Signed-off-by: David Smith <[email protected]>
---
 RHEL6/input/services/avahi.xml | 2 +-
 RHEL6/input/services/dhcp.xml | 6 +++---
 RHEL6/input/services/dns.xml | 4 ++--
 RHEL6/input/services/ftp.xml | 2 +-
 RHEL6/input/services/ldap.xml | 2 +-
 RHEL6/input/services/mail.xml | 2 +-
 RHEL6/input/services/obsolete.xml | 9 +++++++++
 RHEL6/input/services/smb.xml | 1 +
 RHEL6/input/services/ssh.xml | 9 +++++++--
 RHEL6/input/services/xorg.xml | 2 ++
 10 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/RHEL6/input/services/avahi.xml b/RHEL6/input/services/avahi.xml
index 24b0544..1733519 100644
--- a/RHEL6/input/services/avahi.xml
+++ b/RHEL6/input/services/avahi.xml
@@ -29,7 +29,7 @@ can be trusted.
 </rationale>
 <ident cce="4365-3" />
 <oval id="service_avahi-daemon_disabled" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml
index a86271b..0013786 100644
--- a/RHEL6/input/services/dhcp.xml
+++ b/RHEL6/input/services/dhcp.xml
@@ -47,7 +47,7 @@ DHCP server if there is one.
 </rationale>
 <ident cce="4336-4" />
 <oval id="service_dhcpd_disabled" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 <Rule id="uninstall_dhcp_server">
@@ -63,7 +63,7 @@ accidentally reactivated and disrupt network operation.
 </rationale>
 <ident cce="4464-4" />
 <oval id="package_dhcpd_removed" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 </Group> <!-- <Group id="disabling_dhcp_server"> -->
@@ -229,7 +229,7 @@ DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances.</rationale>
 <ident cce="4191-3" />
 <oval id="sysconfig_networking_bootproto_ifcfg" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 </Group> <!-- <Group id="disabling_dhcp_client"> -->
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml
index f630aed..a467115 100644
--- a/RHEL6/input/services/dns.xml
+++ b/RHEL6/input/services/dns.xml
@@ -28,7 +28,7 @@ implementation flaws and should be disabled if possible.
 </rationale>
 <ident cce="3578-2" />
 <oval id="service_named_disabled" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 <Rule id="uninstall_bind">
@@ -44,7 +44,7 @@ removing it provides a safeguard against its activation.
 </rationale>
 <ident cce="4219-2" />
 <oval id="package_bind_removed" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 </Group> <!--<Group id="disabling_dns_server">-->
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml
index b6a8f65..ade5c18 100644
--- a/RHEL6/input/services/ftp.xml
+++ b/RHEL6/input/services/ftp.xml
@@ -47,7 +47,7 @@ accidental activation.
 </rationale>
 <ident cce="14881-7" />
 <oval id="package_vsftpd_removed" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="1436"/>
 </Rule>
 </Group> <!-- <Group id="disabling_vsftpd"> -->
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml
index 5f52b06..575190b 100644
--- a/RHEL6/input/services/ldap.xml
+++ b/RHEL6/input/services/ldap.xml
@@ -98,7 +98,7 @@ The output should show:
 </ocil>
 <ident cce="3501-4" />
 <oval id="package_openldap-servers_removed" />
-<ref nist="CM-6, CM-7" />
+<ref nist="CM-6, CM-7" disa="366"/>
 </Rule>
 <Rule id="ldap_server_config_olcsuffix">
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml
index e30d011..2e68796 100644
--- a/RHEL6/input/services/mail.xml
+++ b/RHEL6/input/services/mail.xml
@@ -81,7 +81,7 @@ and not from the network, which protects it from network attack.
 </rationale>
 <ident cce="15018-5" />
 <oval id="postfix_network_listening_disabled" />
-<ref nist="CM-7" />
+<ref nist="CM-7" disa="382"/>
 </Rule>
 </Group><!--End <Group id="postfix_client"> -->
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index eaf853c..015cf5d 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -38,6 +38,7 @@ attacks against xinetd itself.
 </rationale>
 <ident cce="4252-3" />
 <oval id="service_xinetd_disabled" />
+<ref disa="305"/>
 </Rule>
 <Rule id="uninstall_xinetd">
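Review bot: The DISA identifiers assigned to the cleartext remote-access services are not consistent: this first obsolete.xml hunk gives `service_xinetd_disabled` the value 305, and the later obsolete.xml hunks give 305 to the telnet-server, rsh-server, ypserv, ypbind and tftp-server rules, yet `service_rexec_disabled` in the same file gets 1436, as do vsftpd in ftp.xml and `service_smb_disabled` in smb.xml. Nothing in the patch explains why rexec differs from rsh and telnet, so it is worth confirming each value against the CCI list before merging. If both identifiers apply to a rule, list both the way the ssh.xml hunk does, e.g. `<ref disa="305,1436"/>`; otherwise record the reason next to the element in a short XML comment. The Rule elements open outside these hunks, so the full rule text is not visible here.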
@@ -52,6 +53,7 @@ xinetd service's accidental (or intentional) activation.
 </rationale>
 <ident cce="4164-0" />
 <oval id="package_xinetd_removed" />
+<ref disa="305"/>
 </Rule>
 </Group>
@@ -92,6 +94,7 @@ telnet service's accidental (or intentional) activation.
 </rationale>
 <ident cce="4330-7" />
 <oval id="package_telnet-server_removed" />
+<ref disa="305"/>
 </Rule>
 </Group>
@@ -117,6 +120,7 @@ activation.
 </rationale>
 <ident cce="4308-3" />
 <oval id="package_rsh-server_removed" />
+<ref disa="305"/>
 </Rule>
 <Rule id="disable_rexec" severity="high">
@@ -134,6 +138,7 @@ stolen by eavesdroppers on the network.
 </rationale>
 <ident cce="undefined" />
 <oval id="service_rexec_disabled" />
+<ref disa="1436"/>
 </Rule>
 <Rule id="disable_rsh" severity="high">
@@ -216,6 +221,7 @@ accidental (or intentional) activation of NIS or NIS+ services.
 </rationale>
 <ident cce="4348-9" />
 <oval id="package_ypserv_removed" />
+<ref disa="305"/>
 </Rule>
 <Rule id="disable_ypbind">
@@ -231,6 +237,7 @@ as a client in a NIS or NIS+ domain.
 </rationale>
 <ident cce="3705-1" />
 <oval id="service_ypbind_disabled" />
+<ref disa="305"/>
 </Rule>
 </Group>
@@ -274,6 +281,7 @@ accidental (or intentional) activation of tftp services.
 </rationale>
 <ident cce="3916-4" />
 <oval id="package_tftp-server_removed" />
+<ref disa="305"/>
 </Rule>
 <Rule id="tftpd_uses_secure_mode" severity="high">
@@ -298,6 +306,7 @@ server_args = -s /var/lib/tftpboot</pre>
 </ocil>
 <ident cce="TODO" />
 <oval id="tftpd_uses_secure_mode" />
+<ref disa="366"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/services/smb.xml b/RHEL6/input/services/smb.xml
index b46720a..709338c 100644
--- a/RHEL6/input/services/smb.xml
+++ b/RHEL6/input/services/smb.xml
@@ -34,6 +34,7 @@ should be disabled if not needed.
 </rationale>
 <ident cce="4551-8" />
 <oval id="service_smb_disabled" />
+<ref disa="1436" />
 </Rule>
 </Group> <!--<Group id="disabling_samba">-->
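Review bot: In the obsolete.xml hunk for `disable_rexec`, the new `<ref disa="1436"/>` sits directly under `<ident cce="undefined" />`, so the rule gains a real DISA reference while still carrying a placeholder CCE. The `tftpd_uses_secure_mode` hunk has the same pattern with `<ident cce="TODO" />`. Anything downstream that exports or joins on the ident value would presumably carry the literal strings `undefined` and `TODO` as if they were identifiers. Until real CCEs are assigned, I would drop the placeholder `<ident>` if the build tolerates its absence and mark the gap with a comment such as `<!-- CCE not yet assigned -->`. Both Rule elements open above their hunks, so the rest of each rule is not visible here.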
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 93427ac..f77effe 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -81,7 +81,7 @@ should not be used.
 </rationale>
 <ident cce="4325-7" />
 <oval id="sshd_protocol_2" />
-<ref disa="776,774,1135" />
+<ref disa="776,774,1135,1436" />
 </Rule>
 <Rule id="sshd_limit_user_access">
@@ -187,11 +187,12 @@ If properly configured, output should be:
 <pre>ClientAliveCountMax 0</pre>
 </ocil>
 <rationale>
-This ensures that a user login will be terminated as soon as the <tt>ClientAliveInternal</tt>
+This ensures that a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
 is reached.
 </rationale>
 <ident cce="14061-6" />
 <oval id="sshd_clientalivecountmax" />
+<ref disa="879,1133"/>
 </Rule>
@@ -214,6 +215,7 @@ can allow an attacker to move trivially to other hosts.
 </rationale>
 <ident cce="4475-0" />
 <oval id="sshd_rsh_emulation_disabled" />
+<ref disa="765,766"/>
 </Rule>
@@ -238,6 +240,7 @@ can allow an attacker to move trivially to other hosts.
 </rationale>
 <ident cce="4370-3" />
 <oval id="sshd_hostbasedauthentication" />
+<ref disa="765,766"/>
 </Rule>
@@ -280,6 +283,7 @@ even in the event of misconfiguration elsewhere.
 </rationale>
 <ident cce="3660-8" />
 <oval id="sshd_permitemptypasswords_no" />
+<ref disa="765,766"/>
 </Rule>
 <Rule id="sshd_enable_warning_banner">
@@ -325,6 +329,7 @@ access restriction in some configurations.
 </rationale>
 <ident cce="4422-2" />
 <oval id="sshd_no_user_envset" />
+<ref disa="1414" />
 </Rule>
 <Rule id="sshd_use_approved_ciphers">
diff --git a/RHEL6/input/services/xorg.xml b/RHEL6/input/services/xorg.xml
index 0f76543..e8a2229 100644
--- a/RHEL6/input/services/xorg.xml
+++ b/RHEL6/input/services/xorg.xml
@@ -28,6 +28,7 @@ The output should show the following:
 </ocil>
 <ident cce="4462-8" />
 <oval id="xwindows_runlevel_setting" />
+<ref disa="366" />
 </Rule>
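Review bot: The corrected rationale in the `sshd_clientalivecountmax` hunk of ssh.xml says the login ends "as soon as the ClientAliveInterval is reached", but it does not say that this depends on `ClientAliveInterval` being set to a non-zero value. With the sshd default of 0 no client-alive checks are sent, so `ClientAliveCountMax 0` on its own terminates nothing. I would add a sentence to the rationale such as `This setting only takes effect when <tt>ClientAliveInterval</tt> is set to a non-zero value.` The meaning of a zero count also depends on the OpenSSH release, so the wording is best tied to the sshd shipped with this platform. The Rule opens above the hunk, so any existing cross-reference to the interval rule is not visible here.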
@@ -46,6 +47,7 @@ The output should be:
 </ocil>
 <ident cce="4422-2" />
 <oval id="package_xorg-x11-server-common_removed" />
+<ref disa="366" />
 </Rule>
 <!-- to add: guidance in /etc/gdm/custom.conf for xdmcp disable, tcplisten disable -->
--
1.7.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
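Review bot: The rule that receives `<ref disa="366" />` in this second xorg.xml hunk is identified by `<ident cce="4422-2" />`, the same CCE that the ssh.xml hunk shows on `sshd_no_user_envset`. One CCE should not identify both an sshd setting and the removal of xorg-x11-server-common, so one of the two is likely a copy-paste leftover, and results keyed on CCE would merge the two findings. Which rule legitimately owns the identifier cannot be told from the patch. Check it against the CCE list and correct the wrong `<ident>`, or mark it with `<!-- FIXME: CCE duplicates sshd_no_user_envset -->` until that is confirmed. The Rule opens above the hunk.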
