[PATCH 0/4] Added content based on DISA FSO feedback.
by Willy Santos
This set of patches are all related to adding value selectors to the deny_password_attempts rule, based on feedback from DISA FSO.
Willy Santos (4):
Added Value section for login retries and made necessary changes to
the deny_password_attempts to reflect the use of these values.
Created OVAL check accounts_passwords_pam_faillock_deny, for checking
the configured maximum number of failed login attempts the system
will allow before locking the account.
Added <sub> sections to the deny_password_attempts rule for automatic
substitution of correct value depending on profile.
Added <refine-value> for STIG-specific value for failed login
attempts.
.../accounts_passwords_pam_faillock_deny.xml | 50 ++++++++++++++++++++
RHEL6/input/profiles/STIG-server.xml | 2 +
RHEL6/input/system/accounts/pam.xml | 25 +++++++---
3 files changed, 70 insertions(+), 7 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_passwords_pam_faillock_deny.xml
--
1.7.7.6
11 years, 10 months
[PATCH] additions to transition notes, STIG profile
by Jeffrey Blank
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/auxiliary/transition_notes.xml | 30 +++++++++++++++++++++++----
RHEL6/input/profiles/STIG-server.xml | 6 +++++
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml
index 32bdc9c..3141809 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -13,7 +13,7 @@ This is superceded by the system-wide check for improper permissions provided
by the package manager. Automating this check became possible with OVAL 5.8.
</note>
-<note ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" auth="JB">
+<note ref="774,784,788,823,824,899,900,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" auth="JB">
The security argument is not apparent or salient.
</note>
@@ -26,10 +26,18 @@ Existence of an ACL is not necessarily a problem, and checking for existence of
files does not achieve any security goals. Alternatives include denying use of any ACLs unless documented, or simply dropping these rules entirely (preferred).
</note>
-<note ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB">
+<note ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB">
This is covered in the RHEL6 content.
</note>
+<note ref="808" auth="JB">
+Bothering with umasks: worth the bother?
+</note>
+
+<note ref="805" auth="JB">
+This is covered in the RHEL6 content for NFS mounts. Need to investigate removable media (for which we put in a ticket for configuration options a long time ago).
+</note>
+
<note ref="11945" auth="JB">
What is the distinction and purpose of different MAC levels?
</note>
@@ -43,15 +51,27 @@ do not even support this capability.
This needs to be added to the RHEL6 content.
</note>
-<note ref="770,918" auth="JB">
+<note ref="812,813" auth="JB">
+This needs to be added to the RHEL6 content; oddly OVAL checks already exist for it.
+</note>
+
+<note ref="825,907,910,916,917" auth="JB">
+Is this a concern on a modern system?
+</note>
+
+<note ref="770,918,921,922" auth="JB">
This is covered in the RHEL6 content in a slightly different manner.
</note>
+<note ref="827" auth="JB">
+This needs to be added to the RHEL6 content, as well as a complete re-write of its CUPS section.
+</note>
+
<note ref="12022" auth="JB">
This is covered in the RHEL6 content in a slightly different manner: iptables is required.
</note>
-<note ref="12005" auth="JB">
+<note ref="1011,12005" auth="JB">
This is covered in the RHEL6 content in a slightly different manner: xinetd is required to be disabled, and inetd is not available as part of RHEL6.
</note>
@@ -68,7 +88,7 @@ This is covered in the RHEL6 content in a slightly different manner: xinetd serv
Finger is still part of RHEL, and so a separate rule could be created for this if we were so inclined.
</note>
-<note ref="4692,4694,12006" auth="JB">
+<note ref="835,4692,4694,12006" auth="JB">
Postfix is the mail server on RHEL 6, and items peculiar to sendmail no longer apply.
