>From 02820ba315e1a947c9a9de6053d294d03bf3e534 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sun, 13 Apr 2014 01:12:31 -0400 Subject: [PATCH 05/15] New RHEL6 Rule: package_setroubleshoot_removed
Added to support CIS baseline requirements. --- .../checks/package_setroubleshoot_removed.xml | 26 ++++++++++++++++++++ RHEL/6/input/checks/templates/packages_removed.csv | 1 + RHEL/6/input/system/selinux.xml | 13 ++++++++++ 3 files changed, 40 insertions(+), 0 deletions(-) create mode 100644 RHEL/6/input/checks/package_setroubleshoot_removed.xml diff --git a/RHEL/6/input/checks/package_setroubleshoot_removed.xml b/RHEL/6/input/checks/package_setroubleshoot_removed.xml new file mode 100644 index 0000000..e3994b5 --- /dev/null +++ b/RHEL/6/input/checks/package_setroubleshoot_removed.xml @@ -0,0 +1,26 @@ +<def-group> + <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> + <definition class="compliance" id="package_setroubleshoot_removed" + version="1"> + <metadata> + <title>Package setroubleshoot Removed</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The RPM package setroubleshoot should be removed.</description> + <reference source="swells" ref_id="20130829" ref_url="test_attestation"/> + </metadata> + <criteria> + <criterion comment="package setroubleshoot is removed" + test_ref="test_package_setroubleshoot_removed" /> + </criteria> + </definition> + <linux:rpminfo_test check="all" check_existence="none_exist" + id="test_package_setroubleshoot_removed" version="1" + comment="package setroubleshoot is removed"> + <linux:object object_ref="obj_package_setroubleshoot_removed" /> + </linux:rpminfo_test> + <linux:rpminfo_object id="obj_package_setroubleshoot_removed" version="1"> + <linux:name>setroubleshoot</linux:name> + </linux:rpminfo_object> +</def-group> diff --git a/RHEL/6/input/checks/templates/packages_removed.csv b/RHEL/6/input/checks/templates/packages_removed.csv index 02d786f..14aff93 100644 --- a/RHEL/6/input/checks/templates/packages_removed.csv +++ b/RHEL/6/input/checks/templates/packages_removed.csv 
@@ -27,6 +27,7 @@ rhnsd rsh-server samba-common sendmail +setroubleshoot smartmontools squid subscription-manager diff --git a/RHEL/6/input/system/selinux.xml b/RHEL/6/input/system/selinux.xml index e1b6c5d..17a0e79 100644 --- a/RHEL/6/input/system/selinux.xml +++ b/RHEL/6/input/system/selinux.xml @@ -134,6 +134,19 @@ of file contexts created by some programs.</rationale> <ref nist="AC-3,AC-3(3),AC-4,AC-6,AU-9" /> </Rule> +<Rule id="package_setroubleshoot_removed"> +<title>Remove SETroubleshoo</title> +<description>The SETroubleshoot service notifies desktop users of SELinux +denials. The service provides information around configuration errors, +unauthorized intrusions, and other potential errors. +<package-remove-macro package="setroubleshoot" /> +</description> +<rationale>The SETroubleshoot service is an unnecessary daemon to +have running on a server</rationale> +<ident cce="" /> +<oval id="package_setroubleshoot_removed" /> +</Rule> + <Rule id="selinux_confinement_of_daemons" severity="medium"> <title>Ensure No Daemons are Unconfined by SELinux</title> -- 1.7.1
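Review bot: The added `package_setroubleshoot_removed` rule in selinux.xml has a truncated title, `Remove SETroubleshoo`, which should read `<title>Remove SETroubleshoot</title>`. Unlike the neighbouring `selinux_confinement_of_daemons` rule it has no `severity` attribute, and it has no `<ref>` element and an empty `<ident cce="" />`, so nothing in the rule traces back to the CIS requirement the commit message cites; add the severity and reference once the identifiers are known. The rationale talks about a daemon, while the check only tests for the `setroubleshoot` package; on RHEL 6 the daemon itself appears to ship in `setroubleshoot-server`, so confirm that removing `setroubleshoot` alone meets the intent. A sentence in the description noting that SELinux denials are still recorded in the audit log after removal would help administrators who currently rely on the desktop alerts.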
