Signed-off-by: Maura Dailey maura@eclipse.ncsc.mil --- RHEL6/input/checks/banner_etc_issue.xml | 1 + .../checks/dovecot_disable_plaintext_auth.xml | 10 ++++--- RHEL6/input/checks/dovecot_enable_ssl.xml | 12 ++++---- .../input/checks/logwatch_configured_hostlimit.xml | 8 ++--- .../checks/logwatch_configured_splithosts.xml | 10 +++---- RHEL6/input/checks/network_sniffer_disabled.xml | 1 + RHEL6/input/checks/ntp_remote_server.xml | 27 +++++++++---------- .../checks/postfix_network_listening_disabled.xml | 26 +++++++++--------- RHEL6/input/checks/postfix_server_banner.xml | 17 ++++-------- RHEL6/input/checks/restrict_serial_port_logins.xml | 7 +++-- .../checks/securetty_root_login_console_only.xml | 5 ++- RHEL6/input/checks/selinux_mode.xml | 9 ++++-- RHEL6/input/checks/selinux_policytype.xml | 18 +++++-------- .../set_password_hashing_algorithm_libuserconf.xml | 3 +- .../set_password_hashing_algorithm_logindefs.xml | 5 ++- RHEL6/input/checks/singleuser_password.xml | 19 ++++++-------- RHEL6/input/checks/smb_client_signing_smb_conf.xml | 23 +++++++++-------- .../sysconfig_networking_bootproto_ifcfg.xml | 20 +++++++------- RHEL6/input/checks/sysconfig_nozeroconf_yes.xml | 22 +++++++--------- .../input/checks/system_info_architecture_x86.xml | 22 ++++++++-------- .../checks/system_info_architecture_x86_64.xml | 22 ++++++++-------- .../input/checks/templates/packages_installed.csv | 3 +- RHEL6/input/checks/tftpd_uses_secure_mode.xml | 3 +- RHEL6/input/checks/xwindows_runlevel_setting.xml | 3 +- 24 files changed, 146 insertions(+), 150 deletions(-)
diff --git a/RHEL6/input/checks/banner_etc_issue.xml b/RHEL6/input/checks/banner_etc_issue.xml index e13bd3a..64c8f30 100644 --- a/RHEL6/input/checks/banner_etc_issue.xml +++ b/RHEL6/input/checks/banner_etc_issue.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The system login banner text should be set correctly.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="/etc/issue is set appropriately" test_ref="test_banner_etc_issue" /> diff --git a/RHEL6/input/checks/dovecot_disable_plaintext_auth.xml b/RHEL6/input/checks/dovecot_disable_plaintext_auth.xml index e16eb75..27b781e 100644 --- a/RHEL6/input/checks/dovecot_disable_plaintext_auth.xml +++ b/RHEL6/input/checks/dovecot_disable_plaintext_auth.xml @@ -1,14 +1,16 @@ <def-group> - <definition class="compliance" - id="dovecot_disable_plaintext_auth" version="1"> + <definition class="compliance" id="dovecot_disable_plaintext_auth" + version="1"> <metadata> <title>Disable Plaintext Authentication in Dovecot</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Plaintext authentication of mail clients should be disabled.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> - <criteria comment="Disable Plaintext Authentication in Dovecot"> + <criteria comment="Disable Plaintext Authentication in Dovecot" operator="OR"> + <extend_definition comment="dovecot service is disabled" definition_ref="service_dovecot_disabled" /> <criterion test_ref="test_dovecot_disable_plaintext_auth" /> </criteria> </definition> 
@@ -21,7 +23,7 @@ version="1"> ind:path/etc/dovecot/conf.d</ind:path> ind:filename10-auth.conf</ind:filename> - <ind:pattern operation="pattern match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*disable_plaintext_auth[\s]*=[\s]*yes[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/dovecot_enable_ssl.xml b/RHEL6/input/checks/dovecot_enable_ssl.xml index 23d2494..811d7bb 100644 --- a/RHEL6/input/checks/dovecot_enable_ssl.xml +++ b/RHEL6/input/checks/dovecot_enable_ssl.xml @@ -1,14 +1,15 @@ <def-group> - <definition class="compliance" - id="dovecot_enable_ssl" version="1"> + <definition class="compliance" id="dovecot_enable_ssl" version="1"> <metadata> <title>Enable SSL in Dovecot</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>SSL capabilities should be enabled for the mail server.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> - <criteria comment="Enable SSL in Dovecot"> + <criteria comment="Enable SSL in Dovecot" operator="OR"> + <extend_definition comment="dovecot service is disabled" definition_ref="service_dovecot_disabled" /> <criterion test_ref="test_dovecot_enable_ssl" /> </criteria> </definition> 
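Review bot: The object only proves that one line with `disable_plaintext_auth = yes` exists (instance 1); a later `disable_plaintext_auth = no` in 10-auth.conf or in another included fragment is never looked at, yet it is the later definition that Dovecot applies (worth confirming for the 2.0 series on RHEL 6). Add a negated criterion over `^[\s]*disable_plaintext_auth[\s]*=[\s]*no[\s]*$`, or capture the value with `([^\s#]+)` and compare it in a state, so an overriding `no` fails the rule. The definition and criteria for this def-group start in the previous hunk.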
@@ -17,11 +18,10 @@ id="test_dovecot_enable_ssl" version="1"> <ind:object object_ref="obj_dovecot_enable_ssl" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_dovecot_enable_ssl" - version="1"> + <ind:textfilecontent54_object id="obj_dovecot_enable_ssl" version="1"> ind:path/etc/dovecot/conf.d</ind:path> ind:filename10-ssl.conf</ind:filename> - <ind:pattern operation="pattern match">^[\s]*ssl[\s]*=[\s]*yes\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*ssl[\s]*=[\s]*yes[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/logwatch_configured_hostlimit.xml b/RHEL6/input/checks/logwatch_configured_hostlimit.xml index 9c701b9..953fa59 100644 --- a/RHEL6/input/checks/logwatch_configured_hostlimit.xml +++ b/RHEL6/input/checks/logwatch_configured_hostlimit.xml @@ -6,22 +6,20 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Test if HostLimit line in logwatch.conf is set appropriately.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> - <criterion comment="hostlimit" test_ref="test_logwatch_configured_hostlimit" /> + <criterion comment="Test value of HostLimit" test_ref="test_logwatch_configured_hostlimit" /> </criteria> </definition>
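Review bot: `^[\s]*ssl[\s]*=[\s]*yes[\s]*$` reports `ssl = required` as non-compliant, although that is the stricter setting (TLS mandatory for every client connection) documented for Dovecot 2.x as far as I know, so an administrator who follows the stronger guidance gets a failed check. Accept both values: `^[\s]*ssl[\s]*=[\s]*(yes|required)[\s]*$`. As with the plaintext-auth object, a later explicit `ssl = no` in the same file is not detected because only the first matching `yes` line is examined.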
<ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test HostLimit" id="test_logwatch_configured_hostlimit" version="1"> <ind:object object_ref="object_logwatch_configured_hostlimit" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_logwatch_configured_hostlimit" version="1"> - <ind:subexpression operation="equals">no</ind:subexpression> - </ind:textfilecontent54_state> <ind:textfilecontent54_object id="object_logwatch_configured_hostlimit" version="1"> ind:path/etc/logwatch/conf</ind:path> ind:filenamelogwatch.conf</ind:filename> - <ind:pattern operation="pattern match">^[\s]HostLimit[\s]*=[\s]*[\w]+\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]HostLimit[\s]*=[\s]*no[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
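Review bot: `^[\s]HostLimit` requires exactly one whitespace character before the key, so `HostLimit = no` written at column 0 — the usual form in logwatch.conf — does not match and a compliant host fails `all_exist`. Every other pattern in this commit uses `^[\s]*`; change the line to `^[\s]*HostLimit[\s]*=[\s]*no[\s]*$`. Note also that the first `= no` line satisfies the test, so a later `HostLimit = yes` in the same file is not caught.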
diff --git a/RHEL6/input/checks/logwatch_configured_splithosts.xml b/RHEL6/input/checks/logwatch_configured_splithosts.xml index 8143317..c399617 100644 --- a/RHEL6/input/checks/logwatch_configured_splithosts.xml +++ b/RHEL6/input/checks/logwatch_configured_splithosts.xml @@ -5,22 +5,20 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Check if splithosts line in logwatch.conf is set appropriately.</description> + <description>Check if SplitHosts line in logwatch.conf is set appropriately.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> - <criterion comment="splithosts" test_ref="test_logwatch_configured_splithosts" /> + <criterion comment="Test value of SplitHosts" test_ref="test_logwatch_configured_splithosts" /> </criteria> </definition> <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Test SplitHosts" id="test_logwatch_configured_splithosts" version="1"> <ind:object object_ref="object_logwatch_configured_splithosts" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_logwatch_configured_splithosts" version="1"> - <ind:subexpression operation="equals">yes</ind:subexpression> - </ind:textfilecontent54_state> <ind:textfilecontent54_object id="object_logwatch_configured_splithosts" version="1"> ind:path/etc/logwatch/conf</ind:path> ind:filenamelogwatch.conf</ind:filename> - <ind:pattern operation="pattern match">^[\s]SplitHosts[\s]*=[\s]*[\w]+\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]SplitHosts[\s]*=[\s]*yes[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/network_sniffer_disabled.xml b/RHEL6/input/checks/network_sniffer_disabled.xml index 4075e84..59360ad 100644 --- a/RHEL6/input/checks/network_sniffer_disabled.xml +++ b/RHEL6/input/checks/network_sniffer_disabled.xml 
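Review bot: `^[\s]SplitHosts` has the same defect as the HostLimit pattern: the un-quantified `[\s]` demands exactly one leading whitespace character, so `SplitHosts = yes` at column 0 never matches and the rule fails on a correctly configured file. Use `^[\s]*SplitHosts[\s]*=[\s]*yes[\s]*$` to match the convention used elsewhere in this commit. Since the state element was removed, consider an XML comment on the object noting that the required value is now baked into the pattern.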
@@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Disable the network sniffer</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="promisc interfaces" test_ref="test_promisc_interfaces" negate="true" /> diff --git a/RHEL6/input/checks/ntp_remote_server.xml b/RHEL6/input/checks/ntp_remote_server.xml index b5eae21..b630ae4 100644 --- a/RHEL6/input/checks/ntp_remote_server.xml +++ b/RHEL6/input/checks/ntp_remote_server.xml 
@@ -1,31 +1,30 @@ <def-group> - <definition class="compliance" - id="ntp_remote_server" version="1"> + <definition class="compliance" id="ntp_remote_server" version="1"> <metadata> <title>Specify a Remote NTP Server for Time Data</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>A remote NTP Server for time synchronization - should be specified (and dependencies are met)</description> + <description>A remote NTP Server for time synchronization should be + specified (and dependencies are met)</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> - <criteria comment="ntpd is enabled and conditions are met" - operator="AND"> + <criteria comment="ntpd is enabled and conditions are met" operator="AND"> <extend_definition comment="ntpd is enabled" definition_ref="service_ntpd_enabled" /> - <criterion test_ref="test_43850" /> + <criterion test_ref="test_ntp_remote_server" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="at_least_one_exists" comment="TODO::INSERT" - id="test_43850" version="1"> - <ind:object object_ref="obj_43850" /> + <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" + comment="Ensure at least one NTP server is set" id="test_ntp_remote_server" + version="1"> + <ind:object object_ref="obj_ntp_remote_server" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object comment="TODO::INSERT" - id="obj_43850" version="1"> + <ind:textfilecontent54_object comment="Ensure at least one NTP server is set" + id="obj_ntp_remote_server" version="1"> ind:path/etc</ind:path> ind:filenamentp.conf</ind:filename> - <ind:pattern operation="pattern match">^server\s+.+$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> 
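Review bot: `^[\s]*server[\s]+.+$` is satisfied by `server 127.127.1.0` (the local undisciplined-clock driver) and by any junk after `server`, so a host that never contacts a remote time source passes a rule titled "Specify a Remote NTP Server". Exclude the local-clock pseudo-addresses, e.g. `^[\s]*server[\s]+(?!127\.127\.)[^\s#]+` (PCRE lookahead is available in OVAL pattern matching). Whether `peer` lines should also satisfy the rule is a policy decision that the description could state explicitly.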
diff --git a/RHEL6/input/checks/postfix_network_listening_disabled.xml b/RHEL6/input/checks/postfix_network_listening_disabled.xml index 3a66118..7b29afd 100644 --- a/RHEL6/input/checks/postfix_network_listening_disabled.xml +++ b/RHEL6/input/checks/postfix_network_listening_disabled.xml 
@@ -1,29 +1,29 @@ <def-group> - <definition class="compliance" - id="postfix_network_listening_disabled" version="1"> + <definition class="compliance" id="postfix_network_listening_disabled" + version="1"> <metadata> <title>Postfix network listening should be disabled</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Postfix network listening should be - disabled</description> + <description>Postfix network listening should be disabled</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> - <criterion comment="Unknown test stub" - test_ref="test_150180" /> + <criterion comment="Check inet_interfaces in /etc/postfix/main.cf" + test_ref="test_postfix_network_listening_disabled" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="at_least_one_exists" comment="TODO::INSERT" - id="test_150180" version="1"> - <ind:object object_ref="obj_150180" /> + <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" + comment="inet_interfaces in /etc/postfix/main.cf should be set correctly" + id="test_postfix_network_listening_disabled" version="1"> + <ind:object object_ref="obj_postfix_network_listening_disabled" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object comment="TODO::INSERT" - id="obj_150180" version="1"> + <ind:textfilecontent54_object comment="inet_interfaces in /etc/postfix/main.cf should be set correctly" + id="obj_postfix_network_listening_disabled" version="1"> ind:path/etc/postfix</ind:path> ind:filenamemain.cf</ind:filename> - <ind:pattern operation="pattern match">^inet_interfaces = localhost$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> 
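Review bot: Only `inet_interfaces = localhost` passes, but Postfix also accepts `loopback-only` (and an explicit `127.0.0.1`) as the no-external-listening setting — as far as I know both are available in the Postfix shipped with RHEL 6 — so hosts hardened that way are reported non-compliant. The match is also first-instance only, so a second `inet_interfaces = all` further down main.cf goes unnoticed even though Postfix honours the last definition. Suggest `^[\s]*inet_interfaces[\s]*=[\s]*(localhost|loopback-only|127\.0\.0\.1)[\s]*$` plus a negated test for any other value.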
diff --git a/RHEL6/input/checks/postfix_server_banner.xml b/RHEL6/input/checks/postfix_server_banner.xml index d13d8c2..b95256b 100644 --- a/RHEL6/input/checks/postfix_server_banner.xml +++ b/RHEL6/input/checks/postfix_server_banner.xml @@ -1,31 +1,26 @@ <def-group> - <definition class="compliance" - id="postfix_server_banner" version="1"> + <definition class="compliance" id="postfix_server_banner" version="1"> <metadata> <title>Configure Postfix Against Unnecessary Release of Information</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Protect against unnecessary release of information.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> - <criterion comment="Limit release of information" test_ref="test_postfix_server_banner" /> + <criterion comment="Limit release of information" test_ref="test_postfix_server_banner" /> </criteria> </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" - comment="Set banner" - id="test_postfix_server_banner" version="1"> + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Set banner" id="test_postfix_server_banner" version="1"> <ind:object object_ref="obj_postfix_server_banner" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_postfix_server_banner" - version="1"> - <ind:subexpression operation="equals">$myhostname ESMTP</ind:subexpression> - </ind:textfilecontent54_state> <ind:textfilecontent54_object id="obj_postfix_server_banner" version="1"> ind:path/etc/postfix</ind:path> ind:filenamemain.cf</ind:filename> - <ind:pattern operation="pattern match">^[\s]*smtpd_banner[\s]*=[\s]*(.+)[\s]*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*smtpd_banner[\s]*=[\s]*$myhostname[\s]+ESMTP[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
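Review bot: The new pattern `^[\s]*smtpd_banner[\s]*=[\s]*$myhostname[\s]+ESMTP[\s]*$` can never match: the `$` before `myhostname` is the end-of-line anchor, not a literal dollar sign, so the `m` that follows has nowhere to match and the rule is always non-compliant. The removed state compared the literal string `$myhostname ESMTP`; to keep that meaning escape it, `^[\s]*smtpd_banner[\s]*=[\s]*\$myhostname[\s]+ESMTP[\s]*$`. It is also worth deciding whether this exact banner is the only acceptable one, since the rule's stated goal is only that `$mail_name`/`$mail_version` are not disclosed.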
diff --git a/RHEL6/input/checks/restrict_serial_port_logins.xml b/RHEL6/input/checks/restrict_serial_port_logins.xml index 9cc7641..c25d3dc 100644 --- a/RHEL6/input/checks/restrict_serial_port_logins.xml +++ b/RHEL6/input/checks/restrict_serial_port_logins.xml @@ -5,9 +5,10 @@ <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Preventing direct root login to serial port interfaces - helps ensure accountability for actions taken on the system - using the root account.</description> + <description>Preventing direct root login to serial port interfaces helps + ensure accountability for actions taken on the system using the root + account.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="serial ports /etc/securetty" test_ref="test_serial_ports_etc_securetty" negate="true" /> diff --git a/RHEL6/input/checks/securetty_root_login_console_only.xml b/RHEL6/input/checks/securetty_root_login_console_only.xml index 18cdca5..7a686ec 100644 --- a/RHEL6/input/checks/securetty_root_login_console_only.xml +++ b/RHEL6/input/checks/securetty_root_login_console_only.xml @@ -6,8 +6,9 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Preventing direct root login to virtual console devices - helps ensure accountability for actions taken on the system - using the root account.</description> + helps ensure accountability for actions taken on the system using the + root account.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="virtual consoles /etc/securetty" test_ref="test_virtual_consoles_etc_securetty" /> diff --git a/RHEL6/input/checks/selinux_mode.xml b/RHEL6/input/checks/selinux_mode.xml index 2a1c4ca..affd4ca 100644 --- a/RHEL6/input/checks/selinux_mode.xml +++ b/RHEL6/input/checks/selinux_mode.xml 
@@ -6,13 +6,15 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The SELinux state should be enforcing the local policy.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> <criterion comment="enforce is disabled" test_ref="test_etc_selinux_config" /> </criteria> </definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="/selinux/enforce is 1" id="test_etc_selinux_config" version="1"> + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="/selinux/enforce is 1" id="test_etc_selinux_config" version="1"> <ind:object object_ref="object_etc_selinux_config" /> <ind:state state_ref="state_etc_selinux_config" /> </ind:textfilecontent54_test> @@ -20,7 +22,7 @@ <ind:textfilecontent54_object id="object_etc_selinux_config" version="1"> ind:path/etc/selinux</ind:path> ind:filenameconfig</ind:filename> - <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
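Review bot: The criterion comment `enforce is disabled` states the opposite of what the test verifies (that `SELINUX=` in /etc/selinux/config equals var_selinux_state_name, normally `enforcing`), and the test's own comment `/selinux/enforce is 1` describes the running mode, which this textfilecontent54 test does not inspect at all. Rename both, e.g. `comment="SELINUX= in /etc/selinux/config matches the required state"`, so result reports are not misleading. If the running mode is meant to be covered, that needs a separate test on /selinux/enforce.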
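Review bot: With `(.*)[\s]*$` the greedy capture swallows trailing whitespace, so `SELINUX=enforcing ` (trailing space or tab) yields the subexpression `enforcing ` and the equals comparison against var_selinux_state_name fails — a false non-compliance on an otherwise correct file. Stop the capture at whitespace or a comment instead: `^[\s]*SELINUX[\s]*=[\s]*([^\s#]*)`, which also keeps it from matching `SELINUXTYPE=` because `T` is neither whitespace nor `=`.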
@@ -28,5 +30,6 @@ <ind:subexpression datatype="string" operation="equals" var_check="all" var_ref="var_selinux_state_name" /> </ind:textfilecontent54_state>
- <external_variable comment="external variable for selinux state" datatype="string" id="var_selinux_state_name" version="1" /> + <external_variable comment="external variable for selinux state" + datatype="string" id="var_selinux_state_name" version="1" /> </def-group> diff --git a/RHEL6/input/checks/selinux_policytype.xml b/RHEL6/input/checks/selinux_policytype.xml index 43f7e3f..a694b9e 100644 --- a/RHEL6/input/checks/selinux_policytype.xml +++ b/RHEL6/input/checks/selinux_policytype.xml @@ -1,21 +1,19 @@ <def-group> - <definition class="compliance" - id="selinux_policytype" version="1"> + <definition class="compliance" id="selinux_policytype" version="1"> <metadata> <title>Enable SELinux</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The SELinux policy should be set - appropriately.</description> + <description>The SELinux policy should be set appropriately.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_selinux_policy" /> </criteria> </definition>
- <ind:textfilecontent54_test check="all" - check_existence="all_exist" + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file" id="test_selinux_policy" version="1"> <ind:object object_ref="obj_selinux_policy" /> @@ -28,14 +26,12 @@ </ind:textfilecontent54_state>
<external_variable comment="External variable: name of selinux policy in /etc/selinux/config" - datatype="string" id="var_selinux_policy_name" - version="1" /> + datatype="string" id="var_selinux_policy_name" version="1" />
- <ind:textfilecontent54_object id="obj_selinux_policy" - version="1"> + <ind:textfilecontent54_object id="obj_selinux_policy" version="1"> ind:path/etc/selinux</ind:path> ind:filenameconfig</ind:filename> - <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^#\s]*)</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml b/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml index f8a55b9..ff0dfd2 100644 --- a/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml +++ b/RHEL6/input/checks/set_password_hashing_algorithm_libuserconf.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The password hashing algorithm should be set correctly in /etc/libuser.conf.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> <criterion test_ref="test_etc_libuser_conf_cryptstyle" /> @@ -21,7 +22,7 @@ <ind:textfilecontent54_object comment="The password hashing algorithm should be set correctly in /etc/libuser.conf" id="object_etc_libuser_conf_cryptstyle" version="1"> ind:filepath/etc/libuser.conf</ind:filepath> - <ind:pattern operation="pattern match">^\s*crypt_style\s=\ssha512\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/set_password_hashing_algorithm_logindefs.xml b/RHEL6/input/checks/set_password_hashing_algorithm_logindefs.xml index bec9337..6ff2ce7 100644 --- a/RHEL6/input/checks/set_password_hashing_algorithm_logindefs.xml +++ b/RHEL6/input/checks/set_password_hashing_algorithm_logindefs.xml 
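Review bot: The comment on test_selinux_policy (context in the preceding hunk) still quotes the pattern as `([^#]*)` while the object now uses `([^\s]*)`, and this hunk drops the `#` exclusion without saying why, so a reader cannot tell whether `SELINUXTYPE=targeted#x` is meant to fail. Update the comment to quote the real pattern and add a one-line XML comment on the object such as `<!-- capture ends at whitespace so a trailing "# comment" is not compared -->`. If an inline `#` should be tolerated after all, `([^\s#]*)` is the safer capture.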
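Review bot: `crypt_style[\s]+=[\s]+` demands at least one whitespace character on each side of `=`, so `crypt_style=sha512` is reported non-compliant even though, as far as I can tell, libuser accepts it; every other pattern in this commit uses `[\s]*=[\s]*`. Change it to `^[\s]*crypt_style[\s]*=[\s]*(?i)sha512[\s]*$`. The mid-pattern `(?i)` only affects what follows it, which is what is wanted here, but an XML comment saying so would spare the next reader a trip to the PCRE manual.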
@@ -1,11 +1,12 @@ <def-group> <definition class="compliance" id="set_password_hashing_algorithm_logindefs" version="1"> <metadata> - <title>Set SHA512 Password Hashing Algorithm In /etc/login.defs</title> + <title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The password hashing algorithm should be set correctly in /etc/login.defs.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria operator="AND"> <criterion test_ref="test_etc_logins_defs_encrypt_method" /> @@ -18,7 +19,7 @@
<ind:textfilecontent54_object comment="check ENCRYPT_METHOD in /etc/login.defs" id="object_etc_logins_defs_encrypt_method" version="1"> ind:filepath/etc/login.defs</ind:filepath> - <ind:pattern operation="pattern match">^\s*ENCRYPT_METHOD\s+SHA512\s*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*ENCRYPT_METHOD[\s]+SHA512[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/singleuser_password.xml b/RHEL6/input/checks/singleuser_password.xml index c405bec..31441ee 100644 --- a/RHEL6/input/checks/singleuser_password.xml +++ b/RHEL6/input/checks/singleuser_password.xml 
@@ -1,31 +1,28 @@ <def-group> - <definition class="compliance" - id="singleuser_password" version="1"> + <definition class="compliance" id="singleuser_password" version="1"> <metadata> <title>Require Authentication for Single-User Mode</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>The requirement for a password to boot into - single-user mode should be configured - correctly.</description> + <description>The requirement for a password to boot into single-user mode + should be configured correctly.</description> + <reference source="MED" ref_id="20130819" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Conditions are satisfied" test_ref="test_singleuser_password" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" - comment="Tests the value of the SINGLE variable in the /etc/sysconfig/init file, to ensure that a password must be entered to access single user mode it should be set as 'SINGLE=/sbin/sulogin'. The init file provides further documentation on the configuration of this setting." + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests that the SINGLE variable in the /etc/sysconfig/init file is set to /sbin/sulogin, to ensure that a password must be entered to access single user mode" id="test_singleuser_password" version="1"> <ind:object object_ref="obj_singleuser_password" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_singleuser_password" - version="1"> + <ind:textfilecontent54_object id="obj_singleuser_password" version="1"> ind:path/etc/sysconfig</ind:path> ind:filenameinit</ind:filename> - <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin[\s#]*</ind:pattern> + <ind:pattern operation="pattern match">^SINGLE=/sbin/sulogin[\s]*</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> 
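Review bot: Without an end anchor `^SINGLE=/sbin/sulogin[\s]*` is a prefix match, so `SINGLE=/sbin/sulogin.disabled` or `SINGLE=/sbin/sulogin-wrapper` passes, and dropping `#` from the class changes nothing because nothing after it is required. /etc/sysconfig/init is sourced as a shell fragment, so the quoted form `SINGLE="/sbin/sulogin"` is valid and should pass while `SINGLE = ...` should not; `^[\s]*SINGLE="?/sbin/sulogin"?[\s]*$` captures both. The updated test comment should then also mention that a trailing comment is no longer tolerated.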
diff --git a/RHEL6/input/checks/smb_client_signing_smb_conf.xml b/RHEL6/input/checks/smb_client_signing_smb_conf.xml index 910e493..09604ad 100644 --- a/RHEL6/input/checks/smb_client_signing_smb_conf.xml +++ b/RHEL6/input/checks/smb_client_signing_smb_conf.xml @@ -1,33 +1,34 @@ <def-group> - <definition class="compliance" - id="smb_client_signing_smb_conf" version="1"> + <definition class="compliance" id="smb_client_signing_smb_conf" version="1"> <metadata> <title>Require Client SMB Packet Signing in smb.conf</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Require samba clients which use smb.conf, such as smbclient, to - use packet signing. A Samba client should only communicate with servers who can support SMB packet signing.</description> + <description>Require samba clients which use smb.conf, such as smbclient, + to use packet signing. A Samba client should only communicate with + servers who can support SMB packet signing.</description> + <reference source="MED" ref_id="20130814" ref_url="test_attestation" /> </metadata> <criteria operator="OR"> <extend_definition comment="package samba-common is not installed" definition_ref="package_samba-common_removed" /> <criterion comment="check for client signing = mandatory in /etc/samba/smb.conf" - test_ref="test_2034010" /> + test_ref="test_smb_client_signing_smb_conf" /> </criteria> </definition>
- <ind:textfilecontent54_test check="all" - check_existence="at_least_one_exists" + <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for client signing = mandatory in /etc/samba/smb.conf" - id="test_2034010" version="1"> - <ind:object object_ref="obj_2034010" /> + id="test_smb_client_signing_smb_conf" version="1"> + <ind:object object_ref="obj_smb_client_signing_smb_conf" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_2034010" + + <ind:textfilecontent54_object id="obj_smb_client_signing_smb_conf" version="1"> ind:path/etc/samba</ind:path> ind:filenamesmb.conf</ind:filename> - <ind:pattern operation="pattern match">^[\s]*client[\s]+signing[\s]*=[\s]mandatory</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*client[\s]+signing[\s]*=[\s]*mandatory</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/sysconfig_networking_bootproto_ifcfg.xml b/RHEL6/input/checks/sysconfig_networking_bootproto_ifcfg.xml index 3a9d26d..6d2237e 100644 --- a/RHEL6/input/checks/sysconfig_networking_bootproto_ifcfg.xml +++ b/RHEL6/input/checks/sysconfig_networking_bootproto_ifcfg.xml @@ -1,6 +1,6 @@ <def-group> - <definition class="compliance" - id="sysconfig_networking_bootproto_ifcfg" version="1"> + <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg" + version="1"> <metadata> <title>Disable DHCP Client</title> <affected family="unix"> 
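Review bot: Samba matches smb.conf parameter names case-insensitively and ignores internal whitespace, and the value keyword is case-insensitive as well (as far as I recall), so `Client Signing = Mandatory` or `clientsigning = mandatory` is compliant in practice but fails this case-sensitive pattern; the missing end anchor also lets `mandatory_xyz` through. Use `(?i)^[\s]*client[\s]*signing[\s]*=[\s]*mandatory[\s]*$`. The object reads only /etc/samba/smb.conf, so a setting pulled in through `include =` is not seen — worth a comment on the object.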
@@ -8,23 +8,23 @@ </affected> <description>DHCP configuration should be static for all interfaces.</description> + <reference source="MED" ref_id="20130813" ref_url="test_attestation" /> </metadata> <criteria comment="Test for BOOTPROTO=static across all interfaces"> - <criterion test_ref="test_20135" /> + <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="all_exist" + <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" - id="test_20135" version="1"> - <ind:object object_ref="obj_20135" /> - <ind:state state_ref="state_20135" /> + id="test_sysconfig_networking_bootproto_ifcfg" version="1"> + <ind:object object_ref="obj_sysconfig_networking_bootproto_ifcfg" /> + <ind:state state_ref="state_sysconfig_networking_bootproto_ifcfg" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_state id="state_20135" + <ind:textfilecontent54_state id="state_sysconfig_networking_bootproto_ifcfg" version="1"> <ind:subexpression operation="equals">static</ind:subexpression> </ind:textfilecontent54_state> - <ind:textfilecontent54_object id="obj_20135" + <ind:textfilecontent54_object id="obj_sysconfig_networking_bootproto_ifcfg" version="1"> ind:path/etc/sysconfig/network-scripts</ind:path> <ind:filename operation="pattern match">ifcfg-.*</ind:filename> diff --git a/RHEL6/input/checks/sysconfig_nozeroconf_yes.xml b/RHEL6/input/checks/sysconfig_nozeroconf_yes.xml index 0d862e7..977f125 100644 --- a/RHEL6/input/checks/sysconfig_nozeroconf_yes.xml +++ b/RHEL6/input/checks/sysconfig_nozeroconf_yes.xml 
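Review bot: The state accepts only `static`, but on RHEL 6 an ifcfg file written for a static address commonly carries `BOOTPROTO=none` (often quoted, `BOOTPROTO="none"`), so correctly configured interfaces fail the rule, while a file with no BOOTPROTO line yields no item and passes `all_exist`. Suggest `<ind:subexpression operation="pattern match">^"?(static|none)"?$</ind:subexpression>` together with a negated test for `^[\s]*BOOTPROTO[\s]*=[\s]*"?dhcp"?` to catch what the rule actually prohibits. The `ifcfg-.*` filename pattern also matches `ifcfg-lo` and editor backups such as `ifcfg-eth0.bak`; the object's pattern line that captures the value lies outside this hunk.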
@@ -1,30 +1,28 @@ <def-group> - <definition class="compliance" - id="sysconfig_nozeroconf_yes" version="1"> + <definition class="compliance" id="sysconfig_nozeroconf_yes" version="1"> <metadata> <title>Disable Zeroconf Networking</title> <affected family="unix"> <platform>Red Hat Enterprise Linux 6</platform> </affected> - <description>Disable Zeroconf automatic route assignment in - the 169.245.0.0 subnet.</description> + <description>Disable Zeroconf automatic route assignment in the + 169.245.0.0 subnet.</description> + <reference source="MED" ref_id="20130813" ref_url="test_attestation" /> </metadata> <criteria> <criterion comment="Look for NOZEROCONF=yes in /etc/sysconfig/network" - test_ref="test_20193" /> + test_ref="test_sysconfig_nozeroconf_yes" /> </criteria> </definition> - <ind:textfilecontent54_test check="all" - check_existence="at_least_one_exists" + <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check NOZEROCONF=yes in /etc/sysconfig/network" - id="test_20193" version="1"> - <ind:object object_ref="obj_20193" /> + id="test_sysconfig_nozeroconf_yes" version="1"> + <ind:object object_ref="obj_sysconfig_nozeroconf_yes" /> </ind:textfilecontent54_test> - <ind:textfilecontent54_object id="obj_20193" - version="1"> + <ind:textfilecontent54_object id="obj_sysconfig_nozeroconf_yes" version="1"> ind:path/etc/sysconfig</ind:path> ind:filenamenetwork</ind:filename> - <ind:pattern operation="pattern match">^\s*NOZEROCONF=yes</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*NOZEROCONF[\s]*=[\s]*yes</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object> </def-group> diff --git a/RHEL6/input/checks/system_info_architecture_x86.xml b/RHEL6/input/checks/system_info_architecture_x86.xml index 2486a2c..f05260a 100644 --- a/RHEL6/input/checks/system_info_architecture_x86.xml +++ b/RHEL6/input/checks/system_info_architecture_x86.xml 
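Review bot: The description's subnet is wrong — link-local (zeroconf) addressing is 169.254.0.0/16 (RFC 3927), not 169.245.0.0 — and the commit reflows the sentence without correcting it. Separately, /etc/sysconfig/network is sourced by the init scripts as a shell fragment, so `NOZEROCONF="yes"` is valid and should pass, while the unanchored pattern currently accepts `NOZEROCONF=yesterday`; `^[\s]*NOZEROCONF="?yes"?[\s]*$` handles both, and whether other non-empty values are honoured by ifup is worth checking before widening it.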
@@ -1,30 +1,30 @@
 <def-group>
- <definition class="miscellaneous"
- id="system_info_architecture_x86" version="1">
-<!-- Note that this does not meet requirements for class=inventory as that
-only tests for patches per 5.10.1 Revision 1 -->
+ <definition class="miscellaneous" id="system_info_architecture_x86"
+ version="1">
+ <!-- Note that this does not meet requirements for class=inventory as
+ that only tests for patches per 5.10.1 Revision 1 -->
 <metadata>
 <title>Test for x86 Architecture</title>
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
 <description>Generic test for x86 architecture to be used by other tests</description>
+ <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
 </metadata>
 <criteria>
 <criterion comment="Generic test for x86 architecture" test_ref="test_system_info_architecture_x86" />
 </criteria>
 </definition>
- <unix:uname_test check="all"
- comment="32 bit architecture"
- id="test_system_info_architecture_x86"
- version="1">
+ <unix:uname_test check="all" comment="32 bit architecture"
+ id="test_system_info_architecture_x86" version="1">
 <unix:object object_ref="object_system_info_architecture_x86" />
 <unix:state state_ref="state_system_info_architecture_x86" />
 </unix:uname_test>
- <unix:uname_object comment="32 bit architecture" id="object_system_info_architecture_x86" version="1">
- </unix:uname_object>
- <unix:uname_state comment="32 bit architecture" id="state_system_info_architecture_x86" version="1">
+ <unix:uname_object comment="32 bit architecture"
+ id="object_system_info_architecture_x86" version="1" />
+ <unix:uname_state comment="32 bit architecture"
+ id="state_system_info_architecture_x86" version="1">
 <unix:processor_type operation="equals">i686</unix:processor_type>
 </unix:uname_state>
 </def-group>
diff --git a/RHEL6/input/checks/system_info_architecture_x86_64.xml b/RHEL6/input/checks/system_info_architecture_x86_64.xml
index 0019a49..d4e681f 100644
--- a/RHEL6/input/checks/system_info_architecture_x86_64.xml
+++ b/RHEL6/input/checks/system_info_architecture_x86_64.xml
@@ -1,30 +1,30 @@
 <def-group>
- <definition class="miscellaneous"
- id="system_info_architecture_x86_64" version="1">
-<!-- Note that this does not meet requirements for class=inventory as that
- only tests for patches per 5.10.1 Revision 1 -->
+ <definition class="miscellaneous" id="system_info_architecture_x86_64"
+ version="1">
+ <!-- Note that this does not meet requirements for class=inventory as
+ that only tests for patches per 5.10.1 Revision 1 -->
 <metadata>
 <title>Test for x86_64 Architecture</title>
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
 <description>Generic test for x86_64 architecture to be used by other tests</description>
+ <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
 </metadata>
 <criteria>
 <criterion comment="Generic test for x86_64 architecture" test_ref="test_system_info_architecture_x86_64" />
 </criteria>
 </definition>
- <unix:uname_test check="all"
- comment="64 bit architecture"
- id="test_system_info_architecture_x86_64"
- version="1">
+ <unix:uname_test check="all" comment="64 bit architecture"
+ id="test_system_info_architecture_x86_64" version="1">
 <unix:object object_ref="object_system_info_architecture_x86_64" />
 <unix:state state_ref="state_system_info_architecture_x86_64" />
 </unix:uname_test>
- <unix:uname_object comment="64 bit architecture" id="object_system_info_architecture_x86_64" version="1">
- </unix:uname_object>
- <unix:uname_state comment="64 bit architecture" id="state_system_info_architecture_x86_64" version="1">
+ <unix:uname_object comment="64 bit architecture"
+ id="object_system_info_architecture_x86_64" version="1" />
+ <unix:uname_state comment="64 bit architecture"
+ id="state_system_info_architecture_x86_64" version="1">
 <unix:processor_type operation="equals">x86_64</unix:processor_type>
 </unix:uname_state>
 </def-group>
diff --git a/RHEL6/input/checks/templates/packages_installed.csv b/RHEL6/input/checks/templates/packages_installed.csv
index 318ec91..990f332 100644
--- a/RHEL6/input/checks/templates/packages_installed.csv
+++ b/RHEL6/input/checks/templates/packages_installed.csv
@@ -9,5 +9,6 @@ openswan
 policycoreutils
 postfix
 psacct
-vsftpd
+rsyslog
 screen
+vsftpd
diff --git a/RHEL6/input/checks/tftpd_uses_secure_mode.xml b/RHEL6/input/checks/tftpd_uses_secure_mode.xml
index cdb0a6d..0dc15c6 100644
--- a/RHEL6/input/checks/tftpd_uses_secure_mode.xml
+++ b/RHEL6/input/checks/tftpd_uses_secure_mode.xml
@@ -6,6 +6,7 @@
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
 <description>The TFTP daemon should use secure mode.</description>
+ <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
 </metadata>
 <criteria comment="package tftp-server removed or /etc/xinetd.d/tftp configured correctly" operator="OR">
 <extend_definition comment="rpm package tftp-server removed" definition_ref="package_tftp-server_removed" />
@@ -17,7 +18,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object id="object_tftpd_uses_secure_mode" version="1">
 ind:filepath/etc/xinetd.d/tftp</ind:filepath>
- <ind:pattern operation="pattern match">^\s*server_args\s+=\s+-s\s+.+$$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=[\s]+-s[\s]+.+$</ind:pattern>
 <ind:instance datatype="int">1</ind:instance>
 </ind:textfilecontent54_object>
 </def-group>
diff --git a/RHEL6/input/checks/xwindows_runlevel_setting.xml b/RHEL6/input/checks/xwindows_runlevel_setting.xml
index 5aa134b..650c4f2 100644
--- a/RHEL6/input/checks/xwindows_runlevel_setting.xml
+++ b/RHEL6/input/checks/xwindows_runlevel_setting.xml
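Review bot: In the second tftpd_uses_secure_mode hunk the corrected pattern `^[\s]*server_args[\s]+=[\s]+-s[\s]+.+$` requires `-s` to be the first token after `=`, so a stanza that lists another in.tftpd option first, such as `server_args = -c -s /var/lib/tftpboot`, is reported as not running in secure mode even though it is. The `[\s]+` on both sides of `=` also differs from the `[\s]*=[\s]*` form the same commit adopts in sysconfig_nozeroconf_yes and sysconfig_networking_bootproto_ifcfg, which looks like an oversight rather than intent (whether xinetd itself accepts `=` without surrounding blanks I have not verified). Something like `^[\s]*server_args[\s]*=(.*[\s])?-s[\s]+[^\s]+` would accept options in any order while still requiring a directory argument after `-s`. Dropping the doubled `$$` from the old line is a good fix.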
@@ -6,6 +6,7 @@
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
 <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
+ <reference source="MED" ref_id="20130819" ref_url="test_attestation" />
 </metadata>
 <criteria>
 <criterion comment="default runlevel is 3" test_ref="test_etc_inittab_default_runlevel" />
@@ -18,7 +19,7 @@
<ind:textfilecontent54_object id="object_etc_inittab_default_runlevel" version="1">
 ind:filepath/etc/inittab</ind:filepath>
- <ind:pattern operation="pattern match">^\s*id:3:initdefault:\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*id:3:initdefault:[\s]*$</ind:pattern>
 <ind:instance datatype="int">1</ind:instance>
 </ind:textfilecontent54_object>
 </def-group>