
Accepting request 129599 from security

- Updated to 0.8.3
  - added XCCDF 1.2 schemas
  - changed XCCDF report format
  - updated schemas for OVAL 5.10
  - added additional OVAL schemas - 5.3, 5.4, 5.5, 5.6, 5.7
  - multi version support for XCCDF and OVAL
  - the schema version of exported content matches that of the imported content
  - added rpmverifyfile probe
  - results are validated only if an OSCAP_FULL_VALIDATION variable is set
  - bug fixes

- add OVAL/XCCDF content based on yast2-security checks
  and set them as the default content (using symlinks)

- require libnl-devel on older SUSE version

OBS-URL: https://build.opensuse.org/request/show/129599
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openscap?expand=0&rev=5
Stephan Kulow 2012-08-04 07:22:55 +00:00 committed by Git OBS Bridge
commit 4fc01b8bfd
7 changed files with 934 additions and 24 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fe7d6b3f20c08feef5c70ff3a02b752b593a8d8a3b3d1302d8e31fe0c29cce11
size 4524453

3
openscap-0.8.3.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e00b9ee6741b7ae01f46172c2ed560b38107a1fffdda5bc7c32be4f4a15ef5e4
size 6420923


@ -1,14 +0,0 @@
Index: openscap-0.8.2/lib/stdio.in.h
===================================================================
--- openscap-0.8.2.orig/lib/stdio.in.h
+++ openscap-0.8.2/lib/stdio.in.h
@@ -733,7 +733,9 @@ _GL_CXXALIASWARN (gets);
/* It is very rare that the developer ever has full control of stdin,
so any use of gets warrants an unconditional warning. Assume it is
always declared, since it is required by C89. */
+# if HAVE_RAW_DECL_GETS
_GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
+# endif
#endif


@ -1,3 +1,23 @@
-------------------------------------------------------------------
Wed Aug 1 09:43:28 UTC 2012 - meissner@suse.com
- Updated to 0.8.3
- added XCCDF 1.2 schemas
- changed XCCDF report format
- updated schemas for OVAL 5.10
- added additional OVAL schemas - 5.3, 5.4, 5.5, 5.6, 5.7
- multi version support for XCCDF and OVAL
- a schema version of an imported and exported content is same
- added rpmverifyfile probe
- results are validated only if an OSCAP_FULL_VALIDATION variable is set
- bug fixes
-------------------------------------------------------------------
Wed Aug 1 09:18:06 UTC 2012 - dmacvicar@suse.de
- add OVAL/XCCDF content based on yast2-security checks
and set them as the default content (using symlinks)
-------------------------------------------------------------------
Sat Jul 28 14:24:46 UTC 2012 - aj@suse.de
@ -16,7 +36,7 @@ Fri Mar 30 16:21:21 CEST 2012 - meissner@suse.de
-------------------------------------------------------------------
Sat Mar 24 10:54:22 UTC 2012 - mc@suse.com
- require libnl-devel on older SUSE version
- require libnl-devel on older SUSE version
-------------------------------------------------------------------
Mon Mar 19 15:52:17 UTC 2012 - cfarrell@suse.com


@ -20,12 +20,17 @@
%define with_bindings 0
Name: openscap
Version: 0.8.2
Version: 0.8.3
Release: 1.0
Source: http://www.open-scap.org/download/%name-%version.tar.gz
Source1: oscap-scan.init
Source2: sysconfig.oscap-scan
Patch1: openscap-stdio.h.patch
# SUSE specific profile, based on yast2-security
# checks.
# Generated from http://gitorious.org/test-suite/scap
Source3: scap-yast2sec-xccdf.xml
Source4: scap-yast2sec-oval.xml
#
Url: http://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libacl-devel
@ -139,7 +144,6 @@ commonly used and require additional dependencies.
%prep
%setup -q
%patch1 -p1
%build
@ -162,9 +166,12 @@ install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/oscap-scan
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_datadir}/openscap
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_datadir}/openscap
# create symlinks to default content
ln -s %{_datadir}/openscap/scap-fedora14-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
%post -n libopenscap%{soname} -p /sbin/ldconfig
@ -205,7 +212,7 @@ ln -s %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/
%{_libexecdir}/openscap/probe_process58
%{_libexecdir}/openscap/probe_routingtable
%{_libexecdir}/openscap/probe_rpminfo
%{_libexecdir}/openscap/probe_rpmverify
%{_libexecdir}/openscap/probe_rpmverify*
%{_libexecdir}/openscap/probe_runlevel
%{_libexecdir}/openscap/probe_selinuxboolean
%{_libexecdir}/openscap/probe_selinuxsecuritycontext
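Review bot: The new default content installed via `install -m 644 %{SOURCE3}` / `%{SOURCE4}` and symlinked to `scap-oval.xml` / `scap-xccdf.xml` is never validated at build time, so a schema error or a dangling object/state reference in the shipped policy only surfaces when a user runs the default scan. Since 0.8.3 ships the multi-version OVAL/XCCDF schemas, add a `%check` step that runs the freshly built `oscap oval validate-xml %{SOURCE4}` and `oscap xccdf validate-xml %{SOURCE3}` (the binary's location inside the build tree depends on the libtool layout, so confirm the path). Relatedly, the `probe_rpmverify*` glob in `%files` will silently package any future probe matching that prefix; listing `%{_libexecdir}/openscap/probe_rpmverifyfile` explicitly next to `probe_rpmverify` keeps the file list auditable. The `# Generated from http://gitorious.org/test-suite/scap` comment would be more useful with the generator revision recorded, since the content carries no other provenance.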

577
scap-yast2sec-oval.xml Normal file

@ -0,0 +1,577 @@
<?xml version="1.0"?>
<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<generator>
<oval:product_name>vim</oval:product_name>
<oval:schema_version>5.9</oval:schema_version>
<oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
</generator>
<definitions>
<!-- @@GENOVAL START DEFINITIONS -->
<definition class="compliance" id="oval:de.suse.suse121:def:2" version="1">
<metadata>
<title>sysctl net.ipv4.ip_forward must be 0</title>
<description>sysctl net.ipv4.ip_forward must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:3" version="1">
<metadata>
<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:3" comment="sysctl net.ipv4.tcp_syncookies must be 1" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:4" version="1">
<metadata>
<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:4" comment="sysctl net.ipv6.conf.all.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:5" version="1">
<metadata>
<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:5" comment="sysctl net.ipv6.conf.default.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:6" version="1">
<metadata>
<title>kernel config CONFIG_SYN_COOKIES must be y</title>
<description>kernel config CONFIG_SYN_COOKIES must be y</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:6" comment="kernel config CONFIG_SYN_COOKIES must be y" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:9" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:9" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:10" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:10" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:11" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:11" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:12" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:12" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:13" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:13" comment="file /etc/pam.d/common-password must have a line that matches remember=" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:16" version="1">
<metadata>
<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:16" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:17" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:17" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:18" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:18" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:19" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:19" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:22" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:22" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:23" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:23" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:24" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:24" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:25" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:25" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:29" version="1">
<metadata>
<title>sysctl kernel.sysrq must be 0</title>
<description>sysctl kernel.sysrq must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:29" comment="sysctl kernel.sysrq must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:30" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:30" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:31" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:31" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:32" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:32" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:33" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:33" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:38" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:38" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:39" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:39" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:40" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:40" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:41" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:41" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:42" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:42" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:43" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:43" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" />
</criteria>
</definition>
<!-- @@GENOVAL END DEFINITIONS -->
</definitions>
<tests>
<!-- @@GENOVAL START TESTS -->
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:1" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:3" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:2" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:2" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:4" version="1" check="at least one" comment="sysctl net.ipv6.conf.all.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:4" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:5" version="1" check="at least one" comment="sysctl net.ipv6.conf.default.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:5" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:6" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:3" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:3" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:9" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:4" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:10" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:5" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:11" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:6" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:12" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:17" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:13" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches remember=" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:18" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:16" version="1" check="none satisfy" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:9" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:17" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:10" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:18" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:23" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:19" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:24" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:22" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:11" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:23" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:12" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:24" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:13" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:25" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:14" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:29" version="1" check="at least one" comment="sysctl kernel.sysrq must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:6" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:30" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:15" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:31" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:16" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:32" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:25" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:33" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:26" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:38" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:19" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:39" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:20" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:40" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:21" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:41" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:22" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:42" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:27" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:43" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:28" />
</ind-def:textfilecontent54_test>
<!-- @@GENOVAL END TESTS -->
</tests>
<objects>
<!-- @@GENOVAL START OBJECTS -->
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
<ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
<ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:3" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
<ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
<ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/all/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/all/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/default/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/default/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:6" version="1" comment="Non-comment lines in /proc/sys/kernel/sysrq">
<ind-def:filepath>/proc/sys/kernel/sysrq</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:7" version="1" comment="Non-comment lines in /etc/login.defs">
<ind-def:filepath>/etc/login.defs</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:8" version="1" comment="Non-comment lines in /etc/pam.d/common-passwd">
<ind-def:filepath>/etc/pam.d/common-passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:9" version="1" comment="Non-comment lines in /etc/default/passwd">
<ind-def:filepath>/etc/default/passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:10" version="1" comment="Non-comment lines in /etc/pam.d/common-password">
<ind-def:filepath>/etc/pam.d/common-password</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:11" version="1" comment="Non-comment lines in /etc/sysconfig/dhcpd">
<ind-def:filepath>/etc/sysconfig/dhcpd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:12" version="1" comment="Non-comment lines in /etc/sysconfig/displaymanager">
<ind-def:filepath>/etc/sysconfig/displaymanager</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:13" version="1" comment="Non-comment lines in /etc/sysconfig/security">
<ind-def:filepath>/etc/sysconfig/security</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:14" version="1" comment="Non-comment lines in /etc/sysconfig/services">
<ind-def:filepath>/etc/sysconfig/services</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- @@GENOVAL END OBJECTS -->
</objects>
<states>
<!-- @@GENOVAL START STATES -->
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:1" version="1" comment="The match of 0">
<ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:2" version="1" comment="The match of 1">
<ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:3" version="1" comment="The match of CONFIG_SYN_COOKIES=y">
<ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:4" version="1" comment="The match of ^PASS_MAX_DAYS.*99999">
<ind-def:subexpression operation="pattern match">^PASS_MAX_DAYS.*99999</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:5" version="1" comment="The match of ^PASS_MIN_DAYS.*0">
<ind-def:subexpression operation="pattern match">^PASS_MIN_DAYS.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:6" version="1" comment="The match of ^PASS_WARN_AGE.*7">
<ind-def:subexpression operation="pattern match">^PASS_WARN_AGE.*7</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:7" version="1" comment="The match of ^minlen=6">
<ind-def:subexpression operation="pattern match">^minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:8" version="1" comment="The match of ^remember=">
<ind-def:subexpression operation="pattern match">^remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:9" version="1" comment="The match of ^FAIL_DELAY.*0">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:10" version="1" comment="The match of ^FAIL_DELAY">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:11" version="1" comment="The match of ^UID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^UID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:12" version="1" comment="The match of ^UID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^UID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:13" version="1" comment="The match of ^GID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^GID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:14" version="1" comment="The match of ^GID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^GID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:15" version="1" comment="The match of ^CRYPT_FILES=md5">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=md5</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:16" version="1" comment="The match of ^CRYPT_FILES=des">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=des</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:17" version="1" comment="The match of minlen=6">
<ind-def:subexpression operation="pattern match">minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:18" version="1" comment="The match of remember=">
<ind-def:subexpression operation="pattern match">remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:19" version="1" comment="The match of ^DHCPD_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:20" version="1" comment="The match of ^DHCPD_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:21" version="1" comment="The match of ^DHCPD6_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:22" version="1" comment="The match of ^DHCPD6_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:23" version="1" comment="The match of ^DISPLAYMANAGER_REMOTE_ACCESS.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_REMOTE_ACCESS.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:24" version="1" comment="The match of ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:25" version="1" comment="The match of ^CHECK_PERMISSIONS.*set">
<ind-def:subexpression operation="pattern match">^CHECK_PERMISSIONS.*set</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:26" version="1" comment="The match of ^CHECK_SIGNATURES.*yes">
<ind-def:subexpression operation="pattern match">^CHECK_SIGNATURES.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:27" version="1" comment="The match of ^DISABLE_RESTART_ON_UPDATE.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_RESTART_ON_UPDATE.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:28" version="1" comment="The match of ^DISABLE_STOP_ON_REMOVAL.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_STOP_ON_REMOVAL.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<!-- @@GENOVAL END STATES -->
</states>
<!--
<variables>
-->
<!-- @@GENOVAL START VARIABLES -->
<!-- @@GENOVAL END VARIABLES -->
<!--
<local_variable id="oval:de.suse.suse121.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
<object_component item_field="value" object_ref="oval:de.suse.suse121.genoval:obj:1"/>
</local_variable>
</variables>
-->
</oval_definitions>

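--- /dev/null
+++ b/scap-yast2sec-xccdf.xml
@@ -0,0 +1,320 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="SUSE-Security-Benchmark-YaST2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+<status date="2012-07-24">draft</status>
+<title>Hardening Linux Kernel</title>
+<description>
+The Linux kernel is at the heart of every Linux system. With its extensive configuration
+options, it comes to no surprise that specific settings can be enabled to further harden
+your system.
+<h:br />
+<h:br />
+In this guide, we focus on Linux kernel configuration entries that support additional
+hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+settings.
+</description>
+<platform idref="cpe:/o:suse:linux"/>
+<version>1</version>
+<model system="urn:xccdf:scoring:default"/>
+<model system="urn:xccdf:scoring:flat"/>
+<Profile id="Default">
+<title>Default vanilla kernel hardening</title>
+<description>
+Profile matching all standard (vanilla-kernel) hardening rules
+</description>
+<select idref="rule-sysctl-ipv4-forward" selected="true" />
+<select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+<select idref="rule-sysctl-ipv6-all-forward" selected="true" />
+<select idref="rule-sysctl-ipv6-default-forward" selected="true" />
+<select idref="rule-kernel-syncookies" selected="true" />
+<select idref="rule-pwd-maxdays" selected="true" />
+<select idref="rule-pwd-mindays" selected="true" />
+<select idref="rule-pwd-warnage" selected="true" />
+<select idref="rule-pwd-minlen" selected="true" />
+<select idref="rule-pwd-remember" selected="true" />
+<select idref="rule-authc-faildelay" selected="true" />
+<select idref="rule-authc-faildelayexist" selected="true" />
+<select idref="rule-authc-xdmcp-remote" selected="true" />
+<select idref="rule-authc-xdmcp-root" selected="true" />
+<select idref="rule-usermgmt-uidmin" selected="true" />
+<select idref="rule-usermgmt-uidmax" selected="true" />
+<select idref="rule-usermgmt-gidmin" selected="true" />
+<select idref="rule-usermgmt-gidmax" selected="true" />
+<select idref="rule-misc-sysrq" selected="true" />
+<select idref="rule-misc-hashalgo_md5" selected="true" />
+<select idref="rule-misc-hashalgo_des" selected="true" />
+<select idref="rule-misc-perm-check" selected="true" />
+<select idref="rule-misc-sig-check" selected="true" />
+<select idref="rule-srvc-dhcpd-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd-uid" selected="true" />
+<select idref="rule-srvc-dhcpd6-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd6-uid" selected="true" />
+<select idref="rule-srvc-update-restart" selected="true" />
+<select idref="rule-srvc-remove-stop" selected="true" />
+</Profile>
+<!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+<title>sysctl net.ipv4.ip_forward must be 0</title>
+<description>sysctl net.ipv4.ip_forward must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:2" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-forward -->
+<!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
+<fix>echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:3" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+<!-- @@GEN START rule-sysctl-ipv6-all-forward -->
+<Rule id="rule-sysctl-ipv6-all-forward" selected="false">
+<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/all/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:4" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-all-forward -->
+<!-- @@GEN START rule-sysctl-ipv6-default-forward -->
+<Rule id="rule-sysctl-ipv6-default-forward" selected="false">
+<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/default/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:5" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-default-forward -->
+<!-- @@GEN START rule-kernel-syncookies -->
+<Rule id="rule-kernel-syncookies" selected="false">
+<title>kernel config CONFIG_SYN_COOKIES must be y</title>
+<description>kernel config CONFIG_SYN_COOKIES must be y</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:6" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-kernel-syncookies -->
+<!-- @@GEN START rule-pwd-maxdays -->
+<Rule id="rule-pwd-maxdays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:9" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-maxdays -->
+<!-- @@GEN START rule-pwd-mindays -->
+<Rule id="rule-pwd-mindays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:10" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-mindays -->
+<!-- @@GEN START rule-pwd-warnage -->
+<Rule id="rule-pwd-warnage" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:11" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-warnage -->
+<!-- @@GEN START rule-pwd-minlen -->
+<Rule id="rule-pwd-minlen" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
+<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:12" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-minlen -->
+<!-- @@GEN START rule-pwd-remember -->
+<Rule id="rule-pwd-remember" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
+<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:13" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-remember -->
+<!-- @@GEN START rule-authc-faildelay -->
+<Rule id="rule-authc-faildelay" selected="false">
+<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
+<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:16" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelay -->
+<!-- @@GEN START rule-authc-faildelayexist -->
+<Rule id="rule-authc-faildelayexist" selected="false">
+<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
+<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:17" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelayexist -->
+<!-- @@GEN START rule-authc-xdmcp-remote -->
+<Rule id="rule-authc-xdmcp-remote" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:18" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-remote -->
+<!-- @@GEN START rule-authc-xdmcp-root -->
+<Rule id="rule-authc-xdmcp-root" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:19" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-root -->
+<!-- @@GEN START rule-usermgmt-uidmin -->
+<Rule id="rule-usermgmt-uidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:22" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmin -->
+<!-- @@GEN START rule-usermgmt-uidmax -->
+<Rule id="rule-usermgmt-uidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:23" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmax -->
+<!-- @@GEN START rule-usermgmt-gidmin -->
+<Rule id="rule-usermgmt-gidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:24" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmin -->
+<!-- @@GEN START rule-usermgmt-gidmax -->
+<Rule id="rule-usermgmt-gidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:25" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmax -->
+<!-- @@GEN START rule-misc-sysrq -->
+<Rule id="rule-misc-sysrq" selected="false">
+<title>sysctl kernel.sysrq must be 0</title>
+<description>sysctl kernel.sysrq must be 0</description>
+<fix>echo 0 &gt; /proc/sys/kernel/sysrq</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:29" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sysrq -->
+<!-- @@GEN START rule-misc-hashalgo_md5 -->
+<Rule id="rule-misc-hashalgo_md5" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:30" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_md5 -->
+<!-- @@GEN START rule-misc-hashalgo_des -->
+<Rule id="rule-misc-hashalgo_des" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:31" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_des -->
+<!-- @@GEN START rule-misc-perm-check -->
+<Rule id="rule-misc-perm-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:32" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-perm-check -->
+<!-- @@GEN START rule-misc-sig-check -->
+<Rule id="rule-misc-sig-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:33" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sig-check -->
+<!-- @@GEN START rule-srvc-dhcpd-chroot -->
+<Rule id="rule-srvc-dhcpd-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:38" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd-uid -->
+<Rule id="rule-srvc-dhcpd-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:39" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-uid -->
+<!-- @@GEN START rule-srvc-dhcpd6-chroot -->
+<Rule id="rule-srvc-dhcpd6-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:40" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd6-uid -->
+<Rule id="rule-srvc-dhcpd6-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:41" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-uid -->
+<!-- @@GEN START rule-srvc-update-restart -->
+<Rule id="rule-srvc-update-restart" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:42" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-update-restart -->
+<!-- @@GEN START rule-srvc-remove-stop -->
+<Rule id="rule-srvc-remove-stop" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:43" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-remove-stop -->
+</Benchmark>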
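Review bot: The `<fix>` elements on the sysctl rules (rule-sysctl-ipv4-forward, rule-sysctl-ipv4-tcpsyncookies, rule-sysctl-ipv6-all-forward, rule-sysctl-ipv6-default-forward, rule-misc-sysrq) carry no `system` attribute, so a consumer cannot tell which interpreter the remediation text is meant for; XCCDF's shell-script fix identifier fits here, e.g. `<fix system="urn:xccdf:fix:script:sh">echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>`. Each of those fixes only writes the running kernel value under /proc, which does not survive a reboot, so the rule would pass right after remediation and fail again after the next boot unless the corresponding /etc/sysctl.conf entry is also set; the description should say so, or the fix should do both. The remaining rules (login.defs, pam, sysconfig) have no `<fix>` at all, which is acceptable for a `draft` benchmark but means scanners will report them as unremediable. Minor: `<h:em>syctl</h:em>` in the Benchmark description should read `sysctl`.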