This is to allow easy generation of "if [clause], this is a finding" or whatever robotic boilerplate text is needed, in the event that your state of compliance is somehow not apparent after performing a manual check.
Jeffrey Blank (4):
  fixes to check text for services
  typo fixes to checks in auditing section
  typo fixes for service checks
  support for including clauses with macro-ized check texts
 RHEL6/input/services/dns.xml                     |  4 +-
 RHEL6/input/services/ftp.xml                     |  6 ++--
 RHEL6/input/services/http.xml                    |  6 ++--
 RHEL6/input/services/obsolete.xml                | 17 +++++++------
 RHEL6/input/services/smb.xml                     |  4 ++-
 RHEL6/input/system/auditing.xml                  |  8 +++---
 RHEL6/transforms/shorthand2xccdf.xslt            | 28 +++++++++++++++++----
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |  2 +-
 8 files changed, 47 insertions(+), 28 deletions(-)
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/services/dns.xml      |  2 +-
 RHEL6/input/services/ftp.xml      |  6 +++---
 RHEL6/input/services/http.xml     |  6 +++---
 RHEL6/input/services/obsolete.xml | 15 ++++++++-------
 RHEL6/input/services/smb.xml      |  4 +++-
 5 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 619f99f..2dbc552 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -37,7 +37,7 @@ implementation flaws and should be disabled if possible. <tt>named</tt> service, run the following command: <pre># yum erase bind</pre> </description> -<ocil><package-remove-macro package="package_bind_removed" /> </ocil> +<ocil><package-check-macro package="bind" /> </ocil> <rationale> If there is no need to make DNS server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml index 1752e4c..7d62c2c 100644 --- a/RHEL6/input/services/ftp.xml +++ b/RHEL6/input/services/ftp.xml @@ -20,7 +20,7 @@ data available to the public.</description> <service-disable-macro service="vsftpd" /> </description> <ocil> -<service-disable-macro service="vsftpd" /> +<service-disable-check-macro service="vsftpd" /> </ocil> <rationale> Running FTP server software provides a network-based avenue @@ -36,10 +36,10 @@ a risk of compromising sensitive information. <Rule id="uninstall_vsftpd"> <title>Uninstall vsftpd Package</title> <description> -<package-remove-macro service="vsftpd" /> +<package-remove-macro package="vsftpd" /> </description> <ocil> -<package-check-macro service="vsftpd" /> +<package-check-macro package="vsftpd" /> </ocil> <rationale> Removing the vsftpd package decreases the risk of its diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 679d32a..2e29a70 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -28,7 +28,7 @@ and removed from the system. <service-disable-macro service="httpd" /> </description> <ocil> -<service-disable-macro service="httpd" /> +<service-disable-check-macro service="httpd" /> </ocil> <rationale> Running web server software provides a network-based avenue 
@@ -42,10 +42,10 @@ of attack, and should be disabled if not needed. <Rule id="uninstall_httpd"> <title>Uninstall httpd Package</title> <description> -<package-remove-macro service="httpd" /> +<package-remove-macro package="httpd" /> </description> <ocil> -<package-check-macro service="httpd" /> +<package-check-macro package="httpd" /> </ocil> <rationale> If there is no need to make the web server software available, diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index c60fd2c..f28f833 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -45,7 +45,7 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> -<ocil><package-remove-macro package="xinetd" /> </ocil> +<ocil><package-check-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. @@ -85,7 +85,7 @@ subject to man-in-the-middle attacks. <description>The <tt>telnet-server</tt> package can be uninstalled with the following command: <pre># yum erase telnet-server</pre></description> -<ocil><package-remove-macro package="telnet-server" /> </ocil> +<ocil><package-check-macro package="telnet-server" /> </ocil> <rationale> Removing the <tt>telnet-server</tt> package decreases the risk of the telnet service's accidental (or intentional) activation. @@ -109,7 +109,7 @@ model.</description> the following command: <pre># yum erase rsh-server</pre> </description> -<ocil><package-remove-macro package="rsh-server" /> </ocil> +<ocil><package-check-macro package="rsh-server" /> </ocil> <rationale>The <tt>rsh-server</tt> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) 
@@ -262,11 +262,12 @@ as a tftp server, which does not provide encryption or authentication.
<Rule id="uninstall_tftp-server"> <title>Uninstall tftp-server Package</title> -<description>The <tt>tftp-server</tt> package can be removed with the following -command: -<pre># yum erase tftp-server</pre> +<description> +<package-remove-macro package="tftp-server" /> </description> -<ocil><package-remove-macro package="tftp-server" /> </ocil> +<ocil> +<package-check-macro package="tftp-server" /> +</ocil> <rationale> Removing the <tt>tftp-server</tt> package decreases the risk of the accidental (or intentional) activation of tftp services. diff --git a/RHEL6/input/services/smb.xml b/RHEL6/input/services/smb.xml index 7c54e33..1f1e05d 100644 --- a/RHEL6/input/services/smb.xml +++ b/RHEL6/input/services/smb.xml @@ -25,7 +25,9 @@ sharing functionality. <description> <service-disable-macro service="smb" /> </description> -<ocil><service-disable-macro service="smb" /></ocil> +<ocil> +<service-disable-check-macro service="smb" /> +</ocil> <rationale> Running a Samba server provides a network-based avenue of attack, and should be disabled if not needed.
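Review bot: the dns.xml hunk fixes the ocil block for bind but leaves the rule description as hand-written prose (the <pre># yum erase bind</pre> line in the context), whereas the tftp-server hunk in obsolete.xml in this same patch replaces that prose with <package-remove-macro package="tftp-server" />. For consistency, the bind, xinetd, telnet-server and rsh-server descriptions touched here could use <package-remove-macro package="..." /> the same way, so that the description and the <ocil> check for each rule are generated from a single package name and cannot drift apart again.

Review bot: the old dns.xml line passed the rule-style identifier package_bind_removed as the package attribute, and the ftp.xml and http.xml hunks fix service="..." being used where package="..." was meant; since the attribute name mismatch is silently ignored by the XSLT (the macro just expands with an empty value), it is worth grepping the other service files for the same two patterns rather than relying on reading the generated guide to spot them.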
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/system/auditing.xml | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 5cdb2ff..a8ebc90 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -471,7 +471,7 @@ desired, but is not required. See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil> -<audit-syscall-check-macro syscall="fchmod" /> +<audit-syscall-check-macro syscall="adjtimex" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that @@ -499,7 +499,7 @@ desired, but is not required. See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil> -<audit-syscall-check-macro syscall="fchmod" /> +<audit-syscall-check-macro syscall="settimeofday" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that @@ -525,7 +525,7 @@ See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil> -<audit-syscall-check-macro syscall="fchmod" /> +<audit-syscall-check-macro syscall="stime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that @@ -553,7 +553,7 @@ desired, but is not required. See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil> -<audit-syscall-check-macro syscall="fchmod" /> +<audit-syscall-check-macro syscall="clock_settime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate nefarious activites in log files as well as to confuse network services that
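Review bot: the rationale text carried in the context lines of all four hunks spells "activites" (should be "activities"); since this patch already touches each of these four rules, fixing that typo in the same commit or a small follow-up would be cheap. The substitutions themselves (adjtimex, settimeofday, stime, clock_settime) match the -k audit_time_rules context each <ocil> sits in, so the copy-pasted syscall="fchmod" checks are correctly replaced, and the manual check text will now tell the reader to look for the syscall the rule is actually about.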
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/services/dns.xml      | 2 +-
 RHEL6/input/services/obsolete.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 2dbc552..f630aed 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -21,7 +21,7 @@ nameservers. <description> <service-disable-macro service="named" /> </description> -<ocil><service-disable-macro service="named" /></ocil> +<ocil><service-disable-check-macro service="named" /></ocil> <rationale> All network services involve some risk of compromise due to implementation flaws and should be disabled if possible. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index f28f833..9484265 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -210,7 +210,7 @@ important authentication information.</description> the following command: <pre># yum erase ypserv</pre> </description> -<ocil><package-remove-macro package="ypserv" /> </ocil> +<ocil><package-check-macro package="ypserv" /> </ocil> <rationale>Removing the <tt>ypserv</tt> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. </rationale>
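Review bot: these two changes (service-disable-check-macro for named, package-check-macro for ypserv) are the same class of fix as patch 1 and touch the same two files; squashing them into patch 1 would keep the series bisectable, with no intermediate commit in which dns.xml has a corrected bind rule next to a still-wrong named rule and obsolete.xml has four corrected package checks next to a wrong ypserv one.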
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/transforms/shorthand2xccdf.xslt            | 28 +++++++++++++++++----
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |  2 +-
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index 82b6769..e046709 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -185,12 +185,28 @@ exclude-result-prefixes="xccdf xhtml"> <xsl:template match="Rule/ocil"> <check> <xsl:attribute name="system">ocil-transitional</xsl:attribute> - <xsl:if test="@clause"> <check-export> - <xsl:attribute name="export-name"><xsl:value-of select="@clause" /></xsl:attribute> + + <xsl:attribute name="export-name"> + <!-- add clauses if specific macros are found within --> + <xsl:if test="sysctl-check-macro">the correct value is not returned</xsl:if> + <xsl:if test="fileperms-check-macro or fileowner-check-macro or filegroupowner-check-macro">it does not</xsl:if> + <xsl:if test="partition-check-macro">no line is returned</xsl:if> + <xsl:if test="service-disable-check-macro">the service is running</xsl:if> + <xsl:if test="service-enable-check-macro">the service is not running</xsl:if> + <xsl:if test="package-check-macro">the package is installed</xsl:if> + <xsl:if test="module-disable-check-macro">no line is returned</xsl:if> + <xsl:if test="audit-syscall-check-macro">no line is returned</xsl:if> + </xsl:attribute> + + <!-- add clause if explicitly specified (and also override any above) --> + <xsl:if test="@clause"> + <xsl:attribute name="export-name"><xsl:value-of select="@clause" /></xsl:attribute> + </xsl:if> + <xsl:attribute name="value-id">conditional_clause</xsl:attribute> </check-export> - </xsl:if> + <!-- add the actual manual checking text --> <check-content> <xsl:apply-templates select="node()"/> </check-content> @@ -224,17 +240,17 @@ exclude-result-prefixes="xccdf xhtml">
<xsl:template match="fileperms-desc-macro"> To properly set the permissions of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: - <xhtml:pre xml:space="preserve"># chmod <xsl:value-of select="@file"/> <xsl:value-of select="@perms"/></xhtml:pre> + <xhtml:pre xml:space="preserve"># chmod <xsl:value-of select="@perms"/> <xsl:value-of select="@file"/></xhtml:pre> </xsl:template>
<xsl:template match="fileowner-desc-macro"> To properly set the owner of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: - <xhtml:pre xml:space="preserve"># chown <xsl:value-of select="@file"/> <xsl:value-of select="@owner"/></xhtml:pre> + <xhtml:pre xml:space="preserve"># chown <xsl:value-of select="@owner"/> <xsl:value-of select="@file"/> </xhtml:pre> </xsl:template>
<xsl:template match="filegroupowner-desc-macro"> To properly set the group owner of xhtml:code<xsl:value-of select="@file"/></xhtml:code>, run the command: - <xhtml:pre xml:space="preserve"># chown <xsl:value-of select="@file"/> <xsl:value-of select="@group"/></xhtml:pre> + <xhtml:pre xml:space="preserve"># chgrp <xsl:value-of select="@group"/> <xsl:value-of select="@file"/> </xhtml:pre> </xsl:template>
<xsl:template match="fileperms-check-macro"> diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index e047cfd..dfa0c80 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -150,7 +150,7 @@ <xsl:if test="@system=$ociltransitional"> <xsl:apply-templates select="cdf:check-content" /> <!-- print clause with "finding" text --> - <xsl:if test="cdf:check-export"> + <xsl:if test="cdf:check-export/@export-name != ''"> <br/>If <xsl:value-of select="cdf:check-export/@export-name" />, this is a finding. </xsl:if> </xsl:if>
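Review bot: in the first shorthand2xccdf.xslt hunk the macro-derived clauses are a run of independent xsl:if tests all writing into the same export-name attribute, so an <ocil> that contains two macros from different tests (for example a sysctl-check-macro next to a partition-check-macro) would emit the concatenated clause "the correct value is not returnedno line is returned". An xsl:choose with one xsl:when per macro, and an xsl:when for @clause placed first, would select exactly one clause and would also remove the reliance on the second xsl:attribute name="export-name" silently replacing the first (legal in XSLT 1.0, but easy to misread as a duplicate attribute).

Review bot: the template now emits a <check-export value-id="conditional_clause"> for every Rule/ocil, including rules with no matching macro and no @clause, which leaves an empty export-name="" in the generated XCCDF and is what forces the cdf:check-export/@export-name != '' test added in xccdf2table-profileccirefs.xslt. Computing the clause into an xsl:variable first and wrapping the whole <check-export> in xsl:if test="string($clause) != ''" would keep empty exports out of the output, so other consumers of the XCCDF do not have to know about the empty-string sentinel.

Review bot: in the fileowner-desc-macro and filegroupowner-desc-macro lines of the second hunk, the new xhtml:pre content ends with a space before </xhtml:pre> (after <xsl:value-of select="@file"/>), and with xml:space="preserve" that trailing space is carried into the rendered command; the chmod line in the same hunk has no trailing space, so the chown and chgrp lines could be made to match it. The argument-order fix itself (mode or owner first, file second) is correct.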
scap-security-guide@lists.fedorahosted.org