Signed-off-by: David Smith <dsmith@eclipse.ncsc.mil> --- RHEL6/input/system/network/iptables.xml | 12 ++++++------ 1 files changed, 6 insertions(+), 6 deletions(-) diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index dc3a584..31237b7 100644 --- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -161,7 +161,7 @@ accepted.</rationale> <ref nist="AC-4, CM-6" disa="1109" /> </Rule> -<Rule id="iptables_icmp_disabled"> +<Group id="iptables_icmp_disabled"> <title>Restrict ICMP Message Types</title> <description>In <tt>/etc/sysconfig/iptables</tt>, the accepted ICMP messages types can be restricted. To accept only ICMP echo reply, destination unreachable, and time exceeded messages, remove the line:<br /> <pre>-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT</pre> @@ -179,14 +179,14 @@ If you are going to statically configure the machine’s address, it should igno could add another IPv6 address to the interface or alter important network settings: <pre>-A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</pre> </description> +<ref nist="AC-4, CM-6" /> <rationale>Restricting other ICMPv6 message types in <tt>/etc/sysconfig/ip6tables</tt> is not recommended because the oper- ation of IPv6 depends heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</rationale> <!--<ident cce="14264-6" />--> -<oval id="iptables_icmp_disabled" /> -<ref nist="AC-4, CM-6" /> -</Rule> +<!--<oval id="iptables_icmp_disabled" />--> +</Group> -<Rule id="iptables_log_and_drop_suspicious"> +<Group id="iptables_log_and_drop_suspicious"> <title>Log and Drop Packets with Suspicious Source Addresses</title> <description>Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the modified policy will reject non-matching packets, you only need to add these rules if you are interested in also 
@@ -232,7 +232,7 @@ The following rule will log all traffic originating from a site-local address, w <!--<ident cce="14264-6" />--> <!--MANUAL<oval id="iptables_log_and_drop_suspicious" />--> <ref nist="AC-4, AC-17, CM-6" /> -</Rule> +</Group> </Group><!--<Group id="ruleset_modifications">--> </Group><!--<Group id="network-iptables">-->
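Review bot: In the first hunk (@@ -161), `<Rule id="iptables_icmp_disabled">` becomes `<Group id="iptables_icmp_disabled">` while keeping the same id, but the description that follows is still written as an actionable rule ("remove the line: ... -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT"). In XCCDF, Rule and Group ids share one item id space, so any profile or selector that previously referenced `iptables_icmp_disabled` as a rule will now resolve to a group; please grep the profiles for that idref and either update them or state in the commit message that the id is intentionally reused for a now non-checkable group.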
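Review bot: In the second hunk (@@ -179), the `<ref nist="AC-4, CM-6" />` is moved from after `<rationale>` to before it, and the OVAL reference is commented out (`<!--<oval id="iptables_icmp_disabled" />-->`) rather than deleted. Two things to check: that the build's transform accepts `<ref>` and `<rationale>` as children of `<Group>` in this position (the other Group in the file only shows `<title>`), and that leaving a commented-out `<oval>` with the same id does not leave an orphaned OVAL definition in the checks tree. A one-line note in the commit message explaining why `iptables_icmp_disabled` and `iptables_log_and_drop_suspicious` are being demoted from Rule to Group (presumably because their content is advisory and not automatically checkable) would make the intent clear; the current message carries only the Signed-off-by.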
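Review bot: In the third hunk (@@ -232), the closing `</Rule>` for `iptables_log_and_drop_suspicious` becomes `</Group>`, which is consistent with the opening tag changed in the previous hunk, and the trailing `<!--MANUAL<oval id="iptables_log_and_drop_suspicious" />-->` shows this check was already marked manual. Since the result is now a `<Group>` nested inside `ruleset_modifications` and `network-iptables`, the `<ref nist="AC-4, AC-17, CM-6" />` kept here sits after `<description>` and the commented-out oval, whereas in the previous hunk the `<ref>` was moved before `<rationale>`; pick one ordering for both converted groups so the file stays consistent.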
_______________________________________________ scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide