List: scap-security-guide
Subject: Re: why is testing for file integrity monitoring technology specific?
From: Gabe Alford <redhatrises () gmail ! com>
Date: 2015-08-04 15:02:44
Message-ID: CAGLxfGxJeWxoPxD_7RzYwKG+zEvco9sDezPOk0J=BV6Z+ZsnqQ () mail ! gmail ! com
On Tue, Aug 4, 2015 at 8:43 AM, Shawn Wells <shawn@redhat.com> wrote:
>
>
> On 7/30/15 5:57 PM, Bond Masuda wrote:
>
>> Ok. I guess I will need to learn how to write OVAL and XCCDF content....
>>
>>
> Writing SCAP isn't the only way to contribute :)
>
> If you can create guidance (just text) for a tool, people here can help
> convert to XCCDF. On the OVAL side, if you can help us understand what
> regex/files/system attributes need to be examined for a pass/fail, that's a
> huge jumping off point too.
>
>> Besides that, my coworker and I just noticed that although we fail the
>> AIDE test, we are passing the aide_periodic_cron_checking test. This might
>> be a bug??? Can anyone replicate?
>>
>
> Skimming the code, likely a bug. Do you mind opening a ticket? The OVAL
> code checks to see if aide is installed:
>
>> <criteria operator="AND">
>>   <extend_definition comment="Aide is installed"
>>     definition_ref="package_aide_installed" />
>>   <criteria operator="OR">
>>     <criterion comment="run aide daily with cron"
>>       test_ref="test_aide_periodic_cron_checking" />
>>     <criterion comment="run aide daily with cron"
>>       test_ref="test_aide_crond_checking" />
>>     <criterion comment="run aide daily with cron"
>>       test_ref="test_aide_var_cron_checking" />
>>   </criteria>
>> </criteria>
>>
>
This was recently fixed with
https://github.com/OpenSCAP/scap-security-guide/pull/631 (which is actually
listed above by Shawn)
> --
> SCAP Security Guide mailing list
> scap-security-guide@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
>
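
How the criteria tree quoted in the message above combines its results, as an added example that is not part of the original thread or the project's code. It assumes each test and definition result is simply true or false (OVAL also has results such as error and unknown), and the scan results are constructed.

```python
import xml.etree.ElementTree as ET

# The criteria block quoted in the thread, as well-formed XML.
CRITERIA_XML = """
<criteria operator="AND">
  <extend_definition comment="Aide is installed"
                     definition_ref="package_aide_installed" />
  <criteria operator="OR">
    <criterion comment="run aide daily with cron"
               test_ref="test_aide_periodic_cron_checking" />
    <criterion comment="run aide daily with cron"
               test_ref="test_aide_crond_checking" />
    <criterion comment="run aide daily with cron"
               test_ref="test_aide_var_cron_checking" />
  </criteria>
</criteria>
"""

def evaluate(node, results):
    """Evaluate a criteria node against {ref_id: bool}; unlisted refs are False."""
    if node.tag == "criteria":
        children = [evaluate(child, results) for child in node]
        operator = node.get("operator", "AND")  # AND is the schema default
        if operator == "AND":
            value = all(children)
        elif operator == "OR":
            value = any(children)
        else:
            raise ValueError(f"unsupported operator: {operator}")
    elif node.tag == "criterion":
        value = results.get(node.get("test_ref"), False)
    elif node.tag == "extend_definition":
        value = results.get(node.get("definition_ref"), False)
    else:
        raise ValueError(f"unexpected element: {node.tag}")
    # negate="true" inverts the result of any of the three element types
    return (not value) if node.get("negate") in ("true", "1") else value

ROOT = ET.fromstring(CRITERIA_XML)
CRON_GROUP = ROOT.find("criteria")  # the inner OR over the three cron tests

# Constructed scan results: a cron entry for aide exists, the package does not.
CRON_ONLY = {"package_aide_installed": False,
             "test_aide_periodic_cron_checking": True}
# Constructed scan results: package installed and one cron test passing.
COMPLIANT = {"package_aide_installed": True,
             "test_aide_crond_checking": True}

if __name__ == "__main__":
    print("cron group, cron only:", evaluate(CRON_GROUP, CRON_ONLY))
    print("definition, cron only:", evaluate(ROOT, CRON_ONLY))
    print("definition, compliant:", evaluate(ROOT, COMPLIANT))
```

With the `extend_definition` in place, a passing cron test alone cannot make the definition pass: the inner OR group is true for `CRON_ONLY`, but the outer AND is false.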