---
 RHEL6/input/services/base.xml                      |   30 ++++++++++----------
 RHEL6/input/services/nfs.xml                       |    2 +-
 RHEL6/input/services/obsolete.xml                  |    4 +-
 RHEL6/input/system/accounts/banners.xml            |    2 +-
 RHEL6/input/system/accounts/pam.xml                |    6 ++--
 .../accounts/restrictions/password_storage.xml     |    2 +-
 RHEL6/input/system/auditing.xml                    |   12 ++++----
 RHEL6/input/system/logging.xml                     |    4 +-
 RHEL6/input/system/network/ipv6.xml                |    8 ++--
 RHEL6/input/system/permissions/mounting.xml        |    2 +-
 RHEL6/input/system/software/integrity.xml          |    6 ++--
 11 files changed, 39 insertions(+), 39 deletions(-)

diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml
index b0ebf16..5b1aae4 100644
--- a/RHEL6/input/services/base.xml
+++ b/RHEL6/input/services/base.xml
@@ -20,7 +20,7 @@ system such as RHTSupport.
 <rationale> Mishandling crash data could expose sensitive information about
 vulnerabilities in software executing on the local machine, as well as 
sensitive
 information from within a process's address space or registers.</rationale>
-<ident cce="TODO" />
+<ident cce="27247-6" />
 <oval id="service_abrtd_disabled" />
 <ref nist="AC-17(8),CM-7" disa="381" />
 </Rule>
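Review bot: the new identifiers in this file (27247-6, 27249-2, 27267-4, 27250-0, 27252-6 and so on) all carry a valid Luhn check digit over their five leading digits, so the numbers are well formed, but the sequence skips 27248, 27251, 27253, 27255, 27264 and 27266. If those are consumed in another file or a later patch that is fine; otherwise record them, so the allocated CCE block is not fragmented. Within this series the 39 identifiers are all distinct, but please also confirm none of them is already used by a rule elsewhere in the tree.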
@@ -58,7 +58,7 @@ out activities outside of a normal login session, which could 
complicate
 accountability. Furthermore, the need to schedule tasks with <tt>at</tt> or
 <tt>batch</tt> is not common.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27249-2" />
 <oval id="service_atd_disabled" />
 <ref nist="CM-7" disa="381" />
 </Rule>
@@ -75,7 +75,7 @@ solution to aid in the management of certificates.
 <rationale>The services provided by certmonger may be essential for systems
 fulfilling some roles a PKI infrastructure, but its functionality is not 
necessary
 for many other use cases.</rationale>
-<ident cce="TODO" />
+<ident cce="27267-4" />
 <oval id="service_certmonger_disabled" />
 <ref nist="CM-7" />
 </Rule>
@@ -91,7 +91,7 @@ a system. The <tt>cgconfig</tt> daemon starts at boot and 
establishes the predef
 <rationale>Unless control groups are used to manage system resources, running 
the cgconfig
 service is not necessary.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27250-0" />
 <oval id="service_cgconfig_disabled" />
 <ref nist="CM-7" />
 </Rule>
@@ -106,7 +106,7 @@ parameters set in the <tt>/etc/cgrules.conf</tt> 
configuration file.
 <rationale>Unless control groups are used to manage system resources, running 
the cgred service
 service is not necessary.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27252-6" />
 <oval id="service_cgred_disabled" />
 <ref nist="CM-7" />
 </Rule>
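Review bot: the rationale context just above the changed line reads "running the cgred service service is not necessary" (duplicated word "service"); since this rule is being touched anyway, drop the extra word in the same commit.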
@@ -243,7 +243,7 @@ serial consoles are impractical.
 <rationale>The <tt>netconsole</tt> service is not necessary unless there is a 
need to debug
 kernel panics, which is not common.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27254-2" />
 <oval id="service_netconsole_disabled" />
 <ref nist="AC-17(8),CM-7" disa="381" />
 </Rule>
@@ -262,7 +262,7 @@ system time.
 are rebooted frequently enough that clock drift does not cause problems between
 reboots. In any event, the functionality of the ntpdate service is now
 available in the ntpd program and should be considered deprecated.</rationale>
-<ident cce="TODO" />
+<ident cce="27256-7" />
 <!--<oval id="service_ntpdate_disabled" /> -->
 <ref nist="AC-17(8),AU-8,CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
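Review bot: a CCE is assigned here while the check reference `<!--<oval id="service_ntpdate_disabled" /> -->` stays commented out, so the rule is now identified for compliance mapping but has no automated check behind it. That is acceptable for a manual rule, but it should be deliberate: either re-enable the OVAL reference if the definition exists, or mark the rule as manual so the CCE is not reported as scannable.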
@@ -281,7 +281,7 @@ applications. Communication with <tt>oddjobd</tt> through 
the system message bus
 some environments but it can be disabled if it is not needed. Execution of
 tasks by privileged programs, on behalf of unprivileged ones, has traditionally
 been a source of privilege escalation security issues.</rationale>
-<ident cce="TODO" />
+<ident cce="27257-5" />
 <oval id="service_oddjobd_disabled" />
 <ref nist="CM-7" disa="381" />
 <tested by="DS" on="20121024"/>
@@ -298,7 +298,7 @@ required for other services.
 <rationale>The <tt>portreserve</tt> service provides helpful functionality by
 preventing conflicting usage of ports in the reserved port range, but it can be
 disabled if not needed.</rationale>
-<ident cce="TODO" />
+<ident cce="27258-3" />
 <oval id="service_portreserve_disabled" />
 <ref nist="AC-17(8),CM-7" />
 <tested by="DS" on="20121024"/>
@@ -316,7 +316,7 @@ user activity, such as commands issued by users of the 
system.
 view into some user activities. However, it should be noted that the auditing
 system and its audit records provide more authoritative and comprehensive
 records.</rationale>
-<ident cce="TODO" />
+<ident cce="27259-1" />
 <oval id="service_psacct_enabled" />
 <ref nist="AU-12,CM-7" />
 <tested by="DS" on="20121024"/>
@@ -356,7 +356,7 @@ last accessed.
 remain enabled. However, if disk quotas are not used or user notification of
 disk quota violation is not desired then there is no need to run this
 service.</rationale>
-<ident cce="TODO" />
+<ident cce="27260-9" />
 <oval id="service_quota_nld_disabled" />
 <ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
@@ -375,7 +375,7 @@ updated with a corresponding default route. By default this 
daemon is disabled.
 information configured statically by a system administrator. Workstations or
 some special-purpose systems often use DHCP (instead of IRDP) to retrieve
 dynamic network configuration information.</rationale>
-<ident cce="TODO" />
+<ident cce="27261-7" />
 <oval id="service_rdisc_disabled" />
 <ref nist="AC-17(8),AC-4,CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
@@ -413,7 +413,7 @@ additional control over which of their systems are entitled 
to particular
 subscriptions. However, for systems that are managed locally or which are not
 expected to require remote changes to their subscription status, it is
 unnecessary and can be disabled.</rationale>
-<ident cce="TODO" />
+<ident cce="27262-5" />
 <oval id="service_rhsmcertd_disabled" />
 <ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
@@ -433,7 +433,7 @@ based authentication.
 performing authentication in some directory environments, such as those which
 use Kerberos and LDAP. For others, however, in which only local files may be
 consulted, it is not necessary and should be disabled.</rationale>
-<ident cce="TODO" />
+<ident cce="27263-3" />
 <oval id="service_saslauthd_disabled" />
 <ref nist="AC-17(8),CM-7" />
 <tested by="DS" on="20121024"/>
@@ -490,7 +490,7 @@ at boot time.
 boot to reset the statistics, which can be retrieved using programs such as
 <tt>sar</tt> and <tt>sadc</tt>. These may provide useful insight into system
 operation, but unless used this service can be disabled.</rationale>
-<ident cce="TODO" />
+<ident cce="27265-8" />
 <oval id="service_sysstat_disabled" />
 <ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml
index d9f8d8f..1dec65d 100644
--- a/RHEL6/input/services/nfs.xml
+++ b/RHEL6/input/services/nfs.xml
@@ -125,7 +125,7 @@ communicate with. Unless RPC services are needed on the 
local system it is
 recommended to disable this service.
 <service-disable-macro service="rpcbind" />
 </description>
-<ident cce="TODO" />
+<ident cce="27268-2" />
 <oval id="service_rpcbind_disabled" />
 </Rule>
 
diff --git a/RHEL6/input/services/obsolete.xml 
b/RHEL6/input/services/obsolete.xml
index c07a15e..9105152 100644
--- a/RHEL6/input/services/obsolete.xml
+++ b/RHEL6/input/services/obsolete.xml
@@ -201,7 +201,7 @@ of an Rsh trust relationship.
 <rationale>Trust files are convenient, but when
 used in conjunction with the R-services, they can allow
 unauthenticated access to a system.</rationale>
-<ident cce="TODO" />
+<ident cce="27270-8" />
 <ref nist="AC-17(8),CM-7" disa="1436" />
 <oval id="no_rsh_trusted_host_files" />
 <tested by="DS" on="20121026"/>
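Review bot: minor ordering point. Here `<ref .../>` comes before `<oval .../>`, whereas every other rule in this series that has an OVAL reference lists `<ident>`, then `<oval>`, then `<ref>`. Not functionally significant for the XML, but worth normalising while the adjacent line is being edited.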
@@ -316,7 +316,7 @@ flag, matching the example below:
 <pre> # grep "server_args" /etc/xinetd.d/tftp
 server_args = -s /var/lib/tftpboot</pre>
 </ocil>
-<ident cce="TODO" />
+<ident cce="27272-4" />
 <oval id="tftpd_uses_secure_mode" />
 <ref nist="AC-17(8),CM-7" disa="366"/>
 </Rule>
diff --git a/RHEL6/input/system/accounts/banners.xml 
b/RHEL6/input/system/accounts/banners.xml
index 0b22d71..1a441e0 100644
--- a/RHEL6/input/system/accounts/banners.xml
+++ b/RHEL6/input/system/accounts/banners.xml
@@ -168,7 +168,7 @@ The output should be <tt>true</tt>.
 <rationale>Leaving the user list enabled is a security risk since it allows 
anyone
 with physical access to the system to quickly enumerate known user accounts
 without logging in.</rationale>
-<ident cce="TODO" />
+<ident cce="27230-2" />
 <ref nist="AC-23" />
 </Rule>
 
diff --git a/RHEL6/input/system/accounts/pam.xml 
b/RHEL6/input/system/accounts/pam.xml
index 9089911..5c8344a 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -238,7 +238,7 @@ Look for the value of the <tt>maxrepeat</tt> parameter.  
The DoD requirement is
 <rationale>
 Passwords with excessive repeating characters may be more vulnerable to 
password-guessing attacks.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27227-8" />
 <ref disa="366"/>
 </Rule>
 
@@ -535,7 +535,7 @@ Inspect <tt>/etc/login.defs</tt> and ensure the following 
line appears:
 Using a stronger hashing algorithm makes password cracking attacks more 
difficult.
 </rationale>
 <!-- <oval id="accounts_password_hashing_algorithm" /> -->
-<ident cce="TODO" />
+<ident cce="27228-6" />
 <ref nist="IA-5" disa="803"/>
 <tested by="DS" on="20121024"/>
 </Rule>
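Review bot: this rule and the following one (login.defs at @@ -535 and the `[default]` section at @@ -557) both carry the same commented-out `<oval id="accounts_password_hashing_algorithm" />` but now receive distinct CCEs, 27228-6 and 27229-4. When these checks are enabled they need distinct OVAL ids, one per rule; otherwise two CCEs would map to one check and the two results could not be reported separately.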
@@ -557,7 +557,7 @@ in the <tt>[default]</tt> section:
 Using a stronger hashing algorithm makes password cracking attacks more 
difficult.
 </rationale>
 <!-- <oval id="accounts_password_hashing_algorithm" /> -->
-<ident cce="TODO" />
+<ident cce="27229-4" />
 <ref nist="IA-5" disa="803"/>
 <tested by="DS" on="20121026"/>
 </Rule>
diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml 
b/RHEL6/input/system/accounts/restrictions/password_storage.xml
index 53bc053..be8ed82 100644
--- a/RHEL6/input/system/accounts/restrictions/password_storage.xml
+++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml
@@ -105,7 +105,7 @@ Unencrypted passwords for remote FTP servers may be stored 
in <tt>.netrc</tt>
 files. DoD policy requires passwords be encrypted in storage and not used
 in access scripts.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27225-2" />
 <oval id="TODO" />
 <ref nist="IA-5" disa="196" />
 </Rule>
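Review bot: the CCE is filled in but the line immediately after it, `<oval id="TODO" />`, is left as a placeholder, so this rule now has a compliance identifier pointing at a check that does not exist. Either add the check for `.netrc` files before this ships, or remove or comment out the oval element as the other manual rules in this series do, so the build does not reference an undefined OVAL definition.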
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml
index 6943c14..2142b44 100644
--- a/RHEL6/input/system/auditing.xml
+++ b/RHEL6/input/system/auditing.xml
@@ -304,7 +304,7 @@ minimizes the chances of the system unexpectedly running 
out of disk space by
 being overwhelmed with log data. However, for systems that must never discard
 log data, or which use external processes to transfer it and reclaim space,
 <tt>keep_logs</tt> can be employed.</rationale>
-<ident cce="TODO" />
+<ident cce="27237-7" />
 <oval id="auditd_data_retention_max_log_file_action" 
value="var_auditd_max_log_file_action" />
 <ref nist="AU-1(b),AU-4,AU-11" />
 <tested by="DS" on="20121024"/>
@@ -355,7 +355,7 @@ disk space is starting to run low:
 </ocil>
 <rationale>Notifying administrators of an impending disk space problem may
 allow them to take corrective action prior to any disruption.</rationale>
-<ident cce="TODO" />
+<ident cce="27238-5" />
 <oval id="auditd_data_retention_space_left_action" 
value="var_auditd_space_left_action"/>
 <ref nist="AU-1(b),AU-4" disa="140,143,1339" />
 <tested by="DS" on="20121024"/>
@@ -396,7 +396,7 @@ when disk space has run low:
 audit records. If a separate partition or logical volume of adequate size
 is used, running low on space for audit records should never occur.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27239-3" />
 <oval id="auditd_data_retention_admin_space_left_action" 
value="var_auditd_admin_space_left_action" />
 <ref nist="AU-1(b),AU-4" disa="140,1343" />
 <tested by="DS" on="20121024"/>
@@ -419,7 +419,7 @@ account when it needs to notify an administrator:
 </ocil>
 <rationale>Email sent to the root account is typically aliased to the
 administrators of the system, who can take appropriate action.</rationale>
-<ident cce="TODO" />
+<ident cce="27241-9" />
 <oval id="auditd_data_retention_action_mail_acct" 
value="var_auditd_action_mail_acct" />
 <ref nist="AU-1(b),AU-4" disa="139,144" />
 </Rule>
@@ -695,7 +695,7 @@ Audit logs must be mode 0640 or less permissive.
 <rationale>
 If users can write to audit logs, audit trails can be modified or destroyed.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27243-5" />
 <oval id="file_permissions_var_log_audit" />
 <ref nist="AC-6,AU-1(b),AU-9" disa="166" />
 <tested by="DS" on="20121024"/>
@@ -711,7 +711,7 @@ If users can write to audit logs, audit trails can be 
modified or destroyed.
 </ocil>
 <rationale>Failure to give ownership of the audit log file(s) to root allows 
the designated 
 owner, and unauthorized users, potential access to sensitive 
information.</rationale>
-<ident cce="TODO" />
+<ident cce="27244-3" />
 <oval id="file_ownership_var_log_audit" />
 <ref nist="AC-6,AU-1(b),AU-9" disa="166" />
 <tested by="DS" on="20121024"/>
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml
index 12bf472..9ff9334 100644
--- a/RHEL6/input/system/logging.xml
+++ b/RHEL6/input/system/logging.xml
@@ -314,7 +314,7 @@ $InputTCPServerRun 514</pre>
 If the system needs to act as a log server, this ensures that it can receive
 messages over a reliable TCP connection.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27235-1" />
 <!--<oval id="rsyslog_listen_tcp" />-->
 <ref nist="AU-9" />
 </Rule>
@@ -333,7 +333,7 @@ Many devices, such as switches, routers, and other 
Unix-like systems, may only s
 the traditional syslog transmission over UDP. If the system must act as a log 
server,
 this enables it to receive their messages as well.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27236-9" />
 <!--<oval id="rsyslog_listen_udp" />-->
 <ref nist="AU-9" />
 </Rule>
diff --git a/RHEL6/input/system/network/ipv6.xml 
b/RHEL6/input/system/network/ipv6.xml
index 336e619..f273d0d 100644
--- a/RHEL6/input/system/network/ipv6.xml
+++ b/RHEL6/input/system/network/ipv6.xml
@@ -60,7 +60,7 @@ For each network interface, add or correct the following 
lines in
 prevention mechanism:
 <pre>IPV6INIT=no</pre>
 </description>
-<ident cce="TODO" />
+<ident cce="27231-0" />
 <ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -75,7 +75,7 @@ following two lines in <tt>/etc/netconfig</tt>:
 <pre>udp6       tpi_clts      v     inet6    udp     -       -
 tcp6       tpi_cots_ord  v     inet6    tcp     -       -</pre>
 </description>
-<ident cce="TODO" />
+<ident cce="27232-8" />
 <oval id="network_ipv6_disable_rpc" />
 <ref nist="CM-7" />
 </Rule>
@@ -171,7 +171,7 @@ Manually assigning an IP address is preferable to accepting 
one from routers or
 from the network otherwise. The example address here is an IPv6 address
 reserved for documentation purposes, as defined by RFC3849.
 </description>
-<ident cce="TODO" />
+<ident cce="27233-6" />
 <oval id="network_ipv6_static_address" />
 <ref nist="" />
 </Rule>
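Review bot: `<ref nist="" />` directly below the new ident is an empty reference. If no NIST 800-53 control maps to the static-address rule, drop the attribute or the element rather than shipping an empty string, which some consumers render as a blank control. The same applies to the default-gateway rule in the next hunk.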
@@ -202,7 +202,7 @@ the following line (substituting your gateway IP as 
appropriate):
 Router addresses should be manually set and not accepted via any
 auto-configuration or router advertisement.
 </description>
-<ident cce="TODO" />
+<ident cce="27234-4" />
 <oval id="network_ipv6_default_gateway" />
 <ref nist="" />
 </Rule>
diff --git a/RHEL6/input/system/permissions/mounting.xml 
b/RHEL6/input/system/permissions/mounting.xml
index b5a2f22..636aee6 100644
--- a/RHEL6/input/system/permissions/mounting.xml
+++ b/RHEL6/input/system/permissions/mounting.xml
@@ -302,7 +302,7 @@ file to exploit this flaw. Assuming the attacker could 
place the malicious file
 (via a web upload for example) and assuming a user browses the same location 
using Nautilus, the
 malicious file would exploit the thumbnailer with the potential for malicious 
code execution. It
 is best to disable these thumbnailer applications unless they are explicitly 
required.</rationale>
-<ident cce="TODO" />
+<ident cce="27224-5" />
 <oval id="disable_gnome_thumbnailers" />
 <ref nist="CM-7" />
 </Rule>
diff --git a/RHEL6/input/system/software/integrity.xml 
b/RHEL6/input/system/software/integrity.xml
index e8a2a19..86fbc66 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -57,7 +57,7 @@ Next,  the following command to return binaries to a normal, 
non-prelinked state
 The prelinking feature can interfere with the operation
 of AIDE, because it changes binaries.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27221-1" />
 <ref nist="CM-6(d),CM-6(3),SC-28, SI-7" />
 </Rule>
 
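Review bot: `<ref nist="CM-6(d),CM-6(3),SC-28, SI-7" />` has a stray space before `SI-7`, unlike `SC-28,SI-7` in the next hunk at @@ -97. A consumer that splits the attribute on commas will get ` SI-7` with a leading space; trim it while this rule is being edited.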
@@ -97,7 +97,7 @@ To determine that periodic AIDE execution has been scheduled, 
run the following
 By default, AIDE does not install itself for periodic execution. Periodically
 running AIDE may reveal unexpected changes in installed files.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27222-9" />
 <ref nist="CM-6(d),CM-6(3),SC-28,SI-7" disa="374,416,1069,1263,1297,1589"/>
 </Rule>
 <!--
@@ -188,7 +188,7 @@ have file hashes different from what is expected by the RPM 
database.
 The hash on important files like system executables should match the 
information given
 by the RPM database. Executables with erroneous hashes could be a sign of 
nefarious activity
 on the system.</rationale>
-<ident cce="TODO" />
+<ident cce="27223-7" />
 <oval id="rpm_verify_hashes" />
 <ref nist="CM-6(d),CM-6(3),SI-7" disa="1496" />
 </Rule>
-- 
1.7.1

_______________________________________________
scap-security-guide mailing list
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide