scap-security-guide August 2013

scap-security-guide@lists.fedorahosted.org

34 participants
57 discussions

Start a nNew thread

[PATCH 2/4] template_OVAL_package_installed testing + bash remediations
by Shawn Wells 30 Aug '13

30 Aug '13

1 0

[PATCH 1/4] Updated NIST profile ID
by Shawn Wells 30 Aug '13

30 Aug '13

1 0

Bouncing messages?
by Robert Sanders 29 Aug '13

29 Aug '13

Just out of curiosity, has anyone else received messages from the mailing list that about too many bounces? I got one a couple of weeks ago and did see a bunch of email on the web archive that I never received via email, but I just got another notice and there is nothing (recent) in the archive that I don't have here. I've asked my IT group here to back track and see if any of our filters are bouncing stuff... -Rob

4 3

current OVAL testing progress
by Jeffrey Blank 29 Aug '13

29 Aug '13

As promised, here is a display of the OVAL testing progress on scap-security-guide, against the Rules for the STIG profile: http://scap-securityguide.rhcloud.com/RHEL6/output/table-stig-rhel6-testinf… A very fat green bar in the "Check Text" column indicates that both OVAL and XCCDF have been tested; a note with the testers' names/initials are displayed at the bottom of the associated cell. How check attestations are added to the project are covered in previous discussions on the list (and hopefully apparent at a glance in the corresponding input file). The number of tested checks could increase significantly (momentum!), if some of the templated ones are tested (which would then likely involve adding a tag to the template, at least for the OVAL). Relatedly, I seem to recall that one of the templated OVAL checks may not quite be right, such as enabling/disabling a service for all runlevels instead of the usual 2-5.

2 1

[PATCH] added "checks" as a dependency for tables
by Jeffrey Blank 29 Aug '13

29 Aug '13

Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil> --- RHEL6/Makefile | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/RHEL6/Makefile b/RHEL6/Makefile index 40aa322..1c3d2a9 100644 --- a/RHEL6/Makefile +++ b/RHEL6/Makefile @@ -7,7 +7,7 @@ DIST = dist ID = ssg -all: shorthand2xccdf tables guide checks content dist +all: shorthand2xccdf tables guide content dist shorthand-guide: xsltproc -o $(OUT)/rhel6-shorthand.xml $(IN)/guide.xslt $(IN)/guide.xml @@ -59,14 +59,14 @@ table-srgmap: shorthand2xccdf $(TRANS)/table-srgmap.xslt $(REFS)/disa-os-srg-v1r1.xml xmllint --xmlout --html --output $(OUT)/table-rhel6-srgmap-flat.xhtml $(OUT)/table-rhel6-srgmap-flat.html -table-stigs: shorthand2xccdf table-srgmap +table-stigs: shorthand2xccdf table-srgmap checks xsltproc -o $(OUT)/table-rhel5-stig.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf.xml xsltproc -o $(OUT)/table-rhel5-stig-manual.html $(TRANS)/xccdf2table-stig.xslt $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml # xsltproc -stringparam notes "../$(IN)/auxiliary/transition_notes.xml" -o $(OUT)/table-rhel5-stig-manual-withnotes.html \ # $(TRANS)/xccdf2table-stig.xslt \ # $(REFS)/disa-stig-rhel5-v1r0.6-xccdf-manual.xml # temporarily retain an output file showing the short titles as well - xsltproc -stringparam profile "stig-rhel6-server" -stringparam testinfo "y" -o $(OUT)/table-stig-rhel6-shorttitles.html \ + xsltproc -stringparam profile "stig-rhel6-server" -stringparam testinfo "y" -o $(OUT)/table-stig-rhel6-testinfo.html \ $(TRANS)/xccdf2table-profileccirefs.xslt \ $(OUT)/unlinked-rhel6-xccdf.xml xsltproc -stringparam overlay "../$(IN)/auxiliary/stig_overlay.xml" -o $(OUT)/unlinked-stig-rhel6-xccdf.xml \ -- 1.7.1

2 1

[PATCH] Tiny patch to correct typo, it's -S stime, not -S time.
by Maura Dailey 29 Aug '13

29 Aug '13

Just a typo I noticed in passing. Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- RHEL6/input/system/auditing.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 4597b6f..cfb1425 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -555,7 +555,7 @@ to the system time should be audited.</rationale> <description>On a 32-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: <pre># audit_time_rules -a always,exit -F arch=b32 -S stime -k audit_time_rules</pre> -On a 64-bit system, the "-S time" is not necessary. The -k option allows for +On a 64-bit system, the "-S stime" is not necessary. The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. -- 1.7.1

