On Friday, October 31, 2014 12:51:04 PM Jan Lieskovsky wrote:
> ----- Original Message -----
>
> > From: "Steve Grubb" <[email protected]>
> > To: [email protected]
> > Sent: Friday, October 31, 2014 3:55:29 PM
> > Subject: Re: Configuration testing vs Forensic testing
> >
> > On Friday, October 31, 2014 10:47:37 AM Shawn Wells wrote:
> > > On 10/31/14, 10:31 AM, Steve Grubb wrote:
> > > > I think there is a problem in the SSG content. I think that the
> > > > current content is intended to check the system configuration. This
> > > > would be done by examining the files on disk to warn about changes or
> > > > things that are misconfigured. There is also another category of
> > > > testing that is forensics, which checks the ephemeral / current values
> > > > being enforced. Both are necessary and useful, but they should not be
> > > > mixed.
> > > >
> > > > <snip>
> > > >
> > > > > I've opened tickets to track mount vs fstab, sysctl, and service vs
> > > > > chkconfig:
> >
> > Thanks!
> >
> > > As/if you identify additional sections which need better separation,
> > > please bring them to our attention!
> >
> > Well, in a very brief look, the selinux label check in /dev is wrong, it
> > should be:
> >
> > find /dev -context *:device_t:* \( -type c -o -type b \)
>
> Just out of curiosity, this doesn't seem to be working properly (or
> I am missing something obvious) [*]. E.g. sample output from a RHEL-6 system:

Something got snipped. Should have been:

find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

> [root@localhost ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 6.6 (Santiago)
> [root@localhost ~]# ls -Z /dev/null
> crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null
> [root@localhost ~]# chcon -t samba_share_t /dev/null
> [root@localhost ~]# ls -Z /dev/null
> crw-rw-rw-. root root system_u:object_r:samba_share_t:s0 /dev/null
> [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \)
> [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \) | wc -l
> 0
>
> Shouldn't it be changed to e.g.:
>
> find /dev ! -context *\:*device_t\:* \( -type c -o -type b \)
>
> to get the list of devices that are not of :*_device_t: target?

device_t is the default when selinux knows nothing about the device. You want your system to have none of these.

-Steve

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
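As an added illustration of the check Steve describes (this is example code written for this page, not SSG content or anything posted in the thread), the script below keeps the `find ... -printf "%p %Z\n"` command for live use and adds a small filter that works on that output format. The filter treats the SELinux context as the `user:role:type:level` tuple and flags only entries whose type field is exactly `device_t`, which is why `null_device_t` or `tty_device_t` are not hits and why a node relabeled to an unrelated type such as `samba_share_t` is outside the scope of this particular check. The sample lines, the `/dev/mydev` path and the `--live` flag are constructed for the example; the glob is quoted so the shell cannot expand it against files in the current directory before `find` sees it.

```shell
#!/bin/sh
# Added example: audit /dev for device nodes that still carry the generic
# SELinux type device_t, the label a device gets when the policy has no
# specific type for it. Sample data and the --live flag are constructed here.

# The command to run on a live SELinux system (needs a find built with
# SELinux support, as on RHEL). Any line it prints is a device node the
# policy does not know about and should be investigated.
DEV_LABEL_CMD='find /dev -context "*:device_t:*" \( -type c -o -type b \) -printf "%p %Z\n"'

# Read "path context" lines (the -printf "%p %Z" format) on stdin and print
# the paths whose type field (third colon-separated field of
# user:role:type:level) is exactly device_t. Suffix matches such as
# null_device_t are deliberately not reported: those are specific types,
# which is the desired state.
flag_generic_device_t() {
    awk '{
        n = split($2, f, ":")
        if (n >= 3 && f[3] == "device_t") print $1
    }'
}

# Count of flagged entries for a given block of "path context" lines.
count_generic_device_t() {
    printf '%s\n' "$1" | flag_generic_device_t | wc -l | tr -d ' '
}

# Constructed sample of what the live command might print on a host with one
# stray node; on a fully labeled system the real command prints nothing.
SAMPLE='/dev/null system_u:object_r:null_device_t:s0
/dev/sda system_u:object_r:fixed_disk_device_t:s0
/dev/mydev system_u:object_r:device_t:s0
/dev/tty0 system_u:object_r:tty_device_t:s0'

if [ "$#" -gt 0 ] && [ "$1" = "--live" ]; then
    # Run the real check against /dev.
    eval "$DEV_LABEL_CMD" | flag_generic_device_t
else
    # Demonstrate the filter on the constructed sample; prints /dev/mydev.
    printf '%s\n' "$SAMPLE" | flag_generic_device_t
fi
```

Because `find -context` already restricts the output to `device_t`, the awk filter is redundant on a live run; it is kept so that saved `%p %Z` listings (for example, collected from several hosts) can be checked offline with the same exact-type rule.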
