[Open-scap] syslog-ng setting issue in debian 8

2018-08-29 Thread Dhanushka Parakrama
Hi Team

We have run the scan for Debian 8 using the below command

*oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*

Got alerts as below,
==
[image: image.png]


To fix it we ran the below commands as suggested by the report

* apt-get install syslog-ng-core

* systemctl status syslog-ng

● syslog-ng.service - System Logger Daemon
   Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
   Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
     Docs: man:syslog-ng(8)
  Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 14555 (syslog-ng)
   CGroup: /system.slice/syslog-ng.service
           └─14555 /usr/sbin/syslog-ng -F

Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.


But even after we ran the scan after fixing it, the report still shows:

Ensure syslog-ng is installed -> FAILED
Ensure Syslog-ng Service ->  FAILED


Is there any reason for that?
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list

Re: [Open-scap] syslog-ng setting issue in debian 8

2018-08-29 Thread Watson Yuuma Sato

On 29/08/18 11:05, Dhanushka Parakrama wrote:

> Hi Team


Hello Dhanushka,

What version of SSG are you using?
This looks like a bug in the 0.1.40 release: the package and service names
used in the bash remediation for syslog-ng are different from your commands;
we use "syslogng" for the package and service name.


Would you be willing to propose a fix for that?
These are the files that would need to be changed:
https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/packages_installed.csv
https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/services_enabled.csv



> We have run the scan for Debian 8 using the below command
>
> *oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*
>
>
> Got alerts as below,
> ==
> image.png
>
>
> To fix it we ran the below commands as suggested by the report
>
> * apt-get install syslog-ng-core
>
> * systemctl status syslog-ng
>
> ● syslog-ng.service - System Logger Daemon
>    Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
>    Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
>      Docs: man:syslog-ng(8)
>   Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
>  Main PID: 14555 (syslog-ng)
>    CGroup: /system.slice/syslog-ng.service
>            └─14555 /usr/sbin/syslog-ng -F
>
> Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
> Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
> Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
> Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.
>
>
> But even after we ran the scan after fixing it, the report still shows:
>
> Ensure syslog-ng is installed -> FAILED
> Ensure Syslog-ng Service ->  FAILED
>
>
> Is there any reason for that?





--
Watson Sato
Security Technologies | Red Hat, Inc


Re: [Open-scap] syslog-ng setting issue in debian 8

2018-08-29 Thread Dhanushka Parakrama
Hi Watson



On Wed, 29 Aug 2018 at 14:51, Watson Yuuma Sato wrote:

> On 29/08/18 11:05, Dhanushka Parakrama wrote:
>
> > Hi Team
>
>
> Hello Dhanushka,
>
> What version of SSG are you using?
> This looks like a bug in the 0.1.40 release: the package and service names
> used in the bash remediation for syslog-ng are different from your commands;
> we use "syslogng" for the package and service name.
>
> Would you be willing to propose a fix for that?
> These are the files that would need to be changed:
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/packages_installed.csv
>
> https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/services_enabled.csv
>

I have sent the pull request for those files

>
> > We have run the scan for Debian 8 using the below command
> >
> > *oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*
> >
> > Got alerts as below,
> > ==
> > [image: image.png]
> >
> >
> > To fix it we ran the below commands as suggested by the report
> >
> > * apt-get install syslog-ng-core
> >
> > * systemctl status syslog-ng
> >
> > ● syslog-ng.service - System Logger Daemon
> >    Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
> >    Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
> >      Docs: man:syslog-ng(8)
> >   Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
> >  Main PID: 14555 (syslog-ng)
> >    CGroup: /system.slice/syslog-ng.service
> >            └─14555 /usr/sbin/syslog-ng -F
> >
> > Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
> > Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
> > Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
> > Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.
> >
> >
> > But even after we ran the scan after fixing it, the report still shows:
> >
> > Ensure syslog-ng is installed -> FAILED
> > Ensure Syslog-ng Service ->  FAILED
> >
> >
> > Is there any reason for that?
> >
> >
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
>

Re: [Open-scap] syslog-ng setting issue in debian 8

2018-08-29 Thread Watson Yuuma Sato

On 29/08/18 11:35, Dhanushka Parakrama wrote:

> Hi Watson
>
>
>
> On Wed, 29 Aug 2018 at 14:51, Watson Yuuma Sato wrote:
>
>
> > On 29/08/18 11:05, Dhanushka Parakrama wrote:
> >
> > > Hi Team
> >
> >
> > Hello Dhanushka,
> >
> > What version of SSG are you using?
> > This looks like a bug in the 0.1.40 release: the package and service
> > names used in the bash remediation for syslog-ng are different from
> > your commands; we use "syslogng" for the package and service name.
> >
> > Would you be willing to propose a fix for that?
> > These are the files that would need to be changed:
> >
> > https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/packages_installed.csv
> >
> > https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/templates/csv/services_enabled.csv
>
> I have sent the pull request for those files


Thanks, they have been merged.

Tip: as these changes were closely related, they could have been done in
the same PR, which is easier for the submitter and the reviewer.


Thanks again.




> > > We have run the scan for Debian 8 using the below command
> > >
> > > *oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*
> > >
> > > Got alerts as below,
> > > ==
> > > image.png
> > >
> > >
> > > To fix it we ran the below commands as suggested by the report
> > >
> > > * apt-get install syslog-ng-core
> > >
> > > * systemctl status syslog-ng
> > >
> > > ● syslog-ng.service - System Logger Daemon
> > >    Loaded: loaded (/lib/systemd/system/syslog-ng.service; enabled)
> > >    Active: active (running) since Tue 2018-08-28 15:04:28 IST; 23h ago
> > >      Docs: man:syslog-ng(8)
> > >   Process: 16275 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
> > >  Main PID: 14555 (syslog-ng)
> > >    CGroup: /system.slice/syslog-ng.service
> > >            └─14555 /usr/sbin/syslog-ng -F
> > >
> > > Aug 28 15:04:28 oscapserver systemd[1]: Starting System Logger Daemon...
> > > Aug 28 15:04:28 oscapserver systemd[1]: Started System Logger Daemon.
> > > Aug 29 06:25:03 oscapserver systemd[1]: Reloading System Logger Daemon.
> > > Aug 29 06:25:03 oscapserver systemd[1]: Reloaded System Logger Daemon.
> > >
> > >
> > > But even after we ran the scan after fixing it, the report still shows:
> > >
> > > Ensure syslog-ng is installed -> FAILED
> > > Ensure Syslog-ng Service ->  FAILED
> > >
> > >
> > > Is there any reason for that?
> > >
> > >



> > --
> > Watson Sato
> >
> > Security Technologies | Red Hat, Inc




--
Watson Sato
Security Technologies | Red Hat, Inc

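The mismatch Watson identifies (content naming a package "syslogng" where Debian's package is syslog-ng-core) is the kind of defect a small content lint catches before release. The script below is an added example, not code from the scap-security-guide project or from this thread: it parses a dpkg status snapshot and reports which names in a packages_installed.csv-style list do not correspond to any installed package. The dpkg excerpt, the CSV rows and the one-name-per-line CSV layout are constructed here and should be treated as assumptions, not as the project's actual files.

```python
"""Lint an SSG-style package list against a dpkg status snapshot.

Added example, not code from the scap-security-guide project. It assumes
(as an assumption, not a documented fact) that packages_installed.csv is one
Debian package name per line, optionally followed by ",<version>".
"""
import csv
import io

# Constructed excerpt of /var/lib/dpkg/status for a Debian 8 host after
# "apt-get install syslog-ng-core". The metapackage "syslog-ng" is left in
# the config-files state to show that a name appearing in the file is not
# the same as the package being installed. Versions are placeholders.
DPKG_STATUS = """\
Package: syslog-ng-core
Status: install ok installed
Version: 0-constructed

Package: syslog-ng
Status: deinstall ok config-files
Version: 0-constructed

Package: auditd
Status: install ok installed
Version: 0-constructed
"""

# Constructed rows in the assumed packages_installed.csv layout. "syslogng"
# is the spelling the 0.1.40 content used; no Debian package has that name.
PACKAGES_CSV = """\
# one package name per line (constructed; layout is an assumption)
auditd
syslogng
"""


def installed_packages(status_text):
    """Return the set of package names whose dpkg state is 'installed'.

    Stanzas are separated by blank lines; the Status field reads
    "<want> <flag> <state>", and only state == installed counts.
    """
    installed = set()
    name = state = None
    for line in status_text.splitlines() + [""]:
        if not line.strip():
            if name and state == "installed":
                installed.add(name)
            name = state = None
        elif line.startswith("Package:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            state = line.split(":", 1)[1].split()[-1]
    return installed


def lint_package_csv(csv_text, installed):
    """Return the CSV package names that are not installed on the snapshot.

    A row naming a package that does not exist on the platform at all can
    never pass, whatever the bash remediation installs.
    """
    missing = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        name = row[0].strip()
        if name not in installed:
            missing.append(name)
    return missing


def candidate_names(installed, fragment):
    """Installed package names containing fragment, to help pick the right id."""
    return sorted(n for n in installed if fragment in n)


if __name__ == "__main__":
    have = installed_packages(DPKG_STATUS)
    for name in lint_package_csv(PACKAGES_CSV, have):
        print(f"{name}: not an installed package; installed names containing "
              f"'syslog': {candidate_names(have, 'syslog')}")
```

Running it against a real host means reading /var/lib/dpkg/status instead of the constructed string; the point of the state check is that "syslog-ng" appears in that file on the poster's box yet is not installed, so grepping for the name alone would give a false pass.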

[Open-scap] Ensure Log Files Are Owned By Appropriate Group setting Issue in Debian 8

2018-08-29 Thread Dhanushka Parakrama
Hi Team

We have run the scan for Debian 8 using the below command

*oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*

Got alerts as below,
===

[image: image.png]

As the solution suggested, we changed the group as below

* chgrp adm /var/log/* -R


[image: image.png]

but we are still getting the


*Ensure Log Files Are Owned By Appropriate Group -> Failed *


Is there any reason for that?


Thank You

Dhanushka
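When a group-ownership rule keeps failing after a recursive chgrp, the useful next step is an audit that names exactly which paths still have the wrong group rather than re-running the scanner. The script below is an added example, not SSG content and not the command from the post. It deliberately covers the directory itself and top-level dot-files, neither of which a `/var/log/*` glob matches, and it uses lstat so symlinks are reported as themselves; whether either of those is what the scanner objected to here is not visible from the thread. The sample tree is constructed in a temporary directory and the expected gid is passed in explicitly, so it runs without privileges.

```python
"""List paths under a log tree whose group is not the expected one.

Added example; not SSG content and not the chgrp command from the post.
Covers the root directory itself and top-level dot-files (a /var/log/* glob
matches neither) and uses lstat so symlinks are reported as themselves.
The expected gid is a parameter, so the audit needs no privileges.
"""
import grp
import os
import tempfile


def wrong_group(root, expected_gid):
    """Return sorted paths under root (root included) whose gid != expected_gid."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        # os.walk does not descend into symlinked directories, so check
        # those entries here rather than silently skipping them.
        entries += [os.path.join(dirpath, n) for n in dirnames
                    if os.path.islink(os.path.join(dirpath, n))]
        for path in entries:
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # log rotated away between listing and stat
            if st.st_gid != expected_gid:
                offenders.append(path)
    return sorted(offenders)


def gid_of(group_name):
    """Resolve a group name such as "adm" to its gid via the system database."""
    return grp.getgrnam(group_name).gr_gid


def build_sample_tree():
    """Create a constructed /var/log-like tree in a temp dir; return its path.

    Contains a top-level dot-file (which /var/log/* skips) and a nested
    directory with a file in it.
    """
    root = tempfile.mkdtemp(prefix="log-audit-")
    os.mkdir(os.path.join(root, "sub"))
    for rel in (".hidden", "syslog", os.path.join("sub", "kern.log")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed log line\n")
    return root


def self_check():
    """Audit the sample tree against its own gid and against a foreign gid.

    Returns (mismatches_against_own_gid, count_against_foreign_gid): the
    first is empty, the second counts every entry (root, sub, 3 files).
    """
    root = build_sample_tree()
    own_gid = os.lstat(root).st_gid
    return wrong_group(root, own_gid), len(wrong_group(root, own_gid + 1))


if __name__ == "__main__":
    print("sample tree self-check:", self_check())
    try:
        print("mismatches against adm:",
              wrong_group(build_sample_tree(), gid_of("adm")))
    except KeyError:
        print("no 'adm' group on this host")
```

On a real host you would call `wrong_group("/var/log", gid_of("adm"))` as root, since /var/log contains files that are not world-readable, and compare the list with what the scanner's rule actually requires.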

[Open-scap] ntp and auditd setting issue in debian 8

2018-08-29 Thread Dhanushka Parakrama
Hi Team

We have run the scan for Debian 8 using the below command

*oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report report.html ssg-debian8-ds.xml*

Got alerts as below,
===

[image: image.png]



To fix it we ran the below commands as suggested by the report

*service ntp status*
● ntp.service - LSB: Start NTP daemon
   Loaded: loaded (/etc/init.d/ntp)
   Active: active (running) since Mon 2018-08-27 18:24:21 IST; 2 days ago
   CGroup: /system.slice/ntp.service
           └─473 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 112:120

Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Aug 27 18:24:21 oscapserver ntpd[473]: Listen and drop on 1 v6wildcard :: UDP 123
Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 2 lo 127.0.0.1 UDP 123
Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 3 eth0 192.168.8.150 UDP 123
Aug 27 18:24:21 oscapserver ntpd[473]: Listen normally on 4 lo ::1 UDP 123
Aug 27 18:24:21 oscapserver ntpd[473]: peers refreshed
Aug 27 18:24:21 oscapserver ntpd[473]: Listening on routing socket on fd #21 for interface updates
Aug 27 18:24:21 oscapserver systemd[1]: Started LSB: Start NTP daemon.
Aug 27 18:24:24 oscapserver ntpd[473]: Listen normally on 5 eth0 fe80::250:56ff:fe94:6150 UDP 123
Aug 27 18:24:24 oscapserver ntpd[473]: peers refreshed


*service auditd status*
● auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since Tue 2018-08-28 14:41:28 IST; 1 day 6h ago
 Main PID: 12464 (auditd)
   CGroup: /system.slice/auditd.service
           └─12464 /sbin/auditd -n


But even after we ran the scan after fixing it, the report still shows:


[image: image.png]

Is there any reason for that?


Thank You
Dhanushka

[Open-scap] Set SSH Idle Timeout Interval Debian 8

2018-08-29 Thread Dhanushka Parakrama
Guys

In Debian 8 I have configured the settings as below for the ssh client timeout

ClientAliveInterval 400

but it seems like the scan is not picking it up,
Version scap-security-guide-0.1.40


*oscap-ssh --sudo wso2@192.168.8.150 22 xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_high --report abc.html ssg-debian8-ds.xml*


and it still shows the output as below

*Title   Set SSH Idle Timeout Interval*
*Rule    xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout*
*Result  fail*
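Before blaming the content for a failed sshd_set_idle_timeout result, the first thing to verify is which ClientAliveInterval sshd itself would apply: a value that is commented out, shadowed by an earlier line, or placed under a Match block is not the global value every session gets. The parser below is an added example, not OpenSCAP or SSG code. The sshd_config excerpts are constructed, and since the threshold the SSG rule compares against is not stated in the thread, the example reports the values it finds rather than a pass/fail verdict.

```python
"""Report the idle-timeout settings sshd would actually apply.

Added example; not OpenSCAP or SSG code. The semantics used here follow
sshd_config(5): keywords are case-insensitive, lines starting with '#' are
comments, the first value obtained for a keyword wins, "Keyword value" and
"Keyword=value" are both accepted, and everything after a Match line applies
only to matching connections. Simplification: '#' anywhere on a line is
treated as starting a comment.
"""
import re

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Constructed sshd_config excerpts (not from the poster's server).
CONFIG_GLOBAL = """\
Port 22
#ClientAliveInterval 0
ClientAliveInterval 400
ClientAliveCountMax 0
"""

# The only active setting sits under a Match block, so globally it is unset.
CONFIG_MATCH_ONLY = """\
Port 22
Match Group admins
    ClientAliveInterval 400
"""

# Duplicate keyword: sshd keeps the first value, i.e. 0.
CONFIG_DUPLICATE = """\
ClientAliveInterval 0
ClientAliveInterval 400
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lowercase keyword -> first value seen before any
    Match line; match_blocks is a list of (criteria, settings) in file order.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)  # first occurrence wins
    return global_settings, match_blocks


def _as_int(settings, key):
    """Integer value of key, or None when absent or not numeric."""
    try:
        return int(settings.get(key, ""))
    except ValueError:
        return None


def idle_timeout_status(text):
    """Summarise ClientAliveInterval/ClientAliveCountMax as an auditor reads them.

    Only the global values apply to every session; a value that appears
    solely inside a Match block is listed under match_overrides instead.
    """
    glob, matches = parse_sshd_config(text)
    return {
        "client_alive_interval": _as_int(glob, "clientaliveinterval"),
        "client_alive_count_max": _as_int(glob, "clientalivecountmax"),
        "match_overrides": [
            (criteria, _as_int(s, "clientaliveinterval"))
            for criteria, s in matches
            if "clientaliveinterval" in s
        ],
    }


if __name__ == "__main__":
    for label, cfg in (("global", CONFIG_GLOBAL),
                       ("match-only", CONFIG_MATCH_ONLY),
                       ("duplicate", CONFIG_DUPLICATE)):
        print(label, idle_timeout_status(cfg))
```

To check a real host, read /etc/ssh/sshd_config into `idle_timeout_status`; if the global interval comes back as None or 0 even though the keyword is present, the line sshd honours is not the one that was edited.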

Re: [Open-scap] Guide Mergers and Simplifications in SCAP Security Guide

2018-08-29 Thread Martin Preisler
On Thu, Aug 23, 2018 at 10:16 AM Alexander Scheel wrote:
>
> [snip]
>
> Thanks everyone for their support, advice, and reviews! As always, we're
> happy to receive feedback, issues regarding the content, or PRs helping
> to improve the content. We'll do our best to review these in a timely manner
> and will try and tag some issues as easy fix or help wanted if people are
> looking for a place to get started. And lastly, a shout-out and thanks to
> all our external contributors!

Hi Alex,
thank you very much for your contributions this summer. It has helped
the project tremendously! I hope you had fun!

-- 
Martin Preisler



Re: [Open-scap] rsyslog and syslog-ng issue in Debian 8

2018-08-29 Thread Marek Haicman
Hah, that one is funny :) Good catch Dhanushka. Basically what these rules 
are trying to achieve is to have logging on your system. So either of those 
is enough to fulfill that.


If you don't mind, could you create a PR removing one of the pairs from 
the profile [1]? I am not a Debian user, so I don't know which one is 
default/recommended. It should be in line with the OS recommendation. Just 
beware: if the recommended syslog is syslog-ng, then it's probably 
appropriate to also remove all rsyslog-related rules in other ANSSI 
levels (I have seen some in `average`).


Thanks,
Marek

[1] 
https://github.com/OpenSCAP/scap-security-guide/blob/master/debian8/profiles/



On 08/29/2018 07:22 PM, Dhanushka Parakrama wrote:

> Hi Team
>
> When I'm using the *xccdf_org.ssgproject.content_profile_anssi_np_nt28_high*
> profile in Debian 8 *ssg-debian8-ds.xml*
>
> in version scap-security-guide-0.1.40
>
> it says
>
> Title   Ensure syslog-ng is Installed
> Rule    xccdf_org.ssgproject.content_rule_package_syslogng_installed
> Result  fail
>
> Title   Enable syslog-ng Service
> Rule    xccdf_org.ssgproject.content_rule_service_syslogng_enabled
> Result  fail
>
> Title   Ensure rsyslog is Installed
> Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
> Result  fail
>
> Title   Enable rsyslog Service
> Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
> Result  fail
>
>
> But when I'm installing rsyslog, the Debian 8 system automatically removes
> the syslog-ng package and vice versa. So one of the conditions will
> always fail
>
>
> Please see the below screenshot
>
> image.png







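The problem Marek and Dhanushka discuss is structural: a profile that selects both the rsyslog and the syslog-ng rules can never fully pass on Debian because the packages replace each other. A lint that catches that at content-review time is shown below as an added example; it is not from the scap-security-guide repository. It reads the selections list of a 0.1.40-style .profile file and flags rules from a declared mutually exclusive pair that are both selected. The profile excerpt, the list-entry conventions (`!rule` to unselect, `var=value` for variables) and the conflict table are assumptions constructed for this example.

```python
"""Flag mutually exclusive package/service rules selected in one SSG profile.

Added example, not from the scap-security-guide repository. Assumptions:
a 0.1.40-era .profile is YAML with a "selections:" list whose entries are
rule ids, "!rule_id" unselections, or "variable=value" references. Only
that list is parsed here, without a YAML library.
"""

# Constructed table of rule groups that cannot all pass on Debian, because
# installing rsyslog removes syslog-ng and vice versa (as the post reports).
EXCLUSIVE_PAIRS = [
    ({"package_rsyslog_installed", "service_rsyslog_enabled"},
     {"package_syslogng_installed", "service_syslogng_enabled"}),
]

# Constructed excerpt in the assumed .profile layout; not the real ANSSI file.
PROFILE_TEXT = """\
# constructed excerpt (layout is an assumption)
documentation_complete: true
title: 'ANSSI example (constructed)'
selections:
    - package_rsyslog_installed
    - service_rsyslog_enabled
    - package_syslogng_installed
    - service_syslogng_enabled
    - '!service_rsyslog_enabled'
    - var_accounts_tmout=10_min
    - sshd_set_idle_timeout
"""


def parse_selections(text):
    """Return (selected_rules, unselected_rules, variables) from profile text.

    selected_rules already has the unselections removed. Parsing stops at
    the next top-level key after "selections:".
    """
    selected, unselected, variables = set(), set(), {}
    in_list = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            # top-level key: enter the list on "selections:", leave it otherwise
            in_list = line.strip().startswith("selections:")
            continue
        if not in_list:
            continue
        item = line.strip()
        if not item.startswith("- "):
            continue
        item = item[2:].strip().strip("'\"")
        if item.startswith("!"):
            unselected.add(item[1:])
        elif "=" in item:
            name, value = item.split("=", 1)
            variables[name] = value
        else:
            selected.add(item)
    return selected - unselected, unselected, variables


def conflicting_selections(selected, pairs=EXCLUSIVE_PAIRS):
    """Return (left_hits, right_hits) for every pair with rules selected on both sides."""
    conflicts = []
    for left, right in pairs:
        hit_left, hit_right = selected & left, selected & right
        if hit_left and hit_right:
            conflicts.append((sorted(hit_left), sorted(hit_right)))
    return conflicts


if __name__ == "__main__":
    rules, _, _ = parse_selections(PROFILE_TEXT)
    for left, right in conflicting_selections(rules):
        print(f"profile selects both {left} and {right}; at most one side can pass")
```

Run over the real profile files under the directory Marek links, the lint would have shown the rsyslog/syslog-ng pair as selected on both sides; which side to drop is the OS-recommendation question he raises, not something the script decides.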

Re: [Open-scap] Guide Mergers and Simplifications in SCAP Security Guide

2018-08-29 Thread Martin Preisler
On Thu, Aug 23, 2018 at 11:24 AM Trey Henefield wrote:
>
> [snip]
>
> I have contributed a fair amount of content in the past and would love to 
> continue to do so.
>
> The biggest challenge I've had in working with this group is the rapid number 
> of structural changes.

I hear you but it has been necessary and long overdue. We try to limit
the pain as much as possible but there certainly have been breakages
between 0.1.39 and 0.1.40.

It has made a lot of my knowledge of the old SSG structure obsolete
but I would still like to thank everyone who worked to make SSG easier
for newcomers and cleaner for everyone. The current system is
light-years ahead of the old one in terms of productivity.

> Secondly, there seems to be some difference of opinions between what Red Hat 
> feels should be implemented for a requirement versus what DISA requires to be 
> configured to meet a requirement. I've had commits rejected for that very 
> reason. This has pretty much discouraged me from committing any other changes. 
> While we still develop content to support ensuring our systems are compliant 
> with the DISA STIGs, it would be nice to put aside difference of opinions and 
> support bringing compliance to currently enforced DISA STIG requirements 
> within the SSG baseline.
>
> I think that once those two issues are resolved, you will likely see further 
> enhanced content being contributed.

I am not 100% sure what you are referring to, links would help.

Working with open source communities can be frustrating and political.
I would like to think that we are "better than your average community"
but I know exactly how you feel regarding having code rejected.
Definitely experienced that many many times in SSG. In my experience
it really helps to submit pull requests quickly and mark them WIP.
That way you can get feedback early and avoid having to thrash a lot
of code. And keep in mind that you can review our pull requests back
and give us comments. AFAIK we have never ignored community feedback
and generally try to solicit feedback for large changes either via
mailing list or github.




>
> Best regards,
>
> Trey Henefield, CISSP
> Senior IAVA Engineer
>
> Ultra Electronics
> Advanced Tactical Systems, Inc.
> 4101 Smith School Road
> Building IV, Suite 100
> Austin, TX 78744 USA
>
> trey.henefi...@ultra-ats.com
> Tel: +1 512 327 6795 ext. 647
> Fax: +1 512 327 8043
> Mobile: +1 512 541 6450
>
> -Original Message-
> From: open-scap-list-boun...@redhat.com  
> On Behalf Of Alexander Scheel
> Sent: Thursday, August 23, 2018 9:16 AM
> To: open-scap-list@redhat.com
> Subject: [Open-scap] Guide Mergers and Simplifications in SCAP Security Guide
>
> Greetings, everyone!
>
>
> I'm Alex, the US-based intern working with the OpenSCAP team this summer. We 
> also have an intern in Brno, Milan, who has been with the team for longer.
> I'm posting to highlight some of the work I've done, and how I think this 
> will help the OpenSCAP community at large. I’ll be focusing on the SCAP 
> Security Guide (SSG) project, where we host all of our compliance content.
>
> Part of the problems facing the OpenSCAP team is that we’re not experts with 
> the complete matrix of different compliance documents, Linux distributions, 
> or projects that we provide content for. As different individuals contribute 
> to SSG, they usually do so for only the projects they’re familiar with. A 
> direct result of this was that, over time, Debian, RHEL6, and RHEL7 content 
> grew increasingly fragmented despite starting out largely similar. Partly, 
> this was due to the complexity of writing content in XML format and using 
> XSLT macros; with the migration to YAML markup and Jinja2 macros, maintaining 
> a shared directory which supports all distributions is now easier than 
> separate directories. On top of this, having many independent locations for 
> content made it hard for individuals new to the project to find where to make 
> their changes. Thus, merging the guides was an important step in reducing 
> technical debt in SCAP Security Guide.
>
> Below, I outline one of the things we’ve improved this summer, with the hopes 
> of encouraging more individuals to contribute to the SSG project. Hopefully a 
> few users will be inspired to create quick PRs fixing issues you see on a 
> day-to-day basis. Stay tuned for a later mailing list post about additional 
> changes made. :)
>
> With the help of Martin Preisler, Gabe Alford, and everyone else, I've been 
> collapsing the disparate Linux guides into a shared location: 
> `linux_os/guide`.
> This helps to improve maintainability, finding the location of rules, and 
> fixing any issues they have. Changes against one product will now benefit all 
> products:
> typos, new additions, compliance with standardized language, etc.
>
> This means that, if anyone is carrying internal patches or tailoring files 
> against rhel6, debian8, or wrlinux, your changes will not apply cleanly to the
>