Security settings(Rules) in "Desktop" profile are turned off/on according to default Fedora configuration. Purpose of this test is to enable security settings of your choice, change system configuration and run the system scan again. You will see whether test pass of fail.
- Perform basic test day setup
- Enable security settings (rules) of your choice.
- Open scap-fedora14-xccdf.xml in text editor
- Find Desktop profile. Search for line <Profile id="Desktop" abstract="false">
- Look for rules. Ignore rules without DONE comment please.
- Enable rules you like by replacing selected="false" with selected="true"
<select idref="rule-220.127.116.11.a" selected="true" /> <!-- DONE --> <!-- Add nodev Option to Non-Root Local Partitions -->
- Change system configuration
- Search for particular rule (idref=rule-*) in scap-fedora14-xccdf.xml
- You will get to the text section where it is described what needs to be reconfigured to make this rule pass on your system. Follow those steps. Example:
- Hint: you can generate Security guide written in HTML out of scap-fedora14-xccdf.xml by running this command.
oscap xccdf generate-guide --output guide.html scap-fedora14-xccdf.xml
<Rule id="rule-18.104.22.168.a" selected="false" weight="10.0" role="full" severity="unknown"> <title>Add nodev Option to Non-Root Local Partitions</title> <description>The nodev option should be disabled as appropriate for all non-root partitions.</description> <reference href="http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf">ECSC-1</reference> <reference href="http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf">PDI GEN002430</reference> <ident system="http://cce.mitre.org">CCE-4249-9</ident> <fix>Edit the file /etc/fstab. The important columns for purposes of this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount options). For any line which satisfies all of the conditions -- the filesystem type is ext2 or ext3, and the mount point is not / -- add the text ',nodev' to the list of mount options in column 4. </fix>
How to test
# oscap xccdf eval --result-file result.xml --report-file report.html --oval-results --profile Desktop scap-fedora14-xccdf.xml scap-fedora14-oval.xml
Selected rules should give result: pass or not checked. Note that not checked result is OK. It means the checking mechanism is not able to handle this type of tests. (example: BIOS settings)
If there are rules with other results it might be either problem of system configuration or the scanning mechanism (SCAP content + oscap tool). If in doubts, paste relevant messages to fpaste and ask us on IRC.
If you sure you hit a bug and you are about to file a bugzilla, please include scap-fedora14-oval.xml.result.xml file that should be generated in your working directory.