From 627b3cb2fb2aabaf9f260143ee7a2e723290aa0d Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Tue, 17 Sep 2013 16:33:08 +0200
Subject: [PATCH 5/8] Add 'Installing and Maintaining Software', and 'Updating Software' XML files.
Signed-off-by: Jan Lieskovsky <[email protected]> --- FEDORA/input/system/software/software.xml | 8 ++++ FEDORA/input/system/software/updating.xml | 68 +++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 FEDORA/input/system/software/software.xml create mode 100644 FEDORA/input/system/software/updating.xml diff --git a/FEDORA/input/system/software/software.xml b/FEDORA/input/system/software/software.xml new file mode 100644 index 0000000..97558fb --- /dev/null +++ b/FEDORA/input/system/software/software.xml @@ -0,0 +1,8 @@ +<Group id="software"> +<title>Installing and Maintaining Software</title> +<description>The following sections contain information on +security-relevant choices during the initial operating system +installation process and the setup of software +updates.</description> + +</Group> diff --git a/FEDORA/input/system/software/updating.xml b/FEDORA/input/system/software/updating.xml new file mode 100644 index 0000000..248c0d5 --- /dev/null +++ b/FEDORA/input/system/software/updating.xml 
@@ -0,0 +1,68 @@ +<Group id="updating"> +<title>Updating Software</title> +<description>The <tt>yum</tt> command line tool is used to install and +update software packages. The system also provides a graphical +software update tool in the <b>System</b> menu, in the <b>Administration</b> submenu, +called <b>Software Update</b>. +<br /><br /> +Fedora systems contain an installed software catalog called +the RPM database, which records metadata of installed packages. Tools such as +<tt>yum</tt> or the graphical <b>Software Update</b> ensure usage of RPM +packages for software installation. This allows for insight into the current +inventory of installed software on the system, and is highly recommended. +</description> + +<!-- REMINDER: Before telling people to update their systems + via the security_patches_up_to_date rule, we must + ensure they have configured an update source! --> +<Rule id="ensure_gpgcheck_globally_activated" severity="high"> +<title>Ensure gpgcheck Enabled In Main Yum Configuration</title> +<description>The <tt>gpgcheck</tt> option should be used to ensure +checking of an RPM package's signature always occurs prior to its +installation. To configure yum to check package signatures before installing +them, ensure the following line appears in <tt>/etc/yum.conf</tt> in +the <tt>[main]</tt> section: +<pre>gpgcheck=1</pre> +</description> +<ocil clause="GPG checking is not enabled"> +To determine whether <tt>yum</tt> is configured to use <tt>gpgcheck</tt>, +inspect <tt>/etc/yum.conf</tt> and ensure the following appears in the +<tt>[main]</tt> section: +<pre>gpgcheck=1</pre> +A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence of a +<tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is +disabled. +</ocil> +<rationale> +Ensuring the validity of packages' cryptographic signatures prior to +installation ensures the provenance of the software and +protects against malicious tampering. 
+</rationale> +<oval id="yum_gpgcheck_global_activation" /> +<ref nist="SI-7,MA-1(b)" disa="352,663" /> +</Rule> + +<Rule id="ensure_gpgcheck_never_disabled" severity="high"> +<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title> +<description>To ensure signature checking is not disabled for +any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form: +<pre>gpgcheck=0</pre> +</description> +<ocil clause="GPG checking is disabled"> +To determine whether <tt>yum</tt> has been configured to disable +<tt>gpgcheck</tt> for any repos, inspect all files in +<tt>/etc/yum.repos.d</tt> and ensure the following does not appear in any +sections: +<pre>gpgcheck=0</pre> +A value of <tt>0</tt> indicates that <tt>gpgcheck</tt> has been disabled for that repo. +</ocil> +<rationale> +Ensuring all packages' cryptographic signatures are valid prior to +installation ensures the provenance of the software and +protects against malicious tampering. +</rationale> +<oval id="ensure_gpgcheck_never_disabled" /> +<ref nist="SI-7,MA-1(b)" disa="352,663"/> +</Rule> + +</Group> -- 1.7.11.7
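Review bot: in the software.xml hunk the Group description promises "security-relevant choices during the initial operating system installation process and the setup of software updates", but this patch adds only updating.xml under FEDORA/input/system/software, so the group as committed covers nothing about installation. Either narrow the description to software updates for now, or make sure the installation section lands in a sibling patch of this series so the text does not point at content that is not there.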
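Review bot: in the updating.xml hunk the OVAL reference of the first rule does not match its Rule id: `<Rule id="ensure_gpgcheck_globally_activated" severity="high">` is paired with `<oval id="yum_gpgcheck_global_activation" />`, whereas the second rule uses the same name for both (`ensure_gpgcheck_never_disabled`). Unless an OVAL definition named yum_gpgcheck_global_activation already exists in the Fedora tree, the first rule will ship without an automated check; renaming the oval id to match the Rule id, as the second rule does, avoids that. Two smaller points: both OCIL blocks tell the assessor to look for the literal strings `gpgcheck=1` / `gpgcheck=0`, but yum's INI-style configuration also accepts whitespace around the equals sign (`gpgcheck = 0`), so the manual check should say "a gpgcheck key set to 0, in any section, regardless of spacing" and the OVAL pattern should tolerate the same; and the `REMINDER` comment about the security_patches_up_to_date rule refers to a rule this file does not contain, so either add that rule here or move the comment to the file where it lives.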
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
