Updating RHEL6 check to match RHEL7 style, as submitted by Simon Lukasik on 17-MAR-2014.
Signed-off-by: Shawn Wells shawn@redhat.com --- RHEL/6/input/checks/installed_OS_is_rhel6.xml | 37 ++++++++++++++++--------- 1 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/RHEL/6/input/checks/installed_OS_is_rhel6.xml b/RHEL/6/input/checks/installed_OS_is_rhel6.xml index 7f77491..0c61df5 100644 --- a/RHEL/6/input/checks/installed_OS_is_rhel6.xml +++ b/RHEL/6/input/checks/installed_OS_is_rhel6.xml @@ -14,8 +14,12 @@ <criteria> <criterion comment="Installed operating system is part of the unix family" test_ref="test_unix_family" /> - <criterion comment="Red Hat Enterprise Linux 6 is installed" - test_ref="test_rhel_6" /> + <criteria operator="OR"> + <criterion comment="Red Hat Enterprise Linux 6 Workstation is installed" + test_ref="test_rhel_workstation" /> + <criterion comment="Red Hat Enterprise Linux 6 Server is installed" + test_ref="test_rhel_server" /> + </criteria> </criteria> </definition>
@@ -28,18 +32,25 @@ </ind:family_state> <ind:family_object id="obj_unix_family" version="1" />
- <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-* is version 6" id="test_rhel_6" version="1"> - <linux:object object_ref="obj_rhel_release" /> - <linux:state state_ref="state_rhel_6" /> + <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="test_rhel_workstation" version="1"> + <linux:object object_ref="obj_rhel_workstation" /> + <linux:state state_ref="state_rhel_workstation" /> </linux:rpminfo_test> - <linux:rpminfo_state id="state_rhel_6" version="1"> - <linux:name operation="pattern match">^redhat-release</linux:name> - <linux:version operation="pattern match">^6[^\d]</linux:version> + <linux:rpminfo_state id="state_rhel_workstation" version="1"> + <linux:version operation="pattern match">^6.\d+$</linux:version> </linux:rpminfo_state> - <linux:rpmverifyfile_object id="obj_rhel_release" version="1"> - <!-- Sadly, OVAL cannot do the right query (that is: rpm -q -whatprovides system-release). - Let's check the filename instead. --> - linux:filepath/etc/redhat-release</linux:filepath> - </linux:rpmverifyfile_object> + <linux:rpminfo_object id="obj_rhel_workstation" version="1"> + linux:nameredhat-release-workstation</linux:name> + </linux:rpminfo_object>
+ <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="test_rhel_server" version="1"> + <linux:object object_ref="obj_rhel_server" /> + <linux:state state_ref="state_rhel_server" /> + </linux:rpminfo_test> + <linux:rpminfo_state id="state_rhel_server" version="1"> + <linux:version operation="pattern match">^6.\d+$</linux:version> + </linux:rpminfo_state> + <linux:rpminfo_object id="obj_rhel_server" version="1"> + linux:nameredhat-release-server</linux:name> + </linux:rpminfo_object> </def-group>
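Review bot: the `<linux:version>` pattern `^6.\d+$` introduced in the second hunk (used by both state_rhel_workstation and state_rhel_server) leaves the dot unescaped, so any single character is accepted between the major version and the minor digits; the removed state's `^6[^\d]` at least required a non-digit there. Suggest `^6\.\d+$`. The removed comment ("Sadly, OVAL cannot do the right query (that is: rpm -q -whatprovides system-release). Let's check the filename instead.") was the only explanation of why the check used to match any redhat-release package; a one-line comment on the new rpminfo_object definitions saying that the product-specific release packages are queried instead would keep that rationale in the file.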
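Review bot: the new `<criteria operator="OR">` in the first hunk recognises only the Workstation and Server variants (test_rhel_workstation, test_rhel_server), whereas the removed criterion's test was described as "redhat-release-* is version 6" and matched via /etc/redhat-release; a RHEL 6 host with any other redhat-release-* variant installed now fails the installed_OS_is_rhel6 definition. Either state in the criterion comments that only these two variants are in scope, or add the remaining variants' release packages as further branches of the OR.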
Moving all refine-values to the top of the profile for clarity.
Signed-off-by: Shawn Wells shawn@redhat.com --- RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml | 18 ++++++++++++------ 1 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml index 82408ec..0a6c206 100644 --- a/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml +++ b/RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml @@ -1,6 +1,17 @@ <Profile id="CSCF-RHEL6-MLS"> <title>CSCF RHEL6 MLS Core Baseline</title> -<description> This profile reflects the Centralized Super Computing Facility (CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross domain overlay. This profile should be considered in active development. Additional tailoring will be needed, such as the creation of RBAC roles for production deployment.</description> +<description> This profile reflects the Centralized Super Computing Facility +(CSCF) baseline for Red Hat Enterprise Linux 6. This baseline has received +government ATO through the ICD 503 process, utilizing the CNSSI 1253 cross +domain overlay. This profile should be considered in active development. +Additional tailoring will be needed, such as the creation of RBAC roles +for production deployment.</description> + +<refine-value idref="var_auditd_max_log_file_action" selector="keep_logs" /> +<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="3" /> +<refine-value idref="var_accounts_maximum_age_login_defs" selector="180" /> +<refine-value idref="var_accounts_password_minlen_login_defs" selector="12" /> +<refine-value idref="var_selinux_policy_name" selector="mls" />
<select idref="account_disable_post_pw_expiration" selected="true" /> <select idref="account_temp_expire_date" selected="true" /> @@ -46,7 +57,6 @@ <select idref="configure_auditd_audispd" selected="true" /> <select idref="configure_auditd_max_log_file" selected="true" /> <select idref="configure_auditd_max_log_file_action" selected="true" /> -<refine-value idref="var_auditd_max_log_file_action" selector="keep_logs" /> <select idref="configure_auditd_num_logs" selected="true" /> <select idref="auditd_data_retention_space_left_action" selected="true" /> <select idref="cups_disable_browsing" selected="true" /> @@ -129,7 +139,6 @@ <select idref="mountopt_noexec_on_removable_partitions" selected="true" /> <select idref="mountopt_nosuid_on_removable_partitions" selected="true" /> <select idref="accounts_max_concurrent_login_sessions" selected="true" /> -<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="3" /> <select idref="network_disable_zeroconf" selected="true" /> <select idref="network_ipv6_disable_rpc" selected="true" /> <select idref="network_sniffer_disabled" selected="true" /> @@ -151,9 +160,7 @@ <select idref="partition_for_var_log" selected="true" /> <select idref="partition_for_var_log_audit" selected="true" /> <select idref="accounts_maximum_age_login_defs" selected="true" /> -<refine-value idref="var_accounts_maximum_age_login_defs" selector="180" /> <select idref="accounts_password_minlen_login_defs" selected="true" /> -<refine-value idref="var_accounts_password_minlen_login_defs" selector="12" /> <select idref="password_require_consecrepeat" selected="true" /> <select idref="accounts_password_pam_cracklib_difok" selected="true" /> <select idref="accounts_password_pam_cracklib_dcredit" selected="true" /> 
@@ -221,7 +228,6 @@ <select idref="set_password_hashing_algorithm_libuserconf" selected="true" /> <select idref="set_screensaver_inactivity_timeout" selected="true" /> <select idref="selinux_policytype" selected="true" /> -<refine-value idref="var_selinux_policy_name" selector="mls" /> <select idref="selinux_state" selected="true" /> <select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true" /> <select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true" />
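Review bot: the move is a pure relocation (selectors keep_logs, 3, 180, 12 and mls are unchanged), but the refine-value block now sitting after `<description>` in the first hunk carries no comment tying each variable to the rule it tunes, while the `<select>` lines it used to sit beside (configure_auditd_max_log_file_action, accounts_max_concurrent_login_sessions, accounts_maximum_age_login_defs, accounts_password_minlen_login_defs, selinux_policytype) remain further down; an XML comment above the block naming its purpose would preserve that link for readers. The reflowed description also keeps the stray leading space after the opening tag (`<description> This profile reflects`), harmless but worth trimming while the line is being touched.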
Catching up on mailing list traffic, noticed this issue reported by Michael DeLorenzo & Ronald on 1-APR. Fixing OVAL mapping.
Signed-off-by: Shawn Wells shawn@redhat.com --- RHEL/6/input/system/software/updating.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/system/software/updating.xml b/RHEL/6/input/system/software/updating.xml index aef22ec..46832a6 100644 --- a/RHEL/6/input/system/software/updating.xml +++ b/RHEL/6/input/system/software/updating.xml @@ -69,7 +69,7 @@ installation ensures the authenticity of the software and protects against malicious tampering. </rationale> <ident cce="26709-6" /> -<oval id="yum_gpgcheck_global_activation" /> +<oval id="ensure_gpgcheck_globally_activated" /> <ref nist="SI-7,MA-1(b)" disa="352,663" /> <tested by="MM" on="20120928"/> </Rule>
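Review bot: the `<oval>` reference is renamed to ensure_gpgcheck_globally_activated, but unlike the Fedora patch in this series nothing here adds a RHEL/6/input/checks entry or shared/oval symlink with that id; please confirm the id already resolves in the RHEL 6 build, otherwise the rule carrying `<ident cce="26709-6" />` is left without a check. The `<tested by="MM" on="20120928"/>` marker is kept unchanged although the rule's check mapping changed; consider updating or dropping it.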
Similar to prior patch, but applied to Fedora codebase
Signed-off-by: Shawn Wells shawn@redhat.com --- .../checks/ensure_gpgcheck_globally_activated.xml | 1 + .../checks/yum_gpgcheck_global_activation.xml | 24 -------------------- Fedora/input/system/software/updating.xml | 2 +- shared/oval/ensure_gpgcheck_globally_activated.xml | 1 + 4 files changed, 3 insertions(+), 25 deletions(-) create mode 120000 Fedora/input/checks/ensure_gpgcheck_globally_activated.xml delete mode 100644 Fedora/input/checks/yum_gpgcheck_global_activation.xml
diff --git a/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml b/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml new file mode 120000 index 0000000..1168283 --- /dev/null +++ b/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml @@ -0,0 +1 @@ +../../../shared/oval/ensure_gpgcheck_globally_activated.xml \ No newline at end of file diff --git a/Fedora/input/checks/yum_gpgcheck_global_activation.xml b/Fedora/input/checks/yum_gpgcheck_global_activation.xml deleted file mode 100644 index a313351..0000000 --- a/Fedora/input/checks/yum_gpgcheck_global_activation.xml +++ /dev/null @@ -1,24 +0,0 @@ -<def-group> - <definition class="compliance" id="yum_gpgcheck_global_activation" version="1"> - <metadata> - <title>Ensure Yum gpgcheck Globally Activated</title> - <affected family="unix"> - <platform>Fedora 19</platform> - </affected> - <description>The gpgcheck option should be used to ensure that checking - of an RPM package's signature always occurs prior to its - installation.</description> - </metadata> - <criteria> - <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_yum_gpgcheck_global_activation" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="test_yum_gpgcheck_global_activation" version="1"> - <ind:object object_ref="object_yum_gpgcheck_global_activation" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_yum_gpgcheck_global_activation" comment="gpgcheck set in /etc/yum.conf" version="1"> - ind:filepath/etc/yum.conf</ind:filepath> - <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern> - <ind:instance datatype="int" operation="equals">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/Fedora/input/system/software/updating.xml b/Fedora/input/system/software/updating.xml index 84de806..1fb7512 100644 
--- a/Fedora/input/system/software/updating.xml +++ b/Fedora/input/system/software/updating.xml @@ -38,7 +38,7 @@ Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. </rationale> -<oval id="yum_gpgcheck_global_activation" /> +<oval id="ensure_gpgcheck_globally_activated" /> <ref nist="SI-7,MA-1(b)" disa="352,663" /> </Rule>
diff --git a/shared/oval/ensure_gpgcheck_globally_activated.xml b/shared/oval/ensure_gpgcheck_globally_activated.xml index e397400..1e87276 100644 --- a/shared/oval/ensure_gpgcheck_globally_activated.xml +++ b/shared/oval/ensure_gpgcheck_globally_activated.xml @@ -5,6 +5,7 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> <platform>Red Hat Enterprise Linux 7</platform> + <platform>Fedora 20</platform> </affected> <description>The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its
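Review bot: the deleted Fedora/input/checks/yum_gpgcheck_global_activation.xml asserted `^\s*gpgcheck\s*=\s*1\s*$` in /etc/yum.conf with `<ind:instance datatype="int" operation="equals">1</ind:instance>`, but the body of the shared definition it is replaced by (shared/oval/ensure_gpgcheck_globally_activated.xml) is not in the diff; please confirm the shared test enforces the same condition so the Fedora rule does not silently weaken. The new symlink depth (`../../../shared/oval/...` from Fedora/input/checks) is consistent with the four-level `../../../../shared/oval/...` links used from RHEL/7/input/checks elsewhere in the series.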
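Review bot: in the shared/oval/ensure_gpgcheck_globally_activated.xml hunk only `<platform>Fedora 20</platform>` is added, while the deleted Fedora check declared `<platform>Fedora 19</platform>`; Fedora 19 is therefore no longer declared as an affected platform anywhere. If that is intentional the commit message should say so; otherwise add a Fedora 19 platform line alongside the Fedora 20 one.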
As identified by Maura and Jan on 1-APR, RHEL7 doesn't use cracklib (but instead pam_pwquality). Removing the cracklib checks from RHEL7 now; longer term we'll review creating a consolidated check or net-new for RHEL7.
Signed-off-by: Shawn Wells shawn@redhat.com --- .../accounts_password_pam_cracklib_dcredit.xml | 1 - .../accounts_password_pam_cracklib_difok.xml | 1 - .../accounts_password_pam_cracklib_lcredit.xml | 1 - .../accounts_password_pam_cracklib_ocredit.xml | 1 - .../accounts_password_pam_cracklib_retry.xml | 1 - .../accounts_password_pam_cracklib_ucredit.xml | 1 - .../accounts_password_pam_cracklib_dcredit.xml | 1 - .../accounts_password_pam_cracklib_lcredit.xml | 1 - .../accounts_password_pam_cracklib_ocredit.xml | 1 - .../oval/accounts_password_pam_cracklib_retry.xml | 1 - .../accounts_password_pam_cracklib_ucredit.xml | 1 - 11 files changed, 0 insertions(+), 11 deletions(-) delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_dcredit.xml delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_difok.xml delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_ocredit.xml delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_retry.xml delete mode 120000 RHEL/7/input/checks/accounts_password_pam_cracklib_ucredit.xml
diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_dcredit.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_dcredit.xml deleted file mode 120000 index 2c6ed77..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_dcredit.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_dcredit.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_difok.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_difok.xml deleted file mode 120000 index ca78167..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_difok.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_difok.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml deleted file mode 120000 index 7e6ba85..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_lcredit.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_lcredit.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_ocredit.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_ocredit.xml deleted file mode 120000 index 6355aa0..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_ocredit.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_ocredit.xml \ No newline at end of file diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_retry.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_retry.xml deleted file mode 120000 index 6480704..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_retry.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_retry.xml \ No newline at end of file 
diff --git a/RHEL/7/input/checks/accounts_password_pam_cracklib_ucredit.xml b/RHEL/7/input/checks/accounts_password_pam_cracklib_ucredit.xml deleted file mode 120000 index 7aa3ff4..0000000 --- a/RHEL/7/input/checks/accounts_password_pam_cracklib_ucredit.xml +++ /dev/null @@ -1 +0,0 @@ -../../../../shared/oval/accounts_password_pam_cracklib_ucredit.xml \ No newline at end of file diff --git a/shared/oval/accounts_password_pam_cracklib_dcredit.xml b/shared/oval/accounts_password_pam_cracklib_dcredit.xml index b86836f..d0e8093 100644 --- a/shared/oval/accounts_password_pam_cracklib_dcredit.xml +++ b/shared/oval/accounts_password_pam_cracklib_dcredit.xml @@ -4,7 +4,6 @@ <title>Set Password dcredit Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> - <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password dcredit should meet minimum requirements using pam_cracklib</description> diff --git a/shared/oval/accounts_password_pam_cracklib_lcredit.xml b/shared/oval/accounts_password_pam_cracklib_lcredit.xml index bd0bb33..47306ec 100644 --- a/shared/oval/accounts_password_pam_cracklib_lcredit.xml +++ b/shared/oval/accounts_password_pam_cracklib_lcredit.xml @@ -4,7 +4,6 @@ <title>Set Password lcredit Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> - <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password lcredit should meet minimum requirements using pam_cracklib</description> diff --git a/shared/oval/accounts_password_pam_cracklib_ocredit.xml b/shared/oval/accounts_password_pam_cracklib_ocredit.xml index e4077ac..8a3c115 100644 --- a/shared/oval/accounts_password_pam_cracklib_ocredit.xml +++ b/shared/oval/accounts_password_pam_cracklib_ocredit.xml 
@@ -4,7 +4,6 @@ <title>Set Password ocredit Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> - <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password ocredit should meet minimum requirements using pam_cracklib</description> diff --git a/shared/oval/accounts_password_pam_cracklib_retry.xml b/shared/oval/accounts_password_pam_cracklib_retry.xml index 70f5a5b..175b55c 100644 --- a/shared/oval/accounts_password_pam_cracklib_retry.xml +++ b/shared/oval/accounts_password_pam_cracklib_retry.xml @@ -4,7 +4,6 @@ <title>Set Password retry Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> - <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password retry should meet minimum requirements using pam_cracklib</description> diff --git a/shared/oval/accounts_password_pam_cracklib_ucredit.xml b/shared/oval/accounts_password_pam_cracklib_ucredit.xml index 3d4de0e..e6151e7 100644 --- a/shared/oval/accounts_password_pam_cracklib_ucredit.xml +++ b/shared/oval/accounts_password_pam_cracklib_ucredit.xml @@ -4,7 +4,6 @@ <title>Set Password ucredit Requirements</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> - <platform>Red Hat Enterprise Linux 7</platform> </affected> <description>The password ucredit should meet minimum requirements using pam_cracklib</description>
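Review bot: the diffstat lists eleven files, six RHEL/7 symlinks removed and five shared/oval definitions edited (dcredit, lcredit, ocredit, retry, ucredit), but shared/oval/accounts_password_pam_cracklib_difok.xml is not touched even though its RHEL/7 symlink is deleted; if that definition's `<affected>` also lists Red Hat Enterprise Linux 7, it needs the same `<platform>` removal as the other five for consistency. The RHEL 7 XCCDF rules that referenced these six checks are not in the patch either; please confirm they are already absent or removed separately so the RHEL 7 build does not point at deleted check files.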
These look excellent - ack to the patch set!
On Sun, May 11, 2014 at 9:30 PM, Shawn Wells shawn@redhat.com wrote:
Updating RHEL6 check to match RHEL7 style, as submitted by Simon Lukasik on 17-MAR-2014.
Signed-off-by: Shawn Wells shawn@redhat.com
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
On 5/12/14, 9:13 PM, David Smith wrote:
These look excellent - ack to the patch set!
pushed
https://fedorahosted.org/scap-security-guide/changeset/f1a0d1382e0c16c051325...
https://fedorahosted.org/scap-security-guide/changeset/254a85515a974ed75298e...
https://fedorahosted.org/scap-security-guide/changeset/623ae6f651f572ad264c2...
https://fedorahosted.org/scap-security-guide/changeset/12348c7fa953a1284ee00...
https://fedorahosted.org/scap-security-guide/changeset/473292d759a98869cdceb...
https://fedorahosted.org/scap-security-guide/changeset/dfb1037ccfd38af2e1a7e...