On 9/30/13 7:20 AM, Rui Pedro Bernardino wrote:
 From e7a1c407a07e21dc1f47d089d825518f14582826 Mon Sep 17 00:00:00 2001
From: rbernardino <[email protected]>
Date: Mon, 30 Sep 2013 12:00:16 +0100
Subject: [PATCH] Use variables in XCCDF texts to match profile values.


Signed-off-by: rbernardino <[email protected]>
---
  RHEL6/input/services/ssh.xml                       |    4 +-
  RHEL6/input/system/accounts/banners.xml            |   30 +++--------------
  RHEL6/input/system/accounts/pam.xml                |   34 ++++++++++----------
  RHEL6/input/system/accounts/physical.xml           |    4 +-
  .../accounts/restrictions/account_expiration.xml   |    8 ++---
  .../accounts/restrictions/password_expiration.xml  |   17 ++++++----
  RHEL6/input/system/accounts/session.xml            |   20 ++++++------
  RHEL6/input/system/auditing.xml                    |   23 ++++++-------
  RHEL6/input/system/permissions/execution.xml       |    7 ++--
  RHEL6/input/system/selinux.xml                     |   12 +++---
  10 files changed, 68 insertions(+), 91 deletions(-)

diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index d010c7b..1d3dad4 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -147,7 +147,7 @@ automatically logged out.
  <br /><br />
  To set an idle timeout interval, edit the following line in 
<tt>/etc/ssh/sshd_config</tt> as
  follows:
-<pre>ClientAliveInterval <b>interval</b></pre>
+<pre>ClientAliveInterval <b><sub idref="sshd_idle_timeout_value"/></b></pre>
  The timeout <b>interval</b> is given in seconds. To have a timeout
  of 15 minutes, set <b>interval</b> to 900.
  <br /><br />
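Review bot: the sentence that follows the changed line still reads `The timeout <b>interval</b> is given in seconds. To have a timeout of 15 minutes, set <b>interval</b> to 900.`, but `<b>interval</b>` no longer appears in the `<pre>` above it once the `<sub>` is rendered, and the hard-coded 900 will disagree with any profile that selects a different `sshd_idle_timeout_value`. Either drop that sentence or reword it to say the value shown comes from the selected profile. Separately, the mail client has wrapped long lines in this patch (the context line `To set an idle timeout interval, edit the following line in` continues on a line with no leading space), so the list copy will not apply with `git am`; please resend as an attachment or with line wrapping disabled.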
@@ -160,7 +160,7 @@ from correctly detecting that the user is idle.
  Run the following command to see what the timeout interval is:
  <pre># grep ClientAliveInterval /etc/ssh/sshd_config</pre>
  If properly configured, the output should be:
-<pre>ClientAliveInterval 900</pre>
+<pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value"/></pre>
  </ocil>
  <rationale>
  Causing idle users to be automatically logged out
diff --git a/RHEL6/input/system/accounts/banners.xml 
b/RHEL6/input/system/accounts/banners.xml
index 0b8dc83..6024f72 100644
--- a/RHEL6/input/system/accounts/banners.xml
+++ b/RHEL6/input/system/accounts/banners.xml
@@ -35,31 +35,10 @@ To configure the system login banner:
  <br /><br />
  Edit <tt>/etc/issue</tt>. Replace the default text with a message
  compliant with the local site policy or a legal disclaimer.
+<pre>
+<sub idref="login_banner_text"/>
+</pre>
-The DoD required text is either:
-<br /><br />
-<tt>You are accessing a U.S. Government (USG) Information System (IS) that is
-provided for USG-authorized use only. By using this IS (which includes any
-device attached to this IS), you consent to the following conditions:
-<br />-The USG routinely intercepts and monitors communications on this IS for 
purposes
-including, but not limited to, penetration testing, COMSEC monitoring, network
-operations and defense, personnel misconduct (PM), law enforcement (LE), and
-counterintelligence (CI) investigations.
-<br />-At any time, the USG may inspect and seize data stored on this IS.
-<br />-Communications using, or data stored on, this IS are not private, are 
subject
-to routine monitoring, interception, and search, and may be disclosed or used
-for any USG-authorized purpose.
-<br />-This IS includes security measures (e.g., authentication and access 
controls)
-to protect USG interests -- not for your personal benefit or privacy.
-<br />-Notwithstanding the above, using this IS does not constitute consent to 
PM, LE or CI investigative
-searching or monitoring of the content of privileged communications, or work
-product, related to personal representation or services by attorneys,
-psychotherapists, or clergy, and their assistants. Such communications and work
-product are private and confidential. See User Agreement for details.</tt>
-<br /><br />
-OR:
-<br /><br />
-<tt>I've read &amp; consent to terms in IS user agreem't.</tt>
  </description>
  <ocil clause="it does not display the required banner">
  To check if the system login banner is compliant,
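Review bot: the removed text covered two acceptable DoD banners (the long notice and the short `I've read &amp; consent to terms in IS user agreem't.` form), while a single `<sub idref="login_banner_text"/>` can carry only one of them, so the description loses the statement that the short form is acceptable; keep a sentence saying so, or offer the alternative as a second selector for the Value. Also, the replacement wraps the substituted text in `<pre>`, which does not reflow, so the long banner will render as one very wide line in the HTML guide unless the Value's text itself contains line breaks.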
@@ -120,7 +99,7 @@ in the login screen, run the following command:
  <pre>sudo -u gdm gconftool-2 \
    --type string \
    --set /apps/gdm/simple-greeter/banner_message_text \
-  "Text of the warning banner here"</pre>
+  "<sub idref="login_banner_text"/>"</pre>
  When entering a warning banner that spans several lines, remember
  to begin and end the string with <tt>"</tt>. This command writes
  directly to the file 
<tt>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</tt>,
@@ -136,6 +115,7 @@ An appropriate warning message reinforces policy awareness 
during the logon
  process and facilitates possible legal action against attackers.
  </rationale>
  <ident cce="27017-3" />
+<oval id="banner_gui_text_set" value="login_banner_text" />
  <ref nist="AC-8(a),AC-8(b),AC-8(c)" disa="48,1384,1385,1386,1387,1388" />
  </Rule>
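Review bot: this adds `<oval id="banner_gui_text_set" value="login_banner_text" />` for the GUI banner rule, but the earlier hunk in this file makes the `/etc/issue` rule reference `login_banner_text` as well and no matching `<oval ... value="login_banner_text" />` is visible for it; confirm that rule's `<oval>` element also passes the Value, otherwise the profile's banner text is substituted into the description but never exported to its check. Also confirm the GUI rule did not already carry an `<oval id="banner_gui_text_set" />` element, since this hunk adds a new line rather than modifying an existing one.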
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index 4bfb0c2..989ec3b 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -225,7 +225,7 @@ operator="equals" interactive="0">
  <description>To configure the number of retry prompts that are permitted 
per-session:
  <br /><br />
  Edit the <tt>pam_cracklib.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt> to
-show <tt>retry=3</tt>, or a lower value if site policy is more restrictive.
+show <tt>retry=<sub idref="var_password_pam_cracklib_retry"/></tt>, or a lower 
value if site policy is more restrictive.
  <br /><br />
  The DoD requirement is a maximum of 3 prompts per session.
  </description>
@@ -273,14 +273,14 @@ Passwords with excessive repeating characters may be more 
vulnerable to password
  usage of digits in a password. When set to a negative number, any password 
will be required to
  contain that many digits. When set to a positive number, pam_cracklib will 
grant +1 additional
  length credit for each digit.
-Add <tt>dcredit=-1</tt> after pam_cracklib.so to require use of a digit in 
passwords.
+Add <tt>dcredit=<sub idref="var_password_pam_cracklib_dcredit"/></tt> after 
pam_cracklib.so to require use of a digit in passwords.
  </description>
  <ocil clause="dcredit is not found or not set to the required value">
  To check how many digits are required in a password, run the following 
command:
  <pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre>
  The <tt>dcredit</tt> parameter (as a negative number) will indicate how many 
digits are required.
  The DoD requires at least one digit in a password.
-This would appear as <tt>dcredit=-1</tt>.
+This would appear as <tt>dcredit=<sub 
idref="var_password_pam_cracklib_dcredit"/></tt>.
  </ocil>
  <rationale>
  Requiring digits makes password guessing attacks more difficult by ensuring a 
larger
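Review bot: `Add <tt>dcredit=<sub idref="var_password_pam_cracklib_dcredit"/></tt> after pam_cracklib.so to require use of a digit in passwords.` is only true when the profile Value is negative; as the preceding context explains, a positive value grants a length credit instead of requiring a digit. Either state that the Value is expected to be negative or reword to `to set the digit credit`. The same applies to the `This would appear as` line in the ocil here and to the ucredit, ocredit and lcredit hunks below.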
@@ -298,7 +298,7 @@ search space.
  usage of uppercase letters in a password. When set to a negative number, any 
password will be required to
  contain that many uppercase characters. When set to a positive number, 
pam_cracklib will grant +1 additional
  length credit for each uppercase character.
-Add <tt>ucredit=-1</tt> after pam_cracklib.so to require use of an upper case 
character in passwords.
+Add <tt>ucredit=<sub idref="var_password_pam_cracklib_ucredit"/></tt> after 
pam_cracklib.so to require use of an upper case character in passwords.
  </description>
  <ocil clause="ucredit is not found or not set to the required value">
  To check how many uppercase characters are required in a password, run the 
following command:
@@ -323,7 +323,7 @@ more difficult by ensuring a larger search space.
  usage of special (or ``other'') characters in a password. When set to a 
negative number, any password will be required to
  contain that many special characters. When set to a positive number, 
pam_cracklib will grant +1 additional
  length credit for each special character.
-Add <tt>ocredit=-1</tt> after pam_cracklib.so to require use of a special 
character in passwords.
+Add <tt>ocredit=<sub idref="var_password_pam_cracklib_ocredit"/></tt> after 
pam_cracklib.so to require use of a special character in passwords.
  </description>
  <ocil clause="ocredit is not found or not set to the required value">
  To check how many special characters are required in a password, run the 
following command:
@@ -348,7 +348,7 @@ more difficult by ensuring a larger search space.
  usage of lowercase letters in a password. When set to a negative number, any 
password will be required to
  contain that many lowercase characters. When set to a positive number, 
pam_cracklib will grant +1 additional
  length credit for each lowercase character.
-Add <tt>lcredit=-1</tt> after pam_cracklib.so to require use of a lowercase 
character in passwords.
+Add <tt>lcredit=<sub idref="var_password_pam_cracklib_lcredit"/></tt> after 
pam_cracklib.so to require use of a lowercase character in passwords.
  </description>
  <ocil clause="lcredit is not found or not set to the required value">
  To check how many lowercase characters are required in a password, run the 
following command:
@@ -371,8 +371,8 @@ more difficult by ensuring a larger search space.
  <title>Set Password Strength Minimum Different Characters</title>
  <description>The pam_cracklib module's <tt>difok</tt> parameter controls 
requirements for
  usage of different characters during a password change.
-Add <tt>difok=<i>NUM</i></tt> after pam_cracklib.so to require differing
-characters when changing passwords, substituting <i>NUM</i> appropriately.
+Add <tt>difok=<i><sub idref="var_password_pam_cracklib_difok"/></i></tt> after 
pam_cracklib.so to require differing
+characters when changing passwords.
  The DoD requirement is <tt>4</tt>.
  </description>
  <ocil clause="difok is not found or not set to the required value">
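Review bot: `difok=<i><sub idref="var_password_pam_cracklib_difok"/></i>` keeps the `<i>` that used to mark `NUM` as a placeholder; once the `<sub>` is rendered it is a concrete value, and italics in these descriptions signal "replace this", so drop the `<i>`. The same leftover `<i>` around a `<sub>` appears in the INACTIVE, num_logs, max_log_file, admin_space_left_action and daemon umask hunks.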
@@ -422,13 +422,13 @@ attempts using <tt>pam_faillock.so</tt>:
  <br /><br />
  Add the following lines immediately below the <tt>pam_unix.so</tt> statement in 
<tt>AUTH</tt> section of
  <tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
+<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
  </description>
  <ocil clause="that is not the case">
  To ensure the failed password attempt policy is configured correctly, run the 
following command:
  <pre># grep pam_faillock /etc/pam.d/system-auth</pre>
-The output should show <tt>deny=3</tt>.
+The output should show <tt>deny=<sub 
idref="var_accounts_passwords_pam_faillock_deny"/></tt>.
  </ocil>
  <rationale>
  Locking out user accounts after a number of incorrect attempts
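Review bot: the description now substitutes three Values (`deny`, `unlock_time`, `fail_interval`), but the ocil check text only says `The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/></tt>.`; a system with the right `deny` and a wrong `unlock_time` would pass the manual check, so extend the ocil to show all three parameters. The same two `<pre>` lines are pasted into the next two faillock rules, so all three rules read the same `var_accounts_passwords_pam_faillock_*` Values; confirm that a profile never needs them to differ per rule.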
@@ -446,8 +446,8 @@ To configure the system to lock out accounts after a number 
of incorrect login
  attempts and require an administrator to unlock the account using 
<tt>pam_faillock.so</tt>:
  <br /><br />
  Add the following lines immediately below the <tt>pam_env.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
+<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
  </description>
  <ocil clause="that is not the case">
  To ensure the failed password attempt policy is configured correctly, run the 
following command:
@@ -472,8 +472,8 @@ To configure the system to lock out accounts after a number 
of incorrect login
  attempts within a 15 minute interval using <tt>pam_faillock.so</tt>:
  <br /><br />
  Add the following lines immediately below the <tt>pam_env.so</tt> statement in 
<tt>/etc/pam.d/system-auth</tt>:
-<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 
fail_interval=900</pre>
-<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 
fail_interval=900</pre>
+<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
+<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> 
unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub 
idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre>
  </description>
  <ocil clause="that is not the case">
  To ensure the failed password attempt policy is configured correctly, run the 
following command:
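Review bot: the context line `attempts within a 15 minute interval using <tt>pam_faillock.so</tt>:` still hard-codes 15 minutes while the `<pre>` below it substitutes `var_accounts_passwords_pam_faillock_fail_interval`; substitute the Value there too (stating that it is in seconds) so the prose and the configuration line cannot disagree.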
@@ -493,9 +493,9 @@ specific period of time prevents direct password guessing 
attacks.
  <title>Limit Password Reuse</title>
  <description>Do not allow users to reuse recent passwords. This can
  be accomplished by using the <tt>remember</tt> option for the 
<tt>pam_unix</tt> PAM
-module.  In the file <tt>/etc/pam.d/system-auth</tt>, append 
<tt>remember=24</tt> to the
+module.  In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub 
idref="password_history_retain_number" /></tt> to the
  line which refers to the <tt>pam_unix.so</tt> module, as shown:
-<pre>password sufficient pam_unix.so <i>existing_options</i> remember=24</pre>
+<pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub 
idref="password_history_retain_number" /></pre>
  The DoD and FISMA requirement is 24 passwords.</description>
  <ocil clause="it does not">
  To verify the password reuse setting is compliant, run the following command:
diff --git a/RHEL6/input/system/accounts/physical.xml 
b/RHEL6/input/system/accounts/physical.xml
index 1631797..c7b6c96 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -250,12 +250,12 @@ the man page <tt>gconftool-2(1)</tt>.</description>
  <title>Set GNOME Login Inactivity Timeout</title>
  <description>
  Run the following command to set the idle time-out value for
-inactivity in the GNOME desktop to 15 minutes:
+inactivity in the GNOME desktop to <sub idref="inactivity_timeout_value" /> 
minutes:
  <pre># gconftool-2 \
    --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type int \
-  --set /apps/gnome-screensaver/idle_delay 15</pre>
+  --set /apps/gnome-screensaver/idle_delay <sub idref="inactivity_timeout_value" 
/></pre>
  </description>
  <ocil clause="it is not">
  To check the current idle time-out value, run the following command:
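Review bot: the description now reads `<sub idref="inactivity_timeout_value" /> minutes`, but the ocil that follows (`To check the current idle time-out value, run the following command:`) is not touched by this hunk; confirm its expected output was already substituted, otherwise the check text still shows the old fixed value while the description shows the profile's.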
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml 
b/RHEL6/input/system/accounts/restrictions/account_expiration.xml
index 18b2396..9d14001 100644
--- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml
+++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml
@@ -32,12 +32,10 @@ normal command line utilities.
  <title>Set Account Expiration Following Inactivity</title>
  <description>To specify the number of days after a password expires (which
  signifies inactivity) until an account is permanently disabled, add or correct
-the following lines in <tt>/etc/default/useradd</tt>, substituting
-<tt><i>NUM_DAYS</i></tt> appropriately:
-<pre>INACTIVE=<i>NUM_DAYS</i></pre>
-A value of 35 is recommended.
+the following lines in <tt>/etc/default/useradd</tt>, to match:
+<pre>INACTIVE=<i><sub 
idref="var_account_disable_post_pw_expiration"/></i></pre>
  If a password is currently on the
-verge of expiration, then 35 days remain until the account is automatically
+verge of expiration, then <sub 
idref="var_account_disable_post_pw_expiration"/> days remain until the account is 
automatically
  disabled. However, if the password will not expire for another 60 days, then 
95
  days could elapse until the account would be automatically disabled. See the
  <tt>useradd</tt> man page for more information.  Determining the inactivity
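Review bot: with `35` replaced by `<sub idref="var_account_disable_post_pw_expiration"/>`, the worked example in the context two lines later (`if the password will not expire for another 60 days, then 95 days could elapse`) is stale: 95 was 35 + 60 and is wrong for any other profile value. Either remove the arithmetic or express it in terms of the Value. Also `add or correct the following lines in <tt>/etc/default/useradd</tt>, to match:` has a stray comma before `to match`, and the `<i>` around the `<sub>` should go now that it is no longer a placeholder.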
diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml 
b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
index ce8a082..db7a035 100644
--- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml
@@ -81,7 +81,10 @@ age, and 7 day warning period with the following command:
  <description>To specify password length requirements for new accounts,
  edit the file <tt>/etc/login.defs</tt> and add or correct the following
  lines:
-<pre>PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> 
--></pre>
+<pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/> </pre>
+Also edit <tt>/etc/pam.d/system-auth</tt> and add <tt>minlen=<sub 
idref="var_accounts_password_minlen_login_defs"/></tt> to <tt>pam_cracklib.so</tt> entry, like:
+<pre>password required pam_cracklib.so try_first_pass <i>existing_content</i> minlen=<sub 
idref="var_accounts_password_minlen_login_defs"/></pre>
+
  <br/><br/>
  The DoD requirement is <tt>14</tt>.
  The FISMA requirement is <tt>12</tt>.
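Review bot: `<pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/> </pre>` has a trailing space before `</pre>` that will be rendered, and the extra blank `+` line before `<br/><br/>` adds nothing. More substantively, the new pam_cracklib `minlen=` instruction reuses the login.defs Value for `/etc/pam.d/system-auth`, so the id `var_accounts_password_minlen_login_defs` no longer describes what it controls, and nothing in this hunk shows a check for the pam setting; say whether it is checked or only recommended. Also `to <tt>pam_cracklib.so</tt> entry` should read `to the <tt>pam_cracklib.so</tt> entry`.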
@@ -113,8 +116,8 @@ behavior that may result.
  <title>Set Password Minimum Age</title>
  <description>To specify password minimum age for new accounts,
  edit the file <tt>/etc/login.defs</tt>
-and add or correct the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_MIN_DAYS <i>DAYS</i></pre>
+and add or correct the following line to match:
+<pre>PASS_MIN_DAYS <sub idref="var_accounts_minimum_age_login_defs"/></pre>
  A value of 1 day is considered for sufficient for many
  environments.
  The DoD requirement is 1.
@@ -140,8 +143,8 @@ after satisfying the password reuse requirement.
  <title>Set Password Maximum Age</title>
  <description>To specify password maximum age for new accounts,
  edit the file <tt>/etc/login.defs</tt>
-and add or correct the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_MAX_DAYS <i>DAYS</i></pre>
+and add or correct the following line to match:
+<pre>PASS_MAX_DAYS <sub idref="var_accounts_maximum_age_login_defs"/></pre>
  A value of 180 days is sufficient for many environments.
  The DoD requirement is 60.
  </description>
@@ -168,8 +171,8 @@ location subject to physical compromise.</rationale>
  <description>To specify how many days prior to password
  expiration that a warning will be issued to users,
  edit the file <tt>/etc/login.defs</tt> and add or correct
- the following line, replacing <i>DAYS</i> appropriately:
-<pre>PASS_WARN_AGE <i>DAYS</i></pre>
+ the following line to match:
+<pre>PASS_WARN_AGE <sub 
idref="var_accounts_password_warn_age_login_defs"/></pre>
  The DoD requirement is 7.
  <!-- <sub idref="accounts_password_warn_age_login_defs_login_defs_value" /> 
-->
  </description>
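Review bot: now that `PASS_WARN_AGE <sub idref="var_accounts_password_warn_age_login_defs"/>` is substituted for real, the commented-out `<!-- <sub idref="accounts_password_warn_age_login_defs_login_defs_value" /> -->` left in the context just below it is dead and names a different id; remove it in this patch so the two ids do not coexist.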
diff --git a/RHEL6/input/system/accounts/session.xml 
b/RHEL6/input/system/accounts/session.xml
index ae71777..1f72f5a 100644
--- a/RHEL6/input/system/accounts/session.xml
+++ b/RHEL6/input/system/accounts/session.xml
@@ -31,7 +31,7 @@ Limiting the number of allowed users and sessions per user 
can limit risks relat
  Service attacks. This addresses concurrent sessions for a single account and 
does not address
  concurrent sessions by a single user via multiple accounts.  The DoD 
requirement is 10.   To set the number of concurrent
  sessions per user add the following line in 
<tt>/etc/security/limits.conf</tt>:
-<pre>* hard maxlogins 10</pre>
+<pre>* hard maxlogins <sub idref="max_concurrent_login_sessions_value" /></pre>
  </description>
  <rationale>Limiting simultaneous user logins can insulate the system from 
denial of service
  problems caused by excessive logins. Automated login processes operating 
improperly or
@@ -42,7 +42,7 @@ Run the following command to ensure the <tt>maxlogins</tt> 
value is configured f
  on the system:
  <pre># grep "maxlogins" /etc/security/limits.conf</pre>
  You should receive output similar to the following:
-<pre>*           hard    maxlogins       10</pre>
+<pre>*           hard    maxlogins       <sub 
idref="max_concurrent_login_sessions_value" /></pre>
  </ocil>
  <oval id="accounts_max_concurrent_login_sessions" 
value="max_concurrent_login_sessions_value" />
  <ident cce="27457-1" />
@@ -211,7 +211,7 @@ operator="equals" interactive="0">
  To ensure the default umask for users of the Bash shell is set properly,
  add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
  as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask <sub idref="umask_user_value" /></pre>
  </description>
  <rationale>The umask value influences the permissions assigned to files when 
they are created.
  A misconfigured umask value could result in files with excessive permissions 
that can be read or
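Review bot: the description substitutes `<sub idref="umask_user_value" />`, but the ocil in the next hunk and the existing `<oval ... value="var_accounts_user_umask"/>` elements in this file use `var_accounts_user_umask`; unless both Values exist and are kept in sync, the description and the check can show different umasks, and an undefined idref fails the XCCDF build. Use `var_accounts_user_umask` here, and likewise in the csh.cshrc, /etc/profile and login.defs description hunks below.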
@@ -222,8 +222,8 @@ running the following command:
  <pre># grep "umask" /etc/bashrc</pre>
  All output must show the value of <tt>umask</tt> set to 077, as shown below:
  <pre># grep "umask" /etc/bashrc
-umask 077
-umask 077</pre>
+umask <sub idref="var_accounts_user_umask"/>
+umask <sub idref="var_accounts_user_umask"/></pre>
  </ocil>
<ident cce="26917-5" />
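Review bot: `All output must show the value of <tt>umask</tt> set to 077, as shown below:` still hard-codes 077 right above the now-substituted `umask <sub idref="var_accounts_user_umask"/>` lines, so the sentence contradicts the example for any profile that selects another value; substitute the Value in the sentence too. The same sentence appears in the csh.cshrc and /etc/profile ocil hunks below.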
@@ -237,7 +237,7 @@ umask 077</pre>
  <description>
  To ensure the default umask for users of the C shell is set properly,
  add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read 
as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask <sub idref="umask_user_value" /></pre>
  </description>
  <rationale>The umask value influences the permissions assigned to files when 
they are created.
  A misconfigured umask value could result in files with excessive permissions 
that can be read or
@@ -248,7 +248,7 @@ running the following command:
  <pre># grep "umask" /etc/csh.cshrc</pre>
  All output must show the value of <tt>umask</tt> set to 077, as shown in the 
below:
  <pre># grep "umask" /etc/csh.cshrc
-umask 077</pre>
+umask <sub idref="var_accounts_user_umask"/></pre>
  </ocil>
  <ident cce="27034-8" />
  <oval id="accounts_umask_cshrc" value="var_accounts_user_umask"/>
@@ -261,7 +261,7 @@ umask 077</pre>
  <description>
  To ensure the default umask controlled by <tt>/etc/profile</tt> is set 
properly,
  add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as 
follows:
-<pre>umask 077<!--<sub idref="umask_user_value" /> --></pre>
+<pre>umask <sub idref="umask_user_value" /></pre>
  </description>
  <rationale>The umask value influences the permissions assigned to files when 
they are created.
  A misconfigured umask value could result in files with excessive permissions 
that can be read or
@@ -273,7 +273,7 @@ running the following command:
  <pre># grep "umask" /etc/profile</pre>
  All output must show the value of <tt>umask</tt> set to 077, as shown in the 
below:
  <pre># grep "umask" /etc/profile
-umask 077</pre>
+umask <sub idref="var_accounts_user_umask"/></pre>
  </ocil>
  <oval id="accounts_umask_etc_profile" value="var_accounts_user_umask" />
  <tested by="swells" on="20120929"/>
@@ -285,7 +285,7 @@ umask 077</pre>
  <description>
  To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set 
properly,
  add or correct the <tt>UMASK</tt> setting in <tt>/etc/login.defs</tt> to read 
as follows:
-<pre>UMASK 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>UMASK <sub idref="umask_user_value" /></pre>
  </description>
  <rationale>The umask value influences the permissions assigned to files when 
they are created.
  A misconfigured umask value could result in files with excessive permissions 
that can be read and
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 16585ba..791ffaf 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -232,9 +232,8 @@ normally.</i>
  <description>Determine how many log files
  <tt>auditd</tt> should retain when it rotates logs.
  Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following
-line, substituting <i>NUMLOGS</i> with the correct value:
-<pre>num_logs = <i>NUMLOGS</i></pre>
-Set the value to 5 for general-purpose systems.
+line to match:
+<pre>num_logs = <i><sub idref="var_auditd_num_logs" /></i></pre>
  Note that values less than 2 result in no log rotation.</description>
  <ocil clause="the system log file retention has not been properly configured">
  Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
@@ -254,10 +253,8 @@ file size and the number of logs retained.</rationale>
  <title>Configure auditd Max Log File Size</title>
  <description>Determine the amount of audit data (in megabytes)
  which should be retained in each log file. Edit the file
-<tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting
-the correct value for <i>STOREMB</i>:
-<pre>max_log_file = <i>STOREMB</i></pre>
-Set the value to <tt>6</tt> (MB) or higher for general-purpose systems.
+<tt>/etc/audit/auditd.conf</tt>. Add or modify the following line to match:
+<pre>max_log_file = <i><sub idref="var_auditd_max_log_file" /></i></pre>
  Larger values, of course,
  support retention of even more audit data.</description>
  <ocil clause="the system audit data threshold has not been properly 
configured">
@@ -289,8 +286,8 @@ page. These include:
  <li><tt>rotate</tt></li>
  <li><tt>keep_logs</tt></li>
  </ul>
-Set the <tt><i>ACTION</i></tt> to <tt>rotate</tt> to ensure log rotation
-occurs.  This is the default.  The setting is case-insensitive.
+Set the <tt><i>ACTION</i></tt> to <tt><sub idref="var_auditd_max_log_file_action" 
/></tt> to ensure compliance.
+The setting is case-insensitive.
  </description>
  <ocil clause="the system has not been properly configured to rotate audit 
logs">
  Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
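Review bot: replacing `rotate` with `<sub idref="var_auditd_max_log_file_action" />` leaves the ocil clause `the system has not been properly configured to rotate audit logs` asserting rotation; if a profile selects `keep_logs` the failure message is wrong. Also `to ensure compliance` says less than the removed `to ensure log rotation occurs`; say what the selected action achieves or point the reader at the profile.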
@@ -342,8 +339,8 @@ These include:
  <li><tt>single</tt></li>
  <li><tt>halt</tt></li>
  </ul>
-Set this to <tt>email</tt> (instead of the default,
-which is <tt>suspend</tt>) as it is more likely to get prompt attention. 
Acceptable values
+Set this to <tt><sub idref="var_auditd_space_left_action"/></tt> (instead of the default 
which is <tt>suspend</tt>)
+as it is more likely to get prompt attention. Acceptable values
  also include <tt>suspend</tt>, <tt>single</tt>, and <tt>halt</tt>.
  </description>
  <ocil clause="the system is not configured to send an email to the system 
administrator when
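Review bot: `Set this to <tt><sub idref="var_auditd_space_left_action"/></tt> (instead of the default which is <tt>suspend</tt>) as it is more likely to get prompt attention. Acceptable values also include <tt>suspend</tt>, ...` only makes sense when the Value is `email`; a profile that selects `suspend` or `halt` renders a self-contradictory sentence. Keep the justification generic, and update the ocil clause `not configured to send an email to the system administrator`, which still assumes `email`.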
@@ -369,7 +366,7 @@ allow them to take corrective action prior to any 
disruption.</rationale>
  when disk space is running low but prior to running out of space completely.
  Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following 
line,
  substituting <i>ACTION</i> appropriately:
-<pre>admin_space_left_action = <i>ACTION</i></pre>
+<pre>admin_space_left_action = <i><sub idref="var_auditd_admin_space_left_action" 
/></i></pre>
  Set this value to <tt>single</tt> to cause the system to switch to single user
  mode for corrective action. Acceptable values also include <tt>suspend</tt> 
and
  <tt>halt</tt>. For certain systems, the need for availability
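Review bot: the context line `substituting <i>ACTION</i> appropriately:` still tells the reader to replace a placeholder that this hunk removes from the `<pre>`, and `Set this value to <tt>single</tt>` below it hard-codes the choice the Value is meant to make; reword both along the lines of the `to match:` wording used in the other hunks.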
@@ -400,7 +397,7 @@ is used, running low on space for audit records should 
never occur.
  a designated account in certain situations. Add or correct the following line
  in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified
  via email for those situations:
-<pre>action_mail_acct = root</pre>
+<pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre>
  </description>
  <ocil clause="auditd is not configured to send emails per identified actions">
  Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
diff --git a/RHEL6/input/system/permissions/execution.xml 
b/RHEL6/input/system/permissions/execution.xml
index 9ce2f86..c9aa397 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -28,9 +28,8 @@ for system daemons.
  <description>The file <tt>/etc/init.d/functions</tt> includes initialization
  parameters for most or all daemons started at boot time.  The default umask of
  022 prevents creation of group- or world-writable files.  To set the default
-umask for daemons, edit the following line, inserting 022 or 027 for
-<i>UMASK</i> appropriately:
-<pre>umask <i>UMASK</i></pre>
+umask for daemons, edit the following line to match:
+<pre>umask <i><sub idref="var_umask_for_daemons"/></i></pre>
  Setting the umask to too restrictive a setting can cause serious errors at
  runtime.  Many daemons on the system already individually restrict themselves 
to
  a umask of 077 in their own init scripts.
@@ -38,7 +37,7 @@ a umask of 077 in their own init scripts.
  <ocil clause="it does not">
  To check the value of the <tt>umask</tt>, run the following command:
  <pre>$ grep umask /etc/init.d/functions</pre>
-The output should show either <tt>022</tt> or <tt>027</tt>.
+The output should show <tt><sub idref="var_umask_for_daemons"/></tt>.
  </ocil>
  <rationale>The umask influences the permissions assigned to files created by a
  process at run time.  An unnecessarily permissive umask could result in files
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index a424b1a..9c28d21 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
@@ -105,14 +105,14 @@ the chances that it will remain off during system 
operation.
<Rule id="set_selinux_state" severity="medium">
  <title>Ensure SELinux State is Enforcing</title>
-<description>The SELinux state should be set to <tt>enforcing</tt> at
+<description>The SELinux state should be set to <tt><sub 
idref="var_selinux_state_name"/></tt> at
  system boot time.  In the file <tt>/etc/selinux/config</tt>, add or correct 
the
  following line to configure the system to boot into enforcing mode:
-<pre>SELINUX=enforcing</pre>
+<pre>SELINUX=<sub idref="var_selinux_state_name"/></pre>
  </description>
  <ocil clause="SELINUX is not set to enforcing">
  Check the file <tt>/etc/selinux/config</tt> and ensure the following line 
appears:
-<pre>SELINUX=enforcing</pre>
+<pre>SELINUX=<sub idref="var_selinux_state_name"/></pre>
  </ocil>
  <rationale>
  Setting the SELinux state to enforcing ensures SELinux is able to confine
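Review bot: making `SELINUX=` a substituted Value while the rule title (`Ensure SELinux State is Enforcing`), the sentence `to configure the system to boot into enforcing mode`, the ocil clause `SELINUX is not set to enforcing` and the rationale all still say `enforcing` produces a rule whose text disagrees with itself for any profile that sets `var_selinux_state_name` to `permissive` or `disabled`. Since a profile can now silently weaken this rule, either keep `enforcing` fixed or substitute the Value everywhere and make clear that only `enforcing` satisfies the stated rationale.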
@@ -128,18 +128,18 @@ privileges.
<Rule id="set_selinux_policy">
  <title>Configure SELinux Policy</title>
-<description>The SELinux <tt>targeted</tt> policy is appropriate for
+<description>The SELinux <tt><sub idref="var_selinux_policy_name"/></tt> 
policy is appropriate for
  general-purpose desktops and servers, as well as systems in many other roles.
  To configure the system to use this policy, add or correct the following line
  in <tt>/etc/selinux/config</tt>:
-<pre>SELINUXTYPE=targeted</pre>
+<pre>SELINUXTYPE=<sub idref="var_selinux_policy_name"/></pre>
  Other policies, such as <tt>mls</tt>, provide additional security labeling
  and greater confinement but are not compatible with many general-purpose
  use cases.
  </description>
  <ocil clause="it does not">
  Check the file <tt>/etc/selinux/config</tt> and ensure the following line 
appears:
-<pre>SELINUXTYPE=targeted</pre>
+<pre>SELINUXTYPE=<sub idref="var_selinux_policy_name"/></pre>
  </ocil>
  <rationale>
  Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy
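Review bot: with `SELINUXTYPE=<sub idref="var_selinux_policy_name"/>`, the surrounding context (`Other policies, such as <tt>mls</tt>, provide additional security labeling ...` and the rationale `Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy`) still reads as if `targeted` were the only selectable value; reword so a profile selecting `mls` does not describe mls as an "other" policy.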
--
1.7.1




While technically the XCCDF spec supports this, do the transforms? Punting to Jeff (who wrote them).
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
