Based on:
https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-December/004616.html
update XCCDF rule names for Fedora (make the rules have desired target state in
their names).
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From abc901fad9c3542e02adf18e276a022d3fa79e4e Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <[email protected]>
Date: Mon, 9 Dec 2013 15:10:02 +0100
Subject: [PATCH] [Fedora] Rename XCCDF rules
Signed-off-by: Jan Lieskovsky <[email protected]>
---
Fedora/input/services/ntp.xml | 4 ++--
Fedora/input/services/ssh.xml | 8 ++++----
.../system/accounts/restrictions/password_expiration.xml | 8 ++++----
.../input/system/accounts/restrictions/password_storage.xml | 11 +++++------
Fedora/input/system/accounts/restrictions/root_logins.xml | 12 ++++++------
Fedora/input/system/permissions/files.xml | 10 +++++-----
Fedora/input/system/settings/disable_prelink.xml | 2 +-
Fedora/input/system/software/updating.xml | 4 ++--
Fedora/scap-security-guide.spec | 5 ++++-
9 files changed, 33 insertions(+), 31 deletions(-)
diff --git a/Fedora/input/services/ntp.xml b/Fedora/input/services/ntp.xml
index cf5fe50..61fc8c8 100644
--- a/Fedora/input/services/ntp.xml
+++ b/Fedora/input/services/ntp.xml
@@ -29,7 +29,7 @@ http://www.ntp.org.
</description>
<Rule id="service_ntpd_enabled" severity="medium">
-<title>Enable the NTP Daemon</title>
+<title>NTP Daemon Enabled</title>
<description> <service-enable-macro service="ntpd" /> </description>
<rationale>Enabling the <tt>ntpd</tt> service ensures that the <tt>ntpd</tt>
service will be running and that the system will synchronize its time to any
@@ -47,7 +47,7 @@ http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</rationale>
</Rule>
<Rule id="ntpd_specify_remote_server" severity="medium">
-<title>Specify a Remote NTP Server</title>
+<title>Remote NTP Server Specified</title>
<description>To specify a remote NTP server for time synchronization, edit
the file <tt>/etc/ntp.conf</tt>. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for <em>ntpserver</em>:
diff --git a/Fedora/input/services/ssh.xml b/Fedora/input/services/ssh.xml
index dee9899..d0ed58f 100644
--- a/Fedora/input/services/ssh.xml
+++ b/Fedora/input/services/ssh.xml
@@ -26,7 +26,7 @@ to this file. See the <tt>sshd_config(5)</tt> man page for more detailed
information.</description>
<Rule id="sshd_disable_root_login" severity="medium">
-<title>Disable SSH Root Login</title>
+<title>SSH Root Login Disabled</title>
<description>The root user should never be allowed to login to a system
directly over a network. To disable root login via SSH, add or correct the
following line in <tt>/etc/ssh/sshd_config</tt>:
@@ -42,7 +42,7 @@ root's password.
</Rule>
<Rule id="sshd_disable_empty_passwords" severity="high">
-<title>Disable SSH Access via Empty Passwords</title>
+<title>SSH Access via Empty Passwords Disabled</title>
<description>To explicitly disallow remote login from accounts with empty
passwords, add or correct the following line in <tt>/etc/ssh/sshd_config</tt>:
<pre>PermitEmptyPasswords no</pre>
@@ -60,7 +60,7 @@ misconfiguration elsewhere.
</Rule>
<Rule id="sshd_set_idle_timeout">
-<title>Set SSH Idle Timeout Interval</title>
+<title>SSH Idle Timeout Interval Used</title>
<description>SSH allows administrators to set an idle timeout interval.
After this interval has passed, the idle user will be automatically logged out.
<br /><br />
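Review bot: "Used" in the new title "SSH Idle Timeout Interval Used" does not name a state the way "Enabled"/"Disabled" do in the other retitled rules in this patch; since the description says the interval is set by the administrator, "SSH Idle Timeout Interval Configured" would state the target condition more clearly.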
@@ -83,7 +83,7 @@ one system leading trivially to compromises on another.
</Rule>
<Rule id="sshd_set_keepalive">
-<title>Set SSH Client Alive Count</title>
+<title>SSH Client Alive Count Used</title>
<description>To ensure the SSH idle timeout occurs precisely when the
<tt>ClientAliveCountMax</tt> is set, edit <tt>/etc/ssh/sshd_config</tt> as
follows:
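Review bot: "SSH Client Alive Count Used" reads oddly for a rule whose description sets ClientAliveCountMax; "SSH Client Alive Count Max Configured" would name the option the rule actually checks and state it as a target condition rather than as "Used".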
diff --git a/Fedora/input/system/accounts/restrictions/password_expiration.xml b/Fedora/input/system/accounts/restrictions/password_expiration.xml
index 2abd5ab..fd4646e 100644
--- a/Fedora/input/system/accounts/restrictions/password_expiration.xml
+++ b/Fedora/input/system/accounts/restrictions/password_expiration.xml
@@ -75,7 +75,7 @@ age, and 7 day warning period with the following command:
</Value>
<Rule id="accounts_password_minlen_login_defs" severity="medium">
-<title>Set Password Minimum Length in login.defs</title>
+<title>Password Minimum Length</title>
<description>To specify password length requirements for new accounts,
edit the file <tt>/etc/login.defs</tt> and add or correct the following
lines:
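Review bot: The new title "Password Minimum Length" no longer states a target condition (compare "NTP Daemon Enabled" earlier in this patch) and drops the "in login.defs" qualifier that both the rule id accounts_password_minlen_login_defs and the description keep; suggest "Password Minimum Length Set in login.defs" so the title still says what is verified and where.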
@@ -107,7 +107,7 @@ counterproductive behavior that may result.
</Rule>
<Rule id="accounts_minimum_age_login_defs" severity="medium">
-<title>Set Password Minimum Age</title>
+<title>Password Minimum Age</title>
<description>To specify password minimum age for new accounts,
edit the file <tt>/etc/login.defs</tt> and add or correct the
following line, replacing the <i>DAYS</i> item as appropriate:
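Review bot: "Password Minimum Age" is a bare noun phrase rather than a target state; to keep the pattern of the other renamed rules and match the rule id accounts_minimum_age_login_defs, consider "Password Minimum Age Set in login.defs".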
@@ -129,7 +129,7 @@ requirement.
</Rule>
<Rule id="accounts_maximum_age_login_defs" severity="medium">
-<title>Set Password Maximum Age</title>
+<title>Password Maximum Age</title>
<description>To specify password maximum age for new accounts,
edit the file <tt>/etc/login.defs</tt> and add or correct the
following line, replacing the <i>DAYS</i> item appropriately:
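Review bot: "Password Maximum Age" states no target condition; "Password Maximum Age Set in login.defs" keeps the form of the other retitled rules and the location the description points the reader to.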
@@ -152,7 +152,7 @@ location subject to physical compromise.</rationale>
</Rule>
<Rule id="accounts_password_warn_age_login_defs">
-<title>Set Password Warning Age</title>
+<title>Password Warning Age</title>
<description>To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file <tt>/etc/login.defs</tt> and add or correct
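Review bot: "Password Warning Age" states no target condition; "Password Warning Age Set in login.defs" keeps the pattern of the sibling rules in this file. Separately, this Rule element still carries no severity attribute while the three rules above it are "medium"; worth confirming that is intentional.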
diff --git a/Fedora/input/system/accounts/restrictions/password_storage.xml b/Fedora/input/system/accounts/restrictions/password_storage.xml
index d2337a9..2c7c957 100644
--- a/Fedora/input/system/accounts/restrictions/password_storage.xml
+++ b/Fedora/input/system/accounts/restrictions/password_storage.xml
@@ -1,6 +1,5 @@
<Group id="password_storage">
-<title>Verify Proper Storage and Existence of Password
-Hashes</title>
+<title>Proper Storage and Existence of Password Hashes</title>
<description>
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
@@ -17,7 +16,7 @@ should allow administrators to avoid such misconfiguration.
</description>
<Rule id="no_empty_passwords" severity="high">
-<title>Prevent Log In to Accounts With Empty Password</title>
+<title>Log In to Accounts With Empty Password Impossible</title>
<description>If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <tt>nullok</tt>
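Review bot: "Log In to Accounts With Empty Password Impossible" is hard to read; the ssh.xml rule in this same patch uses "SSH Access via Empty Passwords Disabled", so "Log In to Accounts With Empty Password Disabled" (or "Accounts With Empty Password Cannot Log In") keeps the two titles consistent.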
@@ -41,7 +40,7 @@ environments.
</Rule>
<Rule id="no_hashes_outside_shadow" severity="medium">
-<title>Verify All Account Password Hashes are Shadowed</title>
+<title>Password Hashes For Each Account Shadowed</title>
<description>
If any password hashes are stored in <tt>/etc/passwd</tt> (in the second field,
instead of an <tt>x</tt>), the cause of this misconfiguration should be
@@ -65,7 +64,7 @@ which is readable by all users.
</Rule>
<Rule id="gid_passwd_group_same">
-<title>All GIDs referenced in /etc/passwd must be defined in /etc/group</title>
+<title>All GIDs referenced in /etc/passwd Defined in /etc/group</title>
<description>
Add a group to the system for each GID referenced without a corresponding group.
</description>
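Review bot: Title casing is inconsistent in "All GIDs referenced in /etc/passwd Defined in /etc/group": "referenced" is lower-case while "Defined" is capitalised. Use "All GIDs Referenced in /etc/passwd Defined in /etc/group" to match the Title Case of the other rule titles.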
@@ -82,7 +81,7 @@ Inconsistency in GIDs between <tt>/etc/passwd</tt> and <tt>/etc/group</tt> could
</Rule>
<Rule id="no_netrc_files" severity="medium">
-<title>Verify No netrc Files Exist</title>
+<title>netrc Files Do Not Exist</title>
<description>The <tt>.netrc</tt> files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
diff --git a/Fedora/input/system/accounts/restrictions/root_logins.xml b/Fedora/input/system/accounts/restrictions/root_logins.xml
index 2cbacd9..c04dc22 100644
--- a/Fedora/input/system/accounts/restrictions/root_logins.xml
+++ b/Fedora/input/system/accounts/restrictions/root_logins.xml
@@ -57,7 +57,7 @@ by security standards.
</Rule>
<Rule id="securetty_root_login_console_only" severity="medium">
-<title>Restrict Virtual Console Root Logins</title>
+<title>Virtual Console Root Logins Restricted</title>
<description>
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
@@ -82,7 +82,7 @@ using the root account.
</Rule>
<Rule id="restrict_serial_port_logins">
-<title>Restrict Serial Port Root Logins</title>
+<title>Serial Port Root Logins Restricted</title>
<description>To restrict root logins on serial ports,
ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
<pre>ttyS0
@@ -105,7 +105,7 @@ using the root account.
</Rule>
<Rule id="no_root_webbrowsing">
-<title>Restrict Web Browser Use for Administrative Accounts</title>
+<title>Web Browser Use for Administrative Accounts Restricted</title>
<description>
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
@@ -122,7 +122,7 @@ administration should be documented in site-defined policy.
</Rule>
<Rule id="no_shelllogin_for_systemaccounts" severity="medium">
-<title>Ensure that System Accounts Do Not Run a Shell Upon Login</title>
+<title>System Accounts Do Not Run a Shell Upon Login</title>
<description>
Some accounts are not associated with a human
user of the system, and exist to perform some administrative
@@ -159,7 +159,7 @@ become inaccessible.
</Rule>
<Rule id="no_uidzero_except_root" severity="medium">
-<title>Verify Only Root Has UID 0</title>
+<title>Only Root Has UID 0</title>
<description>
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
@@ -182,7 +182,7 @@ access to root privileges in an accountable manner.
</Rule>
<Rule id="root_path_default">
-<title>Root Path Must Be Vendor Default</title>
+<title>Root Path Is Vendor Default</title>
<description>
Assuming root shell is bash, edit the following files:
<pre>~/.profile</pre>
diff --git a/Fedora/input/system/permissions/files.xml b/Fedora/input/system/permissions/files.xml
index 5d0e507..b365f1c 100644
--- a/Fedora/input/system/permissions/files.xml
+++ b/Fedora/input/system/permissions/files.xml
@@ -4,11 +4,11 @@
is notably important and may also be susceptible to misconfiguration over time,
particularly if unpackaged software is installed. As such, an argument exists
to verify that files' permissions within these directories remain configured
-correctly and restrictively.
+correctly and restrictively.
</description>
<Rule id="file_permissions_library_dirs" severity="medium">
-<title>Verify that Shared Library Files Have Restrictive Permissions</title>
+<title>Shared Library Files Have Restrictive Permissions</title>
<description>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
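Review bot: The first change in this hunk ("-correctly and restrictively." replaced by an identical-looking "+correctly and restrictively.") is invisible in the diff and is presumably a trailing-whitespace fix; either drop it to keep the patch limited to the rename, or mention the whitespace cleanup in the commit message so a reviewer is not left guessing what changed.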
@@ -34,7 +34,7 @@ system.
</Rule>
<Rule id="file_ownership_library_dirs" severity="medium">
-<title>Verify that Shared Library Files Have Root Ownership</title>
+<title>Shared Library Files Have Root Ownership</title>
<description>System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
@@ -59,7 +59,7 @@ runtime. Proper ownership is necessary to protect the integrity of the system.
</Rule>
<Rule id="file_permissions_binary_dirs" severity="medium">
-<title>Verify that System Executables Have Restrictive Permissions</title>
+<title>System Executables Have Restrictive Permissions</title>
<description>
System executables are stored in the following directories by default:
<pre>/bin
@@ -82,7 +82,7 @@ these programs cannot be co-opted.
</Rule>
<Rule id="file_ownership_binary_dirs" severity="medium">
-<title>Verify that System Executables Have Root Ownership</title>
+<title>System Executables Have Root Ownership</title>
<description>
System executables are stored in the following directories by default:
<pre>/bin
diff --git a/Fedora/input/system/settings/disable_prelink.xml b/Fedora/input/system/settings/disable_prelink.xml
index ed9b492..a5871a6 100644
--- a/Fedora/input/system/settings/disable_prelink.xml
+++ b/Fedora/input/system/settings/disable_prelink.xml
@@ -1,5 +1,5 @@
<Rule id="disable_prelink">
-<title>Disable Prelinking</title>
+<title>Prelinking Disabled</title>
<description>
The prelinking feature changes binaries in an attempt to decrease their startup
time. In order to disable it, change or add the following line inside the file
diff --git a/Fedora/input/system/software/updating.xml b/Fedora/input/system/software/updating.xml
index 248c0d5..84de806 100644
--- a/Fedora/input/system/software/updating.xml
+++ b/Fedora/input/system/software/updating.xml
@@ -16,7 +16,7 @@ inventory of installed software on the system, and is highly recommended.
via the security_patches_up_to_date rule, we must
ensure they have configured an update source! -->
<Rule id="ensure_gpgcheck_globally_activated" severity="high">
-<title>Ensure gpgcheck Enabled In Main Yum Configuration</title>
+<title>gpgcheck Enabled In Main Yum Configuration</title>
<description>The <tt>gpgcheck</tt> option should be used to ensure
checking of an RPM package's signature always occurs prior to its
installation. To configure yum to check package signatures before installing
@@ -43,7 +43,7 @@ protects against malicious tampering.
</Rule>
<Rule id="ensure_gpgcheck_never_disabled" severity="high">
-<title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
+<title>gpgcheck Enabled For All Yum Package Repositories</title>
<description>To ensure signature checking is not disabled for
any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:
<pre>gpgcheck=0</pre>
diff --git a/Fedora/scap-security-guide.spec b/Fedora/scap-security-guide.spec
index fc5cac3..c252535 100644
--- a/Fedora/scap-security-guide.spec
+++ b/Fedora/scap-security-guide.spec
@@ -5,7 +5,7 @@
# file one level up - in the main scap-security-guide directory (instead of
# this one).
-%global fedorassgversion 4.rc11
+%global fedorassgversion 4.rc12
Name: scap-security-guide
Version: 0.1.%{fedorassgversion}
@@ -54,6 +54,9 @@ cp -a Fedora/input/auxiliary/scap-security-guide.8 %{buildroot}%{_mandir}/en/man
%doc Fedora/LICENSE Fedora/output/ssg-fedora-guide.html
%changelog
+* Mon Dec 09 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc12-1
+- Rename XCCDF rules
+
* Fri Dec 06 2013 Jan iankko Lieskovsky <[email protected]> 0.1.4.rc11-1
- Shared OVAL check for Verify that Shared Library Files Have Root Ownership
- Shared OVAL check for Verify that System Executables Have Restrictive Permissions
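Review bot: The changelog entry "- Rename XCCDF rules" understates what changed: only <title> text is touched and every Rule id is unchanged, so existing profiles and OVAL references keep working. Say so explicitly, e.g. "- Reword XCCDF rule titles to state the desired target state (rule ids unchanged)", since the older entries just below cite rules by their former titles and a reader will want to know the ids did not move.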
--
1.8.3.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide