----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Saturday, May 31, 2014 4:15:08 AM
> Subject: Re: [PATCH] [RHEL/6] Start using package_rsh_removed OVAL check
>          [RHEL/7] Define new XCCDF rule
>          package_rsh_removed [shared] Move the RHEL-6 specific check to be shared one
>
> On 5/30/14, 7:16 AM, Jan Lieskovsky wrote:
>
> Proposed patch adds (previously missing) package_rsh_removed XCCDF reference to
> already existing OVAL check with same name. Also defines the same XCCDF rule for
> RHEL-7. Yet moves the original RHEL-6 specific package_rsh_removed OVAL check to
> be shared one.
>
> Change has been tested on RHEL/6 & RHEL/7, rpms build correctly, underlying rule
> seems to work as expected (on both products).
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-RHEL-6-Start-using-package_rsh_removed-OVAL-check.patch
> From d83bf8ee28da32bdf93af66cb2a9e578ddcbd889 Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Fri, 30 May 2014 13:07:42 +0200
> Subject: [PATCH] [RHEL/6] Start using package_rsh_removed OVAL check [RHEL/7]
> Define new XCCDF rule package_rsh_removed [shared] Move the RHEL-6 specific
> check to be shared one
>
> Signed-off-by: Jan Lieskovsky <[email protected]>
> ---
> RHEL/6/input/checks/package_rsh_removed.xml | 27 +--------------------------
> RHEL/6/input/services/obsolete.xml | 4 +++-
> RHEL/7/input/checks/package_rsh_removed.xml | 1 +
> RHEL/7/input/services/obsolete.xml | 17 +++++++++++++++++
> shared/oval/package_rsh_removed.xml | 27 +++++++++++++++++++++++++++
> 5 files changed, 49 insertions(+), 27 deletions(-)
> mode change 100644 => 120000 RHEL/6/input/checks/package_rsh_removed.xml
> create mode 120000 RHEL/7/input/checks/package_rsh_removed.xml
> create mode 100644 shared/oval/package_rsh_removed.xml
> > diff --git a/RHEL/6/input/checks/package_rsh_removed.xml > b/RHEL/6/input/checks/package_rsh_removed.xml > deleted file mode 100644 > index 11ae275..0000000 > --- a/RHEL/6/input/checks/package_rsh_removed.xml > +++ /dev/null > @@ -1,26 +0,0 @@ > -<def-group> > - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. > --> > - <definition class="compliance" id="package_rsh_removed" > - version="1"> > - <metadata> > - <title>Package rsh Removed</title> > - <affected family="unix"> > - <platform>Red Hat Enterprise Linux 6</platform> > - </affected> > - <description>The RPM package rsh should be removed.</description> > - <reference source="swells" ref_id="20130829" > ref_url="test_attestation"/> > - </metadata> > - <criteria> > - <criterion comment="package rsh is removed" > - test_ref="test_package_rsh_removed" /> > - </criteria> > - </definition> > - <linux:rpminfo_test check="all" check_existence="none_exist" > - id="test_package_rsh_removed" version="1" > - comment="package rsh is removed"> > - <linux:object object_ref="obj_package_rsh_removed" /> > - </linux:rpminfo_test> > - <linux:rpminfo_object id="obj_package_rsh_removed" version="1"> > - <linux:name>rsh</linux:name> > - </linux:rpminfo_object> > -</def-group> > diff --git a/RHEL/6/input/checks/package_rsh_removed.xml > b/RHEL/6/input/checks/package_rsh_removed.xml > new file mode 120000 > index 0000000..3b94a20 > --- /dev/null > +++ b/RHEL/6/input/checks/package_rsh_removed.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/package_rsh_removed.xml > \ No newline at end of file > diff --git a/RHEL/6/input/services/obsolete.xml > b/RHEL/6/input/services/obsolete.xml > index ee980d4..c2e5b15 100644 > --- a/RHEL/6/input/services/obsolete.xml > +++ b/RHEL/6/input/services/obsolete.xml 
> @@ -186,7 +186,7 @@ stolen by eavesdroppers on the network. > </Rule> > > <Rule id="package_rsh_removed"> > -<title>Remove rsh</title> > +<title>Uninstal rsh Package</title> > <description>The <tt>rsh</tt> package contains the client commands > for the rsh services</description> > <ocil><package-remove-macro package="rsh"/></ocil> > @@ -198,6 +198,8 @@ their credentials. Note that removing the <tt>rsh</tt> > package removes > the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>. > </rationale> > <ident cce="" /> > +<oval id="package_rsh_removed" /> > +<tested by="JL" on="20140530"/> > </Rule> > > <Rule id="disable_rlogin" severity="high"> > diff --git a/RHEL/7/input/checks/package_rsh_removed.xml > b/RHEL/7/input/checks/package_rsh_removed.xml > new file mode 120000 > index 0000000..3b94a20 > --- /dev/null > +++ b/RHEL/7/input/checks/package_rsh_removed.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/package_rsh_removed.xml > \ No newline at end of file > diff --git a/RHEL/7/input/services/obsolete.xml > b/RHEL/7/input/services/obsolete.xml > index 84ced10..888162d 100644 > --- a/RHEL/7/input/services/obsolete.xml > +++ b/RHEL/7/input/services/obsolete.xml 
> @@ -170,6 +170,23 @@ stolen by eavesdroppers on the network. > <tested by="DS" on="20121026"/> > </Rule> > > +<Rule id="package_rsh_removed"> > +<title>Uninstal rsh Package</title> > +<description>The <tt>rsh</tt> package contains the client commands > +for the rsh services</description> > +<ocil><package-remove-macro package="rsh"/></ocil> > +<rationale>These legacy clients contain numerous security exposures and have > +been replaced with the more secure SSH package. Even if the server is > removed, > +it is best to ensure the clients are also removed to prevent users from > +inadvertently attempting to use these commands and therefore exposing > +their credentials. Note that removing the <tt>rsh</tt> package removes > +the clients for <tt>rsh</tt>,<tt>rcp</tt>, and <tt>rlogin</tt>. > +</rationale> > +<ident cce="" /> > +<oval id="package_rsh_removed" /> > +<tested by="JL" on="20140530"/> > +</Rule> > + > <Rule id="disable_rlogin" severity="high"> > <title>Disable rlogin Service</title> > <description>The <tt>rlogin</tt> service, which is available with > diff --git a/shared/oval/package_rsh_removed.xml > b/shared/oval/package_rsh_removed.xml > new file mode 100644 > index 0000000..9f739ef > --- /dev/null > +++ b/shared/oval/package_rsh_removed.xml 
> @@ -0,0 +1,27 @@ > +<def-group> > + <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. > --> > + <definition class="compliance" id="package_rsh_removed" > + version="1"> > + <metadata> > + <title>Package rsh Removed</title> > + <affected family="unix"> > + <platform>Red Hat Enterprise Linux 6</platform> > + <platform>Red Hat Enterprise Linux 7</platform> > + </affected> > + <description>The RPM package rsh should be removed.</description> > + <reference source="JL" ref_id="20140530" ref_url="test_attestation"/> > + </metadata> > + <criteria> > + <criterion comment="package rsh is removed" > + test_ref="test_package_rsh_removed" /> > + </criteria> > + </definition> > + <linux:rpminfo_test check="all" check_existence="none_exist" > + id="test_package_rsh_removed" version="1" > + comment="package rsh is removed"> > + <linux:object object_ref="obj_package_rsh_removed" /> > + </linux:rpminfo_test> > + <linux:rpminfo_object id="obj_package_rsh_removed" version="1"> > + <linux:name>rsh</linux:name> > + </linux:rpminfo_object> > +</def-group> > -- > 1.8.3.1 > > ack
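Review bot: The replacement title in the RHEL/6/input/services/obsolete.xml hunk at @@ -186,7 is misspelled: `<title>Uninstal rsh Package</title>` should read "Uninstall rsh Package". The same string is carried into the rule added to RHEL/7/input/services/obsolete.xml, so it needs correcting in both files; the title is what ends up in the rendered guide and in scan reports.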
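Review bot: The rule added in the RHEL/7/input/services/obsolete.xml hunk at @@ -170,6 carries `<ident cce="" />` with no value, copied as-is from the RHEL/6 rule. Either fill in the RHEL-7 identifier or say in the commit message that it is still to be assigned, so the empty attribute is not mistaken for a finished mapping. While touching the rule, the `<description>` ends without a period ("for the rsh services") and only states what the package contains; a sentence telling the reader to remove it would match the title and the `<ocil>` check.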
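Review bot: shared/oval/package_rsh_removed.xml keeps the header "THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT." although its content now differs from the deleted RHEL/6 copy: a second `<platform>Red Hat Enterprise Linux 7</platform>` line was added and the `<reference>` changed from source="swells" ref_id="20130829" to source="JL" ref_id="20140530". If these lines were edited by hand, a later regeneration would silently drop the RHEL 7 platform; please either make the change in the generator and regenerate, or remove the "generated" comment from the shared file. Replacing the earlier attestation also loses the record of the 20130829 test on RHEL 6, which is worth mentioning in the commit message.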
Thanks, pushed.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
