This batch of commits adds rule references to CCI numbers.
Willy Santos (13):
Mapped CCI-000199 to password_max_age
Mapped CCI-000200 to limit_password_reuse
Mapped CCI-000205 to password_min_len
Mapped CCI-000206 to accounts group.
Mapped CCI-000352 to ensure_gpgcheck_globally_activated and ensure_gpgcheck_never_disabled
Mapped CCI-000416 to aide_periodic_cron_checking
Mapped CCI-000803 to sshd_use_approved_ciphers
Mapped CCI-000888 to ssh_server group.
Mapped CCI-000195 to password_require_diffchars
Mapped CCI-000196 to no_hashes_outside_shadow
Mapped CCI-000197 to ssh_server group
Mapped CCI-000198 to password_min_age
Mapped CCI-001118 to enable_iptables and enable_ip6tables rules
rhel6/src/input/services/ssh.xml | 3 +++
rhel6/src/input/system/accounts/accounts.xml | 1 +
rhel6/src/input/system/accounts/pam.xml | 2 ++
.../accounts/restrictions/password_expiration.xml | 3 +++
.../accounts/restrictions/password_storage.xml | 1 +
rhel6/src/input/system/network/iptables.xml | 2 ++
rhel6/src/input/system/software/integrity.xml | 1 +
rhel6/src/input/system/software/updating.xml | 2 ++
8 files changed, 15 insertions(+), 0 deletions(-)
CCI-000199 requires the enforcement of max password lifetime restrictions; this is met by the password_max_age rule.
Signed-off-by: Willy Santos wsantos@redhat.com
---
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index ad67fdb..7af1a0d 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -122,6 +122,7 @@ make the change at a practical time prior to expiration. <ident cce="4092-3" /> <oval id="accounts_maximum_age_login_defs" /> <ref nist="CM-6, CM-7, IA-5, AC-3" /> +<ident cci="CCI-000199" /> </Rule>
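Review bot: style point on where the new line sits: `+<ident cci="CCI-000199" />` is placed after `<ref nist="CM-6, CM-7, IA-5, AC-3" />`, while the rule's existing `<ident cce="4092-3" />` sits before `<oval id="accounts_maximum_age_login_defs" />`. Keeping the two ident elements adjacent (the cci ident directly after the cce ident) makes the identifier block easier to scan and to process uniformly; the same ordering is repeated throughout this series, so it is worth settling on one convention in the first patch.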
On 4/26/12 8:05 PM, Willy Santos wrote:
CCI-000199 requires the enforcement of max password lifetime restrictions; this is met by the password_max_age rule.
Signed-off-by: Willy Santos wsantos@redhat.com
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index ad67fdb..7af1a0d 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -122,6 +122,7 @@ make the change at a practical time prior to expiration.
<ident cce="4092-3" /> <oval id="accounts_maximum_age_login_defs" /> <ref nist="CM-6, CM-7, IA-5, AC-3" /> +<ident cci="CCI-000199" /> </Rule>
Ack
CCI-000200 requires the OS to prohibit password reuse for an organization-defined number of generations. This is met by the limit_password_reuse rule and enforced by PAM.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/accounts/pam.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index bc91277..0bf95ff 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -373,6 +373,7 @@ compromised could be used yet again by an attacker. <ident cce="14939-3" /> <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> <ref nist="IA-5" /> +<ident cci="CCI-000200" /> </Rule> </Group>
On 4/26/12 8:05 PM, Willy Santos wrote:
CCI-000200 requires the OS to prohibit password reuse for an organization-defined number of generations. This is met by the limit_password_reuse rule and enforced by PAM.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/accounts/pam.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index bc91277..0bf95ff 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -373,6 +373,7 @@ compromised could be used yet again by an attacker.
<ident cce="14939-3" /> <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> <ref nist="IA-5" /> +<ident cci="CCI-000200" /> </Rule> </Group>
Ack
CCI-000205 requires the enforcement of minimum password lengths. This is met by the password_min_len rule.
Signed-off-by: Willy Santos wsantos@redhat.com
---
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index 7af1a0d..f017c4c 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -86,6 +86,7 @@ behavior that may result. <ident cce="4154-1" /> <oval id="accounts_password_minlen_login_defs" value="var_password_min_len"/> <ref nist="CM-6, CM-7, IA-5, AC-3" /> +<ident cci="CCI-000205" /> </Rule>
On 4/26/12 8:05 PM, Willy Santos wrote:
CCI-000205 requires the enforcement of minimum password lengths. This is met by the password_min_len rule.
Signed-off-by: Willy Santos wsantos@redhat.com
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index 7af1a0d..f017c4c 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -86,6 +86,7 @@ behavior that may result.
<ident cce="4154-1" /> <oval id="accounts_password_minlen_login_defs" value="var_password_min_len"/> <ref nist="CM-6, CM-7, IA-5, AC-3" /> +<ident cci="CCI-000205" /> </Rule>
Ack
CCI-000206 requires obscure feedback of authentication information during the authentication process (i.e. using asterisks when passwords are being typed), which is default behavior for RHEL authentication mechanisms.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/accounts/accounts.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/accounts.xml b/rhel6/src/input/system/accounts/accounts.xml index fbdeb39..84bdc99 100644 --- a/rhel6/src/input/system/accounts/accounts.xml +++ b/rhel6/src/input/system/accounts/accounts.xml @@ -9,3 +9,4 @@ necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under RHEL6.</description> </Group> +<ident cci="CCI-000206" />
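Review bot: structural problem: `+<ident cci="CCI-000206" />` is appended after `</Group>`, so it is attached to no Rule or Group at all, and if that `</Group>` closes the file's root element the file now has a second top-level element and will not parse as XML. Move the line up before `</Group>`, inside the accounts Group that the commit message names as the target, or into whatever place is chosen for requirements met by OS defaults.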
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000206 requires obscure feedback of authentication information during the authentication process (i.e. using asterisks when passwords are being typed), which is default behavior for RHEL authentication mechanisms.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/accounts/accounts.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/accounts.xml b/rhel6/src/input/system/accounts/accounts.xml index fbdeb39..84bdc99 100644 --- a/rhel6/src/input/system/accounts/accounts.xml +++ b/rhel6/src/input/system/accounts/accounts.xml @@ -9,3 +9,4 @@ necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under RHEL6.</description>
</Group> +<ident cci="CCI-000206" />
I think it was Jeff who mentioned we may create something that says "these are all met by the OS by default," so this may end up moving. But this does seem the best place for this for now. Ack.
CCI-000352 requires the OS to prevent the installation of software not signed with an approved certificate. This is met by ensure_gpgcheck_globally_activated and ensure_gpgcheck_never_disabled.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/software/updating.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/software/updating.xml b/rhel6/src/input/system/software/updating.xml index 7718b37..33b50db 100644 --- a/rhel6/src/input/system/software/updating.xml +++ b/rhel6/src/input/system/software/updating.xml @@ -94,6 +94,7 @@ protects against malicious tampering. <ident cce="14914-6" /> <oval id="yum_gpgcheck_global_activation" /> <ref nist="SI-2"/> +<ident cci="CCI-000352" /> </Rule>
<Rule id="ensure_gpgcheck_never_disabled"> @@ -111,5 +112,6 @@ protects against malicious tampering. <ident cce="14813-0" /> <oval id="yum_gpgcheck_never_disabled" /> <ref nist="SI-2"/> +<ident cci="CCI-000352" /> </Rule> </Group>
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000352 requires the OS to prevent the installation of software not signed with an approved certificate. This is met by ensure_gpgcheck_globally_activated and ensure_gpgcheck_never_disabled.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/software/updating.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/software/updating.xml b/rhel6/src/input/system/software/updating.xml index 7718b37..33b50db 100644 --- a/rhel6/src/input/system/software/updating.xml +++ b/rhel6/src/input/system/software/updating.xml @@ -94,6 +94,7 @@ protects against malicious tampering.
<ident cce="14914-6" /> <oval id="yum_gpgcheck_global_activation" /> <ref nist="SI-2"/> +<ident cci="CCI-000352" /> </Rule>
<Rule id="ensure_gpgcheck_never_disabled"> @@ -111,5 +112,6 @@ protects against malicious tampering. <ident cce="14813-0" /> <oval id="yum_gpgcheck_never_disabled" /> <ref nist="SI-2"/> +<ident cci="CCI-000352" /> </Rule> </Group>
Ack
Sidenote: If the requirement is to use signed packages we can set yum to always check for that. However users could always do a rpm -ivh and get around this. I think we should add prose stating specifically to only install signed packages, regardless of how they're installed. I created ticket #44 to track this.
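The gap described in the sidenote above (yum can be told to always verify signatures, but `rpm -ivh` never consults yum's gpgcheck setting) is easiest to see with a check that covers both sides. The script below is an added example, not code from this thread or from the scap-security-guide project: it evaluates yum's [main] and per-repository gpgcheck settings in the spirit of ensure_gpgcheck_globally_activated and ensure_gpgcheck_never_disabled, and then scans the signature field of installed packages for unsigned ones, which is what an unsigned package installed directly with rpm leaves behind. The function names are my own, every check takes its input as text, and the sample yum configuration and rpm output are constructed, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread or the scap-security-guide project.
# Audits yum's gpgcheck settings and lists installed packages that carry no
# GPG signature (what an "rpm -ivh" install of an unsigned package leaves
# behind). Every check takes its input as text so it runs offline.

# Succeed (exit 0) only if the [main] section of the given yum.conf text sets
# gpgcheck=1. yum treats a missing gpgcheck as 0, so absence counts as disabled.
gpgcheck_global_enabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_main = ($0 == "[main]") }
        in_main && $0 ~ /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Print the id of every section (repo or main) that explicitly sets
# gpgcheck=0, one per line; empty output means none was found.
repos_with_gpgcheck_disabled() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2) }
        $0 ~ /^[ \t]*gpgcheck[ \t]*=[ \t]*0[ \t]*$/ { print section }'
}

# Given lines of "<name><TAB><signature>", the shape produced by
#   rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'
# print the names whose signature field is "(none)".
unsigned_packages() {
    printf '%s\n' "$1" | awk -F '\t' '$2 == "(none)" { print $1 }'
}

# Run all three checks; return 0 only if nothing was flagged.
audit_package_signing() {
    status=0
    if ! gpgcheck_global_enabled "$1"; then
        echo "FAIL: gpgcheck is not enabled in [main] of yum.conf"
        status=1
    fi
    disabled=$(repos_with_gpgcheck_disabled "$2")
    if [ -n "$disabled" ]; then
        echo "FAIL: gpgcheck=0 in section(s): $(echo "$disabled" | tr '\n' ' ')"
        status=1
    fi
    unsigned=$(unsigned_packages "$3")
    if [ -n "$unsigned" ]; then
        echo "FAIL: installed package(s) without a GPG signature: $(echo "$unsigned" | tr '\n' ' ')"
        status=1
    fi
    return $status
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_YUM_CONF=$(printf '[main]\ncachedir=/var/cache/yum\ngpgcheck=1\nplugins=1\n')
SAMPLE_REPO_FILE=$(printf '[base]\nname=Base (constructed)\ngpgcheck=1\n\n[thirdparty]\nname=Vendor repo (constructed)\ngpgcheck=0\n')
SAMPLE_RPM_SIGS=$(printf 'bash\tRSA/SHA256, Key ID 0000000000000000 (constructed)\ncustom-agent\t(none)\nopenssh-server\tRSA/SHA256, Key ID 0000000000000000 (constructed)\n')

# On a live RHEL 6 host the three inputs would instead be:
#   "$(cat /etc/yum.conf)"  "$(cat /etc/yum.repos.d/*.repo)"
#   "$(rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n')"
if audit_package_signing "$SAMPLE_YUM_CONF" "$SAMPLE_REPO_FILE" "$SAMPLE_RPM_SIGS"; then
    echo "PASS: gpgcheck enforced and all installed packages are signed"
else
    echo "audit flagged problems (expected for the constructed sample)"
fi
```

With the constructed sample the audit reports the thirdparty repo with gpgcheck=0 and the unsigned custom-agent package; the first finding is what the two gpgcheck rules catch, the second is the case those rules cannot see because the package never went through yum.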
CCI-000416 requires the use of automated mechanisms, at organization-defined frequency, to detect the addition of unauthorized components into the OS, which is met by aide_periodic_cron_checking.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/software/integrity.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/software/integrity.xml b/rhel6/src/input/system/software/integrity.xml index dea8b37..157152e 100644 --- a/rhel6/src/input/system/software/integrity.xml +++ b/rhel6/src/input/system/software/integrity.xml @@ -93,6 +93,7 @@ By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. </rationale> <ref nist="CM-6, SC-28, SI-7" /> +<ident cci="CCI-000416" /> </Rule>
<Rule id="aide_verify_integrity_manually">
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000416 requires the use of automated mechanisms, at organization-defined frequency, to detect the addition of unauthorized components into the OS, which is met by aide_periodic_cron_checking.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/software/integrity.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/software/integrity.xml b/rhel6/src/input/system/software/integrity.xml index dea8b37..157152e 100644 --- a/rhel6/src/input/system/software/integrity.xml +++ b/rhel6/src/input/system/software/integrity.xml @@ -93,6 +93,7 @@ By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files.
</rationale> <ref nist="CM-6, SC-28, SI-7" /> +<ident cci="CCI-000416" /> </Rule>
<Rule id="aide_verify_integrity_manually">
Ack
CCI-000803 requires the use of mechanisms for authentication to a cryptographic module meeting the FIPS 140-2 standards; sshd_use_approved_ciphers meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index bd78626..8c93dec 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -303,6 +303,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> +<ident cci="CCI-000803" /> </Rule>
<Rule id="sshd_strengthen_firewall">
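Review bot: mapping concern in this hunk: `+<ident cci="CCI-000803" />` is attached to the rule checked by `<oval id="sshd_use_approved_ciphers" />`, which only constrains the cipher list in sshd_config. The commit message frames CCI-000803 around authentication to a FIPS 140-2 cryptographic module, and restricting ciphers does not by itself establish that the underlying crypto library is a validated module. Consider stating in the rule's rationale that this mapping is partial, so a passing check is not read as evidence of FIPS validation.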
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000803 requires the use of mechanisms for authentication to a cryptographic module meeting the FIPS 140-2 standards; sshd_use_approved_ciphers meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index bd78626..8c93dec 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -303,6 +303,7 @@ implementation. These are also required for compliance.
</rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> +<ident cci="CCI-000803" /> </Rule>
<Rule id="sshd_strengthen_firewall">
Ack
CCI-000888 requires the use of cryptographic mechanisms for non-local maintenance and diagnostic communications; the use of SSH for such "non-local" connections meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 8c93dec..3216a79 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -57,6 +57,7 @@ certain changes should be made to the OpenSSH daemon configuration file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the <tt>sshd_config(5)</tt> man page for more detailed information.</description> +<ident cci="CCI-000888" />
<Rule id="sshd_allow_only_protocol2" severity="high"> <title>Allow Only SSH Protocol 2</title>
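Review bot: this is the first place in the series where an ident is added at Group level (`+<ident cci="CCI-000888" />` directly after `</description>` and before the first `<Rule>`) rather than inside a `<Rule>`. Confirm that the build tooling consumes ident elements at Group level; if it only looks inside Rule elements, this mapping will silently drop out of the generated output, and the intent to cover the whole ssh_server group should then be documented some other way.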
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000888 requires the use of cryptographic mechanisms for non-local maintenance and diagnostic communications; the use of SSH for such "non-local" connections meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 8c93dec..3216a79 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -57,6 +57,7 @@ certain changes should be made to the OpenSSH daemon configuration file<tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the<tt>sshd_config(5)</tt> man page for more detailed information.</description> +<ident cci="CCI-000888" />
<Rule id="sshd_allow_only_protocol2" severity="high"> <title>Allow Only SSH Protocol 2</title>
Ack
CCI-000195 requires enforcing the number of characters changed when passwords are changed; the password_require_diffchars rule meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/accounts/pam.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index 0bf95ff..8236e6f 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -244,6 +244,7 @@ Note that passwords which are changed on compromised systems will still be compr <oval id="accounts_password_pam_cracklib_difok" value="var_password_pam_cracklib_difok"/> <ref nist="IA-5" /> </Rule> +<ident cci="CCI-000195" /> </Group> </Group>
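Review bot: placement bug: `+<ident cci="CCI-000195" />` is inserted after `</Rule>`, so it attaches to the enclosing Group rather than to the rule the commit message says meets the requirement (the one checked by `accounts_password_pam_cracklib_difok`). Move it up before `</Rule>`, next to `<ref nist="IA-5" />`, to match where the other patches in this series place their idents.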
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000195 requires enforcing the number of characters changed when passwords are changed; the password_require_diffchars rule meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/accounts/pam.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index 0bf95ff..8236e6f 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -244,6 +244,7 @@ Note that passwords which are changed on compromised systems will still be compr
<oval id="accounts_password_pam_cracklib_difok" value="var_password_pam_cracklib_difok"/> <ref nist="IA-5" /> </Rule> +<ident cci="CCI-000195" /> </Group> </Group>
Ack
CCI-000196 requires enforcing password encryption for storage. no_hashes_outside_shadow meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
.../accounts/restrictions/password_storage.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_storage.xml b/rhel6/src/input/system/accounts/restrictions/password_storage.xml index 30a6f52..e989bd5 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_storage.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_storage.xml @@ -49,6 +49,7 @@ which is readable by all users. <ident cce="14300-8" /> <oval id="accounts_password_all_shadowed" /> <ref nist="IA-5" /> +<ident cci="CCI-000196" /> </Rule> </Group>
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000196 requires enforcing password encryption for storage. no_hashes_outside_shadow meets this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
.../accounts/restrictions/password_storage.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_storage.xml b/rhel6/src/input/system/accounts/restrictions/password_storage.xml index 30a6f52..e989bd5 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_storage.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_storage.xml @@ -49,6 +49,7 @@ which is readable by all users.
<ident cce="14300-8" /> <oval id="accounts_password_all_shadowed" /> <ref nist="IA-5" /> +<ident cci="CCI-000196" /> </Rule> </Group>
Ack
Note that DISA's description of CCI-000196 only says passwords must be encrypted in storage (aka /etc/shadow), however the NIST IA-5 (1)(c) control this maps back to also specifically adds passwords must be encrypted in /transmission/ as well. I'd like to map this back to the requirement to disable telnet too. I created ticket #45 to remind us to do that.
CCI-000197 requires that passwords be encrypted for transmission. This is met by use of SSH.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 3216a79..416e584 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -58,6 +58,7 @@ file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the <tt>sshd_config(5)</tt> man page for more detailed information.</description> <ident cci="CCI-000888" /> +<ident cci="CCI-000197" />
<Rule id="sshd_allow_only_protocol2" severity="high"> <title>Allow Only SSH Protocol 2</title>
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000197 requires that passwords be encrypted for transmission. This is met by use of SSH.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/services/ssh.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 3216a79..416e584 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -58,6 +58,7 @@ file<tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the<tt>sshd_config(5)</tt> man page for more detailed information.</description>
<ident cci="CCI-000888" /> +<ident cci="CCI-000197" />
<Rule id="sshd_allow_only_protocol2" severity="high"> <title>Allow Only SSH Protocol 2</title>
Ack
I added this to be mapped to the requirement to disable telnet as well in ticket #45.
CCI-000198 requires enforcing minimum password lifetime restriction, which is met by password_min_age.
Signed-off-by: Willy Santos wsantos@redhat.com
---
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index f017c4c..2e4bb25 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -105,6 +105,7 @@ after satisfying the password reuse requirement. <ident cce="4180-6" /> <oval id="accounts_minimum_age_login_defs" /> <ref nist="CM-6, IA-5" /> +<ident cce="CCI-000198" /> </Rule>
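Review bot: attribute typo: `+<ident cce="CCI-000198" />` uses `cce` where every other patch in this series uses `cci`. As written, CCI-000198 would be treated as a second CCE identifier (alongside the rule's real `<ident cce="4180-6" />`) and would never surface as a CCI mapping; change the line to `<ident cci="CCI-000198" />`.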
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-000198 requires enforcing minimum password lifetime restriction, which is met by password_min_age.
Signed-off-by: Willy Santos wsantos@redhat.com
.../accounts/restrictions/password_expiration.xml | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index f017c4c..2e4bb25 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -105,6 +105,7 @@ after satisfying the password reuse requirement.
<ident cce="4180-6" /> <oval id="accounts_minimum_age_login_defs" /> <ref nist="CM-6, IA-5" /> +<ident cce="CCI-000198" /> </Rule>
Ack
CCI-001118 requires the use of host-based boundary protection mechanisms; the enable_iptables and enable_ip6tables rules meet this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
---
rhel6/src/input/system/network/iptables.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index cdbf89a..eb53327 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -78,6 +78,7 @@ capability for IPv6 and ICMPv6. <ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> <ref nist="CM-6, CM-7" /> +<ident cci="CCI-001118" /> </Rule>
<Rule id="enable_iptables"> @@ -95,6 +96,7 @@ capability for IPv4 and ICMP. <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> <ref nist="CM-6, CM-7" /> +<ident cci="CCI-001118" /> </Rule> </Group><!--<Group id="iptables_activation">-->
On 4/26/12 8:06 PM, Willy Santos wrote:
CCI-001118 requires the use of host-based boundary protection mechanisms; the enable_iptables and enable_ip6tables rules meet this requirement.
Signed-off-by: Willy Santos wsantos@redhat.com
rhel6/src/input/system/network/iptables.xml | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index cdbf89a..eb53327 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -78,6 +78,7 @@ capability for IPv6 and ICMPv6.
<ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> <ref nist="CM-6, CM-7" /> +<ident cci="CCI-001118" /> </Rule>
<Rule id="enable_iptables"> @@ -95,6 +96,7 @@ capability for IPv4 and ICMP. <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> <ref nist="CM-6, CM-7" /> +<ident cci="CCI-001118" /> </Rule> </Group><!--<Group id="iptables_activation">-->
Ack
scap-security-guide@lists.fedorahosted.org