October 2013 - scap-security-guide - Fedora Mailing-Lists

by Kordell, Luke T

Hello, I thought it would be useful to generate an "all_rules" profile to help us in the requirements-gathering phase of a profile development. To create this profile I grepped the .xml files contained in the system and services directories for "Rule id=" and used the output to create an all_rules profile. The all_rules profile and CS2 profile list 388 rules while the STIG lists 389. I expected the all_rules profile to have more rules than either since it should contain at least all the rules called by both CS2 and the STIG. Are there rules in other directories, or am I missing something else? I have been comparing SECSCN output to the STIG and CS2 profiles and thus-far it has raised a couple questions. First SECSCN lists the bash commands it uses to gather its results and lists the exact reasons for a failed test. Are there plans to include this capability in the future or would this be handled by a scanning automation tool like oscap? What component of SCAP and/or OVAL is linked to bash? Is it possible to get access to this underlying source-code for modification purposes? Luke K

10 years, 5 months

3
10
0 / 0

Fwd: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example.

by Matthew Mariani

As recommended, moving this thread to the SSG mailing list. Background: We are working on developing an SSG profile definition for RH certified cloud providers. In addition to these XCCDF-based checks, I need to also detect any non-RedHat packages installed on the system. The question to the group is: are there any recommendations or examples on how this may have been done previously. As example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be made aware and have those reported by the check. An OVAL path was suggested below. Does anyone have additional guidance on how/if I can do this with SCAP-related tools? Thanks, -Matt Matthew Mariani Partner Solution Architect M: +1-717-756-6834 mmariani(a)redhat.com ----- Original Message ----- From: "Shawn Wells" <shawn(a)redhat.com> To: open-scap-list(a)redhat.com Sent: Sunday, October 13, 2013 11:30:26 PM Subject: Re: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example. On 10/10/13 4:44 PM, Matthew Mariani wrote: Danny, Thanks, very helpful. -Matt ----- Original Message ----- From: "Dan Haynes" <dhaynes(a)mitre.org> To: "Matthew Mariani" <mmariani(a)redhat.com> , open-scap-list(a)redhat.com Sent: Wednesday, October 9, 2013 2:45:35 PM Subject: RE: SCAP Newbie Questions for simple RHEL6 XCCDF example. Hi Matthew, Comments inline below. Hope this helps. Thanks, Danny From: open-scap-list-bounces(a)redhat.com [ mailto:open-scap-list-bounces@redhat.com ] On Behalf Of Matthew Mariani Sent: Wednesday, October 09, 2013 1:11 PM To: open-scap-list(a)redhat.com Subject: [Open-scap] SCAP Newbie Questions for simple RHEL6 XCCDF example. Hi list, 'SCAP newbie here. I'm working with the attached XCCDF profile definition to be used with a RHEL6 system. The end goal is to define a standard RHEL cloud image security profile. I have two questions: 1. I believe I need additional XML syntax in the file to have valid XCCDF content. When I try both testing with the 'info' function and running an 'eval', I get an Unknown document type error. [root@rhel6client ~]# oscap info rht-ccp.xml OpenSCAP Error: Unknown document type: 'rht-ccp.xml' [oscapxml.c:554] [root@rhel6client ~]# oscap xccdf eval --profile rht-ccp --results /root/rht-ccp.results.xml --report /root/rht-ccp.report.html rht-ccp.xml Profile "rht-ccp" was not found. Looking at some of the xccdf examples referenced here http://www.open-scap.org/page/Documentation , I'm thinking I need a <Benchmark> wrapper around my profile. Am I on the right track, and if so is there a basic <Benchmark> syntax example available? I'm finding it difficult to id what's required and what's not in examples referenced on the Documentation page. [Danny]: Yes, you will need to include the <Benchmark> component. You may want to look at the RHEL6 STIG SCAP content being developed in the scap-security-guide project ( https://fedorahosted.org/scap-security-guide/ ). It should serve as a good example and you may be able to reuse some of the content. They also have some tools that you could leverage to help generate the content. Matt pinged me offline re: the Red Hat CCP profile. I've now merged it into SSG: https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=3633... You should now be able to clone the source and run a scan: https://fedorahosted.org/scap-security-guide/wiki/downloads aka $ sudo yum install git openscap-utils python-lxml $ cd /tmp ; git clone git://git.fedorahosted.org/git/scap-security-guide.git ; cd scap-security-guide/RHEL6 $ make content $ sudo oscap xccdf eval --profile rht-ccp \ --results /root/ssg-results-`date`.xml \ --report /root/ssg-results-`date`.html \ --cpe output/ssg-rhel6-cpe-dictionary.xml \ output/ssg-rhel6-xccdf.xml <blockquote> 2. Looking forward, in addition to these XCCDF checks, I have the need to detect non-RedHat signed packaged installed on the system. Does anyone have guidance on how/if I can do that with SCAP tools. As example, suppose a cloud image has a monitoring package or hypervisor para-virt rpms install, I want to be made aware and have those reported by the check. [Danny]: Yes, you should be able to check for any non-Red Hat signed packages using OVAL which is an language for checking the state of an endpoint. There is the linux-def:rpminfo_test ( http://oval.mitre.org/language/version5.10.1/ovaldefinition/complete/linu... ) which you can use to check various metadata about the packages installed on the system including the signature key ID. With that in mind, you should be able to collect all RPMs on the system and filter out any RPMs that are signed by Red Hat leaving only those that haven’t been signed by Red Hat. I have attached an OVAL definition which shows how you might do this. Of course, you may need to modify it to include the appropriate signature key IDs. Any help is appreciated. Thanks, -Matt </blockquote> Since this is largely content related, feel free to kick over the conversation to the SSG mailing list: https://fedorahosted.org/scap-security-guide/ https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide Our friends and allies within the OpenSCAP tooling community let us content guys play here, but content questions (for SSG) should be kicked over to the SSG community list :) _______________________________________________ Open-scap-list mailing list Open-scap-list(a)redhat.com https://www.redhat.com/mailman/listinfo/open-scap-list

