November 2013 - scap-security-guide

[PATCH 04/11] Updated OVAL + remediation for accounts_no_uid_except_zero

by Shawn Wells

10 years, 5 months

1
0
0 / 0

[PATCH 03/11] OVAL + remediation for accounts_max_concurrent_login_sessions

by Shawn Wells

10 years, 5 months

1
0
0 / 0

[PATCH 02/11] OVAL rename, accounts_dangerous_path_for_root --> root_path_no_dot

by Shawn Wells

10 years, 5 months

1
0
0 / 0

[PATCH 01/11] Added remediation - account_disable_post_pw_expiration.sh

by Shawn Wells

10 years, 5 months

1
0
0 / 0

[PATCH] Fixed a typo in the CS2 profile

by Caleb Cooper

Signed-off-by: Caleb Cooper <coopercd(a)ornl.gov> --- RHEL6/input/profiles/CS2.xml | 760 +++++++++++++++++++++--------------------- 1 files changed, 380 insertions(+), 380 deletions(-) diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml index 35b88b5..c6df577 100644 --- a/RHEL6/input/profiles/CS2.xml +++ b/RHEL6/input/profiles/CS2.xml @@ -1,380 +1,380 @@ -<Profile id="CS2"> -<title>Example Server Profile</title> -<description>This profile is an example of a customized server profile.</description> - -<select idref="accounts_password_minlen_login_defs" selected="true"/> -<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> -<select idref="accounts_minimum_age_login_defs" selected="true"/> -<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/> -<select idref="acounts_maximum_age_login_defs" selected="true"/> -<refine-value idref="var_acounts_maximum_age_login_defs" selector="180"/> -<select idref="password_require_digits" selected="true"/> -<select idref="password_require_uppercases" selected="true"/> -<select idref="password_require_specials" selected="true"/> -<select idref="password_require_lowercases" selected="true"/> -<select idref="password_require_diffchars" selected="true"/> -<select idref="accounts_password_reuse_limit" selected="true"/> -<refine-value idref="var_password_history_retain_limit" selector="10"/> -<select idref="accounts_password_warn_age_login_defs" selected="true"/> -<select idref="account_disable_post_pw_expiration" selected="true" /> -<select idref="deny_password_attempts" selected="true" /> -<select idref="accounts_password_pam_cracklib_retry" selected="true"/> -<select idref="max_concurrent_login_sessions" selected="true"/> -<refine-value idref="max_concurrent_login_sessions_value" selector="3"/> - -<select idref="partition_for_tmp" selected="true"/> -<select idref="partition_for_var" selected="true"/> -<select idref="partition_for_var_log" selected="true"/> -<select idref="partition_for_var_log_audit" selected="true"/> -<select idref="partition_for_home" selected="true"/> - -<select idref="ensure_redhat_gpgkey_installed" selected="true"/> -<select idref="ensure_gpgcheck_globally_activated" selected="true"/> -<select idref="ensure_gpgcheck_never_disabled" selected="true"/> -<select idref="rpm_verify_hashes" selected="true"/> -<select idref="rpm_verify_permissions" selected="true"/> - -<select idref="package_aide_installed" selected="true"/> -<select idref="aide_build_database" selected="true"/> - -<select idref="mountopt_nodev_on_removable_partitions" selected="true"/> -<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> -<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/> -<select idref="mount_option_tmp_nodev" selected="true"/> -<select idref="mount_option_tmp_noexec" selected="true"/> -<select idref="mount_option_tmp_nosuid" selected="true"/> -<select idref="mount_option_dev_shm_nodev" selected="true"/> -<select idref="mount_option_dev_shm_noexec" selected="true"/> -<select idref="mount_option_dev_shm_nosuid" selected="true"/> -<select idref="mount_option_var_tmp_bind_var" selected="true"/> - -<select idref="kernel_module_usb-storage_disabled" selected="true"/> -<select idref="bootloader_nousb_argument" selected="true"/> - - -<select idref="kernel_module_cramfs_disabled" selected="true" /> -<select idref="kernel_module_freevxfs_disabled" selected="true" /> -<select idref="kernel_module_jffs2_disabled" selected="true" /> -<select idref="kernel_module_hfs_disabled" selected="true" /> -<select idref="kernel_module_hfsplus_disabled" selected="true" /> -<select idref="kernel_module_squashfs_disabled" selected="true" /> -<select idref="kernel_module_udf_disabled" selected="true" /> - -<select idref="sticky_world_writable_dirs" selected="true" /> -<select idref="world_writeable_files" selected="true" /> -<select idref="no_files_unowned_by_user" selected="true" /> -<select idref="no_files_unowned_by_group" selected="true" /> -<select idref="world_writable_files_system_ownership" selected="true" /> - -<select idref="umask_for_daemons" selected="true" /> -<refine-value idref="var_umask_for_daemons" selector="027"/> - -<select idref="disable_users_coredumps" selected="true"/> -<select idref="enable_randomize_va_space" selected="true"/> -<select idref="enable_execshield" selected="true"/> -<select idref="install_PAE_kernel_on_x86-32" selected="true" /> -<select idref="disable_prelink" selected="true" /> -<select idref="account_unique_name" selected="true"/> -<select idref="no_hashes_outside_shadow" selected="true"/> -<select idref="no_uidzero_except_root" selected="true"/> - -<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> -<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> -<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> - -<select idref="root_paths" selected="true" /> -<select idref="root_path_no_groupother_writable" selected="true" /> -<select idref="user_umask_bashrc" selected="true" /> -<select idref="user_umask_logindefs" selected="true" /> -<refine-value idref="var_accounts_user_umask" selector="077" /> -<select idref="no_shelllogin_for_systemaccounts" selected="true"/> -<select idref="root_path_default" selected="true" /> -<select idref="no_empty_passwords" selected="true"/> -<select idref="user_umask_cshrc" selected="true" /> -<select