On 11/12/13, 1:19 PM, Steinke, Leland J Sr CTR DISA FSO (US) wrote:
This is mostly updates to RHEL6/input/auxiliary/stig_overlay.xml.
Many thanks go to Robert Burns of BAE for providing his suggestions for sanity checks.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr(a)mail.mil (gov't)
lsteinke(a)tapestrytech.com (com'l)
0001-partial-remap-of-STIG-to-SSG-IDs-and-two-typo-fixes.patch
From 63959eea88d5bae8c212b3bd4c9d5b50ed8180ef Mon Sep 17 00:00:00 2001
From: steinkel<leland.j.steinke.ctr(a)mail.mil>
Date: Tue, 12 Nov 2013 13:05:54 -0500
Subject: [PATCH] partial remap of STIG to SSG IDs and two typo fixes
---
RHEL6/input/auxiliary/stig_overlay.xml | 196 +++++++++++++++--------------
RHEL6/input/system/permissions/files.xml | 2 +-
RHEL6/input/system/software/integrity.xml | 2 +-
3 files changed, 103 insertions(+), 97 deletions(-)
diff --git a/RHEL6/input/auxiliary/stig_overlay.xml
b/RHEL6/input/auxiliary/stig_overlay.xml
index d322169..ec19058 100644
--- a/RHEL6/input/auxiliary/stig_overlay.xml
+++ b/RHEL6/input/auxiliary/stig_overlay.xml
@@ -12,13 +12,13 @@
<overlay owner="disastig" ruleid="partition_for_var_log_audit"
ownerid="RHEL-06-000004" disa="137" severity="low">
<title>The system must use a separate file system for the system audit data
path.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000005" disa="138" severity="medium">
+ <overlay owner="disastig"
ruleid="auditd_data_retention_space_left_action"
ownerid="RHEL-06-000005" disa="138" severity="medium">
<title>The audit system must alert designated staff members when the audit
storage volume approaches capacity.</title>
</overlay>
<overlay owner="disastig" ruleid="partition_for_home"
ownerid="RHEL-06-000007" disa="366" severity="low">
<title>The system must use a separate file system for user home
directories.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000008" disa="352" severity="high">
+ <overlay owner="disastig"
ruleid="ensure_redhat_gpgkey_installed" ownerid="RHEL-06-000008"
disa="352" severity="high">
<title>Vendor-provided cryptographic certificates must be installed to verify
the integrity of system software.</title>
</overlay>
<overlay owner="disastig" ruleid="service_rhnsd_disabled"
ownerid="RHEL-06-000009" disa="382" severity="low">
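Review bot: the new ruleid for RHEL-06-000005, `auditd_data_retention_space_left_action`, is also assigned to RHEL-06-000311 later in this patch, yet the two titles describe different requirements (alerting designated staff vs. a warning at a documented percentage of capacity). Confirm that one SSG rule is meant to satisfy both STIG IDs and state that in the commit message, so the duplicate is not later mistaken for a copy error.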
@@ -33,7 +33,7 @@
<overlay owner="disastig"
ruleid="ensure_gpgcheck_never_disabled" ownerid="RHEL-06-000015"
disa="663" severity="low">
<title>The system package management tool must cryptographically verify the
authenticity of all software packages during installation.</title>
</overlay>
- <overlay owner="disastig" ruleid="install_aide"
ownerid="RHEL-06-000016" disa="1069" severity="medium">
+ <overlay owner="disastig" ruleid="package_aide_installed"
ownerid="RHEL-06-000016" disa="1069" severity="medium">
<title>A file integrity tool must be installed.</title>
</overlay>
<overlay owner="disastig" ruleid="enable_selinux_bootloader"
ownerid="RHEL-06-000017" disa="22" severity="medium">
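Review bot: this hunk renames an already-resolved mapping, `install_aide` to `package_aide_installed`, and a later hunk does the same for `install_screen_package` to `package_screen_installed`. If these track renames of the rules on the SSG side, say so in the commit message; the subject only mentions filling in unmapped IDs and two typo fixes, so a reader would not expect existing mappings to change.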
@@ -51,58 +51,58 @@
<overlay owner="disastig"
ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-06-000025"
disa="22" severity="low">
<title>All device files must be monitored by the system Linux Security
Module.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000027" disa="770" severity="medium">
+ <overlay owner="disastig"
ruleid="securetty_root_login_console_only" ownerid="RHEL-06-000027"
disa="770" severity="medium">
<title>The system must prevent the root account from logging in from virtual
consoles.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000028" disa="770" severity="low">
+ <overlay owner="disastig" ruleid="restrict_serial_port_logins"
ownerid="RHEL-06-000028" disa="770" severity="low">
<title>The system must prevent the root account from logging in from serial
consoles.</title>
</overlay>
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000029" disa="366" severity="medium">
<title>Default system accounts, other than root, must be locked.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000030" disa="366" severity="high">
+ <overlay owner="disastig" ruleid="no_empty_passwords"
ownerid="RHEL-06-000030" disa="366" severity="high">
<title>The system must not have accounts configured with blank or null
passwords.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000031" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="no_hashes_outside_shadow"
ownerid="RHEL-06-000031" disa="366" severity="medium">
<title>The /etc/passwd file must not contain password hashes.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000032" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="no_uidzero_except_root"
ownerid="RHEL-06-000032" disa="366" severity="medium">
<title>The root account must be the only account having a UID of
0.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000033" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="userowner_shadow_file"
ownerid="RHEL-06-000033" disa="366" severity="medium">
<title>The /etc/shadow file must be owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000034" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="groupowner_shadow_file"
ownerid="RHEL-06-000034" disa="366" severity="medium">
<title>The /etc/shadow file must be group-owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000035" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="file_permissions_etc_shadow"
ownerid="RHEL-06-000035" disa="366" severity="medium">
<title>The /etc/shadow file must have mode 0000.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000036" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="userowner_gshadow_file"
ownerid="RHEL-06-000036" disa="366" severity="medium">
<title>The /etc/gshadow file must be owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000037" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="groupowner_gshadow_file"
ownerid="RHEL-06-000037" disa="366" severity="medium">
<title>The /etc/gshadow file must be group-owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000038" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="perms_gshadow_file"
ownerid="RHEL-06-000038" disa="366" severity="medium">
<title>The /etc/gshadow file must have mode 0000.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000039" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="userowner_passwd_file"
ownerid="RHEL-06-000039" disa="366" severity="medium">
<title>The /etc/passwd file must be owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000040" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="groupowner_passwd_file"
ownerid="RHEL-06-000040" disa="366" severity="medium">
<title>The /etc/passwd file must be group-owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000041" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="file_permissions_etc_passwd"
ownerid="RHEL-06-000041" disa="366" severity="medium">
<title>The /etc/passwd file must have mode 0644 or less
permissive.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000042" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="userowner_group_file"
ownerid="RHEL-06-000042" disa="366" severity="medium">
<title>The /etc/group file must be owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000043" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="groupowner_group_file"
ownerid="RHEL-06-000043" disa="366" severity="medium">
<title>The /etc/group file must be group-owned by root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000044" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="perms_group_file"
ownerid="RHEL-06-000044" disa="366" severity="medium">
<title>The /etc/group file must have mode 0644 or less
permissive.</title>
</overlay>
<overlay owner="disastig"
ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045"
disa="1499" severity="medium">
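Review bot: the new ruleids in this hunk mix two naming patterns for the same kind of check: `file_permissions_etc_shadow` and `file_permissions_etc_passwd` alongside `perms_gshadow_file` and `perms_group_file`. The overlay links to an SSG rule purely by this string, so an id that does not exist in the compiled content fails silently; each should be confirmed against the actual rule ids rather than inferred from a pattern. RHEL-06-000029 ("Default system accounts, other than root, must be locked") still carries `ruleid="XXXX"`, which is consistent with "partial remap" in the subject but worth listing explicitly in the commit message.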
@@ -126,7 +126,7 @@
<overlay owner="disastig"
ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-06-000053"
disa="199" severity="medium">
<title>User passwords must be changed at least every 60 days.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000054" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="accounts_password_warn_age_login_defs"
ownerid="RHEL-06-000054" disa="366" severity="low">
<title>Users must be warned 7 days in advance of password
expiration.</title>
</overlay>
<overlay owner="disastig" ruleid="password_require_digits"
ownerid="RHEL-06-000056" disa="194" severity="low">
@@ -156,13 +156,13 @@
<overlay owner="disastig"
ruleid="set_password_hashing_algorithm_libuserconf"
ownerid="RHEL-06-000064" disa="803" severity="medium">
<title>The system must use a FIPS 140-2 approved cryptographic hashing
algorithm for generating account password hashes (libuser.conf).</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000065" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="user_owner_grub_conf"
ownerid="RHEL-06-000065" disa="366" severity="medium">
<title>The system boot loader configuration file(s) must be owned by
root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000066" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="group_owner_grub_conf"
ownerid="RHEL-06-000066" disa="366" severity="medium">
<title>The system boot loader configuration file(s) must be group-owned by
root.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000067" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="permissions_grub_conf"
ownerid="RHEL-06-000067" disa="366" severity="medium">
<title>The system boot loader configuration file(s) must have mode 0600 or less
permissive.</title>
</overlay>
<overlay owner="disastig" ruleid="bootloader_password"
ownerid="RHEL-06-000068" disa="213" severity="medium">
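Review bot: `user_owner_grub_conf` and `group_owner_grub_conf` put an underscore between `user`/`group` and `owner`, whereas the earlier hunk uses `userowner_shadow_file` and `groupowner_shadow_file`. If both spellings are genuine SSG rule ids that is fine, but if either is a typo the overlay will point at a rule that does not exist, so verify both forms literally.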
@@ -174,67 +174,67 @@
<overlay owner="disastig" ruleid="disable_interactive_boot"
ownerid="RHEL-06-000070" disa="213" severity="medium">
<title>The system must not permit interactive boot.</title>
</overlay>
- <overlay owner="disastig" ruleid="install_screen_package"
ownerid="RHEL-06-000071" disa="58" severity="low">
+ <overlay owner="disastig" ruleid="package_screen_installed"
ownerid="RHEL-06-000071" disa="58" severity="low">
<title>The system must allow locking of the console screen.</title>
</overlay>
<overlay owner="disastig" ruleid="set_system_login_banner"
ownerid="RHEL-06-000073" disa="1384, 1385, 1386, 1387, 1388"
severity="medium">
<title>The Department of Defense (DoD) login banner must be displayed
immediately prior to, or as part of, console login prompts.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000078" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="enable_randomize_va_space"
ownerid="RHEL-06-000078" disa="366" severity="medium">
<title>The system must implement virtual address space
randomization.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000079" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="enable_execshield"
ownerid="RHEL-06-000079" disa="366" severity="medium">
<title>The system must limit the ability of processes to have simultaneous
write and execute access to memory.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000080" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_default_send_redirects"
ownerid="RHEL-06-000080" disa="366" severity="medium">
<title>The system must not send ICMPv4 redirects by default.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000081" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_ipv4_all_send_redirects" ownerid="RHEL-06-000081"
disa="366" severity="medium">
<title>The system must not send ICMPv4 redirects from any
interface.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000082" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="sysctl_ipv4_ip_forward"
ownerid="RHEL-06-000082" disa="366" severity="medium">
<title>IP forwarding for IPv4 must not be enabled, unless the system is a
router.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000083" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_all_accept_source_route"
ownerid="RHEL-06-000083" disa="366" severity="medium">
<title>The system must not accept IPv4 source-routed packets on any
interface.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000084" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_all_accept_redirects"
ownerid="RHEL-06-000084" disa="366" severity="medium">
<title>The system must not accept ICMPv4 redirect packets on any
interface.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000086" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_all_secure_redirects"
ownerid="RHEL-06-000086" disa="366" severity="medium">
<title>The system must not accept ICMPv4 secure redirect packets on any
interface.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000088" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_all_log_martians"
ownerid="RHEL-06-000088" disa="366" severity="low">
<title>The system must log Martian packets.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000089" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_default_accept_source_route"
ownerid="RHEL-06-000089" disa="366" severity="medium">
<title>The system must not accept IPv4 source-routed packets by
default.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000090" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_default_secure_redirects"
ownerid="RHEL-06-000090" disa="366" severity="medium">
<title>The system must not accept ICMPv4 secure redirect packets by
default.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000091" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_default_accept_redirects"
ownerid="RHEL-06-000091" disa="366" severity="low">
<title>The system must ignore IPv4 ICMP redirect messages.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000092" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"
ownerid="RHEL-06-000092" disa="366" severity="low">
<title>The system must not respond to ICMPv4 sent to a broadcast
address.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000093" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"
ownerid="RHEL-06-000093" disa="366" severity="low">
<title>The system must ignore ICMPv4 bogus error responses.</title>
</overlay>
<overlay owner="disastig"
ruleid="sysctl_net_ipv4_tcp_syncookies" ownerid="RHEL-06-000095"
disa="1095" severity="medium">
<title>The system must be configured to use TCP syncookies when experiencing a
TCP SYN flood.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000096" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-06-000096"
disa="366" severity="medium">
<title>The system must use a reverse-path filter for IPv4 network traffic when
possible on all interfaces.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000097" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv4_conf_default_rp_filter"
ownerid="RHEL-06-000097" disa="366" severity="medium">
<title>The system must use a reverse-path filter for IPv4 network traffic when
possible by default.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000098" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="kernel_module_ipv6_option_disabled" ownerid="RHEL-06-000098"
disa="366" severity="medium">
<title>The IPv6 protocol handler must not be bound to the network stack unless
needed.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000099" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="sysctl_net_ipv6_conf_default_accept_redirects_value"
ownerid="RHEL-06-000099" disa="366" severity="medium">
<title>The system must ignore ICMPv6 redirects by default.</title>
</overlay>
<overlay owner="disastig" ruleid="service_ip6tables_enabled"
ownerid="RHEL-06-000103" disa="1118" severity="medium">
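Review bot: the sysctl ruleids in this hunk come in three shapes: the full form `sysctl_net_ipv4_conf_default_send_redirects`, the abbreviated `sysctl_ipv4_all_send_redirects` and `sysctl_ipv4_ip_forward`, and `sysctl_net_ipv6_conf_default_accept_redirects_value` with a trailing `_value` that no other id in the file carries. Check each against the SSG rule ids character for character, since a one-token difference is enough to leave that STIG ID unlinked without any error.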
@@ -306,10 +306,10 @@
<overlay owner="disastig"
ruleid="rsyslog_send_messages_to_logserver" ownerid="RHEL-06-000136"
disa="1348" severity="medium">
<title>The operating system must back up audit records on an organization
defined frequency onto a different system or media than the system being audited.
</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000137" disa="136" severity="medium">
+ <overlay owner="disastig"
ruleid="rsyslog_send_messages_to_logserver" ownerid="RHEL-06-000137"
disa="136" severity="medium">
<title>The operating system must support the requirement to centrally manage
the content of audit records generated by organization defined information system
components.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000138" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="ensure_logrotate_activated"
ownerid="RHEL-06-000138" disa="366" severity="low">
<title>System logs must be rotated daily.</title>
</overlay>
<overlay owner="disastig" ruleid="service_auditd_enabled"
ownerid="RHEL-06-000139" disa="347" severity="medium">
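Review bot: RHEL-06-000137 is mapped to `rsyslog_send_messages_to_logserver`, the same ruleid already used by RHEL-06-000136 directly above it in this hunk. If one rule deliberately satisfies both requirements (off-system backup and central management of audit records), note that in the commit message and confirm that whatever consumes the overlay accepts a ruleid appearing under more than one ownerid.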
@@ -342,13 +342,13 @@
<overlay owner="disastig" ruleid="enable_auditd_bootloader"
ownerid="RHEL-06-000157" disa="1464" severity="low">
<title>Auditing must be enabled at boot by setting a kernel
parameter.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000159" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="configure_auditd_num_logs"
ownerid="RHEL-06-000159" disa="366" severity="medium">
<title>The system must retain enough rotated audit logs to cover the required
log retention period.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000160" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="configure_auditd_max_log_file"
ownerid="RHEL-06-000160" disa="366" severity="medium">
<title>The system must set a maximum audit log file size.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000161" disa="366" severity="medium">
+ <overlay owner="disastig"
ruleid="configure_auditd_max_log_file_action" ownerid="RHEL-06-000161"
disa="366" severity="medium">
<title>The system must rotate audit log files that reach the maximum file
size.</title>
</overlay>
<overlay owner="disastig"
ruleid="configure_auditd_admin_space_left_action"
ownerid="RHEL-06-000163" disa="1343" severity="medium">
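Review bot: the three new ids here use the `configure_auditd_*` prefix, matching the `configure_auditd_admin_space_left_action` context line, while the first hunk used `auditd_data_retention_space_left_action` for the related space_left setting and the file also contains `auditd_data_retention_action_mail_acct`. Two prefixes for one family of auditd.conf checks suggests at least one may be stale; verify the actual rule ids rather than relying on either prefix.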
@@ -381,10 +381,10 @@
<overlay owner="disastig" ruleid="audit_account_changes"
ownerid="RHEL-06-000177" disa="1405" severity="low">
<title>The operating system must automatically audit account
termination.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000182" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="audit_network_modifications"
ownerid="RHEL-06-000182" disa="366" severity="low">
<title>The audit system must be configured to audit modifications to the
systems network configuration.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000183" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="audit_mac_changes"
ownerid="RHEL-06-000183" disa="366" severity="low">
<title>The audit system must be configured to audit modifications to the
system's Mandatory Access Control (MAC) configuration (SELinux).</title>
</overlay>
<overlay owner="disastig"
ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-06-000184"
disa="172" severity="low">
@@ -459,7 +459,7 @@
<overlay owner="disastig" ruleid="uninstall_rsh-server"
ownerid="RHEL-06-000213" disa="381" severity="high">
<title>The rsh-server package must not be installed.</title>
</overlay>
- <overlay owner="disastig" ruleid=""
ownerid="RHEL-06-000214" disa="68" severity="high">
+ <overlay owner="disastig" ruleid="disable_rsh"
ownerid="RHEL-06-000214" disa="68" severity="high">
<title>The rshd service must not be running.</title>
</overlay>
<overlay owner="disastig" ruleid="disable_rexec"
ownerid="RHEL-06-000216" disa="68" severity="high">
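Review bot: the pre-patch placeholder for RHEL-06-000214 was `ruleid=""` rather than the `XXXX` used elsewhere, and a later entry carried the numeric value `143`. With at least three placeholder styles in one file, the sanity checks mentioned in the cover mail should treat empty, `XXXX` and purely numeric ruleids as unmapped, rather than matching the `XXXX` literal alone.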
@@ -522,7 +522,7 @@
<overlay owner="disastig" ruleid="sshd_use_approved_ciphers"
ownerid="RHEL-06-000245" disa="1146" severity="medium">
<title>The operating system must employ NSA-approved cryptography to protect
classified information.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000246" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="disable_avahi"
ownerid="RHEL-06-000246" disa="366" severity="low">
<title>The avahi service must be disabled.</title>
</overlay>
<overlay owner="disastig" ruleid="service_ntpd_enabled"
ownerid="RHEL-06-000247" disa="160" severity="medium">
@@ -534,16 +534,16 @@
<overlay owner="disastig" ruleid="postfix_network_listening"
ownerid="RHEL-06-000249" disa="382" severity="medium">
<title>Mail relaying must be restricted.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000251" disa="778" severity="medium">
+ <overlay owner="disastig" ruleid="nonselected"
ownerid="RHEL-06-000251" disa="778" severity="medium">
<title>The operating system must uniquely identify and authenticate an
organization defined list of specific devices and/or types of devices before establishing
a connection.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000252" disa="1453" severity="medium">
+ <overlay owner="disastig" ruleid="ldap_client_start_tls"
ownerid="RHEL-06-000252" disa="1453" severity="medium">
<title>If the system is using LDAP for authentication or account information,
the system must use a TLS connection using FIPS 140-2 approved cryptographic
algorithms.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000253" disa="776" severity="medium">
+ <overlay owner="disastig" ruleid="ldap_client_tls_cacertpath"
ownerid="RHEL-06-000253" disa="776" severity="medium">
<title>The LDAP client must use a TLS connection using trust certificates
signed by the site CA.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000256" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="package_openldap-servers_removed" ownerid="RHEL-06-000256"
disa="366" severity="low">
<title>The openldap-servers package must not be installed unless
required.</title>
</overlay>
<overlay owner="disastig"
ruleid="set_screensaver_inactivity_timeout" ownerid="RHEL-06-000257"
disa="57" severity="medium">
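Review bot: `ruleid="nonselected"` for RHEL-06-000251 introduces a new sentinel alongside `XXXX`. Document what it means (no SSG rule implements this STIG ID, as opposed to not yet mapped), either in a comment in the file or in the commit message, so a validation pass can tell intentional gaps from remaining work.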
@@ -564,7 +564,7 @@
<overlay owner="disastig" ruleid="service_atd_disabled"
ownerid="RHEL-06-000262" disa="382" severity="low">
<title>The atd service must be disabled.</title>
</overlay>
- <overlay owner="disastig" ruleid="service_autofs_disabled"
ownerid="RHEL-06-000263" disa="1250" severity="low">
+ <overlay owner="disastig" ruleid="nonselected"
ownerid="RHEL-06-000263" disa="1250" severity="low">
<title>Automated file system mounting tools must not be enabled unless
needed.</title>
</overlay>
<overlay owner="disastig" ruleid="service_ntpdate_disabled"
ownerid="RHEL-06-000265" disa="382" severity="low">
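Review bot: this hunk replaces an existing concrete mapping, `service_autofs_disabled` for RHEL-06-000263, with `nonselected`, although the title ("Automated file system mounting tools must not be enabled unless needed") reads as exactly what that rule would check. Dropping a mapping is not covered by "remap" in the subject line; the commit message should state why the rule no longer applies.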
@@ -588,10 +588,10 @@
<overlay owner="disastig"
ruleid="mountopt_noexec_on_removable_partitions"
ownerid="RHEL-06-000271" disa="87" severity="low">
<title>The noexec option must be added to removable media
partitions.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000272" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="require_smb_client_signing"
ownerid="RHEL-06-000272" disa="366" severity="low">
<title>The system must use SMB client signing for connecting to samba servers
using smbclient.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000273" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="require_smb_client_signing_mount.cifs"
ownerid="RHEL-06-000273" disa="366" severity="low">
<title>The system must use SMB client signing for connecting to samba servers
using mount.cifs.</title>
</overlay>
<overlay owner="disastig"
ruleid="accounts_password_reuse_limit" ownerid="RHEL-06-000274"
disa="200" severity="medium">
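Review bot: `require_smb_client_signing_mount.cifs` is the only ruleid in this file containing a dot. If that is the literal SSG rule id it is fine, but confirm it: the neighbouring `require_smb_client_signing` suggests a suffix pattern, and the dot could be a transcription of the `mount.cifs` command name rather than of the rule id.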
@@ -618,7 +618,7 @@
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000281" disa="1496" severity="medium">
<title>The system package management tool must verify contents of all files
associated with the audit package.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000282" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="world_writeable_files"
ownerid="RHEL-06-000282" disa="366" severity="medium">
<title>There must be no world-writable files on the system.</title>
</overlay>
<overlay owner="disastig" ruleid="install_antivirus"
ownerid="RHEL-06-000284" disa="1668" severity="high">
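Review bot: `world_writeable_files` spells "writeable" with an e, while the title on the next line says "world-writable" and the last hunk uses `world_writable_files_system_ownership` and `sticky_world_writable_dirs`. One of the two spellings is likely a typo in the rule id; check which one the SSG content actually defines.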
@@ -627,28 +627,28 @@
<overlay owner="disastig" ruleid="install_hids"
ownerid="RHEL-06-000285" disa="1263" severity="medium">
<title>The system must have a host-based intrusion detection tool
installed.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000286" disa="366" severity="high">
+ <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot"
ownerid="RHEL-06-000286" disa="366" severity="high">
<title>The x86 Ctrl-Alt-Delete key sequence must be disabled.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000287" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="service_postfix_enabled"
ownerid="RHEL-06-000287" disa="366" severity="low">
<title>The postfix service must be enabled for mail delivery.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000288" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="package_sendmail_removed"
ownerid="RHEL-06-000288" disa="366" severity="medium">
<title>The sendmail package must be removed.</title>
</overlay>
<overlay owner="disastig" ruleid="service_netconsole_disabled"
ownerid="RHEL-06-000289" disa="382" severity="low">
<title>The netconsole service must be disabled unless required.</title>
</overlay>
- <overlay owner="disastig" ruleid="packagegroup_xwindows_remove"
ownerid="RHEL-06-000290" disa="1436" severity="medium">
+ <overlay owner="disastig"
ruleid="disable_xwindows_with_runlevel" ownerid="RHEL-06-000290"
disa="1436" severity="medium">
<title>X Windows must not be enabled unless required.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000291" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="packagegroup_xwindows_remove"
ownerid="RHEL-06-000291" disa="366" severity="low">
<title>The xorg-x11-server-common (X Windows) package must not be installed,
unless required.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000292" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="disable_dhcp_client"
ownerid="RHEL-06-000292" disa="366" severity="medium">
<title>The DHCP client must be disabled if not needed.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000294" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="gid_passwd_group_same"
ownerid="RHEL-06-000294" disa="366" severity="low">
<title>All GIDs referenced in /etc/passwd must be defined in
/etc/group</title>
</overlay>
<overlay owner="disastig" ruleid="account_unique_name"
ownerid="RHEL-06-000296" disa="804" severity="low">
@@ -660,7 +660,7 @@
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000298" disa="1682" severity="low">
<title>Emergency accounts must be provisioned with an expiration
date.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000299" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="password_require_consecrepeat"
ownerid="RHEL-06-000299" disa="366" severity="low">
<title>The system must require passwords to contain no more than three
consecutive repeating characters.</title>
</overlay>
<overlay owner="disastig" ruleid="no_files_unowned_by_user"
ownerid="RHEL-06-000300" disa="224" severity="low">
@@ -687,13 +687,13 @@
<overlay owner="disastig" ruleid="aide_periodic_cron_checking"
ownerid="RHEL-06-000307" disa="1589" severity="medium">
<title>The operating system must ensure unauthorized, security-relevant
configuration changes detected are tracked.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000308" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="disable_users_coredumps"
ownerid="RHEL-06-000308" disa="366" severity="low">
<title>Process core dumps must be disabled unless needed.</title>
</overlay>
<overlay owner="disastig" ruleid="no_insecure_locks_exports"
ownerid="RHEL-06-000309" disa="764" severity="high">
<title>The NFS server must not have the insecure file locking option
enabled.</title>
</overlay>
- <overlay owner="disastig" ruleid="143"
ownerid="RHEL-06-000311" disa="143" severity="medium">
+ <overlay owner="disastig"
ruleid="auditd_data_retention_space_left_action"
ownerid="RHEL-06-000311" disa="143" severity="medium">
<title>The audit system must provide a warning when allocated audit record
storage volume reaches a documented percentage of maximum audit record storage
capacity.</title>
</overlay>
<overlay owner="disastig"
ruleid="auditd_data_retention_action_mail_acct"
ownerid="RHEL-06-000313" disa="139" severity="medium">
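Review bot: the old value `ruleid="143"` for RHEL-06-000311 duplicated the `disa="143"` attribute on the same element, a copy error rather than a placeholder, which is one more reason for a check that every ruleid looks like a rule name. The replacement `auditd_data_retention_space_left_action` is the same id given to RHEL-06-000005 in the first hunk; confirm that the duplicate is intended.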
@@ -729,37 +729,37 @@
<overlay owner="disastig"
ruleid="account_disable_post_pw_expiration" ownerid="RHEL-06-000335"
disa="795" severity="low">
<title>The operating system must manage information system identifiers for
users and devices by disabling the user identifier after an organization defined time
period of inactivity.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000336" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="sticky_world_writable_dirs"
ownerid="RHEL-06-000336" disa="366" severity="low">
<title>The sticky bit must be set on all public directories.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000337" disa="366" severity="low">
+ <overlay owner="disastig"
ruleid="world_writable_files_system_ownership"
ownerid="RHEL-06-000337" disa="366" severity="low">
<title>All public directories must be owned by a system account.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000338" disa="366" severity="high">
+ <overlay owner="disastig" ruleid="tftpd_uses_secure_mode"
ownerid="RHEL-06-000338" disa="366" severity="high">
<title>The TFTP daemon must operate in "secure mode" which provides
access only to a single directory on the host file system.</title>
</overlay>
<overlay owner="disastig" ruleid="ftp_log_transactions"
ownerid="RHEL-06-000339" disa="130" severity="low">
<title>The FTP daemon must be configured for logging or verbose
mode.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000340" disa="366" severity="medium">
+ <overlay owner="disastig" ruleid="snmpd_use_newer_protocol"
ownerid="RHEL-06-000340" disa="366" severity="medium">
<title>The snmpd service must use only SNMP protocol version 3 or
newer.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000341" disa="366" severity="high">
+ <overlay owner="disastig" ruleid="snmpd_not_default_password"
ownerid="RHEL-06-000341" disa="366" severity="high">
<title>The snmpd service must not use a default password.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000342" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="user_umask_bashrc"
ownerid="RHEL-06-000342" disa="366" severity="low">
<title>The system default umask for the bash shell must be 077.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000343" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="user_umask_cshrc"
ownerid="RHEL-06-000343" disa="366" severity="low">
<title>The system default umask for the csh shell must be 077.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000344" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="user_umask_profile"
ownerid="RHEL-06-000344" disa="366" severity="low">
<title>The system default umask in /etc/profile must be 077.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000345" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="user_umask_logindefs"
ownerid="RHEL-06-000345" disa="366" severity="low">
<title>The system default umask in /etc/login.defs must be 077.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000346" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="umask_for_daemons"
ownerid="RHEL-06-000346" disa="366" severity="low">
<title>The system default umask for daemons must be 027 or 022.</title>
</overlay>
<overlay owner="disastig" ruleid="no_netrc_files"
ownerid="RHEL-06-000347" disa="196" severity="medium">
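Review bot: the mapping of RHEL-06-000337 ("All public directories must be owned by a system account") to world_writable_files_system_ownership pairs a title about directories with a rule id that says "files"; the check for that rule in files.xml later in this patch searches with `-type d`, so the mapping is consistent, but a comment or a better-named rule id would save the next reader the same double take. The umask entries look right: user_umask_bashrc, user_umask_cshrc, user_umask_profile and user_umask_logindefs each map to the single file the STIG title names, and umask_for_daemons carries the separate 027/022 requirement.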
@@ -777,18 +777,18 @@
<overlay owner="disastig"
ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357"
disa="1452" severity="medium">
<title>The system must disable accounts after excessive login failures within a
15-minute interval.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000359" disa="20" severity="medium">
+ <overlay owner="disastig" ruleid="unselected"
ownerid="RHEL-06-000359" disa="20" severity="medium">
<title>The operating system must dynamically manage user privileges and
associated access authorizations.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000367" disa="31" severity="medium">
+ <overlay owner="disastig" ruleid="unselected"
ownerid="RHEL-06-000367" disa="31" severity="medium">
<title>The operating system must support organization defined one-way flows
using hardware mechanisms.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000368" disa="34" severity="medium">
+ <overlay owner="disastig" ruleid="unselected"
ownerid="RHEL-06-000368" disa="34" severity="medium">
<title>The operating system must provide the capability for a privileged
administrator to enable/disable organization defined security policy
filters.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000371" disa="52" severity="medium">
+ <overlay owner="disastig" ruleid="unselected"
ownerid="RHEL-06-000371" disa="52" severity="medium">
<title>The operating system, upon successful logon, must display to the user
the date and time of the last logon (access) via GUI.</title>
- </overlay>
+ </overlay>
<overlay owner="disastig" ruleid="display_login_attempts"
ownerid="RHEL-06-000372" disa="53" severity="medium">
<title>The operating system, upon successful logon/access, must display to the
user the number of unsuccessful logon/access attempts since the last successful
logon/access.</title>
</overlay>
@@ -816,16 +816,16 @@
<overlay owner="disastig" ruleid="met_inherently_nonselected"
ownerid="RHEL-06-000380" disa="154" severity="medium">
<title>Operating system must support the capability to centralize the review
and analysis of audit records from multiple components within the system.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000381" disa="156" severity="medium">
+ <overlay owner="disastig" ruleid="met_inherently"
ownerid="RHEL-06-000381" disa="156" severity="medium">
<title>The operating system must support an audit reduction
capability.</title>
</overlay>
<overlay owner="disastig" ruleid="met_inherently_auditing"
ownerid="RHEL-06-000382" disa="159" severity="medium">
<title>The operating system must use internal system clocks to generate time
stamps for audit records.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000383" disa="163" severity="medium">
+ <overlay owner="disastig" ruleid="audit_logs_permissions"
ownerid="RHEL-06-000383" disa="163" severity="medium">
<title>Audit log files must have mode 0640 or less permissive.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000384" disa="162" severity="medium">
+ <overlay owner="disastig" ruleid="audit_logs_rootowner"
ownerid="RHEL-06-000384" disa="162" severity="medium">
<title>Audit log files must be owned by root.</title>
</overlay>
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000385" disa="164" severity="medium">
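Review bot: ruleid="met_inherently" on RHEL-06-000381 (audit reduction) has no suffix, while the neighbouring entries use met_inherently_nonselected and met_inherently_auditing; confirm this is a deliberate third category and not a truncated met_inherently_auditing, since audit reduction belongs with the auditing group. audit_logs_permissions (mode 0640) and audit_logs_rootowner (owned by root) for 000383 and 000384 match their titles; RHEL-06-000385 directly below stays at XXXX, which is expected for a partial remap but worth listing in the commit message so it is not lost.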
@@ -990,10 +990,10 @@
<overlay owner="disastig" ruleid="met_inherently_nonselected"
ownerid="RHEL-06-000501" disa="1670" severity="medium">
<title>The operating system must take organization defined list of least
disruptive actions to terminate suspicious events.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000502" disa="1674" severity="medium">
+ <overlay owner="disastig" ruleid="unselected"
ownerid="RHEL-06-000502" disa="1674" severity="medium">
<title>The operating system must respond to security function anomalies in
accordance with organization defined responses and alternative action(s).</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000503" disa="86" severity="medium">
+ <overlay owner="disastig"
ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000503"
disa="86" severity="medium">
<title>The system must have USB Mass Storage disabled unless
needed.</title>
</overlay>
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000504" disa="535" severity="medium">
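Review bot: ruleid="kernel_module_usb-storage_disabled" on RHEL-06-000503 is the only rule id in this file containing a hyphen; every other id uses underscores only. The hyphen is presumably taken from the module name usb-storage, so confirm the Rule id in the guide is spelled exactly this way, otherwise the overlay entry silently fails to match. RHEL-06-000502 gets the same "unselected" placeholder discussed on the earlier hunk and should follow whatever convention is settled there.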
@@ -1011,7 +1011,7 @@
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000508" disa="58" severity="low">
<title>The system must allow locking of graphical desktop
sessions.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000509" disa="136" severity="low">
+ <overlay owner="disastig" ruleid="configure_auditd_audispd"
ownerid="RHEL-06-000509" disa="136" severity="low">
<title>The system must forward audit records to the syslog
service.</title>
</overlay>
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000510" disa="140" severity="medium">
@@ -1038,10 +1038,10 @@
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000517" disa="366" severity="low">
<title>The system package management tool must verify group-ownership on all
files and directories associated with packages.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000518" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="rpm_verify_permissions"
ownerid="RHEL-06-000518" disa="366" severity="low">
<title>The system package management tool must verify permissions on all files
and directories associated with packages.</title>
</overlay>
- <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000519" disa="366" severity="low">
+ <overlay owner="disastig" ruleid="rpm_verify_hashes"
ownerid="RHEL-06-000519" disa="366" severity="low">
<title>The system package management tool must verify contents of all files
associated with packages.</title>
</overlay>
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000521" disa="366" severity="medium">
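Review bot: RHEL-06-000517 (group-ownership verification) is left at ruleid="XXXX" while its siblings 000518 and 000519 get rpm_verify_permissions and rpm_verify_hashes. Since a single `rpm -Va` pass reports ownership and group along with permissions and digests, check whether an existing rpm_verify_* rule already covers group ownership before leaving the placeholder. It is good that rpm_verify_hashes lands in the same patch as the fix to its OCIL check in integrity.xml below.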
@@ -1053,8 +1053,14 @@
<overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000523" disa="66" severity="medium">
<title>The system's local IPv6 firewall must implement a deny-all,
allow-by-exception policy for inbound packets.</title>
</overlay>
- <overlay owner="disastig" ruleid="unmet_nonfinding_scope"
ownerid="SRG-OS-000001-NA" disa="15" severity="medium">
- <title>The operating system must provide automated support for account
management functions.</title>
+ <overlay owner="disastig" ruleid="XXXX"
ownerid="RHEL-06-000524" disa="15" severity="low">
+ <title>The system must provide automated support for account management
functions.</title>
+ </overlay>
+ <overlay owner="disastig" ruleid="enable_auditd_bootloader"
ownerid="RHEL-06-000525" disa="169" severity="low">
+ <title>Auditing must be enabled at boot by setting a kernel
parameter.</title>
+ </overlay>
+ <overlay owner="disastig" ruleid="service_autofs_disabled"
ownerid="RHEL-06-000526" disa="366" severity="low">
+ <title>Automated file system mounting tools must not be enabled unless
needed.</title>
</overlay>
<overlay owner="disastig" ruleid="unmet_nonfinding_scope"
ownerid="SRG-OS-000006-NA" disa="21" severity="medium">
<title>The operating system must enforce dual authorization, based on
organizational policies and procedures for organization defined privileged
commands.</title>
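Review bot: this hunk does more than add entries. It removes the SRG-OS-000001-NA overlay, which had a resolved disposition (unmet_nonfinding_scope, severity medium), and replaces it with RHEL-06-000524 carrying ruleid="XXXX" and severity low for what reads as the same requirement (automated support for account management functions). If the STIG renumbered the item, carry the existing ruleid across rather than regressing it to a placeholder, and note in the commit message why the severity dropped from medium to low. The two genuinely new entries look right: enable_auditd_bootloader matches "enabled at boot by setting a kernel parameter" and service_autofs_disabled matches "automated file system mounting tools".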
diff --git a/RHEL6/input/system/permissions/files.xml
b/RHEL6/input/system/permissions/files.xml
index a35bf0b..7574f5a 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -503,7 +503,7 @@ appropriate group.
The following command will discover and print world-writable directories that
are not owned by a system account, given the assumption that only system
accounts have a uid lower than 500. Run it once for each local partition
<i>PART</i>:
-<pre># find <i>PART</i> -xdev -type d -perm 0002 -uid +500
-print</pre>
+<pre># find <i>PART</i> -xdev -type d -perm -0002 -uid +500
-print</pre>
</ocil>
<rationale>
Allowing a user account to own a world-writable directory is
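Review bot: the fix is correct and matters for the check's coverage. `-perm 0002` matches only directories whose mode is exactly 0002, which in practice is none, whereas `-perm -0002` matches any directory with the world-write bit set, which is what the prose above describes. One further issue in the same command: the text says only system accounts have a uid lower than 500, but `-uid +500` selects uids strictly greater than 500, so a world-writable directory owned by uid 500 is never reported; `-uid +499` matches the stated assumption.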
diff --git a/RHEL6/input/system/software/integrity.xml
b/RHEL6/input/system/software/integrity.xml
index 4807009..3d28c78 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -165,7 +165,7 @@ Alternatively, the package can be reinstalled from trusted media
using the comma
</description>
<ocil clause="there is output"> The following command will list which
files on the system
have file hashes different from what is expected by the RPM database.
-<pre># rpm -Va | grep '$1 ~ /..5/ && $2 !=
"c"'</pre>
+<pre># rpm -Va | awk '$1 ~ /..5/ && $2 !=
"c"'</pre>
</ocil>
<rationale>
The hashes of important files like system executables should match the
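Review bot: the change from `grep` to `awk` is correct; the quoted expression is an awk program (`$1 ~ /..5/ && $2 != "c"`) and passing it to grep produced either an error or no useful output, so the OCIL check was effectively dead. For readers of the guide it would help to say in the surrounding text what the program does: `rpm -Va` prints a nine-character status field first, the third character is "5" when the file digest differs, and the second field is "c" for configuration files, which are excluded because they are expected to change. Worth verifying the corrected command against a package with a known modified binary before the next release.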
-- 1.7.1
Ack. Good update on the find command.