[PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
12:53 p.m.
Based on thread:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Decembe...
this patch adds first OVAL check into scap-security-guide/shared/oval directory
and modifies main Makefile wrt to building Fedora packages it to include OVAL
checks directly provided in input/checks directory, together with those linked
from shared/ directory.
For now didn't change the value of <platform> element (didn't implement the
XSLT transformation it to be modified automatically based on underlying system
version content is build at) - will do this in next steps, once we have agreed
on the expected form of test_attestation element.
Passed basic sanity && regression testing on Fedora system.
RHEL-6 content has been intentionally kept intact till the moment, we are sure
about the final shared OVAL check form.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
4:55 a.m.
New subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
Hello folks,
can I go ahead and push this patch upstream?
Right now it doesn't touch RHEL-6 code at all (RHEL-6 can
be attached later via symlinks to existing tests and providing
attestations).
But having this in upstream repo could simplify the approach
to me (not to need to keep two separate local git streams),
and focus on fixing further child bugs which might arise when
trying to implement this (like the already mentioned "platform"
XSLT transformation, checking for presence of attestation for
that platform, the -devel option etc.)
RHEL-6 can start joining this scheme later gradually moving
selected rules they to be used / obtained from the shared directory
(once confirmed for work on RHEL-6 too).
And should this have shown as to be a non-viable way, we can
always return back to the old (OVAL checks pre product) schema
later just by moving the checks and removing the symlinks (whole
/shared content).
Would this be just Fedora specific change, would go ahead and push
(and count with the responsibility that if some issue is found
later, I will need to fix it).
But since it introduces new main directory structure, would
like to have your blessing first / prior doing that.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
----- Original Message -----
From: "Jan Lieskovsky" <jlieskov(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Thursday, December 5, 2013 7:53:22 PM
Subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared
Library Files Have Restrictive
Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
Based on thread:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Decembe...
this patch adds first OVAL check into scap-security-guide/shared/oval
directory
and modifies main Makefile wrt to building Fedora packages it to include OVAL
checks directly provided in input/checks directory, together with those
linked
from shared/ directory.
For now didn't change the value of <platform> element (didn't implement
the
XSLT transformation it to be modified automatically based on underlying
system
version content is build at) - will do this in next steps, once we have
agreed
on the expected form of test_attestation element.
Passed basic sanity && regression testing on Fedora system.
RHEL-6 content has been intentionally kept intact till the moment, we are
sure
about the final shared OVAL check form.
Please review.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
8:31 a.m.
New subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
Ack - pls push
---
Shawn Wells
Director, Innovation Programs
shawn(a)redhat.com | 443.534.0130
@shawndwells
On Dec 6, 2013, at 5:56 AM, Jan Lieskovsky
<jlieskov(a)redhat.com> wrote:
Hello folks,
can I go ahead and push this patch upstream?
Right now it doesn't touch RHEL-6 code at all (RHEL-6 can
be attached later via symlinks to existing tests and providing
attestations).
But having this in upstream repo could simplify the approach
to me (not to need to keep two separate local git streams),
and focus on fixing further child bugs which might arise when
trying to implement this (like the already mentioned "platform"
XSLT transformation, checking for presence of attestation for
that platform, the -devel option etc.)
RHEL-6 can start joining this scheme later gradually moving
selected rules they to be used / obtained from the shared directory
(once confirmed for work on RHEL-6 too).
And should this have shown as to be a non-viable way, we can
always return back to the old (OVAL checks pre product) schema
later just by moving the checks and removing the symlinks (whole
/shared content).
Would this be just Fedora specific change, would go ahead and push
(and count with the responsibility that if some issue is found
later, I will need to fix it).
But since it introduces new main directory structure, would
like to have your blessing first / prior doing that.
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
----- Original Message -----
> From: "Jan Lieskovsky" <jlieskov(a)redhat.com>
> To: scap-security-guide(a)lists.fedorahosted.org
> Sent: Thursday, December 5, 2013 7:53:22 PM
> Subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that
Shared Library Files Have Restrictive
> Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
>
>
> Based on thread:
>
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Decembe...
