From Fedora Project Wiki

(Created page with '{{QA/Test_Case |description= Security settings(Rules) in "Desktop" profile are turned off/on according to default Fedora configuration. Purpose of this test is to enable securit...')
 
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 4: Line 4:


|setup=
|setup=
# The [[Test_Day:2010-08-26_OpenSCAP#How_to_test.3F|basic test day setup]]  
<ol>
# Enable security settings(rules) of your choice.
<li>Perform [[Test_Day:2010-08-26_OpenSCAP#How_to_test.3F|basic test day setup]]</li>
## Open '''scap-fedora14-xccdf.xml''' in text editor
<li>Enable security settings (rules) of your choice.</li>
## Find '''Desktop''' profile. Search for "PROFILES"
<ol>
## Look for rules. Ignore rules without '''DONE''' comment please.
<li>Open '''scap-fedora14-xccdf.xml''' in text editor</li>
## Enable rules of you favour '''selected="false" ->  selected="true"'''
<li>Find '''Desktop''' profile. Search for line <Profile id="Desktop" abstract="false"> </li>
## Example:
<li>Look for rules. Ignore rules without '''DONE''' comment please.</li>
<pre>
<li>Enable rules you like by replacing ''selected="false"'' with ''selected="true"''
<select idref="dcb-rhel5-rule-2.2.1.1.a" selected="true" />  <!-- DONE -->  <!-- Add nodev Option to Non-Root Local Partitions -->
<li>Example:
</pre>
<pre><select idref="rule-2.2.1.1.a" selected="true" />  <!-- DONE -->  <!-- Add nodev Option to Non-Root Local Partitions --></pre>
# Change system configuration
</li>
## Search for particular rule (idref='''xxx''') in scap-fedora14-xccdf.xml
</ol>
## You will get to the "text" section where is described what need to be reconfigured to make this rule pass on your system
<li>Change system configuration</li>
## Hint: you can generate Security guide written in HTML out of scap-fedora14-xccdf.xml by running this command.  
<ol>
<pre>
<li>Search for particular rule (idref='''rule-*''') in scap-fedora14-xccdf.xml</li>
oscap xccdf generate-guide --output guide.html scap-fedora14-xccdf.xml  
<li>You will get to the text section where it is described what needs to be reconfigured to make this rule pass on your system. Follow those steps. Example: </li>
</pre>
<pre>
          <Rule id="rule-2.2.1.1.a" selected="false" weight="10.0" role="full" severity="unknown">
            <title>Add nodev Option to Non-Root Local Partitions</title>
            <description>The nodev option should be disabled as appropriate for all non-root partitions.</description>
            <reference href="http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">PDI GEN002430</reference>
            <ident system="http://cce.mitre.org">CCE-4249-9</ident>
            <fix>Edit the file /etc/fstab. The important columns for purposes of this section are
              column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For
              any line which satisfies all of the conditions -- the filesystem type is ext2 or ext3,
              and the mount point is not / -- add the text ',nodev' to the list of mount options in
              column 4.
            </fix>
</pre>
<li>Hint: you can generate Security guide written in HTML out of scap-fedora14-xccdf.xml by running this command.
<pre>oscap xccdf generate-guide --output guide.html scap-fedora14-xccdf.xml</pre>
</li>
</ol>
</ol>
|actions=
|actions=
Run  
Run  
<pre>
<pre>
oscap xccdf eval --result-file result.xml --report-file report.html --oval-results --profile Desktop scap-fedora14-xccdf.xml scap-fedora14-oval.xml
# oscap xccdf eval --result-file result.xml --report-file report.html --oval-results --profile Desktop scap-fedora14-xccdf.xml scap-fedora14-oval.xml
</pre>
</pre>
|results=
|results=
Line 30: Line 48:


=Unexpected Results=
=Unexpected Results=
If there are rules with '''other results''' it might be either problem of system configuration or the scanning mechanism(SCAP content + oscap tool). If in doubts, paste relevant messages to [http://fpaste.org/ fpaste] and ask us on IRC.
If there are rules with '''other results''' it might be either problem of system configuration or the scanning mechanism (SCAP content + oscap tool). If in doubts, paste relevant messages to [http://fpaste.org/ fpaste] and ask us on IRC.


If you sure you hit a bug and you are about to file a bugzilla, please include '''scap-fedora14-oval.xml.result.xml''' file that should be generated in your working directory.
If you sure you hit a bug and you are about to file a bugzilla, please include '''scap-fedora14-oval.xml.result.xml''' file that should be generated in your working directory.

Latest revision as of 12:28, 25 August 2010

Description

Security settings(Rules) in "Desktop" profile are turned off/on according to default Fedora configuration. Purpose of this test is to enable security settings of your choice, change system configuration and run the system scan again. You will see whether test pass of fail.

Setup

  1. Perform basic test day setup
  2. Enable security settings (rules) of your choice.
    1. Open scap-fedora14-xccdf.xml in text editor
    2. Find Desktop profile. Search for line <Profile id="Desktop" abstract="false">
    3. Look for rules. Ignore rules without DONE comment please.
    4. Enable rules you like by replacing selected="false" with selected="true"
    5. Example: 
      <select idref="rule-2.2.1.1.a" selected="true" />  <!-- DONE -->  <!-- Add nodev Option to Non-Root Local Partitions -->
  3. Change system configuration
    1. Search for particular rule (idref=rule-*) in scap-fedora14-xccdf.xml
    2. You will get to the text section where it is described what needs to be reconfigured to make this rule pass on your system. Follow those steps. Example: 
      3.  
          <Rule id="rule-2.2.1.1.a" selected="false" weight="10.0" role="full" severity="unknown">
            <title>Add nodev Option to Non-Root Local Partitions</title>
            <description>The nodev option should be disabled as appropriate for all non-root partitions.</description>
            <reference href="http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">PDI GEN002430</reference>
            <ident system="http://cce.mitre.org">CCE-4249-9</ident>
            <fix>Edit the file /etc/fstab. The important columns for purposes of this section are
              column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For
              any line which satisfies all of the conditions -- the filesystem type is ext2 or ext3,
              and the mount point is not / -- add the text ',nodev' to the list of mount options in
              column 4.
            </fix>
    3. Hint: you can generate Security guide written in HTML out of scap-fedora14-xccdf.xml by running this command. 
      oscap xccdf generate-guide --output guide.html scap-fedora14-xccdf.xml

How to test

Run 

# oscap xccdf eval --result-file result.xml --report-file report.html --oval-results --profile Desktop scap-fedora14-xccdf.xml scap-fedora14-oval.xml

Expected Results

Selected rules should give result: pass or not checked. Note that not checked result is OK. It means the checking mechanism is not able to handle this type of tests. (example: BIOS settings)

Unexpected Results

If there are rules with other results it might be either problem of system configuration or the scanning mechanism (SCAP content + oscap tool). If in doubts, paste relevant messages to fpaste and ask us on IRC.

If you sure you hit a bug and you are about to file a bugzilla, please include scap-fedora14-oval.xml.result.xml file that should be generated in your working directory.

Retrieved from "https://fedoraproject.org/w/index.php?title=QA:TestCase_OpenSCAP_Fedora_adjusted_settings&oldid=194175"