Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/checks/accounts_no_empty_passwords.xml | 22 -----
.../input/checks/audit_rules_record_timechange.xml | 65 -------------
.../console_device_restrict_access_desktop.xml | 41 --------
.../checks/file_permissions_ldap_server_bdb.xml | 39 --------
.../ldap_server_config_certificate_usage.xml | 78 ---------------
RHEL6/input/checks/package_certmonger_removed.xml | 25 -----
RHEL6/input/checks/package_irda-utils_removed.xml | 25 -----
RHEL6/input/checks/package_openldap_removed.xml | 25 -----
RHEL6/input/checks/package_rpcbind_removed.xml | 25 -----
RHEL6/input/checks/service_rpcbind_disabled.xml | 99 --------------------
RHEL6/input/checks/templates/packages_removed.csv | 2 -
RHEL6/input/checks/templates/services_disabled.csv | 1 -
RHEL6/input/checks/wireless_disable_drivers.xml | 26 -----
RHEL6/input/profiles/common.xml | 1 -
RHEL6/input/profiles/desktop.xml | 1 -
RHEL6/input/profiles/usgcb-rhel6-server.xml | 1 -
RHEL6/input/system/network/wireless.xml | 19 +----
17 files changed, 1 insertions(+), 494 deletions(-)
delete mode 100644 RHEL6/input/checks/accounts_no_empty_passwords.xml
delete mode 100644 RHEL6/input/checks/audit_rules_record_timechange.xml
delete mode 100644 RHEL6/input/checks/console_device_restrict_access_desktop.xml
delete mode 100644 RHEL6/input/checks/file_permissions_ldap_server_bdb.xml
delete mode 100644 RHEL6/input/checks/ldap_server_config_certificate_usage.xml
delete mode 100644 RHEL6/input/checks/package_certmonger_removed.xml
delete mode 100644 RHEL6/input/checks/package_irda-utils_removed.xml
delete mode 100644 RHEL6/input/checks/package_openldap_removed.xml
delete mode 100644 RHEL6/input/checks/package_rpcbind_removed.xml
delete mode 100644 RHEL6/input/checks/service_rpcbind_disabled.xml
delete mode 100644 RHEL6/input/checks/wireless_disable_drivers.xml
diff --git a/RHEL6/input/checks/accounts_no_empty_passwords.xml
b/RHEL6/input/checks/accounts_no_empty_passwords.xml
deleted file mode 100644
index b79e4ca..0000000
--- a/RHEL6/input/checks/accounts_no_empty_passwords.xml
+++ /dev/null
@@ -1,22 +0,0 @@
-<def-group>
- <definition class="compliance" id="accounts_no_empty_passwords"
version="1">
- <metadata>
- <title>No Accounts With Empty Passwords</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The file /etc/shadow should not contain users that do not have a
password set.</description>
- </metadata>
- <criteria>
- <criterion comment="all accounts in /etc/shadow should be locked or
password protected" test_ref="test_etc_shadow_empty_pass" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all"
check_existence="none_exist" comment="all accounts in /etc/shadow should be
locked or password protected" id="test_etc_shadow_empty_pass"
version="1">
- <ind:object object_ref="object_etc_shadow_empty_password" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_etc_shadow_empty_password"
version="1">
- <ind:filepath>/etc/shadow</ind:filepath>
- <ind:pattern operation="pattern match">^[-\w]+::</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/audit_rules_record_timechange.xml
b/RHEL6/input/checks/audit_rules_record_timechange.xml
deleted file mode 100644
index bc0a251..0000000
--- a/RHEL6/input/checks/audit_rules_record_timechange.xml
+++ /dev/null
@@ -1,65 +0,0 @@
-<def-group>
- <definition class="compliance"
id="audit_rules_record_timechange" version="1">
- <metadata>
- <title>Records Events that Modify Date and Time Information</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Audit rules about time are enabled</description>
- </metadata>
- <criteria operator="OR">
- <criteria operator="AND">
- <criterion comment="32 bit architecture"
test_ref="test_audit_rules_record_timechange_32_bit" />
- <criterion comment="audit /etc/localtime"
test_ref="test_audit_rules_record_timechange_etc_localtime" />
- <criterion comment="32 bit syscalls"
test_ref="test_audit_rules_record_timechange_32_bit_syscalls" />
- </criteria>
- <criteria operator="AND">
- <criterion comment="64 bit architecture"