</note>
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml
index 08c8ddb..fa11c8e 100644
--- a/RHEL6/input/profiles/STIG-server.xml
+++ b/RHEL6/input/profiles/STIG-server.xml
@@ -30,6 +30,12 @@
<select idref="service_bluetooth_disabled" selected="true" />
<select idref="account_disable_post_pw_expiration" selected="true" />
+<select idref="sticky_world_writable_dirs" selected="true" />
+<select idref="world_writable_files_system_ownership" selected="true" />
+<select idref="tftpd_uses_secure_mode" selected="true" />
+
+
+
<select idref="ftp_present_banner" selected="true" />
<!-- from inherited Rule, limiting_password_reuse -->
--
1.7.1
11 years, 10 months
[PATCH] added css hacks to combine some columns to make reading easier * for users who aren't rocking dual 2560x1600 displays
by Jeffrey Blank
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/transforms/xccdf2table-stig.xslt | 42 +++++++++++++++++++++++++++----
1 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/RHEL6/transforms/xccdf2table-stig.xslt b/RHEL6/transforms/xccdf2table-stig.xslt
index e3024eb..3c83b81 100644
--- a/RHEL6/transforms/xccdf2table-stig.xslt
+++ b/RHEL6/transforms/xccdf2table-stig.xslt
@@ -34,12 +34,14 @@
{
border-collapse:collapse;
}
- table,th, td
+ table,th,td
{
border: 1px solid black;
vertical-align: top;
padding: 3px;
}
+ .bl, table.bl tr td { border:none; }
+ .bbl, table.bbl tr td { border:none; font-weight: bold;}
thead
{
display: table-header-group;
@@ -48,10 +50,24 @@
</style>
<table>
<thead>
+ <xsl:choose>
+ <xsl:when test="$notes">
+ <td>
+ <table class="bbl">
+ <tr><td class="bl">Title</td></tr>
+ <tr><td>V-ID</td></tr>
+ <tr><td>GEN-ID</td></tr>
+ <tr><td>CAT</td></tr>
+ </table>
+ </td>
+ </xsl:when>
+ <xsl:otherwise>
<td>V-ID</td>
<td>GEN-ID</td>
<td>CAT</td>
<td>Title</td>
+ </xsl:otherwise>
+ </xsl:choose>
<td>Description</td>
<td>Check Procedures</td>
<td>Fixtext</td>
@@ -68,11 +84,25 @@
<xsl:template name="rule-output">
<xsl:param name="vulnid"/>
<tr>
- <td><xsl:value-of select="@id"/></td>
- <!--<td> <xsl:value-of select="cdf:ident" /></td>-->
- <td> <xsl:value-of select="cdf:title" /></td>
- <td> <xsl:value-of select="cdf:Rule/@severity" /></td>
- <td> <xsl:value-of select="cdf:Rule/cdf:title" /></td>
+ <xsl:choose>
+ <xsl:when test="$notes">
+ <td>
+ <table class="bl">
+ <tr><td><xsl:value-of select="cdf:Rule/cdf:title" /></td></tr>
+ <tr><td><xsl:value-of select="@id"/></td></tr>
+ <tr><td><xsl:value-of select="cdf:title" /></td></tr>
+ <tr><td><xsl:value-of select="cdf:Rule/@severity" /></td></tr>
+ </table>
+ </td>
+ </xsl:when>
+ <xsl:otherwise>
+ <td><xsl:value-of select="@id"/></td>
+ <!--<td> <xsl:value-of select="cdf:ident" /></td>-->
+ <td> <xsl:value-of select="cdf:title" /></td>
+ <td> <xsl:value-of select="cdf:Rule/@severity" /></td>
+ <td> <xsl:value-of select="cdf:Rule/cdf:title" /></td>
+ </xsl:otherwise>
+ </xsl:choose>
<td> <xsl:call-template name="extract-vulndiscussion"><xsl:with-param name="desc" select="cdf:Rule/cdf:description"/></xsl:call-template> </td>
<td> <xsl:value-of select="cdf:Rule/cdf:check/cdf:check-content"/> </td>
<td> <xsl:value-of select="cdf:Rule/cdf:fixtext"/> </td>
--
1.7.1
11 years, 10 months
[PATCH 0/4] additions to Profiles for STIG-server and common
by Jeffrey Blank
* trying to ensure that if a Rule is denoted as satisfying a CCI, that it is included in the STIG-server profile
Jeffrey Blank (4):
added new Value for remembering 24 passwords * which increases
number of hashes that can be harvested at any one time * and
is apparently also some kind of policy requirement
added DoD banner (with minor changes) from RHEL 5 STIG
added Rules to the common and STIG-server Profiles to make them more
complete * driven by addition of CCI references to Rules
identified by verify-references.py
deprecating Rules which call for deletion of kernel modules in favor
of disabling them
RHEL6/input/profiles/STIG-server.xml | 26 ++++++++++++++++++++++++--
RHEL6/input/profiles/common.xml | 17 +++++++++++++++++
RHEL6/input/system/accounts/banners.xml | 7 +++++++
RHEL6/input/system/accounts/pam.xml | 6 +++++-
RHEL6/input/system/network/wireless.xml | 4 ++--
RHEL6/input/system/permissions/mounting.xml | 4 +++-
6 files changed, 58 insertions(+), 6 deletions(-)
11 years, 10 months
[PATCH] Modified no_empty_password rule.
