On 9/30/13 7:20 AM, Rui Pedro Bernardino wrote:
From e7a1c407a07e21dc1f47d089d825518f14582826 Mon Sep 17 00:00:00 2001
From: rbernardino rui-p-bernardino@ptinovacao.pt
Date: Mon, 30 Sep 2013 12:00:16 +0100
Subject: [PATCH] Use variables in XCCDF texts to match profile values.
Signed-off-by: rbernardino rui-p-bernardino@ptinovacao.pt
RHEL6/input/services/ssh.xml | 4 +-
RHEL6/input/system/accounts/banners.xml | 30 +++--------------
RHEL6/input/system/accounts/pam.xml | 34 ++++++++++----------
RHEL6/input/system/accounts/physical.xml | 4 +-
.../accounts/restrictions/account_expiration.xml | 8 ++---
.../accounts/restrictions/password_expiration.xml | 17 ++++++----
RHEL6/input/system/accounts/session.xml | 20 ++++++------
RHEL6/input/system/auditing.xml | 23 ++++++-------
RHEL6/input/system/permissions/execution.xml | 7 ++--
RHEL6/input/system/selinux.xml | 12 +++---
10 files changed, 68 insertions(+), 91 deletions(-)
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index d010c7b..1d3dad4 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml @@ -147,7 +147,7 @@ automatically logged out. <br /><br /> To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as follows: -<pre>ClientAliveInterval <b>interval</b></pre> +<pre>ClientAliveInterval <b><sub idref="sshd_idle_timeout_value"/></b></pre> The timeout <b>interval</b> is given in seconds. To have a timeout of 15 minutes, set <b>interval</b> to 900. <br /><br /> @@ -160,7 +160,7 @@ from correctly detecting that the user is idle. Run the following command to see what the timeout interval is:
<pre># grep ClientAliveInterval /etc/ssh/sshd_config</pre>
If properly configured, the output should be: -<pre>ClientAliveInterval 900</pre> +<pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value"/></pre>
</ocil> <rationale> Causing idle users to be automatically logged out diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml index 0b8dc83..6024f72 100644 --- a/RHEL6/input/system/accounts/banners.xml +++ b/RHEL6/input/system/accounts/banners.xml @@ -35,31 +35,10 @@ To configure the system login banner: <br /><br /> Edit <tt>/etc/issue</tt>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. +<pre> +<sub idref="login_banner_text"/> +</pre>
-The DoD required text is either: -<br /><br /> -<tt>You are accessing a U.S. Government (USG) Information System (IS) that is -provided for USG-authorized use only. By using this IS (which includes any -device attached to this IS), you consent to the following conditions: -<br />-The USG routinely intercepts and monitors communications on this IS for purposes -including, but not limited to, penetration testing, COMSEC monitoring, network -operations and defense, personnel misconduct (PM), law enforcement (LE), and -counterintelligence (CI) investigations. -<br />-At any time, the USG may inspect and seize data stored on this IS. -<br />-Communications using, or data stored on, this IS are not private, are subject -to routine monitoring, interception, and search, and may be disclosed or used -for any USG-authorized purpose. -<br />-This IS includes security measures (e.g., authentication and access controls) -to protect USG interests -- not for your personal benefit or privacy. -<br />-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative -searching or monitoring of the content of privileged communications, or work -product, related to personal representation or services by attorneys, -psychotherapists, or clergy, and their assistants. Such communications and work -product are private and confidential. See User Agreement for details.</tt> -<br /><br /> -OR: -<br /><br /> -<tt>I've read & consent to terms in IS user agreem't.</tt>
</description> <ocil clause="it does not display the required banner"> To check if the system login banner is compliant, @@ -120,7 +99,7 @@ in the login screen, run the following command: <pre>sudo -u gdm gconftool-2 \ --type string \ --set /apps/gdm/simple-greeter/banner_message_text \ - "Text of the warning banner here"</pre> + "<sub idref="login_banner_text"/>"</pre> When entering a warning banner that spans several lines, remember to begin and end the string with <tt>"</tt>. This command writes directly to the file <tt>/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</tt>, @@ -136,6 +115,7 @@ An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. </rationale> <ident cce="27017-3" /> +<oval id="banner_gui_text_set" value="login_banner_text" /> <ref nist="AC-8(a),AC-8(b),AC-8(c)" disa="48,1384,1385,1386,1387,1388" /> </Rule>
diff --git a/RHEL6/input/system/accounts/pam.xml b/RHEL6/input/system/accounts/pam.xml index 4bfb0c2..989ec3b 100644 --- a/RHEL6/input/system/accounts/pam.xml +++ b/RHEL6/input/system/accounts/pam.xml @@ -225,7 +225,7 @@ operator="equals" interactive="0"> <description>To configure the number of retry prompts that are permitted per-session: <br /><br /> Edit the <tt>pam_cracklib.so</tt> statement in <tt>/etc/pam.d/system-auth</tt> to -show <tt>retry=3</tt>, or a lower value if site policy is more restrictive. +show <tt>retry=<sub idref="var_password_pam_cracklib_retry"/></tt>, or a lower value if site policy is more restrictive. <br /><br /> The DoD requirement is a maximum of 3 prompts per session.
</description> @@ -273,14 +273,14 @@ Passwords with excessive repeating characters may be more vulnerable to password usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. -Add <tt>dcredit=-1</tt> after pam_cracklib.so to require use of a digit in passwords. +Add <tt>dcredit=<sub idref="var_password_pam_cracklib_dcredit"/></tt> after pam_cracklib.so to require use of a digit in passwords. </description> <ocil clause="dcredit is not found or not set to the required value"> To check how many digits are required in a password, run the following command: <pre>$ grep pam_cracklib /etc/pam.d/system-auth</pre> The <tt>dcredit</tt> parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. -This would appear as <tt>dcredit=-1</tt>. +This would appear as <tt>dcredit=<sub idref="var_password_pam_cracklib_dcredit"/></tt>. </ocil> <rationale> Requiring digits makes password guessing attacks more difficult by ensuring a larger @@ -298,7 +298,7 @@ search space. usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each uppercase character. -Add <tt>ucredit=-1</tt> after pam_cracklib.so to require use of an upper case character in passwords. +Add <tt>ucredit=<sub idref="var_password_pam_cracklib_ucredit"/></tt> after pam_cracklib.so to require use of an upper case character in passwords. </description> <ocil clause="ucredit is not found or not set to the required value"> To check how many uppercase characters are required in a password, run the following command: 
@@ -323,7 +323,7 @@ more difficult by ensuring a larger search space. usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each special character. -Add <tt>ocredit=-1</tt> after pam_cracklib.so to require use of a special character in passwords. +Add <tt>ocredit=<sub idref="var_password_pam_cracklib_ocredit"/></tt> after pam_cracklib.so to require use of a special character in passwords. </description> <ocil clause="ocredit is not found or not set to the required value"> To check how many special characters are required in a password, run the following command: @@ -348,7 +348,7 @@ more difficult by ensuring a larger search space. usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional length credit for each lowercase character. -Add <tt>lcredit=-1</tt> after pam_cracklib.so to require use of a lowercase character in passwords. +Add <tt>lcredit=<sub idref="var_password_pam_cracklib_lcredit"/></tt> after pam_cracklib.so to require use of a lowercase character in passwords. </description> <ocil clause="lcredit is not found or not set to the required value"> To check how many lowercase characters are required in a password, run the following command: 
@@ -371,8 +371,8 @@ more difficult by ensuring a larger search space. <title>Set Password Strength Minimum Different Characters</title> <description>The pam_cracklib module's <tt>difok</tt> parameter controls requirements for usage of different characters during a password change. -Add <tt>difok=<i>NUM</i></tt> after pam_cracklib.so to require differing -characters when changing passwords, substituting <i>NUM</i> appropriately. +Add <tt>difok=<i><sub idref="var_password_pam_cracklib_difok"/></i></tt> after pam_cracklib.so to require differing +characters when changing passwords. The DoD requirement is <tt>4</tt>. </description> <ocil clause="difok is not found or not set to the required value"> 
@@ -422,13 +422,13 @@ attempts using <tt>pam_faillock.so</tt>: <br /><br /> Add the following lines immediately below the <tt>pam_unix.so</tt> statement in <tt>AUTH</tt> section of <tt>/etc/pam.d/system-auth</tt>: -<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> -<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> +<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> +<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> </description> <ocil clause="that is not the case"> To ensure the failed password attempt policy is configured correctly, run the following command: <pre># grep pam_faillock /etc/pam.d/system-auth</pre> -The output should show <tt>deny=3</tt>. +The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/></tt>. </ocil> <rationale> Locking out user accounts after a number of incorrect attempts 
@@ -446,8 +446,8 @@ To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using <tt>pam_faillock.so</tt>: <br /><br /> Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>: -<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> -<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> +<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> +<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> </description> <ocil clause="that is not the case"> To ensure the failed password attempt policy is configured correctly, run the following command: 
@@ -472,8 +472,8 @@ To configure the system to lock out accounts after a number of incorrect login attempts within a 15 minute interval using <tt>pam_faillock.so</tt>: <br /><br /> Add the following lines immediately below the <tt>pam_env.so</tt> statement in <tt>/etc/pam.d/system-auth</tt>: -<pre>auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</pre> -<pre>auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</pre> +<pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> +<pre>auth required pam_faillock.so authsucc deny=<sub idref="var_accounts_passwords_pam_faillock_deny"/> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time"/> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval"/></pre> </description> <ocil clause="that is not the case"> To ensure the failed password attempt policy is configured correctly, run the following command: 
@@ -493,9 +493,9 @@ specific period of time prevents direct password guessing attacks. <title>Limit Password Reuse</title> <description>Do not allow users to reuse recent passwords. This can be accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt> PAM -module. In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=24</tt> to the +module. In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="password_history_retain_number" /></tt> to the line which refers to the <tt>pam_unix.so</tt> module, as shown: -<pre>password sufficient pam_unix.so <i>existing_options</i> remember=24</pre> +<pre>password sufficient pam_unix.so <i>existing_options</i> remember=<sub idref="password_history_retain_number" /></pre> The DoD and FISMA requirement is 24 passwords.</description> <ocil clause="it does not"> To verify the password reuse setting is compliant, run the following command: diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 1631797..c7b6c96 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -250,12 +250,12 @@ the man page <tt>gconftool-2(1)</tt>.</description> <title>Set GNOME Login Inactivity Timeout</title> <description> Run the following command to set the idle time-out value for -inactivity in the GNOME desktop to 15 minutes: +inactivity in the GNOME desktop to <sub idref="inactivity_timeout_value" /> minutes: <pre># gconftool-2 \ --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ - --set /apps/gnome-screensaver/idle_delay 15</pre> + --set /apps/gnome-screensaver/idle_delay <sub idref="inactivity_timeout_value" /></pre> </description> <ocil clause="it is not"> To check the current idle time-out value, run the following command: 
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index 18b2396..9d14001 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -32,12 +32,10 @@ normal command line utilities. <title>Set Account Expiration Following Inactivity</title> <description>To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct -the following lines in <tt>/etc/default/useradd</tt>, substituting -<tt><i>NUM_DAYS</i></tt> appropriately: -<pre>INACTIVE=<i>NUM_DAYS</i></pre> -A value of 35 is recommended. +the following lines in <tt>/etc/default/useradd</tt>, to match: +<pre>INACTIVE=<i><sub idref="var_account_disable_post_pw_expiration"/></i></pre> If a password is currently on the -verge of expiration, then 35 days remain until the account is automatically +verge of expiration, then <sub idref="var_account_disable_post_pw_expiration"/> days remain until the account is automatically disabled. However, if the password will not expire for another 60 days, then 95 days could elapse until the account would be automatically disabled. See the <tt>useradd</tt> man page for more information. Determining the inactivity diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml index ce8a082..db7a035 100644 --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml 
@@ -81,7 +81,10 @@ age, and 7 day warning period with the following command: <description>To specify password length requirements for new accounts, edit the file <tt>/etc/login.defs</tt> and add or correct the following lines: -<pre>PASS_MIN_LEN 14<!-- <sub idref="var_accounts_password_minlen_login_defs"> --></pre> +<pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/> </pre> +Also edit <tt>/etc/pam.d/system-auth</tt> and add <tt>minlen=<sub idref="var_accounts_password_minlen_login_defs"/></tt> to <tt>pam_cracklib.so</tt> entry, like: +<pre>password required pam_cracklib.so try_first_pass <i>existing_content</i> minlen=<sub idref="var_accounts_password_minlen_login_defs"/></pre> + <br/><br/> The DoD requirement is <tt>14</tt>. The FISMA requirement is <tt>12</tt>. @@ -113,8 +116,8 @@ behavior that may result. <title>Set Password Minimum Age</title> <description>To specify password minimum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line, replacing <i>DAYS</i> appropriately: -<pre>PASS_MIN_DAYS <i>DAYS</i></pre> +and add or correct the following line to match: +<pre>PASS_MIN_DAYS <sub idref="var_accounts_minimum_age_login_defs"/></pre> A value of 1 day is considered for sufficient for many environments. The DoD requirement is 1. @@ -140,8 +143,8 @@ after satisfying the password reuse requirement. <title>Set Password Maximum Age</title> <description>To specify password maximum age for new accounts, edit the file <tt>/etc/login.defs</tt> -and add or correct the following line, replacing <i>DAYS</i> appropriately: -<pre>PASS_MAX_DAYS <i>DAYS</i></pre> +and add or correct the following line to match: +<pre>PASS_MAX_DAYS <sub idref="var_accounts_maximum_age_login_defs"/></pre> A value of 180 days is sufficient for many environments. The DoD requirement is 60. </description> 
@@ -168,8 +171,8 @@ location subject to physical compromise.</rationale> <description>To specify how many days prior to password expiration that a warning will be issued to users, edit the file <tt>/etc/login.defs</tt> and add or correct - the following line, replacing <i>DAYS</i> appropriately: -<pre>PASS_WARN_AGE <i>DAYS</i></pre> + the following line to match: +<pre>PASS_WARN_AGE <sub idref="var_accounts_password_warn_age_login_defs"/></pre> The DoD requirement is 7. <!-- <sub idref="accounts_password_warn_age_login_defs_login_defs_value" /> --> </description> diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index ae71777..1f72f5a 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -31,7 +31,7 @@ Limiting the number of allowed users and sessions per user can limit risks relat Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user add the following line in <tt>/etc/security/limits.conf</tt>: -<pre>* hard maxlogins 10</pre> +<pre>* hard maxlogins <sub idref="max_concurrent_login_sessions_value" /></pre> </description> <rationale>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or @@ -42,7 +42,7 @@ Run the following command to ensure the <tt>maxlogins</tt> value is configured f on the system: <pre># grep "maxlogins" /etc/security/limits.conf</pre> You should receive output similar to the following: -<pre>* hard maxlogins 10</pre> +<pre>* hard maxlogins <sub idref="max_concurrent_login_sessions_value" /></pre> </ocil> <oval id="accounts_max_concurrent_login_sessions" value="max_concurrent_login_sessions_value" /> <ident cce="27457-1" /> 
@@ -211,7 +211,7 @@ operator="equals" interactive="0"> To ensure the default umask for users of the Bash shell is set properly, add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read as follows: -<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre> +<pre>umask <sub idref="umask_user_value" /></pre> </description> <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or @@ -222,8 +222,8 @@ running the following command: <pre># grep "umask" /etc/bashrc</pre> All output must show the value of <tt>umask</tt> set to 077, as shown below: <pre># grep "umask" /etc/bashrc -umask 077 -umask 077</pre> +umask <sub idref="var_accounts_user_umask"/> +umask <sub idref="var_accounts_user_umask"/></pre> </ocil>
<ident cce="26917-5" /> @@ -237,7 +237,7 @@ umask 077</pre> <description> To ensure the default umask for users of the C shell is set properly, add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as follows: -<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre> +<pre>umask <sub idref="umask_user_value" /></pre> </description> <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or @@ -248,7 +248,7 @@ running the following command: <pre># grep "umask" /etc/csh.cshrc</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: <pre># grep "umask" /etc/csh.cshrc -umask 077</pre> +umask <sub idref="var_accounts_user_umask"/></pre> </ocil> <ident cce="27034-8" /> <oval id="accounts_umask_cshrc" value="var_accounts_user_umask"/> @@ -261,7 +261,7 @@ umask 077</pre> <description> To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly, add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows: -<pre>umask 077<!--<sub idref="umask_user_value" /> --></pre> +<pre>umask <sub idref="umask_user_value" /></pre> </description> <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or @@ -273,7 +273,7 @@ running the following command: <pre># grep "umask" /etc/profile</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: <pre># grep "umask" /etc/profile -umask 077</pre> +umask <sub idref="var_accounts_user_umask"/></pre> </ocil> <oval id="accounts_umask_etc_profile" value="var_accounts_user_umask" /> <tested by="swells" on="20120929"/> 
@@ -285,7 +285,7 @@ umask 077</pre> <description> To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set properly, add or correct the <tt>UMASK</tt> setting in <tt>/etc/login.defs</tt> to read as follows: -<pre>UMASK 077<!-- <sub idref="umask_user_value" /> --></pre> +<pre>UMASK <sub idref="umask_user_value" /></pre> </description> <rationale>The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 16585ba..791ffaf 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -232,9 +232,8 @@ normally.</i> <description>Determine how many log files <tt>auditd</tt> should retain when it rotates logs. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following -line, substituting <i>NUMLOGS</i> with the correct value: -<pre>num_logs = <i>NUMLOGS</i></pre> -Set the value to 5 for general-purpose systems. +line to match: +<pre>num_logs = <i><sub idref="var_auditd_num_logs" /></i></pre> Note that values less than 2 result in no log rotation.</description> <ocil clause="the system log file retention has not been properly configured"> Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to 
@@ -254,10 +253,8 @@ file size and the number of logs retained.</rationale> <title>Configure auditd Max Log File Size</title> <description>Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file -<tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting -the correct value for <i>STOREMB</i>: -<pre>max_log_file = <i>STOREMB</i></pre> -Set the value to <tt>6</tt> (MB) or higher for general-purpose systems. +<tt>/etc/audit/auditd.conf</tt>. Add or modify the following line to match: +<pre>max_log_file = <i><sub idref="var_auditd_max_log_file" /></i></pre> Larger values, of course, support retention of even more audit data.</description> <ocil clause="the system audit data threshold has not been properly configured"> @@ -289,8 +286,8 @@ page. These include: <li><tt>rotate</tt></li> <li><tt>keep_logs</tt></li> </ul> -Set the <tt><i>ACTION</i></tt> to <tt>rotate</tt> to ensure log rotation -occurs. This is the default. The setting is case-insensitive. +Set the <tt><i>ACTION</i></tt> to <tt><sub idref="var_auditd_max_log_file_action" /></tt> to ensure compliance. +The setting is case-insensitive. </description> <ocil clause="the system has not been properly configured to rotate audit logs"> Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to @@ -342,8 +339,8 @@ These include: <li><tt>single</tt></li> <li><tt>halt</tt></li> </ul> -Set this to <tt>email</tt> (instead of the default, -which is <tt>suspend</tt>) as it is more likely to get prompt attention. Acceptable values +Set this to <tt><sub idref="var_auditd_space_left_action"/></tt> (instead of the default which is <tt>suspend</tt>) +as it is more likely to get prompt attention. Acceptable values also include <tt>suspend</tt>, <tt>single</tt>, and <tt>halt</tt>. </description> <ocil clause="the system is not configured to send an email to the system administrator when 
@@ -369,7 +366,7 @@ allow them to take corrective action prior to any disruption.</rationale> when disk space is running low but prior to running out of space completely. Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting <i>ACTION</i> appropriately: -<pre>admin_space_left_action = <i>ACTION</i></pre> +<pre>admin_space_left_action = <i><sub idref="var_auditd_admin_space_left_action" /></i></pre> Set this value to <tt>single</tt> to cause the system to switch to single user mode for corrective action. Acceptable values also include <tt>suspend</tt> and <tt>halt</tt>. For certain systems, the need for availability @@ -400,7 +397,7 @@ is used, running low on space for audit records should never occur. a designated account in certain situations. Add or correct the following line in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified via email for those situations: -<pre>action_mail_acct = root</pre> +<pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre> </description> <ocil clause="auditd is not configured to send emails per identified actions"> Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index 9ce2f86..c9aa397 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml 
@@ -28,9 +28,8 @@ for system daemons. <description>The file <tt>/etc/init.d/functions</tt> includes initialization parameters for most or all daemons started at boot time. The default umask of 022 prevents creation of group- or world-writable files. To set the default -umask for daemons, edit the following line, inserting 022 or 027 for -<i>UMASK</i> appropriately: -<pre>umask <i>UMASK</i></pre> +umask for daemons, edit the following line to match: +<pre>umask <i><sub idref="var_umask_for_daemons"/></i></pre> Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. @@ -38,7 +37,7 @@ a umask of 077 in their own init scripts. <ocil clause="it does not"> To check the value of the <tt>umask</tt>, run the following command: <pre>$ grep umask /etc/init.d/functions</pre> -The output should show either <tt>022</tt> or <tt>027</tt>. +The output should show <tt><sub idref="var_umask_for_daemons"/></tt>. </ocil> <rationale>The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index a424b1a..9c28d21 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml @@ -105,14 +105,14 @@ the chances that it will remain off during system operation.
<Rule id="set_selinux_state" severity="medium"> <title>Ensure SELinux State is Enforcing</title> -<description>The SELinux state should be set to <tt>enforcing</tt> at +<description>The SELinux state should be set to <tt><sub idref="var_selinux_state_name"/></tt> at system boot time. In the file <tt>/etc/selinux/config</tt>, add or correct the following line to configure the system to boot into enforcing mode: -<pre>SELINUX=enforcing</pre> +<pre>SELINUX=<sub idref="var_selinux_state_name"/></pre> </description> <ocil clause="SELINUX is not set to enforcing"> Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: -<pre>SELINUX=enforcing</pre> +<pre>SELINUX=<sub idref="var_selinux_state_name"/></pre> </ocil> <rationale> Setting the SELinux state to enforcing ensures SELinux is able to confine @@ -128,18 +128,18 @@ privileges.
<Rule id="set_selinux_policy"> <title>Configure SELinux Policy</title> -<description>The SELinux <tt>targeted</tt> policy is appropriate for +<description>The SELinux <tt><sub idref="var_selinux_policy_name"/></tt> policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in <tt>/etc/selinux/config</tt>: -<pre>SELINUXTYPE=targeted</pre> +<pre>SELINUXTYPE=<sub idref="var_selinux_policy_name"/></pre> Other policies, such as <tt>mls</tt>, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases. </description> <ocil clause="it does not"> Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears: -<pre>SELINUXTYPE=targeted</pre> +<pre>SELINUXTYPE=<sub idref="var_selinux_policy_name"/></pre> </ocil> <rationale> Setting the SELinux policy to <tt>targeted</tt> or a more specialized policy -- 1.7.1
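Review bot: in the ssh.xml hunk at @@ -147, the sentence right after the changed `<pre>` still reads "The timeout <b>interval</b> is given in seconds. To have a timeout of 15 minutes, set <b>interval</b> to 900.", but the `<b>interval</b>` placeholder it refers to has been replaced by `<sub idref="sshd_idle_timeout_value"/>`, so the prose now points at a name that no longer appears in the instruction. Reword it to say that the profile supplies the value in seconds (900 being 15 minutes), or drop the placeholder reference.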
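Review bot: the banners.xml hunk at @@ -35 replaces both DoD-approved alternatives (the long text and the short "I've read & consent to terms in IS user agreem't." form) with a single `<sub idref="login_banner_text"/>`; unless that Value carries both forms via selectors, the short alternative disappears from the guide. In the @@ -120 hunk the same variable is dropped inside a double-quoted argument to `gconftool-2`, so a banner value containing `"` would render as an unrunnable command; the surrounding advice about beginning and ending the string with `"` needs rechecking now that the text comes from a variable rather than being typed by the reader.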
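Review bot: the pam.xml hunk at @@ -493 references `password_history_retain_number`, which does not follow the `var_` naming used by the other ids this patch introduces (`var_password_pam_cracklib_*`, `var_accounts_passwords_pam_faillock_*`); the patch defines no new `<Value>` elements, so please confirm that every `idref` added here resolves to an existing Value, otherwise the substitution leaves an empty or unresolved reference in the rendered text.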
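Review bot: the account_expiration.xml hunk at @@ -32 leaves stale arithmetic: "if the password will not expire for another 60 days, then 95 days could elapse" was computed from the hard-coded 35, which is now `<sub idref="var_account_disable_post_pw_expiration"/>`. Either reword the example to "60 days plus the configured value" or drop the 95. Also, "the following lines ... to match" now introduces a single `<pre>` line, so "lines" should be "line".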
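Review bot: in the password_expiration.xml hunk at @@ -81 there is a trailing space inside `<pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs"/> </pre>`, which shows up in the rendered output, and the new `+ <br/><br/>` line adds a blank paragraph before "The DoD requirement is". More substantively, the added `pam_cracklib.so minlen=` instruction reuses a variable named for `login.defs` and extends the rule's description to a second file; if this rule's check only examines `/etc/login.defs`, the new instruction is not verified by the rule. In the @@ -168 hunk the old commented-out `<sub idref="accounts_password_warn_age_login_defs_login_defs_value" />` is left sitting next to the live `<sub idref="var_accounts_password_warn_age_login_defs"/>` with a different id; remove the stale comment.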
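Review bot: the session.xml umask hunks (@@ -211 through @@ -285) use two different ids for the same setting within one rule: the description substitutes `umask_user_value` while the OCIL block and the existing `<oval ... value="var_accounts_user_umask"/>` use `var_accounts_user_umask`. Pick one (the oval reference suggests `var_accounts_user_umask` is the defined one) so the description and the check cannot drift apart. The OCIL prose "All output must show the value of <tt>umask</tt> set to 077, as shown below" also still hard-codes 077 while the `<pre>` beneath it now shows the variable.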
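Review bot: in the auditing.xml hunk at @@ -342 the rewritten sentence "Set this to <tt><sub idref="var_auditd_space_left_action"/></tt> (instead of the default which is <tt>suspend</tt>) as it is more likely to get prompt attention" becomes self-contradictory whenever a profile sets the variable to `suspend`; the parenthetical and the justification only hold for `email`. In the @@ -369 hunk the `<pre>` now substitutes `var_auditd_admin_space_left_action`, but the preceding "substituting <i>ACTION</i> appropriately" and the following "Set this value to <tt>single</tt>" are unchanged, so the reader is told to substitute a placeholder that is no longer shown and to use a fixed value the variable may not match.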
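Review bot: the selinux.xml hunks at @@ -105 and @@ -128 parameterise `SELINUX=` and `SELINUXTYPE=` but leave "to configure the system to boot into enforcing mode", the OCIL clause "SELINUX is not set to enforcing", the rule title "Ensure SELinux State is Enforcing" and the rationale "Setting the SELinux policy to <tt>targeted</tt>" hard-coded. If `var_selinux_state_name` or `var_selinux_policy_name` can select anything other than `enforcing`/`targeted`, the rule contradicts itself; either update the remaining text to use the variables or keep the state fixed in this rule.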
While technically the XCCDF spec supports this, do the transforms? Punting to Jeff (who wrote them).
scap-security-guide@lists.fedorahosted.org