Introduce a rule that checks whether the fedora-updates.repo repository is enabled.

While that repository is enabled by default, this rule is required as a prerequisite for the upcoming 'ensure software security patches installed' rule, because if the fedora-updates.repo Yum repository were disabled on a particular system (hopefully no-one is doing this), the 'ensure software security patches installed' rule would subsequently realize there are no security updates available, and might (wrongly) assume / return success. Thus prevent this scenario by explicitly checking the state of fedora-updates.repo.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 1ac92ce880182b0c6f7ccbe06b255a7ef5bf476d Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 3 Oct 2013 16:38:23 +0200 Subject: [PATCH 1/2] [Fedora] Introduce 'Ensure Yum fedora-updates Repository Enabled' rule Signed-off-by: Jan Lieskovsky <[email protected]> --- .../ensure_yum_fedora_updates_repo_enabled.xml | 29 ++++++++++++++++++++++ Fedora/input/guide.xml | 2 +- Fedora/input/profiles/common.xml | 1 + Fedora/input/system/software/updating.xml | 17 +++++++++++++ Fedora/scap-security-guide.spec | 5 +++- 5 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 Fedora/input/checks/ensure_yum_fedora_updates_repo_enabled.xml diff --git a/Fedora/input/checks/ensure_yum_fedora_updates_repo_enabled.xml b/Fedora/input/checks/ensure_yum_fedora_updates_repo_enabled.xml new file mode 100644 index 0000000..4cf8bc8 --- /dev/null +++ b/Fedora/input/checks/ensure_yum_fedora_updates_repo_enabled.xml 
@@ -0,0 +1,29 @@ +<def-group> + <definition class="compliance" id="ensure_yum_fedora_updates_repo_enabled" version="1"> + <metadata> + <title>Ensure Yum fedora-updates Repository Enabled</title> + <affected family="unix"> + <platform>Fedora 19</platform> + </affected> + <description> + Installing software security updates is a fundamental mitigation + against the exploitation of publicly-known vulnerabilities. + + In order to install updates system must be configured to use a + yum server. fedora-updates repository provides package updates + for packages installed on a Fedora system. + </description> + </metadata> + <criteria> + <criterion comment="check value of enabled in /etc/yum.repos.d/fedora-updates.repo" test_ref="test_yum_fedora_updates_repo_enabled" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of enabled in /etc/yum.repos.d/fedora-updates.repo" id="test_yum_fedora_updates_repo_enabled" version="1"> + <ind:object object_ref="object_yum_fedora_updates_repo_enabled" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="object_yum_fedora_updates_repo_enabled" comment="enabled set in /etc/yum.repos.d/fedora-updates.repo" version="1"> + <ind:filepath>/etc/yum.repos.d/fedora-updates.repo</ind:filepath> + <ind:pattern operation="pattern match">^\s*enabled\s*=\s*1\s*$</ind:pattern> + <ind:instance datatype="int" operation="equals">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/Fedora/input/guide.xml b/Fedora/input/guide.xml index c76b795..6e276b1 100644 --- a/Fedora/input/guide.xml +++ b/Fedora/input/guide.xml @@ -36,5 +36,5 @@ trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.</rear-matter> <platform idref="cpe:/o:fedoraproject:fedora:19" /> -<version>0.0.1</version> +<version>0.0.2</version> </Benchmark> 
diff --git a/Fedora/input/profiles/common.xml b/Fedora/input/profiles/common.xml index 18c8f3e..10c1d14 100644 --- a/Fedora/input/profiles/common.xml +++ b/Fedora/input/profiles/common.xml @@ -4,5 +4,6 @@ <select idref="ensure_gpgcheck_globally_activated" selected="true"/> <select idref="ensure_gpgcheck_never_disabled" selected="true"/> +<select idref="ensure_yum_fedora_updates_repo_enabled" selected="true"/> </Profile> diff --git a/Fedora/input/system/software/updating.xml b/Fedora/input/system/software/updating.xml index 248c0d5..b03c42f 100644 --- a/Fedora/input/system/software/updating.xml +++ b/Fedora/input/system/software/updating.xml @@ -65,4 +65,21 @@ protects against malicious tampering. <ref nist="SI-7,MA-1(b)" disa="352,663"/> </Rule> +<Rule id="ensure_yum_fedora_updates_repo_enabled" severity="high"> +<title>Ensure Yum fedora-updates Repository Enabled</title> +<description>To ensure fedora-updates repository is not disabled, +change line from file <tt>/etc/yum.repos.d/fedora-updates.repo</tt> of the form: +<pre>enabled=0</pre> +to the form of: +<pre>enabled=1</pre> +</description> +<rationale> +Installing software security updates is a fundamental mitigation against +the exploitation of publicly-known vulnerabilities. In order to install +package updates on Fedora system the particular system must be configured to +use a yum server and fedora-updates repository needs to be enabled. +</rationale> +<oval id="ensure_yum_fedora_updates_repo_enabled" /> +</Rule> + </Group> diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec index 4ef3713..f0ebd16 100644 --- a/Fedora/scap-security-guide.spec +++ b/Fedora/scap-security-guide.spec @@ -5,7 +5,7 @@ # file one level up - in the main scap-security-guide directory (instead of # this one). -%global fedorassgrelease 2.rc1 +%global fedorassgrelease 2.rc2 Name: scap-security-guide Version: 0.1 
@@ -50,6 +50,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/xml/scap/ssg/fedora/19/* %changelog +* Thu Oct 03 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc2 +- Introduce 'Ensure Yum fedora-updates Repository Enabled' rule. + * Wed Oct 02 2013 Jan iankko Lieskovsky <[email protected]> 0.1-2.rc1 - Set proper name of the build directory in the spec's %setup macro. - Replace hard-wired paths with macros. Preserve attributes when copying files. -- 1.7.11.7
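Review bot: in the ensure_yum_fedora_updates_repo_enabled.xml hunk, the object's pattern `^\s*enabled\s*=\s*1\s*$` is not scoped to any repository section, and with `check_existence="all_exist"` plus `instance` equal to 1 the test passes as soon as one matching line exists anywhere in the file. If the file defines more than one repository section (Fedora's stock repo files also carry debuginfo and source variants), an `enabled=1` line in one of those satisfies the test while the updates section itself sits at `enabled=0`. Consider anchoring the pattern on the relevant section header and matching through to its `enabled=` line without crossing another `[...]` header, so the result reflects the repository the rule is actually about. The converse case is also worth a look: a file where the `enabled` key is simply absent fails this check, so the rule text should tell the admin to add the line, not only to flip `0` to `1`. Minor: the metadata description reads "In order to install updates system must be configured"; "the system" is missing.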
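Review bot: in the updating.xml hunk the new Rule carries no `<ref>` element, while the preceding rule in the same Group has `<ref nist="SI-7,MA-1(b)" disa="352,663"/>`; add the matching control references (NIST SP 800-53 SI-2, Flaw Remediation, is the natural fit for an update-repository rule) so the rule appears in the generated control mappings. The description only covers changing `enabled=0` to `enabled=1`; since the OVAL check requires an explicit `enabled=1` line, say that the line must be added under the updates section if it is missing. The rationale sentence "In order to install package updates on Fedora system the particular system must be configured to use a yum server and fedora-updates repository needs to be enabled" reads awkwardly; something like "To install package updates, the system must be configured to use a yum server and the fedora-updates repository must be enabled" is clearer.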
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
