scap-security-guide August 2013

scap-security-guide@lists.fedorahosted.org

34 participants
57 discussions

intermittent failure of oval check, how to debug?
by Brian Millett 21 Aug '13

21 Aug '13

Ok, how do I go about debugging this: [root@deckard scap]# ./testcheck.py dir_perms_world_writable_sticky_bits.xml Evaluating with OVAL tempfile : /tmp/dir_perms_world_writable_sticky_bitshof67c.xml OpenSCAP Error: Unable to receive a message from probe [oval_probe_ext.c:583] [root@deckard scap]# ./testcheck.py dir_perms_world_writable_sticky_bits.xml Evaluating with OVAL tempfile : /tmp/dir_perms_world_writable_sticky_bitsLT_H5A.xml OpenSCAP Error: Unable to receive a message from probe [oval_probe_ext.c:583] [root@deckard scap]# ./testcheck.py dir_perms_world_writable_sticky_bits.xml Evaluating with OVAL tempfile : /tmp/dir_perms_world_writable_sticky_bits6eM3gu.xml OpenSCAP Error: Unable to receive a message from probe [oval_probe_ext.c:583] [root@deckard scap]# ./testcheck.py dir_perms_world_writable_sticky_bits.xml Evaluating with OVAL tempfile : /tmp/dir_perms_world_writable_sticky_bitsIWHsj4.xml Definition oval:scap-security-guide.testing:def:100: false The dir_perms_world_writable_sticky_bits test on ONE rhel6 machine is failing, but sometimes it does not. When I run an evaluation with the stig-rhel policy, I get OpenSCAP Error: Unable to receive a message from probe [oval_probe_ext.c:584] No definition with ID: oval:ssg:def:509 in result model. [oval_agent.c:182] -- Brian Millett "We are not through with the Centauri yet." -- [ G'Kar (to Jha'dur), "Deathwalker"]

3 5

Generalising SSG ...
by Trey Henefield 20 Aug '13

20 Aug '13

Just food for thought. Has there been any desire to make changes to SSG to accommodate building other (non-rhel6) SSGs? I am getting up to speed on its processes, and for practice and actual need, was thinking of creating an SSG for Firefox and Java, and potentially webmin and apache. However, I noticed rhel6 is embedded all throughout. I have noticed that most of the processes in place can be repurposed. With some changes to the makefile and a repurposed input folder, should this be possible? I was just hoping to get some further insight before going down this long path. Thanks in advance! Best regards, Trey Henefield, CISSP Senior IAVA Engineer Ultra Electronics Advanced Tactical Systems, Inc. 4101 Smith School Road Building IV, Suite 100 Austin, TX 78744 USA Trey.Henefield(a)ultra-ats.com Tel: +1 512 327 6795 ext. 647 Fax: +1 512 327 8043 Mobile: +1 512 541 6450 www.ultra-ats.com Disclaimer The information contained in this communication from trey.henefield(a)ultra-ats.com sent at 2013-08-20 11:36:43 is confidential and may be legally privileged. It is intended solely for use by scap-security-guide(a)lists.fedorahosted.org and others authorized to receive it. If you are not scap-security-guide(a)lists.fedorahosted.org you are hereby notified that any disclosure, copying, distribution or taking action in reliance of the contents of this information is strictly prohibited and may be unlawful.

3 3

Re: Re: [PATCH 02/17] Mapped CCI-001436 to disable_vsftpd (UNCLASSIFIED)
by Beavers, Randall D. CTR (US) 20 Aug '13

20 Aug '13

Classification: UNCLASSIFIED Caveats: NONE Willy Santos & Shawn Wells, I'm seeing you guys mapping a lot of CCIs to RHEL 6 on the lists. (searching CCI information online). I'm doing some work mapping the NIST 800-53 (v.4) to CCIs to DISA SRGs to DISA STIGS for my program. Any help would be appreciated. Seems the DISA IASE website and the VMS site doesn't jive. Do you guys have some definitive mappings for RHEL 6.4 CCEs / CCIs that would help me? In excel format? In xml format? Please advise. Randy Beavers, GSLC, CISSP Information Assurance Engineer Joint Battle Command-Platform 6000-C Technology Drive Huntsville, AL 35805 256-842-5426 (work) 256-289-6054 (cell) 256-876-2576 (fax) randall.d.beavers.ctr(a)mail.mil randall.d.beavers.ctr(a)mail.smil.mil Classification: UNCLASSIFIED Caveats: NONE

3 2

Very basic question..
by Stuart Green 20 Aug '13

20 Aug '13

Hi Folks, I just noticed that in my /usr/share/xml/scap/ssg/content/ folder the files are time stamped Jul 5 19:03 but the files in here are from the 13th of July. http://people.redhat.com/swells/scap-security-guide/RHEL6/dist/content/ There's no updates available in yum, so is it just a matter these files have not been pushed to repo yet? Cheers, Stu

2 2

[PATCH 0/2] updates to transforms to show OVAL testing
by Jeffrey Blank 19 Aug '13

