--- .../checks/kernel_module_ipv6_option_disabled.xml | 1 + RHEL6/input/checks/ldap_client_start_tls.xml | 1 + RHEL6/input/checks/service_rexec_disabled.xml | 1 + RHEL6/input/checks/service_rlogin_disabled.xml | 1 + RHEL6/input/checks/service_rsh_disabled.xml | 1 + RHEL6/input/checks/service_telnetd_disabled.xml | 1 + RHEL6/input/checks/service_xinetd_disabled.xml | 1 + RHEL6/input/services/obsolete.xml | 8 ++++---- 8 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml index a1203bf..cb61e74 100644 --- a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml +++ b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_kernel_module_ipv6_option_disabled" comment="ipv6 disabled any modprobe conf file"/> diff --git a/RHEL6/input/checks/ldap_client_start_tls.xml b/RHEL6/input/checks/ldap_client_start_tls.xml index 75f636d..184b9c2 100644 --- a/RHEL6/input/checks/ldap_client_start_tls.xml +++ b/RHEL6/input/checks/ldap_client_start_tls.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Require the use of TLS for ldap clients.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package pam_ldap is not present" operator="OR"> <extend_definition comment="pam_ldap not present or not in use" diff --git a/RHEL6/input/checks/service_rexec_disabled.xml b/RHEL6/input/checks/service_rexec_disabled.xml index 9e1ee78..205b567 100644 --- a/RHEL6/input/checks/service_rexec_disabled.xml +++ b/RHEL6/input/checks/service_rexec_disabled.xml 
@@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rexec service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rexec is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rlogin_disabled.xml b/RHEL6/input/checks/service_rlogin_disabled.xml index 6318c9a..ed95c27 100644 --- a/RHEL6/input/checks/service_rlogin_disabled.xml +++ b/RHEL6/input/checks/service_rlogin_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rlogin service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rlogin is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_rsh_disabled.xml b/RHEL6/input/checks/service_rsh_disabled.xml index 71bc9ff..54e9136 100644 --- a/RHEL6/input/checks/service_rsh_disabled.xml +++ b/RHEL6/input/checks/service_rsh_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rsh service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rsh is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" /> diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml b/RHEL6/input/checks/service_telnetd_disabled.xml index b02fe67..095f7ad 100644 
--- a/RHEL6/input/checks/service_telnetd_disabled.xml +++ b/RHEL6/input/checks/service_telnetd_disabled.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Disable telnet Service</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package telnet-server removed or service telnetd is not configured to start" operator="OR"> <extend_definition comment="rpm package telnet-server removed" definition_ref="package_telnet-server_removed" /> diff --git a/RHEL6/input/checks/service_xinetd_disabled.xml b/RHEL6/input/checks/service_xinetd_disabled.xml index 24ad0ef..c162e23 100644 --- a/RHEL6/input/checks/service_xinetd_disabled.xml +++ b/RHEL6/input/checks/service_xinetd_disabled.xml @@ -8,6 +8,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The xinetd service should be disabled if possible.</description> + <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package xinetd removed or service xinetd is not configured to start" operator="OR"> <extend_definition comment="xinetd removed" definition_ref="package_xinetd_removed" /> diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 41ee480..1792120 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -77,7 +77,7 @@ actively working to migrate to a more secure protocol.</description> <description> <service-disable-macro service="telnet" /> </description> -<ocil><service-disable-check-macro service="telnet" /></ocil> +<ocil><xinetd-service-disable-check-macro service="telnet" /></ocil> <rationale> The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and 
@@ -139,7 +139,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rexec" /> </description> -<ocil><service-disable-check-macro service="rexec" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rexec" /></ocil> <rationale>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -158,7 +158,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rsh" /> </description> -<ocil><service-disable-check-macro service="rsh" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rsh" /></ocil> <rationale>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -177,7 +177,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rlogin" /> </description> -<ocil><service-disable-check-macro service="rlogin" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rlogin" /></ocil> <rationale>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be
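Review bot: In the four obsolete.xml hunks (telnet, rexec, rsh, rlogin) only the <ocil> line switches to xinetd-service-disable-check-macro, while the <description> directly above it still uses <service-disable-macro service="..." />, so the remediation text and the manual check procedure may now describe different mechanisms. The rexec, rsh and rlogin context lines state that these services run through xinetd, so it is worth confirming that the description macro produces instructions that match the new check, or pairing this change with an xinetd-specific description macro. The diffstat touches no macro definition file, so xinetd-service-disable-check-macro has to exist already in the tree or earlier in the series; saying which in the commit message would help anyone applying this patch on its own.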
On 10/26/13, 1:49 PM, David Smith wrote:
.../checks/kernel_module_ipv6_option_disabled.xml | 1 + RHEL6/input/checks/ldap_client_start_tls.xml | 1 + RHEL6/input/checks/service_rexec_disabled.xml | 1 + RHEL6/input/checks/service_rlogin_disabled.xml | 1 + RHEL6/input/checks/service_rsh_disabled.xml | 1 + RHEL6/input/checks/service_telnetd_disabled.xml | 1 + RHEL6/input/checks/service_xinetd_disabled.xml | 1 + RHEL6/input/services/obsolete.xml | 8 ++++---- 8 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml index a1203bf..cb61e74 100644 --- a/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml +++ b/RHEL6/input/checks/kernel_module_ipv6_option_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria> <criterion test_ref="test_kernel_module_ipv6_option_disabled" comment="ipv6 disabled any modprobe conf file"/>
diff --git a/RHEL6/input/checks/ldap_client_start_tls.xml b/RHEL6/input/checks/ldap_client_start_tls.xml index 75f636d..184b9c2 100644 --- a/RHEL6/input/checks/ldap_client_start_tls.xml +++ b/RHEL6/input/checks/ldap_client_start_tls.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Require the use of TLS for ldap clients.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package pam_ldap is not present" operator="OR"> <extend_definition comment="pam_ldap not present or not in use"
diff --git a/RHEL6/input/checks/service_rexec_disabled.xml b/RHEL6/input/checks/service_rexec_disabled.xml index 9e1ee78..205b567 100644 --- a/RHEL6/input/checks/service_rexec_disabled.xml +++ b/RHEL6/input/checks/service_rexec_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rexec service should be disabled if possible.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rexec is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" />
diff --git a/RHEL6/input/checks/service_rlogin_disabled.xml b/RHEL6/input/checks/service_rlogin_disabled.xml index 6318c9a..ed95c27 100644 --- a/RHEL6/input/checks/service_rlogin_disabled.xml +++ b/RHEL6/input/checks/service_rlogin_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rlogin service should be disabled if possible.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rlogin is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" />
diff --git a/RHEL6/input/checks/service_rsh_disabled.xml b/RHEL6/input/checks/service_rsh_disabled.xml index 71bc9ff..54e9136 100644 --- a/RHEL6/input/checks/service_rsh_disabled.xml +++ b/RHEL6/input/checks/service_rsh_disabled.xml @@ -6,6 +6,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The rsh service should be disabled if possible.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package rsh-server removed or service rsh is not configured to start" operator="OR"> <extend_definition comment="rpm package rsh-server removed" definition_ref="package_rsh-server_removed" />
diff --git a/RHEL6/input/checks/service_telnetd_disabled.xml b/RHEL6/input/checks/service_telnetd_disabled.xml index b02fe67..095f7ad 100644 --- a/RHEL6/input/checks/service_telnetd_disabled.xml +++ b/RHEL6/input/checks/service_telnetd_disabled.xml @@ -7,6 +7,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>Disable telnet Service</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata> <criteria comment="package telnet-server removed or service telnetd is not configured to start" operator="OR"> <extend_definition comment="rpm package telnet-server removed" definition_ref="package_telnet-server_removed" />
diff --git a/RHEL6/input/checks/service_xinetd_disabled.xml b/RHEL6/input/checks/service_xinetd_disabled.xml index 24ad0ef..c162e23 100644 --- a/RHEL6/input/checks/service_xinetd_disabled.xml +++ b/RHEL6/input/checks/service_xinetd_disabled.xml @@ -8,6 +8,7 @@ <platform>Red Hat Enterprise Linux 6</platform> </affected> <description>The xinetd service should be disabled if possible.</description>
<reference source="DS" ref_id="20131018" ref_url="test_attestation" /> </metadata>
<criteria comment="package xinetd removed or service xinetd is not configured to start" operator="OR"> <extend_definition comment="xinetd removed" definition_ref="package_xinetd_removed" />
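Review bot: The <reference source="DS" ref_id="20131018" ref_url="test_attestation" /> line in this hunk, and the identical line in the six check files before it, puts the string test_attestation in ref_url, which is not a URL, and nothing in the patch explains what source="DS" or the date-like ref_id stand for. Suggest documenting the attestation convention (who attested, what was tested, how ref_id is formed) in the commit message or the contributor documentation, so that consumers of the check metadata can interpret the entry and later attestations stay consistent.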
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 41ee480..1792120 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -77,7 +77,7 @@ actively working to migrate to a more secure protocol.</description>
<description> <service-disable-macro service="telnet" /> </description> -<ocil><service-disable-check-macro service="telnet" /></ocil> +<ocil><xinetd-service-disable-check-macro service="telnet" /></ocil> <rationale> The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and @@ -139,7 +139,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rexec" /> </description> -<ocil><service-disable-check-macro service="rexec" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rexec" /></ocil> <rationale>The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -158,7 +158,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rsh" /> </description> -<ocil><service-disable-check-macro service="rsh" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rsh" /></ocil> <rationale>The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be @@ -177,7 +177,7 @@ the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. <service-disable-macro service="rlogin" /> </description> -<ocil><service-disable-check-macro service="rlogin" /></ocil> +<ocil><xinetd-service-disable-check-macro service="rlogin" /></ocil> <rationale>The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be
ack, noting that patch 2 is now irrelevant (good find)
scap-security-guide@lists.fedorahosted.org