This may break some transforms (to tables) which might be expecting that all references from a certain source are in a single reference element. Any other transforms will be fixed up shortly.
As the XCCDF output should be as easy as possible to query, individual items from a particular reference source now appear as separate reference elements. XCCDF input/shorthand, on the other hand, should be as easy as possible to use for data entry.
This patch also included some fixups needed to ensure validation. I usually try to do a "make content; make validate" before committing.
Jeffrey Blank (1): converted all CCIs from idents to refs * also adjusted transform slightly, fixed other typos
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- rhel6/src/input/services/http.xml | 2 +- rhel6/src/input/services/ssh.xml | 5 +-- rhel6/src/input/system/accounts/accounts.xml | 2 +- rhel6/src/input/system/accounts/pam.xml | 15 ++------ .../accounts/restrictions/password_expiration.xml | 9 ++--- .../accounts/restrictions/password_storage.xml | 3 +- rhel6/src/input/system/auditing.xml | 34 +++---------------- rhel6/src/input/system/network/iptables.xml | 10 ++---- .../input/system/software/disk_partitioning.xml | 11 +++--- rhel6/src/input/system/software/integrity.xml | 3 +- rhel6/src/input/system/software/updating.xml | 6 +-- rhel6/src/transforms/shorthand2xccdf.xslt | 2 +- 12 files changed, 30 insertions(+), 72 deletions(-)
diff --git a/rhel6/src/input/services/http.xml b/rhel6/src/input/services/http.xml index 50af842..4278902 100644 --- a/rhel6/src/input/services/http.xml +++ b/rhel6/src/input/services/http.xml @@ -496,12 +496,12 @@ explicitly including the corresponding configuration file: <pre>Include conf.d/ssl.conf</pre> If PHP is necessary, a similar alteration must be made: <pre>Include conf.d/php.conf</pre> -</description> <!--<rationale>--> Explicitly listing the configuration files to be loaded during web server start-up avoids the possibility of unwanted or malicious configuration files to be automatically included as part of the server's running configuration. <!--</rationale>--> +</description> <!--<ident cce="3756-4" />--> <!--<oval id="httpd_minimize_config_files_included" />--> <!--<ref nist="CM-6, CM-7" />--> diff --git a/rhel6/src/input/services/ssh.xml b/rhel6/src/input/services/ssh.xml index 89fe042..40e7762 100644 --- a/rhel6/src/input/services/ssh.xml +++ b/rhel6/src/input/services/ssh.xml @@ -37,8 +37,7 @@ certain changes should be made to the OpenSSH daemon configuration file <tt>/etc/ssh/sshd_config</tt>. The following recommendations can be applied to this file. See the <tt>sshd_config(5)</tt> man page for more detailed information.</description> -<ident cci="CCI-000888" /> -<ident cci="CCI-000197" /> +<ref disa="197,888" />
<Rule id="sshd_allow_only_protocol2" severity="high"> <title>Allow Only SSH Protocol 2</title> @@ -268,7 +267,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="14491-5" /> <oval id="sshd_use_approved_ciphers" /> -<ident cci="CCI-000803" /> +<ref disa="803" /> </Rule>
</Group> diff --git a/rhel6/src/input/system/accounts/accounts.xml b/rhel6/src/input/system/accounts/accounts.xml index 9c12760..593367a 100644 --- a/rhel6/src/input/system/accounts/accounts.xml +++ b/rhel6/src/input/system/accounts/accounts.xml @@ -8,6 +8,6 @@ access to accounts, particularly to privileged accounts, is a necessary part of securing a system. This section introduces mechanisms for restricting access to accounts under RHEL6.</description> -<ident cci="CCI-000206" /> +<ref disa="206" /> </Group>
diff --git a/rhel6/src/input/system/accounts/pam.xml b/rhel6/src/input/system/accounts/pam.xml index 667a289..fe8b6cb 100644 --- a/rhel6/src/input/system/accounts/pam.xml +++ b/rhel6/src/input/system/accounts/pam.xml @@ -179,8 +179,7 @@ search space. </rationale> <ident cce="14113-5" /> <oval id="accounts_password_pam_cracklib_dcredit" value="var_password_pam_cracklib_dcredit"/> -<ref nist="IA-5" /> -<ident cci="CCI-000194" /> +<ref nist="IA-5,194" disa="194"/> </Rule>
<Rule id="password_require_uppercases"> @@ -243,9 +242,8 @@ Note that passwords which are changed on compromised systems will still be compr </rationale> <ident cce="14701-7" /> <oval id="accounts_password_pam_cracklib_difok" value="var_password_pam_cracklib_difok"/> -<ref nist="IA-5" /> +<ref nist="IA-5" disa="195"/> </Rule> -<ident cci="CCI-000195" /> </Group> </Group>
@@ -364,9 +362,7 @@ frequently.</description>
<Rule id="limit_password_reuse"> <title>Limit Password Reuse</title> -<description> - -The passwords to remember should be set to: +<description>The passwords to remember should be set to: <sub idref="password_history_retain_number" /></description> <rationale> Allowing users to reuse passwords means that a password which was once @@ -374,10 +370,7 @@ compromised could be used yet again by an attacker. </rationale> <ident cce="14939-3" /> <oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> -<ref nist="IA-5" /> -<ident cci="CCI-000200" /> +<ref nist="IA-5" disa="200"/> </Rule> </Group> - </Group> - diff --git a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml index 2e4bb25..81c0d54 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_expiration.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_expiration.xml @@ -85,8 +85,7 @@ behavior that may result. </rationale> <ident cce="4154-1" /> <oval id="accounts_password_minlen_login_defs" value="var_password_min_len"/> -<ref nist="CM-6, CM-7, IA-5, AC-3" /> -<ident cci="CCI-000205" /> +<ref nist="CM-6, CM-7, IA-5, AC-3" disa="205"/> </Rule>
@@ -104,8 +103,7 @@ after satisfying the password reuse requirement. </rationale> <ident cce="4180-6" /> <oval id="accounts_minimum_age_login_defs" /> -<ref nist="CM-6, IA-5" /> -<ident cce="CCI-000198" /> +<ref nist="CM-6, IA-5" disa="198"/> </Rule>
@@ -123,8 +121,7 @@ make the change at a practical time prior to expiration. </rationale> <ident cce="4092-3" /> <oval id="accounts_maximum_age_login_defs" /> -<ref nist="CM-6, CM-7, IA-5, AC-3" /> -<ident cci="CCI-000199" /> +<ref nist="CM-6, CM-7, IA-5, AC-3" disa="199"/> </Rule>
diff --git a/rhel6/src/input/system/accounts/restrictions/password_storage.xml b/rhel6/src/input/system/accounts/restrictions/password_storage.xml index e989bd5..8e1014b 100644 --- a/rhel6/src/input/system/accounts/restrictions/password_storage.xml +++ b/rhel6/src/input/system/accounts/restrictions/password_storage.xml @@ -48,8 +48,7 @@ which is readable by all users. </rationale> <ident cce="14300-8" /> <oval id="accounts_password_all_shadowed" /> -<ref nist="IA-5" /> -<ident cci="CCI-000196" /> +<ref nist="IA-5" disa="196" /> </Rule> </Group>
diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index 7c7f54f..5b0ceb4 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -61,10 +61,7 @@ full. This minimizes the risk of audit data filling its partition and impacting other services. However, it is possible to lose audit data if the system is busy. </description> -<!-- <ident cci="CCI-000120" /> --> -<!-- <ident cci="CCI-000166" /> --> -<!-- <ident cci="CCI-001338" /> --> -<!-- <ident cci="CCI-001339" /> --> +<ref disa="120,166,1338,1339" />
<Rule id="enable_auditd_service"> <title>Enable auditd Service</title> @@ -76,16 +73,7 @@ default): </rationale> <ident cce="4292-9" /> <oval id="service_auditd_enabled" /> -<ref nist="CM-6, CM-7" /> -<ident cci="CCI-000169" /> -<ident cci="CCI-000172" /> -<ident cci="CCI-000174" /> -<ident cci="CCI-001353" /> -<ident cci="CCI-001462" /> -<ident cci="CCI-001487" /> -<ident cci="CCI-001115" /> -<ident cci="CCI-001454" /> -<ident cci="CCI-000154" /> +<ref nist="CM-6, CM-7" disa="169,172,174,1353,1462,1487,1115,1454,154" /> </Rule>
<Rule id="enable_auditd_bootloader"> @@ -104,8 +92,7 @@ process during boot. </rationale> <ident cce="15026-8" /> <oval id="bootloader_audit_argument" /> -<ref nist="AU-2" /> -<ident cci="CCI-001464" /> +<ref nist="AU-2" disa="1464" /> </Rule>
<Group id="auditd_configure_rules"> @@ -146,12 +133,7 @@ After reviewing all the rules, reading the following sections, and editing as needed, activate the new rules: <pre># service auditd restart</pre> </description> -<ident cci="CCI-000171" /> -<ident cci="CCI-000172" /> -<ident cci="CCI-001571" /> -<ident cci="CCI-001487" /> -<ident cci="CCI-001115" /> -<ident cci="CCI-001454" /> +<ref disa="171,172,1115,1454,1487,1571" />
<Rule id="audit_time_rules"> <title>Records Events that Modify Date and Time Information</title> @@ -187,11 +169,7 @@ to capture events that modify account changes: <rationale>In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. It is recommended that any unexpected users, groups, or modifications be investigated for legitimacy.</rationale> <ident cce="14829-6" /> <oval id="audit_rules_usergroup_modification" /> -<ref nist="AU-2(a)" /> -<ident cci="CCI-001403" /> -<ident cci="CCI-001404" /> -<ident cci="CCI-001405" /> -<ident cci="CCI-000018" /> +<ref nist="AU-2(a)" disa="18,1403,1404,1405"/> </Rule>
@@ -278,7 +256,6 @@ execution of privileged commands for all users and root. Add the following to <tt>/etc/audit/audit.rules</tt>: <pre>-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged</pre> </description> - <ident cce="14296-8" /> <oval id="audit_rules_privileged_commands" /> <ref nist="AU-2" /> @@ -365,4 +342,5 @@ well as malicious modification of the audit rules.</rationale> <ref nist="AU-2" /> </Rule> </Group> + </Group> diff --git a/rhel6/src/input/system/network/iptables.xml b/rhel6/src/input/system/network/iptables.xml index 120f676..a539501 100644 --- a/rhel6/src/input/system/network/iptables.xml +++ b/rhel6/src/input/system/network/iptables.xml @@ -77,9 +77,7 @@ capability for IPv6 and ICMPv6. </rationale> <ident cce="4167-3" /> <oval id="service_ip6tables_enabled" /> -<ref nist="CM-6, CM-7" /> -<ident cci="CCI-001115" /> -<ident cci="CCI-001118" /> +<ref nist="CM-6, CM-7" disa="1115,1118"/> </Rule>
<Rule id="enable_iptables"> @@ -96,9 +94,7 @@ capability for IPv4 and ICMP. </rationale> <ident cce="4189-7" /> <oval id="service_iptables_enabled" /> -<ref nist="CM-6, CM-7" /> -<ident cci="CCI-001115" /> -<ident cci="CCI-001118" /> +<ref nist="CM-6, CM-7" disa="1115,1118" /> </Rule> </Group><!--<Group id="iptables_activation">-->
@@ -226,7 +222,7 @@ The following rule will log all traffic originating from a site-local address, w </description> <!--<ident cce="14264-6" />--> <!--MANUAL<oval id="iptables_log_and_drop_suspicious" />--> -<ref nist="AC-4, AC-17, CM-6" />--> +<ref nist="AC-4, AC-17, CM-6" /> </Rule>
</Group><!--<Group id="ruleset_modifications">--> diff --git a/rhel6/src/input/system/software/disk_partitioning.xml b/rhel6/src/input/system/software/disk_partitioning.xml index 11c303c..cad0658 100644 --- a/rhel6/src/input/system/software/disk_partitioning.xml +++ b/rhel6/src/input/system/software/disk_partitioning.xml @@ -38,9 +38,9 @@ The <tt>/tmp</tt> partition is used as temporary storage by many programs. Placing <tt>/tmp</tt> in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. </rationale> -<ident cce="14161-4" cci="1234"/> +<ident cce="14161-4"/> <oval id="mount_tmp_own_partition" /> -<ref nist="CM-6" cnss="CNSSexample1.2.3" dcid="DCIDexample1.2.3" /> +<ref nist="CM-6" /> </Rule>
<Rule id="partition_for_var"> @@ -55,9 +55,9 @@ system services such as daemons or other programs which use it. It is not uncommon for the <tt>/var</tt> directory to contain world-writable directories, installed by other software packages. </rationale> -<ident cce="14777-7" cci="5678"/> +<ident cce="14777-7"/> <oval id="mount_var_own_partition" /> -<ref nist="CM-6" cnss="CNSSexample4.5.6" dcid="DCIDexample4.5.6" /> +<ref nist="CM-6" /> </Rule>
<Rule id="partition_for_var_log"> @@ -74,8 +74,7 @@ and other files in <tt>/var/</tt>. </rationale> <ident cce="14011-1" /> <oval id="mount_var_log_own_partition" /> -<ref nist="CM-6, AU-9" cnss="CNSSexample7.8.9" dcid="DCIDexample7.8.9"/> -<ident cci="CCI-000143" /> +<ref nist="CM-6, AU-9" cnss="CNSSexample7.8.9" disa="143"/> </Rule>
<Rule id="partition_for_var_log_audit"> diff --git a/rhel6/src/input/system/software/integrity.xml b/rhel6/src/input/system/software/integrity.xml index 157152e..902ad8f 100644 --- a/rhel6/src/input/system/software/integrity.xml +++ b/rhel6/src/input/system/software/integrity.xml @@ -92,8 +92,7 @@ AIDE can be executed periodically through other means; this is merely one exampl By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files. </rationale> -<ref nist="CM-6, SC-28, SI-7" /> -<ident cci="CCI-000416" /> +<ref nist="CM-6, SC-28, SI-7" disa="416"/> </Rule>
<Rule id="aide_verify_integrity_manually"> diff --git a/rhel6/src/input/system/software/updating.xml b/rhel6/src/input/system/software/updating.xml index 33b50db..efc7834 100644 --- a/rhel6/src/input/system/software/updating.xml +++ b/rhel6/src/input/system/software/updating.xml @@ -93,8 +93,7 @@ protects against malicious tampering. </rationale> <ident cce="14914-6" /> <oval id="yum_gpgcheck_global_activation" /> -<ref nist="SI-2"/> -<ident cci="CCI-000352" /> +<ref nist="SI-2" disa="352" /> </Rule>
<Rule id="ensure_gpgcheck_never_disabled"> @@ -111,7 +110,6 @@ protects against malicious tampering. </rationale> <ident cce="14813-0" /> <oval id="yum_gpgcheck_never_disabled" /> -<ref nist="SI-2"/> -<ident cci="CCI-000352" /> +<ref nist="SI-2" disa="352"/> </Rule> </Group> diff --git a/rhel6/src/transforms/shorthand2xccdf.xslt b/rhel6/src/transforms/shorthand2xccdf.xslt index 8cc2b96..0ef3222 100644 --- a/rhel6/src/transforms/shorthand2xccdf.xslt +++ b/rhel6/src/transforms/shorthand2xccdf.xslt @@ -66,7 +66,7 @@ exclude-result-prefixes="xccdf xhtml"> </xsl:template>
<!-- expand ref attributes to reference tags, one item per reference --> - <xsl:template match="Rule/ref"> + <xsl:template match="ref"> <xsl:for-each select="@*"> <xsl:call-template name="ref-info" > <xsl:with-param name="refsource" select="name()" />
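Review bot: in the http.xml hunk, moving `</description>` below the commented-out `<!--<rationale>-->` block puts the rationale prose inside the description element. That resolves the validation failure (text sitting outside any element) but hides the rationale inside the description; uncommenting the `<rationale>` tags would keep the text in the element it was written for.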
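Review bot: in the pam.xml hunk for accounts_password_pam_cracklib_dcredit, `+<ref nist="IA-5,194" disa="194"/>` appends 194 to the nist attribute as well as to disa. 194 is a CCI number, not an 800-53 control, and since the transform now emits one reference per item this will produce a bogus NIST reference "194". The neighbouring hunks (difok, limit_password_reuse) leave the control list alone, so this should read `<ref nist="IA-5" disa="194"/>`.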
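Review bot: the last pam.xml hunk removes a closing `</Group>` and the last auditing.xml hunk adds one; these are the validation fixups mentioned in the message rather than CCI conversions. Putting unrelated nesting fixes in their own commit keeps this one easy to bisect; at minimum, the commit message should name the files whose Group nesting was corrected.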
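Review bot: in the password_expiration.xml hunk for accounts_minimum_age_login_defs the removed line was `<ident cce="CCI-000198" />`, i.e. the CCI was tagged with the cce attribute, so it was never emitted as a CCI. Replacing it with `disa="198"` silently adds a new reference to the output; worth a line in the commit message alongside "fixed other typos".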
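Review bot: the first auditing.xml hunk turns four commented-out idents (`<!-- <ident cci="CCI-000120" /> -->` and the three that follow) into a live `<ref disa="120,166,1338,1339" />`. That changes the generated content, not just the shorthand form, because those CCIs were not being emitted before. If they were commented out deliberately, keep them commented or say why they are now enabled; if they were commented out only because Group-level idents did not transform, note that the `match="ref"` change below is what makes them valid now.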
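Review bot: in disk_partitioning.xml the /tmp and /var hunks strip the placeholder `cnss="CNSSexample..."` and `dcid="DCIDexample..."` attributes, but the /var/log hunk keeps `cnss="CNSSexample7.8.9"` while dropping only dcid. Since every ref attribute is now expanded into a reference element, that example value will show up in the generated XCCDF; drop it as in the other two rules.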
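Review bot: changing the template match from `Rule/ref` to `ref` is what makes the new Group-level `<ref>` elements in ssh.xml, accounts.xml and auditing.xml transform at all, yet the shortlog only says "adjusted transform slightly". State in the commit message that Group-level refs are now expanded, and check that no other element named `ref` exists in the inputs, since the unqualified match would expand it too.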
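The message explains the design split: shorthand keeps one `ref` element with comma-separated attributes for easy data entry, while the XCCDF output gets one reference element per item so it is easy to query. The following is an added example, not code from scap-security-guide or from this patch, that performs that expansion in Python on a constructed shorthand fragment in the style of the patch, queries the result, and lints the attribute values per source (the `nist`/`disa` item patterns and the `urn:example:` hrefs are assumptions; the project's own XSLT and hrefs are not shown on this page). The lint catches the kind of slip visible in the pam.xml hunk where a CCI number ends up in the nist attribute.

```python
"""Expand shorthand <ref source="a,b"/> attributes into one XCCDF-style
<reference> element per item, lint the values, and query the result.
Added example, not scap-security-guide code; hrefs are placeholders."""
import re
import xml.etree.ElementTree as ET

# Assumed href per shorthand reference source. Constructed placeholders;
# a real transform would map each source to the document it cites.
REF_HREF = {
    "nist": "urn:example:nist-800-53",
    "disa": "urn:example:disa-cci",
}

# Assumed shape of one item per source: NIST controls such as CM-6 or
# AU-2(a), DISA CCIs as bare numbers (the shorthand drops "CCI-000").
ITEM_PATTERN = {
    "nist": re.compile(r"^[A-Z]{2}-\d+(\([0-9a-z]+\))?$"),
    "disa": re.compile(r"^\d+$"),
}

# Constructed shorthand input modelled on the hunks in the patch.
SHORTHAND = """<Group id="auditing">
  <ref disa="120,166,1338,1339" />
  <Rule id="enable_auditd_service">
    <ident cce="4292-9" />
    <ref nist="CM-6, CM-7" disa="169,172,174" />
  </Rule>
  <Rule id="enable_ip6tables">
    <ref nist="CM-6, CM-7" disa="1115,1118" />
  </Rule>
</Group>"""


def split_items(value):
    """Split a comma-separated attribute value into its non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_refs(root):
    """Return 'source: item' strings for items that do not fit their source."""
    problems = []
    for ref in root.iter("ref"):
        for source, value in ref.attrib.items():
            pattern = ITEM_PATTERN.get(source)
            for item in split_items(value):
                if pattern is not None and not pattern.match(item):
                    problems.append(f"{source}: {item}")
    return problems


def expand_refs(root):
    """Replace every <ref>, at Group or Rule level, with one <reference>
    per item, keeping the position the original <ref> had."""
    for parent in list(root.iter()):  # snapshot: children are mutated below
        for ref in list(parent.findall("ref")):
            pos = list(parent).index(ref)
            parent.remove(ref)
            for source, value in ref.attrib.items():
                href = REF_HREF.get(source, f"urn:example:{source}")
                for item in split_items(value):
                    elem = ET.Element("reference", href=href)
                    elem.text = item
                    parent.insert(pos, elem)
                    pos += 1
    return root


def items_referencing(root, source, item):
    """Ids of Groups/Rules carrying a <reference> for this source and item:
    the query that one-item-per-element makes a simple equality test."""
    href = REF_HREF[source]
    return [
        elem.get("id")
        for elem in root.iter()
        if elem.tag in ("Group", "Rule")
        and any(r.get("href") == href and r.text == item
                for r in elem.findall("reference"))
    ]


def lint_shorthand(text):
    """Parse shorthand XML text and lint its <ref> attributes."""
    return lint_refs(ET.fromstring(text))


def expand_shorthand(text):
    """Parse shorthand XML text and return the expanded tree root."""
    return expand_refs(ET.fromstring(text))


if __name__ == "__main__":
    tree = expand_shorthand(SHORTHAND)
    print(ET.tostring(tree, encoding="unicode"))
    print("CM-6 ->", items_referencing(tree, "nist", "CM-6"))
    print(lint_shorthand('<Rule id="x"><ref nist="IA-5,194" disa="194"/></Rule>'))
```

Running the lint before `make content` would flag `nist: 194` for the pam.xml line; the expansion keeps Group-level references at the Group, which is why the query for CCI 120 returns the `auditing` Group rather than any Rule.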
On 4/27/12 2:54 PM, Jeffrey Blank wrote:
This may break some transforms (to tables) which might be expecting that all references from a certain source are in a single reference element. Any other transforms will be fixed up shortly.
As the XCCDF output should be as easy as possible to query, individual items from a particular reference source now appear as separate reference elements. XCCDF input/shorthand, on the other hand, should be as easy as possible to use for data entry.
This patch also included some fixups needed to ensure validation. I usually try to do a "make content; make validate" before committing.
Patch applied locally and works with a make all, and you mentioned you were going to fix up the table transforms. Ack.
This also makes it much easier to replace the disa= tag with cci= later, should I win that conversation ;)
scap-security-guide@lists.fedorahosted.org