[PATCH] Removing the rule to disable anacron from CS2, FISMA, NIST, USGCB profiles
by David Smith
---
RHEL/6/input/profiles/CS2.xml | 1 -
.../6/input/profiles/fisma-medium-rhel6-server.xml | 1 -
RHEL/6/input/profiles/nist-CL-IL-AL.xml | 1 -
RHEL/6/input/profiles/usgcb-rhel6-server.xml | 1 -
4 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/RHEL/6/input/profiles/CS2.xml b/RHEL/6/input/profiles/CS2.xml
index 33c0395..aea380b 100644
--- a/RHEL/6/input/profiles/CS2.xml
+++ b/RHEL/6/input/profiles/CS2.xml
@@ -226,7 +226,6 @@
<select idref="kernel_module_bluetooth_disabled" selected="true"/>
<select idref="service_crond_enabled" selected="true"/>
-<select idref="disable_anacron" selected="true" />
<select idref="service_abrtd_disabled" selected="true"/>
<select idref="service_acpid_disabled" selected="true" />
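Review bot: the commit message gives no reason for dropping disable_anacron from CS2 (the subject only lists the profiles touched); state whether the select is removed because the rule has no OVAL check behind it or because the baseline no longer requires anacron disabled, so that the deselection can be reverted cleanly once a check exists. Visible in the context lines, though unrelated to this change: the self-closing selects mix `selected="true"/>` and `selected="true" />`, which is worth normalising in a separate whitespace-only commit.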
diff --git a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
index 9e639f1..b604924 100644
--- a/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL/6/input/profiles/fisma-medium-rhel6-server.xml
@@ -235,7 +235,6 @@
<select idref="service_smartd_disabled" selected="true" />
<select idref="service_sysstat_disabled" selected="true" />
<select idref="service_crond_enabled" selected="true" />
-<select idref="disable_anacron" selected="true" />
<select idref="service_atd_disabled" selected="true" />
<select idref="disable_avahi" selected="true" />
<select idref="mountopt_nodev_on_nonroot_partitions" selected="true" />
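Review bot: the deletion is consistent with the other three profiles in this patch, and the surrounding context (service_crond_enabled, service_atd_disabled) is untouched; confirm that the disable_anacron rule itself stays defined in RHEL/6/input/services/cron.xml and only its selection is dropped here, so a profile can reselect it later without a rule being resurrected.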
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index ccb1ae6..9e0dd40 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
@@ -341,7 +341,6 @@ assurance."</description>
<select idref="disable_dhcp_client" selected="true" />
<select idref="disable_avahi" selected="true" />
<select idref="service_crond_enabled" selected="true" />
-<select idref="disable_anacron" selected="true" />
<select idref="disable_dns_server" selected="true" />
<select idref="uninstall_bind" selected="true" />
<select idref="package_openldap-servers_removed" selected="true" />
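Review bot: the hunk header shows this select list sits directly after the profile description (`assurance."</description>`), and the removal matches the other profiles, but nist-CL-IL-AL.xml is the profile most likely to carry additional references to this rule; check that no other <select>, refine or reference in the file still points at disable_anacron, otherwise the profile would be left with a dangling reference.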
diff --git a/RHEL/6/input/profiles/usgcb-rhel6-server.xml b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
index 7fa82c7..c6bad6b 100644
--- a/RHEL/6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL/6/input/profiles/usgcb-rhel6-server.xml
@@ -208,7 +208,6 @@
<select idref="service_kdump_disabled" selected="true" />
<select idref="network_disable_zeroconf" selected="true" />
<select idref="service_crond_enabled" selected="true" />
-<select idref="disable_anacron" selected="true" />
<!-- PLACEHOLDER: cron file perms go here when ready -->
<select idref="sshd_allow_only_protocol2" selected="true" />
<select idref="service_atd_disabled" selected="true" />
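Review bot: the deleted line sat directly above the `<!-- PLACEHOLDER: cron file perms go here when ready -->` comment, so after this change the placeholder follows service_crond_enabled; that reads fine, but USGCB is an externally defined baseline, so the commit message should say whether USGCB itself does not call for anacron to be disabled or whether the selection is only being dropped until a check for the rule exists.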
--
1.7.1
[PATCH] Added OVAL check for 'disable_anacron' using service_disabled templates
by Rui Pedro Bernardino
This patch proposes to fix the missing OVAL check for the 'disable_anacron' rule.
Signed-off-by: Rui Bernardino <rui-p-bernardino(a)telecom.pt>
---
.../6/input/checks/templates/services_disabled.csv | 1 +
RHEL/6/input/services/cron.xml | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/RHEL/6/input/checks/templates/services_disabled.csv b/RHEL/6/input/checks/templates/services_disabled.csv
index 7045072..c819e51 100644
--- a/RHEL/6/input/checks/templates/services_disabled.csv
+++ b/RHEL/6/input/checks/templates/services_disabled.csv
@@ -1,5 +1,6 @@
abrtd,abrt
acpid,
+anacron,
autofs,
certmonger,
cgred,
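Review bot: the new `anacron,` row leaves the package column empty, as acpid does, so the generated service_anacron_disabled check will only test the init/chkconfig state of a service literally named anacron. On RHEL 6 anacron is delivered by the cronie-anacron package and is run from /etc/cron.hourly/0anacron by crond rather than as an init service of its own, so verify on a target system that an `anacron` service actually exists before relying on this template; if it does not, the check passes trivially and a package-removed or file-based check would describe the rule more accurately.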
diff --git a/RHEL/6/input/services/cron.xml b/RHEL/6/input/services/cron.xml index 983d9ed..4f57af6 100644
--- a/RHEL/6/input/services/cron.xml
+++ b/RHEL/6/input/services/cron.xml
@@ -37,6 +37,7 @@ additional functionality, <tt>anacron</tt> could needlessly increase the possibl attack surface for an intruder.</description> <ref nist="CM-7" /> <ident cce="27158-5" />
+<oval id="service_anacron_disabled" />
</Rule>
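Review bot: the rule is named disable_anacron but now references an OVAL id of service_anacron_disabled, so rule id and check id diverge from the naming used by neighbouring rules such as service_crond_enabled; either rename the rule to service_anacron_disabled (and update the profile selections that reference it) or keep the ids equal, so the template output and the XCCDF rule stay aligned. The description text in the context line also carries the typo "possibl" (for "possible"), which could be corrected in a follow-up.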
--
Rui Pedro Bernardino
CTE2
Aveiro
PT Inovação e Sistemas
[PATCH] [RHEL/6, RHEL/7, shared] Finish logrotate_rotate_all_files => ensure_logrotate_activated transition. Replace ensure_logrotate_activated unknown test stub with actual OVAL check implementation.
by Jan Lieskovsky
The change:
[1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=d2f9...
attempted to replace the "logrotate_rotate_all_files" OVAL check with the "ensure_logrotate_activated" OVAL check,
but failed (to do so in all locations):
scap-security-guide]$ grep -rHn "logrotate_rotate_all_files" *
RHEL/6/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
RHEL/7/input/system/logging.xml:377:<oval id="logrotate_rotate_all_files" />
resulting in the following new 'make validate' / verify-input-references.py error message appearing:
Invalid OVAL definition referenced by XCCDF Rule: ensure_logrotate_activated
Fix that by referencing the new OVAL check name in RHEL/{6,7}/input/system/logging.xml files too.
Besides that, the original RHEL/6/input/checks/ensure_logrotate_activated.xml OVAL check was implemented just
as an unknown OVAL test stub. Replace that stub definition with an actual implementation based on the guide.html content,
move it to shared, and create links for RHEL/6 and RHEL/7.
The proposal has been tested on RHEL/6 & RHEL/7 - the rpm package builds properly, the make validate warning
disappeared & the check seems to be working properly on both products.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[PATCH] [RHEL/6] [RHEL/7] [shared] When checking for static IP address configuration in network scripts allow BOOTPROTO to match also "none" (since that's what system-config-network / nm-connection-editor do when creating static IP connection)
by Jan Lieskovsky
As noted in:
[1] https://github.com/cobbler/cobbler/issues/361
[2] https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Lin...
BOOTPROTO variable in /etc/sysconfig/network-scripts can have just one of (none|bootp|dhcp) values.
Initscripts also knows only these three:
[3] https://git.fedorahosted.org/cgit/initscripts.git/tree/sysconfig.txt
meaning that when the 'bootp' or 'dhcp' options are used, the DHCP client is run on the device. Any other
option is dealt with / considered to mean static configuration.
When system-config-network / system-config-network-tui / nm-connection-editor creates a new connection
with static IP configuration, it uses BOOTPROTO=none in the particular /etc/sysconfig/network-scripts/ifcfg-conn-name
script (this can be verified by creating a sample connection).
Based on bug:
[4] https://bugzilla.redhat.com/show_bug.cgi?id=528068
and resulting patch:
[5] http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=c31b...
NetworkManager (starting from NetworkManager-0.7.996-5.git20091021.fc12) treats BOOTPROTO=static as an
alias for BOOTPROTO=none (doesn't complain when 'static' is used as BOOTPROTO specification).
But since the RHEL-6 Deployment Guide [2] and the initscripts code [3] know / suggest the use of 'none', enhance
the sysconfig_networking_bootproto_ifcfg OVAL check to allow test success also when 'none' is used
as the BOOTPROTO specification (since that is actually what is used when a new static-IP connection
is created, e.g. via system-config-network or nm-connection-editor).
Besides that (support also for 'none' in the BOOTPROTO specification), the patch starts recommending the use of
'none' in the appropriate places (RHEL/6, RHEL/7 XCCDF rule descriptions, STIG reference) & moves the originally
RHEL-6-specific sysconfig_networking_bootproto_ifcfg OVAL check to be a shared one.
The change has been tested on both RHEL/6 & RHEL/7; the rpm(s) build correctly and the change seems to be
working as expected (on both products).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
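The BOOTPROTO semantics described in the mail above, as an added illustration that is not part of the patch or of scap-security-guide's own OVAL: a small parser for ifcfg-* scripts plus the static-address decision with and without the 'none' extension the patch proposes. The ifcfg contents and the function names are constructed for this example.

```python
"""Classify ifcfg-* scripts the way the mail describes: initscripts run a DHCP
client only for BOOTPROTO=bootp|dhcp and treat everything else as static, while
the sysconfig_networking_bootproto_ifcfg check accepted only 'static' before the
patch and accepts 'static' or 'none' after it. Added example, constructed inputs."""
import re
import shlex

DHCP_VALUES = {"bootp", "dhcp"}            # the only values initscripts treat as DHCP
PRE_PATCH_STATIC = {"static"}              # what the check accepted before the patch
POST_PATCH_STATIC = {"static", "none"}     # what the check accepts after the patch

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_ifcfg(text):
    """Parse KEY=value lines of a sysconfig ifcfg file into a dict.
    Values may be quoted as in shell; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        parts = shlex.split(m.group(2), comments=True)   # strips quotes and trailing comments
        values[m.group(1)] = parts[0] if parts else ""
    return values


def initscripts_runs_dhcp(cfg):
    """Mirror the initscripts rule: a DHCP client starts only for bootp/dhcp (exact match)."""
    return cfg.get("BOOTPROTO", "") in DHCP_VALUES


def check_bootproto(cfg, allow_none=True):
    """Return (passes, reason) for the static-address check.
    allow_none=False reproduces the pre-patch behaviour, which fails BOOTPROTO=none
    even though system-config-network writes exactly that for static connections."""
    accepted = POST_PATCH_STATIC if allow_none else PRE_PATCH_STATIC
    value = cfg.get("BOOTPROTO", "")
    if value in accepted:
        return True, "static addressing declared via BOOTPROTO=%s" % value
    if value in DHCP_VALUES:
        return False, "DHCP client configured (BOOTPROTO=%s)" % value
    return False, "BOOTPROTO %r not accepted by the check (initscripts would treat it as static)" % value


# Constructed samples, not taken from any real host.
SAMPLE_STATIC_NM = "DEVICE=eth0\nBOOTPROTO=none\nIPADDR=192.0.2.10\nONBOOT=yes\n"
SAMPLE_DHCP = 'DEVICE="eth1"\nBOOTPROTO="dhcp"  # written by kickstart\nONBOOT=yes\n'
```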