added several OCIL checks
David Smith (1): additional OCIL checks
 RHEL6/input/services/ldap.xml               |  7 +++++++
 RHEL6/input/services/nfs.xml                | 25 +++++++++++++++++++++++++
 RHEL6/input/services/ntp.xml                |  8 ++++++++
 RHEL6/input/services/ssh.xml                |  6 ++++++
 RHEL6/input/system/logging.xml              |  5 ++---
 RHEL6/input/system/permissions/mounting.xml |  6 ++++++
 6 files changed, 54 insertions(+), 3 deletions(-)

Signed-off-by: David Smith <dsmith@eclipse.ncsc.mil>
---
 RHEL6/input/services/ldap.xml               |  7 +++++++
 RHEL6/input/services/nfs.xml                | 25 +++++++++++++++++++++++++
 RHEL6/input/services/ntp.xml                |  8 ++++++++
 RHEL6/input/services/ssh.xml                |  6 ++++++
 RHEL6/input/system/logging.xml              |  5 ++---
 RHEL6/input/system/permissions/mounting.xml |  6 ++++++
 6 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index de3a552..7081ba5 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml @@ -85,6 +85,13 @@ machines. It is needed only by the OpenLDAP server, not by the clients which use LDAP for authentication. If the system is not intended for use as an LDAP Server it should be removed. </description> +<ocil clause="it does not"> +To verify the <tt>openldap-servers</tt> package is not installed, +run the following command: +<pre>$ rpm -q openldap-servers</pre> +The output should show: +<pre>package openldap-servers is not installed</pre> +</ocil> <ident cce="3501-4" /> <oval id="package_openldap-servers_removed" /> <ref nist="CM-6, CM-7" /> diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index 758c494..e72bc71 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml 
@@ -203,6 +203,20 @@ There is no need to run the NFS server daemons <tt>nfs</tt> and <tt>rpcsvcgssd</ <description>The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled. <service-disable-macro service="nfs" /> </description> +<ocil clause="it does not"> +It is prudent to ensure the <tt>nfs</tt> service is disabled in system boot, as well as +not currently running. First, run the following to verify the service is stopped: +<pre>$ service nfs status</pre> +If the service is stopped or disabled, it will return the following: +<pre>rpc.svcgssd is stopped +rpc.mountd is stopped +nfsd is stopped +rpc.rquotad is stopped</pre> +To verify that the <tt>nfs</tt> service is disabled, run the following command: +<pre>$ chkconfig --list nfs</pre> +If properly configured, the output should look like: +<pre>nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre> +</ocil> <ident cce="4473-5" /> <oval id="service_nfs_disabled" /> </Rule> 
@@ -212,6 +226,17 @@ There is no need to run the NFS server daemons <tt>nfs</tt> and <tt>rpcsvcgssd</ <description>The rpcsvcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. <service-disable-macro service="rpcsvcgssd" /> </description> +<ocil clause="it does not"> +It is prudent to ensure the <tt>rpcsvcgssd</tt> service is disabled in system boot, as well as +not currently running. First, run the following to verify the service is stopped: +<pre>$ service rpcsvcgssd status</pre> +If the service is stopped or disabled, it will return the following: +<pre>rpc.svcgssd is stopped</pre> +To verify that the <tt>rpcsvcgssd</tt> service is disabled, run the following command: +<pre>$ chkconfig --list rpcsvcgssd</pre> +If properly configured, the output should look like: +<pre>rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre> +</ocil> <ident cce="4491-7" /> <oval id="service_rpcsvcgssd_disabled" /> </Rule> diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml index b3991ba..896ce33 100644 --- a/RHEL6/input/services/ntp.xml +++ b/RHEL6/input/services/ntp.xml 
@@ -59,6 +59,14 @@ substituting the IP or hostname of a remote NTP server for <em>ntpserver</em>: This instructs the NTP software to contact that remote server to obtain time data. </description> +<ocil clause="this is not the case"> +A remote NTP server should be configured for time synchronization. To verify that +one is configured, open the following file: +<pre>/etc/ntp.conf</pre> +In the file, there should be a section similar to the following: +<pre># --- OUR TIMESERVERS ----- +server <i>ntpserver</i></pre> +</ocil> <rationale> Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index 9bbab3a..4370eb8 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml @@ -341,6 +341,12 @@ may not support CTR mode. This may become an issue if, for example, these systems need to retrieve files from your SSH server using SFTP. TODO: Need to investigate current status of this. Earlier issues with CBC were supposed to be fixed.</description> +<ocil clause="that is not the case"> +Only FIPS-approved ciphers should be used. To verify that only FIPS-approved +ciphers are in use, run the following command: +<pre>$ grep Ciphers /etc/ssh/sshd_config</pre> +The output should contain only those ciphers which are FIPS-approved. +</ocil> <rationale> Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance. diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index 564b811..eb3c2cf 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -358,7 +358,7 @@ Note that <tt>logrotate</tt> is run nightly by the cron job rotated more often than once a day, some other mechanism must be used.</description>
-<Rule id="ensure_logrotate_activated"> +<!-- <Rule id="ensure_logrotate_activated"> <title>Ensure Logrotate Runs Periodically</title> <description>The <tt>logrotate</tt> service must be configured to run periodically in order to perform its log rotation function.</description> @@ -366,9 +366,8 @@ periodically in order to perform its log rotation function.</description> that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</rationale> <ident cce="4182-2" /> -<!-- TODO: this needs cleanup --> <ref nist="AU-2, AU-9, CM-6" /> -</Rule> +</Rule> -->
<Rule id="ensure_logrotate_rotates_all_files"> <title>Ensure Logrotate Runs Periodically</title> diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index c52707a..a092bb8 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -130,6 +130,12 @@ If the <tt>autofs</tt> service is not needed to dynamically mount NFS filesystem or removable media, disable the service for all runlevels: <pre># chkconfig --level 0123456 autofs off</pre> </description> +<ocil clause="it does not"> +To verify that the <tt>autofs</tt> service is disabled, run the following command: +<pre>chkconfig --list autofs</pre> +If properly configured, the output should be: +<pre>autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off</pre> +</ocil> <rationale>All filesystems that are required for the successful operation of the system should be explicitly listed in /etc/fstab by and administrator. New filesystems should not be arbitrarily introduced via the automounter.</rationale>
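Review bot: in the ldap.xml hunk the rpm check is written out by hand for what is a plain package-removal rule (oval id package_openldap-servers_removed); the reply on this thread notes that check counterparts of the description macros exist, and using one here keeps the OCIL wording identical across every package-removal rule instead of maintaining a copy per rule. If the hand-written text stays, the expected output `package openldap-servers is not installed` is the exact string rpm prints, so that part is fine as-is.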
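Review bot: the nfs service check (first nfs.xml hunk) is the service-disable boilerplate written out by hand for a rule whose description already uses `<service-disable-macro service="nfs" />`; the parallel check macro mentioned in the reply would generate the `service nfs status` / `chkconfig --list nfs` steps and stop the two from drifting apart. If it stays, two wording points: the opening "It is prudent to ensure ..." sentence is filler and the step should open with the command, and "If the service is stopped or disabled, it will return the following" conflates two different states, since `service nfs status` only reports whether the daemons are running while "disabled" is what the `chkconfig --list nfs` line below establishes; say "stopped" there.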
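Review bot: the rpcsvcgssd hunk is the same service-disable template with the name substituted, so it is the strongest candidate for the check macro rather than a second hand-maintained copy. Note also that its expected `service rpcsvcgssd status` line, `rpc.svcgssd is stopped`, is already one of the four lines the nfs check above expects; that overlap is exactly what a shared macro keeps consistent if either output ever changes.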
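Review bot: the ntp.xml check asks the reader to open /etc/ntp.conf and look for a section keyed on a comment banner (`# --- OUR TIMESERVERS -----`) that carries no configuration meaning; a file without that comment but with a valid `server` line leaves the reader unsure whether to report a finding. Turn it into a command with a concrete expected result, for example `$ grep '^server' /etc/ntp.conf` with the expectation of at least one line naming a remote host, and drop the comment from the expected output. The clause `this is not the case` also does not say what is not the case; a clause that names the condition, such as no remote NTP server being listed, reads better in the generated text.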
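Review bot: `grep Ciphers /etc/ssh/sshd_config` in the ssh.xml hunk is too loose for an OCIL step: unanchored, it also matches comment lines that merely contain the word, so a host with no effective Ciphers directive can still produce output, and "the output should contain only those ciphers which are FIPS-approved" leaves the reader to decide which names qualify. Anchor the match to the start of the line (sshd keywords are case-insensitive, so `grep -i '^Ciphers' /etc/ssh/sshd_config`) and list the permitted cipher names in the expected output, consistent with the CTR discussion in the description immediately above. That description still carries a visible `TODO: Need to investigate current status of this.`, which will render into the guide; worth resolving or moving into an XML comment while touching this rule.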
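Review bot: the logging.xml hunks are unrelated to the subject of the patch ("additional OCIL checks"): they comment out the entire ensure_logrotate_activated rule, which silently drops CCE 4182-2 and its NIST references (AU-2, AU-9, CM-6) from the generated guide, and that deserves its own commit with a message saying why the rule is being retired. Wrapping the rule in `<!-- ... -->` rather than deleting it leaves dead XML in the source, and the fact that the inner `<!-- TODO: this needs cleanup -->` had to be removed in the same hunk (XML comments cannot nest) is a sign that deletion is the cleaner option, since the history is in git. Finally, the next rule, ensure_logrotate_rotates_all_files, keeps the identical title "Ensure Logrotate Runs Periodically"; with the first rule gone, its title should describe what the surviving rule actually checks.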
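Review bot: the autofs check in mounting.xml is inconsistent with the nfs and rpcsvcgssd checks added in the same patch: its `<pre>` lacks the `$ ` prompt the other command blocks use, and it verifies only the boot configuration (`chkconfig --list autofs`) and not whether the service is currently running, whereas the other two service checks do both. Using the same check macro for all three service-disable rules would remove both inconsistencies at once.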
There are macros for some of these (identical to the description macro, but with check inserted). Some of this looks like it was generated from the macro? Want to git-amend (or reset soft) and try the macros?
On 09/27/2012 02:17 PM, David Smith wrote:
Sure; I'll do that right now.
On 09/27/2012 02:55 PM, Jeffrey Blank wrote:
There are macros for some of these (identical to the description macro, but with check inserted). Some of this looks like it was generated from the macro? Want to git-amend (or reset soft) and try the macros?
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Just a quick note to anyone doing QA testing with the fix/check texts: avoid the "Set Deny For Failed Password Attempts" test. The instructions are incorrect; I'll be working on revised instructions in the next day or so.