Re: Any rumors on next draft for RHEL 8 STIG from DISA?

2020-12-02 Thread Gabe Alford
Unfortunately, no. They will probably be updated and released next year due to covid and backlogs and such. On Wed, Dec 2, 2020 at 1:33 PM Todd, Charles wrote: > Or the FIPS 140-2/3 and CC certifications? They seem to be stuck in limbo > too. > > > > Charlie Todd > > Ball Aerospace &

Re: New Github issue template for requesting a new rule

2020-11-11 Thread Gabe Alford
Looks good. I assume that this is going to be in addition to and not a replacement of the existing template? Having more than one issue template that GH creates a menu for you to choose is kinda nice. On Fri, Nov 6, 2020 at 8:54 AM Vojtech Polasek wrote: > Hello all, > I would like to propose a

Re: Refresh of how we track a profile - tracking the policy

2020-08-14 Thread Gabe Alford
On Thu, Aug 13, 2020 at 1:34 AM Watson Sato wrote: > > > On Wed, Aug 12, 2020 at 1:40 AM Gabe Alford wrote: > >> >> >> On Tue, Aug 11, 2020 at 6:00 AM Watson Sato wrote: >> >>> >>> >>> On Tue, Aug 11, 2020 at 1:24 AM Shane Boulden

Re: Refresh of how we track a profile - tracking the policy

2020-08-11 Thread Gabe Alford
and increases > requirements on the codeowners. > I actually really like this idea of using codeowners to track profile maintainers and think it is a more elegant solution than keeping track in the profile. > > >> On Mon, Aug 10, 2020 at 8:18 PM Matej Tyc wrote: >> >

Re: Refresh of how we track a profile - tracking the policy

2020-08-07 Thread Gabe Alford
Anything that is metadata should conform to the Dublin Core per the XCCDF specification for the .profile files, or it can be a commented out section at the top of the .profile. Alternatively, a single file like maintainers or profile maintainers would be better as a single source of truth.

Re: Let's do potentially breaking project changes now

2020-07-29 Thread Gabe Alford
On Wed, Jul 29, 2020 at 10:56 AM Matej Tyc wrote: > The PR https://github.com/ComplianceAsCode/content/pull/5606 introduced > a large number of changes that may break patches, but those changes were > much needed in the project. So I think that we should use this > opportunity to introduce more

Re: Approach to allow support of UEFI grub2 for grub2_audit_argument rule

2020-07-21 Thread Gabe Alford
bios is an interesting idea. Currently, we do not check for the > grub.cfg file in case of UEFI, at least not in this template. > This is a bug that we should fix quickly since it affects all our grub checks. > Vojta > > > > > > > > > Dne 20. 07. 20 v

Re: Approach to allow support of UEFI grub2 for grub2_audit_argument rule

2020-07-20 Thread Gabe Alford
On Wed, Jul 15, 2020 at 2:28 AM Andy Coates wrote: > Hi All, > > First I'm jumping in the deep end with this - I've only just discovered > the ComplianceAsCode/content repo and whilst loving the design and > flexibility, as a newbie it is very daunting to ingest how all the rules > are generated

Re: AppArmor Support

2020-06-09 Thread Gabe Alford
No. Go right on and create them. The AppArmor checks should definitely be under their own directory. Thanks! On Tue, Jun 9, 2020 at 9:23 AM Jon Thompson wrote: > Is there any objection to developing AppArmor checks for those OS that use > it? If so, would they exist in their own folder like

Re: Policy source data format proposal is ready for comments

2020-06-05 Thread Gabe Alford
NACK. If you would like to work on real policy evaluation, there are projects that we can hook you up with. There is a lot more to policy evaluation than what this proposal is and incorporates more work than the members of this project have time for. This problem is being worked on in other

Re: The Machine Platform Great Controversy

2020-04-28 Thread Gabe Alford
Containers are changing from where we originally thought certain practices were going to hold true. These ideas and practices no longer hold true. Kernel modules are going to start to be installed, delivered, and configured through containers (delivered by Red Hat). SSH servers are now running in

Re: [EXTERNAL] Questions about OSCAP for NIST Compliance checking

2020-04-02 Thread Gabe Alford
There definitely needs to be more information as there is moderate, high, and those like DHS5300A that select everything. CUI 800-171 is a subset of 800-53. As rehashed over and over again, CentOS will never meet 800-53 or 800-171 requirements. It is not meant to. There is and won't be a USGCB or

Re: Checks for removable partitions mount options

2020-03-26 Thread Gabe Alford
Originally, these rules were only written for cdrom with the guidance never changing to handle other devices even though it reads like they do handle other devices. You are correct in that the rules are to check for all types of removable devices. They were just never updated to fully address all

