--- RHEL6/input/auxiliary/alt-titles-stig.xml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index b7f36d5..0576b1b 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -38,6 +38,9 @@ A file integrity tool must be installed. <title rule="aide_periodic_cron_checking" shorttitle="Configure Periodic Execution of AIDE"> A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. </title> +<title rule="rpm_verify_hashes" shorttitle="Verify File Hashes with RPM"> +The system package management tool must verify contents of all files associated with packages. +</title> <title rule="rpm_verify_permissions" shorttitle="Verify File Permissions with RPM"> The system package management tool must verify permissions on all file and directories associated with packages. </title>
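Review bot: the new alt-title for rpm_verify_hashes says the package tool "must verify contents of all files", which is broader than the rule id and shorttitle ("Verify File Hashes with RPM") describe; wording it as "must verify file hashes of all files associated with packages" keeps the STIG text aligned with the check that `rpm -Va` actually performs. While this block is being touched, the neighbouring rpm_verify_permissions entry reads "all file and directories" and should be "all files and directories".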
--- RHEL6/input/profiles/STIG-server.xml | 1 + 1 file changed, 1 insertion(+)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index 5f67335..b9709bd 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -3,6 +3,7 @@ <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
<select idref="rpm_verify_permissions" selected="true"/> +<select idref="rpm_verify_hashes" selected="true"/> <select idref="world_writeable_files" selected="true"/>
<select idref="install_antivirus" selected="true"/>
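Review bot: the select for rpm_verify_hashes sits beside rpm_verify_permissions, which is the right place, but a `<select>` only works if a Rule with that id ends up in the built Benchmark; the "Selector ID(...) does not exist in Benchmark" error quoted later in this thread is what oscap reports when it does not. Worth building and running `oscap xccdf eval --profile stig-server` against the output once the rule and profile changes are applied together.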
--- RHEL6/input/system/software/integrity.xml | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index 44bb1b2..14730e2 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -174,7 +174,15 @@ have hashes that differ from what is expected by the RPM database: <pre># rpm -Va | grep '^..5'</pre> A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. +If the file that has changed was not expected to then refresh from distribution media or online repositories. +<pre>rpm -Uvh <i>affected_package</i></pre> +OR +<pre>yum reinstall <i>affected_package</i></pre> </description> +<ocil clause="there is output"> The following command will list which files on the system +have file hashes different from what is expected by the RPM database. +<pre># rpm -Va | grep '$1 ~ /..5/ && $2 != "c"'</pre> +</ocil> <rationale> The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity
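Review bot: the added OCIL check `# rpm -Va | grep '$1 ~ /..5/ && $2 != "c"'` hands an awk program to grep, so grep searches for that literal string, prints nothing, and the clause "there is output" can never be satisfied; it should read `# rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'` (the existing description check uses the anchored form `'^..5'`, which is clearer since the hash flag is always the third character). Two smaller points in the description: the two new `<pre>` fix commands lack the `#` prompt the existing `<pre># rpm -Va | grep '^..5'</pre>` uses, and `rpm -Uvh` expects a package file (the "distribution media" case) while `yum reinstall` expects a package name (the "online repositories" case), so saying which argument each takes would avoid confusion. "If the file that has changed was not expected to then refresh" also needs a comma after "to".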
--- RHEL6/input/auxiliary/alt-titles-stig.xml | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 0576b1b..03efc62 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -722,4 +722,19 @@ The netconsole service must be disabled unless required. <title rule="world_writeable_files" shorttitle="Ensure No World-Writable Files Exist"> There must be no world-writable files on the system. </title> +<title rule="unmet_impractical_product" shorttitle="Product Does Not Meet this Requirement Due to Impracticality or Scope"> +This requirement must be satisfied via an external application or server. +</title> +<title rule="unmet_impractical_guidance" shorttitle="Guidance Does Not Meet this Requirement Due to Impracticality or Scope"> +This requirement must be satisfied via an external application, policy, or service. +</title> +<title rule="requirement_unclear" shorttitle="Implementation of the Requirement is Unclear"> +This requirement must be clarified. +</title> +<title rule="new_rule_needed" shorttitle="A New Policy/Manual? Rule is Needed."> +This rule remains to be written. +</title> +<title rule="met_inherently" shorttitle="Product Meets This Requirement"> +The system can not be configured not to meet this requirement. +</title> </titles>
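Review bot: `shorttitle="A New Policy/Manual? Rule is Needed."` carries a stray "?" and a trailing period that none of the other shorttitles have, and the srg_support.xml hunk later in this series titles the same rule "A New Policy/Manual Rule is Needed"; the two should match. The met_inherently text "The system can not be configured not to meet this requirement." is a double negative; the later ocil wording "cannot be configured to be out of compliance" says the same thing clearly. Note also that these five ids exist only as Groups in srg_support.xml at this point in the series while alt-titles are keyed by `rule="..."`, so this entry depends on the Group-to-Rule conversion that follows.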
--- RHEL6/input/auxiliary/srg_support.xml | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index a7e9457..cc3e697 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -7,13 +7,21 @@ not clearly relate. </description>
<Group id="met_inherently"> +<Rule id="met_inherently"> <title>Product Meets this Requirement</title> <description> Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> +</rationale> +<ocil> RHEL6 supports this requirement and cannot be configured to be out of +compliance. This is a permanent not a finding. +</ocil> +<description> +This requirement is permanent not a finding. No fix is required. </description> <ref disa="56,66,223,131,132,133,134,85,159,1694,770,804,162,163,164,345,346,872,1493,1494,1495,226,1096,1111,386,34,35,156,186,99,1083,1089,1082,804,1209,1214,1237,1248,1265,1269,1314,1362,1368,1310,1311,1328,1399,1400,1425,1427,1499,1693,1665,1670,1674,206,154" /> </Group> <!-- end met_inherently --> +</Rule> <!-- end met_inherently -->
<Group id="unmet_impractical_guidance"> <title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
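Review bot: this hunk leaves the XML unbalanced: `<Group id="met_inherently">` is kept and a new `<Rule id="met_inherently">` is opened inside it, the existing `<description>` is now closed by the added `</rationale>`, and the block ends with both `</Group>` and `</Rule>`. It should instead replace `<Group ...>` with `<Rule ...>`, `<description>` with `<rationale>` and `</Group>` with `</Rule>`, which is exactly what the later hunk at `@@ -6,10 +6,9 @@` in this series does; squashing that fix into this patch avoids an intermediate commit that ships a broken srg_support.xml. The `ref disa` list also carries 804 twice.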
--- RHEL6/input/auxiliary/srg_support.xml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index cc3e697..80e0a46 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -23,14 +23,21 @@ This requirement is permanent not a finding. No fix is required. </Group> <!-- end met_inherently --> </Rule> <!-- end met_inherently -->
-<Group id="unmet_impractical_guidance"> +<Rule id="unmet_impractical_guidance"> <title>Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title> -<description> +<rationale> The guidance does not meet this requirement. The requirement is impractical or out of scope. +</rationale> +<ocil> +RHEL6 cannot support this requirement without assistance from an external +application, policy, or service. This requirement is NA. +</ocil> +<description> +This requirement is NA. No fix is required. </description> <ref disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,37,221,25,28,29,30,24,1112,1126,1149,1157,1210,1211,1341,1372,1373,1374,1376,1377,1340,1352,1401,1555,1556,1150" /> -</Group> <!-- end unmet_impractical_guidance --> +</Rule> <!-- end unmet_impractical_guidance -->
<Group id="unmet_impractical_product"> <title>Product Does Not Meet this Requirement Due to Impracticality or Scope</title>
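Review bot: the Group-to-Rule conversion is balanced in this hunk, unlike the met_inherently one before it. One question on the new `<ocil>` element: it has no `clause` attribute, whereas the integrity.xml hunk uses `<ocil clause="there is output">`; since these support rules give the assessor no condition to test, confirm that the XCCDF transform accepts an ocil without a clause and renders the "This requirement is NA" text as intended.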
--- RHEL6/input/auxiliary/srg_support.xml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index 80e0a46..4e9dabc 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -6,10 +6,9 @@ those cases where Groups or Rules elsewhere in scap-security-guide do not clearly relate. </description>
-<Group id="met_inherently"> <Rule id="met_inherently"> <title>Product Meets this Requirement</title> -<description> +<rationale> Red Hat Enterprise Linux meets this requirement by design. <!-- We could include discussion of Common Criteria Testing if so desired here. --> </rationale> @@ -20,7 +19,6 @@ compliance. This is a permanent not a finding. This requirement is permanent not a finding. No fix is required. </description> <ref disa="56,66,223,131,132,133,134,85,159,1694,770,804,162,163,164,345,346,872,1493,1494,1495,226,1096,1111,386,34,35,156,186,99,1083,1089,1082,804,1209,1214,1237,1248,1265,1269,1314,1362,1368,1310,1311,1328,1399,1400,1425,1427,1499,1693,1665,1670,1674,206,154" /> -</Group> <!-- end met_inherently --> </Rule> <!-- end met_inherently -->
<Rule id="unmet_impractical_guidance"> @@ -39,14 +37,20 @@ This requirement is NA. No fix is required. <ref disa="165,21,354,1094,371,372,535,537,539,780,1682,1383,370,37,221,25,28,29,30,24,1112,1126,1149,1157,1210,1211,1341,1372,1373,1374,1376,1377,1340,1352,1401,1555,1556,1150" /> </Rule> <!-- end unmet_impractical_guidance -->
-<Group id="unmet_impractical_product"> +<Rule id="unmet_impractical_product"> <title>Product Does Not Meet this Requirement Due to Impracticality or Scope</title> +<rationale> +The product does not meet this requirement. The requirement is impractical or out of scope. +</rationale> +<ocil> +RHEL6 cannot support this requirement without assistance from an external +application or server. This requirement is NA. +</ocil> <description> -The product does not meet this requirement. -The requirement is impractical or out of scope. +This requirement is NA. No fix is required. </description> -<ref disa="28,29,30,32,24,1695,1169,1170,1662,1395,553" /> -</Group> <!-- end unmet_impractical_product --> +<ref disa="15,28,29,30,32,24,1695,1169,1170,1662,1395,553" /> +</Rule> <!-- end unmet_impractical_product -->
<Group id="requirement_unclear"> <title>Implementation of the Requirement is Unclear</title>
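Review bot: the first hunk repairs the met_inherently tag mismatch introduced two patches back, but the ref lists now overlap: CCIs 24, 28, 29 and 30 appear in both unmet_impractical_guidance (`<ref disa="165,21,354,...,28,29,30,24,...">`) and unmet_impractical_product (`<ref disa="15,28,29,30,32,24,...">`), so a single CCI would be reported under two different dispositions; decide which support rule owns each and drop it from the other. Adding 15 to unmet_impractical_product pairs with its removal from account_expiration.xml later in the thread, and that move deserves a sentence in the commit message. The met_inherently list still carries 804 twice.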
--- RHEL6/input/auxiliary/srg_support.xml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index 4e9dabc..30af353 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -52,13 +52,21 @@ This requirement is NA. No fix is required. <ref disa="15,28,29,30,32,24,1695,1169,1170,1662,1395,553" /> </Rule> <!-- end unmet_impractical_product -->
-<Group id="requirement_unclear"> +<Rule id="requirement_unclear"> <title>Implementation of the Requirement is Unclear</title> -<description> +<rationale> It is unclear how to satisfy this requirement. +</rationale> +<ocil> +RHEL6 does not support this requirement. This is a permanent finding. +</ocil> +<description> +This requirement is a permanent finding and cannot be fixed. An appropriate +mitigation for the system must be implemented but this finding cannot be +considered fixed. </description> <ref disa="20,31,218,219,1158,1291,1294,1295,1428,1500" /> -</Group> <!-- end requirement_unclear --> +</Rule> <!-- end requirement_unclear -->
<Group id="new_rule_needed"> <title>A New Policy/Manual Rule is Needed</title>
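Review bot: the rationale and the ocil disagree: the rationale says "It is unclear how to satisfy this requirement", but the ocil asserts "RHEL6 does not support this requirement. This is a permanent finding.", which is a stronger statement than "unclear" supports and reads like the text for a genuinely unmet requirement. Suggest the ocil say that the implementation of the requirement is unclear and that it remains a finding until the requirement is clarified, so the recorded disposition tracks the rationale.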
--- RHEL6/input/auxiliary/srg_support.xml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml b/RHEL6/input/auxiliary/srg_support.xml index 30af353..1185eaa 100644 --- a/RHEL6/input/auxiliary/srg_support.xml +++ b/RHEL6/input/auxiliary/srg_support.xml @@ -68,12 +68,18 @@ considered fixed. <ref disa="20,31,218,219,1158,1291,1294,1295,1428,1500" /> </Rule> <!-- end requirement_unclear -->
-<Group id="new_rule_needed"> +<Rule id="new_rule_needed"> <title>A New Policy/Manual Rule is Needed</title> -<description> +<rationale> A new Rule needs to be created in the scap-security-guide content. +</rationale> +<ocil> +RHEL6 does support this requirement but the guidance is not yet written. +</ocil> +<description> +When the guidance is written, the fix will be forthcoming. </description> <ref disa="52,53,1009,1019,1159,1125,1140,1143" /> -</Group> <!-- end new_rule_needed --> +</Rule> <!-- end new_rule_needed -->
</Group>
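Review bot: every other support rule in this series states a disposition in its ocil ("not a finding", "NA", "permanent finding"), but this one only says "RHEL6 does support this requirement but the guidance is not yet written", which leaves the assessor with nothing to record; state explicitly whether it is a finding until the rule exists. Also, once all five Groups have become Rules, the trailing `</Group>` context line must be closing an enclosing Group opened above this hunk; worth confirming the file still validates, since the earlier hunks moved opening and closing tags around.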
--- RHEL6/input/profiles/STIG-server.xml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index b9709bd..280d092 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -2,6 +2,11 @@ <title>Pre-release Draft STIG for RHEL 6 Server</title> <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+<select idref="requirement_unclear" selected="true"/> +<select idref="new_rule_needed" selected="true"/> +<select idref="met_inherently" selected="true"/> +<select idref="unmet_impractical_product" selected="true"/> +<select idref="unmet_impractical_guidance" selected="true"/> <select idref="rpm_verify_permissions" selected="true"/> <select idref="rpm_verify_hashes" selected="true"/> <select idref="world_writeable_files" selected="true"/>
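Review bot: these five `<select>` entries point at ids defined only in auxiliary/srg_support.xml, and the reply below shows the result: `OpenSCAP Error: Selector ID(unmet_impractical_guidance) does not exist in Benchmark`, meaning the built ssg-rhel6-xccdf.xml does not contain those Rules and the profile no longer evaluates. Either the srg_support content has to be pulled into the Benchmark before a profile can select it, or the selects should be left out, which is what the reply did. A build followed by `oscap xccdf eval --profile stig-server` on the output before posting would have caught this.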
On 11/16/12 10:20 PM, Michele Newman wrote:
RHEL6/input/profiles/STIG-server.xml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index b9709bd..280d092 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -2,6 +2,11 @@
<title>Pre-release Draft STIG for RHEL 6 Server</title> <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+<select idref="requirement_unclear" selected="true"/> +<select idref="new_rule_needed" selected="true"/> +<select idref="met_inherently" selected="true"/> +<select idref="unmet_impractical_product" selected="true"/> +<select idref="unmet_impractical_guidance" selected="true"/>
<select idref="rpm_verify_permissions" selected="true"/> <select idref="rpm_verify_hashes" selected="true"/> <select idref="world_writeable_files" selected="true"/>
Undoing this, as these rules are not actual XCCDF and break things:
oscap xccdf eval --profile stig-server --cpe RHEL6/output/ssg-rhel6-cpe-dictionary.xml RHEL6/output/ssg-rhel6-xccdf.xml ... OpenSCAP Error: Selector ID(unmet_impractical_guidance) does not exist in Benchmark. [xccdf_policy.c:2207]
Please make sure to compile and run a scan to ensure patches don't bork things up ;)
--- RHEL6/input/system/accounts/restrictions/account_expiration.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index f0a1d5b..2e8c8f4 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -58,7 +58,7 @@ have been responsibly removed are not available to attackers who may have compromised their credentials. </rationale> <oval id="accounts_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> -<ref disa="15,16,17,795"/> +<ref disa="16,17,795"/> </Rule>
<Rule id="account_unique_name">
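Review bot: dropping CCI 15 from accounts_disable_post_pw_expiration leaves `<ref disa="16,17,795"/>`, and 15 was added to unmet_impractical_product earlier in this series, so the CCI is now mapped once; the patch carries no explanation, though, and a one-line commit message saying that 15 moves to unmet_impractical_product would let a reader of the log follow the remapping without diffing srg_support.xml.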
Ack to set.
====================================================== Michele Newman RHCE, RHCVA (Sr. Consultant) Email: mnewman@redhat.com Cell: 410.499.6177 Red Hat Consulting http://www.redhat.com/consulting ====================================================== Red Hat, Inc. | 1801 Varsity Dr | Raleigh, NC | 27606
On Nov 16, 2012, at 10:20 PM, Michele Newman wrote:
RHEL6/input/system/accounts/restrictions/account_expiration.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index f0a1d5b..2e8c8f4 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -58,7 +58,7 @@ have been responsibly removed are not available to attackers who may have compromised their credentials.
</rationale> <oval id="accounts_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> -<ref disa="15,16,17,795"/> +<ref disa="16,17,795"/> </Rule>
<Rule id="account_unique_name"> -- 1.8.0
scap-security-guide@lists.fedorahosted.org