--- RHEL6/input/services/ssh.xml | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 9069e30..576f9ac 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -8,7 +8,6 @@ implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called <tt>sshd</tt> and provided by the RPM package <tt>openssh-server</tt>.</description>
-<ref disa="1453,877" />
<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
@@ -59,7 +58,6 @@ certain changes should be made to the OpenSSH daemon configuration file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the <tt>sshd_config(5)</tt> man page for more detailed information.</description>
-<ref disa="68,197,888,1632,779,781" />
<Rule id="sshd_allow_only_protocol2" severity="high">
 <title>Allow Only SSH Protocol 2</title>
@@ -82,7 +80,7 @@ should not be used.
 </rationale>
 <ident cce="4325-7" />
 <oval id="sshd_protocol_2" />
-<ref disa="776,774,1135,1436" />
+<ref disa="68,776,774,1135,1436" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -289,7 +287,7 @@ even in the event of misconfiguration elsewhere.
 </rationale>
 <ident cce="3660-8" />
 <oval id="sshd_permitemptypasswords_no" />
-<ref disa="765,766"/>
+<ref disa="197,765,766,877"/>
 <tested by="DS" on="20121024"/>
 </Rule>
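Review bot: The new `<ref disa="197,765,766,877"/>` attaches CCI-197 and CCI-877 to sshd_permitemptypasswords_no, which is a weaker fit than the rules this same patch strengthens: if I read those CCIs correctly, 197 concerns transmitting only encrypted representations of passwords and 877 concerns strong identification and authentication for nonlocal maintenance sessions, both properties of the SSH transport that the sshd_allow_only_protocol2 and sshd_use_approved_ciphers hunks already cover, not of forbidding empty passwords. Unless the placement is deliberate, move them to those rules, or keep them here with a short rationale beside the ref, e.g. `<!-- CCI-197/877: an empty password defeats the encrypted-password and strong-authentication requirements -->`, since this thread already notes that SRG mapping choices need credible explanations. The enclosing Rule element begins outside this hunk.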
@@ -362,7 +360,7 @@ implementation. These are also required for compliance.
 </rationale>
 <ident cce="14491-5" />
 <oval id="sshd_use_approved_ciphers" />
-<ref disa="803,1144,1145,1146,196" />
+<ref disa="779,781,803,888,1144,1145,1146,196,1453,1632" />
 <tested by="DS" on="20121024"/>
 </Rule>
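Review bot: The new disa list `779,781,803,888,1144,1145,1146,196,1453,1632` is not in numeric order (196 sits after 1146), and the same holds for `1069,374` in the integrity.xml install_aide hunk and for the pre-existing `776,774` order kept in the protocol-2 hunk; sorting the identifiers numerically, `<ref disa="196,779,781,803,888,1144,1145,1146,1453,1632" />`, makes the overlapping reference edits this thread anticipates merging far less conflict-prone. Placing 779 and 781 on the cipher rule also deserves a one-line comment, since those CCIs appear to concern device identification and authentication (IA-3) rather than cipher selection, and a reader of the rule cannot reconstruct that reasoning from the ref alone. The enclosing Rule element begins outside this hunk.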
--- RHEL6/input/system/network/iptables.xml | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml
index 40f1746..f929da9 100644
--- a/RHEL6/input/system/network/iptables.xml
+++ b/RHEL6/input/system/network/iptables.xml
@@ -18,7 +18,6 @@ the iptables and ip6tables configurations included with the system. For more complete information that may allow the construction of a sophisticated ruleset tailored to your environment, please consult the references at the end of this section.</description>
-<ref disa="66,86" />
<Group id="iptables_activation">
 <title>Inspect and Activate Default Rules</title>
@@ -60,7 +59,7 @@ capability for IPv6 and ICMPv6.
 </rationale>
 <ident cce="4167-3" />
 <oval id="service_ip6tables_enabled" />
-<ref nist="CM-6, CM-7" disa="66,1115,1118,1092,1117,1098,1100,1097,1123,1124,1414"/>
+<ref nist="CM-6, CM-7" disa="66,86,1115,1118,1092,1117,1098,1100,1097,1123,1124,1414"/>
 <tested by="DS" on="20121024"/>
 </Rule>
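Review bot: CCI-86 is removed from the Group-level ref in the first hunk of this file but re-added only to service_ip6tables_enabled; the corresponding IPv4 iptables rule is not touched by this patch (the diffstat reports a single insertion), so if 86 was meant to apply to both firewall services it now covers IPv6 alone. If the asymmetry is intended, add a short XML comment beside the new ref saying why only the IPv6 rule carries it; otherwise the IPv4 rule needs the same identifier. The enclosing Rule element begins outside this hunk.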
--- .../system/accounts/restrictions/root_logins.xml | 1 - 1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 378fdd9..2d1ea24 100644
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -20,7 +20,6 @@ These are likely to be deprecated in most environments, but may be retained for compatibility. Root should also be prohibited from connecting via network protocols. Other sections of this document include guidance describing how to prevent root from logging in via SSH.</description>
-<ref disa="770" />
<!-- Ensure that the file
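Review bot: `<ref disa="770" />` is deleted from the Group description with no Rule in this file picking it up (the diffstat reports 0 insertions, 1 deletion), so the CCI-770 mapping disappears from root_logins.xml unless another patch in this set re-adds it. Every other file in the set redistributes the removed Group-level identifiers to specific Rules; either attach 770 to the rule it belongs to or state in the commit message that it was dropped on purpose. The trailing context line is an XML comment cut off at the chunk boundary.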
--- RHEL6/input/system/accounts/pam.xml | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml
index ba9a285..b5fc78a 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -40,7 +40,6 @@ files, destroying any manually made changes and replacing them with a series of system defaults. One reference to the configuration file syntax can be found at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-fi....</warning>
-<ref disa="1391,1392" />
<Value id="password_history_retain_number" type="number" operator="equals" interactive="0">
@@ -198,7 +197,7 @@ is different from account lockout, which is provided by the pam_faillock module.
 </rationale>
 <ident cce="15054-0" />
 <oval id="accounts_password_pam_cracklib_retry" value="var_password_pam_cracklib_retry"/>
-<ref nist="IA-5" disa="1092" />
+<ref nist="IA-5" disa="1092,1391,1392" />
 <tested by="DS" on="20121024"/>
 </Rule>
--- RHEL6/input/system/software/updating.xml | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/software/updating.xml b/RHEL6/input/system/software/updating.xml
index 00e44e7..2bd9fa4 100644
--- a/RHEL6/input/system/software/updating.xml
+++ b/RHEL6/input/system/software/updating.xml
@@ -16,7 +16,6 @@ with the Installed Software Catalog to ensure all system metadata is accurate with regard to installed software and security patches, and for this reason, their use is strongly encouraged. </description>
-<ref disa="1233" />
<Rule id="ensure_redhat_gpgkey_installed" severity="high">
 <title>Ensure Red Hat GPG Key Installed</title>
@@ -124,7 +123,7 @@ to determine if the system is missing applicable updates. Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. </rationale>
-<ref nist="SI-2" disa="1227"/>
+<ref nist="SI-2" disa="1227,1233"/>
 <tested by="MM" on="20120928"/>
 </Rule>
 </Group>
--- RHEL6/input/system/software/integrity.xml | 7 +++---- 1 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index 2aa54a2..f22ca0b 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -23,7 +23,6 @@ database should be created immediately after your system is built, and before the system is connected to any network. AIDE is highly configurable, with further configuration information located in <tt>/usr/share/doc/aide-<i>VERSION</i></tt></description>
-<ref disa="374,1069,1297,1589"/>
<Rule id="install_aide" severity="medium">
@@ -40,7 +39,7 @@ The AIDE package must be installed if it is to be available for integrity checki
 </rationale>
 <ident cce="4209-3" />
 <oval id="package_aide_installed" />
-<ref nist="CM-6, CM-7, SC-28, SI-7" disa="1069"/>
+<ref nist="CM-6, CM-7, SC-28, SI-7" disa="1069,374"/>
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -78,7 +77,7 @@ If this check produces any unexpected output, investigate. For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. </rationale>
-<ref nist="SC-28, SI-7" />
+<ref nist="SC-28, SI-7" disa="1589"/>
 </Rule>
<Rule id="aide_periodic_cron_checking" severity="medium">
@@ -189,7 +188,7 @@ by the RPM database. Executables with erroneous hashes could be a sign of nefari
 on the system.</rationale>
 <ident cce="TODO" />
 <oval id="rpm_verify_hashes" />
-<ref nist="SI-7" disa="1496" />
+<ref nist="SI-7" disa="1297,1496" />
 </Rule>
</Group>
Some of the patches in this set may conflict with what I've pushed. If not, feel free to push. If there are conflicts, there may be a need to hand-edit and re-commit.
Also, please use a cover sheet (-s). This is in the wiki with other commit instructions (such as validating before committing).
Let's sync today on some of the remaining TODOs. We'll likely want to focus on providing credible explanations for SRG mapping choices.
Thanks, Jeff
On 12/16/2012 11:38 PM, Michele Newman wrote:
RHEL6/input/services/ssh.xml | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 9069e30..576f9ac 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -8,7 +8,6 @@ implementation included with the system is called OpenSSH, and more detailed documentation is available from its website, http://www.openssh.org. Its server program is called <tt>sshd</tt> and provided by the RPM package <tt>openssh-server</tt>.</description>
-<ref disa="1453,877" />
<Value id="sshd_idle_timeout_value" type="number" operator="equals" interactive="0">
@@ -59,7 +58,6 @@ certain changes should be made to the OpenSSH daemon configuration file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the <tt>sshd_config(5)</tt> man page for more detailed information.</description>
-<ref disa="68,197,888,1632,779,781" />
<Rule id="sshd_allow_only_protocol2" severity="high">
 <title>Allow Only SSH Protocol 2</title>
@@ -82,7 +80,7 @@ should not be used.
 </rationale>
 <ident cce="4325-7" />
 <oval id="sshd_protocol_2" />
-<ref disa="776,774,1135,1436" />
+<ref disa="68,776,774,1135,1436" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -289,7 +287,7 @@ even in the event of misconfiguration elsewhere.
 </rationale>
 <ident cce="3660-8" />
 <oval id="sshd_permitemptypasswords_no" />
-<ref disa="765,766"/>
+<ref disa="197,765,766,877"/>
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -362,7 +360,7 @@ implementation. These are also required for compliance.
 </rationale>
 <ident cce="14491-5" />
 <oval id="sshd_use_approved_ciphers" />
-<ref disa="803,1144,1145,1146,196" />
+<ref disa="779,781,803,888,1144,1145,1146,196,1453,1632" />
 <tested by="DS" on="20121024"/>
 </Rule>