(like 62466610 from David Smith<[email protected]>, but applied to
RHEL7 content)
Signed-off-by: Jared Jennings<[email protected]>
---
RHEL/7/input/services/base.xml | 18 +++++++++---------
RHEL/7/input/services/obsolete.xml | 28 ++++++++++++++--------------
RHEL/7/input/services/ssh.xml | 4 ++--
3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/RHEL/7/input/services/base.xml b/RHEL/7/input/services/base.xml
index 4f2c05a..61c4ac0 100644
--- a/RHEL/7/input/services/base.xml
+++ b/RHEL/7/input/services/base.xml
@@ -22,7 +22,7 @@ vulnerabilities in software executing on the local machine,
as well as sensitive
information from within a process's address space or registers.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_abrtd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="381" />
+<ref nist="CM-7" disa="381" />
</Rule>
<Rule id="service_acpid_disabled">
@@ -153,7 +153,7 @@ crash, which can load information from the crashed kernel
for analysis.
is little need to run the kdump service.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_kdump_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
</Rule>
@@ -205,7 +205,7 @@ kernel panics, which is not common.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_netconsole_disabled" />
-<ref nist="AC-17(8),CM-7" disa="381" />
+<ref nist="CM-7" disa="381" />
</Rule>
<Rule id="service_ntpdate_disabled">
@@ -224,7 +224,7 @@ reboots. In any event, the functionality of the ntpdate
service is now
available in the ntpd program and should be considered deprecated.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_ntpdate_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -260,7 +260,7 @@ preventing conflicting usage of ports in the reserved port range, but it can be
disabled if not needed.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_portreserve_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -298,7 +298,7 @@ the system is not intended to receive AMQP traffic, then the <tt>qpidd</tt>
service is not needed and should be disabled or removed.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_qpidd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
</Rule>
<Rule id="service_quota_nld_disabled">
@@ -337,7 +337,7 @@ some special-purpose systems often use DHCP (instead of
IRDP) to retrieve
dynamic network configuration information.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_rdisc_disabled" />
-<ref nist="AC-17(8),AC-4,CM-7" disa="382" />
+<ref nist="AC-4,CM-7" disa="382" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -356,7 +356,7 @@ desirable for some environments. However, if the system is being managed by RHN
RHN Satellite Server the <tt>rhnsd</tt> daemon can remain on. </rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_rhnsd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="382" />
+<ref nist="CM-7" disa="382" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -395,7 +395,7 @@ use Kerberos and LDAP. For others, however, in which only local files may be
consulted, it is not necessary and should be disabled.</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_saslauthd_disabled" />
-<ref nist="AC-17(8),CM-7" />
+<ref nist="CM-7" />
<tested by="DS" on="20121024"/>
</Rule>
diff --git a/RHEL/7/input/services/obsolete.xml b/RHEL/7/input/services/obsolete.xml
index c1f594f..5c88422 100644
--- a/RHEL/7/input/services/obsolete.xml
+++ b/RHEL/7/input/services/obsolete.xml
@@ -41,7 +41,7 @@ attacks against xinetd itself.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_xinetd_disabled" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -60,7 +60,7 @@ xinetd service's accidental (or intentional) activation.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="package_xinetd_removed" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -87,7 +87,7 @@ subject to man-in-the-middle attacks.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_telnetd_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" />
+<ref nist="CM-7,IA-5(1)(c)" disa="68,1436,197,877,888" />
<tested by="DS" on="20121026"/>
</Rule>
@@ -103,7 +103,7 @@ telnet service's accidental (or intentional) activation.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="package_telnet-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
<tested by="DS" on="20121026"/>
</Rule>
</Group>
@@ -128,7 +128,7 @@ activation.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="package_rsh-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -147,7 +147,7 @@ stolen by eavesdroppers on the network.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_rexec_disabled" />
-<ref nist="AC-17(8),CM-7" disa="68,1436"/>
+<ref nist="CM-7" disa="68,1436"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -166,7 +166,7 @@ stolen by eavesdroppers on the network.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_rsh_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="68,1436" />
+<ref nist="CM-7,IA-5(1)(c)" disa="68,1436" />
<tested by="DS" on="20121026"/>
</Rule>
@@ -202,7 +202,7 @@ stolen by eavesdroppers on the network.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_rlogin_disabled" />
-<ref nist="AC-17(8),CM-7,IA-5(1)(c)" disa="1436" />
+<ref nist="CM-7,IA-5(1)(c)" disa="1436" />
<tested by="DS" on="20121026"/>
</Rule>
@@ -225,7 +225,7 @@ of an Rsh trust relationship.
used in conjunction with the R-services, they can allow
unauthenticated access to a system.</rationale>
<ident cce="RHEL7-CCE-TBD" />
-<ref nist="AC-17(8),CM-7" disa="1436" />
+<ref nist="CM-7" disa="1436" />
<oval id="no_rsh_trust_files" />
<tested by="DS" on="20121026"/>
</Rule>
@@ -252,7 +252,7 @@ accidental (or intentional) activation of NIS or NIS+
services.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="package_ypserv_removed" />
-<ref nist="AC-17(8),CM-7" disa="305,381"/>
+<ref nist="CM-7" disa="305,381"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -269,7 +269,7 @@ as a client in a NIS or NIS+ domain.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_ypbind_disabled" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
<tested by="DS" on="20121026"/>
</Rule>
</Group>
@@ -297,7 +297,7 @@ as a TFTP server, which does not provide encryption or
authentication.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="service_tftp_disabled" />
-<ref nist="AC-17(8),CM-7" disa="1436" />
+<ref nist="CM-7" disa="1436" />
<tested by="DS" on="20121026"/>
</Rule>
@@ -315,7 +315,7 @@ accidental (or intentional) activation of tftp services.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="package_tftp-server_removed" />
-<ref nist="AC-17(8),CM-7" disa="305"/>
+<ref nist="CM-7" disa="305"/>
<tested by="DS" on="20121026"/>
</Rule>
@@ -346,7 +346,7 @@ server_args = -s /var/lib/tftpboot</pre>
</ocil>
<ident cce="RHEL7-CCE-TBD" />
<oval id="tftpd_uses_secure_mode" />
-<ref nist="AC-17(8),CM-7" disa="366"/>
+<ref nist="CM-7" disa="366"/>
</Rule>
</Group>
diff --git a/RHEL/7/input/services/ssh.xml b/RHEL/7/input/services/ssh.xml
index cf41bc1..9461da5 100644
--- a/RHEL/7/input/services/ssh.xml
+++ b/RHEL/7/input/services/ssh.xml
@@ -81,7 +81,7 @@ should not be used.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="sshd_allow_only_protocol2" />
-<ref nist="AC-17(7),IA-5(1)(c)" disa="776,774,1436" />
+<ref nist="AC-3(10),IA-5(1)(c)" disa="776,774,1436" />
<tested by="DS" on="20121024"/>
</Rule>
@@ -363,7 +363,7 @@ implementation. These are also required for compliance.
</rationale>
<ident cce="RHEL7-CCE-TBD" />
<oval id="sshd_use_approved_ciphers" />
-<ref nist="AC-3,AC-17(2),AU-10(5),IA-5(1)(c),IA-7" disa="803,1144,1145,1146" />
+<ref nist="AC-3,AC-17(2),SI-7,IA-5(1)(c),IA-7" disa="803,1144,1145,1146" />
<tested by="DS" on="20121024"/>
</Rule>