test_ref="test_audit_rules_record_timechange_64_bit" />
- <criterion comment="audit /etc/localtime"
test_ref="test_audit_rules_record_timechange_etc_localtime" />
- <criterion comment="64 bit syscalls"
test_ref="test_audit_rules_record_timechange_64_bit_syscalls" />
- </criteria>
- </criteria>
- </definition>
- <unix:uname_test check="all" comment="32 bit architecture"
id="test_audit_rules_record_timechange_32_bit" version="1">
- <unix:object object_ref="object_audit_rules_record_timechange_32_bit"
/>
- <unix:state state_ref="state_audit_rules_record_timechange_32_bit"
/>
- </unix:uname_test>
- <unix:uname_object comment="32 bit architecture"
id="object_audit_rules_record_timechange_32_bit" version="1">
- </unix:uname_object>
- <unix:uname_state comment="32 bit architecture"
id="state_audit_rules_record_timechange_32_bit" version="1">
- <unix:processor_type
operation="equals">i686</unix:processor_type>
- </unix:uname_state>
- <unix:uname_test check="all" comment="64 bit architecture"
id="test_audit_rules_record_timechange_64_bit" version="1">
- <unix:object object_ref="object_audit_rules_record_timechange_64_bit"
/>
- <unix:state state_ref="state_audit_rules_record_timechange_64_bit"
/>
- </unix:uname_test>
- <unix:uname_object comment="64 bit architecture"
id="object_audit_rules_record_timechange_64_bit" version="1">
- </unix:uname_object>
- <unix:uname_state comment="64 bit architecture"
id="state_audit_rules_record_timechange_64_bit" version="1">
- <unix:processor_type
operation="equals">x86_64</unix:processor_type>
- </unix:uname_state>
- <ind:textfilecontent54_test check="all" comment="32 bit
syscalls" id="test_audit_rules_record_timechange_32_bit_syscalls"
version="1">
- <ind:object
object_ref="object_audit_rules_record_timechange_32_bit_syscalls" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="object_audit_rules_record_timechange_32_bit_syscalls"
version="1">
- <ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern
match">^\-a\s+always,exit\s+\-F\s+arch=b32\s+\-S\s+adjtimex\s+\-S\s+settimeofday\s+\-S\s+stime\s+\-S\s+clock_settime\s+\-k\s+[-\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="64 bit
syscalls" id="test_audit_rules_record_timechange_64_bit_syscalls"
version="1">
- <ind:object
object_ref="object_audit_rules_record_timechange_64_bit_syscalls" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="object_audit_rules_record_timechange_64_bit_syscalls"
version="1">
- <ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern
match">^\-a\s+always,exit\s+\-F\s+arch=b64\s+\-S\s+adjtimex\s+\-S\s+settimeofday\s+\-S\s+clock_settime\s+\-k\s+[-\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" comment="audit
/etc/localtime" id="test_audit_rules_record_timechange_etc_localtime"
version="1">
- <ind:object
object_ref="object_audit_rules_record_timechange_etc_localtime" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="object_audit_rules_record_timechange_etc_localtime"
version="1">
- <ind:filepath>/etc/audit/audit.rules</ind:filepath>
- <ind:pattern operation="pattern
match">^\-w\s+/etc/localtime\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/console_device_restrict_access_desktop.xml
b/RHEL6/input/checks/console_device_restrict_access_desktop.xml
deleted file mode 100644
index b77fa1a..0000000
--- a/RHEL6/input/checks/console_device_restrict_access_desktop.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="console_device_restrict_access_desktop" version="1">
- <metadata>
- <title>Restrict Console Device Access - Desktop</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Prevent remote users from gaining access to devices and
restricted applications on the machine.</description>
- </metadata>
- <criteria operator="AND">
- <criterion comment="Restrict access - console"
test_ref="test_console_device_restrict_access_desktop_console" />
- <criterion comment="Restrict access - xconsole"
test_ref="test_console_device_restrict_access_desktop_xconsole" />
- </criteria>
- </definition>
-
