>From 42e2a004b34fb41f47c4b38d7859b9191553794a Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sun, 14 Apr 2013 03:56:09 -0400 Subject: [PATCH 5/5] Enabled OVAL for service_ntpdate_disabled - Uncommented OVAL rule in XCCDF - Created OVAL for ntpdate via checks/templates/ process. Had to create OVAL for package & service checks for everything to work.
---
 RHEL6/input/checks/package_ntpdate_removed.xml | 25 ++++++
 RHEL6/input/checks/service_ntpdate_disabled.xml | 99 +++++++++++++++++++++++
 RHEL6/input/services/base.xml | 2 +-
 3 files changed, 125 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/checks/package_ntpdate_removed.xml
 create mode 100644 RHEL6/input/checks/service_ntpdate_disabled.xml
diff --git a/RHEL6/input/checks/package_ntpdate_removed.xml b/RHEL6/input/checks/package_ntpdate_removed.xml
new file mode 100644
index 0000000..a78fb82
--- /dev/null
+++ b/RHEL6/input/checks/package_ntpdate_removed.xml
@@ -0,0 +1,25 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
+ <definition class="compliance" id="package_ntpdate_removed"
+ version="1">
+ <metadata>
+ <title>Package ntpdate Removed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The RPM package ntpdate should be removed.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="package ntpdate is removed"
+ test_ref="test_package_ntpdate_removed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="none_exist"
+ id="test_package_ntpdate_removed" version="1"
+ comment="package ntpdate is removed">
+ <linux:object object_ref="obj_package_ntpdate" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_ntpdate" version="1">
+ <linux:name>ntpdate</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL6/input/checks/service_ntpdate_disabled.xml b/RHEL6/input/checks/service_ntpdate_disabled.xml
new file mode 100644
index 0000000..67fcbbd
--- /dev/null
+++ b/RHEL6/input/checks/service_ntpdate_disabled.xml
@@ -0,0 +1,99 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_services_disabled.py. DO NOT EDIT. -->
+ <definition class="compliance" id="service_ntpdate_disabled"
+ version="1">
+ <metadata>
+ <title>Service ntpdate Disabled</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The ntpdate service should be disabled if possible.</description>
+ </metadata>
+ <criteria comment="package ntpdate removed or service ntpdate is not configured to start" operator="OR">
+ <extend_definition comment="ntpdate removed" definition_ref="package_ntpdate_removed" />
+ <criteria operator="AND" comment="service ntpdate is not configured to start">
+ <criterion comment="ntpdate runlevel 0" test_ref="test_runlevel0_ntpdate" />
+ <criterion comment="ntpdate runlevel 1" test_ref="test_runlevel1_ntpdate" />
+ <criterion comment="ntpdate runlevel 2" test_ref="test_runlevel2_ntpdate" />
+ <criterion comment="ntpdate runlevel 3" test_ref="test_runlevel3_ntpdate" />
+ <criterion comment="ntpdate runlevel 4" test_ref="test_runlevel4_ntpdate" />
+ <criterion comment="ntpdate runlevel 5" test_ref="test_runlevel5_ntpdate" />
+ <criterion comment="ntpdate runlevel 6" test_ref="test_runlevel6_ntpdate" />
+ </criteria>
+ </criteria>
+ </definition>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel0_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel0_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel1_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel1_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel2_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel2_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel3_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel3_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel4_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel4_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel5_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel5_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel6_ntpdate"
+ version="2">
+ <unix:object object_ref="obj_runlevel6_ntpdate" />
+ <unix:state state_ref="state_service_ntpdate_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_object id="obj_runlevel0_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">0</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel1_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">1</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel2_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">2</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel3_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">3</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel4_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">4</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel5_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">5</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel6_ntpdate" version="1">
+ <unix:service_name>ntpdate</unix:service_name>
+ <unix:runlevel operation="equals">6</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_state comment="not configured to start" id="state_service_ntpdate_off" version="1">
+ <unix:start datatype="boolean">false</unix:start>
+ <unix:kill datatype="boolean">true</unix:kill>
+ </unix:runlevel_state>
+</def-group>
diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml
index 5b1aae4..3453e9a 100644
--- a/RHEL6/input/services/base.xml
+++ b/RHEL6/input/services/base.xml
@@ -263,7 +263,7 @@ are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</rationale> <ident cce="27256-7" /> -<!--<oval id="service_ntpdate_disabled" /> --> +<oval id="service_ntpdate_disabled" /> <ref nist="AC-17(8),AU-8,CM-7" disa="382" /> <tested by="DS" on="20121024"/> </Rule>
-- 
1.7.1
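Review bot: The `<tested by="DS" on="20121024"/>` marker in the base.xml hunk now sits next to a live `<oval id="service_ntpdate_disabled" />` reference, yet it predates this commit (dated 2013-04-14), which per the commit message is when the OVAL for this rule was first created and enabled; as written it records a test of the rule without its automated check. Either re-run the generated definition against a system and update the marker, or remove the marker until that has happened, so the record reflects what was actually verified. The check that is being enabled passes when the ntpdate package is removed OR the service is off in all runlevels 0 through 6 (the `criteria operator="OR"` in the new service_ntpdate_disabled.xml), so a host that still has the package installed but not chkconfig'd on will pass; that appears consistent with the rationale text, but is worth confirming against the rule's intent. The enclosing `<Rule>` starts outside the hunk.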
