August 2014 - scap-security-guide - Fedora Mailing-Lists

by Pettorino, Jeffrey D CTR USAF USAFA USAFA/DFAN

I have been trying to get oscap working on my CentOS6.5 network core, without luck. Everything comes back with "Result notapplicable". I am pretty new to SCAP and XCCDF, but am a long-time user of Nessus and Security Center (prior to ACAS program by DISA). Does anyone have suggestions where I can find some in depth guidance to adjust the rhel6 configs to CentOS? -- Jeff v/r, Jeffrey D. Pettorino, GCIH, CISSP Systems Engineer High Performance Computing Research Center United States Air Force Academy Jeffrey.Pettorino.ctr(a)USAFA.edu 719/333-9391 ---- The use of the Unix philosophy just for UNIX was a great waste. Fortunately, Linux came along. - Bellevue Linux User Group member, 2005

9 years, 8 months

17
39
0 / 0

git pull request - enabling gconf-tree.xml OAVL support (#22)

by Gabe Alford

Hello, I have a git pull request waiting for review at https://github.com/OpenSCAP/scap-security-guide/pull/22. If ack'ed, it would need to be merged by project collaborators. Thanks, Gabe

9 years, 8 months

2
2
0 / 0

selinux_all_devicefiles_labeled not working

by Jeremiah Jahn

this just isn't working at all and returns a false positive

9 years, 8 months

3
2
0 / 0

[PATCH] Update C2S profile <description> per request from CIS

by Shawn Wells

The prior wording of the C2S profile contained a statement that the C2S profile, as it is derived from CIS' publicly available RHEL6 Benchmark [1], could measure a system against the CIS RHEL6 baseline. We have been informed that per CIS' terms and conditions, specifically under RESTRICTIONS, item #8, one may not "represent or claim a particular level of compliance or consistency with any SB product." To remain in compliance with CIS' request, this patch updates the C2S profile description to indicate that while the C2S profile may be sourced from the public, freely available CIS benchmark, no representation or claim to a particular level of compliance or consistency is being made. CIS is eager to collaborate more closely with the community (and Red Hat) on guidance development, in particular through the SCAP Security Guide. They have expressed that having automated security guidance and workflows ship with the Operating System is definitely a positive step, and one they encourage. Unfortunately, we were unable to reconcile the CIS Terms and Conditions to provide a freely available SCAP profile against the CIS baseline. When faced with the choice of paying ~$20,000 license fees [2], or rewording references to CIS compliance, the later was chosen. [1] https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Lin... mark_v1.2.0.pdf [2] http://benchmarks.cisecurity.org/membership/certified/overview/ Signed-off-by: Shawn Wells <shawn(a)redhat.com> --- RHEL/6/input/profiles/C2S.xml | 504 ++++++++++++++++++++--------------------- 1 files changed, 250 insertions(+), 254 deletions(-) diff --git a/RHEL/6/input/profiles/C2S.xml b/RHEL/6/input/profiles/C2S.xml index 282da6a..ef97fc2 100644 --- a/RHEL/6/input/profiles/C2S.xml +++ b/RHEL/6/input/profiles/C2S.xml @@ -1,19 +1,15 @@ <Profile id="C2S"> <title>C2S for Red Hat Enterprise Linux 6</title> <description>This profile demonstrates compliance against the -U.S. Government C2S baseline. - -This baseline is tied to the Center for Internet Security's -Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013, -and uses the same refine values. One could use C2S interchangably -with CIS v1.2.0. For a copy of the CIS RHEL6 benchmark, refer -to: -https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.2.0.pdf - -This profile is not production ready and should be considered -development preview. As of 13-APR-2014, Out of the 233 -policy-mandated checks, only 169 currently have associated OVAL. -Patches would be most welcome! +U.S. Government Commercial Cloud Services (C2S) baseline. + +This baseline was inspired by the Center for Internet Security +(CIS) Red Hat Enterprise Linux 6 Benchmark, v1.2.0 - 06-25-2013. +For the SCAP Security Guide project to remain in compliance with +CIS' terms and conditions, specifically Restrictions(8), note +there is no representation or claim that the C2S profile will +ensure a system is in compliance or consistency with the CIS +baseline. </description>  @@ -26,698 +22,698 @@ Patches would be most welcome!  - - + <select idref="partition_for_tmp" selected="true"/> - + <select idref="mount_option_tmp_nodev" selected="true" /> - + <select idref="mount_option_tmp_nosuid" selected="true" /> - + <select idref="mount_option_tmp_noexec" selected="true" /> - + <select idref="partition_for_var" selected="true"/> - + <select idref="mount_option_var_tmp_bind_var" selected="true" /> - + <select idref="partition_for_var_log" selected="true"/> - + <select idref="partition_for_var_log_audit" selected="true"/> - + <select idref="partition_for_home" selected="true"/> - + <select idref="mountopt_nodev_on_nonroot_partitions" selected="true" /> - + <select idref="mountopt_nodev_on_removable_partitions" selected="true" /> - + <select idref="mount_option_noexec_removable_partitions" selected="true" /> - + <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> - + <select idref="mount_option_dev_shm_nodev" selected="true" /> - + <select idref="mount_option_dev_shm_nosuid" selected="true" /> - + <select idref="mount_option_dev_shm_noexec" selected="true" /> - + <select