Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/system/auditing.xml | 6 ++--
RHEL6/input/system/network/ipsec.xml | 2 +-
RHEL6/input/system/network/iptables.xml | 4 +-
RHEL6/input/system/network/ssl.xml | 2 +-
RHEL6/input/system/software/disk_partitioning.xml | 34 +++++++++++----------
RHEL6/input/system/software/integrity.xml | 2 +-
6 files changed, 26 insertions(+), 24 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 9c254a0..e6ab516 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -93,7 +93,7 @@ actions will be taken if other obstacles exist.
</rationale>
<ident cce="4292-9" />
<oval id="service_auditd_enabled" />
-<ref nist="CM-6, CM-7"
disa="169,157,172,174,1353,1462,1487,1115,1454,067,158,831,1123,1190,1312,1263,130,120"
/>
+<ref nist="CM-6, CM-7"
disa="169,157,172,174,1353,1462,1487,1115,1454,067,158,831,1190,1312,1263,130,120"
/>
<tested by="DS" on="20121024"/>
</Rule>
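Review bot: CCI identifier 1123 is dropped from this `<ref>`'s `disa` list with no record of why, and the same unexplained pruning appears in the other two auditing.xml hunks (1274, 1338), in ipsec.xml (1135), both iptables.xml hunks (1123, 1124), ssl.xml and integrity.xml (1166). These mappings are traceability data for compliance consumers, so a reader cannot tell from the patch whether the removed CCIs were retired in a newer DISA mapping or were simply mismapped originally; only a Signed-off-by trailer is visible, so the commit message should state which mapping revision the lists were reconciled against. The `<Rule>` containing this `<ref>` begins before the hunk.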
@@ -459,7 +459,7 @@ After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
<pre># service auditd restart</pre>
</description>
-<ref disa="171,172,1115,1454,1487,1571,1589,880,347,85,1274,1356,374,130"
/>
+<ref disa="171,172,1115,1454,1487,1571,1589,880,347,85,1356,374,130" />
<Group id="audit_time_rules">
<title>Records Events that Modify Date and Time Information</title>
@@ -672,7 +672,7 @@ Audit logs must be mode 0640 or less permissive.
If users can write to audit logs, audit trails can be modified or destroyed.
</rationale>
<oval id="file_permissions_var_log_audit" />
-<ref disa="166,1338" />
+<ref disa="166" />
<tested by="DS" on="20121024"/>
</Rule>
diff --git a/RHEL6/input/system/network/ipsec.xml b/RHEL6/input/system/network/ipsec.xml
index 02c5bde..f73e493 100644
--- a/RHEL6/input/system/network/ipsec.xml
+++ b/RHEL6/input/system/network/ipsec.xml
@@ -19,7 +19,7 @@ transmitted over a wide area network.
</rationale>
<!--<ident cce="TODO" />-->
<oval id="package_openswan_installed" />
-<ref nist="AC-17, MA-4, SC-9" disa="1130,1131,1135" />
+<ref nist="AC-17, MA-4, SC-9" disa="1130,1131" />
</Rule>
</Group>
diff --git a/RHEL6/input/system/network/iptables.xml
b/RHEL6/input/system/network/iptables.xml
index 40f1746..d63b99f 100644
--- a/RHEL6/input/system/network/iptables.xml
+++ b/RHEL6/input/system/network/iptables.xml
@@ -60,7 +60,7 @@ capability for IPv6 and ICMPv6.
</rationale>
<ident cce="4167-3" />
<oval id="service_ip6tables_enabled" />
-<ref nist="CM-6, CM-7"
disa="66,1115,1118,1092,1117,1098,1100,1097,1123,1124,1414"/>
+<ref nist="CM-6, CM-7"
disa="66,1115,1118,1092,1117,1098,1100,1097,1414"/>
<tested by="DS" on="20121024"/>
</Rule>
@@ -76,7 +76,7 @@ capability for IPv4 and ICMP.
</rationale>
<ident cce="4189-7" />
<oval id="service_iptables_enabled" />
-<ref nist="CM-6, CM-7"
disa="66,1115,1118,1092,27,1117,1098,1100,1097,1123,1124,1414" />
+<ref nist="CM-6, CM-7"
disa="66,1115,1118,1092,27,1117,1098,1100,1097,1414" />
<tested by="DS" on="20121024"/>
</Rule>
</Group><!--<Group id="iptables_activation">-->
diff --git a/RHEL6/input/system/network/ssl.xml b/RHEL6/input/system/network/ssl.xml
index 77f3ecb..0c35dc7 100644
--- a/RHEL6/input/system/network/ssl.xml
+++ b/RHEL6/input/system/network/ssl.xml
@@ -50,7 +50,7 @@ process are:
</description>
-<ref disa="1141,1148,1130,1131,1127,1128,1135,1129,1132,1142,1147,187"
/>
+<ref disa="1130,1131,1127,1128,1129,187" />
<Group id="network_ssl_create_ca">
<title>Create a CA to Sign Certificates</title>
diff --git a/RHEL6/input/system/software/disk_partitioning.xml
b/RHEL6/input/system/software/disk_partitioning.xml
index ac3ccc9..484117b 100644
--- a/RHEL6/input/system/software/disk_partitioning.xml
+++ b/RHEL6/input/system/software/disk_partitioning.xml
@@ -125,33 +125,35 @@ users cannot trivially fill partitions used for log or audit data
storage.
<tested by="MM" on="20120928"/>
</Rule>
-<Group id="partition_encryption" >
-<title>Encrypting Partitions</title>
+<Rule id="encrypt_partitions" >
+<title>Encrypt Partitions</title>
<description>
Red Hat Enterprise Linux 6 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
-encrypt a partition is during install time.
+encrypt a partition is during installation time.
<br /><br />
-For manual installations, selecting the <tt>Encrypt</tt> checkbox during
-partition creation is all that is needed to encrypt the partition. When this
+For manual installations, select the <tt>Encrypt</tt> checkbox during
+partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
-decrypting the partition. The passphrase will need to be entered manually
+decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
<br /><br />
-For automated/unattended installations using Kickstart add the
<tt>--encrypted</tt>
-and <tt>--passphrase=</tt> options to the definition of each partition you
want
-encrypted. For example:
-<pre>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted
--passphrase=<i>yourpassphrase</i></pre>
-Where <i>yourpassphrase</i> is a passphrase of your choosing. The passphrase
is
-stored in the Kickstart file in clear-text. If that is of concern, leaving the
-<tt>--passphrase=</tt> option off the partition definition will cause the
-installer to pause and interactively ask for the passphrase during the install.
+For automated/unattended installations, it is possible to use Kickstart by adding
+the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to
the definition of each partition to be
+encrypted. For example, the following line would encrypt the root partition:
+<pre>part / --fstype=ext3 --size=100 --onpart=hda1 --encrypted
--passphrase=<i>PASSPHRASE</i></pre>
+Any <i>PASSPHRASE</i> is stored in the Kickstart in plaintext, and the
Kickstart must then be protected accordingly.
+Omitting the <tt>--passphrase=</tt> option from the partition definition will
cause the
+installer to pause and interactively ask for the passphrase during installation.
<br /><br />
Detailed information on encrypting partitions using LUKS can be found on
the Red Had Documentation web site:<br />
https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Securi...
</description>
-<ref disa="1199,1350,1200" />
-</Group>
+<ocil clause="encryption must be used and is not employed">
+Determine if encryption must be used to protect data on the system.
+</ocil>
+<ref disa="1019,1199,1200" />
+</Rule>
</Group>
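Review bot: The new `<Rule id="encrypt_partitions">` carries no `<rationale>` element, although every other Rule touched by this patch (auditing.xml, ipsec.xml, iptables.xml, integrity.xml) closes a `</rationale>` just ahead of its `<ref>`; add one between `</description>` and `<ocil>` explaining that encrypting data at rest limits its exposure if the disk or system is physically lost or stolen. The added `<ocil>` text, `Determine if encryption must be used to protect data on the system.`, only establishes whether encryption is required and never checks that it is actually in place, so it cannot decide the clause `encryption must be used and is not employed`; follow it with a concrete verification such as `If so, run <pre># blkid</pre> and confirm that each partition holding that data reports <tt>TYPE="crypto_LUKS"</tt>.` The unchanged context line beneath the Kickstart example still reads "Red Had Documentation".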
diff --git a/RHEL6/input/system/software/integrity.xml
b/RHEL6/input/system/software/integrity.xml
index 2aa54a2..fe548f3 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -97,7 +97,7 @@ To determine that periodic AIDE execution has been scheduled, run the
following
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE may reveal unexpected changes in installed files.
</rationale>
-<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1166,1263"/>
+<ref nist="CM-6, SC-28, SI-7" disa="416,1069,1263"/>
</Rule>
<!--
<Group id="aide_verify_integrity_manually">
--
1.7.1