Short form references

2020-03-26 Thread Gabe Alford
Hello, Currently for references (STIGID, NIST, CUI, etc.) in our yaml content, we use a form of shortening the reference for STIGID and CCI e.g. For CCI, we do something like the following:
```
disa: 2165,2696
```
For STIGID, we do something like the following:
```
stigid: "020210"
```
This

Re: OCP4 content for RHCOS and RHEL

2020-03-17 Thread Gabe Alford
It's a good idea to focus on the RHCOS content first as that should be the priority first. Since Kubernetes is the orchestration engine for worker nodes, RHEL content should exist under the OCP product as Kubernetes will manage everything. Just like the CoreOS content is done right now. On

Re: Question about the 'remediation script' sections

2020-02-17 Thread Gabe Alford
Are they modules default in Puppet or are they custom or downloaded separately? If they are default in a standard Puppet install, it should be no problem as that is what we do with Ansible tasks. On Mon, Feb 17, 2020 at 2:58 PM Trevor Vaughan wrote: > I was looking to update the Puppet

Re: NIAP OSPP/Draft RHEL8 STIG ansible plays - disabled options for virtual guests and docker containers

2020-02-12 Thread Gabe Alford
Not fully true. The intent is such, but the code does more than just containers. Setting ansible_virtualization_role != "guest" applies to virtual machines AND any undefined container technology that Ansible facts do not understand or know about. On Wed, Feb 12, 2020 at 3:33 AM Jan Cerny wrote:

Re: NIAP OSPP/Draft RHEL8 STIG ansible plays - disabled options for virtual guests and docker containers

2020-02-11 Thread Gabe Alford
ansible_virtualization_role != "guest" should never have been added as all of the rules of a physical machine apply to a virtual machine. However, keeping `ansible_virtualization_type != "docker"` makes sense because many of the controls don't make sense for containers themselves. There is a bug open

Re: RHV and host support

2019-12-19 Thread Gabe Alford
Considering the amount of content that needs to be updated for new releases of STIG and replacement of authconfig, updates to pam checks, etc. I would consider this a very low priority at this time. On Wed, Dec 18, 2019 at 9:18 AM Matěj Týč wrote: > ... > > Alternatively, many the rules are

Re: Define profile for centos7 derivative

2019-12-10 Thread Gabe Alford
IIRC the ENS standard uses ISO 27001 which CentOS doesn't meet. In addition if ISO/IEC 15408 is applied against ENS, CentOS does not meet this in any way. On Tue, Dec 10, 2019 at 3:33 AM Kuko Armas wrote: > > Hello, I'm starting to take a look at the SSG content repo in github, and > I tried to

Re: SSSD configuration checks clarification

2019-11-14 Thread Gabe Alford
On Thu, Nov 14, 2019 at 1:30 PM Trevor Vaughan wrote: > Ilya, > > Could you link to the specific sections please? > > In my opinion, SSSD should be completely removed if not utilized and the > LOCAL provider should never be configured since it allows you to > effectively hide accounts from

Re: SSSD configuration checks clarification

2019-11-14 Thread Gabe Alford
On Thu, Nov 14, 2019 at 12:12 PM Ilya Okomin wrote: > Hello experts! > > I've noticed SSSD configuration rules implemented without verification > if SSSD package/service installed/enabled. To be added, remediation part > doesn't install sssd in case it is missing on the system, thus fix >

Re: removing telnet client breaks fence agents

2019-11-01 Thread Gabe Alford
On Fri, Nov 1, 2019 at 10:46 AM Trevor Vaughan wrote: > I don't see a reason to remove the rule in general but: > > 1) Having the telnet *client* present isn't really a big deal if you have > pretty much any scripting language, or modern SSH that allows the NULL > cipher > IIRC as of one of the

Re: EXTERNAL: Excessive FIPS checks

2019-10-11 Thread Gabe Alford
On Fri, Oct 11, 2019 at 12:25 PM Chuck Atkins wrote: > > >> FIPS certification is more than just turning on ciphers, >> > > For sure, I'm not arguing that point at all. > > >> but doing so only does the technical part, but it’s not the whole chain. >> > > So, that's what the rules in question

Re: SCAP not Matching STIG

2019-10-11 Thread Gabe Alford
Are the checks manual checks and can't be automated through SCAP? On Fri, Oct 11, 2019 at 3:26 PM wrote: > This may be the wrong place to ask this, but I've been looking at this for > hours and was hoping someone could either explain what I'm seeing or point > to someplace that I can ask. > >

