scap-security-guide December 2019

scap-security-guide@lists.fedorahosted.org

12 participants
24 discussions

𝓛𝓘𝓥𝓔@ Hameenlinna vs JYP, <（LiVE@sTReaM）>Free™
by bavaza juhay 30 Dec '19

30 Dec '19

Watch Hameenlinna vs JYP, Sports TV channel [LIVE-FREE]** Hockey live 30/12/2019 Broadcast Today @FINLAND. Liiga Live tv Liiga Live Tv[LIVE-FREE]** Hameenlinna vs JYP live 30/12/2019 Broadcast Today Uk. Liiga Live tv Live Broadcast :: https://v.ht/4K-GREATSPORTS-LIVESTREAM-2019-UMO Hameenlinna vs JYP live streaming: Watch Liiga - If you want to watch Hameenlinna vs JYP online, these are the live streaming instructions. ... Watch Hameenlinna vs JYP online with DAZN Canada (utilise their free 7-day trial) or BT Sport (UK). ... There are three matches in the Liiga on Today. Hameenlinna vs JYP# <Live - Stream> @Free:registered: - Facebook Hameenlinna vs JYP# <Live - Stream> @Free:registered:. Public. · Hosted by Fans TV Sports. Interested. Invite. clock. Today, 30/12/2019 at 11:30 UTC+ ... Hockey live score, video stream ... Hockey live score (and video online live stream) ... Here on SofaScore livescore you can find all Liiga ... Hameenlinna vs JYP Live Stream - Jokerlivestream Watch Hameenlinna vs JYP Live Stream. Watch this game live and online for free. Liiga.

1 0

𝓛𝓘𝓥𝓔@ Assat vs Ilves, <（LiVE@sTReaM）>Free™
by bavaza juhay 30 Dec '19

30 Dec '19

Watch Assat vs Ilves, Sports TV channel [LIVE-FREE]** Hockey live 30/12/2019 Broadcast Today @FINLAND. Liiga Live tv Liiga Live Tv[LIVE-FREE]** Assat vs Ilves live 30/12/2019 Broadcast Today Uk. Liiga Live tv Live Broadcast :: https://v.ht/4K-GREATSPORTS-LIVESTREAM-2019-EEm Assat vs Ilves live streaming: Watch Liiga - If you want to watch Assat vs Ilves online, these are the live streaming instructions. ... Watch Assat vs Ilves online with DAZN Canada (utilise their free 7-day trial) or BT Sport (UK). ... There are three matches in the Liiga on Today. Assat vs Ilves# <Live - Stream> @Free:registered: - Facebook Assat vs Ilves# <Live - Stream> @Free:registered:. Public. · Hosted by Fans TV Sports. Interested. Invite. clock. Today, 30/12/2019 at 11:30 UTC+ ... Hockey live score, video stream ... Hockey live score (and video online live stream) ... Here on SofaScore livescore you can find all Liiga ... Assat vs Ilves Live Stream - Jokerlivestream Watch Assat vs Ilves Live Stream. Watch this game live and online for free. Liiga.

1 0

JHGFJHGJHGJHGJHGJHGJHGJ
by bavaza juhay 30 Dec '19

30 Dec '19

HVHJGHGFHGFHFHG

1 0

HFHFGHFGHFHGFGHFGH
by bavaza juhay 30 Dec '19

30 Dec '19

HGFGHFHGFHGFGHFGHFGHFGHFGHFGH

1 0

General questions related to RHEL 7 STIG Update - RHEL-07-030840 - Rule Update (#3468)
by Salowitz, Mark A CTR 23 Dec '19

