On 3/29/13 8:28 PM, Shawn Wells wrote:
0002-Updated-package_aide_installed.patch
From 9a74ba6b6b48354e210a7cd5ee2dfabf21a410c1 Mon Sep 17 00:00:00 2001 From: Shawn Wellsshawn@redhat.com Date: Fri, 29 Mar 2013 15:45:22 -0400 Subject: [PATCH 02/21] Updated package_aide_installed
- Now includes bash remediation script
- Updated XCCDF rule title to standardized package_PACKAGE_installed
- Recursively changed rule title in associated profiles
RHEL6/input/auxiliary/alt-titles-stig.xml | 2 +- RHEL6/input/checks/templates/Makefile | 1 + RHEL6/input/fixes/bash/package_aide_installed.sh | 1 + RHEL6/input/fixes/puppet-example.xml | 2 +- RHEL6/input/profiles/common.xml | 2 +- RHEL6/input/profiles/manual_remediation.xml | 2 +- RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +- RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +- RHEL6/input/system/software/integrity.xml | 2 +- 9 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 RHEL6/input/fixes/bash/package_aide_installed.sh
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml
index af68f29..ca3f9ac 100644
--- a/RHEL6/input/auxiliary/alt-titles-stig.xml
+++ b/RHEL6/input/auxiliary/alt-titles-stig.xml
@@ -32,7 +32,7 @@ The system package management tool must cryptographically verify the authenticit
 <title rule="ensure_gpgcheck_never_disabled" shorttitle="Ensure gpgcheck Enabled For All Yum Package Repositories">
 The system package management tool must cryptographically verify the authenticity of all software packages during installation.
 </title>
-<title rule="install_aide" shorttitle="Install AIDE">
+<title rule="package_aide_installed" shorttitle="Install AIDE">
 A file integrity tool must be installed.
 </title>
 <title rule="aide_periodic_cron_checking" shorttitle="Configure Periodic Execution of AIDE">
diff --git a/RHEL6/input/checks/templates/Makefile b/RHEL6/input/checks/templates/Makefile
index da6568a..fbc0c34 100644
--- a/RHEL6/input/checks/templates/Makefile
+++ b/RHEL6/input/checks/templates/Makefile
@@ -29,3 +29,4 @@ find-untemplated: templates
clean: rm output/*.xml
- rm output/*.sh
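Review bot: The added `rm output/*.sh` in the `clean` target fails whenever no generated `.sh` file exists, and the `rm output/*.xml` above it already aborts the recipe when there is no `.xml` output, so the new line may never run. Using `rm -f output/*.xml output/*.sh` keeps `make clean` idempotent. The listing renders this line's marker as `-`, but the diffstat (`1 +`) and the `-29,3 +29,4` header show it is an addition.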
diff --git a/RHEL6/input/fixes/bash/package_aide_installed.sh b/RHEL6/input/fixes/bash/package_aide_installed.sh
new file mode 100644
index 0000000..ccca946
--- /dev/null
+++ b/RHEL6/input/fixes/bash/package_aide_installed.sh
@@ -0,0 +1 @@
+yum -y install aide
diff --git a/RHEL6/input/fixes/puppet-example.xml b/RHEL6/input/fixes/puppet-example.xml
index 18046b1..94e448a 100644
--- a/RHEL6/input/fixes/puppet-example.xml
+++ b/RHEL6/input/fixes/puppet-example.xml
@@ -1,4 +1,4 @@
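Review bot: The new fix script `yum -y install aide` installs the integrity tool under whatever repository and signature settings are active when remediation runs; `-y` answers every yum prompt with yes, which, as far as I know, includes the prompt to import a repository GPG key. Because AIDE becomes the baseline for later integrity checks, the script should say that it relies on the benchmark's `ensure_gpgcheck_globally_activated` and `ensure_gpgcheck_never_disabled` rules being satisfied first, for example with a leading comment `# Assumes gpgcheck is enforced for all enabled repositories`. It would also help to follow the install with `rpm -q aide`, so the remediation result does not rest on yum's exit status alone.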
 <fix-group id="puppet-clip" system="urn:xccdf:fix:script:puppet" xmlns="http://checklists.nist.gov/xccdf/1.1">
 <fix rule="disable_vsftp">class vsftp</fix>
-<fix rule="install_aide">class aide</fix>
+<fix rule="package_aide_installed">class aide</fix>
 </fix-group>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index d80e69a..d63a875 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -11,7 +11,7 @@
 <select idref="security_patches_up_to_date" selected="true"/>
 <select idref="ensure_gpgcheck_globally_activated" selected="true"/>
 <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
-<select idref="install_aide" selected="true"/>
+<select idref="package_aide_installed" selected="true"/>
 <select idref="enable_selinux_bootloader" selected="true"/>
 <select idref="no_rsh_trust_files" selected="true"/>
 <select idref="set_selinux_state" selected="true"/>
diff --git a/RHEL6/input/profiles/manual_remediation.xml b/RHEL6/input/profiles/manual_remediation.xml
index ea1218d..1767082 100644
--- a/RHEL6/input/profiles/manual_remediation.xml
+++ b/RHEL6/input/profiles/manual_remediation.xml
@@ -1,7 +1,7 @@
 <Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1" >
 <title>Profile for Attended/Manual portion of DCID6/3 remediation</title>
 <description>This profile contains items that require user interaction during audit.</description>
-<select idref="install_aide" selected="true"/>
+<select idref="package_aide_installed" selected="true"/>
 <select idref="install_vsftpd" selected="true"/>
 <select idref="install_openswan" selected="true"/>
 <select idref="install_screen_package" selected="true"/>
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index 9bbb86b..e092650 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -293,7 +293,7 @@ assurance."</description> changes to relevant files -->
<!-- CM-6(d) -->
-<select idref="install_aide" selected="true" >
+<select idref="package_aide_installed" selected="true" >
 <select idref="disable_prelink" selected="true" >
 <select idref="aide_build_database" selected="true" >
 <select idref="aide_periodic_cron_checking" selected="true" >
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index ec280f7..af95ac2 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -12,7 +12,7 @@
 <select idref="security_patches_up_to_date" selected="true" />
 <select idref="ensure_gpgcheck_globally_activated" selected="true" />
 <select idref="ensure_gpgcheck_never_disabled" selected="true" />
-<select idref="install_aide" selected="true" />
+<select idref="package_aide_installed" selected="true" />
 <select idref="rpm_verify_permissions" selected="true" />
 <select idref="rpm_verify_hashes" selected="true" />
 <select idref="mountopt_nodev_on_nonroot_partitions" selected="true" />
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index ba5f595..7c67419 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -25,7 +25,7 @@ configurable, with further configuration information located in <tt>/usr/share/doc/aide-<i>VERSION</i></tt></description>
-<Rule id="install_aide" severity="medium">
+<Rule id="package_aide_installed" severity="medium">
 <title>Install AIDE</title>
 <description>
 Install the AIDE package with the command:
-- 1.7.1
Pushed per Jeff's ack
$ git push Counting objects: 40, done. Compressing objects: 100% (20/20), done. Writing objects: 100% (21/21), 1.89 KiB, done. Total 21 (delta 17), reused 0 (delta 0) To ssh://git.fedorahosted.org/git/scap-security-guide.git 06766fe..01fe249 master -> master