10:10 a.m.
Added notes that indicate how I believe RHEL 5 settings
could transition to consensus settings for RHEL 6. Also identified
some items from the RHEL 5 STIG that should be leveraged in the RHEL 6
content.
Jeffrey Blank (4):
added notes to support transition of RHEL 5 content to consensus for
RHEL 6
normalize whitespace for each ref in (attribute) ref list, permitting
use of newlines or accidental spaces
added missing items to Profiles
added support for setting password expiration to 60 days * and
some additional rationale text
RHEL6/input/auxiliary/transition_notes.xml | 85 ++++++++++++++++++--
RHEL6/input/profiles/STIG-server.xml | 4 +
RHEL6/input/profiles/common.xml | 17 ++++
.../accounts/restrictions/password_expiration.xml | 9 ++-
RHEL6/transforms/xccdf2table-stig.xslt | 4 +-
5 files changed, 106 insertions(+), 13 deletions(-)
10:10 a.m.
New subject: [PATCH 1/4] added notes to support transition of RHEL 5 content to consensus for RHEL 6
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/auxiliary/transition_notes.xml | 85 +++++++++++++++++++++++++---
1 files changed, 77 insertions(+), 8 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml
b/RHEL6/input/auxiliary/transition_notes.xml
index 5f99dcc..32bdc9c 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -2,34 +2,103 @@
<!-- This file enables documentation of how the RHEL 5 STIG requirements
will be migrated to consensus for RHEL 6. -->
-<note ref="792,821,822,828,829,831,832,837,838,840,841,842,843,848,849,
+<note ref="775,786,792,821,822,828,829,831,832,837,838,840,841,842,843,848,849,
928,929,974,975,978,979,980,981,987,988,989,994,1025,1027,1028,1029,1054,
1055,1056,1058,1059,4335,4334,4336,4339,4089,4090,4091,4358,4361,4364,
4365,4367,4368,4369,4370,4371,4393,4394,4430,11997,12019,12038,12039,12040,
22294,22295,22296,22323,22324,22325,22327,22328,22329,22332,22333,22335,
-22336,22337,22339,22342,22343,22392,22394,22396,22398,22406,22423,22425,
+22336,22337,22342,22343,22392,22394,22396,22398,22406,22423,22425,
22427,22435,22438,22444,22451,22453,22451,22492,22496,22559,22560,22561"
auth="WS">
This is superceded by the system-wide check for improper permissions provided
by the package manager. Automating this check became possible with OVAL 5.8.
</note>
-<note ref="" auth="JB">
+<note
ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279"
auth="JB">
The security argument is not apparent or salient.
</note>
-<note ref="" auth="">
+<note ref="22297,22309,22313,22314,22315,22316,22317,22318,22322,22326,22330,
+22334,22338,22340,22344,22350,22352,22353,22356,22357,22362,22366,22367,
+22373,22384,22386,22387,22388,22389,22390,22393,22395,22407,22424,22426,
+22428,22436,22437,22439,22441,22442,22445,22446,22450,22452,22454,22489,22493,
+22497,22498,22502,22503,22504,22505,22562,22566,22570,22574,22585,22595,22596"
auth="JB">
+Existence of an ACL is not necessarily a problem, and checking for existence of ACLs on a
random selection of
+files does not achieve any security goals. Alternatives include denying use of any ACLs
unless documented, or simply dropping these rules entirely (preferred).
+</note>
+
+<note
ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386"
auth="JB">
This is covered in the RHEL6 content.
</note>
-<note ref="" auth="">
+<note ref="11945" auth="JB">
+What is the distinction and purpose of different MAC levels?
+</note>
+
+<note ref="22292" auth="JB">
+This is desirable but not practical in many environments. Notably, many other OSes
+do not even support this capability.
+</note>
+
+<note ref="761,776,777,780,781,782,4382,11975,12765"
auth="JB">
+This needs to be added to the RHEL6 content.
+</note>
+
+<note ref="770,918" auth="JB">
This is covered in the RHEL6 content in a slightly different manner.
</note>
-<note ref="" auth="">
-The intent of the check procedure is not clear.
+<note ref="12022" auth="JB">
+This is covered in the RHEL6 content in a slightly different manner: iptables is
required.
+</note>
+
+<note ref="12005" auth="JB">
+This is covered in the RHEL6 content in a slightly different manner: xinetd is required
to be disabled, and inetd is not available as part of RHEL6.
+</note>
+
+<note ref="11940" auth="JB">
+This could be covered in the RHEL6 content itself, though it seems more like something
appropriate for a CTO
+upon retirement of major OS releases?
+</note>
+
+<note ref="4688,4701" auth="JB">
+This is covered in the RHEL6 content in a slightly different manner: xinetd services are
not permitted.
+</note>
+
+<note ref="4701" auth="JB">
+Finger is still part of RHEL, and so a separate rule could be created for this if we were
so inclined.
