1) there were two Rules in mounting.xml which didn't belong there, and appeared elsewhere -- those were removed 2) a number of additional CCEs have been assigned 3) some minor cosmetic changes to session.xml
David Smith (4): added CCE IDs removed duplicate Rules minor touchups added CCE IDs
RHEL6/input/services/http.xml | 4 +- RHEL6/input/services/imap.xml | 6 ++-- RHEL6/input/services/mail.xml | 1 + RHEL6/input/system/accounts/session.xml | 4 +- RHEL6/input/system/network/ipsec.xml | 2 +- RHEL6/input/system/permissions/mounting.xml | 39 --------------------------- 6 files changed, 9 insertions(+), 47 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/services/imap.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/services/imap.xml b/RHEL6/input/services/imap.xml index bbd7666..9731443 100644 --- a/RHEL6/input/services/imap.xml +++ b/RHEL6/input/services/imap.xml @@ -106,7 +106,7 @@ protecting user credentials, mail as it is downloaded, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server. </rationale> -<!-- <ident cce="27039-7" /> --> +<ident cce="27571-9" /> <oval id="dovecot_enable_ssl" /> </Rule>
@@ -127,7 +127,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. </rationale> -<!-- <ident cce="CCD:TODO" /> --> +<ident cce="27459-7" /> <!-- <oval id="dovecot_configure_ssl_cert" /> --> </Rule>
@@ -148,7 +148,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network. </rationale> -<!-- <ident cce="CCE:TODO" /> --> +<ident cce="27633-7" /> <!-- <oval id="dovecot_configure_ssl_key" /> --> </Rule>
looks good.
these are fine as a Rules though two are howto-ish; i suppose any automated check would simply see that the file used as a cert actually exists.
On 04/30/2013 04:21 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/services/imap.xml | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/services/imap.xml b/RHEL6/input/services/imap.xml index bbd7666..9731443 100644 --- a/RHEL6/input/services/imap.xml +++ b/RHEL6/input/services/imap.xml @@ -106,7 +106,7 @@ protecting user credentials, mail as it is downloaded, and clients may use SSL certificates to authenticate the server, preventing another system from impersonating the server.
</rationale> -<!-- <ident cce="27039-7" /> --> +<ident cce="27571-9" /> <oval id="dovecot_enable_ssl" /> </Rule>
@@ -127,7 +127,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
</rationale> -<!-- <ident cce="CCD:TODO" /> --> +<ident cce="27459-7" /> <!-- <oval id="dovecot_configure_ssl_cert" /> --> </Rule>
@@ -148,7 +148,7 @@ Not using SSL to encrypt mail server traffic could allow unauthorized access to credentials and mail messages since they are sent in plain text over the network.
</rationale> -<!-- <ident cce="CCE:TODO" /> --> +<ident cce="27633-7" /> <!-- <oval id="dovecot_configure_ssl_key" /> --> </Rule>
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/permissions/mounting.xml | 39 --------------------------- 1 files changed, 0 insertions(+), 39 deletions(-)
diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index 683a2f6..60ff0a3 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -19,45 +19,6 @@ Use caution when enabling any such facility, and find out whether better configuration management or user education might solve the same problem with less risk.</description>
-<Rule id="console_device_restrict_access_desktop"> -<title>Restrict Console Device Access to Desktop Workstations</title> -<description>If the display manager has been altered to allow remote users to -log in and the host is configured to run at runlevel 5, change console as well -as the xconsole directive in the <tt>/etc/security/console.perms</tt> to the -following: -<pre><console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0.[0-9] :0 -<xconsole>=:0.[0-9] :0</pre></description> -<rationale>When a user logs in, the module pam_console.so called via the -command login, or by some of the graphics program of logging, such as gdm, kdm, -and xdm. If this user is the first to log into the physical console -- called the console user - the user module assures the mastery of a wide -variety of devices normally belong to root. Administrative privileges should be -limited for non-root users. Review the man page for <tt>pam_console</tt> for -more information</rationale> -<ident cce="27192-4" /> -<oval id="console_device_restrict_access_desktop" /> -<ref nist="" /> -</Rule> - -<Rule id="console_device_restrict_access_server"> -<title>Restrict Console Device Access to Servers</title> -<description>If the display manager has been altered to allow remote users to -log in and the host is configured to run at runlevel 5, change console as well -as the xconsole directive in the <tt>/etc/security/console.perms</tt> to the -following: -<pre><console>=tty[0-9][0-9]* vc/[0-9][0-9]*</pre></description> -<rationale>When a user logs in, the module pam_console.so called via the -command login, or by some of the graphics program of logging, such as gdm, kdm, -and xdm. If this user is the first to log into the physical console -- called the console user - the user module assures the mastery of a wide -variety of devices normally belong to root. Administrative privileges should be -limited for non-root users. Review the man page for <tt>pam_console</tt> for -more information</rationale> -<ident cce="26892-0" /> -<oval id="console_device_restrict_access_server" /> -<ref nist="" /> -</Rule> - <Rule id="kernel_module_usb-storage_disabled"> <title>Disable Modprobe Loading of USB Storage Driver</title> <description>
great, please push.
