Sure; I'll do that right now.
On 09/27/2012 02:55 PM, Jeffrey Blank wrote: > There are macros for some of these (identical to the description macro, > but with check inserted). Some of this looks like it was generated from > the macro? Want to git-amend (or reset soft) and try the macros? > > > > On 09/27/2012 02:17 PM, David Smith wrote: >> Signed-off-by: David Smith <[email protected]> >> --- >> RHEL6/input/services/ldap.xml | 7 +++++++ >> RHEL6/input/services/nfs.xml | 25 +++++++++++++++++++++++++ >> RHEL6/input/services/ntp.xml | 8 ++++++++ >> RHEL6/input/services/ssh.xml | 6 ++++++ >> RHEL6/input/system/logging.xml | 5 ++--- >> RHEL6/input/system/permissions/mounting.xml | 6 ++++++ >> 6 files changed, 54 insertions(+), 3 deletions(-) >> >> diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml >> index de3a552..7081ba5 100644 >> --- a/RHEL6/input/services/ldap.xml >> +++ b/RHEL6/input/services/ldap.xml >> @@ -85,6 +85,13 @@ machines. It is needed only by the OpenLDAP server, not >> by the >> clients which use LDAP for authentication. If the system is not >> intended for use as an LDAP Server it should be removed. >> </description> >> +<ocil clause="it does not"> >> +To verify the <tt>openldap-servers</tt> package is not installed, >> +run the following command: >> +<pre>$ rpm -q openldap-servers</pre> >> +The output should show: >> +<pre>package openldap-servers is not installed</pre> >> +</ocil> >> <ident cce="3501-4" /> >> <oval id="package_openldap-servers_removed" /> >> <ref nist="CM-6, CM-7" /> >> diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml >> index 758c494..e72bc71 100644 >> --- a/RHEL6/input/services/nfs.xml >> +++ b/RHEL6/input/services/nfs.xml 
>> @@ -203,6 +203,20 @@ There is no need to run the NFS server daemons >> <tt>nfs</tt> and <tt>rpcsvcgssd</ >> <description>The Network File System (NFS) service allows remote hosts to >> mount and interact with shared filesystems on the local machine. If the >> local machine is not designated as a NFS server then this service should be >> disabled. >> <service-disable-macro service="nfs" /> >> </description> >> +<ocil clause="it does not"> >> +It is prudent to ensure the <tt>nfs</tt> service is disabled in system >> boot, as well as >> +not currently running. First, run the following to verify the service is >> stopped: >> +<pre>$ service nfs status</pre> >> +If the service is stopped or disabled, it will return the following: >> +<pre>rpc.svcgssd is stopped >> +rpc.mountd is stopped >> +nfsd is stopped >> +rpc.rquotad is stopped</pre> >> +To verify that the <tt>nfs</tt> service is disabled, run the following >> command: >> +<pre>$ chkconfig --list nfs</pre> >> +If properly configured, the output should look like: >> +<pre>nfs 0:off 1:off 2:off 3:off 4:off 5:off >> 6:off</pre> >> +</ocil> >> <ident cce="4473-5" /> >> <oval id="service_nfs_disabled" /> >> </Rule> 
>> @@ -212,6 +226,17 @@ There is no need to run the NFS server daemons >> <tt>nfs</tt> and <tt>rpcsvcgssd</ >> <description>The rpcsvcgssd service manages RPCSEC GSS contexts required to >> secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd >> service is the server-side of RPCSEC GSS. If the system does not require >> secure RPC then this service should be disabled. >> <service-disable-macro service="rpcsvcgssd" /> >> </description> >> +<ocil clause="it does not"> >> +It is prudent to ensure the <tt>rpcsvcgssd</tt> service is disabled in >> system boot, as well as >> +not currently running. First, run the following to verify the service is >> stopped: >> +<pre>$ service rpcsvcgssd status</pre> >> +If the service is stopped or disabled, it will return the following: >> +<pre>rpc.svcgssd is stopped</pre> >> +To verify that the <tt>rpcsvcgssd</tt> service is disabled, run the >> following command: >> +<pre>$ chkconfig --list rpcsvcgssd</pre> >> +If properly configured, the output should look like: >> +<pre>rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off >> 6:off</pre> >> +</ocil> >> <ident cce="4491-7" /> >> <oval id="service_rpcsvcgssd_disabled" /> >> </Rule> >> diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml >> index b3991ba..896ce33 100644 >> --- a/RHEL6/input/services/ntp.xml >> +++ b/RHEL6/input/services/ntp.xml 
>> @@ -59,6 +59,14 @@ substituting the IP or hostname of a remote NTP server >> for <em>ntpserver</em>: >> This instructs the NTP software to contact that remote server to obtain time >> data. >> </description> >> +<ocil clause="this is not the case"> >> +A remote NTP server should be configured for time synchronization. To >> verify that >> +one is configured, open the following file: >> +<pre>/etc/ntp.conf</pre> >> +In the file, there should be a section similar to the following: >> +<pre># --- OUR TIMESERVERS ----- >> +server <i>ntpserver</i></pre> >> +</ocil> >> <rationale> Synchronizing with an NTP server makes it possible >> to collate system logs from multiple sources or correlate computer events >> with >> real time events. Using a trusted NTP server provided by your organization >> is >> diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml >> index 9bbab3a..4370eb8 100644 >> --- a/RHEL6/input/services/ssh.xml >> +++ b/RHEL6/input/services/ssh.xml >> @@ -341,6 +341,12 @@ may not support CTR mode. This may become an issue if, >> for example, >> these systems need to retrieve files from your SSH server using SFTP. >> TODO: Need to investigate current status of this. Earlier issues with >> CBC were supposed to be fixed.</description> >> +<ocil clause="that is not the case"> >> +Only FIPS-approved ciphers should be used. To verify that only >> FIPS-approved >> +ciphers are in use, run the following command: >> +<pre>$ grep Ciphers /etc/ssh/sshd_config</pre> >> +The output should contain only those ciphers which are FIPS-approved. >> +</ocil> >> <rationale> >> Approved algorithms should impart some level of confidence in their >> implementation. These are also required for compliance. >> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml >> index 564b811..eb3c2cf 100644 >> --- a/RHEL6/input/system/logging.xml >> +++ b/RHEL6/input/system/logging.xml 
>> @@ -358,7 +358,7 @@ Note that <tt>logrotate</tt> is run nightly by the cron >> job >> rotated more often than once a day, some other mechanism must be >> used.</description> >> >> -<Rule id="ensure_logrotate_activated"> >> +<!-- <Rule id="ensure_logrotate_activated"> >> <title>Ensure Logrotate Runs Periodically</title> >> <description>The <tt>logrotate</tt> service must be configured to run >> periodically in order to perform its log rotation function.</description> >> @@ -366,9 +366,8 @@ periodically in order to perform its log rotation >> function.</description> >> that they fill up the /var/log partition. Valuable logging information >> could be lost >> if the /var/log partition becomes full.</rationale> >> <ident cce="4182-2" /> >> -<!-- TODO: this needs cleanup --> >> <ref nist="AU-2, AU-9, CM-6" /> >> -</Rule> >> +</Rule> --> >> >> <Rule id="ensure_logrotate_rotates_all_files"> >> <title>Ensure Logrotate Runs Periodically</title> >> diff --git a/RHEL6/input/system/permissions/mounting.xml >> b/RHEL6/input/system/permissions/mounting.xml >> index c52707a..a092bb8 100644 >> --- a/RHEL6/input/system/permissions/mounting.xml >> +++ b/RHEL6/input/system/permissions/mounting.xml 
>> @@ -130,6 +130,12 @@ If the <tt>autofs</tt> service is not needed to >> dynamically mount NFS filesystem >> or removable media, disable the service for all runlevels: >> <pre># chkconfig --level 0123456 autofs off</pre> >> </description> >> +<ocil clause="it does not"> >> +To verify that the <tt>autofs</tt> service is disabled, run the following >> command: >> +<pre>chkconfig --list autofs</pre> >> +If properly configured, the output should be: >> +<pre>autofs 0:off 1:off 2:off 3:off 4:off 5:off >> 6:off</pre> >> +</ocil> >> <rationale>All filesystems that are required for the successful operation >> of the system >> should be explicitly listed in /etc/fstab by and administrator. New >> filesystems should >> not be arbitrarily introduced via the automounter.</rationale> > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
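Review bot: the hand-written `<ocil>` block in the ldap.xml hunk (package_openldap-servers_removed) is the generic "verify package X is not installed / rpm -q X / package X is not installed" text that Jeffrey says already exists as a macro; swapping the seven added lines for the package-removed check macro keeps that wording in one place so the rpm -q check and the description cannot drift apart. If it does stay hand-written, the clause="it does not" wording should be the one used for every package and service block in this patch (see the ntp and ssh hunks, which each invent a different clause).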
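Review bot: in the nfs.xml hunk for service_nfs_disabled, "If the service is stopped or disabled, it will return the following" conflates two different states: a service can be chkconfig'd off at every runlevel and still be running because someone started it by hand, and `service nfs status` only reports the running state, which is exactly why the block then runs `chkconfig --list nfs` as a second step. Reword the first step to "If the service is not running, the output will be:" and leave "disabled" to the chkconfig step. The four expected lines (rpc.svcgssd, rpc.mountd, nfsd, rpc.rquotad) are also tied to one version of the init script; since the description already uses `<service-disable-macro service="nfs" />`, the matching check macro Jeffrey mentions is the better home for this text than a literal transcript.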
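Review bot: the rpcsvcgssd hunk repeats the nfs block verbatim with the service name swapped, including the same "stopped or disabled" wording and the phrase "disabled in system boot" (should be "at system boot"); two identical ten-line blocks differing only in a service name is precisely the case for the service-disabled check macro rather than copy-paste. Note also that the expected output `rpc.svcgssd is stopped` is the same daemon line that appears first in the nfs status output above, so a reader working through both rules sees one daemon reported under two rules; a sentence saying that rpcsvcgssd is the rpc.svcgssd daemon the nfs script also reports would avoid confusion.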
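Review bot: the ntp.xml check tells the reader to open /etc/ntp.conf and look for "a section similar to" a commented `# --- OUR TIMESERVERS -----` header followed by `server ntpserver`; the comment line is not configuration and `server` lines can appear anywhere in the file, so the check should be a command, for example `grep '^server' /etc/ntp.conf`, with the stated expectation that at least one line names a real remote server rather than the literal placeholder ntpserver. The clause="this is not the case" also differs from the "it does not" used by the ldap, nfs, rpcsvcgssd and autofs blocks in the same patch; pick one phrasing for the sentence the clause completes.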
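Review bot: `grep Ciphers /etc/ssh/sshd_config` in the ssh.xml hunk matches any line containing the word, including a commented-out `#Ciphers` line, so a system with no effective Ciphers directive at all can produce output that "contains only FIPS-approved ciphers"; anchor the pattern (`grep '^Ciphers' /etc/ssh/sshd_config`) and say the directive must be present and uncommented. "The output should contain only those ciphers which are FIPS-approved" also never names the approved set, so the reader has nothing to compare the output against; list the expected Ciphers value here or point at the list the rule's fix text uses. The description immediately above still carries "TODO: Need to investigate current status of this", so the rule now ships a manual check for a requirement the rule text itself marks as unsettled; either resolve the TODO or hold the OCIL until it is.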
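Review bot: the logging.xml hunks comment out the entire ensure_logrotate_activated rule, CCE 4182-2 included, with no explanation (the commit message is only a Signed-off-by) and the change is unrelated to the OCIL additions the rest of the patch makes; split it into its own commit whose message says why the rule is dropped and what becomes of the CCE identifier. Deleting `<!-- TODO: this needs cleanup -->` inside the span is required because XML comments cannot nest, but that deserves a sentence too. The trailing context lines show the next rule, `ensure_logrotate_rotates_all_files`, still titled "Ensure Logrotate Runs Periodically", the very title of the rule being commented out; the surviving rule needs a title that matches its id, otherwise the only rule with that title is the one that no longer exists.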
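Review bot: `<pre>chkconfig --list autofs</pre>` in the mounting.xml hunk drops the `$ ` prompt that every other new OCIL block in this patch uses, and unlike the nfs and rpcsvcgssd checks it does not verify that autofs is also not currently running, even though the description only covers disabling it at boot with `chkconfig --level 0123456 autofs off`; add the prompt and a `service autofs status` step, or better, use the same service-disabled check macro for all three service rules so they cannot diverge like this.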
