From: Matt Riffle
Subject: ACK Storm protection?
Date: Fri, 21 Jul 2017 14:57:45 -0400
To: freebsd-security@freebsd.org

Hello,

Starting on July 11, I’ve started to see an increasing number of what appear to be “ACK storms” affecting a number of FreeBSD boxes I’m administering. There are a few unsupported releases mixed in, but, this is also happening on boxes running 10.3-RELEASE-p3.

In the cases we’re seeing, it begins with legitimate TCP traffic requesting something over HTTP, but soon thereafter we get an out of window packet and get in to a loop. If anybody is interested or especially if they’ve experienced something similar, there are a few more details I could share privately.

Setting aside the cause, I’m interested in trying to mitigate the problem. None of my Ubuntu boxes appear to be affected, I presume because of these patches Google made to the kernel there:

https://www.ietf.org/mail-archive/web/tcpm/current/msg09445.html

Is there any equivalent protection for FreeBSD? In my own research I’ve been unable to find anything. In fact, beyond the message above you can’t find very much about ACK storms at all.

Right now we’re mitigating with custom code that is sniffing packets and adding temporary firewall rules whenever it sees a loop start, and that’s working well enough, but, I’d prefer to handle it at a lower level if possible.

Thanks,

Matt R.
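
The mitigation described in the message above (watch the traffic, spot the loop, block it for a while) as an added example in Python; it is not the poster's code. The loop signature used here (both endpoints repeating an identical zero-length ACK), the thresholds, the addresses and the sample packets are assumptions constructed for illustration, and the temporary firewall rule is modelled only as an expiry time per flow.

```python
from collections import deque, namedtuple

# One record per captured TCP segment (a sniffer would fill these in).
# ts is in milliseconds; flags is a string such as "S", "SA", "A", "PA".
Packet = namedtuple("Packet", "ts src sport dst dport flags seq ack length")


def flow_key(p):
    """Direction-independent key for the connection a packet belongs to."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class AckLoopDetector:
    """Assumed signature of an ACK loop: both endpoints repeat the same
    zero-length ACK (identical seq/ack) at least `threshold` times within
    `window_ms`, with no data, SYN, FIN or RST in between."""

    def __init__(self, threshold=20, window_ms=1000, block_ms=300000):
        self.threshold = threshold
        self.window_ms = window_ms
        self.block_ms = block_ms
        self._flows = {}         # flow key -> {sender: {"sig", "times"}}
        self.blocked_until = {}  # flow key -> time the temporary block ends

    def _recent(self, entry, now):
        return sum(1 for t in entry["times"] if now - t <= self.window_ms)

    def observe(self, p):
        """Feed one packet; return the flow key when a loop is first seen."""
        key = flow_key(p)
        if self.blocked_until.get(key, 0) > p.ts:
            return None                     # already being mitigated
        state = self._flows.setdefault(key, {})
        if p.flags != "A" or p.length > 0:
            state.clear()                   # data/SYN/FIN/RST: real progress
            return None
        entry = state.setdefault((p.src, p.sport),
                                 {"sig": None, "times": deque()})
        if entry["sig"] != (p.seq, p.ack):  # numbers moved: not a repeat
            entry["sig"] = (p.seq, p.ack)
            entry["times"].clear()
        entry["times"].append(p.ts)
        while p.ts - entry["times"][0] > self.window_ms:
            entry["times"].popleft()
        if len(state) == 2 and all(
                self._recent(e, p.ts) >= self.threshold
                for e in state.values()):
            self.blocked_until[key] = p.ts + self.block_ms
            state.clear()
            return key
        return None


def scan(packets, local_addrs, **kw):
    """Return (remote_ip, block_expiry_ms) for every flow flagged as looping."""
    det = AckLoopDetector(**kw)
    hits = []
    for p in packets:
        key = det.observe(p)
        if key:
            hits.extend((ip, det.blocked_until[key])
                        for ip, _port in key if ip not in local_addrs)
    return hits


def constructed_sample():
    """Constructed capture: one looping flow and one ordinary dup-ACK burst."""
    srv, cli, cli2 = "192.0.2.10", "203.0.113.7", "198.51.100.4"
    pkts = [  # legitimate HTTP request first, as in the report
        Packet(0, cli, 40000, srv, 80, "S", 1000, 0, 0),
        Packet(1, srv, 80, cli, 40000, "SA", 5000, 1001, 0),
        Packet(2, cli, 40000, srv, 80, "A", 1001, 5001, 0),
        Packet(3, cli, 40000, srv, 80, "PA", 1001, 5001, 120),
        Packet(4, srv, 80, cli, 40000, "PA", 5001, 1121, 300),
    ]
    for i in range(25):  # each side answers the other's out-of-window ACK
        pkts.append(Packet(10 + 2 * i, cli, 40000, srv, 80, "A", 9999, 5301, 0))
        pkts.append(Packet(11 + 2 * i, srv, 80, cli, 40000, "A", 5301, 1121, 0))
    for i in range(30):  # loss recovery: dup ACKs one way, data the other
        pkts.append(Packet(10 + 2 * i, cli2, 40001, srv, 80, "A", 2001, 7001, 0))
        pkts.append(Packet(11 + 2 * i, srv, 80, cli2, 40001, "A",
                           7001 + 1448 * i, 2001, 1448))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for ip, expiry in scan(constructed_sample(), {"192.0.2.10"}):
        print("ACK loop with %s, block until t=%d ms" % (ip, expiry))
```
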

To: freebsd-security@freebsd.org
From: Yonas Yanfa
Subject: OpenSCAP for FreeBSD
Date: Fri, 21 Jul 2017 19:21:10 -0400

Hi,

Is there anything like OpenSCAP for FreeBSD?

Links:
https://www.open-scap.org
https://www.youtube.com/watch?v=zda_N9FjE90

Cheers,
Yonas

--
Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla
fizk.net | yonas@fizk.net

From: Joey Kelly
To: freebsd-security@freebsd.org
Subject: Re: OpenSCAP for FreeBSD
Date: Fri, 21 Jul 2017 20:17:47 -0400

On Friday 21 July 2017 19:21:10 Yonas Yanfa wrote:
> Hi,
>
> Is there anything like OpenSCAP for FreeBSD?

If it's a matter of selecting an XML profile, then surely one can be crafted for any OS you choose.

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

Subject: Re: OpenSCAP for FreeBSD
To: freebsd-security@freebsd.org
From: Yonas Yanfa
Date: Fri, 21 Jul 2017 21:49:14 -0400

On 07/21/2017 20:17, Joey Kelly wrote:
> On Friday 21 July 2017 19:21:10 Yonas Yanfa wrote:
>> Hi,
>>
>> Is there anything like OpenSCAP for FreeBSD?
> If it's a matter of selecting an XML profile, then surely one can be crafted
> for any OS you choose.
>

Yes, and it shouldn't be too hard to port this to FreeBSD, but possibly time consuming.

The benefit of porting it is that they already have a lot of security policies written (eg. USGCB, PCI DSS). Scanning and remedying Linux and FreeBSD systems for vulnerabilities could be done using the same XML file. Also, you can use their installer plugin to set security profiles during install.

--
Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla
fizk.net | yonas@fizk.net

Date: Sat, 22 Jul 2017 08:47:12 -0400
From: Shawn Webb
To: Yonas Yanfa
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSCAP for FreeBSD

On Fri, Jul 21, 2017 at 09:49:14PM -0400, Yonas Yanfa wrote:
> On 07/21/2017 20:17, Joey Kelly wrote:
> > On Friday 21 July 2017 19:21:10 Yonas Yanfa wrote:
> > > Hi,
> > >
> > > Is there anything like OpenSCAP for FreeBSD?
> > If it's a matter of selecting an XML profile, then surely one can be crafted
> > for any OS you choose.
> >
>
> Yes, and it shouldn't be too hard to port this to FreeBSD, but possibly time
> consuming.
>
> The benefit of porting it is that they already have a lot of security
> policies written (eg. USGCB, PCI DSS). Scanning and remedying Linux and
> FreeBSD systems for vulnerabilities could be done using the same XML file.
> Also, you can use their installer plugin to set security profiles during
> install.

I'll get in touch with some of my coworkers, who were instrumental in the creation of SCAP. I'll get their thoughts on LoE for porting to FreeBSD. Depending on their schedules, my response may be delayed.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

From: Joey Kelly
To: freebsd-security@freebsd.org
Subject: Re: OpenSCAP for FreeBSD
Date: Sat, 22 Jul 2017 09:17:26 -0400

On Saturday 22 July 2017 08:47:12 Shawn Webb wrote:
> On Fri, Jul 21, 2017 at 09:49:14PM -0400, Yonas Yanfa wrote:
> >
> > Yes, and it shouldn't be too hard to port this to FreeBSD, but possibly
> > time consuming.
>
> I'll get in touch with some of my coworkers, who were instrumental in
> the creation of SCAP. I'll get their thoughts on LoE for porting to
> FreeBSD. Depending on their schedules, my response may be delayed.

Maybe I'm showing my ignorance, but since it's a Linux app to begin with, would it be therefore easier to get it to run under Linux emulation, rather than making a straight FreeBSD port?

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550

Date: Sat, 22 Jul 2017 09:22:34 -0400
From: Shawn Webb
To: Joey Kelly
Cc: freebsd-security@freebsd.org
Subject: Re: OpenSCAP for FreeBSD

On Sat, Jul 22, 2017 at 09:17:26AM -0400, Joey Kelly wrote:
> On Saturday 22 July 2017 08:47:12 Shawn Webb wrote:
> > On Fri, Jul 21, 2017 at 09:49:14PM -0400, Yonas Yanfa wrote:
> > >
> > > Yes, and it shouldn't be too hard to port this to FreeBSD, but possibly
> > > time consuming.
> >
> > I'll get in touch with some of my coworkers, who were instrumental in
> > the creation of SCAP. I'll get their thoughts on LoE for porting to
> > FreeBSD. Depending on their schedules, my response may be delayed.
>
> Maybe I'm showing my ignorance, but since it's a Linux app to begin with,
> would it be therefore easier to get it to run under Linux emulation, rather
> than making a straight FreeBSD port?

It's more about the SCAP rules and validation, which are currently Linux-centric.

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE

Subject: Re: OpenSCAP for FreeBSD
To: freebsd-security@freebsd.org
From: Dan Lukes
Date: Sat, 22 Jul 2017 15:24:47 +0200

On 22.7.2017 15:17, Joey Kelly wrote:
> Maybe I'm showing my ignorance, but since it's a Linux app to begin with, would it be therefore easier to get it to run under Linux

It's not matter of ignorance, but lack of paranoia.

If I wish to test security of particular system, I wish not to make it less secure by installing complex emulation subsystem of any kind.

Just my $0.02

Dan

Subject: Re: OpenSCAP for FreeBSD
To: Shawn Webb
Cc: freebsd-security@freebsd.org
From: Yonas Yanfa
Date: Sat, 22 Jul 2017 15:02:49 -0400

On 07/22/2017 08:47, Shawn Webb wrote:
> On Fri, Jul 21, 2017 at 09:49:14PM -0400, Yonas Yanfa wrote:
>> On 07/21/2017 20:17, Joey Kelly wrote:
>>> On Friday 21 July 2017 19:21:10 Yonas Yanfa wrote:
>>>> Hi,
>>>>
>>>> Is there anything like OpenSCAP for FreeBSD?
>>> If it's a matter of selecting an XML profile, then surely one can be crafted
>>> for any OS you choose.
>>>
>> Yes, and it shouldn't be too hard to port this to FreeBSD, but possibly time
>> consuming.
>>
>> The benefit of porting it is that they already have a lot of security
>> policies written (eg. USGCB, PCI DSS). Scanning and remedying Linux and
>> FreeBSD systems for vulnerabilities could be done using the same XML file.
>> Also, you can use their installer plugin to set security profiles during
>> install.
> I'll get in touch with some of my coworkers, who were instrumental in
> the creation of SCAP. I'll get their thoughts on LoE for porting to
> FreeBSD. Depending on their schedules, my response may be delayed.

Thanks Shawn!!! :-)

--
Yonas Yanfa
In Love With Open Source
Drupal :: GitHub :: Mozilla
fizk.net | yonas@fizk.net