Hi Jeff, ACK.
This is EXACTLY what I was talking to Shawn about a few weeks ago -
great job!
Looks good.
Thanks,
MM
On 09/13/2012 03:54 PM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/services/dns.xml | 1 +
RHEL6/input/services/obsolete.xml | 5 +++++
RHEL6/input/system/software/integrity.xml | 1 +
3 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml
index 717c3b7..4ee17bb 100644
--- a/RHEL6/input/services/dns.xml
+++ b/RHEL6/input/services/dns.xml
@@ -37,6 +37,7 @@ implementation flaws and should be disabled if possible.
run the following command:
<pre># yum erase bind</pre>
</description>
+<ocil><package-remove-macro package="package_bind_removed" />
</ocil>
<rationale>
If there is no need to make DNS server software available,
removing it provides a safeguard against its activation.
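Review bot: the added <ocil> line in this hunk passes package="package_bind_removed" to package-remove-macro, but the description just above it removes the package with "yum erase bind", and every other package-remove-macro call in this patch passes the bare package name (xinetd, telnet-server, rsh-server, ypserv, tftp-server). The value reads like a rule or check id rather than a package name. If the macro substitutes the attribute into the generated OCIL text, it would refer to a package that does not exist. Suggest package="bind" here.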
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml
index 91d7884..874d27e 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -45,6 +45,7 @@ attacks against xinetd itself.
<description>The <tt>xinetd</tt> package can be uninstalled with the
following command:
<pre># yum erase xinetd</pre>
</description>
+<ocil><package-remove-macro package="xinetd" /> </ocil>
<rationale>
Removing the <tt>xinetd</tt> package decreases the risk of the
xinetd service's accidental (or intentional) activation.
@@ -84,6 +85,7 @@ subject to man-in-the-middle attacks.
<description>The <tt>telnet-server</tt> package can be uninstalled
with
the following command:
<pre># yum erase telnet-server</pre></description>
+<ocil><package-remove-macro package="telnet-server" />
</ocil>
<rationale>
Removing the <tt>telnet-server</tt> package decreases the risk of the
telnet service's accidental (or intentional) activation.
@@ -107,6 +109,7 @@ model.</description>
the following command:
<pre># yum erase rsh-server</pre>
</description>
+<ocil><package-remove-macro package="rsh-server" /> </ocil>
<rationale>The <tt>rsh-server</tt> package provides several obsolete
and insecure
network services. Removing it
decreases the risk of those services' accidental (or intentional)
@@ -197,6 +200,7 @@ important authentication information.</description>
the following command:
<pre># yum erase ypserv</pre>
</description>
+<ocil><package-remove-macro package="ypserv" /> </ocil>
<rationale>Removing the <tt>ypserv</tt> package decreases the risk of
the
accidental (or intentional) activation of NIS or NIS+ services.
</rationale>
@@ -252,6 +256,7 @@ as a tftp server, which does not provide encryption or
authentication.
command:
<pre># yum erase tftp-server</pre>
</description>
+<ocil><package-remove-macro package="tftp-server" />
</ocil>
<rationale>
Removing the <tt>tftp-server</tt> package decreases the risk of the
accidental (or intentional) activation of tftp services.
diff --git a/RHEL6/input/system/software/integrity.xml
b/RHEL6/input/system/software/integrity.xml
index c31087d..6c24ce9 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -31,6 +31,7 @@ configurable, with further configuration information located in
Install the AIDE package with the command:
<pre># yum install aide</pre>
</description>
+<ocil><package-check-macro package="aide"/></ocil>
<rationale>
The AIDE package must be installed if it is to be available for integrity checking.
</rationale>
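Review bot: style point on the added <ocil> line in this hunk: it is written as package="aide"/></ocil> with no space before "/>" and none before the closing tag, while the obsolete.xml hunks in the same patch use package="xinetd" /> </ocil>. Pick one spacing for the macro calls across the three files so later searches and scripted edits over these elements match consistently.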