Rechercher une page de manuel

secstate

Langue: en

Version: 369511 (fedora - 01/12/10)

Section: 1 (Commandes utilisateur)

Sommaire

SYNOPSIS
DESCRIPTION
COMMANDS
EXIT STATUS
AUTHOR
SEE ALSO

secstate - security auditing and remediation.

SYNOPSIS

secstate <command> [options]

DESCRIPTION

Secstate is a tool that streamlines security lockdown and monitoring on Linux systems. It provides auditing of a system against security requirements and, optionally, remediating a system to meet those requirements. Secstate uses the SCAP language (a NIST standard - http://scap.nist.gov) and Puppet internally (http://www.puppetlabs.com).

Using secstate involves importing security auditing and remediation information (referred to generically as content in this documentation) into a stored content directory, customizing that content, and using it to audit and remediate the state of the system.

The results of system audits are available as in SCAP XML formats or HTML.

COMMANDS

import [options] <ContentFile>

Validate and import an XCCDF benchmark and referenced OVAL and Puppet files or a stand-alone OVAL file into the secstate stored content directory. Content can be stored as an XCCDF file, OVAL file, ZIP file, tarball (.tar.gz).

If an XCCDF file is provided that XCCDF benchmark is imported and all dependent OVAL and Puppet files are imported from the directory containing the XCCDF file. Archives (ZIP or .tar.gz) are assumed to contain an XCCDF file and one or more dependent OVAL and Puppet files and are imported as a group. Finally, a single (stand-alone) OVAL or Puppet file can be imported.

An OVAL file which is imported on its own is treated as a top-level item and it is audited separately from any XCCDF content. All Puppet files which are imported are stored in a common location and are available to all imported XCCDF content for remediation.

After import, the content can be viewed using list or search, customized using select / deselect, and used to audit and remediate. By default, top-level content is selected after import.

Example of importing an XCCDF file:

 # ls content/
 2-19PasswordComlexity_Lowercase.xml  2-22PasswordComplexityy_Special.xml
 PasswordComplexity.xccdf.xml         2-23PasswordComplexity_Upercase.xml
 # secstate import content/PasswordComplexity.xccdf.xml
 
 Example of importing a tarball containing XCCDF and OVAL:
 # secstate import PasswordComplexity.tar.gz
 
 Options:
 
 -h
 Show the help message for import
 
 --profile=PROFILE
 Set the active profile during import.  The profile must exist in the
 XCCDF benchmark.

remove [options] <ContentID>

Remove previously imported content. Like import, remove will remove associated OVAL content if an XCCDF benchmark is specified. The content ID can be found using the list command for both XCCDF and stand-alone OVAL. Example of removing a benchmark: # secstate list Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: None # secstate remove PassComp