23 Dec '19

Good afternoon, Before I start getting too far down the road with creating the rule for this, I had some basic process questions about the contents of references and identifiers in the rule.yml. Basically, I don't know where to obtain about 60% of the documents referenced in other similar rules. Inside, for example, linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml there are references to cui, cis, hipaa, and so on... - Do I need to establish those as part of the rule writing, and if so, is there a handy place to obtain that information? - if the answer is no, should I leave stubs entries for the other guidance documents ( eg "hipaa: " ) and just focus on populating the DISA information - How do I find out if a CCE has been assigned for the rule and add it to identifiers - I'm unfamiliar with the offerings outside the EL(5-8) products, how do I (or do I) determine product applicability for prodtype I'd like to do as much right as I can out the gate, so thanks in advance for any and all advice, Mark Salowitz, CTR Principal Architect, PaaS Engineering Ace Info Solutions, a Dovel company ITIL® V3 Foundation Certified CompTIA Security+ CE USCG Operations Systems Center email: <mailto:Mark.A.Salowitz@uscg.mil> phone: (304) 433-3200

2 1

New Blog Post on ComplianceAsCode blog
by Gabriel Gaspar Becker 20 Dec '19

20 Dec '19

Dear community, A new blog post has arrived and you might be interested in checking it out: Content Navigator - A Visual Studio Code Extension to Help Users to create Security Content <https://ComplianceAsCode.github.io/template/2019/12/19/content-navigator-a-…> Happy Holidays. _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedo…

1 0

what referencing a control/requirement means
by Marek Haicman 18 Dec '19

18 Dec '19

Hello, I have stumbled upon a case where I am not sure, if some rule should have a reference or not. Can you help me with your view on this situation? I will use the case as an example (RHEL8 content) :) Reference: The operating system must uniquely identify peripherals before establishing a connection. <http://securityrules.info/about/xovos-tufes-rumeb-decex/SV-71029r1_rule> Now we have five rules in two groups * install USBGuard package and * enforce USBGuard service to be enabled These two rules satisfy, in my opinion, the requirement (at least for the USB peripherals) -> USBGuard is "drop by default", so anything acceptable has to be allowed explicitly. * allow Class 03 (HID) USB devices * allow Class 08 (HUB) USB devices * allow any combination of HID and HUB USB devices These rules are not increasing the security of the system - they soften the hardening. So they go against the requirement to some extent. But without these, machines would not be usable for general audience, so as a compromise, we do want to have them available to the users. And now the question - should the reference be part of all the rules? Or just the ones that really increases the security of the system? What's your interpretation of the reference, if you are reading it in the guide? Thanks! Marek

3 4

Re: Bash remediations failing due to missing functions
by Marek Haicman 16 Dec '19

16 Dec '19

Ok. For about a week, ComplianceAsCode project had a bug that made this an issue :) You might have cloned the repo at that time? This PR from Monday last week fixes it, so try to rebase your work and try again: https://github.com/ComplianceAsCode/content/pull/5061 It's probably that, because on the released packages in RHEL7, I cannot reproduce what you observe: [dahaic@psyduck bla]$ rpm -qa openscap scap-security-guide openscap-1.2.17-4.el7.x86_64 scap-security-guide-0.1.43-13.el7.noarch [dahaic@psyduck bla]$ oscap xccdf generate fix --fix-type bash --profile ospp --fetch-remote-resources --output remediation.sh /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml [dahaic@psyduck bla]$ grep populate remediation.sh Regards, Marek On Mon, Dec 16, 2019 at 3:02 PM Kuko Armas <kuko(a)canarytek.com> wrote: > > Hello Miguel, > remediations, as they are stored in the DataStream are prepared to be used > within the environment provided by the `oscap` utility. (I.e. so > `--remediate` works). So no, it's not supposed to be self contained in that > particular form. > > What you are looking for is probably `oscap xccdf generate fix`. That one > will process the snippets and produces self-contained bash script. > > So no issue - works as intended. ;) > > > I also tried that, and at least in my box it's not working. It's one of > the things I tried when I said "I have been playing with remediation > code"... > > I generate the fix code with (ens is a profile I'm creating, but also > fails with other profiles) > oscap xccdf generate fix --fix-type bash --profile ens > --fetch-remote-resources --output remediation.sh ssg-centos7-ds.xml > > This creates the remediation,sh, but it does not eem to contain the > remediation functions defined in group > xccdf_org.ssgproject.content_group_remediation_functions > > If I search for one of the functions that fail (populate), I see it > "tries" to use the function, but it's not defined in the generated > remedaite script: > > [root@test ~]# grep populate remediation.sh > populate login_banner_text > populate var_accounts_max_concurrent_login_sessions > populate var_accounts_user_umask > populate var_auditd_action_mail_acct > populate var_auditd_admin_space_left_action > populate var_auditd_max_log_file > populate var_auditd_max_log_file_action > populate var_auditd_num_logs > populate var_auditd_space_left_action > populate sysctl_net_ipv4_conf_all_accept_redirects_value > populate sysctl_net_ipv4_conf_all_accept_source_route_value > populate sysctl_net_ipv4_conf_all_log_martians_value > populate sysctl_net_ipv4_conf_all_rp_filter_value > populate sysctl_net_ipv4_conf_all_secure_redirects_value > populate sysctl_net_ipv4_conf_default_accept_redirects_value > populate sysctl_net_ipv4_conf_default_accept_source_route_value > populate sysctl_net_ipv4_conf_default_log_martians_value > populate sysctl_net_ipv4_conf_default_rp_filter_value > populate sysctl_net_ipv4_conf_default_secure_redirects_value > populate sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value > populate sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value > populate sysctl_net_ipv4_tcp_syncookies_value > populate var_auditadm_exec_content > > And of course if I run it, I get errors for each invocation of that > function (and any other that is supposed to be defined) > > root@test ~]# sh remediation.sh > Remediating rule 1/105: > 'xccdf_org.ssgproject.content_rule_banner_etc_issue' > remediation.sh: line 34: populate: command not found > Remediating rule 2/105: > 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions' > remediation.sh: line 52: populate: command not found > Remediating rule 3/105: > 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs' > remediation.sh: line 68: populate: command not found > remediation.sh: line 70: replace_or_append: command not found > Remediating rule 4/105: > 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' > FIX FOR THIS RULE > 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' IS > MISSING! > Remediating rule 5/105: > 'xccdf_org.ssgproject.content_rule_audit_rules_immutable' > Remediating rule 6/105: > 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification' > remediation.sh: line 115: fix_audit_watch_rule: command not found > > Until, I understand why it fails, I'm also trying the ansible remediation, > which seems to be working better, but I won't be able to use ansible in all > my clients. And anyway, I would like to learm how bash remediation code > works (or should work), and help if I can 😉 > > Salu2! > -- > Miguel Armas > CanaryTek Consultoria y Sistemas SL > http://www.canarytek.com/ > > ------------------------------ > *De:* Marek Haicman <mhaicman(a)redhat.com> > *Enviado:* lunes, 16 de diciembre de 2019 12:15 > *Para:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org> > *Asunto:* Re: Bash remediations failing due to missing functions > > Hello Miguel, > remediations, as they are stored in the DataStream are prepared to be used > within the environment provided by the `oscap` utility. (I.e. so > `--remediate` works). So no, it's not supposed to be self contained in that > particular form. > > What you are looking for is probably `oscap xccdf generate fix`. That one > will process the snippets and produces self-contained bash script. > > So no issue - works as intended. ;) > > Regards, > Marek > > On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <kuko(a)canarytek.com> wrote: > > > I've been playing with remediation code, and I've seen that remediation > code for many checks fails due to undefined functions as "populate" (to > populate defined variables) and "fix_audit_syscall_rule" (for audit checks) > > I've seen that both functions (and many more) are defined inside the > datasource, in group > xccdf_org.ssgproject.content_group_remediation_functions > > Since I'm a complete newbie in openSCAP, I'm not sure how it should work: > > > - Is remediation code supposed to be selt-contained in the data > source? Or does it depend on the host having the security-guide package > installed ir order to have that functions code? > - If it's self contained, how and where are the functions code file > extracted and read by remediation code? > - If it's extracted, is there an option to keep the temp files > around to take a look? > - Maybe I need a more recent openscap version? (I'm using > 1.2.17-4.el7 in centos7) > - Should I file an issue on ComplianceAsCode GitHub repo? or am I > doing something wrong? > > > Thanks a lot! > -- > Miguel Armas > CanaryTek Consultoria y Sistemas SL > http://www.canarytek.com/ > > _______________________________________________ > scap-security-guide mailing list -- > scap-security-guide(a)lists.fedorahosted.org > To unsubscribe send an email to > scap-security-guide-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedo… > >

