Changes in the 01/17/2014 release
XCCDF - updates:
Version number updated to 1.2.5.0
OVAL - changes:
1. Updated OVAL state oval:gov.nist.usgcb.rhel:ste:200842 to fix a false positive on enhanced configuration systems.
replaced:
operation="equals"
with:
operation="greater than or equal"
###############################################################################
###############################################################################
###############################################################################
Changes in the 12/17/2013 release
XCCDF - updates:
Version number updated to 1.1.5.0
OVAL - changes:
1. Corrected the path and filename for oval:gov.nist.usgcb.rhel:obj:20056
replaced:
/etc/security
limits.conf
with:
/etc
sysctl.conf
2. Updated the pattern for oval:gov.nist.usgcb.rhel:obj:20056 to increase flexibility
Replaced: ^fs.suid_dumpable\s+=\s+1$
with: ^fs\.suid_dumpable\s*=\s*1$
3. Updated the pattern for oval:gov.nist.usgcb.rhel:obj:20056 to comply with section 2.2.4.2 Disable Core Dumps (RHEL NSA Guide)
(also updated the comment for oval:gov.nist.usgcb.rhel:tst:20056)
Replaced: ^fs\.suid_dumpable\s*=\s*1$
with: ^fs\.suid_dumpable\s*=\s*([1-9]\d*)$
4. Corrected the child element checked by oval:gov.nist.usgcb.rhel:ste:20085
Replaced: (?:^[:.])|(?:::)|(?::\.:)|(?:[:.]$)
with: (?:^[:.])|(?:::)|(?::\.:)|(?:[:.]$)
- updated the comment for oval:gov.nist.usgcb.rhel:tst:20085 to match the value checked by the state
5. Updated the pattern match for oval:gov.nist.usgcb.rhel:obj:20070
Replaced: ^(?!root:)[^:]*:[^:]:0
with: ^(?!root:)[^:]*:[^:]*:0
- updated the comment for oval:gov.nist.usgcb.rhel:tst:20070 to match the value checked by the state
6. Updated the pattern match for oval:gov.nist.usgcb.rhel:obj:20053
Replaced: umask[\s]+(.*)
with: ^\s*umask\s+(.*)
7. Corrected the pattern match for oval:gov.nist.usgcb.rhel:obj:20104
Replaced: ^\s*kernel\s+[-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[-=\\/\w\s]*$
with: ^\s*kernel\s+[\.\-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[\-=\\/\w\s]*$
- updated the comment for oval:gov.nist.usgcb.rhel:tst:20104 to match the value checked by the state
8. Incorrect path used in oval:gov.nist.usgcb.rhel:obj:36491
Replaced: ind-def:path>etc/sysconfig"
with: ind-def:path>/etc/sysconfig"
9. Updated state oval:gov.nist.usgcb.rhel:ste:1000400 to check for suid, sgid, and sticky
10. Enhanced the file permissions tests to work on more secure environments.
Affected tests and CCEs:
oval:gov.nist.usgcb.rhel:ste:1000644
oval:gov.nist.usgcb.rhel:tst:20043 (CCE-3967-7)
oval:gov.nist.usgcb.rhel:tst:20045 (CCE-3566-7)
oval:gov.nist.usgcb.rhel:ste:1000600
oval:gov.nist.usgcb.rhel:tst:20094 (CCE-3923-0)
oval:gov.nist.usgcb.rhel:tst:20210 (CCE-4388-5)
oval:gov.nist.usgcb.rhel:tst:20213 (CCE-4304-2)
oval:gov.nist.usgcb.rhel:ste:1000700
oval:gov.nist.usgcb.rhel:tst:20224 (CCE-4106-1)
oval:gov.nist.usgcb.rhel:tst:20225 (CCE-4450-3)
oval:gov.nist.usgcb.rhel:tst:20226 (CCE-4203-6)
oval:gov.nist.usgcb.rhel:tst:20227 (CCE-4251-5)
oval:gov.nist.usgcb.rhel:tst:20228 (CCE-4250-7)
OVAL states not changed (not in use):
oval:gov.nist.usgcb.rhel:ste:20042
oval:gov.nist.usgcb.rhel:ste:20043
oval:gov.nist.usgcb.rhel:ste:20044
oval:gov.nist.usgcb.rhel:ste:20045
oval:gov.nist.usgcb.rhel:ste:20082
oval:gov.nist.usgcb.rhel:ste:20094
oval:gov.nist.usgcb.rhel:ste:20210
oval:gov.nist.usgcb.rhel:ste:20213
oval:gov.nist.usgcb.rhel:ste:20224
oval:gov.nist.usgcb.rhel:ste:20225
oval:gov.nist.usgcb.rhel:ste:20226
oval:gov.nist.usgcb.rhel:ste:20227
oval:gov.nist.usgcb.rhel:ste:20228
oval:gov.nist.usgcb.rhel:ste:20315
oval:gov.nist.usgcb.rhel:ste:20326
oval:gov.nist.usgcb.rhel:ste:20327
oval:gov.nist.usgcb.rhel:ste:20328
oval:gov.nist.usgcb.rhel:ste:20330
oval:gov.nist.usgcb.rhel:ste:10004710
oval:gov.nist.usgcb.rhel:ste:1000701
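Worked example (added here; not part of the USGCB content or of these release notes) of the difference between an exact permission match and a comparison that lets stricter modes pass. Reading item 10's "work on more secure environments" this way is an assumption of the example, not something taken from the OVAL states listed above. The example also includes the suid, sgid and sticky bits that item 9 adds to oval:gov.nist.usgcb.rhel:ste:1000400. The sample files, their modes and the baselines are constructed; the function names are mine.

```python
import stat

# Every bit a file-mode state can reason about: rwx for user/group/other plus
# the suid, sgid and sticky bits that item 9 above adds to the state.
ALL_MODE_BITS = 0o7777

def exact_mode(actual_mode, baseline_mode):
    """Strict check: the permission bits must equal the baseline exactly.
    A file locked down beyond the baseline (0600 where 0644 is expected) fails."""
    return (actual_mode & ALL_MODE_BITS) == baseline_mode

def no_more_permissive(actual_mode, baseline_mode):
    """Tolerant check (the assumed reading of 'work on more secure environments'):
    pass when every bit set on the file is also set in the baseline, so a stricter
    mode passes while any extra bit, including suid/sgid/sticky, fails."""
    return (actual_mode & ALL_MODE_BITS & ~baseline_mode) == 0

def extra_bits(actual_mode, baseline_mode):
    """Names of the bits set on the file that the baseline does not allow."""
    names = {stat.S_ISUID: "suid", stat.S_ISGID: "sgid", stat.S_ISVTX: "sticky",
             stat.S_IRUSR: "u+r", stat.S_IWUSR: "u+w", stat.S_IXUSR: "u+x",
             stat.S_IRGRP: "g+r", stat.S_IWGRP: "g+w", stat.S_IXGRP: "g+x",
             stat.S_IROTH: "o+r", stat.S_IWOTH: "o+w", stat.S_IXOTH: "o+x"}
    excess = actual_mode & ALL_MODE_BITS & ~baseline_mode
    return [name for bit, name in names.items() if excess & bit]

# Constructed sample: (path, mode) pairs as if collected by a file walk.
SAMPLE_FILES = [
    ("/etc/passwd", 0o644),        # matches its 0644 baseline exactly
    ("/etc/shadow", 0o000),        # tighter than a 0600 baseline (hardened host)
    ("/etc/crontab", 0o600),       # tighter than a 0644 baseline
    ("/usr/bin/example", 0o4755),  # setuid bit on top of a 0755 baseline
]
# Constructed baselines for the sample paths (hypothetical, not USGCB values).
BASELINES = {"/etc/passwd": 0o644, "/etc/shadow": 0o600,
             "/etc/crontab": 0o644, "/usr/bin/example": 0o755}

def evaluate(files=SAMPLE_FILES, baselines=BASELINES):
    """Evaluate each file under both semantics and report the excess bits."""
    return {path: {"exact": exact_mode(mode, baselines[path]),
                   "no_more_permissive": no_more_permissive(mode, baselines[path]),
                   "extra_bits": extra_bits(mode, baselines[path])}
            for path, mode in files}

if __name__ == "__main__":
    for path, result in evaluate().items():
        print(f"{path:20} exact={result['exact']!s:5} "
              f"no_more_permissive={result['no_more_permissive']!s:5} "
              f"extra={result['extra_bits']}")
```

Under the exact check the hardened /etc/shadow and /etc/crontab fail even though they are safer than the baseline, which is the kind of false positive a tolerant comparison removes; the setuid file fails under both, because the extra suid bit is something neither check should forgive.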
11. Corrected oval:gov.nist.usgcb.rhel:def:201825 (CCE-4273-9) to fix a false positive when tftp service is installed.
12. The check for "CCE-4387-7:Disable root Login via SSH" does not cover the default settings.
Updated criteria for oval:gov.nist.usgcb.rhel:def:20243 to:
13. CCE-4234-1:Disable Inetd: This rule checks the run level status of the inetd service; however, on some systems the service is named "inet" rather than "inetd".
Updated the following objects to match service_name inet or inetd service name (pattern match value "^inet(d)?$"):
oval:gov.nist.usgcb.rhel:obj:20170, oval:gov.nist.usgcb.rhel:obj:201701, oval:gov.nist.usgcb.rhel:obj:201702, oval:gov.nist.usgcb.rhel:obj:201703, oval:gov.nist.usgcb.rhel:obj:201704, oval:gov.nist.usgcb.rhel:obj:201705, and oval:gov.nist.usgcb.rhel:obj:201706
14. Issue: The result for the usgcb-rhel5desktop-rule-2.2.3.3.a rule is "FAIL" on a compliant system because files in /proc//attr are globally readable and writable.
Updated oval:gov.nist.usgcb.rhel:obj:20047 to exclude files from /proc//attr:
^/proc/.*$
Reference(s):
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf - 2.2.3.3
https://access.redhat.com/site/solutions/36880
15. Issue: oval:gov.nist.usgcb.rhel:obj:20090 collects only one instance that matches the pattern.
Fix:
- updated oval:gov.nist.usgcb.rhel:obj:20090 to collect all the instances of the pattern
- changed the check_existence from "all_exist" to "at_least_one_exists" for the test oval:gov.nist.usgcb.rhel:tst:20090
16. Corrected oval:gov.nist.usgcb.rhel:ste:201670 to match a 32-bit architecture.
Replaced: "^.*$" with "^i[36]86$"
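Worked example (added here; not part of the USGCB content or of these release notes) showing what the pattern changes in items 2, 3, 5, 6, 7 and 16 above gain, by running the old and the new regular expression over constructed sample lines. The patterns are copied verbatim from the notes; the sample /etc/sysctl.conf, /etc/passwd, /etc/bashrc, grub.conf and architecture lines are made up for this example. Each line is tested on its own, which is how a textfilecontent54 object evaluates a file.

```python
import re

# (old, new) pattern pairs exactly as listed in the 12/17/2013 release notes.
PATTERNS = {
    "suid_dumpable": (r"^fs.suid_dumpable\s+=\s+1$",
                      r"^fs\.suid_dumpable\s*=\s*([1-9]\d*)$"),
    "uid0_accounts": (r"^(?!root:)[^:]*:[^:]:0",
                      r"^(?!root:)[^:]*:[^:]*:0"),
    "umask":         (r"umask[\s]+(.*)",
                      r"^\s*umask\s+(.*)"),
    "grub_selinux":  (r"^\s*kernel\s+[-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[-=\\/\w\s]*$",
                      r"^\s*kernel\s+[\.\-=\\/\w\s]*(?:(?:selinux)|(?:enforcing))=0\s*[\-=\\/\w\s]*$"),
    "arch_32bit":    (r"^.*$",
                      r"^i[36]86$"),
}

# Constructed sample file contents (not taken from any real host).
SAMPLES = {
    "suid_dumpable": "# constructed /etc/sysctl.conf\n"
                     "net.ipv4.ip_forward = 0\n"
                     "fs.suid_dumpable=2\n"
                     "fs.suid_dumpable = 1\n"
                     "fs.suid_dumpable = 0\n",
    "uid0_accounts": "root:x:0:0:root:/root:/bin/bash\n"
                     "toor:x:0:0:second uid 0 account:/root:/bin/bash\n"
                     "svc:$1$salt$hash:0:0:hash in passwd field:/:/sbin/nologin\n"
                     "alice:x:500:500::/home/alice:/bin/bash\n",
    "umask":         "# constructed /etc/bashrc\n"
                     "# umask 002 is the upstream default\n"
                     "if [ $UID -gt 99 ]; then\n"
                     "    umask 077\n"
                     "fi\n",
    "grub_selinux":  "# constructed /boot/grub/grub.conf\n"
                     "title RHEL 5 (2.6.18-8.el5)\n"
                     "\troot (hd0,0)\n"
                     "\tkernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 selinux=0\n"
                     "\tinitrd /initrd-2.6.18-8.el5.img\n",
    "arch_32bit":    "x86_64\ni686\n",
}

def matching_lines(pattern, text):
    """Apply `pattern` to each line of `text` separately, the way an OVAL
    textfilecontent54 object evaluates a file, and return the lines it matches."""
    regex = re.compile(pattern)
    return [line for line in text.splitlines() if regex.search(line)]

def compare(name):
    """Return {'old': [...], 'new': [...]}: the sample lines matched by the
    pattern before and after the change listed in the release notes."""
    old, new = PATTERNS[name]
    return {"old": matching_lines(old, SAMPLES[name]),
            "new": matching_lines(new, SAMPLES[name])}

if __name__ == "__main__":
    for name in PATTERNS:
        result = compare(name)
        print(f"{name}: old matched {len(result['old'])} line(s), "
              f"new matched {len(result['new'])}")
        for line in result["new"]:
            print("    new ->", line.rstrip())
```

What the run shows: the old suid_dumpable pattern misses "fs.suid_dumpable=2" (no spaces, and a value other than 1); the old UID 0 pattern misses an account whose password field is longer than one character; the old umask pattern also matches a commented-out line; and the old grub pattern cannot match a kernel line at all once the kernel version contains dots, so selinux=0 would go undetected. The new UID 0 pattern is still not anchored after the 0, so a UID written as "05" would also match; that is worth knowing when reading results.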
17. Updated the criterion comments to match the corresponding test comments for oval:gov.nist.usgcb.rhel:def:201575, oval:gov.nist.usgcb.rhel:def:20159, oval:gov.nist.usgcb.rhel:def:20164, oval:gov.nist.usgcb.rhel:def:20166 and oval:gov.nist.usgcb.rhel:def:20167
18. Updated the comment for the following tests: oval:gov.nist.usgcb.rhel:tst:201660, oval:gov.nist.usgcb.rhel:tst:201661
19. Changed check_existence="all_exist" to check_existence="any_exist" for oval:gov.nist.usgcb.rhel:tst:20046 to fix a false positive when the system is compliant.
20. Enabled the group id="usgcb-rhel5desktop-group-2.1.1.1".
21. Updated the following OVAL definitions to use a partition_test instead of a textfilecontent54_test:
oval:gov.nist.usgcb.rhel:def:20000
oval:gov.nist.usgcb.rhel:def:20002
oval:gov.nist.usgcb.rhel:def:20004
oval:gov.nist.usgcb.rhel:def:20005
oval:gov.nist.usgcb.rhel:def:20006
Affected Rules-CCEs:
usgcb-rhel5desktop-rule-2.1.1.1.1.a - CCE-14161-4:Ensure that /tmp has its own partition or logical volume
usgcb-rhel5desktop-rule-2.1.1.1.2.a - CCE-14777-7:Ensure that /var has its own partition or logical volume
usgcb-rhel5desktop-rule-2.1.1.1.3.a - CCE-14011-1:Ensure that /var/log has its own partition or logical volume
usgcb-rhel5desktop-rule-2.1.1.1.4.a - CCE-14171-3:Ensure that /var/log/audit has its own partition or logical volume
usgcb-rhel5desktop-rule-2.1.1.1.5.a - CCE-14559-9:Ensure that /home has its own partition or logical volume
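Worked example (added here; not part of the USGCB content or of these release notes) of why item 21 moves these rules from a textfilecontent54_test to a partition_test. A grep over /etc/fstab is satisfied by any line naming the path, including a commented-out entry, whereas a partition-style check asks whether the path is a mount point of a currently mounted filesystem. The /etc/fstab and /proc/mounts contents below are constructed for the example, and the function names are mine, not OVAL's.

```python
import re

# The five mount points named by the rules in item 21.
REQUIRED_PARTITIONS = ["/tmp", "/var", "/var/log", "/var/log/audit", "/home"]

# Constructed sample /etc/fstab: the /tmp entry is commented out.
SAMPLE_FSTAB = """\
/dev/VolGroup00/LogVol00 /         ext3 defaults        1 1
/dev/VolGroup00/LogVol02 /var      ext3 defaults        1 2
/dev/VolGroup00/LogVol03 /home     ext3 defaults,nodev  1 2
#/dev/VolGroup00/LogVol04 /tmp     ext3 defaults,nodev  1 2
LABEL=/boot              /boot     ext3 defaults        1 2
"""

# Constructed sample /proc/mounts for the same host: no separate /tmp.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,data=ordered 0 0
/dev/mapper/VolGroup00-LogVol02 /var ext3 rw,data=ordered 0 0
/dev/mapper/VolGroup00-LogVol03 /home ext3 rw,nodev,data=ordered 0 0
/dev/sda1 /boot ext3 rw,data=ordered 0 0
"""

def fstab_grep(path, fstab_text):
    """textfilecontent54-style check: does any fstab line mention `path` as a
    whitespace-delimited field?  A commented-out entry satisfies it."""
    needle = re.compile(r"\s" + re.escape(path) + r"\s")
    return any(needle.search(line) for line in fstab_text.splitlines())

def is_mount_point(path, mounts_text):
    """partition_test-style check: is `path` the mount point (second field of a
    /proc/mounts line) of a filesystem that is mounted right now?"""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == path:
            return True
    return False

def evaluate(fstab_text=SAMPLE_FSTAB, mounts_text=SAMPLE_PROC_MOUNTS):
    """Result of both checks for every required partition."""
    return {path: {"fstab_grep": fstab_grep(path, fstab_text),
                   "partition_test": is_mount_point(path, mounts_text)}
            for path in REQUIRED_PARTITIONS}

if __name__ == "__main__":
    for path, result in evaluate().items():
        print(f"{path:16} fstab_grep={result['fstab_grep']!s:5} "
              f"partition_test={result['partition_test']}")
```

On this sample the grep reports /tmp as passing because of the commented-out line, while the mount-table check correctly reports it as not a separate partition; both agree on /var and /home, and both correctly fail /var/log and /var/log/audit.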
###############################################################################
###############################################################################
###############################################################################
Changes in the Update 11/7/2011:
XCCDF - Corrections
Status updated to accepted
Final Release date updated to 2011-9-30
Version number updated to 1.0.5.0
Changes in the Final Release 9/30/2011:
OVAL - The following checks are implemented:
CCE-14027-7 Disable or enable support for RDS as appropriate.
CCE-14088-9 The 'wheel' group should exist or not as appropriate
CCE-14089-7 Enable/Disable Mounting of cramfs
CCE-14093-9 Enable/Disable Mounting of hfsplus
CCE-14107-7 The default umask for all users should be set correctly in login.defs
CCE-14118-4 Enable/Disable Mounting of squashfs
CCE-14132-5 Disable or enable support for SCTP as appropriate.
CCE-14268-7 Disable or enable support for DCCP as appropriate.
CCE-14457-6 Enable/Disable Mounting of freevxfs
CCE-14853-6 Enable/Disable Mounting of jffs2
CCE-14871-8 Enable/Disable Mounting of udf
CCE-14911-2 Disable or enable support for TIPC as appropriate.
CCE-15087-0 Enable/Disable Mounting of hfs
CCE-18037-2 The firewall should allow or reject access to the avahi service.
CCE-3301-9 The PATH variable for root should be set correctly.
CCE-3315-9 The allowed period of inactivity gnome desktop lockout should be configured correctly.
CCE-3410-8 The "account lockout threshold" policy should meet minimum requirements.
CCE-3624-4 The SELinux policy should be set appropriately.
CCE-3649-1 Firewall access to printing service should be enabled or disabled as appropriate
CCE-3844-8 The default umask for all users should be set correctly for the bash shell
CCE-3977-6 SELinux should be enabled or disabled as appropriate.
CCE-4146-7 ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate
CCE-4168-1 ExecShield should be enabled or disabled as appropriate
CCE-4227-5 The default umask for all users should be set correctly for the csh shell
CCE-4276-2 All wireless interfaces should be enabled or disabled as appropriate.
CCE-4292-9 The auditd service should be enabled or disabled as appropriate
CCE-14412-1 The nodev option should be enabled or disabled as appropriate for /tmp.
###############################################################################
###############################################################################
###############################################################################
Changes in the Beta Candidate Release 3/28/2011:
OVAL
CCE-4133-5 net.ipv4.icmp_ignore_bogus_error_messages replaced with net.ipv4.icmp_ignore_bogus_error_responses
CCE-14089-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14457-6 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-15087-0 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14093-9 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14853-6 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14118-4 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14871-8 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14268-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14132-5 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14027-7 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
CCE-14911-2 /etc/modprobe.conf replaced with /etc/modprobe.d/usgcb-blacklist
All runlevel_test elements were updated to accommodate checking for state. This affects CCE-4238-2, CCE-4009-7, CCE-14071-5, CCE-14675-3, CCE-4114-5, CCE-4189-7, CCE-4292-9, CCE-4475-0, CCE-4387-7, CCE-4376-0.
CCE-14412-1 Added partition_test