All: I tweaked the macro to facilitate the idea that service(s) that are deemed necessary to disable -- may/may not apply to all environments.
The reasoning for this is that the way it was worded previously, it appeared that they should be disabled, when in fact it is all contingent on the environment, climate, and mission.

EX: of how it looks NOW:
-----------------------------------
For pre-determined environments, it is prudent to check that the rhnsd service is disabled at boot time via chkconfig and not currently running on the system (runtime configuration).

Run the following command to verify rhnsd is disabled through current runtime configuration:
# service rhnsd status
If the service is disabled, the command will return:
rhnsd is stopped

Run the following command to verify rhnsd is disabled through system boot configuration:
# chkconfig rhnsd --list
Output should indicate the rhnsd service has been disabled at all runlevels, as shown in the example below:
# chkconfig rhnsd --list
rhnsd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

If the service is running, this is a finding.
-----------------------------------

>From 6f308f6993b090edeb485cc73dcb7918e8c80c59 Mon Sep 17 00:00:00 2001 From: Michael McConachie <[email protected]> Date: Tue, 2 Oct 2012 12:52:40 -0400 Subject: [PATCH 2/2] Small updates to service-disable-check-macro --- RHEL6/transforms/shorthand2xccdf.xslt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index b1bfb1a..ae9f3d3 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt @@ -325,8 +325,7 @@ exclude-result-prefixes="xccdf xhtml dc"> </xsl:template> <xsl:template match="service-disable-check-macro"> - It is prudent to check that the <xhtml:code><xsl:value-of select="@service"/></xhtml:code> service is disabled in system boot - configuration via <xhtml:code>chkconfig</xhtml:code> and not currently running on the system (runtime configuration). + For pre-determined environments, it is prudent to check that the <xhtml:code><xsl:value-of select="@service"/></xhtml:code> service is disabled at boot time via <xhtml:code>chkconfig</xhtml:code> and not currently running on the system (runtime configuration). Run the following command to verify <xhtml:code><xsl:value-of select="@service"/></xhtml:code> is disabled through current runtime configuration: -- 1.7.11.4
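
Review bot: The qualifier "For pre-determined environments" added at the start of the service-disable-check-macro text does not say which environments are meant, so a reader of the generated check has no way to decide whether it applies to their system. The cover message gives the intent as "contingent on the environment, climate, and mission"; wording closer to that, for example "Where the environment requires this service to be disabled, check that ...", would carry the intent into the output. The rendered example in the message still ends with "If the service is running, this is a finding.", which reads as unconditional next to the conditional opening, so that sentence wants the same qualifier. As a style point, the replacement collapses two wrapped lines into one very long line; keeping the earlier wrapping would make later diffs of this template easier to read.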
