Signed-off-by: David Smith <[email protected]>
---
 RHEL/6/input/services/base.xml | 18 +++++++++---------
 RHEL/6/input/services/obsolete.xml | 28 ++++++++++++++--------------
 RHEL/6/input/services/ssh.xml | 4 ++--
 3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/RHEL/6/input/services/base.xml b/RHEL/6/input/services/base.xml
index 489a4a2..5bb36e0 100644
--- a/RHEL/6/input/services/base.xml
+++ b/RHEL/6/input/services/base.xml
@@ -22,7 +22,7 @@ vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.</rationale>
 <ident cce="27247-6" />
 <oval id="service_abrtd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="381" />
+<ref nist="CM-7" disa="381" />
 </Rule>
 <Rule id="service_acpid_disabled">
@@ -153,7 +153,7 @@ crash, which can load information from the crashed kernel for analysis. is little need to run the kdump service.</rationale>
 <ident cce="26850-8" />
 <oval id="service_kdump_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
 </Rule>
@@ -205,7 +205,7 @@ kernel panics, which is not common. </rationale>
 <ident cce="27254-2" />
 <oval id="service_netconsole_disabled" />
-<ref nist="AC-17(8),CM-7" disa="381" />
+<ref nist="CM-7" disa="381" />
 </Rule>
 <Rule id="service_ntpdate_disabled">
@@ -224,7 +224,7 @@ reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</rationale>
 <ident cce="27256-7" />
 <oval id="service_ntpdate_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -260,7 +260,7 @@ preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.</rationale>
 <ident cce="27258-3" />
 <oval id="service_portreserve_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -298,7 +298,7 @@ the system is not intended to receive AMQP traffic, then the <tt>qpidd</tt> service is not needed and should be disabled or removed.</rationale>
 <ident cce="26928-2" />
 <oval id="service_qpidd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
 </Rule>
 <Rule id="service_quota_nld_disabled">
@@ -337,7 +337,7 @@ some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.</rationale>
 <ident cce="27261-7" />
 <oval id="service_rdisc_disabled" />
-<ref nist="AC-17(8),AC-4,CM-7" disa="382" />
+<ref nist="AC-4,CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -356,7 +356,7 @@ desirable for some environments. However, if the system is being managed by RHN RHN Satellite Server the <tt>rhnsd</tt> daemon can remain on. </rationale>
 <ident cce="26846-6" />
 <oval id="service_rhnsd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -395,7 +395,7 @@ use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled.</rationale>
 <ident cce="27263-3" />
 <oval id="service_saslauthd_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
 <tested by="DS" on="20121024"/>
 </Rule>
diff --git a/RHEL/6/input/services/obsolete.xml b/RHEL/6/input/services/obsolete.xml
index 3a2b7c9..82f8a78 100644
--- a/RHEL/6/input/services/obsolete.xml
+++ b/RHEL/6/input/services/obsolete.xml
@@ -41,7 +41,7 @@ attacks against xinetd itself. </rationale>
 <ident cce="27046-2" />
 <oval id="service_xinetd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -60,7 +60,7 @@ xinetd service's accidental (or intentional) activation. </rationale>
 <ident cce="27005-8" />
 <oval id="package_xinetd_removed" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -87,7 +87,7 @@ subject to man-in-the-middle attacks. </rationale>
 <ident cce="26836-7" />
 <oval id="service_telnetd_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" />
+<ref nist="CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" />
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -103,7 +103,7 @@ telnet service's accidental (or intentional) activation. </rationale>
 <ident cce="27073-6" />
 <oval id="package_telnet-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -143,7 +143,7 @@ activation. </rationale>
 <ident cce="27062-9" />
 <oval id="package_rsh-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -162,7 +162,7 @@ stolen by eavesdroppers on the network. </rationale>
 <ident cce="27208-8" />
 <oval id="service_rexec_disabled" />
-<ref nist="AC-17(8),CM-7" disa="68,1436"/>
+<ref nist="CM-7" disa="68,1436"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -181,7 +181,7 @@ stolen by eavesdroppers on the network. </rationale>
 <ident cce="26994-4" />
 <oval id="service_rsh_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436" />
+<ref nist="CM-7,IA-5(1)(c)" disa="68,1436" />
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -217,7 +217,7 @@ stolen by eavesdroppers on the network. </rationale>
 <ident cce="26865-6" />
 <oval id="service_rlogin_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="1436" />
+<ref nist="CM-7,IA-5(1)(c)" disa="1436" />
 <tested by="DS" on="20121026"/>
 </Rule>
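Review bot: With AC-17(8) gone, the `service_rexec_disabled` hunk leaves `nist="CM-7"` as that rule's only NIST reference, although the visible tail of its rationale is about credentials being "stolen by eavesdroppers on the network"; the `service_rsh_disabled` and `service_rlogin_disabled` hunks end with the same rationale text and keep `IA-5(1)(c)`. Making rexec consistent would read `<ref nist="CM-7,IA-5(1)(c)" disa="68,1436"/>`. More generally, for the cleartext remote-access rules in this file (telnet, rsh, rlogin, rexec, tftp) CM-7 alone no longer records why the protocol is unsafe, so a reference on encrypted remote access such as AC-17(2), which ssh.xml already cites in this patch, may be worth adding; confirm against the catalog revision the project targets. Only the last rationale line of each rule is visible in these hunks, so the full justification may say more than is shown here.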
@@ -240,7 +240,7 @@ of an Rsh trust relationship. used in conjunction with the R-services, they can allow unauthenticated access to a system.</rationale>
 <ident cce="27270-8" />
-<ref nist="AC-17(8),CM-7" disa="1436" />
+<ref nist="CM-7" disa="1436" />
 <oval id="no_rsh_trust_files" />
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -267,7 +267,7 @@ accidental (or intentional) activation of NIS or NIS+ services. </rationale>
 <ident cce="27079-3" />
 <oval id="package_ypserv_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -284,7 +284,7 @@ as a client in a NIS or NIS+ domain. </rationale>
 <ident cce="26894-6" />
 <oval id="service_ypbind_disabled" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -328,7 +328,7 @@ as a TFTP server, which does not provide encryption or authentication. </rationale>
 <ident cce="27055-3" />
 <oval id="service_tftp_disabled" />
-<ref nist="AC-17(8),CM-7" disa="1436" />
+<ref nist="CM-7" disa="1436" />
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -346,7 +346,7 @@ accidental (or intentional) activation of tftp services. </rationale>
 <ident cce="26946-4" />
 <oval id="package_tftp-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
 <tested by="DS" on="20121026"/>
 </Rule>
@@ -392,7 +392,7 @@ server_args = -s /var/lib/tftpboot</pre> </ocil>
 <ident cce="27272-4" />
 <oval id="tftpd_uses_secure_mode" />
-<ref nist="AC-17(8),CM-7" disa="366"/>
+<ref nist="CM-7" disa="366"/>
 </Rule>
 </Group>
diff --git a/RHEL/6/input/services/ssh.xml b/RHEL/6/input/services/ssh.xml
index 695418a..9464256 100644
--- a/RHEL/6/input/services/ssh.xml
+++ b/RHEL/6/input/services/ssh.xml
@@ -83,7 +83,7 @@ should not be used. </rationale>
 <ident cce="27072-8" />
 <oval id="sshd_allow_only_protocol2" />
-<ref nist="AC-17(7),IA-5(1)(c)" disa="776,774,1436" />
+<ref nist="AC-3(10),IA-5(1)(c)" disa="776,774,1436" />
 <tested by="DS" on="20121024"/>
 </Rule>
@@ -365,7 +365,7 @@ implementation. These are also required for compliance. </rationale>
 <ident cce="26555-3" />
 <oval id="sshd_use_approved_ciphers" />
-<ref nist="AC-3,AC-17(2),AU-10(5),IA-5(1)(c),IA-7" disa="803,1144,1145,1146" />
+<ref nist="AC-3,AC-17(2),SI-7,IA-5(1)(c),IA-7" disa="803,1144,1145,1146" />
 <tested by="DS" on="20121024"/>
 </Rule>
-- 1.7.1
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
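Review bot: In the `sshd_allow_only_protocol2` hunk, `AC-3(10)` reads like a mechanical carry-over of AC-17(7) and does not describe what the rule enforces. As far as I recall, SP 800-53 Rev. 4 withdraws AC-17(7) into AC-3(10), and AC-3(10) covers audited override of access control mechanisms, which restricting sshd to protocol 2 does not implement. Anyone crediting this rule toward AC-3(10) in a compliance report would be misled; a remote-access encryption control such as AC-17(2), already cited for `sshd_use_approved_ciphers` in this file, looks closer, e.g. `<ref nist="AC-17(2),IA-5(1)(c)" disa="776,774,1436" />`. The commit text visible here does not say which catalog revision the `nist` attribute now follows, and stating that in the message would let reviewers check the remapping.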
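Review bot: `SI-7` is dropped into the slot where `AU-10(5)` stood, so the `nist` list in the `sshd_use_approved_ciphers` hunk is no longer in control-family order (`AC-3,AC-17(2),SI-7,IA-5(1)(c),IA-7`), while every other multi-valued `nist` attribute in this patch is. Suggested form: `<ref nist="AC-3,AC-17(2),IA-5(1)(c),IA-7,SI-7" disa="803,1144,1145,1146" />`. Separately, SI-7 is an integrity control, whereas this rule selects approved ciphers for the SSH session, so it is worth confirming that the mapping is intended and is not only the catalog's successor entry for AU-10(5).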
