I nuked my git repo, recloned, and am still having the same problem. The docs have /bin/true but the check is for /bin/false.

Looks like the check is defined here:

input/checks/kernel_module_dccp_disabled.xml:

    <ind:pattern operation="pattern match">^\s*install\s+dccp\s+/bin/false$</ind:pattern>

And the documentation is driven by this macro:

scap-security-guide/RHEL6/transforms/shorthand2xccdf.xslt:

    <xsl:template match="module-disable-macro">
    To configure the system to prevent the <xhtml:code><xsl:value-of select="@module"/></xhtml:code> kernel module from being loaded, add the following line to a file in the directory <xhtml:code>/etc/modprobe.d</xhtml:code>:
    <xhtml:pre xml:space="preserve">install <xsl:value-of select="@module"/> /bin/true</xhtml:pre>
    </xsl:template>

From: [email protected] [mailto:[email protected]] On Behalf Of Shawn Wells
Sent: Friday, February 01, 2013 9:31 PM
To: [email protected]
Subject: Re: Inconsistent guidance and tests for disabling kernel modules (e.g. disable_protocol_dccp)

> On 2/2/13 12:04 AM, Philip Shuman wrote:
>> A number of the kernel modules that need to be disabled have inconsistent guidance and tests.
>>
>> The guidance says to add a file in /etc/modprobe.d/ with the content:
>>
>>     "install <module> /bin/true"
>>
>> However, the actual check in the scan tests for:
>>
>>     "install <module> /bin/false"
>>
>> This is a list of the ones I found:
>>
>>     $ cd scap-security-guide/RHEL6/dist/content
>>     $ grep -h install * | grep -E "rds|ticp|usb-storage|cramfs|freevsfs|jffs2|hfs|hfsplus|squashfs|udf|dccp|sctp" | grep -E "true|false"
>>     <ind:pattern operation="pattern match">^\s*install\s+hfs\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+sctp\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+rds\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+jffs2\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+dccp\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+udf\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+squashfs\s+/bin/false$</ind:pattern>
>>     <ind:pattern operation="pattern match">^\s*install\s+usb-storage\s+/bin/false$</ind:pattern>
>>     <xhtml:pre xml:space="preserve">install usb-storage /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install cramfs /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install freevsfs /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install jffs2 /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install hfs /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install hfsplus /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install squashfs /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install udf /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install dccp /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install sctp /bin/true</xhtml:pre>
>>     <xhtml:pre xml:space="preserve">install rds /bin/true</xhtml:pre>
>>
>> Either /bin/true or /bin/false should work to disable the modules. Setting our files to /bin/false causes the scans to pass right now.
>
> There was a patch to clean this up a few weeks ago:
> https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-January/002568.html
>
> I updated the macro which was generating the XCCDF content, pull the latest and you'll see it.
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
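The thread's underlying point is that an `install <module> /bin/true` line and an `install <module> /bin/false` line both stop the module from loading, while the OVAL pattern only accepted one spelling. The script below is an added example, not code from the scap-security-guide project or from anyone on the thread: it audits a modprobe.d directory for the modules listed above and, unlike the original check, accepts either binary. The `module_disabled` and `report_missing` function names and the sample `.conf` files it writes into a temporary directory are constructed for the demonstration; on a real host you would point it at `/etc/modprobe.d` instead.

```shell
#!/bin/sh
# Added example (not the scap-security-guide project's own check): audit a
# modprobe.d directory for "install <module> /bin/true|/bin/false" lines.

# module_disabled DIR MODULE
# Returns 0 if some *.conf file under DIR carries an install line that routes
# MODULE to /bin/true or /bin/false, 1 otherwise. The regex is the same shape
# as the OVAL pattern quoted in the thread, but accepts either binary, since
# both prevent the module from loading.
module_disabled() {
    dir=$1
    mod=$2
    grep -Eqs "^[[:space:]]*install[[:space:]]+${mod}[[:space:]]+/bin/(true|false)[[:space:]]*$" "$dir"/*.conf
}

# report_missing DIR MODULE...
# Prints, space-separated, the modules from the argument list that are NOT
# disabled under DIR (an empty line means everything is covered).
report_missing() {
    dir=$1
    shift
    missing=""
    for m in "$@"; do
        module_disabled "$dir" "$m" || missing="$missing $m"
    done
    echo "${missing# }"
}

# Constructed sample directory standing in for /etc/modprobe.d.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/dccp.conf" <<'EOF'
install dccp /bin/true
EOF
cat > "$SAMPLE_DIR/sctp.conf" <<'EOF'
# the form the original OVAL check expected
install sctp /bin/false
EOF
cat > "$SAMPLE_DIR/usb.conf" <<'EOF'
# blacklist only stops alias-driven autoloading; an explicit modprobe still
# loads the module, so this does not satisfy the check
blacklist usb-storage
EOF

# Usage: rds has no file at all and usb-storage is only blacklisted, so the
# report lists both of them.
report_missing "$SAMPLE_DIR" dccp sctp rds usb-storage
```

Because `grep -s` silences the "no such file" error when the `*.conf` glob matches nothing, an empty or missing directory simply reports every module as missing rather than aborting the audit.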