idref="user_umask_profile" selected="true" /> - -<select idref="no_netrc_files" selected="true" /> -<select idref="disable_interactive_boot" selected="true"/> -<select idref="package_screen_installed" selected="true"/> - -<select idref="kernel_module_dccp_disabled" selected="true"/> -<select idref="kernel_module_sctp_disabled" selected="true"/> -<select idref="kernel_module_rds_disabled" selected="true"/> -<select idref="kernel_module_tipc_disabled" selected="true"/> - -<select idref="package_rsyslog_installed" selected="true"/> -<select idref="service_rsyslog_enabled" selected="true"/> -<select idref="rsyslog_send_messages_to_logserver" selected="true"/> -<select idref="ensure_logrotate_activated" selected="true"/> -<select idref="disable_logwatch_for_logserver" selected="true" /> -<select idref="userowner_rsyslog_files" selected="true" /> -<select idref="groupowner_rsyslog_files" selected="true" /> -<select idref="rsyslog_file_permissions" selected="true" /> -<select idref="rsyslog_accept_remote_messages_none" selected="true" /> -<select idref="configure_logwatch_splithosts" selected="true" /> - -<select idref="audit_rules_time_adjtimex" selected="true"/> -<select idref="audit_rules_time_settimeofday" selected="true"/> -<select idref="audit_rules_time_stime" selected="true"/> -<select idref="audit_rules_time_clock_settime" selected="true"/> -<select idref="audit_rules_time_watch_localtime" selected="true"/> -<select idref="audit_account_changes" selected="true"/> -<select idref="audit_network_modifications" selected="true"/> -<select idref="audit_mac_changes" selected="true"/> -<select idref="audit_rules_dac_modification_chmod" selected="true"/> -<select idref="audit_rules_dac_modification_chown" selected="true"/> -<select idref="audit_rules_dac_modification_fchmod" selected="true"/> -<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> -<select idref="audit_rules_dac_modification_fchown" selected="true"/> -<select idref="audit_rules_dac_modification_fchownat" selected="true"/> -<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> -<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> -<select idref="audit_rules_dac_modification_lchown" selected="true"/> -<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> -<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> -<select idref="audit_rules_dac_modification_removexattr" selected="true"/> -<select idref="audit_rules_dac_modification_setxattr" selected="true"/> -<select idref="audit_kernel_module_loading" selected="true"/> -<select idref="audit_config_immutable" selected="true" /> -<select idref="audit_logs_permissions" selected="true"/> -<select idref="audit_logs_rootowner" selected="true" /> -<select idref="audit_manual_logon_edits" selected="true" /> -<select idref="audit_manual_session_edits" selected="true" /> -<select idref="audit_file_access" selected="true"/> -<select idref="audit_privileged_commands" selected="true"/> -<select idref="audit_media_exports" selected="true"/> -<select idref="audit_file_deletions" selected="true"/> - -<select idref="securety_root_login_console_only" selected="true" /> -<select idref="no_direct_root_logins" selected="true" /> - -<select idref="userowner_shadow_file" selected="true"/> -<select idref="groupowner_shadow_file" selected="true"/> -<select idref="file_permissions_etc_shadow" selected="true"/> -<select idref="userowner_gshadow_file" selected="true"/> -<select idref="groupowner_gshadow_file" selected="true"/> -<select idref="perms_gshadow_file" selected="true"/> -<select idref="userowner_passwd_file" selected="true"/> -<select idref="groupowner_passwd_file" selected="true"/> -<select idref="file_permissions_etc_passwd" selected="true"/> -<select idref="userowner_group_file" selected="true" /> -<select idref="groupowner_group_file" selected="true" /> -<select idref="perms_group_file" selected="true" /> -<select idref="file_permissions_library_dirs" selected="true"/> -<select idref="file_ownership_library_dirs" selected="true"/> -<select idref="file_permissions_binary_dirs" selected="true"/> -<select idref="file_ownership_binary_dirs" selected="true"/> -<select idref="gid_passwd_group_same" selected="true"/> -<select idref="homedir_perms_no_groupwrite_worldread" selected="true" /> -<select idref="user_owner_grub_conf" selected="true"/> -<select idref="group_owner_grub_conf" selected="true"/> -<select idref="permissions_grub_conf" selected="true"/> - -<select idref="disable_setuid_coredumps" selected="true" /> -<select idref="service_restorecond_enabled" selected="true" /> - -<select idref="selinux_confinement_of_daemons" selected="true" /> -<select idref="selinux_all_devicefiles_labeled" selected="true"/> -<select idref="set_selinux_state" selected="true"/> -<select idref="set_selinux_policy" selected="true"/> - -<select idref="require_singleuser_auth" selected="true"/> -<select idref="disable_ctrlaltdel_reboot" selected="true"/> -<select idref="bootloader_password" selected="true" /> -<select idref="set_screensaver_inactivity_timeout" selected="true"/> -<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> -<select idref="enable_screensaver_after_idle" selected="true"/> -<select idref="enable_screensaver_password_lock" selected="true"/> -<select idref="set_system_login_banner" selected="true"/> -<select idref="enable_gdm_login_banner" selected="true" /> -<select idref="set_gdm_login_banner_text" selected="true" /> -<refine-value idref="login_banner_text" selector="dod_default"/> -<select idref="disable_user_list" selected="true" /> -<select idref="disable_gnome_thumbnailers" selected="true" /> -<select idref="gconf_gnome_disable_automount" selected="true"/> - -<select