export [options] <ContentID> <OutputFile>: The export command exports an XCCDF benchmark or stand-alone OVAL file from the secstate stored content directory. The content ID can be obtained with secstate list. By default, the exported version includes any profiles and customizations. Use -o to export the originally imported file. # secstate list Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: None # secstate export PassComp PassComp.xccdf.xml # ls PassComp.xccdf.xml PassComp.xccdf.xml Options: -h show the help message for import -o, --original exports the original imported content without customizations or profiles.
select [options] <ContentID> [GroupID|RuleID|ProfileID]: The select command sets an XCCDF benchmark, group, rule, profile, or a stand-alone OVAL file as active. Only selected items will be used for auditing and remediation. When selecting an XCCDF group, rule, or profile the XCCDF benchmark ID must be also be provided. This eliminates the possibility of inadvertently selecting the wrong item when multiple benchmarks contain the same ID for a group, rule, or profile. Profile selection: Selecting a profile changes the active profile for an XCCDF benchmark. Profiles can contain modifications to the default state of a benchmark including but not limited to rule/group selection status. Group/Rule selection: A rule and every one of its ancestor groups and its XCCDF benchmark must be selected in order for the rule to be active during auditing and remediation. Selecting a rule or group will cause every one of its ancestors to also be selected. When a selection is made on an XCCDF rule or group, the change is stored in a profile. If the active profile at the time of the selection was a profile native to the rule or group's parent benchmark, then a new profile named 'Custom' is added which extends the original profile. If the active profile was one added by using the select or deselect commands, then the active profile is modified. Benchmark/OVAL selection: Selecting an XCCDF benchmark or stand-alone OVAL file marks the content as active when auditing or remediating imported content. Examples of select: # secstate list -a -r [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [ ]Group - ID: PassComp-G-2-2, Title: 'Password' [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [ ]Rule - ID: PassComp-R-2-4, Title: 'Special' [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [ ]OVAL File - ID: homedirs.oval # secstate select PassComp PassComp-R-2-2 # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [ ]Rule - ID: PassComp-R-2-4, Title: 'Special' [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [ ]OVAL File - ID: homedirs.oval # secstate select -r PassComp # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [X]Rule - ID: PassComp-R-2-4, Title: 'Special' [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [ ]OVAL File - ID: homedirs.oval # secstate select homedirs.oval # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [X]Rule - ID: PassComp-R-2-4, Title: 'Special' [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [X]OVAL File - ID: homedirs.oval Options: -h show the help text. -r, --recurse Recursively select XCCDF groups and rules inside groups or benchmarks.
deselect [options] <ContentID> [GroupID|RuleID]: The deselect command sets an XCCDF benchmark, group, or rule, or a stand-alone OVAL file as deselected. Deselected items will be omitted from auditing and remediation. When deselecting an XCCDF group, rule, or profile the XCCDF benchmark ID must be also be provided. This eliminates the possibility of inadvertently deselecting the wrong item when multiple benchmarks contain the same ID for a group, rule, or profile. Group/Rule deselection: An XCCDF rule and every one of its ancestor groups and its parent benchmark must be selected in order for the rule to be active during auditing and remediation. Deselecting a group will cause any child groups or rules to be omitted during auditing and remediation regardless of their selection status. When a deselection is made on an XCCDF rule or group, the change is stored in a profile. If the active profile at the time of the deselection was a profile native to the rule or group's parent benchmark, then a new profile named 'Custom' is addedwhich extends the original profile. If the active profile was one added by using the select or deselect commands, then the active profile is modified. Benchmark/OVAL deselection: Deselecting an XCCDF benchmark or a stand-alone OVAL file marks the content as inactive when auditing or remediating imported content. Examples of deselect: # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [X]Rule - ID: PassComp-R-2-4, Title: 'Special' [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [X]OVAL File - ID: homedirs.oval # secstate deselect PassComp PassComp-R-2-3 # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [X]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [X]Rule - ID: PassComp-R-2-4, Title: 'Special' [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [X]OVAL File - ID: homedirs.oval # secstate deselect -r PassComp # secstate list -a -r [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [ ]Group - ID: PassComp-G-2-2, Title: 'Password' [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [ ]Rule - ID: PassComp-R-2-4, Title: 'Special' [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [X]OVAL File - ID: homedirs.oval # secstate deselect homedirs.oval # secstate list -a -r [ ]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'Custom' [ ]Group - ID: PassComp-G-2-2, Title: 'Password' [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [ ]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [ ]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [ ]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [ ]Rule - ID: PassComp-R-2-4, Title: 'Special' [ ]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [ ]OVAL File - ID: homedirs.oval Options: -h show the help text. -r, --recurse Recursively deselect XCCDF groups and rules rules inside group or benchmark.
