>From 19f0301428e4091129b7550b6bc47229096ff958 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Mon, 23 Dec 2013 08:58:44 -0500
Subject: [PATCH 24/25] Adding RHEL7 RHT-CCP profile
- Initial draft of RHEL7 CCP profile
- Only verified uncommented OVAL checks work
Signed-off-by: Shawn Wells <[email protected]>
---
:100644 100644 9ba82d5... 98e8433... M RHEL/7/Makefile
:100644 100644 0df84ce... 9c2ee03... M RHEL/7/input/guide.xslt
:000000 100644 0000000... 3424223... A RHEL/7/input/profiles/rht-ccp.xml
:100644 000000 ef079b4... 0000000... D RHEL/7/input/profiles/stig-rhel6-server-upstream.xml
:000000 100644 0000000... ef079b4... A RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
 RHEL/7/Makefile | 2 +
 RHEL/7/input/guide.xslt | 84 +++++++++++++
 RHEL/7/input/profiles/rht-ccp.xml | 138 +++++++++++++++++++++
 .../input/profiles/stig-rhel6-server-upstream.xml | 7 --
 .../input/profiles/stig-rhel7-server-upstream.xml | 7 ++
 5 files changed, 231 insertions(+), 7 deletions(-)
diff --git a/RHEL/7/Makefile b/RHEL/7/Makefile
index 9ba82d5..98e8433 100644
--- a/RHEL/7/Makefile
+++ b/RHEL/7/Makefile
@@ -18,6 +18,8 @@ shorthand2xccdf: shorthand-guide
 oscap xccdf resolve -o $(OUT)/unlinked-rhel7-xccdf.xml $(OUT)/unlinked-unresolved-rhel7-xccdf.xml
 # xsltproc -stringparam profile "stig-rhel7-server" -o $(OUT)/unlinked-rhel7-xccdf.xml \
 # $(TRANS)/xccdf-addrefs.xslt $(OUT)/unlinked-rhel7-xccdf.xml
+ xsltproc -stringparam profile "rht-ccp" -o $(OUT)/unlinked-rhel7-xccdf.xml \
+ $(TRANS)/xccdf-addrefs.xslt $(OUT)/unlinked-rhel7-xccdf.xml
 # extract manual check instructions from xccdf into an ocil file
 xsltproc -o $(OUT)/unlinked-rhel7-ocil.xml $(TRANS)/xccdf-create-ocil.xslt $(OUT)/unlinked-rhel7-xccdf.xml
 xmllint --format --output $(OUT)/unlinked-rhel7-ocil.xml $(OUT)/unlinked-rhel7-ocil.xml
diff --git a/RHEL/7/input/guide.xslt b/RHEL/7/input/guide.xslt
index 0df84ce..9c2ee03 100644
--- a/RHEL/7/input/guide.xslt
+++ b/RHEL/7/input/guide.xslt
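Review bot: The added xsltproc call hard-codes `-stringparam profile "rht-ccp"` while the STIG invocation directly above it stays commented out, so xccdf-addrefs.xslt runs for exactly one profile per build and switching profiles means editing the recipe again. A make variable, `PROFILE ?= rht-ccp` with `-stringparam profile "$(PROFILE)"`, would keep both profiles buildable and let the dead commented line go. The new command also writes its output over its own input (`-o $(OUT)/unlinked-rhel7-xccdf.xml … $(OUT)/unlinked-rhel7-xccdf.xml`), so a transform that fails part way can leave the only copy of the resolved XCCDF truncated; writing to a temporary file and renaming on success would make that failure recoverable. The shorthand2xccdf recipe continues outside the hunk.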
@@ -9,6 +9,7 @@
 <!-- adding profiles here -->
 <xsl:apply-templates select="document('profiles/test.xml')" />
+ <xsl:apply-templates select="document('profiles/rht-ccp.xml')" />
 <xsl:apply-templates select="document('profiles/common.xml')" />
 <xsl:apply-templates select="document('profiles/stig-rhel7-server-upstream.xml')" />
@@ -28,7 +29,13 @@
 <xsl:template match="Group[@id='system']">
 <xsl:copy>
 <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/software/software.xml')" />
+ <xsl:apply-templates select="document('system/permissions/permissions.xml')" />
 <xsl:apply-templates select="document('system/selinux.xml')" />
+ <xsl:apply-templates select="document('system/accounts/accounts.xml')" />
+ <xsl:apply-templates select="document('system/network/network.xml')" />
+ <xsl:apply-templates select="document('system/logging.xml')" />
+<!-- <xsl:apply-templates select="document('system/auditing.xml')" /> -->
 </xsl:copy>
 </xsl:template>
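Review bot: The last added line of the `Group[@id='system']` hunk comments out the `system/auditing.xml` include with no reason recorded, and the same pattern repeats throughout the `@@ -36,9 +43,85 @@` hunk (the `session.xml`/`physical.xml`/`banners.xml`, `account_expiration.xml` and `mounting.xml`/`files.xml`/`execution.xml` includes, plus the entire network and services templates). The commit message suggests these are disabled because their OVAL checks have not yet been verified on RHEL 7, but a reader of the stylesheet cannot tell a broken include from one that is merely unreviewed. A short marker at each disabled include, e.g. `<!-- TODO(rhel7): auditing.xml disabled until its OVAL checks are verified -->`, would record the reason and give something to search for when re-enabling them.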
@@ -36,9 +43,85 @@
 <xsl:copy>
 <xsl:copy-of select="@*|node()" />
 <xsl:apply-templates select="document('system/software/disk_partitioning.xml')" />
+ <xsl:apply-templates select="document('system/software/updating.xml')" />
+ <xsl:apply-templates select="document('system/software/integrity.xml')" />
 </xsl:copy>
 </xsl:template>
+
+ <xsl:template match="Group[@id='accounts']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/restrictions.xml')" />
+ <xsl:apply-templates select="document('system/accounts/pam.xml')" />
+<!-- <xsl:apply-templates select="document('system/accounts/session.xml')" />
+ <xsl:apply-templates select="document('system/accounts/physical.xml')" />
+ <xsl:apply-templates select="document('system/accounts/banners.xml')" /> -->
+ </xsl:copy>
+ </xsl:template>
+
+
+ <xsl:template match="Group[@id='accounts-restrictions']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/root_logins.xml')" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/password_storage.xml')" />
+ <xsl:apply-templates select="document('system/accounts/restrictions/password_expiration.xml')" />
+ <!-- <xsl:apply-templates select="document('system/accounts/restrictions/account_expiration.xml')" /> -->
+ </xsl:copy>
+ </xsl:template>
+
+ <xsl:template match="Group[@id='permissions']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/permissions/partitions.xml')" />
+ <!-- <xsl:apply-templates select="document('system/permissions/mounting.xml')" />
+ <xsl:apply-templates select="document('system/permissions/files.xml')" />
+ <xsl:apply-templates select="document('system/permissions/execution.xml')" /> -->
+ </xsl:copy>
+ </xsl:template>
+
+<!--
+ <xsl:template match="Group[@id='network']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('system/network/kernel.xml')" />
+ <xsl:apply-templates select="document('system/network/wireless.xml')" />
+ <xsl:apply-templates select="document('system/network/ipv6.xml')" />
+ <xsl:apply-templates select="document('system/network/iptables.xml')" />
+ <xsl:apply-templates select="document('system/network/ssl.xml')" />
+ <xsl:apply-templates select="document('system/network/uncommon.xml')" />
+ <xsl:apply-templates select="document('system/network/ipsec.xml')" />
+ </xsl:copy>
+ </xsl:template>
+-->
+
+<!--
+ <xsl:template match="Group[@id='services']">
+ <xsl:copy>
+ <xsl:copy-of select="@*|node()" />
+ <xsl:apply-templates select="document('services/obsolete.xml')" />
+ <xsl:apply-templates select="document('services/base.xml')" />
+ <xsl:apply-templates select="document('services/cron.xml')" />
+ <xsl:apply-templates select="document('services/ssh.xml')" />
+ <xsl:apply-templates select="document('services/xorg.xml')" />
+ <xsl:apply-templates select="document('services/avahi.xml')" />
+ <xsl:apply-templates select="document('services/printing.xml')" />
+ <xsl:apply-templates select="document('services/dhcp.xml')" />
+ <xsl:apply-templates select="document('services/ntp.xml')" />
+ <xsl:apply-templates select="document('services/mail.xml')" />
+ <xsl:apply-templates select="document('services/ldap.xml')" />
+ <xsl:apply-templates select="document('services/nfs.xml')" />
+ <xsl:apply-templates select="document('services/dns.xml')" />
+ <xsl:apply-templates select="document('services/ftp.xml')" />
+ <xsl:apply-templates select="document('services/http.xml')" />
+ <xsl:apply-templates select="document('services/imap.xml')" />
+ <xsl:apply-templates select="document('services/smb.xml')" />
+ <xsl:apply-templates select="document('services/squid.xml')" />
+ <xsl:apply-templates select="document('services/snmp.xml')" />
+ </xsl:copy>
+ </xsl:template> -->
+
 <!-- copy everything else through to final output -->
 <xsl:template match="@*|node()">
 <xsl:copy>
@@ -46,3 +129,4 @@
 </xsl:copy>
 </xsl:template>
 </xsl:stylesheet>
+
diff --git a/RHEL/7/input/profiles/rht-ccp.xml b/RHEL/7/input/profiles/rht-ccp.xml
new file mode 100644
index 0000000..3424223
--- /dev/null
+++ b/RHEL/7/input/profiles/rht-ccp.xml
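Review bot: `system/network/network.xml` is still pulled into the system group by the preceding hunk (`@@ -28,7 +29,13 @@`), but the `Group[@id='network']` template that would populate that group is commented out here, so the rendered guide presumably ends up with an empty network group (I cannot see network.xml, so it may carry rules of its own). Either drop the network.xml include until the template is re-enabled, or re-enable the template with only the network files whose checks are verified, so the guide does not advertise a section with no content. The same question applies to the `system/logging.xml` include, which has no matching group template in this hunk at all; if logging.xml holds its rules inline that is fine, but a one-line comment saying so would save the next reader the check.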
@@ -0,0 +1,138 @@
+<Profile id="rht-ccp" xmlns="http://checklists.nist.gov/xccdf/1.1">
+<title>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</title>
+<description>This is a *draft* SCAP profile for Red Hat Certified Cloud Providers</description>
+<!-- CONFIGURATION OPTIONS -->
+<refine-value idref="var_selinux_state" selector="enforcing"/>
+<refine-value idref="var_selinux_policy_name" selector="targeted"/>
+<refine-value idref="file_owner_logfiles_value" selector="root"/>
+<refine-value idref="file_groupowner_logfiles_value" selector="root"/>
+<refine-value idref="sshd_idle_timeout_value" selector="5_minutes"/>
+<refine-value idref="var_accounts_password_minlen_login_defs" selector="6"/>
+<refine-value idref="var_password_max_age" selector="90"/>
+<refine-value idref="var_accounts_minimum_age_login_defs" selector="7"/>
+<refine-value idref="var_accounts_password_warn_age_login_defs" selector="7"/>
+<refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
+<refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
+<refine-value idref="var_password_pam_cracklib_ucredit" selector="2"/>
+<refine-value idref="var_password_pam_cracklib_ocredit" selector="2"/>
+<refine-value idref="var_password_pam_cracklib_lcredit" selector="2"/>
+<refine-value idref="var_password_pam_cracklib_difok" selector="3"/>
+<refine-value idref="var_password_history_retain_limit" selector="5"/>
+<refine-value idref="var_accounts_user_umask" selector="077"/>
+<refine-value idref="login_banner_text" selector="usgcb_default"/>
+
+<!-- FILESYSTEM CHECKS -->
+<select idref="partition_for_tmp" selected="true"/>
+<select idref="partition_for_var" selected="true"/>
+<select idref="partition_for_var_log" selected="true"/>
+<select idref="partition_for_var_log_audit" selected="true"/>
+
+<!-- SELINUX CHECKS -->
+<!-- rhel7 broke: <select idref="enable_selinux_bootloader" selected="true"/> -->
+<select idref="selinux_state" selected="true"/>
+<select idref="selinux_policytype" selected="true"/>
+<!-- rhel7 broke: <select idref="selinux_all_devicefiles_labeled" selected="true"/> -->
+
+
+<!-- UPDATING CHECKS -->
+<select idref="ensure_redhat_gpgkey_installed" selected="true"/>
+<select idref="security_patches_up_to_date" selected="true"/>
+<select idref="ensure_gpgcheck_globally_activated" selected="true"/>
+<select idref="ensure_gpgcheck_never_disabled" selected="true"/>
+
+
+<select idref="package_aide_installed" selected="true"/>
+
+<!-- ACCOUNT MANAGEMENT CHECKS -->
+<select idref="accounts_password_reuse_limit" selected="true"/>
+<select idref="no_shelllogin_for_systemaccounts" selected="true"/>
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="no_hashes_outside_shadow" selected="true"/>
+<select idref="accounts_no_uid_except_zero" selected="true"/>
+<select idref="accounts_password_minlen_login_defs" selected="true"/>
+<select idref="accounts_minimum_age_login_defs" selected="true"/>
+<select idref="accounts_password_warn_age_login_defs" selected="true"/>
+<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
+<!--
+
+<select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
+<select idref="password_require_uppercases" selected="true"/>
+<select idref="password_require_specials" selected="true"/>
+<select idref="password_require_lowercases" selected="true"/>
+<select idref="password_require_diffchars" selected="true"/>
+<select idref="deny_password_attempts" selected="true"/>
+<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
+<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
+<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
+<select idref="require_singleuser_auth" selected="true"/>
+
+FILE PERMISSION CHECKS
+<select idref="userowner_shadow_file" selected="true"/>
+<select idref="groupowner_shadow_file" selected="true"/>
+<select idref="file_permissions_etc_shadow" selected="true"/>
+<select idref="userowner_gshadow_file" selected="true"/>
+<select idref="groupowner_gshadow_file" selected="true"/>
+<select idref="perms_gshadow_file" selected="true"/>
+<select idref="userowner_passwd_file" selected="true"/>
+<select idref="groupowner_passwd_file" selected="true"/>
+<select idref="file_permissions_etc_passwd" selected="true"/>
+<select idref="userowner_group_file" selected="true"/>
+<select idref="groupowner_group_file" selected="true"/>
+<select idref="perms_group_file" selected="true"/>
+<select idref="file_permissions_library_dirs" selected="true"/>
+<select idref="file_ownership_library_dirs" selected="true"/>
+<select idref="file_permissions_binary_dirs" selected="true"/>
+<select idref="file_ownership_binary_dirs" selected="true"/>
+<select idref="audit_logs_permissions" selected="true"/>
+<select idref="user_owner_grub_conf" selected="true"/>
+<select idref="group_owner_grub_conf" selected="true"/>
+<select idref="permissions_grub_conf" selected="true"/>
+<select idref="bootloader_password" selected="true"/>
+
+KERNEL SETTINGS
+<select idref="enable_randomize_va_space" selected="true"/>
+<select idref="enable_execshield" selected="true"/>
+<select idref="kernel_module_ipv6_option_disabled" selected="true"/>
+<select idref="service_ip6tables_enabled" selected="true"/>
+<select idref="service_iptables_enabled" selected="true"/>
+<select idref="set_iptables_default_rule" selected="true"/>
+<select idref="kernel_module_dccp_disabled" selected="true"/>
+<select idref="kernel_module_sctp_disabled" selected="true"/>
+<select idref="kernel_module_rds_disabled" selected="true"/>
+<select idref="kernel_module_tipc_disabled" selected="true"/>
+
+ANTIQUATED SERVICES
+<select idref="disable_xinetd" selected="true"/>
+<select idref="uninstall_xinetd" selected="true"/>
+<select idref="uninstall_telnet_server" selected="true"/>
+<select idref="disable_telnet_service" selected="true"/>
+<select idref="uninstall_rsh-server" selected="true"/>
+<select idref="disable_rsh" selected="true"/>
+<select idref="disable_rexec" selected="true"/>
+<select idref="disable_rlogin" selected="true"/>
+<select idref="uninstall_ypserv" selected="true"/>
+<select idref="disable_ypbind" selected="true"/>
+<select idref="uninstall_tftp-server" selected="true"/>
+<select idref="disable_tftp" selected="true"/>
+<select idref="disable_avahi" selected="true"/>
+<select idref="service_abrtd_disabled" selected="true"/>
+<select idref="service_atd_disabled" selected="true"/>
+<select idref="service_autofs_disabled" selected="true"/>
+<select idref="service_ntpdate_disabled" selected="true"/>
+<select idref="service_oddjobd_disabled" selected="true"/>
+<select idref="service_qpidd_disabled" selected="true"/>
+<select idref="service_rdisc_disabled" selected="true"/>
+
+SSH / REMOTE ACCESS CHECKS
+<select idref="sshd_allow_only_protocol2" selected="true"/>
+<select idref="sshd_set_idle_timeout" selected="true"/>
+<select idref="sshd_set_keepalive" selected="true"/>
+<select idref="sshd_disable_rhosts" selected="true"/>
+<select idref="disable_host_auth" selected="true"/>
+<select idref="sshd_disable_root_login" selected="true"/>
+<select idref="sshd_disable_empty_passwords" selected="true"/>
+<select idref="sshd_enable_warning_banner" selected="true"/>
+<select idref="sshd_do_not_permit_user_env" selected="true"/>
+<select idref="sshd_use_approved_ciphers" selected="true"/>
+-->
+</Profile>
diff --git a/RHEL/7/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel6-server-upstream.xml
deleted file mode 100644
index ef079b4..0000000
--- a/RHEL/7/input/profiles/stig-rhel6-server-upstream.xml
+++ /dev/null
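Review bot: Inside the large `<!-- … -->` that opens right after the `accounts_password_pam_cracklib_retry` select, the section headings `FILE PERMISSION CHECKS`, `KERNEL SETTINGS`, `ANTIQUATED SERVICES` and `SSH / REMOTE ACCESS CHECKS` are bare text, so the moment that block is uncommented they become character data directly inside `<Profile>` and the file stops validating against the XCCDF schema. Closing the comment before each heading, writing it as `<!-- FILE PERMISSION CHECKS -->`, and re-opening a comment after it keeps every section independently toggleable and removes that trap. Separately, this `Profile` declares `xmlns="http://checklists.nist.gov/xccdf/1.1"` while the sibling stig-rhel7-server-upstream.xml profile declares no namespace and uses `extends="common"`; the two elements will not share a namespace in the resolved output, so confirm which form the guide.xslt copy-through and `oscap xccdf resolve` expect. Several refine-values (`sshd_idle_timeout_value`, `var_accounts_user_umask`, `login_banner_text`, the cracklib credit values) tune rules that are currently commented out, and `var_accounts_password_minlen_login_defs` at selector `6` sits well below common hardening baselines — a short comment on whether that is the intended CCP value, or a draft placeholder, would help reviewers of this profile.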
@@ -1,7 +0,0 @@
-<Profile id="stig-rhel7-server-upstream" extends="common">
-<title>Pre-release Draft STIG for RHEL 7 Server</title>
-<description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
-
-<select idref="encrypt_partitions" selected="true"/>
-
-</Profile>
diff --git a/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
new file mode 100644
index 0000000..ef079b4
--- /dev/null
+++ b/RHEL/7/input/profiles/stig-rhel7-server-upstream.xml
@@ -0,0 +1,7 @@
+<Profile id="stig-rhel7-server-upstream" extends="common">
+<title>Pre-release Draft STIG for RHEL 7 Server</title>
+<description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
+
+<select idref="encrypt_partitions" selected="true"/>
+
+</Profile>
-- 
1.8.3.1