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Restrict access to the console, testing that console is set to
tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0"
- id="test_console_device_restrict_access_desktop_console"
version="1">
- <ind:object
object_ref="obj_console_device_restrict_access_desktop_console" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_console_device_restrict_access_desktop_console"
version="1">
- <ind:path>/etc/security</ind:path>
- <ind:filename>console.perms</ind:filename>
- <ind:pattern operation="pattern
match">^.console.=tty\[0-9\]\[0-9\]\*\s+vc\/\[0-9\]\[0-9\]\*\s+:0\\.\[0-9\]\s+:0\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_test check="all"
check_existence="all_exist"
- comment="Restrict access - xconsole, testing that xconsole is set to :0\.[0-9]
:0"
- id="test_console_device_restrict_access_desktop_xconsole"
version="1">
- <ind:object
object_ref="obj_console_device_restrict_access_desktop_xconsole" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object
id="obj_console_device_restrict_access_desktop_xconsole"
version="1">
- <ind:path>/etc/security</ind:path>
- <ind:filename>console.perms</ind:filename>
- <ind:pattern operation="pattern
match">^.xconsole.=:0\\.\[0-9\]\s+:0\s*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
-</def-group>
diff --git a/RHEL6/input/checks/file_permissions_ldap_server_bdb.xml
b/RHEL6/input/checks/file_permissions_ldap_server_bdb.xml
deleted file mode 100644
index bfa837e..0000000
--- a/RHEL6/input/checks/file_permissions_ldap_server_bdb.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="file_permissions_ldap_server_bdb" version="1">
- <metadata>
- <title>Verify Permissions on LDAP Server Configuration Files</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>File permissions for
/etc/openldap/slapd.d/cn=config/olcDatabase=*bdb.ldif should be set
- correctly.</description>
- </metadata>
- <criteria>
- <criterion test_ref="test_20139" />
- </criteria>
- </definition>
- <unix:file_test check="all" check_existence="all_exist"
- comment="Testing /etc/openldap/slapd.d/cn=config/olcDatabase=*bdb.ldif
permissions"
- id="test_20139" version="1">
- <unix:object object_ref="obj_20139" />
- <unix:state state_ref="state_20139" />
- </unix:file_test>
- <unix:file_state id="state_20139"
- version="1">
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uwrite datatype="boolean">true</unix:uwrite>
- <unix:uexec datatype="boolean">false</unix:uexec>
- <unix:gread datatype="boolean">true</unix:gread>
- <unix:gwrite datatype="boolean">false</unix:gwrite>
- <unix:gexec datatype="boolean">false</unix:gexec>
- <unix:oread datatype="boolean">false</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- <unix:oexec datatype="boolean">false</unix:oexec>
- </unix:file_state>
- <unix:file_object
comment="/etc/openldap/slapd.d/cn=config/olcDatabase=*bdb.ldif"
- id="obj_20139" version="1">
- <unix:path>/etc/openldap/slapd.d/cn=config</unix:path>
- <unix:filename operation="pattern
match">olcDatabase=.*bdb.ldif</unix:filename>
- </unix:file_object>
-</def-group>
diff --git a/RHEL6/input/checks/ldap_server_config_certificate_usage.xml
b/RHEL6/input/checks/ldap_server_config_certificate_usage.xml
deleted file mode 100644
index 8ec7659..0000000
--- a/RHEL6/input/checks/ldap_server_config_certificate_usage.xml
+++ /dev/null
@@ -1,78 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="ldap_server_config_certificate_usage" version="1">
- <metadata>
- <title>LDAP Server Should Use Strong Encryption</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>If installed, LDAP server should be configured use strong
certificate based encryption using a CA Cert, Private Key, and Public
Cert.</description>
- </metadata>
- <criteria comment="If installed, LDAP server should be configured to use
strong encryption"
- operator="AND">
- <extend_definition comment="openldap server should only be present if it
fulfills an operational requirement"
- definition_ref="package_openldap-servers_installed" />
- <criterion test_ref="test_ldap_server_config_certificate_usage_ca"
/>
- <criterion test_ref="test_ldap_server_config_certificate_usage_cert"
/>
- <criterion test_ref="test_ldap_server_config_certificate_usage_key"
/>
- </criteria>
- </definition>
-
-
- <ind:textfilecontent54_test check="all"
- check_existence="all_exist"
- comment="Tests the value of the ^[\s]*olcTLSCACertificateFile[\s]*:[\s]*(.*)$
expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
- id="test_ldap_server_config_certificate_usage_ca" version="1">
- <ind:object object_ref="obj_ldap_server_config_certificate_usage_ca"
/>
- <ind:state state_ref="state_ldap_server_config_certificate_usage_ca"
/>
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state
id="state_ldap_server_config_certificate_usage_ca"
- version="1">
- <ind:subexpression
operation="equals">/etc/pki/tls/CA/cacert.pem</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object
id="obj_ldap_server_config_certificate_usage_ca"
- version="1">
- <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
- <ind:filename operation="pattern
match">olcDatabase.*bdb.ldif</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*olcTLSCACertificateFile[\s]*:[\s]*(.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_test check="all"
- check_existence="all_exist"
- comment="Tests the value of the ^[\s]*olcTLSCertificateFile[\s]*:[\s]*(.*)$
expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
- id="test_ldap_server_config_certificate_usage_cert"
version="1">
- <ind:object object_ref="obj_ldap_server_config_certificate_usage_cert"
/>
- <ind:state state_ref="state_ldap_server_config_certificate_usage_cert"
/>
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state
id="state_ldap_server_config_certificate_usage_cert"
- version="1">
- <ind:subexpression
operation="equals">/etc/pki/tls/ldap/servercert.pem</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object
id="obj_ldap_server_config_certificate_usage_cert"
- version="1">
- <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
- <ind:filename operation="pattern
match">olcDatabase.*bdb.ldif</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*olcTLSCertificateFile[\s]*:[\s]*(.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
- <ind:textfilecontent54_test check="all"
- check_existence="all_exist"
- comment="Tests the value of the ^[\s]*olcTLSCertificateKeyFile[\s]*:[\s]*(.*)$
expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
- id="test_ldap_server_config_certificate_usage_key" version="1">
- <ind:object object_ref="obj_ldap_server_config_certificate_usage_key"
/>
- <ind:state state_ref="state_ldap_server_config_certificate_usage_key"
/>
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state
id="state_ldap_server_config_certificate_usage_key"
- version="1">
- <ind:subexpression
operation="equals">/etc/pki/tls/ldap/serverkey.pem</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object
id="obj_ldap_server_config_certificate_usage_key"
- version="1">
- <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
- <ind:filename operation="pattern
match">olcDatabase.*bdb.ldif</ind:filename>
- <ind:pattern operation="pattern
match">^[\s]*olcTLSCertificateKeyFile[\s]*:[\s]*(.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_certmonger_removed.xml
b/RHEL6/input/checks/package_certmonger_removed.xml
deleted file mode 100644
index 4c3e0ff..0000000
--- a/RHEL6/input/checks/package_certmonger_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_certmonger_removed"
- version="1">
- <metadata>
- <title>Package certmonger Removed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The RPM package certmonger should be
removed.</description>
- </metadata>
- <criteria>
- <criterion comment="package certmonger is removed"
- test_ref="test_package_certmonger_removed" />
- </criteria>
- </definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_certmonger_removed" version="1"
- comment="package certmonger is removed">
- <linux:object object_ref="obj_package_certmonger_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_certmonger_removed"
