𝓛𝓘𝓥𝓔@ Hameenlinna vs JYP, <(LiVE@sTReaM)>Free™
by bavaza juhay
Watch Hameenlinna vs JYP, Sports TV channel [LIVE-FREE]** Hockey live 30/12/2019 Broadcast Today @FINLAND. Liiga Live tv
Liiga Live Tv[LIVE-FREE]** Hameenlinna vs JYP live 30/12/2019 Broadcast Today Uk. Liiga Live tv
Live Broadcast :: https://v.ht/4K-GREATSPORTS-LIVESTREAM-2019-UMO
Hameenlinna vs JYP live streaming: Watch Liiga - If you want to watch Hameenlinna vs JYP online, these are the live streaming instructions. ... Watch Hameenlinna vs JYP online with DAZN Canada (utilise their free 7-day trial) or BT Sport (UK). ... There are three matches in the Liiga on Today. Hameenlinna vs JYP# <Live - Stream> @Free:registered: - Facebook Hameenlinna vs JYP# <Live - Stream> @Free:registered:. Public. · Hosted by Fans TV Sports. Interested. Invite. clock. Today, 30/12/2019 at 11:30 UTC+ ... Hockey live score, video stream ... Hockey live score (and video online live stream) ... Here on SofaScore livescore you can find all Liiga ... Hameenlinna vs JYP Live Stream - Jokerlivestream Watch Hameenlinna vs JYP Live Stream. Watch this game live and online for free. Liiga.
4 years, 4 months
𝓛𝓘𝓥𝓔@ Assat vs Ilves, <(LiVE@sTReaM)>Free™
by bavaza juhay
Watch Assat vs Ilves, Sports TV channel [LIVE-FREE]** Hockey live 30/12/2019 Broadcast Today @FINLAND. Liiga Live tv
Liiga Live Tv[LIVE-FREE]** Assat vs Ilves live 30/12/2019 Broadcast Today Uk. Liiga Live tv
Live Broadcast :: https://v.ht/4K-GREATSPORTS-LIVESTREAM-2019-EEm
Assat vs Ilves live streaming: Watch Liiga - If you want to watch Assat vs Ilves online, these are the live streaming instructions. ... Watch Assat vs Ilves online with DAZN Canada (utilise their free 7-day trial) or BT Sport (UK). ... There are three matches in the Liiga on Today. Assat vs Ilves# <Live - Stream> @Free:registered: - Facebook Assat vs Ilves# <Live - Stream> @Free:registered:. Public. · Hosted by Fans TV Sports. Interested. Invite. clock. Today, 30/12/2019 at 11:30 UTC+ ... Hockey live score, video stream ... Hockey live score (and video online live stream) ... Here on SofaScore livescore you can find all Liiga ... Assat vs Ilves Live Stream - Jokerlivestream Watch Assat vs Ilves Live Stream. Watch this game live and online for free. Liiga.
4 years, 4 months
General questions related to RHEL 7 STIG Update - RHEL-07-030840 -
Rule Update (#3468)
by Salowitz, Mark A CTR
Good afternoon,
Before I start getting too far down the road with creating the rule for this, I had some basic process questions about the contents of references and identifiers in the rule.yml. Basically, I don't know where to obtain about 60% of the documents referenced in other similar rules.
Inside, for example, linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml there are references to cui, cis, hipaa, and so on...
- Do I need to establish those as part of the rule writing, and if so, is there a handy place to obtain that information?
- if the answer is no, should I leave stubs entries for the other guidance documents ( eg "hipaa: " ) and just focus on populating the DISA information
- How do I find out if a CCE has been assigned for the rule and add it to identifiers
- I'm unfamiliar with the offerings outside the EL(5-8) products, how do I (or do I) determine product applicability for prodtype
I'd like to do as much right as I can out the gate, so thanks in advance for any and all advice,
Mark Salowitz, CTR
Principal Architect, PaaS Engineering
Ace Info Solutions, a Dovel company
ITIL® V3 Foundation Certified
CompTIA Security+ CE
USCG Operations Systems Center
email: <mailto:Mark.A.Salowitz@uscg.mil>
phone: (304) 433-3200
4 years, 4 months
what referencing a control/requirement means
by Marek Haicman
Hello,
I have stumbled upon a case where I am not sure, if some rule should have a
reference or not. Can you help me with your view on this situation? I will
use the case as an example (RHEL8 content) :)
Reference: The operating system must uniquely identify peripherals before
establishing a connection.
<http://securityrules.info/about/xovos-tufes-rumeb-decex/SV-71029r1_rule>
Now we have five rules in two groups
* install USBGuard package
and
* enforce USBGuard service to be enabled
These two rules satisfy, in my opinion, the requirement (at least for the
USB peripherals) -> USBGuard is "drop by default", so anything acceptable
has to be allowed explicitly.
* allow Class 03 (HID) USB devices
* allow Class 08 (HUB) USB devices
* allow any combination of HID and HUB USB devices
These rules are not increasing the security of the system - they soften the
hardening. So they go against the requirement to some extent. But without
these, machines would not be usable for general audience, so as a
compromise, we do want to have them available to the users.
