>From 93c739986cf96085fabe0a77a8798f06b7aa53e4 Mon Sep 17 00:00:00 2001 From: Shawn Wells <sh...@redhat.com> Date: Sun, 13 Apr 2014 01:21:24 -0400 Subject: [PATCH 07/26] New Rule: package_mcstrans_removed
Added into RHEL6 to provide coverage for CIS/C2S requirements.
---
 RHEL/6/input/checks/package_mcstrans_removed.xml | 26 ++++++++++++++++++++
 RHEL/6/input/checks/templates/packages_removed.csv | 1 +
 RHEL/6/input/system/selinux.xml | 16 ++++++++++++
 3 files changed, 43 insertions(+), 0 deletions(-)
 create mode 100644 RHEL/6/input/checks/package_mcstrans_removed.xml

diff --git a/RHEL/6/input/checks/package_mcstrans_removed.xml b/RHEL/6/input/checks/package_mcstrans_removed.xml
new file mode 100644
index 0000000..42ed538
--- /dev/null
+++ b/RHEL/6/input/checks/package_mcstrans_removed.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
+ <definition class="compliance" id="package_mcstrans_removed"
+ version="1">
+ <metadata>
+ <title>Package mcstrans Removed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The RPM package mcstrans should be removed.</description>
+ <reference source="swells" ref_id="20130829" ref_url="test_attestation"/>
+ </metadata>
+ <criteria>
+ <criterion comment="package mcstrans is removed"
+ test_ref="test_package_mcstrans_removed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="none_exist"
+ id="test_package_mcstrans_removed" version="1"
+ comment="package mcstrans is removed">
+ <linux:object object_ref="obj_package_mcstrans_removed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_mcstrans_removed" version="1">
+ <linux:name>mcstrans</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/RHEL/6/input/checks/templates/packages_removed.csv b/RHEL/6/input/checks/templates/packages_removed.csv
index 14aff93..fe2df22 100644
--- a/RHEL/6/input/checks/templates/packages_removed.csv
+++ b/RHEL/6/input/checks/templates/packages_removed.csv
@@ -13,6 +13,7 @@ httpd
 iputils
 kexec-tools
 libcgroup
+mcstrans
 mdadm
 net-snmp
 nfs-utils
diff --git a/RHEL/6/input/system/selinux.xml b/RHEL/6/input/system/selinux.xml
index dc1205e..9d7ed81 100644
--- a/RHEL/6/input/system/selinux.xml
+++ b/RHEL/6/input/system/selinux.xml
@@ -147,6 +147,22 @@ have running on a server</rationale>
 <oval id="package_setroubleshoot_removed" />
 </Rule>
+<Rule id="package_mcstrans_removed">
+<title>Remove MCS Translation Service (mcstrans)</title>
+<description>The <tt>mcstransd</tt> daemon provides category label information
+to client processes requesting information. The label translations are defined
+in <tt>/etc/selinux/targeted/setrans.conf</tt>.
+<package-remove-macro package="mcstrans" />
+</description>
+<rationale>Since this service is not used very often, disable it to reduce the
+amount of potentially vulnerable code running on the system.
+
+NOTE: This rule was added in support of the CIS RHEL6 v1.2.0 benchmark. Please
+note that Red Hat does not feel this rule is security relevant.
+</rationale>
+<ident cce="" />
+<oval id="package_mcstrans_removed" />
+</Rule>
 <Rule id="selinux_confinement_of_daemons" severity="medium">
 <title>Ensure No Daemons are Unconfined by SELinux</title>
-- 
1.7.1
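Review bot: The new `<Rule id="package_mcstrans_removed">` at the top of the selinux.xml hunk carries no `severity` attribute, while the adjacent context line `<Rule id="selinux_confinement_of_daemons" severity="medium">` does; unless the project deliberately omits severity on CIS-only rules, it should get one, e.g. `<Rule id="package_mcstrans_removed" severity="low">`, which would also match the rationale's own statement that the rule is not considered security relevant. The rationale's wording "disable it" does not match what is enforced: both `<package-remove-macro package="mcstrans" />` and the `package_mcstrans_removed` OVAL check verify that the package is absent, so `remove it to reduce the` reads correctly. `<ident cce="" />` is an empty identifier; if no CCE has been assigned yet, an XML comment saying so next to it would keep the blank from reading as an oversight. Since the description itself points at `/etc/selinux/targeted/setrans.conf` and says the daemon serves label information to requesting clients, a short applicability note in the description ("deployments that depend on translated MCS/MLS labels should evaluate this rule before applying it") would help operators, as the rule as written gives no such caveat.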