this is not indicated in the same manpage in RHEL6. "Much of the functionality that used to be provided by the shadow password suite is now handled by PAM. Thus, /etc/login.defs is no longer used by programs such as: login(1), passwd(1), su(1). Please refer to the corresponding PAM configuration files instead." So I decided to test this to see if RHEL6 is actually enforcing the 'PASS_MIN_LEN' parameter in /etc/login.defs, and it is not. I have it set to 14 and I was able to configure a password with 12 characters. So shouldn't this be changed to reflect how this is configured in RHEL5, or am I missing something? Best regards, Trey Henefield, CISSP Senior IAVA Engineer Ultra Electronics Advanced Tactical Systems, Inc. 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA Trey.Henefield(a)ultra-ats.com Tel: +1 512 327 6795 ext. 647 Fax: +1 512 327 8043 Mobile: +1 512 541 6450 www.ultra-ats.com Disclaimer The information contained in this communication from trey.henefield(a)ultra-ats.com sent at 2014-02-26 10:22:15 is confidential and may be legally privileged. It is intended solely for use by scap-security-guide(a)lists.fedorahosted.org and others authorized to receive it. If you are not scap-security-guide(a)lists.fedorahosted.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

10 years

4
10
0 / 0

[PATCH 0/3] minor edits in preparation for publication

by Jeffrey Blank

This represents my proofreading and minor editing of the first half of the "guide", which represents the complete set of XCCDF content. Jeffrey Blank (3): minor edits to permissions section text minor edits to selinux and integrity sections minor edit to intro text RHEL/6/input/guide.xml | 12 +++++-- RHEL/6/input/system/permissions/files.xml | 1 - RHEL/6/input/system/permissions/mounting.xml | 5 ++- RHEL/6/input/system/permissions/permissions.xml | 2 +- RHEL/6/input/system/selinux.xml | 38 +---------------------- RHEL/6/input/system/software/integrity.xml | 12 ++++--- 6 files changed, 21 insertions(+), 49 deletions(-)

10 years

3
5
0 / 0

IPV6 and security?

by Andrew Gilmore

Had our IT folks explain that this 3+ year old push is now gaining traction at my agency. http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/transi... Are the security concerns around IPV6 about the maturity of the protocol stack, or the reduced utility of NAT, or? Thanks, Andrew Gilmore

10 years

4
7
0 / 0

RE: IPV6 and security? (UNCLASSIFIED)

by Beavers, Randall D. CTR (US)

Classification: UNCLASSIFIED Caveats: NONE If I get a penny for my thoughts, then I put in my two cents...where does that other penny go? On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <sgrubb(a)redhat.com> wrote: The view taking in hardening systems is if you don't need something, turn it off so that you don't have inadvertent security problems. Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are the hardening steps. If you do not, then turn it off. That is the prudent thing to do in all cases. An additional thought that we've done on past programs is: Maybe not only "turn off" IPv6, but I've gone through the effort of following the STIGs to set all of the security configurations, AND turn it off. Why you ask? Because if IPv6 is "turned on" by malicious or inadvertent activity later, then it is already STIG-compliant, thereby provide some level of security. If one simply turns it off, it still "may" leave the system somewhat vulnerable IMHO. v/r, Randy Beavers, GSLC, CISSP System Security Engineer Multi-Mission Launcher 256-842-5426 office 256-289-6054 cell randall.d.beavers.ctr(a)mail.mil randall.d.beavers.ctr(a)mail.smil.mil -----Original Message----- From: scap-security-guide-bounces(a)lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Andrew Gilmore Sent: Tuesday, March 25, 2014 4:33 PM To: SCAP Security Guide Subject: Re: IPV6 and security? Thanks for the info! On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <sgrubb(a)redhat.com> wrote: The view taking in hardening systems is if you don't need something, turn it off so that you don't have inadvertent security problems. Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are the hardening steps. If you do not, then turn it off. That is the prudent thing to do in all cases. Definitely, and for the last 12 years, all I've heard is we don't need IPV6, turn it off. Put another way, its not that IPv6 is insecure...its very well tested. Its that if you don't need it or use it and a security bulletin comes along for it, its easy to dismiss because you didn't intend to use it. This was part of my real question, I guess. Much of what I had heard about IPV6 focused on the relative maturity of the stack, compared to IPV4, and suggested that some of the same types of critical vulnerabilities that we saw in the 90s may be lurking in this stack. It's good to hear your confidence in the tech. I'd put this back on the OP. Who said it _is_ insecure? I implied that there were concerns, but that was an uninformed position. This may have been fostered in other benchmarks I've been involved in, but I'd have to go re-read them to make sure I wasn't reading it in. Thanks! Andrew Classification: UNCLASSIFIED Caveats: NONE