Re: Scan-workbench - modifying customizations, and comparing profiles

2019-10-03 Thread Gabe Alford
On Tue, Sep 17, 2019 at 1:50 PM Sanders, Robert wrote: > Hello all, > > Is there any way to load a set of customizations into scap-workbench, > make some additional tweaks, and then output *only* the customizations > themselves (old + new changes)? Every time I’ve tried to do this I wind up >

Re: Short lived branches for stabilization before release

2019-09-10 Thread Gabe Alford
The project discussed this several years ago as well as adding LTS branches but ultimately decided against it due to the maintenance costs and burdens placed on owners. Not sure what has changed since security is always changing and evolving. > I have so many commits I have yet to get committed

Re: Getting Started

2019-08-05 Thread Gabe Alford
Actually it is more than that. RHEL certifications including profiles that go through certification do not apply to CentOS and actually do not flow down from RHEL to CentOS. CentOS fails to meet certification requirements in the areas of cryptography and now in secure software supply chain which

Re: Benchmark Group Rule order

2019-04-17 Thread Gabe Alford
On Wed, Apr 17, 2019 at 11:48 AM Alexander Bergmann wrote: > Hi everyone, > > I have a question about the rules execution order. From my testing the > execution order is simply the rule order inside a group of a benchmark. > It looks like the order simply depends on the directory structure of >

Re: "Could not parse profile" error

2019-04-05 Thread Gabe Alford
? On Fri, Apr 5, 2019 at 4:22 PM Shawn Wells wrote: > > On 4/5/19 6:14 PM, Gabe Alford wrote: > > Personally, I don't see the benefit of these errors that are > > mentioned, and they should be removed. > > > Imagine if you're a developer making a profile and it's not appearin

Re: "Could not parse profile" error

2019-04-05 Thread Gabe Alford
Personally, I don't see the benefit of these errors that are mentioned, and they should be removed. On Fri, Apr 5, 2019 at 3:49 PM Shawn Wells wrote: > > On 4/5/19 7:16 AM, Watson Sato wrote: > > > > On Wed, Apr 3, 2019 at 4:49 PM Shawn Wells wrote: > >> When building off master, I receive the

Re: Strip down XML output (XCCDF,OVAL,DS)

2019-03-11 Thread Gabe Alford
In each profile, you could set `documentation_complete` to `False` except for the profile that you want to build. However, there will still be some content that gets added because it applies to all products. But outside of filesize, why are you wanting to remove content that is tailorable and

Re: multiple configurations fixed by one ansible snippet

2019-02-12 Thread Gabe Alford
Because they are separate rules, they should be separate remediations. Of course if the upstream faillock BZ [1] was prioritized and dealt with sooner, we probably wouldn't necessarily be having this discussion. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1537242 On Tue, Feb 12, 2019 at

Re: Rule rpm_verify_file_hashes and config files

2019-01-09 Thread Gabe Alford
On Wed, Jan 9, 2019 at 9:09 AM Watson Sato wrote: > > > On Wed, Jan 9, 2019 at 3:28 AM Shawn Wells wrote: > >> >> On 1/8/19 1:39 PM, Gabe Alford wrote: >> >> On Tue, Jan 8, 2019 at 7:08 AM Watson Sato wrote: >> >>> >>>

Re: Rule rpm_verify_file_hashes and config files

2019-01-08 Thread Gabe Alford
On Tue, Jan 8, 2019 at 7:08 AM Watson Sato wrote: > > > On Tue, Jan 8, 2019 at 2:57 PM Trevor Vaughan > wrote: > >> Personally, I think that anything marked as %config should not be checked >> because they are allowed to vary anyway. >> > > I'm leaning towards ignoring config files in OVAL

Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?

2018-11-27 Thread Gabe Alford
irst place? > > > I can't be the only person in this boat. What are others doing? > > Wonder if this is something that could be incorporated into Security > Central? > > /me glances at @Gabe Alford > ___ scap-security-guid

Re: alternatives to STIG Viewer once Oracle JDK 8 / JavaFX 8 is EOL in January 2019?

