From ef47e8e213acb0f72830096d01d48db93d125573 Mon Sep 17 00:00:00 2001
From: lukek1 <luke.t.kordell@lmco.com>
Date: Thu, 27 Mar 2014 13:19:21 -0400
Subject: [PATCH] MLS_CSCF-profile

---
 RHEL/6/input/profiles/MLS_CSCF.xml |   32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/RHEL/6/input/profiles/MLS_CSCF.xml b/RHEL/6/input/profiles/MLS_CSCF.xml
index 1a1c321..9819835 100644
--- a/RHEL/6/input/profiles/MLS_CSCF.xml
+++ b/RHEL/6/input/profiles/MLS_CSCF.xml
@@ -1,5 +1,5 @@
-<Profile id="cscf-baseline"> 
-<title>CSCF baseline-launchpoint</title> 
+<Profile id="MLS_CSCF"> 
+<title>CSCF baseline general use</title> 
 <description> this is an incomplete profile </description>
 
 <select idref="account_disable_post_pw_expiration" selected="true" />
@@ -46,6 +46,7 @@
 <select idref="configure_auditd_audispd" selected="true" />
 <select idref="configure_auditd_max_log_file" selected="true" />
 <select idref="configure_auditd_max_log_file_action" selected="true" />
+<refine-value idref="var_auditd_max_log_file_action"  selector="keep_logs" />
 <select idref="configure_auditd_num_logs" selected="true" />
 <select idref="auditd_data_retention_space_left_action" selected="true" />
 <select idref="cups_disable_browsing" selected="true" />
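Review bot: The added `refine-value` on line 26 has a doubled space between its attributes; match the single-space form the other `refine-value` lines use, `<refine-value idref="var_auditd_max_log_file_action" selector="keep_logs" />`. The `keep_logs` selector must correspond to a selector declared on that Value in the guide; the Value definition is not visible here, so verify it exists, since an unmatched selector leaves the refinement ineffective when the profile is resolved.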
@@ -63,7 +64,7 @@
 <select idref="disable_dhcp_server" selected="true" />
 <select idref="disable_dns_server" selected="true" />
 <select idref="disable_gnome_thumbnailers" selected="true" />
-<!-- <select idref="disable_httpd" selected="true" /> Only for UV -->
+<select idref="disable_httpd" selected="true" /> 
 <select idref="kernel_module_ipv6_option_disabled" selected="true" />
 <select idref="kernel_module_cramfs_disabled" selected="true" />
 <select idref="kernel_module_freevxfs_disabled" selected="true" />
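Review bot: Enabling `disable_httpd` on line 35 drops the previous rationale comment (`Only for UV`) without recording why the rule now applies to the general-use profile; if the intent is that this baseline has no web-serving role, keep a short note such as `<!-- no httpd role on this baseline -->` beside the select. Line 35 also carries trailing whitespace after the `/>`; trim it.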
@@ -83,11 +84,12 @@
 <select idref="sysctl_net_ipv4_conf_default_send_redirects" selected="true" />
 <select idref="sysctl_ipv4_all_send_redirects" selected="true" />
 <select idref="sysctl_net_ipv4_conf_all_accept_source_route" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_accept_redirects" selected="true" />
+<select idref="sysctl_net_ipv4_conf_all_secure_redirects" selected="true" />
 <select idref="sysctl_ipv4_ip_forward" selected="true" />
 <select idref="disable_telnet_service" selected="true" />
 <select idref="disable_tftp" selected="true" />
 <select idref="disable_vsftpd" selected="true" />
-<select idref="disable_xinetd" selected="true" />
 <select idref="disable_ypbind" selected="true" />
 <select idref="dns_server_authenticate_zone_transfers" selected="true" />
 <select idref="enable_auditd_bootloader" selected="true" />
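Review bot: Removing `disable_xinetd` on line 49 (and `uninstall_xinetd` in the later hunk at line 116) reintroduces xinetd to the baseline without a comment explaining the exception, while the profile still selects `disable_telnet_service`, `disable_tftp` and similar superserver-managed services; add a comment recording which xinetd-managed service is required so the exception is auditable. The two new selects on lines 43–44 cover only the `all` interface settings for accept_redirects and secure_redirects; if the guide also defines the `default` counterparts (following the `sysctl_net_ipv4_conf_default_send_redirects` pattern on line 40), select them too so newly created interfaces inherit the same hardening — the rule list is not visible here, so verify the ids.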
@@ -124,23 +126,22 @@
 <select idref="mount_option_var_tmp_bind_var" selected="true" />
 <select idref="mountopt_nodev_on_nonroot_partitions" selected="true" />
 <!-- we do not have any removable media that has a mount point defined in fstab <select idref="mountopt_nodev_on_removable_partitions" selected="true" /> --> 
-<!--<select idref="mountopt_noexec_on_removable_partitions" selected="true" /> -->
-<!-- <select idref="mountopt_nosuid_on_removable_partitions" selected="true" />-->
+<select idref="mountopt_noexec_on_removable_partitions" selected="true" />
+<select idref="mountopt_nosuid_on_removable_partitions" selected="true" />
 <select idref="accounts_max_concurrent_login_sessions" selected="true" /> 
-<!-- need to refince from 10 to 3 -->
+<refine-value idref="var_accounts_max_concurrent_login_sessions" selector="3" />
 <select idref="network_disable_zeroconf" selected="true" />
 <select idref="network_ipv6_disable_rpc" selected="true" />
 <select idref="network_sniffer_disabled" selected="true" />
 <select idref="no_empty_passwords" selected="true" />
 <select idref="no_files_unowned_by_group" selected="true" />
-<select idref="no_files_unowned_by_user" selected="true" />
+ <select idref="no_files_unowned_by_user" selected="true" /> 
 <select idref="accounts_password_all_shadowed" selected="true" />
 <select idref="no_netrc_files" selected="true" />
-<select idref="no_rsh_trust_files" selected="true" />
 <select idref="accounts_no_uid_except_zero" selected="true" />
 <select idref="no_direct_root_logins" selected="true" />
 <select idref="no_unpackaged_sgid_files" selected="true" />
-<select idref="no_unpackaged_suid_files" selected="true" />
+<select idref="no_unpackaged_suid_files" selected="true" /> 
 <select idref="ntpd_specify_multiple_servers" selected="true" />
 <select idref="ntpd_specify_remote_server" selected="true" />
 <select idref="package_aide_installed" selected="true" />
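Review bot: Lines 59–60 now select `mountopt_noexec_on_removable_partitions` and `mountopt_nosuid_on_removable_partitions`, yet the unchanged comment on line 56 keeps `mountopt_nodev_on_removable_partitions` disabled because no removable media has a mount point in fstab; either that rationale still holds and all three rules should stay out, or it no longer holds and nodev should be selected with the comment updated. The removal of `no_rsh_trust_files` on line 73 has no recorded reason; add one or restore the select. Lines 70 and 78 change only whitespace (a new leading space and trailing spaces), which makes the diff noisy; drop that whitespace.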
@@ -150,7 +151,9 @@
 <select idref="partition_for_var_log" selected="true" />
 <select idref="partition_for_var_log_audit" selected="true" />
 <select idref="accounts_maximum_age_login_defs" selected="true" />
+<refine-value idref="var_accounts_maximum_age_login_defs" selector="180" />
 <select idref="accounts_password_minlen_login_defs" selected="true" />
+<refine-value idref="var_accounts_password_minlen_login_defs" selector="12" />
 <select idref="password_require_consecrepeat" selected="true" />
 <select idref="accounts_password_pam_cracklib_difok" selected="true" />
 <select idref="accounts_password_pam_cracklib_dcredit" selected="true" />
@@ -168,8 +171,8 @@
 <select idref="rpm_verify_hashes" selected="true" />
 <select idref="rpm_verify_permissions" selected="true" />
 <select idref="rsyslog_accept_remote_messages_none" selected="true" />
-<!-- may be un-necessary<select idref="rsyslog_accept_remote_messages_tcp" selected="true" /> -->
-<!-- may be un-necessary <select idref="rsyslog_accept_remote_messages_udp" selected="true" /> --> 
+<select idref="rsyslog_accept_remote_messages_tcp" selected="true" />
+<select idref="rsyslog_accept_remote_messages_udp" selected="true" />  
 <select idref="rsyslog_send_messages_to_logserver" selected="true" />
 <select idref="selinux_confinement_of_daemons" selected="true" />
 <select idref="selinux_all_devicefiles_labeled" selected="true" />
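Review bot: Lines 98–99 select `rsyslog_accept_remote_messages_tcp` and `rsyslog_accept_remote_messages_udp` while line 95 still selects `rsyslog_accept_remote_messages_none`; these contradict each other — the `none` rule expects no remote-listening rsyslog input, the other two require it — so a scan will always fail one side. If this host is a log server, remove the `none` select; if it only forwards to a log server (`rsyslog_send_messages_to_logserver` on line 100), keep `none` and drop the two additions. Line 99 also ends with trailing spaces.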
@@ -231,7 +234,7 @@
 <select idref="sysctl_net_ipv4_conf_all_log_martians" selected="true" />
 <select idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true" />
 <!-- not necessary if ipv6 is disabled <select idref="set_sysctl_net_ipv6_conf_default_accept_ra" selected="true" /> --> 
-<!-- may need to be refined <select idref="set_system_login_banner" selected="true" /> -->
+<select idref="set_system_login_banner" selected="true" />
 <select idref="sshd_allow_only_protocol2" selected="true" />
 <select idref="sshd_disable_root_login" selected="true" />
 <select idref="sshd_use_approved_ciphers" selected="true" />
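Review bot: `set_system_login_banner` on line 108 replaces a comment saying the rule may need refinement, but no `refine-value` for the banner text accompanies it; if the guide exposes the banner text as a Value, add the matching `<refine-value idref="[BANNER_TEXT_VALUE_ID]" selector="[SELECTOR]" />` or a comment confirming the default text is the intended one.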
@@ -245,7 +248,6 @@
 <select idref="uninstall_telnet_server" selected="true" />
 <select idref="uninstall_tftp-server" selected="true" />
 <select idref="uninstall_vsftpd" selected="true" />
-<select idref="uninstall_xinetd" selected="true" />
 <select idref="uninstall_ypserv" selected="true" />
 <!-- the following may need refinement -->
 <select idref="file_owner_etc_group" selected="true" />
@@ -255,7 +257,6 @@
 <select idref="userowner_shadow_file" selected="true" />
 <select idref="wireless_disable_in_bios" selected="true" />
 <select idref="world_writable_files_system_ownership" selected="true" />
-<select idref="install_openswan" selected="true" />
 <select idref="disable_interactive_boot" selected="true" />
 <select idref="install_hids" selected="true" />
 <select idref="install_antivirus" selected="true" />
@@ -264,6 +265,7 @@
 <select idref="bios_enable_execution_restrictions" selected="true" />
 <select idref="disable_setuid_coredumps" selected="true" />
 <select idref="disable_xwindows_with_runlevel" selected="true" />
+<select idref="world_writeable_files" selected="true" />  
 </Profile>
 
 
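Review bot: The idref on line 132, `world_writeable_files`, spells "writeable" differently from the existing `world_writable_files_system_ownership` on line 123; if the guide's rule id uses `writable`, this select matches no rule and the check silently goes unselected — verify the id against the rule definitions. The line also ends with trailing spaces after the `/>`.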
-- 
1.7.9.2

