As requested by Shawn. I hope I understood the request correctly... Chris
Christopher Anderson (1): Add some <fix>s. RHEL6/input/services/avahi.xml | 2 ++ RHEL6/input/services/base.xml | 52 +++++++++++++++++++++++++++++++++ RHEL6/input/services/cron.xml | 2 ++ RHEL6/input/services/dhcp.xml | 2 ++ RHEL6/input/services/dns.xml | 2 ++ RHEL6/input/services/ftp.xml | 2 ++ RHEL6/input/services/http.xml | 2 ++ RHEL6/input/services/imap.xml | 2 ++ RHEL6/input/services/nfs.xml | 14 +++++++++ RHEL6/input/services/obsolete.xml | 14 +++++++++ RHEL6/input/services/printing.xml | 2 ++ RHEL6/input/services/smb.xml | 2 ++ RHEL6/input/services/snmp.xml | 2 ++ RHEL6/input/services/squid.xml | 2 ++ RHEL6/input/services/ssh.xml | 2 ++ RHEL6/input/system/network/network.xml | 2 ++ RHEL6/input/system/network/wireless.xml | 2 ++ RHEL6/input/system/selinux.xml | 2 ++ 18 files changed, 110 insertions(+) -- 1.7.11.7
From b618878b28199fd992630dadf39071e400d6df6a Mon Sep 17 00:00:00 2001 From: Christopher Anderson <[email protected]> Date: Tue, 22 Jan 2013 14:01:50 -0800 Subject: [PATCH] Add some <fix>s. Signed-off-by: Christopher Anderson <[email protected]> --- RHEL6/input/services/avahi.xml | 2 ++ RHEL6/input/services/base.xml | 52 +++++++++++++++++++++++++++++++++ RHEL6/input/services/cron.xml | 2 ++ RHEL6/input/services/dhcp.xml | 2 ++ RHEL6/input/services/dns.xml | 2 ++ RHEL6/input/services/ftp.xml | 2 ++ RHEL6/input/services/http.xml | 2 ++ RHEL6/input/services/imap.xml | 2 ++ RHEL6/input/services/nfs.xml | 14 +++++++++ RHEL6/input/services/obsolete.xml | 14 +++++++++ RHEL6/input/services/printing.xml | 2 ++ RHEL6/input/services/smb.xml | 2 ++ RHEL6/input/services/snmp.xml | 2 ++ RHEL6/input/services/squid.xml | 2 ++ RHEL6/input/services/ssh.xml | 2 ++ RHEL6/input/system/network/network.xml | 2 ++ RHEL6/input/system/network/wireless.xml | 2 ++ RHEL6/input/system/selinux.xml | 2 ++ 18 files changed, 110 insertions(+) diff --git a/RHEL6/input/services/avahi.xml b/RHEL6/input/services/avahi.xml index 2733018..38468e6 100644 --- a/RHEL6/input/services/avahi.xml +++ b/RHEL6/input/services/avahi.xml @@ -17,7 +17,9 @@ Disabling it can reduce the system's vulnerability to such attacks. <Rule id="disable_avahi"> <title>Disable Avahi Server Software</title> <description> +<fix> <service-disable-macro service="avahi-daemon" /> +</fix> </description> <ocil><service-disable-check-macro service="avahi-daemon" /></ocil> <rationale> diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml index b0ebf16..4b330b7 100644 --- a/RHEL6/input/services/base.xml +++ b/RHEL6/input/services/base.xml 
@@ -14,7 +14,9 @@ and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. +<fix> <service-disable-macro service="abrtd" /> +</fix> </description> <ocil><service-disable-check-macro service="abrtd" /></ocil> <rationale> Mishandling crash data could expose sensitive information about @@ -30,7 +32,9 @@ information from within a process's address space or registers.</rationale> <description>The Advanced Configuration and Power Interface Daemon (<tt>acpid</tt>) dispatches ACPI events (such as power/reset button depressed) to userspace programs. +<fix> <service-disable-macro service="acpid" /> +</fix> </description> <ocil><service-disable-check-macro service="acpid" /></ocil> <rationale>ACPI support is highly desirable for systems in some network roles, @@ -49,7 +53,9 @@ schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon <tt>atd</tt> keeps track of tasks scheduled via <tt>at</tt> and <tt>batch</tt>, and executes them at the specified time. +<fix> <service-disable-macro service="atd" /> +</fix> </description> <ocil><service-disable-check-macro service="atd" /></ocil> <rationale> @@ -69,7 +75,9 @@ accountability. Furthermore, the need to schedule tasks with <tt>at</tt> or with certifying authorities on networks which use public-key infrastructure. It is often combined with Red Hat's IPA (Identity Policy Audit) security information management solution to aid in the management of certificates. +<fix> <service-disable-macro service="certmonger" /> +</fix> </description> <ocil><service-disable-check-macro service="certmonger" /></ocil> <rationale>The services provided by certmonger may be essential for systems 
@@ -85,7 +93,9 @@ for many other use cases.</rationale> <description>Control groups allow an administrator to allocate system resources (such as CPU, memory, network bandwidth, etc) among a defined group (or groups) of processes executing on a system. The <tt>cgconfig</tt> daemon starts at boot and establishes the predefined control groups. +<fix> <service-disable-macro service="cgconfig" /> +</fix> </description> <ocil><service-disable-check-macro service="cgconfig" /></ocil> <rationale>Unless control groups are used to manage system resources, running the cgconfig @@ -100,7 +110,9 @@ service is not necessary. <title>Disable Control Group Rules Engine (cgred)</title> <description>The <tt>cgred</tt> service moves tasks into control groups according to parameters set in the <tt>/etc/cgrules.conf</tt> configuration file. +<fix> <service-disable-macro service="cgred" /> +</fix> </description> <ocil><service-disable-check-macro service="cgred" /></ocil> <rationale>Unless control groups are used to manage system resources, running the cgred service @@ -115,7 +127,9 @@ service is not necessary. <title>Disable CPU Speed (cpuspeed)</title> <description>The <tt>cpuspeed</tt> service can adjust the clock speed of supported CPUs based upon the current processing load thereby conserving power and reducing heat. +<fix> <service-disable-macro service="cpuspeed" /> +</fix> </description> <ocil><service-disable-check-macro service="cpuspeed" /></ocil> <rationale>The <tt>cpuspeed</tt> service is only necessary if adjusting the CPU clock speed 
@@ -135,7 +149,9 @@ and maintains information about the system's hardware configuration. This service is required on a workstation running a desktop environment, and may be necessary on any system which deals with removable media or devices. +<fix> <service-disable-macro service="haldaemon" /> +</fix> </description> <ocil><service-disable-check-macro service="haldaemon" /></ocil> <rationale>The haldaemon provides essential functionality on systems @@ -167,7 +183,9 @@ provides potential speedups for handling interrupt requests.</rationale> <description>The <tt>kdump</tt> service provides a kernel crash dump analyzer. It uses the <tt>kexec</tt> system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. +<fix> <service-disable-macro service="kdump" /> +</fix> </description> <ocil><service-disable-check-macro service="kdump" /></ocil> <rationale>Unless the system is used for kernel development or testing, there @@ -187,7 +205,9 @@ or snapshot logical volume with dmeventd, if it is installed. If a device used b monitored mirror reports an I/O error, the failure is handled according to "mirror_image_fault_policy" and "mirror_log_fault_policy" set in the /etc/lvm/lvm.conf configuration file. If the system utilizes mirrored or snapshot logical volumes then this service should be configured and enabled. +<fix> <service-disable-macro service="lvm2-monitor" /> +</fix> </description> <rationale>The <tt>lvm2-monitor</tt> service provides services for mirrored or snapshotted volumes. </rationale> 
@@ -201,7 +221,9 @@ mirrored or snapshot logical volumes then this service should be configured and <title>Disable Software RAID Monitor (mdmonitor)</title> <description>The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). +<fix> <service-disable-macro service="mdmonitor" /> +</fix> </description> <ocil><service-disable-check-macro service="mdmonitor" /></ocil> <rationale>If software RAID monitoring is not required (and it is uncommon), @@ -217,7 +239,9 @@ there is no need to run the service.</rationale> a growing list of programs, such as those used for Gnome, Bluetooth, and Avahi. Due to these dependencies, disabling D-Bus may not be practical for many systems. +<fix> <service-disable-macro service="messagebus" /> +</fix> </description> <ocil><service-disable-check-macro service="messagebus" /></ocil> <rationale>If no services which require D-Bus are needed, then it @@ -237,7 +261,9 @@ a graphical login session. netconsole kernel module, which logs kernel printk messages over UDP to a syslog server. This allows debugging of problems where disk logging fails and serial consoles are impractical. +<fix> <service-disable-macro service="netconsole" /> +</fix> </description> <ocil><service-disable-check-macro service="netconsole" /></ocil> <rationale>The <tt>netconsole</tt> service is not necessary unless there is a need to debug @@ -255,7 +281,9 @@ when the system boots. It synchronizes to the NTP servers listed in <tt>/etc/ntp/step-tickers</tt> or <tt>/etc/ntp.conf</tt> and then sets the local hardware clock to the newly synchronized system time. +<fix> <service-disable-macro service="ntpdate" /> +</fix> </description> <ocil><service-disable-check-macro service="ntpdate" /></ocil> <rationale>The <tt>ntpdate</tt> service may only be suitable for systems which 
@@ -274,7 +302,9 @@ available in the ntpd program and should be considered deprecated.</rationale> access control mechanism through which specified privileged tasks can run tasks for unprivileged client applications. Communication with <tt>oddjobd</tt> through the system message bus. +<fix> <service-disable-macro service="oddjobd" /> +</fix> </description> <ocil><service-disable-check-macro service="oddjobd" /></ocil> <rationale>The <tt>oddjobd</tt> service may provide necessary functionality in @@ -292,7 +322,9 @@ been a source of privilege escalation security issues.</rationale> <description>The <tt>portreserve</tt> service is a TCP port reservation utility that can be used to prevent portmap from binding to well known TCP ports that are required for other services. +<fix> <service-disable-macro service="portreserve" /> +</fix> </description> <ocil><service-disable-check-macro service="portreserve" /></ocil> <rationale>The <tt>portreserve</tt> service provides helpful functionality by @@ -328,7 +360,9 @@ records.</rationale> guaranteed delivery services. It is an implementation of the Advanced Message Queuing Protocol. By default the qpidd service will bind to port 5672 and listen for connection attempts. +<fix> <service-disable-macro service="qpidd" /> +</fix> </description> <ocil><service-disable-check-macro service="qpidd" /></ocil> <rationale>The qpidd service is automatically installed when the "base" @@ -348,7 +382,9 @@ users of disk space quota violations. It listens to the kernel via a netlink socket for disk quota violations and notifies the appropriate user of the violation using D-Bus or by sending a message to the terminal that the user has last accessed. +<fix> <service-disable-macro service="quota_nld" /> +</fix> </description> <ocil><service-disable-check-macro service="quota_nld" /></ocil> <rationale>If disk quotas are enforced on the local system, then the 
@@ -368,7 +404,9 @@ service.</rationale> Internet Router Discovery Protocol (IRDP), which allows discovery of routers on the local subnet. If a router is discovered then the local routing table is updated with a corresponding default route. By default this daemon is disabled. +<fix> <service-disable-macro service="rdisc" /> +</fix> </description> <ocil><service-disable-check-macro service="rdisc" /></ocil> <rationale>General-purpose systems typically have their network and routing @@ -387,7 +425,9 @@ dynamic network configuration information.</rationale> servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. +<fix> <service-disable-macro service="rhnsd" /> +</fix> </description> <ocil><service-disable-check-macro service="rhnsd" /></ocil> <rationale>Although systems management and patching is extremely important to @@ -405,7 +445,9 @@ desirable for some environments. However, if the system is being managed by RHN <description>The Red Hat Subscription Manager (rhsmcertd) periodically checks for changes in the entitlement certificates for a registered system and updates it accordingly. +<fix> <service-disable-macro service="rhsmcertd" /> +</fix> </description> <ocil><service-disable-check-macro service="rhsmcertd" /></ocil> <rationale>The <tt>rhsmcertd</tt> service can provide administrators with some @@ -426,7 +468,9 @@ behalf of the SASL library. The service isolates all code requiring superuser privileges for SASL authentication into a single process, and can also be used to provide proxy authentication services to clients that do not understand SASL based authentication. +<fix> <service-disable-macro service="saslauthd" /> +</fix> </description> <ocil><service-disable-check-macro service="saslauthd" /></ocil> <rationale>The <tt>saslauthd</tt> service provides essential functionality for 
@@ -444,7 +488,9 @@ consulted, it is not necessary and should be disabled.</rationale> <description>SMART (Self-Monitoring, Analysis, and Reporting Technology) is a feature of hard drives that allows them to detect symptoms of disk failure and relay an appropriate warning. +<fix> <service-disable-macro service="smartd" /> +</fix> </description> <ocil><service-disable-check-macro service="smartd" /></ocil> <rationale>SMART can help protect against denial of @@ -466,7 +512,9 @@ More research needed. and authentication mechanisms. It provides an NSS and PAM interface for the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA. +<fix> <service-disable-macro service="sssd" /> +</fix> </description> <rationale>The sssd service provides essential functionality for systems which use different backend identity and authentication providers. However, if @@ -483,7 +531,9 @@ passwd and shadow), it is not needed. </rationale> <description>The <tt>sysstat</tt> service resets various I/O and CPU performance statistics to zero in order to begin counting from a fresh state at boot time. +<fix> <service-disable-macro service="sysstat" /> +</fix> </description> <ocil><service-disable-check-macro service="sysstat" /></ocil> <rationale>By default the <tt>sysstat</tt> service merely runs a program at @@ -502,7 +552,9 @@ operation, but unless used this service can be disabled.</rationale> <description>The udev service serves as the device manager. It maintains a set of devices that are normally located in the /dev directory. This service should be disabled. +<fix> <service-disable-macro service="udev-post" /> +</fix> </description> <ident cce="TODO" /> <oval id="service_udev-post_disabled" /> diff --git a/RHEL6/input/services/cron.xml b/RHEL6/input/services/cron.xml index 5972a7f..9101937 100644 --- a/RHEL6/input/services/cron.xml 
+++ b/RHEL6/input/services/cron.xml @@ -115,7 +115,9 @@ access to these files should be disabled.</description> <Rule id="disable_at"> <title>Disable atd Service</title> <description> +<fix> <service-disable-macro service="atd" /> +</fix> </description> <ocil><service-disable-check-macro service="atd" /></ocil> <rationale> diff --git a/RHEL6/input/services/dhcp.xml b/RHEL6/input/services/dhcp.xml index 7a8d199..8ffe638 100644 --- a/RHEL6/input/services/dhcp.xml +++ b/RHEL6/input/services/dhcp.xml @@ -37,7 +37,9 @@ and removed. <title>Disable DHCP Service</title> <description>The <tt>dhcpd</tt> service should be disabled on any system that does not need to act as a DHCP server. +<fix> <service-disable-macro service="dhcpd" /> +</fix> </description> <ocil><service-disable-check-macro service="dhcpd" /></ocil> <rationale> diff --git a/RHEL6/input/services/dns.xml b/RHEL6/input/services/dns.xml index 579520a..a725ddf 100644 --- a/RHEL6/input/services/dns.xml +++ b/RHEL6/input/services/dns.xml @@ -19,7 +19,9 @@ nameservers. <Rule id="disable_dns_server"> <title>Disable DNS Server</title> <description> +<fix> <service-disable-macro service="named" /> +</fix> </description> <ocil><service-disable-check-macro service="named" /></ocil> <rationale> diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml index 95892f1..0ce63da 100644 --- a/RHEL6/input/services/ftp.xml +++ b/RHEL6/input/services/ftp.xml @@ -17,7 +17,9 @@ data available to the public.</description> <Rule id="disable_vsftpd"> <title>Disable vsftpd Service</title> <description> +<fix> <service-disable-macro service="vsftpd" /> +</fix> </description> <ocil> <service-disable-check-macro service="vsftpd" /> diff --git a/RHEL6/input/services/http.xml b/RHEL6/input/services/http.xml index 0a2934d..e46096d 100644 --- a/RHEL6/input/services/http.xml +++ b/RHEL6/input/services/http.xml 
@@ -25,7 +25,9 @@ and removed from the system. <Rule id="disable_httpd"> <title>Disable httpd Service</title> <description> +<fix> <service-disable-macro service="httpd" /> +</fix> </description> <ocil> <service-disable-check-macro service="httpd" /> diff --git a/RHEL6/input/services/imap.xml b/RHEL6/input/services/imap.xml index bbd7666..f181205 100644 --- a/RHEL6/input/services/imap.xml +++ b/RHEL6/input/services/imap.xml @@ -15,7 +15,9 @@ POP3 server, the dovecot software should be disabled and removed. <Rule id="disable_dovecot"> <title>Disable Dovecot Service</title> <description> +<fix> <service-disable-macro service="dovecot" /> +</fix> </description> <ocil> <service-disable-check-macro service="dovecot" /> diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index 0b3c139..ce98009 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -35,7 +35,9 @@ security posture.</description> remote procedure call (RPC) processes which allow clients to lock files on the server. If the local machine is not configured to mount NFS filesystems then this service should be disabled. +<fix> <service-disable-macro service="nfslock" /> +</fix> </description> <ident cce="27104-9" /> <oval id="service_nfslock_disabled" /> @@ -48,7 +50,9 @@ The rpcgssd service manages RPCSEC GSS contexts required to secure protocols that use RPC (most often Kerberos and NFS). The rpcgssd service is the client-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. +<fix> <service-disable-macro service="rpcgssd" /> +</fix> </description> <ident cce="26864-9" /> <oval id="service_rpcgssd_disabled" /> 
@@ -59,7 +63,9 @@ service should be disabled. <description>The rpcidmapd service is used to map user names and groups to UID and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then this service should be disabled. +<fix> <service-disable-macro service="rpcidmapd" /> +</fix> </description> <ident cce="26870-6" /> <oval id="service_rpcidmapd_disabled" /> @@ -80,7 +86,9 @@ of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to <tt>/etc/fstab</tt> and against flaws in the netfs script itself. +<fix> <service-disable-macro service="netfs" /> +</fix> </description> <ident cce="27137-9" /> <oval id="service_netfs_disabled" /> @@ -123,7 +131,9 @@ TCP ports that they listen on. The rpcbind service also directs RPC clients to the proper port number that corresponds to the service the clients wants to communicate with. Unless RPC services are needed on the local system it is recommended to disable this service. +<fix> <service-disable-macro service="rpcbind" /> +</fix> </description> <ident cce="TODO" /> <oval id="service_rpcbind_disabled" /> @@ -283,7 +293,9 @@ clients.</description> <description>The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local machine. If the local machine is not designated as a NFS server then this service should be disabled. +<fix> <service-disable-macro service="nfs" /> +</fix> </description> <ocil clause="it does not"> It is prudent to ensure the <tt>nfs</tt> service is disabled in system boot, as well as 
@@ -311,7 +323,9 @@ If properly configured, the output should look like: secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd service is the server-side of RPCSEC GSS. If the system does not require secure RPC then this service should be disabled. +<fix> <service-disable-macro service="rpcsvcgssd" /> +</fix> </description> <ocil> <service-disable-check-macro service="rpcsvcgssd" /> diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index c07a15e..d86aa18 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -27,7 +27,9 @@ is not even available as part of RHEL 6.</description> <Rule id="disable_xinetd" severity="medium"> <title>Disable xinetd Service</title> <description> +<fix> <service-disable-macro service="xinetd" /> +</fix> </description> <ocil><service-disable-check-macro service="xinetd" /></ocil> <rationale> @@ -69,7 +71,9 @@ actively working to migrate to a more secure protocol.</description> <Rule id="disable_telnet_service" severity="high"> <title>Disable telnet Service</title> <description> +<fix> <service-disable-macro service="telnet" /> +</fix> </description> <ocil><service-disable-check-macro service="telnet" /></ocil> <rationale> @@ -131,7 +135,9 @@ activation. <description>The <tt>rexec</tt> service, which is available with the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. +<fix> <service-disable-macro service="rexec" /> +</fix> </description> <ocil><service-disable-check-macro service="rexec" /></ocil> <rationale>The rexec service uses unencrypted network communications, which 
@@ -150,7 +156,9 @@ stolen by eavesdroppers on the network. <description>The <tt>rsh</tt> service, which is available with the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. +<fix> <service-disable-macro service="rsh" /> +</fix> </description> <ocil><service-disable-check-macro service="rsh" /></ocil> <rationale>The rsh service uses unencrypted network communications, which @@ -169,7 +177,9 @@ stolen by eavesdroppers on the network. <description>The <tt>rlogin</tt> service, which is available with the <tt>rsh-server</tt> package and runs as a service through xinetd, should be disabled. +<fix> <service-disable-macro service="rlogin" /> +</fix> </description> <ocil><service-disable-check-macro service="rlogin" /></ocil> <rationale>The rlogin service uses unencrypted network communications, which @@ -237,7 +247,9 @@ accidental (or intentional) activation of NIS or NIS+ services. <title>Disable ypbind Service</title> <description>The <tt>ypbind</tt> service, which allows the system to act as a client in a NIS or NIS+ domain, should be disabled. +<fix> <service-disable-macro service="ypbind" /> +</fix> </description> <ocil><service-disable-check-macro service="ypbind" /></ocil> <rationale> @@ -265,7 +277,9 @@ found.</description> <Rule id="disable_tftp" severity="medium"> <title>Disable tftp Service</title> <description>The <tt>tftp</tt> service should be disabled. +<fix> <service-disable-macro service="tftp" /> +</fix> </description> <ocil><service-disable-check-macro service="tftp" /></ocil> <rationale> diff --git a/RHEL6/input/services/printing.xml b/RHEL6/input/services/printing.xml index 4629df5..17c75cb 100644 --- a/RHEL6/input/services/printing.xml +++ b/RHEL6/input/services/printing.xml 
@@ -11,7 +11,9 @@ homepage and more detailed documentation are available at http://www.cups.org. <Rule id="service_cups_disabled"> <title>Disable the CUPS Service</title> <description> +<fix> <service-disable-macro service="cups" /> +</fix> </description> <ocil><service-disable-check-macro service="cups" /></ocil> <rationale>Turn off unneeded services to reduce attack surface. diff --git a/RHEL6/input/services/smb.xml b/RHEL6/input/services/smb.xml index c844e8b..45377bc 100644 --- a/RHEL6/input/services/smb.xml +++ b/RHEL6/input/services/smb.xml @@ -23,7 +23,9 @@ sharing functionality. <Rule id="disable_smb_server"> <title>Disable Samba</title> <description> +<fix> <service-disable-macro service="smb" /> +</fix> </description> <ocil> <service-disable-check-macro service="smb" /> diff --git a/RHEL6/input/services/snmp.xml b/RHEL6/input/services/snmp.xml index 567abe3..0944ee5 100644 --- a/RHEL6/input/services/snmp.xml +++ b/RHEL6/input/services/snmp.xml @@ -17,7 +17,9 @@ installed and activated, the software should be disabled and removed. <Rule id="disable_snmpd"> <title>Disable <tt>snmpd</tt> Service</title> <description> +<fix> <service-disable-macro service="snmpd" /> +</fix> </description> <ocil> <service-disable-check-macro service="snmpd" /> diff --git a/RHEL6/input/services/squid.xml b/RHEL6/input/services/squid.xml index 388c0e9..b175714 100644 --- a/RHEL6/input/services/squid.xml +++ b/RHEL6/input/services/squid.xml @@ -18,7 +18,9 @@ and removed. <Rule id="disable_squid"> <title>Disable Squid</title> <description> +<fix> <service-disable-macro service="squid" /> +</fix> </description> <ocil> <service-disable-check-macro service="squid" /> diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml index 32e7598..604db28 100644 --- a/RHEL6/input/services/ssh.xml +++ b/RHEL6/input/services/ssh.xml 
@@ -22,7 +22,9 @@ operator="equals" interactive="0"> <title>Disable SSH Server If Possible (Unusual)</title> <description>The SSH server service, sshd, is commonly needed. However, if it can be disabled, do so. +<fix> <service-disable-macro service="sshd" /> +</fix> This is unusual, as SSH is a common method for encrypted and authenticated remote access. </description> diff --git a/RHEL6/input/system/network/network.xml b/RHEL6/input/system/network/network.xml index ba27915..39f2b5b 100644 --- a/RHEL6/input/system/network/network.xml +++ b/RHEL6/input/system/network/network.xml @@ -27,7 +27,9 @@ needs to use the loopback interface, remove all files of the form <pre># rm /etc/sysconfig/network-scripts/ifcfg-<i>interface</i></pre> If the system is a standalone machine with no need for network access or even communication over the loopback device, then disable this service. +<fix> <service-disable-macro service="network" /> +</fix> </description> </Group> diff --git a/RHEL6/input/system/network/wireless.xml b/RHEL6/input/system/network/wireless.xml index fef9973..be772c4 100644 --- a/RHEL6/input/system/network/wireless.xml +++ b/RHEL6/input/system/network/wireless.xml @@ -89,7 +89,9 @@ the need to install such a driver first. <Rule id="service_bluetooth_disabled" severity="medium"> <title>Disable Bluetooth Service</title> <description> +<fix> <service-disable-macro service="bluetooth" /> +</fix> <pre># service bluetooth stop</pre> </description> <ocil> diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml index 3678784..393a450 100644 --- a/RHEL6/input/system/selinux.xml +++ b/RHEL6/input/system/selinux.xml 
@@ -185,7 +185,9 @@ Possible</title> <description>Unless there is some overriding need for the convenience of category label translation, disable the MCS translation service. +<fix> <service-disable-macro service="mcstrans" /> +</fix> The <tt>mcstransd</tt> daemon provides the category label translation information defined in <tt>/etc/selinux/targeted/setrans.conf</tt> to client processes which request this information. -- 1.7.11.7
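Review bot: the commit message "Add some <fix>s." does not say what consumes the new `<fix>` element or why only the `<service-disable-macro>` occurrences were wrapped; please name the stylesheet that picks up `<fix>` from a description and what it emits, so the 18-file change can be checked against its output, and note that no rule text was otherwise altered.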
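Review bot: in the base.xml hunks for lvm2-monitor (@@ -187) and sssd (@@ -466) the `</description>` is followed directly by `<rationale>`, with no `<ocil>` element, unlike every other rule touched here; these two rules now carry a fix but no manual check. Suggest adding `<ocil><service-disable-check-macro service="lvm2-monitor" /></ocil>` and the sssd equivalent in the same change, since the fix and the check are being paired everywhere else.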
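Review bot: the `disable_at` rule in cron.xml (@@ -115) now carries `<fix><service-disable-macro service="atd" /></fix>`, and the atd rule in base.xml (@@ -49) carries an identical one; two rules remediating the same service will emit duplicate fixes and duplicate checks. Keep one rule for atd, or have one reference the other, rather than wrapping both.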
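Review bot: in obsolete.xml the telnet, rexec, rsh, rlogin and tftp rules describe services that "run as a service through xinetd", which have no init script of their own. If `service-disable-macro` expands to a `service <name> stop` line as well as `chkconfig <name> off`, that stop line is invalid for these xinetd-managed entries; please confirm what the macro expands to, or use an xinetd-specific fix for these five rules.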
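Review bot: in the ssh.xml hunk (@@ -22) the `<fix>` block is spliced between two sentences of the same description ("However, if it can be disabled, do so." and "This is unusual, as SSH is a common method ..."). Move the `<fix>` to the end of the description so the remediation text does not interrupt the prose when rendered.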
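Review bot: in the selinux.xml hunk (@@ -185) the `<fix>` is inserted before the sentence "The <tt>mcstransd</tt> daemon provides the category label translation information ...", so the explanatory text ends up after the remediation. Place the `<fix>` after the last sentence of the description, as the other hunks in this patch do.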
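Review bot: in the wireless.xml hunk (@@ -89) `<pre># service bluetooth stop</pre>` is left outside the new `<fix>` element. If stopping the running service is part of the remediation it belongs inside `<fix>`; if `service-disable-macro` already emits the stop command, the `<pre>` line is now a duplicate and should be dropped.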
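Review bot: in the network.xml hunk (@@ -27) the `<fix>` is added to a `<Group>` description (the context closes with `</description> </Group>`), whereas every other `<fix>` in this patch sits inside a `<Rule>`. Confirm that the consumer of `<fix>` handles Group-level descriptions; if it only looks at Rules, this remediation will never be emitted and the macro should move into a Rule for the network service.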
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