idref="sticky_world_writable_dirs" selected="true" /> - + <select idref="kernel_module_cramfs_disabled" selected="true" /> - + <select idref="kernel_module_freevxfs_disabled" selected="true" /> - + <select idref="kernel_module_jffs2_disabled" selected="true" /> - + <select idref="kernel_module_hfs_disabled" selected="true" /> - + <select idref="kernel_module_hfsplus_disabled" selected="true" /> - + <select idref="kernel_module_squashfs_disabled" selected="true" /> - + <select idref="kernel_module_udf_disabled" selected="true" /> - - + +  - + <select idref="ensure_redhat_gpgkey_installed" selected="true"/> - + <select idref="ensure_gpgcheck_globally_activated" selected="true"/> <select idref="ensure_gpgcheck_never_disabled" selected="true"/> - + <select idref="service_rhnsd_disabled" selected="true"/> - +  - + <select idref="rpm_verify_permissions" selected="true" /> <select idref="rpm_verify_hashes" selected="true" /> - - + + <select idref="package_aide_installed" selected="true" /> - + <select idref="disable_prelink" selected="true" /> <select idref="aide_build_database" selected="true" /> <select idref="aide_periodic_cron_checking" selected="true" /> - - + + <select idref="enable_selinux_bootloader" selected="true" /> - + <select idref="selinux_state" selected="true" /> - + <select idref="selinux_policytype" selected="true" /> - + <select idref="package_setroubleshoot_removed" selected="true" /> - + <select idref="package_mcstrans_removed" selected="true" /> - + <select idref="selinux_confinement_of_daemons" selected="true" /> - - + + <select idref="user_owner_grub_conf" selected="true"/> <select idref="group_owner_grub_conf" selected="true"/> - + <select idref="permissions_grub_conf" selected="true"/> - + <select idref="bootloader_password" selected="true"/> - + <select idref="require_singleuser_auth" selected="true"/> - + <select idref="disable_interactive_boot" selected="true"/> - - + + <select idref="disable_users_coredumps" selected="true" /> <select idref="sysctl_fs_suid_dumpable" selected="true" /> - + <select idref="sysctl_kernel_exec_shield" selected="true"/> - + <select idref="sysctl_kernel_randomize_va_space" selected="true"/> - - - - + + + + <select idref="uninstall_telnet_server" selected="true"/> - + <select idref="package_telnet_removed" selected="true" /> - + <select idref="uninstall_rsh-server" selected="true"/> - + <select idref="package_rsh_removed" selected="true" /> - + <select idref="package_ypbind_removed" selected="true" /> - + <select idref="uninstall_ypserv" selected="true" /> - + <select idref="package_tftp_removed" selected="true" /> - + <select idref="uninstall_tftp-server" selected="true"/> - +  - +  - + <select idref="uninstall_xinetd" selected="true"/> - +  - +  - +  - +  - +  - +  - +  - - + + <select idref="umask_for_daemons" selected="true" /> - + <select idref="packagegroup_xwindows_remove" selected="true" /> - + <select idref="disable_avahi" selected="true" /> - + <select idref="service_cups_disabled" selected="true" /> - + <select idref="uninstall_dhcp_server" selected="true" /> - + <select idref="service_ntpd_enabled" selected="true" /> <select idref="ntpd_specify_remote_server" selected="true" /> <select idref="ntpd_specify_multiple_servers" selected="true" /> - + <select idref="package_openldap-servers_removed" selected="true" /> - +  - +  - + <select idref="uninstall_vsftpd" selected="true" /> - + <select idref="uninstall_httpd" selected="true" /> - +  - +  - +  - + <select idref="uninstall_net-snmp" selected="true"/> - + <select idref="postfix_network_listening" selected="true" /> - - - + + + <select idref="sysctl_ipv4_ip_forward" selected="true"/> - + <select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> <select idref="sysctl_ipv4_all_send_redirects" selected="true"/> - - + + <select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> <select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> - + <select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> <select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> - + <select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> <select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> - + <select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> - + <select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> - + <select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> - + <select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> <select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> - + <select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> - - + + <select idref="wireless_disable_in_bios" selected="true" /> <select idref="deactivate_wireless_interfaces" selected="true" /> - - - + + + <select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" />  - + <select idref="sysctl_ipv6_default_accept_redirects" selected="true" />  - + <select idref="network_ipv6_disable_interfaces" selected="true" /> - - + +  - +  - +  - +  - +  -  - - + + + <select idref="kernel_module_dccp_disabled" selected="true"/> - + <select idref="kernel_module_sctp_disabled" selected="true"/> - + <select idref="kernel_module_rds_disabled" selected="true"/> - + <select idref="kernel_module_tipc_disabled" selected="true"/> - + <select idref="service_iptables_enabled" selected="true"/> - + <select idref="service_ip6tables_enabled" selected="true"/> - - - + + + <select idref="package_rsyslog_installed" selected="true"/> - + <select