10 years, 5 months

4
9
0 / 0

(no subject)

by Kordell, Luke T

Hello, I thought it would be useful to generate an "all_rules" profile to help us in the requirements-gathering phase of a profile development. To create this profile I grepped the .xml files contained in the system and services directories for "Rule id=" and used the output to create an all_rules profile. The all_rules profile and CS2 profile list 388 rules while the STIG lists 389. I expected the all_rules profile to have more rules than either since it should contain at least all the rules called by both CS2 and the STIG. Are there rules in other directories, or am I missing something else? I have been comparing SECSCN output to the STIG and CS2 profiles and thus-far it has raised a couple questions. First SECSCN lists the bash commands it uses to gather its results and lists the exact reasons for a failed test. Are there plans to include this capability in the future or would this be handled by a scanning automation tool like oscap? What component of SCAP and/or OVAL is linked to bash? Is it possible to get access to this underlying source-code for modification purposes? .Luke K

10 years, 5 months

1
0
0 / 0

five stig-rhel6-server failures question

by Mercer, Rodney

I have questions about the five checks shown below, are these known false positives? Thanks, Rodney ---- Rodney Mercer Systems Administrator. -------------------------------------------------------------------- Add noexec Option to Removable Media Partitions I don't know how to satisfy this to get a "pass" I have no removable media listed in /etc/fstab -------------------------------------------------------------------- Ensure No Device Files are Unlabeled by SELinux shows: error I found a fix by substituting input/checks/selinux_all_devicefiles_labeled.xml with: http://oss.tresys.com/projects/clip/browser/packages/scap-security-guide/... Not sure if this is the correct fix? -------------------------------------------------------------------- Implement Blank Screen Saver The Fix SAYS to do this: # gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only The check: gconf_gnome_screensaver_mode_blank.xml requires that you would do this: gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults \ --type string \ --set /apps/gnome-screensaver/mode blank-only I believe that ALL of the gnome-screensaver checks should be against the gconf.xml.mandatory tree so that a user cannot change his individual settings. -------------------------------------------------------------------- Enable GUI Warning Banner fails #gconftool-2 \ --config-source xml:readwrite:/etc/gconf/gconf.xml.defaults \ --get /apps/gdm/simple-greeter/banner_message_enable true # sudo -u gdm gconftool-2 \ --get /apps/gdm/simple-greeter/banner_message_enable true # ./testcheck.py banner_gui_enabled.xml Evaluating with OVAL tempfile : /tmp/banner_gui_enabledkXi0PJ.xml Writing results to : /tmp/banner_gui_enabledkXi0PJ.xml-results Definition oval:scap-security-guide.testing:def:121: false Evaluation done. -------------------------------------------------------------------- Disable Accepting IPv6 Redirects CCE-27166-8 fails # sysctl -w net.ipv6.conf.default.accept_redirects=0 error: "net.ipv6.conf.default.accept_redirects" is an unknown key The rule just above this CCE-27153-6 disables the IPV6 stack and causes this to fail. Both rules cannot co-exist and pass.

10 years, 5 months

1
0
0 / 0

CCE-26801-1 - rsyslog suggestion/question

by wm-lists

It appears the requirement check /etc/rsyslog.conf for an entry such as *.* @*loghost.example.com* or *.* @(a)*loghost.example.com* <ind:textfilecontent54_object id="oval:ssg:obj:1907" version="1"> <ind:path>/etc</ind:path> <ind:filename>rsyslog.conf</ind:filename> <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> However in my case, we utilize multiple .conf files under /etc/rsyslog.d for destinations (log aggregators, etc...) I'm guessing the scap software doesn't follow include Directives?