version="1">
- <linux:name>certmonger</linux:name>
- </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_irda-utils_removed.xml
b/RHEL6/input/checks/package_irda-utils_removed.xml
deleted file mode 100644
index 5312e55..0000000
--- a/RHEL6/input/checks/package_irda-utils_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_irda-utils_removed"
- version="1">
- <metadata>
- <title>Package irda-utils Removed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The RPM package irda-utils should be
removed.</description>
- </metadata>
- <criteria>
- <criterion comment="package irda-utils is removed"
- test_ref="test_package_irda-utils_removed" />
- </criteria>
- </definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_irda-utils_removed" version="1"
- comment="package irda-utils is removed">
- <linux:object object_ref="obj_package_irda-utils_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_irda-utils_removed"
version="1">
- <linux:name>irda-utils</linux:name>
- </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_openldap_removed.xml
b/RHEL6/input/checks/package_openldap_removed.xml
deleted file mode 100644
index 187c747..0000000
--- a/RHEL6/input/checks/package_openldap_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_openldap_removed"
- version="1">
- <metadata>
- <title>Package openldap Removed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The RPM package openldap should be removed.</description>
- </metadata>
- <criteria>
- <criterion comment="package openldap is removed"
- test_ref="test_package_openldap_removed" />
- </criteria>
- </definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_openldap_removed" version="1"
- comment="package openldap is removed">
- <linux:object object_ref="obj_package_openldap_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_openldap_removed"
version="1">
- <linux:name>openldap</linux:name>
- </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/package_rpcbind_removed.xml
b/RHEL6/input/checks/package_rpcbind_removed.xml
deleted file mode 100644
index 97d6731..0000000
--- a/RHEL6/input/checks/package_rpcbind_removed.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_package_removed.py. DO NOT EDIT. -->
- <definition class="compliance" id="package_rpcbind_removed"
- version="1">
- <metadata>
- <title>Package rpcbind Removed</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The RPM package rpcbind should be removed.</description>
- </metadata>
- <criteria>
- <criterion comment="package rpcbind is removed"
- test_ref="test_package_rpcbind_removed" />
- </criteria>
- </definition>
- <linux:rpminfo_test check="all" check_existence="none_exist"
- id="test_package_rpcbind_removed" version="1"
- comment="package rpcbind is removed">
- <linux:object object_ref="obj_package_rpcbind_removed" />
- </linux:rpminfo_test>
- <linux:rpminfo_object id="obj_package_rpcbind_removed"
version="1">
- <linux:name>rpcbind</linux:name>
- </linux:rpminfo_object>
-</def-group>
diff --git a/RHEL6/input/checks/service_rpcbind_disabled.xml
b/RHEL6/input/checks/service_rpcbind_disabled.xml
deleted file mode 100644
index 5ccb0af..0000000
--- a/RHEL6/input/checks/service_rpcbind_disabled.xml
+++ /dev/null
@@ -1,99 +0,0 @@
-<def-group>
- <!-- THIS FILE IS GENERATED by create_services_disabled.py. DO NOT EDIT. -->
- <definition class="compliance" id="service_rpcbind_disabled"
- version="1">
- <metadata>
- <title>Service rpcbind Disabled</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>The rpcbind service should be disabled if
possible.</description>
- </metadata>
- <criteria comment="package rpcbind removed or service rpcbind is not
configured to start" operator="OR">
- <extend_definition comment="rpcbind removed"
definition_ref="package_rpcbind_removed" />
- <criteria operator="AND" comment="service rpcbind is not configured
to start">
- <criterion comment="rpcbind runlevel 0"
test_ref="test_runlevel0_rpcbind" />
- <criterion comment="rpcbind runlevel 1"
test_ref="test_runlevel1_rpcbind" />
