Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
rhel6/src/input/profiles/common.xml | 22 ++++++++++++++--------
rhel6/src/input/profiles/test.xml | 20 +++++++++++++++++++-
2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml
index 07799c7..ba6add5 100644
--- a/rhel6/src/input/profiles/common.xml
+++ b/rhel6/src/input/profiles/common.xml
@@ -12,7 +12,7 @@
<select idref="ensure_gpgcheck_globally_activated"
selected="true"/>
<select idref="ensure_gpgcheck_never_disabled"
selected="true"/>
<select idref="install_aide" selected="true"/>
-<select idref="rpm_verify_permissions" selected="true"/>
+<!--<select idref="rpm_verify_permissions"
selected="true"/>-->
<select idref="enable_selinux_bootloader" selected="true"/>
<select idref="no_rsh_trust_files" selected="true"/>
<select idref="set_selinux_state" selected="true"/>
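Review bot: `rpm_verify_permissions` is commented out at the `+<!--<select idref="rpm_verify_permissions"` line with no record of why, so a later reader cannot tell whether the control is broken, noisy, or deliberately dropped from the common baseline. The NFS block later in this file (hunk at -134) shows the pattern to follow: a one-line rationale inside the comment, e.g. `<!-- rpm_verify_permissions: removed from common, reason: TODO -->`. Since this is an XML comment, whatever rationale goes inside must not contain `--`.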
@@ -83,11 +83,10 @@
<select idref="enable_auditd_service" selected="true"/>
<select idref="enable_auditd_bootloader" selected="true"/>
-<select idref="configure_auditd_max_log_size"
selected="true"/>
-<select idref="configure_auditd_action_mail_acct"
selected="true"/>
-<select idref="configure_auditd_space_left_action"
selected="true"/>
-<select idref="configure_auditd_admin_space_left_action"
selected="true"/>
+<select idref="configure_auditd_num_logs" selected="true"/>
+<select idref="configure_auditd_max_log_file"
selected="true"/>
<select idref="configure_auditd_max_log_file_action"
selected="true"/>
+<select idref="configure_auditd_admin_space_left_action"
selected="true"/>
<select idref="audit_time_rules" selected="true"/>
<select idref="audit_account_changes" selected="true"/>
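Review bot: The removed `configure_auditd_space_left_action` and `configure_auditd_action_mail_acct` selects are not re-added anywhere in this file, so the common profile no longer checks what auditd does when disk space runs low or whom it notifies; the hunk at -98 likewise drops `audit_config_immutable`. These are the controls that protect the audit trail itself, so if the removal is intentional it deserves the same in-file rationale the NFS block gets (hunk at -134), e.g. `<!-- space_left_action / action_mail_acct not in common: REASON-TODO; selected in test.xml -->`; if it is not intentional, the two selects should stay alongside the new `configure_auditd_num_logs`. Note also that `configure_auditd_admin_space_left_action` is removed and re-added unchanged, which is reorder noise that makes the real removals harder to spot.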
@@ -98,10 +97,9 @@
<select idref="audit_privileged_commands" selected="true"/>
<select idref="audit_media_exports" selected="true"/>
<select idref="audit_file_deletions" selected="true"/>
-
<select idref="audit_sysadmin_actions" selected="true"/>
<select idref="audit_kernel_module_loading" selected="true"/>
-<select idref="audit_config_immutable" selected="true"/>
+
<select idref="disable_xinetd" selected="true"/>
<select idref="uninstall_xinetd" selected="true"/>
<select idref="uninstall_telnet_server" selected="true"/>
@@ -134,11 +132,13 @@
<select idref="postfix_network_listening" selected="true"/>
<select idref="ldap_client_tls_checkpeer" selected="true"/>
<select idref="package_openldap-servers_removed"
selected="true"/>
+<!-- acting as an NFS client is normal for many roles.
+these should likely be moved out of common.
<select idref="service_nfslock_disabled" selected="true"/>
<select idref="service_rpcgssd_disabled" selected="true"/>
<select idref="service_rpcidmapd_disabled" selected="true"/>
<select idref="service_netfs_disabled" selected="true"/>
-<select idref="service_rpcbind_disabled" selected="true"/>
+<select idref="service_rpcbind_disabled"
selected="true"/>-->
<select idref="service_nfs_disabled" selected="true"/>
<select idref="service_rpcsvcgssd_disabled" selected="true"/>
<select idref="use_nodev_option_on_nfs_mounts"
selected="true"/>
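Review bot: The new comment explains why the five client-side NFS selects are disabled but says nothing about `service_nfs_disabled` and `service_rpcsvcgssd_disabled`, which remain active immediately after the `-->`, so a reader may assume they were overlooked. One more sentence inside the comment, `server-side daemons (nfs, rpcsvcgssd) stay disabled below.`, would make the split deliberate; I read those two as the server-side services, confirm against the rule definitions. The comment text must stay free of `--`, which it currently is.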
@@ -194,6 +194,12 @@
<!-- SELinux state -->
<refine-value idref="var_selinux_policy_name"
selector="targeted"/>
<!-- SELinux policy -->
+
+<refine-value idref="var_auditd_num_logs" selector="5"/>
+<refine-value idref="var_auditd_max_log_file" selector="6"/>
+<refine-value idref="var_auditd_max_log_file_action"
selector="rotate"/>
+<refine-value idref="var_auditd_admin_space_left_action"
selector="single"/>
+
<refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value"
selector="disabled"/>
<!-- net.ipv4.conf.all.accept_source_route -->
<refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value"
selector="disabled"/>
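Review bot: The four new `refine-value` entries break the file's convention, visible on the surrounding lines, of a trailing `<!-- ... -->` label naming the setting each value configures (`<!-- SELinux policy -->`, `<!-- net.ipv4.conf.all.accept_source_route -->`); add e.g. `<!-- auditd num_logs -->` after each so the block reads like the rest. Separately, `max_log_file_action` = `rotate` with `num_logs` = `5` and `max_log_file` = `6` means, as I understand auditd's rotation, that only the newest five 6 MB files are retained and older records are overwritten. Since the common profile no longer selects `space_left_action` (hunk at -83), nothing here governs behaviour when the partition itself fills; worth confirming that this retention is acceptable for the common baseline.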
diff --git a/rhel6/src/input/profiles/test.xml b/rhel6/src/input/profiles/test.xml
index 87ad1c3..8d3761a 100644
--- a/rhel6/src/input/profiles/test.xml
+++ b/rhel6/src/input/profiles/test.xml
@@ -1,7 +1,7 @@
<Profile id="test"
xmlns="http://checklists.nist.gov/xccdf/1.1"
>
<title>test</title>
<description>This profile is for testing.</description>
-
+<!--
<select idref="password_min_len" selected="true"/>
<select idref="password_min_age" selected="true"/>
<select idref="password_max_age" selected="true"/>
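Review bot: The `<!--` opened on the added `+<!--` line is not closed in this hunk; the matching `-->` is the first added line of the next hunk, so roughly twenty lines of test.xml not shown in the diff are now inside one XML comment. A comment cannot nest and cannot contain `--`, so if any of those hidden lines already carries a `<!-- ... -->` label of the kind common.xml uses (`<!-- SELinux state -->`), the file stops being well-formed and the profile will fail to parse; please run `xmllint --noout rhel6/src/input/profiles/test.xml` on the result. Commenting the block out also drops the password and SELinux checks from the test profile, so if that is temporary a marker such as `<!-- TEMP:` would help the next reader.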
@@ -26,6 +26,24 @@
<refine-value idref="var_selinux_state_name"
selector="enforcing"/>
<refine-value idref="var_password_pam_cracklib_dcredit"
selector="1"/>
<refine-value idref="inactivity_timeout_value"
selector="10_minutes"/>
+-->
+
+
+
+<select idref="configure_auditd_num_logs" selected="true"/>
+<select idref="configure_auditd_max_log_file"
selected="true"/>
+<select idref="configure_auditd_action_mail_acct"
selected="true"/>
+<select idref="configure_auditd_space_left_action"
selected="true"/>
+<select idref="configure_auditd_admin_space_left_action"
selected="true"/>
+<select idref="configure_auditd_max_log_file_action"
selected="true"/>
+
+<refine-value idref="var_auditd_num_logs" selector="5"/>
+<refine-value idref="var_auditd_max_log_file" selector="6"/>
+<refine-value idref="var_auditd_max_log_file_action"
selector="rotate"/>
+<refine-value idref="var_auditd_space_left_action"
selector="syslog"/>
+<refine-value idref="var_auditd_admin_space_left_action"
selector="single"/>
+<refine-value idref="var_auditd_action_mail_acct"
selector="root"/>
+
<refine-value idref="var_password_min_len" selector="12"/>
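Review bot: `var_auditd_space_left_action` and `var_auditd_action_mail_acct` get values only here in test.xml, while the companion hunk in common.xml (at -83) removes the selects for those two rules and adds refine-values for the other four auditd variables; a comment on these two lines, e.g. `<!-- space_left_action / action_mail_acct: not in common.xml, exercised here only -->`, would record that the asymmetry is intended. The three consecutive blank lines added after `-->` are whitespace noise and one would do.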
--
1.7.1