Hello Ronald, Michael, folks,

----- Original Message -----
> From: "Ronald" <[email protected]>
> To: "SCAP Security Guide" <[email protected]>
> Sent: Tuesday, April 1, 2014 2:53:59 PM
> Subject: Re: ensure_gpgcheck_globally_activated
>
> no problem.
>
> Shall this diff be integrated in further releases?

(Slightly modified version) Will be, yes. See below.

> github-like pull request
> feature would be ideal to better manage patches and enable efficient
> community patch submission.
>
> Ronald
>
> On Tue, Apr 1, 2014 at 2:14 PM, Delorenzo, Michael A CIV USARMY ARDEC (US) <[email protected]> wrote:
>
> Ronald,
>
> Thank you for the information. This worked out fine for me.
>
> Thanks,
>
> Michael DeLorenzo
> Computer Scientist
> Picatinny Arsenal
> Business Transformation & E-Systems Office, RDAR-WSE, Building 93
> W: (973)-724-1370
> BB: (862)-432-6071
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Ronald
> Sent: Tuesday, April 01, 2014 6:15 AM
> To: SCAP Security Guide
> Subject: Re: ensure_gpgcheck_globally_activated
>
> it's because the XCCDF test ensure_gpgcheck_globally_activated (in file
> "system/software/updating.xml") references an unknown/non-existent OVAL
> check (yum_gpgcheck_global_activation).

This is correct (it looks to be an undesired side effect of the RHEL6 content to RHEL/6 and RHEL/7 content migration:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/RHEL/6/input/system/software/updating.xml?id=dea9eb50c94a22e37911a93290be7cc425a00052 )

Originally there truly seems to have been a "yum_gpgcheck_global_activation" OVAL check, since Fedora has had the same name (content created before the RHEL/ directory split). In any case, "ensure_gpgcheck_globally_activated" is the right name the /etc/yum.conf gpgcheck=1 check should be referenced under now.

Attached is a patch fixing this for all of RHEL-{6,7} and Fedora. Please review.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

P.S.: The proposal has been tested on all of RHEL-{6,7} and Fedora Rawhide products, and seems to be working properly.

P.S.#2: It's possible that due to the RHEL6 to RHEL/{6,7} directory structure migration there will be more issues like this one (though on brief testing could find more of them). In any case further testing & issue reports to the list are appreciated as always.

> I solved this by changing yum_gpgcheck_global_activation to
> "ensure_gpgcheck_globally_activated" (which is the valid OVAL check ref id
> in checks/ensure_gpgcheck_globally_activated.xml) in file
> "system/software/updating.xml"
>
> Find diff file in attachment.
>
> krs,
>
> Ronald
>
> On Mon, Mar 31, 2014 at 7:32 PM, Delorenzo, Michael A CIV USARMY ARDEC (US) <[email protected]> wrote:
>
> Hello everyone,
>
> I noticed that after a newer git pull this referenced check is now set as not
> checked, when it previously was checked. I can't seem to find an explanation
> in the mailing list emails. Does anyone have any explanation?
>
> Thanks,
>
> Michael DeLorenzo
> Computer Scientist
> Picatinny Arsenal
> Business Transformation & E-Systems Office, RDAR-WSE, Building 93
> W: (973)-724-1370
> BB: (862)-432-6071
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
From 1707de049c77bc11c2e8287ac8136897d11757cc Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Tue, 1 Apr 2014 15:08:37 +0200 Subject: [PATCH] Fix broken references to ensure_gpgcheck_globally_activated OVAL check (side effect of RHEL/6 to => RHEL/{6,7} migration). See thread: https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-April/005157.html for further details. Also make Fedora version to use the shared check. Signed-off-by: Jan Lieskovsky <[email protected]> --- .../checks/ensure_gpgcheck_globally_activated.xml | 1 + .../checks/yum_gpgcheck_global_activation.xml | 24 ---------------------- Fedora/input/system/software/updating.xml | 2 +- RHEL/6/input/system/software/updating.xml | 2 +- RHEL/7/input/system/software/updating.xml | 2 +- shared/oval/ensure_gpgcheck_globally_activated.xml | 1 + 6 files changed, 5 insertions(+), 27 deletions(-) create mode 120000 Fedora/input/checks/ensure_gpgcheck_globally_activated.xml delete mode 100644 Fedora/input/checks/yum_gpgcheck_global_activation.xml diff --git a/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml b/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml new file mode 120000 index 0000000..1168283 --- /dev/null +++ b/Fedora/input/checks/ensure_gpgcheck_globally_activated.xml @@ -0,0 +1 @@ +../../../shared/oval/ensure_gpgcheck_globally_activated.xml \ No newline at end of file diff --git a/Fedora/input/checks/yum_gpgcheck_global_activation.xml b/Fedora/input/checks/yum_gpgcheck_global_activation.xml deleted file mode 100644 index a313351..0000000 --- a/Fedora/input/checks/yum_gpgcheck_global_activation.xml +++ /dev/null 
@@ -1,24 +0,0 @@ -<def-group> - <definition class="compliance" id="yum_gpgcheck_global_activation" version="1"> - <metadata> - <title>Ensure Yum gpgcheck Globally Activated</title> - <affected family="unix"> - <platform>Fedora 19</platform> - </affected> - <description>The gpgcheck option should be used to ensure that checking - of an RPM package's signature always occurs prior to its - installation.</description> - </metadata> - <criteria> - <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="test_yum_gpgcheck_global_activation" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="test_yum_gpgcheck_global_activation" version="1"> - <ind:object object_ref="object_yum_gpgcheck_global_activation" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_yum_gpgcheck_global_activation" comment="gpgcheck set in /etc/yum.conf" version="1"> - <ind:filepath>/etc/yum.conf</ind:filepath> - <ind:pattern operation="pattern match">^\s*gpgcheck\s*=\s*1\s*$</ind:pattern> - <ind:instance datatype="int" operation="equals">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/Fedora/input/system/software/updating.xml b/Fedora/input/system/software/updating.xml index 84de806..1fb7512 100644 --- a/Fedora/input/system/software/updating.xml +++ b/Fedora/input/system/software/updating.xml @@ -38,7 +38,7 @@ Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering. </rationale> -<oval id="yum_gpgcheck_global_activation" /> +<oval id="ensure_gpgcheck_globally_activated" /> <ref nist="SI-7,MA-1(b)" disa="352,663" /> </Rule> diff --git a/RHEL/6/input/system/software/updating.xml b/RHEL/6/input/system/software/updating.xml index aef22ec..46832a6 100644 --- a/RHEL/6/input/system/software/updating.xml 
+++ b/RHEL/6/input/system/software/updating.xml @@ -69,7 +69,7 @@ installation ensures the authenticity of the software and protects against malicious tampering. </rationale> <ident cce="26709-6" /> -<oval id="yum_gpgcheck_global_activation" /> +<oval id="ensure_gpgcheck_globally_activated" /> <ref nist="SI-7,MA-1(b)" disa="352,663" /> <tested by="MM" on="20120928"/> </Rule> diff --git a/RHEL/7/input/system/software/updating.xml b/RHEL/7/input/system/software/updating.xml index 0abb3c9..cea9f85 100644 --- a/RHEL/7/input/system/software/updating.xml +++ b/RHEL/7/input/system/software/updating.xml @@ -69,7 +69,7 @@ installation ensures the authenticity of the software and protects against malicious tampering. </rationale> <ident cce="RHEL7-CCE-TBD" /> -<oval id="yum_gpgcheck_global_activation" /> +<oval id="ensure_gpgcheck_globally_activated" /> <ref nist="SI-7,MA-1(b)" disa="352,663" /> <tested by="MM" on="20120928"/> </Rule> diff --git a/shared/oval/ensure_gpgcheck_globally_activated.xml b/shared/oval/ensure_gpgcheck_globally_activated.xml index e397400..96099dc 100644 --- a/shared/oval/ensure_gpgcheck_globally_activated.xml +++ b/shared/oval/ensure_gpgcheck_globally_activated.xml @@ -5,6 +5,7 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> <platform>Red Hat Enterprise Linux 7</platform> + <platform>Fedora 19</platform> </affected> <description>The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its -- 1.8.3.1
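Review bot: for the new Fedora/input/checks/ensure_gpgcheck_globally_activated.xml (mode 120000), the symlink target `../../../shared/oval/ensure_gpgcheck_globally_activated.xml` is relative to Fedora/input/checks/ and resolves to shared/oval/ at the repository root, i.e. the file the last hunk edits; please confirm the Fedora build follows symlinks when it collects input/checks/, because if it copies only regular files the Fedora rule would again point at a definition that is absent from the built OVAL and report "notchecked", which is exactly the symptom reported at the top of this thread.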
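Review bot: the deleted Fedora/input/checks/yum_gpgcheck_global_activation.xml evaluated a single thing, the first line of /etc/yum.conf matching `^\s*gpgcheck\s*=\s*1\s*$` (`<ind:instance datatype="int" operation="equals">1</ind:instance>`, check_existence="all_exist"); only the `<metadata>` of the shared definition that replaces it is visible in this patch, so please confirm the shared definition tests the same file and pattern before treating the symlink as a drop-in replacement. Separately, that pattern does not tie the match to the [main] section and cannot see a later `gpgcheck=0` line; that limitation predates this patch and is out of scope here, but it is worth a follow-up.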
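Review bot: in the Fedora/input/system/software/updating.xml hunk the rationale context reads "ensures the provenance of the software" while the RHEL/6 and RHEL/7 rules changed in the following hunks read "ensures the authenticity of the software"; now that all three rules point at one shared OVAL definition, consider aligning the Fedora rationale wording with the RHEL ones in the same patch.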
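Review bot: the RHEL/6/input/system/software/updating.xml hunk leaves `<tested by="MM" on="20120928"/>` untouched although the rule now references a different OVAL definition id; either refresh that stamp with the RHEL-{6,7} and Rawhide testing described in the cover mail or drop it, since a 2012 test date on a reference that was broken until this April 2014 fix is misleading. The identical RHEL/7/input/system/software/updating.xml hunk has the same issue and additionally still carries the placeholder `<ident cce="RHEL7-CCE-TBD" />`.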
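Review bot: the shared/oval/ensure_gpgcheck_globally_activated.xml hunk adds only `<platform>Fedora 19</platform>` to `<affected>`, copied from the deleted Fedora-specific definition, yet the cover mail says the change was tested on Fedora Rawhide; if the Fedora content targets current releases, list those platforms here as well (or whatever platform string the Fedora build actually applies), otherwise the shared definition advertises a release it may no longer be built for while omitting the one it was tested on.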
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
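The whole thread is a dangling reference: an XCCDF `<Rule>` whose `<oval id="..."/>` names an OVAL definition id that exists in no checks directory, which is why the rule showed up as "notchecked" after a git pull. The linter below is an added example, not SCAP Security Guide's own tooling: it collects every `<definition id>` from SSG-style OVAL def-group fragments and every `<oval id>` from SSG-style rule files and reports the references that do not resolve. The sample inputs are constructed fragments modelled on the hunks quoted in the patch (the `<Group>` root, the file paths used as labels, and the trimmed definition body are assumptions, not copies of the real files).

```python
# Added example (not SSG's own tooling): find XCCDF rules whose <oval id="..."/>
# references an OVAL definition id that no checks file defines, the bug fixed
# by the patch in this thread.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple


def _local(tag: str) -> str:
    """Strip any XML namespace prefix ({uri}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def oval_definition_ids(oval_xml: str) -> Set[str]:
    """Return every <definition id="..."> found in an SSG-style def-group file."""
    root = ET.fromstring(oval_xml.strip())
    return {el.get("id") for el in root.iter()
            if _local(el.tag) == "definition" and el.get("id")}


def xccdf_oval_refs(xccdf_xml: str) -> Dict[str, str]:
    """Map each XCCDF Rule id to the OVAL id its <oval id="..."/> element references."""
    root = ET.fromstring(xccdf_xml.strip())
    refs: Dict[str, str] = {}
    for rule in root.iter():
        if _local(rule.tag) != "Rule":
            continue
        for el in rule.iter():
            if _local(el.tag) == "oval" and el.get("id"):
                refs[rule.get("id")] = el.get("id")
    return refs


def dangling_refs(rule_files: Dict[str, str],
                  check_files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(rule file, Rule id, missing OVAL id) for every reference that resolves to nothing."""
    known: Set[str] = set()
    for text in check_files.values():
        known |= oval_definition_ids(text)
    return sorted((path, rule_id, oval_id)
                  for path, text in rule_files.items()
                  for rule_id, oval_id in xccdf_oval_refs(text).items()
                  if oval_id not in known)


# Constructed sample inputs (assumed shapes, trimmed to what the linter needs).
# The only OVAL definition available is the shared one; no file defines
# "yum_gpgcheck_global_activation" any more.
CHECKS = {
    "shared/oval/ensure_gpgcheck_globally_activated.xml": """
<def-group>
  <definition class="compliance" id="ensure_gpgcheck_globally_activated" version="1">
    <metadata>
      <title>Ensure Yum gpgcheck Globally Activated</title>
    </metadata>
    <criteria>
      <criterion comment="check value of gpgcheck in /etc/yum.conf"
                 test_ref="test_ensure_gpgcheck_globally_activated" />
    </criteria>
  </definition>
</def-group>
""",
}

# The rule file as it stood before the patch: it still references the old id.
RULES_BEFORE = {
    "RHEL/6/input/system/software/updating.xml": """
<Group id="updating">
  <Rule id="ensure_gpgcheck_globally_activated">
    <ident cce="26709-6" />
    <oval id="yum_gpgcheck_global_activation" />
    <ref nist="SI-7,MA-1(b)" disa="352,663" />
  </Rule>
</Group>
""",
}

# The same file with the one-line change the patch makes.
RULES_AFTER = {
    path: text.replace('id="yum_gpgcheck_global_activation"',
                       'id="ensure_gpgcheck_globally_activated"')
    for path, text in RULES_BEFORE.items()
}

if __name__ == "__main__":
    for label, rules in (("before patch", RULES_BEFORE), ("after patch", RULES_AFTER)):
        problems = dangling_refs(rules, CHECKS)
        print(f"{label}: {len(problems)} dangling OVAL reference(s)")
        for path, rule_id, oval_id in problems:
            print(f"  {path}: Rule {rule_id} -> no OVAL definition {oval_id}")
```

Pointed at a real checkout, `CHECKS` and `RULES_BEFORE` would be filled by walking `*/input/checks/` (following symlinks, which is how the Fedora tree picks up the shared definition after this patch) and `*/input/system/`; the namespace-stripping `_local` helper is there so the same code works whether the fragments are parsed raw, as here, or after they have been combined into a namespaced document.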
