oh my, you're right -- it was commented out of common to enable faster testing. i just added it to the STIG profile. we need a quick sanity check for the other filesystem walks, too.
I created a script to specifically check for this (and other completeness verifications) --- lemme re-run to ferret out any others:

./utils/verify-references.py --rules-with-disarefs-outside-profile stig-server ssg-rhel6-xccdf.xml

in the glorious future it will be part of a more rigorous process for verification/submission.

On 10/25/2012 04:28 PM, Steinke, Leland J CTR DISA FSO (US) wrote:
> I know we talked about using RPM to verify security attributes on all system
> files and hashes on non-configuration system files, but I don't see it in the
> STIG content either. I see it in the SRG map content, but there needs to be
> some kind of check against the original, cryptographically-signed package
> manifests, as well as the file integrity baseline generated by AIDE or
> equivalent. There is a race condition (admittedly limited potential) between
> package installation and file integrity baseline updating.
>
> Regards,
> --
> Leland Steinke, Security+
> DISA FSO Technical Support Contractor
> tapestry technologies, llc
> 717-267-5797 (DSN 570)
> leland.j.steinke....@mail.mil (gov't)
> lstei...@tapestrytech.com (com'l)
>
>> -----Original Message-----
>> From: scap-security-guide-boun...@lists.fedorahosted.org [mailto:scap-
>> security-guide-boun...@lists.fedorahosted.org] On Behalf Of Robert
>> Sanders
>> Sent: Thursday, October 25, 2012 4:17 PM
>> To: 'scap-security-guide@lists.fedorahosted.org'
>> Subject: RE: RPM verification/file permission question
>>
>> I saw the periodic RPM verify in the RHEL5 STIG (GEN006565), but didn't
>> see the equivalent in the draft RHEL 6.
>>
>> -Rob
>>
>>> -----Original Message-----
>>> From: scap-security-guide-boun...@lists.fedorahosted.org
>>> [mailto:scap-security-guide-boun...@lists.fedorahosted.org]
>>> On Behalf Of Jeffrey Blank
>>> Sent: Thursday, October 25, 2012 3:41 PM
>>> To: scap-security-guide@lists.fedorahosted.org
>>> Subject: Re: RPM verification/file permission question
>>>
>>> This is a possibility, but for now the STIG profile is likely
>>> to move forward with AIDE for verifying integrity
>>> periodically. The auditing system will also detect changes
>>> in ACLs for you.
>>>
>>> Interestingly, those using the STIG rules for CM purposes
>>> will likely run the /entire/ STIG profile periodically,
>>> including the RPM verify check.
>>>
>>> On 10/25/2012 03:36 PM, Robert Sanders wrote:
>>>> I raised a question on the call earlier noticing the absence of any
>>>> ACL related checks in the RHEL6 STIG compared to the RHEL5 STIG.
>>>> Someone (Shawn? - apologies if incorrect) that RPM would ensure
>>>> correct settings. I was thinking about this afterward and wondered if
>>>> there should be a line item requiring a periodic 'have rpm verify all
>>>> installed packages' check. While RPM will make sure that things are
>>>> setup correctly, I didn't see any checks to see if a change had been
>>>> made to ACLs after the fact. AIDE might pick up on this also, but
>>>> I've never used it so I don't know.
>>>>
>>>> Sincerely, Rob Sanders
>>>> ===========================
>>>> Rob Sanders
>>>> Sr. Secure Systems Engineer
>>>> Raytheon Trusted Computer Solutions
>>>> 12950 Worldgate Drive, Suite 600
>>>> Herndon, Virginia 20170
>>>> Security Blanket Support: 1-866-230-1317
>>>> Security Blanket Email: securityblan...@trustedcs.com
>>>> Office: 703-896-4762
>>>> Fax: 703-318-5041
>>>> Email: rsand...@trustedcs.com
>>>> _______________________________________________
>>>> scap-security-guide mailing list
>>>> scap-security-guide@lists.fedorahosted.org
>>>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
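
Added example, not part of the thread or of the SSG project's content: a Python filter for `rpm -Va` output that applies the split Leland Steinke describes above, reporting mode, owner, group and capability changes on every packaged file but digest changes only on non-configuration files. The sample output is constructed, and treating missing files as findings is an assumption.

```python
import re

# One line of `rpm -Va` output: 9 result flags (8 on older rpm) or "missing",
# an optional file-type marker (c = config, d = doc, g = ghost, ...), the path.
LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)

# Flags that describe security attributes, checked on every packaged file.
ATTRIBUTE_FLAGS = {"M": "mode", "U": "owner", "G": "group", "P": "capabilities"}


def findings(rpm_va_output):
    """Return (path, [reasons]) for each line that matters under that split."""
    results = []
    for raw in rpm_va_output.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # anything that is not a verify result line
        flags, attr, path = m.group("flags", "attr", "path")
        if flags == "missing":
            # Assumption: a packaged file that is gone is always worth reporting.
            results.append((path, ["missing"]))
            continue
        reasons = [name for f, name in ATTRIBUTE_FLAGS.items() if f in flags]
        # Hashes are compared only on non-configuration files ('c' marker absent).
        if "5" in flags and attr != "c":
            reasons.append("digest")
        if reasons:
            results.append((path, reasons))
    return results


# Constructed sample output, not taken from a real system.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/sbin/sshd
.....UG..  c /etc/shadow
.......T.  d /usr/share/doc/bash-4.1.2/README
missing     /usr/bin/sudo
"""

if __name__ == "__main__":
    for path, reasons in findings(SAMPLE):
        print(f"{path}: {', '.join(reasons)}")
```

This only compares the system against the RPM database; it does not cover the AIDE baseline that the thread also calls for.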