by Willy Santos
Modified no_empty_password rule to check for nullok option in /etc/pam.d/system-auth instead of checking password field in /etc/shadow. Also created OVAL check accounts_pam_no_nullok.xml to support this. See Trac ticket #92: https://fedorahosted.org/scap-security-guide/ticket/92
---
RHEL6/input/checks/accounts_pam_no_nullok.xml | 24 ++++++++++++++++++++
.../accounts/restrictions/password_storage.xml | 18 ++++++++++-----
2 files changed, 36 insertions(+), 6 deletions(-)
create mode 100644 RHEL6/input/checks/accounts_pam_no_nullok.xml
diff --git a/RHEL6/input/checks/accounts_pam_no_nullok.xml b/RHEL6/input/checks/accounts_pam_no_nullok.xml
new file mode 100644
index 0000000..054cb94
--- /dev/null
+++ b/RHEL6/input/checks/accounts_pam_no_nullok.xml
@@ -0,0 +1,24 @@
+<def-group>
+ <definition class="compliance" id="accounts_pam_no_nullok" version="1">
+ <metadata>
+ <title>No nullok Option in /etc/pam.d/system-auth</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TO:DO" source="CCE" />
+ <description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
+ </metadata>
+ <criteria>
+ <criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="test_accounts_pam_no_nullok" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="test_accounts_pam_no_nullok" version="1">
+ <ind:object object_ref="object_accounts_pam_no_nullok" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_accounts_pam_no_nullok" version="1">
+ <ind:path>/etc/pam.d/</ind:path>
+ <ind:filename>system-auth</ind:filename>
+ <ind:pattern operation="pattern match">\s*nullok\s*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index 8e1014b..8f39126 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -17,11 +17,17 @@ should allow administrators to avoid such misconfiguration.
</description>
<Rule id="no_empty_passwords" severity="high">
-<title>Verify that No Accounts Have Empty Password Fields</title>
-<description>Run the command:
-<pre># awk -F: '($2 == "") {print}' /etc/shadow</pre>
-If this produces any output, fix the problem by locking each
-account or by setting a password.
+<title>Prevent Log In to Accounts With Empty Password</title>
+<description>If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Ensuring that the <tt>nullok</tt>
+option is <b>NOT</b> used in the <tt>/etc/pam.d/system-auth-ac</tt>
+prevents logins with empty passwords.
+<br /><br />
+To verify manually, the following command can be used:
+<pre># grep nullok /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre>
+If this produces any output, fix the problem by removing any instance
+of <tt>nullok</tt> in <tt>/etc/pam.d/system-auth-ac</tt>.
</description>
<rationale>
If an account has an empty password, anybody may log in and
@@ -30,7 +36,7 @@ empty passwords should never be used in operational
environments.
</rationale>
<ident cce="4238-2" />
-<oval id="accounts_no_empty_passwords" />
+<oval id="accounts_pam_no_nullok" />
<ref nist="AC-3, CM-6, IA-5" />
</Rule>
--
1.7.7.6
11 years, 10 months
[PATCH 0/4] notes toward consensus, additions from RHEL 5 STIG
by Jeffrey Blank
Added notes that indicate how I believe RHEL 5 settings
could transition to consensus settings for RHEL 6. Also identified
some items from the RHEL 5 STIG that should be leveraged in the RHEL 6
content.
Jeffrey Blank (4):
added notes to support transition of RHEL 5 content to consensus for
RHEL 6
normalize whitespace for each ref in (attribute) ref list, permitting
use of newlines or accidental spaces
added missing items to Profiles
added support for setting password expiration to 60 days * and
some additional rationale text
RHEL6/input/auxiliary/transition_notes.xml | 85 ++++++++++++++++++--
RHEL6/input/profiles/STIG-server.xml | 4 +
RHEL6/input/profiles/common.xml | 17 ++++
.../accounts/restrictions/password_expiration.xml | 9 ++-
RHEL6/transforms/xccdf2table-stig.xslt | 4 +-
5 files changed, 106 insertions(+), 13 deletions(-)
11 years, 10 months
[PATCH 0/3] Cleaned up some make validate errors and mapped some CCI's
by Kevin Spargur
Mapped CCI 382 which requires "The operating system must configure the
information system to specifically prohibit or restrict the use of
organization-defined functions, ports, protocols, and/or services" to all
the disable service xyz rules in base. Then make validate was making me sad
with the following errors so I cleaned it up.
oscap xccdf validate-xml output/rhel6-xccdf-scap-security-guide.xml
1 1877 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 237:
Element '{http://checklists.nist.gov/xccdf/1.1}refine-value': Duplicate
key-sequence ['var_umask_for_daemons'] in unique identity-constraint
'{http://checklists.nist.gov/xccdf/1.1}refineValueKey'.