2018-11-27 Thread Gabe Alford
This would be a great RFE to file upstream as well as with Red Hat for SCAP-workbench to support this workflow. Gabe On Tuesday, November 27, 2018, James Ralston wrote: > I apologize if this is a little off-topic for this list, but a > question: what are others who use STIG Viewer planning to

Re: FIPS Checker

2018-10-29 Thread Gabe Alford
those could be used >> to compare a running system against the certification report. >> >> Yes, I also understand that sometimes the desire is to be able to show >> that CentOS or Fedora is NOT FIPS certified verses RHEL. Of course, that >> assumes that the RHEL you

Re: FIPS Checker

2018-10-29 Thread Gabe Alford
Outside of going to https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search and clicking `search` with empty search parameters, don't know of anything. On Mon, Oct 29, 2018 at 1:33 PM Trevor Vaughan wrote: > Hi All, > > Does anyone know of a project that

Re: False positive message for sshd key file permission

2018-09-20 Thread Gabe Alford
The scan fails because permissions should be 0640 for the private key. If they are not set to 0640, this prevents sshd from generating keys. On Thu, Sep 20, 2018 at 8:40 AM, Dushyant Uge wrote: > Hello Team, > > One of our customer raised concern that -- > The rule going wrong are: >

Re: Updating audit rules for container platforms

2018-09-04 Thread Gabe Alford
CIS Benchmark requires the auditing of /var/lib/docker for this reason which might be the simplest answer to handling these cases. On Tue, Sep 4, 2018 at 7:06 AM, Steve Grubb wrote: > On Monday, September 3, 2018 12:01:11 PM EDT Matus Marhefka wrote: > > Hello, > > > > I would discuss this with

Re: CI Enabled Cross Checking

2018-06-23 Thread Gabe Alford
If you want to submit a PR with putting Inspection content under shared/checks/inspec, that would be great. We can then look at the content and determine what needs to be done. On Wednesday, June 20, 2018, Trevor Vaughan wrote: > I'd like to contribute the checks (they're not remediations) but

Re: Looks like the SSG build might be broken

2018-06-23 Thread Gabe Alford
The SSG python modules are currently going through a refactoring, so build failures are currently possible on master. Building SSG on Windows will soon be possible as well. On Friday, June 22, 2018, Trevor Vaughan wrote: > The last tag is just fine. > > I've changed my code to only use the last

Re: Reg: Openscap scanning for SSH

2018-04-20 Thread Gabe Alford
Yes, version 0.1.36 has been released. On Fri, Apr 20, 2018 at 11:10 AM, Dushyant Uge wrote: > Hello, > > I checked RHEL7.5 has been released now. > > My question -- > > Is SCAP Security Guide 0.1.36 released with RHEL7.5? > > > Thanks & Regards, > Dushyant Uge > > On Tue, Apr

Re: Disabling specific bash remediations

2018-03-02 Thread Gabe Alford
Fen, There is an RFE open in OpenSCAP for this very thing at https://github.com/OpenSCAP/openscap/issues/633 Outside of tailoring a profile, nothing super easy from the OpenSCAP side of the house. Gabe On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme wrote: > The

Re: [Open-scap] oscap results stored in central database?

2018-02-02 Thread Gabe Alford
Awesome Fen! Can you provide insight into your usage of Graylog instead of ELK or EFK? On Thu, Feb 1, 2018 at 3:37 PM, Fen Labalme wrote: > Would love some XSLT files for parsing the XML files nicely (I've been > wanting this, but am not an XSLT sorta guy). If the

Re: [Open-scap] oscap results stored in central database?

2018-02-01 Thread Gabe Alford
A couple of things to think about as we move towards the idea of Compliance As Code and a central CLI/WebUI. 1. We are moving away from authoring content in XML and towards a YAML style format which was shown at Defense in Depth last year. Many people were smiling and liking the idea.

Re: Ansible vs bash fixup scripts

2017-12-14 Thread Gabe Alford
Chuck, I completely understand your frustrations. SSG is evolving to handle different types of remediation languages for consumption by environments that may use different remediation technologies like puppet, ansible, etc. besides just bash. By default, oscap does only bash remediations. One of

Re: stig-overlays.xml usage

2017-11-16 Thread Gabe Alford
On Thu, Nov 16, 2017 at 8:49 AM, Olivier BONHOMME wrote: > On Wed, Nov 15, 2017 at 05:52:35PM +0100, Watson Yuuma Sato wrote: > > On 15/11/17 13:15, Olivier BONHOMME wrote: > > > Dear OpenScap community, > > > > > > I'm currently working for my company on checking the RHEL 7

Re: Why is xml-common required for SSG RPMs, and where do I find it?

2017-10-26 Thread Gabe Alford
I *think* that this is actually expected behavior if you have clean_requirements_on_remove enabled. On Thu, Oct 26, 2017 at 11:23 AM, Shawn Wells <sh...@redhat.com> wrote: > > > On 10/26/17 1:11 PM, Gabe Alford wrote: > > Should be able to install with: > > > &

Re: Why is xml-common required for SSG RPMs, and where do I find it?

