Changes in the 01/17/2014 release

XCCDF
- updates:
    Version number updated to 1.2.5.0

OVAL
- changes:
1. Updated OVAL state oval:gov.nist.usgcb.rhel:ste:200842 to fix a false positive on systems with an enhanced (stricter than baseline) configuration.
    replaced:
        operation="equals"
    with:
        operation="greater than or equal"

###############################################################################
###############################################################################
###############################################################################

Changes in the 12/17/2013 release

XCCDF
- updates:
    Version number updated to 1.1.5.0

OVAL
- changes:
1. Corrected the path and filename for oval:gov.nist.usgcb.rhel:obj:20056
    replaced:
        path /etc/security, filename limits.conf
    with:
        path /etc, filename sysctl.conf
2. Updated the pattern for oval:gov.nist.usgcb.rhel:obj:20056 to increase flexibility (whitespace around "=" is now optional and the "." is escaped)
    replaced:
        ^fs.suid_dumpable\s+=\s+1$
    with:
        ^fs\.suid_dumpable\s*=\s*1$
3. Updated the pattern for oval:gov.nist.usgcb.rhel:obj:20056 to comply with section 2.2.4.2 Disable Core Dumps (RHEL NSA Guide): any non-zero value is now matched, not only 1
    (also updated the comment for oval:gov.nist.usgcb.rhel:tst:20056)
    replaced:
        ^fs\.suid_dumpable\s*=\s*1$
    with:
        ^fs\.suid_dumpable\s*=\s*([1-9]\d*)$
4. Corrected the child element checked by oval:gov.nist.usgcb.rhel:ste:20085
    replaced:
        (?:^[:.])|(?:::)|(?::\.:)|(?:[:.]$)
    with:
        (?:^[:.])|(?:::)|(?::\.:)|(?:[:.]$)
    - updated the comment for oval:gov.nist.usgcb.rhel:tst:20085 to match the value checked by the state
5. Updated the pattern match for oval:gov.nist.usgcb.rhel:obj:20070 (the password field may now be any length, including empty)
    replaced:
        ^(?!root:)[^:]*:[^:]:0
    with:
        ^(?!root:)[^:]*:[^:]*:0
    - updated the comment for oval:gov.nist.usgcb.rhel:tst:20070 to match the value checked by the state
6. Updated the pattern match for oval:gov.nist.usgcb.rhel:obj:20053 (anchored to the start of the line, so commented-out umask lines no longer match)
    replaced:
        umask[\s]+(.*)
    with:
        ^\s*umask\s+(.*)
7.
Corrected the pattern match for oval:gov.nist.usgcb.rhel:obj:20104 (the character class before selinux=0/enforcing=0 now allows ".", so kernel lines carrying a dotted version string are matched)
    replaced:
        ^\s*kernel\s+[-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[-=\\/\w\s]*$
    with:
        ^\s*kernel\s+[\.\-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[\-=\\/\w\s]*$
    - updated the comment for oval:gov.nist.usgcb.rhel:tst:20104 to match the value checked by the state
8. Corrected the path used in oval:gov.nist.usgcb.rhel:obj:36491 (missing leading "/")
    replaced:
        ind-def:path>etc/sysconfig"
    with:
        ind-def:path>/etc/sysconfig"
9. Updated state oval:gov.nist.usgcb.rhel:ste:1000400 to check for suid, sgid, and sticky
10. Enhanced the file permissions tests to work on more secure environments (systems configured more strictly than the baseline).
    Affected tests and CCEs:
        oval:gov.nist.usgcb.rhel:ste:1000644
            oval:gov.nist.usgcb.rhel:tst:20043 (CCE-3967-7)
            oval:gov.nist.usgcb.rhel:tst:20045 (CCE-3566-7)
        oval:gov.nist.usgcb.rhel:ste:1000600
            oval:gov.nist.usgcb.rhel:tst:20094 (CCE-3923-0)
            oval:gov.nist.usgcb.rhel:tst:20210 (CCE-4388-5)
            oval:gov.nist.usgcb.rhel:tst:20213 (CCE-4304-2)
        oval:gov.nist.usgcb.rhel:ste:1000700
            oval:gov.nist.usgcb.rhel:tst:20224 (CCE-4106-1)
            oval:gov.nist.usgcb.rhel:tst:20225 (CCE-4450-3)
            oval:gov.nist.usgcb.rhel:tst:20226 (CCE-4203-6)
            oval:gov.nist.usgcb.rhel:tst:20227 (CCE-4251-5)
            oval:gov.nist.usgcb.rhel:tst:20228 (CCE-4250-7)
    OVAL states not changed (not in use):
        oval:gov.nist.usgcb.rhel:ste:20042
        oval:gov.nist.usgcb.rhel:ste:20043
        oval:gov.nist.usgcb.rhel:ste:20044
        oval:gov.nist.usgcb.rhel:ste:20045
        oval:gov.nist.usgcb.rhel:ste:20082
        oval:gov.nist.usgcb.rhel:ste:20094
        oval:gov.nist.usgcb.rhel:ste:20210
        oval:gov.nist.usgcb.rhel:ste:20213
        oval:gov.nist.usgcb.rhel:ste:20224
        oval:gov.nist.usgcb.rhel:ste:20225
        oval:gov.nist.usgcb.rhel:ste:20226
        oval:gov.nist.usgcb.rhel:ste:20227
        oval:gov.nist.usgcb.rhel:ste:20228
        oval:gov.nist.usgcb.rhel:ste:20315
        oval:gov.nist.usgcb.rhel:ste:20326
        oval:gov.nist.usgcb.rhel:ste:20327
        oval:gov.nist.usgcb.rhel:ste:20328
        oval:gov.nist.usgcb.rhel:ste:20330
        oval:gov.nist.usgcb.rhel:ste:10004710
        oval:gov.nist.usgcb.rhel:ste:1000701
11.
Corrected oval:gov.nist.usgcb.rhel:def:201825 (CCE-4273-9) to fix a false positive when the tftp service is installed.
12. The check for "CCE-4387-7: Disable root Login via SSH" did not cover the default settings. Updated the criteria for oval:gov.nist.usgcb.rhel:def:20243 to:
13. CCE-4234-1: Disable Inetd. This rule checks the run level status of the inetd service, but on some systems the service is named "inet" rather than "inetd". Updated the following objects to match either service name (pattern match value "^inet(d)?$"):
    oval:gov.nist.usgcb.rhel:obj:20170
    oval:gov.nist.usgcb.rhel:obj:201701
    oval:gov.nist.usgcb.rhel:obj:201702
    oval:gov.nist.usgcb.rhel:obj:201703
    oval:gov.nist.usgcb.rhel:obj:201704
    oval:gov.nist.usgcb.rhel:obj:201705
    oval:gov.nist.usgcb.rhel:obj:201706
14. Issue: the usgcb-rhel5desktop-rule-2.2.3.3.a rule reports "FAIL" on a compliant system because files in /proc//attr are globally readable and writable.
    Fix: updated oval:gov.nist.usgcb.rhel:obj:20047 to exclude /proc//attr (the exclusion pattern covers the whole /proc tree):
        ^/proc/.*$
    Reference(s):
        http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf - section 2.2.3.3
        https://access.redhat.com/site/solutions/36880
15. Issue: oval:gov.nist.usgcb.rhel:obj:20090 collects only one instance that matches the pattern.
    Fix:
    - updated oval:gov.nist.usgcb.rhel:obj:20090 to collect all instances of the pattern
    - changed check_existence from "all_exist" to "at_least_one_exists" for the test oval:gov.nist.usgcb.rhel:tst:20090
16. Corrected oval:gov.nist.usgcb.rhel:ste:201670 to match a 32-bit architecture.
    replaced:
        "^.*$"
    with:
        "^i[36]86$"
17. Updated the comments on the criterion elements to match the referenced test's comment for:
    oval:gov.nist.usgcb.rhel:def:201575
    oval:gov.nist.usgcb.rhel:def:20159
    oval:gov.nist.usgcb.rhel:def:20164
    oval:gov.nist.usgcb.rhel:def:20166
    oval:gov.nist.usgcb.rhel:def:20167
18. Updated the comment for the following tests:
    oval:gov.nist.usgcb.rhel:tst:201660
    oval:gov.nist.usgcb.rhel:tst:201661
19.
Changed check_existence="all_exist" to check_existence="any_exist" for oval:gov.nist.usgcb.rhel:tst:20046 to fix a false positive when the system is compliant.
20. Enabled the group id="usgcb-rhel5desktop-group-2.1.1.1".
21. Updated the following OVAL definitions to use a partition_test instead of a textfilecontent54_test (the mounted partition is checked directly rather than the contents of a text file):
    oval:gov.nist.usgcb.rhel:def:20000
    oval:gov.nist.usgcb.rhel:def:20002
    oval:gov.nist.usgcb.rhel:def:20004
    oval:gov.nist.usgcb.rhel:def:20005
    oval:gov.nist.usgcb.rhel:def:20006
    Affected rules and CCEs:
        usgcb-rhel5desktop-rule-2.1.1.1.1.a - CCE-14161-4: Ensure that /tmp has its own partition or logical volume
        usgcb-rhel5desktop-rule-2.1.1.1.2.a - CCE-14777-7: Ensure that /var has its own partition or logical volume
        usgcb-rhel5desktop-rule-2.1.1.1.3.a - CCE-14011-1: Ensure that /var/log has its own partition or logical volume
        usgcb-rhel5desktop-rule-2.1.1.1.4.a - CCE-14171-3: Ensure that /var/log/audit has its own partition or logical volume
        usgcb-rhel5desktop-rule-2.1.1.1.5.a - CCE-14559-9: Ensure that /home has its own partition or logical volume

###############################################################################
###############################################################################
###############################################################################

Changes in the Update 11/7/2011:

XCCDF
- corrections:
    Status updated to accepted
    Final Release date updated to 2011-9-30
    Version number updated to 1.0.5.0

Changes in the Final Release 9/30/2011:

OVAL
- The following are implemented:
    CCE-14027-7 Disable or enable support for RDS as appropriate.
    CCE-14088-9 The 'wheel' group should exist or not as appropriate.
    CCE-14089-7 Enable/Disable Mounting of cramfs
    CCE-14093-9 Enable/Disable Mounting of hfsplus
    CCE-14107-7 The default umask for all users should be set correctly in login.defs
    CCE-14118-4 Enable/Disable Mounting of squashfs
    CCE-14132-5 Disable or enable support for SCTP as appropriate.
    CCE-14268-7 Disable or enable support for DCCP as appropriate.
    CCE-14457-6 Enable/Disable Mounting of freevxfs
    CCE-14853-6 Enable/Disable Mounting of jffs2
    CCE-14871-8 Enable/Disable Mounting of udf
    CCE-14911-2 Disable or enable support for TIPC as appropriate.
    CCE-15087-0 Enable/Disable Mounting of hfs
    CCE-18037-2 The firewall should allow or reject access to the avahi service.
    CCE-3301-9 The PATH variable for root should be set correctly.
    CCE-3315-9 The allowed period of inactivity before the GNOME desktop locks should be configured correctly.
    CCE-3410-8 The "account lockout threshold" policy should meet minimum requirements.
    CCE-3624-4 The SELinux policy should be set appropriately.
    CCE-3649-1 Firewall access to the printing service should be enabled or disabled as appropriate.
    CCE-3844-8 The default umask for all users should be set correctly for the bash shell.
    CCE-3977-6 SELinux should be enabled or disabled as appropriate.
    CCE-4146-7 ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate.
    CCE-4168-1 ExecShield should be enabled or disabled as appropriate.
    CCE-4227-5 The default umask for all users should be set correctly for the csh shell.
    CCE-4276-2 All wireless interfaces should be enabled or disabled as appropriate.
    CCE-4292-9 The auditd service should be enabled or disabled as appropriate.
    CCE-14412-1 The nodev option should be enabled or disabled as appropriate for /tmp.
###############################################################################
###############################################################################
###############################################################################

Changes in the Beta Candidate Release 3/28/2011:

OVAL
    CCE-4133-5 net.ipv4.icmp_ignore_bogus_error_messages replaced with net.ipv4.icmp_ignore_bogus_error_responses (the former is not a valid sysctl key)
    CCE-14089-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14457-6 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-15087-0 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14093-9 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14853-6 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14118-4 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14871-8 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14268-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14132-5 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14027-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    CCE-14911-2 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
    All runlevel_tests were updated to also check the service state.
    This affects CCE-4238-2, CCE-4009-7, CCE-14071-5, CCE-14675-3, CCE-4114-5, CCE-4189-7, CCE-4292-9, CCE-4475-0, CCE-4387-7, CCE-4376-0.
    CCE-14412-1 Added partition_test
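The regex corrections in items 2 through 7 of the 12/17/2013 release, the stricter-permissions handling behind item 10 of that release and item 1 of the 01/17/2014 release, and the /proc exclusion of item 14, re-implemented as an added Python example. This is not USGCB content and not NIST's OVAL; the sample sysctl.conf, passwd, profile, grub.conf contents and the (path, mode) entries are constructed for the example, and the function names are the example's own. Running the old and the new pattern over the same input shows the false negative or false positive each fix closes.

```python
"""Added example, not part of the USGCB RHEL5 content: the corrected checks
from the 12/17/2013 release notes in plain Python, old and new pattern side
by side, run over constructed sample input.  OVAL uses a Perl-style regex
dialect; these patterns behave the same under Python's re for these inputs."""
import re

# Item 2/3 (obj:20056): the old pattern needed spaces around "=" and only
# caught the value 1; the new one reports any non-zero fs.suid_dumpable.
SUID_DUMPABLE_OLD = re.compile(r"^fs.suid_dumpable\s+=\s+1$", re.M)
SUID_DUMPABLE_NEW = re.compile(r"^fs\.suid_dumpable\s*=\s*([1-9]\d*)$", re.M)

# Item 5 (obj:20070): the old pattern required a one-character password
# field, so a UID-0 account with an empty password field slipped by.
UID0_OLD = re.compile(r"^(?!root:)[^:]*:[^:]:0")
UID0_NEW = re.compile(r"^(?!root:)[^:]*:[^:]*:0")

# Item 6 (obj:20053): unanchored, the old pattern also hit commented-out lines.
UMASK_OLD = re.compile(r"umask[\s]+(.*)")
UMASK_NEW = re.compile(r"^\s*umask\s+(.*)", re.M)

# Item 7 (obj:20104): the old character class had no "." and so never matched
# a kernel line whose version string contains dots.
SELINUX_OLD = re.compile(r"^\s*kernel\s+[-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[-=\\/\w\s]*$")
SELINUX_NEW = re.compile(r"^\s*kernel\s+[\.\-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[\-=\\/\w\s]*$")

# Item 4 (ste:20085): empty or "." entries in root's PATH.
PATH_UNSAFE = re.compile(r"(?:^[:.])|(?:::)|(?::\.:)|(?:[:.]$)")

# Item 14 (obj:20047): the /proc tree is left out of the world-writable scan.
PROC_EXCLUDE = re.compile(r"^/proc/.*$")

# ---- constructed sample inputs (not taken from any real system) ----
SYSCTL_COMPLIANT = "kernel.exec-shield = 1\nfs.suid_dumpable = 0\n"
SYSCTL_NONCOMPLIANT = "kernel.exec-shield = 1\nfs.suid_dumpable=2\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "toor::0:0:constructed uid-0 account with empty password field:/root:/bin/bash\n"
)
PROFILE = (
    "# umask 077 would be stricter (constructed comment)\n"
    "if [ $UID -gt 199 ]; then\n"
    "    umask 002\n"
    "else\n"
    "    umask 022\n"
    "fi\n"
)
GRUB = (
    "title Red Hat Enterprise Linux Client (2.6.18-8.el5)\n"
    "        root (hd0,0)\n"
    "        kernel /vmlinuz-2.6.18-8.el5 ro root=LABEL=/ rhgb quiet selinux=0\n"
    "        initrd /initrd-2.6.18-8.el5.img\n"
)
# (path, mode) pairs standing in for what a file_test would collect
FILES = [("/etc/passwd", 0o644), ("/tmp/scratch", 0o666), ("/proc/1/attr/current", 0o666)]


def suid_dumpable_enabled(sysctl_text, pattern=SUID_DUMPABLE_NEW):
    """True when sysctl.conf turns core dumps of setuid programs on."""
    return pattern.search(sysctl_text) is not None


def nonroot_uid0_accounts(passwd_text, pattern=UID0_NEW):
    """Account names other than root that carry UID 0."""
    return [line.split(":")[0] for line in passwd_text.splitlines() if pattern.match(line)]


def umask_settings(profile_text, pattern=UMASK_NEW):
    """Captured value of every umask line the pattern picks up, in file order."""
    return [m.group(1).strip() for m in pattern.finditer(profile_text)]


def selinux_disabled_in_grub(grub_text, pattern=SELINUX_NEW):
    """Kernel lines that boot with SELinux disabled (selinux=0) or permissive (enforcing=0)."""
    return [line.strip() for line in grub_text.splitlines() if pattern.match(line)]


def path_has_unsafe_entry(path_value):
    """True when PATH contains an empty entry or a bare "." entry."""
    return PATH_UNSAFE.search(path_value) is not None


def mode_within(mode, maximum):
    """Item 10 / 2014 item 1: accept any mode no more permissive than the state's.
    An equality test would wrongly fail a 0600 file against a 0644 requirement."""
    return (mode & ~maximum) == 0


def world_writable(entries, exclude=PROC_EXCLUDE):
    """Paths with the other-write bit set, skipping the excluded /proc tree."""
    return [path for path, mode in entries if mode & 0o002 and not exclude.match(path)]


if __name__ == "__main__":
    print("suid_dumpable old/new:", suid_dumpable_enabled(SYSCTL_NONCOMPLIANT, SUID_DUMPABLE_OLD), suid_dumpable_enabled(SYSCTL_NONCOMPLIANT))
    print("uid0 old/new:", nonroot_uid0_accounts(PASSWD, UID0_OLD), nonroot_uid0_accounts(PASSWD))
    print("umask old/new:", umask_settings(PROFILE, UMASK_OLD), umask_settings(PROFILE))
    print("selinux old/new:", selinux_disabled_in_grub(GRUB, SELINUX_OLD), selinux_disabled_in_grub(GRUB))
    print("0600 within 0644:", mode_within(0o600, 0o644), "world-writable:", world_writable(FILES))
```

Each function takes the pattern as an argument so the old and new forms can be compared on identical input; in the OVAL content the same comparison is what separates a false negative (the old selinux=0 or fs.suid_dumpable pattern silently passing a non-compliant host) from a false positive (a commented umask line or a /proc entry failing a compliant one).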