DISA FSO has provided the following patches based on end-user feedback and updates done amongst the DISA FSO staff. Submitting to list on their behalf.
-shawn
Leland Steinke (21):
  Update aide_build_database
  Add VMS/DPMS mappings in stig_overlay
  Update VRelease attributes for DISA FSO VMS tags
  Add set_ip6tables_default_rule to common, map to STIG RHEL-06-000523
  Update VRelease attribute for RHEL-06-000008 (ensure_redhat_gpgkey_installed)
  Add reload to set_ip6tables_default_rule
  [bugfix] modify file_permissions_library_dirs to follow symlinks
  [bugfix] Modify file_permissions_binary_dirs to follow symlinks
  Increment VRelease for sysctl_ipv6_default_accept_redirects/RHEL-06-000099
  Check syscall audits explicitly to avoid partial matches
  Add applicability statement to audit_rules_time_stime/RHEL-06-000169
  Give SELinux precedence over HBSS in install_hids/RHEL-06-000285
  Update install_antivirus/RHEL-06-000284 from uvscan to VSEL/nails
  Remove display_login_attempts/RHEL-06-000506 from RHEL 6 STIG
  Add display_login_attempts/RHEL-06-000372 to STIG
  [bugfix] Update selinux_all_devicefiles to "any_exist"
  Increment OVAL version for selinux_all_devicefiles_labeled
  Update OVAL version for sysctl_net_ipv6_conf_default_accept_redirects
  Fix lowercase in system/auditing.xml
  Update severity of aide_build_database in stig_overlay.xml
  [bugfix] Correct static sysctl.conf check regex and increment versions
 RHEL/6/input/auxiliary/stig_overlay.xml            | 87 +++++++++++---------
 .../checks/selinux_all_devicefiles_labeled.xml     |  2 +-
 RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml    |  2 +-
 .../input/checks/sysctl_kernel_dmesg_restrict.xml  |  2 +-
 RHEL/6/input/checks/sysctl_kernel_exec_shield.xml  |  2 +-
 .../checks/sysctl_kernel_randomize_va_space.xml    |  2 +-
 .../sysctl_net_ipv4_conf_all_accept_redirects.xml  |  2 +-
 ...ysctl_net_ipv4_conf_all_accept_source_route.xml |  2 +-
 .../sysctl_net_ipv4_conf_all_log_martians.xml      |  2 +-
 .../checks/sysctl_net_ipv4_conf_all_rp_filter.xml  |  2 +-
 .../sysctl_net_ipv4_conf_all_secure_redirects.xml  |  2 +-
 .../sysctl_net_ipv4_conf_all_send_redirects.xml    |  2 +-
 ...sctl_net_ipv4_conf_default_accept_redirects.xml |  2 +-
 ...l_net_ipv4_conf_default_accept_source_route.xml |  2 +-
 .../sysctl_net_ipv4_conf_default_rp_filter.xml     |  2 +-
 ...sctl_net_ipv4_conf_default_secure_redirects.xml |  2 +-
 ...sysctl_net_ipv4_conf_default_send_redirects.xml |  2 +-
 ...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml |  2 +-
 ..._net_ipv4_icmp_ignore_bogus_error_responses.xml |  2 +-
 RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml |  2 +-
 .../checks/sysctl_net_ipv4_tcp_syncookies.xml      |  2 +-
 .../sysctl_net_ipv6_conf_default_accept_ra.xml     |  2 +-
 ...sctl_net_ipv6_conf_default_accept_redirects.xml |  2 +-
 RHEL/6/input/checks/templates/template_sysctl      |  2 +-
 RHEL/6/input/profiles/common.xml                   |  1 +
 RHEL/6/input/system/accounts/pam.xml               |  2 +-
 RHEL/6/input/system/auditing.xml                   |  3 +
 RHEL/6/input/system/network/iptables.xml           |  2 +
 RHEL/6/input/system/permissions/files.xml          |  4 +-
 RHEL/6/input/system/software/integrity.xml         | 27 ++++--
 30 files changed, 97 insertions(+), 75 deletions(-)
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Assign rule a severity
- Create OCIL text
- Update CCI mappings

Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
---
 RHEL/6/input/system/software/integrity.xml | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 943140d..73a0629 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -64,7 +64,7 @@ of AIDE, because it changes binaries. <ref nist="CM-6(d),SC-28, SI-7" /> </Rule>
-<Rule id="aide_build_database"> +<Rule id="aide_build_database" severity="medium"> <title>Build and Test AIDE Database</title> <description>Run the following command to generate a new database: <pre># /usr/sbin/aide --init</pre> @@ -77,12 +77,16 @@ To initiate a manual check, run the following command: <pre># /usr/sbin/aide --check</pre> If this check produces any unexpected output, investigate. </description> +<ocil clause="there is no database file"> +To find the location of the AIDE databse file, run the following command: +<pre># ls -l <i>DBDIR</i>/<i>databse_file_name</i></pre> +</ocil> <rationale> For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. </rationale> <ident cce="27135-3" /> -<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" /> +<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" disa="374,416,1069,1263,1297,1589" /> </Rule>
<Rule id="aide_periodic_cron_checking" severity="medium">
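Review bot: in the @@ -77,12 +77,16 @@ hunk the new OCIL procedure tells the assessor to run `ls -l DBDIR/databse_file_name` but never says where the DBDIR and database-file-name placeholders come from, so the manual check is not executable as written. Suggest having the text point at the AIDE configuration first, e.g. "Determine the database location from the @@define DBDIR and database= lines in /etc/aide.conf, then run # ls -l on that path", so the assessor checks the file AIDE actually uses rather than a guessed one. While touching that text, "databse" is misspelled twice (in the sentence and again inside the <pre> placeholder).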
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Assign rule a severity
- Create OCIL text
- Update CCI mappings
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
 RHEL/6/input/system/software/integrity.xml | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 943140d..73a0629 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -64,7 +64,7 @@ of AIDE, because it changes binaries.
<ref nist="CM-6(d),SC-28, SI-7" /> </Rule>
-<Rule id="aide_build_database"> +<Rule id="aide_build_database" severity="medium">
<title>Build and Test AIDE Database</title> <description>Run the following command to generate a new database: <pre># /usr/sbin/aide --init</pre> @@ -77,12 +77,16 @@ To initiate a manual check, run the following command: <pre># /usr/sbin/aide --check</pre> If this check produces any unexpected output, investigate. </description> +<ocil clause="there is no database file"> +To find the location of the AIDE databse file, run the following command: +<pre># ls -l <i>DBDIR</i>/<i>databse_file_name</i></pre> +</ocil> <rationale> For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. </rationale> <ident cce="27135-3" /> -<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" /> +<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" disa="374,416,1069,1263,1297,1589" /> </Rule>
<Rule id="aide_periodic_cron_checking" severity="medium">
ack
On 7/27/14, 11:30 PM, Shawn Wells wrote:
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Assign rule a severity
- Create OCIL text
- Update CCI mappings
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
 RHEL/6/input/system/software/integrity.xml | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 943140d..73a0629 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -64,7 +64,7 @@ of AIDE, because it changes binaries.
<ref nist="CM-6(d),SC-28, SI-7" /> </Rule> -<Rule id="aide_build_database"> +<Rule id="aide_build_database" severity="medium"> <title>Build and Test AIDE Database</title> <description>Run the following command to generate a new database: <pre># /usr/sbin/aide --init</pre> @@ -77,12 +77,16 @@ To initiate a manual check, run the following command: <pre># /usr/sbin/aide --check</pre> If this check produces any unexpected output, investigate. </description> +<ocil clause="there is no database file"> +To find the location of the AIDE databse file, run the following command: +<pre># ls -l <i>DBDIR</i>/<i>databse_file_name</i></pre>
Just noticed the "databse" typo. I will fix when I push for FSO.
+</ocil>
<rationale> For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. </rationale> <ident cce="27135-3" /> -<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" /> +<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" disa="374,416,1069,1263,1297,1589" /> </Rule> <Rule id="aide_periodic_cron_checking" severity="medium">
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Adds various VMS tags to XCCDF rules
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
---
 RHEL/6/input/auxiliary/stig_overlay.xml | 16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index d6139ac..8e9845a 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml 
@@ -48,20 +48,28 @@ <VMSinfo VKey="38489" SVKey="50290" VRelease="1" /> <title>A file integrity tool must be installed.</title> </overlay> - <overlay owner="disastig" ruleid="enable_selinux_bootloader" ownerid="RHEL-06-000017" disa="22" severity="medium"> + <overlay owner="disastig" ruleid="enable_selinux_bootloader" ownerid="RHEL-06-000017" disa="366" severity="medium"> + <VMSinfo VKey="51337" SVKey="65547" VRelease="1" /> <title>The system must use a Linux Security Module at boot time.</title> </overlay> + <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="low"> + <VMSinfo VKey="51391" SVKey="65601" VRelease="1" /> + <title>A file integrity baseline must be created.</title> + </overlay> <overlay owner="disastig" ruleid="no_rsh_trust_files" ownerid="RHEL-06-000019" disa="1436" severity="high"> <VMSinfo VKey="38491" SVKey="50292" VRelease="1" /> <title>There must be no .rhosts or hosts.equiv files on the system.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-06-000020" disa="22" severity="medium"> + <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-06-000020" disa="366" severity="medium"> + <VMSinfo VKey="51363" SVKey="65573" VRelease="1" /> <title>The system must use a Linux Security Module configured to enforce limits on system services.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-06-000023" disa="22" severity="low"> + <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-06-000023" disa="366" severity="low"> + <VMSinfo VKey="51369" SVKey="65579" VRelease="1" /> <title>The system must use a Linux Security Module configured to limit the privileges of system services.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-06-000025" disa="22" severity="low"> + <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-06-000025" disa="366" 
severity="low"> + <VMSinfo VKey="51379" SVKey="65589" VRelease="1" /> <title>All device files must be monitored by the system Linux Security Module.</title> </overlay> <overlay owner="disastig" ruleid="securetty_root_login_console_only" ownerid="RHEL-06-000027" disa="770" severity="medium">
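Review bot: the new aide_build_database overlay for RHEL-06-000018 in this @@ -48,20 +48,28 @@ hunk carries severity="low", while the earlier patch in this series gave the same Rule severity="medium" in integrity.xml; the two should agree at every point in the series. The shortlog's later "Update severity of aide_build_database in stig_overlay.xml" commit suggests the overlay value is the one meant to change, so either squash that fix into this commit or set the value here so no intermediate state disagrees. Separately, the commit message says only "Adds various VMS tags", but the hunk also rewrites the disa attribute from "22" to "366" on four SELinux overlays (enable_selinux_bootloader, selinux_state, selinux_policytype, selinux_all_devicefiles_labeled); that CCI remap deserves a sentence in the message since it changes the control mapping, not just VMS metadata.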
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Adds various VMS tags to XCCDF rules
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
 RHEL/6/input/auxiliary/stig_overlay.xml | 16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index d6139ac..8e9845a 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -48,20 +48,28 @@ <VMSinfo VKey="38489" SVKey="50290" VRelease="1" /> <title>A file integrity tool must be installed.</title>
</overlay> - <overlay owner="disastig" ruleid="enable_selinux_bootloader" ownerid="RHEL-06-000017" disa="22" severity="medium"> + <overlay owner="disastig" ruleid="enable_selinux_bootloader" ownerid="RHEL-06-000017" disa="366" severity="medium"> + <VMSinfo VKey="51337" SVKey="65547" VRelease="1" /> <title>The system must use a Linux Security Module at boot time.</title> </overlay> + <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="low"> + <VMSinfo VKey="51391" SVKey="65601" VRelease="1" /> + <title>A file integrity baseline must be created.</title> + </overlay> <overlay owner="disastig" ruleid="no_rsh_trust_files" ownerid="RHEL-06-000019" disa="1436" severity="high"> <VMSinfo VKey="38491" SVKey="50292" VRelease="1" /> <title>There must be no .rhosts or hosts.equiv files on the system.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-06-000020" disa="22" severity="medium"> + <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-06-000020" disa="366" severity="medium"> + <VMSinfo VKey="51363" SVKey="65573" VRelease="1" /> <title>The system must use a Linux Security Module configured to enforce limits on system services.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-06-000023" disa="22" severity="low"> + <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-06-000023" disa="366" severity="low"> + <VMSinfo VKey="51369" SVKey="65579" VRelease="1" /> <title>The system must use a Linux Security Module configured to limit the privileges of system services.</title> </overlay> - <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-06-000025" disa="22" severity="low"> + <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-06-000025" disa="366" severity="low"> + <VMSinfo VKey="51379" SVKey="65589" VRelease="1" /> <title>All device files must be monitored by the system 
Linux Security Module.</title> </overlay> <overlay owner="disastig" ruleid="securetty_root_login_console_only" ownerid="RHEL-06-000027" disa="770" severity="medium">
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
---
 RHEL/6/input/auxiliary/stig_overlay.xml | 50 +++++++++++++++---------------
 1 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 8e9845a..e75aeaf 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -81,7 +81,7 @@ <title>The system must prevent the root account from logging in from serial consoles.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000029" disa="366" severity="medium"> - <VMSinfo VKey="38496" SVKey="50297" VRelease="1" /> + <VMSinfo VKey="38496" SVKey="50297" VRelease="2" /> <title>Default system accounts, other than root, must be locked.</title> </overlay> <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-06-000030" disa="366" severity="high"> @@ -145,7 +145,7 @@ <title>The /etc/group file must have mode 0644 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045" disa="1499" severity="medium"> - <VMSinfo VKey="38465" SVKey="50265" VRelease="1" /> + <VMSinfo VKey="38465" SVKey="50265" VRelease="2" /> <title>Library files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-06-000046" disa="1499" severity="medium"> @@ -197,7 +197,7 @@ <title>The system must require at least four characters be changed between the old and new passwords during a password change.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-06-000061" disa="44" severity="medium"> - <VMSinfo VKey="38573" SVKey="50374" VRelease="1" /> + <VMSinfo VKey="38573" SVKey="50374" VRelease="2" /> <title>The system must disable accounts after three consecutive unsuccessful login attempts.</title> </overlay> <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-06-000062" disa="803" severity="medium"> 
@@ -245,11 +245,11 @@ <title>The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-06-000078" disa="366" severity="medium"> - <VMSinfo VKey="38596" SVKey="50397" VRelease="1" /> + <VMSinfo VKey="38596" SVKey="50397" VRelease="2" /> <title>The system must implement virtual address space randomization.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_kernel_exec_shield" ownerid="RHEL-06-000079" disa="366" severity="medium"> - <VMSinfo VKey="38597" SVKey="50398" VRelease="1" /> + <VMSinfo VKey="38597" SVKey="50398" VRelease="2" /> <title>The system must limit the ability of processes to have simultaneous write and execute access to memory.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-06-000080" disa="366" severity="medium"> @@ -289,7 +289,7 @@ <title>The system must not accept ICMPv4 secure redirect packets by default.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-06-000091" disa="366" severity="low"> - <VMSinfo VKey="38533" SVKey="50334" VRelease="1" /> + <VMSinfo VKey="38533" SVKey="50334" VRelease="2" /> <title>The system must ignore IPv4 ICMP redirect messages.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-06-000092" disa="366" severity="low"> 
@@ -373,19 +373,19 @@ <title>The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-06-000124" disa="382" severity="medium"> - <VMSinfo VKey="38514" SVKey="50315" VRelease="1" /> + <VMSinfo VKey="38514" SVKey="50315" VRelease="2" /> <title>The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_sctp_disabled" ownerid="RHEL-06-000125" disa="382" severity="medium"> - <VMSinfo VKey="38515" SVKey="50316" VRelease="1" /> + <VMSinfo VKey="38515" SVKey="50316" VRelease="2" /> <title>The Stream Control Transmission Protocol (SCTP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_rds_disabled" ownerid="RHEL-06-000126" disa="382" severity="low"> - <VMSinfo VKey="38516" SVKey="50317" VRelease="1" /> + <VMSinfo VKey="38516" SVKey="50317" VRelease="2" /> <title>The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-06-000127" disa="382" severity="medium"> - <VMSinfo VKey="38517" SVKey="50318" VRelease="1" /> + <VMSinfo VKey="38517" SVKey="50318" VRelease="2" /> <title>The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="userowner_rsyslog_files" ownerid="RHEL-06-000133" disa="1314" severity="medium"> 
@@ -461,19 +461,19 @@ <title>The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_adjtimex" ownerid="RHEL-06-000165" disa="169" severity="low"> - <VMSinfo VKey="38635" SVKey="50436" VRelease="1" /> + <VMSinfo VKey="38635" SVKey="50436" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through adjtimex.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_settimeofday" ownerid="RHEL-06-000167" disa="169" severity="low"> - <VMSinfo VKey="38522" SVKey="50323" VRelease="1" /> + <VMSinfo VKey="38522" SVKey="50323" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through settimeofday.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_stime" ownerid="RHEL-06-000169" disa="169" severity="low"> - <VMSinfo VKey="38525" SVKey="50326" VRelease="1" /> + <VMSinfo VKey="38525" SVKey="50326" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through stime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_clock_settime" ownerid="RHEL-06-000171" disa="169" severity="low"> - <VMSinfo VKey="38527" SVKey="50328" VRelease="1" /> + <VMSinfo VKey="38527" SVKey="50328" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through clock_settime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_watch_localtime" ownerid="RHEL-06-000173" disa="169" severity="low"> 
@@ -497,7 +497,7 @@ <title>The operating system must automatically audit account termination.</title> </overlay> <overlay owner="disastig" ruleid="audit_network_modifications" ownerid="RHEL-06-000182" disa="366" severity="low"> - <VMSinfo VKey="38540" SVKey="50341" VRelease="1" /> + <VMSinfo VKey="38540" SVKey="50341" VRelease="2" /> <title>The audit system must be configured to audit modifications to the systems network configuration.</title> </overlay> <overlay owner="disastig" ruleid="audit_mac_changes" ownerid="RHEL-06-000183" disa="366" severity="low"> @@ -756,11 +756,11 @@ <title>The rdisc service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="use_nodev_option_on_nfs_mounts" ownerid="RHEL-06-000269" disa="366" severity="medium"> - <VMSinfo VKey="38652" SVKey="50453" VRelease="1" /> + <VMSinfo VKey="38652" SVKey="50453" VRelease="2" /> <title>Remote file systems must be mounted with the "nodev" option.</title> </overlay> <overlay owner="disastig" ruleid="use_nosuid_option_on_nfs_mounts" ownerid="RHEL-06-000270" disa="366" severity="medium"> - <VMSinfo VKey="38654" SVKey="50455" VRelease="1" /> + <VMSinfo VKey="38654" SVKey="50455" VRelease="2" /> <title>Remote file systems must be mounted with the "nosuid" option.</title> </overlay> <overlay owner="disastig" ruleid="mount_option_noexec_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low"> 
@@ -772,7 +772,7 @@ <title>The system must use SMB client signing for connecting to samba servers using smbclient.</title> </overlay> <overlay owner="disastig" ruleid="require_smb_client_signing_mount.cifs" ownerid="RHEL-06-000273" disa="366" severity="low"> - <VMSinfo VKey="38657" SVKey="50458" VRelease="1" /> + <VMSinfo VKey="38657" SVKey="50458" VRelease="2" /> <title>The system must use SMB client signing for connecting to samba servers using mount.cifs.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_reuse_limit" ownerid="RHEL-06-000274" disa="200" severity="medium"> @@ -844,11 +844,11 @@ <title>The xorg-x11-server-common (X Windows) package must not be installed, unless required.</title> </overlay> <overlay owner="disastig" ruleid="disable_dhcp_client" ownerid="RHEL-06-000292" disa="366" severity="medium"> - <VMSinfo VKey="38679" SVKey="50480" VRelease="1" /> + <VMSinfo VKey="38679" SVKey="50480" VRelease="2" /> <title>The DHCP client must be disabled if not needed.</title> </overlay> <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-06-000294" disa="366" severity="low"> - <VMSinfo VKey="38681" SVKey="50482" VRelease="1" /> + <VMSinfo VKey="38681" SVKey="50482" VRelease="2" /> <title>All GIDs referenced in /etc/passwd must be defined in /etc/group</title> </overlay> <overlay owner="disastig" ruleid="account_unique_name" ownerid="RHEL-06-000296" disa="804" severity="low"> 
@@ -906,7 +906,7 @@ <title>The NFS server must not have the insecure file locking option enabled.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-06-000311" disa="143" severity="medium"> - <VMSinfo VKey="38678" SVKey="50479" VRelease="1" /> + <VMSinfo VKey="38678" SVKey="50479" VRelease="2" /> <title>The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-06-000313" disa="139" severity="medium"> @@ -914,7 +914,7 @@ <title>The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" ownerid="RHEL-06-000315" disa="85" severity="medium"> - <VMSinfo VKey="38682" SVKey="50483" VRelease="1" /> + <VMSinfo VKey="38682" SVKey="50483" VRelease="2" /> <title>The Bluetooth kernel module must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000317" disa="1250" severity="medium"> @@ -1001,7 +1001,7 @@ <title>There must be no .netrc files on the system.</title> </overlay> <overlay owner="disastig" ruleid="ftp_present_banner" ownerid="RHEL-06-000348" disa="48" severity="medium"> - <VMSinfo VKey="38599" SVKey="50400" VRelease="1" /> + <VMSinfo VKey="38599" SVKey="50400" VRelease="2" /> <title>The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.</title> </overlay> <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-06-000349" disa="765" severity="medium"> 
@@ -1009,7 +1009,7 @@ <title>The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium"> - <VMSinfo VKey="38592" SVKey="50393" VRelease="1" /> + <VMSinfo VKey="38592" SVKey="50393" VRelease="2" /> <title>The system must require administrator action to unlock an account locked by excessive failed login attempts.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium"> @@ -1236,7 +1236,7 @@ <title>The operating system must respond to security function anomalies in accordance with organization defined responses and alternative action(s).</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000503" disa="86" severity="medium"> - <VMSinfo VKey="38490" SVKey="50291" VRelease="1" /> + <VMSinfo VKey="38490" SVKey="50291" VRelease="2" /> <title>The system must have USB Mass Storage disabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000504" disa="535" severity="medium">
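Review bot: the commit has no message body, so none of the VRelease 1 to 2 bumps from @@ -81,7 +81,7 @@ through @@ -1236,7 +1236,7 @@ says which STIG release the new VMS revision numbers were taken from; the VKey/SVKey pairs are unchanged in every hunk, so a reader cannot tell from the diff why the release number moved. Please add a body naming the STIG version/release these VMSinfo values track, matching the "Update VRelease attributes for DISA FSO VMS tags" subject in the cover shortlog.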
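Review bot: in the @@ -81,7 +81,7 @@ hunk the RHEL-06-000029 entry ("Default system accounts, other than root, must be locked") still has ruleid="XXXX", a placeholder rather than an SSG rule id, unlike the neighbouring overlays. Bumping its VRelease is harmless, but the STIG ID remains unmapped; either map it to the rule that implements it or note in the commit message that the gap is known, so the placeholder does not silently ride along with a metadata refresh.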
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
 RHEL/6/input/auxiliary/stig_overlay.xml | 50 +++++++++++++++---------------
 1 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 8e9845a..e75aeaf 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -81,7 +81,7 @@ <title>The system must prevent the root account from logging in from serial consoles.</title>
</overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000029" disa="366" severity="medium"> - <VMSinfo VKey="38496" SVKey="50297" VRelease="1" /> + <VMSinfo VKey="38496" SVKey="50297" VRelease="2" /> <title>Default system accounts, other than root, must be locked.</title> </overlay> <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-06-000030" disa="366" severity="high"> @@ -145,7 +145,7 @@ <title>The /etc/group file must have mode 0644 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045" disa="1499" severity="medium"> - <VMSinfo VKey="38465" SVKey="50265" VRelease="1" /> + <VMSinfo VKey="38465" SVKey="50265" VRelease="2" /> <title>Library files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-06-000046" disa="1499" severity="medium"> @@ -197,7 +197,7 @@ <title>The system must require at least four characters be changed between the old and new passwords during a password change.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny" ownerid="RHEL-06-000061" disa="44" severity="medium"> - <VMSinfo VKey="38573" SVKey="50374" VRelease="1" /> + <VMSinfo VKey="38573" SVKey="50374" VRelease="2" /> <title>The system must disable accounts after three consecutive unsuccessful login attempts.</title> </overlay> <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-06-000062" disa="803" severity="medium"> 
@@ -245,11 +245,11 @@ <title>The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-06-000078" disa="366" severity="medium"> - <VMSinfo VKey="38596" SVKey="50397" VRelease="1" /> + <VMSinfo VKey="38596" SVKey="50397" VRelease="2" /> <title>The system must implement virtual address space randomization.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_kernel_exec_shield" ownerid="RHEL-06-000079" disa="366" severity="medium"> - <VMSinfo VKey="38597" SVKey="50398" VRelease="1" /> + <VMSinfo VKey="38597" SVKey="50398" VRelease="2" /> <title>The system must limit the ability of processes to have simultaneous write and execute access to memory.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-06-000080" disa="366" severity="medium"> @@ -289,7 +289,7 @@ <title>The system must not accept ICMPv4 secure redirect packets by default.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-06-000091" disa="366" severity="low"> - <VMSinfo VKey="38533" SVKey="50334" VRelease="1" /> + <VMSinfo VKey="38533" SVKey="50334" VRelease="2" /> <title>The system must ignore IPv4 ICMP redirect messages.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-06-000092" disa="366" severity="low"> 
@@ -373,19 +373,19 @@ <title>The system's local firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-06-000124" disa="382" severity="medium"> - <VMSinfo VKey="38514" SVKey="50315" VRelease="1" /> + <VMSinfo VKey="38514" SVKey="50315" VRelease="2" /> <title>The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_sctp_disabled" ownerid="RHEL-06-000125" disa="382" severity="medium"> - <VMSinfo VKey="38515" SVKey="50316" VRelease="1" /> + <VMSinfo VKey="38515" SVKey="50316" VRelease="2" /> <title>The Stream Control Transmission Protocol (SCTP) must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_rds_disabled" ownerid="RHEL-06-000126" disa="382" severity="low"> - <VMSinfo VKey="38516" SVKey="50317" VRelease="1" /> + <VMSinfo VKey="38516" SVKey="50317" VRelease="2" /> <title>The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-06-000127" disa="382" severity="medium"> - <VMSinfo VKey="38517" SVKey="50318" VRelease="1" /> + <VMSinfo VKey="38517" SVKey="50318" VRelease="2" /> <title>The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.</title> </overlay> <overlay owner="disastig" ruleid="userowner_rsyslog_files" ownerid="RHEL-06-000133" disa="1314" severity="medium"> 
@@ -461,19 +461,19 @@ <title>The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_adjtimex" ownerid="RHEL-06-000165" disa="169" severity="low"> - <VMSinfo VKey="38635" SVKey="50436" VRelease="1" /> + <VMSinfo VKey="38635" SVKey="50436" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through adjtimex.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_settimeofday" ownerid="RHEL-06-000167" disa="169" severity="low"> - <VMSinfo VKey="38522" SVKey="50323" VRelease="1" /> + <VMSinfo VKey="38522" SVKey="50323" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through settimeofday.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_stime" ownerid="RHEL-06-000169" disa="169" severity="low"> - <VMSinfo VKey="38525" SVKey="50326" VRelease="1" /> + <VMSinfo VKey="38525" SVKey="50326" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through stime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_clock_settime" ownerid="RHEL-06-000171" disa="169" severity="low"> - <VMSinfo VKey="38527" SVKey="50328" VRelease="1" /> + <VMSinfo VKey="38527" SVKey="50328" VRelease="2" /> <title>The audit system must be configured to audit all attempts to alter system time through clock_settime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_watch_localtime" ownerid="RHEL-06-000173" disa="169" severity="low"> 
@@ -497,7 +497,7 @@ <title>The operating system must automatically audit account termination.</title> </overlay> <overlay owner="disastig" ruleid="audit_network_modifications" ownerid="RHEL-06-000182" disa="366" severity="low"> - <VMSinfo VKey="38540" SVKey="50341" VRelease="1" /> + <VMSinfo VKey="38540" SVKey="50341" VRelease="2" /> <title>The audit system must be configured to audit modifications to the systems network configuration.</title> </overlay> <overlay owner="disastig" ruleid="audit_mac_changes" ownerid="RHEL-06-000183" disa="366" severity="low"> @@ -756,11 +756,11 @@ <title>The rdisc service must not be running.</title> </overlay> <overlay owner="disastig" ruleid="use_nodev_option_on_nfs_mounts" ownerid="RHEL-06-000269" disa="366" severity="medium"> - <VMSinfo VKey="38652" SVKey="50453" VRelease="1" /> + <VMSinfo VKey="38652" SVKey="50453" VRelease="2" /> <title>Remote file systems must be mounted with the "nodev" option.</title> </overlay> <overlay owner="disastig" ruleid="use_nosuid_option_on_nfs_mounts" ownerid="RHEL-06-000270" disa="366" severity="medium"> - <VMSinfo VKey="38654" SVKey="50455" VRelease="1" /> + <VMSinfo VKey="38654" SVKey="50455" VRelease="2" /> <title>Remote file systems must be mounted with the "nosuid" option.</title> </overlay> <overlay owner="disastig" ruleid="mount_option_noexec_removable_partitions" ownerid="RHEL-06-000271" disa="87" severity="low"> 
@@ -772,7 +772,7 @@ <title>The system must use SMB client signing for connecting to samba servers using smbclient.</title> </overlay> <overlay owner="disastig" ruleid="require_smb_client_signing_mount.cifs" ownerid="RHEL-06-000273" disa="366" severity="low"> - <VMSinfo VKey="38657" SVKey="50458" VRelease="1" /> + <VMSinfo VKey="38657" SVKey="50458" VRelease="2" /> <title>The system must use SMB client signing for connecting to samba servers using mount.cifs.</title> </overlay> <overlay owner="disastig" ruleid="accounts_password_reuse_limit" ownerid="RHEL-06-000274" disa="200" severity="medium"> @@ -844,11 +844,11 @@ <title>The xorg-x11-server-common (X Windows) package must not be installed, unless required.</title> </overlay> <overlay owner="disastig" ruleid="disable_dhcp_client" ownerid="RHEL-06-000292" disa="366" severity="medium"> - <VMSinfo VKey="38679" SVKey="50480" VRelease="1" /> + <VMSinfo VKey="38679" SVKey="50480" VRelease="2" /> <title>The DHCP client must be disabled if not needed.</title> </overlay> <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-06-000294" disa="366" severity="low"> - <VMSinfo VKey="38681" SVKey="50482" VRelease="1" /> + <VMSinfo VKey="38681" SVKey="50482" VRelease="2" /> <title>All GIDs referenced in /etc/passwd must be defined in /etc/group</title> </overlay> <overlay owner="disastig" ruleid="account_unique_name" ownerid="RHEL-06-000296" disa="804" severity="low"> 
@@ -906,7 +906,7 @@ <title>The NFS server must not have the insecure file locking option enabled.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-06-000311" disa="143" severity="medium"> - <VMSinfo VKey="38678" SVKey="50479" VRelease="1" /> + <VMSinfo VKey="38678" SVKey="50479" VRelease="2" /> <title>The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.</title> </overlay> <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-06-000313" disa="139" severity="medium"> @@ -914,7 +914,7 @@ <title>The audit system must identify staff members to receive notifications of audit log storage volume capacity issues.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_bluetooth_disabled" ownerid="RHEL-06-000315" disa="85" severity="medium"> - <VMSinfo VKey="38682" SVKey="50483" VRelease="1" /> + <VMSinfo VKey="38682" SVKey="50483" VRelease="2" /> <title>The Bluetooth kernel module must be disabled.</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000317" disa="1250" severity="medium"> @@ -1001,7 +1001,7 @@ <title>There must be no .netrc files on the system.</title> </overlay> <overlay owner="disastig" ruleid="ftp_present_banner" ownerid="RHEL-06-000348" disa="48" severity="medium"> - <VMSinfo VKey="38599" SVKey="50400" VRelease="1" /> + <VMSinfo VKey="38599" SVKey="50400" VRelease="2" /> <title>The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.</title> </overlay> <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-06-000349" disa="765" severity="medium"> 
@@ -1009,7 +1009,7 @@ <title>The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-06-000356" disa="47" severity="medium"> - <VMSinfo VKey="38592" SVKey="50393" VRelease="1" /> + <VMSinfo VKey="38592" SVKey="50393" VRelease="2" /> <title>The system must require administrator action to unlock an account locked by excessive failed login attempts.</title> </overlay> <overlay owner="disastig" ruleid="accounts_passwords_pam_fail_interval" ownerid="RHEL-06-000357" disa="1452" severity="medium"> @@ -1236,7 +1236,7 @@ <title>The operating system must respond to security function anomalies in accordance with organization defined responses and alternative action(s).</title> </overlay> <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-06-000503" disa="86" severity="medium"> - <VMSinfo VKey="38490" SVKey="50291" VRelease="1" /> + <VMSinfo VKey="38490" SVKey="50291" VRelease="2" /> <title>The system must have USB Mass Storage disabled unless needed.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000504" disa="535" severity="medium"> -- 1.7.1
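Review bot: kernel_module_usb-storage_disabled is mapped to two STIG IDs in this file, RHEL-06-000317 (unchanged context in the preceding hunk) and RHEL-06-000503 (VRelease bumped here); if both mappings are intended, say so in the commit message or an XML comment next to the second overlay, since a duplicate ruleid in an overlay usually means a stale mapping was left behind when a STIG ID moved.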
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- For some reason the set_ip6tables_default_rule was not enabled in common (whereas standard ip4 is);
- Mapped set_ip6tables_default_rule to RHEL-06-000523
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 4 ++-- RHEL/6/input/profiles/common.xml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index e75aeaf..f78506e 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1309,8 +1309,8 @@ <VMSinfo VKey="38445" SVKey="50245" VRelease="1" /> <title>Audit log files must be group-owned by root.</title> </overlay> - <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000523" disa="66" severity="medium"> - <VMSinfo VKey="38444" SVKey="50244" VRelease="1" /> + <overlay owner="disastig" ruleid="set_ip6tables_default_rule" ownerid="RHEL-06-000523" disa="66" severity="medium"> + <VMSinfo VKey="38444" SVKey="50244" VRelease="2" /> <title>The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000524" disa="15" severity="low"> diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml index ba46588..d3ec71b 100644 --- a/RHEL/6/input/profiles/common.xml +++ b/RHEL/6/input/profiles/common.xml @@ -94,6 +94,7 @@ <select idref="service_ip6tables_enabled" selected="true"/> <select idref="service_iptables_enabled" selected="true"/> <select idref="set_iptables_default_rule" selected="true"/> +<select idref="set_ip6tables_default_rule" selected="ture" /> <select idref="kernel_module_dccp_disabled" selected="true"/> <select idref="kernel_module_sctp_disabled" selected="true"/> <select idref="kernel_module_rds_disabled" selected="true"/>
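Review bot: the common.xml hunk enables the rule with `selected="ture"`; the XCCDF `selected` attribute is an xs:boolean, so this value either fails schema validation or leaves set_ip6tables_default_rule unselected, which undoes the point of the patch. Change it to `<select idref="set_ip6tables_default_rule" selected="true"/>` (also dropping the space before `/>` so it matches the neighbouring select lines).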
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- For some reason the set_ip6tables_default_rule was not enabled in common (whereas standard ip4 is);
- Mapped set_ip6tables_default_rule to RHEL-06-000523
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 4 ++-- RHEL/6/input/profiles/common.xml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index e75aeaf..f78506e 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1309,8 +1309,8 @@ <VMSinfo VKey="38445" SVKey="50245" VRelease="1" /> <title>Audit log files must be group-owned by root.</title>
</overlay> - <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000523" disa="66" severity="medium"> - <VMSinfo VKey="38444" SVKey="50244" VRelease="1" /> + <overlay owner="disastig" ruleid="set_ip6tables_default_rule" ownerid="RHEL-06-000523" disa="66" severity="medium"> + <VMSinfo VKey="38444" SVKey="50244" VRelease="2" /> <title>The system's local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.</title> </overlay> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000524" disa="15" severity="low"> diff --git a/RHEL/6/input/profiles/common.xml b/RHEL/6/input/profiles/common.xml index ba46588..d3ec71b 100644 --- a/RHEL/6/input/profiles/common.xml +++ b/RHEL/6/input/profiles/common.xml @@ -94,6 +94,7 @@ <select idref="service_ip6tables_enabled" selected="true"/> <select idref="service_iptables_enabled" selected="true"/> <select idref="set_iptables_default_rule" selected="true"/> +<select idref="set_ip6tables_default_rule" selected="ture" /> <select idref="kernel_module_dccp_disabled" selected="true"/> <select idref="kernel_module_sctp_disabled" selected="true"/> <select idref="kernel_module_rds_disabled" selected="true"/> -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index f78506e..7420e5a 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -25,7 +25,7 @@ <title>The system must use a separate file system for user home directories.</title> </overlay> <overlay owner="disastig" ruleid="ensure_redhat_gpgkey_installed" ownerid="RHEL-06-000008" disa="352" severity="high"> - <VMSinfo VKey="38476" SVKey="50276" VRelease="1" /> + <VMSinfo VKey="38476" SVKey="50276" VRelease="2" /> <title>Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.</title> </overlay> <overlay owner="disastig" ruleid="service_rhnsd_disabled" ownerid="RHEL-06-000009" disa="382" severity="low">
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index f78506e..7420e5a 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -25,7 +25,7 @@ <title>The system must use a separate file system for user home directories.</title>
</overlay> <overlay owner="disastig" ruleid="ensure_redhat_gpgkey_installed" ownerid="RHEL-06-000008" disa="352" severity="high"> - <VMSinfo VKey="38476" SVKey="50276" VRelease="1" /> + <VMSinfo VKey="38476" SVKey="50276" VRelease="2" /> <title>Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.</title> </overlay> <overlay owner="disastig" ruleid="service_rhnsd_disabled" ownerid="RHEL-06-000009" disa="382" severity="low"> -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Guidance did not remind users to reload firewall rules if a change was required
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/system/network/iptables.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/RHEL/6/input/system/network/iptables.xml b/RHEL/6/input/system/network/iptables.xml index 639b16e..0876645 100644 --- a/RHEL/6/input/system/network/iptables.xml +++ b/RHEL/6/input/system/network/iptables.xml @@ -73,6 +73,8 @@ the built-in INPUT chain which processes incoming packets, add or correct the following line in <tt>/etc/sysconfig/ip6tables</tt>: <pre>:INPUT DROP [0:0]</pre> +If changes were required, reload the ip6tables rules: +<pre>$ sudo service ip6tables reload</pre> </description> <ocil clause="the default policy for the INPUT chain is not set to DROP"> If IPv6 is disabled, this is not applicable.
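Review bot: the new reload instruction needs a lockout caveat. With `:INPUT DROP [0:0]` as the policy, `service ip6tables reload` from a remote IPv6 session will drop that session unless a rule accepting it (or established connections) is present in /etc/sysconfig/ip6tables alongside the policy line; a sentence such as "Confirm the rules permitting your current administrative session are in place before reloading" would cover it. The commit message also says guidance did not remind users to reload firewall rules generally, but only the ip6tables description is touched; the IPv4 set_iptables_default_rule description should get the same line for consistency.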
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Guidance did not remind users to reload firewall rules if a change was required
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/system/network/iptables.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/RHEL/6/input/system/network/iptables.xml b/RHEL/6/input/system/network/iptables.xml index 639b16e..0876645 100644 --- a/RHEL/6/input/system/network/iptables.xml +++ b/RHEL/6/input/system/network/iptables.xml @@ -73,6 +73,8 @@ the built-in INPUT chain which processes incoming packets, add or correct the following line in <tt>/etc/sysconfig/ip6tables</tt>:
<pre>:INPUT DROP [0:0]</pre>
+If changes were required, reload the ip6tables rules: +<pre>$ sudo service ip6tables reload</pre>
</description> <ocil clause="the default policy for the INPUT chain is not set to DROP"> If IPv6 is disabled, this is not applicable. -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/permissions/files.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 7420e5a..84515ab 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -145,7 +145,7 @@ <title>The /etc/group file must have mode 0644 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045" disa="1499" severity="medium"> - <VMSinfo VKey="38465" SVKey="50265" VRelease="2" /> + <VMSinfo VKey="38465" SVKey="50265" VRelease="3" /> <title>Library files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-06-000046" disa="1499" severity="medium"> diff --git a/RHEL/6/input/system/permissions/files.xml b/RHEL/6/input/system/permissions/files.xml index 58f7926..e2883f3 100644 --- a/RHEL/6/input/system/permissions/files.xml +++ b/RHEL/6/input/system/permissions/files.xml @@ -208,7 +208,7 @@ Shared libraries are stored in the following directories: </pre> To find shared libraries that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains shared libraries: -<pre>$ find <i>DIR</i> -perm /022 -type f</pre> +<pre>$ find -L <i>DIR</i> -perm /022 -type f</pre> </ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at
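Review bot: the diffstat touches only the OCIL text and the overlay, yet the title says file_permissions_library_dirs was modified to follow symlinks; the OVAL definition for this rule is not in the patch, so the automated check and the manual `find -L DIR -perm /022 -type f` procedure now disagree on symlink handling. Either include the OVAL change or reword the message to say only the manual check changed. Note also that with `-L`, `find` reports the permissions of the link target (which is what you want for a symlinked library) and silently skips dangling links, since those match `-type l` rather than `-type f` in that mode.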
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/permissions/files.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 7420e5a..84515ab 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -145,7 +145,7 @@ <title>The /etc/group file must have mode 0644 or less permissive.</title>
</overlay> <overlay owner="disastig" ruleid="file_permissions_library_dirs" ownerid="RHEL-06-000045" disa="1499" severity="medium"> - <VMSinfo VKey="38465" SVKey="50265" VRelease="2" /> + <VMSinfo VKey="38465" SVKey="50265" VRelease="3" /> <title>Library files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_library_dirs" ownerid="RHEL-06-000046" disa="1499" severity="medium"> diff --git a/RHEL/6/input/system/permissions/files.xml b/RHEL/6/input/system/permissions/files.xml index 58f7926..e2883f3 100644 --- a/RHEL/6/input/system/permissions/files.xml +++ b/RHEL/6/input/system/permissions/files.xml @@ -208,7 +208,7 @@ Shared libraries are stored in the following directories: </pre> To find shared libraries that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains shared libraries: -<pre>$ find <i>DIR</i> -perm /022 -type f</pre> +<pre>$ find -L <i>DIR</i> -perm /022 -type f</pre> </ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/permissions/files.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 84515ab..d9820bc 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -153,7 +153,7 @@ <title>Library files must be owned by root.</title> </overlay> <overlay owner="disastig" ruleid="file_permissions_binary_dirs" ownerid="RHEL-06-000047" disa="1499" severity="medium"> - <VMSinfo VKey="38469" SVKey="50269" VRelease="1" /> + <VMSinfo VKey="38469" SVKey="50269" VRelease="2" /> <title>All system command files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_binary_dirs" ownerid="RHEL-06-000048" disa="1499" severity="medium"> diff --git a/RHEL/6/input/system/permissions/files.xml b/RHEL/6/input/system/permissions/files.xml index e2883f3..5762fd9 100644 --- a/RHEL/6/input/system/permissions/files.xml +++ b/RHEL/6/input/system/permissions/files.xml @@ -285,7 +285,7 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> To find system executables that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains system executables: -<pre>$ find <i>DIR</i> -perm /022</pre> +<pre>$ find -L <i>DIR</i> -perm /022 -type f</pre> </ocil> <rationale>System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs
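Review bot: besides `-L`, this hunk adds `-type f` to the binary-dirs command, and the commit message does not mention it; the old `find DIR -perm /022` also reported group- or world-writable directories under DIR, which the new command no longer does. Either state the narrowing in the message or leave `-type f` off if writable directories should still be flagged. As with the library-dirs patch, only the OCIL and overlay are in the diffstat, so the OVAL check for file_permissions_binary_dirs still has the old symlink behaviour.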
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/permissions/files.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 84515ab..d9820bc 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -153,7 +153,7 @@ <title>Library files must be owned by root.</title>
</overlay> <overlay owner="disastig" ruleid="file_permissions_binary_dirs" ownerid="RHEL-06-000047" disa="1499" severity="medium"> - <VMSinfo VKey="38469" SVKey="50269" VRelease="1" /> + <VMSinfo VKey="38469" SVKey="50269" VRelease="2" /> <title>All system command files must have mode 0755 or less permissive.</title> </overlay> <overlay owner="disastig" ruleid="file_ownership_binary_dirs" ownerid="RHEL-06-000048" disa="1499" severity="medium"> diff --git a/RHEL/6/input/system/permissions/files.xml b/RHEL/6/input/system/permissions/files.xml index e2883f3..5762fd9 100644 --- a/RHEL/6/input/system/permissions/files.xml +++ b/RHEL/6/input/system/permissions/files.xml @@ -285,7 +285,7 @@ System executables are stored in the following directories by default: /usr/local/sbin</pre> To find system executables that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains system executables: -<pre>$ find <i>DIR</i> -perm /022</pre> +<pre>$ find -L <i>DIR</i> -perm /022 -type f</pre> </ocil> <rationale>System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index d9820bc..2e922d1 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -317,7 +317,7 @@ <title>The IPv6 protocol handler must not be bound to the network stack unless needed.</title> </overlay> <overlay owner="disastig" ruleid="sysctl_ipv6_default_accept_redirects" ownerid="RHEL-06-000099" disa="366" severity="medium"> - <VMSinfo VKey="38548" SVKey="50349" VRelease="1" /> + <VMSinfo VKey="38548" SVKey="50349" VRelease="2" /> <title>The system must ignore ICMPv6 redirects by default.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000103" disa="1118" severity="medium">
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index d9820bc..2e922d1 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -317,7 +317,7 @@ <title>The IPv6 protocol handler must not be bound to the network stack unless needed.</title>
</overlay> <overlay owner="disastig" ruleid="sysctl_ipv6_default_accept_redirects" ownerid="RHEL-06-000099" disa="366" severity="medium"> - <VMSinfo VKey="38548" SVKey="50349" VRelease="1" /> + <VMSinfo VKey="38548" SVKey="50349" VRelease="2" /> <title>The system must ignore ICMPv6 redirects by default.</title> </overlay> <overlay owner="disastig" ruleid="service_ip6tables_enabled" ownerid="RHEL-06-000103" disa="1118" severity="medium"> -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease key
- Add OCIL for unlinkat, renameat
- Update grep regex from 'grep' to 'grep -w'
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/auditing.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 2e922d1..bc540d6 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -569,7 +569,7 @@ <title>The audit system must be configured to audit successful file system mounts.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_file_deletion_events" ownerid="RHEL-06-000200" disa="172" severity="low"> - <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> + <VMSinfo VKey="38575" SVKey="50376" VRelease="3" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_sysadmin_actions" ownerid="RHEL-06-000201" disa="172" severity="low"> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index e25f890..6c9f696 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -1210,7 +1210,9 @@ appropriate for your system: </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> +<audit-syscall-check-macro syscall="unlinkat" /> <audit-syscall-check-macro syscall="rename" /> +<audit-syscall-check-macro syscall="renameat" /> </ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting
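Review bot: the third bullet of the message ("Update grep regex from 'grep' to 'grep -w'") has no corresponding hunk; the diff only adds the unlinkat and renameat macro calls and bumps VRelease. If the `-w` change lives in the audit-syscall-check-macro definition, include that hunk here (or name the commit that carries it) so the message and the patch agree, since `-w` is what stops `unlink` from also matching `unlinkat` lines in the manual check.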
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease key
- Add OCIL for unlinkat, renameat
- Update grep regex from 'grep' to 'grep -w'
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/auditing.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 2e922d1..bc540d6 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -569,7 +569,7 @@ <title>The audit system must be configured to audit successful file system mounts.</title>
</overlay> <overlay owner="disastig" ruleid="audit_rules_file_deletion_events" ownerid="RHEL-06-000200" disa="172" severity="low"> - <VMSinfo VKey="38575" SVKey="50376" VRelease="2" /> + <VMSinfo VKey="38575" SVKey="50376" VRelease="3" /> <title>The audit system must be configured to audit user deletions of files and programs.</title> </overlay> <overlay owner="disastig" ruleid="audit_sysadmin_actions" ownerid="RHEL-06-000201" disa="172" severity="low"> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index e25f890..6c9f696 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -1210,7 +1210,9 @@ appropriate for your system: </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> +<audit-syscall-check-macro syscall="unlinkat" /> <audit-syscall-check-macro syscall="rename" /> +<audit-syscall-check-macro syscall="renameat" /> </ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease key
- Add OCIL applicability statement
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/auditing.xml | 1 + 2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index bc540d6..86a5b5e 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -469,7 +469,7 @@ <title>The audit system must be configured to audit all attempts to alter system time through settimeofday.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_stime" ownerid="RHEL-06-000169" disa="169" severity="low"> - <VMSinfo VKey="38525" SVKey="50326" VRelease="2" /> + <VMSinfo VKey="38525" SVKey="50326" VRelease="3" /> <title>The audit system must be configured to audit all attempts to alter system time through stime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_clock_settime" ownerid="RHEL-06-000171" disa="169" severity="low"> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index 6c9f696..fbad0a9 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -556,6 +556,7 @@ See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil clause="the system is not configured to audit time changes"> +if the system is 64-bit only, this is not applicable.<br /> <audit-syscall-check-macro syscall="stime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate
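Review bot: "64-bit only" in the added applicability line is ambiguous: stime has no entry in the x86_64 syscall table, but on a multilib x86_64 system it is still reachable from 32-bit callers and is covered by the `-F arch=b32` rule, so the check is only not applicable where 32-bit system calls are unsupported. If the phrase is kept because it mirrors the STIG check text, a short parenthetical ("i.e. no 32-bit/arch=b32 support") would remove the doubt. The line also starts with lowercase "if" where the guide's other OCIL statements read "If IPv6 is disabled, this is not applicable."; match that form.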
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease key
- Add OCIL applicability statement
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/auditing.xml | 1 + 2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index bc540d6..86a5b5e 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -469,7 +469,7 @@ <title>The audit system must be configured to audit all attempts to alter system time through settimeofday.</title>
</overlay> <overlay owner="disastig" ruleid="audit_rules_time_stime" ownerid="RHEL-06-000169" disa="169" severity="low"> - <VMSinfo VKey="38525" SVKey="50326" VRelease="2" /> + <VMSinfo VKey="38525" SVKey="50326" VRelease="3" /> <title>The audit system must be configured to audit all attempts to alter system time through stime.</title> </overlay> <overlay owner="disastig" ruleid="audit_rules_time_clock_settime" ownerid="RHEL-06-000171" disa="169" severity="low"> diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index 6c9f696..fbad0a9 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -556,6 +556,7 @@ See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil clause="the system is not configured to audit time changes"> +if the system is 64-bit only, this is not applicable.<br /> <audit-syscall-check-macro syscall="stime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate
I see the case was fixed in patch 19.
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease
- Provide clarification if users should disable SELinux to enable 3rd party tools (e.g. HBSS)
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/software/integrity.xml | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 86a5b5e..958b119 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -816,7 +816,7 @@ <title>The system must use and update a DoD-approved virus scan program.</title> </overlay> <overlay owner="disastig" ruleid="install_hids" ownerid="RHEL-06-000285" disa="1263" severity="medium"> - <VMSinfo VKey="38667" SVKey="50468" VRelease="1" /> + <VMSinfo VKey="38667" SVKey="50468" VRelease="2" /> <title>The system must have a host-based intrusion detection tool installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-06-000286" disa="366" severity="high"> diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 73a0629..0c14ecc 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -197,7 +197,11 @@ software may not be appropriate for some specialized systems. The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user -sessions which may become compromised. +sessions which may become compromised.<br /> +In DoD environments, supplemental intrusion detection tools, such as, the McAfee +Host-based Security System, are available to integrate with existing infrastructure. +When these supplemental tools interfere with the proper functioning of SELinux, SELinux +takes precedence. <br/> </description> <ocil clause="no host-based intrusion detection tools are installed">
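Review bot: the new description text in the integrity.xml hunk has a stray comma in "such as, the McAfee Host-based Security System" and mixes "<br />" with " <br/>" (with a leading space before the second); pick one form. More substantively, "When these supplemental tools interfere with the proper functioning of SELinux, SELinux takes precedence" leaves the reader to infer the check outcome for a system running SELinux enforcing with no supplemental tool, while the unchanged ocil clause that follows still reads "no host-based intrusion detection tools are installed". Say explicitly whether SELinux on its own satisfies RHEL-06-000285 when HBSS cannot coexist with it, so the description and the OCIL clause do not point in different directions.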
On 7/27/14, 11:26 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
- Update VRelease
- Provide clarification if users should disable SELinux to enable 3rd party tools (e.g. HBSS)
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- RHEL/6/input/system/software/integrity.xml | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 86a5b5e..958b119 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -816,7 +816,7 @@ <title>The system must use and update a DoD-approved virus scan program.</title>
</overlay> <overlay owner="disastig" ruleid="install_hids" ownerid="RHEL-06-000285" disa="1263" severity="medium"> - <VMSinfo VKey="38667" SVKey="50468" VRelease="1" /> + <VMSinfo VKey="38667" SVKey="50468" VRelease="2" /> <title>The system must have a host-based intrusion detection tool installed.</title> </overlay> <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-06-000286" disa="366" severity="high"> diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 73a0629..0c14ecc 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -197,7 +197,11 @@ software may not be appropriate for some specialized systems. The base Red Hat platform already includes a sophisticated auditing system that can detect intruder activity, as well as SELinux, which provides host-based intrusion prevention capabilities by confining privileged programs and user -sessions which may become compromised. +sessions which may become compromised.<br /> +In DoD environments, supplemental intrusion detection tools, such as, the McAfee +Host-based Security System, are available to integrate with existing infrastructure. +When these supplemental tools interfere with the proper functioning of SELinux, SELinux +takes precedence. <br/> </description> <ocil clause="no host-based intrusion detection tools are installed">
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/system/software/integrity.xml | 13 ++++++------- 1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 0c14ecc..eca2b8e 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -221,7 +221,7 @@ intruder gains access to a system or network. <description> Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. -The McAfee uvscan virus scanning tool is provided for DoD systems. +The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. <!-- need info here on where DoD admins can go to get this --> Configure the virus scanning software to perform scans dynamically on all 
@@ -234,18 +234,17 @@ to scan all received mail. with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your particular neighborhood) should occur? --> </description> -<ocil clause="virus scanning software does not run daily, or has signatures that are out of date"> +<ocil clause="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date"> Inspect the system for a cron job or system service which executes a virus scanning tool regularly. <br/> <!-- this should be handled as DoD-specific text in a future revision --> -To verify the McAfee command line scan tool (uvscan) is scheduled for -regular execution, run the following command to check for a cron job: -<pre># grep uvscan /etc/cron* /var/spool/cron/*</pre> -This will reveal if and when the uvscan program will be run. +To verify the McAfee VSEL system service is operational, +run the following command: +<pre># /etc/init.d/nails status</pre> <br/> To check on the age of uvscan virus definition files, run the following command: -<pre># cd /usr/local/uvscan +<pre># cd /opt/NAI/LinuxShield/engine/dat # ls -la avvscan.dat avvnames.dat avvclean.dat</pre> </ocil> <rationale>
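Review bot: the second hunk still reads "To check on the age of uvscan virus definition files" after the tool was renamed to VSEL and the DAT path moved to /opt/NAI/LinuxShield/engine/dat; update that sentence as well. The new ocil clause requires the scanner to "run continuously, or at least daily", but the only check step that remains is "# /etc/init.d/nails status", which reports the service's current state and says nothing about a daily scheduled scan; the removed cron grep was what covered the "at least daily" alternative, so either keep a scheduling check or narrow the clause to what "nails status" can verify. Finally, the description's "no older than 7 days" requirement has no matching instruction beyond listing the DAT files with "ls -la"; telling the assessor to compare those dates against the 7-day limit would make the OCIL self-contained.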
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/system/software/integrity.xml | 13 ++++++------- 1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/RHEL/6/input/system/software/integrity.xml b/RHEL/6/input/system/software/integrity.xml index 0c14ecc..eca2b8e 100644 --- a/RHEL/6/input/system/software/integrity.xml +++ b/RHEL/6/input/system/software/integrity.xml @@ -221,7 +221,7 @@ intruder gains access to a system or network.
<description> Install virus scanning software, which uses signatures to search for the presence of viruses on the filesystem. -The McAfee uvscan virus scanning tool is provided for DoD systems. +The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems. Ensure virus definition files are no older than 7 days, or their last release. <!-- need info here on where DoD admins can go to get this --> Configure the virus scanning software to perform scans dynamically on all @@ -234,18 +234,17 @@ to scan all received mail. with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your particular neighborhood) should occur? --> </description> -<ocil clause="virus scanning software does not run daily, or has signatures that are out of date"> +<ocil clause="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date"> Inspect the system for a cron job or system service which executes a virus scanning tool regularly. <br/> <!-- this should be handled as DoD-specific text in a future revision --> -To verify the McAfee command line scan tool (uvscan) is scheduled for -regular execution, run the following command to check for a cron job: -<pre># grep uvscan/etc/cron* /var/spool/cron/*</pre> -This will reveal if and when the uvscan program will be run. +To verify the McAfee VSEL system service is operational, +run the following command: +<pre># /etc/init.d/nails status</pre> <br/> To check on the age of uvscan virus definition files, run the following command: -<pre># cd /usr/local/uvscan +<pre># cd /opt/NAI/LinuxShield/engine/dat # ls -la avvscan.dat avvnames.dat avvclean.dat</pre> </ocil> <rationale> -- 1.7.1
Syntax wise this patch is good. As I don't have a copy of VSEL, I'll have to trust the filepaths are correct.
Question: The OCIL asks for continuously or daily operations, whereas the check text ("nails status") only returns if VSEL is currently running. Should OCIL check text be added to check for cron jobs as well?
I'll go ahead and ack this as-is to keep upstream aligned with FSO content, and we'll patch as needed.
From: Leland Steinke leland.j.steinke.ctr@mail.mil
This is no longer a requirement
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 4 ++-- .../input/profiles/stig-rhel6-server-upstream.xml | 2 -- RHEL/6/input/system/accounts/pam.xml | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 958b119..9d90605 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1247,10 +1247,10 @@ <VMSinfo VKey="38486" SVKey="50287" VRelease="1" /> <title>The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.</title> </overlay> - <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000506" disa="52" severity="medium"> +<!-- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000506" disa="52" severity="medium"> <VMSinfo VKey="38485" SVKey="50286" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty.</title> - </overlay> + </overlay> --> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000507" disa="52" severity="medium"> <VMSinfo VKey="38484" SVKey="50285" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.</title> diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index 9b01757..518aa04 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -91,8 +91,6 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
<select idref="smartcard_auth" selected="true" />
-<select idref="display_login_attempts" selected="true" /> - <select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="accounts_passwords_pam_fail_interval" selected="true" /> diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index 66f932d..69721be 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -76,7 +76,7 @@ and gives them an opportunity to notify administrators. </rationale> <ident cce="27291-4" /> <oval id="display_login_attempts" /> -<ref disa="53" /> +<ref disa="" /> </Rule>
<Group id="password_quality">
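Review bot: the stig_overlay.xml hunk comments out the RHEL-06-000506 overlay with "<!-- ... -->" instead of deleting it, which leaves dead XML in the overlay; if the requirement is gone, remove the element and let git carry the history. In the pam.xml hunk, "<ref disa="" />" replaces "<ref disa="53" />" with an empty attribute; an empty CCI reference conveys nothing and risks surfacing as a blank reference in generated output, so drop the <ref> element rather than blanking it. The commit message ("This is no longer a requirement") would also benefit from naming the STIG release in which the requirement was withdrawn.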
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
This is no longer a requirement
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 4 ++-- .../input/profiles/stig-rhel6-server-upstream.xml | 2 -- RHEL/6/input/system/accounts/pam.xml | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 958b119..9d90605 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1247,10 +1247,10 @@ <VMSinfo VKey="38486" SVKey="50287" VRelease="1" /> <title>The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.</title>
</overlay> - <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000506" disa="52" severity="medium"> +<!-- <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000506" disa="52" severity="medium"> <VMSinfo VKey="38485" SVKey="50286" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty.</title> - </overlay> + </overlay> --> <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-06-000507" disa="52" severity="medium"> <VMSinfo VKey="38484" SVKey="50285" VRelease="1" /> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.</title> diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index 9b01757..518aa04 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -91,8 +91,6 @@ upstream project homepage ishttps://fedorahosted.org/scap-security-guide/.
<select idref="smartcard_auth" selected="true" />
-<select idref="display_login_attempts" selected="true" />
<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="accounts_passwords_pam_fail_interval" selected="true" />
diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index 66f932d..69721be 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -76,7 +76,7 @@ and gives them an opportunity to notify administrators.
</rationale> <ident cce="27291-4" /> <oval id="display_login_attempts" /> -<ref disa="53" /> +<ref disa="" /> </Rule>
<Group id="password_quality"> -- 1.7.1 --
ack (I see this was added back in via patch 15, and the original FSO patch just updated the CCI mapping)
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Remaps to CCI 366
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 3 ++- .../input/profiles/stig-rhel6-server-upstream.xml | 2 ++ RHEL/6/input/system/accounts/pam.xml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 9d90605..53b9687 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1028,7 +1028,8 @@ <overlay owner="disastig" ruleid="unselected" ownerid="RHEL-06-000371" disa="52" severity="medium"> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI.</title> </overlay> - <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-06-000372" disa="53" severity="medium"> + <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-06-000372" disa="366" severity="medium"> + <VMSinfo VKey="51875" SVKey="66089" VRelease="1" /> <title>The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.</title> </overlay> <overlay owner="disastig" ruleid="met_inherently_generic" ownerid="RHEL-06-000373" disa="56" severity="medium"> diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index 518aa04..9b01757 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -91,6 +91,8 @@ upstream project homepage is https://fedorahosted.org/scap-security-guide/.
<select idref="smartcard_auth" selected="true" />
+<select idref="display_login_attempts" selected="true" /> + <select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="accounts_passwords_pam_fail_interval" selected="true" /> diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index 69721be..d457e1b 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -76,7 +76,7 @@ and gives them an opportunity to notify administrators. </rationale> <ident cce="27291-4" /> <oval id="display_login_attempts" /> -<ref disa="" /> +<ref disa="366" /> </Rule>
<Group id="password_quality">
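Review bot: this patch re-adds the display_login_attempts profile selection and fills in the disa ref that the preceding patch blanked, so the two belong squashed into a single "remap RHEL-06-000372 to CCI 366" change; as submitted, the intermediate state (rule deselected, "<ref disa="" />") lands in history as a broken commit. The content itself is consistent: disa="366" on the overlay, "<ref disa="366" />" in pam.xml, and the new VMSinfo line with VKey 51875 / SVKey 66089.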
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Remaps to CCI 366
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 3 ++- .../input/profiles/stig-rhel6-server-upstream.xml | 2 ++ RHEL/6/input/system/accounts/pam.xml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 9d90605..53b9687 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -1028,7 +1028,8 @@
<overlay owner="disastig" ruleid="unselected" ownerid="RHEL-06-000371" disa="52" severity="medium"> <title>The operating system, upon successful logon, must display to the user the date and time of the last logon (access) via GUI.</title> </overlay> - <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-06-000372" disa="53" severity="medium"> + <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-06-000372" disa="366" severity="medium"> + <VMSinfo VKey="51875" SVKey="66089" VRelease="1" /> <title>The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.</title> </overlay> <overlay owner="disastig" ruleid="met_inherently_generic" ownerid="RHEL-06-000373" disa="56" severity="medium"> diff --git a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml index 518aa04..9b01757 100644 --- a/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml +++ b/RHEL/6/input/profiles/stig-rhel6-server-upstream.xml @@ -91,6 +91,8 @@ upstream project homepage ishttps://fedorahosted.org/scap-security-guide/.
<select idref="smartcard_auth" selected="true" />
+<select idref="display_login_attempts" selected="true" />
<select idref="accounts_passwords_pam_faillock_unlock_time" selected="true" /> <refine-value idref="var_accounts_passwords_pam_faillock_unlock_time" selector="604800"/> <select idref="accounts_passwords_pam_fail_interval" selected="true" />
diff --git a/RHEL/6/input/system/accounts/pam.xml b/RHEL/6/input/system/accounts/pam.xml index 69721be..d457e1b 100644 --- a/RHEL/6/input/system/accounts/pam.xml +++ b/RHEL/6/input/system/accounts/pam.xml @@ -76,7 +76,7 @@ and gives them an opportunity to notify administrators.
</rationale> <ident cce="27291-4" /> <oval id="display_login_attempts" /> -<ref disa="" /> +<ref disa="366" /> </Rule>
<Group id="password_quality"> -- 1.7.1 --
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- .../checks/selinux_all_devicefiles_labeled.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml index fe9f343..b160322 100644 --- a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml +++ b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml @@ -11,7 +11,7 @@ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" /> </criteria> </definition> - <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="all_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1"> + <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1"> <linux:object object_ref="object_selinux_all_devicefiles_labeled" /> <linux:state state_ref="state_selinux_all_devicefiles_labeled" /> </linux:selinuxsecuritycontext_test>
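Review bot: the check_existence change from "all_exist" to "any_exist" alters what the selinuxsecuritycontext_test means but leaves version="1" on it (the bump arrives in the next patch; fold it in here). The commit message should also say why: with check="none satisfy" the intent is that no /dev entry carries unlabeled_t, and on a compliant system the object collects no items at all, a case that all_exist does not treat as satisfied, whereas any_exist lets the state check decide. Without that sentence the next reader will wonder whether any_exist was a typo for none_exist.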
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
.../checks/selinux_all_devicefiles_labeled.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml index fe9f343..b160322 100644 --- a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml +++ b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml @@ -11,7 +11,7 @@ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" /> </criteria> </definition>
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="all_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1">
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1"> <linux:object object_ref="object_selinux_all_devicefiles_labeled" /> <linux:state state_ref="state_selinux_all_devicefiles_labeled" /> </linux:selinuxsecuritycontext_test>
-- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- .../checks/selinux_all_devicefiles_labeled.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml index b160322..3e99347 100644 --- a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml +++ b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml @@ -11,7 +11,7 @@ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" /> </criteria> </definition> - <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1"> + <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2"> <linux:object object_ref="object_selinux_all_devicefiles_labeled" /> <linux:state state_ref="state_selinux_all_devicefiles_labeled" /> </linux:selinuxsecuritycontext_test>
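Review bot: a version-only bump as a separate commit directly after the patch that changed the test's check_existence; fold it into that commit so the version attribute and the semantic change it records travel together, which is what the OVAL version attribute is for.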
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
.../checks/selinux_all_devicefiles_labeled.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml index b160322..3e99347 100644 --- a/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml +++ b/RHEL/6/input/checks/selinux_all_devicefiles_labeled.xml @@ -11,7 +11,7 @@ <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_all_devicefiles_labeled" /> </criteria> </definition>
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="1">
- <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="unlabeled_t in /dev" id="test_selinux_all_devicefiles_labeled" version="2"> <linux:object object_ref="object_selinux_all_devicefiles_labeled" /> <linux:state state_ref="state_selinux_all_devicefiles_labeled" /> </linux:selinuxsecuritycontext_test>
-- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- ...sctl_net_ipv6_conf_default_accept_redirects.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml index bbd1cbc..34dc00f 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml @@ -1,6 +1,6 @@ <def-group> <!-- THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT. --> - <definition class="compliance" id="sysctl_net_ipv6_conf_default_accept_redirects" version="1"> + <definition class="compliance" id="sysctl_net_ipv6_conf_default_accept_redirects" version="2"> <metadata> <title>Kernel Runtime Parameter "net.ipv6.conf.default.accept_redirects" Check</title> <affected family="unix">
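Review bot: the file's own header in the hunk says "THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT.", so a hand edit to version in sysctl_net_ipv6_conf_default_accept_redirects.xml will be lost on the next generation run; the change belongs in RHEL/6/input/checks/templates/template_sysctl (or the generator's input data), with the regenerated file committed from there.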
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
...sctl_net_ipv6_conf_default_accept_redirects.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml index bbd1cbc..34dc00f 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_redirects.xml @@ -1,6 +1,6 @@
<def-group> <!-- THIS FILE IS GENERATED by create_sysctl_checks.py. DO NOT EDIT. --> - <definition class="compliance" id="sysctl_net_ipv6_conf_default_accept_redirects" version="1"> + <definition class="compliance" id="sysctl_net_ipv6_conf_default_accept_redirects" version="2"> <metadata> <title>Kernel Runtime Parameter "net.ipv6.conf.default.accept_redirects" Check</title> <affected family="unix"> -- 1.7.1
nack - this is a templated file.
I see you updated the template in p21 though.
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/system/auditing.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index fbad0a9..787b255 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -556,7 +556,7 @@ See an example of multiple combined syscalls: -k audit_time_rules</pre> </description> <ocil clause="the system is not configured to audit time changes"> -if the system is 64-bit only, this is not applicable.<br /> +If the system is 64-bit only, this is not applicable.<br /> <audit-syscall-check-macro syscall="stime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate
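Review bot: a one-character capitalisation fix ("if" to "If") on a sentence introduced earlier in this same series; squash it into the patch that added the sentence rather than carrying a separate commit for it.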
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/system/auditing.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/system/auditing.xml b/RHEL/6/input/system/auditing.xml index fbad0a9..787b255 100644 --- a/RHEL/6/input/system/auditing.xml +++ b/RHEL/6/input/system/auditing.xml @@ -556,7 +556,7 @@ See an example of multiple combined syscalls: -k audit_time_rules</pre>
</description> <ocil clause="the system is not configured to audit time changes"> -if the system is 64-bit only, this is not applicable.<br /> +If the system is 64-bit only, this is not applicable.<br /> <audit-syscall-check-macro syscall="stime" /> </ocil> <rationale>Arbitrary changes to the system time can be used to obfuscate -- 1.7.1
ack
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 53b9687..2f85362 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -52,7 +52,7 @@ <VMSinfo VKey="51337" SVKey="65547" VRelease="1" /> <title>The system must use a Linux Security Module at boot time.</title> </overlay> - <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="low"> + <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="medium"> <VMSinfo VKey="51391" SVKey="65601" VRelease="1" /> <title>A file integrity baseline must be created.</title> </overlay>
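Review bot: severity changes from "low" to "medium" on the aide_build_database overlay while VRelease stays at "1"; elsewhere in this series a content change to an overlay is paired with a VRelease increment, so confirm whether the VMS entry (VKey 51391 / SVKey 65601) was re-released with the new severity and bump VRelease to match, or record in the commit message why it was not.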
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil
RHEL/6/input/auxiliary/stig_overlay.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL/6/input/auxiliary/stig_overlay.xml b/RHEL/6/input/auxiliary/stig_overlay.xml index 53b9687..2f85362 100644 --- a/RHEL/6/input/auxiliary/stig_overlay.xml +++ b/RHEL/6/input/auxiliary/stig_overlay.xml @@ -52,7 +52,7 @@ <VMSinfo VKey="51337" SVKey="65547" VRelease="1" /> <title>The system must use a Linux Security Module at boot time.</title>
</overlay> - <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="low"> + <overlay owner="disastig" ruleid="aide_build_database" ownerid="RHEL-06-000018" disa="1069" severity="medium"> <VMSinfo VKey="51391" SVKey="65601" VRelease="1" /> <title>A file integrity baseline must be created.</title> </overlay> -- 1.7.1
From: Leland Steinke leland.j.steinke.ctr@mail.mil
Individual changes created by:
- <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$</ind:pattern>
And then 'make sysctls' from templates
Signed-off-by: Leland Steinke leland.j.steinke.ctr@mail.mil --- RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml | 2 +- .../input/checks/sysctl_kernel_dmesg_restrict.xml | 2 +- RHEL/6/input/checks/sysctl_kernel_exec_shield.xml | 2 +- .../checks/sysctl_kernel_randomize_va_space.xml | 2 +- .../sysctl_net_ipv4_conf_all_accept_redirects.xml | 2 +- ...ysctl_net_ipv4_conf_all_accept_source_route.xml | 2 +- .../sysctl_net_ipv4_conf_all_log_martians.xml | 2 +- .../checks/sysctl_net_ipv4_conf_all_rp_filter.xml | 2 +- .../sysctl_net_ipv4_conf_all_secure_redirects.xml | 2 +- .../sysctl_net_ipv4_conf_all_send_redirects.xml | 2 +- ...sctl_net_ipv4_conf_default_accept_redirects.xml | 2 +- ...l_net_ipv4_conf_default_accept_source_route.xml | 2 +- .../sysctl_net_ipv4_conf_default_rp_filter.xml | 2 +- ...sctl_net_ipv4_conf_default_secure_redirects.xml | 2 +- ...sysctl_net_ipv4_conf_default_send_redirects.xml | 2 +- ...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml | 2 +- ..._net_ipv4_icmp_ignore_bogus_error_responses.xml | 2 +- RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml | 2 +- .../checks/sysctl_net_ipv4_tcp_syncookies.xml | 2 +- .../sysctl_net_ipv6_conf_default_accept_ra.xml | 2 +- RHEL/6/input/checks/templates/template_sysctl | 2 +- 21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml b/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml index 324e98f..96caee5 100644 --- a/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml +++ b/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_fs_suid_dumpable" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
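Review bot: the old pattern "^[\s]*fs.suid_dumpable[\s]*=[\s]*0*$" applies the quantifier to the last character of the value, so "0*" means zero or more zeros: a line such as "fs.suid_dumpable =" with no value, or "fs.suid_dumpable = 000", matched, while a correct "fs.suid_dumpable = 0 " with trailing whitespace did not. The new "0[\s]*$" fixes both, and the same defect is corrected in each sibling file (for example "2*$" on kernel.randomize_va_space accepted an empty value or "22"). Two follow-ups: the "." in the parameter name is unescaped and matches any character ("\." would be exact), and the textfilecontent54_object keeps version="1" although its pattern changed; since the template fix regenerates all of these files, put the version increment in the template too so every generated check carries it.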
diff --git a/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml b/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml index f92c343..0b8addf 100644 --- a/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml +++ b/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_dmesg_restrict" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
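Review bot: the subject says "increment versions", but the diffstat is one changed line per file and `<ind:textfilecontent54_object id="object_static_sysctl_kernel_dmesg_restrict" version="1">` in this hunk keeps `version="1"` even though its pattern changed. OVAL uses the version attribute to signal that an object, test or definition has changed; an object whose regex now produces different results should get its version bumped, along with the test and definition that reference it. If that bump is expected to come from the template regeneration, it is not in this diff, so either add it here or drop the claim from the subject.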
diff --git a/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml b/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml index 5567f65..4b6e1a7 100644 --- a/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml +++ b/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_exec_shield" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml b/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml index fc3ad18..0fafa94 100644 --- a/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml +++ b/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_randomize_va_space" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*2*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml index c3f5397..68305b5 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_accept_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml index aa59faf..71c53a0 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_accept_source_route" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml index 2697ef8..e372295 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_log_martians" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml index a88e565..7634cea 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_rp_filter" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml index 216dd9f..9f484c7 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_secure_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml index 99c1482..5ba32e8 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_send_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml index c89b481..e375550 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_accept_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml index 97a270e..88abd9b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_accept_source_route" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml index 9e2f8d1..b8a8cef 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_rp_filter" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml index 83746db..33cb5fc 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_secure_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml index 1fb964c..98fb016 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_send_redirects" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml index bac586d..0cf8a5a 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml index 51e924d..71837d2 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml b/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml index 914e979..ccdc055 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_ip_forward" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml b/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml index 7842f2e..ec8f09b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_tcp_syncookies" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml index 1c7f64c..75e388b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv6_conf_default_accept_ra" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*0*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/templates/template_sysctl b/RHEL/6/input/checks/templates/template_sysctl index be623db..b568a81 100644 --- a/RHEL/6/input/checks/templates/template_sysctl +++ b/RHEL/6/input/checks/templates/template_sysctl @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_SYSCTLID" version="1"> ind:filepath/etc/sysctl.conf</ind:filepath> - <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern> + <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
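Review bot: this is the hunk that matters, since the twenty check files above are regenerated from it by `make sysctls`, and two things follow from that. The diffstat lists twenty generated checks plus the template, yet the cover letter for this series separately bumps sysctl_net_ipv6_conf_default_accept_redirects, which is absent from this list; confirm that check's static /etc/sysctl.conf pattern already has the `SYSCTLVAL[\s]*$` form or regenerate it as well. Also, `SYSCTLVAR` is substituted unescaped, so the `.` separators in a name like `net.ipv4.ip_forward` match any character; escaping them at generation time (`net\.ipv4\.ip_forward`) would tighten every generated check in one place.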
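The regex behaviour this patch corrects, as an added example that is not code from the page or from the project: it builds the static sysctl.conf pattern the way template_sysctl does, in both the old and the new form, and runs each over constructed sysctl.conf lines; the variable, the expected value and the sample lines are my choices.

```python
import re

# Patterns assembled the way the page's template_sysctl assembles them once
# SYSCTLVAR and SYSCTLVAL are substituted. As in the template, neither the
# value nor the dots in the variable name are escaped.
def old_pattern(var: str, val: str) -> str:
    # Buggy form: the trailing * binds to the last character of the value only.
    return rf"^[\s]*{var}[\s]*=[\s]*{val}*$"


def new_pattern(var: str, val: str) -> str:
    # Fixed form: the exact value, then optional trailing blanks, then end of line.
    return rf"^[\s]*{var}[\s]*=[\s]*{val}[\s]*$"


def matches(pattern: str, line: str) -> bool:
    """True when the OVAL-style pattern matches one sysctl.conf line."""
    return re.search(pattern, line) is not None


# Constructed sample lines (not taken from any real host) paired with the
# verdict a correct check for "kernel.randomize_va_space = 2" should give.
SAMPLES = [
    ("kernel.randomize_va_space = 2", True),
    ("kernel.randomize_va_space=2", True),
    ("   kernel.randomize_va_space = 2   ", True),   # trailing whitespace, common in hand-edited files
    ("kernel.randomize_va_space =", False),         # empty value
    ("kernel.randomize_va_space = 22", False),      # out-of-range value
    ("kernel.randomize_va_space = 1", False),       # partial ASLR only
    ("# kernel.randomize_va_space = 2", False),     # commented out
]


def misjudged(pattern_fn, var: str, val: str, samples=SAMPLES) -> list:
    """Sample lines on which the pattern built by pattern_fn disagrees with the expected verdict."""
    pattern = pattern_fn(var, val)
    return [line for line, expected in samples if matches(pattern, line) != expected]


def compare(var: str = "kernel.randomize_va_space", val: str = "2") -> dict:
    """Lines misjudged by each form, keyed 'old' and 'new'."""
    return {"old": misjudged(old_pattern, var, val), "new": misjudged(new_pattern, var, val)}


if __name__ == "__main__":
    for form, lines in compare().items():
        print(f"{form} pattern misjudges {len(lines)} line(s): {lines!r}")
```

The old form wrongly accepts the empty value and `22` and wrongly rejects the line with trailing whitespace; the new form gets all seven right.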
On 7/27/14, 11:27 PM, Shawn Wells wrote:
From: Leland Steinkeleland.j.steinke.ctr@mail.mil
Individual changes created by:
- <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$</ind:pattern>
And then 'make sysctls' from templates
Signed-off-by: Leland Steinkeleland.j.steinke.ctr@mail.mil
RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml | 2 +- .../input/checks/sysctl_kernel_dmesg_restrict.xml | 2 +- RHEL/6/input/checks/sysctl_kernel_exec_shield.xml | 2 +- .../checks/sysctl_kernel_randomize_va_space.xml | 2 +- .../sysctl_net_ipv4_conf_all_accept_redirects.xml | 2 +- ...ysctl_net_ipv4_conf_all_accept_source_route.xml | 2 +- .../sysctl_net_ipv4_conf_all_log_martians.xml | 2 +- .../checks/sysctl_net_ipv4_conf_all_rp_filter.xml | 2 +- .../sysctl_net_ipv4_conf_all_secure_redirects.xml | 2 +- .../sysctl_net_ipv4_conf_all_send_redirects.xml | 2 +- ...sctl_net_ipv4_conf_default_accept_redirects.xml | 2 +- ...l_net_ipv4_conf_default_accept_source_route.xml | 2 +- .../sysctl_net_ipv4_conf_default_rp_filter.xml | 2 +- ...sctl_net_ipv4_conf_default_secure_redirects.xml | 2 +- ...sysctl_net_ipv4_conf_default_send_redirects.xml | 2 +- ...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml | 2 +- ..._net_ipv4_icmp_ignore_bogus_error_responses.xml | 2 +- RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml | 2 +- .../checks/sysctl_net_ipv4_tcp_syncookies.xml | 2 +- .../sysctl_net_ipv6_conf_default_accept_ra.xml | 2 +- RHEL/6/input/checks/templates/template_sysctl | 2 +- 21 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml b/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml index 324e98f..96caee5 100644 --- a/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml +++ b/RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_fs_suid_dumpable" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml b/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml index f92c343..0b8addf 100644 --- a/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml +++ b/RHEL/6/input/checks/sysctl_kernel_dmesg_restrict.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_dmesg_restrict" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml b/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml index 5567f65..4b6e1a7 100644 --- a/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml +++ b/RHEL/6/input/checks/sysctl_kernel_exec_shield.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_exec_shield" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*kernel.exec-shield[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml b/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml index fc3ad18..0fafa94 100644 --- a/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml +++ b/RHEL/6/input/checks/sysctl_kernel_randomize_va_space.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_kernel_randomize_va_space" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*2*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*2[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml index c3f5397..68305b5 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_accept_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml index aa59faf..71c53a0 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_accept_source_route.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_accept_source_route" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml index 2697ef8..e372295 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_log_martians.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_log_martians" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml index a88e565..7634cea 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_rp_filter.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_rp_filter" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml index 216dd9f..9f484c7 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_secure_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_secure_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml index 99c1482..5ba32e8 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_all_send_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_all_send_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml index c89b481..e375550 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_accept_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml index 97a270e..88abd9b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_accept_source_route.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_accept_source_route" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml index 9e2f8d1..b8a8cef 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_rp_filter.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_rp_filter" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml index 83746db..33cb5fc 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_secure_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_secure_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml index 1fb964c..98fb016 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_conf_default_send_redirects.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_conf_default_send_redirects" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml index bac586d..0cf8a5a 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml index 51e924d..71837d2 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_icmp_ignore_bogus_error_responses.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml b/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml index 914e979..ccdc055 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_ip_forward" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml b/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml index 7842f2e..ec8f09b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv4_tcp_syncookies.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv4_tcp_syncookies" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml index 1c7f64c..75e388b 100644 --- a/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml +++ b/RHEL/6/input/checks/sysctl_net_ipv6_conf_default_accept_ra.xml @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_net_ipv6_conf_default_accept_ra" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*0*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*0[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
diff --git a/RHEL/6/input/checks/templates/template_sysctl b/RHEL/6/input/checks/templates/template_sysctl index be623db..b568a81 100644 --- a/RHEL/6/input/checks/templates/template_sysctl +++ b/RHEL/6/input/checks/templates/template_sysctl @@ -26,7 +26,7 @@
<ind:textfilecontent54_object id="object_static_sysctl_SYSCTLID" version="1"> <ind:filepath>/etc/sysctl.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL*$</ind:pattern>
- <ind:pattern operation="pattern match">^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$</ind:pattern> <ind:instance datatype="int">1</ind:instance> </ind:textfilecontent54_object>
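Review bot: SYSCTLVAR is interpolated into the pattern `^[\s]*SYSCTLVAR[\s]*=[\s]*SYSCTLVAL[\s]*$` verbatim, so each `.` in a key such as `net.ipv4.ip_forward` is a regex metacharacter matching any character; have the generator escape the substituted key (`net\.ipv4\.ip_forward`) so an unrelated key with the same shape cannot satisfy the check. Also, this template carries the same object and pattern as the 21 sysctl check files patched above; regenerate those files from the corrected template rather than hand-editing both, so the two copies cannot drift apart in later changes.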
-- 1.7.1
ack
On 7/27/14, 11:26 PM, Shawn Wells wrote:
DISA FSO has provided the following patches based on end-user feedback and updates done amongst the DISA FSO staff. Submitting to list on their behalf.
-shawn
Leland Steinke (21):
Update aide_build_database
Add VMS/DPMS mappings in stig_overlay
Update VRelease attributes for DISA FSO VMS tags
Add set_ip6tables_default_rule to common, map to STIG RHEL-06-000523
Update VRelease attribute for RHEL-06-000008 (ensure_redhat_gpgkey_installed)
Add reload to set_ip6tables_default_rule
[bugfix] modify file_permissions_library_dirs to follow symlinks
[bugfix] Modify file_permissions_binary_dirs to follow symlinks
Increment VRelease for sysctl_ipv6_default_accept_redirects/RHEL-06-000099
Check syscall audits explicitly to avoid partial matches
Add applicability statement to audit_rules_time_stime/RHEL-06-000169
Give SELinux precedence over HBSS in install_hids/RHEL-06-000285
Update install_antivirus/RHEL-06-000284 from uvscan to VSEL/nails
Remove display_login_attempts/RHEL-06-000506 from RHEL 6 STIG
Add display_login_attempts/RHEL-06-000372 to STIG
[bugfix] Update selinux_all_devicefiles to "any_exist"
Increment OVAL version for selinux_all_devicefiles_labeled
Update OVAL version for sysctl_net_ipv6_conf_default_accept_redirects
Fix lowercase in system/auditing.xml
Update severity of aide_build_database in stig_overlay.xml
[bugfix] Correct static sysctl.conf check regex and increment versions
RHEL/6/input/auxiliary/stig_overlay.xml            | 87 +++++++++++---------
.../checks/selinux_all_devicefiles_labeled.xml     |  2 +-
RHEL/6/input/checks/sysctl_fs_suid_dumpable.xml    |  2 +-
.../input/checks/sysctl_kernel_dmesg_restrict.xml  |  2 +-
RHEL/6/input/checks/sysctl_kernel_exec_shield.xml  |  2 +-
.../checks/sysctl_kernel_randomize_va_space.xml    |  2 +-
.../sysctl_net_ipv4_conf_all_accept_redirects.xml  |  2 +-
...ysctl_net_ipv4_conf_all_accept_source_route.xml |  2 +-
.../sysctl_net_ipv4_conf_all_log_martians.xml      |  2 +-
.../checks/sysctl_net_ipv4_conf_all_rp_filter.xml  |  2 +-
.../sysctl_net_ipv4_conf_all_secure_redirects.xml  |  2 +-
.../sysctl_net_ipv4_conf_all_send_redirects.xml    |  2 +-
...sctl_net_ipv4_conf_default_accept_redirects.xml |  2 +-
...l_net_ipv4_conf_default_accept_source_route.xml |  2 +-
.../sysctl_net_ipv4_conf_default_rp_filter.xml     |  2 +-
...sctl_net_ipv4_conf_default_secure_redirects.xml |  2 +-
...sysctl_net_ipv4_conf_default_send_redirects.xml |  2 +-
...sysctl_net_ipv4_icmp_echo_ignore_broadcasts.xml |  2 +-
..._net_ipv4_icmp_ignore_bogus_error_responses.xml |  2 +-
RHEL/6/input/checks/sysctl_net_ipv4_ip_forward.xml |  2 +-
.../checks/sysctl_net_ipv4_tcp_syncookies.xml      |  2 +-
.../sysctl_net_ipv6_conf_default_accept_ra.xml     |  2 +-
...sctl_net_ipv6_conf_default_accept_redirects.xml |  2 +-
RHEL/6/input/checks/templates/template_sysctl      |  2 +-
RHEL/6/input/profiles/common.xml                   |  1 +
RHEL/6/input/system/accounts/pam.xml               |  2 +-
RHEL/6/input/system/auditing.xml                   |  3 +
RHEL/6/input/system/network/iptables.xml           |  2 +
RHEL/6/input/system/permissions/files.xml          |  4 +-
RHEL/6/input/system/software/integrity.xml         | 27 ++++--
30 files changed, 97 insertions(+), 75 deletions(-)
went through patches individually - they were OK (one exception, patch 18)
pushing patches on FSO's behalf...
$ git push
Enter passphrase for key '/home/shawnw/.ssh/id_rsa':
Counting objects: 240, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (202/202), done.
Writing objects: 100% (202/202), 17.90 KiB, done.
Total 202 (delta 157), reused 0 (delta 0)
To ssh://shawndwells@git.fedorahosted.org/git/scap-security-guide.git
   c20e040..c1c1972  master -> master
scap-security-guide@lists.fedorahosted.org