save <BenchmarkID> <ProfileName>: The save command saves the currently active profile to a profile of the provided name. Options: -h show the help text.
list [options] [ContentID]: The list command displays the available XCCDF benchmarks and/or stand-alone OVAL. By default, list only shows the benchmarks and OVAL that are currently selected. The -a and -r can show deselected items and all of the groups and rules in an XCCDF benchmark respectively. Examples of list: # secstate list Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected' # secstate list -r Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected' Group - ID: PassComp-G-2-2, Title: 'Password' # secstate list -a -r [X]Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected' [X]Group - ID: PassComp-G-2-2, Title: 'Password' [ ]Group - ID: PassComp-G-2-3, Title: 'Password Complexity' [X]Rule - ID: PassComp-R-2-1, Title: 'Lowercase' [X]Rule - ID: PassComp-R-2-2, Title: 'Min. Length' [X]Rule - ID: PassComp-R-2-3, Title: 'Numeric' [X]Rule - ID: PassComp-R-2-4, Title: 'Special' [X]Rule - ID: PassComp-R-2-5, Title: 'Uppercase' [ ]OVAL File - ID: 2-20PasswordComplexity_MinLen Options: -h show the help text. -a, --all Show all items regardless of selection status. -r, --recurse Recursively list XCCDF rules inside groups or benchmarks.
show [options] <ContentID>: Show information on an XCCDF benchmark, rule, or group. Example of show on various types of items: # secstate show PassComp PassComp: Title: 'Password Complexity' Selected: True Profiles: [ ]emptyProfile - 'An empty profile' [ ]None [X]all_deselected # secstate show PassComp-G-2-3 PassComp-G-2-3: Title: 'Password Complexity' Description: Group pertaining specifically to password complexity. Selected: True # secstate show PassComp-R-2-1 PassComp-R-2-1: Title: 'Lowercase' Description: Password contains minimum number of lowercase letters. Selected: True # secstate show -v PassComp-R-2-1 PassComp-R-2-1: Title: 'Lowercase' Description: Password contains minimum number of lowercase letters. Selected: True Member of PassComp-G-2-3 Referenced Definitions: oval:com.tresys.oval.rhel:def:1000 Options: -h show the help text. -v, --verbose Show additional information on the item.
search [options] <string>: The search command searches through titles and descriptions of all imported content and returns all items which match the provided string. Options: -h show the help text. -r, --reverse Search for XCCDF rules which match an OVAL definition id. -v, --verbose Show additional information on matching items.
remediate [options] [BenchmarkID|BenchmarkFile]: The remediate command brings the system into compliance with one or more XCCDF benchmarks. It uses information from the fix elements of selected rules and passes that information on to Puppet which makes changes to the system. Options: -h show the help text. -l, --log-dest Output logs to FILE instead of stdout. -n, --noop Run puppet in noop mode. No changes will be made to the system. -p, --profile Specifies the profile to use when remediating the system. -v, --verbose Prints out extra information during the remediate process. -x, --xccdf-results XCCDF results file to provide for selective remediation. -y, --yes Respond 'yes' to all prompts.
audit [options] [ContentID|ContentFile]: The audit command evaluates whether the current state of the system complies with the selected rules in the specified content. If no content is specified then all imported content that is selected is evaluated. After scanning, a summary is printed and by default a report is generated in SCAP XML and HTML and saved to a directory named based on the hostname, date, and time. Example showing the use of audit: # secstate list Benchmark - ID: PassComp, Title: 'Password Complexity', Profile: 'all_deselected' OVAL File - ID: 2-20PasswordComplexity_MinLen # secstate audit PassComp --Results for 'PassComp' (Profile: 'all_deselected')-- Passed: 0 Failed: 5 Fixed: 0 Not Selected: 0 Not Checked: 0 Not Applicable: 0 Error: 0 Informational: 0 Unknown: 0 # ls audit-localhost.localdomain-Fri-August-27-22_30_12-2010/ 2-19PasswordComplexity_Lowercase.results.xml index.html 2-20PasswordComplexity_MinLen.results.xml media 2-21PasswordComplexity_Numeric.results.xml PassComp.results.html 2-22PasswordComplexity_Special.results.xml PassComp.results.xml 2-23PasswordComplexity_Uppercase.results.xml Options: -h show the help text. -p <PROFILE>, --profile=<PROFILE> Selects the profile to use during auditing. -o <OUTPUT>, --output=<OUTPUT> Set the name of the output directory for XML or HTML output. --no-xml Disable XML output. --no-html Disable HTML output. -v, --verbose Show additional information on the item. -a, --all Audit all rules and groups regardless of selection status. -r <RULE>, --rule=<RULE> Audit only the specified rule.

EXIT STATUS

secstate returns 0 for success and non-0 for error.

AUTHOR

Karl MacMillan <kmacmillan@tresys.com>

Linux Certif

Toute la documentation sur la certification Linux LPI

Rechercher une page de manuel

secstate

Sommaire

SYNOPSIS

DESCRIPTION

COMMANDS

EXIT STATUS

AUTHOR

SEE ALSO

Découvrir

Apprendre

Linux Certif

Toute la documentation sur la certification Linux LPI

Rechercher une page de manuel

secstate

Sommaire

SYNOPSIS

DESCRIPTION

COMMANDS

EXIT STATUS

AUTHOR

SEE ALSO

Découvrir

Apprendre

Partager