Hi Jeff, ACK.
This is EXACTLY what I was talking to Shawn about a few weeks ago - great job!
Looks good.
Thanks,
MM
On 09/13/2012 03:54 PM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
 RHEL6/input/services/dns.xml              | 1 +
 RHEL6/input/services/obsolete.xml         | 5 +++++
 RHEL6/input/system/software/integrity.xml | 1 +
 3 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 717c3b7..4ee17bb 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -37,6 +37,7 @@ implementation flaws and should be disabled if possible. run the following command:
<pre># yum erase bind</pre>
</description> +<ocil><package-remove-macro package="package_bind_removed" /> </ocil> <rationale> If there is no need to make DNS server software available, removing it provides a safeguard against its activation. diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 91d7884..874d27e 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -45,6 +45,7 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> +<ocil><package-remove-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. @@ -84,6 +85,7 @@ subject to man-in-the-middle attacks. <description>The <tt>telnet-server</tt> package can be uninstalled with the following command: <pre># yum erase telnet-server</pre></description> +<ocil><package-remove-macro package="telnet-server" /> </ocil> <rationale> Removing the <tt>telnet-server</tt> package decreases the risk of the telnet service's accidental (or intentional) activation. @@ -107,6 +109,7 @@ model.</description> the following command: <pre># yum erase rsh-server</pre> </description> +<ocil><package-remove-macro package="rsh-server" /> </ocil> <rationale>The <tt>rsh-server</tt> package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) @@ -197,6 +200,7 @@ important authentication information.</description> the following command: <pre># yum erase ypserv</pre> </description> +<ocil><package-remove-macro package="ypserv" /> </ocil> <rationale>Removing the <tt>ypserv</tt> package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services. </rationale> 
@@ -252,6 +256,7 @@ as a tftp server, which does not provide encryption or authentication. command: <pre># yum erase tftp-server</pre> </description> +<ocil><package-remove-macro package="tftp-server" /> </ocil> <rationale> Removing the <tt>tftp-server</tt> package decreases the risk of the accidental (or intentional) activation of tftp services. diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index c31087d..6c24ce9 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -31,6 +31,7 @@ configurable, with further configuration information located in Install the AIDE package with the command: <pre># yum install aide</pre> </description> +<ocil><package-check-macro package="aide"/></ocil> <rationale> The AIDE package must be installed if it is to be available for integrity checking. </rationale>
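Review bot: in the dns.xml hunk the macro is given package="package_bind_removed", whereas every other hunk in this patch passes the bare package name (xinetd, telnet-server, rsh-server, ypserv, tftp-server, aide) and the description just above it erases bind. The value looks like a check identifier rather than a package name. If the macro substitutes the attribute into the package query shown to the assessor, the generated OCIL text would name a package that does not exist, and the manual check for this rule could not be followed as written. Suggest package="bind" here.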
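Review bot: in the integrity.xml hunk the added line is written as <package-check-macro package="aide"/></ocil>, with no space before "/>" or before the closing </ocil>, while the six package-remove-macro lines in dns.xml and obsolete.xml use " />" followed by " </ocil>". Pick one spacing and use it for all seven lines so later additions have a single pattern to copy. This is also the only hunk that uses package-check-macro rather than package-remove-macro; that fits a rule whose description says to install AIDE, but it is worth confirming that the expanded text asks the assessor to verify the package is installed, since the other six checks pass when the package is absent.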