>From f886bdf2942ff7da5ca18ecff02e063e1337aafb Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sun, 15 Sep 2013 19:05:08 -0400 Subject: [PATCH 16/22] [ticket 393] Updated securetty_root_login_console_only - Updated XCCDF/OVAL namings - filename ->filepath - Added remediation
TESTING: [root@SSG-RHEL6 checks]# ./testcheck.py securetty_root_login_console_only.xml Evaluating with OVAL tempfile : /tmp/securetty_root_login_console_onlyPRqW61.xml Writing results to : /tmp/securetty_root_login_console_onlyPRqW61.xml-results Definition oval:scap-security-guide.testing:def:202: false Evaluation done. [root@SSG-RHEL6 checks]# bash ../fixes/bash/securetty_root_login_console_only.sh [root@SSG-RHEL6 checks]# ./testcheck.py securetty_root_login_console_only.xml Evaluating with OVAL tempfile : /tmp/securetty_root_login_console_onlyCh84Vl.xml Writing results to : /tmp/securetty_root_login_console_onlyCh84Vl.xml-results Definition oval:scap-security-guide.testing:def:202: true Evaluation done.
---
 RHEL6/input/auxiliary/transition_notes.xml | 4 +-
 RHEL6/input/checks/file_permissions_unowned.xml | 38 --------------------
 RHEL6/input/checks/no_files_unowned_by_user.xml | 38 ++++++++++++++++++++
 .../checks/securetty_root_login_console_only.xml | 3 +-
 .../bash/securetty_root_login_console_only.sh | 1 +
 RHEL6/input/profiles/CS2.xml | 4 +-
 RHEL6/input/profiles/common.xml | 4 +-
 RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 6 ++--
 RHEL6/input/profiles/nist-CL-IL-AL.xml | 4 +-
 RHEL6/input/profiles/stig-rhel6-server.xml | 2 +-
 RHEL6/input/profiles/test.xml | 2 +-
 RHEL6/input/profiles/usgcb-rhel6-server.xml | 4 +-
 .../system/accounts/restrictions/root_logins.xml | 2 +-
 13 files changed, 56 insertions(+), 56 deletions(-)
 delete mode 100644 RHEL6/input/checks/file_permissions_unowned.xml
 create mode 100644 RHEL6/input/checks/no_files_unowned_by_user.xml
 create mode 100644 RHEL6/input/fixes/bash/securetty_root_login_console_only.sh
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index d4d4cba..f2e18dd 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -5,7 +5,7 @@
 <note ref="811" auth="GG" rule="service_auditd_enabled">This is covered in RHEL 6 content</note>
-<note ref="778" auth="GG" rule="restrict_root_console_logins">This is covered in RHEL 6 content</note>
+<note ref="778" auth="GG" rule="securetty_root_login_console_only">This is covered in RHEL 6 content</note>
 <note ref="768" auth="GG" rule="">This is not covered in RHEL 6 content</note>
@@ -1560,7 +1560,7 @@ rule=no_hashes_outside_shadow manual=no
 <note ref="22375" auth="KS">
 Check does exist in the RHEL6 prose, it can be automated and the OVAL for it does exist.
-rule=configure_auditd_space_left_action manual=no
+rule=auditd_data_retention_space_left_action manual=no
 </note>
 <note ref="22376,22377" auth="KS">
diff --git a/RHEL6/input/checks/file_permissions_unowned.xml b/RHEL6/input/checks/file_permissions_unowned.xml
deleted file mode 100644
index 5fc8afc..0000000
--- a/RHEL6/input/checks/file_permissions_unowned.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="file_permissions_unowned" version="1">
- <metadata>
- <title>Find files unowned by a user</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>All files should be owned by a
- user</description>
- </metadata>
- <criteria>
- <criterion comment="Check all files and make sure they are owned by a user"
- negate="true"
- test_ref="test_20050" />
- </criteria>
- </definition>
- <unix:file_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
- check="all" comment="files with no user owner"
- id="test_20050" version="1">
- <notes>
- <note>This will enumerate all files on local
- partitions</note>
- </notes>
- <unix:object object_ref="obj_20022" />
- <unix:state state_ref="state_20050" />
- </unix:file_test>
- <unix:file_state comment="Executables with suid set"
- id="state_20050" version="1">
- <unix:user_id datatype="int">0</unix:user_id>
- </unix:file_state>
- <unix:file_object comment="all local files"
- id="obj_20022" version="1">
- <unix:behaviors recurse="symlinks and directories" recurse_file_system="local" />
- <unix:path>/</unix:path>
- <unix:filename operation="pattern match">.*</unix:filename>
- </unix:file_object>
-</def-group>
diff --git a/RHEL6/input/checks/no_files_unowned_by_user.xml b/RHEL6/input/checks/no_files_unowned_by_user.xml
new file mode 100644
index 0000000..5fc8afc
--- /dev/null
+++ b/RHEL6/input/checks/no_files_unowned_by_user.xml
@@ -0,0 +1,38 @@
+<def-group>
+ <definition class="compliance"
+ id="file_permissions_unowned" version="1">
+ <metadata>
+ <title>Find files unowned by a user</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>All files should be owned by a
+ user</description>
+ </metadata>
+ <criteria>
+ <criterion comment="Check all files and make sure they are owned by a user"
+ negate="true"
+ test_ref="test_20050" />
+ </criteria>
+ </definition>
+ <unix:file_test xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
+ check="all" comment="files with no user owner"
+ id="test_20050" version="1">
+ <notes>
+ <note>This will enumerate all files on local
+ partitions</note>
+ </notes>
+ <unix:object object_ref="obj_20022" />
+ <unix:state state_ref="state_20050" />
+ </unix:file_test>
+ <unix:file_state comment="Executables with suid set"
+ id="state_20050" version="1">
+ <unix:user_id datatype="int">0</unix:user_id>
+ </unix:file_state>
+ <unix:file_object comment="all local files"
+ id="obj_20022" version="1">
+ <unix:behaviors recurse="symlinks and directories" recurse_file_system="local" />
+ <unix:path>/</unix:path>
+ <unix:filename operation="pattern match">.*</unix:filename>
+ </unix:file_object>
+</def-group>
diff --git a/RHEL6/input/checks/securetty_root_login_console_only.xml b/RHEL6/input/checks/securetty_root_login_console_only.xml
index 7a686ec..5b0e378 100644
--- a/RHEL6/input/checks/securetty_root_login_console_only.xml
+++ b/RHEL6/input/checks/securetty_root_login_console_only.xml
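Review bot: The definition in the new no_files_unowned_by_user.xml still carries `id="file_permissions_unowned"`, so the check is only renamed on disk; the index line shows the blob (5fc8afc) is byte-identical to the deleted file, and if the build pairs a rule with its OVAL by this id (the sibling rule selected in the profiles is named no_files_unowned_by_group, which suggests that convention), the renamed rule will not pick the check up until the definition reads `id="no_files_unowned_by_user"`. Two further points in the copied content are worth settling before it lands under the new name: the `unix:file_state` comment `Executables with suid set` is left over from another check and does not describe a `user_id` state, and the combination of `check="all"`, a state of `user_id` equal to 0 and `negate="true"` appears to make the definition true whenever some local file is not owned by uid 0, which is not the "every file has an owner" check the title describes. Confirming the intended state (and fixing the comment to match it) would turn this from a rename into a working check.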
@@ -20,8 +20,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="object_virtual_consoles_etc_securetty" version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>securetty</ind:filename>
+ <ind:filepath>/etc/securetty</ind:filepath>
 <ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
diff --git a/RHEL6/input/fixes/bash/securetty_root_login_console_only.sh b/RHEL6/input/fixes/bash/securetty_root_login_console_only.sh
new file mode 100644
index 0000000..2d1dd44
--- /dev/null
+++ b/RHEL6/input/fixes/bash/securetty_root_login_console_only.sh
@@ -0,0 +1 @@
+sed -i '/^vc\//d' /etc/securetty
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 84329b4..57651e7 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -145,7 +145,7 @@
 <select idref="audit_media_exports" selected="true"/>
 <select idref="audit_file_deletions" selected="true"/>
-<select idref="restrict_root_console_logins" selected="true" />
+<select idref="securetty_root_login_console_only" selected="true" />
 <select idref="no_direct_root_logins" selected="true" />
 <select idref="userowner_shadow_file" selected="true"/>
@@ -174,7 +174,7 @@
 <select idref="service_restorecond_enabled" selected="true" />
 <select idref="selinux_confinement_of_daemons" selected="true" />
-<select idref="selinux_unlabeled_device_files" selected="true"/>
+<select idref="selinux_all_devicefiles_labeled" selected="true"/>
 <select idref="set_selinux_state" selected="true"/>
 <select idref="set_selinux_policy" selected="true"/>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index dc6cd10..6c6aa07 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
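Review bot: The new remediation script runs `sed -i` on /etc/securetty unconditionally, so the file is rewritten even when it contains no `vc/` entry; a no-op fix then still changes the file's inode and mtime and shows up as a modification to file-integrity monitoring (the stig profile in this same patch selects aide_periodic_cron_checking). Guarding the edit, `grep -q '^vc/' /etc/securetty && sed -i '/^vc\//d' /etc/securetty`, keeps repeated runs from touching a file that already complies. The sed address `^vc\/` is also broader than the `^vc/[0-9]+$` pattern the OVAL object in the hunk above looks for, which is acceptable for a remediation but deserves a one-line comment in the script stating that every vc/ entry is removed on purpose.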
@@ -16,8 +16,8 @@
 <select idref="no_rsh_trust_files" selected="true"/>
 <select idref="set_selinux_state" selected="true"/>
 <select idref="set_selinux_policy" selected="true"/>
-<select idref="selinux_unlabeled_device_files" selected="true"/>
-<select idref="restrict_root_console_logins" selected="true"/>
+<select idref="selinux_all_devicefiles_labeled" selected="true"/>
+<select idref="securetty_root_login_console_only" selected="true"/>
 <select idref="restrict_serial_port_logins" selected="true"/>
 <select idref="no_shelllogin_for_systemaccounts" selected="true"/>
 <select idref="no_empty_passwords" selected="true"/>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index d50a06d..afe5f47 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
@@ -61,7 +61,7 @@
 <select idref="no_files_unowned_by_group" selected="true" />
 <select idref="world_writable_files_system_ownership" selected="true" />
 <select idref="selinux_confinement_of_daemons" selected="true" />
-<select idref="selinux_unlabeled_device_files" selected="true" />
+<select idref="selinux_all_devicefiles_labeled" selected="true" />
 <select idref="userowner_rsyslog_files" selected="true" />
 <select idref="groupowner_rsyslog_files" selected="true" />
 <select idref="audit_logs_permissions" selected="true" />
@@ -71,7 +71,7 @@
 <select idref="rpm_verify_permissions" selected="true" />
 <!-- AC-6(2) -->
-<select idref="restrict_root_console_logins" selected="true" />
+<select idref="securetty_root_login_console_only" selected="true" />
 <select idref="restrict_serial_port_logins" selected="true" />
 <!-- AC-7(a)
@@ -193,7 +193,7 @@
 <select idref="configure_auditd_num_logs" selected="true" />
 <select idref="configure_auditd_max_log_file" selected="true" />
 <select idref="configure_auditd_max_log_file_action" selected="true" />
-<select idref="configure_auditd_space_left_action" selected="true" />
+<select idref="auditd_data_retention_space_left_action" selected="true" />
 <refine-value idref="var_auditd_admin_space_left_action" selector="halt" />
 <select idref="auditd_data_retention_admin_space_left_action" selected="true" />
 <select idref="configure_auditd_action_mail_acct" selected="true" />
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index a85fc15..28e65dc 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -161,7 +161,7 @@ assurance."</description>
 <select idref="groupowner_rsyslog_files" selected="true" \>
 <!-- AC-6(2) -->
-<select idref="restrict_root_console_logins" selected="true" \>
+<select idref="securetty_root_login_console_only" selected="true" \>
 <select idref="restrict_serial_port_logins" selected="true" \>
 <select idref="sshd_disable_root_login" selected="true" \>
@@ -267,7 +267,7 @@ assurance."</description>
 <select idref="configure_auditd_num_logs" selected="true" \>
 <select idref="configure_auditd_max_log_file" selected="true" \>
 <select idref="configure_auditd_max_log_file_action" selected="true" \>
-<select idref="configure_auditd_space_left_action" selected="true" \>
+<select idref="auditd_data_retention_space_left_action" selected="true" \>
 <select idref="auditd_data_retention_admin_space_left_action" selected="true" \>
 <select idref="configure_auditd_action_mail_acct" selected="true" \>
 <select idref="configure_auditd_audispd" selected="true" \>
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml
index 2058cdf..2e95ec9 100644
--- a/RHEL6/input/profiles/stig-rhel6-server.xml
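Review bot: The two lines added to nist-CL-IL-AL.xml (the -161 and -267 hunks) end with `\>`, copying the terminator the rest of that file uses; `\>` is not a well-formed XML empty-element tag, which must end in `/>`, so a conforming parser rejects the whole profile at the first such line. Since the commit rewrites these lines anyway, `+<select idref="securetty_root_login_console_only" selected="true" />` and `+<select idref="auditd_data_retention_space_left_action" selected="true" />` would at least make the new lines correct. Whether this profile is fed to the build is not visible here; if it is, the surrounding `\>` lines need the same correction or the rename has no effect.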
+++ b/RHEL6/input/profiles/stig-rhel6-server.xml
@@ -36,7 +36,7 @@
 <select idref="aide_periodic_cron_checking" selected="true"/>
 <select idref="disable_users_coredumps" selected="true"/>
 <select idref="no_insecure_locks_exports" selected="true" />
-<select idref="configure_auditd_space_left_action" selected="true" />
+<select idref="auditd_data_retention_space_left_action" selected="true" />
 <select idref="configure_auditd_action_mail_acct" selected="true" />
 <select idref="kernel_module_bluetooth_disabled" selected="true"/>
diff --git a/RHEL6/input/profiles/test.xml b/RHEL6/input/profiles/test.xml
index e980e04..a729046 100644
--- a/RHEL6/input/profiles/test.xml
+++ b/RHEL6/input/profiles/test.xml
@@ -32,7 +32,7 @@
 <select idref="configure_auditd_num_logs" selected="true"/>
 <select idref="configure_auditd_max_log_file" selected="true"/>
 <select idref="configure_auditd_action_mail_acct" selected="true"/>
-<select idref="configure_auditd_space_left_action" selected="true"/>
+<select idref="auditd_data_retention_space_left_action" selected="true"/>
 <select idref="auditd_data_retention_admin_space_left_action" selected="true"/>
 <select idref="configure_auditd_max_log_file_action" selected="true"/>
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index fd2c857..246931c 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -61,7 +61,7 @@
 <select idref="enable_randomize_va_space" selected="true" />
 <select idref="enable_execshield" selected="true" />
 <select idref="install_PAE_kernel_on_x86" selected="true" />
-<select idref="restrict_root_console_logins" selected="true" /> <!-- slightly different language than rhel5 -->
+<select idref="securetty_root_login_console_only" selected="true" /> <!-- slightly different language than rhel5 -->
 <select idref="restrict_serial_port_logins" selected="true" />
 <select idref="no_empty_passwords" selected="true" />
 <select idref="no_hashes_outside_shadow" selected="true" />
@@ -116,7 +116,7 @@
 <select idref="set_selinux_policy" selected="true" />
 <select idref="enable_selinux_bootloader" selected="true" />
 <select idref="selinux_confinement_of_daemons" selected="true" />
-<select idref="selinux_unlabeled_device_files" selected="true" />
+<select idref="selinux_all_devicefiles_labeled" selected="true" />
 <select idref="sysctl_ipv4_ip_forward" selected="true" />
 <select idref="sysctl_ipv4_all_send_redirects" selected="true" />
 <select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true" />
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 1f2a840..0701ddb 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -54,7 +54,7 @@ and FISMA Moderate systems.
 <tested by="DS" on="20121024"/>
 </Rule>
-<Rule id="restrict_root_console_logins" severity="medium">
+<Rule id="securetty_root_login_console_only" severity="medium">
 <title>Restrict Virtual Console Root Logins</title>
 <description>
 To restrict root logins through the (deprecated) virtual console devices,
-- 
1.7.1