idref="network_disable_zeroconf" selected="true" /> -<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/> -<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/> -<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/> -<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> -<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> -<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> -<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> -<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> -<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> -<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> -<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> -<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> -<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> -<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> -<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> - -<select idref="kernel_module_ipv6_option_disabled" selected="true"/> -<select idref="network_ipv6_disable_interfaces" selected="true"/> -<select idref="network_ipv6_disable_rpc" selected="true" /> -<select idref="network_ipv6_static_address" selected="true" /> -<select idref="network_ipv6_privacy_extensions" selected="true" /> -<select idref="network_ipv6_default_gateway" selected="true" /> -<select idref="network_ipv6_limit_requests" selected="true" /> -<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" /> -<select idref="sysctl_ipv6_default_accept_redirects" selected="true" /> - -<select idref="network_sniffer_disabled" selected="true" /> -<select idref="wireless_disable_in_bios" selected="true" /> -<select idref="deactivate_wireless_interfaces" selected="true" /> -<select idref="service_bluetooth_disabled" selected="true" /> -<select idref="kernel_module_bluetooth_disabled" selected="true"/> - -<select idref="service_crond_enabled" selected="true"/> -<select idref="disable_anacron" selected="true" /> - -<select idref="service_abrtd_disabled" selected="true"/> -<select idref="service_acpid_disabled" selected="true" /> -<select idref="service_atd_disabled" selected="true" /> -<select idref="service_autofs_disabled" selected="true"/> -<select idref="service_certmonger_disabled" selected="true" /> -<select idref="service_cgconfig_disabled" selected="true" /> -<select idref="service_cgred_disabled" selected="true" /> -<select idref="service_cpuspeed_disabled" selected="true" /> -<select idref="service_haldaemon_disabled" selected="true" /> -<select idref="service_irqbalance_enabled" selected="true" /> -<select idref="service_kdump_disabled" selected="true" /> -<select idref="service_mdmonitor_disabled" selected="true" /> -<select idref="service_messagebus_disabled" selected="true" /> -<select idref="service_netconsole_disabled" selected="true"/> -<select idref="service_ntpdate_disabled" selected="true"/> -<select idref="service_oddjobd_disabled" selected="true"/> -<select idref="service_portreserve_disabled" selected="true" /> -<select idref="service_qpidd_disabled" selected="true" /> -<select idref="service_rdisc_disabled" selected="true" /> -<select idref="service_rhnsd_disabled" selected="true" /> -<select idref="service_saslauthd_disabled" selected="true" /> -<select idref="service_rhsmcertd_disabled" selected="true" /> -<select idref="service_smartd_disabled" selected="true" /> -<select idref="service_sysstat_disabled" selected="true" /> - -<select idref="disable_xinetd" selected="true"/> -<select idref="uninstall_xinetd" selected="true"/> - -<select idref="uninstall_telnet_server" selected="true"/> -<select idref="disable_telnet_service" selected="true"/> - -<select idref="uninstall_rsh-server" selected="true"/> -<select idref="disable_rsh" selected="true"/> - -<select idref="uninstall_ypserv" selected="true"/> -<select idref="disable_ypbind" selected="true"/> - -<select idref="ssh_server_disabled" selected="true" /> -<select idref="sshd_allow_only_protocol2" selected="true"/> -<select idref="sshd_set_idle_timeout" selected="true"/> -<select idref="sshd_set_keepalive" selected="true"/> -<select idref="sshd_disable_rhosts" selected="true"/> -<select idref="sshd_disable_root_login" selected="true"/> -<select idref="sshd_disable_empty_passwords" selected="true"/> -<select idref="sshd_enable_warning_banner" selected="true"/> -<select idref="sshd_do_not_permit_user_env" selected="true"/> -<select idref="sshd_limit_user_access" selected="true" /> -<select idref="sshd_use_approved_ciphers" selected="true"/> - -<select idref="disable_xwindows_with_runlevel" selected="true"/> -<select idref="packagegroup_xwindows_remove" selected="true"/> - -<select idref="service_cups_disabled" selected="true" /> -<select idref="cups_disable_browsing" selected="true" /> - -<select idref="disable_dhcp_client" selected="true"/> - -<select idref="dhcp_server_disable_ddns" selected="true" /> -<select idref="dhcp_server_deny_decline" selected="true" /> -<select idref="dhcp_server_deny_bootp" selected="true" /> -<select idref="dhcp_server_minimize_served_info" selected="true" /> -<select idref="dhcp_server_configure_logging" selected="true" /> - -<select idref="service_ntpd_enabled" selected="true"/> -<select idref="ntpd_specify_remote_server" selected="true"/> - -<select idref="service_postfix_enabled" selected="true"/> -<select idref="package_sendmail_removed" selected="true"/> - -<select idref="ldap_client_start_tls" selected="true"/> - -<select idref="service_nfslock_disabled" selected="true"/> -<select idref="service_rpcgssd_disabled" selected="true"/> -<select idref="service_rpcidmapd_disabled" selected="true"/> -<select idref="service_netfs_disabled" selected="true"/> -<select idref="nfs_fixed_lockd_tcp_port" selected="true" /> -<select idref="nfs_fixed_lockd_udp_port" selected="true" /> -<select idref="nfs_fixed_statd_port" selected="true" /> -<select idref="nfs_fixed_mountd_port" selected="true" /> -<select idref="service_nfs_disabled" selected="true"/> -<select idref="service_rpcsvcgssd_disabled" selected="true"/> -<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> -<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> -<select