persistent vs runtime in OVAL+OCIL for mount checks #320

Closed
shawndwells opened this issue Oct 31, 2014 · 4 comments
Labels: bugfix (Fixes to reported bugs.), OVAL (OVAL update. Related to the systems assessments.)
Comments

@shawndwells
Member

Much of the filesystem guidance uses mount vs /etc/fstab interchangeably. Need to verify XCCDF matches OVAL, and create two rules for unique identification of persistent vs runtime checks.

@shawndwells shawndwells added the labels bugfix (Fixes to reported bugs.) and BLOCKER (Impediments to release, like failure to build content, or content built is out of standard's syntax) Oct 31, 2014
@shawndwells shawndwells added this to the 0.1.20 milestone Oct 31, 2014
redhatrises added a commit to redhatrises/scap-security-guide that referenced this issue Nov 14, 2014
- Match Rule and OVAL IDs and update profile checks
- Make sure mount OVALs check persistent and runtime configurations
- Add OCIL for mount XCCDFs
- Fixes ComplianceAsCode#320
@iankko

iankko commented Nov 30, 2014

@shawndwells

  "and create two rules for unique identification of persistent vs runtime checks."

If I got the configuration vs. forensic testing SSG thread right, the expected layout of all of the mount checks should be that there is a clear separation (e.g. two rules) between those for configuration testing & those for forensic testing, right?

So e.g. for the mount_option_dev_shm_nodev rule there should be two rules:

  • mount_option_dev_shm_nodev_persistent, and
  • mount_option_dev_shm_nodev_runtime

each of them checking particular settings (either permanent or temporary ones). And this should be performed for each of the mount OVAL checks. Or is the rule separation as outlined / proposed in Gabe's PR sufficient? (IOW, is it sufficient to update the OVAL items' comments to clarify which tests are for permanent vs. temporary settings testing?)

Thanks, Jan.

@iankko

iankko commented Nov 30, 2014

If we want two separate (*_persistent vs *_runtime) rules, another question is what to do with the XCCDF - should the rules also be duplicated (having two of them for each), each stating what settings it checks - e.g.

  • rule_persistent
    stating "to check the system configuration, perform abc", while
  • rule_runtime
    stating "to check the runtime settings, perform xyz".

Thanks, Jan.
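As an added illustration of the two-rule split discussed above (example code written for this page, not from the SSG project or Gabe's PR): one small parser handles the shared layout of /etc/fstab and /proc/mounts (field 2 = mount point, field 4 = comma-separated options), and a persistent check and a runtime check are run and reported separately. The table paths default to /etc/fstab and /proc/mounts but are parameters here so the checks run against the constructed sample tables.

```shell
#!/bin/sh
# Added example, not SSG project code. Persistent vs runtime mount-option
# checks that share one parser but are reported as two distinct results.

# mount_has_option TABLE MOUNTPOINT OPTION: exit 0 if the entry for
# MOUNTPOINT in TABLE lists OPTION, 1 otherwise. Comment lines are skipped.
mount_has_option() {
    awk -v mp="$2" -v opt="$3" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Persistent: what will be applied at boot (defaults to /etc/fstab).
mount_option_persistent() {  # $1=mountpoint $2=option [$3=fstab path]
    mount_has_option "${3:-/etc/fstab}" "$1" "$2"
}

# Runtime: what the kernel enforces right now (defaults to /proc/mounts).
mount_option_runtime() {  # $1=mountpoint $2=option [$3=mounts path]
    mount_has_option "${3:-/proc/mounts}" "$1" "$2"
}

# Constructed samples: fstab carries nodev for /dev/shm, but the live mount
# table does not (e.g. remounted by hand), so only the persistent check passes.
SAMPLE_FSTAB=$(mktemp); SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB" "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
# <device>      <mountpoint> <fstype> <options>            <dump> <pass>
UUID=0000-0000  /            ext4     defaults             1      1
tmpfs           /dev/shm     tmpfs    nodev,nosuid,noexec  0      0
EOF
cat > "$SAMPLE_MOUNTS" <<'EOF'
rootfs / rootfs rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec,relatime 0 0
EOF

# Report each rule on its own, the way two separate XCCDF rules would.
report() { if "$@"; then echo "$1: pass"; else echo "$1: fail"; fi; }
report mount_option_persistent /dev/shm nodev "$SAMPLE_FSTAB"
report mount_option_runtime    /dev/shm nodev "$SAMPLE_MOUNTS"
```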

@iankko

iankko commented Dec 17, 2014

Based on Steve's reply, my interpretation is that the problem is not entirely the mixing of configuration vs runtime checks / fixes, but mainly the discrepancies between the OVAL content and the XCCDF description. Taking e.g. the "Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces" rule as an example:

  • the corresponding OVAL check tests both the configuration & runtime setting (which is probably OK considering the OVAL language provides a sysctl test implementation). But we currently describe the rule as:

    "To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
    # sysctl -w net.ipv4.conf.default.send_redirects=0
    If this is not the system's default value, add the following line to /etc/sysctl.conf:
    net.ipv4.conf.default.send_redirects = 0

    Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers."

while it should rather be described, in both XCCDF & OCIL, like:

    "To check the default (boot) setting of the net.ipv4.conf.default.send_redirects variable, run the following command:
    cat /etc/sysctl.conf | grep net.ipv4.conf.default.send_redirects

    To check the current value of the net.ipv4.conf.default.send_redirects variable, run the following command:
    cat /proc/sys/net/ipv4/conf/default/send_redirects"

IOW, for the latter, instead of suggesting the "sysctl net.ipv4.conf.default.send_redirects" command, we should use / suggest cat.
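An added example, not from the SSG project, of checking the boot (persistent) and current (runtime) value of the kernel parameter as two separate results, as the proposed description does: the persistent value is the last assignment for the key in a sysctl.conf-style file, and the runtime value is read from the /proc/sys tree. Both the config file and the /proc/sys root are parameters so the constructed samples below can be used instead of the live system.

```shell
#!/bin/sh
# Added example, not SSG project code: persistent vs runtime sysctl checks.

# sysctl_persistent_ok CONF KEY EXPECTED: exit 0 if the last uncommented
# "KEY = value" line in CONF sets EXPECTED, 1 if unset or different.
sysctl_persistent_ok() {
    awk -v key="$2" -v want="$3" '
        /^[ \t]*[#;]/ || $0 !~ /=/ { next }         # comments, non-assignments
        {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { found = 1; last = v }    # later lines win
        }
        END { if (found && (last "") == (want "")) exit 0; exit 1 }' "$1"
}

# sysctl_runtime_ok PROCROOT KEY EXPECTED: exit 0 if the live value under
# PROCROOT (dots in KEY become path separators) equals EXPECTED.
sysctl_runtime_ok() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] && [ "$(cat "$path")" = "$3" ]
}

# Constructed samples: the config file ends up with send_redirects = 0,
# while the fake /proc/sys tree still reports 1 (runtime drift).
SAMPLE_CONF=$(mktemp); SAMPLE_PROC=$(mktemp -d)
trap 'rm -rf "$SAMPLE_CONF" "$SAMPLE_PROC"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sysctl.conf sample
net.ipv4.ip_forward = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
EOF
mkdir -p "$SAMPLE_PROC/net/ipv4/conf/default"
echo 1 > "$SAMPLE_PROC/net/ipv4/conf/default/send_redirects"

KEY=net.ipv4.conf.default.send_redirects
if sysctl_persistent_ok "$SAMPLE_CONF" "$KEY" 0; then echo "persistent: pass"; else echo "persistent: fail"; fi
if sysctl_runtime_ok "$SAMPLE_PROC" "$KEY" 0; then echo "runtime: pass"; else echo "runtime: fail"; fi
```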

@iankko iankko modified the milestones: 0.1.21, 0.1.20 Dec 23, 2014
@iankko iankko modified the milestones: 0.1.23, 0.1.22 May 4, 2015
@redhatrises redhatrises modified the milestones: 0.1.23, Unimplemented OVAL checks May 13, 2015
@mpreisler mpreisler modified the milestone: Unimplemented OVAL checks Jul 25, 2016
@redhatrises redhatrises removed the BLOCKER (Impediments to release, like failure to build content, or content built is out of standard's syntax) label Oct 26, 2017
@yuumasato yuumasato added the OVAL (OVAL update. Related to the systems assessments.) label and removed the Unimplemented OVAL checks label Aug 29, 2018
@redhatrises redhatrises added this to the Backlog milestone Oct 1, 2018
@shawndwells
Member Author

4-5 year old ticket - closing due to lack of activity.

anivan-suse pushed a commit to anivan-suse/content that referenced this issue Jun 24, 2021
* Add Rule for SLES-15-020210

* remove spaces from  nist@sle15 record

Co-authored-by: Earl Sampson <ESampson@suse.com>