scap-security-guide July 2012

scap-security-guide@lists.fedorahosted.org

12 participants
83 discussions

Just for fun: gitstats
by Shawn Wells 26 Jul '12

26 Jul '12

I had a need to create some metrics of the project and came across gitstats [1]. I ran it against our tree and posted the results here: http://people.redhat.com/swells/gitstats/ Kind of fun reading through the data points. Jeff takes the #1 by lines of code at 231,376 (omfg), with Willy the #1 by number of commits at 334. [1] http://gitstats.sourceforge.net/

1 0

Test email
by Stephen John Smoogen 26 Jul '12

26 Jul '12

We have moved the lists to a new email server and need to test that lists are working. -- Stephen J Smoogen. "Don't derail a useful feature for the 99% because you're not in it." Linus Torvalds "Years ago my mother used to say to me,... Elwood, you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd

1 0

[PATCH] Removed redundant profile ref
by Kevin Spargur 26 Jul '12

26 Jul '12

limit_password_reuse doesn't map to anything and limiting_password_reuse is already in the profile. Removed limit_password_reuse from common profile. Thanks to Willem Bos for pointing it out. Kevin Spargur (1): Removed a redundant profile reference to the remember password rule RHEL6/input/profiles/common.xml | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) -- 1.7.7.6

2 2

[PATCH 0/2] Mapped CCI1343 and fixed group/rule
by Kevin Spargur 26 Jul '12

26 Jul '12

group limiting_password_reuse was causing the oval line not to properly transform and making it into the final output. Changing Group to Rule fixes this. Not sure why this is a group instead of a rule in anycase. Also mapped CCI 1343 to the rule for auditd to drop to single user mode when storage fills then removed that from the "needs new rule" group. Kevin Spargur (2): Mapped CCI 1343 to rule for action on full storage for auditd Changed group limiting_password_reuse to a rule RHEL6/input/auxiliary/srg_support.xml | 2 +- RHEL6/input/system/accounts/pam.xml | 31 +++++++++++++++---------------- RHEL6/input/system/auditing.xml | 2 +- 3 files changed, 17 insertions(+), 18 deletions(-) -- 1.7.7.6

2 3

Profiles updates
by Jeffrey Blank 25 Jul '12

25 Jul '12

Before the consensus meeting next week, we should have the STIG-server Profile expanded to include all items which bear CCIs. Even though a few of these are not practical (such as disabling all USB support), the conversation should start with a strict mapping of the SRG requirements, captured in the STIG-server Profile. Note: I've pushed the script that can identify Rules with references which are missing from a Profile, but I'm not pushing the other part of that commitset until we've been able to sync on how/when the Profile updating (and likely reorganization between common and STIG-server) should occur. There are likely Rules for disabling service in the common Profile which likely belong only in the desktop Profile, too (as these would be normal for a server). -- ___________________________ Jeffrey Blank 410-854-8675 Technology and Systems Analysis / Network Components NSA Information Assurance

1 0

[PATCH 0/5] Changes based on feedback from DISA FSO.
by Willy Santos 25 Jul '12

25 Jul '12

This set of patches contains changes/additions based on feedback from DISA FSO. These are also documented as tickets in the project's wiki. Willy Santos (5): Corrected rule mapping for CCI-143. Corrected mapping of CCI 206. Corrected mapping of CCI 154. Removed mapping of CCI-1414 from unmet_impractical_guidance. Created prose for NFS insecure_locks option. RHEL6/input/auxiliary/srg_support.xml | 4 +- RHEL6/input/services/nfs.xml | 26 +++++++++++++++++++- RHEL6/input/system/accounts/accounts.xml | 1 - RHEL6/input/system/auditing.xml | 6 ++-- RHEL6/input/system/software/disk_partitioning.xml | 2 +- 5 files changed, 30 insertions(+), 9 deletions(-) -- 1.7.7.6

2 6

[PATCH 0/1] Rule and checks for disabling qpidd per ticket 50
by Kevin Spargur 25 Jul '12

25 Jul '12

Adds xccdf rule and oval checks for disabling the qpidd service or removal of the qpid-cpp-server package (which provides qpidd). Kevin Spargur (1): Rule and checks for disabling qpidd per ticket 50 .../checks/package_qpid-cpp-server_removed.xml | 26 +++++ RHEL6/input/checks/service_qpidd_disabled.xml | 100 ++++++++++++++++++++ RHEL6/input/services/base.xml | 17 ++++ 3 files changed, 143 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/package_qpid-cpp-server_removed.xml create mode 100644 RHEL6/input/checks/service_qpidd_disabled.xml -- 1.7.7.6

2 4

[PATCH 0/2] making sure anything with a CCI ref is in the STIG profile
by Jeffrey Blank 25 Jul '12

25 Jul '12

Well, almost. But the tooling now exists to make sure it will (or that it's clear where/why we haven't). Jeffrey Blank (2): improved verify-references script to show if Profile does not include all Rules with certain references added Rules to STIG profile, based on output from verify-references.py * some Rules are still tagged but have not been added yet * some of these need Values specified or require a little more investigation RHEL6/input/profiles/STIG-server.xml | 10 +++++ RHEL6/input/profiles/common.xml | 4 ++ RHEL6/utils/verify-references.py | 65 ++++++++++++++++++++++++++++++--- 3 files changed, 73 insertions(+), 6 deletions(-)

2 6

[PATCH 4/4] Mapped CCI-000196 to sshd_use_approved_ciphers
by Shawn Wells 25 Jul '12

25 Jul '12

2 1

[PATCH 3/4] Updated mappings for CCI-000130
by Shawn Wells 25 Jul '12

25 Jul '12

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide July 2012