David Smith (2):
      added OCIL checks
      commented out vestige of variable display

 RHEL6/input/services/ftp.xml                     |    6 +++-
 RHEL6/input/services/ldap.xml                    |    4 +++
 RHEL6/input/services/mail.xml                    |    5 ++++
 RHEL6/input/services/ssh.xml                     |   23 ++++++++++++++++++++++
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |    5 +--
 5 files changed, 38 insertions(+), 5 deletions(-)
Signed-off-by: David Smith <dsmith@eclipse.ncsc.mil>
---
 RHEL6/input/services/ftp.xml  |    6 ++++--
 RHEL6/input/services/ldap.xml |    4 ++++
 RHEL6/input/services/mail.xml |    5 +++++
 RHEL6/input/services/ssh.xml  |   23 +++++++++++++++++++++++
 4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml index 7d62c2c..b6a8f65 100644 --- a/RHEL6/input/services/ftp.xml +++ b/RHEL6/input/services/ftp.xml @@ -99,12 +99,14 @@ by default. Add or correct the following configuration options: <ref disa="48" /> <!--<oval id="ftp_present_banner" />--> <!--<ref nist="CM-6, CM-7" /> --> -<ocil>To verify this configuration, run the following command: +<ocil clause="it does not"> +To verify this configuration, run the following command: <pre>grep "banner_file" /etc/vsftpd/vsftpd.conf</pre>
The output should show the value of <tt>banner_file</tt> is set to <tt>/etc/issue</tt>, an example of which is shown below: <pre># grep "banner_file" /etc/issue -banner_file=/etc/issue"</pre></ocil> +banner_file=/etc/issue"</pre> +</ocil> </Rule>
<Group id="ftp_restrict_users"> diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index 3ee8b64..de3a552 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml @@ -32,6 +32,10 @@ network.</warning> <pre>ssl start_tls</pre> Then review the LDAP server and ensure TLS has been configured. </description> +<ocil clause="no lines are returned"> +To ensure LDAP is configured to use TLS for all transactions, run the following command: +<pre>$ grep start_tls /etc/pam_ldap.conf</pre> +</ocil> <rationale>The ssl directive specifies whether to use ssl or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.</rationale> diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index d0016bc..e30d011 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -69,6 +69,11 @@ Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following <tt>inet_interfaces</tt> line appears: <pre>inet_interfaces = localhost</pre> </description> +<ocil clause="it does not"> +Run the following command to ensure postfix accepts mail messages from only the local system: +<pre>$ grep inet_interfaces /etc/postfix/main.cf</pre> +If properly configured, the output should show only <tt>localhost</tt>. +</ocil> <rationale> This ensures that <tt>postfix</tt> accepts mail messages (such as cron job reports) from the local system only, diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index 19c17f0..d60e499 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml 
@@ -69,6 +69,11 @@ verified by ensuring that the following line appears: <pre>Protocol 2</pre> </description> +<ocil clause="it is not"> +To check which SSH protocol version is allowed, run the following command: +<pre># grep Protocol /etc/ssh/sshd_config</pre> +If configured properly, output should be <pre>Protocol 2</pre> +</ocil> <rationale> SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and @@ -151,6 +156,12 @@ shell, that value will preempt any SSH setting made here. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle. </description> +<ocil clause="it is not"> +Run the following command to see what the timeout interval is: +<pre># grep ClientAliveInterval /etc/ssh/sshd_config</pre> +If properly configured, the output should be: +<pre>ClientAliveInterval 900</pre> +</ocil> <rationale> Causing idle users to be automatically logged out guards against compromises one system leading trivially @@ -169,6 +180,12 @@ edit <tt>/etc/ssh/sshd_config</tt> as follows: <pre>ClientAliveCountMax 0</pre> </description> +<ocil clause="it is not"> +To ensure the SSH idle timeout will occur when the <tt>ClientAliveInterval</tt> is set, run the following command: +<pre># grep ClientAliveCountMax /etc/ssh/sshd_config</pre> +If properly configured, output should be: +<pre>ClientAliveCountMax 0</pre> +</ocil> <rationale> This ensures that a user login will be terminated as soon as the <tt>ClientAliveInternal</tt> is reached. 
@@ -281,6 +298,12 @@ environment options to the SSH daemon, add or correct the following line in <tt>/etc/ssh/sshd_config</tt>: <pre>PermitUserEnvironment no</pre> </description> +<ocil clause="it is not"> +To ensure users are not able to present environment daemons, run the following command: +<pre># grep PermitUserEnvironment /etc/ssh/sshd_config</pre> +If properly configured, output should be: +<pre>PermitUserEnvironment no</pre> +</ocil> <rationale> SSH environment options potentially allow users to bypass access restriction in some configurations.
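Review bot: in the ftp.xml hunk the sample output does not match the command it illustrates: the check runs `grep "banner_file" /etc/vsftpd/vsftpd.conf`, but the example reads `# grep "banner_file" /etc/issue`, and the result line `banner_file=/etc/issue"` carries a stray trailing double quote on both the removed and the added line. Suggest `# grep "banner_file" /etc/vsftpd/vsftpd.conf` followed by `banner_file=/etc/issue`, so the reader compares against the right file and a value that is actually valid vsftpd syntax.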
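Review bot: in the ldap.xml hunk, `grep start_tls /etc/pam_ldap.conf` also matches a commented-out line such as `#ssl start_tls`, so output can appear on a host where TLS is not enabled and the failure clause `no lines are returned` never fires. Anchor the pattern to an active directive, e.g. `grep '^ssl start_tls' /etc/pam_ldap.conf`, and state the expected output (`ssl start_tls`) the way the other OCIL blocks in this series do.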
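Review bot: in the mail.xml hunk the expectation "the output should show only localhost" is unlikely to hold as written, because `grep inet_interfaces /etc/postfix/main.cf` also prints the commented-out alternatives (such as `#inet_interfaces = all`) that typically sit in main.cf. Anchor to uncommented directives with `grep '^inet_interfaces' /etc/postfix/main.cf` and give the exact expected line `inet_interfaces = localhost` in a `<pre>`, as the description directly above already does.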
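Review bot: in the first ssh.xml hunk (Protocol), `grep Protocol /etc/ssh/sshd_config` matches a commented default such as `#Protocol 2,1` as well as the active setting, so the literal expected output `Protocol 2` can appear next to a comment and the OCIL text gives the assessor no way to tell which line is in effect. Use `grep '^Protocol' /etc/ssh/sshd_config`; the same anchoring applies to the ClientAliveInterval, ClientAliveCountMax and PermitUserEnvironment checks further down, where commented defaults also exist.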
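Review bot: the ClientAliveInterval hunk hard-codes the expected output as `ClientAliveInterval 900` while the OCIL sentence above it only asks "what the timeout interval is". If 900 is the single acceptable value, say so in the description; if the interval is meant to be tuned per profile, phrase the check as "the value should be set to the required interval" rather than a literal, otherwise a compliant but different setting reads as a finding.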
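Review bot: the ClientAliveCountMax hunk leaves the rationale's `<tt>ClientAliveInternal</tt>` (context line) misspelled; since this rule is being touched anyway, correct it to `ClientAliveInterval` so it matches the directive named in the new OCIL text and in sshd_config.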
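Review bot: the PermitUserEnvironment hunk's OCIL sentence "To ensure users are not able to present environment daemons" has lost its object; the description line just above reads "environment options to the SSH daemon", so the check should read "To ensure users are not able to present environment options to the SSH daemon, run the following command:".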
Signed-off-by: David Smith <dsmith@eclipse.ncsc.mil>
---
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index dfa0c80..f09cc86 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -154,17 +154,16 @@ <br/>If <xsl:value-of select="cdf:check-export/@export-name" />, this is a finding. </xsl:if> </xsl:if> - <xsl:if test="@system=$ovaluri"> +<!-- <xsl:if test="@system=$ovaluri"> <xsl:for-each select="cdf:check-export"> <xsl:variable name="rulevar" select="@value-id" /> - <!--<xsl:value-of select="$rulevar" />:--> <xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:refine-value"> <xsl:if test="@idref=$rulevar"> <xsl:value-of select="@selector" /> </xsl:if> </xsl:for-each> </xsl:for-each> - </xsl:if> + </xsl:if> --> </xsl:template>
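Review bot: wrapping the `@system=$ovaluri` block in `<!-- ... -->` leaves dead code in the template; the commit message itself calls it a vestige, so deleting the block outright is cleaner (git history keeps it). The wrapper only parses because the inner `<!--<xsl:value-of select="$rulevar" />:-->` comment is removed in the same hunk; XML comments do not nest, so anyone re-enabling the block piecemeal will break the stylesheet. If it must stay commented out, keep the original indentation on the `+<!-- <xsl:if test="@system=$ovaluri">` line and add a one-line comment saying why the refine-value selector is no longer emitted.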
@Dave -- ACK on all three.
Please push
Thanks,
MM
On 09/25/2012 04:00 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/RHEL6/transforms/xccdf2table-profileccirefs.xslt b/RHEL6/transforms/xccdf2table-profileccirefs.xslt index dfa0c80..f09cc86 100644 --- a/RHEL6/transforms/xccdf2table-profileccirefs.xslt +++ b/RHEL6/transforms/xccdf2table-profileccirefs.xslt @@ -154,17 +154,16 @@ <br/>If <xsl:value-of select="cdf:check-export/@export-name" />, this is a finding. </xsl:if> </xsl:if>
<xsl:if test="@system=$ovaluri">
+<!-- <xsl:if test="@system=$ovaluri"> <xsl:for-each select="cdf:check-export"> <xsl:variable name="rulevar" select="@value-id" />
</xsl:for-each><!--<xsl:value-of select="$rulevar" />:--> <xsl:for-each select="/cdf:Benchmark/cdf:Profile[@id=$profile]/cdf:refine-value"> <xsl:if test="@idref=$rulevar"> <xsl:value-of select="@selector" /> </xsl:if> </xsl:for-each>
</xsl:if>
</xsl:template></xsl:if> -->
Looks good, please push. Thanks!
On 09/25/2012 04:00 PM, David Smith wrote:
David Smith (2):
      added OCIL checks
      commented out vestige of variable display

 RHEL6/input/services/ftp.xml                     |    6 +++-
 RHEL6/input/services/ldap.xml                    |    4 +++
 RHEL6/input/services/mail.xml                    |    5 ++++
 RHEL6/input/services/ssh.xml                     |   23 ++++++++++++++++++++++
 RHEL6/transforms/xccdf2table-profileccirefs.xslt |    5 +--
 5 files changed, 38 insertions(+), 5 deletions(-)
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide