This patch adds a particular XCCDF entry (to the appropriate places) to start using the existing package_talk-server_removed.xml OVAL check in RHEL-6 & RHEL-7. It also updates the test attestations for both systems & moves the check to shared.

The corresponding OVAL check & XCCDF definition for the 'package talk removed' case will follow in a separate patch.

Rationale: While none of the talk-server / talk packages are installed by default on RHEL-6 / RHEL-7 nowadays, there still might be instances where these get installed later, and during a scan of such a system the administrator should be notified that talk services are considered outdated & insecure.

Testing status: The change has been tested on both (RHEL-6, RHEL-7), returning the expected results. Also checked that the particular entry is created in the *-guide.html version of both (RHEL-6, RHEL-7) benchmarks.

Please review.

Thank you && Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
From 718473e795794d38b782815fc5322efa281500db Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Wed, 25 Jun 2014 12:57:13 +0200 Subject: [PATCH] [RHEL/6, RHEL/7, shared] Start using package_talk-server_removed.xml OVAL check by adding appropriate XCCDF entry Signed-off-by: Jan Lieskovsky <[email protected]> --- .../6/input/checks/package_talk-server_removed.xml | 27 +--------------------- RHEL/6/input/services/obsolete.xml | 27 ++++++++++++++++++++++ .../7/input/checks/package_talk-server_removed.xml | 1 + RHEL/7/input/services/obsolete.xml | 27 ++++++++++++++++++++++ shared/oval/package_talk-server_removed.xml | 26 +++++++++++++++++++++ 5 files changed, 82 insertions(+), 26 deletions(-) mode change 100644 => 120000 RHEL/6/input/checks/package_talk-server_removed.xml create mode 120000 RHEL/7/input/checks/package_talk-server_removed.xml create mode 100644 shared/oval/package_talk-server_removed.xml diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml b/RHEL/6/input/checks/package_talk-server_removed.xml deleted file mode 100644 index aa51025..0000000 --- a/RHEL/6/input/checks/package_talk-server_removed.xml +++ /dev/null 
@@ -1,26 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_talk-server_removed" - version="1"> - <metadata> - <title>Package talk-server Removed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package talk-server should be removed.</description> - <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> - </metadata> - <criteria> - <criterion comment="package talk-server is removed" - test_ref="test_package_talk-server_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_talk-server_removed" version="1" - comment="package talk-server is removed"> - <linux:object object_ref="obj_package_talk-server_removed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> - <linux:name>talk-server</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml b/RHEL/6/input/checks/package_talk-server_removed.xml new file mode 120000 index 0000000..b5f3aeb --- /dev/null +++ b/RHEL/6/input/checks/package_talk-server_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_talk-server_removed.xml \ No newline at end of file diff --git a/RHEL/6/input/services/obsolete.xml b/RHEL/6/input/services/obsolete.xml index c2e5b15..b46a912 100644 --- a/RHEL/6/input/services/obsolete.xml +++ b/RHEL/6/input/services/obsolete.xml 
@@ -396,4 +396,31 @@ server_args = -s /var/lib/tftpboot</pre> </Rule> </Group> + +<Group id="talk"> +<title>talk-server and talk</title> +<description> +The talk software makes it possible for users to send and receive messages +across systems through a terminal session. +</description> + +<Rule id="uninstall_talk-server" severity="medium"> +<title>Uninstall talk-server Package</title> +<description> +<package-remove-macro package="talk-server" /> +</description> +<ocil> +<package-check-macro package="talk-server" /> +</ocil> +<rationale> +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the <tt>talk-server</tt> package decreases the +risk of the accidental (or intentional) activation of talk services. +</rationale> +<ident cce="" /> +<oval id="package_talk-server_removed" /> +<tested by="JL" on="20140625"/> +</Rule> + +</Group> </Group> diff --git a/RHEL/7/input/checks/package_talk-server_removed.xml b/RHEL/7/input/checks/package_talk-server_removed.xml new file mode 120000 index 0000000..b5f3aeb --- /dev/null +++ b/RHEL/7/input/checks/package_talk-server_removed.xml @@ -0,0 +1 @@ +../../../../shared/oval/package_talk-server_removed.xml \ No newline at end of file diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml index 888162d..4fd80a0 100644 --- a/RHEL/7/input/services/obsolete.xml +++ b/RHEL/7/input/services/obsolete.xml 
@@ -350,4 +350,31 @@ server_args = -s /var/lib/tftpboot</pre> </Rule> </Group> + +<Group id="talk"> +<title>talk-server and talk</title> +<description> +The talk software makes it possible for users to send and receive messages +across systems through a terminal session. +</description> + +<Rule id="uninstall_talk-server" severity="medium"> +<title>Uninstall talk-server Package</title> +<description> +<package-remove-macro package="talk-server" /> +</description> +<ocil> +<package-check-macro package="talk-server" /> +</ocil> +<rationale> +The talk software presents a security risk as it uses unencrypted protocols +for communications. Removing the <tt>talk-server</tt> package decreases the +risk of the accidental (or intentional) activation of talk services. +</rationale> +<ident cce="" /> +<oval id="package_talk-server_removed" /> +<tested by="JL" on="20140625"/> +</Rule> + +</Group> </Group> diff --git a/shared/oval/package_talk-server_removed.xml b/shared/oval/package_talk-server_removed.xml new file mode 100644 index 0000000..6db2fb8 --- /dev/null +++ b/shared/oval/package_talk-server_removed.xml 
@@ -0,0 +1,26 @@ +<def-group> + <definition class="compliance" id="package_talk-server_removed" version="2"> + <metadata> + <title>Package talk-server Removed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + <platform>Red Hat Enterprise Linux 7</platform> + </affected> + <description>The RPM package talk-server should be removed.</description> + <reference source="JL" ref_id="RHEL6_20140625" ref_url="test_attestation"/> + <reference source="JL" red_id="RHEL7_20140625" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package talk-server is removed" + test_ref="test_package_talk-server_removed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="none_exist" + id="test_package_talk-server_removed" version="1" + comment="package talk-server is removed"> + <linux:object object_ref="obj_package_talk-server_removed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> + <linux:name>talk-server</linux:name> + </linux:rpminfo_object> +</def-group> -- 1.8.3.1
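Review bot: the RHEL/6 check being deleted carried the marker "<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->", and this patch replaces it with a symlink to a hand-maintained shared/oval copy that has no such marker. If create_package_removed.py still emits talk-server for RHEL/6, its next run will overwrite the symlink with a regenerated RHEL 6-only definition and the RHEL 7 platform line is lost again. Please confirm the generator no longer produces this file (or drop talk-server from its input) and say so in the commit message, since nothing in the diff records why the generated file became hand-edited.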
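Review bot: in the RHEL/6/input/services/obsolete.xml hunk the new uninstall_talk-server rule ships with an empty identifier, "<ident cce="" />". If no CCE has been allocated yet, state that in the commit message or use whatever placeholder the neighbouring rules in obsolete.xml use, so the empty attribute is not mistaken for a finished rule. Separately, the Group title "talk-server and talk" and its description cover both packages while only the talk-server rule is present; that matches the follow-up patch announced in the mail, but the group heading will read as incomplete until the talk rule lands.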
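Review bot: the RHEL/7/input/services/obsolete.xml hunk is a byte-for-byte copy of the RHEL/6 Group, including the same empty "<ident cce="" />". The OVAL was moved to shared/ precisely to stop the two products drifting apart; the XCCDF text now duplicates instead, so when a CCE is assigned or the rationale wording changes, both obsolete.xml files need the same edit. Worth a line in the commit message that the two Groups are intentionally kept identical.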
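Review bot: in shared/oval/package_talk-server_removed.xml the second attestation reference is misspelled. The line "<reference source="JL" red_id="RHEL7_20140625" ref_url="test_attestation"/>" uses red_id instead of ref_id, so the RHEL 7 attestation carries no ref_id at all while the RHEL 6 line directly above it is correct. Change it to "<reference source="JL" ref_id="RHEL7_20140625" ref_url="test_attestation"/>". Also note that the earlier "swells" 20130829 attestation from the deleted RHEL/6 file is dropped rather than carried over; fine if intentional, but the commit message should say the shared copy restarts the attestation history. Bumping the definition to version="2" for the added platform while leaving the unchanged test and object at version="1" is correct.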
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