2 1

Re: Bash remediations failing due to missing functions
by Marek Haicman 16 Dec '19

16 Dec '19

Hello Miguel, remediations, as they are stored in the DataStream are prepared to be used within the environment provided by the `oscap` utility. (I.e. so `--remediate` works). So no, it's not supposed to be self contained in that particular form. What you are looking for is probably `oscap xccdf generate fix`. That one will process the snippets and produces self-contained bash script. So no issue - works as intended. ;) Regards, Marek On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <kuko(a)canarytek.com> wrote: > > I've been playing with remediation code, and I've seen that remediation > code for many checks fails due to undefined functions as "populate" (to > populate defined variables) and "fix_audit_syscall_rule" (for audit checks) > > I've seen that both functions (and many more) are defined inside the > datasource, in group > xccdf_org.ssgproject.content_group_remediation_functions > > Since I'm a complete newbie in openSCAP, I'm not sure how it should work: > > > - Is remediation code supposed to be selt-contained in the data > source? Or does it depend on the host having the security-guide package > installed ir order to have that functions code? > - If it's self contained, how and where are the functions code file > extracted and read by remediation code? > - If it's extracted, is there an option to keep the temp files > around to take a look? > - Maybe I need a more recent openscap version? (I'm using > 1.2.17-4.el7 in centos7) > - Should I file an issue on ComplianceAsCode GitHub repo? or am I > doing something wrong? > > > Thanks a lot! > -- > Miguel Armas > CanaryTek Consultoria y Sistemas SL > http://www.canarytek.com/ > > _______________________________________________ > scap-security-guide mailing list -- > scap-security-guide(a)lists.fedorahosted.org > To unsubscribe send an email to > scap-security-guide-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedo… >

2 1

Re: [EXTERNAL] Bash remediations failing due to missing functions
by Todd, Charles 16 Dec '19

16 Dec '19

Kuko, I don’t have answers, but thought you would like to know that your question was extremely professional, asked specific questions, and demonstrated that you’ve given this some real effort so far. Thanks for a great question. I’ve learned something from both question and answer today. Charlie Todd Ball Aerospace On Dec 16, 2019, at 5:44 AM, Kuko Armas <kuko(a)canarytek.com> wrote: I've been playing with remediation code, and I've seen that remediation code for many checks fails due to undefined functions as "populate" (to populate defined variables) and "fix_audit_syscall_rule" (for audit checks) I've seen that both functions (and many more) are defined inside the datasource, in group xccdf_org.ssgproject.content_group_remediation_functions Since I'm a complete newbie in openSCAP, I'm not sure how it should work: * Is remediation code supposed to be selt-contained in the data source? Or does it depend on the host having the security-guide package installed ir order to have that functions code? * If it's self contained, how and where are the functions code file extracted and read by remediation code? * If it's extracted, is there an option to keep the temp files around to take a look? * Maybe I need a more recent openscap version? (I'm using 1.2.17-4.el7 in centos7) * Should I file an issue on ComplianceAsCode GitHub repo? or am I doing something wrong? Thanks a lot! -- Miguel Armas CanaryTek Consultoria y Sistemas SL http://www.canarytek.com/<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.canarytek.com_&d=Dw…> _______________________________________________ scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org… List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki… List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org… This message and any enclosures are intended only for the addressee. Please notify the sender by email if you are not the intended recipient. If you are not the intended recipient, you may not use, copy, disclose, or distribute this message or its contents or enclosures to any other person and any such actions may be unlawful. Ball reserves the right to monitor and review all messages and enclosures sent to or from this email address.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide December 2019