On 04/30/2013 04:21 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/system/permissions/mounting.xml | 39 --------------------------- 1 files changed, 0 insertions(+), 39 deletions(-)
diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index 683a2f6..60ff0a3 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -19,45 +19,6 @@ Use caution when enabling any such facility, and find out whether better configuration management or user education might solve the same problem with less risk.</description>
-<Rule id="console_device_restrict_access_desktop"> -<title>Restrict Console Device Access to Desktop Workstations</title> -<description>If the display manager has been altered to allow remote users to -log in and the host is configured to run at runlevel 5, change console as well -as the xconsole directive in the <tt>/etc/security/console.perms</tt> to the -following: -<pre><console>=tty[0-9][0-9]* vc/[0-9][0-9]* :0.[0-9] :0 -<xconsole>=:0.[0-9] :0</pre></description> -<rationale>When a user logs in, the module pam_console.so called via the -command login, or by some of the graphics program of logging, such as gdm, kdm, -and xdm. If this user is the first to log into the physical console -- called the console user - the user module assures the mastery of a wide -variety of devices normally belong to root. Administrative privileges should be -limited for non-root users. Review the man page for <tt>pam_console</tt> for -more information</rationale> -<ident cce="27192-4" /> -<oval id="console_device_restrict_access_desktop" /> -<ref nist="" /> -</Rule>
-<Rule id="console_device_restrict_access_server"> -<title>Restrict Console Device Access to Servers</title> -<description>If the display manager has been altered to allow remote users to -log in and the host is configured to run at runlevel 5, change console as well -as the xconsole directive in the <tt>/etc/security/console.perms</tt> to the -following: -<pre><console>=tty[0-9][0-9]* vc/[0-9][0-9]*</pre></description> -<rationale>When a user logs in, the module pam_console.so called via the -command login, or by some of the graphics program of logging, such as gdm, kdm, -and xdm. If this user is the first to log into the physical console -- called the console user - the user module assures the mastery of a wide -variety of devices normally belong to root. Administrative privileges should be -limited for non-root users. Review the man page for <tt>pam_console</tt> for -more information</rationale> -<ident cce="26892-0" /> -<oval id="console_device_restrict_access_server" /> -<ref nist="" /> -</Rule>
<Rule id="kernel_module_usb-storage_disabled"> <title>Disable Modprobe Loading of USB Storage Driver</title> <description>
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/accounts/session.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index a56a99c..7f6d287 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -103,7 +103,7 @@ other. <ocil clause="group or other write permissions exist"> To ensure write permissions are disabled for group and other for each element in root's path, run the following command: -<pre># ls -ld DIR</pre> +<pre># ls -ld <i>DIR</i></pre> </ocil> <rationale> Such entries increase the risk that root could @@ -118,7 +118,7 @@ and potentially malicious code.
<Rule id="homedir_perms_no_groupwrite_worldread"> <title>Ensure that User Home Directories are not Group-Writable or World-Readable</title> -<description>For each human user USER of the system, view the +<description>For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i></pre> Ensure that the directory is not group-writable and that it
well, okay. the second one is actually preferred style, however.
On 04/30/2013 04:21 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/system/accounts/session.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index a56a99c..7f6d287 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -103,7 +103,7 @@ other.
<ocil clause="group or other write permissions exist"> To ensure write permissions are disabled for group and other for each element in root's path, run the following command: -<pre># ls -ld DIR</pre> +<pre># ls -ld <i>DIR</i></pre> </ocil> <rationale> Such entries increase the risk that root could @@ -118,7 +118,7 @@ and potentially malicious code.
<Rule id="homedir_perms_no_groupwrite_worldread"> <title>Ensure that User Home Directories are not Group-Writable or World-Readable</title> -<description>For each human user USER of the system, view the +<description>For each human user of the system, view the permissions of the user's home directory: <pre># ls -ld /home/<i>USER</i></pre> Ensure that the directory is not group-writable and that it
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/services/http.xml | 4 ++-- RHEL6/input/services/mail.xml | 1 + RHEL6/input/system/network/ipsec.xml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 0a2934d..3ca959a 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -645,7 +645,7 @@ Install the <tt>mod_ssl</tt> module: content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties. </rationale> -<!--<ident cce="26900-1" />--> +<ident cce="27403-5" /> <oval id="package_mod_ssl_installed" /> <!--<ref nist="CM-7" />--> </Rule> @@ -676,7 +676,7 @@ Install the <tt>security</tt> module: enabling the administrator to implement content access policies and filters at the application layer. </rationale> -<!--<ident cce="26900-1" />--> +<ident cce="27525-5" /> <oval id="package_mod_security_installed" /> <!--<ref nist="CM-7" />--> </Rule> diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 6003e62..de938c9 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -56,6 +56,7 @@ not installed by default. its design prevents it from being effectively contained by SELinux. Postfix should be used instead. </rationale> +<ident cce="27515-6" /> <ref nist="CM-7" /> <tested by="DS" on="20121024"/> </Rule> diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml index f73e493..e4fffc3 100644 --- a/RHEL6/input/system/network/ipsec.xml +++ b/RHEL6/input/system/network/ipsec.xml @@ -17,7 +17,7 @@ untrusted networks. <package-install-macro package="openswan"/> to initiate a secure VPN connection protects information when it is transmitted over a wide area network. </rationale> -<!--<ident cce="TODO" />--> +<ident cce="27626-1" /> <oval id="package_openswan_installed" /> <ref nist="AC-17, MA-4, SC-9" disa="1130,1131" /> </Rule>
excellent, please push.
On 04/30/2013 04:21 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
RHEL6/input/services/http.xml | 4 ++-- RHEL6/input/services/mail.xml | 1 + RHEL6/input/system/network/ipsec.xml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 0a2934d..3ca959a 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -645,7 +645,7 @@ Install the <tt>mod_ssl</tt> module: content is transmitted in plain text which could be passively monitored and accessed by unauthorized parties.
</rationale> -<!--<ident cce="26900-1" />--> +<ident cce="27403-5" /> <oval id="package_mod_ssl_installed" /> <!--<ref nist="CM-7" />--> </Rule> @@ -676,7 +676,7 @@ Install the <tt>security</tt> module: enabling the administrator to implement content access policies and filters at the application layer. </rationale> -<!--<ident cce="26900-1" />--> +<ident cce="27525-5" /> <oval id="package_mod_security_installed" /> <!--<ref nist="CM-7" />--> </Rule> diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 6003e62..de938c9 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -56,6 +56,7 @@ not installed by default. its design prevents it from being effectively contained by SELinux. Postfix should be used instead. </rationale> +<ident cce="27515-6" /> <ref nist="CM-7" /> <tested by="DS" on="20121024"/> </Rule> diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml index f73e493..e4fffc3 100644 --- a/RHEL6/input/system/network/ipsec.xml +++ b/RHEL6/input/system/network/ipsec.xml @@ -17,7 +17,7 @@ untrusted networks. <package-install-macro package="openswan"/> to initiate a secure VPN connection protects information when it is transmitted over a wide area network. </rationale> -<!--<ident cce="TODO" />--> +<ident cce="27626-1" /> <oval id="package_openswan_installed" /> <ref nist="AC-17, MA-4, SC-9" disa="1130,1131" /> </Rule>
--
scap-security-guide@lists.fedorahosted.org
-
David Smith -
Jeffrey Blank