Signed-off-by: David Smith <[email protected]> --- RHEL6/input/system/accounts/pam.xml | 8 +++--- RHEL6/input/system/accounts/physical.xml | 10 ++++---- .../accounts/restrictions/password_expiration.xml | 12 +++++---- .../accounts/restrictions/password_storage.xml | 2 +- .../system/accounts/restrictions/root_logins.xml | 4 +- RHEL6/input/system/accounts/session.xml | 6 ++-- RHEL6/input/system/auditing.xml | 12 ++++----- RHEL6/input/system/logging.xml | 18 +++++++------- RHEL6/input/system/network/ipv6.xml | 4 +- RHEL6/input/system/network/kernel.xml | 24 ++++++++++---------- RHEL6/input/system/network/uncommon.xml | 8 +++--- RHEL6/input/system/network/wireless.xml | 4 +- RHEL6/input/system/permissions/files.xml | 22 ++++++++++------- RHEL6/input/system/selinux.xml | 8 +++--- RHEL6/input/system/software/disk_partitioning.xml | 12 +++++----- RHEL6/input/system/software/integrity.xml | 4 +- RHEL6/input/system/software/updating.xml | 4 +- 17 files changed, 83 insertions(+), 79 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index ec332d9..737fc4d 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -105,7 +105,7 @@ reason.</warning> operator="equals" interactive="0"> <title>minlen</title> <description>Minimum number of characters in password</description> -<value selector="">12</value> +<value selector="">14</value> <value selector="6">6</value> <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers --> <value selector="8">8</value> @@ -158,7 +158,7 @@ operator="equals" interactive="0"> password</description> <warning category="general">Keep this high for short passwords</warning> -<value selector="">3</value> +<value selector="">4</value> <value selector="2">2</value> <value selector="3">3</value> <value selector="4">4</value> @@ -168,7 +168,7 @@ passwords</warning> operator="equals" interactive="0"> <title>fail_deny</title> <description>Number of failed login attempts before account lockout</description> -<value selector="">5</value> +<value selector="">3</value> <value selector="3">3</value> <value selector="5">5</value> <value selector="10">10</value> @@ -404,7 +404,7 @@ Using a stronger hashing algorithm makes password cracking attacks more difficul </rationale> <ident cce="14063-2" /> <oval id="accounts_password_hashing_algorithm" /> -<ref nist="IA-5" /> +<ref nist="IA-5" disa="803"/> </Rule> <Rule id="limiting_password_reuse"> diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index ebe132e..b418393 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -40,7 +40,7 @@ Only root should be able to modify important boot parameters. </rationale> <ident cce="4144-2" /> <oval id="file_user_owner_grub_conf" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="group_owner_grub_conf"> 
@@ -57,7 +57,7 @@ file should not have any access privileges anyway. </rationale> <ident cce="4197-0" /> <oval id="file_group_owner_grub_conf" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="permissions_grub_conf"> @@ -73,7 +73,7 @@ parameters. </rationale> <ident cce="3923-0" /> <oval id="file_permissions_grub_conf" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="bootloader_password" severity="high"> @@ -160,7 +160,7 @@ services, weakening system security. </rationale> <ident cce="4245-7" /> <oval id="interactive_boot_disable" /> -<ref nist="CM-7, IA-4, SC-2"/> +<ref nist="CM-7, IA-4, SC-2" disa="213"/> </Rule> @@ -255,7 +255,7 @@ If properly configured, the output should be <tt>true</tt>. </ocil> <rationale> Enabling idle activation of the screen saver ensures that the -screensaver will be activated after the idle delay. +screensaver will be activated after the idle delay. Applications requiring continuous, real-time screen display (i.e., network management products) require the following and need to be documented with the IAO: the login session does not have administrator rights; and, the display station (i.e., keyboard, monitor, etc.) is located in a controlled-access area. </rationale> <ident cce="14604-3" /> <oval id="gconf_gnome_screensaver_idle_activation_enabled" /> diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml index 3ac9f7a..a464c4e 100644 --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml 
@@ -81,7 +81,8 @@ age, and 7 day warning period with the following command: <description>To specify password length requirements for new accounts, edit the file <tt>/etc/login.defs</tt> and add or correct the following lines: -<pre>PASS_MIN_LEN <i>LENGTH</i></pre> +<pre>PASS_MIN_LEN 14<!-- <sub idref="var_password_min_len"> --></pre> +TODO: More research needed to understand exact interaction: when precisely is this file consulted? <br/><br/> The DoD requirement is <tt>14</tt>. If a program consults <tt>/etc/login.defs</tt> and also another PAM module @@ -113,12 +114,13 @@ behavior that may result. edit the file <tt>/etc/login.defs</tt> and add or correct the following line, replacing <i>DAYS</i> appropriately: <pre>PASS_MIN_DAYS <i>DAYS</i></pre> -The DoD requirement is 7. +A value of 1 day is considered for sufficient for many +environments. </description> <ocil clause="it is not set to the required value"> To check the minimum password age, run the command: <pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre> -The DoD requirement is 7. +The DoD requirement is 1. </ocil> <rationale> Setting the minimum password age protects against @@ -154,7 +156,7 @@ increases the risk of users writing down the password in a convenient location subject to physical compromise.</rationale> <ident cce="4092-3" /> <oval id="accounts_maximum_age_login_defs" value="var_password_max_age"/> -<ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/> +<ref nist="CM-6, CM-7, IA-5, AC-3" disa="180"/> </Rule> @@ -165,7 +167,7 @@ expiration that a warning will be issued to users, edit the file <tt>/etc/login.defs</tt> and add or correct the following line: <pre>PASS_WARN_AGE <i>DAYS</i></pre> -A value of 7 days is considered for appropriate for many +A value of 14 days is considered for appropriate for many environments. <!-- <sub idref="password_warn_age_login_defs_value" /> --> </description> 
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index 415bfd2..3b6a98d 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -63,7 +63,7 @@ which is readable by all users. </rationale> <ident cce="14300-8" /> <oval id="accounts_password_all_shadowed" /> -<ref nist="IA-5" disa="196" /> +<ref nist="IA-5" disa="201" /> </Rule> <Rule id="no_netrc_files"> diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml index b19bce7..244bd4b 100644 --- a/RHEL6/input/system/accounts/restrictions/root_logins.xml +++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml @@ -127,7 +127,7 @@ become inaccessible. </warning> <ident cce="3987-5" /> <oval id="accounts_nologin_for_system" /> -<ref nist="AC-3, CM-6" /> +<ref nist="AC-3, CM-6" disa="178" /> </Rule> @@ -153,7 +153,7 @@ access to the root account. </rationale> <ident cce="4009-7" /> <oval id="accounts_no_uid_except_zero" /> -<ref nist="AC-3, AC-11, CM-6, CM-7" disa="366"/> +<ref nist="AC-3, AC-11, CM-6, CM-7" disa="366" /> </Rule> </Group> diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index a6ba3ad..457dc20 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -251,7 +251,7 @@ umask 077</pre> </ocil> <ident cce="4227-5" /> <oval id="accounts_umask_csh" value="umask_user_value"/> -<ref nist="CM-6, CM-7"/> +<ref nist="CM-6, CM-7" disa="366"/> <tested by="swells" on="20120929"/> </Rule> @@ -276,7 +276,7 @@ umask 077</pre> </ocil> <oval id="accounts_umask_etc_profile" value="umask_user_value" /> <tested by="swells" on="20120929"/> -<ref nist="CM-6, CM-7"/> +<ref nist="CM-6, CM-7" disa="366"/> </Rule> <Rule id="user_umask_logindefs"> 
@@ -299,7 +299,7 @@ umask 077</pre> </ocil> <ident cce="14107-7" /> <oval id="accounts_umask_login_defs" value="umask_user_value" /> -<ref nist="CM-6, CM-7"/> +<ref nist="CM-6, CM-7" disa="366"/> <tested by="swells" on="20120929" /> </Rule> diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index e87154d..163624d 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -648,8 +648,7 @@ audited.</rationale> <Rule id="audit_mac_changes"> -<title>Record Events that Modify the System's Mandatory Access -Controls</title> +<title>Record Events that Modify the System's Mandatory Access Controls</title> <description>Add the following to <tt>/etc/audit/audit.rules</tt>: <pre>-w /etc/selinux/ -p wa -k MAC-policy</pre> </description> @@ -670,8 +669,7 @@ MAC policy should be audited.</rationale> </Rule> <Group id="audit_dac_actions"> -<title>Record Events that Modify the System's Discretionary -Access Controls</title> +<title>Record Events that Modify the System's Discretionary Access Controls</title> <description>At a minimum the audit system should collect file permission changes for all users and root. Note that the "-F arch=b32" lines should be present even on a 64 bit system. These commands identify system calls for @@ -1182,7 +1180,7 @@ trail should be created each time a filesystem is mounted to help identify and g loss.</rationale> <ident cce="14569-8" /> <oval id="audit_rules_media_export" /> -<ref nist="AU-2" /> +<ref nist="AU-2" disa="126"/> </Rule> <Rule id="audit_file_deletions"> @@ -1223,7 +1221,7 @@ To verify that auditing is configured for system administrator actions, run the of what was executed on the system as well as for accountability purposes.</rationale> <ident cce="14824-7" /> <oval id="audit_rules_sysadmin_actions" /> -<ref nist="AU-2" /> +<ref nist="AU-2" disa="126"/> </Rule> <Rule id="audit_kernel_module_loading"> 
@@ -1245,7 +1243,7 @@ the kernel and potentially introduce malicious code into kernel space. It is imp to have an audit trail of modules that have been introduced into the kernel.</rationale> <ident cce="14688-6" /> <oval id="audit_rules_kernel_module_loading" /> -<ref nist="AU-2" /> +<ref nist="AU-2" disa="126"/> </Rule> <Rule id="audit_config_immutable"> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index eb3c2cf..b676ea9 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -32,7 +32,7 @@ system logging services. </rationale> <ident cce="17742-8" /> <oval id="package_rsyslog_installed" /> -<ref nist="AU-2, AU-9, CM-6" /> +<ref nist="AU-2, AU-9, CM-6" disa="1311,1312"/> </Rule> @@ -135,7 +135,7 @@ configuration, user authentication, and other such information. Log files should protected from unauthorized access.</rationale> <ident cce="17857-4" /> <oval id="rsyslog_files_ownership" /> -<ref nist="AC-3, CM-6" /> +<ref nist="AC-3, CM-6" disa="1314"/> </Rule> <Rule id="groupowner_rsyslog_files"> @@ -160,7 +160,7 @@ configuration, user authentication, and other such information. Log files should protected from unauthorized access.</rationale> <ident cce="18240-2" /> <oval id="rsyslog_files_groupownership" /> -<ref nist="AC-3, CM-6" /> +<ref nist="AC-3, CM-6" disa="1314"/> </Rule> @@ -257,7 +257,7 @@ place to view the status of multiple hosts within the enterprise. </rationale> <ident cce="17248-6" /> <oval id="rsyslog_remote_loghost" /> -<ref nist="AU-2, AU-9" disa="1348, 136, 1352" /> +<ref nist="AU-2, AU-9" disa="1348, 136" /> </Rule> </Group> 
@@ -358,7 +358,8 @@ Note that <tt>logrotate</tt> is run nightly by the cron job rotated more often than once a day, some other mechanism must be used.</description> -<!-- <Rule id="ensure_logrotate_activated"> +<!-- TODO: this needs cleanup +<Rule id="ensure_logrotate_activated"> <title>Ensure Logrotate Runs Periodically</title> <description>The <tt>logrotate</tt> service must be configured to run periodically in order to perform its log rotation function.</description> @@ -366,8 +367,8 @@ periodically in order to perform its log rotation function.</description> that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</rationale> <ident cce="4182-2" /> -<ref nist="AU-2, AU-9, CM-6" /> -</Rule> --> +<ref nist="AU-2, AU-9, CM-6" disa="366"/> +</Rule> <Rule id="ensure_logrotate_rotates_all_files"> <title>Ensure Logrotate Runs Periodically</title> @@ -377,7 +378,6 @@ enabled.</description> that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</rationale> <ident cce="4182-2" /> -<!-- TODO: this needs cleanup --> <oval id="logrotate_rotate_all_files" /> <ref nist="AU-2, AU-9, CM-6" /> </Rule> @@ -410,7 +410,7 @@ information is almost always necessary <oval id="logwatch_configured_splithosts" /> </Rule> -<!--Ensure that <tt>logwatch.pl</tt> is run nightly from <tt>cron</tt>. (This is the default): +Ensure that <tt>logwatch.pl</tt> is run nightly from <tt>cron</tt>. (This is the default): <pre># cd /etc/cron.daily # ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch </pre> diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml index 68dc0a4..b7e8ad0 100644 --- a/RHEL6/input/system/network/ipv6.xml +++ b/RHEL6/input/system/network/ipv6.xml 
@@ -39,7 +39,7 @@ Any unnecessary network stacks - including IPv6 - should be disabled, to reduce </rationale> <ident cce="CCE-3562-6" /> <oval id="kernel_module_ipv6_option_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1551"/> </Rule> <Rule id="network_ipv6_disable_interfaces"> @@ -135,7 +135,7 @@ An illicit ICMP redirect message could result in a man-in-the-middle attack. </rationale> <ident cce="CCE-4313-3" /> <oval id="sysctl_net_ipv6_conf_default_accept_redirects" value="sysctl_net_ipv6_conf_default_accept_redirects_value" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="1551"/> </Rule> </Group><!--<Group id="disabling_ipv6_autoconfig">--> diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 5485fcd..0c44281 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -24,7 +24,7 @@ to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> <ident cce="4151-7" /> <oval id="sysctl_net_ipv4_conf_default_send_redirects" /> -<ref nist="AC-4, SC-5, SC-7" /> +<ref nist="AC-4, SC-5, SC-7" disa="1551"/> </Rule> <Rule id="disable_sysctl_ipv4_all_send_redirects"> @@ -40,7 +40,7 @@ to update their routing information. The ability to send ICMP redirects is only appropriate for routers.</rationale> <ident cce="4155-8" /> <oval id="sysctl_net_ipv4_conf_all_send_redirects" /> -<ref nist="CM-6" /> +<ref nist="CM-6" disa="1551"/> </Rule> <Rule id="disable_sysctl_ipv4_ip_forward"> @@ -56,7 +56,7 @@ interface to another. The ability to forward packets between two networks is only appropriate for routers.</rationale> <ident cce="3561-8" /> <oval id="sysctl_net_ipv4_ip_forward" /> -<ref nist="AC-3, CM-6, CM-7, SC-5" /> +<ref nist="AC-3, CM-6, CM-7, SC-5" disa="366"/> </Rule> </Group> 
@@ -206,7 +206,7 @@ operator="equals" interactive="0"> uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4236-6" /> <oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" /> -<ref nist="CM-7" /> +<ref nist="CM-7" disa="1551"/> </Rule> <Rule id="set_sysctl_net_ipv4_conf_all_accept_redirects"> @@ -221,7 +221,7 @@ uses. It should be disabled unless it is absolutely required.</rationale> uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4217-6" /> <oval id="sysctl_net_ipv4_conf_all_accept_redirects" value="sysctl_net_ipv4_conf_all_accept_redirects_value" /> -<ref nist="CM-7" /> +<ref nist="CM-7" disa="1503,1551"/> </Rule> @@ -238,7 +238,7 @@ default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="3472-8" /> <oval id="sysctl_net_ipv4_conf_all_secure_redirects" value="sysctl_net_ipv4_conf_all_secure_redirects_value" /> -<ref nist="CM-7, AC-4" /> +<ref nist="CM-7, AC-4" disa="1503,1551"/> </Rule> <Rule id="set_sysctl_net_ipv4_conf_all_log_martians"> @@ -255,7 +255,7 @@ sign of nefarious network activity. Logging these packets enables this activity to be detected.</rationale> <ident cce="4320-8" /> <oval id="sysctl_net_ipv4_conf_all_log_martians" value="sysctl_net_ipv4_conf_all_log_martians_value" /> -<ref nist="CM-7" /> +<ref nist="CM-7" disa="126"/> </Rule> @@ -271,7 +271,7 @@ to be detected.</rationale> uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4091-5" /> <oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" /> -<ref nist="AC-4, SC-5, SC-7" /> +<ref nist="AC-4, SC-5, SC-7" disa="1551"/> </Rule> 
@@ -287,7 +287,7 @@ uses. It should be disabled unless it is absolutely required.</rationale> uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="4186-3" /> <oval id="sysctl_net_ipv4_conf_default_accept_redirects" /> -<ref nist="AC-4, SC-5, SC-7" /> +<ref nist="AC-4, SC-5, SC-7" disa="1551"/> </Rule> @@ -304,7 +304,7 @@ default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.</rationale> <ident cce="3339-9" /> <oval id="sysctl_net_ipv4_conf_default_secure_redirects" value="sysctl_net_ipv4_conf_default_secure_redirects_value" /> -<ref nist="AC-4, SC-5, SC-7" /> +<ref nist="AC-4, SC-5, SC-7" disa="1551"/> </Rule> @@ -321,7 +321,7 @@ addresses makes the system slightly more difficult to enumerate on the network. </rationale> <ident cce="3644-2" /> <oval id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" value="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" /> -<ref nist="AC-3, CM-6, CM-7, SC-5" /> +<ref nist="AC-3, CM-6, CM-7, SC-5" disa="1551"/> </Rule> @@ -375,7 +375,7 @@ complicated networks, but is helpful for end hosts and routers serving small networks.</rationale> <ident cce="4080-8" /> <oval id="sysctl_net_ipv4_conf_all_rp_filter" value="sysctl_net_ipv4_conf_all_rp_filter_value" /> -<ref nist="AC-4, SC-5, SC-7" /> +<ref nist="AC-4, SC-5, SC-7" disa="1551"/> </Rule> <Rule id="set_sysctl_net_ipv4_conf_default_rp_filter"> diff --git a/RHEL6/input/system/network/uncommon.xml b/RHEL6/input/system/network/uncommon.xml index 84697d5..bd6eeee 100644 --- a/RHEL6/input/system/network/uncommon.xml +++ b/RHEL6/input/system/network/uncommon.xml @@ -29,7 +29,7 @@ the system against exploitation of any flaws in its implementation. </rationale> <ident cce="14268-7" /> <oval id="kernel_module_dccp_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382"/> </Rule> 
@@ -51,7 +51,7 @@ the system against exploitation of any flaws in its implementation. </rationale> <ident cce="14132-5" /> <oval id="kernel_module_sctp_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382"/> </Rule> @@ -72,7 +72,7 @@ the system against exploitation of any flaws in its implementation. </rationale> <ident cce="14027-7" /> <oval id="kernel_module_rds_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382"/> </Rule> @@ -93,7 +93,7 @@ the system against exploitation of any flaws in its implementation. </rationale> <ident cce="14911-2" /> <oval id="kernel_module_tipc_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382"/> </Rule> </Group> diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index e76d569..8366164 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -99,7 +99,7 @@ Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range.</rationale> <ident cce="4355-4" /> <oval id="service_bluetooth_disabled" /> -<ref nist="AC-18, CM-6, CM-7" disa="85" /> +<ref nist="AC-18, CM-6, CM-7" disa="85,1551" /> </Rule> <Rule id="kernel_module_bluetooth_disabled"> @@ -120,7 +120,7 @@ from loading the kernel module provides an additional safeguard against its activation.</rationale> <ident cce="14948-4" /> <oval id="kernel_module_bluetooth_disabled" /> -<ref nist="AC-18, CM-6, CM-7" disa="85" /> +<ref nist="AC-18, CM-6, CM-7" disa="85,1551" /> </Rule> diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 6d26be7..ee509ad 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml 
@@ -39,7 +39,7 @@ which could weaken the system security posture.</rationale> critical for system security.</rationale> <ident cce="3988-3" /> <oval id="file_groupowner_etc_shadow" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="perms_shadow_file"> @@ -75,7 +75,7 @@ on the system. Protection of this file is important for system security.</ration on the system. Protection of this file is important for system security.</rationale> <ident cce="3883-6" /> <oval id="file_groupowner_etc_group" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="perms_group_file"> @@ -86,7 +86,7 @@ on the system. Protection of this file is important for system security.</ration on the system. Protection of this file is important for system security.</rationale> <ident cce="3967-7" /> <oval id="file_permissions_etc_group" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="userowner_gshadow_file"> @@ -97,7 +97,7 @@ on the system. Protection of this file is important for system security.</ration is critical for system security.</rationale> <ident cce="4210-1" /> <oval id="file_owner_etc_gshadow" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="groupowner_gshadow_file"> @@ -108,7 +108,7 @@ is critical for system security.</rationale> is critical for system security.</rationale> <ident cce="4064-2" /> <oval id="file_groupowner_etc_gshadow" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="perms_gshadow_file"> @@ -119,7 +119,7 @@ is critical for system security.</rationale> is critical for system security.</rationale> <ident cce="3932-1" /> <oval id="file_permissions_etc_gshadow" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="userowner_passwd_file"> 
@@ -130,7 +130,7 @@ is critical for system security.</rationale> the system. Protection of this file is critical for system security.</rationale> <ident cce="3958-6" /> <oval id="file_owner_etc_passwd" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="groupowner_passwd_file"> @@ -141,7 +141,7 @@ the system. Protection of this file is critical for system security.</rationale> the system. Protection of this file is critical for system security.</rationale> <ident cce="3495-9" /> <oval id="file_groupowner_etc_passwd" /> -<ref nist="AC-3, CM-6"/> +<ref nist="AC-3, CM-6" disa="225"/> </Rule> <Rule id="file_permissions_etc_passwd"> @@ -193,6 +193,7 @@ run the following command for each directory <i>DIR</i> which contains shared li space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. </rationale> +<ref disa="1499"/> </Rule> <Rule id="file_ownership_library_dirs"> @@ -218,6 +219,7 @@ run the following command for each directory <i>DIR</i> which contains shared li space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. </rationale> +<ref disa="1499"/> </Rule> @@ -242,6 +244,7 @@ run the following command for each directory <i>DIR</i> which contains system ex and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. </rationale> +<ref disa="1499"/> </Rule> <Rule id="file_ownership_binary_dirs"> @@ -265,6 +268,7 @@ run the following command for each directory <i>DIR</i> which contains system ex and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. </rationale> +<ref disa="1499"/> </Rule> 
@@ -432,7 +436,7 @@ accounts have a uid lower than 500. Run it once for each local partition <i>PAR <pre># find <i>PART</i> -xdev -type d -perm 0002 -uid +500 -print</pre> </ocil> <rationale> -Allowing a user account to own a world-writeable directory is +Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index 286f324..b44a145 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -101,7 +101,7 @@ the chances that it will remain off during system operation. </rationale> <ident cce="3977-6" /> <oval id="selinux_bootloader_notdisabled" /> -<ref nist="AC-3, CM-6" /> +<ref nist="AC-3, CM-6" disa="22,32"/> </Rule> <Rule id="set_selinux_state"> @@ -123,7 +123,7 @@ privileges. </rationale> <ident cce="3999-0" /> <oval id="selinux_mode" value="var_selinux_state_name"/> -<ref nist="CM-6, CM-7" disa="22"/> +<ref nist="CM-6, CM-7" disa="22,32"/> </Rule> <Rule id="set_selinux_policy"> @@ -148,7 +148,7 @@ targeted for exploitation, such as network services or system services. </rationale> <ident cce="3624-4" /> <oval id="selinux_policytype" value="var_selinux_policy_name"/> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="22,32"/> </Rule> </Group> @@ -242,7 +242,7 @@ If a device file is not labeled, then misconfiguration is likely. <ident cce="14991-4" /> <oval id="selinux_all_devicefiles_labeled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="22,32"/> </Rule> </Group> diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index ef2ef29..71a3b10 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml 
@@ -38,8 +38,8 @@ Placing <tt>/tmp</tt> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. </rationale> <ident cce="14161-4"/> -<oval id="mount_tmp_own_partition"/> -<ref nist="CM-6" /> +<oval id="mount_tmp_own_partition" /> +<ref nist="CM-6" disa="1208"/> <tested by="MM" on="20120928"/> </Rule> @@ -59,7 +59,7 @@ world-writable directories, installed by other software packages. </rationale> <ident cce="14777-7"/> <oval id="mount_var_own_partition" /> -<ref nist="CM-6" /> +<ref nist="CM-6" disa="1208"/> <tested by="MM" on="20120928"/> </Rule> @@ -78,7 +78,7 @@ and other files in <tt>/var/</tt>. </rationale> <ident cce="14011-1" /> <oval id="mount_var_log_own_partition" /> -<ref nist="CM-6, AU-9" /> +<ref nist="CM-6, AU-9" disa="1208"/> <tested by="MM" on="20120928"/> </Rule> @@ -100,7 +100,7 @@ of space. </rationale> <ident cce="14171-3" /> <oval id="mount_var_log_audit_own_partition" /> -<ref nist="CM-6, AU-9" disa="137"/> +<ref nist="CM-6, AU-9" disa="137,1208"/> <tested by="MM" on="20120928"/> </Rule> @@ -121,7 +121,7 @@ users cannot trivially fill partitions used for log or audit data storage. </rationale> <ident cce="14559-9" /> <oval id="mount_home_own_partition" /> -<ref nist="CM-6"/> +<ref nist="CM-6" disa="1208"/> <tested by="MM" on="20120928"/> </Rule> diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index 65ed613..0794be6 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -37,7 +37,7 @@ The AIDE package must be installed if it is to be available for integrity checki </rationale> <ident cce="4209-3" /> <oval id="package_aide_installed" /> -<ref nist="CM-6, CM-7, SC-28, SI-7" /> +<ref nist="CM-6, CM-7, SC-28, SI-7" disa="1069"/> </Rule> <Rule id="disable_prelink"> 
@@ -93,7 +93,7 @@ To determine that periodic AIDE execution has been scheduled, run the following By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. </rationale> -<ref nist="CM-6, SC-28, SI-7" disa="416,1166,1263,1496"/> +<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1166,1263"/> </Rule> <Rule id="aide_verify_integrity_manually"> diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index c146189..9e3bd6d 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml @@ -38,7 +38,7 @@ are from Red Hat. </rationale> <ident cce="14440-2"/> <oval id="package_red_hat_gpgkeys_installed" /> -<ref nist="SI-2, SI-7, SC-13"/> +<ref nist="SI-2, SI-7, SC-13" disa="351"/> <tested by="MM" on="20120928"/> </Rule> @@ -117,7 +117,7 @@ successful. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. </rationale> -<ref nist="SI-2" disa="1232"/> +<ref nist="SI-2" disa="1227"/> <tested by="MM" on="20120928"/> </Rule> </Group> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
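Review bot: in the pam.xml hunk at @@ -105 the default for minlen moves from 12 to 14, but the only selectable values visible in that hunk are 6 and 8; unless a <value selector="14">14</value> already exists further down, add one so a profile can pin the new default explicitly rather than relying on the empty selector. The commit message gives no source for the new number; since the password_expiration.xml hunk in the same patch states "The DoD requirement is 14", say that here too so the next person does not revert it as a stray edit.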
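Review bot: the fail_deny default in the pam.xml hunk at @@ -168 drops from 5 to 3. That tightens account lockout for every profile that inherits the default and makes shared or service accounts easier to lock out by mistake, so it deserves a sentence of justification in the commit message, and the description or OCIL text of the rule that consumes this variable (outside the hunk) should be checked so it does not still cite 5.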
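Review bot: the sentence added to the screensaver rationale in the physical.xml hunk at @@ -255 uses "i.e." twice where examples are meant ("i.e., network management products", "i.e., keyboard, monitor, etc."); use "e.g." and expand IAO on first use, since not every reader of this guide is a DoD site. The phrase "require the following and need to be documented with the IAO" is also awkward; suggest "Applications that require a continuously visible display (e.g., network management products) may be exempted only if the exception is documented with the IAO and both of the following hold: the login session does not have administrator rights, and the display station is located in a controlled-access area." An exception procedure is a better fit for a <warning> element (as used in pam.xml) than for the rationale.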
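Review bot: in the password_expiration.xml hunk at @@ -81 the line "TODO: More research needed to understand exact interaction: when precisely is this file consulted?" is inserted as plain text inside <description>, so it will be rendered into the generated guide; wrap it in an XML comment or drop it. The same hunk hardcodes "PASS_MIN_LEN 14" and comments out the substitution, so this text will silently diverge from var_password_min_len (and from the pam.xml minlen default this patch also sets to 14) the next time either changes; keep <sub idref="var_password_min_len" /> live instead. Note also that the commented-out <sub idref="var_password_min_len"> is not self-closing, so it would be malformed if someone later removes the comment markers.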
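Review bot: after the password_expiration.xml hunk at @@ -113 the description says "A value of 1 day is considered for sufficient for many environments" while the OCIL block for the same rule now says "The DoD requirement is 1"; the two should agree on what the value is and who requires it, and "considered for sufficient" is a typo for "considered sufficient". Since the description line is being rewritten anyway, also replace the <i>DAYS</i> placeholder in the <pre> with the variable substitution so the rendered text shows the same value the check uses.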
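Review bot: the password_expiration.xml hunk at @@ -165 changes the PASS_WARN_AGE text from 7 to 14 days but carries the pre-existing typo "considered for appropriate" into the new line; make it "considered appropriate" while the line is being rewritten. The <sub idref="password_warn_age_login_defs_value" /> on the following line stays commented out, so the number is now hardcoded in the prose; if that variable exists, re-enable the substitution instead of editing the literal.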
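Review bot: the root_logins.xml hunk at @@ -153 is a whitespace-only change (disa="366"/> to disa="366" />) and adds blame churn for no behavioural difference. Either drop it or, if the intent is to normalise spacing before "/>", do it consistently: the <ref> elements added by this patch mix both forms (disa="1551"/> in kernel.xml, disa="85,1551" /> in wireless.xml), and the same whitespace-only edit appears on the <oval id="mount_tmp_own_partition" /> line in disk_partitioning.xml at @@ -38.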
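Review bot: the logging.xml hunk at @@ -257 removes CCI 1352 from rsyslog_remote_loghost without saying why. Removing an existing control mapping changes which findings this rule is credited against, so the commit message should state the reason (wrong mapping, superseded CCI, moved to another rule). The same applies to the silent replacements elsewhere in this patch: 196 to 201 in password_storage.xml, 199 to 180 in password_expiration.xml, 1496 to 1069 in integrity.xml and 1232 to 1227 in updating.xml. Separately, the disa attribute values mix separators ("1348, 136" and "137,1208" versus "1311,1312"); settle on one form, preferably without spaces, so tooling that splits the attribute on "," does not get stray whitespace.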
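Review bot: the logging.xml hunks at @@ -358 and @@ -366 leave an XML comment open. The first adds "<!-- TODO: this needs cleanup" with no closing "-->" and the second removes the "-->" that followed </Rule>; the @@ -410 hunk then removes the "<!--" in front of the logwatch text but leaves that comment's closing "-->" in place. The net effect is that the "-->" which used to close the logwatch comment now closes the new TODO comment, so everything between, including the whole ensure_logrotate_rotates_all_files rule, ends up commented out. If the intent is to enable ensure_logrotate_activated, make the TODO a self-contained "<!-- TODO: this needs cleanup -->" on its own line and leave the logwatch comment markers alone; building the guide from the patched tree would have shown the missing rule.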
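Review bot: the rule being uncommented in the logging.xml hunk at @@ -366 (ensure_logrotate_activated) carries <ident cce="4182-2" /> and the title "Ensure Logrotate Runs Periodically", and the context lines show ensure_logrotate_rotates_all_files directly below it with the same CCE and the same title. Two live rules with one CCE will collide in any CCE-keyed report, and the uncommented rule has no <oval> element, so it can only be documentation. Either give ensure_logrotate_activated its own CCE and an OVAL check before enabling it, or leave it commented out and fix the title of ensure_logrotate_rotates_all_files to describe what it actually checks.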
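Review bot: the logging.xml hunk at @@ -410 removes the "<!--" before "Ensure that logwatch.pl is run nightly from cron", but the context shows that text sitting bare after </Rule>, not inside a <Rule> or <description>. Once uncommented it is free text with a <pre> block directly inside the <Group>, which the transforms will not render as a rule and which may not validate against the schema. Either keep it commented or wrap it in a proper Rule with title, description, rationale and an OVAL check like its neighbours.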
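Review bot: not introduced by this patch, but visible in the kernel.xml hunk at @@ -271: the rule with CCE 4091-5 references <oval id="sysctl_net_ipv4_conf_all_accept_source_route" value="sysctl_net_ipv4_conf_all_accept_source_route_value" />, identical to the rule with CCE 4236-6 at @@ -206. Its neighbours are the default_* sysctls (sysctl_net_ipv4_conf_default_accept_redirects, sysctl_net_ipv4_conf_default_secure_redirects), so this looks like a copy of the "all" rule that should point at a default_accept_source_route check (name following the pattern of its neighbours; confirm such a check exists). As it stands two rules test the same sysctl and net.ipv4.conf.default.accept_source_route is never checked; worth fixing while the line is being touched.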
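Review bot: the four <ref disa="1499"/> additions in the files.xml hunks at @@ -193, @@ -218, @@ -242 and @@ -265 are placed directly after </rationale> with no <ident> or <oval> in the rule, so the CCI mapping is documentation-only and a scan will never report these rules as passed or failed. That is acceptable for now, but it should be called out (a TODO comment, or an entry in whatever tracks rules lacking OVAL content) so the mapping is not mistaken for an automated check. This is also the first <ref> in the tree without a nist attribute; confirm the transforms accept that.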
