>From 0b98b486b620c6229f66a74934284b5f47d952c1 Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Wed, 19 Sep 2012 13:25:16 -0400 Subject: [PATCH 11/14] Updated service-disable-check-macro to check for runtime and config (boottime) settings - service-disable-check-macro was checking for a "service disabled," but not checking init settings of services. Updated service-disable-check-macro to reflect chkconfig tests - Updated bluetooth to use this check - Removed my old ocil-disabled, since it clearly isn't needed once content was added to service-disable-check-macro --- RHEL6/input/services/base.xml | 1 + RHEL6/input/system/network/wireless.xml | 2 +- RHEL6/transforms/shorthand2xccdf.xslt | 32 +++++++++++++++++------------- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml index eba13df..1e29627 100644 --- a/RHEL6/input/services/base.xml +++ b/RHEL6/input/services/base.xml @@ -400,6 +400,7 @@ RHN server or satellite and managed as such. Although systems management and patching is extremely important to system security, management by a system outside the enterprise enclave is not desirable for some environments. + diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index fcf38d2..7e675fa 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -94,7 +94,7 @@ the need to install such a driver first. connections to to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range. - + diff --git a/RHEL6/transforms/shorthand2xccdf.xslt b/RHEL6/transforms/shorthand2xccdf.xslt index e219c3d..6ddea7b 100644 --- a/RHEL6/transforms/shorthand2xccdf.xslt +++ b/RHEL6/transforms/shorthand2xccdf.xslt 
@@ -220,16 +220,6 @@ exclude-result-prefixes="xccdf xhtml"> # chkconfig off - - Run the following command to verify the service has been - disabled: - # chkconfig --list - Output should indicate the service has been disabled at all runlevels, - as shown in the example below: - # chkconfig --list - 0:off 1:off 2:off 3:off 4:off 5:off 6:off - - The service can be enabled with the following command: # chkconfig on @@ -252,10 +242,24 @@ exclude-result-prefixes="xccdf xhtml"> - Run the following command to determine the current status of the - service: - # service status - If the service is disabled, it should return: is stopped + It is prudent to check that the service is disabled in system boot + configuration via chkconfig and not currently running on the system (runtime configuration). + + Run the following command to verify is disabled through current + runtime configuration: + # service status + + If the service is disabled, the command will return: + is stopped + + Run the following command to verify is disabled through system + boot configuration: + # chkconfig --list + + Output should indicate the service has been disabled at all runlevels, + as shown in the example below: + # chkconfig --list + 0:off 1:off 2:off 3:off 4:off 5:off 6:off -- 1.7.1
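
Review bot: The unchanged context in the RHEL6/input/system/network/wireless.xml hunk (@@ -94,7 +94,7 @@) reads "connections to to Bluetooth devices", with a doubled "to". The patch already changes the line directly below this rationale text, so fix the typo in the same commit so that it reads "connections to Bluetooth devices".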
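
Review bot: The first RHEL6/transforms/shorthand2xccdf.xslt hunk (@@ -220,16 +220,6 @@) deletes the chkconfig --list verification block, which the commit message describes as the old ocil-disabled, but the diffstat touches only base.xml and wireless.xml among the input files. Please confirm that no other file under RHEL6/input still references the removed block, or switch those references to service-disable-check-macro in this patch, so the transform does not silently emit rules with no check text.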
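
Review bot: In the second RHEL6/transforms/shorthand2xccdf.xslt hunk (@@ -252,10 +242,24 @@), the added runtime step says "If the service is disabled, the command will return: is stopped", which uses "disabled" for a result that only shows the service is not currently running. That blurs the runtime versus boot-time distinction the new opening sentence sets up, and a service that is stopped but still "on" in chkconfig would satisfy this wording. Suggest "verify ... is not running" and "If the service is not running, the command will return:" for the service status step, and keep "disabled" for the chkconfig --list step only.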