Signed-off-by: David Smith <dsmith(a)eclipse.ncsc.mil>
---
RHEL6/input/services/ldap.xml | 46 ++++++++++++++++++------------------
RHEL6/input/services/mail.xml | 28 +++++++++++-----------
RHEL6/input/services/ntp.xml | 4 +-
RHEL6/input/services/obsolete.xml | 10 ++++----
4 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml
index 81cbddf..5295cdb 100644
--- a/RHEL6/input/services/ldap.xml
+++ b/RHEL6/input/services/ldap.xml
@@ -28,12 +28,12 @@ network.</warning>
<Rule id="ldap_client_start_tls" severity="medium">
<title>Configure LDAP to Use TLS For All Transactions</title>
<description>Configure LDAP to enforce TLS use. First, edit the file
-<tt>/etc/pam_ldap.conf</tt>, and add or correct the following lines.
+<tt>/etc/pam_ldap.conf</tt>, and add or correct the following lines:
<pre>ssl start_tls</pre>
Then review the LDAP server and ensure TLS has been configured.
</description>
<ocil clause="no lines are returned">
-To ensure LDAP is configured to use TLS for all transactions, run the following command.
+To ensure LDAP is configured to use TLS for all transactions, run the following command:
<pre>$ grep start_tls /etc/pam_ldap.conf</pre>
</ocil>
<rationale>The ssl directive specifies whether to use ssl or not. If
@@ -50,14 +50,14 @@ than doing LDAP over SSL.</rationale>
<description>Ensure a copy of the site's CA certificate has been placed in
the file <tt>/etc/pki/tls/CA/cacert.pem</tt>. Configure LDAP to enforce TLS
use and to trust certificates signed by the site's CA. First, edit the file
-<tt>/etc/pam_ldap.conf</tt>, and add or correct either of the following
lines.
+<tt>/etc/pam_ldap.conf</tt>, and add or correct either of the following
lines:
<pre>tls_cacertdir /etc/pki/tls/CA</pre>
or
<pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre>
Then review the LDAP server and ensure TLS has been configured.
</description>
<ocil clause="there is no output, or the lines are commented out">
-To ensure TLS is configured with trust certificates, run the following command.
+To ensure TLS is configured with trust certificates, run the following command:
<pre># grep cert /etc/pam_ldap.conf</pre>
</ocil>
<rationale>The tls_cacertdir or tls_cacertfile directives are required when
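Review bot: the OCIL command in this hunk uses a root prompt, `# grep cert /etc/pam_ldap.conf`, while the otherwise identical check in the previous hunk uses `$ grep start_tls /etc/pam_ldap.conf`; since the same file is read in both cases, use one prompt style (the unprivileged `$` form is sufficient if the file is readable) so the two checks do not suggest different privilege requirements.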
@@ -93,7 +93,7 @@ intended for use as an LDAP Server it should be removed.
</description>
<ocil clause="it does not">
To verify the <tt>openldap-servers</tt> package is not installed,
-run the following command.
+run the following command:
<pre>$ rpm -q openldap-servers</pre>
The output should show the following.
<pre>package openldap-servers is not installed</pre>
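Review bot: "The output should show the following." directly precedes a `<pre>` block but was not changed to end in a colon, unlike "run the following command:" two lines above it in this same hunk; for consistency with the rest of the patch it should read "The output should show the following:".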
@@ -130,7 +130,7 @@ ensure that the configuration files are protected from unauthorized
access or modification.
<br /><br />
Edit the ldap configuration file at
<tt>/etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</tt>.
-Ensure that the configuration file has reasonable permissions.
+Ensure that the configuration file has reasonable permissions:
<pre># chown root:ldap /etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif
# chmod 640 /etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</pre>
Protect configuration files containing the hashed password the same way you would protect
other files, such as
@@ -146,14 +146,14 @@ Protect configuration files containing the hashed password the same
way you woul
<description>Is this system an OpenLDAP server? If so,
ensure that the RootDN uses a secure password.
<br /><br />
-Generate a hashed password using the slappasswd utility.
+Generate a hashed password using the slappasswd utility:
<pre># slappasswd
New password:
Re-enter new password:</pre>
This will output a hashed password string.
<br /><br />
Edit the file
<tt>/etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</tt>, and add or
correct
-the line.
+the line:
<pre>olcRootPW: {SSHA}hashed-password-string</pre>
Be sure to select a secure password for the LDAP root user, since this user has
permission to read and write all
LDAP data, so a compromise of the LDAP root password will probably enable a full
compromise of your site.
@@ -171,18 +171,18 @@ In addition, be sure to use a reasonably strong hash function. The
default hash
# chown root:root /etc/pki/tls/ldap
# chmod 755 /etc/pki/tls/ldap</pre>
Using removable media or some other secure transmission format, install the files
generated in the previous
-step onto the LDAP server.
+step onto the LDAP server:
<ul>
<li><tt>/etc/pki/tls/ldap/serverkey.pem</tt>: the private key
<tt>ldapserverkey.pem</tt></li>
<li><tt>/etc/pki/tls/ldap/servercert.pem</tt>: the certificate file
<tt>ldapservercert.pem</tt></li>
</ul>
-Verify the ownership and permissions of these files.
+Verify the ownership and permissions of these files:
<pre># chown root:ldap /etc/pki/tls/ldap/serverkey.pem
# chown root:ldap /etc/pki/tls/ldap/servercert.pem
# chmod 640 /etc/pki/tls/ldap/serverkey.pem
# chmod 640 /etc/pki/tls/ldap/servercert.pem</pre>
Verify that the CA's public certificate file has been installed as
<tt>/etc/pki/tls/CA/cacert.pem</tt>, and has the
-correct permissions.
+correct permissions:
<pre># mkdir /etc/pki/tls/CA
# chown root:root /etc/pki/tls/CA/cacert.pem
# chmod 644 /etc/pki/tls/CA/cacert.pem</pre>
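Review bot: the `# mkdir /etc/pki/tls/CA` command sits under "Verify that the CA's public certificate file has been installed ... and has the correct permissions:", but creating the directory is not a verification step, and it will fail with an error if the directory already exists, which it must if cacert.pem was installed there; the corresponding text in mail.xml (later in this patch) lists only the `chown` and `chmod` lines. Either drop the `mkdir` here or move it into the install step that precedes it.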
@@ -209,7 +209,7 @@ LDAP server process would need to be restarted manually whenever the
server rebo
<Group id="ldap_server_config_directory_domain">
<title>Create Top-level LDAP Structure for Domain</title>
-<description>Create a structure for the domain itself with at least the following
attributes.
+<description>Create a structure for the domain itself with at least the following
attributes:
<pre>dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
@@ -225,7 +225,7 @@ any other entries for the domain.
<Group id="ldap_server_config_directory_users_groups">
<title>Create LDAP Structures for Users and Groups</title>
-<description>Create LDAP structures for people (users) and for groups with at least
the following attributes.
+<description>Create LDAP structures for people (users) and for groups with at least
the following attributes:
<pre>dn: ou=people,dc=example,dc=com
ou: people
structuralObjectClass: organizationalUnit
@@ -245,7 +245,7 @@ These organizational units are used to identify the two categories
within LDAP.
<Group id="ldap_server_config_directory_accounts">
<title>Create Unix Accounts</title>
<description>For each Unix user, create an LDAP entry with at least the following
attributes (others may be appropriate
-for your site as well), using variable values appropriate to that user.
+for your site as well), using variable values appropriate to that user:
<pre>dn: uid=username ,ou=people,dc=example,dc=com
structuralObjectClass: inetOrgPerson
objectClass: inetOrgPerson
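Review bot: the DN in the `<pre>` block, `dn: uid=username ,ou=people,dc=example,dc=com`, has a stray space before the comma; the same space appears in `cn=groupname ,ou=groups,...` and `cn=admins ,ou=groups,...` in the later hunks of this file. Since these descriptions are being touched anyway, remove the space so the examples show well-formed DNs.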
@@ -274,7 +274,7 @@ but only for user accounts which are to be shared across machines, and
which hav
<Group id="ldap_server_config_directory_groups">
<title>Create Unix Groups</title>
-<description>For each Unix group, create an LDAP entry with at least the following
attributes.
+<description>For each Unix group, create an LDAP entry with at least the following
attributes:
<pre>dn: cn=groupname ,ou=groups,dc=example,dc=com
cn: groupname
structuralObjectClass: posixGroup
@@ -298,7 +298,7 @@ or which are shared across systems.
<Group id="ldap_server_config_directory_admin_group">
<title>Create Groups to Administer LDAP</title>
<description>If a group of LDAP administrators is desired, that group must be
created somewhat differently.
-The specification should have these attributes.
+The specification should have these attributes:
<pre>dn: cn=admins ,ou=groups,dc=example,dc=com
cn: admins
structuralObjectClass: groupOfUniqueNames
@@ -320,9 +320,9 @@ auditing and error detection, it is recommended that LDAP
administrators have un
<Rule id="ldap_server_config_olcaccess">
<title>Configure slapd to Protect Authentication Information</title>
-<description>Use ldapmodify to add these entries to the database. Add or correct
the following access specifications.
+<description>Use ldapmodify to add these entries to the database. Add or correct
the following access specifications:
1. Protect the user's password by allowing the user himself or the LDAP
administrators to change it,
-allowing the anonymous user to authenticate against it, and allowing no other access.
+allowing the anonymous user to authenticate against it, and allowing no other access:
<pre>olcAccess: to attrs=userPassword
by self write
by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com
" write
@@ -332,7 +332,7 @@ olcAccess: to attrs=shadowLastChange
by self write
by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com
" write
by * read</pre>
-2. Allow anyone to read other information, and allow the administrators to change it.
+2. Allow anyone to read other information, and allow the administrators to change it:
<pre>olcAccess: to *
by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com
" write
by * read</pre>
@@ -363,7 +363,7 @@ permissions. This will prevent slapd from starting correctly.
<Rule id="iptables_ldap_enabled">
<title>Configure iptables to Allow Access to the LDAP Server</title>
<description>Determine an appropriate network block representing the machines on
-your network which will synchronize to this server.
+your network which will synchronize to this server:
<iptables-desc-macro net="true" proto="tcp" port="389"
/>
<iptables-desc-macro net="true" proto="tcp" port="636"
/>
The default Iptables configuration does not allow inbound access to any
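Review bot: the rewritten sentence "machines on your network which will synchronize to this server:" describes clients of an NTP server, not an LDAP server; the wording appears to have been carried over from the NTP rule. For an LDAP server the network block should be the machines "which will query (or authenticate against) this server".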
@@ -384,10 +384,10 @@ by connecting to the primary port and issuing the STARTTLS command.
<title>Configure Logging for LDAP</title>
<description>
<ol>
-<li>Add or correct the fillowing line within
<tt>/etc/rsyslog.conf</tt>.
+<li>Add or correct the fillowing line within
<tt>/etc/rsyslog.conf</tt>:
<pre>local4.*</pre>
</li>
-<li>Create the log file with safe permissions.
+<li>Create the log file with safe permissions:
<pre># touch /var/log/ldap.log
# chown root:root /var/log/ldap.log
# chmod 0600 /var/log/ldap.log</pre>
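Review bot: the typo "fillowing" is carried unchanged into the `+` line; since the line is being rewritten, correct it to "following". Also, the rsyslog line shown, `local4.*`, is only a selector with no action; an rsyslog rule needs a destination after the selector, and step 2 of this list creates `/var/log/ldap.log` for exactly that purpose, so the example should read `local4.* /var/log/ldap.log`.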
@@ -396,7 +396,7 @@ by connecting to the primary port and issuing the STARTTLS command.
<pre>/var/log/ldap.log</pre>
to the space-separated list in the first line.</li>
<li>Edit the LDAP configuration file /etc/openldap/slapd.conf and set a reasonable
set of default log
-parameters, such as the following.
+parameters, such as the following:
<pre>loglevel stats2</pre>
</li>
</ol>
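Review bot: step 4 tells the reader to edit `/etc/openldap/slapd.conf` and set `loglevel stats2`, but the earlier rules in this same file (the olcRootPW and permissions rules) configure slapd through `/etc/openldap/slapd.d/cn=config/...`, the cn=config layout in which the equivalent setting is the `olcLogLevel` attribute. Pick one configuration style for the file, or state that the `slapd.conf` form applies only where that legacy layout is in use.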
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml
index 4136da7..b0f2bb8 100644
--- a/RHEL6/input/services/mail.xml
+++ b/RHEL6/input/services/mail.xml
@@ -71,11 +71,11 @@ e-mail configuration.</description>
<title>Disable Postfix Network Listening</title>
<description>
Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the
following
-<tt>inet_interfaces</tt> line appears.
+<tt>inet_interfaces</tt> line appears:
<pre>inet_interfaces = localhost</pre>
</description>
<ocil clause="it does not">
-Run the following command to ensure postfix accepts mail messages from only the local
system.
+Run the following command to ensure postfix accepts mail messages from only the local
system:
<pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
If properly configured, the output should show only <tt>localhost</tt>.
</ocil>
@@ -146,12 +146,12 @@ that access, while keeping other ports on the server in their
default protected
<Rule id="postfix_logging">
<title>Verify System Logging and Log Permissions for Mail</title>
-<description>Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct
the following line if necessary (this is the default).
+<description>Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct
the following line if necessary (this is the default):
<pre>mail.* -/var/log/maillog</pre>
Run the following commands to ensure correct permissions on the mail log:
<pre># chown root:root /var/log/maillog
# chmod 600 /var/log/maillog</pre>
-Ensure log will be rotated as appropriate by adding or correcting the following line if
needed into the list on the first line of <tt>/etc/logrotate.d/syslog</tt>
(this is the default).
+Ensure log will be rotated as appropriate by adding or correcting the following line if
needed into the list on the first line of <tt>/etc/logrotate.d/syslog</tt>
(this is the default):
<pre>/var/log/maillog</pre>
</description>
<!-- <ident cce="TODO:CCE" /> -->
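Review bot: the rewritten sentence "Ensure log will be rotated as appropriate by adding or correcting the following line if needed into the list on the first line of ..." is missing an article and reads awkwardly; since the line is being changed, suggest "Ensure the log will be rotated as appropriate by adding the following entry, if needed, to the list on the first line of `/etc/logrotate.d/syslog` (this is the default):".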
@@ -195,21 +195,21 @@ purpose.</warning>
<Rule id="postfix_install_ssl_cert">
<title>Install the SSL Certificate</title>
-<description>Create the PKI directory for mail certificates, if it does not already
exist.
+<description>Create the PKI directory for mail certificates, if it does not already
exist:
<pre># mkdir /etc/pki/tls/mail
# chown root:root /etc/pki/tls/mail
# chmod 755 /etc/pki/tls/mail</pre>
Using removable media or some other secure transmission format, install the files
generated in the previous
-step onto the mail server.
+step onto the mail server:
<pre>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</pre>
-Verify the ownership and permissions of these files.
+Verify the ownership and permissions of these files:
<pre># chown root:root /etc/pki/tls/mail/serverkey.pem
# chown root:root /etc/pki/tls/mail/servercert.pem
# chmod 600 /etc/pki/tls/mail/serverkey.pem
# chmod 644 /etc/pki/tls/mail/servercert.pem</pre>
Verify that the CA's public certificate file has been installed as
<tt>/etc/pki/tls/CA/cacert.pem</tt>, and has the
-correct permissions.
+correct permissions:
<pre># chown root:root /etc/pki/tls/CA/cacert.pem
# chmod 644 /etc/pki/tls/CA/cacert.pem</pre>
</description>
@@ -229,7 +229,7 @@ correct permissions.
<Rule id="postfix_server_denial_of_service">
<title>Limit Denial of Service Attacks</title>
-<description>Edit <tt>/etc/postfix/main.cf</tt>. Add or correct the
following lines.
+<description>Edit <tt>/etc/postfix/main.cf</tt>. Add or correct the
following lines:
<pre>default_process_limit = 100
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
@@ -259,7 +259,7 @@ typical at your site, look in <tt>/var/log/maillog</tt>
for lines with the daemo
<Rule id="postfix_server_banner" severity="medium">
<title>Configure SMTP Greeting Banner</title>
<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the
following line, substituting some other wording for the
-banner information if you prefer.
+banner information if you prefer:
<pre>smtpd_banner = $myhostname ESMTP</pre>
</description>
<rationale>The default greeting banner discloses that the listening mail process is
Postfix.
@@ -287,7 +287,7 @@ with SSL support.
<Rule id="postfix_server_mail_relay_set_trusted_networks">
<title>Configure Trusted Networks and Hosts</title>
<description>Edit <tt>/etc/postfix/main.cf</tt>, and configure the
contents of the <tt>mynetworks</tt> variable in one of the following
-ways.
+ways:
<ul>
<li>If any machine in the subnet containing the MTA may be trusted to relay
messages, add or correct the following line.
<pre>mynetworks_style = subnet</pre></li>
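Review bot: the first `<li>` in the list, "add or correct the following line." immediately followed by `<pre>mynetworks_style = subnet</pre>`, keeps the trailing period that this patch replaces with a colon everywhere else; change it (and any sibling `<li>` items in this list) to "the following line:" for consistency.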
@@ -312,7 +312,7 @@ mail.
<Rule id="postfix_server_mail_relay_for_trusted_networks">
<title>Allow Unlimited Relaying for Trusted Networks Only</title>
<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the
<tt>smtpd_recipient_restrictions</tt> definition so that it
-contains at least.
+contains at least:
<pre>smtpd_recipient_restrictions =
...
permit_mynetworks,
@@ -338,7 +338,7 @@ This section describes how to configure authentication using the
Cyrus-SASL impl
discussion of other options.
<br /><br />
To enable the use of SASL authentication, edit <tt>/etc/postfix/main.cf</tt>
and add or correct the following
-settings.
+settings:
<pre>smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
...
@@ -373,7 +373,7 @@ work via PAM, look at the <tt>saslauthd(8)</tt> manpage to
find out how to confi
<Rule id="postfix_server_mail_relay_require_tls_for_smtp_auth">
<title>Require TLS for SMTP AUTH</title>
-<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the
following lines.
+<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the
following lines:
<pre>smtpd_tls_CApath = /etc/pki/tls/CA
smtpd_tls_CAfile = /etc/pki/tls/CA/cacert.pem
smtpd_tls_cert_file = /etc/pki/tls/mail/servercert.pem
diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml
index 2e593d9..606ad67 100644
--- a/RHEL6/input/services/ntp.xml
+++ b/RHEL6/input/services/ntp.xml
@@ -64,7 +64,7 @@ data.
A remote NTP server should be configured for time synchronization. To verify
one is configured, open the following file.
<pre>/etc/ntp.conf</pre>
-In the file, there should be a section similar to the following.
+In the file, there should be a section similar to the following:
<pre># --- OUR TIMESERVERS -----
server <i>ntpserver</i></pre>
</ocil>
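Review bot: "To verify one is configured, open the following file." precedes `<pre>/etc/ntp.conf</pre>` but keeps its period, while the sentence two lines below it in the same hunk is changed to end in a colon; for consistency it should read "open the following file:".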
@@ -84,7 +84,7 @@ recommended.</rationale>
<description>Additional NTP servers can be specified for time synchronization
in the file <tt>/etc/ntp.conf</tt>. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
-<em>ntpserver</em>.
+<em>ntpserver</em>:
<pre>server <i>ntpserver</i></pre>
</description>
<rationale>Specifying additional NTP servers increases the availability of
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index 4542b52..c7b4431 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -44,7 +44,7 @@ attacks against xinetd itself.
<Rule id="uninstall_xinetd">
<title>Uninstall xinetd Package</title>
-<description>The <tt>xinetd</tt> package can be uninstalled with the
following command.
+<description>The <tt>xinetd</tt> package can be uninstalled with the
following command:
<pre># yum erase xinetd</pre>
</description>
<ocil><package-check-macro package="xinetd" /> </ocil>
@@ -88,7 +88,7 @@ subject to man-in-the-middle attacks.
<Rule id="uninstall_telnet_server" severity="high">
<title>Uninstall telnet-server Package</title>
<description>The <tt>telnet-server</tt> package can be uninstalled
with
-the following command.
+the following command:
<pre># yum erase telnet-server</pre></description>
<ocil><package-check-macro package="telnet-server" />
</ocil>
<rationale>
@@ -113,7 +113,7 @@ model.</description>
<Rule id="uninstall_rsh-server" severity="high">
<title>Uninstall rsh-server Package</title>
<description>The <tt>rsh-server</tt> package can be uninstalled with
-the following command.
+the following command:
<pre># yum erase rsh-server</pre>
</description>
<ocil><package-check-macro package="rsh-server" /> </ocil>
@@ -221,7 +221,7 @@ important authentication information.</description>
<Rule id="uninstall_ypserv" severity="medium">
<title>Uninstall ypserv Package</title>
<description>The <tt>ypserv</tt> package can be uninstalled with
-the following command.
+the following command:
<pre># yum erase ypserv</pre>
</description>
<ocil><package-check-macro package="ypserv" /> </ocil>
@@ -302,7 +302,7 @@ accidental (or intentional) activation of tftp services.
<description>If running the <tt>tftp</tt> service is necessary, it
should be configured
to change its root directory at startup. To do so, ensure
<tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command
line argument, as shown in
-the following example (which is also the default).
+the following example (which is also the default):
<pre>server_args = -s /var/lib/tftpboot</pre>
</description>
<rationale>Using the <tt>-s</tt> option causes the TFTP service to only
serve files from the
--
1.7.1