Mapped CCI 382, which requires "The operating system must configure the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services", to all the disable service xyz rules in base. Then make validate was making me sad with the following errors, so I cleaned it up.
oscap xccdf validate-xml output/rhel6-xccdf-scap-security-guide.xml
1 1877 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 237: Element '{http://checklists.nist.gov/xccdf/1.1}refine-value': Duplicate key-sequence ['var_umask_for_daemons'] in unique identity-constraint '{http://checklists.nist.gov/xccdf/1.1}refineValueKey'.
1 1877 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 261: Element '{http://checklists.nist.gov/xccdf/1.1}refine-value': Duplicate key-sequence ['password_history_retain_number'] in unique identity-constraint '{http://checklists.nist.gov/xccdf/1.1}refineValueKey'.
1 1871 In file 'output/rhel6-xccdf-scap-security-guide.xml' on line 3212: Element '{http://checklists.nist.gov/xccdf/1.1}Value': This element is not expected. Expected is ( {http://checklists.nist.gov/xccdf/1.1}signature ).
oscap was unable to validate the XML document you provided.
Kevin Spargur (3):
  Removed duplicate entries causing make validate to fail
  Added some spacing to remove a make validate error
  Mapped CCI382 to several disable service xyz rules
 RHEL6/input/profiles/common.xml     |  4 ---
 RHEL6/input/services/base.xml       | 46 +++++++++++++++++-----------------
 RHEL6/input/system/accounts/pam.xml |  4 +-
 3 files changed, 25 insertions(+), 29 deletions(-)
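The two Duplicate key-sequence errors above are the XCCDF 1.1 schema's refineValueKey identity constraint: a refine-value idref may appear at most once within a Profile. As an added example, not part of this patch set or of the scap-security-guide build, here is a pre-flight check in Python that reports such duplicates and strips exact repeats before oscap is run; the profile fragment it parses is constructed to mirror the common.xml duplicates.

```python
# Added example (not from the patch set or the scap-security-guide build):
# pre-flight check for the XCCDF 1.1 'refineValueKey' constraint that oscap
# reported, i.e. a <refine-value> idref may appear at most once per <Profile>.
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}
ET.register_namespace("", XCCDF_NS)  # keep the default namespace on output

# Constructed sample profile carrying the two duplicates the validator flagged
# (var_umask_for_daemons, password_history_retain_number).
SAMPLE_PROFILE = f"""<Benchmark xmlns="{XCCDF_NS}">
  <Profile id="common">
    <select idref="uninstall_net-snmp" selected="true"/>
    <select idref="limiting_password_reuse" selected="true"/>
    <refine-value idref="password_history_retain_number" selector="5"/>
    <refine-value idref="var_umask_for_daemons" selector="027"/>
    <refine-value idref="var_umask_for_daemons" selector="027"/>
    <refine-value idref="var_password_min_len" selector="14"/>
    <refine-value idref="password_history_retain_number" selector="5"/>
  </Profile>
</Benchmark>"""


def duplicate_refine_values(xml_text):
    """Return {profile_id: {idref: count}} for idrefs refined more than once
    in a profile. An empty dict means the refineValueKey constraint holds."""
    root = ET.fromstring(xml_text)
    report = {}
    for profile in root.findall(".//x:Profile", NS):
        counts = Counter(rv.get("idref") for rv in profile.findall("x:refine-value", NS))
        dups = {idref: n for idref, n in counts.items() if n > 1}
        if dups:
            report[profile.get("id")] = dups
    return report


def dedupe_refine_values(xml_text):
    """Drop repeated <refine-value> elements, keeping the first per idref.
    Duplicates that disagree on 'selector' are a policy conflict, not noise,
    so they raise instead of being silently collapsed."""
    root = ET.fromstring(xml_text)
    for profile in root.findall(".//x:Profile", NS):
        seen = {}
        for rv in list(profile.findall("x:refine-value", NS)):
            idref, selector = rv.get("idref"), rv.get("selector")
            if idref not in seen:
                seen[idref] = selector
            elif seen[idref] != selector:
                raise ValueError(f"conflicting selectors for {idref}: {seen[idref]} vs {selector}")
            else:
                profile.remove(rv)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(duplicate_refine_values(SAMPLE_PROFILE))
    print(duplicate_refine_values(dedupe_refine_values(SAMPLE_PROFILE)))  # {}
```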
On 7/25/12 7:52 PM, Kevin Spargur wrote:
Ack to the set
---
 RHEL6/input/profiles/common.xml | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 0d2b80d..d1cf426 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -167,10 +167,6 @@ these should likely be moved out of common. <select idref="uninstall_net-snmp" selected="true"/> <select idref="limiting_password_reuse" selected="true"/> <!-- Refine Values --> -<!-- Password history --> -<refine-value idref="password_history_retain_number" selector="5"/> -<!-- Permissions for passwd --> -<refine-value idref="var_umask_for_daemons" selector="027"/> <refine-value idref="var_umask_for_daemons" selector="027"/> <!-- daemon umask --> <refine-value idref="var_password_min_len" selector="14"/>
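Review bot: The `<refine-value idref="password_history_retain_number" selector="5"/>` line is deleted outright, but its twin (the one the validator flagged at line 261 of the built XCCDF) is not inside this hunk, so the diff alone cannot show that the surviving copy also carries `selector="5"`; please confirm it does, otherwise a commit described as removing duplicates silently changes the profile's password-history setting. The `var_umask_for_daemons` removal is fine: both copies carry `selector="027"`, the kept one already has the `<!-- daemon umask -->` comment, and the dropped `<!-- Permissions for passwd -->` comment was mislabelled for a umask value anyway.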
---
 RHEL6/input/system/accounts/pam.xml | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 69d7c90..d95385d 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -363,8 +363,8 @@ the password line which uses the <tt>pam_unix</tt> module in the file Old (and thus no longer valid) passwords are stored in the file <tt>/etc/security/opasswd</tt>.</description> <ident cce="14939-3" /> -<oval id="accounts_password_reuse_limit" value="password_history_retain_number"/> -<ref nist="IA-5" disa="200"/> +<oval id="accounts_password_reuse_limit" value="password_history_retain_number" /> +<ref nist="IA-5" disa="200" /> </Group>
</Group>
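Review bot: The only change in this hunk is a space before `/>` on the `<oval>` and `<ref>` lines, which a schema validator does not care about, so on its own it cannot be what clears the `Value ... Expected is ( signature )` error quoted in the cover letter. If some pre-processing step in the build is whitespace-sensitive on these lines, the commit message should say so, because "Added some spacing" invites the next contributor to normalise it straight back; if it is not, the real cause of that third error is still open.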
---
 RHEL6/input/services/base.xml | 46 ++++++++++++++++++++--------------------
 1 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml index 8d72299..037f7b7 100644 --- a/RHEL6/input/services/base.xml +++ b/RHEL6/input/services/base.xml @@ -21,7 +21,7 @@ vulnerablities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.</rationale> <ident cce="TODO" /> <oval id="service_abrtd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
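Review bot: The commit message gives no rationale for a blanket mapping. This is the first of 23 hunks that tag a `service_*_disabled` rule with `disa="382"`, and the cover letter quotes CCI 382 as covering organization-defined functions, ports, protocols and services, so each tag asserts that the service (here abrtd) is one the organization has decided to restrict; state which requirement drives that, or limit the mapping to the rules it actually covers, so a reviewer can check it rather than take it on faith. Minor: the context line above still carries the typo `vulnerablities`, worth a separate fix.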
@@ -38,7 +38,7 @@ accidental or trivially achievable denial of service situations and disabling it may be prudent.</rationale> <ident cce="4298-6" /> <oval id="service_acpid_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -59,7 +59,7 @@ accountability. Furthermore, the need to schedule tasks with <tt>at</tt> or </rationale> <ident cce="TODO" /> <oval id="service_atd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -76,7 +76,7 @@ fulfilling some roles a PKI infrastructure, but its functionality is not necesss for many other use cases.</rationale> <ident cce="TODO" /> <oval id="service_certmonger_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -92,7 +92,7 @@ service is not necessary. </rationale> <ident cce="TODO" /> <oval id="service_cgconfig_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<Rule id="service_cgred_disabled"> @@ -106,7 +106,7 @@ service is not necessary. </rationale> <ident cce="TODO" /> <oval id="service_cgred_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<Rule id="service_cpuspeed_disabled"> @@ -122,7 +122,7 @@ highly desirable or necessary. </rationale> <ident cce="4051-9" /> <oval id="service_cpuspeed_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -141,7 +141,7 @@ that do not require these. </rationale> <ident cce="4364-6" /> <oval id="service_haldaemon_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -170,7 +170,7 @@ crash, which can load information from the crashed kernel for analysis. is little need to run the kdump service.</rationale> <ident cce="3425-6" /> <oval id="service_kdump_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<!-- @@ -203,7 +203,7 @@ RAID setups do not use this service). there is no need to run the service.</rationale> <ident cce="3854-7" /> <oval id="service_mdmonitor_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
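Review bot: The `<!--` that precedes this hunk's `@@` header (trailing context of the kdump hunk) opens a comment that is not closed anywhere in the visible lines, so please confirm whether `service_mdmonitor_disabled` sits inside a commented-out region; if it does, the added `disa="382"` never reaches the built XCCDF and the count of mapped rules in the commit message overstates what ships.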
@@ -223,7 +223,7 @@ a graphical login session. </rationale> <ident cce="3822-4" /> <oval id="service_messagebus_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<Rule id="service_netconsole_disabled"> @@ -239,7 +239,7 @@ kernel panics, which is not common. </rationale> <ident cce="TODO" /> <oval id="service_netconsole_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -258,7 +258,7 @@ reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</rationale> <ident cce="TODO" /> <!--<oval id="service_ntpdate_disabled" /> --> -<ref nist="AU-8, CM-6" /> +<ref nist="AU-8, CM-6" disa="382" /> </Rule>
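Review bot: The `<oval id="service_ntpdate_disabled" />` line in this hunk is commented out, so the rule has no automated check and oscap will report it as notchecked; adding `disa="382"` therefore cites CCI 382 against a rule that cannot be evaluated. Either restore the OVAL reference in the same series or say in the commit message that this mapping is documentary only until a check exists.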
<Rule id="service_oddjobd_disabled"> @@ -275,7 +275,7 @@ tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues.</rationale> <ident cce="TODO" /> <oval id="service_oddjobd_disabled" /> -<ref nist="AC-6, CM-6, CM-7" /> +<ref nist="AC-6, CM-6, CM-7" disa="382" /> </Rule>
@@ -291,7 +291,7 @@ preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.</rationale> <ident cce="TODO" /> <oval id="service_portreserve_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -346,7 +346,7 @@ disk quota violation is not desired then there is no need to run this service.</rationale> <ident cce="TODO" /> <oval id="service_quota_nld_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -364,7 +364,7 @@ some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.</rationale> <ident cce="TODO" /> <oval id="service_rdisc_disabled" /> -<ref nist="AC-4, CM-6, CM-7" /> +<ref nist="AC-4, CM-6, CM-7" disa="382" /> </Rule>
@@ -381,7 +381,7 @@ system security, management by a system outside the enterprise enclave is not desirable for some environments.</rationale> <ident cce="3416-5" /> <oval id="service_rhnsd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -399,7 +399,7 @@ expected to require remote changes to their subscription status, it is unnecessary and can be disabled.</rationale> <ident cce="TODO" /> <oval id="service_rhsmcertd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -418,7 +418,7 @@ use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled.</rationale> <ident cce="TODO" /> <oval id="service_saslauthd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
@@ -435,7 +435,7 @@ system's drives are not SMART-capable (such as solid state drives), it can be disabled.</rationale> <ident cce="3455-3" /> <oval id="service_smartd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<!-- @@ -455,7 +455,7 @@ authentication is only necessary against local account databases (such as passwd and shadow), it is not needed. </rationale> <ident cce="TODO" /> <oval id="service_sssd_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule> -->
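Review bot: The whole `service_sssd_disabled` rule is inside an XML comment: the `<!--` before this hunk's `@@` header is the trailing context of the smartd hunk, and `-->` is this hunk's own trailing context line immediately after `</Rule>`, so the added `disa="382"` never reaches the built XCCDF. Either drop this hunk or uncomment the rule deliberately in its own commit; dead edits inside comments only make the next diff harder to read.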
@@ -472,7 +472,7 @@ boot to reset the statistics, which can be retrieved using programs such as operation, but unless used this service can be disabled.</rationale> <ident cce="TODO" /> <oval id="service_sysstat_disabled" /> -<ref nist="CM-6, CM-7" /> +<ref nist="CM-6, CM-7" disa="382" /> </Rule>
<!--
I just realized what a mistake this commit is. Please call me.
I had issued an ACK earlier because this patchset also included fixes to an error.
In general, if there is a validation/execution problem that can be fixed with a small correction, please notify the list and push immediately. Quick minor _bugfixes_ are one of the very few exceptions to our model for committing.
On 07/25/2012 07:52 PM, Kevin Spargur wrote:
ACK, please push ASAP.
Thanks!
On 07/25/2012 07:52 PM, Kevin Spargur wrote:
scap-security-guide@lists.fedorahosted.org