1 1877 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 261:
Element '{http://checklists.nist.gov/xccdf/1.1}refine-value': Duplicate
key-sequence ['password_history_retain_number'] in unique identity-constraint
'{http://checklists.nist.gov/xccdf/1.1}refineValueKey'.
1 1871 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 3212:
Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not
expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
oscap was unable to validate the XML document you provided.
Kevin Spargur (3):
Removed duplicate entries causing make validate to fail
Added some spacing to remove a make validate error
Mapped CCI382 to several disable service xyz rules
RHEL6/input/profiles/common.xml | 4 ---
RHEL6/input/services/base.xml | 46 +++++++++++++++++-----------------
RHEL6/input/system/accounts/pam.xml | 4 +-
3 files changed, 25 insertions(+), 29 deletions(-)
--
1.7.7.6
11 years, 10 months
[PATCH] Added prose to describe audit messages.
by Willy Santos
---
RHEL6/input/system/auditing.xml | 74 ++++++++++++++++++++++++++++++++++++++-
1 files changed, 73 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index acfee4e..11e1ad6 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -53,7 +53,79 @@ data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
-it can be configured to do).
+it can be configured to do).
+<br /><br />
+The following is an example of a typical "raw" audit message and a breakdown of
+what the most important fields mean. In this example the message is SELinux
+related and reports an AVC denial (and the associated system call) that occurred
+when the Apache HTTP Server (running in the <tt>httpd_t</tt> domain)
+attempted to access the <tt>/var/www/html/file1</tt> file (labeled with the
+<tt>samba_share_t</tt> type):
+<pre>type=AVC msg=audit(1226874073.147:96): avc: denied { getattr } for pid=2465 comm="httpd"
+path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
+tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+
+type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
+a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
+gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
+exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
+</pre>
+<ul>
+<li><tt>msg=audit(1226874073.147:96)</tt>
+<ul><li>The number in parentheses is the unformatted current time (Epoch time) or
+time stamp for the event. It can be converted to standard time by using the
+<tt>date</tt> command:
+<pre># date -d @1226874073.147
+<i>Sun Nov 16 17:21:13 EST 2008</i>
+</pre>
+</li></ul>
+</li>
+<li><tt>{ getattr }</tt>
+<ul><li>The item in braces indicates the permission that was denied. <tt>getattr</tt>
+indicates the source process was trying to read the target file's status information.
+This occurs before reading files. This action is denied due to the file being
+accessed having the wrong label. Commonly seen permissions include <tt>getattr</tt>,
+<tt>read</tt>, and <tt>write</tt>.</li></ul>
+</li>
+<li><tt>comm="httpd"</tt>
+<ul><li>The executable that launched the process. The full path of the executable is
+found in the <tt>exe=</tt> section of the system call (<tt>SYSCALL</tt>) message,
+which in this case, is <tt>exe="/usr/sbin/httpd"</tt>.
+</li></ul>
+</li>
+<li><tt>path="/var/www/html/file1"</tt>
+<ul><li>The path to the object (target) the process attempted to access.
+</li></ul>
+</li>
+<li><tt>scontext="unconfined_u:system_r:httpd_t:s0"</tt>
+<ul><li>The SELinux context of the process that attempted the denied action. In
+this case, it is the SELinux context of the Apache HTTP Server, which is running
+in the <tt>httpd_t</tt> domain.
+</li></ul>
+</li>
+<li><tt>tcontext="unconfined_u:object_r:samba_share_t:s0"</tt>
+<ul><li>The SELinux context of the object (target) the process attempted to access.