2 1

minutes from 8/28 meeting (5-7pm) at DuClaw
by David Smith 29 Aug '13

29 Aug '13

Hi all, Here are minutes for the scap-security-guide meeting at DuClaw on 8/28. Attendance was less than we'd hoped -- maybe we'll have more next time! We want to prioritize the following activities: 1) Review/act/closeout existing Trac tickets. (Working on it this afternoon!) 2) Comprehensive proofread of the XCCDF guide. 3) Get with DISA FSO to sync on how to link the project's STIG profile in XCCDF, with whatever they can ingest. This is really important to make sure that the OVAL testing corresponds to the right XCCDF. 4) Continued OVAL testing (in parallel), with results captured graphically. Currently the table with testing info should be captured in the file table-stig-rhel6-shorttitles.html. (Oddly this doesn't quite seem to be working, and it should likely be captured in a different file anyway.) Ambition is to use maven and jenkins for testing against openscap, and even other tools such as SCC. 5) Decide how to handle any references to NIST 800-53 controls in some intellectually coherent/consistent way, to the extent possible. 6) Issue the prose guide and automated checking content, following the testing of the OVAL content. This may precede the DISA issuance of automated content. This should occur prior to the Red Hat Government Symposium on Nov 6.

2 1

Definition Criteria ...
by Trey Henefield 29 Aug '13

29 Aug '13

Greetings, So I am still in the learning process and am currently creating my own SSG benchmark for Java. Given that there are numerous iterations of Java (i.e. java-1.6.0-sun, java-1.7.0-oracle, ibm, openjdk) and different install paths (/etc/alternatives/jre_oracle, /etc/alternatives/jre_sun), I am attempting to produce the appropriate criteria to account for all types. While typically one would only go with one particular type of java, I would like to ensure that if more than one type is installed, that I capture compliance for everyone. However, I am having trouble grasping the concept of the criteria (AND, OR, ONE, XOR) and how best to use each in the proper hierarchy to achieve my goal. I can't seem to find any good information that breaks down each of these and their intended outcome. Now obviously if you have more than one definition underneath AND, the requirement is that all equate to true. So to achieve my suggested goal, my thoughts were the following for cpe-oval: <AND> Def.UNIX <OR> Def.JRE-SUN <OR> Def.JRE-ORACLE ... That seems to work, but the criteria for the actual checks seem to get a little more grey. My thoughts were: <OR> TST.JRE-SUN-INSTALLED <AND> TST.JRE-SUN-CHECK TST.JRE-ORACLE-INSTALLED <AND> TST.JRE-ORACLE-CHECK But that doesn't seem to pan out the way I expected it to. Any thoughts on how best to accomplish this? Thaks! Best regards, Trey Henefield, CISSP Senior IAVA Engineer Ultra Electronics Advanced Tactical Systems, Inc. 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA Trey.Henefield(a)ultra-ats.com Tel: +1 512 327 6795 ext. 647 Fax: +1 512 327 8043 Mobile: +1 512 541 6450 www.ultra-ats.com Disclaimer The information contained in this communication from trey.henefield(a)ultra-ats.com sent at 2013-08-29 12:13:20 is confidential and may be legally privileged. It is intended solely for use by scap-security-guide(a)lists.fedorahosted.org and others authorized to receive it. If you are not scap-security-guide(a)lists.fedorahosted.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

3 6

Self Introduction
by Jan Lieskovsky 29 Aug '13

29 Aug '13

Hello guys, I have recently joined the Red Hat Security Technologies Team, to help with selected packages maintenance and participate on discussions wrt to OVAL content. I have previously worked for Red Hat Security Response Team, so OVAL and XCCDF shouldn't be that strange topics in comparison with those, I have been working in the past with (but of course some time will be needed me to get / become a fully-fledged member of this community). Jeff's previously provided link: [1] https://fedorahosted.org/scap-security-guide/wiki/becomeadeveloper was helpful for me too :) (already requested membership to the SCAP Security Guide project). Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team

2 2

SCC 3.1 results with SSG content
by Robert Sanders 29 Aug '13

29 Aug '13

Afternoonall, Just wanted to post some interesting lines from running the SCC3.1 tool with the latest SSG yum content. I'm seeing a fair number of items failing with messages like the following (an example line item): RH64-64: Processing (1 of 385) Ensure /tmp Located On Separate Partition - (CCE-26435-8) [ERROR] 'no line is returned' does not match 'oval:[A-Za-z0-9_\-\.]+:var:[1-9][0-9]*'. at /</opt/scc/cscc>System/System_Functions.pm line 2855. [ERROR] Check system [ocil-transitional] is not supported. Check will not be performed. Target System: RH64-64 Selected Profile: rht-ccp Stream Name: ssg-rhel6- Stream Version: 0.9 Stream Date: 2013-07-05 Rule ID: partition_for_tmp This line is showing both example of the errors I've seen , the oval match issue and the ocil-transitional stuff. It appears the errors are always the same, and scattered independently through the 385 checks, for a total of 131 errors listed. I have done exactly zero digging to see what is happening, just wanted to toss this out to the collective eyeballs of the group. -Rob

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide August 2013