>From 673263473b1ee0dacd6a50bd2301e425374d74d6 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 11 Sep 2013 19:56:42 -0400 Subject: [PATCH 09/22] OVAL signoff + remediation: disable_interactive_boot - Updated OVAL namings to match XCCDF - OVAL signoff (the old regex was broke) - Added remediation
TESTING: [root@SSG-RHEL6 checks]# ./testcheck.py disable_interactive_boot.xml Evaluating with OVAL tempfile : /tmp/disable_interactive_bootG_DyZK.xml Writing results to : /tmp/disable_interactive_bootG_DyZK.xml-results Definition oval:scap-security-guide.testing:def:146: false Evaluation done. [root@SSG-RHEL6 checks]# bash ../fixes/bash/disable_interactive_boot.sh [root@SSG-RHEL6 checks]# ./testcheck.py disable_interactive_boot.xml Evaluating with OVAL tempfile : /tmp/disable_interactive_boot6iRseC.xml Writing results to : /tmp/disable_interactive_boot6iRseC.xml-results Definition oval:scap-security-guide.testing:def:146: true Evaluation done.
---
RHEL6/input/checks/disable_interactive_boot.xml | 30 ++++++++++++++++++++
RHEL6/input/checks/interactive_boot_disable.xml | 28 ------------------
RHEL6/input/fixes/bash/disable_interactive_boot.sh | 5 +++
RHEL6/input/system/accounts/physical.xml | 2 +-
4 files changed, 36 insertions(+), 29 deletions(-)
create mode 100644 RHEL6/input/checks/disable_interactive_boot.xml
delete mode 100644 RHEL6/input/checks/interactive_boot_disable.xml
create mode 100644 RHEL6/input/fixes/bash/disable_interactive_boot.sh
diff --git a/RHEL6/input/checks/disable_interactive_boot.xml b/RHEL6/input/checks/disable_interactive_boot.xml
new file mode 100644
index 0000000..1a4f55b
--- /dev/null
+++ b/RHEL6/input/checks/disable_interactive_boot.xml
@@ -0,0 +1,30 @@
+<def-group>
+ <definition class="compliance" id="disable_interactive_boot" version="1">
+ <metadata>
+ <title>Disable Interactive Boot</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The ability for users to perform interactive startups should
+ be disabled.</description>
+ <reference source="swells" ref_id="20130914" ref_url="test_attestation" />
+ </metadata>
+ <criteria>
+ <criterion test_ref="test_disable_interactive_boot" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests that PROMPT=no in /etc/sysconfig/init"
+ id="test_disable_interactive_boot" version="1">
+ <ind:object object_ref="object_disable_interactive_boot" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_disable_interactive_boot"
+ version="1">
+ <ind:filepath>/etc/sysconfig/init</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*PROMPT[\s]*=[\s]*no[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL6/input/checks/interactive_boot_disable.xml b/RHEL6/input/checks/interactive_boot_disable.xml
deleted file mode 100644
index 0f694ea..0000000
--- a/RHEL6/input/checks/interactive_boot_disable.xml
+++ /dev/null
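Review bot: The new test only establishes that some line matches `^[\s]*PROMPT[\s]*=[\s]*no[\s]*$` (instance 1, `check_existence="all_exist"`); it never establishes that no later assignment to another value exists, and because /etc/sysconfig/init is sourced as a shell fragment by the init scripts the last assignment is the one that takes effect, so a file holding `PROMPT=no` followed by `PROMPT=yes` passes this check while interactive boot stays enabled. A second criterion backed by a `check_existence="none_exist"` test over an object whose pattern matches any uncommented assignment to a value other than no, e.g. `^[\s]*PROMPT[\s]*=[\s]*(?!no[\s]*$)`, would close that gap; confirm the negative lookahead against the regex dialect the project's OVAL evaluator accepts before relying on it. Separately, the attestation `ref_id="20130914"` post-dates the commit date in the header (11 Sep 2013), which looks like a typo for the date the testcheck.py run in the commit message was actually performed.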
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance" id="interactive_boot_disable" version="1">
- <metadata>
- <title>Disable Interactive Boot</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The ability for users to perform interactive startups should
- be disabled.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_interactive_boot_disable" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Tests the value of the PROMPT[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/init file"
- id="test_interactive_boot_disable" version="1">
- <ind:object object_ref="object_interactive_boot_disable" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_interactive_boot_disable"
- version="1">
- <ind:path>/etc/sysconfig</ind:path>
- <ind:filename>init</ind:filename>
- <ind:pattern operation="pattern match">
- PROMPT[\s]*=[\s]*no\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/fixes/bash/disable_interactive_boot.sh b/RHEL6/input/fixes/bash/disable_interactive_boot.sh
new file mode 100644
index 0000000..f95ace8
--- /dev/null
+++ b/RHEL6/input/fixes/bash/disable_interactive_boot.sh
@@ -0,0 +1,5 @@
+grep -q ^PROMPT /etc/sysconfig/init && \
+ sed -i "s/PROMPT.*/PROMPT=no/g" /etc/sysconfig/init
+if ! [ $? -eq 0 ]; then
+ echo "PROMPT=no" >> /etc/sysconfig/init
+fi
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml
index e4863c1..390a953 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
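Review bot: The substitution `s/PROMPT.*/PROMPT=no/g` on the second line of disable_interactive_boot.sh is unanchored, so once the grep finds an assignment it rewrites every line in /etc/sysconfig/init that contains the string PROMPT anywhere — a comment that mentions PROMPT, if the file has one, gets a stray `PROMPT=no` spliced into it, and any longer name containing PROMPT would be clobbered. Anchoring the expression to the assignment the grep just matched avoids that: `sed -i 's/^PROMPT[[:space:]]*=.*/PROMPT=no/' /etc/sysconfig/init` (the `g` flag does nothing useful once the pattern is tied to line start). The grep `^PROMPT` also rejects the leading whitespace the OVAL pattern in disable_interactive_boot.xml tolerates, so an indented assignment is left untouched and a second `PROMPT=no` is appended instead; that presumably still takes effect because the last assignment wins when the file is sourced, but it leaves two assignments behind, so `grep -q '^[[:space:]]*PROMPT[[:space:]]*=' /etc/sysconfig/init && \` together with the same class in the sed address keeps check and fix aligned.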
@@ -191,7 +191,7 @@ the console user could disable auditing, firewalls, or other services,
 weakening system security.
 </rationale>
 <ident cce="27043-9" />
-<oval id="interactive_boot_disable" />
+<oval id="disable_interactive_boot" />
 <ref nist="SC-2" disa="213"/>
 <tested by="DS" on="20121024"/>
 </Rule>
-- 1.7.1