idref="use_root_squashing_all_exports" selected="true" /> -<select idref="restrict_nfs_clients_to_privileged_ports" selected="true" /> -<select idref="no_insecure_locks_exports" selected="true" /> -<select idref="nfs_no_anonymous" selected="true"/> - -<select idref="disable_dns_server" selected="true"/> -<select idref="uninstall_bind" selected="true"/> -<select idref="dns_server_disable_dynamic_updates" selected="true" /> - -<select idref="uninstall_tftp-server" selected="true"/> -<select idref="disable_tftp" selected="true"/> -<select idref="disable_vsftpd" selected="true"/> -<select idref="uninstall_vsftpd" selected="true"/> -<select idref="ftp_log_transactions" selected="true" /> -<select idref="ftp_present_banner" selected="true" /> - -<select idref="uninstall_httpd" selected="true" /> -<select idref="httpd_servertokens_prod" selected="true" /> -<select idref="httpd_mod_rewrite" selected="true" /> -<select idref="httpd_server_side_includes" selected="true" /> -<select idref="httpd_webdav" selected="true" /> -<select idref="httpd_server_activity_status" selected="true" /> -<select idref="httpd_server_configuration_display" selected="true" /> -<select idref="httpd_url_correction" selected="true" /> -<select idref="httpd_proxy_support" selected="true" /> -<select idref="httpd_cache_support" selected="true" /> -<select idref="httpd_cgi_support" selected="true" /> -<select idref="httpd_digest_authentication" selected="true" /> -<select idref="httpd_ldap_support" selected="true" /> -<select idref="httpd_mime_magic" selected="true" /> -<select idref="httpd_restrict_root_directory" selected="true" /> -<select idref="httpd_restrict_web_directory" selected="true" /> -<select idref="httpd_restrict_critical_directories" selected="true" /> -<select idref="httpd_limit_available_methods" selected="true" /> -<select idref="httpd_install_mod_ssl" selected="true" /> -<select idref="httpd_install_mod_security" selected="true" /> -<select idref="httpd_conf_dir_permissions" selected="true" /> -<select idref="httpd_conf_files_permissions" selected="true" /> - -<select idref="disable_dovecot" selected="true"/> -<select idref="uninstall_dovecot" selected="true"/> -<select idref="dovecot_enable_ssl" selected="true" /> -<select idref="dovecot_configure_ssl_cert" selected="true" /> -<select idref="dovecot_configure_ssl_key" selected="true" /> - -<select idref="disable_smb_server" selected="true"/> -<select idref="require_smb_client_signing" selected="true"/> -<select idref="require_smb_client_signing_mount.cifs" selected="true"/> -<select idref="smb_server_disable_root" selected="true" /> - -<select idref="disable_squid" selected="true"/> -<select idref="uninstall_squid" selected="true"/> -<select idref="disable_snmpd" selected="true"/> -<select idref="uninstall_net-snmp" selected="true"/> - -<select idref="install_openswan" selected="true" /> -<select idref="no_rsh_trust_files" selected="true"/> -<select idref="tftpd_uses_secure_mode" selected="true" /> - -<select idref="disable_avahi" selected="true"/> -<select idref="avahi_ip_only" selected="true" /> -<select idref="avahi_check_ttl" selected="true" /> -<select idref="avahi_prevent_port_sharing" selected="true" /> -<select idref="avahi_disable_publishing" selected="true" /> - -</Profile> +<Profile id="CS2"> +<title>Example Server Profile</title> +<description>This profile is an example of a customized server profile.</description> + +<select idref="accounts_password_minlen_login_defs" selected="true"/> +<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/> +<select idref="accounts_minimum_age_login_defs" selected="true"/> +<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/> +<select idref="accounts_maximum_age_login_defs" selected="true"/> +<refine-value idref="var_accounts_maximum_age_login_defs" selector="180"/> +<select idref="password_require_digits" selected="true"/> +<select idref="password_require_uppercases" selected="true"/> +<select idref="password_require_specials" selected="true"/> +<select idref="password_require_lowercases" selected="true"/> +<select idref="password_require_diffchars" selected="true"/> +<select idref="accounts_password_reuse_limit" selected="true"/> +<refine-value idref="var_password_history_retain_limit" selector="10"/> +<select idref="accounts_password_warn_age_login_defs" selected="true"/> +<select idref="account_disable_post_pw_expiration" selected="true" /> +<select idref="deny_password_attempts" selected="true" /> +<select idref="accounts_password_pam_cracklib_retry" selected="true"/> +<select idref="max_concurrent_login_sessions" selected="true"/> +<refine-value idref="max_concurrent_login_sessions_value" selector="3"/> + +<select idref="partition_for_tmp" selected="true"/> +<select idref="partition_for_var" selected="true"/> +<select idref="partition_for_var_log" selected="true"/> +<select idref="partition_for_var_log_audit" selected="true"/> +<select idref="partition_for_home" selected="true"/> + +<select idref="ensure_redhat_gpgkey_installed" selected="true"/> +<select idref="ensure_gpgcheck_globally_activated" selected="true"/> +<select idref="ensure_gpgcheck_never_disabled" selected="true"/> +<select idref="rpm_verify_hashes" selected="true"/> +<select idref="rpm_verify_permissions" selected="true"/> + +<select idref="package_aide_installed" selected="true"/> +<select idref="aide_build_database" selected="true"/> + +<select idref="mountopt_nodev_on_removable_partitions" selected="true"/> +<select idref="mountopt_noexec_on_removable_partitions" selected="true"/> +<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/> +<select idref="mount_option_tmp_nodev" selected="true"/> +<select idref="mount_option_tmp_noexec" selected="true"/> +<select idref="mount_option_tmp_nosuid" selected="true"/> +<select