>From 253d7ed477d222461495bbf19a1568e9210594c2 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Tue, 25 Dec 2012 17:01:10 -0500 Subject: [PATCH 08/17] Removed AC-4 mappings Removed numerous AC-4 mappings. AC-4 calls for the IS to *enforce* flow control (e.g. turn on iptables, selinux) but does not give configuration guidance. This is enabled in later controls.
---
 RHEL6/input/services/avahi.xml | 8 ++++----
 RHEL6/input/services/ldap.xml | 4 ++--
 RHEL6/input/services/mail.xml | 3 +--
 RHEL6/input/system/network/iptables.xml | 18 +++++++++---------
 RHEL6/input/system/selinux.xml | 6 +++---
 5 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/RHEL6/input/services/avahi.xml b/RHEL6/input/services/avahi.xml
index f7ad4c9..fcfb8ec 100644
--- a/RHEL6/input/services/avahi.xml
+++ b/RHEL6/input/services/avahi.xml
@@ -75,7 +75,7 @@ properly-configured router or firewall should not allow mDNS packets into the local network at all, this option provides another check to ensure they are not permitted.
 </rationale>
-<ref nist="AC-4, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Rule>
@@ -90,7 +90,7 @@ and ensure the following line appears in the <tt>[server]</tt> section. This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system.
 </rationale>
-<ref nist="AC-4, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Rule>
@@ -105,7 +105,7 @@ and ensure the following line appears in the <tt>[server]</tt> section. This helps ensure that only Avahi is responsible for mDNS traffic coming from that port on the system.
 </rationale>
-<ref nist="AC-4, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Rule>
@@ -135,7 +135,7 @@ disable-publishing. Alternatively, these can be used to restrict the types of published information in the event that some information must be published.
 </rationale>
-<ref nist="AC-4, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Group>
 </Group>
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml
index 5246370..f8ef293 100644
--- a/RHEL6/input/services/ldap.xml
+++ b/RHEL6/input/services/ldap.xml
@@ -344,7 +344,7 @@ be able to change data without an explicit access statement.
 </description>
 <!--<ident cce="TODO:CCE" />-->
 <oval id="ldap_server_config_olcaccess" />
-<ref nist="AC-2, AC-4, AC-6, CM-7, SC-2" />
+<ref nist="AC-2, AC-6, CM-7, SC-2" />
 </Rule>
 <Rule id="ldap_server_config_directory_file_security">
@@ -377,7 +377,7 @@ by connecting to the primary port and issuing the STARTTLS command.
 </description>
 <!--<ident cce="TODO:CCE" />-->
 <oval id="iptables_ldap_enabled" />
-<ref nist="AC-4, CM-7, SC-2, SC-5, SC-7" />
+<ref nist="CM-7, SC-2, SC-5, SC-7" />
 </Rule>
 <Rule id="ldap_server_config_logging">
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml
index 2e2fe35..cd545b7 100644
--- a/RHEL6/input/services/mail.xml
+++ b/RHEL6/input/services/mail.xml
@@ -128,7 +128,6 @@ escalation or denial of service attacks which might compromise the mail service.
 ensure that only system administrators are allowed shell access to the MTA host.
 </description>
 <!-- <ident cce="TODO:CCE" /> -->
-<ref nist="AC-2, AC-4, CM-7, SC-2" />
 </Group>
 <Rule id="iptables_smtp_enabled">
@@ -141,7 +140,7 @@ that access, while keeping other ports on the server in their default protected
 </rationale>
 <!-- <ident cce="TODO:CCE" /> -->
 <oval id="iptables_smtp_enabled" />
-<ref nist="AC-4, CM-7, SC-7" />
+<ref nist="CM-7, SC-7" />
 </Rule>
 <Rule id="postfix_logging">
diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml
index 141705d..755c51d 100644
--- a/RHEL6/input/system/network/iptables.xml
+++ b/RHEL6/input/system/network/iptables.xml
@@ -1,5 +1,5 @@
 <Group id="network-iptables">
-<title>Iptables and Ip6tables</title>
+<title>IPTables and Ip6tables</title>
 <description>A host-based firewall called Netfilter is included as part of the Linux kernel distributed with the system. It is activated by default. This firewall is controlled by the program
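Review bot: The mail.xml hunk at `@@ -128,7 +128,6 @@` deletes the whole `<ref nist="AC-2, AC-4, CM-7, SC-2" />` element instead of stripping only AC-4, so that Group also loses its AC-2, CM-7 and SC-2 mappings, which the commit message ("Removed AC-4 mappings") does not account for. If the intent is that a `<ref>` directly under a `<Group>` (rather than a `<Rule>`) is ignored by the build, that should be stated in the message; otherwise keep `<ref nist="AC-2, CM-7, SC-2" />` as every other hunk in this patch does. The enclosing Group's start lies outside the hunk, so I cannot tell from here whether this is the only `<ref>` it carried.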
@@ -59,7 +59,7 @@ capability for IPv6 and ICMPv6.
 </rationale>
 <ident cce="27006-6" />
 <oval id="service_ip6tables_enabled" />
-<ref nist="CM-6, CM-7" disa="32,66,1115,1118,1092,1117,1098,1100,1097,1414"/>
+<ref nist="AC-4,CM-6,CM-7" disa="32,66,1115,1118,1092,1117,1098,1100,1097,1414"/>
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -75,7 +75,7 @@ capability for IPv4 and ICMP.
 </rationale>
 <ident cce="27018-1" />
 <oval id="service_iptables_enabled" />
-<ref nist="CM-6, CM-7" disa="32,66,1115,1118,1092,1117,1098,1100,1097,1414" />
+<ref nist="AC-4,CM-6,CM-7" disa="32,66,1115,1118,1092,1117,1098,1100,1097,1414" />
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group><!--<Group id="iptables_activation">-->
@@ -112,7 +112,7 @@ changes to the firewall configuration because it re-writes the saved
 configuration file.</warning>
 <Rule id="set_iptables_default_rule" severity="medium">
-<title>Set Default Iptables Policy for Incoming Packets</title>
+<title>Set Default IPTables Policy for Incoming Packets</title>
 <description>To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in
@@ -130,11 +130,11 @@ any packets which are not explicitly permitted should not be accepted.</rationale>
 <ident cce="26444-0" />
 <oval id="iptables_default_policy_drop" />
-<ref nist="AC-4, CM-6" disa="66,1109,1154,1414" />
+<ref nist="CM-6" disa="66,1109,1154,1414" />
 </Rule>
 <Rule id="set_iptables_default_rule_forward" severity="medium">
-<title>Set Default Iptables Policy for Forwarded Packets</title>
+<title>Set Default IPTables Policy for Forwarded Packets</title>
 <description>To set the default policy to DROP (instead of ACCEPT) for the built-in FORWARD chain which processes packets that will be forwarded from one interface to another,
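Review bot: In the `@@ -130,11 +130,11 @@` hunk, dropping AC-4 from `set_iptables_default_rule` while the earlier hunks on this line add it to `service_iptables_enabled`/`service_ip6tables_enabled` moves the mapping onto the weaker rule: an iptables service that is merely running with the default `ACCEPT` policy on INPUT enforces no information flow at all, so by the commit message's own "enforce" criterion the default-DROP rule is the one that makes the AC-4 claim true. Consider keeping `<ref nist="AC-4, CM-6" disa="66,1109,1154,1414" />` here (and on the FORWARD-chain rule in the following hunk) in addition to the service-enabled rules, or state in the message why service activation alone is taken to satisfy AC-4. The `set_iptables_default_rule_forward` rule begun in this hunk continues past its last line.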
@@ -153,7 +153,7 @@ The output should be similar to the following:
 <pre># grep ":FORWARD" /etc/sysconfig/iptables
 :FORWARD DROP [0:0</pre></ocil>
 <ident cce="27186-6" />
-<ref nist="AC-4, CM-6" disa="1109" />
+<ref nist="CM-6" disa="1109" />
 </Rule>
 <Group id="iptables_icmp_disabled">
@@ -174,7 +174,7 @@ If you are going to statically configure the machine's address, it should ignore
 could add another IPv6 address to the interface or alter important network settings:
 <pre>-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</pre>
 </description>
-<ref nist="AC-4, CM-6" />
+<ref nist="CM-6" />
 <rationale>Restricting other ICMPv6 message types in <tt>/etc/sysconfig/ip6tables</tt> is not recommended because the operation- of IPv6 depends heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</rationale>
 <!--<ident cce="26444-0" />-->
@@ -226,7 +226,7 @@ The following rule will log all traffic originating from a site-local address, w
 </description>
 <!--<ident cce="26444-0" />-->
 <!--MANUAL<oval id="iptables_log_and_drop_suspicious" />-->
-<ref nist="AC-4, AC-17, CM-6" />
+<ref nist="AC-17, CM-6" />
 </Group>
 </Group><!--<Group id="ruleset_modifications">-->
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index d01d89f..a409ae7 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
@@ -122,7 +122,7 @@ privileges.
 </rationale>
 <ident cce="26969-6" />
 <oval id="selinux_mode" value="var_selinux_state_name"/>
-<ref nist="AC-3, AC-6, CM-6" disa="22,32,26"/>
+<ref nist="AC-3,AC-4,AC-6,CM-6" disa="22,32,26"/>
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -148,7 +148,7 @@ targeted for exploitation, such as network or system services.
 </rationale>
 <ident cce="26875-5" />
 <oval id="selinux_policytype" value="var_selinux_policy_name"/>
-<ref nist="CM-6" disa="22,32"/>
+<ref nist="AC-4,CM-6" disa="22,32"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group>
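Review bot: The OCIL sample output in the `@@ -153,7 +153,7 @@` context, `:FORWARD DROP [0:0</pre></ocil>`, is missing its closing bracket; `iptables-save` writes the policy line as `:FORWARD DROP [0:0]`, so a checker comparing against the quoted text would be misled. Change it to `:FORWARD DROP [0:0]</pre></ocil>`. The `<ocil>` element this sits in starts before the hunk.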
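Review bot: In the `@@ -174,7 +174,7 @@` hunk the edited `<ref nist="CM-6" />` sits before `<rationale>`, whereas every other rule touched by this patch places `<ref>` after `<ident>`/`<oval>`; moving it below the `<!--<ident cce="26444-0" />-->` line keeps the element order the file otherwise uses. That rule has no `<oval>` and its only `<ident>` is commented out with CCE `26444-0`, which is the live CCE of `set_iptables_default_rule` in this same file (visible in the `@@ -130,11` hunk) and is also the commented-out ident in the `@@ -226,7` hunk, so it looks like a copied placeholder that would produce a duplicate identifier if ever uncommented — worth a `<!-- TODO: assign a distinct CCE; 26444-0 belongs to set_iptables_default_rule -->` note until a real one is assigned. The `<Rule>` start and end for the ICMPv6 rule lie outside the hunk.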
@@ -167,7 +167,7 @@ file context is applied to files. This allows automatic correction of file
 contexts created by some programs.</rationale>
 <ident cce="26991-0" />
 <oval id="service_restorecond_enabled" />
-<ref nist="AC-3, AC-6, CM-6" />
+<ref nist="AC-3,AC-4,AC-6, CM-6" />
 </Rule>
-- 
1.7.1
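Review bot: The new `<ref nist="AC-3,AC-4,AC-6, CM-6" />` mixes two separators in one attribute (`,` and `, `) where the removed line used `, ` throughout; unless the build's reference handling splits on a bare comma and trims whitespace (I cannot see it from here), a token like ` CM-6` may not match, so use one form — `<ref nist="AC-3, AC-4, AC-6, CM-6" />` matches the rest of this file and the avahi/ldap/mail hunks, and the iptables and selinux `+` lines earlier in this patch that switched to the no-space form should follow the same choice. Separately, by the commit message's own criterion (AC-4 is satisfied by a mechanism that *enforces* information flow), `restorecond` only re-applies file labels after they are created and enforces nothing itself, so its AC-4 mapping is weaker than the ones added to `selinux_mode` and the iptables service rules; if it is kept, a one-line justification in the message would save the next reviewer the same question. The `<Rule>` start lies outside the hunk.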