idref="service_rsyslog_enabled" selected="true"/> - +  - + <select idref="rsyslog_file_permissions" selected="true"/> - + <select idref="rsyslog_send_messages_to_logserver" selected="true"/> - + <select idref="rsyslog_accept_remote_messages_none" selected="true" /> - - - + + + <select idref="configure_auditd_max_log_file" selected="true"/> - + <select idref="auditd_data_retention_space_left_action" selected="true" /> <select idref="auditd_data_retention_action_mail_acct" selected="true" /> <select idref="auditd_data_retention_admin_space_left_action" selected="true" /> - + <select idref="configure_auditd_max_log_file_action" selected="true" /> - + <select idref="service_auditd_enabled" selected="true"/> - + <select idref="enable_auditd_bootloader" selected="true"/> - + <select idref="audit_rules_time_adjtimex" selected="true" /> <select idref="audit_rules_time_settimeofday" selected="true" /> <select idref="audit_rules_time_stime" selected="true" /> <select idref="audit_rules_time_watch_localtime" selected="true" /> - + <select idref="audit_account_changes" selected="true" /> - + <select idref="audit_network_modifications" selected="true" /> - + <select idref="audit_mac_changes" selected="true" /> - + <select idref="audit_manual_logon_edits" selected="true" /> - + <select idref="audit_manual_session_edits" selected="true" /> - + <select idref="audit_dac_actions" selected="true" /> - + <select idref="audit_rules_unsuccessful_file_modification" selected="true" /> - + <select idref="audit_privileged_commands" selected="true" /> - + <select idref="audit_media_exports" selected="true" /> - + <select idref="audit_rules_file_deletion_events" selected="true" /> - + <select idref="audit_sysadmin_actions" selected="true" /> - +   - + <select idref="audit_kernel_module_loading" selected="true" /> - + <select idref="audit_config_immutable" selected="true" /> - + <select idref="ensure_logrotate_activated" selected="true" /> - - - + + +    - + <select idref="service_crond_enabled" selected="true" /> - +  - +  - +  - +  - +  - +  - +  - + <select idref="service_atd_disabled" selected="true" /> - +  - - + + <select idref="sshd_allow_only_protocol2" selected="true" /> - +  - +  - +  - +  - + <select idref="sshd_disable_rhosts" selected="true" /> - + <select idref="disable_host_auth" selected="true" /> - + <select idref="sshd_disable_root_login" selected="true" /> - + <select idref="sshd_disable_empty_passwords" selected="true" /> - - + + <select idref="sshd_use_approved_ciphers" selected="true" /> - + <select idref="sshd_set_idle_timeout" selected="true" /> - + <select idref="sshd_limit_user_access" selected="true" /> - + <select idref="sshd_enable_warning_banner" selected="true" /> - - + + <select idref="set_password_hashing_algorithm" selected="true" /> - + <select idref="password_quality_pamcracklib" selected="true" /> - + <select idref="accounts_passwords_pam_faillock_deny" selected="true" /> - + <select idref="accounts_password_reuse_limit" selected="true" /> - + <select idref="no_direct_root_logins" selected="true" /> - +  - - - + + + <select idref="accounts_maximum_age_login_defs" selected="true" /> - + <select idref="accounts_minimum_age_login_defs" selected="true" /> - + <select idref="accounts_password_warn_age_login_defs" selected="true" /> - + <select idref="no_shelllogin_for_systemaccounts" selected="true" /> - +  - + <select idref="accounts_umask_bashrc" selected="true" /> <select idref="accounts_umask_etc_profile" selected="true" /> - + <select idref="account_disable_post_pw_expiration" selected="true" /> - + - + <select idref="set_system_login_banner" selected="true" /> - +  - + <select idref="enable_gdm_login_banner" selected="true" /> <select idref="set_gdm_login_banner_text" selected="true" /> - - - + + +  - + <select idref="file_permissions_etc_passwd" selected="true" /> - + <select idref="file_permissions_etc_shadow" selected="true" /> - + <select idref="file_permissions_etc_gshadow" selected="true" /> - + <select idref="file_permissions_etc_group" selected="true" /> - + <select idref="file_owner_etc_passwd" selected="true" /> <select idref="file_groupowner_etc_passwd" selected="true" /> - + <select idref="userowner_shadow_file" selected="true" /> <select idref="groupowner_shadow_file" selected="true" /> - + <select idref="file_owner_etc_gshadow" selected="true" /> <select idref="file_groupowner_etc_gshadow" selected="true" /> - + <select idref="file_owner_etc_group" selected="true" /> <select idref="file_groupowner_etc_group" selected="true" /> - + <select idref="file_permissions_binary_dirs" selected="true" /> <select idref="world_writeable_files" selected="true" /> - + <select idref="no_files_unowned_by_user" selected="true" /> - + <select idref="no_files_unowned_by_group" selected="true" /> - + <select idref="no_unpackaged_suid_files" selected="true" /> - + <select idref="no_unpackaged_sgid_files" selected="true" /> - - + + <select idref="no_empty_passwords" selected="true" /> - +  - +  - +  - + <select idref="accounts_no_uid_except_zero" selected="true" /> - + <select idref="root_path_default" selected="true" /> - + <select idref="homedir_perms_no_groupwrite_worldread" selected="true" /> - +  - +  - + <select idref="no_rsh_trust_files" selected="true" /> - + <select idref="gid_passwd_group_same" selected="true" /> - +  - +  - + <select idref="account_unique_name" selected="true" /> - +  - +  - +  - - + + - + <select idref="no_netrc_files" selected="true" /> - +  -- 1.7.1

