A XCCDF file contains the baseline This baseline includes a list of rules (Rule dcb-rhel5-220.127.116.11.1.a) This rule is “Separate partition for /TMP” The description of the rule is included in the rule The id in listed in the rule as “Rule id” The CCE Number is assigned and listed in the rule The rule points to the OVAL file that will contains the test (dcb-rhel5_oval.xml) The rule points to the compliance description id (oval:mil.army.us.rhel5:def:20000) The OVAL file contains the compliance description (oval:mil.army.us.rhel5:def:20000) The compliance description also contains a pointer to the CCE number The compliance description also contains a description of the test The compliance description contains to pointer to the test reference test_ref=&quot;oval:mil.army.us.rhel5:tst:20000 . A separate section of the XML document contains the test reference The Test defines the test variable [State]… in this case called ‘/tmp’ The test case, also define the place it will look for the variable [Object] The Object id is referenced to find the location of the object The State id is referenced to find the location of the state , the State id is textfilecontent54_state id=&quot;oval:mil.army.us.rhel5:ste:20000 The Object id is (textfilecontent54_object id=&quot;oval:mil.army.us.rhel5:obj:20000) The location is defined the XML (/etc/fstab) The test condition is tested using a regular expression , and the result is saved
Compliance Overview Monday, August 29, 2011
Special Publication 800-53• In accordance with the provisions of FISMA, the Secretary of Commerce shall, on the basis of standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to federal information systems. The Secretary shall make standards compulsory and binding to the extent determined necessary by the Secretary to improve the efficiency of operation or security of federal information systems. Standards prescribed shall include information security standards that provide minimum information security requirements and are otherwise necessary to improve the security of federal information and information systems
CM-6 CONFIGURATION SETTINGS• Establishes and documents mandatory configuration settings for information technology products employed within the information system using Organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;• Implements the configuration settings;• Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements;• and Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Microsoftcheck came Target of Link is installation instructions 1 from MicrosoftCompliance 2 Manager
Assigning server to a SCAP FileThe compliance process willCheck every CPE setting and lookFor match.The CPE picks the SCAP file“Not the user setting up”
<description xml:lang="en-US"> <definition class="compliance" id="oval:mil.army.us.rhel5:def:20000" version="1"> OVAL The purpose of this guide is to provide security 1 <metadata> 9 configuration recommendations for the Red Hat Enterprise Linux (RHEL) 5 operating <title>Ensure that /tmp has its own partition or logical volume</title> system. The guidance provided here should is applicable to desktop systems. Recommended <affected family ="unix"> settings for the basic operating system are provided , as well as for many commonly-used <platform>Red Hat Enterprise Linux 5</platform> services that the system can host in a network environment .<xhtml:br /><xhtml:br /> </affected> 10 The guide is intended for system administrators . Readers are assumed to <reference ref _id="CCE-14161-4" source="CCE" /> possess basic system administration skills for Unix-like systems, as well as some <description>The /tmp directory is a world-writable directory used for temporary file storage . familiarity with Red Hats documentation and administration conventions. Some Verify that it has its own partition or logical volume . instructions within this guide are complex. All directions should be followed completely </description> 11 and with understanding of their effects in order to avoid serious adverse effects on the </metadata> system and its security . <criteria> </description> <criterion test_ref="oval:mil.army.us.rhel5:tst:20000" <Profile id="DOD_baseline_18.104.22.168" abstract="false"> comment="Check in /etc/fstab for a /tmp mount point" /> <title xml:lang="en-US">Department of Defense Baseline 22.214.171.124</title> </criteria> 12 <description xml:lang="en-US">TODO::INSERT</description> </definition> 2 <select idref="dcb-rhel5-126.96.36.199.1.a" selected="true" /> <tests> <select idref="dcb-rhel5-188.8.131.52.2.a" selected="true" /> XCCDF <ind-def:textfilecontent54_test id="oval:mil.army.us.rhel5:tst:20000" version="1" check="all" . . comment="look for /tmp partition or logical volume in /etc/fstab" check_existence="at_least_one_exists"> . </Profile> 13 <ind-def:object object_ref="oval:mil.army.us.rhel5:obj:20000" /> 15 14 <ind-def:state state _ref="oval:mil.army.us.rhel5:ste:20000" /><Group id="dcb-rhel5-group-184.108.40.206.1" hidden="false"> 3 </ind-def:textfilecontent54_test> 16 <title xml:lang="en-US">Create Separate Partition or Logical Volume for /tmp</title> </tests> <description xml:lang="en-US"> 4 The /tmp directory is a world -writable directory used for temporary file storage . Ensure that it has its own <states> partition or logical volume.