19 Aug '13

This update to the table transform will show (with a thick green line) when an OVAL check has been tested for each Rule. This can probably get far more complete-looking if the templated checks are tested. (Did we ever fix the OVAL check for system services, such that only runlevel 2-5 were disabled?) It also shows the Rule ID for each Rule now, which is the stable identifier for each Rule. Jeffrey Blank (2): made CSS adjustments to make <pre> wrap improved table to indicate when OVAL checks have been tested RHEL6/transforms/table-style.xslt | 5 ++++ RHEL6/transforms/xccdf2table-profileccirefs.xslt | 27 +++++++++++++++++----- 2 files changed, 26 insertions(+), 6 deletions(-)

2 4

[PATCH] Original check assumed that sha512 would always be the first option
by Maura Dailey 19 Aug '13

19 Aug '13

Small edit to ensure that sha512 can be set anywhere in the list of options in the pam_unix.so line. - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- .../set_password_hashing_algorithm_systemauth.xml | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml b/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml index e999d0d..ac86592 100644 --- a/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml +++ b/RHEL6/input/checks/set_password_hashing_algorithm_systemauth.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> <criterion test_ref="test_pam_unix_sha512" /> @@ -18,7 +19,7 @@ <ind:textfilecontent54_object comment="check /etc/pam.d/system-auth for correct settings" id="object_pam_unix_sha512" version="1"> <ind:filepath>/etc/pam.d/system-auth</ind:filepath> - <ind:pattern operation="pattern match">^\s*password\s+sufficient\s+pam_unix.so\s+sha512.*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*password[\s]+sufficient[\s]+pam_unix\.so[\s]+.*sha512.*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> -- 1.7.1

2 1

[PATCH] Existing check was screwed up (title was wrong, comments were wrong, etc.) and was easily replaced by a templated check
by Maura Dailey 19 Aug '13

19 Aug '13

I noticed that the name of the check didn't make any sense, delved in deeper, and discovered that the correct check more closely met the templated sysctl checks. - Maura Dailey Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- .../checks/core_dump_suid_progs_limits_conf.xml | 30 -------------------- RHEL6/input/checks/sysctl_fs_suid_dumpable.xml | 28 ++++++++++++++++++ RHEL6/input/checks/templates/sysctl_values.csv | 1 + RHEL6/input/system/permissions/execution.xml | 2 +- 4 files changed, 30 insertions(+), 31 deletions(-) delete mode 100644 RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml create mode 100644 RHEL6/input/checks/sysctl_fs_suid_dumpable.xml diff --git a/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml b/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml deleted file mode 100644 index 066957a..0000000 --- a/RHEL6/input/checks/core_dump_suid_progs_limits_conf.xml +++ /dev/null @@ -1,30 +0,0 @@ -<def-group> - <definition class="compliance" id="core_dump_suid_progs_limits_conf" - version="1"> - <metadata> - <title>Disable Core Dumps for setuid programs</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>Core dumps for setuid programs should be - disabled</description> - </metadata> - <criteria> - <criterion comment="Are core dumps for setuid programs disabled?" - test_ref="test_core_dump_suid_progs_limits_conf" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" - comment="Tests the value of the ^[\s]*fs\.suid_dumpable[\s]*=([\s]*) expression in the /etc/sysctl.conf file" - id="test_core_dump_suid_progs_limits_conf" version="2"> - <ind:object object_ref="object_core_dump_suid_progs_limits_conf" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_core_dump_suid_progs_limits_conf" - version="1"> - <ind:path>/etc/security</ind:path> - <ind:filename>limits.conf</ind:filename> - <ind:pattern operation="pattern match"> - ^fs.suid_dumpable\s+=\s+1$</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml b/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml new file mode 100644 index 0000000..e358366 --- /dev/null +++ b/RHEL6/input/checks/sysctl_fs_suid_dumpable.xml @@ -0,0 +1,28 @@ +<def-group> +  + <definition class="compliance" id="sysctl_fs_suid_dumpable" version="1"> + <metadata> + <title>Kernel Runtime Parameter "fs.suid_dumpable" Check</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The kernel runtime parameter "fs.suid_dumpable" should be set to "0".</description> + </metadata> + <criteria> + <criterion comment="kernel runtime parameter fs.suid_dumpable set to 0" test_ref="test_sysctl_fs_suid_dumpable" /> + </criteria> + </definition> + + <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter fs.suid_dumpable set to 0" id="test_sysctl_fs_suid_dumpable" version="1"> + <unix:object object_ref="object_sysctl_fs_suid_dumpable" /> + <unix:state state_ref="state_sysctl_fs_suid_dumpable" /> + </unix:sysctl_test> + + <unix:sysctl_object id="object_sysctl_fs_suid_dumpable" version="1"> + <unix:name>fs.suid_dumpable</unix:name> + </unix:sysctl_object> + + <unix:sysctl_state id="state_sysctl_fs_suid_dumpable" version="1"> + <unix:value datatype="int" operation="equals">0</unix:value> + </unix:sysctl_state> +</def-group> diff --git a/RHEL6/input/checks/templates/sysctl_values.csv b/RHEL6/input/checks/templates/sysctl_values.csv index ae38b46..b318c47 100644 --- a/RHEL6/input/checks/templates/sysctl_values.csv +++ b/RHEL6/input/checks/templates/sysctl_values.csv @@ -17,3 +17,4 @@ net.ipv4.ip_forward,0 net.ipv4.tcp_syncookies,1 net.ipv6.conf.default.accept_redirects,0 net.ipv6.conf.default.accept_ra,0 +fs.suid_dumpable,0 diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index d742d60..86d2ea7 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml @@ -101,7 +101,7 @@ user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data.</rationale> <ident cce="27044-7" /> -<oval id="core_dump_suid_progs_limits_conf" /> +<oval id="sysctl_fs_suid_dumpable" /> <ref nist="SI-11" /> </Rule> </Group> -- 1.7.1

