There are a number of items present in the SRG mapping, but missing from the Profile. Adding these now.
On 10/25/2012 04:59 PM, Jeffrey Blank wrote:
> oh my, you're right -- it was commented out of common to enable faster
> testing. i just added it to the STIG profile. we need a quick sanity
> check for the other filesystem walks, too.
>
> I created a script to specifically check for this (and other
> completeness verifications) --- lemme re-run to ferret out any others:
>
> ./utils/verify-references.py --rules-with-disarefs-outside-profile stig-server ssg-rhel6-xccdf.xml
>
> in the glorious future it will be part of a more rigorous process for
> verification/submission.
>
> On 10/25/2012 04:28 PM, Steinke, Leland J CTR DISA FSO (US) wrote:
>> I know we talked about using RPM to verify security attributes on all system
>> files and hashes on non-configuration system files, but I don't see it in
>> the STIG content either. I see it in the SRG map content, but there needs
>> to be some kind of check against the original, cryptographically-signed
>> package manifests, as well as the file integrity baseline generated by AIDE
>> or equivalent. There is a race condition (admittedly limited potential)
>> between package installation and file integrity baseline updating.
>>
>> Regards,
>> --
>> Leland Steinke, Security+
>> DISA FSO Technical Support Contractor
>> tapestry technologies, llc
>> 717-267-5797 (DSN 570)
>> leland.j.steinke....@mail.mil (gov't)
>> lstei...@tapestrytech.com (com'l)
>>
>>> -----Original Message-----
>>> From: scap-security-guide-boun...@lists.fedorahosted.org
>>> [mailto:scap-security-guide-boun...@lists.fedorahosted.org]
>>> On Behalf Of Robert Sanders
>>> Sent: Thursday, October 25, 2012 4:17 PM
>>> To: 'scap-security-guide@lists.fedorahosted.org'
>>> Subject: RE: RPM verification/file permission question
>>>
>>> I saw the periodic RPM verify in the RHEL5 STIG (GEN006565), but didn't
>>> see the equivalent in the draft RHEL 6.
>>>
>>> -Rob
>>>
>>>> -----Original Message-----
>>>> From: scap-security-guide-boun...@lists.fedorahosted.org
>>>> [mailto:scap-security-guide-boun...@lists.fedorahosted.org]
>>>> On Behalf Of Jeffrey Blank
>>>> Sent: Thursday, October 25, 2012 3:41 PM
>>>> To: scap-security-guide@lists.fedorahosted.org
>>>> Subject: Re: RPM verification/file permission question
>>>>
>>>> This is a possibility, but for now the STIG profile is likely
>>>> to move forward with AIDE for verifying integrity
>>>> periodically. The auditing system will also detect changes
>>>> in ACLs for you.
>>>>
>>>> Interestingly, those using the STIG rules for CM purposes
>>>> will likely run the /entire/ STIG profile periodically,
>>>> including the RPM verify check.
>>>>
>>>> On 10/25/2012 03:36 PM, Robert Sanders wrote:
>>>>> I raised a question on the call earlier noticing the absence of any
>>>>> ACL related checks in the RHEL6 STIG compared to the RHEL5 STIG.
>>>>> Someone (Shawn? - apologies if incorrect) that RPM would ensure
>>>>> correct settings. I was thinking about this afterward and wondered if
>>>>> there should be a line item requiring a periodic 'have rpm verify all
>>>>> installed packages' check. While RPM will make sure that things are
>>>>> setup correctly, I didn't see any checks to see if a change had been
>>>>> made to ACLs after the fact. AIDE might pick up on this also, but
>>>>> I've never used it so I don't know.
>>>>>
>>>>> Sincerely, Rob Sanders
>>>>> ===========================
>>>>> Rob Sanders
>>>>> Sr. Secure Systems Engineer
>>>>> Raytheon Trusted Computer Solutions
>>>>> 12950 Worldgate Drive, Suite 600
>>>>> Herndon, Virginia 20170
>>>>> Security Blanket Support: 1-866-230-1317
>>>>> Security Blanket Email: securityblan...@trustedcs.com
>>>>> Office: 703-896-4762
>>>>> Fax: 703-318-5041
>>>>> Email: rsand...@trustedcs.com
>>>>> _______________________________________________
>>>>> scap-security-guide mailing list
>>>>> scap-security-guide@lists.fedorahosted.org
>>>>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components
NSA Information Assurance
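
The check discussed in this thread (security attributes verified on all packaged files, hashes on non-configuration files only) can be sketched as a filter over `rpm -Va` output. This is an added example, not code from the list or from the scap-security-guide project; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not taken from a real system).
# Field 1 is the verify flag string (S M 5 D L U G T P), an optional
# one-letter marker follows (c = config, d = doc), then the path.
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
..5....T.    /usr/sbin/sshd
.....UG..  c /etc/shadow
.......T.  d /usr/share/doc/foo/README
missing      /usr/lib64/libexample.so
EOF
}

# Read `rpm -Va` output on stdin and print one "KIND path" line per finding:
#   MODE / OWNER / GROUP -> reported for every file, config or not
#   HASH                 -> reported only for files not marked as config
#   MISSING              -> packaged file no longer present
classify_rpm_verify() {
  awk '
  {
    flags = $1
    type = ""
    rest = $0
    sub(/^[^ ]+ +/, "", rest)              # drop the flags field
    if (rest ~ /^[a-z] +\//) {             # optional file-type marker
      type = substr(rest, 1, 1)
      sub(/^[a-z] +/, "", rest)
    }
    path = rest
    if (flags == "missing") { print "MISSING " path; next }
    if (flags ~ /M/) print "MODE " path
    if (flags ~ /U/) print "OWNER " path
    if (flags ~ /G/) print "GROUP " path
    # Config files are expected to be edited, so a digest change there
    # is left to the file integrity baseline (AIDE or equivalent).
    if (flags ~ /5/ && type != "c") print "HASH " path
  }'
}

# Demo on the constructed sample; on a real host: rpm -Va | classify_rpm_verify
sample_rpm_va | classify_rpm_verify
```
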