From shawn@redhat.com Thu Aug 20 11:35:12 2015
From: Shawn Wells
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: Current false positive list
Date: Mon, 16 Sep 2013 00:03:47 -0400
Message-ID: <52368323.6070109@redhat.com>

On 9/12/13 2:51 PM, leam hall wrote:
> Using the oscap from openscap 0.9.3-1 and the ssg content fresh from
> the repo (0.1-12) I ran:
>
> oscap xccdf eval --profile stig-rhel6-server --results
> `hostname`-ssg-results.xml --report `hostname`-ssg-results.html --cpe
> /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
>
> on my server. The output gave me stuff to work on and what seems to be
> a list of false positives. I have not found these items in the STIG.
> Could someone point me to them, or can we remove them from the scan if
> they are not present?
>
> I'm looking at the git repo but having issues with builds. So some of
> these might already be fixed.
>
> Thanks!
>
> Leam
>
> #####
>
> Configure auditd admin_space_left Action on Low Disk Space
> Disable IPv6 Networking Support Automatic Loading
> Disable Kernel Parameter for Accepting ICMP Redirects By Default
> Disable Kernel Parameter for Accepting Secure Redirects By Default
> Disable Kernel Parameter for Accepting Secure Redirects for All Interfaces
> Disable Kernel Parameter for Sending ICMP Redirects by Default
> Disable Modprobe Loading of USB Storage Driver
> Ensure All Files Are Owned by a Group
> Ensure All Files Are Owned by a User
> Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)
> Ensure SELinux State is Enforcing
> Implement Blank Screen Saver
> Record Events that Modify User/Group Information
> Set SSH Client Alive Count

DISA FSO wanted to retitle some of the rules, e.g. "Ensure All Files Are Owned by a Group" they wanted to be the declarative "All Files Must be Owned by a Group".

Within the content, we map back to the raw DISA CCI requirements through the tags. To pull them out:

1) Find what XCCDF file/rule things map back to, e.g.:

> [shawn(a)SSG-RHEL6 input]$ pwd
> /var/www/html/scap-security-guide/RHEL6/input
> [shawn(a)SSG-RHEL6 input]$ grep -rin "Ensure SELinux State is Enforcing" *
> system/selinux.xml:107:Ensure SELinux State is Enforcing

2) Open the file, find the tag, to identify the DISA CCI:

>
> .......
>
>

So, in this case, "Ensure SELinux State is Enforcing" maps to DISA CCIs 22, 32, and 26.
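The two-step lookup in the reply (grep the `input` tree for a rule title, then read the rule's reference tag to get its DISA CCIs) can be scripted so that every rule in Leam's list is checked at once, and so that rules with no CCI mapping at all surface directly. The script below is an added example, not code from the thread or from the SCAP Security Guide project. It assumes the rule layout the reply describes: a `<Rule>` element with a `<title>` child and a `<ref>` child whose `disa` attribute carries a comma-separated list of CCI numbers; that attribute name is an assumption, since the tag itself was stripped from the archived message. The XML in `SAMPLE_FILES` is constructed for the example; only the `selinux_state` title and its CCIs 22, 32 and 26 come from the post.

```python
"""Map SSG rule titles back to DISA CCI references in the RHEL6 "input" XML.

Added example (not from the mailing-list post or the SCAP Security Guide
project). Assumed layout: <Rule> with a <title> and a <ref disa="..."/>
listing the CCI numbers. Everything below except the selinux_state title
and its CCIs (22,32,26) is constructed for the example.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed samples standing in for files under RHEL6/input (assumption:
# the real files carry more elements; only <title> and <ref> matter here).
SAMPLE_FILES: Dict[str, str] = {
    "system/selinux.xml": """<Group id="selinux">
  <title>SELinux</title>
  <Rule id="selinux_state" severity="high">
    <title>Ensure SELinux State is Enforcing</title>
    <description>The SELinux state should be enforcing.</description>
    <ref disa="22,32,26" />
  </Rule>
</Group>""",
    "system/example.xml": """<Group id="example">
  <Rule id="example_rule_no_cci">
    <title>Example Rule With No STIG Mapping</title>
    <description>Constructed rule that carries no DISA reference.</description>
    <ref nist="EXAMPLE-1" />
  </Rule>
  <Rule id="example_rule_with_cci">
    <title>Example Rule With A Mapping</title>
    <ref disa="999" />
  </Rule>
</Group>""",
}  # "999" and "EXAMPLE-1" are constructed placeholders, not real CCI/NIST ids


def parse_rules(xml_text: str) -> List[dict]:
    """Return one dict per <Rule>: id, title and the list of DISA CCIs.

    A missing <ref>, or a <ref> without a 'disa' attribute, yields an empty
    list: that is the signal that the rule has no STIG (CCI) mapping."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.iter("Rule"):
        title_el = rule.find("title")
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        ccis: List[str] = []
        for ref in rule.findall("ref"):
            disa = ref.get("disa", "")
            ccis.extend(c.strip() for c in disa.split(",") if c.strip())
        rules.append({"id": rule.get("id", ""), "title": title, "disa": ccis})
    return rules


def find_rule(files: Dict[str, str], title: str) -> List[dict]:
    """Steps 1 and 2 of the reply in one call: locate every rule whose <title>
    matches (case-insensitively) and report its file, id and CCIs."""
    hits = []
    for path, text in files.items():
        for rule in parse_rules(text):
            if rule["title"].lower() == title.lower():
                hits.append({"file": path, **rule})
    return hits


def rules_without_cci(files: Dict[str, str]) -> List[str]:
    """Titles of rules that carry no DISA CCI, i.e. candidates for the
    'not in the STIG' question raised in the thread."""
    return [r["title"]
            for text in files.values()
            for r in parse_rules(text)
            if not r["disa"]]


def load_input_dir(input_dir: str) -> Dict[str, str]:
    """Read every .xml under a real SSG 'input' checkout into the same
    {relative path: text} shape as SAMPLE_FILES, so the helpers above can
    be pointed at the repository instead of the constructed sample."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(input_dir):
        for name in names:
            if name.endswith(".xml"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, input_dir)] = fh.read()
    return files


if __name__ == "__main__":
    for hit in find_rule(SAMPLE_FILES, "Ensure SELinux State is Enforcing"):
        print(f"{hit['file']}: {hit['id']} -> DISA CCI {', '.join(hit['disa'])}")
    print("rules with no DISA CCI:", rules_without_cci(SAMPLE_FILES))
```

To run it against a checkout, replace `SAMPLE_FILES` with `load_input_dir("/path/to/scap-security-guide/RHEL6/input")`. One caveat: `ET.fromstring` parses each file as standalone XML, so any input file that relies on entity references defined in another file will raise a `ParseError` and needs those entities resolved first; the constructed sample avoids that.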