On 7/24/14, 10:11 AM, JENNINGS, JARED L CTR USAF AFMC 96 SK/CCI wrote:
(like c20e0403 from David Smith<[email protected]>, but applied to 
RHEL7 content)

Signed-off-by: Jared Jennings<[email protected]>
---
  RHEL/7/input/system/auditing.xml           |   58 ++++++++++++++--------------
  RHEL/7/input/system/network/ipsec.xml      |    2 +-
  RHEL/7/input/system/network/kernel.xml     |    2 +-
  RHEL/7/input/system/network/wireless.xml   |    8 ++--
  RHEL/7/input/system/software/integrity.xml |   12 +++---
  5 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/RHEL/7/input/system/auditing.xml b/RHEL/7/input/system/auditing.xml
index 9711628..aedab59 100644
--- a/RHEL/7/input/system/auditing.xml
+++ b/RHEL/7/input/system/auditing.xml
@@ -510,7 +510,7 @@ are highly dependent upon an accurate system time (such as 
sshd). All changes
  to the system time should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_time_adjtimex" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  <ref disa="1487,169" />
  </Rule>
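Review bot: The new `AC-3(10)` entry on the `<ref nist=...>` line looks like a mechanical renumbering of the withdrawn `AC-17(7)` rather than a reviewed mapping. As I read NIST SP 800-53 rev. 4, AC-3(10) covers audited override of access control mechanisms, which is narrower than what this rule records (calls to adjtimex); the `AU-2` entries already carry the audit-event mapping. The same substitution recurs in every other `AC-17(7)` hunk of auditing.xml and in the kernel.xml `log_martians` hunk, where the link to AC-3(10) looks weakest. Consider dropping the entry where the rule does not audit an access-control override, e.g. `<ref nist="AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />`, or state in the commit message that the change is a straight renumbering, so that compliance reports built from these references are not read as a verified mapping. The Rule element starts outside the hunk.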
@@ -538,7 +538,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes
  to the system time should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_time_settimeofday" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  <ref disa="1487,169" />
  </Rule>
@@ -564,7 +564,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes
  to the system time should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_time_stime" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  <ref disa="1487,169" />
  </Rule>
@@ -592,7 +592,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes
  to the system time should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_time_clock_settime" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  <ref disa="1487,169" />
  </Rule>
@@ -617,7 +617,7 @@ are highly dependent upon an accurate system time (such as sshd). All changes
  to the system time should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_time_watch_localtime" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  <ref disa="1487,169" />
  </Rule>
  </Group><!--End <Group id="audit_time_rules"> -->
@@ -646,7 +646,7 @@ unexpected users, groups, or modifications should be 
investigated for
  legitimacy.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_usergroup_modification" />
-<ref nist="AC-2(4),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" 
disa="18,1403,1404,1405,1684,1683,1685,1686"/>
+<ref nist="AC-2(4),AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" 
disa="18,1403,1404,1405,1684,1683,1685,1686"/>
  </Rule>
<Rule id="audit_network_modifications">
@@ -672,7 +672,7 @@ than administrator action. Any change to network parameters 
should be
  audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_networkconfig_modification" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  </Rule>
<Rule id="file_permissions_var_log_audit">
@@ -729,7 +729,7 @@ arbitrarily changed by anything other than administrator 
action. All changes to
  MAC policy should be audited.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_mac_modification" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  </Rule>
<Group id="audit_dac_actions">
@@ -779,7 +779,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_chmod" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_chown">
@@ -805,7 +805,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_chown" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fchmod">
@@ -831,7 +831,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fchmod" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fchmodat">
@@ -857,7 +857,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fchmodat" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fchown">
@@ -883,7 +883,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fchown" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fchownat">
@@ -909,7 +909,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fchownat" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fremovexattr">
@@ -935,7 +935,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fremovexattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_fsetxattr">
@@ -961,7 +961,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_fsetxattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_lchown">
@@ -987,7 +987,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_lchown" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_lremovexattr">
@@ -1013,7 +1013,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_lremovexattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_lsetxattr">
@@ -1039,7 +1039,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_lsetxattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_removexattr">
@@ -1065,7 +1065,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_removexattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_rules_dac_modification_setxattr">
@@ -1091,7 +1091,7 @@ calls with others as identifying earlier in this guide is 
more efficient.
  </warning>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_dac_modification_setxattr" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
</Group> <!-- <Group id="audit_dac_actions"> -->
@@ -1108,7 +1108,7 @@ files involved in storing logon events, add the following to 
<tt>/etc/audit/audi
  as an attacker attempting to remove evidence of an intrusion.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_login_events" />
-<ref nist="AC-17(7),AU-1(b),IR-5" />
+<ref nist="AC-3(10),AU-1(b),IR-5" />
  </Rule>
<Rule id="audit_manual_session_edits">
@@ -1125,7 +1125,7 @@ storing such process information, add the following to
  as an attacker attempting to remove evidence of an intrusion.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_session_events" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" />
  </Rule>
<Rule id="audit_file_access">
@@ -1146,7 +1146,7 @@ To verify that the audit system collects unauthorized 
file accesses, run the fol
  these events could serve as evidence of potential system 
compromise.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_unsuccessful_file_modification" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126" />
  </Rule>
<Rule id="audit_privileged_commands">
@@ -1174,7 +1174,7 @@ unusual activity.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_privileged_commands" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AU-2(4),IR-5" disa="40" />
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),AC-6(9),IR-5" disa="40" />
  <tested by="DS" on="20121024"/>
  </Rule>
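Review bot: On the new `<ref>` line `AC-6(9)` sits in the slot `AU-2(4)` used to occupy, between `AU-2(d)` and `IR-5`, so the value is no longer grouped by control family the way the other `nist` attributes visible in this patch are. Placing it beside the other AC entry keeps the list sorted and makes it easier to compare with sibling rules: `<ref nist="AC-3(10),AC-6(9),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="40" />`. The Rule element starts outside the hunk.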
@@ -1196,7 +1196,7 @@ trail should be created each time a filesystem is mounted to help identify and g
  loss.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_media_export" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  <tested by="DS" on="20121024"/>
  </Rule>
@@ -1217,7 +1217,7 @@ from the system. The audit trail could aid in system troubleshooting, as well as
  malicious processes that attempt to delete log files to conceal their 
presence.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_file_deletion_events" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_sysadmin_actions">
@@ -1235,7 +1235,7 @@ To verify that auditing is configured for system 
administrator actions, run the
  of what was executed on the system, as well as, for accountability 
purposes.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_sysadmin_actions" />
-<ref nist="AC-2(7)(b),AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" 
disa="126"/>
+<ref nist="AC-2(7)(b),AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" 
disa="126"/>
  <tested by="DS" on="20121024"/>
  </Rule>
@@ -1257,7 +1257,7 @@ the kernel and potentially introduce malicious code into kernel space. It is imp
  to have an audit trail of modules that have been introduced into the 
kernel.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="audit_rules_kernel_module_loading" />
-<ref nist="AC-17(7),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
+<ref nist="AC-3(10),AU-1(b),AU-2(a),AU-2(c),AU-2(d),IR-5" disa="126"/>
  </Rule>
<Rule id="audit_config_immutable">
diff --git a/RHEL/7/input/system/network/ipsec.xml 
b/RHEL/7/input/system/network/ipsec.xml
index b05ed1a..4e8186d 100644
--- a/RHEL/7/input/system/network/ipsec.xml
+++ b/RHEL/7/input/system/network/ipsec.xml
@@ -19,7 +19,7 @@ transmitted over a wide area network.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="package_openswan_installed" />
-<ref nist="AC-17, MA-4, SC-9" disa="1130,1131" />
+<ref nist="AC-17, MA-4, SC-8" disa="1130,1131" />
  </Rule>
  </Group>
diff --git a/RHEL/7/input/system/network/kernel.xml b/RHEL/7/input/system/network/kernel.xml
index 3c8b75f..fe7505f 100644
--- a/RHEL/7/input/system/network/kernel.xml
+++ b/RHEL/7/input/system/network/kernel.xml
@@ -262,7 +262,7 @@ sign of nefarious network activity. Logging these packets 
enables this activity
  to be detected.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="sysctl_net_ipv4_conf_all_log_martians" 
value="sysctl_net_ipv4_conf_all_log_martians_value" />
-<ref nist="AC-17(7),CM-7" disa="126"/>
+<ref nist="AC-3(10),CM-7" disa="126"/>
  <tested by="DS" on="20121024"/>
  </Rule>
diff --git a/RHEL/7/input/system/network/wireless.xml b/RHEL/7/input/system/network/wireless.xml
index 19b84be..869dc55 100644
--- a/RHEL/7/input/system/network/wireless.xml
+++ b/RHEL/7/input/system/network/wireless.xml
@@ -35,7 +35,7 @@ to reboot the system first.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <!--TODO:OCIL <oval id="wireless_disable_in_bios" />-->
-<ref nist="AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85" />
+<ref nist="AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85" />
  </Rule>
<Rule id="deactivate_wireless_interfaces">
@@ -65,7 +65,7 @@ protocols which were not designed with security in mind.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="wireless_disable_interfaces" />
-<ref nist="AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85" />
+<ref nist="AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85" />
  <tested by="DS" on="20121025"/>
  </Rule>
@@ -84,7 +84,7 @@ Nevertheless, variation in this risk decision may be expected due to the
  utility of Bluetooth connectivity and its limited range.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="service_bluetooth_disabled" />
-<ref nist="AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85,1551" />
+<ref nist="AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85,1551" />
  <tested by="DS" on="20121025"/>
  </Rule>
@@ -106,7 +106,7 @@ from loading the kernel module provides an additional safeguard against its
  activation.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="kernel_module_bluetooth_disabled" />
-<ref nist="AC-17(8),AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85,1551" />
+<ref nist="AC-18(a),AC-18(d),AC-18(3),CM-7" disa="85,1551" />
  <tested by="DS" on="20121025"/>
  </Rule>
diff --git a/RHEL/7/input/system/software/integrity.xml b/RHEL/7/input/system/software/integrity.xml
index a2a6921..b250460 100644
--- a/RHEL/7/input/system/software/integrity.xml
+++ b/RHEL/7/input/system/software/integrity.xml
@@ -41,7 +41,7 @@ The AIDE package must be installed if it is to be available 
for integrity checki
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="package_aide_installed" />
-<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28, SI-7" disa="1069"/>
+<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28, SI-7" disa="1069"/>
  <tested by="DS" on="20121024"/>
  </Rule>
@@ -61,7 +61,7 @@ of AIDE, because it changes binaries.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="disable_prelink" />
-<ref nist="CM-6(d),CM-6(3),SC-28, SI-7" />
+<ref nist="CM-6(d),SC-28, SI-7" />
  </Rule>
<Rule id="aide_build_database">
@@ -82,7 +82,7 @@ For AIDE to be effective, an initial database of "known-good" 
information about
  must be captured and it should be able to be verified against the installed 
files.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
-<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" />
+<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" />
  </Rule>
<Rule id="aide_periodic_cron_checking" severity="medium">
@@ -101,7 +101,7 @@ By default, AIDE does not install itself for periodic 
execution. Periodically
  running AIDE is necessary to reveal unexpected changes in installed files.
  </rationale>
  <ident cce="RHEL7-CCE-TBD" />
-<ref nist="CM-3(d),CM-3(e),CM-6(d),CM-6(3),SC-28,SI-7" 
disa="374,416,1069,1263,1297,1589"/>
+<ref nist="CM-3(d),CM-3(e),CM-6(d),SC-28,SI-7" 
disa="374,416,1069,1263,1297,1589"/>
  </Rule>
  </Group>
@@ -142,7 +142,7 @@ The permissions set by the vendor should be maintained. Any deviations from
  this baseline should be investigated.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="rpm_verify_permissions" />
-<ref nist="AC-6,CM-6(d),CM-6(3)" disa="1493,1494,1495" />
+<ref nist="AC-6,CM-6(d),SI-7" disa="1493,1494,1495" />
  </Rule>
<Rule id="rpm_verify_hashes">
@@ -173,7 +173,7 @@ information given by the RPM database. Executables with 
erroneous hashes could
  be a sign of nefarious activity on the system.</rationale>
  <ident cce="RHEL7-CCE-TBD" />
  <oval id="rpm_verify_hashes" />
-<ref nist="CM-6(d),CM-6(3),SI-7" disa="1496" />
+<ref nist="CM-6(d),SI-7" disa="1496" />
  </Rule>
</Group>
-- 1.7.1

ack