- <criterion comment="rpcbind runlevel 2"
test_ref="test_runlevel2_rpcbind" />
- <criterion comment="rpcbind runlevel 3"
test_ref="test_runlevel3_rpcbind" />
- <criterion comment="rpcbind runlevel 4"
test_ref="test_runlevel4_rpcbind" />
- <criterion comment="rpcbind runlevel 5"
test_ref="test_runlevel5_rpcbind" />
- <criterion comment="rpcbind runlevel 6"
test_ref="test_runlevel6_rpcbind" />
- </criteria>
- </criteria>
- </definition>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel0_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel0_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel1_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel1_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel2_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel2_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel3_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel3_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel4_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel4_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel5_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel5_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_test check="all" check_existence="any_exist"
- comment="Runlevel test" id="test_runlevel6_rpcbind"
- version="2">
- <unix:object object_ref="obj_runlevel6_rpcbind" />
- <unix:state state_ref="state_service_rpcbind_off" />
- </unix:runlevel_test>
- <unix:runlevel_object id="obj_runlevel0_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">0</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel1_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">1</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel2_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">2</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel3_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">3</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel4_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">4</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel5_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">5</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_object id="obj_runlevel6_rpcbind"
version="1">
- <unix:service_name>rpcbind</unix:service_name>
- <unix:runlevel operation="equals">6</unix:runlevel>
- </unix:runlevel_object>
- <unix:runlevel_state comment="not configured to start"
id="state_service_rpcbind_off" version="1">
- <unix:start datatype="boolean">false</unix:start>
- <unix:kill datatype="boolean">true</unix:kill>
- </unix:runlevel_state>
-</def-group>
diff --git a/RHEL6/input/checks/templates/packages_removed.csv
b/RHEL6/input/checks/templates/packages_removed.csv
index a454d5e..9f95f6b 100644
--- a/RHEL6/input/checks/templates/packages_removed.csv
+++ b/RHEL6/input/checks/templates/packages_removed.csv
@@ -14,7 +14,6 @@ dovecot
hal
httpd
iputils
-irda-utils
isdn4k-utils
kexec-tools
libcgroup
@@ -22,7 +21,6 @@ mdadm
net-snmp
nfs-utils
oddjob
-openldap
openldap-servers
openssh-server
pam_ldap
diff --git a/RHEL6/input/checks/templates/services_disabled.csv
b/RHEL6/input/checks/templates/services_disabled.csv
index 0c25379..57f6c71 100644
--- a/RHEL6/input/checks/templates/services_disabled.csv
+++ b/RHEL6/input/checks/templates/services_disabled.csv
@@ -30,7 +30,6 @@ quota_nld,quota
rdisc,iputils
rhnsd,rhnsd
rhsmcertd,subscription-manager
-rpcbind,rpcbind
rpcgssd,nfs-utils
rpcidmapd,nfs-utils
rpcsvcgssd,nfs-utils
diff --git a/RHEL6/input/checks/wireless_disable_drivers.xml
b/RHEL6/input/checks/wireless_disable_drivers.xml
deleted file mode 100644
index 15d7ac6..0000000
--- a/RHEL6/input/checks/wireless_disable_drivers.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<def-group>
- <definition class="compliance" id="wireless_disable_drivers"
version="1">
- <metadata>
- <title>Disable Wireless Drivers</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <description>Removing the kernel drivers that provide support for wireless
Ethernet devices will prevent users from easily activating the devices.
