Signed-off-by: Jeffrey Blank <[email protected]>
---
 RHEL6/input/services/ssh.xml                      |    1 -
 RHEL6/input/system/accounts/pam.xml               |    1 -
 RHEL6/input/system/auditing.xml                   |    3 +--
 RHEL6/input/system/network/iptables.xml           |    1 -
 RHEL6/input/system/network/ssl.xml                |    4 ----
 RHEL6/input/system/software/disk_partitioning.xml |    7 ++++++-
 RHEL6/input/system/software/integrity.xml         |    3 +--
 RHEL6/input/system/software/updating.xml          |    3 +--
 8 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 4976568..901eefb 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -58,7 +58,6 @@ certain changes should be made to the OpenSSH daemon 
configuration
 file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be
 applied to this file. See the <tt>sshd_config(5)</tt> man page for more
 detailed information.</description>
-<ref disa="68,197,1632,779,781" />
 
 <Rule id="sshd_allow_only_protocol2" severity="high">
 <title>Allow Only SSH Protocol 2</title>
diff --git a/RHEL6/input/system/accounts/pam.xml 
b/RHEL6/input/system/accounts/pam.xml
index ba9a285..95b21c1 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -40,7 +40,6 @@ files, destroying any manually made changes and replacing 
them with
 a series of system defaults. One reference to the configuration
 file syntax can be found at
 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html.</warning>
-<ref disa="1391,1392" />
 
 <Value id="password_history_retain_number" type="number"
 operator="equals" interactive="0">
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index e6ab516..d07d9ed 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -93,7 +93,7 @@ actions will be taken if other obstacles exist.
 </rationale>
 <ident cce="4292-9" />
 <oval id="service_auditd_enabled" />
-<ref nist="CM-6, CM-7" 
disa="169,157,172,174,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120"
 />
+<ref nist="CM-6, CM-7" 
disa="347,169,157,172,174,880,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120,1589"
 />
 <tested by="DS" on="20121024"/>
 </Rule>
 
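Review bot: The new `disa` list on `service_auditd_enabled` picks up only 347, 880 and 1589 from the group-level `<ref>` that the next hunk in this file deletes; 171, 1571, 85 and 1356 from that list do not reappear on any rule shown in this patch (374 is added to the periodic-AIDE rule in integrity.xml). The same gap appears for the group-level lists deleted in ssh.xml, pam.xml, iptables.xml and ssl.xml, and the second ssl.xml deletion also drops the `nist="AC-3, AC-17, CM-6, SC-12, SC-13"` mapping. If those identifiers are not already carried by rules outside these hunks, the generated guide loses that control traceability. Each one should either be attached to the rule that satisfies it or be named in the commit message as intentionally dropped.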
@@ -459,7 +459,6 @@ After reviewing all the rules, reading the following 
sections, and
 editing as needed, the new rules can be activated as follows:
 <pre># service auditd restart</pre>
 </description>
-<ref disa="171,172,1115,1454,1487,1571,1589,880,347,85,1356,374,130" />
 
 <Group id="audit_time_rules">
 <title>Records Events that Modify Date and Time Information</title>
diff --git a/RHEL6/input/system/network/iptables.xml 
b/RHEL6/input/system/network/iptables.xml
index d63b99f..cf39f23 100644
--- a/RHEL6/input/system/network/iptables.xml
+++ b/RHEL6/input/system/network/iptables.xml
@@ -18,7 +18,6 @@ the iptables and ip6tables configurations included with the 
system.
 For more complete information that may allow the construction of a
 sophisticated ruleset tailored to your environment, please consult
 the references at the end of this section.</description>
-<ref disa="66,86" />
 
 <Group id="iptables_activation">
 <title>Inspect and Activate Default Rules</title>
diff --git a/RHEL6/input/system/network/ssl.xml 
b/RHEL6/input/system/network/ssl.xml
index 0c35dc7..984d4a2 100644
--- a/RHEL6/input/system/network/ssl.xml
+++ b/RHEL6/input/system/network/ssl.xml
@@ -49,9 +49,6 @@ process are:
 </ol>
 </description>
 
-
-<ref disa="1130,1131,1127,1128,1129,187" />
-
 <Group id="network_ssl_create_ca">
 <title>Create a CA to Sign Certificates</title>
 <description>The following instructions apply to OpenSSL since it is included
@@ -137,7 +134,6 @@ To avoid this warning, and properly authenticate the 
servers, your CA certificat
 application on every client system that will be connecting to an SSL-enabled 
server.</description>
 <!--<ident cce="TODO" />-->
 <!--TODO:MANUAL<oval id="network_ssl_enable_client_support" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" disa="185" />
 </Group>
 
 <Group id="network_ssl_add_ca_firefox">
diff --git a/RHEL6/input/system/software/disk_partitioning.xml 
b/RHEL6/input/system/software/disk_partitioning.xml
index 484117b..932e6e8 100644
--- a/RHEL6/input/system/software/disk_partitioning.xml
+++ b/RHEL6/input/system/software/disk_partitioning.xml
@@ -100,7 +100,7 @@ of space.
 </rationale>
 <ident cce="14171-3" />
 <oval id="mount_var_log_audit_own_partition" />
-<ref nist="CM-6, AU-9" disa="137,1208"/>
+<ref nist="CM-6, AU-9" disa="137,138,1208"/>
 <tested by="MM" on="20120928"/>
 </Rule>
 
@@ -153,6 +153,11 @@ 
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guid
 <ocil clause="encryption must be used and is not employed">
 Determine if encryption must be used to protect data on the system. 
 </ocil>
+<rationale>
+The risk of a system's physical compromise, particularly mobile systems such as
+laptops, places its data at risk of compromise.  Encrypting this data mitigates
+the risk of its loss if the system is lost.
+</rationale>
 <ref disa="1019,1199,1200" />
 </Rule>
 
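Review bot: The added `<rationale>` says encryption mitigates the risk of the data's "loss", but partition encryption protects confidentiality rather than availability, and the first sentence is circular ("risk of ... compromise ... places its data at risk of compromise"). Suggested wording: `The physical compromise of a system, particularly a mobile system such as a laptop, exposes its data to unauthorized disclosure.` followed by `Encrypting the data at rest mitigates this disclosure risk if the system is lost or stolen.` It may also be worth stating that the protection holds only while the encrypted volume is locked, for example when the system is powered off, since that is the scenario the rationale describes. The enclosing `<Rule>` starts outside this hunk.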
diff --git a/RHEL6/input/system/software/integrity.xml 
b/RHEL6/input/system/software/integrity.xml
index fe548f3..9be9221 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -23,7 +23,6 @@ database should be created immediately after your system is 
built,
 and before the system is connected to any network. AIDE is highly
 configurable, with further configuration information located in
 <tt>/usr/share/doc/aide-<i>VERSION</i></tt></description>
-<ref disa="374,1069,1297,1589"/>
 
 
 <Rule id="install_aide" severity="medium">
@@ -97,7 +96,7 @@ To determine that periodic AIDE execution has been scheduled, 
run the following
 By default, AIDE does not install itself for periodic execution. Periodically
 running AIDE may reveal unexpected changes in installed files.
 </rationale>
-<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1263"/>
+<ref nist="CM-6, SC-28, SI-7" disa="374,416,1069,1263,1297,1589"/>
 </Rule>
 <!--
 <Group id="aide_verify_integrity_manually">
diff --git a/RHEL6/input/system/software/updating.xml 
b/RHEL6/input/system/software/updating.xml
index 00e44e7..2bd9fa4 100644
--- a/RHEL6/input/system/software/updating.xml
+++ b/RHEL6/input/system/software/updating.xml
@@ -16,7 +16,6 @@ with the Installed Software Catalog to ensure all system 
metadata is
 accurate with regard to installed software and security patches, and
 for this reason, their use is strongly encouraged.
 </description>
-<ref disa="1233" />
 
 <Rule id="ensure_redhat_gpgkey_installed" severity="high">
 <title>Ensure Red Hat GPG Key Installed</title>
@@ -124,7 +123,7 @@ to determine if the system is missing applicable updates.
 Installing software updates is a fundamental mitigation against
 the exploitation of publicly-known vulnerabilities.
 </rationale>
-<ref nist="SI-2" disa="1227"/>
+<ref nist="SI-2" disa="1227,1233"/>
 <tested by="MM" on="20120928"/>
 </Rule>
 </Group>
-- 
1.7.1
