On 9/28/12 1:17 PM, Michael J. McConachie wrote:
0001-Test-tags-added-to-input-system-software-disk_partit.patch
From 6c89fda05476255dc941b8ebe6c72d989ca3a3b7 Mon Sep 17 00:00:00 2001 From: Michael McConachie michael@redhat.com Date: Fri, 28 Sep 2012 13:17:03 -0400 Subject: [PATCH] Test tags added to input/system/software/disk_partitioning.xml
RHEL6/input/system/software/disk_partitioning.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index e678d61..ef2ef29 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml @@ -38,8 +38,9 @@ Placing <tt>/tmp</tt> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
</rationale> <ident cce="14161-4"/> -<oval id="mount_tmp_own_partition" /> +<oval id="mount_tmp_own_partition"/> <ref nist="CM-6" /> +<tested by="MM" on="20120928"/> </Rule>
<Rule id="partition_for_var"> @@ -59,6 +60,7 @@ world-writable directories, installed by other software packages. <ident cce="14777-7"/> <oval id="mount_var_own_partition" /> <ref nist="CM-6" /> +<tested by="MM" on="20120928"/> </Rule>
<Rule id="partition_for_var_log"> @@ -77,6 +79,7 @@ and other files in <tt>/var/</tt>. <ident cce="14011-1" /> <oval id="mount_var_log_own_partition" /> <ref nist="CM-6, AU-9" /> +<tested by="MM" on="20120928"/> </Rule>
<Rule id="partition_for_var_log_audit"> @@ -98,6 +101,7 @@ of space. <ident cce="14171-3" /> <oval id="mount_var_log_audit_own_partition" /> <ref nist="CM-6, AU-9" disa="137"/> +<tested by="MM" on="20120928"/> </Rule>
<Rule id="partition_for_home"> @@ -118,6 +122,7 @@ users cannot trivially fill partitions used for log or audit data storage. <ident cce="14559-9" /> <oval id="mount_home_own_partition" /> <ref nist="CM-6"/> +<tested by="MM" on="20120928"/> </Rule>
<Group id="partition_encryption" > -- 1.7.11.4
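Review bot: the `-<oval id="mount_tmp_own_partition" />` / `+<oval id="mount_tmp_own_partition"/>` pair in the @@ -38,8 +38,9 @@ hunk is a whitespace-only change that has nothing to do with the subject line, and it leaves the same `<oval ... />` spelling untouched in the four hunks that follow; drop it, or split it into a separate cleanup commit, so the diff records only the tested tags it claims to add.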
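Review bot: `<tested by="MM" on="20120928"/>` in the @@ -59,6 +60,7 @@ hunk (and the three identical additions after it) records who and when but not what was exercised; the commit message should state whether the OVAL definition (mount_var_own_partition here), the check text, or both were run and on what kind of system, especially since the Nack that follows concerns the check-text wording rather than anything these hunks change.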
Nack
OCIL unclear. According to current wording, my system config is compliant:

$ df -h /tmp
Filesystem                    Size  Used Avail Use% Mounted on
/dev/mapper/vg_rhel6-lv_root  5.5G  3.0G  2.2G  58% /
clearly it is not
Hi Shawn,
I see the wording as literal: "Run the following command to verify that /(whateverfs) lives on its own partition:" -- The text in question was automatically generated from the macros that were pushed early last week.
There is nothing below to me that indicates that your system is "compliant" (I am not sure how you determined that). It simply informed you that your /tmp slice lives on "/dev/mapper/vg_rhel6-lv_root" -- which tells you that you aren't compliant with the policy, right?
When I asked the same question, I was told that it was up to the user to interpret the output of the provided texts -- in order to determine if the system in question is compliant, or non-compliant. Not to script the Check Text commands -- to provide a response which then informs the end user how to the response. I started down a similar path (which I think you're also foreseeing) and was asked to curb that for the time being. I was in fact getting a bit too granular, and scripty with the checks that I was writing, which now is a moot point since the macros that were implemented (pretty much) took care of the bulk of the text that we now see in that column, negating and/or erasing what I had provided in the weeks prior - which was more along the lines of what I think you would like to see.
Not sure how you want to handle this one, but that is what I have been told. What would you prefer to do for all of the FS / Slice / LV checks?
Thanks,
MM
On 09/30/2012 02:57 PM, Shawn Wells wrote:
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
I see the wording as literal: "Run the following command to verify that /(whateverfs) lives on its own partition:" -- The text in question was automatically generated from the macros that were pushed early last week.
There is nothing below to me that indicates that your system is "compliant" (I am not sure how you determined that). It simply informed you that your /tmp slice lives on "/dev/mapper/vg_rhel6-lv_root" -- which tells you that you aren't compliant with the policy, right?
Right -- but I think we're after making it a little more obvious.
When I asked the same question, I was told that it was up to the user to interpret the output of the provided texts -- in order to determine if the system in question is compliant, or non-compliant.
Right -- but I think we want to make it a little more obvious.
Not to script the Check Text commands -- to provide a response which then informs the end user how to the response. I started down a similar path (which I think you're also foreseeing) and was asked to curb that for the time being. I was in fact getting a bit too granular, and scripty with the checks that I was writing, which now is a moot point since the macros that were implemented (pretty much) took care of the bulk of the text that we now see in that column, negating and/or erasing what I had provided in the weeks prior - which was more along the lines of what I think you would like to see. Not sure how you want to handle this one, but that is what I have been told. What would you prefer to do for all of the FS / Slice / LV checks?
If you see here: http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel5-table... ...and then look for "V-23739" you can see the approach taken for the RHEL 5 STIG. It's okay, if a bit scripty. The goal is to provide a command that is:
1) easy to enter
2) easy to understand the output of
And this is for humans, not machines. For most of these, the OVAL will get evaluated and that will be just fine.
The approach for the RHEL 5 STIG was okay, but could perhaps be easier. (I'm not asserting, just suggesting.) Please edit the macros if they can be improved.
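The kind of check text the thread is after (a command that is easy to enter and whose output needs no interpretation) could look like the following. This is an added example, not code from the SSG project or from the patch; it assumes only POSIX sh, `df -P` and awk, and the five paths it loops over are the ones the patch tags.

```shell
#!/bin/sh
# Added example, not code from the SSG project or from the patch above: a
# check-text style command for the partition_for_* rules that prints a
# PASS/FAIL verdict instead of leaving the reader to interpret raw df output.
# Only POSIX sh, df -P and awk are used, so it runs on RHEL 6 era tools.

# mount_point_of DF_TEXT: print the "Mounted on" column from the second line
# of `df -P` output (-P keeps one record per line even for long device names).
# Fields 6..NF are joined so a mount point containing spaces comes back whole.
mount_point_of() {
    printf '%s\n' "$1" | awk 'NR == 2 {
        mnt = $6
        for (i = 7; i <= NF; i++) mnt = mnt " " $i
        print mnt
    }'
}

# partition_verdict PATH DF_TEXT: print one line stating whether PATH is its
# own partition. Exit status: 0 own partition, 1 shares a parent's partition,
# 2 no usable df record (path missing or unreadable).
partition_verdict() {
    path=${1%/}; [ -n "$path" ] || path=/      # normalise a trailing slash
    mnt=$(mount_point_of "$2")
    if [ -z "$mnt" ]; then
        echo "$path: ERROR - no df record for this path"; return 2
    elif [ "$mnt" = "$path" ]; then
        echo "$path: PASS - own partition"; return 0
    else
        echo "$path: FAIL - lives on the partition mounted at $mnt"; return 1
    fi
}

# check_own_partition PATH: query the live system and report the verdict.
check_own_partition() {
    partition_verdict "$1" "$(df -P "$1" 2>/dev/null)"
}

# Run as `sh thisfile.sh --run` to check the five paths from the patch.
if [ "${1:-}" = "--run" ]; then
    for p in /tmp /var /var/log /var/log/audit /home; do
        check_own_partition "$p" || true       # keep going after a FAIL
    done
fi
```

Fed the df line from the Nack above, the verdict for /tmp is "FAIL - lives on the partition mounted at /", which is the answer the check text currently leaves the reader to work out.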