>From ad678eae771097b6288ea0fba95dec1740c4de49 Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Wed, 30 Oct 2013 13:21:33 -0400
Subject: [PATCH] Added CCEs to remaining rules
- All XCCDF rules now have CCEs
- Updated verify-cce.py script to report which rules still have no CCE assigned
---
RHEL6/input/auxiliary/srg_support.xml | 11 +++++++++++
RHEL6/input/services/avahi.xml | 5 +++++
RHEL6/input/services/cron.xml | 1 +
RHEL6/input/services/dns.xml | 2 ++
RHEL6/input/services/ftp.xml | 1 +
RHEL6/input/services/http.xml | 20 ++++++++++++++++++++
RHEL6/input/services/mail.xml | 1 +
RHEL6/input/services/nfs.xml | 1 +
RHEL6/input/services/ntp.xml | 2 +-
RHEL6/input/services/smb.xml | 1 +
RHEL6/input/services/ssh.xml | 2 +-
.../system/accounts/restrictions/root_logins.xml | 3 +++
RHEL6/input/system/auditing.xml | 1 +
RHEL6/input/system/logging.xml | 1 +
RHEL6/input/system/network/ipv6.xml | 1 +
RHEL6/input/system/permissions/execution.xml | 1 +
RHEL6/input/system/permissions/mounting.xml | 2 ++
RHEL6/input/system/selinux.xml | 1 +
RHEL6/input/system/software/integrity.xml | 1 +
RHEL6/utils/verify-cce.py | 2 ++
20 files changed, 58 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/auxiliary/srg_support.xml
b/RHEL6/input/auxiliary/srg_support.xml
index dcb697e..a84d348 100644
--- a/RHEL6/input/auxiliary/srg_support.xml
+++ b/RHEL6/input/auxiliary/srg_support.xml
@@ -21,6 +21,8 @@ compliance. This is a permanent not a finding.
<description>
This requirement is a permanent not a finding. No fix is required.
</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
<ref
disa="42,56,206,1084,66,85,86,185,223,171,172,1694,770,804,162,163,164,345,346,1096,1111,1291,386,156,186,1083,1082,1090,804,1127,1128,1129,1248,1265,1314,1362,1368,1310,1311,1328,1399,1400,1427,1499,1632,1693,1665,1674"
/>
</Rule>
@@ -46,6 +48,8 @@ This is a permanent not a finding.
<description>
This requirement is a permanent not a finding. No fix is required.
</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
<ref disa="130,157,131,132,133,134,135,159,174" />
</Rule>
@@ -64,6 +68,8 @@ compliance. This is a permanent not a finding.
<description>
This requirement is a permanent not a finding. No fix is required.
</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
<ref
disa="34,35,99,154,226,802,872,1086,1087,1089,1091,1424,1426,1428,1209,1214,1237,1269,1338,1425,1670"
/>
</Rule>
@@ -91,6 +97,8 @@ application, policy, or service. This requirement is NA.
<description>
This requirement is NA. No fix is required.
</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
<ref
disa="21,25,28,29,30,165,221,354,553,779,780,781,1009,1094,1123,1124,1125,1132,1135,1140,1141,1142,1143,1145,1147,1148,1166,1339,1340,1341,1350,1356,1373,1374,1383,1391,1392,1395,1662"
/>
</Rule>
@@ -134,6 +142,8 @@ application, policy, or service. This requirement is NA.
<description>
This requirement is NA. No fix is required.
</description>
+<!-- Note: This XCCDF rule is used to group DISA requirements. As such,
+ it should not have CCE association -->
<ref
disa="15,27,218,219,371,372,535,537,539,1682,370,37,24,1112,1126,1143,1149,1157,1159,1210,1211,1274,1372,1376,1377,1352,1401,1555,1556,1150"
/>
</Rule>
@@ -157,6 +167,7 @@ process, by running the yum program through a cron job or
by managing the
system and its packages through the Red Hat Network or a Satellite Server.
</description>
<ref disa="1232" />
+<!-- Note: This is a process, as such, will not receive a CCE -->
</Rule>
</Group>
diff --git a/RHEL6/input/services/avahi.xml b/RHEL6/input/services/avahi.xml
index acdc23a..f462149 100644
--- a/RHEL6/input/services/avahi.xml
+++ b/RHEL6/input/services/avahi.xml
@@ -53,6 +53,7 @@ Similarly, if you are using only IPv6, disable IPv4 sockets
with the line:
<pre>use-ipv4=no</pre>
</description>
<ref nist="CM-7" />
+<ident cce="27590-9" />
</Rule>
<Rule id="avahi_check_ttl">
@@ -72,6 +73,7 @@ the local network at all, this option provides another check
to ensure they
are not permitted.
</rationale>
<ref nist="CM-7" />
+<ident cce="27340-9" />
</Rule>
<Rule id="avahi_prevent_port_sharing">
@@ -85,6 +87,7 @@ and ensure the following line appears in the
<tt>[server]</tt> section:
This helps ensure that only Avahi is responsible for mDNS traffic coming from
that port on the system.
</rationale>
+<ident cce="27308-6" />
<ref nist="CM-7" />
</Rule>
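Review bot: The new `<ident cce="27308-6" />` is placed before the `<ref nist="CM-7" />` here, whereas the other avahi rules touched in this patch put the ident after the ref; the file would read more consistently with one ordering, e.g. moving the ident below the `<ref>` line as in the `avahi_check_ttl` hunk. This is purely a style point; the generated XCCDF should be the same either way, though I have not verified the transform. The `avahi_prevent_port_sharing` rule starts outside this hunk.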
@@ -100,6 +103,7 @@ This helps ensure that only Avahi is responsible for mDNS
traffic coming from
that port on the system.
</rationale>
<ref nist="CM-7" />
+<ident cce="27526-3" />
</Rule>
<Rule id="avahi_restrict_published_information">
@@ -128,6 +132,7 @@ disable-publishing. Alternatively, these can be used to
restrict
the types of published information in the event that some information
must be published.
</rationale>
+<ident cce="27300-3" />
<ref nist="CM-7" />
</Rule>
</Group>
diff --git a/RHEL6/input/services/cron.xml b/RHEL6/input/services/cron.xml
index 1f50d93..983d9ed 100644
--- a/RHEL6/input/services/cron.xml
+++ b/RHEL6/input/services/cron.xml
@@ -36,6 +36,7 @@ that <tt>cron</tt> jobs are scheduled to run. On systems
which do not require th
additional functionality, <tt>anacron</tt> could needlessly increase the
possible
attack surface for an intruder.</description>
<ref nist="CM-7" />
+<ident cce="27158-5" />
</Rule>
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml
index 3e10347..cee3ee1 100644
--- a/RHEL6/input/services/dns.xml
+++ b/RHEL6/input/services/dns.xml
@@ -218,6 +218,7 @@ or if you have only one nameserver, it may be possible to
use an external
configuration management mechanism to distribute zone updates. In that case, it
is not necessary to allow zone transfers within BIND itself, so they should be
disabled to avoid the potential for abuse.</rationale>
+<ident cce="27528-9" />
</Rule>
<Rule id="dns_server_authenticate_zone_transfers">
@@ -273,6 +274,7 @@ obtained and inserted into named.conf on the primary and
secondary servers, the
key files Kdns.example.com .+NNN +MMMMM .key and Kdns.example.com .+NNN +MMMMM
.private are no longer needed, and may safely be deleted.</warning>
<ref nist="CM-7" />
+<ident cce="27496-9" />
</Rule>
<Rule id="dns_server_disable_dynamic_updates">
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml
index 361f7dc..ef3ad28 100644
--- a/RHEL6/input/services/ftp.xml
+++ b/RHEL6/input/services/ftp.xml
@@ -189,6 +189,7 @@ be used to verify that this directory is on its own
partition.</description>
these users from filling a disk used by other services.</rationale>
<!--<oval id="ftp_home_partition" />-->
<!--<ref nist="CM-7" /> -->
+<ident cce="27411-8" />
</Rule>
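Review bot: A CCE is assigned to this ftp rule while both its `<oval id="ftp_home_partition" />` and `<ref nist="CM-7" />` remain commented out, so the rule now carries a configuration identifier but still has no automated check and no control mapping. If the OVAL definition exists, this is the moment to restore the `<oval>` line; if it does not, a comment such as `<!-- no OVAL yet: manual check -->` next to the ident would tell the next reader the gap is known. The rule's opening tag is outside this hunk, so I cannot tell whether it is marked as a manual rule elsewhere.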
<Group id="ftp_configure_firewall">
diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml
index 1624deb..c6861c0 100644
--- a/RHEL6/input/services/http.xml
+++ b/RHEL6/input/services/http.xml
@@ -117,6 +117,7 @@ Information disclosed to clients about the configuration of
the web server and s
to plan an attack on the given system. This information disclosure should be
restricted to a minimum.
</rationale>
<ref nist="CM-7" />
+<ident cce="27425-8" />
</Rule>
<Rule id="httpd_serversignature_off">
@@ -132,6 +133,7 @@ Add or correct the following directive in
<tt>/etc/httpd/conf/httpd.conf</tt>:
Information disclosed to clients about the configuration of the web server and
system could be used
to plan an attack on the given system. This information disclosure should be
restricted to a minimum.
</rationale>
+<ident cce="27586-7" />
<ref nist="CM-7" />
</Rule>
@@ -216,6 +218,7 @@ If this functionality is unnecessary, comment out the
related module:
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27553-7" />
</Rule>
<Rule id="httpd_mod_rewrite">
@@ -231,6 +234,7 @@ unnecessary, comment out the related module:
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27570-1" />
</Rule>
<Rule id="httpd_ldap_support">
@@ -246,6 +250,7 @@ If LDAP is to be used, SSL encryption should be used as
well.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27395-3" />
</Rule>
<Rule id="httpd_server_side_includes">
@@ -264,6 +269,7 @@ supplied data should be encoded to prevent cross-site
scripting vulnerabilities.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27558-6" />
</Rule>
<Rule id="httpd_mime_magic">
@@ -277,6 +283,7 @@ is likely extraneous. If its functionality is unnecessary,
comment out the relat
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27541-2" />
</Rule>
<Rule id="httpd_webdav">
@@ -295,6 +302,7 @@ server that is DAV enabled should be protected by access
controls.
Minimizing the number of loadable modules available to the web server, reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27329-2" />
</Rule>
<Rule id="httpd_server_activity_status">
@@ -312,6 +320,7 @@ configuration.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27468-8" />
</Rule>
<Rule id="httpd_server_configuration_display">
@@ -328,6 +337,7 @@ an access control list to restrict access to the
information.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27507-3" />
</Rule>
<Rule id="httpd_url_correction">
@@ -342,6 +352,7 @@ This functionality weakens server security by making site
enumeration easier.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27276-5" />
</Rule>
<Rule id="httpd_proxy_support">
@@ -364,6 +375,7 @@ are a security risk. <tt>mod_proxy_balancer</tt> enables
load balancing, but req
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27442-3" />
</Rule>
<Rule id="httpd_cache_support">
@@ -382,6 +394,7 @@ If caching is required, it should not be enabled for any
limited-access content.
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="26859-9" />
</Rule>
<Rule id="httpd_cgi_support">
@@ -405,6 +418,7 @@ CGI scripts to run as a specified user/group instead of as
the server's user/gro
Minimizing the number of loadable modules available to the web server reduces
risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27362-3" />
</Rule>
<Group id="httpd_optional_components">
@@ -481,6 +495,7 @@ The <tt>httpd</tt> root directory should always have the
most restrictive config
The Web Server's root directory content should be protected from unauthorized
access
by web clients.
</rationale>
+<ident cce="27009-0" />
</Rule>
<Rule id="httpd_restrict_web_directory">
@@ -504,6 +519,7 @@ Ensure that this policy is adhered to by altering the
related section of the con
Access to the web server's directory hierarchy could allow access to
unauthorized files
by web clients. Following symbolic links could also allow such access.
</rationale>
+<ident cce="27574-3" />
</Rule>
<Rule id="httpd_restrict_critical_directories">
@@ -518,6 +534,7 @@ should be used to deny access by default, allowing access
only where necessary.
Directories accessible from a web client should be configured with the least
amount of
access possible in order to avoid unauthorized access to restricted content or
server information.
</rationale>
+<ident cce="27565-1" />
</Rule>
<Rule id="httpd_limit_available_methods">
@@ -542,6 +559,7 @@ are limited to the WebDAV protocol.
Minimizing the number of available methods to the web client reduces risk
by limiting the capabilities allowed by the web server.
</rationale>
+<ident cce="27581-8" />
</Rule>
</Group> <!-- <Group id="httpd_directory_restrictions"> -->
@@ -715,6 +733,7 @@ Access to the web server's configuration files may allow an
unauthorized user or
to access information about the web server or alter the server's configuration
files.
</rationale>
<oval id="dir_perms_etc_httpd_conf" />
+<ident cce="27487-8" />
</Rule>
<Rule id="httpd_conf_files_permissions">
@@ -729,6 +748,7 @@ to access information about the web server or to alter the
server's configuratio
</rationale>
<oval id="file_permissions_httpd_server_conf_files" />
<ref nist="CM-7" />
+<ident cce="27316-9" />
</Rule>
</Group> <!-- <Group id="httpd_restrict_file_dir_access"> -->
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml
index 5f8ee57..9f4864f 100644
--- a/RHEL6/input/services/mail.xml
+++ b/RHEL6/input/services/mail.xml
@@ -161,6 +161,7 @@ variant is supported.
</rationale>
<oval id="postfix_server_banner" />
<ref nist="AC-22, AU-13" />
+<ident cce="27508-1" />
</Rule>
<Group id="postfix_server_denial_of_service">
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml
index 9e40e4e..4df7064 100644
--- a/RHEL6/input/services/nfs.xml
+++ b/RHEL6/input/services/nfs.xml
@@ -213,6 +213,7 @@ anongid=-1
</pre>
</description>
<rationale>Specifying the anonymous UID and GID as -1 ensures that the remote
root user is mapped to a local account which has no permissions on the
system.</rationale>
+<ident cce="27414-2" />
</Rule>
<Rule id="service_nfs_disabled">
diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml
index ee6e6c2..d5d0c3b 100644
--- a/RHEL6/input/services/ntp.xml
+++ b/RHEL6/input/services/ntp.xml
@@ -78,7 +78,6 @@ real time events.
<tested by="DS" on="20121024"/>
</Rule>
-
<Rule id="ntpd_specify_multiple_servers">
<title>Specify Additional Remote NTP Servers</title>
<description>Additional NTP servers can be specified for time synchronization
@@ -92,6 +91,7 @@ accurate time data, in the event that one of the specified
servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
</rationale>
+<ident cce="26958-9" />
<ref nist="AU-8(1)" />
</Rule>
diff --git a/RHEL6/input/services/smb.xml b/RHEL6/input/services/smb.xml
index f211170..b6a2a6f 100644
--- a/RHEL6/input/services/smb.xml
+++ b/RHEL6/input/services/smb.xml
@@ -93,6 +93,7 @@ machine accounts and shares. Domain member servers and
standalone servers may
not need administrator access at all. If that is the case, add the invalid
users parameter to <tt>[global]</tt> instead.
</rationale>
+<ident cce="27533-9" />
</Rule>
<Rule id="require_smb_client_signing">
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 07cdee0..69b3f12 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -98,7 +98,7 @@ Where <tt>USER1</tt> and <tt>USER2</tt> are valid user names.
Specifying which accounts are allowed SSH access into the system reduces the
possibility of unauthorized access to the system.
</rationale>
-<!-- <ident cce="27072-8" /> -->
+<ident cce="27556-0" />
<!-- <oval id="sshd_limit_user_access" /> -->
</Rule>
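Review bot: The previously reserved CCE `27072-8` is replaced by `27556-0` without any note on why the old identifier was dropped, and the rule's `<oval id="sshd_limit_user_access" />` stays commented out, so the rule gets an identifier but still no automated check. If `27072-8` was already published for this rule, retiring it silently breaks the stability CCEs are meant to provide; a short comment like `<!-- 27072-8 superseded by 27556-0: <reason> -->` would record the decision. I cannot see the CCE allocation list from here, so this may be intentional. The rule begins outside this hunk.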
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml
b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 547c712..b92469f 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -51,6 +51,7 @@ authentication to privileged accounts. Users will first
login, then escalate
to privileged (root) access via su / sudo. This is required for FISMA Low
and FISMA Moderate systems.
</rationale>
+<ident cce="26891-2" />
<ref nist="IA-2(1)" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -123,6 +124,7 @@ If a browser vulnerability is exploited while running with
administrative privil
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
</rationale>
+<ident cce="26795-5" />
</Rule>
<Rule id="no_shelllogin_for_systemaccounts" severity="medium">
@@ -210,6 +212,7 @@ other than a slash (/).
The root account's executable search path must be the vendor default, and must
contain only absolute paths.
</rationale>
+<ident cce="27125-4" />
<tested by="DS" on="20121024"/>
</Rule>
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index e1bd4dc..2777db1 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -435,6 +435,7 @@ records to a centralized server for management directly.
It does, however,
include an audit event multiplexor plugin (audispd) to pass audit records
to the local syslog server</rationale>
<ref nist="AU-1(b),AU-3(2),IR-5" disa="136" />
+<ident cce="26933-2" />
</Rule>
</Group>
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml
index 1f88fa4..0e4dec9 100644
--- a/RHEL6/input/system/logging.xml
+++ b/RHEL6/input/system/logging.xml
@@ -429,5 +429,6 @@ If so:
If no logserver exists, it will be necessary for each machine to run Logwatch
individually. Using a central
logserver provides the security and reliability benefits discussed earlier,
and also makes monitoring logs easier
and less time-intensive for administrators.</description>
+<ident cce="27162-7" />
</Rule>
</Group>
diff --git a/RHEL6/input/system/network/ipv6.xml
b/RHEL6/input/system/network/ipv6.xml
index 8a7a82c..22f496e 100644
--- a/RHEL6/input/system/network/ipv6.xml
+++ b/RHEL6/input/system/network/ipv6.xml
@@ -57,6 +57,7 @@ the vulnerability to exploitation.
<pre>NETWORKING_IPV6=no
IPV6INIT=no</pre>
</description>
+<ident cce="27161-9" />
</Rule>
<Rule id="network_ipv6_disable_rpc">
diff --git a/RHEL6/input/system/permissions/execution.xml
b/RHEL6/input/system/permissions/execution.xml
index 9ce2f86..7e9043b 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -196,6 +196,7 @@ on AMD-based systems.</description>
<rationale>Computers with the ability to prevent this type of code execution
frequently put an option in the BIOS that will
allow users to turn the feature on or off at will.</rationale>
<ref nist="" />
+<ident cce="27163-5" />
</Rule>
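Review bot: The new ident sits directly under an empty `<ref nist="" />`, which adds a CCE to a rule whose control mapping is a blank attribute; downstream tooling that emits NIST references will produce an empty reference for this rule. Either fill in the applicable control or drop the empty element, e.g. replace `<ref nist="" />` with a concrete mapping or remove it. I am not asserting which control applies; that needs the benchmark owner's call. The enclosing rule starts before this hunk.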
</Group> <!--<Group id="enable_nx"> -->
diff --git a/RHEL6/input/system/permissions/mounting.xml
b/RHEL6/input/system/permissions/mounting.xml
index 42c7318..038aab5 100644
--- a/RHEL6/input/system/permissions/mounting.xml
+++ b/RHEL6/input/system/permissions/mounting.xml
@@ -62,6 +62,7 @@ systems) to disallow booting from USB drives.
circumvent any security measures provided by the operating system. Attackers
could mount partitions and modify the configuration of the OS.</rationale>
<ref nist="AC-19(a),AC-19(d),AC-19(e)" disa="1250" />
+<ident cce="26923-3" />
</Rule>
<Rule id="bios_assign_password">
@@ -77,6 +78,7 @@ a data center or Sensitive Compartmented Information Facility
(SCIF), this risk
against the risk of administrative personnel being unable to conduct recovery
operations in
a timely fashion.
</rationale>
+<ident cce="27131-2" />
</Rule>
<Rule id="service_autofs_disabled">
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index a424b1a..d9615a3 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
@@ -188,6 +188,7 @@ Daemons which run with the <tt>initrc_t</tt> context may
cause AVC denials,
or allow privileges that the daemon does not require.
</rationale>
<ref nist="AC-6,AU-9,CM-7" />
+<ident cce="27111-4" />
</Rule>
<Rule id="selinux_all_devicefiles_labeled">
diff --git a/RHEL6/input/system/software/integrity.xml
b/RHEL6/input/system/software/integrity.xml
index c7879ae..b180f3a 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -80,6 +80,7 @@ If this check produces any unexpected output, investigate.
For AIDE to be effective, an initial database of "known-good" information
about files
must be captured and it should be able to be verified against the installed
files.
</rationale>
+<ident cce="27135-3" />
<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" />
</Rule>
diff --git a/RHEL6/utils/verify-cce.py b/RHEL6/utils/verify-cce.py
index b43e29b..52b4bc6 100755
--- a/RHEL6/utils/verify-cce.py
+++ b/RHEL6/utils/verify-cce.py
@@ -43,6 +43,8 @@ for rule in tree.findall("//{%s}Rule" % xccdf_ns):
items = rule.findall("{%s}ident[@system='http://cce.mitre.org']" %
xccdf_ns)
if len(items) > 1:
print "Rule with multiple CCEs assigned: %s" % rule.get("id")
+ if len(items) == 0:
+ print "Rule without CCE: %s" % rule.get("id")
for item in items:
if item.text not in granted_ids:
print "Invalid CCE: %s in %s" % (item.text,
rule.get("id"))
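Review bot: The new `len(items) == 0` branch will flag every srg_support grouping rule on each run, because this same patch documents those rules as intentionally CCE-less only in an XML comment the script cannot read, and the script still exits 0 so the report cannot gate a build. Consider an explicit exemption set and a failure flag: `elif not items and rule.get("id") not in CCE_EXEMPT: print "Rule without CCE: %s" % rule.get("id"); errors = True`, with `sys.exit(1 if errors else 0)` after the loop. The two branches are mutually exclusive, so `elif` (with `not items`) also reads better than a second `if` on `len(items)`. The `for rule in tree.findall(...)` loop starts before this hunk, so the flag and exemption set would be introduced outside it.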
--
1.7.1