<xhtml:br /><xhtml:br /> <ind-def:textfilecontent54_state id="oval:mil.army.us.rhel5:ste:20000" Because software may need to use /tmp to temporarily store version="1" Large files, ensure that it is of adequate size . For a modern, comment="/tmp mount point is defined "> general-purpose system, 10GB should be adequate. Smaller or larger sizes <ind-def:subexpression datatype="string" operation="equals" entity_check="all"> could be used, depending on the availability of space on the drive and /tmp the system’s operating requirements </ind-def:subexpression> </description> </ind-def:textfilecontent54_state> 5 </states> <Rule id="dcb-rhel5-220.127.116.11.1.a" selected="false" weight="10.0"> <status date ="2010-07-01">draft</status> <version update="1" /> <title xml:lang="en-US">Ensure that /tmp has its own partition or logical volume</title> <objects> 17 <description xml:lang="en-US">The /tmp directory is a world-writable <ind-def:textfilecontent54_object id="oval:mil.army.us.rhel5:obj:20000" directory used for temporary file storage . Ensure that it has its own version="1" comment="look for the partition mount point in /etc/fstab"> 18 partition or logical volume.</description> <ind-def:path> /etc </ind-def:path> 6 <ind-def:filename> fstab </ind-def:filename> <ident system="http://cce.mitre.org">CCE-14161-4</ident> 8 <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <ind-def:pattern operation="pattern match ">^[s]*[S]+[s]+([S]+)[s]+[S]+[s]+[S]+[s]+[S]+[s]+[S]+</ind- <check-content-ref href="dcb-rhel5_oval.xml" name="oval:mil.army.us.rhel5:def:20000" /> def:pattern> </check> <ind-def:instance datatype="int" operation="greater than or equal ">1</ind-def:instance> 7 </ind-def:textfilecontent54_object> </Rule> </objects> 19 </Group> Regular Expression : Testing if 6 strings (separated by tabs ^ = start of line or spaces ) exist in file and save the [s]* = 0 to whitespace second string [S]+ = 1 to many NOT whitespace ([S]) = Save this value
Trending – CIO Level ReportMagnus CIO Level reports missed the point did not easily answer the question“Are we doing better?”We developed general trending info that showed at the CIO level we were movingIn the right direction…Once the “number of servers” “Flatlines”, we hope to see a general increase in percentcompliance over time.
Reporting Requirements [Adding a server]Adding a ServerWhenever a server is commissioned for production, the NIST Security Checklist Compliance Manager orIT Services shall enter the server into Secutor Magnus and the associated scheduling and reporting toolsand conduct an initial manual scan and verify the scan produced reasonable results. Once this is complete,they will inform the administrator and the DCIO that the scan results are ready to be reviewed. The DCIOand the administrator shall review the results of the scan, comparing the percent compliance forany product instances on the server to the overall percent compliance for the product, taken overall current instances of the product. Commissioning a server that will reduce overall percent compliancefor any product requires approval of the CIO. See Compliance Trending Application, menu “Report” > “CIO Reports” > “servers compared to profile”
Review compliance of a server Review of Compliance for a Server Whenever the configuration of a server changes, the DCIO shall review the percent compliance for all product instances measured in the scan taken after the change to the latest previous measure of percent compliance for each instance. Should percent compliance be reduced, the DCIO shall report this to the ISSO as a compliance incident  See Compliance Trending Application, menu “Report” > “CIO Reports” > “Compare to last snapshot”
Monthly Review of Overall Percent Compliance Monthly Review of Overall Percent Compliance Each month, DCIO shall review the history of overall percent compliance for all products included in the NIST Security Checklist Scanning process. Should there be a reduction in overall percent compliance for any product, the DCIO shall notify the ISSO and CIO that a compliance incident exists.  See Compliance Trending Application, menu “Report” > “CIO Reports” > “Profile Summary”
SchedulingMagnus could only schedule on:Day:Week:Month Day: We wanted to schedule based on “Tier” … So we “Inactivitiated” all magnus runs, And set them to run everyday, then we made them “Active” based on the tier …