This patchset is working toward the goal of having CCE identifiers assigned to all Rules which involve adjustment of a specific, granular "control knob" on the RHEL platform. (And a few that may involve a specific quality, such as lacking any world-writable files.)
Jeffrey Blank (2): added block of available CCE numbers to references * this will help us manage our assignment of them to Rules minor fixups of CCE ids
.../accounts/restrictions/account_expiration.xml | 2 + RHEL6/input/system/accounts/session.xml | 1 + RHEL6/input/system/permissions/execution.xml | 1 - RHEL6/input/system/permissions/mounting.xml | 2 - RHEL6/references/cce-rhel6-avail.txt | 550 ++++++++++++++++++++ 5 files changed, 553 insertions(+), 3 deletions(-) create mode 100644 RHEL6/references/cce-rhel6-avail.txt
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/references/cce-rhel6-avail.txt | 550 ++++++++++++++++++++++++++++++++++ 1 files changed, 550 insertions(+), 0 deletions(-) create mode 100644 RHEL6/references/cce-rhel6-avail.txt
diff --git a/RHEL6/references/cce-rhel6-avail.txt b/RHEL6/references/cce-rhel6-avail.txt new file mode 100644 index 0000000..d7dcb0e --- /dev/null +++ b/RHEL6/references/cce-rhel6-avail.txt @@ -0,0 +1,550 @@ +CCE-27115-5 +CCE-27173-4 +CCE-26404-4 +CCE-26967-0 +CCE-26971-2 +CCE-26800-3 +CCE-27135-3 +CCE-26957-1 +CCE-26853-2 +CCE-26995-1 +CCE-26915-9 +CCE-26741-9 +CCE-26923-3 +CCE-26448-1 +CCE-27010-8 +CCE-27144-5 +CCE-27175-9 +CCE-27123-9 +CCE-27002-5 +CCE-26486-1 +CCE-27131-2 +CCE-27163-5 +CCE-26988-6 +CCE-27151-0 +CCE-27111-4 +CCE-26631-2 +CCE-26891-2 +CCE-27104-9 +CCE-27124-7 +CCE-27053-8 +CCE-27170-0 +CCE-26795-5 +CCE-27125-4 +CCE-27100-7 +CCE-27161-9 +CCE-26840-9 +CCE-27162-7 +CCE-27138-7 +CCE-26639-5 +CCE-26887-0 +CCE-26933-2 +CCE-27037-1 +CCE-26949-8 +CCE-26966-2 +CCE-26648-6 +CCE-27075-1 +CCE-27119-7 +CCE-27004-1 +CCE-26860-7 +CCE-26812-8 +CCE-27054-6 +CCE-26809-4 +CCE-26828-4 +CCE-27106-4 +CCE-26872-2 +CCE-27158-5 +CCE-27039-7 +CCE-27165-0 +CCE-27038-9 +CCE-26611-4 +CCE-27066-0 +CCE-27035-5 +CCE-26870-6 +CCE-26946-4 +CCE-26864-9 +CCE-26435-8 +CCE-26974-6 +CCE-27051-2 +CCE-26615-5 +CCE-26763-3 +CCE-26436-6 +CCE-26989-4 +CCE-26992-8 +CCE-27110-6 +CCE-26215-4 +CCE-26894-6 +CCE-27032-2 +CCE-26910-0 +CCE-26969-6 +CCE-27086-8 +CCE-27027-2 +CCE-26892-0 +CCE-26973-8 +CCE-26876-3 +CCE-27081-9 +CCE-27206-2 +CCE-26690-8 +CCE-26930-8 +CCE-26854-0 +CCE-27049-6 +CCE-27103-1 +CCE-27198-1 +CCE-26940-7 +CCE-26769-0 +CCE-26898-7 +CCE-27129-6 +CCE-26444-0 +CCE-26662-7 +CCE-27197-3 +CCE-26780-7 +CCE-26762-5 +CCE-27177-5 +CCE-26573-6 +CCE-27187-4 +CCE-26328-5 +CCE-26831-8 +CCE-27192-4 +CCE-26972-0 +CCE-27208-8 +CCE-27145-2 +CCE-26239-4 +CCE-27186-6 +CCE-26865-6 +CCE-26670-0 +CCE-26768-2 +CCE-26497-8 +CCE-26899-5 +CCE-26977-9 +CCE-27166-8 +CCE-26235-2 +CCE-26371-5 +CCE-27215-3 +CCE-27021-5 +CCE-26778-1 +CCE-26970-4 +CCE-26657-7 +CCE-26895-3 +CCE-27174-2 +CCE-26325-1 +CCE-27096-7 +CCE-27078-5 +CCE-27062-9 +CCE-26922-5 +CCE-27093-4 +CCE-26951-4 +CCE-27060-3 +CCE-26911-8 +CCE-27097-5 +CCE-27005-8 +CCE-27026-4 +CCE-26242-8 +CCE-26846-6 +CCE-27220-3 +CCE-27143-7 +CCE-27121-3 +CCE-26557-9 +CCE-26952-2 +CCE-27013-2 +CCE-27184-1 +CCE-27209-6 +CCE-27057-9 +CCE-26826-8 +CCE-27241-9 +CCE-27157-7 +CCE-26818-5 +CCE-27001-7 +CCE-26844-1 +CCE-27230-2 +CCE-26691-6 +CCE-26280-8 +CCE-27122-1 +CCE-27065-2 +CCE-26917-5 +CCE-26953-0 +CCE-27247-6 +CCE-27073-6 +CCE-27237-7 +CCE-27260-9 +CCE-27190-8 +CCE-27120-5 +CCE-26821-9 +CCE-26506-6 +CCE-27128-8 +CCE-27018-1 +CCE-27140-3 +CCE-27014-0 +CCE-27033-0 +CCE-27262-5 +CCE-26582-7 +CCE-26948-0 +CCE-27277-3 +CCE-27090-0 +CCE-26875-5 +CCE-26858-1 +CCE-26282-4 +CCE-27064-5 +CCE-27196-5 +CCE-26994-4 +CCE-26664-3 +CCE-27034-8 +CCE-27225-2 +CCE-26548-8 +CCE-26960-5 +CCE-27227-8 +CCE-27235-1 +CCE-27194-0 +CCE-27068-6 +CCE-26669-2 +CCE-26900-1 +CCE-26822-7 +CCE-27204-7 +CCE-26303-8 +CCE-27016-5 +CCE-26785-6 +CCE-27301-1 +CCE-27164-3 +CCE-26638-7 +CCE-26906-8 +CCE-26884-7 +CCE-26991-0 +CCE-27169-2 +CCE-27244-3 +CCE-27046-2 +CCE-26868-0 +CCE-27211-2 +CCE-27291-4 +CCE-27127-0 +CCE-26555-3 +CCE-26677-5 +CCE-26709-6 +CCE-26499-4 +CCE-26332-7 +CCE-27199-9 +CCE-27063-7 +CCE-27303-7 +CCE-26774-0 +CCE-27116-3 +CCE-27099-1 +CCE-27050-4 +CCE-26856-5 +CCE-26340-0 +CCE-27133-8 +CCE-27178-3 +CCE-26361-6 +CCE-26961-3 +CCE-27193-2 +CCE-26883-9 +CCE-27008-2 +CCE-27334-2 +CCE-26897-9 +CCE-27254-2 +CCE-27279-9 +CCE-27195-7 +CCE-27288-0 +CCE-27061-1 +CCE-27243-5 +CCE-27228-6 +CCE-26544-7 +CCE-26712-0 +CCE-27030-6 +CCE-27283-1 +CCE-27091-8 +CCE-27267-4 +CCE-26457-2 +CCE-27326-8 +CCE-27045-4 +CCE-27203-9 +CCE-26803-7 +CCE-27294-8 +CCE-27318-5 +CCE-27137-9 +CCE-27268-2 +CCE-27286-4 +CCE-27024-9 +CCE-27352-4 +CCE-27275-7 +CCE-26731-0 +CCE-27107-2 +CCE-27160-1 +CCE-27112-2 +CCE-27214-6 +CCE-26374-9 +CCE-27293-0 +CCE-26913-4 +CCE-27249-2 +CCE-26928-2 +CCE-26873-0 +CCE-27200-5 +CCE-27181-7 +CCE-26696-5 +CCE-27360-7 +CCE-26642-9 +CCE-27345-8 +CCE-27350-8 +CCE-27297-1 +CCE-27072-8 +CCE-27309-4 +CCE-26878-9 +CCE-27263-3 +CCE-27287-2 +CCE-27056-1 +CCE-26836-7 +CCE-27335-9 +CCE-27047-0 +CCE-27098-3 +CCE-26600-7 +CCE-27250-0 +CCE-27069-4 +CCE-27223-7 +CCE-27351-6 +CCE-27114-8 +CCE-26409-3 +CCE-27153-6 +CCE-27397-9 +CCE-26990-2 +CCE-27074-4 +CCE-27117-1 +CCE-27358-1 +CCE-26687-4 +CCE-27167-6 +CCE-27328-4 +CCE-27252-6 +CCE-27179-1 +CCE-27327-6 +CCE-27361-5 +CCE-27154-4 +CCE-27349-0 +CCE-27238-5 +CCE-27221-1 +CCE-26410-1 +CCE-27343-3 +CCE-27407-6 +CCE-27212-0 +CCE-27015-7 +CCE-27201-3 +CCE-27265-8 +CCE-27348-2 +CCE-27182-5 +CCE-27042-1 +CCE-27319-3 +CCE-27007-4 +CCE-27172-6 +CCE-26975-3 +CCE-27232-8 +CCE-27231-0 +CCE-27375-5 +CCE-27370-6 +CCE-27233-6 +CCE-26622-1 +CCE-27394-6 +CCE-27331-8 +CCE-26954-8 +CCE-27341-7 +CCE-27152-8 +CCE-27290-6 +CCE-27216-1 +CCE-27043-9 +CCE-27236-9 +CCE-26981-1 +CCE-27299-7 +CCE-27219-5 +CCE-27310-2 +CCE-27076-9 +CCE-27234-4 +CCE-27205-4 +CCE-27031-4 +CCE-27108-0 +CCE-27168-4 +CCE-27189-0 +CCE-27339-1 +CCE-27364-9 +CCE-27146-0 +CCE-27077-7 +CCE-27393-8 +CCE-27388-8 +CCE-27270-8 +CCE-27356-5 +CCE-26855-7 +CCE-27387-0 +CCE-26947-2 +CCE-27353-2 +CCE-27389-6 +CCE-27083-5 +CCE-27410-0 +CCE-26919-1 +CCE-27079-3 +CCE-26983-7 +CCE-26850-8 +CCE-27222-9 +CCE-27022-3 +CCE-27280-7 +CCE-27272-4 +CCE-26610-6 +CCE-27367-2 +CCE-26476-2 +CCE-27006-6 +CCE-27213-8 +CCE-27347-4 +CCE-27437-3 +CCE-27259-1 +CCE-27447-2 +CCE-27461-3 +CCE-27443-1 +CCE-27354-0 +CCE-27401-9 +CCE-27305-2 +CCE-27342-5 +CCE-27408-4 +CCE-26889-6 +CCE-26993-6 +CCE-27337-5 +CCE-27274-0 +CCE-26999-3 +CCE-26943-1 +CCE-27011-6 +CCE-27336-7 +CCE-27406-8 +CCE-27149-4 +CCE-27229-4 +CCE-27399-5 +CCE-27385-4 +CCE-27396-1 +CCE-27185-8 +CCE-27210-4 +CCE-27432-4 +CCE-27323-5 +CCE-27320-1 +CCE-27433-2 +CCE-27082-7 +CCE-27183-3 +CCE-26720-3 +CCE-27377-1 +CCE-27224-5 +CCE-27413-4 +CCE-27040-5 +CCE-27445-6 +CCE-27471-2 +CCE-27363-1 +CCE-27295-5 +CCE-27455-5 +CCE-27444-9 +CCE-27044-7 +CCE-26979-5 +CCE-27278-1 +CCE-27012-4 +CCE-27421-7 +CCE-26612-2 +CCE-27404-3 +CCE-26807-8 +CCE-27087-6 +CCE-27428-2 +CCE-27359-9 +CCE-26956-3 +CCE-27372-2 +CCE-27448-0 +CCE-27317-7 +CCE-27427-4 +CCE-27373-0 +CCE-27430-8 +CCE-27102-3 +CCE-27333-4 +CCE-26601-5 +CCE-27533-9 +CCE-27070-2 +CCE-27316-9 +CCE-27257-5 +CCE-27487-8 +CCE-27581-8 +CCE-27565-1 +CCE-26866-4 +CCE-27574-3 +CCE-27009-0 +CCE-27362-3 +CCE-26859-9 +CCE-27442-3 +CCE-27276-5 +CCE-27507-3 +CCE-26792-2 +CCE-27468-8 +CCE-27329-2 +CCE-27541-2 +CCE-27558-6 +CCE-27395-3 +CCE-27570-1 +CCE-27553-7 +CCE-27586-7 +CCE-27425-8 +CCE-27411-8 +CCE-27496-9 +CCE-27528-9 +CCE-27414-2 +CCE-27105-6 +CCE-27508-1 +CCE-27058-7 +CCE-26958-9 +CCE-27300-3 +CCE-27055-3 +CCE-27526-3 +CCE-27308-6 +CCE-27340-9 +CCE-27590-9 +CCE-26976-1 +CCE-27512-3 +CCE-27557-8 +CCE-27386-2 +CCE-27355-7 +CCE-27180-9 +CCE-27503-2 +CCE-27285-6 +CCE-27218-7 +CCE-27594-1 +CCE-27191-6 +CCE-26985-2 +CCE-27464-7 +CCE-27457-1 +CCE-27366-4 +CCE-27458-9 +CCE-27311-0 +CCE-27485-2 +CCE-27434-0 +CCE-27511-5 +CCE-27314-4 +CCE-27239-3 +CCE-27258-3 +CCE-27556-0 +CCE-27498-5 +CCE-26647-8 +CCE-27495-1 +CCE-27446-4 +CCE-27593-3 +CCE-27365-6 +CCE-27256-7 +CCE-27550-3 +CCE-27522-2 +CCE-27440-7 +CCE-27567-7 +CCE-27474-6 +CCE-27379-7 +CCE-27623-8 +CCE-27289-8 +CCE-27424-1 +CCE-27381-3 +CCE-27609-7 +CCE-27529-7 +CCE-27409-2 +CCE-27403-5 +CCE-27142-9 +CCE-27150-2 +CCE-27525-5 +CCE-27635-2 +CCE-26651-0 +CCE-27626-1 +CCE-27515-6 +CCE-27596-6 +CCE-27261-7 +CCE-27633-7 +CCE-27459-7 +CCE-27017-3 +CCE-26801-1 +CCE-27571-9
