>From b270790a27858efcd198d7099c2acc52796b34d8 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 25 Oct 2013 23:21:04 -0400 Subject: [PATCH 6/8] Added CCEs to remaining XCCDF rules - All rules now have CCE values
--- RHEL6/input/services/snmp.xml | 2 ++ RHEL6/input/system/accounts/physical.xml | 2 ++ .../accounts/restrictions/account_expiration.xml | 1 + .../accounts/restrictions/password_storage.xml | 1 + RHEL6/input/system/auditing.xml | 2 ++ RHEL6/input/system/permissions/files.xml | 5 ++++- RHEL6/input/system/software/disk_partitioning.xml | 1 + RHEL6/input/system/software/integrity.xml | 2 ++ RHEL6/input/system/software/updating.xml | 1 + 9 files changed, 16 insertions(+), 1 deletions(-) diff --git a/RHEL6/input/services/snmp.xml b/RHEL6/input/services/snmp.xml index ec22a42..0e4f8b3 100644 --- a/RHEL6/input/services/snmp.xml +++ b/RHEL6/input/services/snmp.xml @@ -83,6 +83,7 @@ There should be no output. Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. </rationale> +<ident cce="27365-6"/> </Rule> <Rule id="snmpd_not_default_password" severity="medium"> @@ -101,6 +102,7 @@ There should be no output. Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system. </rationale> +<ident cce="27593-3"/> <tested by="MAN" on="20121214"/> </Rule> diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 1631797..ead411a 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -166,6 +166,7 @@ In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Del sequence is reduced because the user will be prompted before any action is taken. </rationale> +<ident cce="27567-7"/> </Rule> <Rule id="disable_interactive_boot" severity="medium"> 
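Review bot: Nothing in this patch checks that the value in the added `<ident cce="27365-6"/>` line, or in the other fifteen `<ident>` lines it adds, is not already assigned to a rule in a file the patch does not touch. The sixteen values are distinct from one another and each passes the Luhn check-digit test that CCE identifiers use, so the remaining risk is a collision with, or a wrong mapping against, existing content. A build-time validation that fails on any `Rule` without an `ident` child and on any repeated `cce` value would back the commit message's claim that all rules now have CCEs; an XPath such as `//Rule[not(ident/@cce)]` returning an empty set covers the first half. The enclosing Rule starts outside the hunk.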
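Review bot: The rule closed at the end of the second snmp.xml hunk gets `<ident cce="27593-3"/>`, but no `<oval>` element appears between `</rationale>` and `</Rule>`, which is where the rules in auditing.xml and files.xml declare theirs. If no check is declared earlier in the rule (its start is outside the hunk), a scan reports the rule as not checked, and a compliance report read by CCE can be mistaken for automated coverage. The same pattern is visible in the first snmp.xml hunk, in the last files.xml hunk, and in the physical.xml, account_expiration.xml, password_storage.xml, disk_partitioning.xml, integrity.xml and updating.xml hunks. I would mark such rules where they stand, e.g. `<!-- no OVAL check yet: verify manually -->`, so the gap is visible next to the identifier.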
@@ -417,6 +418,7 @@ smart card (CAC) authentication: that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials. </rationale> +<ident cce="27440-7"/> <ref disa="765,766,767,768,771,772,884" /> </Rule> diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 0d92037..58e9191 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -102,6 +102,7 @@ remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked. <br/> </rationale> +<ident cce="27474-6"/> <ref nist="AC-2(2),AC-2(3)" disa="16,1682"/> </Rule> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index fb2efc0..9720505 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -82,6 +82,7 @@ There should be no output. <rationale> Inconsistency in GIDs between <tt>/etc/passwd</tt> and <tt>/etc/group</tt> could lead to a user having unintended rights. </rationale> +<ident cce="27379-7"/> <ref disa="366" /> <tested by="DS" on="20121024"/> </Rule> diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 16585ba..e1bd4dc 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml 
@@ -245,6 +245,7 @@ determine how many logs the system is configured to retain after rotation: <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.</rationale> +<ident cce="27522-2"/> <oval id="auditd_data_retention_num_logs" value="var_auditd_num_logs" /> <ref nist="AU-1(b),AU-11,IR-5" /> <tested by="DS" on="20121024"/> @@ -269,6 +270,7 @@ determine how much data the system will retain in each audit log file: <rationale>The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.</rationale> +<ident cce="27550-3"/> <oval id="auditd_data_retention_max_log_file" value="var_auditd_max_log_file" /> <ref nist="AU-1(b),AU-11,IR-5" /> <tested by="DS" on="20121024"/> diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 7d4add9..16b7618 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -214,6 +214,7 @@ run the following command for each directory <i>DIR</i> which contains shared li space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. </rationale> +<ident cce="27381-3"/> <ref nist="AC-6" disa="1499"/> <tested by="DS" on="20121026"/> <oval id="file_permissions_library_dirs" /> @@ -252,6 +253,7 @@ owned by root: space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. </rationale> +<ident cce="27424-1"/> <ref nist="AC-6" disa="1499"/> <oval id="file_ownership_library_dirs" /> <tested by="swells" on="20130914"/> 
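Review bot: The `<ident cce="27522-2"/>` added in the first auditing.xml hunk and the `<ident cce="27550-3"/>` in the second sit under word-for-word identical rationale text, so a swapped pair would not be noticed in review. Only the `<oval id=…>` lines that follow tell the two rules apart inside the hunks, and the patch gives no way to confirm which CCE belongs to the retained-log count and which to the maximum log file size. A short comment beside each, such as `<!-- CCE for num_logs -->` and `<!-- CCE for max_log_file -->`, or a pointer in the commit message to the CCE list that was used, would make the mapping reviewable. Both Rule elements begin outside their hunks.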
@@ -290,6 +292,7 @@ run the following command for each directory <i>DIR</i> which contains system ex and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. </rationale> +<ident cce="27289-8"/> <ref nist="AC-6" disa="1499"/> <oval id="file_permissions_binary_dirs" /> </Rule> @@ -326,10 +329,10 @@ run the following command for each directory <i>DIR</i> which contains system ex and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. </rationale> +<ident cce="27623-8"/> <ref nist="AC-6" disa="1499"/> </Rule> - </Group> <Rule id="sticky_world_writable_dirs"> diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index a94943b..54b45ae 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml @@ -158,6 +158,7 @@ The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. </rationale> +<ident cce="27596-6"/> <ref nist="SC-13, SC-28" disa="1019,1199,1200" /> </Rule> diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index b706f90..c7879ae 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -200,6 +200,7 @@ McAfee HBSS, which is available through Cybercom. Host-based intrusion detection tools provide a system-level defense when an intruder gains access to a system or network. </rationale> +<ident cce="27409-2"/> <ref nist="SC-7" disa="1263"/> </Rule> 
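Review bot: Besides the `<ident cce="27623-8"/>` line, the last files.xml hunk (`@@ -326,10 +329,10 @@`) deletes what appears to be a blank line between `</Rule>` and `</Group>`, a whitespace change unrelated to the CCE additions. It is the only removed line in the patch and accounts for the single deletion in the diffstat. I would leave that line in place so the commit contains nothing but identifier additions and stays easy to audit line by line.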
@@ -239,6 +240,7 @@ To check on the age of uvscan virus definition files, run the following command: Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. </rationale> +<ident cce="27529-7"/> <ref nist="SC-28, SI-3" disa="1239,1668"/> </Rule> diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml index cccf5c2..aef22ec 100644 --- a/RHEL6/input/system/software/updating.xml +++ b/RHEL6/input/system/software/updating.xml @@ -123,6 +123,7 @@ to determine if the system is missing applicable updates. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. </rationale> +<ident cce="27635-2"/> <ref nist="SI-2,MA-1(b)" disa="1227,1233"/> <tested by="MM" on="20120928"/> </Rule> -- 1.7.1
