Signed-off-by: Jeffrey Blank <[email protected]>
---
 .../accounts_no_nis_inclusions_etc_passwd.xml      |   23 ----------
 .../input/checks/audit_rules_dac_modification.xml  |   40 -----------------
 RHEL6/input/checks/cups_limit_web_interface.xml    |   30 -------------
 RHEL6/input/checks/file_mode_etc_crontab.xml       |   33 --------------
 RHEL6/input/checks/file_ownership_etc_skel.xml     |   39 -----------------
 .../file_permissions_boot_grub_grub_conf.xml       |   46 --------------------
 RHEL6/input/checks/file_user_owner_etc_crontab.xml |   25 -----------
 RHEL6/input/checks/mount_option_nodev_on_tmp.xml   |   30 -------------
 .../input/checks/package_ipsec-tools_installed.xml |   25 -----------
 RHEL6/input/checks/package_talk-server_removed.xml |   25 -----------
 RHEL6/input/checks/package_talk_removed.xml        |   25 -----------
 RHEL6/input/checks/service_abrtd_disabled.xml      |    3 +
 RHEL6/input/checks/sysconfig_ipv6_disable.xml      |   37 ----------------
 RHEL6/input/checks/sysconfig_ipv6_networking.xml   |   37 ----------------
 .../checks/sysconfig_networking_ipv6_ifcfg.xml     |   37 ----------------
 ...tl_net_ipv6_conf_default_accept_ra_rtr_pref.xml |   31 -------------
 RHEL6/input/checks/xwindows_remote_listening.xml   |   30 -------------
 17 files changed, 3 insertions(+), 513 deletions(-)
 delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml
 delete mode 100644 RHEL6/input/checks/audit_rules_dac_modification.xml
 delete mode 100644 RHEL6/input/checks/cups_limit_web_interface.xml
 delete mode 100644 RHEL6/input/checks/file_mode_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/file_ownership_etc_skel.xml
 delete mode 100644 RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
 delete mode 100644 RHEL6/input/checks/file_user_owner_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/mount_option_nodev_on_tmp.xml
 delete mode 100644 RHEL6/input/checks/package_ipsec-tools_installed.xml
 delete mode 100644 RHEL6/input/checks/package_talk-server_removed.xml
 delete mode 100644 RHEL6/input/checks/package_talk_removed.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_disable.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_networking.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml
 delete mode 100644 
RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml
 delete mode 100644 RHEL6/input/checks/xwindows_remote_listening.xml

diff --git a/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml 
b/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml
deleted file mode 100644
index 5176fa4..0000000
--- a/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml
+++ /dev/null
@@ -1,23 +0,0 @@
-<def-group>
-  <definition class="compliance" id="accounts_no_nis_inclusions_etc_passwd" 
version="1">
-    <metadata>
-      <title>Remove Legacy + Entries From /etc/passwd</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>NIS file inclusions should be set appropriately in the 
/etc/passwd file.</description>
-    </metadata>
-    <criteria>
-      <criterion comment="tests for reg exp '^\+' in /etc/passwd" 
test_ref="test_accounts_no_nis_inclusions_etc_passwd" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" 
comment="tests for reg exp '^\+' in /etc/passwd" 
id="test_accounts_no_nis_inclusions_etc_passwd" version="1">
-    <ind:object object_ref="object_accounts_no_nis_inclusions_etc_passwd" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object 
id="object_accounts_no_nis_inclusions_etc_passwd" version="1">
-    <ind:path>/etc</ind:path>
-    <ind:filename>passwd</ind:filename>
-    <ind:pattern operation="pattern match">^\+</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/audit_rules_dac_modification.xml 
b/RHEL6/input/checks/audit_rules_dac_modification.xml
deleted file mode 100644
index 919eaff..0000000
--- a/RHEL6/input/checks/audit_rules_dac_modification.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<def-group>
-  <definition class="compliance" id="audit_rules_dac_modification" version="1">
-    <metadata>
-      <title>Audit Discretionary Access Control Modification Events</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The changing of file permissions and attributes should be 
audited.</description>
-    </metadata>
-    <criteria operator="AND">
-      <!-- <criterion comment="dac modification chmod" 
test_ref="test_audit_rules_dac_modification_chmod" /> -->
-      <!-- <criterion comment="dac modification chown" 
test_ref="test_audit_rules_dac_modification_chown" /> -->
-      <criterion comment="dac modification attre" 
test_ref="test_audit_rules_dac_modification_attr" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all" comment="dac modification chmod" 
id="test_audit_rules_dac_modification_chmod" version="1">
-    <ind:object object_ref="object_audit_rules_dac_modification_chmod" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_audit_rules_dac_modification_chmod" 
version="1">
-    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern 
match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+chmod\s+\-S\s+fchmod\s+\-S\s+fchmodat\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-  <ind:textfilecontent54_test check="all" comment="dac modification chown" 
id="test_audit_rules_dac_modification_chown" version="1">
-    <ind:object object_ref="object_audit_rules_dac_modification_chown" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_audit_rules_dac_modification_chown" 
version="1">
-    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern 
match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+chown\s+\-S\s+fchown\s+\-S\s+fchownat\s+\-S\s+lchown\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-  <ind:textfilecontent54_test check="all" comment="dac modification attr" 
id="test_audit_rules_dac_modification_attr" version="1">
-    <ind:object object_ref="object_audit_rules_dac_modification_attr" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="object_audit_rules_dac_modification_attr" 
version="1">
-    <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-    <ind:pattern operation="pattern 
match">^\-a\s+always,exit\s+(\-F\s+arch=(b64|b32)\s+)?\-S\s+setxattr\s+\-S\s+lsetxattr\s+\-S\s+fsetxattr\s+\-S\s+removexattr\s+\-S\s+lremovexattr\s+\-S\s+fremovexattr\s+\-F\s+auid>=500\s+\-F\s+auid!=4294967295\s+\-k\s+[-\w]+\s*$</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/cups_limit_web_interface.xml 
b/RHEL6/input/checks/cups_limit_web_interface.xml
deleted file mode 100644
index 4d370c8..0000000
--- a/RHEL6/input/checks/cups_limit_web_interface.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="cups_limit_web_interface" version="1">
-    <metadata>
-      <title>Limit Access to the Web Administration Interface</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>By default, access to the CUPS web administration interface 
is limited to the local machine. It is recom-
-mended that this not be changed, especially since the authentication 
mechanisms that CUPS provides are limited in their effectiveness.  Host-based 
authentication has known limitations, especially since IP addresses are easy to 
spoof. Requiring users to authenticate themselves can alleviate this problem, 
but it cannot eliminate it.
-</description>
-    </metadata>
-    <criteria operator="AND">
-      <criterion comment="Don't use allow for remote administration" 
test_ref="test_cups_limit_web_interface_no_allow" />
-    </criteria>
-  </definition>
- 
-  <ind:textfilecontent54_test check="all" check_existence="none_exist" 
-  comment="Ensure remote web administration remains disabled" 
-  id="test_cups_limit_web_interface_no_allow" version="1">
-    <ind:object object_ref="obj_cups_limit_web_interface_no_allow" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_cups_limit_web_interface_no_allow" 
version="1">
-    <ind:path>/etc/cups</ind:path>
-    <ind:filename>cupsd.conf</ind:filename>
-    <ind:pattern operation="pattern match">.*Location \/.*[\s\n]+Allow 
\S+[\s\n]+.*Location \/</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-
-</def-group>
diff --git a/RHEL6/input/checks/file_mode_etc_crontab.xml 
b/RHEL6/input/checks/file_mode_etc_crontab.xml
deleted file mode 100644
index d8b0a7e..0000000
--- a/RHEL6/input/checks/file_mode_etc_crontab.xml
+++ /dev/null
@@ -1,33 +0,0 @@
-<def-group>
-  <definition class="compliance" id="file_mode_etc_crontab" version="1">
-    <metadata>
-      <title>Check Mode /etc/crontab</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The file /etc/crontab should be mode 600.</description>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_file_mode_etc_crontab" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist" comment="mode for 
/etc/crontab" id="test_file_mode_etc_crontab" version="1">
-    <unix:object object_ref="object_mode_file_etc_crontab" />
-    <unix:state state_ref="state_etc_crontab_mode_600" />
-  </unix:file_test>
-  <unix:file_object comment="/etc/crontab" id="object_mode_file_etc_crontab" 
version="1">
-    <unix:path>/etc</unix:path>
-    <unix:filename>crontab</unix:filename>
-  </unix:file_object>
-  <unix:file_state id="state_etc_crontab_mode_600" version="1">
-    <unix:uread datatype="boolean">true</unix:uread>
-    <unix:uwrite datatype="boolean">true</unix:uwrite>
-    <unix:uexec datatype="boolean">false</unix:uexec>
-    <unix:gread datatype="boolean">false</unix:gread>
-    <unix:gwrite datatype="boolean">false</unix:gwrite>
-    <unix:gexec datatype="boolean">false</unix:gexec>
-    <unix:oread datatype="boolean">false</unix:oread>
-    <unix:owrite datatype="boolean">false</unix:owrite>
-    <unix:oexec datatype="boolean">false</unix:oexec>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL6/input/checks/file_ownership_etc_skel.xml 
b/RHEL6/input/checks/file_ownership_etc_skel.xml
deleted file mode 100644
index 5559fb1..0000000
--- a/RHEL6/input/checks/file_ownership_etc_skel.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<def-group>
-  <definition class="compliance" id="file_ownership_etc_skel" version="1">
-    <metadata>
-      <title>Verify /etc/skel Ownership</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>Checks that all /etc/skel files and directories are owned 
by the root user and group.</description>
-    </metadata>
-    <criteria operator="AND">
-      <criterion test_ref="test_ownership_etc_skel_dir" />
-      <criterion test_ref="test_ownership_etc_skel_files" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="none_exist" comment="/etc/skel 
directories uid root gid root" id="test_ownership_etc_skel_dir" version="1">
-    <unix:object object_ref="object_etc_skel_dir" />
-    <unix:state state_ref="state_owner_not_root_root" />
-  </unix:file_test>
-  <unix:file_test check="all" check_existence="none_exist" comment="/etc/skel 
files uid root gid root" id="test_ownership_etc_skel_files" version="1">
-    <unix:object object_ref="object_ownership_etc_skel_files" />
-    <unix:state state_ref="state_owner_not_root_root" />
-  </unix:file_test>
-  <unix:file_object comment="/etc/skel directories" id="object_etc_skel_dir" 
version="1">
-    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
-    <unix:path operation="equals">/etc/skel</unix:path>
-    <unix:filename xsi:nil="true" />
-    <filter action="include">state_owner_not_root_root</filter>
-  </unix:file_object>
-  <unix:file_object comment="/etc/skel files" 
id="object_ownership_etc_skel_files" version="1">
-    <unix:behaviors recurse="directories" recurse_direction="down" 
max_depth="-1" recurse_file_system="all" />
-    <unix:path operation="equals">/etc/skel</unix:path>
-    <unix:filename operation="pattern match">^.*$</unix:filename>
-    <filter action="include">state_owner_not_root_root</filter>
-  </unix:file_object>
-  <unix:file_state id="state_owner_not_root_root" version="1" operator="OR">
-    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
-    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml 
b/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
deleted file mode 100644
index b185de9..0000000
--- a/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_permission_checks.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="file_permissions_boot_grub_grub_conf" 
version="1">
-    <metadata>
-      <title>Verify /boot/grub/grub.conf Permissions</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>This test makes sure that /boot/grub/grub.conf is owned by 
0, group owned by 0, and has mode 0600. If
-      the target file or directory has an extended ACL then it will fail the 
mode check.</description>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_boot_grub_grub_conf" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist" 
comment="/boot/grub/grub.conf mode and ownership" id="test_boot_grub_grub_conf" 
version="1">
-    <unix:object object_ref="object_boot_grub_grub_conf" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" />
-    <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" />
-  </unix:file_test>
-  <unix:file_object comment="/boot/grub/grub.conf" 
id="object_boot_grub_grub_conf" version="1">
-    <unix:path>/boot/grub</unix:path>
-    <unix:filename>grub.conf</unix:filename>
-  </unix:file_object>
-  <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1">
-    <unix:user_id datatype="int" operation="equals">0</unix:user_id>
-  </unix:file_state>
-  <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1">
-    <unix:group_id datatype="int" operation="equals">0</unix:group_id>
-  </unix:file_state>
-  <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1">
-       <unix:suid datatype="boolean">false</unix:suid>
-       <unix:sgid datatype="boolean">false</unix:sgid>
-       <unix:sticky datatype="boolean">false</unix:sticky>
-       <unix:uread datatype="boolean">true</unix:uread>
-       <unix:uwrite datatype="boolean">true</unix:uwrite>
-       <unix:uexec datatype="boolean">false</unix:uexec>
-       <unix:gread datatype="boolean">false</unix:gread>
-       <unix:gwrite datatype="boolean">false</unix:gwrite>
-       <unix:gexec datatype="boolean">false</unix:gexec>
-       <unix:oread datatype="boolean">false</unix:oread>
-       <unix:owrite datatype="boolean">false</unix:owrite>
-       <unix:oexec datatype="boolean">false</unix:oexec>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL6/input/checks/file_user_owner_etc_crontab.xml 
b/RHEL6/input/checks/file_user_owner_etc_crontab.xml
deleted file mode 100644
index 80d76a3..0000000
--- a/RHEL6/input/checks/file_user_owner_etc_crontab.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
-  <definition class="compliance" id="file_user_owner_etc_crontab" version="1">
-    <metadata>
-      <title>Check User Ownership /etc/crontab</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The file /etc/crontab should be owned by the root 
user.</description>
-    </metadata>
-    <criteria>
-      <criterion test_ref="test_file_user_owner_etc_crontab" />
-    </criteria>
-  </definition>
-  <unix:file_test check="all" check_existence="all_exist" comment="root gid 
for /etc/crontab" id="test_file_user_owner_etc_crontab" version="1">
-    <unix:object object_ref="object_uid_file_etc_crontab" />
-    <unix:state state_ref="state_root_uid_etc_crontab" />
-  </unix:file_test>
-  <unix:file_object comment="/etc/crontab" id="object_uid_file_etc_crontab" 
version="1">
-    <unix:path>/etc</unix:path>
-    <unix:filename>crontab</unix:filename>
-  </unix:file_object>
-  <unix:file_state id="state_root_uid_etc_crontab" version="1">
-    <unix:user_id datatype="int">0</unix:user_id>
-  </unix:file_state>
-</def-group>
diff --git a/RHEL6/input/checks/mount_option_nodev_on_tmp.xml 
b/RHEL6/input/checks/mount_option_nodev_on_tmp.xml
deleted file mode 100644
index 93c217a..0000000
--- a/RHEL6/input/checks/mount_option_nodev_on_tmp.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="mount_option_nodev_on_tmp" version="1">
-    <metadata>
-      <title>Add nodev Option to /tmp Partition</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>Add nodev Option to /tmp Partition</description>
-    </metadata>
-    <criteria>
-      <criterion comment="test for nodev option on /tmp"
-      test_ref="test_144120" />
-    </criteria>
-  </definition>
-  <linux:partition_test check="all"
-  comment="check for nodev option on /tmp"
-  id="test_144120" version="1">
-    <linux:object object_ref="obj_144120" />
-    <linux:state state_ref="state_144120" />
-  </linux:partition_test>
-  <linux:partition_state id="state_144120"
-  version="1">
-    <linux:mount_options>nodev</linux:mount_options>
-  </linux:partition_state>
-  <linux:partition_object id="obj_144120"
-  version="1">
-    <linux:mount_point>/tmp</linux:mount_point>
-  </linux:partition_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_ipsec-tools_installed.xml 
b/RHEL6/input/checks/package_ipsec-tools_installed.xml
deleted file mode 100644
index 48221ae..0000000
--- a/RHEL6/input/checks/package_ipsec-tools_installed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_installed.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="package_ipsec-tools_installed"
-  version="1">
-    <metadata>
-      <title>Package ipsec-tools Installed</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The RPM package ipsec-tools should be 
installed.</description>
-    </metadata>
-    <criteria>
-      <criterion comment="package ipsec-tools is installed"
-      test_ref="test_package_ipsec-tools_installed" />
-    </criteria>
-  </definition>
-  <linux:rpminfo_test check="all" check_existence="all_exist"
-  id="test_package_ipsec-tools_installed" version="1"
-  comment="package ipsec-tools is installed">
-    <linux:object object_ref="obj_package_ipsec-tools_installed" />
-  </linux:rpminfo_test>
-  <linux:rpminfo_object id="obj_package_ipsec-tools_installed" version="1">
-    <linux:name>ipsec-tools</linux:name>
-  </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_talk-server_removed.xml 
b/RHEL6/input/checks/package_talk-server_removed.xml
deleted file mode 100644
index 74b1735..0000000
--- a/RHEL6/input/checks/package_talk-server_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="package_talk-server_removed"
-  version="1">
-    <metadata>
-      <title>Package talk-server Removed</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The RPM package talk-server should be removed.</description>
-    </metadata>
-    <criteria>
-      <criterion comment="package talk-server is removed"
-      test_ref="test_package_talk-server_removed" />
-    </criteria>
-  </definition>
-  <linux:rpminfo_test check="all" check_existence="none_exist"
-  id="test_package_talk-server_removed" version="1"
-  comment="package talk-server is removed">
-    <linux:object object_ref="obj_package_talk-server_removed" />
-  </linux:rpminfo_test>
-  <linux:rpminfo_object id="obj_package_talk-server_removed" version="1">
-    <linux:name>talk-server</linux:name>
-  </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_talk_removed.xml 
b/RHEL6/input/checks/package_talk_removed.xml
deleted file mode 100644
index 4f51b7f..0000000
--- a/RHEL6/input/checks/package_talk_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py.  DO NOT EDIT.  -->
-  <definition class="compliance" id="package_talk_removed"
-  version="1">
-    <metadata>
-      <title>Package talk Removed</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The RPM package talk should be removed.</description>
-    </metadata>
-    <criteria>
-      <criterion comment="package talk is removed"
-      test_ref="test_package_talk_removed" />
-    </criteria>
-  </definition>
-  <linux:rpminfo_test check="all" check_existence="none_exist"
-  id="test_package_talk_removed" version="1"
-  comment="package talk is removed">
-    <linux:object object_ref="obj_package_talk_removed" />
-  </linux:rpminfo_test>
-  <linux:rpminfo_object id="obj_package_talk_removed" version="1">
-    <linux:name>talk</linux:name>
-  </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/service_abrtd_disabled.xml 
b/RHEL6/input/checks/service_abrtd_disabled.xml
index a72eb1b..71c8985 100644
--- a/RHEL6/input/checks/service_abrtd_disabled.xml
+++ b/RHEL6/input/checks/service_abrtd_disabled.xml
@@ -9,6 +9,8 @@
       </affected>
       <description>The abrtd service should be disabled if 
possible.</description>
     </metadata>
+   <criteria comment="package abrt removed or service abrtd is not configured 
to start" operator="OR">
+    <extend_definition comment="abrt removed" 
definition_ref="package_abrt_removed" />
     <criteria operator="AND" comment="service abrtd is not configured to 
start">
       <criterion comment="abrtd runlevel 0" test_ref="test_runlevel0_abrtd" />
       <criterion comment="abrtd runlevel 1" test_ref="test_runlevel1_abrtd" />
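Review bot: The outer OR added at the top of this hunk lets the check pass whenever `package_abrt_removed` passes, but that definition is neither added nor shown in this patch. It is worth confirming it exists in the checks directory, since a dangling `definition_ref` would presumably leave the generated OVAL invalid or the result in error. The `<description>` just above still reads only "The abrtd service should be disabled if possible." and could state the new logic, e.g. `<description>The abrt package should be removed or the abrtd service disabled.</description>`. On style, the new opening tag is indented three spaces while its closing `</criteria>` in the following hunk uses four, and the inner AND block keeps its old indentation, which hides the nesting. The definition begins and ends outside the hunk.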
@@ -18,6 +20,7 @@
       <criterion comment="abrtd runlevel 5" test_ref="test_runlevel5_abrtd" />
       <criterion comment="abrtd runlevel 6" test_ref="test_runlevel6_abrtd" />
     </criteria>
+    </criteria>
   </definition>
   <unix:runlevel_test check="all" check_existence="any_exist"
   comment="Runlevel test" id="test_runlevel0_abrtd"
diff --git a/RHEL6/input/checks/sysconfig_ipv6_disable.xml 
b/RHEL6/input/checks/sysconfig_ipv6_disable.xml
deleted file mode 100644
index 8dcae22..0000000
--- a/RHEL6/input/checks/sysconfig_ipv6_disable.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="sysconfig_ipv6_disable" version="1">
-    <metadata>
-      <title>Disable Interface Usage of IPv6</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The default setting for IPv6 configuration
-      should be disabled for network interfaces.</description>
-    </metadata>
-    <criteria comment="Either IPv6 kernel module is not loaded or this feature 
should be disabled"
-    operator="OR">
-      <extend_definition comment="Automatic loading of the IPv6 kernel module 
should be disabled"
-      definition_ref="kernel_module_ipv6_option_disabled" />
-      <criterion test_ref="test_20131" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all"
-  check_existence="all_exist"
-  comment="Tests the value of the ^[\s]*IPV6INIT[\s]*=[\s]*([^#]*) expression 
in the /etc/sysconfig/network file"
-  id="test_20131" version="1">
-    <ind:object object_ref="obj_20131" />
-    <ind:state state_ref="state_20131" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_state id="state_20131"
-  version="1">
-    <ind:subexpression operation="equals">no</ind:subexpression>
-  </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_20131"
-  version="1">
-    <ind:path>/etc/sysconfig</ind:path>
-    <ind:filename>network</ind:filename>
-    <ind:pattern operation="pattern 
match">^[\s]*IPV6INIT[\s]*=[\s]*([^#\s]*)</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/sysconfig_ipv6_networking.xml 
b/RHEL6/input/checks/sysconfig_ipv6_networking.xml
deleted file mode 100644
index c9e9ac3..0000000
--- a/RHEL6/input/checks/sysconfig_ipv6_networking.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="sysconfig_ipv6_networking" version="1">
-    <metadata>
-      <title>Disable Interface Usage of IPv6</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>Global IPv6 initialization should be
-      disabled.</description>
-    </metadata>
-    <criteria comment="Either IPv6 kernel module is not loaded or this feature 
should be disabled"
-    operator="OR">
-      <extend_definition comment="Automatic loading of the IPv6 kernel module 
should be disabled"
-      definition_ref="kernel_module_ipv6_option_disabled" />
-      <criterion test_ref="test_20132" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all"
-  check_existence="all_exist"
-  comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) 
expression in the /etc/sysconfig/network file"
-  id="test_20132" version="1">
-    <ind:object object_ref="obj_20132" />
-    <ind:state state_ref="state_20132" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_state id="state_20132"
-  version="1">
-    <ind:subexpression operation="equals">no</ind:subexpression>
-  </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_20132"
-  version="1">
-    <ind:path>/etc/sysconfig</ind:path>
-    <ind:filename>network</ind:filename>
-    <ind:pattern operation="pattern 
match">^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#\s]*)</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml 
b/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml
deleted file mode 100644
index 42075e7..0000000
--- a/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="sysconfig_networking_ipv6_ifcfg" version="1">
-    <metadata>
-      <title>Disable Interface Usage of IPv6</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>IPv6 configuration should be disabled for all
-      interfaces.</description>
-    </metadata>
-    <criteria comment="Either IPv6 kernel module is not loaded or this feature 
should be disabled"
-    operator="OR">
-      <extend_definition comment="Automatic loading of the IPv6 kernel module 
should be disabled"
-      definition_ref="kernel_module_ipv6_option_disabled" />
-      <criterion test_ref="test_20133" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all"
-  check_existence="all_exist"
-  comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) 
expression in the /etc/sysconfig/network-scripts/ifcfg-.* file"
-  id="test_20133" version="1">
-    <ind:object object_ref="obj_20133" />
-    <ind:state state_ref="state_20133" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_state id="state_20133"
-  version="1">
-    <ind:subexpression operation="equals">no</ind:subexpression>
-  </ind:textfilecontent54_state>
-  <ind:textfilecontent54_object id="obj_20133"
-  version="1">
-    <ind:path>/etc/sysconfig/network-scripts</ind:path>
-    <ind:filename operation="pattern match">ifcfg-.*</ind:filename>
-    <ind:pattern operation="pattern 
match">^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#\s]*)</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
diff --git 
a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml 
b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml
deleted file mode 100644
index f89bb53..0000000
--- a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<def-group>
-  <definition class="compliance" 
id="sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1">
-    <metadata>
-      <title>Kernel Runtime Parameter 
"net.ipv6.conf.default.accept_ra_rtr_pref" Check</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>The kernel runtime parameter 
"net.ipv6.conf.default.accept_ra_rtr_pref" should be set to 
configured.</description>
-    </metadata>
-    <criteria operator="OR">
-      <extend_definition comment="IPv6 disabled or..."
-      definition_ref="kernel_module_ipv6_option_disabled" />
-      <criterion comment="kernel runtime parameter 
net.ipv6.conf.default.accept_ra_rtr_pref is set"
-      test_ref="test_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" />
-    </criteria>
-  </definition>
-
-  <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel 
runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref set" 
-  id="test_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1">
-    <unix:object 
object_ref="object_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" />
-    <unix:state 
state_ref="state_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" />
-  </unix:sysctl_test>
-
-  <unix:sysctl_object 
id="object_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1">
-    <unix:name>net.ipv6.conf.default.accept_ra_rtr_pref</unix:name>
-  </unix:sysctl_object>
-
-  <unix:sysctl_state 
id="state_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1">
-    <unix:value datatype="int" operation="equals">0</unix:value>
-  </unix:sysctl_state>
-</def-group>
diff --git a/RHEL6/input/checks/xwindows_remote_listening.xml 
b/RHEL6/input/checks/xwindows_remote_listening.xml
deleted file mode 100644
index 0d5e5c9..0000000
--- a/RHEL6/input/checks/xwindows_remote_listening.xml
+++ /dev/null
@@ -1,30 +0,0 @@
-<def-group>
-  <definition class="compliance"
-  id="xwindows_remote_listening" version="1">
-    <metadata>
-      <title>Disable X Window System Listening</title>
-      <affected family="unix">
-        <platform>Red Hat Enterprise Linux 6</platform>
-      </affected>
-      <description>Disable the ability to provide remote graphical
-      display</description>
-    </metadata>
-    <criteria>
-      <criterion comment="Check for existence of line exec X :0 -nolisten tcp 
$@ in file /etc/X11/xinit/xserverrc"
-      test_ref="test_20248" />
-    </criteria>
-  </definition>
-  <ind:textfilecontent54_test check="all"
-  check_existence="all_exist"
-  comment="Check for existence of line exec X :0 -nolisten tcp $@ in file 
/etc/X11/xinit/xserverrc"
-  id="test_20248" version="1">
-    <ind:object object_ref="obj_20248" />
-  </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_20248"
-  version="1">
-    <ind:path>/etc/X11/xinit</ind:path>
-    <ind:filename>xserverrc</ind:filename>
-    <ind:pattern operation="pattern 
match">^[\s]*exec\sX\s:0\s\-nolisten\stcp\s\$@</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
-  </ind:textfilecontent54_object>
-</def-group>
-- 
1.7.1
