Hi,
RHEL6/input/checks/templates/packages_installed.csv contains rhn_gpgkey but the real Red Hat release signing key package name is gpg-pubkey. The version and release strings must be used since they specify the key ID and there are usually several versions of gpg-pubkey installed at the same time.
Unless create_package_installed.py and template_package_installed are refactored to support specifying RPM version and release strings this test can't use templating.
Given that the only two packages that can have multiple versions installed are gpg-pubkey and kernel is it worth modifying the templating code to support these special cases?
Thanks, Kenneth
I believe it's more complicated than that. Here's another case of where the XCCDF text simply doesn't align with the OVAL check. (So I appreciate the QA.) And this is an important check since it ensures the system is configured to cryptographically verify the authenticity of updates.
Regarding what the actual check should be: it's not just that a package is installed with that name, it's that it's a Red Hat release key (as indicated in the Rule). Perhaps there is a way to get at the particular package summary name using the rpminfo test. And yes, that would definitely need to be a custom (non-templated) test...
Steve G would know more.
On 09/10/2012 05:25 PM, Kenneth Stailey wrote:
Hi,
RHEL6/input/checks/templates/packages_installed.csv contains rhn_gpgkey but the real Red Hat release signing key package name is gpg-pubkey. The version and release strings must be used since they specify the key ID and there are usually several versions of gpg-pubkey installed at the same time.
Unless create_package_installed.py and template_package_installed are refactored to support specifying RPM version and release strings this test can't use templating.
Given that the only two packages that can have multiple versions installed are gpg-pubkey and kernel is it worth modifying the templating code to support these special cases?
Thanks, Kenneth
On Mon, Sep 10, 2012 at 5:39 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
[...] Regarding what the actual check should be: it's not just that a package is installed with that name, it's that it's a Red Hat release key (as indicated in the Rule). Perhaps there is a way to get at the particular package summary name using the rpminfo test. [...]
The OVAL 5.10.1 Linux definition does not provide a means to examine an RPM package summary.
The OVAL checks provided as USGCB 1.0.5.0 content do not examine the Red Hat release key RPM summary. Instead they confirm that there is a package installed with the name gpg-pubkey and with the version string set to the 32-bits of the Red Hat release key ID and with the release string set to the 32-bits of the Red Hat release key signature date.
Unlike RHEL 5, RHEL 6 comes with an auxiliary key that is used for disaster recovery. For details:
http://www.awe.com/mark/blog/20101111.html https://access.redhat.com/security/team/key/
It seems important to verify that the auxiliary key package is also installed.
Are there issues with continuing to use the (package name, key ID, signature date) combination to specify the release key RPM?
Regards,
Kenneth
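An added example (not part of this thread or of the scap-security-guide content) that applies the same (package name, key ID, signature date) match in Python to constructed `rpm -q gpg-pubkey` output, with the OVAL "only one" semantics of exactly one matching package. It also decodes the release tag as the key's creation date by reading the 32-bit value as a hex Unix epoch, which is my reading of "signature date" above, not something the thread spells out; the query format string and the third, non-Red-Hat key line are assumptions I constructed.

```python
"""Mirror the CCE-14440-2 gpg-pubkey check over `rpm -q` output."""
from datetime import datetime, timezone

# Constructed sample of the output of
#   rpm -q gpg-pubkey --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'
# on a host with the RHEL 6 release key, the auxiliary key, and one
# unrelated vendor key (placeholder values, not a real key).
SAMPLE_RPM_OUTPUT = """\
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-2fa658e0-45700c69
gpg-pubkey-deadbeef-4f000000
"""

# (name, version = key ID, release = signature date) from the thread.
REQUIRED_KEYS = {
    "release": ("gpg-pubkey", "fd431d51", "4ae0493b"),
    "auxiliary": ("gpg-pubkey", "2fa658e0", "45700c69"),
}


def parse_nvr(line):
    """Split 'gpg-pubkey-<version>-<release>' into its three RPM tags."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def installed_packages(rpm_output):
    """All gpg-pubkey NVRs present in the rpm query output."""
    return [parse_nvr(l) for l in rpm_output.splitlines() if l.strip()]


def signature_date(release):
    """Decode the release tag (hex Unix epoch) as an ISO date string."""
    ts = int(release, 16)
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


def check_red_hat_keys(rpm_output):
    """Return {role: bool}; True only when exactly one package matches the
    required NVR, i.e. the OVAL check="only one" semantics."""
    pkgs = installed_packages(rpm_output)
    return {role: pkgs.count(nvr) == 1 for role, nvr in REQUIRED_KEYS.items()}


if __name__ == "__main__":
    for role, nvr in REQUIRED_KEYS.items():
        print(role, "-".join(nvr), "created", signature_date(nvr[2]))
    print(check_red_hat_keys(SAMPLE_RPM_OUTPUT))
```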
On Tuesday, September 11, 2012 01:17:26 PM Kenneth Stailey wrote:
On Mon, Sep 10, 2012 at 5:39 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
The OVAL checks provided as USGCB 1.0.5.0 content do not examine the Red Hat release key RPM summary. Instead they confirm that there is a package installed with the name gpg-pubkey and with the version string set to the 32-bits of the Red Hat release key ID and with the release string set to the 32-bits of the Red Hat release key signature date.
Unlike RHEL 5, RHEL 6 comes with an auxiliary key that is used for disaster recovery. For details:
http://www.awe.com/mark/blog/20101111.html https://access.redhat.com/security/team/key/
It seems important to verify that the auxiliary key package is also installed.
Are there issues with continuing to use the (package name, key ID, signature date) combination to specify the release key RPM?
I think that is the way to go as there is no way to dig any deeper. The gpg-pubkey package appears to be created on demand when you do an rpm --import of the GPG key. That's why the build system is localhost and no source package listed.
But the idea is to work backwards from other packages to these to establish they are all signed with a key.
-Steve
CCE-14440-2 specifies to search the RPM summary tags of all packages named gpg-pubkey for a text string indicating one of them is the Red Hat release key but this is not possible to implement in OVAL 5.10.1.
This implementation builds on the SCAP content provided with USGCB 1.0.5.0 by searching for the Red Hat release key by RPM name, version and release tags. It also confirms that the Red Hat auxiliary key is installed to support this new feature that RHEL 6 has.
Kenneth Stailey (1): Update CCE-14440-2 "Ensure Red Hat GPG Key is Installed"
.../checks/package_red_hat_gpgkeys_installed.xml | 45 ++++++++++++++++++++++ .../input/checks/package_rhn_gpgkey_installed.xml | 25 ------------ .../input/checks/templates/packages_installed.csv | 1 - RHEL6/input/system/software/updating.xml | 2 +- 4 files changed, 46 insertions(+), 27 deletions(-) create mode 100644 RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml delete mode 100644 RHEL6/input/checks/package_rhn_gpgkey_installed.xml
Confirm that RPM packages gpg-pubkey-fd431d51-4ae0493b and gpg-pubkey-2fa658e0-45700c69 are installed. The Red Hat release key package is gpg-pubkey-fd431d51-4ae0493b. The Red Hat auxiliary key package is gpg-pubkey-2fa658e0-45700c69.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com --- .../checks/package_red_hat_gpgkeys_installed.xml | 45 ++++++++++++++++++++++ .../input/checks/package_rhn_gpgkey_installed.xml | 25 ------------ .../input/checks/templates/packages_installed.csv | 1 - RHEL6/input/system/software/updating.xml | 2 +- 4 files changed, 46 insertions(+), 27 deletions(-) create mode 100644 RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml delete mode 100644 RHEL6/input/checks/package_rhn_gpgkey_installed.xml
diff --git a/RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml b/RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml new file mode 100644 index 0000000..ccdeb89 --- /dev/null +++ b/RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml 
@@ -0,0 +1,45 @@ +<def-group> + <definition class="compliance" id="package_red_hat_gpgkeys_installed" + version="1"> + <metadata> + <title>Red Hat Release and Auxiliary gpg-pubkey Packages Installed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The Red Hat release and auxiliary key packages are required to be installed.</description> + </metadata> + <criteria comment="packages gpg-pubkey-fd431d51-4ae0493b and gpg-pubkey-2fa658e0-45700c69 are installed" + operator="AND"> + <criterion comment="package gpg-pubkey-fd431d51-4ae0493b is installed" + test_ref="test_package_gpgkey-fd431d51-4ae0493b_installed" /> + <criterion comment="package gpg-pubkey-2fa658e0-45700c69 is installed" + test_ref="test_package_gpgkey-2fa658e0-45700c69_installed" /> + </criteria> + </definition> + <linux:rpminfo_test check="only one" check_existence="any_exist" + id="test_package_gpgkey-fd431d51-4ae0493b_installed" version="1" + comment="Red Hat release key package is installed"> + <linux:object object_ref="obj_package_gpg-pubkey" /> + <linux:state state_ref="state_package_gpg-pubkey" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_gpg-pubkey" version="1"> + linux:namegpg-pubkey</linux:name> + </linux:rpminfo_object> + <linux:rpminfo_state id="state_package_gpg-pubkey" version="1"> + linux:release4ae0493b</linux:release> + linux:versionfd431d51</linux:version> + </linux:rpminfo_state> + <linux:rpminfo_test check="only one" check_existence="any_exist" + id="test_package_gpgkey-2fa658e0-45700c69_installed" version="1" + comment="Red Hat auxiliary key package is installed"> + <linux:object object_ref="obj_package_gpg-pubkey" /> + <linux:state state_ref="state_package_gpg-pubkey" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_gpg-pubkey" version="1"> + linux:namegpg-pubkey</linux:name> + </linux:rpminfo_object> + <linux:rpminfo_state id="state_package_gpg-pubkey" version="1"> + 
linux:release2fa658e0</linux:release> + linux:version45700c69</linux:version> + </linux:rpminfo_state> +</def-group> diff --git a/RHEL6/input/checks/package_rhn_gpgkey_installed.xml b/RHEL6/input/checks/package_rhn_gpgkey_installed.xml deleted file mode 100644 index 9628434..0000000 --- a/RHEL6/input/checks/package_rhn_gpgkey_installed.xml +++ /dev/null @@ -1,25 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_rhn_gpgkey_installed" - version="1"> - <metadata> - <title>Package rhn_gpgkey Installed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package rhn_gpgkey should be installed.</description> - </metadata> - <criteria> - <criterion comment="package rhn_gpgkey is installed" - test_ref="test_package_rhn_gpgkey_installed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="all_exist" - id="test_package_rhn_gpgkey_installed" version="1" - comment="package rhn_gpgkey is installed"> - <linux:object object_ref="obj_package_rhn_gpgkey" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_rhn_gpgkey" version="1"> - linux:namerhn_gpgkey</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL6/input/checks/templates/packages_installed.csv b/RHEL6/input/checks/templates/packages_installed.csv index 0028011..2a9fe8b 100644 --- a/RHEL6/input/checks/templates/packages_installed.csv +++ b/RHEL6/input/checks/templates/packages_installed.csv @@ -13,7 +13,6 @@ openswan policycoreutils postfix psacct -rhn_gpgkey rsyslog vlock vsftpd diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index 2670147..b43e21f 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml 
@@ -37,7 +37,7 @@ This key is necessary to cryptographically verify that packages are from Red Hat. </rationale> <ident cce="14440-2"/> -<oval id="package_rhn_gpgkey_installed" /> +<oval id="package_red_hat_gpgkeys_installed" /> <ref nist="SI-2, SI-7, SC-13"/> </Rule>
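Review bot: in the new package_red_hat_gpgkeys_installed.xml both rpminfo_object elements carry id="obj_package_gpg-pubkey" and both rpminfo_state elements carry id="state_package_gpg-pubkey", so the document has duplicate OVAL ids, and both tests reference the same object_ref/state_ref; the auxiliary-key test therefore cannot reach the state holding release 2fa658e0 / version 45700c69 and is effectively a second copy of the release-key test. Keep a single rpminfo_object for name gpg-pubkey and give the two states distinct ids, e.g. `<linux:rpminfo_state id="state_package_gpg-pubkey-fd431d51-4ae0493b" version="1">` and `<linux:rpminfo_state id="state_package_gpg-pubkey-2fa658e0-45700c69" version="1">`, with each test's state_ref updated to match.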
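Review bot: the rationale context immediately above the changed <oval> line in updating.xml still says "This key is necessary to cryptographically verify that packages are from Red Hat" (singular), while the definition it now references requires both the release key and the auxiliary key; update the rationale to name both keys so the Rule text matches what package_red_hat_gpgkeys_installed actually checks.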
This seems right to me. I'd prefer having Steve or Peter comment on whether this is The Right Way To Check, but it's certainly an improvement (which makes it good enough to commit in my book, so you've got an ACK, and then we can change if so told.)
On 09/12/2012 12:30 PM, Kenneth Stailey wrote:
CCE-14440-2 specifies to search the RPM summary tags of all packages named gpg-pubkey for a text string indicating one of them is the Red Hat release key but this is not possible to implement in OVAL 5.10.1.
This implementation builds on the SCAP content provided with USGCB 1.0.5.0 by searching for the Red Hat release key by RPM name, version and release tags. It also confirms that the Red Hat auxiliary key is installed to support this new feature that RHEL 6 has.
Kenneth Stailey (1): Update CCE-14440-2 "Ensure Red Hat GPG Key is Installed"
.../checks/package_red_hat_gpgkeys_installed.xml | 45 ++++++++++++++++++++++ .../input/checks/package_rhn_gpgkey_installed.xml | 25 ------------ .../input/checks/templates/packages_installed.csv | 1 - RHEL6/input/system/software/updating.xml | 2 +- 4 files changed, 46 insertions(+), 27 deletions(-) create mode 100644 RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml delete mode 100644 RHEL6/input/checks/package_rhn_gpgkey_installed.xml
On Thursday, September 13, 2012 04:07:06 PM Jeffrey Blank wrote:
This seems right to me. I'd prefer having Steve or Peter comment on whether this is The Right Way To Check, but it's certainly an improvement (which makes it good enough to commit in my book, so you've got an ACK, and then we can change if so told.)
Checking for the rpm name is as good as it gets. :-)
-Steve
On 09/12/2012 12:30 PM, Kenneth Stailey wrote:
CCE-14440-2 specifies to search the RPM summary tags of all packages named gpg-pubkey for a text string indicating one of them is the Red Hat release key but this is not possible to implement in OVAL 5.10.1.
This implementation builds on the SCAP content provided with USGCB 1.0.5.0 by searching for the Red Hat release key by RPM name, version and release tags. It also confirms that the Red Hat auxiliary key is installed to support this new feature that RHEL 6 has.
Kenneth Stailey (1): Update CCE-14440-2 "Ensure Red Hat GPG Key is Installed"
.../checks/package_red_hat_gpgkeys_installed.xml | 45 ++++++++++++++++++++++ .../input/checks/package_rhn_gpgkey_installed.xml | 25 ------------ .../input/checks/templates/packages_installed.csv | 1 - RHEL6/input/system/software/updating.xml | 2 +- 4 files changed, 46 insertions(+), 27 deletions(-) create mode 100644 RHEL6/input/checks/package_red_hat_gpgkeys_installed.xml delete mode 100644 RHEL6/input/checks/package_rhn_gpgkey_installed.xml