There are macros for some of these (identical to the description macro, but with check inserted). Some of this looks like it was generated from the macro? Want to git-amend (or reset soft) and try the macros?
On 09/27/2012 02:17 PM, David Smith wrote: > > Signed-off-by: David Smith <[email protected]> > --- > RHEL6/input/services/ldap.xml | 7 +++++++ > RHEL6/input/services/nfs.xml | 25 +++++++++++++++++++++++++ > RHEL6/input/services/ntp.xml | 8 ++++++++ > RHEL6/input/services/ssh.xml | 6 ++++++ > RHEL6/input/system/logging.xml | 5 ++--- > RHEL6/input/system/permissions/mounting.xml | 6 ++++++ > 6 files changed, 54 insertions(+), 3 deletions(-) > > diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml > index de3a552..7081ba5 100644 > --- a/RHEL6/input/services/ldap.xml > +++ b/RHEL6/input/services/ldap.xml > @@ -85,6 +85,13 @@ machines. It is needed only by the OpenLDAP server, not by > the > clients which use LDAP for authentication. If the system is not > intended for use as an LDAP Server it should be removed. > </description> > +<ocil clause="it does not"> > +To verify the <tt>openldap-servers</tt> package is not installed, > +run the following command: > +<pre>$ rpm -q openldap-servers</pre> > +The output should show: > +<pre>package openldap-servers is not installed</pre> > +</ocil> > <ident cce="3501-4" /> > <oval id="package_openldap-servers_removed" /> > <ref nist="CM-6, CM-7" /> > diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml > index 758c494..e72bc71 100644 > --- a/RHEL6/input/services/nfs.xml > +++ b/RHEL6/input/services/nfs.xml 
> @@ -203,6 +203,20 @@ There is no need to run the NFS server daemons > <tt>nfs</tt> and <tt>rpcsvcgssd</ > <description>The Network File System (NFS) service allows remote hosts to > mount and interact with shared filesystems on the local machine. If the local > machine is not designated as a NFS server then this service should be > disabled. > <service-disable-macro service="nfs" /> > </description> > +<ocil clause="it does not"> > +It is prudent to ensure the <tt>nfs</tt> service is disabled in system boot, > as well as > +not currently running. First, run the following to verify the service is > stopped: > +<pre>$ service nfs status</pre> > +If the service is stopped or disabled, it will return the following: > +<pre>rpc.svcgssd is stopped > +rpc.mountd is stopped > +nfsd is stopped > +rpc.rquotad is stopped</pre> > +To verify that the <tt>nfs</tt> service is disabled, run the following > command: > +<pre>$ chkconfig --list nfs</pre> > +If properly configured, the output should look like: > +<pre>nfs 0:off 1:off 2:off 3:off 4:off 5:off > 6:off</pre> > +</ocil> > <ident cce="4473-5" /> > <oval id="service_nfs_disabled" /> > </Rule> 
> @@ -212,6 +226,17 @@ There is no need to run the NFS server daemons > <tt>nfs</tt> and <tt>rpcsvcgssd</ > <description>The rpcsvcgssd service manages RPCSEC GSS contexts required to > secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd > service is the server-side of RPCSEC GSS. If the system does not require > secure RPC then this service should be disabled. > <service-disable-macro service="rpcsvcgssd" /> > </description> > +<ocil clause="it does not"> > +It is prudent to ensure the <tt>rpcsvcgssd</tt> service is disabled in > system boot, as well as > +not currently running. First, run the following to verify the service is > stopped: > +<pre>$ service rpcsvcgssd status</pre> > +If the service is stopped or disabled, it will return the following: > +<pre>rpc.svcgssd is stopped</pre> > +To verify that the <tt>rpcsvcgssd</tt> service is disabled, run the > following command: > +<pre>$ chkconfig --list rpcsvcgssd</pre> > +If properly configured, the output should look like: > +<pre>rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off > 6:off</pre> > +</ocil> > <ident cce="4491-7" /> > <oval id="service_rpcsvcgssd_disabled" /> > </Rule> > diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml > index b3991ba..896ce33 100644 > --- a/RHEL6/input/services/ntp.xml > +++ b/RHEL6/input/services/ntp.xml 
> @@ -59,6 +59,14 @@ substituting the IP or hostname of a remote NTP server for > <em>ntpserver</em>: > This instructs the NTP software to contact that remote server to obtain time > data. > </description> > +<ocil clause="this is not the case"> > +A remote NTP server should be configured for time synchronization. To > verify that > +one is configured, open the following file: > +<pre>/etc/ntp.conf</pre> > +In the file, there should be a section similar to the following: > +<pre># --- OUR TIMESERVERS ----- > +server <i>ntpserver</i></pre> > +</ocil> > <rationale> Synchronizing with an NTP server makes it possible > to collate system logs from multiple sources or correlate computer events > with > real time events. Using a trusted NTP server provided by your organization is > diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml > index 9bbab3a..4370eb8 100644 > --- a/RHEL6/input/services/ssh.xml > +++ b/RHEL6/input/services/ssh.xml > @@ -341,6 +341,12 @@ may not support CTR mode. This may become an issue if, > for example, > these systems need to retrieve files from your SSH server using SFTP. > TODO: Need to investigate current status of this. Earlier issues with > CBC were supposed to be fixed.</description> > +<ocil clause="that is not the case"> > +Only FIPS-approved ciphers should be used. To verify that only > FIPS-approved > +ciphers are in use, run the following command: > +<pre>$ grep Ciphers /etc/ssh/sshd_config</pre> > +The output should contain only those ciphers which are FIPS-approved. > +</ocil> > <rationale> > Approved algorithms should impart some level of confidence in their > implementation. These are also required for compliance. > diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml > index 564b811..eb3c2cf 100644 > --- a/RHEL6/input/system/logging.xml > +++ b/RHEL6/input/system/logging.xml 
> @@ -358,7 +358,7 @@ Note that <tt>logrotate</tt> is run nightly by the cron > job > rotated more often than once a day, some other mechanism must be > used.</description> > > -<Rule id="ensure_logrotate_activated"> > +<!-- <Rule id="ensure_logrotate_activated"> > <title>Ensure Logrotate Runs Periodically</title> > <description>The <tt>logrotate</tt> service must be configured to run > periodically in order to perform its log rotation function.</description> > @@ -366,9 +366,8 @@ periodically in order to perform its log rotation > function.</description> > that they fill up the /var/log partition. Valuable logging information could > be lost > if the /var/log partition becomes full.</rationale> > <ident cce="4182-2" /> > -<!-- TODO: this needs cleanup --> > <ref nist="AU-2, AU-9, CM-6" /> > -</Rule> > +</Rule> --> > > <Rule id="ensure_logrotate_rotates_all_files"> > <title>Ensure Logrotate Runs Periodically</title> > diff --git a/RHEL6/input/system/permissions/mounting.xml > b/RHEL6/input/system/permissions/mounting.xml > index c52707a..a092bb8 100644 > --- a/RHEL6/input/system/permissions/mounting.xml > +++ b/RHEL6/input/system/permissions/mounting.xml 
> @@ -130,6 +130,12 @@ If the <tt>autofs</tt> service is not needed to > dynamically mount NFS filesystem > or removable media, disable the service for all runlevels: > <pre># chkconfig --level 0123456 autofs off</pre> > </description> > +<ocil clause="it does not"> > +To verify that the <tt>autofs</tt> service is disabled, run the following > command: > +<pre>chkconfig --list autofs</pre> > +If properly configured, the output should be: > +<pre>autofs 0:off 1:off 2:off 3:off 4:off 5:off > 6:off</pre> > +</ocil> > <rationale>All filesystems that are required for the successful operation of > the system > should be explicitly listed in /etc/fstab by and administrator. New > filesystems should > not be arbitrarily introduced via the automounter.</rationale> _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
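Review bot: The ldap.xml hunk hand-writes the package check (`+<pre>$ rpm -q openldap-servers</pre>` / `+<pre>package openldap-servers is not installed</pre>`) that the check macro mentioned in the reply would generate from the package name alone; using the macro there keeps wording uniform across every package-removed rule and avoids another copy to maintain by hand.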
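Review bot: Mail wrapping has broken long lines in the nfs.xml hunk at `@@ -203,6 +203,20 @@`, e.g. `+<pre>nfs 0:off 1:off 2:off 3:off 4:off 5:off` followed by `6:off</pre>` with no `+` prefix, and `+It is prudent to ensure the <tt>nfs</tt> service is disabled in system boot,` split from `as well as`; the patch as quoted will not apply with `git am`, so please resend with `git send-email` or as an attachment (the rpcsvcgssd, ntp, logging and mounting hunks show the same wrapping). In the same hunk, `+If the service is stopped or disabled, it will return the following:` conflates two checks: `service nfs status` only reports whether the daemons are running now, and it is the `chkconfig --list nfs` step that follows which verifies boot-time state, so the status sentence should say just `If the service is stopped`.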
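Review bot: The rpcsvcgssd hunk at `@@ -212,6 +226,17 @@` repeats the nfs OCIL text nearly verbatim with only the service name changed (`+<pre>$ service rpcsvcgssd status</pre>`, `+<pre>$ chkconfig --list rpcsvcgssd</pre>`), which is exactly the case for the service check macro the reply refers to; each `<description>` here already uses `<service-disable-macro service="..."/>`, so the check side should use its macro counterpart rather than duplicated prose. The same `stopped or disabled` wording issue noted for nfs applies here.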
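Review bot: The ntp.xml OCIL asks the reviewer to `open the following file:` `/etc/ntp.conf` and look for `+server <i>ntpserver</i></pre>`, which is hard to do consistently by hand and unlike the command-driven checks elsewhere in this series; a command such as `$ grep '^server' /etc/ntp.conf` with the expected output (at least one `server` line naming the remote server) would match the other blocks. The `+<pre># --- OUR TIMESERVERS -----` comment line included in the expected output is not something a correctly configured file has to contain, so the text should require only the `server` line.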
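Review bot: The ssh.xml check `+<pre>$ grep Ciphers /etc/ssh/sshd_config</pre>` will also match the commented-out `#Ciphers` default line, and `+The output should contain only those ciphers which are FIPS-approved.` gives the reviewer no list to compare against, so the check cannot be evaluated from the OCIL text alone. Suggest anchoring the pattern (`grep '^Ciphers' /etc/ssh/sshd_config`) and naming the expected cipher names explicitly, consistent with the CTR-mode discussion already in the description. The description's remaining `TODO: Need to investigate current status of this.` should be resolved or removed before a check that depends on that cipher list is published.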
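Review bot: Commenting out the whole `ensure_logrotate_activated` rule (`+<!-- <Rule id="ensure_logrotate_activated">` ... `+</Rule> -->`) leaves dead XML, including the `<ident cce="4182-2" />` reference, in logging.xml without saying why, and the commit message carries only the Signed-off-by line; it should state the reason the rule is being retired. If the rule is genuinely redundant with the cron-driven rotation described just above, delete it together with the removed `<!-- TODO: this needs cleanup -->` line rather than hiding it. The surviving `ensure_logrotate_rotates_all_files` rule in the context lines still carries the title `Ensure Logrotate Runs Periodically`, which no longer describes it once the rule above is gone.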
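Review bot: The mounting.xml check `+<pre>chkconfig --list autofs</pre>` omits the `$ ` prompt that every other command in this series uses (`$ chkconfig --list nfs`, `$ rpm -q openldap-servers`); add it for consistency with the rest of the guide. Since the description above already shows the remediation `# chkconfig --level 0123456 autofs off`, this is another block the service check macro would produce directly. The context line `listed in /etc/fstab by and administrator` has a pre-existing typo (`an administrator`) that could be fixed while the file is being touched.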
