On Friday, October 31, 2014 12:51:04 PM Jan Lieskovsky wrote:
> ----- Original Message -----
> From: "Steve Grubb" sgrubb@redhat.com
> To: scap-security-guide@lists.fedorahosted.org
> Sent: Friday, October 31, 2014 3:55:29 PM
> Subject: Re: Configuration testing vs Forensic testing
>
> > On Friday, October 31, 2014 10:47:37 AM Shawn Wells wrote:
> > > On 10/31/14, 10:31 AM, Steve Grubb wrote:
> > > > I think there is a problem in the SSG content. I think that the current content is intended to check the system configuration. This would be done by examining the files on disk to warn about changes or things that are misconfigured. There is also another category of testing that is forensics which checks the ephemeral / current values being enforced. Both are necessary and useful, but they should not be mixed.
> > >
> > > <snip>
> > >
> > > I've opened tickets to track mount vs fstab, sysctl, and service vs chkconfig:
> > >
> > > Thanks!
> > >
> > > As/if you identify additional sections which need better separation, please bring them to our attention!
> >
> > Well, in a very brief look, the selinux label check in /dev is wrong, it should be:
> >
> > find /dev -context *:device_t:* \( -type c -o -type b \)
>
> Just out of curiosity, this doesn't seem to be working properly (or I am missing something obvious) [*]. E.g. sample output from RHEL-6 system:

Something got snipped. Should have been:

find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

> [root@localhost ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.6 (Santiago)
> [root@localhost ~]# ls -Z /dev/null
> crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null
> [root@localhost ~]# chcon -t samba_share_t /dev/null
> [root@localhost ~]# ls -Z /dev/null
> crw-rw-rw-. root root system_u:object_r:samba_share_t:s0 /dev/null
> [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \)
> [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \) | wc -l
> 0
>
> Shouldn't it be changed to e.g.:
>
> find /dev ! -context *:*device_t:* \( -type c -o -type b \)
>
> to get the list of devices that are not of :*_device_t: target?

device_t is the default when selinux knows nothing about the device. You want your system to have none of these.

-Steve
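The separation the thread argues for, shown for sysctl (one of the areas Shawn lists) as an added example that is not code from any message above or from SSG: the on-disk configuration check and the runtime (forensic) check are evaluated separately and each kind of drift is named. The sysctl.conf and `sysctl -a` listings are constructed samples, not from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or SSG: keep the configuration check
# (what /etc/sysctl.conf persists) separate from the forensic check (what the
# running kernel enforces) and report each kind of drift by name.

# Constructed sample of /etc/sysctl.conf contents (not a real system).
CONF_SAMPLE='net.ipv4.ip_forward = 0
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
fs.suid_dumpable = 0'

# Constructed sample of "sysctl -a" output from the running kernel.
RUNTIME_SAMPLE='net.ipv4.ip_forward = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0'

# Print the value of a key in a "key = value" listing; prints nothing if absent.
lookup() { # $1 = listing, $2 = key
    printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# Classify one key and print a single state word:
#   ok           configured and enforced with the same value
#   drift        kernel enforces a different value (forensic finding)
#   unpersisted  enforced now but absent from the config (configuration finding)
#   unset        in the config but the kernel does not report it (forensic finding)
classify() { # $1 = key, $2 = config listing, $3 = runtime listing
    want=$(lookup "$2" "$1")
    have=$(lookup "$3" "$1")
    if   [ -z "$want" ] && [ -n "$have" ]; then echo unpersisted
    elif [ -n "$want" ] && [ -z "$have" ]; then echo unset
    elif [ "$want" = "$have" ];             then echo ok
    else                                         echo drift
    fi
}

# One "key state" line for every key seen in either listing.
report() { # $1 = config listing, $2 = runtime listing
    for k in $(printf '%s\n%s\n' "$1" "$2" | awk -F' *= *' '{ print $1 }' | sort -u); do
        printf '%s %s\n' "$k" "$(classify "$k" "$1" "$2")"
    done
}

report "$CONF_SAMPLE" "$RUNTIME_SAMPLE"
```

On a live host the two listings would come from `cat /etc/sysctl.conf` and `sysctl -a`; the point is that a `drift` line is a forensic finding and an `unpersisted` line is a configuration finding, and a scanner should not report one as the other.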