+In this case, it is the SELinux context of <tt>file1</tt>. Note: the <tt>samba_share_t</tt>
+type is not accessible to processes running in the <tt>httpd_t</tt> domain.</li>
+<li>In certain situations, the <tt>tcontext</tt> may match the <tt>scontext</tt>,
+for example, when a process attempts to execute a system service that will change
+characteristics of that running process, such as the user ID. Also, the <tt>tcontext</tt>
+may match the <tt>scontext</tt> when a process tries to use more resources (such as
+memory) than normal limits allow, resulting in a security check to see if that
+process is allowed to break those limits.
+</li></ul>
+</li>
+<li> From the system call (<tt>SYSCALL</tt>) message, two items are of interest:
+<ul><li><tt>success=no</tt>: indicates whether the denial (AVC) was enforced or not.
+<tt>success=no</tt> indicates the system call was not successful (SELinux denied
+access). <tt>success=yes</tt> indicates the system call was successful - this can
+be seen for permissive domains or unconfined domains, such as <tt>initrc_t</tt>
+and <tt>kernel_t</tt>.
+</li>
+<li><tt>exe="/usr/sbin/httpd"</tt>: the full path to the executable that launched
+the process, which in this case, is <tt>exe="/usr/sbin/httpd"</tt>.
+</li></ul>
+</li></ul>
</description>
<ref disa="120,135,166,1338,1339,157" />
--
1.7.7.6
11 years, 10 months
"This element is not expected." running oscap
by Willem Bos
Hi All,
Before bothering you with my problems I would just like to say thanks
for all the great work on scap-security-guide you guys are doing.
We're investigating a good basis for our Linux security baseline and
OpenSCAP+SSG is spot on.
When running `oscap xccdf eval --profile server
rhel6-xccdf-scap-security-guide.xml` the following error is returned :
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201:
Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is
not expected. Expected is (
{http://checklists.nist.gov/xccdf/1.1}signature ).
I'm new to scap-security-guide (so browsing the xccdf file was a bit
daunting :-) but the above mentioned <Value
id="password_history_retain_number"...> tag seems out of place in a
'<Rule id="set_password_hashing_algorithm"...>' context :
<Rule id="set_password_hashing_algorithm" severity="low"
selected="false">
<title>Set Password Hashing Algorithm</title>
<description>...
</description>
<reference
href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-fina...">IA-5</reference>
<rationale>
Using a stronger hashing algorithm makes password cracking attacks
more difficult.
</rationale>
<ident system="http://cce.mitre.org">CCE-14063-2</ident>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref
href="rhel6-oval-scap-security-guide.xml"
name="oval:scap-security-guide:def:839"/>
</check>
</Rule>
<Value id="password_history_retain_number" type="number"
operator="equals" interactive="0">
<title>remember</title>
<description>The last n passwords for each user are saved in
<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/security/opasswd</xhtml:code>
in order to force password change history and
keep the user from alternating between the same password too
frequently.</description>
<value selector="">5</value>
<value selector="0">0</value>
<value selector="5">5</value>
<value selector="10">10</value>
</Value>
I'm on RHEL6 and so might be running old(er) software. Is Fedora 16/17
necessary or am I missing something? Here's what I did:
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.3 (Santiago)
rpm -q git openscap-utils python-lxml
git-1.7.1-2.el6_0.1.x86_64
openscap-utils-0.8.0-2.el6.x86_64
python-lxml-2.2.3-1.1.el6.x86_64
cd scap-security-guide
git log
commit 5454d44eee80becb5c1b8929bf6498edfa3bfdcb
Merge: 405d61e a0f2e7e
Author: Kevin Spargur <kspargur(a)redhat.com>
Date: Wed Jul 25 19:59:05 2012 -0400
Merge branch 'master' of ssh://git.fedorahosted.org/git/scap-securi
...
cd scap-security-guide/RHEL6
make all
...
oscap xccdf generate guide --profile allrules output/rhel6-xccdf.xml >
output/rhel6-guide.html
WARNING: Processing an unresolved XCCDF document. This may have
unexpected results.
...
Duplicate ID, which will not be added: var_samba_private_directory
Duplicate ID, which will not be added: state_uid_root
Duplicate ID, which will not be added: object_etc_skel_files
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_removable_partition
Duplicate ID, which will not be added: var_ssh_config_directory
...
cd dist/content
oscap xccdf eval --profile server rhel6-xccdf-scap-security-guide.xml
1 1871 In file 'rhel6-xccdf-scap-security-guide.xml' on line 3201:
Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is
not expected. Expected is (
{http://checklists.nist.gov/xccdf/1.1}signature ).
Regards,
Willem.
11 years, 10 months