</note>
-<note ref="789,790,791" auth="JB">
+<note ref="4692,4694,12006" auth="JB">
+Postfix is the mail server on RHEL 6, and items peculiar to sendmail no longer apply.
+</note>
+
+<note ref="4693" auth="JB">
+This needs to be added, but adjusting for Postfix as the mail server on RHEL 6.
+</note>
+
+<note ref="4689" auth="JB">
+Is this not redundant to the system-wide requirement for keeping patches up to date
(V-783)?
+</note>
+
+<note ref="4696" auth="JB">
+This package is only available in EPEL. I suggest that this makes it out of scope.
+</note>
+
+<note ref="803,804" auth="JB">
+Is this not redundant to the system-wide aide check (V-11945)?
+</note>
+
+<note ref="801,802" auth="JB">
+Suggest that this be covered in the RHEL6 content in a slightly different manner:
ensuring all setuid programs
+are packaged (which implies vendor provenance). Also, what is the goal of the
documentation?
+</note>
+
+<note ref="769,794,795,796,11946,11977,11979,12024,12025,12049"
auth="JB">
+The intent or utility of the check procedure is not clear or not actionable.
+</note>
+
+
+<note ref="789,790,791,12026" auth="JB">
NIS/NIS+/yp should be disabled, as stated in a Rule in the RHEL 6 content.
NIS/NIS+/yp are obsolete and should not be running on any modern system.
</note>
--
1.7.1
10:10 a.m.
New subject: [PATCH 2/4] normalize whitespace for each ref in (attribute) ref list, permitting use of newlines or accidental spaces
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/transforms/xccdf2table-stig.xslt | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/transforms/xccdf2table-stig.xslt
b/RHEL6/transforms/xccdf2table-stig.xslt
index 95e5d3a..e3024eb 100644
--- a/RHEL6/transforms/xccdf2table-stig.xslt
+++ b/RHEL6/transforms/xccdf2table-stig.xslt
@@ -137,8 +137,8 @@
<xsl:template name="note-output">
<xsl:param name="vulnid_sought"/>
<xsl:param name="vulnid_found"/>
-
- <xsl:variable name="vulnid_expanded" select="concat('V-',
$vulnid_found)" />
+ <xsl:variable name="vulnid_found_normal"
select="normalize-space($vulnid_found)" />
+ <xsl:variable name="vulnid_expanded" select="concat('V-',
$vulnid_found_normal)" />
<xsl:if test="$vulnid_sought=$vulnid_expanded">
<tr><td><xsl:value-of select="@auth"/>: <xsl:value-of
select="." /></td></tr>
</xsl:if>
--
1.7.1
10:10 a.m.
New subject: [PATCH 3/4] added missing items to Profiles
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/profiles/STIG-server.xml | 4 ++++
RHEL6/input/profiles/common.xml | 17 +++++++++++++++++
2 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml
index 5c62da8..55bb934 100644
--- a/RHEL6/input/profiles/STIG-server.xml
+++ b/RHEL6/input/profiles/STIG-server.xml
@@ -6,8 +6,12 @@
<select idref="packagegroup_xwindows_remove" selected="true"/>
<select idref="disable_dhcp_client" selected="true"/>
<select idref="limiting_password_reuse" selected="true"/>
+<select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="aide_periodic_cron_checking" selected="true"/>
+<select idref="disable_users_coredumps" selected="true"/>
<!-- Password history -->
<refine-value idref="password_history_retain_number"
selector="5"/>
+<refine-value idref="var_password_max_age" selector="60"/>
</Profile>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index ba42601..6d77abc 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -24,6 +24,18 @@
<select idref="no_empty_passwords" selected="true"/>
<select idref="no_hashes_outside_shadow" selected="true"/>
<select idref="no_uidzero_except_root" selected="true"/>
+
+<select idref="userowner_shadow_file" selected="true"/>
+<select idref="groupowner_shadow_file" selected="true"/>
+<select idref="perms_shadow_file" selected="true"/>
+
+<select idref="userowner_gshadow_file" selected="true"/>
+<select idref="groupowner_gshadow_file" selected="true"/>
+<select idref="perms_gshadow_file" selected="true"/>
+
+<select idref="userowner_passwd_file" selected="true"/>
+<select idref="groupowner_passwd_file" selected="true"/>
+<select idref="file_permissions_etc_passwd" selected="true"/>
<select idref="password_min_len" selected="true"/>
<select idref="password_min_age" selected="true"/>
<select idref="password_max_age" selected="true"/>
@@ -48,6 +60,10 @@
<select idref="install_vlock_package" selected="true"/>
<select idref="set_system_login_banner" selected="true"/>
<!-- CURRENTLY NOT IMPLEMENTED <select idref="set_gui_login_banner"
selected="true"/> -->
+
+<select idref="enable_randomize_va_space" selected="true"/>
+<select idref="enable_execshield" selected="true"/>
+
<select idref="disable_sysctl_ipv4_default_send_redirects"
selected="true"/>
<select idref="disable_sysctl_ipv4_all_send_redirects"
selected="true"/>
<select idref="disable_sysctl_ipv4_ip_forward"
selected="true"/>
@@ -111,6 +127,7 @@
<select idref="disable_telnet_service" selected="true"/>
<select idref="uninstall_rsh-server" selected="true"/>
<select idref="disable_rsh" selected="true"/>
+<select idref="disable_rexec" selected="true"/>
<select idref="disable_rlogin" selected="true"/>
<select idref="uninstall_ypserv" selected="true"/>
<select idref="disable_ypbind" selected="true"/>
--
1.7.1
10:10 a.m.
