[PATCH 0/1] (Resubmit) add oval for aide cron job
by Gabe Alford
Add oval for aide to check that it is running in a cron job.
This is a resubmit.
Thanks,
Gabe Alford
Gabe (1):
add aide cron oval check
.../6/input/checks/aide_periodic_cron_checking.xml | 39 ++++++++++++++++++++++
.../fixes/bash/aide_periodic_cron_checking.sh | 1 +
RHEL/6/input/system/software/integrity.xml | 1 +
3 files changed, 41 insertions(+)
create mode 100644 RHEL/6/input/checks/aide_periodic_cron_checking.xml
create mode 100644 RHEL/6/input/fixes/bash/aide_periodic_cron_checking.sh
--
2.0.0
9 years, 8 months
[PATCH] resubmit -- adding CAC links
by Shawn Wells
Shawn Wells (1):
resubmit - Updated Smart Card XCCDF to reflect SSH+CAC docs
RHEL/6/input/system/accounts/physical.xml | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
9 years, 8 months
system auth password hashing algorithm can also be required right?
by Jeremiah Jahn
not just sufficient?
diff --git a/shared/oval/set_password_hashing_algorithm_systemauth.xml
b/shared/oval/set_password_hashing_algorithm_systemauth.xml
index 8a5525e..2d71e8b 100644
--- a/shared/oval/set_password_hashing_algorithm_systemauth.xml
+++ b/shared/oval/set_password_hashing_algorithm_systemauth.xml
@@ -20,7 +20,7 @@
<ind:textfilecontent54_object comment="check /etc/pam.d/system-auth
for correct settings" id="object_pam_unix_sha512" version="1">
<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
- <ind:pattern operation="pattern
match">^[\s]*password[\s]+sufficient[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
+ <ind:pattern operation="pattern
match">^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
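Review bot: the nested groups in the new pattern are redundant; `(?:required|sufficient)` is the same alternation and easier to read. Since the object's stated purpose is to "check /etc/pam.d/system-auth for correct settings", it is also worth deciding in this change whether `requisite`, the other control flag under which pam_unix's `sha512` argument is still enforced, should be accepted, because a line using it would fail this check as written.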
9 years, 8 months
my kernels all live in /boot/vmlinuz by default
by Jeremiah Jahn
diff --git a/RHEL/6/input/checks/bootloader_audit_argument.xml
b/RHEL/6/input/checks/bootloader_audit_argument.xml
index e22bb17..fdbca28 100644
--- a/RHEL/6/input/checks/bootloader_audit_argument.xml
+++ b/RHEL/6/input/checks/bootloader_audit_argument.xml
@@ -17,7 +17,7 @@
<ind:textfilecontent54_object id="object_bootloader_audit_argument"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>grub.conf</ind:filename>
- <ind:pattern operation="pattern
match">^\s*kernel\s/vmlinuz.*audit=1.*$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*kernel\s(/boot){0,1}/vmlinuz.*audit=1.*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
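Review bot: `(/boot){0,1}` can be written `(?:/boot)?`; the capturing group is never referenced. On the same line, `kernel\s` allows exactly one whitespace character before the path, so an entry with two spaces or a tab plus a space after `kernel` would not match; `kernel\s+` is the safer form. Separately, because the pattern itself requires `audit=1` and `<ind:instance datatype="int">1</ind:instance>` selects the first matching line, the object finds the first kernel line that already has `audit=1` and never examines a second boot entry that lacks it; matching kernel lines generally and putting the `audit=1` requirement in the state would cover every entry.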
9 years, 8 months
[PATCH v#2] [RHEL/6] Include SSG logo into generated HTML guide if underlying oscap version on the system supports <svg> element to be present within <front-matter> element of the <xccdf:benchmark>
by Jan Lieskovsky
Hello folks,
based on the feedback (not good to hardcode arbitrary versions / dependencies in
transform scripts) from:
[1] https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-July/00...
attached below is version #2 of the patch, which should ensure inclusion of the SSG
logo into the HTML guide as generated from RHEL-6 content. The logo will be included only in
case the underlying oscap package version supports the presence of an <svg> XHTML element
within the <front-matter> element of the <xccdf:benchmark>.
The difference from the first version is that instead of hardcoding / requiring a
certain (1.0.9) version of the openscap RPM package to be present on the system, in this
version, before generating the guide, we first check (via a simplified benchmark) if <svg>
presence is supported, and in case it is, we include the logo. In case it isn't (the HTML
guide from the simplified benchmark doesn't contain the corresponding form of <svg> content), we
leave <front-matter> intact (as is).
Testing report:
---------------
The proposed change has been tested on both:
* openscap versions supporting <svg> elements (X >= 1.0.9), and
* openscap versions not supporting <svg> inclusion yet
and works properly in both cases.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
9 years, 8 months
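Jan's patch itself is referred to as attached and is not reproduced here. The following is an added example, not his code, that mirrors the approach he describes: write a minimal XCCDF benchmark with an `<svg>` inside `<front-matter>`, have the installed oscap render an HTML guide from it, and decide from the output whether `<svg>` survives. The benchmark skeleton, the marker id `ssg-svg-probe`, the helper names and the exact `oscap xccdf generate guide` command line are assumptions of this example.

```python
"""
Probe whether the installed oscap keeps an <svg> placed in the XCCDF
<front-matter> when it generates an HTML guide. Added example; the benchmark
skeleton, marker id and oscap invocation are assumptions, not SSG code.
"""
import os
import re
import shutil
import subprocess
import tempfile

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
SVG_NS = "http://www.w3.org/2000/svg"
MARKER_ID = "ssg-svg-probe"  # hypothetical id used to recognise our own <svg> in the output


def build_probe_benchmark() -> str:
    """A minimal (assumed) XCCDF 1.1 benchmark whose front-matter carries one <svg>."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="svg-probe" resolved="1">
  <status date="2014-07-01">draft</status>
  <title>svg probe</title>
  <front-matter>
    <svg xmlns="{SVG_NS}" id="{MARKER_ID}" width="1" height="1"></svg>
  </front-matter>
  <version>1</version>
  <Group id="probe-group"><title>probe</title></Group>
</Benchmark>
"""


def guide_contains_svg(html: str) -> bool:
    """True when an <svg> element carrying MARKER_ID is present in the generated guide HTML."""
    # Tolerate a namespace prefix on the element and either quote style on the attribute.
    pattern = r'<(?:\w+:)?svg\b[^>]*\bid=["\']%s["\']' % re.escape(MARKER_ID)
    return re.search(pattern, html) is not None


def oscap_supports_front_matter_svg(oscap: str = "oscap"):
    """
    Run the probe against the installed oscap.
    Returns True/False for supported/not supported, or None when oscap is not on PATH.
    """
    if shutil.which(oscap) is None:
        return None
    with tempfile.TemporaryDirectory() as workdir:
        benchmark = os.path.join(workdir, "probe-xccdf.xml")
        guide = os.path.join(workdir, "probe-guide.html")
        with open(benchmark, "w", encoding="utf-8") as fh:
            fh.write(build_probe_benchmark())
        # 'oscap xccdf generate guide --output FILE XCCDF' is the usual guide generator call.
        result = subprocess.run(
            [oscap, "xccdf", "generate", "guide", "--output", guide, benchmark],
            capture_output=True, text=True,
        )
        if result.returncode != 0 or not os.path.exists(guide):
            # oscap rejected the benchmark or produced nothing: treat as unsupported
            return False
        with open(guide, encoding="utf-8") as fh:
            return guide_contains_svg(fh.read())


if __name__ == "__main__":
    verdict = oscap_supports_front_matter_svg()
    print({None: "oscap not found", True: "svg supported", False: "svg not supported"}[verdict])
```

A build script would run the probe once before transforming the real benchmark and only splice the logo into `<front-matter>` when it returns True, which is the version-independent check Jan's text asks for.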
accounts_root_path_dirs_no_write not working correctly?
by Jeremiah Jahn
The split result in this class doesn't seem to be treated as separate
paths in the var_ref of the path element. I can't quite wrap my head
around how to fix this. Is there any info I can send to the list to
help resolve this?
thanks,
-jj-
9 years, 8 months
isn't /dev/null also a valid nologin option for system accounts
by Jeremiah Jahn
There seems to be some debate on this, but I think /dev/null should be
a valid setting for system accounts.
diff --git a/shared/oval/no_shelllogin_for_systemaccounts.xml
b/shared/oval/no_shelllogin_for_systemaccounts.xml
index d38e4bb..aeda9d5 100644
--- a/shared/oval/no_shelllogin_for_systemaccounts.xml
+++ b/shared/oval/no_shelllogin_for_systemaccounts.xml
@@ -18,7 +18,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object
id="object_no_shelllogin_for_systemaccounts" version="1">
<ind:filepath>/etc/passwd</ind:filepath>
- <ind:pattern operation="pattern
match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>
+ <ind:pattern operation="pattern
match">^(?!root).*:x:[\d]*:0*([0-9]{1,2}|[1-4][0-9]{2}):[^:]*:[^:]*:(?!\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/dev\/null).*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
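Review bot: the new `\/dev\/null` alternative, like the existing ones in the negative lookahead, is anchored only at the start of the shell field, so a shell that merely begins with one of these strings (for example `/sbin/nologin2`) is also treated as acceptable; terminating each alternative with `$` (e.g. `\/dev\/null$`) closes that gap. If `/dev/null` is to be accepted by the check, the rule's description and remediation should list it next to `/sbin/nologin` so the guidance and the OVAL agree.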
9 years, 8 months
fix for including /home in /home dir permissions
by Jeremiah Jahn
the actual /home dir should be world readable I think, therefore it
should be included in the permission checks.
diff --git a/RHEL/6/input/checks/file_permissions_home_dirs.xml
b/RHEL/6/input/checks/file_permissions_home_dirs.xml
index e0d671f..e9757a8 100644
--- a/RHEL/6/input/checks/file_permissions_home_dirs.xml
+++ b/RHEL/6/input/checks/file_permissions_home_dirs.xml
@@ -16,8 +16,8 @@
<unix:state state_ref="state_home_dirs_wrong_perm" />
</unix:file_test>
<unix:file_object comment="home directories"
id="object_file_permissions_home_dirs" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down"
max_depth="1" recurse_file_system="all" />
- <unix:path operation="equals">/home</unix:path>
+ <unix:behaviors recurse="directories" recurse_direction="down"
max_depth="0" recurse_file_system="all" />
+ <unix:path operation="pattern match">^/home/[^/]*$</unix:path>
<unix:filename xsi:nil="true" />
<filter action="include">state_home_dirs_wrong_perm</filter>
</unix:file_object>
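Review bot: the new path pattern `^/home/[^/]*$` requires the trailing slash and so does not match `/home` itself, which is the directory the message says should be included; `^/home(/[^/]*)?$` covers both the parent and its immediate children. With `max_depth="0"` and a pattern-matched path, the `<unix:behaviors>` recurse settings no longer drive the enumeration (the pattern does), so they could be dropped or the comment "home directories" updated to say which directories are intended. Also `[^/]*` allows an empty name (`/home/`); `[^/]+` is tighter.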
9 years, 8 months
[PATCH] [bugfix] Updating verify-references.py
by David Smith
Discovered during a RHT presentation this morning that there was still a reference to 800-53 rev3 in the content. Rechecked after modifying the verify-references.py file:
[dave@localhost 6]$ ls output/
bash-remediations.xml ssg.ini ssg-rhel6-ocil.xml unlinked-notest-rhel6-xccdf-guide.xml unlinked-rhel6-xccdf.xml
images ssg-ocilrefs-rhel6-xccdf.xml ssg-rhel6-oval.xml unlinked-ocilrefs-rhel6-xccdf.xml unlinked-unresolved-rhel6-xccdf.xml
rhel6-guide-custom.html ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf-1.2.xml unlinked-rhel6-ocil.xml
rhel6-guide.html ssg-rhel6-cpe-oval.xml ssg-rhel6-xccdf-nodangles.xml unlinked-rhel6-oval.xml
rhel6-shorthand.xml ssg-rhel6-ds.xml ssg-rhel6-xccdf.xml unlinked-rhel6-xccdf-guide.xml
[dave@localhost 6]$ grep -ri rev3 output/
[dave@localhost 6]$
David Smith (1):
[bugfix] Modified verify-references.py to reflect 800-53 rev4
RHEL/6/utils/verify-references.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
9 years, 8 months