----- Original Message -----
> From: "Steve Grubb" <[email protected]>
> To: [email protected]
> Cc: "Jan Lieskovsky" <[email protected]>
> Sent: Friday, October 31, 2014 6:08:00 PM
> Subject: Re: Configuration testing vs Forensic testing
>
> On Friday, October 31, 2014 12:51:04 PM Jan Lieskovsky wrote:
> > ----- Original Message -----
> >
> > > From: "Steve Grubb" <[email protected]>
> > > To: [email protected]
> > > Sent: Friday, October 31, 2014 3:55:29 PM
> > > Subject: Re: Configuration testing vs Forensic testing
> > >
> > > On Friday, October 31, 2014 10:47:37 AM Shawn Wells wrote:
> > > > On 10/31/14, 10:31 AM, Steve Grubb wrote:
> > > > > I think there is a problem in the SSG content. I think that the
> > > > > current content is intended to check the system configuration. This
> > > > > would be done by examining the files on disk to warn about changes or
> > > > > things that are misconfigured. There is also another category of
> > > > > testing that is forensics which checks the ephemeral / current values
> > > > > being enforced. Both are necessary and useful, but they should not be
> > > > > mixed.
> > >
> > > <snip>
> > >
> > > > I've opened tickets to track mount vs fstab, sysctl, and service vs
> > > > chkconfig:
> > >
> > > Thanks!
> > >
> > > > As/if you identify additional sections which need better separation,
> > > > please bring them to our attention!
> > >
> > > Well, in a very brief look, the selinux label check in /dev is wrong, it
> > > should be:
> > >
> > > find /dev -context *:device_t:* \( -type c -o -type b \)
> >
> > Just out-of-curiosity this doesn't seem to be working properly (or
> > I am missing something obvious) [*]. E.g. sample output from RHEL-6 system:
>
> Something got snipped. Should have been:
>
> find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"

Thank you. This works fine.

> > [root@localhost ~]# cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 6.6 (Santiago)
> > [root@localhost ~]# ls -Z /dev/null
> > crw-rw-rw-. root root system_u:object_r:null_device_t:s0 /dev/null
> > [root@localhost ~]# chcon -t samba_share_t /dev/null
> > [root@localhost ~]# ls -Z /dev/null
> > crw-rw-rw-. root root system_u:object_r:samba_share_t:s0 /dev/null
> > [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \)
> > [root@localhost ~]# find /dev -context *:device_t:* \( -type c -o -type b \) | wc -l
> > 0
> >
> > Shouldn't it be changed to e.g.:
> >
> > find /dev ! -context *\:*device_t\:* \( -type c -o -type b \)
> >
> > to get the list of devices that are not of :*_device_t: target?
>
> device_t is the default when selinux knows nothing about the device. You want
> your system to have none of these.

Yes. Confirmed by creating a symlink to /dev/null & checking the SELinux target of that new link.

Thanks a lot!

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> -Steve
> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
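An added illustration of the label check discussed above (not code from the list or from SSG): it parses constructed output in the `find -printf "%p %Z\n"` format and applies the glob the way find's -context does, showing that `*:device_t:*` selects only the generic device_t label that SELinux assigns to devices it knows nothing about, while the looser `*device_t*` matches every properly labelled device node as well. The sample paths and labels are constructed for the example.

```python
"""Flag device nodes whose SELinux type is the generic device_t."""
import fnmatch
from typing import List, NamedTuple


class DevLabel(NamedTuple):
    path: str
    user: str
    role: str
    type: str
    level: str


def parse_find_output(text: str) -> List[DevLabel]:
    """Parse lines of the form '<path> <user>:<role>:<type>:<level>'
    as produced by: find /dev ... -printf "%p %Z\n"."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, ctx = line.rpartition(" ")
        user, role, typ, level = ctx.split(":", 3)
        entries.append(DevLabel(path, user, role, typ, level))
    return entries


def matching_devices(entries: List[DevLabel], pattern: str = "*:device_t:*") -> List[str]:
    """Paths whose full context matches the find(1) -context glob.
    The default pattern hits exactly the device_t type; any hit means a
    device the policy has no label for, which the thread says should be none."""
    return [e.path for e in entries
            if fnmatch.fnmatchcase(":".join(e[1:]), pattern)]


# Constructed sample output; /dev/newthing stands in for an unlabelled device.
SAMPLE = """\
/dev/null system_u:object_r:null_device_t:s0
/dev/sda system_u:object_r:fixed_disk_device_t:s0
/dev/newthing system_u:object_r:device_t:s0
/dev/tty0 system_u:object_r:tty_device_t:s0
"""

if __name__ == "__main__":
    devs = parse_find_output(SAMPLE)
    print("generic device_t:", matching_devices(devs))
    print("loose *device_t*:", matching_devices(devs, "*device_t*"))
```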