idref="mount_option_dev_shm_nodev" selected="true"/> +<select idref="mount_option_dev_shm_noexec" selected="true"/> +<select idref="mount_option_dev_shm_nosuid" selected="true"/> +<select idref="mount_option_var_tmp_bind_var" selected="true"/> + +<select idref="kernel_module_usb-storage_disabled" selected="true"/> +<select idref="bootloader_nousb_argument" selected="true"/> + + +<select idref="kernel_module_cramfs_disabled" selected="true" /> +<select idref="kernel_module_freevxfs_disabled" selected="true" /> +<select idref="kernel_module_jffs2_disabled" selected="true" /> +<select idref="kernel_module_hfs_disabled" selected="true" /> +<select idref="kernel_module_hfsplus_disabled" selected="true" /> +<select idref="kernel_module_squashfs_disabled" selected="true" /> +<select idref="kernel_module_udf_disabled" selected="true" /> + +<select idref="sticky_world_writable_dirs" selected="true" /> +<select idref="world_writeable_files" selected="true" /> +<select idref="no_files_unowned_by_user" selected="true" /> +<select idref="no_files_unowned_by_group" selected="true" /> +<select idref="world_writable_files_system_ownership" selected="true" /> + +<select idref="umask_for_daemons" selected="true" /> +<refine-value idref="var_umask_for_daemons" selector="027"/> + +<select idref="disable_users_coredumps" selected="true"/> +<select idref="enable_randomize_va_space" selected="true"/> +<select idref="enable_execshield" selected="true"/> +<select idref="install_PAE_kernel_on_x86-32" selected="true" /> +<select idref="disable_prelink" selected="true" /> +<select idref="account_unique_name" selected="true"/> +<select idref="no_hashes_outside_shadow" selected="true"/> +<select idref="no_uidzero_except_root" selected="true"/> + +<select idref="set_password_hashing_algorithm_systemauth" selected="true"/> +<select idref="set_password_hashing_algorithm_logindefs" selected="true"/> +<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/> + +<select idref="root_paths" selected="true" /> +<select idref="root_path_no_groupother_writable" selected="true" /> +<select idref="user_umask_bashrc" selected="true" /> +<select idref="user_umask_logindefs" selected="true" /> +<refine-value idref="var_accounts_user_umask" selector="077" /> +<select idref="no_shelllogin_for_systemaccounts" selected="true"/> +<select idref="root_path_default" selected="true" /> +<select idref="no_empty_passwords" selected="true"/> +<select idref="user_umask_cshrc" selected="true" /> +<select idref="user_umask_profile" selected="true" /> + +<select idref="no_netrc_files" selected="true" /> +<select idref="disable_interactive_boot" selected="true"/> +<select idref="package_screen_installed" selected="true"/> + +<select idref="kernel_module_dccp_disabled" selected="true"/> +<select idref="kernel_module_sctp_disabled" selected="true"/> +<select idref="kernel_module_rds_disabled" selected="true"/> +<select idref="kernel_module_tipc_disabled" selected="true"/> + +<select idref="package_rsyslog_installed" selected="true"/> +<select idref="service_rsyslog_enabled" selected="true"/> +<select idref="rsyslog_send_messages_to_logserver" selected="true"/> +<select idref="ensure_logrotate_activated" selected="true"/> +<select idref="disable_logwatch_for_logserver" selected="true" /> +<select idref="userowner_rsyslog_files" selected="true" /> +<select idref="groupowner_rsyslog_files" selected="true" /> +<select idref="rsyslog_file_permissions" selected="true" /> +<select idref="rsyslog_accept_remote_messages_none" selected="true" /> +<select idref="configure_logwatch_splithosts" selected="true" /> + +<select idref="audit_rules_time_adjtimex" selected="true"/> +<select idref="audit_rules_time_settimeofday" selected="true"/> +<select idref="audit_rules_time_stime" selected="true"/> +<select idref="audit_rules_time_clock_settime" selected="true"/> +<select idref="audit_rules_time_watch_localtime" selected="true"/> +<select idref="audit_account_changes" selected="true"/> +<select idref="audit_network_modifications" selected="true"/> +<select idref="audit_mac_changes" selected="true"/> +<select idref="audit_rules_dac_modification_chmod" selected="true"/> +<select idref="audit_rules_dac_modification_chown" selected="true"/> +<select idref="audit_rules_dac_modification_fchmod" selected="true"/> +<select idref="audit_rules_dac_modification_fchmodat" selected="true"/> +<select idref="audit_rules_dac_modification_fchown" selected="true"/> +<select idref="audit_rules_dac_modification_fchownat" selected="true"/> +<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/> +<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/> +<select idref="audit_rules_dac_modification_lchown" selected="true"/> +<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/> +<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/> +<select idref="audit_rules_dac_modification_removexattr" selected="true"/> +<select idref="audit_rules_dac_modification_setxattr" selected="true"/> +<select idref="audit_kernel_module_loading" selected="true"/> +<select idref="audit_config_immutable" selected="true" /> +<select idref="audit_logs_permissions" selected="true"/> +<select idref="audit_logs_rootowner" selected="true" /> +<select idref="audit_manual_logon_edits" selected="true" /> +<select idref="audit_manual_session_edits" selected="true" /> +<select idref="audit_file_access" selected="true"/> +<select idref="audit_privileged_commands" selected="true"/> +<select idref="audit_media_exports" selected="true"/> +<select idref="audit_file_deletions" selected="true"/> + +<select idref="securety_root_login_console_only" selected="true" /> +<select idref="no_direct_root_logins" selected="true" /> + +<select idref="userowner_shadow_file" selected="true"/> +<select idref="groupowner_shadow_file" selected="true"/> +<select idref="file_permissions_etc_shadow" selected="true"/> +<select