2017-10-26 Thread Gabe Alford
Should be able to install with: $ sudo yum install xml-common and I believe that it is included in the base repo. It has actually always been required as it provides `/usr/share/xml` On Thu, Oct 26, 2017 at 10:55 AM, Shawn Wells wrote: > Attempting to install RPM, receive

Re: STIG Rule Id vs Version

2017-10-10 Thread Gabe Alford
On Mon, Oct 9, 2017 at 2:14 PM, Shawn Wells wrote: > > > On 10/9/17 1:19 PM, Wesley Ceraso Prudencio wrote: > > Hi all, > > I noticed something strange in the information we have about the STIG > Profiles. The problem is that what we internally refer as "Stig ID" is >

Re: Time to drop bash remediations?

2017-08-01 Thread Gabe Alford
I say we keep bash scripts as other distros will probably need them. Plus, I would think that we would want to handle environments where ansible will never be used. On Tue, Aug 1, 2017 at 5:20 PM, Shawn Wells wrote: > RHEL 7.4 is out! That means we can now be public on how

Re: Help with Compiling SSG

2017-06-21 Thread Gabe Alford
Were the rules that you added inside the elements rather than just appended to the bottom of the file? > The SSG can be installed by using `yum install scap-security-guide` as a root user Use yum install scap-security-guide or yum install scap-security-guide here. Gabe On Wed, Jun 21, 2017

Re: xccdf_org.ssgproject URN

2017-03-28 Thread Gabe Alford
On Fri, Mar 24, 2017 at 12:20 PM, Shawn Wells wrote: > We currently use "xccdf_org.ssgproject" -- should this be changed to > "xccdf_io.openscap" or "xccdf_org.open-scap"? > > Has been bugging me for awhile. > > For downstream, should we use xccdf_com.redhat? > +1, please do!

Re: findings not being detected properly.

2017-03-23 Thread Gabe Alford
Can you provide the HTML output at all? Also permissions of /boot/grub2 and grub.cfg? What superusers do you have configured? On Thursday, March 23, 2017, Albert Roberson wrote: > I hope it is obvious that I meant to type that I am logged in as "root" > when I run the scan.

Re: RFC: chef.io Inspec

2017-03-22 Thread Gabe Alford
I'm all for simplifying SSG; however, the roadblocks that Shawn has listed cannot be understated. How would environments using puppet or ansible or bash or work with Inspect especially as Inspect appears to be more of a Chef component? Moving away from a defined standard SCAP (for better or for

Re: findings not being detected properly.

2017-03-20 Thread Gabe Alford
On Mon, Mar 20, 2017 at 12:44 PM, wrote: > There are several items that are showing failures in spite of remediation. > Where is the best place to search/file findings such as these. As an > example, the scan fails even though the boot loader password is enabled and > the

Re: Where did the HTML tables go?

2017-02-23 Thread Gabe Alford
On Thu, Feb 23, 2017 at 1:48 PM, Shawn Wells wrote: > Went to give a demo of SSG this morning - and noticed the HTML tables > are no longer in RHEL/7/output/*. > > Where did the HTML tables go? I can't find any documentation on the new > build flags. > I believe that they are

Re: DISA Coverage Rate for RHEL7

2016-10-04 Thread Gabe Alford
Hello, Both the DISA SRGs and STIGIDs are added to the applicable RHEL/7 content. You can verify this by either `grep -rni 'stigid\|srg' RHEL/7/input/xccdf`, or `grep 'SRG\|RHEL-07' ssg-rhel7-xccdf.xml` Also, when a report is generated with the oscap --report option, the SRG and STIGID

Re: Adding rules for SUSE.

2016-09-30 Thread Gabe Alford
On Fri, Sep 30, 2016 at 2:19 AM, wrote: > Hello, > > I am trying to test how new rules can be added to SUSE. I could not find > any documentation so this is what I have done so far: > > 1) Added a new file input/xccdf/system/permissions/files.xml with a > couple of rules to

Re: Can we change the banner text requirement for "dconf_gnome_login_banner_text" to allow custom banner text? (RH BZ#1357620)

2016-08-03 Thread Gabe Alford
On Wed, Aug 3, 2016 at 6:40 AM, Steve Grubb wrote: > On Wednesday, August 3, 2016 7:17:15 AM EDT Jan Lieskovsky wrote: > > Hello, > > > > please see downstream report: > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1357620 > > > > In short the reason for the failure

Re: Latest OpenSCAP changes to speed up SSG builds

2016-07-27 Thread Gabe Alford
On Tue, Jul 26, 2016 at 3:24 PM, Martin Preisler wrote: > I found pretty bad inefficiencies in some of our XSLTs. > > Check out > https://github.com/OpenSCAP/openscap/commit/a65bf27dec4a93e2b87cec8cbcd80bec4fd2328a > or >

