Here are two potential profiles for manual actions on SCAP content.
They separately address manual audits and manual remediation (with overlap).
They are included in one patch because together they address SCAP's
lack of coverage for audit and remediation.

I understand if these profiles are not adopted, but just to give an idea
of the scope of this (and as requested), I thought a patch would be
appreciated.

Feel free to provide input, as I'm sure there's something I missed.

---
 RHEL6/input/profiles/manual_audits.xml      |   40 +++++++++++++++++++++++++++
 RHEL6/input/profiles/manual_remediation.xml |   32 +++++++++++++++++++++
 2 files changed, 72 insertions(+), 0 deletions(-)
 create mode 100755 RHEL6/input/profiles/manual_audits.xml
 create mode 100755 RHEL6/input/profiles/manual_remediation.xml

diff --git a/RHEL6/input/profiles/manual_audits.xml 
b/RHEL6/input/profiles/manual_audits.xml
new file mode 100755
index 0000000..005bcd9
--- /dev/null
+++ b/RHEL6/input/profiles/manual_audits.xml
@@ -0,0 +1,40 @@
+<Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1"; >
+<title>Profile for Attended/Manual portion of DCID6/3 remediation</title>
+<description>This profile contains items that require user interaction during 
audit.</description>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="postfix_create_cert" selected="true"/>
+<select idref="postfix_install_ssl_cert" selected="true"/>
+<select idref="network_ssl_create_ca" selected="true" />
+<select idref="network_ssl_create_ssl_certs" selected="true" />
+<select idref="network_ssl_create_ssl_certs" selected="true" />
+<select idref="network_ssl_enable_client_support" selected="true"/>
+<select idref="network_ssl_add_ca_firefox" selected="true"/>
+<select idref="network_ssl_add_ca_thunderbird" selected="true"/>
+<select idref="network_ssl_add_ca_evolution" selected="true"/>
+<select idref="network_ssl_remove_certs" selected="true"/>
+<select idref="network_ipv6_static_address" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="aide_build_database" selected="true"/>
+<select idref="wireless_disable_in_bios" selected="true"/>
+<select idref="deactivate_wireless_interfaces" selected="true"/>
+<select idref="iptables_log_and_drop_suspicious" selected="true"/>
+<select idref="network_ipv6_default_gateway" selected="true"/>
+<select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="no_files_unowned_by_group" selected="true"/>
+<select idref="world_writable_files_system_ownership" selected="true"/>
+<select idref="aide_verify_integrity-manually" selected="true"/>
+<select idref="ldap_server_config_olcsuffix" selected="true"/>
+<select idref="ldap_server_config_olcrootpw" selected="true"/>
+<select idref="ldap_server_config_olcaccess" selected="true"/>
+<select idref="iptables_ldap_enabled" selected="true"/>
+<select idref="ldap_server_config_certificate_files" selected="true"/>
+<select idref="ldap_server_config_directory_domain" selected="true"/>
+<select idref="ldap_server_config_directory_users_groups" selected="true"/>
+<select idref="ldap_server_config_directory_accounts" selected="true"/>
+<select idref="ldap_server_config_directory_groups" selected="true"/>
+<select idref="ldap_server_config_directory_admin_group" selected="true"/>
+</Profile>
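Review bot: The `<Profile>` start tag on the first added line has a stray `;` between the `xmlns` value and `>`, which makes the file not well-formed if it is really in the patch and not an artifact of the list archive; it should read `<Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1">`. The same `;` appears in the start tag of manual_remediation.xml. `bios_disable_usb_boot` and `network_ssl_create_ssl_certs` are each selected twice here, and `bios_disable_usb_boot` and `enable_gdm_login_banner` are each selected twice in manual_remediation.xml; the repeated `<select>` lines can be dropped. The title says "remediation" although this is the audit profile, so `<title>Profile for Attended/Manual portion of DCID6/3 audit</title>` would match the description. Both files are created with mode 100755, and an XML input file presumably does not need the executable bit.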
diff --git a/RHEL6/input/profiles/manual_remediation.xml 
b/RHEL6/input/profiles/manual_remediation.xml
new file mode 100755
index 0000000..84a8fe7
--- /dev/null
+++ b/RHEL6/input/profiles/manual_remediation.xml
@@ -0,0 +1,32 @@
+<Profile id="manual_audits" xmlns="http://checklists.nist.gov/xccdf/1.1"; >
+<title>Profile for Attended/Manual portion of DCID6/3 remediation</title>
+<description>This profile contains items that require user interaction during 
audit.</description>
+<select idref="install_aide" selected="true"/>
+<select idref="install_vsftpd" selected="true"/>
+<select idref="install_openswan" selected="true"/>
+<select idref="install_vlock_package" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="bootloader_password" selected="true"/>
+<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
+<select idref="disable_dhcp_client" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="set_gdm_login_banner_text" selected="true"/>
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="no_uidzero_except_root" selected="true"/>
+<select idref="postfix_create_cert" selected="true"/>
+<select idref="postfix_install_ssl_cert" selected="true"/>
+<select idref="postfix_seperate_internal_external" selected="true"/>
+<select idref="network_ipv6_static_address" selected="true"/>
+<select idref="bios_disable_usb_boot" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true"/>
+<select idref="aide_build_database" selected="true"/>
+<select idref="wireless_disable_in_bios" selected="true"/>
+<select idref="deactivate_wireless_interfaces" selected="true"/>
+<select idref="iptables_log_and_drop_suspicious" selected="true"/>
+<select idref="network_ipv6_default_gateway" selected="true"/>
+<select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="no_files_unowned_by_group" selected="true"/>
+<select idref="world_writable_files_system_ownership" selected="true"/>
+<select idref="aide_verify_integrity-manually" selected="true"/>
+<select idref="iptables_ldap_enabled" selected="true"/>
+</Profile>
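Review bot: The first added line of manual_remediation.xml reuses `id="manual_audits"`, so the two new profiles share one identifier and a tool selecting a profile by id cannot tell them apart; it should be `<Profile id="manual_remediation" xmlns="http://checklists.nist.gov/xccdf/1.1">`. The description was also copied from the audit profile and still says "during audit"; `This profile contains items that require user interaction during remediation.` would describe this file. The idref `postfix_seperate_internal_external` spells "seperate", and `aide_verify_integrity-manually` mixes a hyphen into an otherwise underscore-separated id; both should be checked against the actual Rule ids, since none of the referenced Rules are visible in this patch and a `<select>` whose idref matches no Rule may be rejected or ignored by the tooling.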
-- 
1.7.1