idref="userowner_gshadow_file" selected="true"/> +<select idref="groupowner_gshadow_file" selected="true"/> +<select idref="perms_gshadow_file" selected="true"/> +<select idref="userowner_passwd_file" selected="true"/> +<select idref="groupowner_passwd_file" selected="true"/> +<select idref="file_permissions_etc_passwd" selected="true"/> +<select idref="userowner_group_file" selected="true" /> +<select idref="groupowner_group_file" selected="true" /> +<select idref="perms_group_file" selected="true" /> +<select idref="file_permissions_library_dirs" selected="true"/> +<select idref="file_ownership_library_dirs" selected="true"/> +<select idref="file_permissions_binary_dirs" selected="true"/> +<select idref="file_ownership_binary_dirs" selected="true"/> +<select idref="gid_passwd_group_same" selected="true"/> +<select idref="homedir_perms_no_groupwrite_worldread" selected="true" /> +<select idref="user_owner_grub_conf" selected="true"/> +<select idref="group_owner_grub_conf" selected="true"/> +<select idref="permissions_grub_conf" selected="true"/> + +<select idref="disable_setuid_coredumps" selected="true" /> +<select idref="service_restorecond_enabled" selected="true" /> + +<select idref="selinux_confinement_of_daemons" selected="true" /> +<select idref="selinux_all_devicefiles_labeled" selected="true"/> +<select idref="set_selinux_state" selected="true"/> +<select idref="set_selinux_policy" selected="true"/> + +<select idref="require_singleuser_auth" selected="true"/> +<select idref="disable_ctrlaltdel_reboot" selected="true"/> +<select idref="bootloader_password" selected="true" /> +<select idref="set_screensaver_inactivity_timeout" selected="true"/> +<refine-value idref="inactivity_timeout_value" selector="15_minutes"/> +<select idref="enable_screensaver_after_idle" selected="true"/> +<select idref="enable_screensaver_password_lock" selected="true"/> +<select idref="set_system_login_banner" selected="true"/> +<select idref="enable_gdm_login_banner" selected="true" /> +<select idref="set_gdm_login_banner_text" selected="true" /> +<refine-value idref="login_banner_text" selector="dod_default"/> +<select idref="disable_user_list" selected="true" /> +<select idref="disable_gnome_thumbnailers" selected="true" /> +<select idref="gconf_gnome_disable_automount" selected="true"/> + +<select idref="network_disable_zeroconf" selected="true" /> +<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/> +<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/> +<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/> +<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> +<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> +<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> +<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/> +<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> +<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> +<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> +<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> +<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> +<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/> +<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> +<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> + +<select idref="kernel_module_ipv6_option_disabled" selected="true"/> +<select idref="network_ipv6_disable_interfaces" selected="true"/> +<select idref="network_ipv6_disable_rpc" selected="true" /> +<select idref="network_ipv6_static_address" selected="true" /> +<select idref="network_ipv6_privacy_extensions" selected="true" /> +<select idref="network_ipv6_default_gateway" selected="true" /> +<select idref="network_ipv6_limit_requests" selected="true" /> +<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" /> +<select idref="sysctl_ipv6_default_accept_redirects" selected="true" /> + +<select idref="network_sniffer_disabled" selected="true" /> +<select idref="wireless_disable_in_bios" selected="true" /> +<select idref="deactivate_wireless_interfaces" selected="true" /> +<select idref="service_bluetooth_disabled" selected="true" /> +<select idref="kernel_module_bluetooth_disabled" selected="true"/> + +<select idref="service_crond_enabled" selected="true"/> +<select idref="disable_anacron" selected="true" /> + +<select idref="service_abrtd_disabled" selected="true"/> +<select idref="service_acpid_disabled" selected="true" /> +<select idref="service_atd_disabled" selected="true" /> +<select idref="service_autofs_disabled" selected="true"/> +<select idref="service_certmonger_disabled" selected="true" /> +<select idref="service_cgconfig_disabled" selected="true" /> +<select idref="service_cgred_disabled" selected="true" /> +<select idref="service_cpuspeed_disabled" selected="true" /> +<select idref="service_haldaemon_disabled" selected="true" /> +<select idref="service_irqbalance_enabled" selected="true" /> +<select idref="service_kdump_disabled" selected="true" /> +<select idref="service_mdmonitor_disabled" selected="true" /> +<select idref="service_messagebus_disabled" selected="true" /> +<select idref="service_netconsole_disabled" selected="true"/> +<select idref="service_ntpdate_disabled" selected="true"/> +<select idref="service_oddjobd_disabled" selected="true"/> +<select idref="service_portreserve_disabled" selected="true" /> +<select idref="service_qpidd_disabled" selected="true" /> +<select idref="service_rdisc_disabled" selected="true" /> +<select idref="service_rhnsd_disabled" selected="true" /> +<select idref="service_saslauthd_disabled" selected="true" /> +<select idref="service_rhsmcertd_disabled" selected="true" /> +<select idref="service_smartd_disabled" selected="true" /> +<select idref="service_sysstat_disabled" selected="true" /> + +<select idref="disable_xinetd" selected="true"/> +<select idref="uninstall_xinetd" selected="true"/> + +<select idref="uninstall_telnet_server" selected="true"/> +<select