Proposed patch adds (previously missing) package_rsh_removed XCCDF reference to already existing OVAL check with same name. Also defines the same XCCDF rule for RHEL-7. Yet moves the original RHEL-6 specific package_rsh_removed OVAL check to be shared one.
Change has been tested on RHEL/6 & RHEL/7, rpms build correctly, underlying rule seems to work as expected (on both products).
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 5/30/14, 7:16 AM, Jan Lieskovsky wrote:
0001-RHEL-6-Start-using-package_rsh_removed-OVAL-check.patch
From d83bf8ee28da32bdf93af66cb2a9e578ddcbd889 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky jlieskov@redhat.com
Date: Fri, 30 May 2014 13:07:42 +0200
Subject: [PATCH] [RHEL/6] Start using package_rsh_removed OVAL check [RHEL/7] Define new XCCDF rule package_rsh_removed [shared] Move the RHEL-6 specific check to be shared one

Signed-off-by: Jan Lieskovsky jlieskov@redhat.com
---
 RHEL/6/input/checks/package_rsh_removed.xml | 27 +--------------------------
 RHEL/6/input/services/obsolete.xml          |  4 +++-
 RHEL/7/input/checks/package_rsh_removed.xml |  1 +
 RHEL/7/input/services/obsolete.xml          | 17 +++++++++++++++++
 shared/oval/package_rsh_removed.xml         | 27 +++++++++++++++++++++++++++
 5 files changed, 49 insertions(+), 27 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/package_rsh_removed.xml
 create mode 120000 RHEL/7/input/checks/package_rsh_removed.xml
 create mode 100644 shared/oval/package_rsh_removed.xml
diff --git a/RHEL/6/input/checks/package_rsh_removed.xml b/RHEL/6/input/checks/package_rsh_removed.xml deleted file mode 100644 index 11ae275..0000000 --- a/RHEL/6/input/checks/package_rsh_removed.xml +++ /dev/null @@ -1,26 +0,0 @@ -<def-group>
<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_rsh_removed"
- version="1">
<metadata>
<title>Package rsh Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The RPM package rsh should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package rsh is removed"
test_ref="test_package_rsh_removed" />
</criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_rsh_removed" version="1"
- comment="package rsh is removed">
- <linux:object object_ref="obj_package_rsh_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_rsh_removed" version="1">
- linux:namersh</linux:name>
- </linux:rpminfo_object>
-</def-group> diff --git a/RHEL/6/input/checks/package_rsh_removed.xml b/RHEL/6/input/checks/package_rsh_removed.xml new file mode 120000 index 0000000..3b94a20 --- /dev/null +++ b/RHEL/6/input/checks/package_rsh_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_rsh_removed.xml \ No newline at end of file diff --git a/RHEL/6/input/services/obsolete.xml b/RHEL/6/input/services/obsolete.xml index ee980d4..c2e5b15 100644 --- a/RHEL/6/input/services/obsolete.xml +++ b/RHEL/6/input/services/obsolete.xml @@ -186,7 +186,7 @@ stolen by eavesdroppers on the network.
</Rule>
<Rule id="package_rsh_removed"> -<title>Remove rsh</title> +<title>Uninstal rsh Package</title> <description>The <tt>rsh</tt> package contains the client commands for the rsh services</description> <ocil><package-remove-macro package="rsh"/></ocil> @@ -198,6 +198,8 @@ their credentials. Note that removing the <tt>rsh</tt> package removes the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>. </rationale> <ident cce="" /> +<oval id="package_rsh_removed" /> +<tested by="JL" on="20140530"/> </Rule>
<Rule id="disable_rlogin" severity="high"> diff --git a/RHEL/7/input/checks/package_rsh_removed.xml b/RHEL/7/input/checks/package_rsh_removed.xml new file mode 120000 index 0000000..3b94a20 --- /dev/null +++ b/RHEL/7/input/checks/package_rsh_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_rsh_removed.xml \ No newline at end of file diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml index 84ced10..888162d 100644 --- a/RHEL/7/input/services/obsolete.xml +++ b/RHEL/7/input/services/obsolete.xml @@ -170,6 +170,23 @@ stolen by eavesdroppers on the network. <tested by="DS" on="20121026"/> </Rule>
+<Rule id="package_rsh_removed"> +<title>Uninstal rsh Package</title> +<description>The <tt>rsh</tt> package contains the client commands +for the rsh services</description> +<ocil><package-remove-macro package="rsh"/></ocil> +<rationale>These legacy clients contain numerous security exposures and have +been replaced with the more secure SSH package. Even if the server is removed, +it is best to ensure the clients are also removed to prevent users from +inadvertently attempting to use these commands and therefore exposing +their credentials. Note that removing the <tt>rsh</tt> package removes +the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>. +</rationale> +<ident cce="" /> +<oval id="package_rsh_removed" /> +<tested by="JL" on="20140530"/> +</Rule>
<Rule id="disable_rlogin" severity="high"> <title>Disable rlogin Service</title> <description>The <tt>rlogin</tt> service, which is available with
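Review bot: The title in the new RHEL/7 rule is misspelled as "Uninstal rsh Package" and should read "Uninstall rsh Package"; the retitled line in the RHEL/6 obsolete.xml hunk carries the same misspelling. The rule is also added with an empty <ident cce="" />, so it ships without a CCE identifier; either fill it in or say in the commit message that the identifier is still to be assigned. The rule text is a verbatim copy of the RHEL/6 rule, while the OVAL check is now shared, so the two copies of the XCCDF prose will need to be kept in sync by hand.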
diff --git a/shared/oval/package_rsh_removed.xml b/shared/oval/package_rsh_removed.xml new file mode 100644 index 0000000..9f739ef --- /dev/null +++ b/shared/oval/package_rsh_removed.xml @@ -0,0 +1,27 @@ +<def-group>
<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_rsh_removed"
- version="1">
<metadata>
<title>Package rsh Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM package rsh should be removed.</description>
<reference source="JL" ref_id="20140530" ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package rsh is removed"
test_ref="test_package_rsh_removed" />
</criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_rsh_removed" version="1"
- comment="package rsh is removed">
- <linux:object object_ref="obj_package_rsh_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_rsh_removed" version="1">
- linux:namersh</linux:name>
- </linux:rpminfo_object>
+</def-group> -- 1.8.3.1
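Review bot: The new shared/oval/package_rsh_removed.xml keeps the header comment "THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT.", yet it differs from the deleted RHEL/6 copy by a second <platform> line for Red Hat Enterprise Linux 7 and a changed <reference source="JL" ref_id="20140530" .../>, which contradicts the comment. Either teach create_package_removed.py to emit both platforms so the shared file stays reproducible from the generator, or drop the "DO NOT EDIT" header from the shared copy so the next editor knows it is maintained by hand.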
ack
----- Original Message -----
From: "Shawn Wells" shawn@redhat.com
To: scap-security-guide@lists.fedorahosted.org
Sent: Saturday, May 31, 2014 4:15:08 AM
Subject: Re: [PATCH] [RHEL/6] Start using package_rsh_removed OVAL check [RHEL/7] Define new XCCDF rule package_rsh_removed [shared] Move the RHEL-6 specific check to be shared one
ack
Thanks, pushed.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team