Signed-off-by: Jeffrey Blank <[email protected]>
---
 RHEL6/input/system/auditing.xml | 6 ++--
 RHEL6/input/system/network/ipsec.xml | 2 +-
 RHEL6/input/system/network/iptables.xml | 4 +-
 RHEL6/input/system/network/ssl.xml | 2 +-
 RHEL6/input/system/software/disk_partitioning.xml | 34 +++++++++++----------
 RHEL6/input/system/software/integrity.xml | 2 +-
 6 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 9c254a0..e6ab516 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -93,7 +93,7 @@ actions will be taken if other obstacles exist.
 </rationale>
 <ident cce="4292-9" />
 <oval id="service_auditd_enabled" />
-<ref nist="CM-6, CM-7" disa="169,157,172,174,1353,1462,1487,1115,1454,067,158,831,1123,1190,1312,1263,130,120" />
+<ref nist="CM-6, CM-7" disa="169,157,172,174,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -459,7 +459,7 @@ After reviewing all the rules, reading the following sections, and editing as needed, the new rules can be activated as follows:
 <pre># service auditd restart</pre>
 </description>
-<ref disa="171,172,1115,1454,1487,1571,1589,880,347,85,1274,1356,374,130" />
+<ref disa="171,172,1115,1454,1487,1571,1589,880,347,85,1356,374,130" />
 <Group id="audit_time_rules">
 <title>Records Events that Modify Date and Time Information</title>
@@ -672,7 +672,7 @@ Audit logs must be mode 0640 or less permissive. If users can write to audit logs, audit trails can be modified or destroyed.
 </rationale>
 <oval id="file_permissions_var_log_audit" />
-<ref disa="166,1338" />
+<ref disa="166" />
 <tested by="DS" on="20121024"/>
 </Rule>
diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml
index 02c5bde..f73e493 100644
--- a/RHEL6/input/system/network/ipsec.xml
+++ b/RHEL6/input/system/network/ipsec.xml
@@ -19,7 +19,7 @@ transmitted over a wide area network.
 </rationale>
 <!--<ident cce="TODO" />-->
 <oval id="package_openswan_installed" />
-<ref nist="AC-17, MA-4, SC-9" disa="1130,1131,1135" />
+<ref nist="AC-17, MA-4, SC-9" disa="1130,1131" />
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml
index 40f1746..d63b99f 100644
--- a/RHEL6/input/system/network/iptables.xml
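Review bot: Nothing in the visible commit record explains which CCI list revision or control-mapping source drives the identifiers dropped from the `<ref disa="…">` attributes in these hunks (1123 in the `service_auditd_enabled` ref, 1274 in the audit-rules group ref, 1338 in `file_permissions_var_log_audit`); the record shown here is only the Signed-off-by trailer and the diffstat, so a fuller message may exist above this excerpt. The same applies to the ipsec hunk (1135), both iptables hunks (1123, 1124), the ssl hunk (1141, 1148, 1135, 1132, 1142, 1147) and the integrity hunk (1166). For compliance content a dropped reference changes which control a rule claims to satisfy, so a one-line pointer to the mapping source in the commit message would let a later auditor confirm each identifier was retired or re-mapped rather than lost. No change to the XML itself is needed.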
+++ b/RHEL6/input/system/network/iptables.xml
@@ -60,7 +60,7 @@ capability for IPv6 and ICMPv6.
 </rationale>
 <ident cce="4167-3" />
 <oval id="service_ip6tables_enabled" />
-<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,1117,1098,1100,1097,1123,1124,1414"/>
+<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,1117,1098,1100,1097,1414"/>
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -76,7 +76,7 @@ capability for IPv4 and ICMP.
 </rationale>
 <ident cce="4189-7" />
 <oval id="service_iptables_enabled" />
-<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,27,1117,1098,1100,1097,1123,1124,1414" />
+<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,27,1117,1098,1100,1097,1414" />
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group><!--<Group id="iptables_activation">-->
diff --git a/RHEL6/input/system/network/ssl.xml b/RHEL6/input/system/network/ssl.xml
index 77f3ecb..0c35dc7 100644
--- a/RHEL6/input/system/network/ssl.xml
+++ b/RHEL6/input/system/network/ssl.xml
@@ -50,7 +50,7 @@ process are:
 </description>
-<ref disa="1141,1148,1130,1131,1127,1128,1135,1129,1132,1142,1147,187" />
+<ref disa="1130,1131,1127,1128,1129,187" />
 <Group id="network_ssl_create_ca">
 <title>Create a CA to Sign Certificates</title>
diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml
index ac3ccc9..484117b 100644
--- a/RHEL6/input/system/software/disk_partitioning.xml
+++ b/RHEL6/input/system/software/disk_partitioning.xml
@@ -125,33 +125,35 @@ users cannot trivially fill partitions used for log or audit data storage.
 <tested by="MM" on="20120928"/>
 </Rule>
-<Group id="partition_encryption" >
-<title>Encrypting Partitions</title>
+<Rule id="encrypt_partitions" >
+<title>Encrypt Partitions</title>
 <description>
 Red Hat Enterprise Linux 6 natively supports partition encryption through the
 Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
-encrypt a partition is during install time.
+encrypt a partition is during installation time.
 <br /><br />
-For manual installations, selecting the <tt>Encrypt</tt> checkbox during
-partition creation is all that is needed to encrypt the partition. When this
+For manual installations, select the <tt>Encrypt</tt> checkbox during
+partition creation to encrypt the partition. When this
 option is selected the system will prompt for a passphrase to use in
-decrypting the partition. The passphrase will need to be entered manually
+decrypting the partition. The passphrase will subsequently need to be entered manually
 every time the system boots.
 <br /><br />
-For automated/unattended installations using Kickstart add the <tt>--encrypted</tt>
-and <tt>--passphrase=</tt> options to the definition of each partition you want
-encrypted. For example:
-<pre>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=<i>yourpassphrase</i></pre>
-Where <i>yourpassphrase</i> is a passphrase of your choosing. The passphrase is
-stored in the Kickstart file in clear-text. If that is of concern, leaving the
-<tt>--passphrase=</tt> option off the partition definition will cause the
-installer to pause and interactively ask for the passphrase during the install.
+For automated/unattended installations, it is possible to use Kickstart by adding
+the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
+encrypted. For example, the following line would encrypt the root partition:
+<pre>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted --passphrase=<i>PASSPHRASE</i></pre>
+Any <i>PASSPHRASE</i> is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly.
+Omitting the <tt>--passphrase=</tt> option from the partition definition will cause the
+installer to pause and interactively ask for the passphrase during installation.
 <br /><br />
 Detailed information on encrypting partitions using LUKS can be found on the
 Red Had Documentation web site:<br />
 https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html
 </description>
-<ref disa="1199,1350,1200" />
-</Group>
+<ocil clause="encryption must be used and is not employed">
+Determine if encryption must be used to protect data on the system.
+</ocil>
+<ref disa="1019,1199,1200" />
+</Rule>
 </Group>
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index 2aa54a2..fe548f3 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -97,7 +97,7 @@ To determine that periodic AIDE execution has been scheduled, run the following
 By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
 </rationale>
-<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1166,1263"/>
+<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1263"/>
 </Rule>
 <!-- <Group id="aide_verify_integrity_manually">
-- 
1.7.1
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
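Review bot: The new `<Rule id="encrypt_partitions">` carries a description, an `<ocil>` and a `<ref>` but no `<rationale>` element, whereas every other Rule touched by this patch (auditing, ipsec, iptables, integrity) closes a `</rationale>` before its `<ident>`/`<oval>`; a Rule whose only check is a manual OCIL question and which states no rationale gives an assessor nothing to weigh a finding against. Suggested text, placed after `</description>`: `<rationale>Loss or theft of a system, especially a portable one, exposes all data on its unencrypted partitions; LUKS encryption keeps that data confidential when the storage is read outside the booted system.</rationale>`. The added sentence on the Kickstart holding the passphrase in plaintext is a good addition, and it is worth extending with the point that the installer typically leaves a copy of the Kickstart on the installed system (conventionally /root/anaconda-ks.cfg), so that copy must be protected or scrubbed as well. The unchanged context line `Red Had Documentation web site:<br />` is a pre-existing typo the commit could fix while it is rewriting this description.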
