On 2-MAY the SSG v0.1-11 update was released, reflecting the inclusion of DISA FSO feedback on the (then) Draft RHEL6 STIG and several OVAL improvements. It was a huge milestone, driving us over 1,800 unique code commits!
We've since had an additional 88 commits, largely around OVAL content cleanup and the rewrite of combinefixes.py to handle parameters for OpenSCAP remediation generation (thanks, Jeff!). User feedback also prompted us to fix the build system when compiling on Fedora 18+ and the upcoming RHEL release.
SSG v0.1-12 has been released to the EPEL repository to reflect these recent bugfixes and enhancements. Download instructions available on the wiki: https://fedorahosted.org/scap-security-guide/wiki/downloads
CHANGELOG:
$ git log --oneline --after={2013-05-02} --no-merges
fe2a0b6 Some corrections to the PAM cracklib guidance as follows: corrected pam_cracklib.so line to include all discussed parame
532aeb8 Modified the DoD banner check to accept either a newline or space between each word, as the RHEL5 version does. This al
ded2ef4 Created remediation template: create_services_disabled.py - Based off OVAL services file
a96cdc3 Added sysctl remediation scripts - Updated template to reflect proper naming of sysctl scripts
c3355eb Added bash templates directory, added sample sysctl script - Makefile based off OVAL, same usage - CVS files point to
f75ad8d Module is freevxfs, not freevsfs
cd940ef Fix build of OpenStack and RHEVM3 parts on Fedora 18+
df19413 Fix build on Fedora 18+ and the upcoming RHEL release
2ddbbb7 Subexpression datatype shall equal to the variable datatype
4cd7650 Ok, to fix the "error" doing an evaluation for the various umask checks, changed the following variables referenced in t
5fa190d changed a typo var_acocunts_umask_bashrc => var_accounts_umask_bashrc
7d772db Update from deprecated rpmverify_* to rpmverifyfile_* checks
2026606 made xccdf-addfixes insert all text and child nodes of a fix
d6703f4 rewrite of combinefixes.py to handle parameters for OpenSCAP remedation generation
c13fafa incomplete support file for bash remediations * does at least warn when undefined variable exists
f87d817 example remediation script which takes a parameter
24f2c2e Removing deprecated recurse="files" behavior
f078b8f Removing deprecated recurse=files behavior.
b12d669 Replacing deprecated ind:environmentvariable_... tags with ind:environmentvariable58_... tags
5ed6dc2 Created OVAL for ensure_gpgcheck_never_disabled XCCDF rule called nonexisting OVAL, created it.
0d69487 Renaming oval check no_rsh_trusted_host_files to no_rsh_trust_files to match rule ID
295184c Adding check for no_netrc_files
e1aede3 Adding check for pam_lastlog.so
9c21556 additional copy editing
3fd9f3f copy editing
9db6e3d Renaming oval check no_rsh_trusted_host_files to no_rsh_trust_files to match rule ID
4109078 Adding check for no_netrc_files
6f31c05 Adding check for pam_lastlog.so
0e15e2d Adding check for disabling GNOME thumbnailers in gconf
d10f08e modified makefile to remove test attestation from prose guide -- revised
4f3ea5f corrections for typos in OVAL references
d50c71b removal of references to nonexistent OVAL for some NFS guidance
980f686 refine verify-references to deal only with OVAL compliance checks for OVAL
6051ea6 removal of comments, reference to nonexistent OVAL
8251580 removal or correction of misnamed or obsolete OVAL checks
76e93ef removal of packages from check templates
69f31e0 Added backslash escapes to the warning texts to fix the RegEx, replaced line breaks with newlines, and added some m
c22ed9c Added backslash escapes to the warning texts to fix the RegEx, replaced line breaks with newlines, and added some more f
c58ac2b Fixing indenting for external variable line.
95d5a4b removal of unused OVAL checks
bcc1495 bugfixes for undisciplined renaming jaunt, missing OVAL references
9a378b9 removal of unused OVAL checks
3b82cf5 deletion of unused OVAL checks
6a89088 removal of commented text, some redundant/unnecessary Rules from Profiles
9705192 deletion of unused/obsoleted OVAL checks (and commented out XCCDF)
36a75ec deletion of unused OVAL checks
48e9900 removal of unnecessary guidance from SSL section
7682f9c removal of commented/obsolete text from logging section
a1f2d30 removal of commented text, invalid CCE from root logins guidance
0a3577b update to NFS section (still perhaps incomplete)
1a3d854 changed Dovecot Rule to Group as it is guidance and not a compliance check
fb4a29b removal of commented/obsolete items for base services
9a228d5 updates to the CCE verification script to be more informative
ff25fc9 cleanup of comments, unnecessary Rules in DNS (bind) service
7a16cda Deleting duplicate check for disabling IPv6
d9d1741 Minor typo, removing slash at end of description
330258c added version info for RHEL, URL for project
f36ecf3 removed some now-obsolete advice from samba
8d5ee52 added some clarifying text to the intro
6c9f047 removing some unnecessary (for compliance-focus) text from cups
de705e9 Updated service_tftpd_disabled As reflected from update to template file
356405f Removed duplicate references to var_samba_private_directory Updated OVAL to have unique IDs
034b8b3 Removed duplicate references object_etc_skel_files Updated OVAL to have unique names
d609d6b Removed duplicate var_ssh_config_directory references Updated OVAL to have unique names
8a7a3f3 Removed duplicate state_uid_root Updated OVAL to have unique names
e421d69 Modified template_OVAL_package_installed and template_package_removed These files were causing build errors regarding ob
1ae4c30 Removed duplicate references to var_accounts_user_umask Assigned unique identifiers
ea10f13 Removed duplicate references to object_lib_modules_files Assigned unique identifiers
882e341 Removed duplicate object_usr_lib64_files references Assigned unique identifiers within OVAL
9d89e61 Removed duplicate object_usr_lib64_dir references Assigned unique identifiers in OVAL
863aa19 Removed duplicate object_usr_lib_files references Assigned unique identifiers to OVAL checks
714c3c1 Removed duplicate object_usr_lib_dir Updated OVAL to have unique names
dffd29b Removed duplicates of object_lib64_files Updated OVAL to have unique names
bc6fbcd Removed duplicate object_lib64_dir Updated OVAL checks to have unique names
fe089dc Removed duplicate object_lib_files Updated OVAL checks for unique names
7546f2e Removed duplicate object_lib_dir references Created unique names in the OVAL templates
b376e27 Updated mount_option_* OVAL variable var_removable_partition These OVAL files were using duplicate 'var_remove_partition
7fae707 Updated template_permissions to place FILEID into strings
e31dc7b Updated state_gid_0 to reflect per check naming
07380c0 Updated state_uid_0 names within OVAL Multiple OVAL checks were using "state_uid_0" causing build errors. Updated so eve
f5b90ce Updated rpm_verify_hashes for OVAL 5.10 compliance The old rpmverify_* is now depricated, updated check to rpmverifyfile
e3b5697 modified transform to only match test attestation
02a19e2 transform designed to remove the 'tested by' information
a330ccf deleting files for imprecise and obsolete OVAL checks, manual remediation
ca71cde simplification of Postfix service configuration
14397cd Removing a newline to fix XHTML formatting
7d1ab28 deletion of manual audit profile, OVAL for obsolete ldap server checks
d7f3ca4 removed obsolete LDAP guidance, checks
It's been a few months since the last RPM release, v0.1-12, on 26-JUNE. Since that time we've had 175 patches reflecting feature requests, bug fixes, and the addition of Fedora content to the project (thanks, Jan!).
A few highlights:
- New version scheme to ensure compliance with EPEL release syntax (namely, the addition of .rc#).
- Reducing false positives has been a specific focus over the past few months. To that end, many community members have begun unit testing the OVAL checks and inserted a "test_attestation" tag. This tag indicates both fail and pass configurations have been unit tested, and to date, 216 of the 341 OVAL checks have gone through this process. The majority of the tested OVAL checks fall within the STIG profile.
- As OVAL checks have been unit tested, many corresponding bash scripts have been authored. Currently there are 133 checks with associated bash remediation. To generate bash scripts, first run a scan:
# oscap xccdf eval --profile stig-rhel6-server \
    --results /root/ssg-results/results.xml \
    --report /root/ssg-results/report.html \
    --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
    /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
Then use OpenSCAP to transform out bash scripts for any failed checks:
# oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_stig-rhel6-server \
    /root/ssg-results/results.xml > /root/ssg-results/ssg-fixes.sh
- Addressing user-reported bugfixes, both to core SSG content and bugs reported to DISA FSO against the RHEL6 STIG, has also been a focus. Examples include updates to the logrotate and PAM checks.
- The inclusion of a _/beta/_ Certified Cloud Provider profile (rht-ccp). The Red Hat Certified Cloud Provider program ensures that public cloud providers meet "testing and certification requirements to demonstrate that they can deliver a safe, scalable, supported and consistent environment for enterprise cloud deployments. The Red Hat Certified Cloud Provider program provides customers, ISVs, and partners with the confidence that Red Hat product experts have validated the solution so that implementations begin with a solid foundation." In order to establish an automated security testing process, Red Hat is exploring the use of SCAP profiles to evaluate RHEL baselines/AMIs before public cloud providers release them to their customer sets. /_This in no way reflects a statement of direction for Red Hat, but rather transparency as we evaluate best practices to evaluate RHEL platforms_/.
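As an added illustration of the scan-then-generate-fix steps in the highlights above (not part of the original announcement or of the SSG project's code): the Python below reads a results.xml, reports each TestResult id that can be passed to --result-id, and separates failed rules that carry a bash fix from those left for manual remediation. The sample document is constructed, with rule ids borrowed from the changelog, and it is an assumption that bash remediations are marked with the XCCDF fix system urn:xccdf:fix:script:sh.

```python
"""Summarise an XCCDF results file before generating or running fixes."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: bash remediations are tagged with this XCCDF fix system URN.
BASH_FIX = "urn:xccdf:fix:script:sh"

# Constructed sample shaped like the file written by `oscap xccdf eval --results`:
# the benchmark's Rule definitions followed by a TestResult. Fix bodies are placeholders.
SAMPLE_RESULTS = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-sample">
  <Group id="services">
    <Rule id="sshd_disable_root_login">
      <fix system="urn:xccdf:fix:script:sh">: # placeholder fix body</fix>
    </Rule>
  </Group>
  <Rule id="sysctl_kernel_randomize_va_space">
    <fix system="urn:xccdf:fix:script:sh">: # placeholder fix body</fix>
  </Rule>
  <Rule id="no_netrc_files"/>
  <TestResult id="xccdf_org.open-scap_testresult_stig-rhel6-server">
    <profile idref="stig-rhel6-server"/>
    <rule-result idref="sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="sysctl_kernel_randomize_va_space"><result>pass</result></rule-result>
    <rule-result idref="no_netrc_files"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the '{namespace}' prefix so XCCDF 1.1 and 1.2 files both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def summarize_results(xml_text):
    """Return {TestResult id: profile, per-outcome counts, fixable and manual failures}."""
    root = ET.fromstring(xml_text)

    # Rules (at any Group depth) that ship a bash <fix>.
    with_bash_fix = {
        rule.get("id")
        for rule in root.iter()
        if _local(rule.tag) == "Rule"
        and any(f.get("system") == BASH_FIX for f in _children(rule, "fix"))
    }

    summary = {}
    for tr in root.iter():
        if _local(tr.tag) != "TestResult":
            continue
        counts, fixable, manual = Counter(), [], []
        for rr in _children(tr, "rule-result"):
            res = _children(rr, "result")
            outcome = (res[0].text or "").strip() if res else "unknown"
            counts[outcome] += 1
            if outcome == "fail":
                bucket = fixable if rr.get("idref") in with_bash_fix else manual
                bucket.append(rr.get("idref"))
        profile = _children(tr, "profile")
        summary[tr.get("id")] = {
            "profile": profile[0].get("idref") if profile else None,
            "counts": counts,
            "fixable": fixable,
            "manual": manual,
        }
    return summary


if __name__ == "__main__":
    # Pass a real results.xml path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    for result_id, info in summarize_results(text).items():
        print("result-id:", result_id, "(profile: %s)" % info["profile"])
        print("  outcomes:", dict(info["counts"]))
        print("  failed, bash fix available:", ", ".join(info["fixable"]) or "none")
        print("  failed, manual remediation:", ", ".join(info["manual"]) or "none")
```

Comparing the "bash fix available" list against the generated ssg-fixes.sh before executing it shows which failures the script is expected to address and which remain open afterwards.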
As always, updated RPMs are now available in the EPEL repository [1]. Download instructions are available on the wiki: https://fedorahosted.org/scap-security-guide/wiki/downloads
For those needing ZIP compressed files: http://repos.fedorapeople.org/repos/scap-security-guide/epel-6/ZIPs/
Please direct comments, issues, and general communications to the SSG mailing list: https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
[1] /Side note: In my testing, I had to 'yum clean all' before the updated RPM was available via 'yum update'/
A full listing of patches is provided below:
$ git log --oneline --after={2013-06-26} --no-merges
727d320 accounts_password_pam_cracklib_ocredit -- filename->filepath Updated OVAL to utilize filepath tag
578c9fe accounts_password_pam_cracklib_lcredit -- filename->filepath update Updated OVAL to filepath tag
0ef2176 accounts_password_pam_cracklib_ucredit - filename -> filepath update Updating filename -> filepath
fc1234c [ticket 427] bugfix - Update sshd_idle_timeout * STIG required value of 900 (15min), values only went to 10min (updated sshd_idle_timeout_value within STIG profile, ad
084b0e7 Comment didn't match check
f3b3bc4 [Fedora] Use correct file paths in scap-security-guide(8) manual page (RH BZ#1018905, c#10)
f907c1c [Fedora] Apply further changes motivated by scap-security-guide Fedora RPM review request (RH BZ#1018905, c#8)
16e8b1f Deleting wrongly named check
a89548d The name of the check did not reflect its content.
efd4e06 [Fedora] Fixes for scap-security-guide Fedora RPM review request (RH BZ#1018905)
0f8425e [Fedora] Introduce SSG manual page. Fix previous changelog date typo. Create 0.1-2 version
d478d86 [Fedora] Remove percent sign from Fedora spec's changelog to silence rpmlint warning
86cf0fe [Fedora] Convert RHEL6 'Restrict Root Logins' section's rules to Fedora
e6a863a Fix couple of typos in the text of 'Restrict Root Logins' document
aa38411 Made some corrections to the XSLT transforms to remedy missing fields, replaced PNG files with different images, added background colors and borders to code and header
3633243 New XCCDF Profile: Red Hat Certified Cloud Provider (rht-ccp) - Testing profile for Red Hat's CCP program (standards for Red Hat's certified cloud providers)
cc82cd1 corrected the activate logrotate rule
81f2ad8 additional OVAL testing
d7fbe82 [Fedora] Convert four RHEL6 rules from 'Set Password Expiration Parameters' section to Fedora
a7da684 Introduce 'Accounts and Access Control Section'. Convert four RHEL-6 rules from its 'Verify Proper Storage' subsection to Fedora
3da6a96 Introduce new RPM versioning scheme for RHEL6 / JBossEAP content
f6d5566 images for guide presentation
a2b1a21 editing on ntp section prose
559f4b3 editing on prose for mounting,partitioning,permissions
13a5ca6 editing on prose text for software integrity/updating
ddca85f use new guide transform in Makefile, fixed filename mistake
5f730f3 new transform to create custom HTML guide
05381fb Correcting a simple typo (/etc/modprob.d instead of the correct path /etc/modprobe.d)
61ade64 Changed the gconf_gnome_screensaver_idle_delay check to pass on values less than or equal to those in the profile. This allows users to reduce the time until the scree
94b1ecd OVAL testing
37de67c Fedora spec - replace hard-wired paths with macros. Preserve attributes when copying files.
af11d6a [Fedora] New rpm versioning scheme - set proper name of the build directory https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/00...
42ec0c8 [bugfix] Updated RPM spec file Pushing Jan Lieskovsky's patches. Thread @ https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/00...
745b173 Fixed two typos in RHEL6/input/checks/file_ownership_binary_dirs.xml. The first was inside a comment and said the check was for /lib when really it was for /bin. The s
a9580d3 Added checks for 'hard' or '-' for checks in /etc/security/limits.conf
321abf2 [bugfix] Updated RPM spec file
c148607 XCCDF Profile Cleanup, take 2 (now with correct patch) .... might help if I included the correct patch! - Forgot that test profile needed by make-eval (thanks, jeff!
666565b OVAL signoff auditd_data_retention_action_mail_acct
a3a7c7e updated OVAL template: template_sysctl - Prior edition of sysctl template only checked runtime configuration, added checks for /etc/sysctl.conf - OVAL signoff
122b80e OVAL signoff: accounts_password_pam_cracklib_retry - filepath update - XCCDF naming update - Fixed variable name in USGCB profile
7450369 New OVAL: file_permissions_binary_dirs - net-new OVAL, though based off file_permissions_libary* - Added remediation script - Mapped XCCDF to OVAL - OVAL signoff
620110f OVAL signoff: file_permissions_library_dirs Light OVAL cleanup & signoff
d3a7e63 Updated kernel_module_disabled OVAL template - RHEL6 supports *both* /etc/modprobe.conf and /etc/modprob.d, updated check to scan via OR operator - Frank Caviggia call
49993eb new remediation: file_permissions_library_dirs
273fca2 OVAL signoff: accounts_dangerous_path_for_root
c522957 [Fedora] Introduce better rpm versioning scheme
28b1f22 Updated and tested root path checks
b3a67cb Introduce FEDORA directory skeleton and 'common' profile having two gpgcheck scans
1e0e85d [bugfix] Invalid dates in RHEL6 RPM spec file When testing the fedora RPM system, errors were thrown regarding invalidat dates in the RHEL6 RPM spec file. Interestingl
cac6900 [bugfix] Updated XCCDF profile names
9990a96 Reference tag was in wrong location, so I moved it to the metadata section as required.
11c277e OVAL signoff for multiple sysctl_net_ipv4 checks
657347f OVAL signoff for sysctl_kernel_exec_shield
52ea785 OVAL signoff for sysctl_kernel_randomize_va_space
7348645 OVAL signoff file_permissions_etc_group
e932bdc OVAL signoff file_groupowner_etc_group
25e5350 OVAL signoff file_groupowner_etc_passwd
ba5f816 added testrefs to a number of OVAL checks
d8373be corrected naming mismatch issues picked up by verify-input-sanity
8baa4a0 OVAL signoff file_groupowner_etc_gshadow [user@redhat-thing-1 checks]$ ls -lL /etc/gshadow ----------. 1 root root 723 Sep 16 12:58 /etc/gshadow [user@redhat-thing-1 c
d391ec4 OVAL signoff: file_groupowner_etc_shadow
712bb19 OVAL signoff no_empty_passwords [user@redhat-thing-1 checks]$ grep nullok /etc/pam.d/system-auth [user@redhat-thing-1 checks]$ ./testcheck.py no_empty_passwords.xml Ev
3836f91 OVAL/XCCDF namings for no_shelllogin_for_systemaccounts
405362d OVAL signoff for accounts_password_all_shadowed TESTING: [user@redhat-thing-1 checks]$ awk -F: '($2 != "x") {print}' /etc/passwd [user@redhat-thing-1 checks]$ awk -F:
de01914 OVAL signoff for accounts_no_shelllogin_for_systemaccounts OVAL signoff: accounts_no_shelllogin_for_systemaccounts
8e56c69 Updated XCCDF/OVAL namings
16b291f Updated accounts_password_minlen_login_defs - XCCDF/OVAL namings
ef20faf OVAL signoff + remediation: no_empty_passwords - OVAL/XCCDF namings - OVAL signoff - filename -> filepath - Remediation
be29655 Added remediation for disable_users_coredumps - OVAL/XCCDF naming - Added remediation
88470cb Added remediation for umask_for_daemons - OVAL/XCCDF namings - Added remediation script
0fcd5ad [ticket 390] Updated ensure_redhat_gpgkey_installed - XCCDF/OVAL naming matchings - OVAL signoff
8f6f2d9 [ticket 393] Updated securetty_root_login_console_only - Updated XCCDF/OVAL namings - filename ->filepath - Added remediation
faa8e01 OVAL signoff + remediation: auditd_data_retention_admin_space_left_action - OVAL signoff - Updated XCCDF/OVAL namings - Remediation script
d8e077e New remediation template: create_kernel_module_disabled Created bash remediation template for kernel_module_disabled checks
5eccd26 Updated kernel module naming schemes - Unified naming between XCCDF and OVAL namings for kernel module checks
f36af0a Updated sysctl templates - Old sysctl XCCDF names varied from "set_sysctl," "disable_sysctl" to "sysctl_*", standardized on "sysctl_*" - This change ensures that al
524f623 accounts_* remediation update Needed to append filename after echo statement
f3f6dce OVAL signoff + remediation: require_singleuser_auth - Updated OVAL to match XCCDF namings - Created remediation - Resignoff on OVAL due to changes
bb49f29 OVAL signoff + remediation: disable_interactive_boot - Updated OVAL namings to match XCCDF - OVAL signoff (the old regex was broke) - Added remediation
78b45af Added remediation: set_sysctl_kernel_dmesg_restrict From template
c42cf7b Added Remediation: set_sysctl_fs_suid_dumpable Built from template
59d383a OVAL signoff + remediation: accounts_password_warn_age_login_defs - OVAL signoff - Added remediation
bce5a06 Updated filepaths Just noticed these two were using /etc/sshd... updated!
72e6eb2 Added remediation: accounts_maximum_age_login_defs
f7c11da Added Remediation for accounts_minimum_age_login_defs Based off prior template
89d1d6d OVAL signoff + remediation: accounts_password_minlen_login_defs - Old OVAL was checking system-auth, XCCDF calls /etc/login.defs - OVAL signoff - Added remediation
00dced9 XCCDF & OVAL signoff for file_ownership_library_dirs + remediation - The XCCDF was not clear that users should scan the /lib/modules directory, adjusted wording - XC
ce7ab3d More testrefs, this time for mount_option_tmp checks
184dba8 Adding testrefs to mount_option_dev_shm_* checks, all appear to function correctly.
7031613 RHEL6 verify-input-sanity.py: Replace lxml.etree.XMLSyntaxError traceback with path to problematic XCCDF file. OpenStack ditto. RHEVM3 ditto.
6d8ecc4 grub.conf is not guaranteed to be in /boot/grub if the system is using EFI, so I added a test for its default location in /boot/efi/EFI/redhat
61c9e4e New check uses /etc/mtab and mount partition check to look for bind mount on /var/tmp
380379b Added test checks for set of partition checks.
5c30726 [bugfix] Updated APIPA addresses as identified by David Smith Dave noted that some of the APIPA addresses were typod as 169.245.0.0, vs correct 169.254.0.0.
841ba81 remediation + OVAL for sshd_enable_warning_banner - Updated OVAL namings to match XCCDF - filename --> filepath - added remediation
05e27cb [bugfix] sshd_set_idle_timeout.xml --> sshd_set_idle_timeout.sh (remediation script)
1da38d0 remediation + OVAL for sshd_disable_empty_passwords - Updated OVAL naming to match XCCDF - filename --> filepath - Added remediation
5b9b395 remediation + OVAL for sshd_set_idle_timeout - Updated OVAL ID & filename to match XCCDF - filename --> filepath OVAL - Added remediation
d7e7971 OVAL + remediation: sshd_do_not_permit_user_env - Updated OVAL ID and filename to match XCCDF - filename -> filepath OVAL - Added remediation
b0ab8e6 OVAL + remediation: disable_host_auth - Updated OVAL ID and filename to match XCCDF - filename --> filepath - Added remediation
57658ac OVAL + remediation for sshd_disable_root_login - Updated OVAL file & id to match XCCDF - filename --> filepath - Added remediation
23fc5f6 OVAL + remediation for sshd_set_keepalive - Updated OVAL names to match XCCDF - filename --> filepath - Added remediation
2a1bbe7 Updated sshd_disable_rhosts - Renamed OVAL check to match XCCDF name - filename -> filepath - Added remediation
e293c7b New remediation: sshd_use_approved_ciphers
a99d775 sshd_use_approved_ciphers OVAL: filename -> filepath
6153f07 Update to network_disable_zeroconf OVAL - Updated OVAL name to match XCCDF name - filename --> filepath in OVAL - Added remediation
fd60b86 umask_for_daemons: filename -> filepath & updated signoff [shawn@rhel6 checks]$ var_umask_for_daemons=027 ; export var_umask_for_daemons ; ./testcheck.py umask_for_dae
52fbe2d new OVAL check for kernel.dmesg_restrict
a4c3da8 new rule for restricting access to dmesg
731441f adjustment to combinechecks.py duplicate ID text
251f452 removed HOWTO text for openssl
1253b6e [bugfix] Updated selinux_bootloader_notdisabled per ticket 391
eb4d177 [bugfix] Updated regex+filepath for umask_for_daemons - Wrong filepath - Broke regex - Added signoff
b034d93 Updated STIG refine values for ucredit, ocredit, lcredit
297ffb2 OVAL signoff for template_permissions
53faca6 [bugfix] oval/checks/templates/output/.gitignore updated to ignore .sh files
ccd8c14 OVAL testing template_package_removed
92a6939 OVAL testing for template_kernel_module_disabled
285b70d template_OVAL_package_installed testing + bash remediations - Testing of OVAL for template_OVAL_package_installed - Adding of associated bash scripts
6ebc93f Updated NIST profile ID
90f3331 added "checks" as a dependency for tables
4c76e49 Tiny patch to correct typo, it's -S stime, not -S time.
156d71a Prose changes and copy editing
8612b07 added interrogatory phrase to OCIL questions
ee53c82 Another batch of tested checks. Includes some checks that had their comments expanded or were renamed from random values.
cca02fb Check will return list of all partitions without nodev instead of a complete list of all partitions and the return value of true/false will accurately reflect passing
3c2ddb9 improved table to indicate when OVAL checks have been tested
92dc471 made CSS adjustments to make <pre> wrap
b5c35b6 Existing check was screwed up (title was wrong, comments were wrong, etc.) and was easily replaced by a templated check
2f92bb8 Improbably, the input line for UDP is $UDPServerRun, not $InputUDPServerRun. Also, the check forgot to include the port number, so it always gave a false positive.
eeec622 Original check assumed that sha512 would always be the first option
95c8805 Guide refers to :omrelp: as a valid remote logging option, so I've updated the check to accept that format as well
6d40bcb Making SSH checks uniform and hopefully adding case insensitive matches properly
8d2b031 Adding reference tags to show which checks I've tested. Some very slight whitespace corrections were made as well.
04a0fb6 [bugfix] Updated XCCDF rule name of set_sysctl_ipv6_default_accept_redirects in profiles
477cf7d Check needs to be reversed. As is, if you specified 10 as the maximum number of concurrent logins, it would allow 20.
499d1ca Small patch to replace autogenerated test, state, and object ids with human readable ones (now with 80 character line breaks)
0bea4ab moved namespace assignment into shorthand2xccdf.xslt transform
464b876 added comment, added calls to insert Profiles
2a62395 removing calls to now-unnecessary transforms
61da0f5 Adding new OVAL check that will parse /etc/passwd, looking for system accounts with real login shells (not /sbin/nologin, /sbin/halt, /sbin/shutdown, or /bin/sync)
fc064ce renaming namespace addition file, as part of refactoring
9c366bb removing namespaces from no-namespace fragments, transforms
28630df refactoring of XCCDF shorthand expansion and namespace assignments
b22713b Added rule for disabling interface use of IPv6
57464ba Additional option for number of max concurrent logins
19be81c Added rule regarding anonymous NFS connections
0986a65 modified transform to include new profile
65b0a84 added example of a custom profile
92dd7a3 DHCP section referred to the wrong file location for dhcpd.conf
c351938 Last item in Avahi file feels like it's supposed to be a Rule, not a Group
c929fc5 It IS always,exit NEVER exit,always!
996bf22 what?
0b1ad85 Correct telnet service disabled checks
53ae081 Audit test fix to match rest of checks, also fixed text doc
748b723 Corrected bash services template - Updated Makefile - Removed incorrectly generated service enable scripts
9ce1c3a Removing content of pattern match line, since it seems to break OVAL. Also, updated id names to be real words, not randomly generated values.
8f89e00 removal of invalid state child element in world-writable files test
6699d5a removal of invalid state child element in /var/log/audit ownership test
ff9da0a new versions of unauth suid/sgid OVAL checks
789e0c1 Added line to indicate test output file, to OVAL testing script
e24cf91 Created remediation template: create_services_enabled
52a2e0b Removing unreferenced OVAL file_ssh_host_keys_public_permissions.xml
fd78bd7 Removing unreferenced file_ssh_host_keys_private_permissions.xml Removing unreferenced file_ssh_host_keys_private_permissions.xml
a8b3a2b Updated selinux_all_devicefiles_labeled The check enumeration of 'none exist' was depricated for 'none satisfy' as of OVAL 5.3, reference: http://oval.mitre.org/la
32652f9 Added OVAL mapping to world_writeable_files Mapped OVAL file_permissions_unauthorized_world_writable to XCCDF world_writeable_files
2a027a4 Corrected naming of set_sysctl_ipv6_default_accept_redirects Updated naming of XCCDF rule "set_sysctl_ipv6_default_accept_redirects" to "set_sysctl_net_ipv6_default_
e2a0203 Added OVAL + remediation for sysctl_net_ipv6_conf_default_accept_ra Generated from templates
a46ca9b Created OVAL + remediation for sysctl_net_ipv6_conf_default_accept_redirects Created using templates
73f5ddc removal of invalid state child element in world-writable files test pushing for jeff blank via https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-July/0
fe7008e removal of invalid state child element in /var/log/audit ownership test pushing for jeff blank per https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Ju
76d18ba Changes to SSHD Ciphers
7bcca7b Removing '' from audit rule lines to prevent confusion.
3fd0b9f Updated RPM version to 0.1-12
91c0a64 Added the checks for accounts_passwords_pam_fail_interval and accounts_passwords_pam_faillock_unlock_time as there was only the check for accounts_passwords_pam_faillo