This improvement was originally proposed by Tomas Heinrich for USGCB content. But it is applicable to SSG content too, therefore this post.
Rationale:
----------
When checking the system for the underlying value of the ClientAliveInterval sshd config variable it is not sufficient to check just the upper bound (whether the present value is less than the required maximum); it is also necessary to check the lower bound, because, from the sshd_config manual page:
ClientAliveInterval
    Sets a timeout interval in seconds after which, if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.
Conclusion:
-----------
The current form worked only for instances not having ClientAliveInterval in the config at all. But having that value set to zero would still pass (which is wrong, since, as mentioned above, these messages would then not be sent). Thus this patch also adds a check that the actual value is greater than zero.
Besides that it adds some blank lines for better readability. It also removes the Fedora version of the sshd_set_idle_timeout.xml rule and links it to the shared one.
Testing background:
-------------------
It has been tested on RHEL-7 & Fedora-20 and seems to be working properly.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
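The pre- and post-patch logic of the rationale above, as an added Python example that is not part of Jan's patch or of the SSG content: it reimplements the OVAL object's regular expression and the two bound states over constructed sshd_config snippets, so the reader can see why `ClientAliveInterval 0` satisfied the old upper-bound-only check and fails once the lower bound is added. The 300-second bound (standing in for the XCCDF variable sshd_idle_timeout_value) and the sample configurations are assumptions.

```python
import re

# Constructed sample configurations (not from the thread) covering the cases the
# patch discussion cares about: keyword absent, set to 0, set within bounds,
# set above the bound, set twice, and commented out.
SAMPLE_CONFIGS = {
    "absent":    "Port 22\nPermitRootLogin no\n",
    "zero":      "Port 22\nClientAliveInterval 0\nClientAliveCountMax 3\n",
    "ok":        "Port 22\nclientaliveinterval 300\n",
    "too_big":   "ClientAliveInterval 900\n",
    "twice":     "ClientAliveInterval 300\nClientAliveInterval 0\n",
    "commented": "#ClientAliveInterval 300\n",
}

# Assumed upper bound; plays the role of the XCCDF variable sshd_idle_timeout_value.
MAX_IDLE_SECONDS = 300

# Python equivalent of the OVAL pattern ^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$.
# Because the keyword must come first on the line, "#ClientAliveInterval" never matches.
CLIENT_ALIVE_RE = re.compile(r"^\s*ClientAliveInterval\s+(\d+)\s*$", re.IGNORECASE)


def client_alive_interval(config_text):
    """Return the ClientAliveInterval sshd would use, or None if the keyword is absent.

    sshd takes the first occurrence of a keyword, which is why the OVAL object
    uses instance="1"; this loop stops at the first match for the same reason.
    Neither the OVAL pattern nor this function understands Match blocks.
    """
    for line in config_text.splitlines():
        m = CLIENT_ALIVE_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def check_upper_bound_only(config_text, max_seconds=MAX_IDLE_SECONDS):
    """Pre-patch logic: keyword must exist and value <= bound.

    ClientAliveInterval 0 satisfies 0 <= bound and therefore passes, even though
    a value of 0 disables the keepalive messages entirely. That is the defect.
    """
    value = client_alive_interval(config_text)
    return value is not None and value <= max_seconds


def check_idle_timeout(config_text, max_seconds=MAX_IDLE_SECONDS):
    """Post-patch logic: existence, upper bound and the new lower bound (> 0).

    The three booleans mirror check_existence="all_exist" plus the two states
    state_timeout_value_upper_bound and state_timeout_value_lower_bound; the
    overall result is their AND, as check="all" with two states requires.
    """
    value = client_alive_interval(config_text)
    present = value is not None
    upper_ok = present and value <= max_seconds
    lower_ok = present and value > 0
    return {
        "value": value,
        "present": present,
        "upper_bound": upper_ok,
        "lower_bound": lower_ok,
        "pass": present and upper_ok and lower_ok,
    }


def evaluate_samples():
    """Map each constructed sample to its post-patch pass/fail result."""
    return {name: check_idle_timeout(cfg)["pass"] for name, cfg in SAMPLE_CONFIGS.items()}


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        r = check_idle_timeout(cfg)
        old = check_upper_bound_only(cfg)
        print(f"{name:10s} value={r['value']!s:5s} old_check={old!s:5s} "
              f"upper={r['upper_bound']!s:5s} lower={r['lower_bound']!s:5s} "
              f"-> {'pass' if r['pass'] else 'fail'}")
```

On a live host, `sshd -T` prints the effective configuration (global values; add `-C` to evaluate a Match block), so `sshd -T | grep -i clientaliveinterval` is the quickest way to confirm what the OVAL test will see.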
On 2/24/14, 12:06 PM, Jan Lieskovsky wrote:
0001-shared-sshd_set_idle_timeout-when-doing-the-check-be.patch
From b8419800dd27abad20a5f631ea71944ceb43664f Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Mon, 24 Feb 2014 17:52:03 +0100
Subject: [PATCH] [shared] sshd_set_idle_timeout - when doing the check be sure to check also the lower bound of ClientAliveInterval value.

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>

 Fedora/input/checks/sshd_set_idle_timeout.xml | 34 +--------------------------
 shared/oval/sshd_set_idle_timeout.xml         | 19 ++++++++++++---
 2 files changed, 17 insertions(+), 36 deletions(-)
 mode change 100644 => 120000 Fedora/input/checks/sshd_set_idle_timeout.xml
diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml b/Fedora/input/checks/sshd_set_idle_timeout.xml deleted file mode 100644 index df3336a..0000000 --- a/Fedora/input/checks/sshd_set_idle_timeout.xml +++ /dev/null @@ -1,33 +0,0 @@ -<def-group>
<definition class="compliance" id="sshd_set_idle_timeout" version="1">
<metadata>
<title>Set OpenSSH Idle Timeout Interval</title>
<affected family="unix">
<platform>Fedora 19</platform>
</affected>
<description>The SSH idle timeout interval should be set to an appropriate value.</description>
</metadata>
<criteria comment="SSH is not being used or conditions are met" operator="OR">
<extend_definition comment="sshd service is disabled" definition_ref="service_sshd_disabled" />
<criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="test_sshd_idle_timeout" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="test_sshd_idle_timeout" version="1">
- <ind:object object_ref="object_sshd_idle_timeout" />
- <ind:state state_ref="state_timeout_value" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1">
- ind:filepath/etc/ssh/sshd_config</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_state comment="ClientAliveInterval in seconds" id="state_timeout_value" version="1">
- <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="sshd_idle_timeout_value" />
- </ind:textfilecontent54_state>
<external_variable comment="timeout value" datatype="int" id="sshd_idle_timeout_value" version="1" />
-</def-group> diff --git a/Fedora/input/checks/sshd_set_idle_timeout.xml b/Fedora/input/checks/sshd_set_idle_timeout.xml new file mode 120000 index 0000000..2fd18f6 --- /dev/null +++ b/Fedora/input/checks/sshd_set_idle_timeout.xml @@ -0,0 +1 @@ +../../../shared/oval/sshd_set_idle_timeout.xml \ No newline at end of file diff --git a/shared/oval/sshd_set_idle_timeout.xml b/shared/oval/sshd_set_idle_timeout.xml index ad63830..f891e65 100644 --- a/shared/oval/sshd_set_idle_timeout.xml +++ b/shared/oval/sshd_set_idle_timeout.xml @@ -5,10 +5,12 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> <platform>Red Hat Enterprise Linux 7</platform>
<platform>Fedora 20</platform> </affected> <description>The SSH idle timeout interval should be set to an appropriate value.</description> <reference source="MED" ref_id="20130813" ref_url="test_attestation" />
<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> --> </metadata> <criteria comment="SSH is not being used or conditions are met" operator="OR">
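Review bot: the metadata hunk of shared/oval/sshd_set_idle_timeout.xml leaves the Fedora 20 attestation commented out (`<!-- Fedora 20: <reference source="JL" ref_id="20140224" ref_url="test_attestation" /> -->`) although the cover letter reports the check as tested on Fedora-20; either activate the reference or say in the commit message why it stays disabled. The same hunk is also the only platform list left once Fedora/input/checks/sshd_set_idle_timeout.xml becomes a symlink to ../../../shared/oval/sshd_set_idle_timeout.xml: the deleted file declared `<platform>Fedora 19</platform>` while the shared definition lists `<platform>Fedora 20</platform>`, so if Fedora 19 is still a supported target its platform element needs to be carried over.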
@@ -18,21 +20,32 @@ test_ref="test_sshd_idle_timeout" /> </criteria> </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="test_sshd_idle_timeout" version="1"> <ind:object object_ref="object_sshd_idle_timeout" />
- <ind:state state_ref="state_timeout_value" />
- <ind:state state_ref="state_timeout_value_upper_bound" />
- <ind:state state_ref="state_timeout_value_lower_bound" /> </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sshd_idle_timeout" version="1"> ind:filepath/etc/ssh/sshd_config</ind:filepath> <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
- <ind:textfilecontent54_state comment="ClientAliveInterval in seconds"
- id="state_timeout_value" version="1">
- <ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds"
- id="state_timeout_value_upper_bound" version="1"> <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="sshd_idle_timeout_value" /> </ind:textfilecontent54_state>
- <ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds"
- id="state_timeout_value_lower_bound" version="1">
- <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
- </ind:textfilecontent54_state>
- <external_variable comment="timeout value" datatype="int" id="sshd_idle_timeout_value" version="1" />
</def-group>
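Review bot: the `<description>` of the shared definition still reads "The SSH idle timeout interval should be set to an appropriate value." and does not tell the reader that a value of 0 now fails, so it should state that ClientAliveInterval must be greater than zero and no larger than sshd_idle_timeout_value, matching the two states `state_timeout_value_upper_bound` and `state_timeout_value_lower_bound` this hunk introduces in place of `state_timeout_value`. Two smaller points: with `check="all"` and two `<ind:state>` references the test requires both states to hold, which is the intended AND, but a one-line XML comment above the test would save the next reader from looking the default state_operator up; and since the object keeps `<ind:instance datatype="int">1</ind:instance>`, only the first ClientAliveInterval line is evaluated, which matches sshd using the first occurrence of a keyword but silently ignores a later conflicting line, also worth a comment.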
Good finding. Ack.
Ok, I realize that this went through a while ago but has anyone actually lived with this setting enabled?
I've got a LOT of unhappy users that start to VI a file, walk away for a while (with their local screen locked) and come back to find their sessions dumped all over the floor.
The default appears to be 5 minutes across the board which I find WAY too short since I might be looking at a man page in two windows for that amount of time or more.
I would like to propose that the defaults be changed to something more sensible like 2, 4, or 8 hours. (Heck, meetings can go on for more than 2 hours sometimes)
Thanks,
Trevor
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
The default value is 5 minutes:
<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
  <title>SSH session Idle time</title>
  <description>Specify duration of allowed idle time.</description>
  <value selector="">300</value>
  <value selector="5_minutes">300</value>
  <value selector="10_minutes">600</value>
  <value selector="15_minutes">900</value>
</Value>
STIG value is 15 minutes:
$ grep -rin sshd_idle_timeout_value profiles/
profiles/stig-rhel6-server-upstream.xml:114:<refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
profiles/rht-ccp.xml:9:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
profiles/common.xml:299:<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
Interestingly, the CS2 profile doesn't refine the sshd_idle_timeout_value, thus inheriting the 5 minute constraint....
/me eyeballs dave smith to see if this was an oversight in the CS2 profile
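The grep above shows which profiles refine sshd_idle_timeout_value and which one (CS2) silently inherits the default selector. The following added Python example, which is not part of the SSG build tooling, resolves a Value's selectors against each profile's refine-value the way XCCDF does and lists the profiles that never refine it, so the CS2 oversight becomes a findable condition rather than something spotted by eye. The XML fragments are constructed from the elements quoted in the thread with the XCCDF namespace dropped; the empty CS2 profile is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed XCCDF fragments modelled on the Value and refine-value elements
# quoted in the thread. The XCCDF namespace is dropped to keep the sample short;
# real SSG content carries one and findall() would need the namespaced tag.
VALUE_XML = """<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
  <title>SSH session Idle time</title>
  <description>Specify duration of allowed idle time.</description>
  <value selector="">300</value>
  <value selector="5_minutes">300</value>
  <value selector="10_minutes">600</value>
  <value selector="15_minutes">900</value>
</Value>"""

PROFILES_XML = """<Benchmark>
  <Profile id="stig-rhel6-server-upstream">
    <refine-value idref="sshd_idle_timeout_value" selector="15_minutes"/>
  </Profile>
  <Profile id="rht-ccp">
    <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
  </Profile>
  <Profile id="common">
    <refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
  </Profile>
  <Profile id="CS2">
    <!-- assumption: no refine-value for sshd_idle_timeout_value, as observed in the thread -->
  </Profile>
</Benchmark>"""


def value_selectors(value_xml):
    """Map selector -> integer value; the empty selector is the XCCDF default."""
    root = ET.fromstring(value_xml)
    return {v.get("selector", ""): int(v.text) for v in root.findall("value")}


def profile_selector(profile, value_id):
    """Selector a profile picks for value_id, or None if it does not refine it.

    A later refine-value for the same idref overrides an earlier one here.
    """
    chosen = None
    for rv in profile.findall("refine-value"):
        if rv.get("idref") == value_id:
            chosen = rv.get("selector", "")
    return chosen


def resolve_profiles(value_xml, profiles_xml, value_id):
    """Effective value of value_id per profile, with whether it was refined."""
    selectors = value_selectors(value_xml)
    default = selectors[""]
    result = {}
    for profile in ET.fromstring(profiles_xml).findall("Profile"):
        sel = profile_selector(profile, value_id)
        # An unrefined value, or a selector that matches no <value>, resolves to the default.
        effective = selectors.get(sel, default) if sel is not None else default
        result[profile.get("id")] = {"selector": sel, "seconds": effective, "refined": sel is not None}
    return result


def unrefined_profiles(value_xml, profiles_xml, value_id):
    """Profiles that inherit the default because they carry no refine-value for value_id."""
    resolved = resolve_profiles(value_xml, profiles_xml, value_id)
    return sorted(pid for pid, r in resolved.items() if not r["refined"])


if __name__ == "__main__":
    for pid, r in resolve_profiles(VALUE_XML, PROFILES_XML, "sshd_idle_timeout_value").items():
        print(f"{pid:28s} selector={r['selector']!s:12s} -> {r['seconds']} s"
              f"{'' if r['refined'] else '  (inherits default)'}")
    print("unrefined:", unrefined_profiles(VALUE_XML, PROFILES_XML, "sshd_idle_timeout_value"))
```

Run against the real benchmark, the same walk over `Profile` elements (with the namespace added) turns "did anyone forget to refine this value?" into a check that can run in CI before content ships.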
It seems to have been missed on the CS2 side. It's likely that it was refined internally at some point, but a subsequent version of the SSG content overwrote it. I'll make a note to get the fix handled this week - thanks for letting us know!
I'd still like to push for something more than 15 minutes. It's just too short.
Thanks,
Trevor
On 5/14/14, 6:05 PM, David Smith wrote:
It seems to have been missed on the CS2 side. It's likely that it was refined internally at some point, but a subsequent version of the SSG content overwrote it. I'll make a note to get the fix handled this week - thanks for letting us know!
bump
I've put together a web page to show which RHEL 6 CCE's have a remediation script from Aqueduct and SSG.
It is interesting that a number of rules are missing CCE Idents. It is also easier to see the coverage of fix scripts.
http://www.govready.org/cce/fixes/
Would love feedback and thoughts in how to improve coverage.
Greg Elin P: 917-304-3488 E: gregelin@gitmachines.com
Greg,
Okay, this is just cool. The one change I'd like to see, if you think it's useful, is to sort on severity. When I was writing RHEL 6 Aqueduct scripts I tried to focus on the Highs and Mediums. However, it is easy to miss one here and there.
Thanks!
Leam
Leam,
In-page sorting and filter is a great idea. In the meantime, I have these pages:
http://www.govready.org/cce/severity/high/
http://www.govready.org/cce/severity/medium/
http://www.govready.org/cce/severity/low/
(Also working on http://www.govready.org/800-53/ but still pretty rough)
Greg Elin personal cell: 917-304-3488 personal email: greg@fotonotes.net email: gregelin@gitmachines.com
I've added sorting to my issues: https://github.com/GovReady/GovReady.github.io/issues/8
Greg
Thanks Greg! I was just writing an email inquiring about the status of remediation in SSG when this hit my inbox. Eerily coincidental.
To piggyback onto this thread a bit: I see postings with bits and pieces of the content, but I'm looking for a short summary of the status: this is what we have, this is what is missing, this is what we're looking for in the short term. And, based on Greg's chart above, Aqueduct has remediation content missing from SSG and SSG has remediation content missing from Aqueduct. How is this gap being closed?
In the meantime - how are people STIG'ing a box given the gap in remediation content?
Thanks, --Spencer
This is very, very cool. Did you use some sort of XSLT for this, and if so, is it sharable? Shipping something like this seems valuable, with a link back to govready for a dynamic version.
It doesn't seem to be picking up a few CCEs:
aide_build_database - CCE 27135-3 (since 2013-10-30)
bios_disable_usb_boot - CCE 26923-3 (since 2013-10-30)
Is a refresh needed?
Went through a few more of the XCCDF rules manually and double checked on the CCEs. All *appears* well.
The code we use to transform out the CCEs from each XCCDF rule lives here: https://git.fedorahosted.org/cgit/scap-security-guide.git/tree/RHEL/6/transf...
And generates this HTML table: http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/table-rhel...
Now that I'm done fretting if proper CCE assignments exist (mini heart attack due to the pending SSG inclusion in RHEL 6.6), I'd like to re-iterate, this is very cool!
Thanks, Shawn!
I'll check out table-rhel6-cces.html (http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/table-rhel6-cces.html) and do an update.
Greg
Shawn and Spencer:
I am probably working with an older version of Aqueduct and SSG. I can update.
Also, there are 274 remediation bash scripts in Aqueduct, but only 185 are generated when looping through RHEL6. The Aqueduct scripts are also online, but I still need to put the SSG remediation scripts online.
I'm using Jekyll and GitHub Pages for the site. I wanted to see how far I get with static pages. In this case, I'm using PHP scripts to generate the content for Jekyll. It makes it easier to prototype at this stage: consume the SSG XCCDF file, extract what I want and reformat it for Jekyll pages.
The web site repo is open: http://github.com/GovReady.github.io
The PHP scripts are not yet in an open repo.
Greg