Debian 8 XCCDF content enhancement #959

Merged
iankko merged 7 commits into ComplianceAsCode:master from PThierry:debian_8
Jan 7, 2016
@pthierry38
Contributor

  • add logging xccdf content in Debian 8 directory
  • Cleaning old xccdf content to templated oval based one
  • deleted some residual auto-generated file from git
  • merged 'install' xccdf part into system part for better homogeneity between distro

@iankko iankko added the enhancement General enhancements to the project. label Jan 7, 2016
@iankko iankko added this to the 0.1.28 milestone Jan 7, 2016
@iankko

iankko commented Jan 7, 2016

ACK. Verified on Jessie guest (with libopenscap8 version installed from Stretch [to get rid of systemdunitdependency not supported warning / error messages]) that the newly added checks work fine:

root@jessie:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.2 (jessie)
Release:    8.2
Codename:   jessie

root@jessie:~# dpkg -l libopenscap8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-============================================================================
ii  libopenscap8                        1.2.7-1+b1             amd64                  Set of libraries enabling integration of the SCAP line of standards

root@jessie:~# grep 'Profile' ssg-debian8-ds-tailoring.xml 
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_common_customized" extends="xccdf_org.ssgproject.content_profile_common">
    <xccdf:title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Common Profile for General-Purpose Debian Systems [CUSTOMIZED]</xccdf:title>
  </xccdf:Profile>

root@jessie:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_common_customized --tailoring-file ssg-debian8-ds-tailoring.xml --report /tmp/jessie_report.html ssg-debian8-ds.xml
Title   Ensure rsyslog is Installed
Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result  fail

Title   Enable rsyslog Service
Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result  fail

Title   Ensure Log Files Are Owned By Appropriate User
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_ownership
Result  pass

Title   Ensure Log Files Are Owned By Appropriate Group
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership
Result  pass

Title   Ensure System Log Files Have Correct Permissions
Rule    xccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result  pass

Just the "Ensure rsyslog is Installed" and "Enable rsyslog Service" don't seem to be working properly:

root@jessie:~# dpkg -l rsyslog
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-============================================================================
ii  rsyslog                             8.4.2-1+deb8u1         amd64                  reliable system and kernel logging daemon

root@jessie:~# systemctl is-enabled rsyslog
enabled

But I would consider those two changes as subject for future PRs / future bugfix.

@iankko iankko self-assigned this Jan 7, 2016
iankko pushed a commit that referenced this pull request Jan 7, 2016
Debian 8 XCCDF content enhancement
@iankko iankko merged commit 7153fe7 into ComplianceAsCode:master Jan 7, 2016
@pthierry38
Contributor Author

Hello @iankko, I'm working on the service enable check on jessie. Though the install check is working fine. I'll deploy the same configuration as you to compare (I've used a custom build of openscap, not the one from stretch).

@pthierry38 pthierry38 deleted the debian_8 branch January 7, 2016 12:52
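
Added example (not part of this pull request or the project's content): the manual cross-check from the review comment, automated by parsing the oscap verdicts and comparing them with what dpkg and systemctl report. The sample inputs are trimmed from the output quoted above; the function names and the rule-to-observation mapping are assumptions made for illustration.

```python
# Constructed sample: oscap stdout, trimmed from the review comment above.
OSCAP_OUTPUT = """\
Title   Ensure rsyslog is Installed
Rule    xccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result  fail

Title   Enable rsyslog Service
Rule    xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result  fail
"""
# The dpkg -l row and the systemctl is-enabled answer from the same comment.
DPKG_OUTPUT = "ii  rsyslog  8.4.2-1+deb8u1  amd64  reliable system and kernel logging daemon\n"
SYSTEMCTL_OUTPUT = "enabled\n"
PREFIX = "xccdf_org.ssgproject.content_rule_"

def parse_oscap(text):
    """Return {rule_id: result} from the Title/Rule/Result blocks oscap prints."""
    results, rule = {}, None
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == "Rule":
            rule = fields[1].strip()
        elif len(fields) == 2 and fields[0] == "Result" and rule:
            results[rule] = fields[1].strip()
            rule = None
    return results

def package_installed(dpkg_text, name):
    """True if a dpkg -l row lists `name` as 'ii' (desired install, status installed)."""
    rows = (line.split() for line in dpkg_text.splitlines())
    return any(len(c) >= 2 and c[0] == "ii" and c[1].split(":")[0] == name for c in rows)

def observed_state(dpkg_text, systemctl_text):
    """Hypothetical mapping from rule id to what the system reports (True = compliant)."""
    return {
        PREFIX + "package_rsyslog_installed": package_installed(dpkg_text, "rsyslog"),
        PREFIX + "service_rsyslog_enabled": systemctl_text.strip() == "enabled",
    }

def disagreements(scan, observed):
    """Rules whose pass/fail verdict contradicts the observed state."""
    return [(rule, scan[rule], ok) for rule, ok in sorted(observed.items())
            if scan.get(rule) in ("pass", "fail") and (scan[rule] == "pass") != ok]

if __name__ == "__main__":
    found = disagreements(parse_oscap(OSCAP_OUTPUT), observed_state(DPKG_OUTPUT, SYSTEMCTL_OUTPUT))
    for rule, verdict, ok in found:
        print(f"{rule}: oscap says {verdict}, system reports compliant={ok}")
```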