On 10/26/13, 1:49 PM, David Smith wrote:
---
.../checks/kernel_module_ipv6_option_disabled.xml | 1 +
RHEL6/input/checks/ldap_client_start_tls.xml | 1 +
RHEL6/input/checks/service_rexec_disabled.xml | 1 +
RHEL6/input/checks/service_rlogin_disabled.xml | 1 +
RHEL6/input/checks/service_rsh_disabled.xml | 1 +
RHEL6/input/checks/service_telnetd_disabled.xml | 1 +
RHEL6/input/checks/service_xinetd_disabled.xml | 1 +
RHEL6/input/services/obsolete.xml | 8 ++++----
8 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml
b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml
index a1203bf..cb61e74 100644
--- a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml
+++ b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The disable option will allow the IPv6 module to be inserted,
but prevent address assignment and activation of the network stack.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria>
<criterion test_ref="test_kernel_module_ipv6_option_disabled"
comment="ipv6 disabled any modprobe conf file"/>
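Review bot: the reference element added to the metadata block here (source="DS" ref_id="20131018" ref_url="test_attestation") is not explained anywhere in the patch, and the commit message above the diffstat is empty. The source value looks like the submitter's initials and the ref_id looks like a date, but neither is stated, and ref_url carries a token rather than a URL. Since the same line goes into seven check files, please add a commit message saying what the attestation means and how the checks were exercised.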
diff --git a/RHEL6/input/checks/ldap_client_start_tls.xml
b/RHEL6/input/checks/ldap_client_start_tls.xml
index 75f636d..184b9c2 100644
--- a/RHEL6/input/checks/ldap_client_start_tls.xml
+++ b/RHEL6/input/checks/ldap_client_start_tls.xml
@@ -7,6 +7,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Require the use of TLS for ldap clients.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package pam_ldap is not present"
operator="OR">
<extend_definition comment="pam_ldap not present or not in use"
diff --git a/RHEL6/input/checks/service_rexec_disabled.xml
b/RHEL6/input/checks/service_rexec_disabled.xml
index 9e1ee78..205b567 100644
--- a/RHEL6/input/checks/service_rexec_disabled.xml
+++ b/RHEL6/input/checks/service_rexec_disabled.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The rexec service should be disabled if
possible.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package rsh-server removed or service rexec is not
configured to start" operator="OR">
<extend_definition comment="rpm package rsh-server removed"
definition_ref="package_rsh-server_removed" />
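Review bot: the attestation added to this check's metadata covers criteria whose comment reads "service rexec is not configured to start", yet the obsolete.xml change later in this patch switches the rexec OCIL text to the xinetd-specific check macro. Please confirm the attested test was run against a system where rexec is enabled and disabled through xinetd, and not only against a system with rsh-server removed, where the OR passes on the package branch alone. The same question applies to the rlogin and rsh checks that follow.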
diff --git a/RHEL6/input/checks/service_rlogin_disabled.xml
b/RHEL6/input/checks/service_rlogin_disabled.xml
index 6318c9a..ed95c27 100644
--- a/RHEL6/input/checks/service_rlogin_disabled.xml
+++ b/RHEL6/input/checks/service_rlogin_disabled.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The rlogin service should be disabled if
possible.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package rsh-server removed or service rlogin is not
configured to start" operator="OR">
<extend_definition comment="rpm package rsh-server removed"
definition_ref="package_rsh-server_removed" />
diff --git a/RHEL6/input/checks/service_rsh_disabled.xml
b/RHEL6/input/checks/service_rsh_disabled.xml
index 71bc9ff..54e9136 100644
--- a/RHEL6/input/checks/service_rsh_disabled.xml
+++ b/RHEL6/input/checks/service_rsh_disabled.xml
@@ -6,6 +6,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The rsh service should be disabled if
possible.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package rsh-server removed or service rsh is not
configured to start" operator="OR">
<extend_definition comment="rpm package rsh-server removed"
definition_ref="package_rsh-server_removed" />
diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml
b/RHEL6/input/checks/service_telnetd_disabled.xml
index b02fe67..095f7ad 100644
--- a/RHEL6/input/checks/service_telnetd_disabled.xml
+++ b/RHEL6/input/checks/service_telnetd_disabled.xml
@@ -7,6 +7,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>Disable telnet Service</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package telnet-server removed or service telnetd is not
configured to start" operator="OR">
<extend_definition comment="rpm package telnet-server removed"
definition_ref="package_telnet-server_removed" />
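Review bot: the check file name and the criteria comment in this hunk say "telnetd", while the obsolete.xml hunk for the same rule passes service="telnet" to its macros. Before attesting, please confirm the test behind this criterion looks for the name the system actually uses, and consider aligning the two names. As a style point, the description "Disable telnet Service" is phrased as an imperative, unlike the "should be disabled if possible" wording of the sibling checks.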
diff --git a/RHEL6/input/checks/service_xinetd_disabled.xml
b/RHEL6/input/checks/service_xinetd_disabled.xml
index 24ad0ef..c162e23 100644
--- a/RHEL6/input/checks/service_xinetd_disabled.xml
+++ b/RHEL6/input/checks/service_xinetd_disabled.xml
@@ -8,6 +8,7 @@
<platform>Red Hat Enterprise Linux 6</platform>
</affected>
<description>The xinetd service should be disabled if
possible.</description>
+ <reference source="DS" ref_id="20131018"
ref_url="test_attestation" />
</metadata>
<criteria comment="package xinetd removed or service xinetd is not
configured to start" operator="OR">
<extend_definition comment="xinetd removed"
definition_ref="package_xinetd_removed" />
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index 41ee480..1792120 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -77,7 +77,7 @@ actively working to migrate to a more secure
protocol.</description>
<description>
<service-disable-macro service="telnet" />
</description>
-<ocil><service-disable-check-macro service="telnet"
/></ocil>
+<ocil><xinetd-service-disable-check-macro service="telnet"
/></ocil>
<rationale>
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
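Review bot: the description two lines above the changed ocil element still uses service-disable-macro service="telnet", so after this change the fix text and the check text come from two different macro families. Please confirm the generic disable macro produces instructions that are correct for an xinetd-managed service, or switch the description to an xinetd-specific counterpart so an auditor following both texts sees one mechanism. The rexec, rsh and rlogin hunks below have the same pairing.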
@@ -139,7 +139,7 @@ the <tt>rsh-server</tt> package and runs as a service
through xinetd,
should be disabled.
<service-disable-macro service="rexec" />
</description>
-<ocil><service-disable-check-macro service="rexec"
/></ocil>
+<ocil><xinetd-service-disable-check-macro service="rexec"
/></ocil>
<rationale>The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
@@ -158,7 +158,7 @@ the <tt>rsh-server</tt> package and runs as a service
through xinetd,
should be disabled.
<service-disable-macro service="rsh" />
</description>
-<ocil><service-disable-check-macro service="rsh" /></ocil>
+<ocil><xinetd-service-disable-check-macro service="rsh"
/></ocil>
<rationale>The rsh service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
@@ -177,7 +177,7 @@ the <tt>rsh-server</tt> package and runs as a service
through xinetd,
should be disabled.
<service-disable-macro service="rlogin" />
</description>
-<ocil><service-disable-check-macro service="rlogin"
/></ocil>
+<ocil><xinetd-service-disable-check-macro service="rlogin"
/></ocil>
<rationale>The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
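Review bot: xinetd-service-disable-check-macro, introduced on the changed ocil line of this hunk and the three before it, is not defined in any of the eight files in the diffstat. Please confirm it already exists in the transforms, since an undefined macro element would pass through unexpanded into the generated guide. If it is being added by another patch in this series, note the dependency in the commit message.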
ack, noting that patch 2 is now irrelevant (good find)