Added notes that indicate how I believe RHEL 5 settings could transition to consensus settings for RHEL 6. Also identified some items from the RHEL 5 STIG that should be leveraged in the RHEL 6 content.
Jeffrey Blank (4):
  added notes to support transition of RHEL 5 content to consensus for RHEL 6
  normalize whitespace for each ref in (attribute) ref list, permitting use of newlines or accidental spaces
  added missing items to Profiles
  added support for setting password expiration to 60 days * and some additional rationale text
 RHEL6/input/auxiliary/transition_notes.xml         | 85 ++++++++++++++++++--
 RHEL6/input/profiles/STIG-server.xml               |  4 +
 RHEL6/input/profiles/common.xml                    | 17 ++++
 .../accounts/restrictions/password_expiration.xml  |  9 ++-
 RHEL6/transforms/xccdf2table-stig.xslt             |  4 +-
 5 files changed, 106 insertions(+), 13 deletions(-)
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/auxiliary/transition_notes.xml | 85 +++++++++++++++++++++++++---
 1 files changed, 77 insertions(+), 8 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml index 5f99dcc..32bdc9c 100644 --- a/RHEL6/input/auxiliary/transition_notes.xml +++ b/RHEL6/input/auxiliary/transition_notes.xml @@ -2,34 +2,103 @@ <!-- This file enables documentation of how the RHEL 5 STIG requirements will be migrated to consensus for RHEL 6. -->
-<note ref="792,821,822,828,829,831,832,837,838,840,841,842,843,848,849, +<note ref="775,786,792,821,822,828,829,831,832,837,838,840,841,842,843,848,849, 928,929,974,975,978,979,980,981,987,988,989,994,1025,1027,1028,1029,1054, 1055,1056,1058,1059,4335,4334,4336,4339,4089,4090,4091,4358,4361,4364, 4365,4367,4368,4369,4370,4371,4393,4394,4430,11997,12019,12038,12039,12040, 22294,22295,22296,22323,22324,22325,22327,22328,22329,22332,22333,22335, -22336,22337,22339,22342,22343,22392,22394,22396,22398,22406,22423,22425, +22336,22337,22342,22343,22392,22394,22396,22398,22406,22423,22425, 22427,22435,22438,22444,22451,22453,22451,22492,22496,22559,22560,22561" auth="WS"> This is superceded by the system-wide check for improper permissions provided by the package manager. Automating this check became possible with OVAL 5.8. </note>
-<note ref="" auth="JB"> +<note ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" auth="JB"> The security argument is not apparent or salient. </note>
-<note ref="" auth=""> +<note ref="22297,22309,22313,22314,22315,22316,22317,22318,22322,22326,22330, +22334,22338,22340,22344,22350,22352,22353,22356,22357,22362,22366,22367, +22373,22384,22386,22387,22388,22389,22390,22393,22395,22407,22424,22426, +22428,22436,22437,22439,22441,22442,22445,22446,22450,22452,22454,22489,22493, +22497,22498,22502,22503,22504,22505,22562,22566,22570,22574,22585,22595,22596" auth="JB"> +Existence of an ACL is not necessarily a problem, and checking for existence of ACLs on a random selection of +files does not achieve any security goals. Alternatives include denying use of any ACLs unless documented, or simply dropping these rules entirely (preferred). +</note> + +<note ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB"> This is covered in the RHEL6 content. </note>
-<note ref="" auth=""> +<note ref="11945" auth="JB"> +What is the distinction and purpose of different MAC levels? +</note> + +<note ref="22292" auth="JB"> +This is desirable but not practical in many environments. Notably, many other OSes +do not even support this capability. +</note> + +<note ref="761,776,777,780,781,782,4382,11975,12765" auth="JB"> +This needs to be added to the RHEL6 content. +</note> + +<note ref="770,918" auth="JB"> This is covered in the RHEL6 content in a slightly different manner. </note>
-<note ref="" auth=""> -The intent of the check procedure is not clear. +<note ref="12022" auth="JB"> +This is covered in the RHEL6 content in a slightly different manner: iptables is required. +</note> + +<note ref="12005" auth="JB"> +This is covered in the RHEL6 content in a slightly different manner: xinetd is required to be disabled, and inetd is not available as part of RHEL6. +</note> + +<note ref="11940" auth="JB"> +This could be covered in the RHEL6 content itself, though it seems more like something appropriate for a CTO +upon retirement of major OS releases? +</note> + +<note ref="4688,4701" auth="JB"> +This is covered in the RHEL6 content in a slightly different manner: xinetd services are not permitted. +</note> + +<note ref="4701" auth="JB"> +Finger is still part of RHEL, and so a separate rule could be created for this if we were so inclined. </note>
-<note ref="789,790,791" auth="JB"> +<note ref="4692,4694,12006" auth="JB"> +Postfix is the mail server on RHEL 6, and items peculiar to sendmail no longer apply. +</note> + +<note ref="4693" auth="JB"> +This needs to be added, but adjusting for Postfix as the mail server on RHEL 6. +</note> + +<note ref="4689" auth="JB"> +Is this not redundant to the system-wide requirement for keeping patches up to date (V-783)? +</note> + +<note ref="4696" auth="JB"> +This package is only available in EPEL. I suggest that this makes it out of scope. +</note> + +<note ref="803,804" auth="JB"> +Is this not redundant to the system-wide aide check (V-11945)? +</note> + +<note ref="801,802" auth="JB"> +Suggest that this be covered in the RHEL6 content in a slightly different manner: ensuring all setuid programs +are packaged (which implies vendor provenance). Also, what is the goal of the documentation? +</note> + +<note ref="769,794,795,796,11946,11977,11979,12024,12025,12049" auth="JB"> +The intent or utility of the check procedure is not clear or not actionable. +</note> + + +<note ref="789,790,791,12026" auth="JB"> NIS/NIS+/yp should be disabled, as stated in a Rule in the RHEL 6 content. NIS/NIS+/yp are obsolete and should not be running on any modern system. </note>
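Review bot: the ref lists in this hunk contain a duplicate and an orphaned id that will distort the generated STIG table. In the WS note, 22451 is listed twice ("22444,22451,22453,22451,22492"), so that row is emitted twice; and 22339 is removed from the WS list but not picked up by any of the new notes, so V-22339 loses its transition note altogether. Several ids also now appear under two notes with different conclusions (22342 and 22343 under both the package-manager permissions note and "This is covered in the RHEL6 content"; 4688 under both "covered" and "xinetd services are not permitted"; 22322 under both "The security argument is not apparent" and the ACL note), which the note-output template will render as two contradictory rows per V-id; please dedupe, or state in the note text that the double listing is intended. Minor: the extra blank line before the 789,790,791 note can go.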
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/transforms/xccdf2table-stig.xslt | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/transforms/xccdf2table-stig.xslt b/RHEL6/transforms/xccdf2table-stig.xslt index 95e5d3a..e3024eb 100644 --- a/RHEL6/transforms/xccdf2table-stig.xslt +++ b/RHEL6/transforms/xccdf2table-stig.xslt @@ -137,8 +137,8 @@ <xsl:template name="note-output"> <xsl:param name="vulnid_sought"/> <xsl:param name="vulnid_found"/> - - <xsl:variable name="vulnid_expanded" select="concat('V-', $vulnid_found)" /> + <xsl:variable name="vulnid_found_normal" select="normalize-space($vulnid_found)" /> + <xsl:variable name="vulnid_expanded" select="concat('V-', $vulnid_found_normal)" /> <xsl:if test="$vulnid_sought=$vulnid_expanded"> <tr><td><xsl:value-of select="@auth"/>: <xsl:value-of select="." /></td></tr> </xsl:if>
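Review bot: normalize-space() trims the leading and trailing whitespace around a single ref token, which covers the newline and stray-space case the commit message describes, but an empty token (a trailing comma, or a doubled comma such as "22451,,22453" in a ref list) still reaches this template, becomes "V-" after concat(), and silently never matches any Rule. Consider guarding the xsl:if with string-length($vulnid_found_normal) > 0, or emitting an xsl:message when the normalized token is empty, so a malformed ref list is caught when the table is built instead of surfacing as a missing row.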
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/profiles/STIG-server.xml | 4 ++++
 RHEL6/input/profiles/common.xml      | 17 +++++++++++++++++
 2 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index 5c62da8..55bb934 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -6,8 +6,12 @@ <select idref="packagegroup_xwindows_remove" selected="true"/> <select idref="disable_dhcp_client" selected="true"/> <select idref="limiting_password_reuse" selected="true"/> +<select idref="no_files_unowned_by_user" selected="true"/> +<select idref="aide_periodic_cron_checking" selected="true"/> +<select idref="disable_users_coredumps" selected="true"/>
<!-- Password history --> <refine-value idref="password_history_retain_number" selector="5"/>
+<refine-value idref="var_password_max_age" selector="60"/> </Profile> diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index ba42601..6d77abc 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -24,6 +24,18 @@ <select idref="no_empty_passwords" selected="true"/> <select idref="no_hashes_outside_shadow" selected="true"/> <select idref="no_uidzero_except_root" selected="true"/> + +<select idref="userowner_shadow_file" selected="true"/> +<select idref="groupowner_shadow_file" selected="true"/> +<select idref="perms_shadow_file" selected="true"/> + +<select idref="userowner_gshadow_file" selected="true"/> +<select idref="groupowner_gshadow_file" selected="true"/> +<select idref="perms_gshadow_file" selected="true"/> + +<select idref="userowner_passwd_file" selected="true"/> +<select idref="groupowner_passwd_file" selected="true"/> +<select idref="file_permissions_etc_passwd" selected="true"/> <select idref="password_min_len" selected="true"/> <select idref="password_min_age" selected="true"/> <select idref="password_max_age" selected="true"/> @@ -48,6 +60,10 @@ <select idref="install_vlock_package" selected="true"/> <select idref="set_system_login_banner" selected="true"/> <!-- CURRENTLY NOT IMPLEMENTED <select idref="set_gui_login_banner" selected="true"/> --> + +<select idref="enable_randomize_va_space" selected="true"/> +<select idref="enable_execshield" selected="true"/> + <select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/> <select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/> <select idref="disable_sysctl_ipv4_ip_forward" selected="true"/> 
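Review bot: the new <refine-value idref="var_password_max_age" selector="60"/> in STIG-server.xml refers to a selector that does not exist until patch 4 adds <value selector="60">60</value> to password_expiration.xml, so at this point in the series the STIG profile points at an undefined selector; reorder patch 4 ahead of this one, or fold that Value change into this commit, so every commit builds on its own. In the common.xml hunk, the new permission rules follow two naming patterns (perms_shadow_file and perms_gshadow_file versus file_permissions_etc_passwd); please confirm each of these idrefs matches a Rule id in the RHEL6 input, since a mistyped idref simply drops the rule from the resolved profile rather than failing the build, and consider aligning the names.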
@@ -111,6 +127,7 @@ <select idref="disable_telnet_service" selected="true"/> <select idref="uninstall_rsh-server" selected="true"/> <select idref="disable_rsh" selected="true"/> +<select idref="disable_rexec" selected="true"/> <select idref="disable_rlogin" selected="true"/> <select idref="uninstall_ypserv" selected="true"/> <select idref="disable_ypbind" selected="true"/>
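Review bot: disable_rexec now sits alongside uninstall_rsh-server, disable_rsh and disable_rlogin, and once rsh-server is removed the xinetd service entries these disable_* rules examine are gone with it; please confirm their OVAL reports a pass, not an error or "not applicable", when the service file is absent, otherwise the common profile reports findings on exactly the hosts that followed the uninstall rule.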
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 .../accounts/restrictions/password_expiration.xml | 9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml index 01f0f45..88b3463 100644 --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml @@ -47,6 +47,7 @@ age, and 7 day warning period with the following command: <description>Maximum age of password in days</description> <warning category="general">This will only apply to newly created accounts</warning> <value selector="">90</value> +<value selector="60">60</value> <value selector="90">90</value> <value selector="120">120</value> <value selector="180">180</value> @@ -128,13 +129,15 @@ after satisfying the password reuse requirement. edit the file <tt>/etc/login.defs</tt> and add or correct the following line, replacing <i>DAYS</i> appropriately: <pre>PASS_MAX_DAYS <i>DAYS</i><!-- <sub idref="password_max_age_login_defs_value" /> --></pre> -A value of 180 days is considered for sufficient for many -environments. +A value of 180 days is sufficient for many +environments. The current setting required in DoD is 60 days. </description> <rationale> Setting the password maximum age ensures that users are required to periodically change their passwords. This could possibly decrease -the utility of a stolen password.</rationale> +the utility of a stolen password. Requiring shorter password lifetimes +increases the risk of users writing down the password in a convenient +location subject to physical compromise.</rationale> <ident cce="4092-3" /> <oval id="accounts_maximum_age_login_defs" value="var_password_max_age"/> <ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/>
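Review bot: after this change the same setting is described with three different numbers (the default Value stays 90 in the first hunk, while the description in the second hunk says "A value of 180 days is sufficient" and "The current setting required in DoD is 60 days"), and the <pre> line still carries a commented-out <sub idref="password_max_age_login_defs_value" /> while the OVAL check binds to var_password_max_age. Suggest pointing the sub at var_password_max_age and re-enabling it so the rendered DAYS follows whichever selector the profile refines, and dropping the 180-day sentence so the guidance does not contradict the 60-day STIG refinement. The added rationale about shorter lifetimes encouraging users to write passwords down is a fair caveat and reads well where it is.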
ACK to the set.
Willy Santos, RHCE
Consultant
Red Hat Consulting
Cell: +1 (301) 254-7077
Email: wsantos@redhat.com
On 07/30/2012 11:10 AM, Jeffrey Blank wrote:
Added notes that indicate how I believe RHEL 5 settings could transition to consensus settings for RHEL 6. Also identified some items from the RHEL 5 STIG that should be leveraged in the RHEL 6 content.
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Thanks -- and a quick note for anyone editing Profiles -- it's easy to get merge problems with these, so let's sync if we're planning to edit them.
I am about to submit another batch of changes to the common and stig-server profiles.
On 07/30/2012 02:06 PM, Willy Santos wrote:
ACK to the set.