(like 62466610 from David Smith <[email protected]>, but applied to RHEL7 content)
Signed-off-by: Jared Jennings <[email protected]> --- RHEL/7/input/services/base.xml | 18 +++++++++--------- RHEL/7/input/services/obsolete.xml | 28 ++++++++++++++-------------- RHEL/7/input/services/ssh.xml | 4 ++-- 3 files changed, 25 insertions(+), 25 deletions(-) diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml index 4f2c05a..61c4ac0 100644 --- a/RHEL/7/input/services/base.xml +++ b/RHEL/7/input/services/base.xml @@ -22,7 +22,7 @@ vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_abrtd_disabled" /> -<ref nist="AC-17(8),CM-7" disa="381" /> +<ref nist="CM-7" disa="381" /> </Rule> <Rule id="service_acpid_disabled"> @@ -153,7 +153,7 @@ crash, which can load information from the crashed kernel for analysis. is little need to run the kdump service.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_kdump_disabled" /> -<ref nist="AC-17(8),CM-7" /> +<ref nist="CM-7" /> </Rule> @@ -205,7 +205,7 @@ kernel panics, which is not common. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_netconsole_disabled" /> -<ref nist="AC-17(8),CM-7" disa="381" /> +<ref nist="CM-7" disa="381" /> </Rule> <Rule id="service_ntpdate_disabled"> @@ -224,7 +224,7 @@ reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_ntpdate_disabled" /> -<ref nist="AC-17(8),CM-7" disa="382" /> +<ref nist="CM-7" disa="382" /> <tested by="DS" on="20121024"/> </Rule> @@ -260,7 +260,7 @@ preventing conflicting usage of ports in the reserved port range, but it can be disabled if not needed.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_portreserve_disabled" /> -<ref nist="AC-17(8),CM-7" /> +<ref nist="CM-7" /> <tested by="DS" on="20121024"/> </Rule> 
@@ -298,7 +298,7 @@ the system is not intended to receive AMQP traffic, then the <tt>qpidd</tt> service is not needed and should be disabled or removed.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_qpidd_disabled" /> -<ref nist="AC-17(8),CM-7" disa="382" /> +<ref nist="CM-7" disa="382" /> </Rule> <Rule id="service_quota_nld_disabled"> @@ -337,7 +337,7 @@ some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_rdisc_disabled" /> -<ref nist="AC-17(8),AC-4,CM-7" disa="382" /> +<ref nist="AC-4,CM-7" disa="382" /> <tested by="DS" on="20121024"/> </Rule> @@ -356,7 +356,7 @@ desirable for some environments. However, if the system is being managed by RHN RHN Satellite Server the <tt>rhnsd</tt> daemon can remain on. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_rhnsd_disabled" /> -<ref nist="AC-17(8),CM-7" disa="382" /> +<ref nist="CM-7" disa="382" /> <tested by="DS" on="20121024"/> </Rule> @@ -395,7 +395,7 @@ use Kerberos and LDAP. For others, however, in which only local files may be consulted, it is not necessary and should be disabled.</rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_saslauthd_disabled" /> -<ref nist="AC-17(8),CM-7" /> +<ref nist="CM-7" /> <tested by="DS" on="20121024"/> </Rule> diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml index c1f594f..5c88422 100644 --- a/RHEL/7/input/services/obsolete.xml +++ b/RHEL/7/input/services/obsolete.xml @@ -41,7 +41,7 @@ attacks against xinetd itself. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_xinetd_disabled" /> -<ref nist="AC-17(8),CM-7" disa="305"/> +<ref nist="CM-7" disa="305"/> <tested by="DS" on="20121026"/> </Rule> 
@@ -60,7 +60,7 @@ xinetd service's accidental (or intentional) activation. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="package_xinetd_removed" /> -<ref nist="AC-17(8),CM-7" disa="305"/> +<ref nist="CM-7" disa="305"/> <tested by="DS" on="20121026"/> </Rule> @@ -87,7 +87,7 @@ subject to man-in-the-middle attacks. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_telnetd_disabled" /> -<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" /> +<ref nist="CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" /> <tested by="DS" on="20121026"/> </Rule> @@ -103,7 +103,7 @@ telnet service's accidental (or intentional) activation. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="package_telnet-server_removed" /> -<ref nist="AC-17(8),CM-7" disa="305,381"/> +<ref nist="CM-7" disa="305,381"/> <tested by="DS" on="20121026"/> </Rule> </Group> @@ -128,7 +128,7 @@ activation. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="package_rsh-server_removed" /> -<ref nist="AC-17(8),CM-7" disa="305,381"/> +<ref nist="CM-7" disa="305,381"/> <tested by="DS" on="20121026"/> </Rule> @@ -147,7 +147,7 @@ stolen by eavesdroppers on the network. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_rexec_disabled" /> -<ref nist="AC-17(8),CM-7" disa="68,1436"/> +<ref nist="CM-7" disa="68,1436"/> <tested by="DS" on="20121026"/> </Rule> @@ -166,7 +166,7 @@ stolen by eavesdroppers on the network. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_rsh_disabled" /> -<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436" /> +<ref nist="CM-7,IA-5(1)(c)" disa="68,1436" /> <tested by="DS" on="20121026"/> </Rule> @@ -202,7 +202,7 @@ stolen by eavesdroppers on the network. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_rlogin_disabled" /> -<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="1436" /> +<ref nist="CM-7,IA-5(1)(c)" disa="1436" /> <tested by="DS" on="20121026"/> </Rule> 
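Review bot: With `AC-17(8)` removed, the `nist` attribute on `service_telnetd_disabled` (and likewise in the `service_rexec_disabled`, `service_rsh_disabled` and `service_rlogin_disabled` hunks) no longer cites any remote-access control, although each rationale is about traffic or credentials exposed on the network. If that traceability is meant to survive, `AC-17(2)`, which this patch already keeps on `sshd_use_approved_ciphers`, looks like the closest remaining reference, e.g. `<ref nist="AC-17(2),CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" />` for telnetd. Whether that mapping is appropriate should be confirmed against the catalog revision the guide targets. The Rule elements begin outside these hunks, so other references may exist that are not visible here.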
@@ -225,7 +225,7 @@ of an Rsh trust relationship. used in conjunction with the R-services, they can allow unauthenticated access to a system.</rationale> <ident cce="RHEL7-CCE-TBD" /> -<ref nist="AC-17(8),CM-7" disa="1436" /> +<ref nist="CM-7" disa="1436" /> <oval id="no_rsh_trust_files" /> <tested by="DS" on="20121026"/> </Rule> @@ -252,7 +252,7 @@ accidental (or intentional) activation of NIS or NIS+ services. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="package_ypserv_removed" /> -<ref nist="AC-17(8),CM-7" disa="305,381"/> +<ref nist="CM-7" disa="305,381"/> <tested by="DS" on="20121026"/> </Rule> @@ -269,7 +269,7 @@ as a client in a NIS or NIS+ domain. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_ypbind_disabled" /> -<ref nist="AC-17(8),CM-7" disa="305"/> +<ref nist="CM-7" disa="305"/> <tested by="DS" on="20121026"/> </Rule> </Group> @@ -297,7 +297,7 @@ as a TFTP server, which does not provide encryption or authentication. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="service_tftp_disabled" /> -<ref nist="AC-17(8),CM-7" disa="1436" /> +<ref nist="CM-7" disa="1436" /> <tested by="DS" on="20121026"/> </Rule> @@ -315,7 +315,7 @@ accidental (or intentional) activation of tftp services. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="package_tftp-server_removed" /> -<ref nist="AC-17(8),CM-7" disa="305"/> +<ref nist="CM-7" disa="305"/> <tested by="DS" on="20121026"/> </Rule> @@ -346,7 +346,7 @@ server_args = -s /var/lib/tftpboot</pre> </ocil> <ident cce="RHEL7-CCE-TBD" /> <oval id="tftpd_uses_secure_mode" /> -<ref nist="AC-17(8),CM-7" disa="366"/> +<ref nist="CM-7" disa="366"/> </Rule> </Group> diff --git a/RHEL/7/input/services/ssh.xml b/RHEL/7/input/services/ssh.xml index cf41bc1..9461da5 100644 --- a/RHEL/7/input/services/ssh.xml +++ b/RHEL/7/input/services/ssh.xml 
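Review bot: In the `no_rsh_trust_files` hunk the `<ref>` element sits before `<oval>`, while every other rule touched by this patch puts `<oval>` first and `<ref>` second. Since the line is being edited anyway, it could move below the oval line so the order is uniform: `<oval id="no_rsh_trust_files" />` followed by `<ref nist="CM-7" disa="1436" />`. This is a consistency point only; nothing in the hunk shows that element order affects how the content is built.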
@@ -81,7 +81,7 @@ should not be used. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="sshd_allow_only_protocol2" /> -<ref nist="AC-17(7),IA-5(1)(c)" disa="776,774,1436" /> +<ref nist="AC-3(10),IA-5(1)(c)" disa="776,774,1436" /> <tested by="DS" on="20121024"/> </Rule> @@ -363,7 +363,7 @@ implementation. These are also required for compliance. </rationale> <ident cce="RHEL7-CCE-TBD" /> <oval id="sshd_use_approved_ciphers" /> -<ref nist="AC-3,AC-17(2),AU-10(5),IA-5(1)(c),IA-7" disa="803,1144,1145,1146" /> +<ref nist="AC-3,AC-17(2),SI-7,IA-5(1)(c),IA-7" disa="803,1144,1145,1146" /> <tested by="DS" on="20121024"/> </Rule> -- 1.7.1 -- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
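Review bot: `AC-3(10)` on `sshd_allow_only_protocol2` presumably follows the catalog's withdrawal pointer for `AC-17(7)`, but as far as I can tell that enhancement is about audited override of access control mechanisms, which is not what restricting sshd to protocol 2 does. The rest of this patch folds the "disable an insecure protocol" reference into `CM-7`, so `<ref nist="CM-7,IA-5(1)(c)" disa="776,774,1436" />` would probably describe this rule more accurately. Please confirm against the catalog revision the guide targets before settling on either value.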
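Review bot: `SI-7` was placed in the slot `AU-10(5)` occupied, so the `nist` list on `sshd_use_approved_ciphers` is no longer grouped by control family (AC, AC, SI, IA, IA). Moving it to the end keeps the list sorted: `<ref nist="AC-3,AC-17(2),IA-5(1)(c),IA-7,SI-7" disa="803,1144,1145,1146" />`. The other multi-control lists in this patch (`AC-4,CM-7` and `CM-7,IA-5(1)(c)`) are already in family order.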