New subject: [PATCH 4/4] added support for setting password expiration to 60 days * and some additional rationale text
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
.../accounts/restrictions/password_expiration.xml | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml
b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
index 01f0f45..88b3463 100644
--- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
@@ -47,6 +47,7 @@ age, and 7 day warning period with the following command:
<description>Maximum age of password in days</description>
<warning category="general">This will only apply to newly created
accounts</warning>
<value selector="">90</value>
+<value selector="60">60</value>
<value selector="90">90</value>
<value selector="120">120</value>
<value selector="180">180</value>
@@ -128,13 +129,15 @@ after satisfying the password reuse requirement.
edit the file <tt>/etc/login.defs</tt>
and add or correct the following line, replacing <i>DAYS</i> appropriately:
<pre>PASS_MAX_DAYS <i>DAYS</i><!-- <sub
idref="password_max_age_login_defs_value" /> --></pre>
-A value of 180 days is considered for sufficient for many
-environments.
+A value of 180 days is sufficient for many
+environments. The current setting required in DoD is 60 days.
</description>
<rationale>
Setting the password maximum age ensures that users are required to
periodically change their passwords. This could possibly decrease
-the utility of a stolen password.</rationale>
+the utility of a stolen password. Requiring shorter password lifetimes
+increases the risk of users writing down the password in a convenient
+location subject to physical compromise.</rationale>
<ident cce="4092-3" />
<oval id="accounts_maximum_age_login_defs"
value="var_password_max_age"/>
<ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/>
--
1.7.1
1:06 p.m.
ACK to the set.
Willy Santos, RHCE
Consultant
Red Hat Consulting
Cell: +1 (301) 254-7077
Email: wsantos(a)redhat.com
On 07/30/2012 11:10 AM, Jeffrey Blank wrote:
Added notes that indicate how I believe RHEL 5 settings
could transition to consensus settings for RHEL 6. Also identified
some items from the RHEL 5 STIG that should be leveraged in the RHEL 6
content.
Jeffrey Blank (4):
added notes to support transition of RHEL 5 content to consensus for
RHEL 6
normalize whitespace for each ref in (attribute) ref list, permitting
use of newlines or accidental spaces
added missing items to Profiles
added support for setting password expiration to 60 days * and
some additional rationale text
RHEL6/input/auxiliary/transition_notes.xml | 85 ++++++++++++++++++--
RHEL6/input/profiles/STIG-server.xml | 4 +
RHEL6/input/profiles/common.xml | 17 ++++
.../accounts/restrictions/password_expiration.xml | 9 ++-
RHEL6/transforms/xccdf2table-stig.xslt | 4 +-
5 files changed, 106 insertions(+), 13 deletions(-)
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
1:27 p.m.
Thanks -- and a quick note for anyone editing Profiles -- these are easy
to get merge problems, so let's sync if we're planning to edit them.
I am about to submit another batch of changes to the common and
stig-server profiles.
On 07/30/2012 02:06 PM, Willy Santos wrote:
ACK to the set.
Willy Santos, RHCE
Consultant
Red Hat Consulting
Cell: +1 (301) 254-7077
Email: wsantos(a)redhat.com
On 07/30/2012 11:10 AM, Jeffrey Blank wrote:
> Added notes that indicate how I believe RHEL 5 settings
> could transition to consensus settings for RHEL 6. Also identified
> some items from the RHEL 5 STIG that should be leveraged in the RHEL 6
> content.
>
>
> Jeffrey Blank (4):
> added notes to support transition of RHEL 5 content to consensus for
> RHEL 6
> normalize whitespace for each ref in (attribute) ref list, permitting
> use of newlines or accidental spaces
> added missing items to Profiles
> added support for setting password expiration to 60 days * and
> some additional rationale text
>
> RHEL6/input/auxiliary/transition_notes.xml | 85
> ++++++++++++++++++--
> RHEL6/input/profiles/STIG-server.xml | 4 +
> RHEL6/input/profiles/common.xml | 17 ++++
> .../accounts/restrictions/password_expiration.xml | 9 ++-
> RHEL6/transforms/xccdf2table-stig.xslt | 4 +-
> 5 files changed, 106 insertions(+), 13 deletions(-)
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
4281
days inactive
4281
days old
scap-security-guide@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Jeffrey Blank -
Willy Santos