10 years, 6 months

3
4
0 / 0

[PATCH 1/8] OVAL/XCCDF naming update

by Shawn Wells

10 years, 6 months

3
3
0 / 0

Tier 3 content issue

by Steve Grubb

Hello, I would like to point out a concern for any content that is destined to become Tier 3 or 4 at some future point (meaning USGCB). Tier 3 content must be used for the validation of scanner tools. All scanner tools from all vendors. So, this is not a openscap problem. The rules for validation are in NIST IR7511. There is the following requirement: SCAP.R.1700: The product SHALL be able to process the content that is representative of content published at Tier III and the OVAL repository which is associated with the platforms for which validation is being sought. The way that labs test this is to get the official kickstart and modify some settings. They make a VM that is subcompliant and a VM that is supercompliant. For example, if a file's permission is supposed to be 0644, the subcompliant would be 0666 and supercompliant would be 0640. Or perhaps they set the min password length to 8 for subcompliant and 16 for supercompliant. But this is only done for everything that makes sense to change. For example, a setting may say, "IP forwarding should be enabled or disabled as appropriate." This one can be made subcompliant but you can't make it supercompliant because its a boolean test (it is or is not correct). What is expected of scanners is that they find and report all the subcompliant changes and ignore the supercompliant changes. (That is with the exception of the rpmverify file permissions test which is likely to fail.) That means using "greater than or equal" in places where the check is currently "equal" when security can be exceeded. Or perhaps instead of expressing a test for exact file permissions, turn the test upside down and express the bits that shouldn't be present (755 becomes 022). While I don't know of a specific problem in the SSG content, I want everyone to be aware of this so that the content can be used for scanner validation. This might even be good to create a sub/super compliant VM and check as part of the release process. Thanks, -Steve

10 years, 6 months

2
1
0 / 0

[PATCH 2/3] changed appropriate macro references to reflect expected output for xinetd services

by David Smith

--- RHEL6/input/services/obsolete.xml | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-) diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 41ee480..1792120 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -77,7 +77,7 @@ actively working to migrate to a more secure protocol.</description> <description> <service-disable-macro service="telnet" /> </description> -<ocil><service-disable-check-macro service="telnet" /></ocil> +<ocil><xinetd-service-disable-check-macro service="telnet" /></ocil> <rationale> The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and @@ -139,7 +139,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rexec" /> </description> -<ocil><service-disable-check-macro service="rexec" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rexec" /></ocil> <rationale>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -158,7 +158,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rsh" /> </description> -<ocil><service-disable-check-macro service="rsh" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rsh" /></ocil> <rationale>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -177,7 +177,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rlogin" /> </description> -<ocil><service-disable-check-macro service="rlogin" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rlogin" /></ocil> <rationale>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be -- 1.7.1

10 years, 6 months

2
2
0 / 0

[PATCH] [corrected] OVAL signoff

by David Smith

--- .../checks/kernel_module_ipv6_option_disabled.xml | 1 + RHEL6/input/checks/ldap_client_start_tls.xml | 1 + RHEL6/input/checks/service_rexec_disabled.xml | 1 + RHEL6/input/checks/service_rlogin_disabled.xml | 1 + RHEL6/input/checks/service_rsh_disabled.xml | 1 + RHEL6/input/checks/service_telnetd_disabled.xml | 1 + RHEL6/input/checks/service_xinetd_disabled.xml | 1 + RHEL6/input/services/obsolete.xml | 8 ++++---- 8 files changed, 11 insertions(+), 4 deletions(-) diff --git a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml index a1203bf..cb61e74 100644 --- a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml +++ b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_kernel_module_ipv6_option_disabled" comment="ipv6 disabled any modprobe conf file"/> diff --git a/RHEL6/input/checks/ldap_client_start_tls.xml b/RHEL6/input/checks/ldap_client_start_tls.xml index 75f636d..184b9c2 100644 --- a/RHEL6/input/checks/ldap_client_start_tls.xml +++ b/RHEL6/input/checks/ldap_client_start_tls.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Require the use of TLS for ldap clients.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package pam_ldap is not present" operator="OR"> <extend_definition comment="pam_ldap not present or not in use" diff --git a/RHEL6/input/checks/service_rexec_disabled.xml b/RHEL6/input/checks/service_rexec_disabled.xml index 9e1ee78..205b567 100644 --- a/RHEL6/input/checks/service_rexec_disabled.xml +++ b/RHEL6/input/checks/service_rexec_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rexec service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rexec is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rlogin_disabled.xml b/RHEL6/input/checks/service_rlogin_disabled.xml index 6318c9a..ed95c27 100644 --- a/RHEL6/input/checks/service_rlogin_disabled.xml +++ b/RHEL6/input/checks/service_rlogin_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rlogin service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rlogin is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rsh_disabled.xml b/RHEL6/input/checks/service_rsh_disabled.xml index 71bc9ff..54e9136 100644 --- a/RHEL6/input/checks/service_rsh_disabled.xml +++ b/RHEL6/input/checks/service_rsh_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rsh service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rsh is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml b/RHEL6/input/checks/service_telnetd_disabled.xml index b02fe67..095f7ad 100644 --- a/RHEL6/input/checks/service_telnetd_disabled.xml +++ b/RHEL6/input/checks/service_telnetd_disabled.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Disable telnet Service</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package telnet-server removed or service telnetd is not configured to start" operator="OR"> <extend_definition comment="rpm package telnet-server removed" definition_ref="package_telnet-server_removed" /> diff --git a/RHEL6/input/checks/service_xinetd_disabled.xml b/RHEL6/input/checks/service_xinetd_disabled.xml index 24ad0ef..c162e23 100644 --- a/RHEL6/input/checks/service_xinetd_disabled.xml +++ b/RHEL6/input/checks/service_xinetd_disabled.xml @@ -8,6 +8,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The xinetd service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package xinetd removed or service xinetd is not configured to start" operator="OR"> <extend_definition comment="xinetd removed" definition_ref="package_xinetd_removed" /> diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 41ee480..1792120 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -77,7 +77,7 @@ actively working to migrate to a more secure protocol.</description> <description> <service-disable-macro service="telnet" /> </description> -<ocil><service-disable-check-macro service="telnet" /></ocil> +<ocil><xinetd-service-disable-check-macro service="telnet" /></ocil> <rationale> The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and @@ -139,7 +139,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rexec" /> </description> -<ocil><service-disable-check-macro service="rexec" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rexec" /></ocil> <rationale>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -158,7 +158,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rsh" /> </description> -<ocil><service-disable-check-macro service="rsh" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rsh" /></ocil> <rationale>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -177,7 +177,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rlogin" /> </description> -<ocil><service-disable-check-macro service="rlogin" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rlogin" /></ocil> <rationale>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be -- 1.7.1

