Gov profiles gone from EL derivatives?
by Chuck Atkins
I just noticed that all the EL derivatives in the current SSG no longer get
any of the government security profiles, only pci-dss and standard. What
happened to all of the other profiles available for RHEL7?
- Chuck
5 years, 3 months
SCAP Security Guide 0.1.42
by Watson Sato
Hello everybody,
We have the pleasure to announce release of SCAP Security Guide 0.1.42.
Although it is named SCAP Security Guide, the project is now under
ComplianceAsCode organization (https://github.com/ComplianceAsCode/content).
For more on this move, see
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
This release is mostly about improvements in content,
including lots of new rules, checks and remediations added and bugfixes to
them.
This release features significant updates in content for:
- Oracle Linux 7, OpenStack Platform 13
- OpenShift Container Platform 3
- Red Hat Enterprise Linux 8.
*Highlights of this release*
- Addition of RHEL8 product
- Content for OSP7 has been updated for OSP13
- Content for OCP3 has been updated
- New content is enabled for OL7
- Addition of rules that cover configuration of system-wide crypto policy
- Addition of Fedora 29 in place of Fedora 27
- Update of TestSuite to work with python3.7
- Introduction of platform dependent test scenarios
For a more detailed overview of changes (bug fixes, enhancements)
implemented in this release, please have a look at the more detailed changelog:
https://github.com/ComplianceAsCode/content/releases/tag/v0.1.42
Full changelog at:
* https://github.com/ComplianceAsCode/content/issues?q=milestone%3A0.1.42
Zip archives with pre-built benchmarks in DataStream form:
*
https://github.com/ComplianceAsCode/content/releases/download/v0.1.42/sca...
(Zip archive using OVAL-5.11.1 language version)
*
https://github.com/ComplianceAsCode/content/releases/download/v0.1.42/sca...
(Zip archive using OVAL-5.10 language version only)
Thank you to everyone who contributed with issues, patches and discussion!
Happy hardening!
--
Watson Sato
Security Technologies | Red Hat, Inc
5 years, 4 months
Cron, at, and sudo rules pointless? (and some other goodies)
by Trevor Vaughan
Hi All,
In my never ending quest to find new and annoying ways to do everything, I
figured that I'd throw out the new list of fun.
1. Using pkexec makes sudo relatively pointless. Sure, it logs things, but
we now effectively have two sudo subsystems and one can't really have the
rules audited per my last discussion with Steve because JavaScript as a
configuration language is amazing. Not sure what to do about this one but
people should really be watching for it and I don't see any mention of it
in the rules anywhere.
2. Systemd timers can be run in user mode and effectively make all the
restrictions around cron and at pointless from what I can tell. So far, I
can't figure out how to disable user space timers or 'systemctl --user'
calls without completely removing 'pam_systemd' from the stack. No idea
what this would break but it's probably the only solution right now (or
maybe having a group-based jump stack in PAM).
3. There should probably be some sort of check to make sure that
'enable-linger' has not been set for users.
In summary, the SSG simply does not cover any of the new EL7+ capabilities
very well, particularly those that replace traditional services that are
already expected to be controlled. As systemd becomes more of an operating
system and less of a service manager, this will only get worse.
Thanks,
Trevor
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
5 years, 4 months
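As an added example (not code from the list or from the SSG project), the following POSIX shell audit covers the gaps the post describes: it lists users with lingering enabled (logind records each as a file in /var/lib/systemd/linger/), timer units in user-scope unit directories (/etc/systemd/user and each user's ~/.config/systemd/user), and locally installed polkit JavaScript rules under /etc/polkit-1/rules.d. Each function takes an optional root prefix so the checks can be run against a fixture tree; searching /home and /root for per-user unit directories is an assumption about where home directories live.

```shell
#!/bin/sh
# Added audit script, not part of the SSG content: looks for the three gaps
# described in the post (polkit rules beside sudo, user-scope systemd timers
# beside cron/at, and lingering user managers).
# Every function takes an optional root prefix so it can be run against a
# fixture tree instead of "/". Searching /home and /root for per-user unit
# directories is an assumption about where home directories live.

# Users with "loginctl enable-linger" set: logind records each one as an
# empty file named after the user in /var/lib/systemd/linger/.
lingering_users() {
    dir="${1:-}/var/lib/systemd/linger"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        basename "$f"
    done
    return 0
}

# Timer units in user-scope unit directories. /etc/systemd/user applies to
# every user's manager; ~/.config/systemd/user is per user, and with
# lingering enabled these keep firing with nobody logged in.
user_timers() {
    root="${1:-}"
    for d in "$root/etc/systemd/user" "$root/home" "$root/root"; do
        [ -d "$d" ] || continue
        find "$d" -path '*/systemd/user/*.timer' -type f 2>/dev/null || true
    done
    return 0
}

# Locally installed polkit rules (JavaScript), which authorize pkexec
# actions outside the sudoers audit trail. Listed for review rather than
# counted as a finding, since distributions ship a default rules file here.
polkit_rules() {
    dir="${1:-}/etc/polkit-1/rules.d"
    [ -d "$dir" ] || return 0
    find "$dir" -name '*.rules' -type f 2>/dev/null || true
    return 0
}

# Print everything found; return 1 if any lingering user or user timer
# exists, 0 otherwise.
audit_tree() {
    root="${1:-}"
    status=0
    out=$(lingering_users "$root")
    if [ -n "$out" ]; then
        printf 'Lingering users (clear with loginctl disable-linger):\n%s\n' "$out"
        status=1
    fi
    out=$(user_timers "$root")
    if [ -n "$out" ]; then
        printf 'User-scope timer units:\n%s\n' "$out"
        status=1
    fi
    out=$(polkit_rules "$root")
    if [ -n "$out" ]; then
        printf 'Local polkit rules to review:\n%s\n' "$out"
    fi
    return "$status"
}

# Scan the live system only when invoked directly with --run, so the
# functions can also be sourced or exercised against a fixture tree.
if [ "${1:-}" = "--run" ]; then
    audit_tree ""
    exit $?
fi
```

Run it as root with `sh audit.sh --run`; a non-zero exit means a lingering user or a user-scope timer was found. On a live host, `loginctl show-user USER -p Linger` reports the same state as the linger directory, and `systemctl --user list-timers` run as each user shows which of the listed timers are actually active.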
Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL
in January 2019?
by Trevor Vaughan
Heh, no offense taken. I just needed to turn the little lights green with a
.ckl file...and I did :-D
On Wed, Nov 28, 2018 at 11:37 AM Brent Kimberley <Brent.Kimberley(a)durham.ca>
wrote:
> No disrespect intended. That’s exactly what I would do under the
> circumstances.
>
> *From:* Brent Kimberley
> *Sent:* Wednesday, November 28, 2018 11:36 AM
> *To:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> *Subject:* RE: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8
> is EOL in January 2019?
>
> That speaks volumes.
>
> http://www.crosstalkonline.org/back-issues/
>
> *From:* Trevor Vaughan [mailto:tvaughan@onyxpoint.com
> <tvaughan(a)onyxpoint.com>]
> *Sent:* Wednesday, November 28, 2018 11:31 AM
> *To:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> *Subject:* Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8
> is EOL in January 2019?
>
> Brent, that may be the funniest message I've ever read.
>
> There isn't one, I just reverse engineered it from the pseudo-XML that it
> outputs.
>
> On Wed, Nov 28, 2018 at 9:42 AM Brent Kimberley <Brent.Kimberley(a)durham.ca>
> wrote:
>
> Where can I find the controlled schema / ICD / metadata for the checklist
> file format?
>
> *From:* Trevor Vaughan [mailto:tvaughan@onyxpoint.com]
> *Sent:* Wednesday, November 28, 2018 9:02 AM
> *To:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> *Subject:* Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8
> is EOL in January 2019?
>
> Yep, this is the one.
>
> That said, if you dig through the archives of this mailing list, I figured
> out how to create the bare minimum .ckl file that you need for reporting, so
> that should give people a head start.
>
> On Wed, Nov 28, 2018 at 1:31 AM Matthew <simontek(a)gmail.com> wrote:
>
> The .ckl issue is the answer to why use. I know not everyone works for
> gov't entities, but they typically require it, with very few options for
> other products. Management likes graphs and charts.
>
> On Tue, Nov 27, 2018, 8:22 PM James Cassell <fedoraproject(a)cyberpear.com
> wrote:
> On Tue, Nov 27, 2018, at 6:21 PM, Shawn Wells wrote:
> >
> >
> > On 11/27/18 2:06 PM, James Ralston wrote:
> > > I apologize if this is a little off-topic for this list, but a
> > > question: what are others who use STIG Viewer planning to do once
> > > Oracle JDK 8 / JavaFX go EOL in January 2019?
> > >
> [...]
> > > Ideally, I'd like to find a Linux replacement for STIG
> > > Viewer—something that can read, annotate, and write STIG Viewer
> > > checklist (*.ckl) files. But although SCAP Workbench can load and
> > > check STIGs, unless I'm missing something, it has no support for STIG
> > > Viewer checklist files.
> >
> > Not being snide, should this come across wrongly.... genuine question:
> > Why use STIG Viewer in the first place?
> >
>
> The STIG Viewer produces *.ckl checklist files, which some auditors and
> many security departments want.
>
> V/r,
> James Cassell
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
> -- This account not approved for unencrypted proprietary information --
>
> THIS MESSAGE IS FOR THE USE OF THE INTENDED RECIPIENT(S) ONLY AND MAY
> CONTAIN INFORMATION THAT IS PRIVILEGED, PROPRIETARY, CONFIDENTIAL, AND/OR
> EXEMPT FROM DISCLOSURE UNDER ANY RELEVANT PRIVACY LEGISLATION. No rights to
> any privilege have been waived. If you are not the intended recipient, you
> are hereby notified that any review, re-transmission, dissemination,
> distribution, copying, conversion to hard copy, taking of action in
> reliance on or other use of this communication is strictly prohibited. If
> you are not the intended recipient and have received this message in error,
> please notify me by return e-mail and delete or destroy all copies of this
> message.
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
5 years, 4 months