10 years

2
1
0 / 0

[PATCH] Removing ntpdate as a package doesn't make sense, because it's a dependency of ntp, a package we want to be installed. It's suffient to check that the ntpdate service is not configured to start.

by Maura Dailey

This removes the package_ntpdate_removed.xml check and the reference to it in the service disable check. - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- RHEL/6/input/checks/package_ntpdate_removed.xml | 25 ---------------------- RHEL/6/input/checks/service_ntpdate_disabled.xml | 5 +--- 2 files changed, 1 insertions(+), 29 deletions(-) delete mode 100644 RHEL/6/input/checks/package_ntpdate_removed.xml diff --git a/RHEL/6/input/checks/package_ntpdate_removed.xml b/RHEL/6/input/checks/package_ntpdate_removed.xml deleted file mode 100644 index a78fb82..0000000 --- a/RHEL/6/input/checks/package_ntpdate_removed.xml +++ /dev/null @@ -1,25 +0,0 @@ -<def-group> -  - <definition class="compliance" id="package_ntpdate_removed" - version="1"> - <metadata> - <title>Package ntpdate Removed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package ntpdate should be removed.</description> - </metadata> - <criteria> - <criterion comment="package ntpdate is removed" - test_ref="test_package_ntpdate_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_ntpdate_removed" version="1" - comment="package ntpdate is removed"> - <linux:object object_ref="obj_package_ntpdate" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_ntpdate" version="1"> - <linux:name>ntpdate</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL/6/input/checks/service_ntpdate_disabled.xml b/RHEL/6/input/checks/service_ntpdate_disabled.xml index 5a9559e..1aee2d9 100644 --- a/RHEL/6/input/checks/service_ntpdate_disabled.xml +++ b/RHEL/6/input/checks/service_ntpdate_disabled.xml @@ -10,9 +10,7 @@ <description>The ntpdate service should be disabled if possible.</description> <reference source="DS" ref_id="20130918" ref_url="test_attestation" /> </metadata> - <criteria comment="package ntpdate removed or service ntpdate is not configured to start" operator="OR"> - <extend_definition comment="ntpdate removed" definition_ref="package_ntpdate_removed" /> - <criteria operator="AND" comment="service ntpdate is not configured to start"> + <criteria comment="service ntpdate is not configured to start" operator="AND"> <criterion comment="ntpdate runlevel 0" test_ref="test_runlevel0_ntpdate" /> <criterion comment="ntpdate runlevel 1" test_ref="test_runlevel1_ntpdate" /> <criterion comment="ntpdate runlevel 2" test_ref="test_runlevel2_ntpdate" /> @@ -21,7 +19,6 @@ <criterion comment="ntpdate runlevel 5" test_ref="test_runlevel5_ntpdate" /> <criterion comment="ntpdate runlevel 6" test_ref="test_runlevel6_ntpdate" /> </criteria> - </criteria> </definition> <unix:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="test_runlevel0_ntpdate" -- 1.7.1

10 years

2
1
0 / 0

[PATCH] [Fedora] Switch on OVAL variables evaluation in rules description

by Jan Lieskovsky

Based on xccdf:sub elements thread: https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-March/0... switch on OVAL variables evaluation for Fedora content in XCCDF rules description. Together with that change, indent content of <pre> elements with one heading tab character. Tested on Fedora (both make & make validate seems to be working properly). Please review. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

10 years

2
3
0 / 0

commit-introduction

by Kordell, Luke T

Hello, My name is Luke Kordell, and I am working on an multi-level Secure profile called MLS_CSCF. Currently the profile is rough, but expect more updates soon! Luke

10 years

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide March 2014