
Accepting request 129551 from home:dmacvicar:branches:security

- add OVAL/XCCDF content based on yast2-security checks
  and set them as the default content (using symlinks)

OBS-URL: https://build.opensuse.org/request/show/129551
OBS-URL: https://build.opensuse.org/package/show/security/openscap?expand=0&rev=44
Marcus Meissner 2012-08-01 11:50:20 +00:00 committed by Git OBS Bridge
parent ffaa244002
commit a40bde38a5
4 changed files with 914 additions and 2 deletions


@ -12,6 +12,12 @@ Wed Aug 1 09:43:28 UTC 2012 - meissner@suse.com
- results are validated only if an OSCAP_FULL_VALIDATION variable is set
- bug fixes
-------------------------------------------------------------------
Wed Aug 1 09:18:06 UTC 2012 - dmacvicar@suse.de
- add OVAL/XCCDF content based on yast2-security checks
and set them as the default content (using symlinks)
-------------------------------------------------------------------
Sat Jul 28 14:24:46 UTC 2012 - aj@suse.de


@ -25,6 +25,12 @@ Release: 1.0
Source: http://www.open-scap.org/download/%name-%version.tar.gz
Source1: oscap-scan.init
Source2: sysconfig.oscap-scan
# SUSE specific profile, based on yast2-security
# checks.
# Generated from http://gitorious.org/test-suite/scap
Source3: scap-yast2sec-xccdf.xml
Source4: scap-yast2sec-oval.xml
#
Url: http://www.open-scap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libacl-devel
@ -160,9 +166,12 @@ install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_initrddir}/oscap-scan
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_datadir}/openscap
install -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_datadir}/openscap
# create symlinks to default content
ln -s %{_datadir}/openscap/scap-fedora14-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-fedora14-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
ln -s %{_datadir}/openscap/scap-yast2sec-oval.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-oval.xml
ln -s %{_datadir}/openscap/scap-yast2sec-xccdf.xml $RPM_BUILD_ROOT/%{_datadir}/openscap/scap-xccdf.xml
%post -n libopenscap%{soname} -p /sbin/ldconfig
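Review bot: The two XML files installed here become the default content that every host's oscap-scan run evaluates, yet the hunk records only a bare upstream URL for them (`# Generated from http://gitorious.org/test-suite/scap`) with no revision, date or checksum, so what shipped can never be matched against the generator's output later; record the commit id and generation date in that comment. Because the files are fed to the scanner unconditionally, validating them at build time, e.g. `oscap oval validate-xml %{SOURCE4}` and `oscap xccdf validate-xml %{SOURCE3}` in `%check`, would catch schema or dangling-reference errors before they reach installed systems; whether a `%check` section already exists is outside this hunk. The two fedora14 symlink lines are presumably the ones this commit removes (the diffstat's two deletions); if they survive, the second `ln -s` to the same `scap-oval.xml` and `scap-xccdf.xml` names fails with "File exists", and using `ln -sf` on the two yast2sec lines would make the install step robust either way.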

577
scap-yast2sec-oval.xml Normal file

@ -0,0 +1,577 @@
<?xml version="1.0"?>
<oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"
xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
<generator>
<oval:product_name>vim</oval:product_name>
<oval:schema_version>5.9</oval:schema_version>
<oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
</generator>
<definitions>
<!-- @@GENOVAL START DEFINITIONS -->
<definition class="compliance" id="oval:de.suse.suse121:def:2" version="1">
<metadata>
<title>sysctl net.ipv4.ip_forward must be 0</title>
<description>sysctl net.ipv4.ip_forward must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:2" comment="sysctl net.ipv4.ip_forward must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:3" version="1">
<metadata>
<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:3" comment="sysctl net.ipv4.tcp_syncookies must be 1" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:4" version="1">
<metadata>
<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:4" comment="sysctl net.ipv6.conf.all.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:5" version="1">
<metadata>
<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:5" comment="sysctl net.ipv6.conf.default.forwarding must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:6" version="1">
<metadata>
<title>kernel config CONFIG_SYN_COOKIES must be y</title>
<description>kernel config CONFIG_SYN_COOKIES must be y</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:6" comment="kernel config CONFIG_SYN_COOKIES must be y" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:9" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:9" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:10" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:10" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:11" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:11" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:12" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:12" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:13" version="1">
<metadata>
<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:13" comment="file /etc/pam.d/common-password must have a line that matches remember=" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:16" version="1">
<metadata>
<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:16" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:17" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:17" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:18" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:18" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:19" version="1">
<metadata>
<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:19" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:22" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:22" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:23" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:23" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:24" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:24" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:25" version="1">
<metadata>
<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:25" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:29" version="1">
<metadata>
<title>sysctl kernel.sysrq must be 0</title>
<description>sysctl kernel.sysrq must be 0</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:29" comment="sysctl kernel.sysrq must be 0" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:30" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:30" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:31" version="1">
<metadata>
<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:31" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:32" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:32" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:33" version="1">
<metadata>
<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:33" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:38" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:38" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:39" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:39" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:40" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:40" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:41" version="1">
<metadata>
<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:41" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:42" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:42" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" />
</criteria>
</definition>
<definition class="compliance" id="oval:de.suse.suse121:def:43" version="1">
<metadata>
<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
</metadata>
<criteria>
<criterion test_ref="oval:de.suse.suse121:tst:43" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" />
</criteria>
</definition>
<!-- @@GENOVAL END DEFINITIONS -->
</definitions>
<tests>
<!-- @@GENOVAL START TESTS -->
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:2" version="1" check="at least one" comment="sysctl net.ipv4.ip_forward must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:1" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:3" version="1" check="at least one" comment="sysctl net.ipv4.tcp_syncookies must be 1" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:2" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:2" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:4" version="1" check="at least one" comment="sysctl net.ipv6.conf.all.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:4" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:5" version="1" check="at least one" comment="sysctl net.ipv6.conf.default.forwarding must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:5" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:6" version="1" check="at least one" comment="kernel config CONFIG_SYN_COOKIES must be y" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:3" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:3" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:9" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:4" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:10" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:5" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:11" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:6" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:12" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches minlen=6" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:17" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:13" version="1" check="at least one" comment="file /etc/pam.d/common-password must have a line that matches remember=" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:10" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:18" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:16" version="1" check="none satisfy" comment="file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:9" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:17" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^FAIL_DELAY" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:10" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:18" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:23" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:19" version="1" check="at least one" comment="file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:12" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:24" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:22" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:11" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:23" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^UID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:12" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:24" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MIN.*1000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:13" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:25" version="1" check="at least one" comment="file /etc/login.defs must have a line that matches ^GID_MAX.*60000" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:7" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:14" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:29" version="1" check="at least one" comment="sysctl kernel.sysrq must be 0" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:6" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:1" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:30" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:15" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:31" version="1" check="none satisfy" comment="file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:9" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:16" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:32" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:25" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:33" version="1" check="at least one" comment="file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:13" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:26" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:38" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:19" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:39" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:20" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:40" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:21" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:41" version="1" check="at least one" comment="file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:11" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:22" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:42" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:27" />
</ind-def:textfilecontent54_test>
<ind-def:textfilecontent54_test id="oval:de.suse.suse121:tst:43" version="1" check="at least one" comment="file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes" check_existence="at_least_one_exists">
<ind-def:object object_ref="oval:de.suse.suse121:obj:14" />
<ind-def:state state_ref="oval:de.suse.suse121:ste:28" />
</ind-def:textfilecontent54_test>
<!-- @@GENOVAL END TESTS -->
</tests>
<objects>
<!-- @@GENOVAL START OBJECTS -->
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:1" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/ip_forward">
<ind-def:filepath>/proc/sys/net/ipv4/ip_forward</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:2" version="1" comment="Non-comment lines in /proc/sys/net/ipv4/tcp_syncookies">
<ind-def:filepath>/proc/sys/net/ipv4/tcp_syncookies</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:3" version="1" comment="Kernel configuration entry CONFIG_SYN_COOKIES">
<ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
<ind-def:pattern operation="pattern match">(CONFIG_SYN_COOKIES.*)</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:4" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/all/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/all/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:5" version="1" comment="Non-comment lines in /proc/sys/net/ipv6/conf/default/forwarding">
<ind-def:filepath>/proc/sys/net/ipv6/conf/default/forwarding</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:6" version="1" comment="Non-comment lines in /proc/sys/kernel/sysrq">
<ind-def:filepath>/proc/sys/kernel/sysrq</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:7" version="1" comment="Non-comment lines in /etc/login.defs">
<ind-def:filepath>/etc/login.defs</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:8" version="1" comment="Non-comment lines in /etc/pam.d/common-passwd">
<ind-def:filepath>/etc/pam.d/common-passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:9" version="1" comment="Non-comment lines in /etc/default/passwd">
<ind-def:filepath>/etc/default/passwd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:10" version="1" comment="Non-comment lines in /etc/pam.d/common-password">
<ind-def:filepath>/etc/pam.d/common-password</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:11" version="1" comment="Non-comment lines in /etc/sysconfig/dhcpd">
<ind-def:filepath>/etc/sysconfig/dhcpd</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:12" version="1" comment="Non-comment lines in /etc/sysconfig/displaymanager">
<ind-def:filepath>/etc/sysconfig/displaymanager</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:13" version="1" comment="Non-comment lines in /etc/sysconfig/security">
<ind-def:filepath>/etc/sysconfig/security</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:de.suse.suse121:obj:14" version="1" comment="Non-comment lines in /etc/sysconfig/services">
<ind-def:filepath>/etc/sysconfig/services</ind-def:filepath>
<ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- @@GENOVAL END OBJECTS -->
</objects>
<states>
<!-- @@GENOVAL START STATES -->
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:1" version="1" comment="The match of 0">
<ind-def:subexpression operation="pattern match">0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:2" version="1" comment="The match of 1">
<ind-def:subexpression operation="pattern match">1</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:3" version="1" comment="The match of CONFIG_SYN_COOKIES=y">
<ind-def:subexpression operation="pattern match">CONFIG_SYN_COOKIES=y</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:4" version="1" comment="The match of ^PASS_MAX_DAYS.*99999">
<ind-def:subexpression operation="pattern match">^PASS_MAX_DAYS.*99999</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:5" version="1" comment="The match of ^PASS_MIN_DAYS.*0">
<ind-def:subexpression operation="pattern match">^PASS_MIN_DAYS.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:6" version="1" comment="The match of ^PASS_WARN_AGE.*7">
<ind-def:subexpression operation="pattern match">^PASS_WARN_AGE.*7</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:7" version="1" comment="The match of ^minlen=6">
<ind-def:subexpression operation="pattern match">^minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:8" version="1" comment="The match of ^remember=">
<ind-def:subexpression operation="pattern match">^remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:9" version="1" comment="The match of ^FAIL_DELAY.*0">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY.*0</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:10" version="1" comment="The match of ^FAIL_DELAY">
<ind-def:subexpression operation="pattern match">^FAIL_DELAY</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:11" version="1" comment="The match of ^UID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^UID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:12" version="1" comment="The match of ^UID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^UID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:13" version="1" comment="The match of ^GID_MIN.*1000">
<ind-def:subexpression operation="pattern match">^GID_MIN.*1000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:14" version="1" comment="The match of ^GID_MAX.*60000">
<ind-def:subexpression operation="pattern match">^GID_MAX.*60000</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:15" version="1" comment="The match of ^CRYPT_FILES=md5">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=md5</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:16" version="1" comment="The match of ^CRYPT_FILES=des">
<ind-def:subexpression operation="pattern match">^CRYPT_FILES=des</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:17" version="1" comment="The match of minlen=6">
<ind-def:subexpression operation="pattern match">minlen=6</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:18" version="1" comment="The match of remember=">
<ind-def:subexpression operation="pattern match">remember=</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:19" version="1" comment="The match of ^DHCPD_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:20" version="1" comment="The match of ^DHCPD_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:21" version="1" comment="The match of ^DHCPD6_RUN_CHROOTED.*yes">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_CHROOTED.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:22" version="1" comment="The match of ^DHCPD6_RUN_AS.*dhcpd">
<ind-def:subexpression operation="pattern match">^DHCPD6_RUN_AS.*dhcpd</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:23" version="1" comment="The match of ^DISPLAYMANAGER_REMOTE_ACCESS.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_REMOTE_ACCESS.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:24" version="1" comment="The match of ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no">
<ind-def:subexpression operation="pattern match">^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:25" version="1" comment="The match of ^CHECK_PERMISSIONS.*set">
<ind-def:subexpression operation="pattern match">^CHECK_PERMISSIONS.*set</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:26" version="1" comment="The match of ^CHECK_SIGNATURES.*yes">
<ind-def:subexpression operation="pattern match">^CHECK_SIGNATURES.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:27" version="1" comment="The match of ^DISABLE_RESTART_ON_UPDATE.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_RESTART_ON_UPDATE.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<ind-def:textfilecontent54_state id="oval:de.suse.suse121:ste:28" version="1" comment="The match of ^DISABLE_STOP_ON_REMOVAL.*yes">
<ind-def:subexpression operation="pattern match">^DISABLE_STOP_ON_REMOVAL.*yes</ind-def:subexpression>
</ind-def:textfilecontent54_state>
<!-- @@GENOVAL END STATES -->
</states>
<!--
<variables>
-->
<!-- @@GENOVAL START VARIABLES -->
<!-- @@GENOVAL END VARIABLES -->
<!--
<local_variable id="oval:de.suse.suse121.genoval:var:1" version="1" datatype="string" comment="Location where the helper scripts output is stored">
<object_component item_field="value" object_ref="oval:de.suse.suse121.genoval:obj:1"/>
</local_variable>
</variables>
-->
</oval_definitions>

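--- a/scap-yast2sec-xccdf.xml
+++ b/scap-yast2sec-xccdf.xml
@@ -0,0 +1,320 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="SUSE-Security-Benchmark-YaST2" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" resolved="0">
+<status date="2012-07-24">draft</status>
+<title>Hardening Linux Kernel</title>
+<description>
+The Linux kernel is at the heart of every Linux system. With its extensive configuration
+options, it comes to no surprise that specific settings can be enabled to further harden
+your system.
+<h:br />
+<h:br />
+In this guide, we focus on Linux kernel configuration entries that support additional
+hardening of your system, as well as the configuration through the <h:em>syctl</h:em>
+settings.
+</description>
+<platform idref="cpe:/o:suse:linux"/>
+<version>1</version>
+<model system="urn:xccdf:scoring:default"/>
+<model system="urn:xccdf:scoring:flat"/>
+<Profile id="Default">
+<title>Default vanilla kernel hardening</title>
+<description>
+Profile matching all standard (vanilla-kernel) hardening rules
+</description>
+<select idref="rule-sysctl-ipv4-forward" selected="true" />
+<select idref="rule-sysctl-ipv4-tcpsyncookies" selected="true" />
+<select idref="rule-sysctl-ipv6-all-forward" selected="true" />
+<select idref="rule-sysctl-ipv6-default-forward" selected="true" />
+<select idref="rule-kernel-syncookies" selected="true" />
+<select idref="rule-pwd-maxdays" selected="true" />
+<select idref="rule-pwd-mindays" selected="true" />
+<select idref="rule-pwd-warnage" selected="true" />
+<select idref="rule-pwd-minlen" selected="true" />
+<select idref="rule-pwd-remember" selected="true" />
+<select idref="rule-authc-faildelay" selected="true" />
+<select idref="rule-authc-faildelayexist" selected="true" />
+<select idref="rule-authc-xdmcp-remote" selected="true" />
+<select idref="rule-authc-xdmcp-root" selected="true" />
+<select idref="rule-usermgmt-uidmin" selected="true" />
+<select idref="rule-usermgmt-uidmax" selected="true" />
+<select idref="rule-usermgmt-gidmin" selected="true" />
+<select idref="rule-usermgmt-gidmax" selected="true" />
+<select idref="rule-misc-sysrq" selected="true" />
+<select idref="rule-misc-hashalgo_md5" selected="true" />
+<select idref="rule-misc-hashalgo_des" selected="true" />
+<select idref="rule-misc-perm-check" selected="true" />
+<select idref="rule-misc-sig-check" selected="true" />
+<select idref="rule-srvc-dhcpd-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd-uid" selected="true" />
+<select idref="rule-srvc-dhcpd6-chroot" selected="true" />
+<select idref="rule-srvc-dhcpd6-uid" selected="true" />
+<select idref="rule-srvc-update-restart" selected="true" />
+<select idref="rule-srvc-remove-stop" selected="true" />
+</Profile>
+<!-- @@GEN START rule-sysctl-ipv4-forward -->
+<Rule id="rule-sysctl-ipv4-forward" selected="false">
+<title>sysctl net.ipv4.ip_forward must be 0</title>
+<description>sysctl net.ipv4.ip_forward must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:2" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-forward -->
+<!-- @@GEN START rule-sysctl-ipv4-tcpsyncookies -->
+<Rule id="rule-sysctl-ipv4-tcpsyncookies" selected="false">
+<title>sysctl net.ipv4.tcp_syncookies must be 1</title>
+<description>sysctl net.ipv4.tcp_syncookies must be 1</description>
+<fix>echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:3" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv4-tcpsyncookies -->
+<!-- @@GEN START rule-sysctl-ipv6-all-forward -->
+<Rule id="rule-sysctl-ipv6-all-forward" selected="false">
+<title>sysctl net.ipv6.conf.all.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.all.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/all/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:4" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-all-forward -->
+<!-- @@GEN START rule-sysctl-ipv6-default-forward -->
+<Rule id="rule-sysctl-ipv6-default-forward" selected="false">
+<title>sysctl net.ipv6.conf.default.forwarding must be 0</title>
+<description>sysctl net.ipv6.conf.default.forwarding must be 0</description>
+<fix>echo 0 &gt; /proc/sys/net/ipv6/conf/default/forwarding</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:5" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-sysctl-ipv6-default-forward -->
+<!-- @@GEN START rule-kernel-syncookies -->
+<Rule id="rule-kernel-syncookies" selected="false">
+<title>kernel config CONFIG_SYN_COOKIES must be y</title>
+<description>kernel config CONFIG_SYN_COOKIES must be y</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:6" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-kernel-syncookies -->
+<!-- @@GEN START rule-pwd-maxdays -->
+<Rule id="rule-pwd-maxdays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MAX_DAYS.*99999</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:9" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-maxdays -->
+<!-- @@GEN START rule-pwd-mindays -->
+<Rule id="rule-pwd-mindays" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_MIN_DAYS.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:10" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-mindays -->
+<!-- @@GEN START rule-pwd-warnage -->
+<Rule id="rule-pwd-warnage" selected="false">
+<title>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</title>
+<description>file /etc/login.defs must have a line that matches ^PASS_WARN_AGE.*7</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:11" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-warnage -->
+<!-- @@GEN START rule-pwd-minlen -->
+<Rule id="rule-pwd-minlen" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches minlen=6</title>
+<description>file /etc/pam.d/common-password must have a line that matches minlen=6</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:12" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-minlen -->
+<!-- @@GEN START rule-pwd-remember -->
+<Rule id="rule-pwd-remember" selected="false">
+<title>file /etc/pam.d/common-password must have a line that matches remember=</title>
+<description>file /etc/pam.d/common-password must have a line that matches remember=</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:13" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-pwd-remember -->
+<!-- @@GEN START rule-authc-faildelay -->
+<Rule id="rule-authc-faildelay" selected="false">
+<title>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</title>
+<description>file /etc/login.defs may not have a line that matches ^FAIL_DELAY.*0</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:16" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelay -->
+<!-- @@GEN START rule-authc-faildelayexist -->
+<Rule id="rule-authc-faildelayexist" selected="false">
+<title>file /etc/login.defs must have a line that matches ^FAIL_DELAY</title>
+<description>file /etc/login.defs must have a line that matches ^FAIL_DELAY</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:17" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-faildelayexist -->
+<!-- @@GEN START rule-authc-xdmcp-remote -->
+<Rule id="rule-authc-xdmcp-remote" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_REMOTE_ACCESS.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:18" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-remote -->
+<!-- @@GEN START rule-authc-xdmcp-root -->
+<Rule id="rule-authc-xdmcp-root" selected="false">
+<title>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</title>
+<description>file /etc/sysconfig/displaymanager must have a line that matches ^DISPLAYMANAGER_ROOT_LOGIN_REMOTE.*no</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:19" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-authc-xdmcp-root -->
+<!-- @@GEN START rule-usermgmt-uidmin -->
+<Rule id="rule-usermgmt-uidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:22" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmin -->
+<!-- @@GEN START rule-usermgmt-uidmax -->
+<Rule id="rule-usermgmt-uidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^UID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:23" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-uidmax -->
+<!-- @@GEN START rule-usermgmt-gidmin -->
+<Rule id="rule-usermgmt-gidmin" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MIN.*1000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:24" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmin -->
+<!-- @@GEN START rule-usermgmt-gidmax -->
+<Rule id="rule-usermgmt-gidmax" selected="false">
+<title>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</title>
+<description>file /etc/login.defs must have a line that matches ^GID_MAX.*60000</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:25" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-usermgmt-gidmax -->
+<!-- @@GEN START rule-misc-sysrq -->
+<Rule id="rule-misc-sysrq" selected="false">
+<title>sysctl kernel.sysrq must be 0</title>
+<description>sysctl kernel.sysrq must be 0</description>
+<fix>echo 0 &gt; /proc/sys/kernel/sysrq</fix>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:29" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sysrq -->
+<!-- @@GEN START rule-misc-hashalgo_md5 -->
+<Rule id="rule-misc-hashalgo_md5" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=md5</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:30" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_md5 -->
+<!-- @@GEN START rule-misc-hashalgo_des -->
+<Rule id="rule-misc-hashalgo_des" selected="false">
+<title>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</title>
+<description>file /etc/default/passwd may not have a line that matches ^CRYPT_FILES=des</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:31" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-hashalgo_des -->
+<!-- @@GEN START rule-misc-perm-check -->
+<Rule id="rule-misc-perm-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_PERMISSIONS.*set</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:32" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-perm-check -->
+<!-- @@GEN START rule-misc-sig-check -->
+<Rule id="rule-misc-sig-check" selected="false">
+<title>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</title>
+<description>file /etc/sysconfig/security must have a line that matches ^CHECK_SIGNATURES.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:33" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-misc-sig-check -->
+<!-- @@GEN START rule-srvc-dhcpd-chroot -->
+<Rule id="rule-srvc-dhcpd-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:38" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd-uid -->
+<Rule id="rule-srvc-dhcpd-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:39" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd-uid -->
+<!-- @@GEN START rule-srvc-dhcpd6-chroot -->
+<Rule id="rule-srvc-dhcpd6-chroot" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_CHROOTED.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:40" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-chroot -->
+<!-- @@GEN START rule-srvc-dhcpd6-uid -->
+<Rule id="rule-srvc-dhcpd6-uid" selected="false">
+<title>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</title>
+<description>file /etc/sysconfig/dhcpd must have a line that matches ^DHCPD6_RUN_AS.*dhcpd</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:41" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-dhcpd6-uid -->
+<!-- @@GEN START rule-srvc-update-restart -->
+<Rule id="rule-srvc-update-restart" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_RESTART_ON_UPDATE.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:42" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-update-restart -->
+<!-- @@GEN START rule-srvc-remove-stop -->
+<Rule id="rule-srvc-remove-stop" selected="false">
+<title>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</title>
+<description>file /etc/sysconfig/services must have a line that matches ^DISABLE_STOP_ON_REMOVAL.*yes</description>
+<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+<check-content-ref name="oval:de.suse.suse121:def:43" href="scap-yast2sec-oval.xml" />
+</check>
+</Rule>
+<!-- @@GEN END rule-srvc-remove-stop -->
+</Benchmark>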
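Review bot: The `<fix>` elements in the five sysctl rules (ip_forward, tcp_syncookies, the two ipv6 forwarding rules and kernel.sysrq) carry no `system` attribute, so a consumer cannot tell what kind of remediation `echo 0 &gt; /proc/sys/net/ipv4/ip_forward` is; XCCDF 1.1 expects the fix type to be declared, e.g. `<fix system="urn:xccdf:fix:script:sh">echo 0 &gt; /proc/sys/net/ipv4/ip_forward</fix>`. Writing to /proc/sys is also not persistent across a reboot, which the rule descriptions could state so that an assessor does not treat a fix-applied result as a durable remediation. Separately, the benchmark title and description describe only kernel/sysctl hardening while most of the selected rules cover password ageing, login.defs UID/GID ranges, dhcpd and display-manager settings, and the description contains the typo `syctl`.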