On 7/25/12 1:16 PM, Kevin Spargur wrote:
---
.../checks/package_qpid-cpp-server_removed.xml | 26 +++++
RHEL6/input/checks/service_qpidd_disabled.xml | 100 ++++++++++++++++++++
RHEL6/input/services/base.xml | 17 ++++
3 files changed, 143 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/package_qpid-cpp-server_removed.xml
create mode 100644 RHEL6/input/checks/service_qpidd_disabled.xml
diff --git a/RHEL6/input/checks/package_qpid-cpp-server_removed.xml
b/RHEL6/input/checks/package_qpid-cpp-server_removed.xml
new file mode 100644
index 0000000..9cdfe2e
--- /dev/null
+++ b/RHEL6/input/checks/package_qpid-cpp-server_removed.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="inventory"
id="package_qpid-cpp-server_removed"
+ version="1">
+ <metadata>
+ <title>Package qpid-cpp-server Removed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="4514-6 " source="CCE" />
+ <description>The RPM package qpid-cpp-server should be
removed.</description>
+ <!--This package provides the qpidd service-->
+ </metadata>
+ <criteria>
+ <criterion comment="package qpid-cpp-server is removed"
+ test_ref="test_package_qpid-cpp-server_removed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="none_exist"
+ id="test_package_qpid-cpp-server_removed" version="1"
+ comment="package qpid-cpp-server is removed">
+ <linux:object object_ref="obj_package_qpid-cpp-server" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_qpid-cpp-server"
version="1">
+ <linux:name>qpid-cpp-server</linux:name>
+ </linux:rpminfo_object>
+</def-group>
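Review bot: The CCE identifier on the `<reference>` line carries a trailing space, `ref_id="4514-6 "`, so any exact-match lookup of the CCE, or a comparison against the `cce=` ident of the XCCDF rule that extends this definition, will miss it; it should read `<reference ref_id="4514-6" source="CCE" />`. The rest of the definition is the usual removed-package shape (`rpminfo_test` with `check_existence="none_exist"` against a single `rpminfo_object`), so nothing else to flag there. The bare `<!--This package provides the qpidd service-->` comment inside `<metadata>` would read better if it stated why the inventory check exists, e.g. `<!-- qpid-cpp-server installs the qpidd service; package removal is one way to satisfy service_qpidd_disabled -->`.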
diff --git a/RHEL6/input/checks/service_qpidd_disabled.xml
b/RHEL6/input/checks/service_qpidd_disabled.xml
new file mode 100644
index 0000000..fa9004b
--- /dev/null
+++ b/RHEL6/input/checks/service_qpidd_disabled.xml
@@ -0,0 +1,100 @@
+<def-group>
+ <definition class="compliance" id="service_qpidd_disabled"
+ version="1">
+ <metadata>
+ <title>Service qpidd Disabled</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="4338-0" source="CCE" />
+ <description>The qpidd service should be disabled if
possible.</description>
+ <!--qpidd service is installed by the qpid-cpp-server rpm-->
+ </metadata>
+ <criteria comment="package qpidd removed or service qpidd is not configured
to start" operator="OR">
+ <extend_definition comment="qpidd removed"
definition_ref="package_qpid-cpp-server_removed" />
+ <criteria operator="AND" comment="service qpidd is not configured
to start">
+ <criterion comment="qpidd runlevel 0"
test_ref="test_runlevel0_qpidd" />
+ <criterion comment="qpidd runlevel 1"
test_ref="test_runlevel1_qpidd" />
+ <criterion comment="qpidd runlevel 2"
test_ref="test_runlevel2_qpidd" />
+ <criterion comment="qpidd runlevel 3"
test_ref="test_runlevel3_qpidd" />
+ <criterion comment="qpidd runlevel 4"
test_ref="test_runlevel4_qpidd" />
+ <criterion comment="qpidd runlevel 5"
test_ref="test_runlevel5_qpidd" />
+ <criterion comment="qpidd runlevel 6"
test_ref="test_runlevel6_qpidd" />
+ </criteria>
+ </criteria>
+ </definition>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel0_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel0_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel1_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel1_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel2_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel2_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel3_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel3_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel4_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel4_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel5_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel5_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_test check="all" check_existence="any_exist"
+ comment="Runlevel test" id="test_runlevel6_qpidd"
+ version="2">
+ <unix:object object_ref="obj_runlevel6_qpidd" />
+ <unix:state state_ref="state_service_qpidd_off" />
+ </unix:runlevel_test>
+ <unix:runlevel_object id="obj_runlevel0_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">0</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel1_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">1</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel2_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">2</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel3_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">3</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel4_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">4</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel5_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">5</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_object id="obj_runlevel6_qpidd" version="1">
+ <unix:service_name>qpidd</unix:service_name>
+ <unix:runlevel operation="equals">6</unix:runlevel>
+ </unix:runlevel_object>
+ <unix:runlevel_state comment="not configured to start"
id="state_service_qpidd_off" version="1">
+ <unix:start datatype="boolean">false</unix:start>
+ <unix:kill datatype="boolean">true</unix:kill>
+ </unix:runlevel_state>
+</def-group>
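Review bot: The CCE identifier here does not agree with the XCCDF rule this OVAL backs: the definition metadata references `ref_id="4338-0"`, while the `service_qpidd_disabled` Rule added to base.xml in the same patch carries `<ident cce="3854-7" />`; one of the two is presumably a copy-paste slip and they should be reconciled before the CCE mapping is published. Separately, all seven `unix:runlevel_test` elements share the generic `comment="Runlevel test"`, which makes per-runlevel results hard to read in a scan report; a per-test comment such as `comment="qpidd not configured to start in runlevel 0"` would match the style of the criterion comments in the definition. Each test also uses `check_existence="any_exist"`, so on a host where qpid-cpp-server is installed but qpidd has no chkconfig entry the runlevel object collects no items and the AND branch evaluates false rather than passing, and the OR with the package-removed definition does not cover that case; worth confirming that outcome is intended.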
diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml
index 38eb46d..4699c2a 100644
--- a/RHEL6/input/services/base.xml
+++ b/RHEL6/input/services/base.xml
@@ -312,6 +312,23 @@ records.</rationale>
<ref nist="AU-12, CM-6" />
</Rule>
+<Rule id="service_qpidd_disabled">
+<title>Disable Apache Qpid (qpidd)</title>
+<description>The <tt>qpidd</tt> service provides high speed, secure,
+guaranteed delivery services. It is an implementation of the Advanced Message
+Queuing Protocol. By default the qpidd service will bind to port 5672 and
+listen for connection attempts.
+<service-disable-macro service="qpidd" />
+</description>
+<rationale>The qpidd service is automatically installed when the "base"
+package selection is selected during installation. The qpidd service listens
+for network connections which increases the attack surface of the system. If
+the system is not intended to receive AMQP traffic then the <tt>qpidd</tt>
+service is not needed and should be disabled or removed.</rationale>
+<ident cce="3854-7" />
+<oval id="service_qpidd_disabled" />
+<ref nist="CM-6, CM-7" disa="384" />
+</Rule>
<Rule id="service_quota_nld_disabled">
<title>Disable Quota Netlink (quota_nld)</title>
Ack. Technically we don't have requirements against CCI384, but the
mapping makes sense.