10 years, 6 months

2
1
0 / 0

[PATCH 1/3] OVAL signoff

by David Smith

--- .../checks/kernel_module_ipv6_option_disabled.xml | 1 - RHEL6/input/checks/ldap_client_start_tls.xml | 1 - RHEL6/input/checks/service_rexec_disabled.xml | 1 - RHEL6/input/checks/service_rlogin_disabled.xml | 1 - RHEL6/input/checks/service_rsh_disabled.xml | 1 - RHEL6/input/checks/service_telnetd_disabled.xml | 1 - RHEL6/input/checks/service_xinetd_disabled.xml | 1 - 7 files changed, 0 insertions(+), 7 deletions(-) diff --git a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml index cb61e74..a1203bf 100644 --- a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml +++ b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml @@ -6,7 +6,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_kernel_module_ipv6_option_disabled" comment="ipv6 disabled any modprobe conf file"/> diff --git a/RHEL6/input/checks/ldap_client_start_tls.xml b/RHEL6/input/checks/ldap_client_start_tls.xml index 184b9c2..75f636d 100644 --- a/RHEL6/input/checks/ldap_client_start_tls.xml +++ b/RHEL6/input/checks/ldap_client_start_tls.xml @@ -7,7 +7,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Require the use of TLS for ldap clients.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package pam_ldap is not present" operator="OR"> <extend_definition comment="pam_ldap not present or not in use" diff --git a/RHEL6/input/checks/service_rexec_disabled.xml b/RHEL6/input/checks/service_rexec_disabled.xml index 205b567..9e1ee78 100644 --- a/RHEL6/input/checks/service_rexec_disabled.xml +++ b/RHEL6/input/checks/service_rexec_disabled.xml @@ -6,7 +6,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rexec service should be disabled if possible.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rexec is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rlogin_disabled.xml b/RHEL6/input/checks/service_rlogin_disabled.xml index ed95c27..6318c9a 100644 --- a/RHEL6/input/checks/service_rlogin_disabled.xml +++ b/RHEL6/input/checks/service_rlogin_disabled.xml @@ -6,7 +6,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rlogin service should be disabled if possible.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rlogin is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rsh_disabled.xml b/RHEL6/input/checks/service_rsh_disabled.xml index 54e9136..71bc9ff 100644 --- a/RHEL6/input/checks/service_rsh_disabled.xml +++ b/RHEL6/input/checks/service_rsh_disabled.xml @@ -6,7 +6,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rsh service should be disabled if possible.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rsh is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml b/RHEL6/input/checks/service_telnetd_disabled.xml index 095f7ad..b02fe67 100644 --- a/RHEL6/input/checks/service_telnetd_disabled.xml +++ b/RHEL6/input/checks/service_telnetd_disabled.xml @@ -7,7 +7,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Disable telnet Service</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package telnet-server removed or service telnetd is not configured to start" operator="OR"> <extend_definition comment="rpm package telnet-server removed" definition_ref="package_telnet-server_removed" /> diff --git a/RHEL6/input/checks/service_xinetd_disabled.xml b/RHEL6/input/checks/service_xinetd_disabled.xml index c162e23..24ad0ef 100644 --- a/RHEL6/input/checks/service_xinetd_disabled.xml +++ b/RHEL6/input/checks/service_xinetd_disabled.xml @@ -8,7 +8,6 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The xinetd service should be disabled if possible.</description> - <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package xinetd removed or service xinetd is not configured to start" operator="OR"> <extend_definition comment="xinetd removed" definition_ref="package_xinetd_removed" /> -- 1.7.1

10 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide October 2013