>From d3a7e6309bcad3e5e3607eedab0b6dbf67078f7d Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Sat, 28 Sep 2013 14:07:16 -0400
Subject: [PATCH 3/8] Updated kernel_module_disabled OVAL template
- RHEL6 supports *both* /etc/modprobe.conf and /etc/modprobe.d, updated check
to scan via OR operator
- Frank Caviggia called out that while prose calls for /bin/false, /bin/true
is equally acceptable. Updated OVAL to pass on either condition, as both meet
the intent of the check. Thanks, Frank!
TESTING:[root@SSG-RHEL6 templates]# cat /etc/modprobe.d/cramfs.conf
install cramfs /bin/tru
[root@SSG-RHEL6 templates]# ../testcheck.py
output/kernel_module_cramfs_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabled0Zx73B.xml
Writing results to : /tmp/kernel_module_cramfs_disabled0Zx73B.xml-results
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
[root@SSG-RHEL6 templates]# echo "install cramfs /bin/true" >
/etc/modprobe.d/cramfs.conf ; ../testcheck.py
output/kernel_module_cramfs_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabledIV6_JJ.xml
Writing results to : /tmp/kernel_module_cramfs_disabledIV6_JJ.xml-results
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
[root@SSG-RHEL6 templates]# echo "install cramfs /bin/false" >
/etc/modprobe.d/cramfs.conf ; ../testcheck.py
output/kernel_module_cramfs_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabledWfOEk7.xml
Writing results to : /tmp/kernel_module_cramfs_disabledWfOEk7.xml-results
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
[root@SSG-RHEL6 templates]# echo "" > /etc/modprobe.d/cramfs.conf ;
../testcheck.py output/kernel_module_cramfs_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabledlou7nh.xml
Writing results to : /tmp/kernel_module_cramfs_disabledlou7nh.xml-results
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
[root@SSG-RHEL6 templates]# vim /etc/modprobe.conf
[root@SSG-RHEL6 templates]# echo "install cramfs /bin/true" >
/etc/modprobe.conf ; ../testcheck.py output/kernel_module_cramfs_disabled.xml
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabled8K27PN.xml
Writing results to : /tmp/kernel_module_cramfs_disabled8K27PN.xml-results
Definition oval:scap-security-guide.testing:def:100: true
Evaluation done.
[root@SSG-RHEL6 templates]# rm /etc/modprobe.conf ; ../testcheck.py
output/kernel_module_cramfs_disabled.xml
rm: remove regular file `/etc/modprobe.conf'? y
Evaluating with OVAL tempfile : /tmp/kernel_module_cramfs_disabledrcM8hz.xml
Writing results to : /tmp/kernel_module_cramfs_disabledrcM8hz.xml-results
Definition oval:scap-security-guide.testing:def:100: false
Evaluation done.
---
.../input/checks/kernel_module_cramfs_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_dccp_disabled.xml | 28 +++++++++++++++-----
.../checks/kernel_module_freevxfs_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_hfs_disabled.xml | 28 +++++++++++++++-----
.../checks/kernel_module_hfsplus_disabled.xml | 28 +++++++++++++++-----
.../input/checks/kernel_module_jffs2_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_rds_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_sctp_disabled.xml | 28 +++++++++++++++-----
.../checks/kernel_module_squashfs_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_tipc_disabled.xml | 28 +++++++++++++++-----
RHEL6/input/checks/kernel_module_udf_disabled.xml | 28 +++++++++++++++-----
.../checks/kernel_module_usb-storage_disabled.xml | 28 +++++++++++++++-----
.../templates/template_kernel_module_disabled | 28 +++++++++++++++-----
13 files changed, 273 insertions(+), 91 deletions(-)
diff --git a/RHEL6/input/checks/kernel_module_cramfs_disabled.xml
b/RHEL6/input/checks/kernel_module_cramfs_disabled.xml
index c157530..cb2b9bf 100644
--- a/RHEL6/input/checks/kernel_module_cramfs_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_cramfs_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module cramfs should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_cramfs_disabled"
- comment="kernel module cramfs disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_cramfs_disabled" comment="kernel
module cramfs disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_cramfs_modprobeconf" comment="kernel
module cramfs disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_cramfs_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_cramfs_disabled" version="1"
check="all"
comment="kernel module cramfs disabled">
<ind:object object_ref="obj_kernmod_cramfs_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_cramfs_modprobeconf"
version="1" check="all"
+ comment="kernel module cramfs disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_cramfs_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_cramfs_disabled"
version="1" comment="kernel module cramfs disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+cramfs\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_cramfs_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
cramfs">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
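Review bot: The new pattern ends in `(/bin/false|/bin/true)$` with nothing allowed between the path and the end of the line, so `install cramfs /bin/true` followed by a trailing space or tab is reported as non-compliant even though the install command is the same; `^\s*install\s+cramfs\s+/bin/(false|true)[ \t]*$` in both objects would accept it. The added comments also carry typos that will surface in scan results: `/etc/modprob.d` in the first criterion should read `/etc/modprobe.d` (the object's `<ind:path>` is `/etc/modprobe.d`), and `depricated` should read `deprecated`. The same lines recur in every other hunk of this patch (dccp through usb-storage, and template_kernel_module_disabled). The per-module files look generated from that template, so correcting the template and regenerating is probably enough.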
diff --git a/RHEL6/input/checks/kernel_module_dccp_disabled.xml
b/RHEL6/input/checks/kernel_module_dccp_disabled.xml
index 25654c5..6a51f2a 100644
--- a/RHEL6/input/checks/kernel_module_dccp_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_dccp_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module dccp should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_dccp_disabled"
- comment="kernel module dccp disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_dccp_disabled" comment="kernel module
dccp disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_dccp_modprobeconf" comment="kernel
module dccp disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_dccp_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_dccp_disabled" version="1"
check="all"
comment="kernel module dccp disabled">
<ind:object object_ref="obj_kernmod_dccp_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_dccp_modprobeconf" version="1"
check="all"
+ comment="kernel module dccp disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_dccp_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_dccp_disabled"
version="1" comment="kernel module dccp disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+dccp\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+dccp\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_dccp_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
dccp">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+dccp\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_freevxfs_disabled.xml
b/RHEL6/input/checks/kernel_module_freevxfs_disabled.xml
index b87b271..d1e623a 100644
--- a/RHEL6/input/checks/kernel_module_freevxfs_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_freevxfs_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module freevxfs should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_freevxfs_disabled"
- comment="kernel module freevxfs disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_freevxfs_disabled" comment="kernel
module freevxfs disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_freevxfs_modprobeconf" comment="kernel
module freevxfs disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_freevxfs_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_freevxfs_disabled" version="1"
check="all"
comment="kernel module freevxfs disabled">
<ind:object object_ref="obj_kernmod_freevxfs_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_freevxfs_modprobeconf"
version="1" check="all"
+ comment="kernel module freevxfs disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_freevxfs_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_freevxfs_disabled"
version="1" comment="kernel module freevxfs disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+freevxfs\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_freevxfs_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
freevxfs">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_hfs_disabled.xml
b/RHEL6/input/checks/kernel_module_hfs_disabled.xml
index 5bd3fc9..ae90879 100644
--- a/RHEL6/input/checks/kernel_module_hfs_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_hfs_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module hfs should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_hfs_disabled"
- comment="kernel module hfs disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_hfs_disabled" comment="kernel module
hfs disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_hfs_modprobeconf" comment="kernel
module hfs disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_hfs_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_hfs_disabled" version="1"
check="all"
comment="kernel module hfs disabled">
<ind:object object_ref="obj_kernmod_hfs_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_hfs_modprobeconf" version="1"
check="all"
+ comment="kernel module hfs disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_hfs_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_hfs_disabled"
version="1" comment="kernel module hfs disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+hfs\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_hfs_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
hfs">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_hfsplus_disabled.xml
b/RHEL6/input/checks/kernel_module_hfsplus_disabled.xml
index e541a5c..2d021e6 100644
--- a/RHEL6/input/checks/kernel_module_hfsplus_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_hfsplus_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module hfsplus should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_hfsplus_disabled"
- comment="kernel module hfsplus disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_hfsplus_disabled" comment="kernel
module hfsplus disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_hfsplus_modprobeconf" comment="kernel
module hfsplus disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_hfsplus_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_hfsplus_disabled" version="1"
check="all"
comment="kernel module hfsplus disabled">
<ind:object object_ref="obj_kernmod_hfsplus_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_hfsplus_modprobeconf"
version="1" check="all"
+ comment="kernel module hfsplus disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_hfsplus_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_hfsplus_disabled"
version="1" comment="kernel module hfsplus disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+hfsplus\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_hfsplus_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
hfsplus">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_jffs2_disabled.xml
b/RHEL6/input/checks/kernel_module_jffs2_disabled.xml
index 402c527..1150239 100644
--- a/RHEL6/input/checks/kernel_module_jffs2_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_jffs2_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module jffs2 should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_jffs2_disabled"
- comment="kernel module jffs2 disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_jffs2_disabled" comment="kernel module
jffs2 disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_jffs2_modprobeconf" comment="kernel
module jffs2 disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_jffs2_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_jffs2_disabled" version="1"
check="all"
comment="kernel module jffs2 disabled">
<ind:object object_ref="obj_kernmod_jffs2_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_jffs2_modprobeconf" version="1"
check="all"
+ comment="kernel module jffs2 disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_jffs2_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_jffs2_disabled"
version="1" comment="kernel module jffs2 disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+jffs2\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+jffs2\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_jffs2_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
jffs2">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+jffs2\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_rds_disabled.xml
b/RHEL6/input/checks/kernel_module_rds_disabled.xml
index 27294a7..7e7f354 100644
--- a/RHEL6/input/checks/kernel_module_rds_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_rds_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module rds should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_rds_disabled"
- comment="kernel module rds disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_rds_disabled" comment="kernel module
rds disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_rds_modprobeconf" comment="kernel
module rds disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_rds_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_rds_disabled" version="1"
check="all"
comment="kernel module rds disabled">
<ind:object object_ref="obj_kernmod_rds_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_rds_modprobeconf" version="1"
check="all"
+ comment="kernel module rds disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_rds_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_rds_disabled"
version="1" comment="kernel module rds disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+rds\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+rds\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_rds_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
rds">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+rds\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_sctp_disabled.xml
b/RHEL6/input/checks/kernel_module_sctp_disabled.xml
index 91652ec..8102fde 100644
--- a/RHEL6/input/checks/kernel_module_sctp_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_sctp_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module sctp should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_sctp_disabled"
- comment="kernel module sctp disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_sctp_disabled" comment="kernel module
sctp disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_sctp_modprobeconf" comment="kernel
module sctp disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_sctp_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_sctp_disabled" version="1"
check="all"
comment="kernel module sctp disabled">
<ind:object object_ref="obj_kernmod_sctp_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_sctp_modprobeconf" version="1"
check="all"
+ comment="kernel module sctp disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_sctp_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_sctp_disabled"
version="1" comment="kernel module sctp disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+sctp\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+sctp\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_sctp_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
sctp">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+sctp\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_squashfs_disabled.xml
b/RHEL6/input/checks/kernel_module_squashfs_disabled.xml
index c45d710..fe44fa4 100644
--- a/RHEL6/input/checks/kernel_module_squashfs_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_squashfs_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module squashfs should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_squashfs_disabled"
- comment="kernel module squashfs disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_squashfs_disabled" comment="kernel
module squashfs disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_squashfs_modprobeconf" comment="kernel
module squashfs disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_squashfs_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_squashfs_disabled" version="1"
check="all"
comment="kernel module squashfs disabled">
<ind:object object_ref="obj_kernmod_squashfs_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_squashfs_modprobeconf"
version="1" check="all"
+ comment="kernel module squashfs disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_squashfs_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_squashfs_disabled"
version="1" comment="kernel module squashfs disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+squashfs\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+squashfs\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_squashfs_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
squashfs">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+squashfs\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_tipc_disabled.xml
b/RHEL6/input/checks/kernel_module_tipc_disabled.xml
index 23c07e0..2b658c2 100644
--- a/RHEL6/input/checks/kernel_module_tipc_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_tipc_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module tipc should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_tipc_disabled"
- comment="kernel module tipc disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_tipc_disabled" comment="kernel module
tipc disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_tipc_modprobeconf" comment="kernel
module tipc disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_tipc_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_tipc_disabled" version="1"
check="all"
comment="kernel module tipc disabled">
<ind:object object_ref="obj_kernmod_tipc_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_tipc_modprobeconf" version="1"
check="all"
+ comment="kernel module tipc disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_tipc_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_tipc_disabled"
version="1" comment="kernel module tipc disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+tipc\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+tipc\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_tipc_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
tipc">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+tipc\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_udf_disabled.xml
b/RHEL6/input/checks/kernel_module_udf_disabled.xml
index bbc717d..796eef6 100644
--- a/RHEL6/input/checks/kernel_module_udf_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_udf_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module udf should be disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_udf_disabled"
- comment="kernel module udf disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_udf_disabled" comment="kernel module
udf disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_udf_modprobeconf" comment="kernel
module udf disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_udf_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_udf_disabled" version="1"
check="all"
comment="kernel module udf disabled">
<ind:object object_ref="obj_kernmod_udf_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_udf_modprobeconf" version="1"
check="all"
+ comment="kernel module udf disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_udf_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_udf_disabled"
version="1" comment="kernel module udf disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+udf\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+udf\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_udf_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
udf">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+udf\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/kernel_module_usb-storage_disabled.xml
b/RHEL6/input/checks/kernel_module_usb-storage_disabled.xml
index 46e0c32..a6a87d7 100644
--- a/RHEL6/input/checks/kernel_module_usb-storage_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_usb-storage_disabled.xml
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module usb-storage should be
disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_usb-storage_disabled"
- comment="kernel module usb-storage disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_usb-storage_disabled" comment="kernel
module usb-storage disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_usb-storage_modprobeconf"
comment="kernel module usb-storage disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_usb-storage_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_usb-storage_disabled"
version="1" check="all"
comment="kernel module usb-storage disabled">
<ind:object object_ref="obj_kernmod_usb-storage_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_usb-storage_modprobeconf"
version="1" check="all"
+ comment="kernel module usb-storage disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_usb-storage_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_usb-storage_disabled"
version="1" comment="kernel module usb-storage disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+usb-storage\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_usb-storage_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
usb-storage">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
diff --git a/RHEL6/input/checks/templates/template_kernel_module_disabled
b/RHEL6/input/checks/templates/template_kernel_module_disabled
index b183174..084f25a 100644
--- a/RHEL6/input/checks/templates/template_kernel_module_disabled
+++ b/RHEL6/input/checks/templates/template_kernel_module_disabled
@@ -8,23 +8,37 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The kernel module KERNMODULE should be
disabled.</description>
- <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ <reference source="swells" ref_id="20130928" ref_url="test_attestation"/>
</metadata>
- <criteria>
- <criterion test_ref="test_kernmod_KERNMODULE_disabled"
- comment="kernel module KERNMODULE disabled" />
+ <criteria operator="OR">
+ <criterion test_ref="test_kernmod_KERNMODULE_disabled" comment="kernel
module KERNMODULE disabled in /etc/modprob.d" />
+ <criterion test_ref="test_kernmod_KERNMODULE_modprobeconf"
comment="kernel module KERNMODULE disabled in /etc/modprobe.conf" />
</criteria>
</definition>
- <ind:textfilecontent54_test id="test_kernmod_KERNMODULE_disabled"
- version="1" check="all"
+
+ <ind:textfilecontent54_test id="test_kernmod_KERNMODULE_disabled"
version="1" check="all"
comment="kernel module KERNMODULE disabled">
<ind:object object_ref="obj_kernmod_KERNMODULE_disabled" />
</ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test id="test_kernmod_KERNMODULE_modprobeconf"
version="1" check="all"
+ comment="kernel module KERNMODULE disabled in /etc/modprobe.conf">
+ <ind:object object_ref="obj_kernmod_KERNMODULE_modprobeconf" />
+ </ind:textfilecontent54_test>
+
<ind:textfilecontent54_object id="obj_kernmod_KERNMODULE_disabled"
version="1" comment="kernel module KERNMODULE disabled">
<ind:path>/etc/modprobe.d</ind:path>
<ind:filename operation="pattern match">^.*\.conf$</ind:filename>
- <ind:pattern operation="pattern
match">^\s*install\s+KERNMODULE\s+/bin/false$</ind:pattern>
+ <ind:pattern operation="pattern
match">^\s*install\s+KERNMODULE\s+(/bin/false|/bin/true)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="obj_kernmod_KERNMODULE_modprobeconf"
+ version="1" comment="Check depricated /etc/modprobe.conf for disablement of
KERNMODULE">
+ <ind:filepath>/etc/modprobe.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">^\s*install\s+KERNMODULE\s+(/bin/false|/bin/true)$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+
</def-group>
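Review bot: Both tests reference only an object and no state, so each passes as soon as one matching `install KERNMODULE` line is found in any `.conf` file, and the `OR` lets either location satisfy the definition. A second, conflicting `install KERNMODULE` line elsewhere is not looked for, so a pass means a disabling line exists, not that it is the one in effect; how modprobe resolves duplicates is not shown in this patch. A comment above `<criteria operator="OR">` would state that limit for readers of the results, e.g. `<!-- passes when a disabling line exists in either location; conflicting install lines are not checked -->`. The definition begins before this hunk.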
--
1.7.1