On 11/19/13, 11:21 AM, Maura Dailey wrote:
Signed-off-by: Maura Dailey <[email protected]>
---
  RHEL6/input/checks/cups_disable_browsing.xml    |   47 ++++++++++++-----------
  RHEL6/input/checks/cups_disable_printserver.xml |   32 +++++-----------
  2 files changed, 35 insertions(+), 44 deletions(-)

diff --git a/RHEL6/input/checks/cups_disable_browsing.xml 
b/RHEL6/input/checks/cups_disable_browsing.xml
index 6b6d54e..cadd68a 100644
--- a/RHEL6/input/checks/cups_disable_browsing.xml
+++ b/RHEL6/input/checks/cups_disable_browsing.xml
@@ -1,42 +1,45 @@
  <def-group>
-  <definition class="compliance"
-  id="cups_disable_browsing" version="1">
+  <definition class="compliance" id="cups_disable_browsing" version="1">
      <metadata>
        <title>Disable Printer Browsing Entirely if Possible</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
-      <description>The CUPS print service can be configured to broadcast a list of 
available printers to the network. Other machines on the network, also running the CUPS 
print service, can be configured to listen to these broadcasts and add and configure these 
printers for immediate use. By disabling this browsing capability, the machine will no 
longer generate or receive such broadcasts.</description>
+      <description>The CUPS print service can be configured to broadcast a list
+      of available printers to the network. Other machines on the network, also
+      running the CUPS print service, can be configured to listen to these
+      broadcasts and add and configure these printers for immediate use. By
+      disabling this browsing capability, the machine will no longer generate
+      or receive such broadcasts.</description>
+      <reference source="MED" ref_id="20131119" ref_url="test_attestation" />
      </metadata>
      <criteria operator="AND">
-      <criterion comment="Protect browsing_off"  
test_ref="test_cups_disable_browsing_browsing_off" />
-      <criterion comment="Protect browsingallow" 
test_ref="test_cups_disable_browsing_browsingallow" />
+      <criterion comment="Ensure remote printer browsing is off"
+      test_ref="test_cups_disable_browsing_browsing_off" />
+      <criterion comment="Ensure no incoming printer information packets are 
allowed"
+      test_ref="test_cups_disable_browsing_browseallow" negate="true" />
      </criteria>
    </definition>
-
-  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Disable Browsing"
-  id="test_cups_disable_browsing_browsing_off" version="1">
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Disable Browsing" id="test_cups_disable_browsing_browsing_off"
+  version="1">
      <ind:object object_ref="obj_cups_disable_browsing_browsing_off" />
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsing_off" 
version="1">
-    <ind:path>/etc/cups</ind:path>
-    <ind:filename>cupsd.conf</ind:filename>
-    <ind:pattern operation="pattern match">Browsing Off</ind:pattern>
+    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+    <ind:pattern operation="pattern 
match">Browsing[\s]+(?:Off|No)</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Do not allow for browsing"
-  id="test_cups_disable_browsing_browsingallow" version="1">
-    <ind:object object_ref="obj_cups_disable_browsing_browsingallow" />
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Do not allow incoming printer information packets"
+  id="test_cups_disable_browsing_browseallow" version="1">
+    <ind:object object_ref="obj_cups_disable_browsing_browseallow" />
    </ind:textfilecontent54_test>
-  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browsingallow" 
version="1">
-    <ind:path>/etc/cups</ind:path>
-    <ind:filename>cupsd.conf</ind:filename>
-    <ind:pattern operation="pattern match">BrowseAllow none</ind:pattern>
+  <ind:textfilecontent54_object id="obj_cups_disable_browsing_browseallow" 
version="1">
+    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+    <ind:pattern operation="pattern 
match">BrowseAllow[\s]+(?!none)</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
-
-
  </def-group>
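Review bot: Neither new pattern is anchored to the start of the line, so `Browsing[\s]+(?:Off|No)` in obj_cups_disable_browsing_browsing_off is satisfied by a commented-out `#Browsing Off`, and the negated `BrowseAllow[\s]+(?!none)` would flag a commented `#BrowseAllow all` as non-compliant. The textfilecontent54 `multiline` behavior defaults to true, so `^[\s]*Browsing[\s]+(?:Off|No)` and `^[\s]*BrowseAllow[\s]+(?!none)` would restrict both tests to active directives. cupsd.conf directive names and values are case-insensitive, so `browsing off` would fail the first test and `BrowseAllow None` would trip the second under these case-sensitive patterns; whether the evaluator honours an inline `(?i)` is worth confirming before relying on it. Also note the AND in the criteria means a host with `Browsing Off` but `BrowseAllow all` still fails, even though browsing is disabled; if `Browsing Off` alone is meant to be sufficient, an OR around the two criteria would express that.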
diff --git a/RHEL6/input/checks/cups_disable_printserver.xml 
b/RHEL6/input/checks/cups_disable_printserver.xml
index 399eafa..e305170 100644
--- a/RHEL6/input/checks/cups_disable_printserver.xml
+++ b/RHEL6/input/checks/cups_disable_printserver.xml
@@ -1,46 +1,34 @@
  <def-group>
-  <definition class="compliance"
-  id="cups_disable_printserver" version="1">
+  <definition class="compliance" id="cups_disable_printserver" version="1">
      <metadata>
        <title>Disable Printer Server if Possible</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 6</platform>
        </affected>
-      <description>By default, locally configured printers will not be shared 
over the network, but if this functionality has somehow
-been enabled, these recommendations will disable it again. Be sure to disable 
outgoing printer list broadcasts, or
-remote users will still be able to see the locally configured printers, even 
if they cannot actually print to them.
-To limit print serving to a particular set of users, use the Policy directive.
-</description>
+      <description>By default, locally configured printers will not be shared over 
the network, but if this functionality has somehow been enabled, these recommendations will 
disable it again. Be sure to disable outgoing printer list broadcasts, or remote users will 
still be able to see the locally configured printers, even if they cannot actually print to 
them. To limit print serving to a particular set of users, use the Policy 
directive.</description>
+      <reference source="MED" ref_id="20131119" ref_url="test_attestation" />
      </metadata>
      <criteria operator="AND">
-      <criterion comment="Don't use port directive"    
test_ref="test_cups_disable_printserver_disable_port" />
+      <criterion comment="Don't use port directive" 
test_ref="test_cups_disable_printserver_disable_port" />
        <criterion comment="Do use the listen directive" 
test_ref="test_cups_disable_printserver_use_listen" />
      </criteria>
    </definition>
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
-  comment="Disable the more general port directive"
-  id="test_cups_disable_printserver_disable_port" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Disable the more general 
port directive" id="test_cups_disable_printserver_disable_port" version="1">
      <ind:object object_ref="obj_cups_disable_printserver_disable_port" />
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_cups_disable_printserver_disable_port" 
version="1">
-    <ind:path>/etc/cups</ind:path>
-    <ind:filename>cupsd.conf</ind:filename>
-    <ind:pattern operation="pattern match">^Port 631$</ind:pattern>
+    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+    <ind:pattern operation="pattern match">Port[\s]+(\d)+</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
-  comment="Listen only at the localhost level"
-  id="test_cups_disable_printserver_use_listen" version="1">
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Listen only at the 
localhost level" id="test_cups_disable_printserver_use_listen" version="1">
      <ind:object object_ref="obj_cups_disable_printserver_use_listen" />
    </ind:textfilecontent54_test>
    <ind:textfilecontent54_object id="obj_cups_disable_printserver_use_listen" 
version="1">
-    <ind:path>/etc/cups</ind:path>
-    <ind:filename>cupsd.conf</ind:filename>
-    <ind:pattern operation="pattern match">^Listen localhost:631$</ind:pattern>
+    <ind:filepath>/etc/cups/cupsd.conf</ind:filepath>
+    <ind:pattern operation="pattern 
match">Listen[\s]+(?:localhost|127\.0\.0\.1):(\d)+</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
-
-
  </def-group>
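Review bot: test_cups_disable_printserver_use_listen only proves that at least one `Listen localhost:NNN` or `Listen 127.0.0.1:NNN` line exists (all_exist on a single object), so a cupsd.conf that additionally carries `Listen *:631` or `Listen 0.0.0.0:631` still passes a check commented "Listen only at the localhost level". A third, negated test in the AND with a pattern such as `^[\s]*Listen[\s]+(?!localhost|127\.0\.0\.1|\[::1\]|/)` would fail the definition whenever any Listen directive names a non-loopback address (the `/` branch allows the Unix-socket `Listen /var/run/cups/cups.sock` line a default cupsd.conf typically carries). Separately, the unanchored `Port[\s]+(\d)+` in obj_cups_disable_printserver_disable_port also matches the unrelated `BrowsePort 631` directive and any commented `#Port 631` line, both of which would fail the none_exist test; `^[\s]*Port[\s]+\d+` avoids that. Directive names are case-insensitive in cupsd.conf, so a lowercase `port 631` would slip past either form unless the evaluator supports `(?i)`.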

ack