4:06 p.m.
Also, I need to add Rules for automatic account expiration to handle some of the OS SRG
reqs.
Oddly, we seem to have OVAL for this and it's in the USGCB but not in our XCCDF.
(This means adding a Rule (plus Value) to discuss EXPIRE= in /etc/default/useradd.)
Jeffrey Blank (1):
added CCIs to move OS SRG mapping forward
rhel6/src/input/auxiliary/srg_support.xml | 19 +++++++++++++------
rhel6/src/input/services/ssh.xml | 2 +-
rhel6/src/input/system/auditing.xml | 7 ++++---
rhel6/src/input/system/software/updating.xml | 4 ++--
4 files changed, 20 insertions(+), 12 deletions(-)
4:06 p.m.
New subject: [PATCH] added CCIs to move OS SRG mapping forward
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
rhel6/src/input/auxiliary/srg_support.xml | 19 +++++++++++++------
rhel6/src/input/services/ssh.xml | 2 +-
rhel6/src/input/system/auditing.xml | 7 ++++---
rhel6/src/input/system/software/updating.xml | 4 ++--
4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml
b/rhel6/src/input/auxiliary/srg_support.xml
index ac50bbd..c1bdf83 100644
--- a/rhel6/src/input/auxiliary/srg_support.xml
+++ b/rhel6/src/input/auxiliary/srg_support.xml
@@ -12,7 +12,7 @@ not clearly relate.
Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here.
-->
</description>
-<ref disa="131,130,132,133,134,159,1694,162,163,164,345,346,872" />
+<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872" />
</Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
@@ -21,14 +21,21 @@ Red Hat Enterprise Linux meets this requirement by design.
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</description>
-<ref disa="354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221"
/>
+<ref
disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221"
/>
</Group> <!-- end unmet_impractical_guidance -->
-<Group id="unmet_impractical_product">
-<title>Product Does Not Meet this Requirement Due to Impracticality or
Scope</title>
+<Group id="requirement_unclear">
+<title>Implementation of the Requirement is Unclear</title>
<description>
-The product does not meet this requirement.
-The requirement is impractical or out of scope.
+It is unclear how to satisfy this requirement.
+</description>
+<ref disa="20,31,218,219,224" />
+</Group> <!-- end unmet_impractical_product -->
+
+<Group id="new_rule_needed">
+<title>A New Policy/Manual Rule is Needed</title>
+<description>
+A new Rule needs to be created in the scap-security-guide content.
</description>
</Group> <!-- end unmet_impractical_product -->
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml
index ad21cee..c673e76 100644
--- a/rhel6/src/input/services/ssh.xml
+++ b/rhel6/src/input/services/ssh.xml
@@ -8,7 +8,7 @@ implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
http://www.openssh.org. Its server program is called <tt>sshd</tt> and
provided by the RPM package <tt>openssh-server</tt>.</description>
-<ref disa="1453" />
+<ref disa="1453,877" />
<Value id="sshd_idle_timeout_value" type="number"
operator="equals" interactive="0">
diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index 676b333..927cb60 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -55,7 +55,7 @@ and impacting other services. This also minimizes the risk of the
audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).
</description>
-<ref disa="120,166,1338,1339,157" />
+<ref disa="120,135,136,166,1338,1339,157" />
<Rule id="enable_auditd_service">
<title>Enable auditd Service</title>
@@ -272,6 +272,7 @@ Setting this to <tt>email</tt> is recommended over the
default
<rationale>Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</rationale>
<oval id="auditd_data_retention_space_left_action"
value="var_auditd_space_left_action"/>
+<ref disa="140,144" />
</Rule>
@@ -295,7 +296,7 @@ audit records. If a separate partition or logical volume of adequate
size
is used, running low on space for audit records should never occur.
</rationale>
<oval id="auditd_data_retention_admin_space_left_action"
value="var_auditd_admin_space_left_action" />
-<ref disa="140" />
+<ref disa="140,144" />
</Rule>
@@ -626,7 +627,7 @@ unusual activity.
</rationale>
<ident cce="14296-8" />
<oval id="audit_rules_privileged_commands" />
-<ref nist="AU-2" />
+<ref nist="AU-2" disa="40" />
</Rule>
<Rule id="audit_media_exports">
diff --git a/rhel6/src/input/system/software/updating.xml
b/rhel6/src/input/system/software/updating.xml
index efc7834..a759d62 100644
--- a/rhel6/src/input/system/software/updating.xml
+++ b/rhel6/src/input/system/software/updating.xml
@@ -93,7 +93,7 @@ protects against malicious tampering.
</rationale>
<ident cce="14914-6" />
<oval id="yum_gpgcheck_global_activation" />
-<ref nist="SI-2" disa="352" />
+<ref nist="SI-2" disa="352,663" />
</Rule>
<Rule id="ensure_gpgcheck_never_disabled">
@@ -110,6 +110,6 @@ protects against malicious tampering.
</rationale>
<ident cce="14813-0" />
<oval id="yum_gpgcheck_never_disabled" />
-<ref nist="SI-2" disa="352"/>
+<ref nist="SI-2" disa="352,663"/>
</Rule>
</Group>
--
1.7.1
4:17 p.m.
New subject: [PATCH] added CCIs to move OS SRG mapping forward
Ack. I really like the new_rule_needed.
--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) shawn(a)redhat.com
(c) 443-534-0130
On Jun 26, 2012, at 5:06 PM, Jeffrey Blank <blank(a)eclipse.ncsc.mil> wrote:
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
rhel6/src/input/auxiliary/srg_support.xml | 19 +++++++++++++------
rhel6/src/input/services/ssh.xml | 2 +-
rhel6/src/input/system/auditing.xml | 7 ++++---
rhel6/src/input/system/software/updating.xml | 4 ++--
4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml
b/rhel6/src/input/auxiliary/srg_support.xml
index ac50bbd..c1bdf83 100644
--- a/rhel6/src/input/auxiliary/srg_support.xml
+++ b/rhel6/src/input/auxiliary/srg_support.xml
@@ -12,7 +12,7 @@ not clearly relate.
Red Hat Enterprise Linux meets this requirement by design.
<!-- We could include discussion of Common Criteria Testing if so desired here.
-->
</description>
-<ref disa="131,130,132,133,134,159,1694,162,163,164,345,346,872" />
+<ref disa="223,131,130,132,133,134,159,1694,162,163,164,345,346,872" />
</Group> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance">
@@ -21,14 +21,21 @@ Red Hat Enterprise Linux meets this requirement by design.
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</description>
-<ref disa="354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221"
/>
+<ref
disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,66,37,213,221"
/>
</Group> <!-- end unmet_impractical_guidance -->
-<Group id="unmet_impractical_product">
-<title>Product Does Not Meet this Requirement Due to Impracticality or
Scope</title>
+<Group id="requirement_unclear">
+<title>Implementation of the Requirement is Unclear</title>
<description>
-The product does not meet this requirement.
-The requirement is impractical or out of scope.
+It is unclear how to satisfy this requirement.
+</description>
+<ref disa="20,31,218,219,224" />
+</Group> <!-- end unmet_impractical_product -->
+
+<Group id="new_rule_needed">
+<title>A New Policy/Manual Rule is Needed</title>
+<description>
+A new Rule needs to be created in the scap-security-guide content.
</description>
</Group> <!-- end unmet_impractical_product -->
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml
index ad21cee..c673e76 100644
--- a/rhel6/src/input/services/ssh.xml
+++ b/rhel6/src/input/services/ssh.xml
@@ -8,7 +8,7 @@ implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
http://www.openssh.org. Its server program is called <tt>sshd</tt> and
provided by the RPM package <tt>openssh-server</tt>.</description>
-<ref disa="1453" />
+<ref disa="1453,877" />
<Value id="sshd_idle_timeout_value" type="number"
operator="equals" interactive="0">
diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index 676b333..927cb60 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -55,7 +55,7 @@ and impacting other services. This also minimizes the risk of the
audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).
</description>
-<ref disa="120,166,1338,1339,157" />
+<ref disa="120,135,136,166,1338,1339,157" />
<Rule id="enable_auditd_service">
<title>Enable auditd Service</title>
@@ -272,6 +272,7 @@ Setting this to <tt>email</tt> is recommended over the
default
<rationale>Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</rationale>
<oval id="auditd_data_retention_space_left_action"
value="var_auditd_space_left_action"/>
+<ref disa="140,144" />
</Rule>
@@ -295,7 +296,7 @@ audit records. If a separate partition or logical volume of adequate
size
is used, running low on space for audit records should never occur.
</rationale>
<oval id="auditd_data_retention_admin_space_left_action"
value="var_auditd_admin_space_left_action" />
-<ref disa="140" />
+<ref disa="140,144" />
</Rule>
@@ -626,7 +627,7 @@ unusual activity.
</rationale>
<ident cce="14296-8" />
<oval id="audit_rules_privileged_commands" />
-<ref nist="AU-2" />
+<ref nist="AU-2" disa="40" />
</Rule>
<Rule id="audit_media_exports">
diff --git a/rhel6/src/input/system/software/updating.xml
b/rhel6/src/input/system/software/updating.xml
index efc7834..a759d62 100644
--- a/rhel6/src/input/system/software/updating.xml
+++ b/rhel6/src/input/system/software/updating.xml
@@ -93,7 +93,7 @@ protects against malicious tampering.
</rationale>
<ident cce="14914-6" />
<oval id="yum_gpgcheck_global_activation" />
-<ref nist="SI-2" disa="352" />
+<ref nist="SI-2" disa="352,663" />
</Rule>
<Rule id="ensure_gpgcheck_never_disabled">
@@ -110,6 +110,6 @@ protects against malicious tampering.
</rationale>
<ident cce="14813-0" />
<oval id="yum_gpgcheck_never_disabled" />
-<ref nist="SI-2" disa="352"/>
+<ref nist="SI-2" disa="352,663"/>
</Rule>
</Group>
--
1.7.1
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/scap-security-guide
4345
days inactive
4345
days old
scap-security-guide@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Jeffrey Blank -
Shawn Wells