>From 3259031dd3c83a6088c339f1c6e5999f387c4636 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sat, 20 Apr 2013 02:47:07 -0400 Subject: [PATCH] [bugfix] Ticket Rule "disable_at" duplicate "service_atd_disabled" Services/base.xml held service_atd_disabled, while services/cron.xml held disable_at. Updated everything to use service_atd_disabled.
Thank you to ruchkinalexandr for reporting! --- RHEL6/input/auxiliary/alt-titles-stig.xml | 3 --- RHEL6/input/profiles/common.xml | 1 - RHEL6/input/profiles/nist-CL-IL-AL.xml | 1 - RHEL6/input/profiles/stig-rhel6-server.xml | 2 +- RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +- RHEL6/input/services/base.xml | 21 --------------------- RHEL6/input/services/cron.xml | 22 +++++++++++++--------- 7 files changed, 15 insertions(+), 37 deletions(-) diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index d4a9cf0..6f4a59a 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -530,9 +530,6 @@ The sysstat service must not be running. <title rule="enable_cron" shorttitle="Enable cron Service"> The cron service must be running. </title> -<title rule="disable_at" shorttitle="Disable atd Service"> -The atd service must be disabled. -</title> <title rule="sshd_allow_only_protocol2" shorttitle="Allow Only SSH Protocol 2"> The SSH daemon must be configured to use only the SSHv2 protocol. </title> diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 2a7565a..2a97ac7 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -161,7 +161,6 @@ <select idref="uninstall_tftp-server" selected="true"/> <select idref="disable_tftp" selected="true"/> <select idref="enable_cron" selected="true"/> -<select idref="disable_at" selected="true"/> <select idref="sshd_allow_only_protocol2" selected="true"/> <select idref="sshd_set_idle_timeout" selected="true"/> <select idref="sshd_set_keepalive" selected="true"/> diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml index e092650..3abc947 100644 --- a/RHEL6/input/profiles/nist-CL-IL-AL.xml +++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml 
@@ -350,7 +350,6 @@ assurance."</description> <select idref="disable_avahi" selected="true" \> <select idref="enable_cron" selected="true" \> <select idref="disable_anacron" selected="true" \> -<select idref="disable_at" selected="true" \> <select idref="disable_dns_server" selected="true" \> <select idref="uninstall_bind" selected="true" \> <select idref="package_openldap-servers_removed" selected="true" \> diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml index 3650ffc..460143a 100644 --- a/RHEL6/input/profiles/stig-rhel6-server.xml +++ b/RHEL6/input/profiles/stig-rhel6-server.xml @@ -95,6 +95,6 @@ <!-- from inherited Rule, deny_password_attempts --> <refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3"/> -<select idref="disable_at" selected="false" /> +<select idref="service_atd_disabled" selected="false" /> </Profile> diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml index af95ac2..8d89f10 100644 --- a/RHEL6/input/profiles/usgcb-rhel6-server.xml +++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml @@ -217,8 +217,8 @@ <select idref="enable_cron" selected="true" /> <select idref="disable_anacron" selected="true" /> <!-- PLACEHOLDER: cron file perms go here when ready --> -<select idref="disable_at" selected="true" /> <select idref="sshd_allow_only_protocol2" selected="true" /> +<select idref="service_atd_disabled" selected="true" \> <select idref="sshd_set_keepalive" selected="true" /> <select idref="sshd_set_idle_timeout" selected="true" /> <select idref="sshd_disable_rhosts" selected="true" /> diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml index 3453e9a..9e86170 100644 --- a/RHEL6/input/services/base.xml +++ b/RHEL6/input/services/base.xml 
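Review bot: The line added in usgcb-rhel6-server.xml closes the element with `\>` instead of `/>`, so `<select idref="service_atd_disabled" selected="true" \>` is not well-formed XML; the line it replaces ended in ` />`. Depending on how the profile is parsed, either the build fails or the USGCB profile stops selecting the atd rule, so it should read `<select idref="service_atd_disabled" selected="true" />`. The context lines of the nist-CL-IL-AL.xml hunk show the same `\>` ending on existing entries, which deserves a separate cleanup. The common.xml and nist-CL-IL-AL.xml hunks only drop `disable_at`; whether those profiles already select `service_atd_disabled` is not visible here and should be confirmed so the atd check is not silently lost from them.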
@@ -42,27 +42,6 @@ it is appropriate.</rationale> <ref nist="CM-7" /> </Rule> -<Rule id="service_atd_disabled"> -<title>Disable At Service (atd)</title> -<description>The <tt>at</tt> and <tt>batch</tt> commands can be used to -schedule tasks that are meant to be executed only once. This allows delayed -execution in a manner similar to cron, except that it is not -recurring. The daemon <tt>atd</tt> keeps track of tasks scheduled via -<tt>at</tt> and <tt>batch</tt>, and executes them at the specified time. -<service-disable-macro service="atd" /> -</description> -<ocil><service-disable-check-macro service="atd" /></ocil> -<rationale> -The <tt>atd</tt> service could be used by an unsophisticated insider to carry -out activities outside of a normal login session, which could complicate -accountability. Furthermore, the need to schedule tasks with <tt>at</tt> or -<tt>batch</tt> is not common. -</rationale> -<ident cce="27249-2" /> -<oval id="service_atd_disabled" /> -<ref nist="CM-7" disa="381" /> -</Rule> - <Rule id="service_certmonger_disabled"> <title>Disable Certmonger Service (certmonger)</title> <description>Certmonger is a D-Bus based service that attempts to simplify interaction diff --git a/RHEL6/input/services/cron.xml b/RHEL6/input/services/cron.xml index 5972a7f..422d74d 100644 --- a/RHEL6/input/services/cron.xml +++ b/RHEL6/input/services/cron.xml 
@@ -111,21 +111,25 @@ access to these files should be disabled.</description> --> - -<Rule id="disable_at"> -<title>Disable atd Service</title> -<description> +<Rule id="service_atd_disabled"> +<title>Disable At Service (atd)</title> +<description>The <tt>at</tt> and <tt>batch</tt> commands can be used to +schedule tasks that are meant to be executed only once. This allows delayed +execution in a manner similar to cron, except that it is not +recurring. The daemon <tt>atd</tt> keeps track of tasks scheduled via +<tt>at</tt> and <tt>batch</tt>, and executes them at the specified time. <service-disable-macro service="atd" /> </description> <ocil><service-disable-check-macro service="atd" /></ocil> <rationale> -Many of the periodic or delayed execution features of the at -daemon can be provided through the cron daemon instead. +The <tt>atd</tt> service could be used by an unsophisticated insider to carry +out activities outside of a normal login session, which could complicate +accountability. Furthermore, the need to schedule tasks with <tt>at</tt> or +<tt>batch</tt> is not common. </rationale> -<ident cce="26548-8" /> +<ident cce="27249-2" /> <oval id="service_atd_disabled" /> -<ref nist="CM-7" /> -<tested by="DS" on="20121024"/> +<ref nist="CM-7" disa="381" /> </Rule> <Group id="restrict_at_cron_users"> -- 1.7.1
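Review bot: The `<ident cce>` of the surviving rule in cron.xml changes from `26548-8` to `27249-2` with no record of the retired identifier, so scan results or waivers keyed on the old CCE may lose their mapping. A comment above the rule such as `<!-- replaces former rule disable_at (CCE-26548-8) -->` would keep the trail for auditors. The `<tested by="DS" on="20121024"/>` marker is dropped as well although `<oval id="service_atd_disabled" />` is unchanged; if that test result still applies to the check, it should stay. The alt-titles-stig.xml hunk deletes the `disable_at` title rather than renaming it, and whether an entry for `service_atd_disabled` already exists in that file is not visible here.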
