Note
This is an example report template to be used when responding to SCAP Scan results.
The following is a short example from a CentOS 7 scan. You will need to adjust all content as appropriate.
8.5.1.2. TEMPLATE - SSG Scan - EL 7 STIG
Scan Date: 1/1/1970
SIMP Version:
6.1.0-RC1
SSG Version:
0.1.36
Data Stream:
ssh-centos7-ds.xml
SIMP Enforcement Profile:
disa_stig
Terminology:
- Finding
Valid issues found by the scanner
- Alternate Implementation
Valid implementations per policy that do not match the scan
- Exception
Items that will need to be declared as a policy exception for the stated reason
- False Positive
Bugs in the scanner that should be reported
8.5.1.2.1. Ensure gpgcheck Enabled for Repository Metadata
Rule ID:
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata
Type: Exception
Recommend SSG Feedback
This should not be a
high
severity if using TLSThis opens potential vulnerabilities to all client systems
Discussion ongoing on SSG mailing list and ComplianceAsCode/content#2455
8.5.1.2.1.1. Justification
The way that YUM works means that all GPG keys become trusted by the entire system. Enabling repository metadata signatures globally means that RPMs will be trusted that come from any system with a trusted GPG key and may allow software to be installed on systems that does not come from the vendor.
8.5.1.2.2. Configure Periodic Execution of AIDE
Rule ID:
xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Type: Alternate Implementation
8.5.1.2.2.1. Notes
We use the Puppet cron
resource to add the AIDE rule to the root
user’s
crontab
.
8.5.1.2.2.2. System Result
# crontab -l
# Puppet Name: aide_schedule 5 4 *
* 0 /bin/nice -n 19 /usr/sbin/aide -C
8.5.1.2.3. Build and Test AIDE Database
Rule ID:
xccdf_org.ssgproject.content_rule_aide_build_database
Type: False Positive
8.5.1.2.3.1. System Result
# ls /var/lib/aide/
aide.db.gz
8.5.1.2.4. Record Attempts to Alter Logon and Logout Events - faillock
Rule ID:
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
Type: Finding
8.5.1.2.4.1. Notes
Marked as a valid finding and tracked as SIMP-4047