----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Thursday, June 26, 2014 8:35:06 PM
> Subject: Re: [RHEL/6, RHEL/7, shared] Start using
> package_talk-server_removed.xml OVAL check by adding appropriate
> XCCDF entry
>
>
> On 6/25/14, 7:09 AM, Jan Lieskovsky wrote:
>
>
> This patch adds particular XCCDF entry (to appropriate places) to
> start using existing package_talk-server_removed.xml OVAL check
> in RHEL-6 & RHEL-7. Update also test attestations for both systems &
> moved the check to shared.
>
> The corresponding OVAL check & XCCDF definition for 'package talk
> removed' case will follow in separate patch.
>
> Rationale: While none of talk-server / talk packages are installed
> nowadays by default on RHEL-6 / RHEL-7, there still might be instances,
> where these will get installed later, and during the scan of such a
> system the administrator should be notified talk services are considered
> outdated & insecure.
>
> Testing status:
> Change has been tested on both (RHEL-6, RHEL-7) returning expected results.
> Also checked particular entry is created in *-guide.html version of both
> (RHEL-6, RHEL-7) benchmarks.
>
> Please review.
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>
> 0001-RHEL-6-RHEL-7-shared-Start-using-package_talk-server.patch
> From 718473e795794d38b782815fc5322efa281500db Mon Sep 17 00:00:00 2001
> From: Jan Lieskovsky <[email protected]>
> Date: Wed, 25 Jun 2014 12:57:13 +0200
> Subject: [PATCH] [RHEL/6, RHEL/7, shared] Start using
> package_talk-server_removed.xml OVAL check by adding appropriate XCCDF entry
> > Signed-off-by: Jan Lieskovsky <[email protected]> --- > .../6/input/checks/package_talk-server_removed.xml | 27 > +--------------------- > RHEL/6/input/services/obsolete.xml | 27 > ++++++++++++++++++++++ > .../7/input/checks/package_talk-server_removed.xml | 1 + > RHEL/7/input/services/obsolete.xml | 27 > ++++++++++++++++++++++ > shared/oval/package_talk-server_removed.xml | 26 > +++++++++++++++++++++ > 5 files changed, 82 insertions(+), 26 deletions(-) > mode change 100644 => 120000 > RHEL/6/input/checks/package_talk-server_removed.xml > create mode 120000 RHEL/7/input/checks/package_talk-server_removed.xml > create mode 100644 shared/oval/package_talk-server_removed.xml > > diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml > b/RHEL/6/input/checks/package_talk-server_removed.xml > deleted file mode 100644 > index aa51025..0000000 > --- a/RHEL/6/input/checks/package_talk-server_removed.xml > +++ /dev/null 
> @@ -1,26 +0,0 @@ > -<def-group> > - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. > --> > - <definition class="compliance" id="package_talk-server_removed" > - version="1"> > - <metadata> > - <title>Package talk-server Removed</title> > - <affected family="unix"> > - <platform>Red Hat Enterprise Linux 6</platform> > - </affected> > - <description>The RPM package talk-server should be > removed.</description> > - <reference source="swells" ref_id="20130829" > ref_url="test_attestation"/> > - </metadata> > - <criteria> > - <criterion comment="package talk-server is removed" > - test_ref="test_package_talk-server_removed" /> > - </criteria> > - </definition> > - <linux:rpminfo_test check="all" check_existence="none_exist" > - id="test_package_talk-server_removed" version="1" > - comment="package talk-server is removed"> > - <linux:object object_ref="obj_package_talk-server_removed" /> > - </linux:rpminfo_test> > - <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> > - <linux:name>talk-server</linux:name> > - </linux:rpminfo_object> > -</def-group> > diff --git a/RHEL/6/input/checks/package_talk-server_removed.xml > b/RHEL/6/input/checks/package_talk-server_removed.xml > new file mode 120000 > index 0000000..b5f3aeb > --- /dev/null > +++ b/RHEL/6/input/checks/package_talk-server_removed.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/package_talk-server_removed.xml > \ No newline at end of file > diff --git a/RHEL/6/input/services/obsolete.xml > b/RHEL/6/input/services/obsolete.xml > index c2e5b15..b46a912 100644 > --- a/RHEL/6/input/services/obsolete.xml > +++ b/RHEL/6/input/services/obsolete.xml 
> @@ -396,4 +396,31 @@ server_args = -s /var/lib/tftpboot</pre> > </Rule> > > </Group> > + > +<Group id="talk"> > +<title>talk-server and talk</title> > +<description> > +The talk software makes it possible for users to send and receive messages > +across systems through a terminal session. > +</description> > + > +<Rule id="uninstall_talk-server" severity="medium"> > +<title>Uninstall talk-server Package</title> > +<description> > +<package-remove-macro package="talk-server" /> > +</description> > +<ocil> > +<package-check-macro package="talk-server" /> > +</ocil> > +<rationale> > +The talk software presents a security risk as it uses unencrypted protocols > +for communications. Removing the <tt>talk-server</tt> package decreases the > +risk of the accidental (or intentional) activation of talk services. > +</rationale> > +<ident cce="" /> > +<oval id="package_talk-server_removed" /> > +<tested by="JL" on="20140625"/> > +</Rule> > + > +</Group> > </Group> > diff --git a/RHEL/7/input/checks/package_talk-server_removed.xml > b/RHEL/7/input/checks/package_talk-server_removed.xml > new file mode 120000 > index 0000000..b5f3aeb > --- /dev/null > +++ b/RHEL/7/input/checks/package_talk-server_removed.xml > @@ -0,0 +1 @@ > +../../../../shared/oval/package_talk-server_removed.xml > \ No newline at end of file > diff --git a/RHEL/7/input/services/obsolete.xml > b/RHEL/7/input/services/obsolete.xml > index 888162d..4fd80a0 100644 > --- a/RHEL/7/input/services/obsolete.xml > +++ b/RHEL/7/input/services/obsolete.xml 
> @@ -350,4 +350,31 @@ server_args = -s /var/lib/tftpboot</pre> > </Rule> > > </Group> > + > +<Group id="talk"> > +<title>talk-server and talk</title> > +<description> > +The talk software makes it possible for users to send and receive messages > +across systems through a terminal session. > +</description> > + > +<Rule id="uninstall_talk-server" severity="medium"> > +<title>Uninstall talk-server Package</title> > +<description> > +<package-remove-macro package="talk-server" /> > +</description> > +<ocil> > +<package-check-macro package="talk-server" /> > +</ocil> > +<rationale> > +The talk software presents a security risk as it uses unencrypted protocols > +for communications. Removing the <tt>talk-server</tt> package decreases the > +risk of the accidental (or intentional) activation of talk services. > +</rationale> > +<ident cce="" /> > +<oval id="package_talk-server_removed" /> > +<tested by="JL" on="20140625"/> > +</Rule> > + > +</Group> > </Group> > diff --git a/shared/oval/package_talk-server_removed.xml > b/shared/oval/package_talk-server_removed.xml > new file mode 100644 > index 0000000..6db2fb8 > --- /dev/null > +++ b/shared/oval/package_talk-server_removed.xml 
> @@ -0,0 +1,26 @@ > +<def-group> > + <definition class="compliance" id="package_talk-server_removed" > version="2"> > + <metadata> > + <title>Package talk-server Removed</title> > + <affected family="unix"> > + <platform>Red Hat Enterprise Linux 6</platform> > + <platform>Red Hat Enterprise Linux 7</platform> > + </affected> > + <description>The RPM package talk-server should be > removed.</description> > + <reference source="JL" ref_id="RHEL6_20140625" > ref_url="test_attestation"/> > + <reference source="JL" red_id="RHEL7_20140625" > ref_url="test_attestation"/> > + </metadata> > + <criteria> > + <criterion comment="package talk-server is removed" > + test_ref="test_package_talk-server_removed" /> > + </criteria> > + </definition> > + <linux:rpminfo_test check="all" check_existence="none_exist" > + id="test_package_talk-server_removed" version="1" > + comment="package talk-server is removed"> > + <linux:object object_ref="obj_package_talk-server_removed" /> > + </linux:rpminfo_test> > + <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> > + <linux:name>talk-server</linux:name> > + </linux:rpminfo_object> > +</def-group> > -- > 1.8.3.1 > > The underlying cause of removing talk is many customers don't want "Messaging > Services" or "Chat Services" enabled. To align with this, what do you think > of renaming the XCCDF group from "talk and talk-server" to "Chat/Messaging > Services"?
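Review bot: the deleted RHEL/6 copy of package_talk-server_removed.xml carried the header `<!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->`, and the shared/oval replacement that the new symlink points at drops it. If create_package_removed.py still emits package_talk-server_removed.xml into RHEL/6/input/checks/, its next run will overwrite the symlink with a regenerated RHEL-6-only file; either take talk-server out of the generator's package list in this same change, or note in the shared file that it is now hand-maintained and why.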
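Review bot: `<ident cce="" />` in the new uninstall_talk-server Rule (the RHEL/7 obsolete.xml hunk has the same line) ships the rule with an empty CCE. If no identifier has been allocated yet, say so in the commit message so the blank is deliberate rather than overlooked; otherwise fill it in. Since the 'talk' client rule is deferred to a separate patch, the Group title "talk-server and talk" promises more than the group currently contains; a title that describes the service category would also fit the rename suggested in the reply.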
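Review bot: the second `<reference>` in shared/oval/package_talk-server_removed.xml uses the attribute `red_id="RHEL7_20140625"` where the line above uses `ref_id=`. The OVAL reference element expects `ref_id`, so this typo leaves the RHEL-7 attestation without a valid id and will not validate against the OVAL schema; it should read `<reference source="JL" ref_id="RHEL7_20140625" ref_url="test_attestation"/>`.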
Thanks, updated the title of that group to "Chat/Messaging Services" (retested on both of RHEL-6 & RHEL-7) & pushed to master:
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=39dda59b5002d64149a9403b2996eb609a517a3c
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=aa6bca1cd26a4eb1c9a22f913d8d7f5416e113d8

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