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- .../accounts/restrictions/account_expiration.xml | 2 ++ RHEL6/input/system/accounts/session.xml | 1 + RHEL6/input/system/permissions/execution.xml | 1 - RHEL6/input/system/permissions/mounting.xml | 2 -- 4 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 3d45d55..18b2396 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -58,6 +58,7 @@ Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. </rationale> +<ident cce="27283-1"/> <oval id="accounts_disable_post_pw_expiration" value="var_account_disable_post_pw_expiration"/> <ref nist="AC-2(2), AC-2(3)" disa="16,17,795"/> </Rule> @@ -75,6 +76,7 @@ If there are no duplicate names, no line will be returned. <rationale> Unique usernames allow for accountability on the system. </rationale> +<ident cce="27609-7"/> <ref disa="770,804"/> </Rule>
diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index eeeea6b..c980e45 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -43,6 +43,7 @@ You should receive output similar to the following: <pre>* hard maxlogins 10</pre> </ocil> <!-- <oval id="max_concurrent_login_sessions" value="max_concurrent_login_sessions_value" /> --> +<ident cce="27457-1" /> <ref disa="54"/> </Rule>
diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index 7682d83..d742d60 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml @@ -195,7 +195,6 @@ under a Security section. Look for Execute Disable (XD) on Intel-based systems a on AMD-based systems.</description> <rationale>Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will.</rationale> -<ident cce="27012-4" /> <ref nist="" /> </Rule>
diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml index 636aee6..683a2f6 100644 --- a/RHEL6/input/system/permissions/mounting.xml +++ b/RHEL6/input/system/permissions/mounting.xml @@ -129,8 +129,6 @@ the section titled "Set BIOS Password" to prevent unauthorized configuration cha <rationale>Booting a system from a USB device would allow an attacker to circumvent any security measures offered by the native OS. Attackers could mount partitions and modify the configuration of the native OS. The BIOS should be configured to disallow booting from USB media.</rationale> -<ident cce="26952-2" /> -<!-- <oval id="bios_disable_usb_boot" /> --> <ref nist="AC-19(a),AC-19(d),AC-19(e)" disa="1250,85" /> </Rule>
On 3/17/13 4:36 PM, Jeffrey Blank wrote:
This patchset is working toward the goal of having CCE identifiers assigned to all Rules which involve adjustment of a specific, granular "control knob" on the RHEL platform. (And a few that may involve a specific quality, such as lacking any world-writable files.)
Jeffrey Blank (2): added block of available CCE numbers to references * this will help us manage our assignment of them to Rules minor fixups of CCE ids
.../accounts/restrictions/account_expiration.xml | 2 + RHEL6/input/system/accounts/session.xml | 1 + RHEL6/input/system/permissions/execution.xml | 1 - RHEL6/input/system/permissions/mounting.xml | 2 - RHEL6/references/cce-rhel6-avail.txt | 550 ++++++++++++++++++++ 5 files changed, 553 insertions(+), 3 deletions(-) create mode 100644 RHEL6/references/cce-rhel6-avail.txt
__
Ack
scap-security-guide@lists.fedorahosted.org
-
Jeffrey Blank -
Shawn Wells