On 11/19/13, 11:21 AM, Maura Dailey wrote:
Signed-off-by: Maura Dailey <maura(a)eclipse.ncsc.mil>
---
RHEL6/input/checks/cups_disable_browsing.xml | 47 ++++++++++++-----------
RHEL6/input/checks/cups_disable_printserver.xml | 32 +++++-----------
2 files changed, 35 insertions(+), 44 deletions(-)
diff --git a/RHEL6/input/checks/cups_disable_browsing.xml
b/RHEL6/input/checks/cups_disable_browsing.xml
index 6b6d54e..cadd68a 100644
--- a/RHEL6/input/checks/cups_disable_browsing.xml
+++ b/RHEL6/input/checks/cups_disable_browsing.xml
@@ -1,42 +1,45 @@
<def-group>
- <definition class="compliance"
- id="cups_disable_browsing" version="1">
+ <definition class="compliance" id="cups_disable_browsing"
version="1">
<metadata>
<title>Disable Printer Browsing Entirely if Possible</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>The CUPS print service can be configured to broadcast a list of
available printers to the network. Other machines on the network, also running the CUPS
print service, can be configured to listen to these broadcasts and add and configure these
printers for immediate use. By disabling this browsing capability, the machine will no
longer generate or receive such broadcasts.</description>
+ <description>The CUPS print service can be configured to broadcast a list
+ of available printers to the network. Other machines on the network, also
+ running the CUPS print service, can be configured to listen to these
+ broadcasts and add and configure these printers for immediate use. By
+ disabling this browsing capability, the machine will no longer generate
+ or receive such broadcasts.</description>
+ <reference source="MED" ref_id="20131119"
ref_url="test_attestation" />
</metadata>
<criteria operator="AND">
- <criterion comment="Protect browsing_off"
test_ref="test_cups_disable_browsing_browsing_off" />
- <criterion comment="Protect browsingallow"
test_ref="test_cups_disable_browsing_browsingallow" />
+ <criterion comment="Ensure remote printer browsing is off"
+ test_ref="test_cups_disable_browsing_browsing_off" />
+ <criterion comment="Ensure no incoming printer information packets are
allowed"
+ test_ref="test_cups_disable_browsing_browseallow"
negate="true" />
</criteria>
</definition>
-
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Disable Browsing"
- id="test_cups_disable_browsing_browsing_off" version="1">
+
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist"
+ comment="Disable Browsing"
id="test_cups_disable_browsing_browsing_off"
+ version="1">
<ind:object object_ref="obj_cups_disable_browsing_browsing_off" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object
id="obj_cups_disable_browsing_browsing_off" version="1">
- <ind:path>/etc/cups</ind:path>
- <ind:filename>cupsd.conf</ind:filename>
- <ind:pattern operation="pattern match">Browsing
Off</ind:pattern>
+ <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">Browsing[\s]+(?:Off|No)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Do not allow for browsing"
- id="test_cups_disable_browsing_browsingallow" version="1">
- <ind:object object_ref="obj_cups_disable_browsing_browsingallow" />
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist"
+ comment="Do not allow incoming printer information packets"
+ id="test_cups_disable_browsing_browseallow" version="1">
+ <ind:object object_ref="obj_cups_disable_browsing_browseallow" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_cups_disable_browsing_browsingallow" version="1">
- <ind:path>/etc/cups</ind:path>
- <ind:filename>cupsd.conf</ind:filename>
- <ind:pattern operation="pattern match">BrowseAllow
none</ind:pattern>
+ <ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow"
version="1">
+ <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">BrowseAllow[\s]+(?!none)</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
-
-
</def-group>
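Review bot: Both new patterns in this hunk are unanchored, so `BrowseAllow[\s]+(?!none)` also matches a commented-out line such as `#BrowseAllow all`, making the negated criterion fail a host whose only active directive is `BrowseAllow none`, and `Browsing[\s]+(?:Off|No)` accepts a commented `#Browsing Off` as compliance. Anchoring to the start of the line, e.g. `^[\s]*Browsing[\s]+(?:Off|No)[\s]*$` and `^[\s]*BrowseAllow[\s]+(?!none[\s]*$)`, restricts the match to active directives; textfilecontent54 patterns are normally evaluated per line, so `^`/`$` should behave as intended, but worth confirming against the OVAL interpreter in use. cupsd directive names and keyword values are case-insensitive, so a `(?i)` prefix (or explicit character classes) would avoid missing `browsing off`. The `(?!none)` lookahead also rejects values that merely begin with `none`, so the trailing `[\s]*$` inside the lookahead keeps the exemption exact.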
diff --git a/RHEL6/input/checks/cups_disable_printserver.xml
b/RHEL6/input/checks/cups_disable_printserver.xml
index 399eafa..e305170 100644
--- a/RHEL6/input/checks/cups_disable_printserver.xml
+++ b/RHEL6/input/checks/cups_disable_printserver.xml
@@ -1,46 +1,34 @@
<def-group>
- <definition class="compliance"
- id="cups_disable_printserver" version="1">
+ <definition class="compliance" id="cups_disable_printserver"
version="1">
<metadata>
<title>Disable Printer Server if Possible</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
- <description>By default, locally configured printers will not be shared over
the network, but if this functionality has somehow
-been enabled, these recommendations will disable it again. Be sure to disable outgoing
printer list broadcasts, or
-remote users will still be able to see the locally configured printers, even if they
cannot actually print to them.
-To limit print serving to a particular set of users, use the Policy directive.
-</description>
+ <description>By default, locally configured printers will not be shared over
the network, but if this functionality has somehow been enabled, these recommendations
will disable it again. Be sure to disable outgoing printer list broadcasts, or remote
users will still be able to see the locally configured printers, even if they cannot
actually print to them. To limit print serving to a particular set of users, use the
Policy directive.</description>
+ <reference source="MED" ref_id="20131119"
ref_url="test_attestation" />
</metadata>
<criteria operator="AND">
- <criterion comment="Don't use port directive"
test_ref="test_cups_disable_printserver_disable_port" />
+ <criterion comment="Don't use port directive"
test_ref="test_cups_disable_printserver_disable_port" />
<criterion comment="Do use the listen directive"
test_ref="test_cups_disable_printserver_use_listen" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all"
check_existence="none_exist"
- comment="Disable the more general port directive"
- id="test_cups_disable_printserver_disable_port" version="1">
+ <ind:textfilecontent54_test check="all"
check_existence="none_exist" comment="Disable the more general port
directive" id="test_cups_disable_printserver_disable_port"
version="1">
<ind:object object_ref="obj_cups_disable_printserver_disable_port"
/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object
id="obj_cups_disable_printserver_disable_port" version="1">
- <ind:path>/etc/cups</ind:path>
- <ind:filename>cupsd.conf</ind:filename>
- <ind:pattern operation="pattern match">^Port
631$</ind:pattern>
+ <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">Port[\s]+(\d)+</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Listen only at the localhost level"
- id="test_cups_disable_printserver_use_listen" version="1">
+ <ind:textfilecontent54_test check="all"
check_existence="all_exist" comment="Listen only at the localhost
level" id="test_cups_disable_printserver_use_listen"
version="1">
<ind:object object_ref="obj_cups_disable_printserver_use_listen"
/>
</ind:textfilecontent54_test>
<ind:textfilecontent54_object
id="obj_cups_disable_printserver_use_listen" version="1">
- <ind:path>/etc/cups</ind:path>
- <ind:filename>cupsd.conf</ind:filename>
- <ind:pattern operation="pattern match">^Listen
localhost:631$</ind:pattern>
+ <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+ <ind:pattern operation="pattern
match">Listen[\s]+(?:localhost|127\.0\.0\.1):(\d)+</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
-
-
</def-group>
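Review bot: The new `test_cups_disable_printserver_use_listen` test only proves that a loopback `Listen` line exists; a cupsd.conf that also contains `Listen 0.0.0.0:631` or `Listen *:631` still passes, so the definition does not establish that the print server is unreachable from the network. A third, `none_exist` test over the same file for a `Listen` directive whose address is neither loopback nor a local socket path (`/var/run/cups/cups.sock` is the stock RHEL 6 entry) would close that gap, as sketched below; if IPv6 loopback is in use, its bracketed form needs adding to the exemption. Separately, `Port[\s]+(\d)+` is not anchored, so the `none_exist` test also fires on the unrelated `BrowsePort 631` directive and on a commented `#Port 631`; `^[\s]*Port[\s]+\d+` (with the same `^[\s]*` anchoring on the Listen patterns) keeps it to active `Port` lines. `(\d)+` captures a single digit repeatedly and `\d+` is the intended form.

```xml
<criteria operator="AND">
  <!-- … unchanged: disable_port and use_listen criteria … -->
  <criterion comment="No Listen directive bound to a network-reachable address"
    test_ref="test_cups_disable_printserver_listen_nonlocal" />
</criteria>
<!-- … unchanged: existing disable_port and use_listen tests and objects … -->
<ind:textfilecontent54_test check="all" check_existence="none_exist"
  comment="Listen only on loopback or a local socket"
  id="test_cups_disable_printserver_listen_nonlocal" version="1">
  <ind:object object_ref="obj_cups_disable_printserver_listen_nonlocal" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_cups_disable_printserver_listen_nonlocal"
  version="1">
  <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
  <!-- any active Listen whose address is not loopback and not a socket path -->
  <ind:pattern operation="pattern match">^[\s]*Listen[\s]+(?!localhost|127\.0\.0\.1|/)</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
```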
ack