List:       scap-security-guide
Subject:    Re: why is testing for file integrity monitoring technology specific?
From:       Gabe Alford <redhatrises () gmail ! com>
Date:       2015-08-04 15:02:44
Message-ID: CAGLxfGxJeWxoPxD_7RzYwKG+zEvco9sDezPOk0J=BV6Z+ZsnqQ () mail ! gmail ! com

On Tue, Aug 4, 2015 at 8:43 AM, Shawn Wells <shawn@redhat.com> wrote:

>
>
> On 7/30/15 5:57 PM, Bond Masuda wrote:
>
>> Ok. I guess I will need to learn how to write OVAL and XCCDF content....
>>
>>
> Writing SCAP isn't the only way to contribute :)
>
> If you can create guidance (just text) for a tool, people here can help
> convert to XCCDF. On the OVAL side, if you can help us understand what
> regex/files/system attributes need to be examined for a pass/fail, that's a
> huge jumping off point too.
>
>> Besides that, my coworker and I just noticed that although we fail the
>> AIDE test, we are passing the aide_periodic_cron_checking test. This might
>> be a bug??? Can anyone replicate?
>>
>
> Skimming the code, likely a bug.  Do you mind opening a ticket? The OVAL
> code checks to see if aide is installed:
>
>>     <criteria operator="AND">
>>       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
>>       <criteria operator="OR">
>>         <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" />
>>         <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
>>         <criterion comment="run aide daily with cron" test_ref="test_aide_var_cron_checking" />
>>       </criteria>
>>     </criteria>
>>
>
This was recently fixed with
https://github.com/OpenSCAP/scap-security-guide/pull/631 (which is actually
listed above by Shawn)


> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
>
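
Added example, not part of the original message or the project's code: a simplified evaluator for the criteria block quoted above, showing how the outer AND with `package_aide_installed` decides the result on a host where a cron entry exists but the aide package is absent. The result values in `CRON_ONLY` and the helper names are constructed for illustration; only the AND/OR operators with true/false results are modelled.

```python
import xml.etree.ElementTree as ET

# Criteria block from the thread, with the mail line wraps removed.
CRITERIA_XML = """
<criteria operator="AND">
  <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron" test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_crond_checking" />
    <criterion comment="run aide daily with cron" test_ref="test_aide_var_cron_checking" />
  </criteria>
</criteria>
"""

# Constructed scan results: /etc/crontab mentions aide, but the package is missing.
CRON_ONLY = {
    "package_aide_installed": False,
    "test_aide_periodic_cron_checking": True,
    "test_aide_crond_checking": False,
    "test_aide_var_cron_checking": False,
}

def evaluate(node, results):
    """Evaluate a criteria node against a {ref: bool} map (AND/OR only)."""
    if node.tag == "criterion":
        return results[node.get("test_ref")]        # KeyError on an unknown test
    if node.tag == "extend_definition":
        return results[node.get("definition_ref")]  # result of the referenced definition
    if node.tag != "criteria":
        raise ValueError(f"unsupported element: {node.tag}")
    children = [evaluate(child, results) for child in node]
    operator = node.get("operator", "AND")          # OVAL defaults to AND
    if operator == "AND":
        return all(children)
    if operator == "OR":
        return any(children)
    raise ValueError(f"unsupported operator: {operator}")

def full_definition(results):
    """Result of the whole quoted block, including the package check."""
    return evaluate(ET.fromstring(CRITERIA_XML), results)

def cron_block_only(results):
    """Result of the inner OR block alone, ignoring the package check."""
    return evaluate(ET.fromstring(CRITERIA_XML).find("criteria"), results)

if __name__ == "__main__":
    print("cron checks alone:", cron_block_only(CRON_ONLY))
    print("with package_aide_installed:", full_definition(CRON_ONLY))
```

With the constructed results, the inner OR block alone evaluates to true, while the full block evaluates to false because the `extend_definition` is false.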
