>From f372647cd1d517656514bb54c703ec5e5e4b9653 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Fri, 25 Oct 2013 21:26:15 -0400 Subject: [PATCH 1/8] OVAL/XCCDF naming update: accounts_disable_post_pw_expiration.xml
Updated accounts_disable_post_pw_expiration.xml ==> account_disable_post_pw_expiration.xml OVAL now matches XCCDF name
---
.../checks/account_disable_post_pw_expiration.xml | 39 ++++++++++++++++++++
.../checks/accounts_disable_post_pw_expiration.xml | 39 --------------------
.../accounts/restrictions/account_expiration.xml | 2 +-
3 files changed, 40 insertions(+), 40 deletions(-)
create mode 100644 RHEL6/input/checks/account_disable_post_pw_expiration.xml
delete mode 100644 RHEL6/input/checks/accounts_disable_post_pw_expiration.xml
diff --git a/RHEL6/input/checks/account_disable_post_pw_expiration.xml b/RHEL6/input/checks/account_disable_post_pw_expiration.xml
new file mode 100644
index 0000000..4e8188c
--- /dev/null
+++ b/RHEL6/input/checks/account_disable_post_pw_expiration.xml
@@ -0,0 +1,39 @@
+<def-group>
+ <definition class="compliance" id="account_disable_post_pw_expiration" version="1">
+ <metadata>
+ <title>Set Accounts to Expire Following Password Expiration</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The accounts should be configured to expire automatically following password expiration.</description>
+ <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
+ </metadata>
+ <criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd">
+ <criterion test_ref="test_etc_default_useradd_inactive" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd"
+ id="test_etc_default_useradd_inactive" version="1">
+ <ind:object object_ref="object_etc_default_useradd_inactive" />
+ <ind:state state_ref="state_etc_default_useradd_inactive" />
+ <ind:state state_ref="state_etc_default_useradd_inactive_nonnegative" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_etc_default_useradd_inactive" version="1">
+ <ind:filepath>/etc/default/useradd</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*INACTIVE\s*=\s*(\d+)\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state id="state_etc_default_useradd_inactive" version="1">
+ <ind:subexpression operation="less than or equal" var_ref="var_account_disable_post_pw_expiration" datatype="int" />
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_state id="state_etc_default_useradd_inactive_nonnegative" version="1">
+ <ind:subexpression operation="greater than" datatype="int">-1</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="inactive days expiration" datatype="int" id="var_account_disable_post_pw_expiration"
version="1" />
+
+</def-group>
diff --git a/RHEL6/input/checks/accounts_disable_post_pw_expiration.xml b/RHEL6/input/checks/accounts_disable_post_pw_expiration.xml
deleted file mode 100644
index 16e95e1..0000000
--- a/RHEL6/input/checks/accounts_disable_post_pw_expiration.xml
+++ /dev/null
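Review bot: `object_etc_default_useradd_inactive` in the new account_disable_post_pw_expiration.xml collects only the `INACTIVE` default from `/etc/default/useradd`, so the definition can pass on a host whose existing accounts still have no inactivity period set in `/etc/shadow`, while the `<description>` reads as if every account were covered. I would narrow it to something like `<description>The default inactivity period applied to newly created accounts should be set so they are disabled following password expiration.</description>`, or add a second test over the shadow inactive field. Also, `state_etc_default_useradd_inactive_nonnegative` cannot fail as written, because `(\d+)` never captures a minus sign; `INACTIVE=-1` appears to be rejected only because the object then collects nothing, which deserves a comment such as `<!-- INACTIVE=-1 (disabled) does not match the pattern, so the test fails on existence, not on this state -->`. The content looks carried over from the deleted file, so both points predate this commit.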
@@ -1,39 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_disable_post_pw_expiration" version="1">
- <metadata>
- <title>Set Accounts to Expire Following Password Expiration</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The accounts should be configured to expire automatically following password expiration.</description>
- <reference source="MED" ref_id="20130807" ref_url="test_attestation" />
- </metadata>
- <criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd">
- <criterion test_ref="test_etc_default_useradd_inactive" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all" comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd"
- id="test_etc_default_useradd_inactive" version="1">
- <ind:object object_ref="object_etc_default_useradd_inactive" />
- <ind:state state_ref="state_etc_default_useradd_inactive" />
- <ind:state state_ref="state_etc_default_useradd_inactive_nonnegative" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_etc_default_useradd_inactive" version="1">
- <ind:filepath>/etc/default/useradd</ind:filepath>
- <ind:pattern operation="pattern match">^\s*INACTIVE\s*=\s*(\d+)\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_state id="state_etc_default_useradd_inactive" version="1">
- <ind:subexpression operation="less than or equal" var_ref="var_account_disable_post_pw_expiration" datatype="int" />
- </ind:textfilecontent54_state>
-
- <ind:textfilecontent54_state id="state_etc_default_useradd_inactive_nonnegative" version="1">
- <ind:subexpression operation="greater than" datatype="int">-1</ind:subexpression>
- </ind:textfilecontent54_state>
-
- <external_variable comment="inactive days expiration" datatype="int" id="var_account_disable_post_pw_expiration"
version="1" /> - -</def-group> diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 18b2396..0d92037 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -59,7 +59,7 @@ have been responsibly removed are not available to attackers who may have compromised their credentials. </rationale> <ident cce="27283-1"/> -<oval id="accounts_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> +<oval id="account_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> <ref nist="AC-2(2), AC-2(3)" disa="16,17,795"/> </Rule> -- 1.7.1
