From shawn at redhat.com Thu Aug 20 11:35:49 2015
Content-Type: multipart/mixed; boundary="===============1732472330657087098=="
MIME-Version: 1.0
From: Shawn Wells <shawn at redhat.com>
To: scap-security-guide at lists.fedorahosted.org
Subject: Re: [PATCH] Loosening up some of the checks to allow for non standard
 ports and equivalent values as allowed by the man page
Date: Tue, 19 Nov 2013 12:58:19 -0700
Message-ID: <528BC2DB.7040104@redhat.com>
In-Reply-To: 1384885262-5602-2-git-send-email-maura@eclipse.ncsc.mil

--===============1732472330657087098==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

On 11/19/13, 11:21 AM, Maura Dailey wrote:
> Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
> ---
>   RHEL6/input/checks/cups_disable_browsing.xml    |   47 ++++++++++++----=
-------
>   RHEL6/input/checks/cups_disable_printserver.xml |   32 +++++-----------
>   2 files changed, 35 insertions(+), 44 deletions(-)
>
> diff --git a/RHEL6/input/checks/cups_disable_browsing.xml b/RHEL6/input/c=
hecks/cups_disable_browsing.xml
> index 6b6d54e..cadd68a 100644
> --- a/RHEL6/input/checks/cups_disable_browsing.xml
> +++ b/RHEL6/input/checks/cups_disable_browsing.xml
> @@ -1,42 +1,45 @@
>   <def-group>
> -  <definition class=3D"compliance"
> -  id=3D"cups_disable_browsing" version=3D"1">
> +  <definition class=3D"compliance" id=3D"cups_disable_browsing" version=
=3D"1">
>       <metadata>
>         <title>Disable Printer Browsing Entirely if Possible</title>
>         <affected family=3D"unix">
>           <platform>Red Hat Enterprise Linux 6</platform>
>         </affected>
> -      <description>The CUPS print service can be configured to broadcast=
 a list of available printers to the network. Other machines on the network=
, also running the CUPS print service, can be configured to listen to these=
 broadcasts and add and configure these printers for immediate use. By disa=
bling this browsing capability, the machine will no longer generate or rece=
ive such broadcasts.</description>
> +      <description>The CUPS print service can be configured to broadcast=
 a list
> +      of available printers to the network. Other machines on the networ=
k, also
> +      running the CUPS print service, can be configured to listen to the=
se
> +      broadcasts and add and configure these printers for immediate use.=
 By
> +      disabling this browsing capability, the machine will no longer gen=
erate
> +      or receive such broadcasts.</description>
> +      <reference source=3D"MED" ref_id=3D"20131119" ref_url=3D"test_atte=
station" />
>       </metadata>
>       <criteria operator=3D"AND">
> -      <criterion comment=3D"Protect browsing_off"  test_ref=3D"test_cups=
_disable_browsing_browsing_off" />
> -      <criterion comment=3D"Protect browsingallow" test_ref=3D"test_cups=
_disable_browsing_browsingallow" />
> +      <criterion comment=3D"Ensure remote printer browsing is off"
> +      test_ref=3D"test_cups_disable_browsing_browsing_off" />
> +      <criterion comment=3D"Ensure no incoming printer information packe=
ts are allowed"
> +      test_ref=3D"test_cups_disable_browsing_browseallow" negate=3D"true=
" />
>       </criteria>
>     </definition>
> -
> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist"
> -  comment=3D"Disable Browsing"
> -  id=3D"test_cups_disable_browsing_browsing_off" version=3D"1">
> +
> +  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist"
> +  comment=3D"Disable Browsing" id=3D"test_cups_disable_browsing_browsing=
_off"
> +  version=3D"1">
>       <ind:object object_ref=3D"obj_cups_disable_browsing_browsing_off" />
>     </ind:textfilecontent54_test>
>     <ind:textfilecontent54_object id=3D"obj_cups_disable_browsing_browsin=
g_off" version=3D"1">
> -    <ind:path>/etc/cups</ind:path>
> -    <ind:filename>cupsd.conf</ind:filename>
> -    <ind:pattern operation=3D"pattern match">Browsing Off</ind:pattern>
> +    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
> +    <ind:pattern operation=3D"pattern match">Browsing[\s]+(?:Off|No)</in=
d:pattern>
>       <ind:instance datatype=3D"int">1</ind:instance>
>     </ind:textfilecontent54_object>
>   =

> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist"
> -  comment=3D"Do not allow for browsing"
> -  id=3D"test_cups_disable_browsing_browsingallow" version=3D"1">
> -    <ind:object object_ref=3D"obj_cups_disable_browsing_browsingallow" />
> +  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist"
> +  comment=3D"Do not allow incoming printer information packets"
> +  id=3D"test_cups_disable_browsing_browseallow" version=3D"1">
> +    <ind:object object_ref=3D"obj_cups_disable_browsing_browseallow" />
>     </ind:textfilecontent54_test>
> -  <ind:textfilecontent54_object id=3D"obj_cups_disable_browsing_browsing=
allow" version=3D"1">
> -    <ind:path>/etc/cups</ind:path>
> -    <ind:filename>cupsd.conf</ind:filename>
> -    <ind:pattern operation=3D"pattern match">BrowseAllow none</ind:patte=
rn>
> +  <ind:textfilecontent54_object id=3D"obj_cups_disable_browsing_browseal=
low" version=3D"1">
> +    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
> +    <ind:pattern operation=3D"pattern match">BrowseAllow[\s]+(?!none)</i=
nd:pattern>
>       <ind:instance datatype=3D"int">1</ind:instance>
>     </ind:textfilecontent54_object>
> -
> -
>   </def-group>
> diff --git a/RHEL6/input/checks/cups_disable_printserver.xml b/RHEL6/inpu=
t/checks/cups_disable_printserver.xml
> index 399eafa..e305170 100644
> --- a/RHEL6/input/checks/cups_disable_printserver.xml
> +++ b/RHEL6/input/checks/cups_disable_printserver.xml
> @@ -1,46 +1,34 @@
>   <def-group>
> -  <definition class=3D"compliance"
> -  id=3D"cups_disable_printserver" version=3D"1">
> +  <definition class=3D"compliance" id=3D"cups_disable_printserver" versi=
on=3D"1">
>       <metadata>
>         <title>Disable Printer Server if Possible</title>
>         <affected family=3D"unix">
>           <platform>Red Hat Enterprise Linux 6</platform>
>         </affected>
> -      <description>By default, locally configured printers will not be s=
hared over the network, but if this functionality has somehow
> -been enabled, these recommendations will disable it again. Be sure to di=
sable outgoing printer list broadcasts, or
> -remote users will still be able to see the locally configured printers, =
even if they cannot actually print to them.
> -To limit print serving to a particular set of users, use the Policy dire=
ctive.
> -</description>
> +      <description>By default, locally configured printers will not be s=
hared over the network, but if this functionality has somehow been enabled,=
 these recommendations will disable it again. Be sure to disable outgoing p=
rinter list broadcasts, or remote users will still be able to see the local=
ly configured printers, even if they cannot actually print to them. To limi=
t print serving to a particular set of users, use the Policy directive.</de=
scription>
> +      <reference source=3D"MED" ref_id=3D"20131119" ref_url=3D"test_atte=
station" />
>       </metadata>
>       <criteria operator=3D"AND">
> -      <criterion comment=3D"Don't use port directive"    test_ref=3D"tes=
t_cups_disable_printserver_disable_port" />
> +      <criterion comment=3D"Don't use port directive" test_ref=3D"test_c=
ups_disable_printserver_disable_port" />
>         <criterion comment=3D"Do use the listen directive" test_ref=3D"te=
st_cups_disable_printserver_use_listen" />
>       </criteria>
>     </definition>
>    =

> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"none_exis=
t"
> -  comment=3D"Disable the more general port directive"
> -  id=3D"test_cups_disable_printserver_disable_port" version=3D"1">
> +  <ind:textfilecontent54_test check=3D"all" check_existence=3D"none_exis=
t" comment=3D"Disable the more general port directive" id=3D"test_cups_disa=
ble_printserver_disable_port" version=3D"1">
>       <ind:object object_ref=3D"obj_cups_disable_printserver_disable_port=
" />
>     </ind:textfilecontent54_test>
>     <ind:textfilecontent54_object id=3D"obj_cups_disable_printserver_disa=
ble_port" version=3D"1">
> -    <ind:path>/etc/cups</ind:path>
> -    <ind:filename>cupsd.conf</ind:filename>
> -    <ind:pattern operation=3D"pattern match">^Port 631$</ind:pattern>
> +    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
> +    <ind:pattern operation=3D"pattern match">Port[\s]+(\d)+</ind:pattern>
>       <ind:instance datatype=3D"int">1</ind:instance>
>     </ind:textfilecontent54_object>
>   =

> -  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist"
> -  comment=3D"Listen only at the localhost level"
> -  id=3D"test_cups_disable_printserver_use_listen" version=3D"1">
> +  <ind:textfilecontent54_test check=3D"all" check_existence=3D"all_exist=
" comment=3D"Listen only at the localhost level" id=3D"test_cups_disable_pr=
intserver_use_listen" version=3D"1">
>       <ind:object object_ref=3D"obj_cups_disable_printserver_use_listen" =
/>
>     </ind:textfilecontent54_test>
>     <ind:textfilecontent54_object id=3D"obj_cups_disable_printserver_use_=
listen" version=3D"1">
> -    <ind:path>/etc/cups</ind:path>
> -    <ind:filename>cupsd.conf</ind:filename>
> -    <ind:pattern operation=3D"pattern match">^Listen localhost:631$</ind=
:pattern>
> +    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
> +    <ind:pattern operation=3D"pattern match">Listen[\s]+(?:localhost|127=
\.0\.0\.1):(\d)+</ind:pattern>
>       <ind:instance datatype=3D"int">1</ind:instance>
>     </ind:textfilecontent54_object>
> -
> -
>   </def-group>

ack

--===============1732472330657087098==--