And now the question - should the reference be part of all the rules? Or
just the ones that really increases the security of the system?
What's your interpretation of the reference, if you are reading it in the
guide?
Thanks!
Marek
4 years, 4 months
Re: Bash remediations failing due to missing functions
by Marek Haicman
Ok. For about a week, ComplianceAsCode project had a bug that made this an
issue :) You might have cloned the repo at that time? This PR from Monday
last week fixes it, so try to rebase your work and try again:
https://github.com/ComplianceAsCode/content/pull/5061
It's probably that, because on the released packages in RHEL7, I cannot
reproduce what you observe:
[dahaic@psyduck bla]$ rpm -qa openscap scap-security-guide
openscap-1.2.17-4.el7.x86_64
scap-security-guide-0.1.43-13.el7.noarch
[dahaic@psyduck bla]$ oscap xccdf generate fix --fix-type bash --profile
ospp --fetch-remote-resources --output remediation.sh
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
[dahaic@psyduck bla]$ grep populate remediation.sh
Regards,
Marek
On Mon, Dec 16, 2019 at 3:02 PM Kuko Armas <kuko(a)canarytek.com> wrote:
>
> Hello Miguel,
> remediations, as they are stored in the DataStream are prepared to be used
> within the environment provided by the `oscap` utility. (I.e. so
> `--remediate` works). So no, it's not supposed to be self contained in that
> particular form.
>
> What you are looking for is probably `oscap xccdf generate fix`. That one
> will process the snippets and produces self-contained bash script.
>
> So no issue - works as intended. ;)
>
>
> I also tried that, and at least in my box it's not working. It's one of
> the things I tried when I said "I have been playing with remediation
> code"...
>
> I generate the fix code with (ens is a profile I'm creating, but also
> fails with other profiles)
> oscap xccdf generate fix --fix-type bash --profile ens
> --fetch-remote-resources --output remediation.sh ssg-centos7-ds.xml
>
> This creates the remediation,sh, but it does not eem to contain the
> remediation functions defined in group
> xccdf_org.ssgproject.content_group_remediation_functions
>
> If I search for one of the functions that fail (populate), I see it
> "tries" to use the function, but it's not defined in the generated
> remedaite script:
>
> [root@test ~]# grep populate remediation.sh
> populate login_banner_text
> populate var_accounts_max_concurrent_login_sessions
> populate var_accounts_user_umask
> populate var_auditd_action_mail_acct
> populate var_auditd_admin_space_left_action
> populate var_auditd_max_log_file
> populate var_auditd_max_log_file_action
> populate var_auditd_num_logs
> populate var_auditd_space_left_action
> populate sysctl_net_ipv4_conf_all_accept_redirects_value
> populate sysctl_net_ipv4_conf_all_accept_source_route_value
> populate sysctl_net_ipv4_conf_all_log_martians_value
> populate sysctl_net_ipv4_conf_all_rp_filter_value
> populate sysctl_net_ipv4_conf_all_secure_redirects_value
> populate sysctl_net_ipv4_conf_default_accept_redirects_value
> populate sysctl_net_ipv4_conf_default_accept_source_route_value
> populate sysctl_net_ipv4_conf_default_log_martians_value
> populate sysctl_net_ipv4_conf_default_rp_filter_value
> populate sysctl_net_ipv4_conf_default_secure_redirects_value
> populate sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value
> populate sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value
> populate sysctl_net_ipv4_tcp_syncookies_value
> populate var_auditadm_exec_content
>
> And of course if I run it, I get errors for each invocation of that
> function (and any other that is supposed to be defined)
>
> root@test ~]# sh remediation.sh
> Remediating rule 1/105:
> 'xccdf_org.ssgproject.content_rule_banner_etc_issue'
> remediation.sh: line 34: populate: command not found
> Remediating rule 2/105:
> 'xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions'
> remediation.sh: line 52: populate: command not found
> Remediating rule 3/105:
> 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'
> remediation.sh: line 68: populate: command not found
> remediation.sh: line 70: replace_or_append: command not found
> Remediating rule 4/105:
> 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'
> FIX FOR THIS RULE
> 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users' IS
> MISSING!
> Remediating rule 5/105:
> 'xccdf_org.ssgproject.content_rule_audit_rules_immutable'
> Remediating rule 6/105:
> 'xccdf_org.ssgproject.content_rule_audit_rules_mac_modification'
> remediation.sh: line 115: fix_audit_watch_rule: command not found
>
> Until, I understand why it fails, I'm also trying the ansible remediation,
> which seems to be working better, but I won't be able to use ansible in all
> my clients. And anyway, I would like to learm how bash remediation code
> works (or should work), and help if I can 😉
>
> Salu2!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
>
> ------------------------------
> *De:* Marek Haicman <mhaicman(a)redhat.com>
> *Enviado:* lunes, 16 de diciembre de 2019 12:15
> *Para:* SCAP Security Guide <scap-security-guide(a)lists.fedorahosted.org>
> *Asunto:* Re: Bash remediations failing due to missing functions
>
> Hello Miguel,
> remediations, as they are stored in the DataStream are prepared to be used
> within the environment provided by the `oscap` utility. (I.e. so
> `--remediate` works). So no, it's not supposed to be self contained in that
> particular form.