2 1

Rsyslog Permission Checks
by Maura Dailey 19 Aug '13

19 Aug '13

How do you think we should handle file owner and group permission checks on rsyslog files? Should we look for a predetermined list of files (trying to search for *.log is insufficient, since at the very least, /var/log/messages, /var/log/secure, and /var/log/maillog would get passed over)? Or should we try ninja regex to parse rsyslog.conf? - Maura Dailey

7 12

[PATCH] Guide refers to :omrelp: as a valid remote logging option, so I've updated the check to accept that format as well
by Maura Dailey 19 Aug '13

19 Aug '13

Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil> --- RHEL6/input/checks/rsyslog_remote_loghost.xml | 20 +++++++------------- 1 files changed, 7 insertions(+), 13 deletions(-) diff --git a/RHEL6/input/checks/rsyslog_remote_loghost.xml b/RHEL6/input/checks/rsyslog_remote_loghost.xml index b3ab6a8..81441eb 100644 --- a/RHEL6/input/checks/rsyslog_remote_loghost.xml +++ b/RHEL6/input/checks/rsyslog_remote_loghost.xml @@ -1,30 +1,24 @@ <def-group> - <definition class="compliance" - id="rsyslog_remote_loghost" version="1"> + <definition class="compliance" id="rsyslog_remote_loghost" version="1"> <metadata> <title>Send Logs to a Remote Loghost</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Syslog logs should be sent to a remote - loghost</description> + <description>Syslog logs should be sent to a remote loghost</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> - <criterion comment="Conditions are satisfied" - test_ref="test_rsyslog_remote_loghost" /> + <criterion comment="Conditions are satisfied" test_ref="test_rsyslog_remote_loghost" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the \*\.\*[\s]+@ setting in the /etc/syslog.conf file" - id="test_rsyslog_remote_loghost" version="1"> + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the \*\.\*[\s]+@ setting in the /etc/syslog.conf file" id="test_rsyslog_remote_loghost" version="1"> <ind:object object_ref="object_rsyslog_remote_loghost" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_rsyslog_remote_loghost" - version="1"> + <ind:textfilecontent54_object id="object_rsyslog_remote_loghost" version="1"> <ind:path>/etc</ind:path> <ind:filename>rsyslog.conf</ind:filename> - <ind:pattern operation="pattern match">^\*\.\*[\s]+@</ind:pattern> + <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> -- 1.7.1

2 1

[PATCH] Adding reference tags to show test_attestation for various checks
by Maura Dailey 19 Aug '13

19 Aug '13

I intend to continue to test checks and commit tested results to checks. Here's the current batch I've completed from today and last week. - Maura Dailey Maura Dailey (1): Adding reference tags to show which checks I've tested. Some very slight whitespace corrections were made as well. .../checks/accounts_disable_post_pw_expiration.xml | 1 + .../checks/accounts_maximum_age_login_defs.xml | 1 + .../checks/accounts_minimum_age_login_defs.xml | 3 ++- RHEL6/input/checks/accounts_no_uid_except_zero.xml | 1 + RHEL6/input/checks/accounts_umask_bashrc.xml | 1 + RHEL6/input/checks/accounts_umask_cshrc.xml | 1 + RHEL6/input/checks/accounts_umask_etc_profile.xml | 1 + RHEL6/input/checks/accounts_umask_login_defs.xml | 1 + RHEL6/input/checks/core_dumps_limitsconf.xml | 4 ++-- .../checks/ensure_gpgcheck_never_disabled.xml | 9 ++++----- RHEL6/input/checks/file_owner_etc_group.xml | 1 + RHEL6/input/checks/file_owner_etc_gshadow.xml | 1 + RHEL6/input/checks/file_owner_etc_passwd.xml | 1 + RHEL6/input/checks/file_owner_etc_shadow.xml | 1 + RHEL6/input/checks/no_netrc_files.xml | 1 + RHEL6/input/checks/no_rsh_trust_files.xml | 3 ++- .../checks/yum_gpgcheck_global_activation.xml | 7 ++++--- 17 files changed, 26 insertions(+), 12 deletions(-)

3 3

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide August 2013