On 10/15/14, 1:07 PM, Shawn Wells wrote:
> On 10/15/14, 10:17 AM, Jan Lieskovsky wrote:
>> Hello folks,
>>
>> in relation to the recent SSLv3 CVE-2014-3566 / "POODLE" flaw:
>> [1] http://fedoramagazine.org/what-you-need-to-know-about-the-sslv3-poodle-flaw-cve-2014-3566/
>>
>> got wondering if there's anything SSG should do to react against it.
>> Possibly to add / update system service rules checking for system SSL
>> version that it is higher than SSLv3? [1] suggests httpd would be
>> one candidate, but I am sure there would be more of them. Should this be
>> investigated further & particular rules updated?
>>
>> Thanks && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Technologies Team
>>
>> P.S.: For those possibly wondering, the proposal is not to add a rule checking
>> that a particular package version is >= the updated version disabling
>> use of SSLv3 (IOW not to perform the CVE check itself), but rather to
>> check the configuration of possibly affected system services, i.e. that they
>> aren't using SSLv3 via their configuration files (since setting the
>> default SSL version higher than SSLv3 is one thing, but actually
>> checking that that version isn't enabled again [by the administrator] is
>> another one).
>
> Already reflect using TLS for SMTP:
> http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#postfix_server_mail_relay_require_tls_for_smtp_auth
>
> And using TLS for LDAP:
> http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#ldap_client_start_tls
> http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#ldap_client_tls_cacertpath
>
> And using TLS for SSL:
> http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#network_ssl
>
> And then specifically calls out using FIPS 140-2 certified ciphers,
> which means the system forces protocols of TLSv1.1 and TLSv1.0 and
> disables all other ciphers but the FIPS ones:
> http://people.redhat.com/swells/scap-security-guide/RHEL/6/output/rhel6-guide-custom.html#sshd_use_approved_ciphers
>
> Big RHT has published some guidance for services such as Tomcat,
> Firefox/Chrome, and httpd here:
> https://access.redhat.com/articles/1232123
>
> Pulling in the guidance for Apache makes sense... something like
>
>> set the SSLProtocol directive as follows in /etc/httpd/conf.d/ssl.conf:
>>
>> *Disable everything except TLSv1.x*
>>
>> On RHEL 7 or RHEL 6.6 and later:
>>
>>     SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
Just double-checked the JBoss EAP guidance, has TLS written in:

"2.14 - Ensure applications deployed by JBoss present valid DoD certificates where applicable"
http://people.redhat.com/swells/scap-security-guide/JBossEAP5/docs/JBossEAP5_Guide.html#rule_xccdf_com.redhat.eap5.scap_rule_4005

"2.17 - Enable Federal Information and Processing Systems 140-2 (FIPS) compliant cryptographic modules for use by JBoss Java environment"
http://people.redhat.com/swells/scap-security-guide/JBossEAP5/docs/JBossEAP5_Guide.html#rule_xccdf_com.redhat.eap5.scap_rule_4008

"5.5 - Do not transmit sensitive information over unsecured HTTP connections"
http://people.redhat.com/swells/scap-security-guide/JBossEAP5/docs/JBossEAP5_Guide.html#rule_xccdf_com.redhat.eap5.scap_rule_1094
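The kind of configuration check Jan proposes for httpd, as an added example that is not part of this thread and not SSG's own code: a small Python checker that evaluates an ssl.conf the way mod_ssl's SSLProtocol parser does (a bare keyword replaces the set, "+" adds, "-" removes, the last directive in a context wins, a VirtualHost without one inherits the global value) and reports every context where SSLv3 is still enabled. The sample configuration is constructed, and treating a file with no SSLProtocol directive at all as "all" is an assumption of the example.

```python
import re

# Keywords mod_ssl accepts for SSLProtocol; "all" expands to every one of them.
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def parse_sslprotocol(arg):
    """mod_ssl semantics: '+word' adds, '-word' removes, a bare word replaces the set."""
    enabled = set()
    for word in arg.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        protos = PROTOCOLS if name.lower() == "all" else {p for p in PROTOCOLS if p.lower() == name.lower()}
        if not protos:
            raise ValueError("unknown SSLProtocol keyword: " + word)
        if action == "-":
            enabled = enabled - protos
        elif action == "+":
            enabled = enabled | protos
        else:
            enabled = set(protos)  # bare keyword overrides everything before it
    return enabled

def effective_protocols(config_text):
    """Protocol set per context (global or <VirtualHost>): last SSLProtocol in a context
    wins, a vhost without one inherits global, and (assumption) no directive means 'all'."""
    contexts, context = {"global": None}, "global"
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # Apache only allows full-line comments
            continue
        start = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        directive = re.match(r"SSLProtocol\s+(.+)", line, re.IGNORECASE)
        if start:
            context = start.group(1).strip()
            contexts.setdefault(context, None)
        elif re.match(r"</VirtualHost>", line, re.IGNORECASE):
            context = "global"
        elif directive:
            contexts[context] = parse_sslprotocol(directive.group(1))
    fallback = contexts["global"] if contexts["global"] is not None else set(PROTOCOLS)
    return {c: (p if p is not None else fallback) for c, p in contexts.items()}

def contexts_with_sslv3(config_text):
    """Names of the contexts whose effective SSLProtocol still allows SSLv3."""
    return sorted(c for c, p in effective_protocols(config_text).items() if "SSLv3" in p)

# Constructed sample ssl.conf: the global line follows the quoted Red Hat guidance,
# but the *:443 vhost overrides it and silently re-enables SSLv3 (*:8443 inherits global).
SAMPLE_CONF = """\
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
</VirtualHost>
"""
```

Running `contexts_with_sslv3(SAMPLE_CONF)` flags only `*:443`, which is exactly the "enabled again by the administrator" case Jan's P.S. wants a rule to catch rather than a package-version check.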
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
