Please push. Thanks!
On 09/27/2012 06:35 PM, David Smith wrote: > > Signed-off-by: David Smith <[email protected]> > --- > RHEL6/input/services/dhcp.xml | 10 ++++++++++ > RHEL6/input/services/nfs.xml | 12 ++---------- > RHEL6/input/services/smb.xml | 11 +++++++++++ > RHEL6/input/services/xorg.xml | 10 ++++++++++ > RHEL6/input/system/accounts/pam.xml | 8 +++++++- > RHEL6/input/system/network/wireless.xml | 5 ++++- > RHEL6/input/system/permissions/execution.xml | 6 ++++++ > RHEL6/input/system/permissions/mounting.xml | 3 +++ > RHEL6/input/system/software/integrity.xml | 5 +++++ > 9 files changed, 58 insertions(+), 12 deletions(-) > > diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml > index 2c33e4f..a86271b 100644 > --- a/RHEL6/input/services/dhcp.xml > +++ b/RHEL6/input/services/dhcp.xml > @@ -212,6 +212,16 @@ GATEWAY=192.168.1.1</pre> > </li> > </ul> > </description> > +<ocil clause="it does not"> > +To verify that DHCP is not being used, examine the following file for each > interface: > +<pre># /etc/sysconfig/network-scripts/ifcfg-<i>IFACE</i></pre> > +Look for the following: > +<pre>BOOTPROTO=static</pre> > +and the following, substituting the appropriate values based on your site's > addressing scheme: > +<pre>NETMASK=255.255.255.0 > +IPADDR=192.168.1.2 > +GATEWAY=192.168.1.1</pre> > +</ocil> > <rationale> > DHCP relies on trusting the local network. If the local network is not > trusted, > then it should not be used. However, the automatic configuration provided by > diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml > index e72bc71..bfde1a4 100644 > --- a/RHEL6/input/services/nfs.xml > +++ b/RHEL6/input/services/nfs.xml 
> @@ -226,16 +226,8 @@ If properly configured, the output should look like: > <description>The rpcsvcgssd service manages RPCSEC GSS contexts required to > secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd > service is the server-side of RPCSEC GSS. If the system does not require > secure RPC then this service should be disabled. > <service-disable-macro service="rpcsvcgssd" /> > </description> > -<ocil clause="it does not"> > -It is prudent to ensure the <tt>rpcsvcgssd</tt> service is disabled in > system boot, as well as > -not currently running. First, run the following to verify the service is > stopped: > -<pre>$ service rpcsvcgssd status</pre> > -If the service is stopped or disabled, it will return the following: > -<pre>rpc.svcgssd is stopped</pre> > -To verify that the <tt>rpcsvcgssd</tt> service is disabled, run the > following command: > -<pre>$ chkconfig --list rpcsvcgssd</pre> > -If properly configured, the output should look like: > -<pre>rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off > 6:off</pre> > +<ocil> > +<service-disable-check-macro service="rpcsvcgssd" /> > </ocil> > <ident cce="4491-7" /> > <oval id="service_rpcsvcgssd_disabled" /> > diff --git a/RHEL6/input/services/smb.xml b/RHEL6/input/services/smb.xml > index 1f1e05d..b46720a 100644 > --- a/RHEL6/input/services/smb.xml > +++ b/RHEL6/input/services/smb.xml > @@ -190,6 +190,12 @@ Requiring samba clients such as <tt>smbclient</tt> to > use packet > signing ensures that they can > only communicate with servers that support packet signing. > </description> > +<ocil clause="it is not"> > +To verify that Samba clients running smbclient must use packet signing, run > the following command: > +<pre># grep signing /etc/samba/smb.conf</pre> > +The output should show: > +<pre>client signing = mandatory</pre> > +</ocil> > <rationale> > Packet signing can prevent > man-in-the-middle attacks which modify SMB packets in 
> @@ -211,6 +217,11 @@ See the <tt>mount.cifs(8)</tt> man page for more > information. A Samba > client should only communicate with servers who can support SMB > packet signing. > </description> > +<ocil clause="it does not"> > +To verify that Samba clients using mount.cifs must use packet signing, run > the following command: > +<pre># grep sec /etc/fstab</pre> > +The output should show either <tt>krb5i</tt> or <tt>ntlmv2i</tt> in use. > +</ocil> > <rationale> > Packet signing can prevent man-in-the-middle > attacks which modify SMB packets in transit. > diff --git a/RHEL6/input/services/xorg.xml b/RHEL6/input/services/xorg.xml > index f55c2fc..3e5211f 100644 > --- a/RHEL6/input/services/xorg.xml > +++ b/RHEL6/input/services/xorg.xml > @@ -20,6 +20,12 @@ of the X server. To do so, ensure that the following line > in <tt>/etc/inittab</t > features a <tt>3</tt> as shown: > <pre>id:3:initdefault:</pre> > </description> > +<ocil clause="it does not"> > +To verify that the default runlevel is 3, run the following command: > +<pre># grep initdefault /etc/inittab</pre> > +The output should show the following: > +<pre>id:3:initdefault:</pre> > +</ocil> > <ident cce="4462-8" /> > <oval id="xwindows_runlevel_setting" /> > </Rule> > @@ -32,6 +38,10 @@ ensures that users or malicious software cannot start X. > To do so, run the following command: > <pre># yum groupremove "X Window System"</pre> > </description> > +<ocil clause="there is output"> > +To ensure the X Windows package group is removed, run the following command: > +<pre>$ rpm -qi xorg-x11-server-common</pre> > +</ocil> > <ident cce="4422-2" /> > <oval id="package_xorg-x11-server-common_removed" /> > </Rule> > diff --git a/RHEL6/input/system/accounts/pam.xml > b/RHEL6/input/system/accounts/pam.xml > index 59df7ed..162da7b 100644 > --- a/RHEL6/input/system/accounts/pam.xml > +++ b/RHEL6/input/system/accounts/pam.xml 
> @@ -332,7 +332,7 @@ These include > By default, all individual programs' configuration files in > <tt>/etc/pam.d</tt> > include <tt>system-auth</tt> or <tt>password-auth</tt>. > --> > -<description> > +<!-- <description> > To configure > the system to lock out accounts after a number of incorrect login > attempts using > @@ -355,7 +355,13 @@ auth sufficient pam_faillock.so authsucc audit > deny=<sub idref="var_acco > <ul><li>NOTE: The DoD requires accounts be locked out after 3 failed login > attempts, > accomplished by changing the value of the <tt>deny</tt> option to <i>3</i> > in the example > above.</li></ul> > +</description> --> > +<description> > +This requires further investigation. > </description> > +<ocil> > +This requires further investigation. > +</ocil> > <rationale> > Locking out user accounts after a number of incorrect attempts > prevents direct password guessing attacks. > diff --git a/RHEL6/input/system/network/wireless.xml > b/RHEL6/input/system/network/wireless.xml > index 7686390..e76d569 100644 > --- a/RHEL6/input/system/network/wireless.xml > +++ b/RHEL6/input/system/network/wireless.xml > @@ -111,7 +111,10 @@ to prevent the loading of the Bluetooth module: > <pre>install net-pf-31 /bin/true > install bluetooth /bin/true</pre> > </description> > - > +<ocil> > +<module-disable-check-macro module="bluetooth" /> > +<module-disable-check-macro module="net-pf-31" /> > +</ocil> > <rationale>If Bluetooth functionality must be disabled, preventing the kernel > from loading the kernel module provides an additional safeguard against its > activation.</rationale> > diff --git a/RHEL6/input/system/permissions/execution.xml > b/RHEL6/input/system/permissions/execution.xml > index 6d32805..0de5df5 100644 > --- a/RHEL6/input/system/permissions/execution.xml > +++ b/RHEL6/input/system/permissions/execution.xml 
> @@ -73,6 +73,12 @@ value of 0 is recommended.</description> > <tt>/etc/security/limits.conf</tt>: > <pre>* hard core 0</pre> > </description> > +<ocil clause="it is not"> > +To verify that core dumps are disabled for all users, run the following > command: > +<pre>$ grep core /etc/security/limits.conf</pre> > +The output should be: > +<pre>* hard core 0</pre> > +</ocil> > <rationale>A core dump includes a memory image taken at the time the > operating system > terminates an application. The memory image could contain sensitive data and > is generally useful > only for developers trying to debug problems.</rationale> > diff --git a/RHEL6/input/system/permissions/mounting.xml > b/RHEL6/input/system/permissions/mounting.xml > index a092bb8..a46f735 100644 > --- a/RHEL6/input/system/permissions/mounting.xml > +++ b/RHEL6/input/system/permissions/mounting.xml > @@ -52,6 +52,9 @@ kernel module: > This will prevent the <tt>modprobe</tt> program from loading the > <tt>usb-storage</tt> > module, but will not prevent an administrator (or another program) from > using the > <tt>insmod</tt> program to load the module manually.</description> > +<ocil> > +<module-disable-check-macro module="usb-storage" /> > +</ocil> > <rationale>USB storage devices such as thumb drives can be used to introduce > unauthorized > software and other vulnerabilities. Support for these devices should be > disabled and > the devices themselves should be tightly controlled.</rationale> > diff --git a/RHEL6/input/system/software/integrity.xml > b/RHEL6/input/system/software/integrity.xml > index 6c24ce9..96c2dc6 100644 > --- a/RHEL6/input/system/software/integrity.xml > +++ b/RHEL6/input/system/software/integrity.xml 
> @@ -144,6 +144,11 @@ files on the system have permissions that are different > from what > is expected by the RPM database: > <pre># rpm -Va | grep '^.M'</pre> > </description> > +<ocil clause="there is output"> > +The following command will list which files on the system have permissions > that are different from what > +is expected by the RPM database: > +<pre># rpm -Va | grep '^.M'</pre> > +</ocil> > <rationale> > Permissions on system binaries and configuration files that are too generous > could allow an unauthorized user to gain privileges that they should not > have. _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

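Review bot: In the dhcp.xml hunk, the first added <pre> line puts the interface file path behind a root prompt (# /etc/sysconfig/network-scripts/ifcfg-IFACE), which reads as a command to execute rather than a file to inspect. Put the path in <tt> inside the sentence, or show an actual command such as a grep for BOOTPROTO against that file.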
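Review bot: In the first smb.xml hunk, grep signing /etc/samba/smb.conf matches every line containing "signing", including commented-out lines, so the reader can see client signing = mandatory in the output while the setting is not in effect. Narrow the pattern to the client signing setting, exclude comment lines, and say that the line must appear uncommented.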
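Review bot: In the second smb.xml hunk, grep sec /etc/fstab is not limited to CIFS entries, and it prints nothing for a CIFS mount that has no sec= option at all, a case the text does not tell the reader how to interpret. Filter on cifs entries first and state that each of them must carry sec=krb5i or sec=ntlmv2i.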
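Review bot: In the first xorg.xml hunk, grep initdefault /etc/inittab also prints any comment line that mentions initdefault, so the output is not necessarily the single line shown. Match only the active entry, for example with the pattern '^id:', so that id:3:initdefault: is all the reader has to compare.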
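Review bot: In the second xorg.xml hunk, clause="there is output" cannot separate pass from fail, because rpm -qi prints a "package ... is not installed" message when the package is absent, so there is output either way. State the expected result explicitly (the not-installed message) and word the clause around the package being installed.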
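Review bot: In the second pam.xml hunk, the placeholder "This requires further investigation." becomes the rule's entire <description> and <ocil>, so the rule keeps its rationale but loses both its configuration and its check instructions. Keep the placeholder out of the rendered content (an XML comment or a tracked TODO), and record in the commit message, which currently has only the Signed-off-by line, why the pam_faillock description was commented out.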
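Review bot: In the execution.xml hunk, "The output should be:" sets an exact-match expectation that grep core /etc/security/limits.conf will not meet when the file has comment lines containing "core" or different spacing between the fields. Say the output should include an uncommented * hard core 0 entry, or exclude comment lines in the command.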
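Review bot: In the integrity.xml hunk, the added <ocil> text repeats the <description> sentence word for word and never says which result the reader should expect. Phrase it as a check, for example "To find files whose permissions differ from the RPM database, run:", and state what output, if any, is acceptable.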