idref="disable_telnet_service" selected="true"/> + +<select idref="uninstall_rsh-server" selected="true"/> +<select idref="disable_rsh" selected="true"/> + +<select idref="uninstall_ypserv" selected="true"/> +<select idref="disable_ypbind" selected="true"/> + +<select idref="ssh_server_disabled" selected="true" /> +<select idref="sshd_allow_only_protocol2" selected="true"/> +<select idref="sshd_set_idle_timeout" selected="true"/> +<select idref="sshd_set_keepalive" selected="true"/> +<select idref="sshd_disable_rhosts" selected="true"/> +<select idref="sshd_disable_root_login" selected="true"/> +<select idref="sshd_disable_empty_passwords" selected="true"/> +<select idref="sshd_enable_warning_banner" selected="true"/> +<select idref="sshd_do_not_permit_user_env" selected="true"/> +<select idref="sshd_limit_user_access" selected="true" /> +<select idref="sshd_use_approved_ciphers" selected="true"/> + +<select idref="disable_xwindows_with_runlevel" selected="true"/> +<select idref="packagegroup_xwindows_remove" selected="true"/> + +<select idref="service_cups_disabled" selected="true" /> +<select idref="cups_disable_browsing" selected="true" /> + +<select idref="disable_dhcp_client" selected="true"/> + +<select idref="dhcp_server_disable_ddns" selected="true" /> +<select idref="dhcp_server_deny_decline" selected="true" /> +<select idref="dhcp_server_deny_bootp" selected="true" /> +<select idref="dhcp_server_minimize_served_info" selected="true" /> +<select idref="dhcp_server_configure_logging" selected="true" /> + +<select idref="service_ntpd_enabled" selected="true"/> +<select idref="ntpd_specify_remote_server" selected="true"/> + +<select idref="service_postfix_enabled" selected="true"/> +<select idref="package_sendmail_removed" selected="true"/> + +<select idref="ldap_client_start_tls" selected="true"/> + +<select idref="service_nfslock_disabled" selected="true"/> +<select idref="service_rpcgssd_disabled" selected="true"/> +<select idref="service_rpcidmapd_disabled" selected="true"/> +<select idref="service_netfs_disabled" selected="true"/> +<select idref="nfs_fixed_lockd_tcp_port" selected="true" /> +<select idref="nfs_fixed_lockd_udp_port" selected="true" /> +<select idref="nfs_fixed_statd_port" selected="true" /> +<select idref="nfs_fixed_mountd_port" selected="true" /> +<select idref="service_nfs_disabled" selected="true"/> +<select idref="service_rpcsvcgssd_disabled" selected="true"/> +<select idref="use_nodev_option_on_nfs_mounts" selected="true"/> +<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/> +<select idref="use_root_squashing_all_exports" selected="true" /> +<select idref="restrict_nfs_clients_to_privileged_ports" selected="true" /> +<select idref="no_insecure_locks_exports" selected="true" /> +<select idref="nfs_no_anonymous" selected="true"/> + +<select idref="disable_dns_server" selected="true"/> +<select idref="uninstall_bind" selected="true"/> +<select idref="dns_server_disable_dynamic_updates" selected="true" /> + +<select idref="uninstall_tftp-server" selected="true"/> +<select idref="disable_tftp" selected="true"/> +<select idref="disable_vsftpd" selected="true"/> +<select idref="uninstall_vsftpd" selected="true"/> +<select idref="ftp_log_transactions" selected="true" /> +<select idref="ftp_present_banner" selected="true" /> + +<select idref="uninstall_httpd" selected="true" /> +<select idref="httpd_servertokens_prod" selected="true" /> +<select idref="httpd_mod_rewrite" selected="true" /> +<select idref="httpd_server_side_includes" selected="true" /> +<select idref="httpd_webdav" selected="true" /> +<select idref="httpd_server_activity_status" selected="true" /> +<select idref="httpd_server_configuration_display" selected="true" /> +<select idref="httpd_url_correction" selected="true" /> +<select idref="httpd_proxy_support" selected="true" /> +<select idref="httpd_cache_support" selected="true" /> +<select idref="httpd_cgi_support" selected="true" /> +<select idref="httpd_digest_authentication" selected="true" /> +<select idref="httpd_ldap_support" selected="true" /> +<select idref="httpd_mime_magic" selected="true" /> +<select idref="httpd_restrict_root_directory" selected="true" /> +<select idref="httpd_restrict_web_directory" selected="true" /> +<select idref="httpd_restrict_critical_directories" selected="true" /> +<select idref="httpd_limit_available_methods" selected="true" /> +<select idref="httpd_install_mod_ssl" selected="true" /> +<select idref="httpd_install_mod_security" selected="true" /> +<select idref="httpd_conf_dir_permissions" selected="true" /> +<select idref="httpd_conf_files_permissions" selected="true" /> + +<select idref="disable_dovecot" selected="true"/> +<select idref="uninstall_dovecot" selected="true"/> +<select idref="dovecot_enable_ssl" selected="true" /> +<select idref="dovecot_configure_ssl_cert" selected="true" /> +<select idref="dovecot_configure_ssl_key" selected="true" /> + +<select idref="disable_smb_server" selected="true"/> +<select idref="require_smb_client_signing" selected="true"/> +<select idref="require_smb_client_signing_mount.cifs" selected="true"/> +<select idref="smb_server_disable_root" selected="true" /> + +<select idref="disable_squid" selected="true"/> +<select idref="uninstall_squid" selected="true"/> +<select idref="disable_snmpd" selected="true"/> +<select idref="uninstall_net-snmp" selected="true"/> + +<select idref="install_openswan" selected="true" /> +<select idref="no_rsh_trust_files" selected="true"/> +<select idref="tftpd_uses_secure_mode" selected="true" /> + +<select idref="disable_avahi" selected="true"/> +<select idref="avahi_ip_only" selected="true" /> +<select idref="avahi_check_ttl" selected="true" /> +<select idref="avahi_prevent_port_sharing" selected="true" /> +<select idref="avahi_disable_publishing" selected="true" /> + +</Profile> -- 1.7.1

