There are several items that are showing failures in spite of remediation. Where is the best place to search/file findings such as these? As an example, the scan fails even though the boot loader password is enabled and the root user is not listed.
Thank you.
-Al
On Mon, Mar 20, 2017 at 12:44 PM, alsifius@gmail.com wrote:
> There are several items that are showing failures in spite of remediation. Where is the best place to search/file findings such as these? As an example, the scan fails even though the boot loader password is enabled and the root user is not listed.
What does --oval-results show in the reports as well as what version of SSG and OS are you using?
The version of RHEL is 7.3 minimal install running as a VM.
Name : scap-security-guide
Arch : noarch
Version : 0.1.30
Release : 3.el7
Size : 20 M
Repo : installed
From repo : rhel-7-server-rpms
Not sure what you mean when you ask what --oval-results show. I don't typically use that option. I did run the command again with that option and I see the resulting file. What information should I get from it?
On 3/20/17 7:01 PM, Gabe Alford wrote:
> What does --oval-results show in the reports as well as what version of SSG and OS are you using?
On 3/21/17 4:33 PM, Al Roberson wrote:
> Not sure what you mean when you ask what --oval-results show. I don't typically use that option. I did run the command again with that option and I see the resulting file. What information should I get from it?
Buried in there should be the exact reason of the failure -- e.g. a regex mismatch, missing file(s), etc. Sharing your system configuration file (or relevant snippet) and the OVAL results greatly aids in troubleshooting.
Ahhhh. I see said the blind man.
In the Ovals details section of the scan report, Items found violating are:
/boot/grub2/grub.cfg does not exist
This file definitely exists. Not sure about the specific check it is doing for the file's existence.
-Al
On 3/22/17 1:38 PM, Shawn Wells wrote:
> Buried in there should be the exact reason of the failure -- e.g. a regex mismatch, missing file(s), etc. Sharing your system configuration file (or relevant snippet) and the OVAL results greatly aids in troubleshooting.
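Added example, not part of the original thread or of the SCAP Security Guide project: a short Python script that pulls the failed tests out of an OVAL results file and shows the collection flag recorded for each test's object, which is where report text such as "does not exist" comes from. The embedded document is constructed and heavily trimmed, and its ids are made up.

```python
import sys
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-"
NS = {"res": OVAL + "results-5", "def": OVAL + "definitions-5",
      "sc": OVAL + "system-characteristics-5"}

# Constructed, heavily trimmed results document; all ids are made up.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
 <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
   xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"><tests>
  <ind:textfilecontent54_test id="oval:x:tst:1"><ind:object object_ref="oval:x:obj:1"/>
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_test id="oval:x:tst:2"><ind:object object_ref="oval:x:obj:2"/>
  </ind:textfilecontent54_test>
 </tests></oval_definitions>
 <results><system><tests>
   <test test_id="oval:x:tst:1" check_existence="all_exist" result="false"/>
   <test test_id="oval:x:tst:2" check_existence="all_exist" result="true"/>
  </tests>
  <oval_system_characteristics
    xmlns="http://oval.mitre.org/XMLSchema/oval-system-characteristics-5"><collected_objects>
    <object id="oval:x:obj:1" flag="does not exist"/>
    <object id="oval:x:obj:2" flag="complete"/>
  </collected_objects></oval_system_characteristics>
 </system></results></oval_results>"""


def failed_tests(data):
    """List (test id, check_existence, object id, collection flag) for failed tests."""
    root = ET.fromstring(data)
    obj_of = {}  # test id -> object id, from the definitions embedded in the results
    for test in root.findall("def:oval_definitions/def:tests/*", NS):
        for child in test:
            if child.tag.endswith("}object"):
                obj_of[test.get("id")] = child.get("object_ref")
    flags = {o.get("id"): o.get("flag")  # object id -> collection outcome on the host
             for o in root.iterfind(".//sc:collected_objects/sc:object", NS)}
    rows = []
    for t in root.iterfind(".//res:system/res:tests/res:test", NS):
        if t.get("result") == "false":
            oid = obj_of.get(t.get("test_id"))
            rows.append((t.get("test_id"), t.get("check_existence"), oid, flags.get(oid)))
    return rows


if __name__ == "__main__":  # usage: script.py [oval-results.xml]; defaults to the sample
    data = open(sys.argv[1], "rb").read() if sys.argv[1:] else SAMPLE
    for row in failed_tests(data):
        print(*row, sep="\t")
```

The flag describes the whole OVAL object, so for a text-file-content object `does not exist` means no item matching both the path and the pattern was collected, which can be reported even when the file itself is present.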
On 3/22/17 3:23 PM, Al Roberson wrote:
> Ahhhh. I see said the blind man.
> In the Ovals details section of the scan report, Items found violating are:
> /boot/grub2/grub.cfg does not exist
> This file definitely exists. Not sure about the specific check it is doing for the file's existence.
Default permissions on grub.cfg block non-root access. Are you running oscap through sudo or root?
I am logged in as rut when I run the scan.
On 3/22/17 6:02 PM, Shawn Wells wrote:
> Default permissions on grub.cfg block non-root access. Are you running oscap through sudo or root?
I hope it is obvious that I meant to type that I am logged in as "root" when I run the scan.
Thanks.
On Mar 23, 2017 10:30 AM, "Al Roberson" alsifius@gmail.com wrote:
> I am logged in as rut when I run the scan.
Can you provide the HTML output at all? Also permissions of /boot/grub2 and grub.cfg? What superusers do you have configured?
On Thursday, March 23, 2017, Albert Roberson alsifius@gmail.com wrote:
> I hope it is obvious that I meant to type that I am logged in as "root" when I run the scan.
> Thanks.
permissions for /boot/grub2
drwx------. 6 root root 4096 Mar 27 09:58 grub2
permissions for grub.cfg
-rw-r--r--. 1 root root 4323 Mar 27 09:58 /boot/grub2/grub.cfg
cat of /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f ${prefix}/user.cfg ]; then
  source ${prefix}/user.cfg
  if [ -n ${GRUB2_PASSWORD} ]; then
    set superusers="alr"
    export superusers
    password_pbkdf2 alr ${GRUB2_PASSWORD}
  fi
fi
EOF
I ran 'grub2-setpassword' to generate the password in the user.cfg and then ran 'grub2-mkconfig -o /boot/grub2/grub.cfg' to make a new grub config file. I then run the scan as root with the following command:
oscap xccdf eval --profile stig-rhel7-server-upstream --oval-results \
--results-arf `hostname`-`date +%F%H%M`-arf-scan-oval-results.xml \
--report `hostname`-`date +%F%H%M`-scan-xccdf-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Let me know how you want the html output provided; the report is 3M, which I don't think is appropriate for pushing out to the distro.
Thanks.
-Al
On 3/23/17 10:19 PM, Gabe Alford wrote:
> Can you provide the HTML output at all? Also permissions of /boot/grub2 and grub.cfg? What superusers do you have configured?
Is anyone experiencing this issue? If not, what are the specific steps people are using to get the scan to pass this particular check?
Thanks for all the attention thus far.
-Al
On Mon, Mar 27, 2017 at 2:02 PM, Al Roberson alsifius@gmail.com wrote:
> [...]
> I ran 'grub2-setpassword' to generate the password in the user.cfg and then ran 'grub2-mkconfig -o /boot/grub2/grub.cfg' to make a new grub config file. I then run the scan as root with the following command:
> [...]
On 3/20/17 2:44 PM, alsifius@gmail.com wrote:
> There are several items that are showing failures in spite of remediation. Where is the best place to search/file findings such as these? As an example, the scan fails even though the boot loader password is enabled and the root user is not listed.
Depends :)
If using RHEL + scap-security-guide, you can absolutely open customer support tickets. Those carry official customer service SLAs to track your issue to resolution. Here's the link:
https://access.redhat.com/support/cases/#/case/new
If using upstream, then GitHub Issues or the mailing list are your best bet. This mailing list also has a broad user community who may have encountered your problem and can share their experiences. But keep in mind there are no formal SLAs.
scap-security-guide@lists.fedorahosted.org