>
> What you are looking for is probably `oscap xccdf generate fix`. That one
> will process the snippets and produces self-contained bash script.
>
> So no issue - works as intended. ;)
>
> Regards,
> Marek
>
> On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
>
> I've been playing with remediation code, and I've seen that remediation
> code for many checks fails due to undefined functions as "populate" (to
> populate defined variables) and "fix_audit_syscall_rule" (for audit checks)
>
> I've seen that both functions (and many more) are defined inside the
> datasource, in group
> xccdf_org.ssgproject.content_group_remediation_functions
>
> Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
>
>
> - Is remediation code supposed to be selt-contained in the data
> source? Or does it depend on the host having the security-guide package
> installed ir order to have that functions code?
> - If it's self contained, how and where are the functions code file
> extracted and read by remediation code?
> - If it's extracted, is there an option to keep the temp files
> around to take a look?
> - Maybe I need a more recent openscap version? (I'm using
> 1.2.17-4.el7 in centos7)
> - Should I file an issue on ComplianceAsCode GitHub repo? or am I
> doing something wrong?
>
>
> Thanks a lot!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
>
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
>
4 years, 4 months
Re: Bash remediations failing due to missing functions
by Marek Haicman
Hello Miguel,
remediations, as they are stored in the DataStream are prepared to be used
within the environment provided by the `oscap` utility. (I.e. so
`--remediate` works). So no, it's not supposed to be self contained in that
particular form.
What you are looking for is probably `oscap xccdf generate fix`. That one
will process the snippets and produces self-contained bash script.
So no issue - works as intended. ;)
Regards,
Marek
On Mon, Dec 16, 2019 at 11:44 AM Kuko Armas <kuko(a)canarytek.com> wrote:
>
> I've been playing with remediation code, and I've seen that remediation
> code for many checks fails due to undefined functions as "populate" (to
> populate defined variables) and "fix_audit_syscall_rule" (for audit checks)
>
> I've seen that both functions (and many more) are defined inside the
> datasource, in group
> xccdf_org.ssgproject.content_group_remediation_functions
>
> Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
>
>
> - Is remediation code supposed to be selt-contained in the data
> source? Or does it depend on the host having the security-guide package
> installed ir order to have that functions code?
> - If it's self contained, how and where are the functions code file
> extracted and read by remediation code?
> - If it's extracted, is there an option to keep the temp files
> around to take a look?
> - Maybe I need a more recent openscap version? (I'm using
> 1.2.17-4.el7 in centos7)
> - Should I file an issue on ComplianceAsCode GitHub repo? or am I
> doing something wrong?
>
>
> Thanks a lot!
> --
> Miguel Armas
> CanaryTek Consultoria y Sistemas SL
> http://www.canarytek.com/
>
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
4 years, 4 months
Re: [EXTERNAL] Bash remediations failing due to missing functions
by Todd, Charles
Kuko,
I don’t have answers, but thought you would like to know that your question was extremely professional, asked specific questions, and demonstrated that you’ve given this some real effort so far. Thanks for a great question. I’ve learned something from both question and answer today.
Charlie Todd
Ball Aerospace
On Dec 16, 2019, at 5:44 AM, Kuko Armas <kuko(a)canarytek.com> wrote:
I've been playing with remediation code, and I've seen that remediation code for many checks fails due to undefined functions as "populate" (to populate defined variables) and "fix_audit_syscall_rule" (for audit checks)
I've seen that both functions (and many more) are defined inside the datasource, in group xccdf_org.ssgproject.content_group_remediation_functions
Since I'm a complete newbie in openSCAP, I'm not sure how it should work:
* Is remediation code supposed to be selt-contained in the data source? Or does it depend on the host having the security-guide package installed ir order to have that functions code?
* If it's self contained, how and where are the functions code file extracted and read by remediation code?
* If it's extracted, is there an option to keep the temp files around to take a look?
* Maybe I need a more recent openscap version? (I'm using 1.2.17-4.el7 in centos7)
* Should I file an issue on ComplianceAsCode GitHub repo? or am I doing something wrong?
Thanks a lot!
--
Miguel Armas
CanaryTek Consultoria y Sistemas SL
http://www.canarytek.com/<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.canarytek.com_&d=...>
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.o...
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.o...
This message and any enclosures are intended only for the addressee. Please
notify the sender by email if you are not the intended recipient. If you are
not the intended recipient, you may not use, copy, disclose, or distribute this
message or its contents or enclosures to any other person and any such actions
may be unlawful. Ball reserves the right to monitor and review all messages
and enclosures sent to or from this email address.
4 years, 4 months