10 years, 5 months

2
3
0 / 0

[PATCH] Remediation for Password Reuse

by Frank Caviggia

All, Here is a remediation fix for account password reuse in SSG. Updated to use the '/etc/pam.d/system-auth' file. Regards, Frank Caviggia -- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com

10 years, 5 months

1
0
0 / 0

[PATCH] accounts_password_reuse_limit.sh remediation

by Frank Caviggia

All, Here is a remediation fix for account password reuse in SSG. Regards, Frank Caviggia -- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com

10 years, 5 months

1
1
0 / 0

[PATCH] Remediation for Password Reuse

by Frank Caviggia

All, Here is a remediation fix for account password reuse in SSG. Regards, Frank Caviggia -- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com

10 years, 5 months

1
0
0 / 0

Introducing JBoss Fuse 6 SCAP Content

by Shawn Wells

Members of Red Hat's consulting organization have been silently working on SCAP content for JBoss Fuse 6, which combines Apache Camel, Apache CXF, Apache ActiveMQ, Apache Karaf and Fuse Fabric in a single integrated distribution. Core messaging is provided by Apache ActiveMQ, services framework (SOAP, XML/HTTP, RESTful HTTP) is provided by Apache CXF and integration framework is provided by Apache Camel. Apache Karaf provides a lightweight OSGI-based runtime container. The JBoss Fuse 6 SCAP content provides guidance for RHEL6-based deployments. At this time only XCCDF is provided, primarily tested against the XCCDFExec interpreter. The content will slowly be converted to 'SSG style' XCCDF/OVAL chunks to ease multi-author editing, and relevant metadata tags against DISA SRG's will be added to form a JBoss Fuse 6 STIG submission. The Fuse content has not yet been incorporated into the RPM build system. The initial patch has been committed to the repo [1] and will show up once developers rebase / git pull. Congrats to Bryan Saunders, Jason Wong and Kenny Peeples for this initial code! [1] https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=0a8b...

10 years, 5 months

1
0
0 / 0

[PATCH] Created a check to ensure prelinking has been disabled and added the oval id to the disable_prelink rule inside the integrity.xml file.

by Caleb Cooper

Signed-off-by: Caleb Cooper <coopercd(a)ornl.gov> --- RHEL6/input/checks/disable_prelink.xml | 24 ++++++++++++++++++++++++ RHEL6/input/system/software/integrity.xml | 1 + 2 files changed, 25 insertions(+), 0 deletions(-) create mode 100644 RHEL6/input/checks/disable_prelink.xml diff --git a/RHEL6/input/checks/disable_prelink.xml b/RHEL6/input/checks/disable_prelink.xml new file mode 100644 index 0000000..5bebdc0 --- /dev/null +++ b/RHEL6/input/checks/disable_prelink.xml @@ -0,0 +1,24 @@ +<def-group> + <definition class="compliance" id="disable_prelink" version="1"> + <metadata> + <title>Disable Prelinking</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>The prelinking feature can interfere with the operation of AIDE, because it changes binaries. </description> + </metadata> + <criteria> + <criterion comment="Ensure prelinking is diabled" test_ref="test_prelinking_no" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" check_existence="all_exist" + comment="Tests whether prelinking is disabled" + id="test_prelinking_no" version="1"> + <ind:object object_ref="obj_prelinking_no" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_prelinking_no" version="1"> + <ind:filepath>/etc/sysconfig/prelink</ind:filepath> + <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml index b180f3a..4807009 100644 --- a/RHEL6/input/system/software/integrity.xml +++ b/RHEL6/input/system/software/integrity.xml @@ -60,6 +60,7 @@ The prelinking feature can interfere with the operation of AIDE, because it changes binaries. </rationale> <ident cce="27221-1" /> +<oval id="disable_prelink" /> <ref nist="CM-6(d),CM-6(3),SC-28, SI-7" /> </Rule> -- 1.7.1

10 years, 5 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

scap-security-guide November 2013