This patch adds a particular XCCDF entry (in the appropriate places) to start using the existing package_talk-server_removed.xml OVAL check in RHEL-6 & RHEL-7. It also updates the test attestations for both systems & moves the check to shared.
The corresponding OVAL check & XCCDF definition for the 'package talk removed' case will follow in a separate patch.
Rationale: While neither the talk-server nor the talk package is installed by default on RHEL-6 / RHEL-7 nowadays, there might still be instances where these get installed later, and during a scan of such a system the administrator should be notified that talk services are considered outdated & insecure.
Testing status: The change has been tested on both RHEL-6 and RHEL-7, returning the expected results. Also checked that the particular entry is created in the *-guide.html version of both (RHEL-6, RHEL-7) benchmarks.
Please review.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 6/25/14, 7:09 AM, Jan Lieskovsky wrote:
0001-RHEL-6-RHEL-7-shared-Start-using-package_talk-server.patch
From 718473e795794d38b782815fc5322efa281500db Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Wed, 25 Jun 2014 12:57:13 +0200
Subject: [PATCH] [RHEL/6, RHEL/7, shared] Start using package_talk-server_removed.xml OVAL check by adding appropriate XCCDF entry

Signed-off-by: Jan Lieskovsky <jlieskov@redhat.com>
---
 .../6/input/checks/package_talk-server_removed.xml | 27 +---------------------
 RHEL/6/input/services/obsolete.xml                 | 27 ++++++++++++++++++++++
 .../7/input/checks/package_talk-server_removed.xml |  1 +
 RHEL/7/input/services/obsolete.xml                 | 27 ++++++++++++++++++++++
 shared/oval/package_talk-server_removed.xml        | 26 +++++++++++++++++++++
 5 files changed, 82 insertions(+), 26 deletions(-)
 mode change 100644 => 120000 RHEL/6/input/checks/package_talk-server_removed.xml
 create mode 120000 RHEL/7/input/checks/package_talk-server_removed.xml
 create mode 100644 shared/oval/package_talk-server_removed.xml
diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml b/RHEL/6/input/checks/package_talk-server_removed.xml deleted file mode 100644 index aa51025..0000000 --- a/RHEL/6/input/checks/package_talk-server_removed.xml +++ /dev/null @@ -1,26 +0,0 @@ -<def-group>
<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_talk-server_removed"
- version="1">
<metadata>
<title>Package talk-server Removed</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The RPM package talk-server should be removed.</description>
<reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
</metadata>
<criteria>
<criterion comment="package talk-server is removed"
test_ref="test_package_talk-server_removed" />
</criteria>
</definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_talk-server_removed" version="1"
- comment="package talk-server is removed">
- <linux:object object_ref="obj_package_talk-server_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_talk-server_removed" version="1">
- linux:nametalk-server</linux:name>
- </linux:rpminfo_object>
-</def-group> diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml b/RHEL/6/input/checks/package_talk-server_removed.xml new file mode 120000 index 0000000..b5f3aeb --- /dev/null +++ b/RHEL/6/input/checks/package_talk-server_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_talk-server_removed.xml \ No newline at end of file diff --git a/RHEL/6/input/services/obsolete.xml b/RHEL/6/input/services/obsolete.xml index c2e5b15..b46a912 100644 --- a/RHEL/6/input/services/obsolete.xml +++ b/RHEL/6/input/services/obsolete.xml @@ -396,4 +396,31 @@ server_args = -s /var/lib/tftpboot</pre>
</Rule>
</Group> + +<Group id="talk"> +<title>talk-server and talk</title> +<description> +The talk software makes it possible for users to send and receive messages +across systems through a terminal session. +</description> + +<Rule id="uninstall_talk-server" severity="medium"> +<title>Uninstall talk-server Package</title> +<description> +<package-remove-macro package="talk-server" /> +</description> +<ocil> +<package-check-macro package="talk-server" /> +</ocil> +<rationale> +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the <tt>talk-server</tt> package decreases the +risk of the accidental (or intentional) activation of talk services. +</rationale> +<ident cce="" /> +<oval id="package_talk-server_removed" /> +<tested by="JL" on="20140625"/> +</Rule> + +</Group> </Group> diff --git a/RHEL/7/input/checks/package_talk-server_removed.xml b/RHEL/7/input/checks/package_talk-server_removed.xml new file mode 120000 index 0000000..b5f3aeb --- /dev/null +++ b/RHEL/7/input/checks/package_talk-server_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_talk-server_removed.xml \ No newline at end of file diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml index 888162d..4fd80a0 100644 --- a/RHEL/7/input/services/obsolete.xml +++ b/RHEL/7/input/services/obsolete.xml @@ -350,4 +350,31 @@ server_args = -s /var/lib/tftpboot</pre> </Rule>
</Group> + +<Group id="talk"> +<title>talk-server and talk</title> +<description> +The talk software makes it possible for users to send and receive messages +across systems through a terminal session. +</description> + +<Rule id="uninstall_talk-server" severity="medium"> +<title>Uninstall talk-server Package</title> +<description> +<package-remove-macro package="talk-server" /> +</description> +<ocil> +<package-check-macro package="talk-server" /> +</ocil> +<rationale> +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the <tt>talk-server</tt> package decreases the +risk of the accidental (or intentional) activation of talk services. +</rationale> +<ident cce="" /> +<oval id="package_talk-server_removed" /> +<tested by="JL" on="20140625"/> +</Rule> + +</Group> </Group> diff --git a/shared/oval/package_talk-server_removed.xml b/shared/oval/package_talk-server_removed.xml new file mode 100644 index 0000000..6db2fb8 --- /dev/null +++ b/shared/oval/package_talk-server_removed.xml 
@@ -0,0 +1,26 @@ +<def-group> + <definition class="compliance" id="package_talk-server_removed" version="2"> + <metadata> + <title>Package talk-server Removed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The RPM package talk-server should be removed.</description> + <reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/> + <reference source="JL" red_id="RHEL7_20140625" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package talk-server is removed" + test_ref="test_package_talk-server_removed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="none_exist" + id="test_package_talk-server_removed" version="1" + comment="package talk-server is removed"> + <linux:object object_ref="obj_package_talk-server_removed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> + <linux:name>talk-server</linux:name> + </linux:rpminfo_object> +</def-group> -- 1.8.3.1
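Review bot: the deleted RHEL/6 copy carried the header "THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT." and is replaced by a symlink (mode change 100644 => 120000) into shared/oval that carries no such header. If create_package_removed.py is still run for RHEL/6 it will clobber the symlink with a regenerated RHEL-6-only file, so either teach the generator to skip or target the shared copy, or state in the commit message that the shared file is now hand-maintained. The relative path ../../../../shared/oval/package_talk-server_removed.xml resolves correctly from RHEL/6/input/checks and, at the same depth, from RHEL/7/input/checks.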
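Review bot: in the RHEL/6/input/services/obsolete.xml hunk the new uninstall_talk-server Rule ships with `<ident cce="" />`, an empty identifier; either assign the CCE or leave the element out until one is allocated. The new Group is titled "talk-server and talk" but contains only the talk-server Rule, and the message says the talk Rule will come in a separate patch, so the title promises more than the Group currently delivers.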
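Review bot: the RHEL/7/input/services/obsolete.xml hunk is byte-identical to the RHEL/6 one (same Group, Rule, rationale, empty `<ident cce="" />` and `<tested by="JL" on="20140625"/>`), so the XCCDF text is now duplicated in two trees while the OVAL it references was moved to shared; consider hoisting the Group into shared the same way, or at least keep both copies in step when the Group title changes.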
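Review bot: in the shared/oval/package_talk-server_removed.xml hunk the second `<reference>` uses `red_id="RHEL7_20140625"`, a misspelling of `ref_id`, so the RHEL-7 attestation carries no usable identifier and OVAL schema validation will flag the unknown attribute; change it to `<reference source="JL" ref_id="RHEL7_20140625" ref_url="test_attestation"/>`. Bumping the definition to version="2" is right, since the platform list and attestations changed.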
The underlying cause of removing talk is many customers don't want "Messaging Services" or "Chat Services" enabled. To align with this, what do you think of renaming the XCCDF group from "talk and talk-server" to "Chat/Messaging Services"?
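As an added example (not the project's or the author's code), the following Python script reads the shared OVAL definition from the patch above, evaluates its none_exist rpminfo_test against a constructed set of installed packages, and lints the <reference> attributes so the red_id typo is reported; the xmlns:linux declaration on the fragment is an assumption added so it parses stand-alone.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the shared OVAL def-group from the patch. SSG fragments declare
# no namespaces (the build merges them), so xmlns:linux is an assumption added here.
OVAL_DEF = """<def-group xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <definition class="compliance" id="package_talk-server_removed" version="2">
    <metadata>
      <title>Package talk-server Removed</title>
      <reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/>
      <reference source="JL" red_id="RHEL7_20140625" ref_url="test_attestation"/>
    </metadata>
    <criteria>
      <criterion comment="package talk-server is removed" test_ref="test_package_talk-server_removed" />
    </criteria>
  </definition>
  <linux:rpminfo_test check="all" check_existence="none_exist" version="1"
      id="test_package_talk-server_removed" comment="package talk-server is removed">
    <linux:object object_ref="obj_package_talk-server_removed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_package_talk-server_removed" version="1">
    <linux:name>talk-server</linux:name>
  </linux:rpminfo_object>
</def-group>"""

LINUX = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"
REFERENCE_ATTRS = {"source", "ref_id", "ref_url"}  # what OVAL allows on <reference>

def lint_references(xml_text):
    """Return attribute names on <reference> elements that OVAL does not define
    (this is what catches the red_id typo; a scan result would never reveal it)."""
    root = ET.fromstring(xml_text)
    bad = []
    for ref in root.iter("reference"):
        bad.extend(sorted(set(ref.attrib) - REFERENCE_ATTRS))
    return bad

def evaluate(xml_text, installed):
    """Map each rpminfo_test id to True (compliant) / False for a set of installed
    package names; handles none_exist and the default at_least_one_exists."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o.find(LINUX + "name").text
               for o in root.iter(LINUX + "rpminfo_object")}
    results = {}
    for test in root.iter(LINUX + "rpminfo_test"):
        name = objects[test.find(LINUX + "object").get("object_ref")]
        present = name in installed
        wants_absent = test.get("check_existence", "at_least_one_exists") == "none_exist"
        results[test.get("id")] = present != wants_absent  # absent when it must be absent
    return results
```

Run lint_references over every file under shared/oval before a build to catch attribute typos that schema-less merging would otherwise let through.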
----- Original Message -----
From: "Shawn Wells" <shawn@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Sent: Thursday, June 26, 2014 8:35:06 PM
Subject: Re: [RHEL/6, RHEL/7, shared] Start using package_talk-server_removed.xml OVAL check by adding appropriate XCCDF entry
The underlying cause of removing talk is many customers don't want "Messaging Services" or "Chat Services" enabled. To align with this, what do you think of renaming the XCCDF group from "talk and talk-server" to "Chat/Messaging Services"?
Thanks, I updated the title of that group to "Chat/Messaging Services" (retested on both RHEL-6 & RHEL-7) & pushed it to master:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=39dda59... https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=aa6bca1...
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide