>From b221667c18c6d6a75ce3839f65a6887f26220085 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 25 Jan 2013 22:49:51 -0500 Subject: [PATCH 5/6] Finished USGCB profile - There were a few USGCBv5 rules that were not in SSG. Created a new ticket group to track these for inclusion/discussion: https://fedorahosted.org/scap-security-guide/report/3 ("USGCB Baseline Release" section)
- Updated all selector values to reflect USGCBv5 values
- Did NOT include additional rules beyond what USGCBv5 had.
---
 RHEL6/input/profiles/usgcb-rhel6-server.xml | 129 ++++++++++++++++++++++++++-
 1 files changed, 125 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index 6cf2d31..ec280f7 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -142,9 +142,130 @@
 <select idref="set_sysctl_net_ipv4_conf_all_rp_filter" selected="true" />
 <refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled" />
 <select idref="set_sysctl_net_ipv4_tcp_syncookies" selected="true" />
+<refine-value idref="sysctl_net_ipv4_conf_default_rp_filter_value" selector="enabled" />
+<select idref="set_sysctl_net_ipv4_conf_default_rp_filter" selected="true" />
+<select idref="wireless_disable_in_bios" selected="true" />
+<select idref="deactivate_wireless_interfaces" selected="true" />
+<select idref="service_bluetooth_disabled" selected="true" />
+<select idref="disable_ipv6_module_loading" selected="true" />
+<select idref="network_ipv6_disable_interfaces" selected="true" />
+<select idref="network_ipv6_disable_rpc" selected="true" />
+<refine-value idref="sysctl_net_ipv6_conf_default_accept_ra_value" selector="disabled" />
+<select idref="set_sysctl_net_ipv6_conf_default_accept_ra" selected="true" />
+<select idref="set_sysctl_ipv6_default_accept_redirects" selected="true" />
+<select idref="enable_ip6tables" selected="true" />
+<select idref="enable_iptables" selected="true" />
+<select idref="set_iptables_default_rule" selected="true" />
+<select idref="set_iptables_default_rule_forward" selected="true" />
+<select idref="disable_protocol_dccp" selected="true" />
+<select idref="disable_protocol_sctp" selected="true" />
+<select idref="disable_protocol_rds" selected="true" />
+<select idref="disable_protocol_tipc" selected="true" />
+<select idref="package_rsyslog_installed" selected="true" />
+<select idref="service_rsyslog_enabled" selected="true" />
+<select idref="rsyslog_file_permissions" selected="true" />
+<select idref="groupowner_rsyslog_files" selected="true" />
+<select idref="userowner_rsyslog_files" selected="true" />
+<select idref="rsyslog_send_messages_to_logserver" selected="true" />
+<select idref="rsyslog_accept_remote_messages_none" selected="true" />
+<select 
idref="ensure_logrotate_activated" selected="true" />
+<select idref="enable_auditd_service" selected="true" />
+<select idref="enable_auditd_bootloader" selected="true" />
+<select idref="audit_rules_time_adjtimex" selected="true" />
+<select idref="audit_rules_time_settimeofday" selected="true" />
+<select idref="audit_rules_time_stime" selected="true" />
+<select idref="audit_rules_time_clock_settime" selected="true" />
+<select idref="audit_rules_time_watch_localtime" selected="true" />
+<select idref="audit_account_changes" selected="true" />
+<select idref="audit_network_modifications" selected="true" />
+<select idref="audit_mac_changes" selected="true" />
+<select idref="audit_rules_dac_modification_chmod" selected="true" />
+<select idref="audit_rules_dac_modification_chown" selected="true" />
+<select idref="audit_rules_dac_modification_fchmod" selected="true" />
+<select idref="audit_rules_dac_modification_fchmodat" selected="true" />
+<select idref="audit_rules_dac_modification_fchown" selected="true" />
+<select idref="audit_rules_dac_modification_fchownat" selected="true" />
+<select idref="audit_rules_dac_modification_fremovexattr" selected="true" />
+<select idref="audit_rules_dac_modification_fsetxattr" selected="true" />
+<select idref="audit_rules_dac_modification_lchown" selected="true" />
+<select idref="audit_rules_dac_modification_lremovexattr" selected="true" />
+<select idref="audit_rules_dac_modification_lsetxattr" selected="true" />
+<select idref="audit_rules_dac_modification_removexattr" selected="true" />
+<select idref="audit_rules_dac_modification_setxattr" selected="true" />
+<select idref="audit_file_access" selected="true" />
+<select idref="audit_privileged_commands" selected="true" />
+<select idref="audit_media_exports" selected="true" />
+<select idref="audit_file_deletions" selected="true" />
+<select idref="audit_sysadmin_actions" selected="true" />
+<select idref="audit_kernel_module_loading" selected="true" />
+<select 
idref="audit_config_immutable" selected="true" />
+<select idref="disable_xinetd" selected="true" />
+<select idref="uninstall_xinetd" selected="true" />
+<select idref="disable_telnet_service" selected="true" />
+<select idref="uninstall_telnet_server" selected="true" />
+<select idref="uninstall_rsh" selected="true" />
+<select idref="disable_ypbind" selected="true" />
+<select idref="uninstall_ypserv" selected="true" />
+<select idref="disable_tftp" selected="true" />
+<select idref="uninstall_tftp-server" selected="true" />
+<select idref="wireless_disable_in_bios" selected="true" />
+<select idref="deactivate_wireless_interfaces" selected="true" />
+<select idref="service_bluetooth_disabled" selected="true" />
+<select idref="kernel_module_bluetooth_disabled" selected="true" />
+<select idref="service_kdump_disabled" selected="true" />
+<select idref="network_disable_zeroconf" selected="true" />
+<select idref="enable_cron" selected="true" />
+<select idref="disable_anacron" selected="true" />
+<!-- PLACEHOLDER: cron file perms go here when ready -->
+<select idref="disable_at" selected="true" />
+<select idref="sshd_allow_only_protocol2" selected="true" />
+<select idref="sshd_set_keepalive" selected="true" />
+<select idref="sshd_set_idle_timeout" selected="true" />
+<select idref="sshd_disable_rhosts" selected="true" />
+<select idref="disable_host_auth" selected="true" />
+<select idref="sshd_disable_root_login" selected="true" />
+<select idref="sshd_disable_empty_passwords" selected="true" />
+<select idref="sshd_enable_warning_banner" selected="true" />
+<select idref="sshd_do_not_permit_user_env" selected="true" />
+<select idref="sshd_use_approved_ciphers" selected="true" />
+<select idref="enable_gdm_login_banner" selected="true" />
+<select idref="disable_avahi" selected="true" />
+<select idref="disable_dhcp_server" selected="true" />
+<select idref="uninstall_dhcp_server" selected="true" />
+<select idref="enable_ntpd" selected="true" />
+<select 
idref="ntpd_specify_remote_server" selected="true" />
+<select idref="package_sendmail_removed" selected="true" />
+<!-- postfix package installed goes here -->
+<select idref="postfix_network_listening" selected="true" />
+<select idref="ldap_client_start_tls" selected="true" />
+<select idref="ldap_client_tls_cacertpath" selected="true" />
+<select idref="package_openldap-servers_removed" selected="true" />
+<select idref="service_nfslock_disabled" selected="true" />
+<select idref="service_rpcgssd_disabled" selected="true" />
+<select idref="service_rpcidmapd_disabled" selected="true" />
+<select idref="service_netfs_disabled" selected="true" />
+<select idref="service_portreserve_disabled" selected="true" />
+<select idref="service_rpcbind_disabled" selected="true" />
+<select idref="service_rpcsvcgssd_disabled" selected="true" />
+<select idref="use_nodev_option_on_nfs_mounts" selected="true" />
+<select idref="use_nosuid_option_on_nfs_mounts" selected="true" />
+<select idref="disable_dns_server" selected="true" />
+<select idref="uninstall_bind" selected="true" />
+<select idref="disable_vsftpd" selected="true" />
+<select idref="uninstall_vsftpd" selected="true" />
+<select idref="disable_httpd" selected="true" />
+<select idref="uninstall_httpd" selected="true" />
+<select idref="disable_dovecot" selected="true" />
+<select idref="uninstall_dovecot" selected="true" />
+<select idref="disable_smb_server" selected="true" />
+<select idref="require_smb_client_signing" selected="true" />
+<select idref="require_smb_client_signing_mount.cifs" selected="true" />
+<select idref="disable_squid" selected="true" />
+<select idref="uninetall_squid" selected="true" />
+<select idref="disable_snmpd" selected="true" />
+<select idref="uninstall_net" selected="true" />
+<select idref="service_autofs_disabled" selected="true" />
+<refine-value idref="var_account_disable_post_pw_expiration" selector="30" />
+<select idref="account_disable_post_pw_expiration" 
selected="true" />
-
-<!-- TO DO:
- - Leaving off at RHEL5 CCE-3840-6
- - Would be good to review USGCB NIST mappings. Low(er) priority than completing the profile -->
 </Profile>
-- 
1.7.1
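Review bot: `<select idref="uninetall_squid" selected="true" />` in the service block almost certainly misspells the rule id, so the select will not resolve to a rule and the squid package-removal check would silently drop out of the profile unless the build validates idrefs; it should read `<select idref="uninstall_squid" selected="true" />`, matching the `disable_*`/`uninstall_*` pairs around it. `wireless_disable_in_bios`, `deactivate_wireless_interfaces` and `service_bluetooth_disabled` are each selected twice, once after the rp_filter lines and again after `uninstall_tftp-server`; the second copies are redundant and should be removed. `uninstall_net` and `uninstall_tftp-server` do not follow the naming of the neighbouring ids (`uninstall_bind`, `uninstall_vsftpd`) and look truncated or inconsistent, so confirm they match an existing rule id before merging. The enclosing `<Profile>` element starts outside the hunk.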
