This is largely about deleting vestigial OVAL checks.
Some of the remaining "OVAL Check is not referenced by XCCDF" messages which "make validate" produces call for more investigation.
And of course the OVAL schematron still has problems. But this gets us closer.
Jeffrey Blank (6):
  removal of packages from check templates
  removal or correction of misnamed or obsolete OVAL checks
  removal of comments, reference to nonexistent OVAL
  refine verify-references to deal only with OVAL compliance checks for OVAL
  removal of references to nonexistent OVAL for some NFS guidance
  corrections for typos in OVAL references
 .../accounts_no_nis_inclusions_etc_passwd.xml      | 23 ------
 .../input/checks/audit_rules_dac_modification.xml  | 40 -----------
 RHEL6/input/checks/cups_limit_web_interface.xml    | 30 --------
 RHEL6/input/checks/file_mode_etc_crontab.xml       | 33 ---------
 RHEL6/input/checks/file_ownership_etc_skel.xml     | 39 -----------
 .../file_permissions_boot_grub_grub_conf.xml       | 46 -------------
 RHEL6/input/checks/file_user_owner_etc_crontab.xml | 25 -------
 RHEL6/input/checks/mount_option_nodev_on_tmp.xml   | 30 --------
 .../input/checks/package_ipsec-tools_installed.xml | 25 -------
 RHEL6/input/checks/package_talk-server_removed.xml | 25 -------
 RHEL6/input/checks/package_talk_removed.xml        | 25 -------
 RHEL6/input/checks/service_abrtd_disabled.xml      |  3 +
 RHEL6/input/checks/sysconfig_ipv6_disable.xml      | 37 ----------
 RHEL6/input/checks/sysconfig_ipv6_networking.xml   | 37 ----------
 .../checks/sysconfig_networking_ipv6_ifcfg.xml     | 37 ----------
 ...tl_net_ipv6_conf_default_accept_ra_rtr_pref.xml | 31 ---------
 RHEL6/input/checks/templates/Makefile              |  4 +-
 .../input/checks/templates/packages_installed.csv  |  5 --
 RHEL6/input/checks/templates/packages_removed.csv  |  3 -
 RHEL6/input/checks/templates/services_disabled.csv |  2 +-
 RHEL6/input/checks/xwindows_remote_listening.xml   | 30 --------
 RHEL6/input/services/http.xml                      | 72 --------------------
 RHEL6/input/services/nfs.xml                       |  4 -
 RHEL6/input/services/obsolete.xml                  |  2 +-
 RHEL6/input/system/permissions/partitions.xml      |  2 +-
 RHEL6/utils/verify-references.py                   |  5 +-
 26 files changed, 11 insertions(+), 604 deletions(-)
 delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml
 delete mode 100644 RHEL6/input/checks/audit_rules_dac_modification.xml
 delete mode 100644 RHEL6/input/checks/cups_limit_web_interface.xml
 delete mode 100644 RHEL6/input/checks/file_mode_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/file_ownership_etc_skel.xml
 delete mode 100644 RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
 delete mode 100644 RHEL6/input/checks/file_user_owner_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/mount_option_nodev_on_tmp.xml
 delete mode 100644 RHEL6/input/checks/package_ipsec-tools_installed.xml
 delete mode 100644 RHEL6/input/checks/package_talk-server_removed.xml
 delete mode 100644 RHEL6/input/checks/package_talk_removed.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_disable.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_networking.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml
 delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml
 delete mode 100644 RHEL6/input/checks/xwindows_remote_listening.xml
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 RHEL6/input/checks/templates/Makefile              | 4 ++--
 .../input/checks/templates/packages_installed.csv  | 5 -----
 RHEL6/input/checks/templates/packages_removed.csv  | 3 ---
 RHEL6/input/checks/templates/services_disabled.csv | 2 +-
 4 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/RHEL6/input/checks/templates/Makefile b/RHEL6/input/checks/templates/Makefile index fbc0c34..7c892b9 100644 --- a/RHEL6/input/checks/templates/Makefile +++ b/RHEL6/input/checks/templates/Makefile @@ -28,5 +28,5 @@ find-untemplated: templates ./find_untemplated.py
clean: - rm output/*.xml - rm output/*.sh + rm -f output/*.xml + rm -f output/*.sh diff --git a/RHEL6/input/checks/templates/packages_installed.csv b/RHEL6/input/checks/templates/packages_installed.csv index f0a2960..318ec91 100644 --- a/RHEL6/input/checks/templates/packages_installed.csv +++ b/RHEL6/input/checks/templates/packages_installed.csv @@ -1,18 +1,13 @@ aide audit cronie -ipsec-tools iptables iptables-ipv6 irqbalance -lvm2 -ntpdate ntp -openldap-servers openswan policycoreutils postfix psacct -rsyslog vsftpd screen diff --git a/RHEL6/input/checks/templates/packages_removed.csv b/RHEL6/input/checks/templates/packages_removed.csv index 40e2d89..02d786f 100644 --- a/RHEL6/input/checks/templates/packages_removed.csv +++ b/RHEL6/input/checks/templates/packages_removed.csv @@ -1,7 +1,6 @@ abrt at bind -certmonger cpuspeed cups cyrus-sasl @@ -25,7 +24,6 @@ portreserve qpid-cpp-server quota rhnsd -rpcbind rsh-server samba-common sendmail @@ -33,7 +31,6 @@ smartmontools squid subscription-manager sysstat -talk talk-server telnet-server tftp-server diff --git a/RHEL6/input/checks/templates/services_disabled.csv b/RHEL6/input/checks/templates/services_disabled.csv index 7afc2da..7045072 100644 --- a/RHEL6/input/checks/templates/services_disabled.csv +++ b/RHEL6/input/checks/templates/services_disabled.csv @@ -1,4 +1,4 @@ -abrtd, +abrtd,abrt acpid, autofs, certmonger,
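Review bot: switching the clean target to `rm -f` is the right fix for the Makefile hunk, because a bare `rm output/*.xml` returns non-zero and aborts `make clean` whenever output/ is already empty; the two commands could also be collapsed into one `rm -f output/*.xml output/*.sh`.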
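Review bot: the packages_installed.csv hunk drops ipsec-tools, lvm2, ntpdate, openldap-servers and rsyslog, which deletes the generated package_*_installed checks for all five; the cover letter classes these as OVAL that no XCCDF rule references, but rsyslog is core logging guidance, so please confirm with `make validate` that the "OVAL Check is not referenced by XCCDF" message for it reflects a missing rule rather than a rule whose reference was simply misspelled.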
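Review bot: the packages_removed.csv hunks carry only three lines of context each ("abrt at bind" above the deleted certmonger line, "rhnsd" above rpcbind), and a tree that has autofs between at and bind, as in the copy Maura posts below, will fail with "patch does not apply"; this patch should be regenerated against the current tree. Dropping certmonger here while it stays in services_disabled.csv with an empty package column (visible as "certmonger," in the last hunk) is consistent, since no package_certmonger_removed definition will be generated for the service check to extend.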
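Review bot: the services_disabled.csv change from "abrtd," to "abrtd,abrt" makes the generated service_abrtd_disabled check satisfiable by removing the abrt package, which depends on package_abrt_removed still being generated; abrt remains as the first context line of the packages_removed.csv hunk, so that reference resolves. A short note in the commit message that the second column is the package whose removal satisfies the check would help the next person editing the CSV.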
This one failed for me. I got the following error:
error: patch failed: RHEL6/input/checks/templates/packages_removed.csv:1
error: RHEL6/input/checks/templates/packages_removed.csv: patch does not apply
I tracked it back to your May 16th update, which did not get ACKED (third batch of several...) and some other updates that day ("fourth batch of several...", and part of "fifth batch of several"). I don't know if it's just me. I ACKED your third batch email just now.
Here is what is in my packages_removed.csv file for reference:
abrt at autofs bind certmonger cpuspeed cronie-anacron cups cyrus-sasl dbus dhcp dhcpd dovecot hal httpd iputils isdn4k-utils kexec-tools libcgroup mdadm net-snmp nfs-utils oddjob openldap-servers openssh-server pam_ldap portreserve qpid-cpp-server quota rhnsd rpcbind rsh-server samba-common samba sendmail smartmontools squid sssd subscription-manager sysstat talk talk-server telnet-server tftp-server vsftpd xinetd xorg-x11-server-common ypbind ypserv
- Maura Dailey
On 05/20/2013 01:50 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank <blank@eclipse.ncsc.mil>
---
 .../accounts_no_nis_inclusions_etc_passwd.xml      | 23 ----------
 .../input/checks/audit_rules_dac_modification.xml  | 40 -----------------
 RHEL6/input/checks/cups_limit_web_interface.xml    | 30 -------------
 RHEL6/input/checks/file_mode_etc_crontab.xml       | 33 --------------
 RHEL6/input/checks/file_ownership_etc_skel.xml     | 39 -----------------
 .../file_permissions_boot_grub_grub_conf.xml       | 46 --------------------
 RHEL6/input/checks/file_user_owner_etc_crontab.xml | 25 -----------
 RHEL6/input/checks/mount_option_nodev_on_tmp.xml   | 30 -------------
 .../input/checks/package_ipsec-tools_installed.xml | 25 -----------
 RHEL6/input/checks/package_talk-server_removed.xml | 25 -----------
 RHEL6/input/checks/package_talk_removed.xml        | 25 -----------
 RHEL6/input/checks/service_abrtd_disabled.xml      |  3 +
 RHEL6/input/checks/sysconfig_ipv6_disable.xml      | 37 ----------------
 RHEL6/input/checks/sysconfig_ipv6_networking.xml   | 37 ----------------
 .../checks/sysconfig_networking_ipv6_ifcfg.xml     | 37 ----------------
 ...tl_net_ipv6_conf_default_accept_ra_rtr_pref.xml | 31 -------------
 RHEL6/input/checks/xwindows_remote_listening.xml   | 30 -------------
 17 files changed, 3 insertions(+), 513 deletions(-)
 delete mode 100644 RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml
 delete mode 100644 RHEL6/input/checks/audit_rules_dac_modification.xml
 delete mode 100644 RHEL6/input/checks/cups_limit_web_interface.xml
 delete mode 100644 RHEL6/input/checks/file_mode_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/file_ownership_etc_skel.xml
 delete mode 100644 RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml
 delete mode 100644 RHEL6/input/checks/file_user_owner_etc_crontab.xml
 delete mode 100644 RHEL6/input/checks/mount_option_nodev_on_tmp.xml
 delete mode 100644 RHEL6/input/checks/package_ipsec-tools_installed.xml
 delete mode 100644 RHEL6/input/checks/package_talk-server_removed.xml
 delete mode 100644 RHEL6/input/checks/package_talk_removed.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_disable.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_ipv6_networking.xml
 delete mode 100644 RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml
 delete mode 100644 RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml
 delete mode 100644 RHEL6/input/checks/xwindows_remote_listening.xml
diff --git a/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml b/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml deleted file mode 100644 index 5176fa4..0000000 --- a/RHEL6/input/checks/accounts_no_nis_inclusions_etc_passwd.xml +++ /dev/null @@ -1,23 +0,0 @@ -<def-group> - <definition class="compliance" id="accounts_no_nis_inclusions_etc_passwd" version="1"> - <metadata> - <title>Remove Legacy + Entries From /etc/passwd</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>NIS file inclusions should be set appropriately in the /etc/passwd file.</description> - </metadata> - <criteria> - <criterion comment="tests for reg exp '^\+' in /etc/passwd" test_ref="test_accounts_no_nis_inclusions_etc_passwd" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests for reg exp '^+' in /etc/passwd" id="test_accounts_no_nis_inclusions_etc_passwd" version="1"> - <ind:object object_ref="object_accounts_no_nis_inclusions_etc_passwd" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_accounts_no_nis_inclusions_etc_passwd" version="1"> - ind:path/etc</ind:path> - ind:filenamepasswd</ind:filename> - <ind:pattern operation="pattern match">^+</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/audit_rules_dac_modification.xml b/RHEL6/input/checks/audit_rules_dac_modification.xml deleted file mode 100644 index 919eaff..0000000 --- a/RHEL6/input/checks/audit_rules_dac_modification.xml +++ /dev/null 
@@ -1,40 +0,0 @@ -<def-group> - <definition class="compliance" id="audit_rules_dac_modification" version="1"> - <metadata> - <title>Audit Discretionary Access Control Modification Events</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The changing of file permissions and attributes should be audited.</description> - </metadata> - <criteria operator="AND"> - <!-- <criterion comment="dac modification chmod" test_ref="test_audit_rules_dac_modification_chmod" /> --> - <!-- <criterion comment="dac modification chown" test_ref="test_audit_rules_dac_modification_chown" /> --> - <criterion comment="dac modification attre" test_ref="test_audit_rules_dac_modification_attr" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" comment="dac modification chmod" id="test_audit_rules_dac_modification_chmod" version="1"> - <ind:object object_ref="object_audit_rules_dac_modification_chmod" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_audit_rules_dac_modification_chmod" version="1"> - ind:filepath/etc/audit/audit.rules</ind:filepath> - <ind:pattern operation="pattern match">^-a\s+always,exit\s+(-F\s+arch=(b64|b32)\s+)?-S\s+chmod\s+-S\s+fchmod\s+-S\s+fchmodat\s+-F\s+auid>=500\s+-F\s+auid!=4294967295\s+-k\s+[-\w]+\s*$</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> - <ind:textfilecontent54_test check="all" comment="dac modification chown" id="test_audit_rules_dac_modification_chown" version="1"> - <ind:object object_ref="object_audit_rules_dac_modification_chown" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_audit_rules_dac_modification_chown" version="1"> - ind:filepath/etc/audit/audit.rules</ind:filepath> - <ind:pattern operation="pattern 
match">^-a\s+always,exit\s+(-F\s+arch=(b64|b32)\s+)?-S\s+chown\s+-S\s+fchown\s+-S\s+fchownat\s+-S\s+lchown\s+-F\s+auid>=500\s+-F\s+auid!=4294967295\s+-k\s+[-\w]+\s*$</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> - <ind:textfilecontent54_test check="all" comment="dac modification attr" id="test_audit_rules_dac_modification_attr" version="1"> - <ind:object object_ref="object_audit_rules_dac_modification_attr" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="object_audit_rules_dac_modification_attr" version="1"> - ind:filepath/etc/audit/audit.rules</ind:filepath> - <ind:pattern operation="pattern match">^-a\s+always,exit\s+(-F\s+arch=(b64|b32)\s+)?-S\s+setxattr\s+-S\s+lsetxattr\s+-S\s+fsetxattr\s+-S\s+removexattr\s+-S\s+lremovexattr\s+-S\s+fremovexattr\s+-F\s+auid>=500\s+-F\s+auid!=4294967295\s+-k\s+[-\w]+\s*$</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/cups_limit_web_interface.xml b/RHEL6/input/checks/cups_limit_web_interface.xml deleted file mode 100644 index 4d370c8..0000000 --- a/RHEL6/input/checks/cups_limit_web_interface.xml +++ /dev/null 
@@ -1,30 +0,0 @@ -<def-group> - <definition class="compliance" - id="cups_limit_web_interface" version="1"> - <metadata> - <title>Limit Access to the Web Administration Interface</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>By default, access to the CUPS web administration interface is limited to the local machine. It is recom- -mended that this not be changed, especially since the authentication mechanisms that CUPS provides are limited in their effectiveness. Host-based authentication has known limitations, especially since IP addresses are easy to spoof. Requiring users to authenticate themselves can alleviate this problem, but it cannot eliminate it. -</description> - </metadata> - <criteria operator="AND"> - <criterion comment="Don't use allow for remote administration" test_ref="test_cups_limit_web_interface_no_allow" /> - </criteria> - </definition> - - <ind:textfilecontent54_test check="all" check_existence="none_exist" - comment="Ensure remote web administration remains disabled" - id="test_cups_limit_web_interface_no_allow" version="1"> - <ind:object object_ref="obj_cups_limit_web_interface_no_allow" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_cups_limit_web_interface_no_allow" version="1"> - ind:path/etc/cups</ind:path> - ind:filenamecupsd.conf</ind:filename> - <ind:pattern operation="pattern match">.*Location /.*[\s\n]+Allow \S+[\s\n]+.*Location /</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> - -</def-group> diff --git a/RHEL6/input/checks/file_mode_etc_crontab.xml b/RHEL6/input/checks/file_mode_etc_crontab.xml deleted file mode 100644 index d8b0a7e..0000000 --- a/RHEL6/input/checks/file_mode_etc_crontab.xml +++ /dev/null 
@@ -1,33 +0,0 @@ -<def-group> - <definition class="compliance" id="file_mode_etc_crontab" version="1"> - <metadata> - <title>Check Mode /etc/crontab</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The file /etc/crontab should be mode 600.</description> - </metadata> - <criteria> - <criterion test_ref="test_file_mode_etc_crontab" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="all_exist" comment="mode for /etc/crontab" id="test_file_mode_etc_crontab" version="1"> - <unix:object object_ref="object_mode_file_etc_crontab" /> - <unix:state state_ref="state_etc_crontab_mode_600" /> - </unix:file_test> - <unix:file_object comment="/etc/crontab" id="object_mode_file_etc_crontab" version="1"> - unix:path/etc</unix:path> - unix:filenamecrontab</unix:filename> - </unix:file_object> - <unix:file_state id="state_etc_crontab_mode_600" version="1"> - <unix:uread datatype="boolean">true</unix:uread> - <unix:uwrite datatype="boolean">true</unix:uwrite> - <unix:uexec datatype="boolean">false</unix:uexec> - <unix:gread datatype="boolean">false</unix:gread> - <unix:gwrite datatype="boolean">false</unix:gwrite> - <unix:gexec datatype="boolean">false</unix:gexec> - <unix:oread datatype="boolean">false</unix:oread> - <unix:owrite datatype="boolean">false</unix:owrite> - <unix:oexec datatype="boolean">false</unix:oexec> - </unix:file_state> -</def-group> diff --git a/RHEL6/input/checks/file_ownership_etc_skel.xml b/RHEL6/input/checks/file_ownership_etc_skel.xml deleted file mode 100644 index 5559fb1..0000000 --- a/RHEL6/input/checks/file_ownership_etc_skel.xml +++ /dev/null 
@@ -1,39 +0,0 @@ -<def-group> - <definition class="compliance" id="file_ownership_etc_skel" version="1"> - <metadata> - <title>Verify /etc/skel Ownership</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>Checks that all /etc/skel files and directories are owned by the root user and group.</description> - </metadata> - <criteria operator="AND"> - <criterion test_ref="test_ownership_etc_skel_dir" /> - <criterion test_ref="test_ownership_etc_skel_files" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="none_exist" comment="/etc/skel directories uid root gid root" id="test_ownership_etc_skel_dir" version="1"> - <unix:object object_ref="object_etc_skel_dir" /> - <unix:state state_ref="state_owner_not_root_root" /> - </unix:file_test> - <unix:file_test check="all" check_existence="none_exist" comment="/etc/skel files uid root gid root" id="test_ownership_etc_skel_files" version="1"> - <unix:object object_ref="object_ownership_etc_skel_files" /> - <unix:state state_ref="state_owner_not_root_root" /> - </unix:file_test> - <unix:file_object comment="/etc/skel directories" id="object_etc_skel_dir" version="1"> - <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> - <unix:path operation="equals">/etc/skel</unix:path> - <unix:filename xsi:nil="true" /> - <filter action="include">state_owner_not_root_root</filter> - </unix:file_object> - <unix:file_object comment="/etc/skel files" id="object_ownership_etc_skel_files" version="1"> - <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all" /> - <unix:path operation="equals">/etc/skel</unix:path> - <unix:filename operation="pattern match">^.*$</unix:filename> - <filter action="include">state_owner_not_root_root</filter> - </unix:file_object> - <unix:file_state id="state_owner_not_root_root" version="1" operator="OR"> - <unix:group_id 
datatype="int" operation="not equal">0</unix:group_id> - <unix:user_id datatype="int" operation="not equal">0</unix:user_id> - </unix:file_state> -</def-group> diff --git a/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml b/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml deleted file mode 100644 index b185de9..0000000 --- a/RHEL6/input/checks/file_permissions_boot_grub_grub_conf.xml +++ /dev/null 
@@ -1,46 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. --> - <definition class="compliance" id="file_permissions_boot_grub_grub_conf" version="1"> - <metadata> - <title>Verify /boot/grub/grub.conf Permissions</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>This test makes sure that /boot/grub/grub.conf is owned by 0, group owned by 0, and has mode 0600. If - the target file or directory has an extended ACL then it will fail the mode check.</description> - </metadata> - <criteria> - <criterion test_ref="test_boot_grub_grub_conf" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="all_exist" comment="/boot/grub/grub.conf mode and ownership" id="test_boot_grub_grub_conf" version="1"> - <unix:object object_ref="object_boot_grub_grub_conf" /> - <unix:state state_ref="_boot_grub_grub_conf_state_uid_0" /> - <unix:state state_ref="_boot_grub_grub_conf_state_gid_0" /> - <unix:state state_ref="_boot_grub_grub_conf_state_mode_0600" /> - </unix:file_test> - <unix:file_object comment="/boot/grub/grub.conf" id="object_boot_grub_grub_conf" version="1"> - unix:path/boot/grub</unix:path> - unix:filenamegrub.conf</unix:filename> - </unix:file_object> - <unix:file_state id="_boot_grub_grub_conf_state_uid_0" version="1"> - <unix:user_id datatype="int" operation="equals">0</unix:user_id> - </unix:file_state> - <unix:file_state id="_boot_grub_grub_conf_state_gid_0" version="1"> - <unix:group_id datatype="int" operation="equals">0</unix:group_id> - </unix:file_state> - <unix:file_state id="_boot_grub_grub_conf_state_mode_0600" version="1"> - <unix:suid datatype="boolean">false</unix:suid> - <unix:sgid datatype="boolean">false</unix:sgid> - <unix:sticky datatype="boolean">false</unix:sticky> - <unix:uread datatype="boolean">true</unix:uread> - <unix:uwrite datatype="boolean">true</unix:uwrite> - <unix:uexec datatype="boolean">false</unix:uexec> - 
<unix:gread datatype="boolean">false</unix:gread> - <unix:gwrite datatype="boolean">false</unix:gwrite> - <unix:gexec datatype="boolean">false</unix:gexec> - <unix:oread datatype="boolean">false</unix:oread> - <unix:owrite datatype="boolean">false</unix:owrite> - <unix:oexec datatype="boolean">false</unix:oexec> - </unix:file_state> -</def-group> diff --git a/RHEL6/input/checks/file_user_owner_etc_crontab.xml b/RHEL6/input/checks/file_user_owner_etc_crontab.xml deleted file mode 100644 index 80d76a3..0000000 --- a/RHEL6/input/checks/file_user_owner_etc_crontab.xml +++ /dev/null @@ -1,25 +0,0 @@ -<def-group> - <definition class="compliance" id="file_user_owner_etc_crontab" version="1"> - <metadata> - <title>Check User Ownership /etc/crontab</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The file /etc/crontab should be owned by the root user.</description> - </metadata> - <criteria> - <criterion test_ref="test_file_user_owner_etc_crontab" /> - </criteria> - </definition> - <unix:file_test check="all" check_existence="all_exist" comment="root gid for /etc/crontab" id="test_file_user_owner_etc_crontab" version="1"> - <unix:object object_ref="object_uid_file_etc_crontab" /> - <unix:state state_ref="state_root_uid_etc_crontab" /> - </unix:file_test> - <unix:file_object comment="/etc/crontab" id="object_uid_file_etc_crontab" version="1"> - unix:path/etc</unix:path> - unix:filenamecrontab</unix:filename> - </unix:file_object> - <unix:file_state id="state_root_uid_etc_crontab" version="1"> - <unix:user_id datatype="int">0</unix:user_id> - </unix:file_state> -</def-group> diff --git a/RHEL6/input/checks/mount_option_nodev_on_tmp.xml b/RHEL6/input/checks/mount_option_nodev_on_tmp.xml deleted file mode 100644 index 93c217a..0000000 --- a/RHEL6/input/checks/mount_option_nodev_on_tmp.xml +++ /dev/null 
@@ -1,30 +0,0 @@ -<def-group> - <definition class="compliance" - id="mount_option_nodev_on_tmp" version="1"> - <metadata> - <title>Add nodev Option to /tmp Partition</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>Add nodev Option to /tmp Partition</description> - </metadata> - <criteria> - <criterion comment="test for nodev option on /tmp" - test_ref="test_144120" /> - </criteria> - </definition> - <linux:partition_test check="all" - comment="check for nodev option on /tmp" - id="test_144120" version="1"> - <linux:object object_ref="obj_144120" /> - <linux:state state_ref="state_144120" /> - </linux:partition_test> - <linux:partition_state id="state_144120" - version="1"> - linux:mount_optionsnodev</linux:mount_options> - </linux:partition_state> - <linux:partition_object id="obj_144120" - version="1"> - linux:mount_point/tmp</linux:mount_point> - </linux:partition_object> -</def-group> diff --git a/RHEL6/input/checks/package_ipsec-tools_installed.xml b/RHEL6/input/checks/package_ipsec-tools_installed.xml deleted file mode 100644 index 48221ae..0000000 --- a/RHEL6/input/checks/package_ipsec-tools_installed.xml +++ /dev/null 
@@ -1,25 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_installed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_ipsec-tools_installed" - version="1"> - <metadata> - <title>Package ipsec-tools Installed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package ipsec-tools should be installed.</description> - </metadata> - <criteria> - <criterion comment="package ipsec-tools is installed" - test_ref="test_package_ipsec-tools_installed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="all_exist" - id="test_package_ipsec-tools_installed" version="1" - comment="package ipsec-tools is installed"> - <linux:object object_ref="obj_package_ipsec-tools_installed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_ipsec-tools_installed" version="1"> - linux:nameipsec-tools</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL6/input/checks/package_talk-server_removed.xml b/RHEL6/input/checks/package_talk-server_removed.xml deleted file mode 100644 index 74b1735..0000000 --- a/RHEL6/input/checks/package_talk-server_removed.xml +++ /dev/null 
@@ -1,25 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_talk-server_removed" - version="1"> - <metadata> - <title>Package talk-server Removed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package talk-server should be removed.</description> - </metadata> - <criteria> - <criterion comment="package talk-server is removed" - test_ref="test_package_talk-server_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_talk-server_removed" version="1" - comment="package talk-server is removed"> - <linux:object object_ref="obj_package_talk-server_removed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_talk-server_removed" version="1"> - linux:nametalk-server</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL6/input/checks/package_talk_removed.xml b/RHEL6/input/checks/package_talk_removed.xml deleted file mode 100644 index 4f51b7f..0000000 --- a/RHEL6/input/checks/package_talk_removed.xml +++ /dev/null 
@@ -1,25 +0,0 @@ -<def-group> - <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. --> - <definition class="compliance" id="package_talk_removed" - version="1"> - <metadata> - <title>Package talk Removed</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The RPM package talk should be removed.</description> - </metadata> - <criteria> - <criterion comment="package talk is removed" - test_ref="test_package_talk_removed" /> - </criteria> - </definition> - <linux:rpminfo_test check="all" check_existence="none_exist" - id="test_package_talk_removed" version="1" - comment="package talk is removed"> - <linux:object object_ref="obj_package_talk_removed" /> - </linux:rpminfo_test> - <linux:rpminfo_object id="obj_package_talk_removed" version="1"> - linux:nametalk</linux:name> - </linux:rpminfo_object> -</def-group> diff --git a/RHEL6/input/checks/service_abrtd_disabled.xml b/RHEL6/input/checks/service_abrtd_disabled.xml index a72eb1b..71c8985 100644 --- a/RHEL6/input/checks/service_abrtd_disabled.xml +++ b/RHEL6/input/checks/service_abrtd_disabled.xml @@ -9,6 +9,8 @@ </affected> <description>The abrtd service should be disabled if possible.</description> </metadata> + <criteria comment="package abrt removed or service abrtd is not configured to start" operator="OR"> + <extend_definition comment="abrt removed" definition_ref="package_abrt_removed" /> <criteria operator="AND" comment="service abrtd is not configured to start"> <criterion comment="abrtd runlevel 0" test_ref="test_runlevel0_abrtd" /> <criterion comment="abrtd runlevel 1" test_ref="test_runlevel1_abrtd" /> @@ -18,6 +20,7 @@ <criterion comment="abrtd runlevel 5" test_ref="test_runlevel5_abrtd" /> <criterion comment="abrtd runlevel 6" test_ref="test_runlevel6_abrtd" /> </criteria> + </criteria> </definition> <unix:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="test_runlevel0_abrtd" 
diff --git a/RHEL6/input/checks/sysconfig_ipv6_disable.xml b/RHEL6/input/checks/sysconfig_ipv6_disable.xml deleted file mode 100644 index 8dcae22..0000000 --- a/RHEL6/input/checks/sysconfig_ipv6_disable.xml +++ /dev/null @@ -1,37 +0,0 @@ -<def-group> - <definition class="compliance" - id="sysconfig_ipv6_disable" version="1"> - <metadata> - <title>Disable Interface Usage of IPv6</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The default setting for IPv6 configuration - should be disabled for network interfaces.</description> - </metadata> - <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" - operator="OR"> - <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" - definition_ref="kernel_module_ipv6_option_disabled" /> - <criterion test_ref="test_20131" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the ^[\s]*IPV6INIT[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network file" - id="test_20131" version="1"> - <ind:object object_ref="obj_20131" /> - <ind:state state_ref="state_20131" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_20131" - version="1"> - <ind:subexpression operation="equals">no</ind:subexpression> - </ind:textfilecontent54_state> - <ind:textfilecontent54_object id="obj_20131" - version="1"> - ind:path/etc/sysconfig</ind:path> - ind:filenamenetwork</ind:filename> - <ind:pattern operation="pattern match">^[\s]*IPV6INIT[\s]*=[\s]*([^#\s]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/sysconfig_ipv6_networking.xml b/RHEL6/input/checks/sysconfig_ipv6_networking.xml deleted file mode 100644 index c9e9ac3..0000000 --- a/RHEL6/input/checks/sysconfig_ipv6_networking.xml +++ /dev/null 
@@ -1,37 +0,0 @@ -<def-group> - <definition class="compliance" - id="sysconfig_ipv6_networking" version="1"> - <metadata> - <title>Disable Interface Usage of IPv6</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>Global IPv6 initialization should be - disabled.</description> - </metadata> - <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" - operator="OR"> - <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" - definition_ref="kernel_module_ipv6_option_disabled" /> - <criterion test_ref="test_20132" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network file" - id="test_20132" version="1"> - <ind:object object_ref="obj_20132" /> - <ind:state state_ref="state_20132" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_20132" - version="1"> - <ind:subexpression operation="equals">no</ind:subexpression> - </ind:textfilecontent54_state> - <ind:textfilecontent54_object id="obj_20132" - version="1"> - ind:path/etc/sysconfig</ind:path> - ind:filenamenetwork</ind:filename> - <ind:pattern operation="pattern match">^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#\s]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml b/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml deleted file mode 100644 index 42075e7..0000000 --- a/RHEL6/input/checks/sysconfig_networking_ipv6_ifcfg.xml +++ /dev/null 
@@ -1,37 +0,0 @@ -<def-group> - <definition class="compliance" - id="sysconfig_networking_ipv6_ifcfg" version="1"> - <metadata> - <title>Disable Interface Usage of IPv6</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>IPv6 configuration should be disabled for all - interfaces.</description> - </metadata> - <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" - operator="OR"> - <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" - definition_ref="kernel_module_ipv6_option_disabled" /> - <criterion test_ref="test_20133" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" - id="test_20133" version="1"> - <ind:object object_ref="obj_20133" /> - <ind:state state_ref="state_20133" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_20133" - version="1"> - <ind:subexpression operation="equals">no</ind:subexpression> - </ind:textfilecontent54_state> - <ind:textfilecontent54_object id="obj_20133" - version="1"> - ind:path/etc/sysconfig/network-scripts</ind:path> - <ind:filename operation="pattern match">ifcfg-.*</ind:filename> - <ind:pattern operation="pattern match">^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#\s]*)</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group> diff --git a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml b/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml deleted file mode 100644 index f89bb53..0000000 --- a/RHEL6/input/checks/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref.xml +++ /dev/null 
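Review bot: with `sysconfig_ipv6_disable`, `sysconfig_ipv6_networking` and `sysconfig_networking_ipv6_ifcfg` deleted, any XCCDF Rule that still carries an `<oval>` element naming one of those ids becomes a dangling reference; run `verify-references.py` after this commit and drop or re-point those references in the networking guidance, since the `IPV6INIT=no` and `NETWORKING_IPV6=no` settings these three files tested lose their automation here.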
@@ -1,31 +0,0 @@ -<def-group> - <definition class="compliance" id="sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1"> - <metadata> - <title>Kernel Runtime Parameter "net.ipv6.conf.default.accept_ra_rtr_pref" Check</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>The kernel runtime parameter "net.ipv6.conf.default.accept_ra_rtr_pref" should be set to configured.</description> - </metadata> - <criteria operator="OR"> - <extend_definition comment="IPv6 disabled or..." - definition_ref="kernel_module_ipv6_option_disabled" /> - <criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref is set" - test_ref="test_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" /> - </criteria> - </definition> - - <unix:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.default.accept_ra_rtr_pref set" - id="test_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1"> - <unix:object object_ref="object_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" /> - <unix:state state_ref="state_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" /> - </unix:sysctl_test> - - <unix:sysctl_object id="object_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1"> - unix:namenet.ipv6.conf.default.accept_ra_rtr_pref</unix:name> - </unix:sysctl_object> - - <unix:sysctl_state id="state_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref" version="1"> - <unix:value datatype="int" operation="equals">0</unix:value> - </unix:sysctl_state> -</def-group> diff --git a/RHEL6/input/checks/xwindows_remote_listening.xml b/RHEL6/input/checks/xwindows_remote_listening.xml deleted file mode 100644 index 0d5e5c9..0000000 --- a/RHEL6/input/checks/xwindows_remote_listening.xml +++ /dev/null 
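Review bot: the deleted description said the parameter "should be set to configured" while the state asserted `net.ipv6.conf.default.accept_ra_rtr_pref` equals 0; that mismatch supports treating the check as obsolete, but if it is reintroduced later the description and the expected value need to agree, and the `kernel_module_ipv6_option_disabled` OR branch should be kept so the check does not fail on systems with IPv6 disabled.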
@@ -1,30 +0,0 @@ -<def-group> - <definition class="compliance" - id="xwindows_remote_listening" version="1"> - <metadata> - <title>Disable X Window System Listening</title> - <affected family="unix"> - <platform>Red Hat Enterprise Linux 6</platform> - </affected> - <description>Disable the ability to provide remote graphical - display</description> - </metadata> - <criteria> - <criterion comment="Check for existence of line exec X :0 -nolisten tcp $@ in file /etc/X11/xinit/xserverrc" - test_ref="test_20248" /> - </criteria> - </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Check for existence of line exec X :0 -nolisten tcp $@ in file /etc/X11/xinit/xserverrc" - id="test_20248" version="1"> - <ind:object object_ref="obj_20248" /> - </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_20248" - version="1"> - ind:path/etc/X11/xinit</ind:path> - ind:filenamexserverrc</ind:filename> - <ind:pattern operation="pattern match">^[\s]*exec\sX\s:0\s-nolisten\stcp\s$@</ind:pattern> - <ind:instance datatype="int">1</ind:instance> - </ind:textfilecontent54_object> -</def-group>
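Review bot: `test_20248` was the only automated check for `-nolisten tcp` in `/etc/X11/xinit/xserverrc` visible in this series; if the XCCDF Rule for disabling X Window System listening remains, its `<oval>` reference now points nowhere, so either remove that reference or plan a replacement. A replacement should match on the `-nolisten tcp` option rather than the whole `exec X :0 -nolisten tcp $@` line, which the deleted pattern required literally.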
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
---
RHEL6/input/services/http.xml | 72 -----------------------------------------
1 files changed, 0 insertions(+), 72 deletions(-)
diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 3ca959a..1624deb 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -70,9 +70,6 @@ package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required <tt>httpd</tt> package itself. </description> -<!--<ident cce="27078-5" />--> -<!--<oval id="package_httpd_installed" />--> -<!--<ref nist="CM-7" />-->
<Group id="httpd_minimal_modules_installed"> <title>Confirm Minimal Built-in Modules Installed</title> @@ -119,7 +116,6 @@ Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. </rationale> -<oval id="httpd_servertokens_prod" /> <ref nist="CM-7" /> </Rule>
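Review bot: this removes a live (not commented-out) `<oval id="httpd_servertokens_prod" />`, leaving the ServerTokens Rule with only `<ref nist="CM-7" />` and no check; if the check is missing rather than misnamed, leave a TODO or open an item for a textfilecontent54 check on `ServerTokens` in `/etc/httpd/conf/httpd.conf`, so the automated coverage is tracked rather than silently lost.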
@@ -136,7 +132,6 @@ Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. </rationale> -<oval id="httpd_serversignature_off" /> <ref nist="CM-7" /> </Rule>
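Review bot: same concern as for `httpd_servertokens_prod`: `<oval id="httpd_serversignature_off" />` was a live reference, and the Rule keeps its rationale and NIST ref but now has no check; track the missing `ServerSignature Off` check instead of only deleting the pointer.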
@@ -208,13 +203,6 @@ If the above functionality is unnecessary, comment out the related module: #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so</pre> </description> -<!--<rationale> -Minimizing the number of loadable modules available to the web server reduces risk -by limiting the capabilities allowed by the web server. -</rationale>--> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_basic_authentication" />--> -<!--<ref nist="CM-7" />--> </Group>
<Rule id="httpd_digest_authentication"> @@ -228,9 +216,6 @@ If this functionality is unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_digest_authentication" />--> -<!--<ref nist="CM-7" />--> </Rule>
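Review bot: the commented-out `<ident cce="26900-1" />` removed here is the same CCE pasted into every httpd module Rule that follows (`httpd_mod_rewrite`, `httpd_ldap_support`, through `httpd_cgi_support`), which confirms these were placeholders rather than assigned identifiers; worth saying so in the commit message so nobody later tries to restore 26900-1 as a real CCE for any of them.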
<Rule id="httpd_mod_rewrite"> @@ -246,9 +231,6 @@ unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_mod_rewrite" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_ldap_support"> @@ -264,9 +246,6 @@ If LDAP is to be used, SSL encryption should be used as well. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_ldap_support" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_server_side_includes"> @@ -285,9 +264,6 @@ supplied data should be encoded to prevent cross-site scripting vulnerabilities. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_side_includes" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_mime_magic"> @@ -301,9 +277,6 @@ is likely extraneous. If its functionality is unnecessary, comment out the relat Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_mime_magic" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_webdav"> @@ -322,9 +295,6 @@ server that is DAV enabled should be protected by access controls. Minimizing the number of loadable modules available to the web server, reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_webdav" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_server_activity_status"> @@ -342,9 +312,6 @@ configuration. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_activity_status" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_server_configuration_display"> @@ -361,9 +328,6 @@ an access control list to restrict access to the information. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_configuration_display" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_url_correction"> @@ -378,9 +342,6 @@ This functionality weakens server security by making site enumeration easier. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_url_correction" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_proxy_support"> @@ -403,9 +364,6 @@ are a security risk. <tt>mod_proxy_balancer</tt> enables load balancing, but req Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_proxy_support" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_cache_support"> @@ -424,9 +382,6 @@ If caching is required, it should not be enabled for any limited-access content. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_cache_support" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_cgi_support"> @@ -450,9 +405,6 @@ CGI scripts to run as a specified user/group instead of as the server's user/gro Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_cgi_support" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Group id="httpd_optional_components"> @@ -478,9 +430,6 @@ are not using these directives), comment out the associated module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </description> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_optional_components" />--> -<!--<ref nist="CM-7" />--> </Group>
<Group id="httpd_minimize_config_files_included"> @@ -504,9 +453,6 @@ the possibility of unwanted or malicious configuration files to be automatically part of the server's running configuration. <!--</rationale>--> </description> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_minimize_config_files_included" />--> -<!--<ref nist="CM-7" />--> </Group>
</Group> <!-- <Group id="httpd_core_modules"> --> @@ -535,9 +481,6 @@ The <tt>httpd</tt> root directory should always have the most restrictive config The Web Server's root directory content should be protected from unauthorized access by web clients. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_root_directory" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_restrict_web_directory"> @@ -561,9 +504,6 @@ Ensure that this policy is adhered to by altering the related section of the con Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_web_directory" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_restrict_critical_directories"> @@ -578,9 +518,6 @@ should be used to deny access by default, allowing access only where necessary. Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_critical_directories" />--> -<!--<ref nist="CM-7" />--> </Rule>
<Rule id="httpd_limit_available_methods"> @@ -605,9 +542,6 @@ are limited to the WebDAV protocol. Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_limit_available_methods" />--> -<!--<ref nist="CM-7" />--> </Rule>
</Group> <!-- <Group id="httpd_directory_restrictions"> --> @@ -646,8 +580,6 @@ content is transmitted in plain text which could be passively monitored and acce unauthorized parties. </rationale> <ident cce="27403-5" /> -<oval id="package_mod_ssl_installed" /> -<!--<ref nist="CM-7" />--> </Rule>
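Review bot: unlike the commented-out placeholders above, `<oval id="package_mod_ssl_installed" />` was a live reference on a Rule that keeps a real CCE (`27403-5`); a package-installed check is exactly what `packages_installed.csv` generates, so either add `mod_ssl` to that template and keep the reference, or record in the commit message that this Rule is intentionally manual-only.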
</Group> <!-- <Group id="httpd_deploy_mod_ssl"> --> @@ -677,8 +609,6 @@ enabling the administrator to implement content access policies and filters at t application layer. </rationale> <ident cce="27525-5" /> -<oval id="package_mod_security_installed" /> -<!--<ref nist="CM-7" />--> </Rule>
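Review bot: as with `package_mod_ssl_installed`, dropping `<oval id="package_mod_security_installed" />` leaves a Rule with a real CCE (`27525-5`) but no automation, even though a `mod_security` entry in `packages_installed.csv` would cover it; decide explicitly between generating the check and documenting the Rule as manual-only.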
</Group> <!-- <Group id="httpd_deploy_mod_security"> --> @@ -784,9 +714,7 @@ Set permissions on the web server configuration directory to 750: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files. </rationale> -<!-- <ident cce="27150-2" /> --> <oval id="dir_perms_etc_httpd_conf" /> -<!-- <ref nist="CM-7" /> --> </Rule>
<Rule id="httpd_conf_files_permissions">
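Review bot: removing `<!-- <ident cce="27150-2" /> -->` loses the only record of that CCE for `dir_perms_etc_httpd_conf`; unlike the 26900-1 placeholder repeated across the module Rules, this value is unique to this Rule, so if it is a real assignment it should be uncommented rather than deleted, and if it is not, say so in the commit message. Keeping the live `<oval id="dir_perms_etc_httpd_conf" />` is correct.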
I was about to submit checks for the packages mod_ssl and mod_security. Should I discard them?
- Maura
On 05/20/2013 01:50 AM, Jeffrey Blank wrote:
Yes.
On 05/20/2013 11:23 AM, Maura Dailey wrote:
I was about to submit checks for the packages mod_ssl and mod_security. Should I discard them?
- Maura
On 05/20/2013 01:50 AM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil
RHEL6/input/services/http.xml | 72
1 files changed, 0 insertions(+), 72 deletions(-)
diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 3ca959a..1624deb 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml @@ -70,9 +70,6 @@ package group during the system installation process. The Web Server package group includes many packages which are likely extraneous, while the command-line method installs only the required <tt>httpd</tt> package itself.
</description> -<!--<ident cce="27078-5" />--> -<!--<oval id="package_httpd_installed" />--> -<!--<ref nist="CM-7" />--> <Group id="httpd_minimal_modules_installed"> <title>Confirm Minimal Built-in Modules Installed</title> @@ -119,7 +116,6 @@ Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. </rationale> -<oval id="httpd_servertokens_prod" /> <ref nist="CM-7" /> </Rule> @@ -136,7 +132,6 @@ Add or correct the following directive in <tt>/etc/httpd/conf/httpd.conf</tt>: Information disclosed to clients about the configuration of the web server and system could be used to plan an attack on the given system. This information disclosure should be restricted to a minimum. </rationale> -<oval id="httpd_serversignature_off" /> <ref nist="CM-7" /> </Rule> @@ -208,13 +203,6 @@ If the above functionality is unnecessary, comment out the related module: #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbm_module modules/mod_authz_dbm.so</pre> </description> -<!--<rationale> -Minimizing the number of loadable modules available to the web server reduces risk -by limiting the capabilities allowed by the web server. -</rationale>--> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_basic_authentication" />--> -<!--<ref nist="CM-7" />--> </Group> <Rule id="httpd_digest_authentication"> @@ -228,9 +216,6 @@ If this functionality is unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_digest_authentication" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_mod_rewrite"> 
@@ -246,9 +231,6 @@ unnecessary, comment out the related module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_mod_rewrite" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_ldap_support"> @@ -264,9 +246,6 @@ If LDAP is to be used, SSL encryption should be used as well. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_ldap_support" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_server_side_includes"> @@ -285,9 +264,6 @@ supplied data should be encoded to prevent cross-site scripting vulnerabilities. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_side_includes" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_mime_magic"> @@ -301,9 +277,6 @@ is likely extraneous. If its functionality is unnecessary, comment out the relat Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_mime_magic" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_webdav"> @@ -322,9 +295,6 @@ server that is DAV enabled should be protected by access controls. Minimizing the number of loadable modules available to the web server, reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_webdav" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_server_activity_status"> 
@@ -342,9 +312,6 @@ configuration. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_activity_status" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_server_configuration_display"> @@ -361,9 +328,6 @@ an access control list to restrict access to the information. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_server_configuration_display" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_url_correction"> @@ -378,9 +342,6 @@ This functionality weakens server security by making site enumeration easier. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_url_correction" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_proxy_support"> @@ -403,9 +364,6 @@ are a security risk. <tt>mod_proxy_balancer</tt> enables load balancing, but req Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_proxy_support" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_cache_support"> @@ -424,9 +382,6 @@ If caching is required, it should not be enabled for any limited-access content. Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_cache_support" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_cgi_support"> 
@@ -450,9 +405,6 @@ CGI scripts to run as a specified user/group instead of as the server's user/gro Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_cgi_support" />--> -<!--<ref nist="CM-7" />--> </Rule> <Group id="httpd_optional_components"> @@ -478,9 +430,6 @@ are not using these directives), comment out the associated module: Minimizing the number of loadable modules available to the web server reduces risk by limiting the capabilities allowed by the web server. </description> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_optional_components" />--> -<!--<ref nist="CM-7" />--> </Group> <Group id="httpd_minimize_config_files_included"> @@ -504,9 +453,6 @@ the possibility of unwanted or malicious configuration files to be automatically part of the server's running configuration. <!--</rationale>--> </description> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_minimize_config_files_included" />--> -<!--<ref nist="CM-7" />--> </Group> </Group> <!-- <Group id="httpd_core_modules"> --> @@ -535,9 +481,6 @@ The <tt>httpd</tt> root directory should always have the most restrictive config The Web Server's root directory content should be protected from unauthorized access by web clients. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_root_directory" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_restrict_web_directory"> @@ -561,9 +504,6 @@ Ensure that this policy is adhered to by altering the related section of the con Access to the web server's directory hierarchy could allow access to unauthorized files by web clients. Following symbolic links could also allow such access. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_web_directory" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_restrict_critical_directories"> 
@@ -578,9 +518,6 @@ should be used to deny access by default, allowing access only where necessary. Directories accessible from a web client should be configured with the least amount of access possible in order to avoid unauthorized access to restricted content or server information. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_restrict_critical_directories" />--> -<!--<ref nist="CM-7" />--> </Rule> <Rule id="httpd_limit_available_methods"> @@ -605,9 +542,6 @@ are limited to the WebDAV protocol. Minimizing the number of available methods to the web client reduces risk by limiting the capabilities allowed by the web server. </rationale> -<!--<ident cce="26900-1" />--> -<!--<oval id="httpd_limit_available_methods" />--> -<!--<ref nist="CM-7" />--> </Rule> </Group> <!-- <Group id="httpd_directory_restrictions"> --> @@ -646,8 +580,6 @@ content is transmitted in plain text which could be passively monitored and acce unauthorized parties. </rationale> <ident cce="27403-5" /> -<oval id="package_mod_ssl_installed" /> -<!--<ref nist="CM-7" />--> </Rule> </Group> <!-- <Group id="httpd_deploy_mod_ssl"> --> @@ -677,8 +609,6 @@ enabling the administrator to implement content access policies and filters at t application layer. </rationale> <ident cce="27525-5" /> -<oval id="package_mod_security_installed" /> -<!--<ref nist="CM-7" />--> </Rule> </Group> <!-- <Group id="httpd_deploy_mod_security"> --> @@ -784,9 +714,7 @@ Set permissions on the web server configuration directory to 750: Access to the web server's configuration files may allow an unauthorized user or attacker to access information about the web server or alter the server's configuration files. </rationale> -<!-- <ident cce="27150-2" /> --> <oval id="dir_perms_etc_httpd_conf" /> -<!-- <ref nist="CM-7" /> --> </Rule> <Rule id="httpd_conf_files_permissions">
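Review bot: the `<!--</rationale>-->` remnant in the @@ -504 hunk (httpd_minimize_config_files_included) is left in place inside `<description>` even though this hunk is already stripping commented-out elements from that Group; dropping that stray commented close tag as well would finish the cleanup rather than leave a half-commented rationale in the source.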
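Review bot: in the @@ -646 hunk the removed `<oval id="package_mod_ssl_installed" />` was a live reference, not a commented-out one, so the mod_ssl rule keeps `<ident cce="27403-5" />` but is left with no automated check behind it. If the check was intentionally dropped from packages_installed.csv, the commit message should say so; otherwise this rule silently falls out of automated scanning without anything in `make validate` flagging it.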
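Review bot: the @@ -677 hunk has the same issue as the mod_ssl one: `<oval id="package_mod_security_installed" />` is a live reference being removed while `<ident cce="27525-5" />` stays, leaving the mod_security rule with a CCE and no check. A one-line note in the commit message that these two package rules are now unchecked pending a rewritten template entry would make the intent clear to anyone reading the history.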
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/utils/verify-references.py | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/RHEL6/utils/verify-references.py b/RHEL6/utils/verify-references.py index 88caf67..bac9723 100755 --- a/RHEL6/utils/verify-references.py +++ b/RHEL6/utils/verify-references.py @@ -101,7 +101,8 @@ def main(): # find important elements within the XCCDF and the OVAL ovalfile = ovalfiles.pop() ovaltree = ET.parse(ovalfile) - ovaldefs = ovaltree.findall(".//{%s}definition" % oval_ns) + # collect all compliance checks (not inventory checks, which are needed by CPE) + ovaldefs = ovaltree.findall(".//{%s}definition[@class='compliance']" % oval_ns) ovaldef_ids = [ovaldef.get("id") for ovaldef in ovaldefs]
oval_extenddefs = ovaltree.findall(".//{%s}extend_definition" % oval_ns) @@ -163,7 +164,7 @@ def main(): print "XCCDF Rule found with DISA CCI reference outside Profile %s: " % options.profile_name + rule.get("id")
if options.ovaldefs_unused or options.all_checks: - # create a list of all of the OVAL checks that are defined in the oval file + # create a list of all of the OVAL compliance check ids that are defined in the oval file oval_checks_list = [ovaldef.get("id") for ovaldef in ovaldefs] # now loop through the xccdf rules; if a rule references an oval check we remove the oval check from our list for check_content in check_content_refs:
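Review bot: the `[@class='compliance']` predicate in the @@ -101 hunk depends on ElementTree 1.3 path syntax (Python 2.7); the script is still Python 2 (note the `print "..."` statements), and on an older ElementTree the predicate fails inside findall rather than returning an empty list. A version-independent form is to keep the original findall and filter in Python, e.g. `ovaldefs = [d for d in ovaldefs if d.get("class") == "compliance"]`. Also note that the `oval_extenddefs` query in the trailing context is still unfiltered, so extend_definition references from inventory checks continue to be collected; if that is deliberate a comment saying so next to the new one would help.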
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/services/nfs.xml | 4 ---- 1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index e1428af..c3514dd 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -143,7 +143,6 @@ Restrict service to always use a given port, so that firewalling can be done effectively. </rationale> <ident cce="27149-4" /> -<oval id="nfs_fixed_lockd_tcp_port" /> </Rule>
<Rule id="nfs_fixed_lockd_udp_port"> @@ -160,7 +159,6 @@ your network. to be done more effectively. </rationale> <ident cce="27063-7" /> -<oval id="nfs_fixed_lockd_udp_port" /> </Rule>
<Rule id="nfs_fixed_statd_port"> @@ -175,7 +173,6 @@ Where <tt>statd-port</tt> is a port which is not used by any other service on yo to be done more effectively. </rationale> <ident cce="26889-6" /> -<oval id="nfs_fixed_statd_port" /> </Rule>
<Rule id="nfs_fixed_mountd_port"> @@ -190,7 +187,6 @@ Where <tt>mountd-port</tt> is a port which is not used by any other service on y to be done more effectively. </rationale> <ident cce="27114-8" /> -<oval id="nfs_fixed_mountd_port" /> </Rule>
</Group> <!-- <Group id="nfs_configure_fixed_ports"> -->
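Review bot: all four hunks in this nfs.xml diff strip the `<oval id=...>` from rules that keep their CCE (27149-4, 27063-7, 26889-6 and 27114-8), so the fixed-port rules are now guidance only with no check behind them. Since the cover letter describes these as references to nonexistent OVAL, a short note in the commit message that these checks still need to be written (as opposed to the references simply being wrong) would keep them from being forgotten.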
Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/services/obsolete.xml | 2 +- RHEL6/input/system/permissions/partitions.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 8883caf..0c28d24 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -209,7 +209,7 @@ used in conjunction with the R-services, they can allow unauthenticated access to a system.</rationale> <ident cce="27270-8" /> <ref nist="AC-17(8),CM-7" disa="1436" /> -<oval id="no_rsh_trust_files" /> +<oval id="no_rsh_trusted_host_files" /> <tested by="DS" on="20121026"/> </Rule>
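Review bot: the `<tested by="DS" on="20121026"/>` line in this hunk is kept unchanged while the rule's check moves from `no_rsh_trust_files` to `no_rsh_trusted_host_files`. If the 2012-10-26 test was run against the check that actually exists under the new name, this is just a typo fix; otherwise the tested stamp should be refreshed, because it now vouches for a different OVAL id than it did before.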
diff --git a/RHEL6/input/system/permissions/partitions.xml b/RHEL6/input/system/permissions/partitions.xml index 1026e9b..d5b5da6 100644 --- a/RHEL6/input/system/permissions/partitions.xml +++ b/RHEL6/input/system/permissions/partitions.xml @@ -89,7 +89,7 @@ files into the system via partitions mounted from removeable media. should not be able to execute suid or sgid binaries from partitions mounted off of removable media.</rationale> <ident cce="27056-1" /> -<oval id="mount_option_noexec_removable_partitions" value="var_removable_partition" /> +<oval id="mount_option_nosuid_removable_partitions" value="var_removable_partition" /> <ref nist="AC-19(a),AC-19(d),AC-19(e),CM-7,MP-2"/> </Rule>
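Review bot: replacing `mount_option_noexec_removable_partitions` with `mount_option_nosuid_removable_partitions` matches the rationale in the context lines, which is about suid/sgid binaries rather than execution. The series diffstat does not delete a noexec check file, though, so if `mount_option_noexec_removable_partitions` exists as a check it is now unreferenced and will appear in the `make validate` "not referenced by XCCDF" output; either point a separate noexec rule at it or remove it.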
On 05/20/2013 01:50 AM, Jeffrey Blank wrote:
This is largely about deleting vestigial OVAL checks.
Some of the remaining "OVAL Check is not referenced by XCCDF" messages which "make validate" produces call for more investigation.
And of course the OVAL schematron still has problems. But this gets us closer.
Jeffrey Blank (6): removal of packages from check templates removal or correction of misnamed or obsolete OVAL checks removal of comments, reference to nonexistent OVAL refine verify-references to deal only with OVAL compliance checks for OVAL removal of references to nonexistent OVAL for some NFS guidance corrections for typos in OVAL references
ACK to all!