From 03e874118dcb54f48f2a92609d091d6650ca671a Mon Sep 17 00:00:00 2001 From: Jan Lieskovsky <[email protected]> Date: Thu, 22 May 2014 18:54:17 +0200 Subject: [PATCH 3/3] [RHEL/6] Fix couple of XML syntax errors in files: * src/input/profiles/nist-CL-IL-AL.xml * RHEL/6/input/auxiliary/nist_support.xml as reported by the verify-input-sanity.py script (the other two files it currently reports are red herrings)
Signed-off-by: Jan Lieskovsky <[email protected]>
---
 RHEL/6/input/auxiliary/nist_support.xml | 10 +-
 RHEL/6/input/profiles/nist-CL-IL-AL.xml | 467 ++++++++++++++++----------------
 2 files changed, 237 insertions(+), 240 deletions(-)
diff --git a/RHEL/6/input/auxiliary/nist_support.xml b/RHEL/6/input/auxiliary/nist_support.xml
index c7a4f1c..4c1b700 100644
--- a/RHEL/6/input/auxiliary/nist_support.xml
+++ b/RHEL/6/input/auxiliary/nist_support.xml
@@ -8,20 +8,19 @@ not clearly relate.
 <Rule id="nist_procedural_requirement">
 <title>Procedural Requirement</title>
-<rational>This requirement is procedural, and can not be met through
-automated means.</rational>
+<rationale>This requirement is procedural, and can not be met through
+automated means.</rationale>
 <ocil>TBD</ocil>
 <description>This requirement is procedural, and can not be met through automated means.</description>
-</description>
 <ref nist="AC-1,AC-2(a),AC-2(b),AC-2(c),AC-2(d),AC-2(e),AC-2(f),AC-2(g),AC-2(h),AC-2(i),AC-2(j),AC-2(7)(a),AC-5,AC-6(1),AC-8(b),AC-11(b),AC-17(a),AC-17(b),AC-17(4),AC-17(5),AC-17(6),AC-19(b),AC-19(1),AC-19(2),AC-19(3),AC-19(4)(a),AC-19(4)(b),AC-20(a),AC-20(b),AC-20(1)(a),AC-20(1)(b),AC-20(2),AC-21(a),AC-21(b),AC-22(a),AC-22(b),AC-22(c),AC-22(d),AC-22(e),AU-2(b),AU-6(a),AU-6(b),AU-6(3),CA-1(a),CA-1(b),CA-2(a),CA-2(b),CA-2(c),CA-2(d),CA-2(1),CA-2(2),CA-3(a),CA-3(b),CA-3(1),CA-3(2),CA-5(a),CA-5(b),CA-6(a),CA-6(b),CA-6(c),CM-3(a),CM-3(b),CM-3(c),CM-3(d),CM-3(e),CM-3(f),CM-3(4),CM-7(3),IA-1(a),IA-1(b)" />
 </Rule>
 <Rule id="nist_not_OS_applicable">
 <title>Not Applicable to Operating System</title>
-<rationale>This requirement is not applicable to an operating system.</rational>
+<rationale>This requirement is not applicable to an operating system.</rationale>
 <description>While this requirement is applicable at an information system level, implementation
-is not performed within the Operating System.</rational>
+is not performed within the Operating System.</description>
 <ref nist="AC-2(1),AC-7(a),PM-11,PM-10,PM-9,PM-8,PM-7,PM-6,PM-5,PM-4,PM-3,PM-2,PM-1,AC-17(3),AC-18(a),AC-18(b),AC-18(5),AC-21(1),CP-10(2),AT-1(a),AT-1(b),AT-2,AT-3,AT-3(2),AT-4(a),AT-4(b),AT-2,AT-2(1),AT-3,AT-3(1),AT-3(2),AT-5,AU-1(a),AU-1(b),AU-2(3),AU-6(1),AU-6(3),AU-7,AU-7(1),CA-7(a),CA-7(b),CA-7(c),CA-7(d),CA-7(1),CA-7(2),CM-1(a),CM-1(b),CM-2,CM-2(1)(a),CM-2(1)(b),CM-2(1)(c),CM-2(2),CM-2(5)(a),CM-2(5)(b),CM-3(2),CM-4,CM-4(2),CM-5,CM-5(2),CM-5(5)(b),CM-6(a),CM-6(b),CM-6(c),CM-6(1),CM-7(1),CM-8(a),CM-8(b),CM-8(c),CM-8(d),CM-8(e),CM-8(1),CM-8(4),CM-8(5),CM-8(6),CM-9(a),CM-9(b),CM-9(c),CP-1(a),CP-1(b),CP-2(a),CP-2(b),CP-2(c),CP-2(d),CP-2(e),CP-2(f),CP-2(1),CP-2(2),CP-3,CP-4(a),CP-4(b),CP-4(1),CP-6,CP-6(1),CP-6(2),CP-7(a),CP-7(b),CP-7(1),CP-7(2),CP-7(3),CP-7(5),CP-8,CP-(8)(1)(a),CP-8(1)(b),CP-8(2),CP-9(a),CP-9(b),CP-9(c),CP-9(d),CP-9(1),CP-9(3),CP-10,CP-10(2),CP-10(3),IA-4(a),IA-4(b),IA-4(c),IA-4(d),IA-4(e),IA-4(4),IA-5(a),IA-5(d),IA-5(3),IA-5(6),IA-5(7),IR-1(a),IR-1(b),IR-2(a),IR-2(b),IR-3,IR-4(a),IR-4(b),IR-4(c),IR-4(1),IR-6,IR-7,IR-7(1),IR-7(2),IR-8(a),IR-8(b),IR-8(c),IR-8(d),IR-8(e),MA-1(a),MA-2(a),MA-2(b),MA-2(c),MA-2(d),MA-2(e),MA-2(1),MA-3,MA-3(1),MA-3(2),MA-3(3),MA-4(a),MA-4(b),SI-1(a),SI-1(b),SI-2(a),SI-2(b),SI-2(c),SI-3(a),SI-3(b),SI-3(c),SI-3(d),SI-3(1),SI-1(2),SI-1(3),SI-4(a),SI-4(b),SI-4(c),SI-4(d),SI-4(e),SI-4(2),SI-4(4),SI-4(5),SI-4(6),SI-5(a),SI-5(b),SI-5(c),SI-5(d)" />
 </Rule>
@@ -54,5 +53,6 @@ scope for this guide.</rationale>
 <description>Implimentation of this requirement is not applicable for a general purpose deployment</description>
 <ref nist="" />
+</Rule>
 </Group>
diff --git a/RHEL/6/input/profiles/nist-CL-IL-AL.xml b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
index 2d1135c..9028d84 100644
--- a/RHEL/6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL/6/input/profiles/nist-CL-IL-AL.xml
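Review bot: The `<ref nist="…">` list of nist_not_OS_applicable, the context line right after the repaired `</description>`, still carries the malformed control identifier `CP-(8)(1)(a)` beside `CP-8(1)(b)`, and verify-input-sanity.py only checks well-formedness, so an identifier like this passes the script and silently drops the mapping from the built guide. The same list repeats `AT-2`, `AT-3`, `AT-3(2)` and `CP-10(2)`, and the `SI-1(2),SI-1(3)` pair that follows `SI-3(1)` looks as if `SI-3(2),SI-3(3)` was intended; each should be checked against the NIST 800-53 catalog before the references are relied upon. In nist_procedural_requirement the new `<rationale>` repeats the `<description>` word for word; one of the two should state why the control cannot be checked automatically rather than restate the other. The Group these Rules belong to starts before the hunk.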
@@ -5,8 +5,8 @@ Systems" on security controls to meet low confidentiality, low integrity, and low assurance."</description>
-<!-- --------------------------------------------------------------------------------- -->
-<!-- --------------------------------------------------------------------------------- -->
+<!-- -->
+<!-- -->
 <!-- The following variables must be configured against organization-defined settings -->
 <!-- AC-2(2): The information system automatically terminates temporary and emergency
@@ -17,26 +17,26 @@ assurance."</description>
 [Assignment: organization-defined time period] -->
 <!-- sdw -->
-<refine-value idref="var_account_disable_post_pw_expiration" selector="40" \>
+<refine-value idref="var_account_disable_post_pw_expiration" selector="40" />
 <!-- AC-3: "Access control policies... and access control mechanisms... are employed by organizations to control access between users... and objects. To meet this, SELinux *must* be enabled and configured against either "targeted" or "mls" mode -->
-<refine-value idref="var_selinux_state" selector="enforcing" \>
-<refine-value idref="var_selinux_policy_name" selector="targeted" \>
+<refine-value idref="var_selinux_state" selector="enforcing" />
+<refine-value idref="var_selinux_policy_name" selector="targeted" />
 <!-- AC-4: TBD -->
-<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="1" \>
+<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="1" />
 <!-- AC-6: Least privilege Optional values for the umask are "022" or "027" -->
-<refine-value idref="var_umask_for_daemons" selector="022" \>
+<refine-value idref="var_umask_for_daemons" selector="022" />
 <!-- AC-7(a): Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during a [Assignment: organization-
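Review bot: The two separator comments are replaced by empty `<!-- -->` comments that carry no information, while the same separators in the @@ -81 hunk are simply deleted, so the file now mixes two treatments of one problem. The original form was rejected because `--` may not appear inside an XML comment; a separator built from another character, e.g. `<!-- ================================================== -->`, keeps the visual sectioning the author wanted and is well-formed. The commit message lists this file as src/input/profiles/nist-CL-IL-AL.xml, whereas the diff touches RHEL/6/input/profiles/nist-CL-IL-AL.xml; the message should name the actual path. The enclosing Profile element starts before the hunk.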
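Review bot: `<refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="1" />` presumably leaves ICMP redirects from known gateways accepted, while the static block in the @@ -81 hunk refines `sysctl_net_ipv4_conf_all_accept_redirects_value` to `0` and `sysctl_net_ipv4_conf_default_secure_redirects_value` to `1`; with the comment above it still reading `AC-4: TBD`, a reader cannot tell whether `1` is a deliberate choice or a placeholder. If redirects are meant to be rejected, both secure_redirects selectors should be `0`; either way the comment should give the rationale instead of `TBD`. The `<!-- sdw -->` line above the first refine-value reads like a leftover author tag rather than documentation and should be expanded or removed. The enclosing Profile element starts before the hunk.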
@@ -52,8 +52,8 @@ assurance."</description>
 - 3600 (1 hour)
 - 86400 (1 day)
 - 100000000 (3.1 years) -->
-<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3" \>
-<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900" \>
+<refine-value idref="var_accounts_passwords_pam_faillock_deny" selector="3" />
+<refine-value idref="var_accounts_passwords_pam_faillock_fail_interval" selector="900" />
 <!-- AC-7(b): Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an
@@ -70,7 +70,7 @@ assurance."</description>
 - 3600 (1 hour)
 - 86400 (1 day)
 - 604800 (7 days) -->
-<refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="900" \>
+<refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="900" />
 <!-- AC-11(a): Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon
@@ -81,20 +81,17 @@ assurance."</description>
 - 5 (minutes)
 - 10 (minutes)
 - 15 (minutes) -->
-<refine-value idref="inactivity_timeout_value" selector="15" \>
+<refine-value idref="inactivity_timeout_value" selector="15" />
-<!-- --------------------------------------------------------------------------------- -->
 <!-- STATIC VARIABLES: DO NOT ALTER -->
-<refine-value idref="login_banner_text" selector="usgcb_default" \>
-<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="0" \>
-<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="0" \>
-<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="1" \>
-<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="1" \>
-<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="1" \>
-<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" selector="1" \>
-
-<!-- --------------------------------------------------------------------------------- -->
+<refine-value idref="login_banner_text" selector="usgcb_default" />
+<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="0" />
+<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="0" />
+<refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="1" />
+<refine-value idref="sysctl_net_ipv4_conf_default_secure_redirects_value" selector="1" />
+<refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="1" />
+<refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" selector="1" />
 <!-- MAYBE
@@ -102,191 +99,191 @@ assurance."</description>
 <!-- AC-2(2), AC-2(3) -->
 <select idref="account_temp_expire_date" selected="true" />
-<select id=ref"account_disable_post_pw_expiration" selected="true" \>
+<select idref="account_disable_post_pw_expiration" selected="true" />
 <!-- AC-2(4) -->
-<select idref="audit_account_changes" selected="true" \>
+<select idref="audit_account_changes" selected="true" />
 <!-- AC-2(7)(b) -->
-<select idref="audit_sysadmin_action" selected="true" \>
+<select idref="audit_sysadmin_action" selected="true" />
 <!-- AC-3 -->
-<select idref="sshd_use_approved_ciphers" selected="true" \>
-<select idref="enable_selinux_bootloader" selected="true" \>
-<select idref="selinux_state" selected="true" \>
-<select idref="selinux_policytype" selected="true" \>
-<select idref="service_restorecond_enabled" selected="true" \>
+<select idref="sshd_use_approved_ciphers" selected="true" />
+<select idref="enable_selinux_bootloader" selected="true" />
+<select idref="selinux_state" selected="true" />
+<select idref="selinux_policytype" selected="true" />
+<select idref="service_restorecond_enabled" selected="true" />
 <!-- AC-4 -->
-<select idref="service_rdisc_disabled" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true" \>
-<select idref"sysctl_net_ipv4_conf_default_rp_filter" selected="true" \>
-<select idref="service_ip6tables_enabled" selected="true" \>
-<select idref="service_iptables_enabled" selected="true" \>
+<select idref="service_rdisc_disabled" selected="true" />
+<select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true" />
+<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true" />
+<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true" />
+<select idref="service_ip6tables_enabled" selected="true" />
+<select idref="service_iptables_enabled" selected="true" />
 <!-- AC-6 -->
-<select idref="audit_config_immutable" selected="true" \>
-<select idref="service_oddjobd_disabled" selected="true" \>
-<select idref="rpm_verify_permissions" selected="true" \>
-<select idref="file_permissions_var_log_audit" selected="true" \>
-<select idref="audit_logs_rootowner" selected="true" \>
-<select idref="userowner_shadow_file" selected="true" \>
-<select idref="groupowner_shadow_file" selected="true" \>
-<select idref="file_permissions_etc_shadow" selected="true" \>
-<select idref="file_owner_etc_group" selected="true" \>
-<select idref="file_groupowner_etc_group" selected="true" \>
-<select idref="file_permissions_etc_group" selected="true" \>
-<select idref="file_owner_etc_gshadow" selected="true" \>
-<select idref="file_groupowner_etc_gshadow" selected="true" \>
-<select idref="file_permissions_etc_gshadow" selected="true" \>
-<select idref="file_owner_etc_passwd" selected="true" \>
-<select idref="file_groupowner_etc_passwd" selected="true" \>
-<select idref="file_permissions_etc_passwd" selected="true" \>
-<select idref="selinux_confinement_of_daemons" selected="true" \>
-<select idref="permissions_within_important_dirs" selected="true" \>
-<select idref="file_ownership_library_dirs" selected="true" \>
-<select idref="file_permissions_binary_dirs" selected="true" \>
-<select idref="file_ownership_binary_dirs" selected="true" \>
-<select idref="sticky_world_writable_dirs" selected="true" \>
-<select idref="world_writeable_files" selected="true" \>
-<select idref="no_files_unowned_by_user" selected="true" \>
-<select idref="no_files_unowned_by_group" selected="true" \>
-<select idref="world_writable_files_system_ownership" selected="true" \>
-<select idref="umask_for_daemons" selected="true" \>
-<select idref="accounts_no_uid_except_zero" selected="true" \>
-<select idref="userowner_rsyslog_files" selected="true" \>
-<select idref="groupowner_rsyslog_files" selected="true" \>
+<select idref="audit_config_immutable" selected="true" />
+<select idref="service_oddjobd_disabled" selected="true" />
+<select idref="rpm_verify_permissions" selected="true" />
+<select idref="file_permissions_var_log_audit" selected="true" />
+<select idref="audit_logs_rootowner" selected="true" />
+<select idref="userowner_shadow_file" selected="true" />
+<select idref="groupowner_shadow_file" selected="true" />
+<select idref="file_permissions_etc_shadow" selected="true" />
+<select idref="file_owner_etc_group" selected="true" />
+<select idref="file_groupowner_etc_group" selected="true" />
+<select idref="file_permissions_etc_group" selected="true" />
+<select idref="file_owner_etc_gshadow" selected="true" />
+<select idref="file_groupowner_etc_gshadow" selected="true" />
+<select idref="file_permissions_etc_gshadow" selected="true" />
+<select idref="file_owner_etc_passwd" selected="true" />
+<select idref="file_groupowner_etc_passwd" selected="true" />
+<select idref="file_permissions_etc_passwd" selected="true" />
+<select idref="selinux_confinement_of_daemons" selected="true" />
+<select idref="permissions_within_important_dirs" selected="true" />
+<select idref="file_ownership_library_dirs" selected="true" />
+<select idref="file_permissions_binary_dirs" selected="true" />
+<select idref="file_ownership_binary_dirs" selected="true" />
+<select idref="sticky_world_writable_dirs" selected="true" />
+<select idref="world_writeable_files" selected="true" />
+<select idref="no_files_unowned_by_user" selected="true" />
+<select idref="no_files_unowned_by_group" selected="true" />
+<select idref="world_writable_files_system_ownership" selected="true" />
+<select idref="umask_for_daemons" selected="true" />
+<select idref="accounts_no_uid_except_zero" selected="true" />
+<select idref="userowner_rsyslog_files" selected="true" />
+<select idref="groupowner_rsyslog_files" selected="true" />
 <!-- AC-6(2) -->
-<select idref="securetty_root_login_console_only" selected="true" \>
-<select idref="restrict_serial_port_logins" selected="true" \>
-<select idref="sshd_disable_root_login" selected="true" \>
+<select idref="securetty_root_login_console_only" selected="true" />
+<select idref="restrict_serial_port_logins" selected="true" />
+<select idref="sshd_disable_root_login" selected="true" />
 <!-- AC-7(a) -->
-<select idref="accounts_passwords_pam_faillock_deny" selected="true" \>
-<select idref="accounts_passwords_pam_fail_interval" selected="true" \>
+<select idref="accounts_passwords_pam_faillock_deny" selected="true" />
+<select idref="accounts_passwords_pam_fail_interval" selected="true" />
 <!-- AC-7(b) -->
-<select idref="deny_password_attempts_unlock_time" selected="true" \>
+<select idref="deny_password_attempts_unlock_time" selected="true" />
 <!-- AC-8(a), AC-8(c) -->
-<select idref="set_system_login_banner" selected="true" \>
-<select idref="enable_gdm_login_banner" selected="true" \>
-<select idref="set_gdm_login_banner_text" selected="true" \>
+<select idref="set_system_login_banner" selected="true" />
+<select idref="enable_gdm_login_banner" selected="true" />
+<select idref="set_gdm_login_banner_text" selected="true" />
 <!-- AC-11(a) -->
-<select idref="set_screensaver_inactivity_timeout" selected="true" \>
-<select idref="enable_screensaver_after_idle" selected="true" \>
-<select idref="enable_screensaver_password_lock" selected="true" \>
+<select idref="set_screensaver_inactivity_timeout" selected="true" />
+<select idref="enable_screensaver_after_idle" selected="true" />
+<select idref="enable_screensaver_password_lock" selected="true" />
 <!-- AC-11(1) -->
-<select idref="set_blank_screensaver" selected="true" \>
+<select idref="set_blank_screensaver" selected="true" />
 <!-- AC-17(1) -->
-<select idref="service_auditd_enabled" selected="true" \>
-<select idref="enable_auditd_bootloader" selected="true" \>
+<select idref="service_auditd_enabled" selected="true" />
+<select idref="enable_auditd_bootloader" selected="true" />
 <!-- AC-17(7) -->
-<select idref="audit_rules_time_adjtimex" selected="true" \>
-<select idref="audit_rules_time_settimeofday" selected="true" \>
-<select idref="audit_rules_time_stime" selected="true" \>
-<select idref="audit_rules_time_clock_settime" selected="true" \>
-<select idref="audit_rules_time_watch_localtime" selected="true" \>
-<select idref="audit_account_changes" selected="true" \>
-<select idref="audit_network_modifications" selected="true" \>
-<select idref="audit_mac_changes" selected="true" \>
-<select idref="audit_rules_dac_modification_chmod" selected="true" \>
-<select idref="audit_rules_dac_modification_chown" selected="true" \>
-<select idref="audit_rules_dac_modification_fchmod" selected="true" \>
-<select idref="audit_rules_dac_modification_fchmodat" selected="true" \>
-<select idref="audit_rules_dac_modification_fchown" selected="true" \>
-<select idref="audit_rules_dac_modification_fchownat" selected="true" \>
-<select idref="audit_rules_dac_modification_fremovexattr" selected="true" \>
-<select idref="audit_rules_dac_modification_fsetxattr" selected="true" \>
-<select idref="audit_rules_dac_modification_lchown" selected="true" \>
-<select idref="audit_rules_dac_modification_lremovexattr" selected="true" \>
-<select idref="audit_rules_dac_modification_lsetxattr" selected="true" \>
-<select idref="audit_rules_dac_modification_removexattr" selected="true" \>
-<select idref="audit_rules_dac_modification_setxattr" selected="true" \>
-<select idref="audit_manual_logon_edits" selected="true" \>
-<select idref="audit_manual_session_edits" selected="true" \>
-<select idref="audit_file_access" selected="true" \>
-<select idref="audit_privileged_commands" selected="true" \>
-<select idref="audit_media_exports" selected="true" \>
-<select idref="audit_rules_file_deletion_events" selected="true" \>
-<select idref="audit_sysadmin_actions" selected="true" \>
-<select idref="audit_kernel_module_loading" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" \>
+<select idref="audit_rules_time_adjtimex" selected="true" />
+<select idref="audit_rules_time_settimeofday" selected="true" />
+<select idref="audit_rules_time_stime" selected="true" />
+<select idref="audit_rules_time_clock_settime" selected="true" />
+<select idref="audit_rules_time_watch_localtime" selected="true" />
+<select idref="audit_account_changes" selected="true" />
+<select idref="audit_network_modifications" selected="true" />
+<select idref="audit_mac_changes" selected="true" />
+<select idref="audit_rules_dac_modification_chmod" selected="true" />
+<select idref="audit_rules_dac_modification_chown" selected="true" />
+<select idref="audit_rules_dac_modification_fchmod" selected="true" />
+<select idref="audit_rules_dac_modification_fchmodat" selected="true" />
+<select idref="audit_rules_dac_modification_fchown" selected="true" />
+<select idref="audit_rules_dac_modification_fchownat" selected="true" />
+<select idref="audit_rules_dac_modification_fremovexattr" selected="true" />
+<select idref="audit_rules_dac_modification_fsetxattr" selected="true" />
+<select idref="audit_rules_dac_modification_lchown" selected="true" />
+<select idref="audit_rules_dac_modification_lremovexattr" selected="true" />
+<select idref="audit_rules_dac_modification_lsetxattr" selected="true" />
+<select idref="audit_rules_dac_modification_removexattr" selected="true" />
+<select idref="audit_rules_dac_modification_setxattr" selected="true" />
+<select idref="audit_manual_logon_edits" selected="true" />
+<select idref="audit_manual_session_edits" selected="true" />
+<select idref="audit_file_access" selected="true" />
+<select idref="audit_privileged_commands" selected="true" />
+<select idref="audit_media_exports" selected="true" />
+<select idref="audit_rules_file_deletion_events" selected="true" />
+<select idref="audit_sysadmin_actions" selected="true" />
+<select idref="audit_kernel_module_loading" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" />
 <!-- AC-17(8) -->
-<select idref="disable_xinetd" selected="true" \>
-<select idref="uninstall_xinetd" selected="true" \>
-<select idref="disable_telnet_service" selected="true" \>
-<select idref="uninstall_telnet_server" selected="true" \>
-<select idref="uninstall_rsh" selected="true" \>
-<select idref="disable_rexec" selected="true" \>
-<select idref="disable_rsh" selected="true" \>
-<select idref="disable_rlogin" selected="true" \>
-<select idref="no_rsh_trust_files" selected="true" \>
-<select idref="uninstall_ypserv" selected="true" \>
-<select idref="disable_ypbind" selected="true" \>
-<select idref="disable_tftp" selected="true" \>
-<select idref="uninstall_tftp" selected="true" \>
-<select idref="tftpd_uses_secure_mode" selected="true" \>
-<select idref="service_abrtd_disabled" selected="true" \>
-<select idref="service_kdump_disabled" selected="true" \>
-<select idref="service_netconsole_disabled" selected="true" \>
-<select idref="service_ntpdate_disabled" selected="true" \>
-<select idref="service_portreserve_disabled" selected="true" \>
-<select idref="service_qpidd_disabled" selected="true" \>
-<select idref="service_rdisc_disabled" selected="true" \>
-<select idref="service_rhnsd_disabled" selected="true" \>
-<select idref="service_saslauthd_disabled" selected="true" \>
-<select idref="sshd_allow_only_protocol2" selected="true" \>
+<select idref="disable_xinetd" selected="true" />
+<select idref="uninstall_xinetd" selected="true" />
+<select idref="disable_telnet_service" selected="true" />
+<select idref="uninstall_telnet_server" selected="true" />
+<select idref="uninstall_rsh" selected="true" />
+<select idref="disable_rexec" selected="true" />
+<select idref="disable_rsh" selected="true" />
+<select idref="disable_rlogin" selected="true" />
+<select idref="no_rsh_trust_files" selected="true" />
+<select idref="uninstall_ypserv" selected="true" />
+<select idref="disable_ypbind" selected="true" />
+<select idref="disable_tftp" selected="true" />
+<select idref="uninstall_tftp" selected="true" />
+<select idref="tftpd_uses_secure_mode" selected="true" />
+<select idref="service_abrtd_disabled" selected="true" />
+<select idref="service_kdump_disabled" selected="true" />
+<select idref="service_netconsole_disabled" selected="true" />
+<select idref="service_ntpdate_disabled" selected="true" />
+<select idref="service_portreserve_disabled" selected="true" />
+<select idref="service_qpidd_disabled" selected="true" />
+<select idref="service_rdisc_disabled" selected="true" />
+<select idref="service_rhnsd_disabled" selected="true" />
+<select idref="service_saslauthd_disabled" selected="true" />
+<select idref="sshd_allow_only_protocol2" selected="true" />
 <!-- AC-18(a) -->
-<select idref="wireless_disable_in_bios" selected="true" \>
-<select idref="deactivate_wireless_interfaces" selected="true" \>
-<select idref="service_bluetooth_disabled" selected="true" \>
-<select idref="kernel_module_bluetooth_disabled" selected="true" \>
+<select idref="wireless_disable_in_bios" selected="true" />
+<select idref="deactivate_wireless_interfaces" selected="true" />
+<select idref="service_bluetooth_disabled" selected="true" />
+<select idref="kernel_module_bluetooth_disabled" selected="true" />
 <!-- AC-19(a), AC-19(d), AC-19(e) -->
-<select idref="mountopt_nodev_on_removable_partitions" selected="true" \>
-<select idref="mount_option_noexec_removable_partitions" selected="true" \>
-<select idref="mountopt_nosuid_on_removable_partitions" selected="true" \>
-<select idref="kernel_module_usb-storage_disabled" selected="true" \>
-<select idref="bootloader_nousb_argument" selected="true" \>
-<select idref="bios_disable_usb_boot" selected="true" \>
-<select idref="service_autofs_disabled" selected="true" \>
-<select idref="gconf_gnome_disable_automount" selected="true" \>
+<select idref="mountopt_nodev_on_removable_partitions" selected="true" />
+<select idref="mount_option_noexec_removable_partitions" selected="true" />
+<select idref="mountopt_nosuid_on_removable_partitions" selected="true" />
+<select idref="kernel_module_usb-storage_disabled" selected="true" />
+<select idref="bootloader_nousb_argument" selected="true" />
+<select idref="bios_disable_usb_boot" selected="true" />
+<select idref="service_autofs_disabled" selected="true" />
+<select idref="gconf_gnome_disable_automount" selected="true" />
 <!-- AU-1(b) -->
-<select idref="configure_auditd_num_logs" selected="true" \>
-<select idref="configure_auditd_max_log_file" selected="true" \>
-<select idref="configure_auditd_max_log_file_action" selected="true" \>
-<select idref="auditd_data_retention_space_left_action" selected="true" \>
-<select idref="auditd_data_retention_admin_space_left_action" selected="true" \>
-<select idref="auditd_data_retention_action_mail_acct" selected="true" \>
-<select idref="configure_auditd_audispd" selected="true" \>
+<select idref="configure_auditd_num_logs" selected="true" />
+<select idref="configure_auditd_max_log_file" selected="true" />
+<select idref="configure_auditd_max_log_file_action" selected="true" />
+<select idref="auditd_data_retention_space_left_action" selected="true" />
+<select idref="auditd_data_retention_admin_space_left_action" selected="true" />
+<select idref="auditd_data_retention_action_mail_acct" selected="true" />
+<select idref="configure_auditd_audispd" selected="true" />
 <!-- AU-3(1): THIS NEEDS FURTHER REVIEW ON ADDITIONAL AUDIT RECORD DETAILS -->
 <!-- AU-3(2) -->
-<select idref="rsyslog_send_messages_to_logserver" selected="true" \>
+<select idref="rsyslog_send_messages_to_logserver" selected="true" />
 <!-- AU-8(1) -->
-<select idref="service_ntpd_enabled" selected="true" \>
-<select idref="ntpd_specify_remote_server" selected="true" \>
-<select idref="ntpd_specify_multiple_servers" selected="true" \>
+<select idref="service_ntpd_enabled" selected="true" />
+<select idref="ntpd_specify_remote_server" selected="true" />
+<select idref="ntpd_specify_multiple_servers" selected="true" />
 <!-- AU-12 -->
-<select idref="service_psacct_enabled" selected="true" \>
+<select idref="service_psacct_enabled" selected="true" />
 <!-- CM-3 At some point we should look at creating prose for this
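Review bot: Several `idref` values in this hunk do not agree with names used elsewhere in the same file, and since verify-input-sanity.py checks only well-formedness a dangling reference will not be reported: the AC-7(a) line `<select idref="accounts_passwords_pam_fail_interval" selected="true" />` lacks the `faillock` segment carried by the variable `var_accounts_passwords_pam_faillock_fail_interval` refined earlier in the file, the AC-7(b) select `deny_password_attempts_unlock_time` does not follow the `accounts_passwords_pam_faillock_*` naming of its siblings, and AC-2(7)(b) selects `audit_sysadmin_action` while AC-17(7) selects `audit_sysadmin_actions`. These may well be real Rule ids, but each should be checked against the Rule definitions, because an unresolved select silently drops that control from the resulting benchmark instead of failing the build. `service_rdisc_disabled` (AC-4 and AC-17(8)) and `audit_account_changes` (AC-2(4) and AC-17(7)) are selected twice, which is harmless but worth either removing or marking with `<!-- also selected under AC-4 -->` so the duplication is not mistaken for an error. The Profile element starts and ends outside the hunk.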
@@ -294,80 +291,80 @@ assurance."</description> changes to relevant files -->
 <!-- CM-6(d) -->
-<select idref="package_aide_installed" selected="true" \>
-<select idref="disable_prelink" selected="true" \>
-<select idref="aide_build_database" selected="true" \>
-<select idref="aide_periodic_cron_checking" selected="true" \>
-<select idref="rpm_verify_hashes" selected="true" \>
+<select idref="package_aide_installed" selected="true" />
+<select idref="disable_prelink" selected="true" />
+<select idref="aide_build_database" selected="true" />
+<select idref="aide_periodic_cron_checking" selected="true" />
+<select idref="rpm_verify_hashes" selected="true" />
 <!-- CM-7 -->
-<select idref="kernel_module_ipv6_option_disabled" selected="true" \>
-<select idref="network_ipv6_disable_rpc" selected="true" \>
-<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" \>
-<select idref="sysctl_ipv6_default_accept_redirects" selected="true" \>
-<select idref="network_disable_unused_interfaces" selected="true" \>
-<select idref="network_disable_zeroconf" selected="true" \>
-<select idref="network_sniffer_disabled" selected="true" \>
-<select idref="kernel_module_dccp_disabled" selected="true" \>
-<select idref="kernel_module_sctp_disabled" selected="true" \>
-<select idref="kernel_module_rds_disabled" selected="true" \>
-<select idref="kernel_module_tipc_disabled" selected="true" \>
-<select idref="set_iptables_default_rule" selected="true" \>
-<select idref="set_iptables_default_rule_forward" selected="true" \>
-<select idref="sysctl_ipv4_all_send_redirects" selected="true" \>
-<select idref="sysctl_ipv4_ip_forward" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true" \>
-<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true" \>
-<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" \>
-<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true" \>
-<select 
idref="kernel_module_cramfs_disabled" selected="true" \>
-<select idref="kernel_module_freevxfs_disabled" selected="true" \>
-<select idref="kernel_module_jffs2_disabled" selected="true" \>
-<select idref="kernel_module_hfs_disabled" selected="true" \>
-<select idref="kernel_module_hfsplus_disabled" selected="true" \>
-<select idref="kernel_module_squashfs_disabled" selected="true" \>
-<select idref="kernel_module_udf_disabled" selected="true" \>
-<select idref="disable_gnome_thumbnailers" selected="true" \>
-<select idref="mountopt_nodev_on_nonroot_partitions" selected="true" \>
-<select idref="mount_option_tmp_nodev" selected="true" \>
-<select idref="mount_option_tmp_noexec" selected="true" \>
-<select idref="mount_option_tmp_nosuid" selected="true" \>
-<select idref="mount_option_dev_shm_nodev" selected="true" \>
-<select idref="mount_option_dev_shm_noexec" selected="true" \>
-<select idref="mount_option_dev_shm_nosuid" selected="true" \>
-<select idref="mount_option_var_tmp_bind_var" selected="true" \>
-<select idref="service_cups_disabled" selected="true" \>
-<select idref="cups_disable_browsing" selected="true" \>
-<select idref="cups_disable_printserver" selected="true" \>
-<select idref="disable_dhcp_server" selected="true" \>
-<select idref="uninstall_dhcp_server" selected="true" \>
-<select idref="disable_dhcp_client" selected="true" \>
-<select idref="disable_avahi" selected="true" \>
-<select idref="service_crond_enabled" selected="true" \>
-<select idref="disable_anacron" selected="true" \>
-<select idref="disable_dns_server" selected="true" \>
-<select idref="uninstall_bind" selected="true" \>
-<select idref="package_openldap-servers_removed" selected="true" \>
-<select idref="package_sendmail_removed" selected="true" \>
-<select idref="service_acpid_disabled" selected="true" \>
-<select idref="service_atd_disabled" selected="true" \>
-<select idref="service_certmonger_disabled" selected="true" \>
-<select idref="service_cgconfig_disabled" 
selected="true" \>
-<select idref="service_cgred_disabled" selected="true" \>
-<select idref="service_cpuspeed_disabled" selected="true" \>
-<select idref="service_haldaemon_disabled" selected="true" \>
-<select idref="service_irqbalance_enabled" selected="true" \>
-<select idref="service_mdmonitor_disabled" selected="true" \>
-<select idref="service_messagebus_disabled" selected="true" \>
-<select idref="service_oddjobd_disabled" selected="true" \>
-<select idref="service_quota_nld_disabled" selected="true" \>
-<select idref="service_rhsmcertd_disabled" selected="true" \>
-<select idref="service_smartd_disabled" selected="true" \>
-<select idref="service_sysstat_disabled" selected="true" \>
-<select idref="disable_httpd" selected="true" \>
-<select idref="uninstall_httpd" selected="true" \>
-<select idref="disabling_vsftpd" selected="true" \>
-<select idref="uninstall_vsftpd" selected="true" \>
+<select idref="kernel_module_ipv6_option_disabled" selected="true" />
+<select idref="network_ipv6_disable_rpc" selected="true" />
+<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" />
+<select idref="sysctl_ipv6_default_accept_redirects" selected="true" />
+<select idref="network_disable_unused_interfaces" selected="true" />
+<select idref="network_disable_zeroconf" selected="true" />
+<select idref="network_sniffer_disabled" selected="true" />
+<select idref="kernel_module_dccp_disabled" selected="true" />
+<select idref="kernel_module_sctp_disabled" selected="true" />
+<select idref="kernel_module_rds_disabled" selected="true" />
+<select idref="kernel_module_tipc_disabled" selected="true" />
+<select idref="set_iptables_default_rule" selected="true" />
+<select idref="set_iptables_default_rule_forward" selected="true" />
+<select idref="sysctl_ipv4_all_send_redirects" selected="true" />
+<select idref="sysctl_ipv4_ip_forward" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true" />
+<select 
idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true" />
+<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true" />
+<select idref="kernel_module_cramfs_disabled" selected="true" />
+<select idref="kernel_module_freevxfs_disabled" selected="true" />
+<select idref="kernel_module_jffs2_disabled" selected="true" />
+<select idref="kernel_module_hfs_disabled" selected="true" />
+<select idref="kernel_module_hfsplus_disabled" selected="true" />
+<select idref="kernel_module_squashfs_disabled" selected="true" />
+<select idref="kernel_module_udf_disabled" selected="true" />
+<select idref="disable_gnome_thumbnailers" selected="true" />
+<select idref="mountopt_nodev_on_nonroot_partitions" selected="true" />
+<select idref="mount_option_tmp_nodev" selected="true" />
+<select idref="mount_option_tmp_noexec" selected="true" />
+<select idref="mount_option_tmp_nosuid" selected="true" />
+<select idref="mount_option_dev_shm_nodev" selected="true" />
+<select idref="mount_option_dev_shm_noexec" selected="true" />
+<select idref="mount_option_dev_shm_nosuid" selected="true" />
+<select idref="mount_option_var_tmp_bind_var" selected="true" />
+<select idref="service_cups_disabled" selected="true" />
+<select idref="cups_disable_browsing" selected="true" />
+<select idref="cups_disable_printserver" selected="true" />
+<select idref="disable_dhcp_server" selected="true" />
+<select idref="uninstall_dhcp_server" selected="true" />
+<select idref="disable_dhcp_client" selected="true" />
+<select idref="disable_avahi" selected="true" />
+<select idref="service_crond_enabled" selected="true" />
+<select idref="disable_anacron" selected="true" />
+<select idref="disable_dns_server" selected="true" />
+<select idref="uninstall_bind" selected="true" />
+<select idref="package_openldap-servers_removed" selected="true" />
+<select idref="package_sendmail_removed" 
selected="true" />
+<select idref="service_acpid_disabled" selected="true" />
+<select idref="service_atd_disabled" selected="true" />
+<select idref="service_certmonger_disabled" selected="true" />
+<select idref="service_cgconfig_disabled" selected="true" />
+<select idref="service_cgred_disabled" selected="true" />
+<select idref="service_cpuspeed_disabled" selected="true" />
+<select idref="service_haldaemon_disabled" selected="true" />
+<select idref="service_irqbalance_enabled" selected="true" />
+<select idref="service_mdmonitor_disabled" selected="true" />
+<select idref="service_messagebus_disabled" selected="true" />
+<select idref="service_oddjobd_disabled" selected="true" />
+<select idref="service_quota_nld_disabled" selected="true" />
+<select idref="service_rhsmcertd_disabled" selected="true" />
+<select idref="service_smartd_disabled" selected="true" />
+<select idref="service_sysstat_disabled" selected="true" />
+<select idref="disable_httpd" selected="true" />
+<select idref="uninstall_httpd" selected="true" />
+<select idref="disabling_vsftpd" selected="true" />
+<select idref="uninstall_vsftpd" selected="true" />
 <!-- REMAINING MAPPINGS -- 1.8.3.1
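Review bot: The `<!-- CM-7 -->` section on the new side groups roughly seventy selections spanning unrelated areas (IPv6 and sysctl network hardening, iptables defaults, filesystem kernel modules, mount options, and a long run of service and package rules) under a single control tag, so a reader auditing the profile cannot tell which selection is meant to satisfy which part of the control. Sub-headings in the file's existing comment style, e.g. `<!-- CM-7: network protocols and sysctl -->`, `<!-- CM-7: unneeded filesystem modules and mount options -->`, `<!-- CM-7: unneeded services and packages -->`, would keep the control-to-rule mapping traceable. It is also not obvious from the comment alone why `service_crond_enabled` and `service_irqbalance_enabled` sit under CM-7 next to disable/uninstall rules; a short comment giving the rationale, or moving them to the control they satisfy, would help. The remainder of the `<!-- REMAINING MAPPINGS` comment lies outside this hunk and was not checked.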