Re: Question about scap-security-guide 0.1.28 and Centos 6.5

2016-07-11 Thread Gabe Alford
Hello Phil, It is nothing to be concerned about. Basically, the warning message is letting you know that the OpenSCAP scan cannot download the latest CVE OVAL file from redhat.com which makes sense as the system cannot access the internet. Thanks, Gabe On Mon, Jul 11, 2016 at 12:59 PM,

Re: investigating "notapplicable"

2016-07-11 Thread Gabe Alford
Hello Radzy, > I'm trying to figure out how to go about investigating why "notapplicable" > is returned. Mostly, I'm working with a new directory for WR Linux. Are you saying that all checks return "notapplicable" when you run a scan? Or are you saying that you created a custom OVAL and the

Re: [Proposal] Replace SSG feature milestones on GitHub with GH feature labels -- any objections?

2016-06-24 Thread Gabe Alford
On Fri, Jun 24, 2016 at 10:19 AM, Shawn Wells wrote: > > > On 6/24/16 12:16 PM, Jan Lieskovsky wrote: > >> Hello folks, >> >>so there are these SSG "feature milestones" on GitHub: >>* Infrastructure Enhancements and Fixes >> ( >>

Re: Use /etc/passwd directly instead of sources in NSS

2016-06-08 Thread Gabe Alford
om /etc/passwd that have UID greater or equal > to 500 without using password_object? I have been trying to do this for > many days now without any luck. > > Thanks for your time > > -- > Rodolfo Martínez > > On Tue, Jun 7, 2016 at 1:03 PM, Gabe Alford <redhatri...@gmail.co

Re: Use /etc/passwd directly instead of sources in NSS

2016-06-07 Thread Gabe Alford
Hello Rodolfo, I just did a quick glance as I currently don't have the cycles to look into this but the "state_at_system_accounts_at_allow_uid" exclude filter is where this is not working. It is not filtering UIDs greater than 1 or 500 for that matter. Specifically this subexpression is what is

Re: "No definition with ID: ...." errors on RHEL 7.2 / SSG 0.1.25-3

2015-11-24 Thread Gabe Alford
Just curious but would a `yum reinstall` work? On Tue, Nov 24, 2015 at 11:52 AM, Shawn Wells wrote: > > > On 11/24/15 1:32 PM, Shawn Wells wrote: > >> Running on RHEL 7.2, receiving "No definition with ID: " errors. >> Known issue? >> >> >> >> >> # cat /etc/redhat-release

Re: [Open-scap] RHEL FirewallD Requirement for Hosts that have well defined STATIC configurations

2015-10-08 Thread Gabe Alford
Here are some old threads that discussed this that *I think* (should say vaguely remember) moved to usage of Firewalld over the IPTables services. https://lists.fedorahosted.org/pipermail/scap-security-guide/2014-October/006214.html

Re: why is testing for file integrity monitoring technology specific?

2015-08-04 Thread Gabe Alford
On Tue, Aug 4, 2015 at 8:43 AM, Shawn Wells sh...@redhat.com wrote: On 7/30/15 5:57 PM, Bond Masuda wrote: Ok. I guess I will need to learn how to write OVAL and XCCDF content Writing SCAP isn't the only way to contribute :) If you can create guidance (just text) for a tool, people

Re: I think I found a problem with CentOS content

2015-07-30 Thread Gabe Alford
This is true. Most likely the same for Scientific Linux. Would you mind opening a ticket on github? On Thu, Jul 30, 2015 at 2:40 PM, Bond Masuda bond.mas...@hexadiam.com wrote: For rule id: ensure_redhat_gpgkey_installed, it appears to be looking for

Re: Blog post - SSG now builds HTML guide for every profile

2015-07-09 Thread Gabe Alford
On Wednesday, July 8, 2015, Shawn Wells sh...@redhat.com wrote: On 7/8/15 7:41 AM, Martin Preisler wrote: I wrote a small blog post about a new feature in SSG 0.1.24 - building one HTML guide for each profile we ship and providing a convenient switcher.

