[PATCH] Fixed a typo in the CS2 profile
by Caleb Cooper
Signed-off-by: Caleb Cooper <coopercd(a)ornl.gov>
---
RHEL6/input/profiles/CS2.xml | 760 +++++++++++++++++++++---------------------
1 files changed, 380 insertions(+), 380 deletions(-)
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 35b88b5..c6df577 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -1,380 +1,380 @@
-<Profile id="CS2">
-<title>Example Server Profile</title>
-<description>This profile is an example of a customized server profile.</description>
-
-<select idref="accounts_password_minlen_login_defs" selected="true"/>
-<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/>
-<select idref="accounts_minimum_age_login_defs" selected="true"/>
-<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>
-<select idref="acounts_maximum_age_login_defs" selected="true"/>
-<refine-value idref="var_acounts_maximum_age_login_defs" selector="180"/>
-<select idref="password_require_digits" selected="true"/>
-<select idref="password_require_uppercases" selected="true"/>
-<select idref="password_require_specials" selected="true"/>
-<select idref="password_require_lowercases" selected="true"/>
-<select idref="password_require_diffchars" selected="true"/>
-<select idref="accounts_password_reuse_limit" selected="true"/>
-<refine-value idref="var_password_history_retain_limit" selector="10"/>
-<select idref="accounts_password_warn_age_login_defs" selected="true"/>
-<select idref="account_disable_post_pw_expiration" selected="true" />
-<select idref="deny_password_attempts" selected="true" />
-<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
-<select idref="max_concurrent_login_sessions" selected="true"/>
-<refine-value idref="max_concurrent_login_sessions_value" selector="3"/>
-
-<select idref="partition_for_tmp" selected="true"/>
-<select idref="partition_for_var" selected="true"/>
-<select idref="partition_for_var_log" selected="true"/>
-<select idref="partition_for_var_log_audit" selected="true"/>
-<select idref="partition_for_home" selected="true"/>
-
-<select idref="ensure_redhat_gpgkey_installed" selected="true"/>
-<select idref="ensure_gpgcheck_globally_activated" selected="true"/>
-<select idref="ensure_gpgcheck_never_disabled" selected="true"/>
-<select idref="rpm_verify_hashes" selected="true"/>
-<select idref="rpm_verify_permissions" selected="true"/>
-
-<select idref="package_aide_installed" selected="true"/>
-<select idref="aide_build_database" selected="true"/>
-
-<select idref="mountopt_nodev_on_removable_partitions" selected="true"/>
-<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
-<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/>
-<select idref="mount_option_tmp_nodev" selected="true"/>
-<select idref="mount_option_tmp_noexec" selected="true"/>
-<select idref="mount_option_tmp_nosuid" selected="true"/>
-<select idref="mount_option_dev_shm_nodev" selected="true"/>
-<select idref="mount_option_dev_shm_noexec" selected="true"/>
-<select idref="mount_option_dev_shm_nosuid" selected="true"/>
-<select idref="mount_option_var_tmp_bind_var" selected="true"/>
-
-<select idref="kernel_module_usb-storage_disabled" selected="true"/>
-<select idref="bootloader_nousb_argument" selected="true"/>
-
-
-<select idref="kernel_module_cramfs_disabled" selected="true" />
-<select idref="kernel_module_freevxfs_disabled" selected="true" />
-<select idref="kernel_module_jffs2_disabled" selected="true" />
-<select idref="kernel_module_hfs_disabled" selected="true" />
-<select idref="kernel_module_hfsplus_disabled" selected="true" />
-<select idref="kernel_module_squashfs_disabled" selected="true" />
-<select idref="kernel_module_udf_disabled" selected="true" />
-
-<select idref="sticky_world_writable_dirs" selected="true" />
-<select idref="world_writeable_files" selected="true" />
-<select idref="no_files_unowned_by_user" selected="true" />
-<select idref="no_files_unowned_by_group" selected="true" />
-<select idref="world_writable_files_system_ownership" selected="true" />
-
-<select idref="umask_for_daemons" selected="true" />
-<refine-value idref="var_umask_for_daemons" selector="027"/>
-
-<select idref="disable_users_coredumps" selected="true"/>
-<select idref="enable_randomize_va_space" selected="true"/>
-<select idref="enable_execshield" selected="true"/>
-<select idref="install_PAE_kernel_on_x86-32" selected="true" />
-<select idref="disable_prelink" selected="true" />
-<select idref="account_unique_name" selected="true"/>
-<select idref="no_hashes_outside_shadow" selected="true"/>
-<select idref="no_uidzero_except_root" selected="true"/>
-
-<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
-<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
-<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
-
-<select idref="root_paths" selected="true" />
-<select idref="root_path_no_groupother_writable" selected="true" />
-<select idref="user_umask_bashrc" selected="true" />
-<select idref="user_umask_logindefs" selected="true" />
-<refine-value idref="var_accounts_user_umask" selector="077" />
-<select idref="no_shelllogin_for_systemaccounts" selected="true"/>
-<select idref="root_path_default" selected="true" />
-<select idref="no_empty_passwords" selected="true"/>
-<select idref="user_umask_cshrc" selected="true" />
-<select idref="user_umask_profile" selected="true" />
-
-<select idref="no_netrc_files" selected="true" />
-<select idref="disable_interactive_boot" selected="true"/>
-<select idref="package_screen_installed" selected="true"/>
-
-<select idref="kernel_module_dccp_disabled" selected="true"/>
-<select idref="kernel_module_sctp_disabled" selected="true"/>
-<select idref="kernel_module_rds_disabled" selected="true"/>
-<select idref="kernel_module_tipc_disabled" selected="true"/>
-
-<select idref="package_rsyslog_installed" selected="true"/>
-<select idref="service_rsyslog_enabled" selected="true"/>
-<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
-<select idref="ensure_logrotate_activated" selected="true"/>
-<select idref="disable_logwatch_for_logserver" selected="true" />
-<select idref="userowner_rsyslog_files" selected="true" />
-<select idref="groupowner_rsyslog_files" selected="true" />
-<select idref="rsyslog_file_permissions" selected="true" />
-<select idref="rsyslog_accept_remote_messages_none" selected="true" />
-<select idref="configure_logwatch_splithosts" selected="true" />
-
-<select idref="audit_rules_time_adjtimex" selected="true"/>
-<select idref="audit_rules_time_settimeofday" selected="true"/>
-<select idref="audit_rules_time_stime" selected="true"/>
-<select idref="audit_rules_time_clock_settime" selected="true"/>
-<select idref="audit_rules_time_watch_localtime" selected="true"/>
-<select idref="audit_account_changes" selected="true"/>
-<select idref="audit_network_modifications" selected="true"/>
-<select idref="audit_mac_changes" selected="true"/>
-<select idref="audit_rules_dac_modification_chmod" selected="true"/>
-<select idref="audit_rules_dac_modification_chown" selected="true"/>
-<select idref="audit_rules_dac_modification_fchmod" selected="true"/>
-<select idref="audit_rules_dac_modification_fchmodat" selected="true"/>
-<select idref="audit_rules_dac_modification_fchown" selected="true"/>
-<select idref="audit_rules_dac_modification_fchownat" selected="true"/>
-<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/>
-<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/>
-<select idref="audit_rules_dac_modification_lchown" selected="true"/>
-<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/>
-<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/>
-<select idref="audit_rules_dac_modification_removexattr" selected="true"/>
-<select idref="audit_rules_dac_modification_setxattr" selected="true"/>
-<select idref="audit_kernel_module_loading" selected="true"/>
-<select idref="audit_config_immutable" selected="true" />
-<select idref="audit_logs_permissions" selected="true"/>
-<select idref="audit_logs_rootowner" selected="true" />
-<select idref="audit_manual_logon_edits" selected="true" />
-<select idref="audit_manual_session_edits" selected="true" />
-<select idref="audit_file_access" selected="true"/>
-<select idref="audit_privileged_commands" selected="true"/>
-<select idref="audit_media_exports" selected="true"/>
-<select idref="audit_file_deletions" selected="true"/>
-
-<select idref="securety_root_login_console_only" selected="true" />
-<select idref="no_direct_root_logins" selected="true" />
-
-<select idref="userowner_shadow_file" selected="true"/>
-<select idref="groupowner_shadow_file" selected="true"/>
-<select idref="file_permissions_etc_shadow" selected="true"/>
-<select idref="userowner_gshadow_file" selected="true"/>
-<select idref="groupowner_gshadow_file" selected="true"/>
-<select idref="perms_gshadow_file" selected="true"/>
-<select idref="userowner_passwd_file" selected="true"/>
-<select idref="groupowner_passwd_file" selected="true"/>
-<select idref="file_permissions_etc_passwd" selected="true"/>
-<select idref="userowner_group_file" selected="true" />
-<select idref="groupowner_group_file" selected="true" />
-<select idref="perms_group_file" selected="true" />
-<select idref="file_permissions_library_dirs" selected="true"/>
-<select idref="file_ownership_library_dirs" selected="true"/>
-<select idref="file_permissions_binary_dirs" selected="true"/>
-<select idref="file_ownership_binary_dirs" selected="true"/>
-<select idref="gid_passwd_group_same" selected="true"/>
-<select idref="homedir_perms_no_groupwrite_worldread" selected="true" />
-<select idref="user_owner_grub_conf" selected="true"/>
-<select idref="group_owner_grub_conf" selected="true"/>
-<select idref="permissions_grub_conf" selected="true"/>
-
-<select idref="disable_setuid_coredumps" selected="true" />
-<select idref="service_restorecond_enabled" selected="true" />
-
-<select idref="selinux_confinement_of_daemons" selected="true" />
-<select idref="selinux_all_devicefiles_labeled" selected="true"/>
-<select idref="set_selinux_state" selected="true"/>
-<select idref="set_selinux_policy" selected="true"/>
-
-<select idref="require_singleuser_auth" selected="true"/>
-<select idref="disable_ctrlaltdel_reboot" selected="true"/>
-<select idref="bootloader_password" selected="true" />
-<select idref="set_screensaver_inactivity_timeout" selected="true"/>
-<refine-value idref="inactivity_timeout_value" selector="15_minutes"/>
-<select idref="enable_screensaver_after_idle" selected="true"/>
-<select idref="enable_screensaver_password_lock" selected="true"/>
-<select idref="set_system_login_banner" selected="true"/>
-<select idref="enable_gdm_login_banner" selected="true" />
-<select idref="set_gdm_login_banner_text" selected="true" />
-<refine-value idref="login_banner_text" selector="dod_default"/>
-<select idref="disable_user_list" selected="true" />
-<select idref="disable_gnome_thumbnailers" selected="true" />
-<select idref="gconf_gnome_disable_automount" selected="true"/>
-
-<select idref="network_disable_zeroconf" selected="true" />
-<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/>
-<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
-<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-
-<select idref="kernel_module_ipv6_option_disabled" selected="true"/>
-<select idref="network_ipv6_disable_interfaces" selected="true"/>
-<select idref="network_ipv6_disable_rpc" selected="true" />
-<select idref="network_ipv6_static_address" selected="true" />
-<select idref="network_ipv6_privacy_extensions" selected="true" />
-<select idref="network_ipv6_default_gateway" selected="true" />
-<select idref="network_ipv6_limit_requests" selected="true" />
-<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" />
-<select idref="sysctl_ipv6_default_accept_redirects" selected="true" />
-
-<select idref="network_sniffer_disabled" selected="true" />
-<select idref="wireless_disable_in_bios" selected="true" />
-<select idref="deactivate_wireless_interfaces" selected="true" />
-<select idref="service_bluetooth_disabled" selected="true" />
-<select idref="kernel_module_bluetooth_disabled" selected="true"/>
-
-<select idref="service_crond_enabled" selected="true"/>
-<select idref="disable_anacron" selected="true" />
-
-<select idref="service_abrtd_disabled" selected="true"/>
-<select idref="service_acpid_disabled" selected="true" />
-<select idref="service_atd_disabled" selected="true" />
-<select idref="service_autofs_disabled" selected="true"/>
-<select idref="service_certmonger_disabled" selected="true" />
-<select idref="service_cgconfig_disabled" selected="true" />
-<select idref="service_cgred_disabled" selected="true" />
-<select idref="service_cpuspeed_disabled" selected="true" />
-<select idref="service_haldaemon_disabled" selected="true" />
-<select idref="service_irqbalance_enabled" selected="true" />
-<select idref="service_kdump_disabled" selected="true" />
-<select idref="service_mdmonitor_disabled" selected="true" />
-<select idref="service_messagebus_disabled" selected="true" />
-<select idref="service_netconsole_disabled" selected="true"/>
-<select idref="service_ntpdate_disabled" selected="true"/>
-<select idref="service_oddjobd_disabled" selected="true"/>
-<select idref="service_portreserve_disabled" selected="true" />
-<select idref="service_qpidd_disabled" selected="true" />
-<select idref="service_rdisc_disabled" selected="true" />
-<select idref="service_rhnsd_disabled" selected="true" />
-<select idref="service_saslauthd_disabled" selected="true" />
-<select idref="service_rhsmcertd_disabled" selected="true" />
-<select idref="service_smartd_disabled" selected="true" />
-<select idref="service_sysstat_disabled" selected="true" />
-
-<select idref="disable_xinetd" selected="true"/>
-<select idref="uninstall_xinetd" selected="true"/>
-
-<select idref="uninstall_telnet_server" selected="true"/>
-<select idref="disable_telnet_service" selected="true"/>
-
-<select idref="uninstall_rsh-server" selected="true"/>
-<select idref="disable_rsh" selected="true"/>
-
-<select idref="uninstall_ypserv" selected="true"/>
-<select idref="disable_ypbind" selected="true"/>
-
-<select idref="ssh_server_disabled" selected="true" />
-<select idref="sshd_allow_only_protocol2" selected="true"/>
-<select idref="sshd_set_idle_timeout" selected="true"/>
-<select idref="sshd_set_keepalive" selected="true"/>
-<select idref="sshd_disable_rhosts" selected="true"/>
-<select idref="sshd_disable_root_login" selected="true"/>
-<select idref="sshd_disable_empty_passwords" selected="true"/>
-<select idref="sshd_enable_warning_banner" selected="true"/>
-<select idref="sshd_do_not_permit_user_env" selected="true"/>
-<select idref="sshd_limit_user_access" selected="true" />
-<select idref="sshd_use_approved_ciphers" selected="true"/>
-
-<select idref="disable_xwindows_with_runlevel" selected="true"/>
-<select idref="packagegroup_xwindows_remove" selected="true"/>
-
-<select idref="service_cups_disabled" selected="true" />
-<select idref="cups_disable_browsing" selected="true" />
-
-<select idref="disable_dhcp_client" selected="true"/>
-
-<select idref="dhcp_server_disable_ddns" selected="true" />
-<select idref="dhcp_server_deny_decline" selected="true" />
-<select idref="dhcp_server_deny_bootp" selected="true" />
-<select idref="dhcp_server_minimize_served_info" selected="true" />
-<select idref="dhcp_server_configure_logging" selected="true" />
-
-<select idref="service_ntpd_enabled" selected="true"/>
-<select idref="ntpd_specify_remote_server" selected="true"/>
-
-<select idref="service_postfix_enabled" selected="true"/>
-<select idref="package_sendmail_removed" selected="true"/>
-
-<select idref="ldap_client_start_tls" selected="true"/>
-
-<select idref="service_nfslock_disabled" selected="true"/>
-<select idref="service_rpcgssd_disabled" selected="true"/>
-<select idref="service_rpcidmapd_disabled" selected="true"/>
-<select idref="service_netfs_disabled" selected="true"/>
-<select idref="nfs_fixed_lockd_tcp_port" selected="true" />
-<select idref="nfs_fixed_lockd_udp_port" selected="true" />
-<select idref="nfs_fixed_statd_port" selected="true" />
-<select idref="nfs_fixed_mountd_port" selected="true" />
-<select idref="service_nfs_disabled" selected="true"/>
-<select idref="service_rpcsvcgssd_disabled" selected="true"/>
-<select idref="use_nodev_option_on_nfs_mounts" selected="true"/>
-<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/>
-<select idref="use_root_squashing_all_exports" selected="true" />
-<select idref="restrict_nfs_clients_to_privileged_ports" selected="true" />
-<select idref="no_insecure_locks_exports" selected="true" />
-<select idref="nfs_no_anonymous" selected="true"/>
-
-<select idref="disable_dns_server" selected="true"/>
-<select idref="uninstall_bind" selected="true"/>
-<select idref="dns_server_disable_dynamic_updates" selected="true" />
-
-<select idref="uninstall_tftp-server" selected="true"/>
-<select idref="disable_tftp" selected="true"/>
-<select idref="disable_vsftpd" selected="true"/>
-<select idref="uninstall_vsftpd" selected="true"/>
-<select idref="ftp_log_transactions" selected="true" />
-<select idref="ftp_present_banner" selected="true" />
-
-<select idref="uninstall_httpd" selected="true" />
-<select idref="httpd_servertokens_prod" selected="true" />
-<select idref="httpd_mod_rewrite" selected="true" />
-<select idref="httpd_server_side_includes" selected="true" />
-<select idref="httpd_webdav" selected="true" />
-<select idref="httpd_server_activity_status" selected="true" />
-<select idref="httpd_server_configuration_display" selected="true" />
-<select idref="httpd_url_correction" selected="true" />
-<select idref="httpd_proxy_support" selected="true" />
-<select idref="httpd_cache_support" selected="true" />
-<select idref="httpd_cgi_support" selected="true" />
-<select idref="httpd_digest_authentication" selected="true" />
-<select idref="httpd_ldap_support" selected="true" />
-<select idref="httpd_mime_magic" selected="true" />
-<select idref="httpd_restrict_root_directory" selected="true" />
-<select idref="httpd_restrict_web_directory" selected="true" />
-<select idref="httpd_restrict_critical_directories" selected="true" />
-<select idref="httpd_limit_available_methods" selected="true" />
-<select idref="httpd_install_mod_ssl" selected="true" />
-<select idref="httpd_install_mod_security" selected="true" />
-<select idref="httpd_conf_dir_permissions" selected="true" />
-<select idref="httpd_conf_files_permissions" selected="true" />
-
-<select idref="disable_dovecot" selected="true"/>
-<select idref="uninstall_dovecot" selected="true"/>
-<select idref="dovecot_enable_ssl" selected="true" />
-<select idref="dovecot_configure_ssl_cert" selected="true" />
-<select idref="dovecot_configure_ssl_key" selected="true" />
-
-<select idref="disable_smb_server" selected="true"/>
-<select idref="require_smb_client_signing" selected="true"/>
-<select idref="require_smb_client_signing_mount.cifs" selected="true"/>
-<select idref="smb_server_disable_root" selected="true" />
-
-<select idref="disable_squid" selected="true"/>
-<select idref="uninstall_squid" selected="true"/>
-<select idref="disable_snmpd" selected="true"/>
-<select idref="uninstall_net-snmp" selected="true"/>
-
-<select idref="install_openswan" selected="true" />
-<select idref="no_rsh_trust_files" selected="true"/>
-<select idref="tftpd_uses_secure_mode" selected="true" />
-
-<select idref="disable_avahi" selected="true"/>
-<select idref="avahi_ip_only" selected="true" />
-<select idref="avahi_check_ttl" selected="true" />
-<select idref="avahi_prevent_port_sharing" selected="true" />
-<select idref="avahi_disable_publishing" selected="true" />
-
-</Profile>
+<Profile id="CS2">
+<title>Example Server Profile</title>
+<description>This profile is an example of a customized server profile.</description>
+
+<select idref="accounts_password_minlen_login_defs" selected="true"/>
+<refine-value idref="var_accounts_password_minlen_login_defs" selector="14"/>
+<select idref="accounts_minimum_age_login_defs" selected="true"/>
+<refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>
+<select idref="accounts_maximum_age_login_defs" selected="true"/>
+<refine-value idref="var_accounts_maximum_age_login_defs" selector="180"/>
+<select idref="password_require_digits" selected="true"/>
+<select idref="password_require_uppercases" selected="true"/>
+<select idref="password_require_specials" selected="true"/>
+<select idref="password_require_lowercases" selected="true"/>
+<select idref="password_require_diffchars" selected="true"/>
+<select idref="accounts_password_reuse_limit" selected="true"/>
+<refine-value idref="var_password_history_retain_limit" selector="10"/>
+<select idref="accounts_password_warn_age_login_defs" selected="true"/>
+<select idref="account_disable_post_pw_expiration" selected="true" />
+<select idref="deny_password_attempts" selected="true" />
+<select idref="accounts_password_pam_cracklib_retry" selected="true"/>
+<select idref="max_concurrent_login_sessions" selected="true"/>
+<refine-value idref="max_concurrent_login_sessions_value" selector="3"/>
+
+<select idref="partition_for_tmp" selected="true"/>
+<select idref="partition_for_var" selected="true"/>
+<select idref="partition_for_var_log" selected="true"/>
+<select idref="partition_for_var_log_audit" selected="true"/>
+<select idref="partition_for_home" selected="true"/>
+
+<select idref="ensure_redhat_gpgkey_installed" selected="true"/>
+<select idref="ensure_gpgcheck_globally_activated" selected="true"/>
+<select idref="ensure_gpgcheck_never_disabled" selected="true"/>
+<select idref="rpm_verify_hashes" selected="true"/>
+<select idref="rpm_verify_permissions" selected="true"/>
+
+<select idref="package_aide_installed" selected="true"/>
+<select idref="aide_build_database" selected="true"/>
+
+<select idref="mountopt_nodev_on_removable_partitions" selected="true"/>
+<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
+<select idref="mountopt_nosuid_on_removable_partitions" selected="true"/>
+<select idref="mount_option_tmp_nodev" selected="true"/>
+<select idref="mount_option_tmp_noexec" selected="true"/>
+<select idref="mount_option_tmp_nosuid" selected="true"/>
+<select idref="mount_option_dev_shm_nodev" selected="true"/>
+<select idref="mount_option_dev_shm_noexec" selected="true"/>
+<select idref="mount_option_dev_shm_nosuid" selected="true"/>
+<select idref="mount_option_var_tmp_bind_var" selected="true"/>
+
+<select idref="kernel_module_usb-storage_disabled" selected="true"/>
+<select idref="bootloader_nousb_argument" selected="true"/>
+
+
+<select idref="kernel_module_cramfs_disabled" selected="true" />
+<select idref="kernel_module_freevxfs_disabled" selected="true" />
+<select idref="kernel_module_jffs2_disabled" selected="true" />
+<select idref="kernel_module_hfs_disabled" selected="true" />
+<select idref="kernel_module_hfsplus_disabled" selected="true" />
+<select idref="kernel_module_squashfs_disabled" selected="true" />
+<select idref="kernel_module_udf_disabled" selected="true" />
+
+<select idref="sticky_world_writable_dirs" selected="true" />
+<select idref="world_writeable_files" selected="true" />
+<select idref="no_files_unowned_by_user" selected="true" />
+<select idref="no_files_unowned_by_group" selected="true" />
+<select idref="world_writable_files_system_ownership" selected="true" />
+
+<select idref="umask_for_daemons" selected="true" />
+<refine-value idref="var_umask_for_daemons" selector="027"/>
+
+<select idref="disable_users_coredumps" selected="true"/>
+<select idref="enable_randomize_va_space" selected="true"/>
+<select idref="enable_execshield" selected="true"/>
+<select idref="install_PAE_kernel_on_x86-32" selected="true" />
+<select idref="disable_prelink" selected="true" />
+<select idref="account_unique_name" selected="true"/>
+<select idref="no_hashes_outside_shadow" selected="true"/>
+<select idref="no_uidzero_except_root" selected="true"/>
+
+<select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
+<select idref="set_password_hashing_algorithm_logindefs" selected="true"/>
+<select idref="set_password_hashing_algorithm_libuserconf" selected="true"/>
+
+<select idref="root_paths" selected="true" />
+<select idref="root_path_no_groupother_writable" selected="true" />
+<select idref="user_umask_bashrc" selected="true" />
+<select idref="user_umask_logindefs" selected="true" />
+<refine-value idref="var_accounts_user_umask" selector="077" />
+<select idref="no_shelllogin_for_systemaccounts" selected="true"/>
+<select idref="root_path_default" selected="true" />
+<select idref="no_empty_passwords" selected="true"/>
+<select idref="user_umask_cshrc" selected="true" />
+<select idref="user_umask_profile" selected="true" />
+
+<select idref="no_netrc_files" selected="true" />
+<select idref="disable_interactive_boot" selected="true"/>
+<select idref="package_screen_installed" selected="true"/>
+
+<select idref="kernel_module_dccp_disabled" selected="true"/>
+<select idref="kernel_module_sctp_disabled" selected="true"/>
+<select idref="kernel_module_rds_disabled" selected="true"/>
+<select idref="kernel_module_tipc_disabled" selected="true"/>
+
+<select idref="package_rsyslog_installed" selected="true"/>
+<select idref="service_rsyslog_enabled" selected="true"/>
+<select idref="rsyslog_send_messages_to_logserver" selected="true"/>
+<select idref="ensure_logrotate_activated" selected="true"/>
+<select idref="disable_logwatch_for_logserver" selected="true" />
+<select idref="userowner_rsyslog_files" selected="true" />
+<select idref="groupowner_rsyslog_files" selected="true" />
+<select idref="rsyslog_file_permissions" selected="true" />
+<select idref="rsyslog_accept_remote_messages_none" selected="true" />
+<select idref="configure_logwatch_splithosts" selected="true" />
+
+<select idref="audit_rules_time_adjtimex" selected="true"/>
+<select idref="audit_rules_time_settimeofday" selected="true"/>
+<select idref="audit_rules_time_stime" selected="true"/>
+<select idref="audit_rules_time_clock_settime" selected="true"/>
+<select idref="audit_rules_time_watch_localtime" selected="true"/>
+<select idref="audit_account_changes" selected="true"/>
+<select idref="audit_network_modifications" selected="true"/>
+<select idref="audit_mac_changes" selected="true"/>
+<select idref="audit_rules_dac_modification_chmod" selected="true"/>
+<select idref="audit_rules_dac_modification_chown" selected="true"/>
+<select idref="audit_rules_dac_modification_fchmod" selected="true"/>
+<select idref="audit_rules_dac_modification_fchmodat" selected="true"/>
+<select idref="audit_rules_dac_modification_fchown" selected="true"/>
+<select idref="audit_rules_dac_modification_fchownat" selected="true"/>
+<select idref="audit_rules_dac_modification_fremovexattr" selected="true"/>
+<select idref="audit_rules_dac_modification_fsetxattr" selected="true"/>
+<select idref="audit_rules_dac_modification_lchown" selected="true"/>
+<select idref="audit_rules_dac_modification_lremovexattr" selected="true"/>
+<select idref="audit_rules_dac_modification_lsetxattr" selected="true"/>
+<select idref="audit_rules_dac_modification_removexattr" selected="true"/>
+<select idref="audit_rules_dac_modification_setxattr" selected="true"/>
+<select idref="audit_kernel_module_loading" selected="true"/>
+<select idref="audit_config_immutable" selected="true" />
+<select idref="audit_logs_permissions" selected="true"/>
+<select idref="audit_logs_rootowner" selected="true" />
+<select idref="audit_manual_logon_edits" selected="true" />
+<select idref="audit_manual_session_edits" selected="true" />
+<select idref="audit_file_access" selected="true"/>
+<select idref="audit_privileged_commands" selected="true"/>
+<select idref="audit_media_exports" selected="true"/>
+<select idref="audit_file_deletions" selected="true"/>
+
+<select idref="securety_root_login_console_only" selected="true" />
+<select idref="no_direct_root_logins" selected="true" />
+
+<select idref="userowner_shadow_file" selected="true"/>
+<select idref="groupowner_shadow_file" selected="true"/>
+<select idref="file_permissions_etc_shadow" selected="true"/>
+<select idref="userowner_gshadow_file" selected="true"/>
+<select idref="groupowner_gshadow_file" selected="true"/>
+<select idref="perms_gshadow_file" selected="true"/>
+<select idref="userowner_passwd_file" selected="true"/>
+<select idref="groupowner_passwd_file" selected="true"/>
+<select idref="file_permissions_etc_passwd" selected="true"/>
+<select idref="userowner_group_file" selected="true" />
+<select idref="groupowner_group_file" selected="true" />
+<select idref="perms_group_file" selected="true" />
+<select idref="file_permissions_library_dirs" selected="true"/>
+<select idref="file_ownership_library_dirs" selected="true"/>
+<select idref="file_permissions_binary_dirs" selected="true"/>
+<select idref="file_ownership_binary_dirs" selected="true"/>
+<select idref="gid_passwd_group_same" selected="true"/>
+<select idref="homedir_perms_no_groupwrite_worldread" selected="true" />
+<select idref="user_owner_grub_conf" selected="true"/>
+<select idref="group_owner_grub_conf" selected="true"/>
+<select idref="permissions_grub_conf" selected="true"/>
+
+<select idref="disable_setuid_coredumps" selected="true" />
+<select idref="service_restorecond_enabled" selected="true" />
+
+<select idref="selinux_confinement_of_daemons" selected="true" />
+<select idref="selinux_all_devicefiles_labeled" selected="true"/>
+<select idref="set_selinux_state" selected="true"/>
+<select idref="set_selinux_policy" selected="true"/>
+
+<select idref="require_singleuser_auth" selected="true"/>
+<select idref="disable_ctrlaltdel_reboot" selected="true"/>
+<select idref="bootloader_password" selected="true" />
+<select idref="set_screensaver_inactivity_timeout" selected="true"/>
+<refine-value idref="inactivity_timeout_value" selector="15_minutes"/>
+<select idref="enable_screensaver_after_idle" selected="true"/>
+<select idref="enable_screensaver_password_lock" selected="true"/>
+<select idref="set_system_login_banner" selected="true"/>
+<select idref="enable_gdm_login_banner" selected="true" />
+<select idref="set_gdm_login_banner_text" selected="true" />
+<refine-value idref="login_banner_text" selector="dod_default"/>
+<select idref="disable_user_list" selected="true" />
+<select idref="disable_gnome_thumbnailers" selected="true" />
+<select idref="gconf_gnome_disable_automount" selected="true"/>
+
+<select idref="network_disable_zeroconf" selected="true" />
+<select idref="disable_sysctl_ipv4_default_send_redirects" selected="true"/>
+<select idref="disable_sysctl_ipv4_all_send_redirects" selected="true"/>
+<select idref="disable_sysctl_ipv4_ip_forward" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
+<select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
+<select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
+<select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
+<select idref="sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
+
+<select idref="kernel_module_ipv6_option_disabled" selected="true"/>
+<select idref="network_ipv6_disable_interfaces" selected="true"/>
+<select idref="network_ipv6_disable_rpc" selected="true" />
+<select idref="network_ipv6_static_address" selected="true" />
+<select idref="network_ipv6_privacy_extensions" selected="true" />
+<select idref="network_ipv6_default_gateway" selected="true" />
+<select idref="network_ipv6_limit_requests" selected="true" />
+<select idref="sysctl_net_ipv6_conf_default_accept_ra" selected="true" />
+<select idref="sysctl_ipv6_default_accept_redirects" selected="true" />
+
+<select idref="network_sniffer_disabled" selected="true" />
+<select idref="wireless_disable_in_bios" selected="true" />
+<select idref="deactivate_wireless_interfaces" selected="true" />
+<select idref="service_bluetooth_disabled" selected="true" />
+<select idref="kernel_module_bluetooth_disabled" selected="true"/>
+
+<select idref="service_crond_enabled" selected="true"/>
+<select idref="disable_anacron" selected="true" />
+
+<select idref="service_abrtd_disabled" selected="true"/>
+<select idref="service_acpid_disabled" selected="true" />
+<select idref="service_atd_disabled" selected="true" />
+<select idref="service_autofs_disabled" selected="true"/>
+<select idref="service_certmonger_disabled" selected="true" />
+<select idref="service_cgconfig_disabled" selected="true" />
+<select idref="service_cgred_disabled" selected="true" />
+<select idref="service_cpuspeed_disabled" selected="true" />
+<select idref="service_haldaemon_disabled" selected="true" />
+<select idref="service_irqbalance_enabled" selected="true" />
+<select idref="service_kdump_disabled" selected="true" />
+<select idref="service_mdmonitor_disabled" selected="true" />
+<select idref="service_messagebus_disabled" selected="true" />
+<select idref="service_netconsole_disabled" selected="true"/>
+<select idref="service_ntpdate_disabled" selected="true"/>
+<select idref="service_oddjobd_disabled" selected="true"/>
+<select idref="service_portreserve_disabled" selected="true" />
+<select idref="service_qpidd_disabled" selected="true" />
+<select idref="service_rdisc_disabled" selected="true" />
+<select idref="service_rhnsd_disabled" selected="true" />
+<select idref="service_saslauthd_disabled" selected="true" />
+<select idref="service_rhsmcertd_disabled" selected="true" />
+<select idref="service_smartd_disabled" selected="true" />
+<select idref="service_sysstat_disabled" selected="true" />
+
+<select idref="disable_xinetd" selected="true"/>
+<select idref="uninstall_xinetd" selected="true"/>
+
+<select idref="uninstall_telnet_server" selected="true"/>
+<select idref="disable_telnet_service" selected="true"/>
+
+<select idref="uninstall_rsh-server" selected="true"/>
+<select idref="disable_rsh" selected="true"/>
+
+<select idref="uninstall_ypserv" selected="true"/>
+<select idref="disable_ypbind" selected="true"/>
+
+<select idref="ssh_server_disabled" selected="true" />
+<select idref="sshd_allow_only_protocol2" selected="true"/>
+<select idref="sshd_set_idle_timeout" selected="true"/>
+<select idref="sshd_set_keepalive" selected="true"/>
+<select idref="sshd_disable_rhosts" selected="true"/>
+<select idref="sshd_disable_root_login" selected="true"/>
+<select idref="sshd_disable_empty_passwords" selected="true"/>
+<select idref="sshd_enable_warning_banner" selected="true"/>
+<select idref="sshd_do_not_permit_user_env" selected="true"/>
+<select idref="sshd_limit_user_access" selected="true" />
+<select idref="sshd_use_approved_ciphers" selected="true"/>
+
+<select idref="disable_xwindows_with_runlevel" selected="true"/>
+<select idref="packagegroup_xwindows_remove" selected="true"/>
+
+<select idref="service_cups_disabled" selected="true" />
+<select idref="cups_disable_browsing" selected="true" />
+
+<select idref="disable_dhcp_client" selected="true"/>
+
+<select idref="dhcp_server_disable_ddns" selected="true" />
+<select idref="dhcp_server_deny_decline" selected="true" />
+<select idref="dhcp_server_deny_bootp" selected="true" />
+<select idref="dhcp_server_minimize_served_info" selected="true" />
+<select idref="dhcp_server_configure_logging" selected="true" />
+
+<select idref="service_ntpd_enabled" selected="true"/>
+<select idref="ntpd_specify_remote_server" selected="true"/>
+
+<select idref="service_postfix_enabled" selected="true"/>
+<select idref="package_sendmail_removed" selected="true"/>
+
+<select idref="ldap_client_start_tls" selected="true"/>
+
+<select idref="service_nfslock_disabled" selected="true"/>
+<select idref="service_rpcgssd_disabled" selected="true"/>
+<select idref="service_rpcidmapd_disabled" selected="true"/>
+<select idref="service_netfs_disabled" selected="true"/>
+<select idref="nfs_fixed_lockd_tcp_port" selected="true" />
+<select idref="nfs_fixed_lockd_udp_port" selected="true" />
+<select idref="nfs_fixed_statd_port" selected="true" />
+<select idref="nfs_fixed_mountd_port" selected="true" />
+<select idref="service_nfs_disabled" selected="true"/>
+<select idref="service_rpcsvcgssd_disabled" selected="true"/>
+<select idref="use_nodev_option_on_nfs_mounts" selected="true"/>
+<select idref="use_nosuid_option_on_nfs_mounts" selected="true"/>
+<select idref="use_root_squashing_all_exports" selected="true" />
+<select idref="restrict_nfs_clients_to_privileged_ports" selected="true" />
+<select idref="no_insecure_locks_exports" selected="true" />
+<select idref="nfs_no_anonymous" selected="true"/>
+
+<select idref="disable_dns_server" selected="true"/>
+<select idref="uninstall_bind" selected="true"/>
+<select idref="dns_server_disable_dynamic_updates" selected="true" />
+
+<select idref="uninstall_tftp-server" selected="true"/>
+<select idref="disable_tftp" selected="true"/>
+<select idref="disable_vsftpd" selected="true"/>
+<select idref="uninstall_vsftpd" selected="true"/>
+<select idref="ftp_log_transactions" selected="true" />
+<select idref="ftp_present_banner" selected="true" />
+
+<select idref="uninstall_httpd" selected="true" />
+<select idref="httpd_servertokens_prod" selected="true" />
+<select idref="httpd_mod_rewrite" selected="true" />
+<select idref="httpd_server_side_includes" selected="true" />
+<select idref="httpd_webdav" selected="true" />
+<select idref="httpd_server_activity_status" selected="true" />
+<select idref="httpd_server_configuration_display" selected="true" />
+<select idref="httpd_url_correction" selected="true" />
+<select idref="httpd_proxy_support" selected="true" />
+<select idref="httpd_cache_support" selected="true" />
+<select idref="httpd_cgi_support" selected="true" />
+<select idref="httpd_digest_authentication" selected="true" />
+<select idref="httpd_ldap_support" selected="true" />
+<select idref="httpd_mime_magic" selected="true" />
+<select idref="httpd_restrict_root_directory" selected="true" />
+<select idref="httpd_restrict_web_directory" selected="true" />
+<select idref="httpd_restrict_critical_directories" selected="true" />
+<select idref="httpd_limit_available_methods" selected="true" />
+<select idref="httpd_install_mod_ssl" selected="true" />
+<select idref="httpd_install_mod_security" selected="true" />
+<select idref="httpd_conf_dir_permissions" selected="true" />
+<select idref="httpd_conf_files_permissions" selected="true" />
+
+<select idref="disable_dovecot" selected="true"/>
+<select idref="uninstall_dovecot" selected="true"/>
+<select idref="dovecot_enable_ssl" selected="true" />
+<select idref="dovecot_configure_ssl_cert" selected="true" />
+<select idref="dovecot_configure_ssl_key" selected="true" />
+
+<select idref="disable_smb_server" selected="true"/>
+<select idref="require_smb_client_signing" selected="true"/>
+<select idref="require_smb_client_signing_mount.cifs" selected="true"/>
+<select idref="smb_server_disable_root" selected="true" />
+
+<select idref="disable_squid" selected="true"/>
+<select idref="uninstall_squid" selected="true"/>
+<select idref="disable_snmpd" selected="true"/>
+<select idref="uninstall_net-snmp" selected="true"/>
+
+<select idref="install_openswan" selected="true" />
+<select idref="no_rsh_trust_files" selected="true"/>
+<select idref="tftpd_uses_secure_mode" selected="true" />
+
+<select idref="disable_avahi" selected="true"/>
+<select idref="avahi_ip_only" selected="true" />
+<select idref="avahi_check_ttl" selected="true" />
+<select idref="avahi_prevent_port_sharing" selected="true" />
+<select idref="avahi_disable_publishing" selected="true" />
+
+</Profile>
--
1.7.1
10 years, 5 months
[PATCH] Remediation for Password Reuse
by Frank Caviggia
All,
Here is a remediation fix for account password reuse in SSG. Updated to use the '/etc/pam.d/system-auth' file.
Regards,
Frank Caviggia
-- Frank Caviggia Consultant, Public Sector fcaviggi(a)redhat.com
10 years, 5 months
[PATCH] Remediation for Password Reuse
by Frank Caviggia
All,
Here is a remediation fix for account password reuse in SSG.
Regards,
Frank Caviggia
--
Frank Caviggia
Consultant, Public Sector
fcaviggi(a)redhat.com
10 years, 5 months
Introducing JBoss Fuse 6 SCAP Content
by Shawn Wells
Members of Red Hat's consulting organization have been silently working
on SCAP content for JBoss Fuse 6, which combines Apache Camel, Apache
CXF, Apache ActiveMQ, Apache Karaf and Fuse Fabric in a single
integrated distribution. Core messaging is provided by Apache ActiveMQ,
services framework (SOAP, XML/HTTP, RESTful HTTP) is provided by Apache
CXF and integration framework is provided by Apache Camel. Apache Karaf
provides a lightweight OSGI-based runtime container.
The JBoss Fuse 6 SCAP content provides guidance for RHEL6-based
deployments. At this time only XCCDF is provided, primarily tested
against the XCCDFExec interpreter. The content will gradually be converted
to 'SSG style' XCCDF/OVAL chunks to ease multi-author editing, and
relevant metadata tags referencing DISA SRGs will be added to form a JBoss
Fuse 6 STIG submission.
The Fuse content has not yet been incorporated into the RPM build
system. The initial patch has been committed to the repo [1] and will
show up once developers rebase / git pull.
Congrats to Bryan Saunders, Jason Wong and Kenny Peeples for this
initial code!
[1]
https://git.fedorahosted.org/cgit/scap-security-guide.git/commit/?id=0a8b...
10 years, 5 months
[PATCH] Created a check to ensure prelinking has been disabled and added the oval id to the disable_prelink rule inside the integrity.xml file.
by Caleb Cooper
Signed-off-by: Caleb Cooper <coopercd(a)ornl.gov>
---
RHEL6/input/checks/disable_prelink.xml | 24 ++++++++++++++++++++++++
RHEL6/input/system/software/integrity.xml | 1 +
2 files changed, 25 insertions(+), 0 deletions(-)
create mode 100644 RHEL6/input/checks/disable_prelink.xml
diff --git a/RHEL6/input/checks/disable_prelink.xml b/RHEL6/input/checks/disable_prelink.xml
new file mode 100644
index 0000000..5bebdc0
--- /dev/null
+++ b/RHEL6/input/checks/disable_prelink.xml
@@ -0,0 +1,24 @@
+<def-group>
+ <definition class="compliance" id="disable_prelink" version="1">
+ <metadata>
+ <title>Disable Prelinking</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <description>The prelinking feature can interfere with the operation of AIDE, because it changes binaries. </description>
+ </metadata>
+ <criteria>
+ <criterion comment="Ensure prelinking is diabled" test_ref="test_prelinking_no" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="Tests whether prelinking is disabled"
+ id="test_prelinking_no" version="1">
+ <ind:object object_ref="obj_prelinking_no" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_prelinking_no" version="1">
+ <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
+ <ind:pattern operation="pattern match">^PRELINKING=no$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
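Review bot: The `ind:pattern` in `obj_prelinking_no` is anchored as `^PRELINKING=no$`, so a line with leading or trailing whitespace will not match and a host with prelinking disabled would be reported as failing; `^[ \t]*PRELINKING=no[ \t]*$` is more tolerant. With `check_existence="all_exist"` the test also fails when `/etc/sysconfig/prelink` is absent, which is presumably the case when the prelink package is not installed, so it is worth deciding whether that case should pass (for example through an OR'd package-not-installed criterion). The check reads only the configuration value and does not show whether binaries that were already prelinked have been restored, which the `<description>` could state so that a pass is not over-read. The criterion comment also has a typo and should read `comment="Ensure prelinking is disabled"`.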
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index b180f3a..4807009 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -60,6 +60,7 @@ The prelinking feature can interfere with the operation
of AIDE, because it changes binaries.
</rationale>
<ident cce="27221-1" />
+<oval id="disable_prelink" />
<ref nist="CM-6(d),CM-6(3),SC-28, SI-7" />
</Rule>
--
1.7.1
10 years, 5 months