>
> this patch adds first OVAL check into scap-security-guide/shared/oval
> directory
> and modifies main Makefile wrt to building Fedora packages it to include OVAL
> checks directly provided in input/checks directory, together with those
> linked
> from shared/ directory.
>
> For now didn't change the value of <platform> element (didn't implement
the
> XSLT transformation it to be modified automatically based on underlying
> system
> version content is build at) - will do this in next steps, once we have
> agreed
> on the expected form of test_attestation element.
>
> Passed basic sanity && regression testing on Fedora system.
>
> RHEL-6 content has been intentionally kept intact till the moment, we are
> sure
> about the final shared OVAL check form.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
8:56 a.m.
New subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared Library Files Have Restrictive Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
----- Original Message -----
From: "Shawn Wells" <swells(a)redhat.com>
To: scap-security-guide(a)lists.fedorahosted.org
Sent: Friday, December 6, 2013 3:31:45 PM
Subject: Re: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that Shared
Library Files Have Restrictive
Permissions' rule [was: [PATCH] [RFC] Creating shared bash script directory]
Ack - pls push
Thanks a lot.
Pushed as:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=b8bc...
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
---
Shawn Wells
Director, Innovation Programs
shawn(a)redhat.com | 443.534.0130
@shawndwells
> On Dec 6, 2013, at 5:56 AM, Jan Lieskovsky <jlieskov(a)redhat.com> wrote:
>
> Hello folks,
>
> can I go ahead and push this patch upstream?
>
> Right now it doesn't touch RHEL-6 code at all (RHEL-6 can
> be attached later via symlinks to existing tests and providing
> attestations).
>
> But having this in upstream repo could simplify the approach
> to me (not to need to keep two separate local git streams),
> and focus on fixing further child bugs which might arise when
> trying to implement this (like the already mentioned "platform"
> XSLT transformation, checking for presence of attestation for
> that platform, the -devel option etc.)
>
> RHEL-6 can start joining this scheme later gradually moving
> selected rules they to be used / obtained from the shared directory
> (once confirmed for work on RHEL-6 too).
>
> And should this have shown as to be a non-viable way, we can
> always return back to the old (OVAL checks pre product) schema
> later just by moving the checks and removing the symlinks (whole
> /shared content).
>
> Would this be just Fedora specific change, would go ahead and push
> (and count with the responsibility that if some issue is found
> later, I will need to fix it).
>
> But since it introduces new main directory structure, would
> like to have your blessing first / prior doing that.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> ----- Original Message -----
>> From: "Jan Lieskovsky" <jlieskov(a)redhat.com>
>> To: scap-security-guide(a)lists.fedorahosted.org
>> Sent: Thursday, December 5, 2013 7:53:22 PM
>> Subject: [PATCH] [Shared] Add initial shared OVAL check for 'Verify that
>> Shared Library Files Have Restrictive
>> Permissions' rule [was: [PATCH] [RFC] Creating shared bash script
>> directory]
>>
>>
>> Based on thread:
>>
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-Decembe...
>>
>> this patch adds first OVAL check into scap-security-guide/shared/oval
>> directory
>> and modifies main Makefile wrt to building Fedora packages it to include
>> OVAL
>> checks directly provided in input/checks directory, together with those
>> linked
>> from shared/ directory.
>>
>> For now didn't change the value of <platform> element (didn't
implement
>> the
>> XSLT transformation it to be modified automatically based on underlying
>> system
>> version content is build at) - will do this in next steps, once we have
>> agreed
>> on the expected form of test_attestation element.
>>
>> Passed basic sanity && regression testing on Fedora system.
>>
>> RHEL-6 content has been intentionally kept intact till the moment, we are
>> sure
>> about the final shared OVAL check form.
>>
>> Please review.
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>>
>> _______________________________________________
>> scap-security-guide mailing list
>> scap-security-guide(a)lists.fedorahosted.org
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> _______________________________________________
> scap-security-guide mailing list
> scap-security-guide(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
_______________________________________________
scap-security-guide mailing list
scap-security-guide(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
3845
days inactive
3846
days old
scap-security-guide@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Jan Lieskovsky -
Shawn Wells