Re: Using the RHEL specific SCAP content for CentOS

2015-07-07 Thread Gabe Alford
Bond, Try running the following:
```
# oscap xccdf eval --profile stig-rhel6-server-upstream \
--results /tmp/`hostname`-ssg-results.xml \
--report /tmp/`hostname`-ssg-results.html \
--cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml \
```

Re: Using the RHEL specific SCAP content for CentOS

2015-06-30 Thread Gabe Alford
Hey Bond, As of SCAP Security Guide release 0.1.23, CentOS content is now available (any older version will require tweaking). See the announcement here: https://lists.fedorahosted.org/pipermail/scap-security-guide/2015-June/006462.html You can download and build the SSG content from

Re: Porting RHEL6 XCCDF Profiles to RHEL7

2015-05-07 Thread Gabe Alford
Greg, I don't think that it should be too much of a problem migrating the profiles. See https://github.com/OpenSCAP/scap-security-guide/pull/550 for an example. Gabe On Thu, May 7, 2015 at 10:42 AM, Greg Elin grege...@gitmachines.com wrote: Fend and I are looking at moving a client from AWS

Re: OVAL 5.11 Woes

2015-04-22 Thread Gabe Alford
Branching is not a bad idea. We could also develop platform build code that could handle specific version/os use cases as another option. Gabe On Wed, Apr 22, 2015 at 7:00 AM, Steve Grubb sgr...@redhat.com wrote: On Wednesday, April 22, 2015 10:50:36 AM Šimon Lukašík wrote: And here comes

Re: Shared Checks/Fixes ...

2015-04-09 Thread Gabe Alford
On Thu, Apr 9, 2015 at 8:04 AM, Trey Henefield trey.henefi...@ultra-ats.com wrote: Thank you everyone for the responses! I completely agree with the benefits of the shared directory. That really wasn't so much my concern, but rather a better way of utilizing it. As Jan pointed out, I am

Re: Shared Checks/Fixes ...

2015-04-09 Thread Gabe Alford
: scap-security-guide-boun...@lists.fedorahosted.org] *On Behalf Of *Gabe Alford *Sent:* Thursday, April 09, 2015 9:59 AM *To:* SCAP Security Guide *Subject:* Re: Shared Checks/Fixes ... On Thu, Apr 9, 2015 at 8:04 AM, Trey Henefield trey.henefi...@ultra-ats.com wrote: Thank you everyone

Re: Shared Checks/Fixes ...

2015-04-08 Thread Gabe Alford
I agree with Greg about providing more detail. I am especially curious about the multiple filesystems and version control systems. The (shared/oval) and (shared/fixes/bash) are for checks and fixes that span multiple OS versions (App versions can be used as well if needed). Not all the checks and

Re: BIND and HTTP STIGs

2015-03-24 Thread Gabe Alford
On Fri, Mar 20, 2015 at 10:56 AM, Shawn Wells sh...@redhat.com wrote: On 3/20/15 9:23 AM, Gabe Alford wrote: Depends on how agnostic the content is. It would just be primarily for the RHEL/Fedora products and derivatives i.e CentOS, etc. Makes sense to drop into existing directories

Re: BIND and HTTP STIGs

2015-03-20 Thread Gabe Alford
/Ubuntu in addition to RHEL, so made sense for its own tree. -- Shawn Wells Director, Innovation Programs sh...@redhat.com | 443.534.0130 @shawndwells On Mar 20, 2015, at 9:01 AM, Gabe Alford redhatri...@gmail.com wrote: Sorry user keyboard error. I am currently in the midst of securing

Re: BIND and HTTP STIGs

2015-03-20 Thread Gabe Alford
. but for BIND and HTTP, or should the XCCDF be added to RHEL/6/input/services/dns.xml and RHEL/6/input/services/http.xml? Thanks, Gabe On Fri, Mar 20, 2015 at 6:57 AM, Gabe Alford redhatri...@gmail.com wrote: Hello, I am currently in the midst of securing some of my systems

BIND and HTTP STIGs

2015-03-20 Thread Gabe Alford
Hello, I am currently in the midst of securing some of my systems with the BIND and HTTP STIGs, and -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

Re: Handling various sysctl locations, runtime vs persistent checks

2015-02-02 Thread Gabe Alford
Here is a man page that seems to explain it for systems running systemd: http://www.freedesktop.org/software/systemd/man/sysctl.d.html Gabe On Mon, Feb 2, 2015 at 7:05 AM, Trevor Vaughan tvaug...@onyxpoint.com wrote: That's a really good question. If it's implemented in the same way as

Re: sshd banner warning

2015-01-21 Thread Gabe Alford
...@linqhost.nl wrote: Because we would like to have 2 different issue files (different content): tty and ssh. But guess I have to make a patch then for internal use :-) - Gerwin On 01/21/2015 04:02 PM, Gabe Alford wrote: Just read this thread. I may be missing something here, but why

Re: Waiver support in HTML report

2014-11-13 Thread Gabe Alford
Really like the new feature! One thing is how do I remove a waiver, e.g. what if I accidentally add a waiver to the wrong rule? Gabe On Wed, Nov 12, 2014 at 9:36 AM, Martin Preisler mprei...@redhat.com wrote: - Original Message - From: Shawn Wells sh...@redhat.com To: Martin