-</description>
- </metadata>
- <criteria>
- <criterion comment="verify no wireless drivers by testing file
existence" test_ref="test_wireless_disable_drivers" />
- </criteria>
- </definition>
- <unix:file_test
xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix&...
- check="all" check_existence="none_exist"
- comment="verify no wireless drivers"
- id="test_wireless_disable_drivers" version="1">
- <unix:object object_ref="object_wireless_disable_drivers" />
- </unix:file_test>
- <unix:file_object comment="all local files"
- id="object_wireless_disable_drivers" version="1">
- <unix:path operation="pattern
match">^/lib/modules/.*/kernel/drivers/net/wireless</unix:path>
- <unix:filename operation="pattern match">.*</unix:filename>
- </unix:file_object>
-</def-group>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index 2a97ac7..3dc9f95 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
@@ -187,7 +187,6 @@ these should likely be moved out of common.
<select idref="service_rpcgssd_disabled" selected="true"/>
<select idref="service_rpcidmapd_disabled" selected="true"/>
<select idref="service_netfs_disabled" selected="true"/>
-<select idref="service_rpcbind_disabled" selected="true"/>
<select idref="service_nfs_disabled" selected="true"/>
<select idref="service_rpcsvcgssd_disabled" selected="true"/>
-->
diff --git a/RHEL6/input/profiles/desktop.xml b/RHEL6/input/profiles/desktop.xml
index e0e8c03..2cc3787 100644
--- a/RHEL6/input/profiles/desktop.xml
+++ b/RHEL6/input/profiles/desktop.xml
@@ -27,7 +27,6 @@
<select idref="service_rpcgssd_disabled" selected="true"/>
<select idref="service_rpcidmapd_disabled" selected="true"/>
<select idref="service_netfs_disabled" selected="true"/>
-<select idref="service_rpcbind_disabled" selected="true"/>
<select idref="disable_dhcp_server" selected="true"/>
<select idref="uninstall_dhcp_server" selected="true"/>
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml
b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index 8d89f10..dba2c95 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -245,7 +245,6 @@
<select idref="service_rpcidmapd_disabled" selected="true" />
<select idref="service_netfs_disabled" selected="true" />
<select idref="service_portreserve_disabled" selected="true"
/>
-<select idref="service_rpcbind_disabled" selected="true" />
<select idref="service_rpcsvcgssd_disabled" selected="true" />
<select idref="use_nodev_option_on_nfs_mounts" selected="true"
/>
<select idref="use_nosuid_option_on_nfs_mounts" selected="true"
/>
diff --git a/RHEL6/input/system/network/wireless.xml
b/RHEL6/input/system/network/wireless.xml
index fb4fc2f..cd16e8c 100644
--- a/RHEL6/input/system/network/wireless.xml
+++ b/RHEL6/input/system/network/wireless.xml
@@ -68,24 +68,7 @@ protocols which were not designed with security in mind.
<ref nist="AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85"
/>
<tested by="DS" on="20121025"/>
</Rule>
-<!--
-<Rule id="wireless_disable_drivers">
-<title>Disable Wireless Network Drivers</title>
-<description>Removing the kernel drivers that provide support for wireless
-Ethernet devices will prevent users from easily activating the devices. To
-remove the wireless drivers from the system:
-<pre># rm -r
/lib/modules/<i>kernelversion(s)</i>/kernel/drivers/net/wireless</pre>
-</description>
-<rationale>Removing the wireless kernel drivers makes it slightly more difficult
for
-an administrator or malware to activate a wireless interface, by introducing
-the need to install such a driver first.
-</rationale>
-<warning category="general">This command must also be repeated every time
the kernel is upgraded.</warning>
-<ident cce="27009-0" />
-<oval id="wireless_disable_drivers" />
-<ref nist="CM-7" disa="85" />
-</Rule>
--->
+
<Rule id="service_bluetooth_disabled" severity="medium">
<title>Disable Bluetooth Service</title>
<description>
--
1.7.1