
From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Mon, 18 Jan 2021 11:18:43 +0100
Subject: [PATCH] Update metadata for a few miminal and intermediary
 requirements
---
 controls/anssi.yml | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..9288ac1663 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -506,7 +506,10 @@ controls:
   - id: R27
     title: Disabling service accounts
     level: intermediary
-    # rules: TBD
+    notes: >-
+      It is difficult to generally identify the system's service accounts.
+      Assisting rules could list users which are not disabled for manual review.
+    automated: no
 
   - id: R28
     level: enhanced
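Review bot: The added `automated: no` is an unquoted YAML 1.1 truthy scalar, so a PyYAML-style loader hands the consumer the boolean False rather than the string "no", and the same applies to the `automated: yes` lines elsewhere in this patch. Which of the two the build tooling expects is not visible here; if it compares against string values, quote the value (`automated: 'no'`), and if it wants a boolean, write `automated: false` so the result does not depend on the loader's YAML version. Whichever is chosen, it should be used consistently across all the controls this patch touches.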
@@ -530,7 +533,10 @@ controls:
   - id: R30
     level: minimal
     title: Applications using PAM
-    # rules: TBD
+    notes: >-
+      Manual review is necessary to decide if the list of applications using PAM is minimal.
+      Asssising rules could be created to list all applications using PAM for manual review.
+    automated: no
 
   - id: R31
     title: Securing PAM Authentication Network Services
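Review bot: The second sentence of the added R30 notes has a typo, "Asssising rules", which will surface verbatim in generated guide content since `notes` is rendered text; it should read `Assisting rules could be created to list all applications using PAM for manual review.` The first sentence would also be clearer if it named what "minimal" is measured against, e.g. `Manual review is necessary to decide whether the set of applications configured under /etc/pam.d is the minimum the system needs.`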
@@ -580,6 +586,7 @@ controls:
   - id: R36
     title: Rights to access sensitive content files
     level: intermediary
+    automated: yes
     rules:
     - file_owner_etc_shadow
     - file_permissions_etc_shadow
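Review bot: `automated: yes` is asserted for R36 while the only rules visible in this hunk cover the owner and permissions of /etc/shadow; the rule list may well continue past the hunk, but if it does not, "sensitive content files" in the ANSSI sense (shadow, gshadow and similar) is only partially checked and the metadata overstates coverage. It would be worth either confirming the list covers the other sensitive files or, if the metadata schema allows a partial value, using that instead of `yes`. A one-line comment above `rules:` naming which files the control is taken to cover would make the claim reviewable.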
@@ -637,7 +644,10 @@ controls:
   - id: R42
     level: minimal
     title: In memory services and daemons
-    # rules: TBD
+    notes: >-
+      Manual review is necessary to decide if the list of resident daemons is minimal.
+      Asssising rules could be created to list sevices listening on the network for manual review.
+    automated: no
 
   - id: R43
     title: Hardening and configuring the syslog
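Review bot: The added R42 notes narrow the control's scope: R42 is about resident daemons in general, and services listening on the network are only a subset, so an assisting rule that lists network listeners would miss local-only daemons that also belong in this review. The line also carries two typos ("Asssising", "sevices") that will be rendered as-is. A wording such as `Assisting rules could be created to list running services (with network listeners called out separately) for manual review.` keeps the suggestion without shrinking the control.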
@@ -709,6 +719,7 @@ controls:
   - id: R48
     level: intermediary
     title: Configuring the local messaging service
+    automated: yes
     rules:
     - postfix_network_listening_disabled
 
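Review bot: Marking R48 `automated: yes` rests on a single rule, `postfix_network_listening_disabled`, which only applies when Postfix is the local MTA; a host running a different mail service would pass this control vacuously rather than be checked. If the profile is understood to assume Postfix, a comment above `rules:` saying so, e.g. `# Assumes Postfix is the local MTA; other MTAs are not covered`, would make the automation claim honest; otherwise the metadata should reflect the partial coverage.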
@@ -825,6 +836,7 @@ controls:
     level: intermediary
     title: Privileges of target sudo users
     description: The targeted users of a rule should be, as much as possible, non privileged users.
+    automated: yes
     rules:
     - sudoers_no_root_target
 
@@ -840,12 +852,14 @@ controls:
     level: intermediary
     title: Good use of negation in a sudoers file
     description: The sudoers configuration rules should not involve negation.
+    automated: yes
     rules:
     - sudoers_no_command_negation
 
   - id: R63
     level: intermediary
     title: Explicit arguments in sudo specifications
+    automated: yes
     rules:
     - sudoers_explicit_command_args