On 4/15/14, 2:30 PM, Shawn Wells wrote:

0000-cover-letter.patch


 From 6d8d3b510c9261c022f70efa633d45b1acb1f26a Mon Sep 17 00:00:00 2001
From: Shawn Wells<[email protected]>
Date: Mon, 14 Apr 2014 23:29:41 -0400
Subject: [PATCH 00/26] Resubmission of C2S profile

After a few coffees and croissants this morning @ RHT Summit,
Jeff and I made friends and hashed out the details of the C2S profile.

Resubmitting patches to reflect Jan's feedback and adding details within
the C2S profile on rule mappings.

Shawn Wells (26):
   New Remediation: sticky_world_writable_dirs.sh
   New Remediation: enable_selinux_bootloader.sh
   Moved RHEL6 selinux_state.sh to shared
   Moved RHEL6 selinux_policytype.sh to shared/
   New RHEL6 Rule: package_setroubleshoot_removed
   typo fix
   New Rule: package_mcstrans_removed
   XCCDF Rule Rename: disable_setuid_coredumps -->
     sysctl_fs_suid_dumpable
   New RHEL6 Rule: package_telnet_removed
   New RHEL6 rule: package_rsh_removed
   New RHEL6 rule: package_ypbind_removed
   New RHEL6 rule: package_tftp_removed
   [bugfix] kernel_module_hfs_disabledplus -->
     kernel_module_hfsplus_disabled
   New Profile: C2S
   Adding C2S into build system
   Mapped C2S 9.2.11 to gid_passwd_group_same
   C2S 1.1.6 --> mount_option_var_tmp_bind_var
   C2S 1.1.10 --> mount_option_nodev_nonroot_local_partitions
   C2S 3.2 --> packagegroup_xwindows_remove
   C2S 3.16 --> postfix_network_listening_disabled
   Adding rsyslog_nolisten mapping
   C2S 6.1.10 --> service_atd_disabled
   C2S 7.1.1 --> accounts_maximum_age_login_defs
   Updating C2S profile
   Updating RHEL/6/output/.gitignore
   Updating commit per Jan's feedback

  RHEL/6/input/checks/package_mcstrans_removed.xml   |   26 +
  RHEL/6/input/checks/package_rsh_removed.xml        |   26 +
  .../checks/package_setroubleshoot_removed.xml      |   26 +
  RHEL/6/input/checks/package_telnet_removed.xml     |   26 +
  RHEL/6/input/checks/package_tftp_removed.xml       |   26 +
  RHEL/6/input/checks/templates/packages_removed.csv |    5 +
  .../input/fixes/bash/enable_selinux_bootloader.sh  |    1 +
  RHEL/6/input/fixes/bash/selinux_policytype.sh      |    9 +-
  RHEL/6/input/fixes/bash/selinux_state.sh           |    9 +-
  .../input/fixes/bash/sticky_world_writable_dirs.sh |    1 +
  RHEL/6/input/guide.xslt                            |    1 +
  RHEL/6/input/profiles/C2S.xml                      |  724 ++++++++++++++++++++
  RHEL/6/input/profiles/CS2.xml                      |    2 +-
  RHEL/6/input/profiles/CSCF-RHEL6-MLS.xml           |    2 +-
  .../6/input/profiles/fisma-medium-rhel6-server.xml |    2 +-
  RHEL/6/input/profiles/nist-CL-IL-AL.xml            |    6 +-
  .../input/profiles/stig-rhel6-server-upstream.xml  |   11 +-
  RHEL/6/input/profiles/usgcb-rhel6-server.xml       |    2 +-
  RHEL/6/input/services/obsolete.xml                 |   61 ++
  RHEL/6/input/system/permissions/execution.xml      |    2 +-
  RHEL/6/input/system/selinux.xml                    |   29 +
  shared/fixes/bash/enable_selinux_bootloader.sh     |    2 +
  shared/fixes/bash/selinux_policytype.sh            |    8 +
  shared/fixes/bash/selinux_state.sh                 |    8 +
  shared/fixes/bash/sticky_world_writable_dirs.sh    |    4 +
  25 files changed, 995 insertions(+), 24 deletions(-)
  create mode 100644 RHEL/6/input/checks/package_mcstrans_removed.xml
  create mode 100644 RHEL/6/input/checks/package_rsh_removed.xml
  create mode 100644 RHEL/6/input/checks/package_setroubleshoot_removed.xml
  create mode 100644 RHEL/6/input/checks/package_telnet_removed.xml
  create mode 100644 RHEL/6/input/checks/package_tftp_removed.xml
  create mode 120000 RHEL/6/input/fixes/bash/enable_selinux_bootloader.sh
  mode change 100644 => 120000 RHEL/6/input/fixes/bash/selinux_policytype.sh
  mode change 100644 => 120000 RHEL/6/input/fixes/bash/selinux_state.sh
  create mode 120000 RHEL/6/input/fixes/bash/sticky_world_writable_dirs.sh
  create mode 100644 RHEL/6/input/profiles/C2S.xml
  mode change 100644 => 100755 RHEL/6/output/.gitignore
  create mode 100644 shared/fixes/bash/enable_selinux_bootloader.sh
  create mode 100644 shared/fixes/bash/selinux_policytype.sh
  create mode 100644 shared/fixes/bash/selinux_state.sh
  create mode 100644 shared/fixes/bash/sticky_world_writable_dirs.sh


Also, not reflected in the email... ran make && scan:

$ make
$ sudo oscap xccdf eval --profile C2S --cpe output/ssg-rhel6-cpe-dictionary.xml output/ssg-rhel6-xccdf.xml
... no errors ...

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
