>From 22ac728392a4ab4c88c8a02842be7988ab1f4214 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Tue, 25 Dec 2012 16:18:32 -0500 Subject: [PATCH 07/17] Removed AC-3 mapping against various rules AC-3 states that DAC and MAC systems must be enabled, and that FIPS be used whenever possible. It does *not* call out file permissions, network firewalls, etc... those things are set later (e.g. CM-6, SC-*).
---
 RHEL6/input/system/accounts/banners.xml | 6 ++--
 RHEL6/input/system/accounts/physical.xml | 12 ++++----
 .../accounts/restrictions/password_expiration.xml | 6 ++--
 .../accounts/restrictions/password_storage.xml | 2 +-
 .../system/accounts/restrictions/root_logins.xml | 6 ++--
 RHEL6/input/system/accounts/session.xml | 2 +-
 RHEL6/input/system/logging.xml | 8 ++--
 RHEL6/input/system/network/kernel.xml | 6 ++--
 RHEL6/input/system/network/ssl.xml | 8 ++--
 RHEL6/input/system/permissions/execution.xml | 4 +-
 RHEL6/input/system/permissions/files.xml | 32 ++++++++++----------
 RHEL6/input/system/software/integrity.xml | 2 +-
 12 files changed, 47 insertions(+), 47 deletions(-)

diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml
index 157edc8..b0e087e 100644
--- a/RHEL6/input/system/accounts/banners.xml
+++ b/RHEL6/input/system/accounts/banners.xml
@@ -79,7 +79,7 @@ process and facilitates possible legal action against attackers.
 </rationale>
 <ident cce="26974-6" />
 <oval id="banner_etc_issue" value="login_banner_text"/>
-<ref nist="AC-3, CM-6, AC-8" disa="48,1384,1385,1386,1387,1388" />
+<ref nist="CM-6, AC-8" disa="48,1384,1385,1386,1387,1388" />
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -116,7 +116,7 @@ process and facilitates possible legal action against attackers.
 </rationale>
 <ident cce="27195-7" />
 <oval id="banner_gui_enabled" />
-<ref nist="AC-3, CM-6, AC-8" disa="48,50" />
+<ref nist="CM-6, AC-8" disa="48,50" />
 </Rule>
 
 <Rule id="set_gdm_login_banner_text" severity="medium">
@@ -144,7 +144,7 @@ process and facilitates possible legal action against attackers.
 </rationale>
 <ident cce="27017-3" />
 <oval id="banner_gui_text_set" value="login_banner_text" />
-<ref nist="AC-3, CM-6, AC-8" disa="48,1384,1385,1386,1387,1388" />
+<ref nist="CM-6, AC-8" disa="48,1384,1385,1386,1387,1388" />
 </Rule>
 </Group>
 
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml
index e914c6a..3ed7712 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -35,7 +35,7 @@ Only root should be able to modify important boot parameters.
 </rationale>
 <ident cce="26995-1" />
 <oval id="file_user_owner_grub_conf" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -53,7 +53,7 @@ file should not have any access privileges anyway.
 </rationale>
 <ident cce="27022-3" />
 <oval id="file_group_owner_grub_conf" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -70,7 +70,7 @@ parameters.
 </rationale>
 <ident cce="26949-8" />
 <oval id="file_permissions_grub_conf" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -99,7 +99,7 @@ and whether to enter single-user mode.
 </rationale>
 <ident cce="26911-8" />
 <oval id="bootloader_password" />
-<ref nist="CM-7, IA-5, AC-3" disa="213" />
+<ref nist="CM-7, IA-5" disa="213" />
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -265,7 +265,7 @@ screen locking to prevent access from passersby.
 </rationale>
 <ident cce="26828-4" />
 <oval id="gconf_gnome_screensaver_idle_delay" value="inactivity_timeout_value" />
-<ref nist="AC-3, CM-6, CM-7, AC-11" disa="57"/>
+<ref nist="CM-6, CM-7, AC-11" disa="57"/>
 </Rule>
 
 <Rule id="enable_screensaver_after_idle" severity="medium">
@@ -316,7 +316,7 @@ access the system, preventing access by passersby.
 </rationale>
 <ident cce="26235-2" />
 <oval id="gconf_gnome_screensaver_lock_enabled" />
-<ref nist="AC-3, CM-6, CM-7, AC-11" disa="57" />
+<ref nist="CM-6, CM-7, AC-11" disa="57" />
 </Rule>
 
 <Rule id="set_blank_screensaver">
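Review bot: Dropping AC-3 from the three grub.conf ownership/permission rules in this hunk (file_user_owner_grub_conf, file_group_owner_grub_conf, file_permissions_grub_conf) leaves file-level access control mapped only to CM-6, and the same applies to file_permissions_home_dirs in session.xml, the rsyslog file ownership/permission rules in logging.xml, and the /etc/shadow, /etc/passwd, /etc/group and /etc/gshadow rules in files.xml. The commit message reads AC-3 as only requiring DAC/MAC to be enabled, which appears to describe the control enhancements rather than the base control: AC-3 (Access Enforcement) asks the system to enforce approved authorizations for logical access to resources, and per-file owner, group and mode is precisely the DAC mechanism doing that enforcement. CM-6 (Configuration Settings) records that a setting is configured but says nothing about the access-control intent, so a consumer of the mapping that filters on AC controls would presumably no longer see these rules. Consider keeping `AC-3` on the ownership/permission rules (e.g. `<ref nist="AC-3, CM-6" disa="225"/>` as before), or, if the narrower reading is intended, stating that reasoning in the commit description so the mapping change is auditable.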
diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
index fd26a64..9a73326 100644
--- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
@@ -103,7 +103,7 @@ behavior that may result.
 </rationale>
 <ident cce="27002-5" />
 <oval id="accounts_password_minlen_login_defs" value="var_password_min_len"/>
-<ref nist="CM-6, CM-7, IA-5, AC-3" disa="205"/>
+<ref nist="CM-6, CM-7, IA-5" disa="205"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -158,7 +158,7 @@ increases the risk of users writing down the password in a convenient location
 subject to physical compromise.</rationale>
 <ident cce="26985-2" />
 <oval id="accounts_maximum_age_login_defs" value="var_password_max_age"/>
-<ref nist="CM-6, CM-7, IA-5, AC-3" disa="180,199" />
+<ref nist="CM-6, CM-7, IA-5" disa="180,199" />
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -184,7 +184,7 @@ make the change at a practical time.
 </rationale>
 <ident cce="26988-6" />
 <oval id="accounts_password_warn_age_login_defs" value="var_password_warn_age" />
-<ref nist="CM-6, CM-7, IA-5, AC-3" />
+<ref nist="CM-6, CM-7, IA-5" />
 <tested by="DS" on="20121026"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index 21de2d2..c94d8be 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -38,7 +38,7 @@ environments.
 </rationale>
 <ident cce="27038-9" />
 <oval id="accounts_pam_no_nullok" />
-<ref nist="AC-3, CM-6, IA-5" />
+<ref nist="CM-6, IA-5" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 35bac20..3e12104 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -84,7 +84,7 @@ using the root account.
 </rationale>
 <ident cce="27047-0" />
 <oval id="securetty_no_serial" />
-<ref nist="AC-3, AC-6" disa="770" />
+<ref nist="AC-6" disa="770" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -141,7 +141,7 @@ become inaccessible.
 </warning>
 <ident cce="26966-2" />
 <oval id="accounts_nologin_for_system" />
-<ref nist="AC-3, CM-6" disa="178" />
+<ref nist="CM-6" disa="178" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -167,7 +167,7 @@ access to root privileges in an accountable manner.
 </rationale>
 <ident cce="26971-2" />
 <oval id="accounts_no_uid_except_zero" />
-<ref nist="AC-3, AC-11, CM-6, CM-7" disa="366" />
+<ref nist="AC-11, CM-6, CM-7" disa="366" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml
index 1958bb7..a304ba5 100644
--- a/RHEL6/input/system/accounts/session.xml
+++ b/RHEL6/input/system/accounts/session.xml
@@ -147,7 +147,7 @@ groups or ACLs.
 </rationale>
 <ident cce="26981-1" />
 <oval id="file_permissions_home_dirs" />
-<ref nist="AC-3, CM-6"/>
+<ref nist="CM-6"/>
 </Rule>
 
 <Group id="user_umask">
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml
index 9a490eb..a557e5a 100644
--- a/RHEL6/input/system/logging.xml
+++ b/RHEL6/input/system/logging.xml
@@ -112,7 +112,7 @@ permissions:
 will not create it and important log messages can be lost.
 </rationale>
 <ident cce="26818-5" />
-<ref nist="AC-3, CM-6" />
+<ref nist="CM-6" />
 </Rule>
 
 <Rule id="userowner_rsyslog_files" severity="medium">
@@ -137,7 +137,7 @@ configuration, user authentication, and other such information. Log files should
 protected from unauthorized access.</rationale>
 <ident cce="26812-8" />
 <oval id="rsyslog_files_ownership" />
-<ref nist="AC-3, CM-6" disa="1314"/>
+<ref nist="CM-6" disa="1314"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -163,7 +163,7 @@ configuration, user authentication, and other such information. Log files should
 protected from unauthorized access.</rationale>
 <ident cce="26821-9" />
 <oval id="rsyslog_files_groupownership" />
-<ref nist="AC-3, CM-6" disa="1314"/>
+<ref nist="CM-6" disa="1314"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -192,7 +192,7 @@ users could change the logged data, eliminating their forensic value.
 </rationale>
 <ident cce="27190-8" />
 <oval id="rsyslog_files_permissions" />
-<ref nist="AC-3, CM-6" disa="1314"/>
+<ref nist="CM-6" disa="1314"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml
index 08190ba..a7320ad 100644
--- a/RHEL6/input/system/network/kernel.xml
+++ b/RHEL6/input/system/network/kernel.xml
@@ -58,7 +58,7 @@ interface to another. The ability to forward packets between two networks is
 only appropriate for routers.</rationale>
 <ident cce="26866-4" />
 <oval id="sysctl_net_ipv4_ip_forward" />
-<ref nist="AC-3, CM-6, CM-7, SC-5" disa="366"/>
+<ref nist="CM-6, CM-7, SC-5" disa="366"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group>
@@ -331,7 +331,7 @@ addresses makes the system slightly more difficult to enumerate on the network.
 </rationale>
 <ident cce="26883-9" />
 <oval id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" value="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" />
-<ref nist="AC-3, CM-6, CM-7, SC-5" disa="1551"/>
+<ref nist="CM-6, CM-7, SC-5" disa="1551"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -348,7 +348,7 @@ addresses makes the system slightly more difficult to enumerate on the network.
 log size, although some activity would not be logged.</rationale>
 <ident cce="26993-6" />
 <oval id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" value="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" />
-<ref nist="AC-3, CM-6, CM-7, SC-5" />
+<ref nist="CM-6, CM-7, SC-5" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/network/ssl.xml b/RHEL6/input/system/network/ssl.xml
index 984d4a2..0fb8c59 100644
--- a/RHEL6/input/system/network/ssl.xml
+++ b/RHEL6/input/system/network/ssl.xml
@@ -152,7 +152,7 @@ web sites, e-mail users, and software developers and trust it for each according
 </description>
 <!--<ident cce="TODO" />-->
 <!--TODO:MANUAL<oval id="network_ssl_add_ca_firefox" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" />
+<ref nist="AC-17, CM-6, SC-12, SC-13" />
 </Group>
 
 <Group id="network_ssl_add_ca_thunderbird">
@@ -171,7 +171,7 @@ web sites, e-mail users, and software developers and trust it for each according
 </description>
 <!--<ident cce="TODO" />-->
 <!--TODO:MANUAL<oval id="network_ssl_add_ca_thunderbird" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" />
+<ref nist="AC-17, CM-6, SC-12, SC-13" />
 </Group>
 
 <Group id="network_ssl_add_ca_evolution">
@@ -190,7 +190,7 @@ web sites, e-mail users, and software developers and trust it for each according
 </description>
 <!--<ident cce="TODO" />-->
 <!--TODO:MANUAL<oval id="network_ssl_add_ca_evolution" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" />
+<ref nist="AC-17, CM-6, SC-12, SC-13" />
 </Group>
 
 <Group id="network_ssl_remove_certs">
@@ -202,7 +202,7 @@ Internet-connected system.
 </description>
 <!--<ident cce="TODO" />-->
 <!--TODO:MANUAL<oval id="network_ssl_remove_certs" />-->
-<ref nist="AC-3, AC-17, CM-6, SC-12, SC-13" />
+<ref nist="AC-17, CM-6, SC-12, SC-13" />
 </Group>
 </Group><!--<Group id="network_ssl">-->
 
diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml
index f04432a..e4e2a1b 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -47,7 +47,7 @@ process at run time. An unnecessarily permissive umask could result in files
 being created with insecure permissions.</rationale>
 <ident cce="27031-4" />
 <oval id="umask_for_daemons" value="var_umask_for_daemons"/>
-<ref nist="AC-3, CM-6"/>
+<ref nist="CM-6"/>
 </Rule>
 </Group>
 
@@ -148,7 +148,7 @@ in order to re-purpose it using return oriented programming (ROP) techniques.
 </rationale>
 <ident cce="26999-3" />
 <oval id="sysctl_kernel_randomize_va_space" />
-<ref nist="AC-3, CM-6" />
+<ref nist="CM-6" />
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index d9940aa..f614569 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -28,7 +28,7 @@ to root provides the designated owner with access to sensitive information
 which could weaken the system security posture.</rationale>
 <ident cce="26947-2" />
 <oval id="file_owner_etc_shadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -40,7 +40,7 @@ which could weaken the system security posture.</rationale>
 critical for system security.</rationale>
 <ident cce="26967-0" />
 <oval id="file_groupowner_etc_shadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -55,7 +55,7 @@ to root provides the designated owner with access to sensitive information
 which could weaken the system security posture.</rationale>
 <ident cce="26992-8" />
 <oval id="file_permissions_etc_shadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -67,7 +67,7 @@ which could weaken the system security posture.</rationale>
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26822-7" />
 <oval id="file_owner_etc_group" />
-<ref nist="AC-3, CM-6"/>
+<ref nist="CM-6"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -79,7 +79,7 @@ on the system. Protection of this file is important for system security.</ration
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26930-8" />
 <oval id="file_groupowner_etc_group" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -91,7 +91,7 @@ on the system. Protection of this file is important for system security.</ration
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26954-8" />
 <oval id="file_permissions_etc_group" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -103,7 +103,7 @@ on the system. Protection of this file is important for system security.</ration
 is critical for system security.</rationale>
 <ident cce="27026-4" />
 <oval id="file_owner_etc_gshadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -115,7 +115,7 @@ is critical for system security.</rationale>
 is critical for system security.</rationale>
 <ident cce="26975-3" />
 <oval id="file_groupowner_etc_gshadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -127,7 +127,7 @@ is critical for system security.</rationale>
 is critical for system security.</rationale>
 <ident cce="26951-4" />
 <oval id="file_permissions_etc_gshadow" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
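Review bot: The rewritten `+<ref nist="CM-6"/>` for file_owner_etc_group in the first hunk here is the only /etc/group or /etc/gshadow reference without a `disa` attribute; its siblings file_groupowner_etc_group and file_permissions_etc_group, and the /etc/shadow, /etc/passwd and /etc/gshadow rules, all carry `disa="225"`. The gap is pre-existing, but since the line is being rewritten anyway, `<ref nist="CM-6" disa="225"/>` would make the mapping consistent, provided the same DISA identifier really applies to ownership of /etc/group — that is worth confirming against the DISA source rather than assuming from the siblings. file_permissions_unauthorized_suid (@@ -397) and dir_perms_world_writable_system_owned (@@ -478) likewise lose their only other reference and keep no `disa`, though those are different rule classes and may intentionally have no DISA mapping.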
@@ -139,7 +139,7 @@ is critical for system security.</rationale>
 the system. Protection of this file is critical for system security.</rationale>
 <ident cce="26953-0" />
 <oval id="file_owner_etc_passwd" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -151,7 +151,7 @@ the system. Protection of this file is critical for system security.</rationale>
 the system. Protection of this file is critical for system security.</rationale>
 <ident cce="26856-5" />
 <oval id="file_groupowner_etc_passwd" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -165,7 +165,7 @@ accounts on the system and associated information, and protection of this file
 is critical for system security.</rationale>
 <ident cce="26868-0" />
 <oval id="file_permissions_etc_passwd" />
-<ref nist="AC-3, CM-6" disa="225"/>
+<ref nist="CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 </Group>
@@ -397,7 +397,7 @@ unprivileged users to elevate privileges. The presence of these files should be
 strictly controlled on the system.</rationale>
 <ident cce="26497-8" />
 <oval id="file_permissions_unauthorized_suid" />
-<ref nist="AC-3, CM-6"/>
+<ref nist="CM-6"/>
 </Rule>
 
 
@@ -425,7 +425,7 @@ and the cause should be discovered and addressed.
 </rationale>
 <ident cce="27032-2" />
 <oval id="file_permissions_unowned" />
-<ref nist="AC-3, CM-6" disa="224"/>
+<ref nist="CM-6" disa="224"/>
 </Rule>
 
 <Rule id="no_files_unowned_by_group">
@@ -452,7 +452,7 @@ and the cause should be discovered and addressed.
 </rationale>
 <ident cce="26872-2" />
 <oval id="file_permissions_ungroupowned" />
-<ref nist="AC-3, CM-6" disa="224"/>
+<ref nist="CM-6" disa="224"/>
 </Rule>
 
 <Rule id="world_writable_files_system_ownership">
@@ -478,7 +478,7 @@ users.
 </rationale>
 <ident cce="26642-9" />
 <oval id="dir_perms_world_writable_system_owned" />
-<ref nist="AC-3, CM-6"/>
+<ref nist="CM-6"/>
 <tested by="swells" on="20120929"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index 184efdb..e1308f6 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -161,7 +161,7 @@ The permissions set by the vendor should be maintained. Any deviations from this
 baseline should be investigated.</rationale>
 <ident cce="26731-0" />
 <oval id="rpm_verify_permissions" />
-<ref nist="AC-3" disa="1493,1494,1495" />
+<ref nist="CM-6" disa="1493,1494,1495" />
 </Rule>
 
 <Rule id="rpm_verify_hashes">
-- 
1.7.1
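Review bot: The integrity.xml hunk substitutes CM-6 for AC-3 on rpm_verify_permissions instead of removing it, which the subject "Removed AC-3 mapping against various rules" does not cover; a reader checking the change against its title would expect only deletions of the control. Presumably CM-6 is added because this rule had no other NIST reference and would otherwise be left with an empty mapping, so one sentence in the description saying so would make the hunk self-explanatory. Verifying vendor-set permissions with rpm is arguably also an integrity check (SI-7) rather than purely a configuration setting, which may be worth considering alongside CM-6.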
