1. Added new check display_login_attempts to check for a pam_lastlog.so session line. 2. Added new check for .netrc files in /home. 3. Renamed existing check so that the file name, OVAL id, and rule id all match.
- Maura Dailey
Maura Dailey (3): Adding check for pam_lastlog.so Adding check for no_netrc_files Renaming oval check no_rsh_trusted_host_files to no_rsh_trust_files to match rule ID
RHEL6/input/checks/display_login_attempts.xml | 25 +++++++++++++++++++ RHEL6/input/checks/no_netrc_files.xml | 22 ++++++++++++++++ RHEL6/input/checks/no_rsh_trust_files.xml | 26 ++++++++++---------- RHEL6/input/services/obsolete.xml | 2 +- RHEL6/input/system/accounts/pam.xml | 2 +- .../accounts/restrictions/password_storage.xml | 2 +- 6 files changed, 63 insertions(+), 16 deletions(-) create mode 100644 RHEL6/input/checks/display_login_attempts.xml create mode 100644 RHEL6/input/checks/no_netrc_files.xml
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil --- RHEL6/input/checks/display_login_attempts.xml | 25 +++++++++++++++++++++++++ RHEL6/input/system/accounts/pam.xml | 2 +- 2 files changed, 26 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/checks/display_login_attempts.xml
diff --git a/RHEL6/input/checks/display_login_attempts.xml b/RHEL6/input/checks/display_login_attempts.xml
new file mode 100644
index 0000000..a4a3143
--- /dev/null
+++ b/RHEL6/input/checks/display_login_attempts.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <definition class="compliance" id="display_login_attempts" version="1">
+ <metadata>
+ <title>Set Last Logon/Access Notification</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>Configure the system to notify users of last logon/access using pam_lastlog.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Conditions for pam_lastlog are satisfied" test_ref="test_display_login_attempts" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_display_login_attempts" version="1">
+ <ind:object object_ref="obj_display_login_attempts" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_display_login_attempts" version="1">
+ ind:path/etc/pam.d</ind:path>
+ ind:filenamesystem-auth</ind:filename>
+ <ind:pattern operation="pattern match">^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d=]+showfailed</ind:pattern>
+ <ind:instance datatype="int" operation="equals">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index ee18189..98dd568 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -75,7 +75,7 @@ allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
 </rationale>
 <ident cce="27291-4" />
-<oval id="TODO" />
+<oval id="display_login_attempts" />
 <ref disa="53" />
 </Rule>
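Review bot: The `<ind:pattern>` of obj_display_login_attempts leaves the control field optional, `(required|requisite)?`, but keeps the following `\s+` mandatory, so the check's intent is unclear: `optional` is rejected, yet a line with no control field at all (`session  pam_lastlog.so showfailed`, two spaces) is accepted, and the unescaped `.` in `pam_lastlog.so` matches any character. If the rule text calls for required/requisite, `^\s*session\s+(required|requisite)\s+pam_lastlog\.so[\s\w=]+\bshowfailed` states that directly (`\d` is already covered by `\w`). As rendered in this archive the `<ind:path>` and `<ind:filename>` lines have lost their opening tags (`ind:path/etc/pam.d</ind:path>`); that is presumably a mail-rendering artifact, but a quick `xmllint --noout` on the committed file would confirm it is well-formed before the OVAL build picks it up.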
Excellent, please push.
On 05/21/2013 01:36 PM, Maura Dailey wrote:
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
RHEL6/input/checks/display_login_attempts.xml | 25 +++++++++++++++++++++++++ RHEL6/input/system/accounts/pam.xml | 2 +- 2 files changed, 26 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/checks/display_login_attempts.xml
diff --git a/RHEL6/input/checks/display_login_attempts.xml b/RHEL6/input/checks/display_login_attempts.xml
new file mode 100644
index 0000000..a4a3143
--- /dev/null
+++ b/RHEL6/input/checks/display_login_attempts.xml
@@ -0,0 +1,25 @@
+<def-group>
<definition class="compliance" id="display_login_attempts" version="1">
<metadata>
<title>Set Last Logon/Access Notification</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Configure the system to notify users of last logon/access using pam_lastlog.</description>
</metadata>
<criteria>
<criterion comment="Conditions for pam_lastlog are satisfied" test_ref="test_display_login_attempts" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="test_display_login_attempts" version="1">
- <ind:object object_ref="obj_display_login_attempts" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_display_login_attempts" version="1">
- ind:path/etc/pam.d</ind:path>
- ind:filenamesystem-auth</ind:filename>
- <ind:pattern operation="pattern match">^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d=]+showfailed</ind:pattern>
- <ind:instance datatype="int" operation="equals">1</ind:instance>
- </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index ee18189..98dd568 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -75,7 +75,7 @@ allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.
</rationale>
 <ident cce="27291-4" />
-<oval id="TODO" />
+<oval id="display_login_attempts" />
 <ref disa="53" />
 </Rule>
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil --- RHEL6/input/checks/no_netrc_files.xml | 22 ++++++++++++++++++++ .../accounts/restrictions/password_storage.xml | 2 +- 2 files changed, 23 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/checks/no_netrc_files.xml
diff --git a/RHEL6/input/checks/no_netrc_files.xml b/RHEL6/input/checks/no_netrc_files.xml
new file mode 100644
index 0000000..c69c8e6
--- /dev/null
+++ b/RHEL6/input/checks/no_netrc_files.xml
@@ -0,0 +1,22 @@
+<def-group>
+ <definition class="compliance" id="no_netrc_files" version="1">
+ <metadata>
+ <title>Verify No netrc Files Exist</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_no_netrc_files_home" negate="true" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="test_no_netrc_files_home" version="1">
+ <unix:object object_ref="object_no_netrc_files_home" />
+ </unix:file_test>
+ <unix:file_object comment="look for .netrc in /home" id="object_no_netrc_files_home" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
+ <unix:path operation="equals">/home</unix:path>
+ <unix:filename operation="pattern match">^.netrc$</unix:filename>
+ </unix:file_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index efa8d0d..e71ef62 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -106,7 +106,7 @@ files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
 </rationale>
 <ident cce="27225-2" />
-<oval id="TODO" />
+<oval id="no_netrc_files" />
 <ref nist="IA-5(h)" disa="196" />
 </Rule>
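Review bot: The new file_object object_no_netrc_files_home searches only `/home` one level deep, so a `.netrc` under `/root`, or under a home directory that lives outside `/home`, is never collected and the rule passes; the companion no_rsh_trust_files check in this same series pairs its `/home` object with a `/root` one, and this definition should do the same. As rendered here the filename pattern reads `^.netrc$`; the same archive drops the backslash from the rsh check's `^\.(r|s)hosts$` in one copy but not the other, so the commit presumably has `^\.netrc$` — worth confirming, since an unescaped `.` would also match names such as `xnetrc`. The criterion, test and object below mirror the existing `/root` block of no_rsh_trust_files; the existing `/home` test and object are unchanged.
```xml
 <criteria operator="AND">
 <criterion test_ref="test_no_netrc_files_home" negate="true" />
 <criterion test_ref="test_no_netrc_files_root" negate="true" />
 </criteria>
 <!-- … unchanged: test_no_netrc_files_home and object_no_netrc_files_home … -->
 <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /root" id="test_no_netrc_files_root" version="1">
 <unix:object object_ref="object_no_netrc_files_root" />
 </unix:file_test>
 <unix:file_object comment="look for .netrc in /root" id="object_no_netrc_files_root" version="1">
 <unix:path operation="equals">/root</unix:path>
 <unix:filename operation="pattern match">^\.netrc$</unix:filename>
 </unix:file_object>
```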
please push
On 05/21/2013 01:36 PM, Maura Dailey wrote:
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
RHEL6/input/checks/no_netrc_files.xml | 22 ++++++++++++++++++++ .../accounts/restrictions/password_storage.xml | 2 +- 2 files changed, 23 insertions(+), 1 deletions(-) create mode 100644 RHEL6/input/checks/no_netrc_files.xml
diff --git a/RHEL6/input/checks/no_netrc_files.xml b/RHEL6/input/checks/no_netrc_files.xml
new file mode 100644
index 0000000..c69c8e6
--- /dev/null
+++ b/RHEL6/input/checks/no_netrc_files.xml
@@ -0,0 +1,22 @@
+<def-group>
<definition class="compliance" id="no_netrc_files" version="1">
<metadata>
<title>Verify No netrc Files Exist</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
</metadata>
<criteria>
<criterion test_ref="test_no_netrc_files_home" negate="true" />
</criteria>
</definition>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="test_no_netrc_files_home" version="1">
- <unix:object object_ref="object_no_netrc_files_home" />
- </unix:file_test>
- <unix:file_object comment="look for .netrc in /home" id="object_no_netrc_files_home" version="1">
- <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
- <unix:path operation="equals">/home</unix:path>
- <unix:filename operation="pattern match">^.netrc$</unix:filename>
- </unix:file_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index efa8d0d..e71ef62 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -106,7 +106,7 @@ files. DoD policy requires passwords be encrypted in storage and not used in access scripts.
</rationale>
 <ident cce="27225-2" />
-<oval id="TODO" />
+<oval id="no_netrc_files" />
 <ref nist="IA-5(h)" disa="196" />
 </Rule>
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil --- RHEL6/input/checks/no_rsh_trust_files.xml | 26 +++++++++++++------------- RHEL6/input/services/obsolete.xml | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/checks/no_rsh_trust_files.xml b/RHEL6/input/checks/no_rsh_trust_files.xml
index 1e05dd1..22c1c82 100644
--- a/RHEL6/input/checks/no_rsh_trust_files.xml
+++ b/RHEL6/input/checks/no_rsh_trust_files.xml
@@ -1,5 +1,5 @@
 <def-group>
- <definition class="compliance" id="no_rsh_trusted_host_files" version="1">
+ <definition class="compliance" id="no_rsh_trust_files" version="1">
 <metadata>
 <title>No Legacy .rhosts Or hosts.equiv Files</title>
 <affected family="unix">
@@ -8,30 +8,30 @@
 <description>There should not be any .rhosts or hosts.equiv files on the system.</description>
 </metadata>
 <criteria operator="AND">
- <criterion test_ref="test_no_rsh_trusted_host_files_root" negate="true" />
- <criterion test_ref="test_no_rsh_trusted_host_files_home" negate="true" />
- <criterion test_ref="test_no_rsh_trusted_host_files_etc" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_root" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_home" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_etc" negate="true" />
 </criteria>
 </definition>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /root" id="test_no_rsh_trusted_host_files_root" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_root" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /root" id="test_no_rsh_trust_files_root" version="1">
+ <unix:object object_ref="object_no_rsh_trust_files_root" />
 </unix:file_test>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /home" id="test_no_rsh_trusted_host_files_home" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_home" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /home" id="test_no_rsh_trust_files_home" version="1">
+ <unix:object object_ref="object_no_rsh_trust_files_home" />
 </unix:file_test>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="test_no_rsh_trusted_host_files_etc" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_etc" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="test_no_rsh_trust_files_etc" version="1">
+ 
<unix:object object_ref="object_no_rsh_trust_files_etc" />
 </unix:file_test>
- <unix:file_object comment="look for .rhosts or .shosts in /root" id="object_no_rsh_trusted_host_files_root" version="1">
+ <unix:file_object comment="look for .rhosts or .shosts in /root" id="object_no_rsh_trust_files_root" version="1">
 <unix:path operation="equals">/root</unix:path>
 <unix:filename operation="pattern match">^.(r|s)hosts$</unix:filename>
 </unix:file_object>
- <unix:file_object comment="look for .rhosts or .shosts in /home" id="object_no_rsh_trusted_host_files_home" version="1">
+ <unix:file_object comment="look for .rhosts or .shosts in /home" id="object_no_rsh_trust_files_home" version="1">
 <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
 <unix:path operation="equals">/home</unix:path>
 <unix:filename operation="pattern match">^.(r|s)hosts$</unix:filename>
 </unix:file_object>
- <unix:file_object comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="object_no_rsh_trusted_host_files_etc" version="1">
+ <unix:file_object comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="object_no_rsh_trust_files_etc" version="1">
 <unix:path operation="equals">/etc</unix:path>
 <unix:filename operation="pattern match">^s?hosts.equiv$</unix:filename>
 </unix:file_object>
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index 0c28d24..8883caf 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -209,7 +209,7 @@ used in conjunction with the R-services, they can allow unauthenticated access to a system.</rationale>
 <ident cce="27270-8" />
 <ref nist="AC-17(8),CM-7" disa="1436" />
-<oval id="no_rsh_trusted_host_files" />
+<oval id="no_rsh_trust_files" />
 <tested by="DS" on="20121026"/>
 </Rule>
it compiles, ship it
On 05/21/2013 01:36 PM, Maura Dailey wrote:
Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil
RHEL6/input/checks/no_rsh_trust_files.xml | 26 +++++++++++++------------- RHEL6/input/services/obsolete.xml | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/checks/no_rsh_trust_files.xml b/RHEL6/input/checks/no_rsh_trust_files.xml
index 1e05dd1..22c1c82 100644
--- a/RHEL6/input/checks/no_rsh_trust_files.xml
+++ b/RHEL6/input/checks/no_rsh_trust_files.xml
@@ -1,5 +1,5 @@
<def-group>
- <definition class="compliance" id="no_rsh_trusted_host_files" version="1">
+ <definition class="compliance" id="no_rsh_trust_files" version="1">
 <metadata>
 <title>No Legacy .rhosts Or hosts.equiv Files</title>
 <affected family="unix">
@@ -8,30 +8,30 @@
 <description>There should not be any .rhosts or hosts.equiv files on the system.</description>
 </metadata>
 <criteria operator="AND">
- <criterion test_ref="test_no_rsh_trusted_host_files_root" negate="true" />
- <criterion test_ref="test_no_rsh_trusted_host_files_home" negate="true" />
- <criterion test_ref="test_no_rsh_trusted_host_files_etc" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_root" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_home" negate="true" />
+ <criterion test_ref="test_no_rsh_trust_files_etc" negate="true" />
 </criteria>
 </definition>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /root" id="test_no_rsh_trusted_host_files_root" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_root" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /root" id="test_no_rsh_trust_files_root" version="1">
+ <unix:object object_ref="object_no_rsh_trust_files_root" />
 </unix:file_test>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /home" id="test_no_rsh_trusted_host_files_home" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_home" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /home" id="test_no_rsh_trust_files_home" version="1">
+ <unix:object object_ref="object_no_rsh_trust_files_home" />
 </unix:file_test>
- <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="test_no_rsh_trusted_host_files_etc" version="1">
- <unix:object object_ref="object_no_rsh_trusted_host_files_etc" />
+ <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="test_no_rsh_trust_files_etc" version="1">
+ 
<unix:object object_ref="object_no_rsh_trust_files_etc" />
 </unix:file_test>
- <unix:file_object comment="look for .rhosts or .shosts in /root" id="object_no_rsh_trusted_host_files_root" version="1">
+ <unix:file_object comment="look for .rhosts or .shosts in /root" id="object_no_rsh_trust_files_root" version="1">
 <unix:path operation="equals">/root</unix:path>
 <unix:filename operation="pattern match">^\.(r|s)hosts$</unix:filename>
 </unix:file_object>
- <unix:file_object comment="look for .rhosts or .shosts in /home" id="object_no_rsh_trusted_host_files_home" version="1">
+ <unix:file_object comment="look for .rhosts or .shosts in /home" id="object_no_rsh_trust_files_home" version="1">
 <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all" />
 <unix:path operation="equals">/home</unix:path>
 <unix:filename operation="pattern match">^\.(r|s)hosts$</unix:filename>
 </unix:file_object>
- <unix:file_object comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="object_no_rsh_trusted_host_files_etc" version="1">
+ <unix:file_object comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="object_no_rsh_trust_files_etc" version="1">
 <unix:path operation="equals">/etc</unix:path>
 <unix:filename operation="pattern match">^s?hosts.equiv$</unix:filename>
 </unix:file_object>
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index 0c28d24..8883caf 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -209,7 +209,7 @@ used in conjunction with the R-services, they can allow unauthenticated access to a system.</rationale>
 <ident cce="27270-8" />
 <ref nist="AC-17(8),CM-7" disa="1436" />
-<oval id="no_rsh_trusted_host_files" />
+<oval id="no_rsh_trust_files" />
 <tested by="DS" on="20121026"/>
 </Rule>