9 years, 8 months

2
3
0 / 0

root_path_no_groupother_writable false positive

by Jeremiah Jahn

this is currently returning a false positive

9 years, 8 months

1
0
0 / 0

no_files_unowned_by_user needs to be tightened down

by Jeremiah Jahn

It currently includes /proc in which nothing seems to be owned by anyone. path type UID GID size permissions /proc/16815/ns/pid symbolic link 0 0 0 rwxrwxrwx /proc/16815/net/ip_tables_targets regular 0 0 0 r--r-----

9 years, 8 months

1
0
0 / 0

faillock related descriptions are wrong and dangerous

by Jeremiah Jahn

accounts_passwords_pam_fail_interval and accounts_passwords_pam_faillock_unlock_time have bad description The description needs to be changed in these from currently telling the user to put them under pam_env.so to under pam_unix.so. Also there are a number of things you have to do. And I'll walk though this example so you can see. normal pam system-auth file, same allied for password file auth required pam_env.so auth [success=1 default=bad] pam_unix.so auth [default=die] pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900 auth sufficient pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900 auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so fist things first. you must skip the authfail on a successful login, and set default equal to bad. the faillock authfail will ALWAYS lock the user out if run. Which is why if you follow the guidance, you'll brick your machine. so pam_unix.so must be set to [success=1 default=bad]. second pam_faillock.so authsucc must be set to sufficient, and always placed before pam_deny. your description currently says required, but you've got to alter unix.so to fall through on success instead of simply being sufficient, so now pam_faillock.so authsucc has to be sufficient to pick up the slack. The test for this is also going to have to be rewritten as well. -jj-

9 years, 8 months

3
4
0 / 0

RHEL 6.6 beta released, includes SCAP Security Guide!

by Shawn Wells

RHEL 6.6 beta was released this morning: http://www.redhat.com/about/news/archive/2014/8/red-hat-enterprise-linux-... And as mentioned, includes SSG!: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6-... Testing and bugfixes most welcome. URL for RHEL 6.6 beta download: https://access.redhat.com/downloads/content/69/ver=/rhel---6/6.6%20Beta/x...

9 years, 8 months

2
1
0 / 0

[PATCH] SSH + CAC Card Guidance

by Shawn Wells

Include SSH+CAC doc reference Shawn Wells (1): Updated Smart Card XCCDF to reflect SSH+CAC docs RHEL/6/input/system/accounts/physical.xml | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-)

9 years, 8 months

3
5
0 / 0

[PATCH 0/3][bugfix] - sshd OVAL false positives

by Gabe Alford

These patches fix some OVAL false positives for SSH configuration checks that were showing that they had passed even when they were not configured in sshd_config. Thanks, Gabe Gabe (3): [bugfix] - disable_host_auth OVAL false positive [bugfix] - sshd_disable_rhosts OVAL false positive [bugfix] - sshd_disable_root_login OVAL false positive shared/oval/disable_host_auth.xml | 4 ++-- shared/oval/sshd_disable_rhosts.xml | 4 ++-- shared/oval/sshd_disable_root_login.xml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) -- 2.0.0

9 years, 8 months

2
16
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide August 2014