Merge pull request #33 from redhatrises/add_SmartCard_oval
Add OVAL for Smart Card checks
Showing
7 changed files
with
201 additions
and
0 deletions.
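--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,25 @@
+<def-group>
+<definition class="compliance" id="package_esc_installed"
+version="1">
+<metadata>
+<title>Package esc Installed</title>
+<affected family="unix">
+<platform>Red Hat Enterprise Linux 6</platform>
+</affected>
+<description>The RPM package esc should be installed.</description>
+<reference source="galford" ref_id="20140815" ref_url="test_attestation"/>
+</metadata>
+<criteria>
+<criterion comment="package esc is installed"
+test_ref="test_package_esc_installed" />
+</criteria>
+</definition>
+<linux:rpminfo_test check="all" check_existence="all_exist"
+id="test_package_esc_installed" version="1"
+comment="package esc is installed">
+<linux:object object_ref="obj_package_esc_installed" />
+</linux:rpminfo_test>
+<linux:rpminfo_object id="obj_package_esc_installed" version="1">
+<linux:name>esc</linux:name>
+</linux:rpminfo_object>
+</def-group>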
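--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,25 @@
+<def-group>
+<definition class="compliance" id="package_pcsc-lite_installed"
+version="1">
+<metadata>
+<title>Package pcsc-lite Installed</title>
+<affected family="unix">
+<platform>Red Hat Enterprise Linux 6</platform>
+</affected>
+<description>The RPM package pcsc-lite should be installed.</description>
+<reference source="galford" ref_id="20140815" ref_url="test_attestation"/>
+</metadata>
+<criteria>
+<criterion comment="package pcsc-lite is installed"
+test_ref="test_package_pcsc-lite_installed" />
+</criteria>
+</definition>
+<linux:rpminfo_test check="all" check_existence="all_exist"
+id="test_package_pcsc-lite_installed" version="1"
+comment="package pcsc-lite is installed">
+<linux:object object_ref="obj_package_pcsc-lite_installed" />
+</linux:rpminfo_test>
+<linux:rpminfo_object id="obj_package_pcsc-lite_installed" version="1">
+<linux:name>pcsc-lite</linux:name>
+</linux:rpminfo_object>
+</def-group>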
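--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,98 @@
+<def-group>
+<definition class="compliance" id="service_pcscd_enabled" version="1">
+<metadata>
+<title>Service pcscd Enabled</title>
+<affected family="unix">
+<platform>Red Hat Enterprise Linux 6</platform>
+</affected>
+<description>The pcscd service should be enabled if possible.</description>
+<reference source="galford" ref_id="20140815" ref_url="test_attestation" />
+</metadata>
+<criteria comment="package pcsc-lite installed and service pcscd is configured to start" operator="AND">
+<extend_definition comment="pcsc-lite installed" definition_ref="package_pcsc-lite_installed" />
+<criteria operator="OR" comment="service pcscd is configured to start">
+<criterion comment="pcscd runlevel 0" test_ref="test_runlevel0_pcscd" />
+<criterion comment="pcscd runlevel 1" test_ref="test_runlevel1_pcscd" />
+<criterion comment="pcscd runlevel 2" test_ref="test_runlevel2_pcscd" />
+<criterion comment="pcscd runlevel 3" test_ref="test_runlevel3_pcscd" />
+<criterion comment="pcscd runlevel 4" test_ref="test_runlevel4_pcscd" />
+<criterion comment="pcscd runlevel 5" test_ref="test_runlevel5_pcscd" />
+<criterion comment="pcscd runlevel 6" test_ref="test_runlevel6_pcscd" />
+</criteria>
+</criteria>
+</definition>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel0_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel0_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel1_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel1_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel2_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel2_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel3_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel3_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel4_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel4_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel5_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel5_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_test check="all" check_existence="any_exist"
+comment="Runlevel test" id="test_runlevel6_pcscd"
+version="2">
+<unix:object object_ref="obj_runlevel6_pcscd" />
+<unix:state state_ref="state_service_pcscd_on" />
+</unix:runlevel_test>
+<unix:runlevel_object id="obj_runlevel0_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">0</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel1_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">1</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel2_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">2</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel3_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">3</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel4_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">4</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel5_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">5</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_object id="obj_runlevel6_pcscd" version="1">
+<unix:service_name>pcscd</unix:service_name>
+<unix:runlevel operation="equals">6</unix:runlevel>
+</unix:runlevel_object>
+<unix:runlevel_state comment="configured to start" id="state_service_pcscd_on" version="1">
+<unix:start datatype="boolean">true</unix:start>
+<unix:kill datatype="boolean">false</unix:kill>
+</unix:runlevel_state>
+</def-group>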
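Review bot: The `operator="OR"` criteria under `service pcscd is configured to start` accepts pcscd being on in any single runlevel, including 0, 1 and 6 (halt, single-user, reboot), so a host with pcscd enabled only in runlevel 1 satisfies `service_pcscd_enabled` even though it will never run at a normal multi-user boot. If the intent is availability for interactive logins, the criteria should require runlevels 2–5 (or at least drop 0, 1 and 6); if the project's other service_*_enabled definitions deliberately use this seven-runlevel OR, keep it for consistency and say so in the `<description>`. Each of the seven `unix:runlevel_test` elements carries the same `comment="Runlevel test"`; naming the runlevel, e.g. `comment="pcscd configured to start in runlevel 3"`, makes interpreter reports readable without opening the definition. Finally, `check_existence="any_exist"` means a runlevel with no pcscd entry still satisfies the existence check, and how the state comparison then resolves with zero items is interpreter-defined — worth confirming against the target OVAL interpreter, since with the OR it determines whether an unregistered service can pass.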
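--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,50 @@
+<def-group>
+<definition class="compliance" id="smartcard_auth" version="1">
+<metadata>
+<title>Enable Smart Card Login</title>
+<affected family="unix">
+<platform>Red Hat Enterprise Linux 6</platform>
+</affected>
+<description>Enable Smart Card logins</description>
+<reference source="galford" ref_id="20140815" ref_url="test_attestation" />
+</metadata>
+<criteria operator="AND" comment="Smart Card is required to login">
+<extend_definition comment="pcscd service is enabled" definition_ref="service_pcscd_enabled" />
+<extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
+<criterion comment="use smart card login for specific services" test_ref="test_smartcard_services_system-auth" />
+<criterion comment="require smart card login" test_ref="test_require_smartcard_system-auth" />
+<criterion comment="enable OCSP" test_ref="test_require_ocsp_configured" />
+</criteria>
+</definition>
+
+<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check for specific services for smart card login in /etc/pam.d/system-auth" id="test_smartcard_services_system-auth" version="1">
+<ind:object object_ref="object_smartcard_services_system-auth" />
+</ind:textfilecontent54_test>
+
+<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="require smart card login in /etc/pam.d/system-auth" id="test_require_smartcard_system-auth" version="1">
+<ind:object object_ref="object_require_smartcard_system-auth" />
+</ind:textfilecontent54_test>
+
+<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="require OCSP is enabled" id="test_require_ocsp_configured" version="1">
+<ind:object object_ref="object_require_ocsp_configured" />
+</ind:textfilecontent54_test>
+
+<ind:textfilecontent54_object id="object_smartcard_services_system-auth" version="1">
+<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:required)|(?:\[success=1\s*default=ignore\]))\s+pam_succeed_if\.so\s*service\s*notin\s*login.*quiet\s*use_uid$</ind:pattern>
+<ind:instance datatype="int">1</ind:instance>
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_require_smartcard_system-auth" version="1">
+<ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+<ind:pattern operation="pattern match">^\s*auth\s+(?:(?:sufficient)|(?:\[success=done\s*ignore=ignore\s*default=die\]))\s+pam_pkcs11\.so\s*wait_for_card\s*card_only$</ind:pattern>
+<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+</ind:textfilecontent54_object>
+
+<ind:textfilecontent54_object id="object_require_ocsp_configured" version="1">
+<ind:filepath>/etc/pam_pkcs11/pam_pkcs11.conf</ind:filepath>
+<ind:pattern operation="pattern match">^\s*cert_policy( )=( )ca,( )ocsp_on,( )signature;$</ind:pattern>
+<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+</ind:textfilecontent54_object>
+
+</def-group>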
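Review bot: The `object_require_ocsp_configured` pattern `^\s*cert_policy( )=( )ca,( )ocsp_on,( )signature;$` matches exactly one spelling — a single literal space around `=` and after each comma, and the three tokens in that one order — so a `pam_pkcs11.conf` line like `cert_policy = ocsp_on, ca, signature;` or one written without spaces after the commas is reported as non-compliant although OCSP is on, which trains administrators to ignore the finding. If `cert_policy` is an order-independent token list (that is how pam_pkcs11 documents it, but confirm), the check should key on the presence of `ocsp_on` with flexible whitespace, e.g. `^\s*cert_policy\s*=\s*(?:[a-z_]+\s*,\s*)*ocsp_on\s*(?:,\s*[a-z_]+\s*)*;\s*$`; if the fixed order is intentional, at least replace each `( )` group with `\s*`. The two system-auth patterns separate PAM module arguments with `\s*`, which also accepts the tokens run together (`pam_succeed_if\.so\s*service`, `wait_for_card\s*card_only`); `\s+` between distinct arguments is the stricter and intended form. The test comment `require OCSP is enabled` does not say what is checked; `OCSP checking enabled in cert_policy of /etc/pam_pkcs11/pam_pkcs11.conf` would.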
@@ -1,6 +1,7 @@ | ||
aide | ||
audit | ||
cronie | ||
esc | ||
GConf2 | ||
gdm | ||
iptables | ||
|