Re: Use of RHEV

2014-10-31 Thread Gabe Alford
Thanks all! Very helpful. Gabe On Thu, Oct 30, 2014 at 7:57 PM, Shawn Wells sh...@redhat.com wrote: On 10/29/14, 4:50 PM, Gabe Alford wrote: I wanted to ask if anyone is using RHEV at all especially in an IC/DoD environment. Has it been approved? Secured? What issues

Use of RHEV

2014-10-29 Thread Gabe Alford
Hello list, I wanted to ask if anyone is using RHEV at all especially in an IC/DoD environment. Has it been approved? Secured? What issues are there? Thanks, Gabe -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org

Re: RHEL 7 Direction

2014-10-04 Thread Gabe Alford
On Fri, Oct 3, 2014 at 5:08 PM, Shawn Wells sh...@redhat.com wrote: On 10/3/14, 3:31 PM, Crawford, Nicholas P CTR USARMY CERDEC (US) wrote: Greetings, I had a couple of questions about the direction the RHEL 7 SSG will be going; Particularly with the below new subsystems in

Re: Confirming install requirements to build scap-security-guide

2014-09-11 Thread Gabe Alford
Depends on the project (which those projects may/may not be doing it right). Katello a README ( https://git.fedorahosted.org/cgit/katello.git/tree/README.md). FreeIPA and SSSD use a README ( https://git.fedorahosted.org/cgit/freeipa.git/tree/README) and BUILD.txt (

GitHub Contributing Wiki Page

2014-09-06 Thread Gabe Alford
Hello, I have added a wiki page for contributing on GitHub for our project here https://github.com/OpenSCAP/scap-security-guide/wiki/Contributing. Please let me know what you think and what needs to be added/deleted. If the fedorahosted wiki is what needs to be updated and used for a

Re: Implementing GitHub Milestones

2014-09-03 Thread Gabe Alford
Having pull requests merged against the existing baseline would be huge as well, especially for release note documentation. Any idea how to set that up? Do you mean that all pull requests from the time github use started to today be added to the 0.1.19 milestone? Or.? -- SCAP Security

Re: Implementing GitHub Milestones

2014-09-03 Thread Gabe Alford
Speaking about blockers (issues that definitely need to go into next release) would it be possible to set up an agreement that such fixes would receive the [BLOCKER] prefix together with the [PATCH] prefix? Are you talking about adding a Blocker label to the pull request? Or when you `git

Re: Implementing GitHub Milestones

2014-09-03 Thread Gabe Alford
Went ahead and added some milestones. Check them out here: https://github.com/OpenSCAP/scap-security-guide/milestones Also added a BLOCKER and bugfix label to the github labels. On Wed, Sep 3, 2014 at 8:02 AM, Gabe Alford redhatri...@gmail.com wrote: Speaking about blockers (issues

Re: SCAP Security Guide - make validate fails after make templates run

2014-09-03 Thread Gabe Alford
Hello, Just checking on the latest master, this is appearing to fail because the 'make templates' generates a file permission OVAL check for grub that is not in the XCCDF. The offending xml file is file_permissions_boot_grub_grub_conf.xml which if you `rm

git pull requests final review

2014-09-03 Thread Gabe Alford
Hello, I have the following git pull requests below that need final review. I can merge if ack'ed - https://github.com/OpenSCAP/scap-security-guide/pull/38 - https://github.com/OpenSCAP/scap-security-guide/pull/33 - https://github.com/OpenSCAP/scap-security-guide/pull/30 Thanks,

Re: New report and guide in openscap 1.1.0

2014-08-28 Thread Gabe Alford
Agree about the *The system is not compliant!* text. A lot of our security people will freak out over it. Maybe either different types of non-compliance messages are based off of a %, or better non-compliance messages that are not so alarming. Gabe On Thu, Aug 28, 2014 at 12:29 PM, Andrew

git pull request - enabling gconf-tree.xml OVAL support (#22)

2014-08-18 Thread Gabe Alford
Hello, I have a git pull request waiting for review at https://github.com/OpenSCAP/scap-security-guide/pull/22. If ack'ed, it would need to be merged by project collaborators. Thanks, Gabe -- SCAP Security Guide mailing list scap-security-guide@lists.fedorahosted.org

Re: selinux_all_devicefiles_labeled not working

2014-08-14 Thread Gabe Alford
Just checked the source, and the error is still there. It is still appearing to fail over /dev/.udev Here are some examples of patterns that generate errors: /dev/.udev/links/disk\x2fby-uuid\actual_uuid/b8 /dev/.udev/db/tty:ttyS0 Thanks, Gabe On Thu, Aug 14, 2014 at 1:38 PM, Shawn Wells
