Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-06 Thread Ruben Oliva

Hello RHEL community.
 
As a matter of opinion, I think we should focus on RHEL 7.
Is there any content for SELinux? 
 
David Oliva
 
 
-Original Message-
From: Shawn Wells 
To: open-scap-list 
Sent: Tue, Sep 5, 2017 11:20 am
Subject: Re: [Open-scap] [open-scap] scan percentage with respect to rules 
specified by STIG

On 9/5/17 4:38 AM, Wesley Ceraso Prudencio wrote:
> I'm not an expert, but if I got it right, we currently cover approximately
> 85% of STIG rules for RHEL7 and 23% for RHEL6.

Something seems off

In RHEL6, the STIG profile extends the common profile:
> $ head -1 stig-rhel6-server-upstream.xml

So, adding in rules from 'common' and STIG profiles:
> $ grep -v '
> 182
>
> $ grep -v '
> 68

Then subtracting things that are turned off:
> $ grep false stig-rhel6-* | wc -l
> 4

= 246 rules.

Then compared to RHEL6 STIG from DISA:
> $ grep "
> 259

246 / 259 = 95%

Some gaps are expected (e.g. update 3rd party patches, install 3rd party
software), so we'll never have 100% until baseline owners drop such
rules. This is common across most third parties (e.g. CIS), not just DISA.

.. now ensuring the content of the selected rules aligns between
DISA and SSG is another question :)
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
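The quoted message counts rule coverage with grep and wc over the XCCDF source. The script below is an added example (not from the thread, not SSG or DISA tooling) that does the same calculation by parsing the XML: it follows the profile's `extends` chain, applies the child's `select` elements on top of the parent's, drops anything with `selected="false"`, and compares the result with the rule count of a second benchmark. Both benchmarks embedded here are constructed toy documents, and the namespace is the XCCDF 1.2 one; real SSG and DISA files are far larger but have the same shape.

```python
"""Resolve an XCCDF profile's effective rule selections (following
`extends`) and compare the count with another benchmark's rule count.
Added example: the two benchmarks below are constructed, not real content."""
import xml.etree.ElementTree as ET
from typing import Dict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# Constructed SSG-style benchmark: 'common' selects four rules, 'stig'
# extends it, adds two rules and turns one of common's rules off.
SSG_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_ssg">
  <Profile id="common">
    <select idref="rule_a" selected="true"/>
    <select idref="rule_b" selected="true"/>
    <select idref="rule_c" selected="true"/>
    <select idref="rule_d" selected="true"/>
  </Profile>
  <Profile id="stig" extends="common">
    <select idref="rule_e" selected="true"/>
    <select idref="rule_f" selected="true"/>
    <select idref="rule_c" selected="false"/>
  </Profile>
</Benchmark>"""

# Constructed DISA-style benchmark: rules sit inside Groups, no profiles needed.
DISA_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_disa">
  <Group id="g1"><Rule id="r1"/><Rule id="r2"/></Group>
  <Group id="g2"><Rule id="r3"/><Rule id="r4"/><Rule id="r5"/></Group>
  <Group id="g3"><Rule id="r6"/></Group>
</Benchmark>"""


def profile_selections(benchmark: ET.Element, profile_id: str) -> Dict[str, bool]:
    """Effective idref -> selected map for a profile.

    Parent selections (via `extends`) are applied first, then the child's,
    so a child's selected="false" overrides a parent's selected="true"."""
    profiles = {p.get("id"): p for p in benchmark.findall("x:Profile", NS)}
    chain, seen, pid = [], set(), profile_id
    while pid is not None:
        if pid in seen:
            raise ValueError(f"extends cycle at profile {pid}")
        seen.add(pid)
        if pid not in profiles:
            raise KeyError(f"profile {pid} not found")
        chain.append(profiles[pid])
        pid = profiles[pid].get("extends")
    selections: Dict[str, bool] = {}
    for prof in reversed(chain):  # base profile first, most derived last
        for sel in prof.findall("x:select", NS):
            selections[sel.get("idref")] = sel.get("selected", "true").lower() == "true"
    return selections


def selected_rule_count(xml_text: str, profile_id: str) -> int:
    """Number of rules left selected after resolving the extends chain."""
    bench = ET.fromstring(xml_text)
    return sum(1 for on in profile_selections(bench, profile_id).values() if on)


def benchmark_rule_count(xml_text: str) -> int:
    """Total number of Rule elements anywhere in a benchmark."""
    return len(ET.fromstring(xml_text).findall(".//x:Rule", NS))


def coverage_percent(selected: int, total: int) -> float:
    """Coverage as a percentage rounded to one decimal (0.0 for an empty total)."""
    return round(100.0 * selected / total, 1) if total else 0.0


if __name__ == "__main__":
    sel = selected_rule_count(SSG_XML, "stig")
    total = benchmark_rule_count(DISA_XML)
    print(f"{sel} / {total} = {coverage_percent(sel, total)}%")
```

Resolving the chain rather than counting `select` lines matters for the "turned off" step: a `selected="false"` in the STIG profile that overrides a rule `common` selected is one grep hit in each file and then one subtraction, so the grep arithmetic is only exact when none of the disabled rules come from the parent profile. The parsed map has no such ambiguity.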

Re: [Open-scap] [open-scap] scan percentage with respect to rules specified by STIG

2017-09-06 Thread Shawn Wells


On 9/6/17 9:58 AM, Wesley Ceraso Prudencio wrote:
> Thanks Shawn, I didn't notice the extension from common profile.

Of course.

It's incredibly hard to keep tabs on what 3rd parties are putting into
their baselines so while our rule counts may be close, there's
little assurance that mappings are kept updated and rule content aligns.
It's been a while since anyone has combed through DISA's RHEL6
content. I wonder if there's enough community interest to warrant it.



Re: [Open-scap] Change an existing tailoring file with scap-workbench

2017-09-06 Thread Mathias Münch

Hi Marek,

thank you for the answer.  I am afraid it is worse than that, there are
also rules added to the new file.  See an example diff below.

Shall I change the tracking to bugzilla or stay on the mailing list?

Best regards,

Mathias

On 04.09.2017 at 16:10, Marek Haicman wrote:
> Err, clicked reply instead of reply-all :)
> 
> On 09/04/2017 03:36 PM, Marek Haicman wrote:
>> On 09/03/2017 01:55 PM, Mathias Münch wrote:
>>> Hello!
>>>
>>> When I create a tailoring file with the scap workbench (SCAP Workbench
>>> 1.1.5, compiled with Qt 4.8.7, using OpenSCAP 1.2.14) everything works
>>> fine for the original customization.
>>>
>>> Now when I load the tailoring file again into the workbench in order to
>>> change things (e.g. re-enable one rule) and save, then the "extends"
>>> attribute is gone from the Profile tag and lots of additional rules
>>> (that I did not touch) are added to the tailoring.
>>>
>>> Am I missing some point or is this expected behaviour?
>>>
>>> Best regards,
>>>
>>> Mathias
>>>
>>>
>>
>> Hello Mathias,
>> thank you for the report! This issue has been already reported in
>> RHBZ, https://bugzilla.redhat.com/show_bug.cgi?id=1454455 it's not
>> expected behaviour. :) Please take a look at your reproducer, if only
>> groups are newly added there. In that case, it SHOULD be harmless.
>>
>> Thanks!
>> Marek
> 
5c5
<   
---
>id="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream_customized">
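Review bot: the replacement line in 5c5 keeps the customized Profile id but, as the report above states, the `extends` attribute is no longer present, so the tailored profile is detached from the base profile it was created from and will not pick up later changes to that profile's selections. This is the line worth quoting when attaching the reproducer to the Bugzilla report linked in the reply.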
7a8,189
>  idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_disable_interactive_boot" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route"
>  selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"
>  selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_rexec_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_rsh_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_ypbind_disabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_package_talk_removed" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" 
> selected="true"/>
>  selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_enable_selinux_bootloader" 
> selected="true"/>
>  selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" 
> selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" 
> selected="true"/>
>  selected="true"/>
>  selected="true"/>
>  idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" 
> selected="true"/>
>
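Review bot: every idref added in 7a8,189 is a `xccdf_org.ssgproject.content_rule_` identifier, i.e. individual rules, not groups, so the "only groups newly added" case that the earlier reply calls harmless does not describe this reproducer; the added entries should be checked against the base profile to confirm they merely restate its `selected="true"` values rather than changing any, before the file is treated as safe.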
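The report describes a re-saved tailoring whose Profile lost `extends` and gained many `select` entries for rules the user never touched. The script below is an added example (not from the thread, not SCAP Workbench or OpenSCAP code) of the check a practitioner would run on such a file: it loads the tailoring and the benchmark it customises, verifies that the tailored Profile still extends the expected base profile, and sorts its `select` elements into real overrides of the base, redundant restatements, and entries the base never mentioned, splitting the redundant ones into rules and groups since the reply distinguishes those cases. The benchmark and the two tailoring documents are constructed to mimic the first save and the re-save described above; the `content_group_` naming for group ids is an assumption about SSG's convention.

```python
"""Check a SCAP Workbench tailoring file against the benchmark it customises.
Added example: all three XML documents below are constructed, not real output."""
import xml.etree.ElementTree as ET
from typing import Dict

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
BASE_PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream"

# Constructed base benchmark: one profile selecting a group and two rules.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark">
  <Profile id="{BASE_PROFILE}">
    <select idref="xccdf_org.ssgproject.content_group_services" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/>
  </Profile>
</Benchmark>"""

# First save: extends is present and there is a single deliberate override.
GOOD_TAILORING_XML = f"""<Tailoring xmlns="{XCCDF_NS}" id="xccdf_example_tailoring">
  <Profile id="{BASE_PROFILE}_customized" extends="{BASE_PROFILE}">
    <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
  </Profile>
</Tailoring>"""

# Re-saved file as described in the report: extends is gone and the base
# profile's own selections have been copied in as if they were customisations.
RESAVED_TAILORING_XML = f"""<Tailoring xmlns="{XCCDF_NS}" id="xccdf_example_tailoring">
  <Profile id="{BASE_PROFILE}_customized">
    <select idref="xccdf_org.ssgproject.content_group_services" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="false"/>
  </Profile>
</Tailoring>"""


def _selections(profile: ET.Element) -> Dict[str, bool]:
    """idref -> selected flag for the select elements directly under a Profile."""
    return {s.get("idref"): s.get("selected", "true").lower() == "true"
            for s in profile.findall("x:select", NS)}


def check_tailoring(tailoring_xml: str, benchmark_xml: str, base_profile_id: str) -> Dict[str, object]:
    """Compare the tailored Profile with the base profile it is supposed to extend."""
    tailoring = ET.fromstring(tailoring_xml)
    benchmark = ET.fromstring(benchmark_xml)
    base = next(p for p in benchmark.findall("x:Profile", NS) if p.get("id") == base_profile_id)
    profile = tailoring.find("x:Profile", NS)
    if profile is None:
        raise ValueError("tailoring contains no Profile element")
    base_sel, tailored_sel = _selections(base), _selections(profile)
    overrides = sorted(r for r, v in tailored_sel.items() if r in base_sel and base_sel[r] != v)
    redundant = sorted(r for r, v in tailored_sel.items() if r in base_sel and base_sel[r] == v)
    not_in_base = sorted(r for r in tailored_sel if r not in base_sel)
    return {
        "extends": profile.get("extends"),
        "extends_ok": profile.get("extends") == base_profile_id,
        "overrides": overrides,            # genuine customisations
        "redundant": redundant,            # restate what the base already says
        "not_in_base": not_in_base,        # selections the base profile never made
        "redundant_rules": [r for r in redundant if "_rule_" in r],
        "redundant_groups": [r for r in redundant if "_group_" in r],
    }


if __name__ == "__main__":
    for label, doc in (("first save", GOOD_TAILORING_XML), ("re-saved", RESAVED_TAILORING_XML)):
        report = check_tailoring(doc, BENCHMARK_XML, BASE_PROFILE)
        print(label, "extends ok:", report["extends_ok"],
              "overrides:", len(report["overrides"]),
              "redundant rules:", len(report["redundant_rules"]),
              "redundant groups:", len(report["redundant_groups"]))
```

A tailoring whose Profile has no `extends` is a standalone profile: it carries only the selections it lists, which are a snapshot of the base taken at save time, so later updates to the base profile in the benchmark no longer reach it. That is why `extends_ok` is the first thing to look at, before deciding whether the extra `select` entries are harmless.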