ssg-nondebian 0.1.31-5 / usr / share / scap-security-guide / ssg-rhel5-xccdf.xml

<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="RHEL-5" resolved="1" xml:lang="en-US" style="SCAP_1.1">
  <status date="2017-08-11">draft</status>
  <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 5</title>
  <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant
configuration settings for Red Hat Enterprise Linux 5. It is a rendering of
content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
in order to support security automation.  The SCAP content is
is available in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">scap-security-guide</html:code> package which is developed at
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Providing system administrators with such guidance informs them how to securely
configure systems under their control in a variety of network roles. Policy
makers and baseline creators can use this catalog of settings, with its
associated references to higher-level security control catalogs, in order to
assist them in security baseline creation. This guide is a <html:i xmlns:html="http://www.w3.org/1999/xhtml">catalog, not a
checklist,</html:i> and satisfaction of every item is not likely to be possible or
sensible in many operational scenarios. However, the XCCDF format enables
granular selection and adjustment of settings, and their association with OVAL
and OCIL content provides an automated checking capability. Transformations of
this document, and its associated automated checking content, are capable of
providing baselines that meet a diverse set of policy objectives. Some example
XCCDF <html:i xmlns:html="http://www.w3.org/1999/xhtml">Profiles</html:i>, which are selections of items that form checklists and
can be used as baselines, are available with this guide. They can be
processed, in an automated fashion, with tools that support the Security
Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 5,
which provides required settings for US Department of Defense systems, is
one example of a baseline created from this guidance.
</description>
  <notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in
this guide without first testing them in a non-operational environment. The
creators of this guidance assume no responsibility whatsoever for its use by
other parties, and makes no guarantees, expressed or implied, about its
quality, reliability, or any other characteristic.</notice>
  <front-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SCAP Security Guide Project<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a></front-matter>
  <rear-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Red Hat and Red Hat Enterprise Linux are either registered
trademarks or trademarks of Red Hat, Inc. in the United States and other
countries. All other names are registered trademarks or trademarks of their
respective companies.</rear-matter>
  <platform idref="cpe:/o:redhat:enterprise_linux:4"/>
  <platform idref="cpe:/o:redhat:enterprise_linux:5"/>
  <version update="https://github.com/OpenSCAP/scap-security-guide/releases/latest">0.1.31</version>
  <metadata xmlns:xhtml="http://www.w3.org/1999/xhtml">
    <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:publisher>
    <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:creator>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gabe Alford &lt;redhatrises@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Christopher Anderson &lt;cba@fedoraproject.org&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chuck Atkins &lt;chuck.atkins@kitware.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Molly Jo Bault &lt;Molly.Jo.Bault@ballardtech.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Bisch &lt;joseph.bisch@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeffrey Blank &lt;blank@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Blake Burkhart &lt;blake.burkhart@us.af.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Patrick Callahan &lt;pmc@patrickcallahan.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Nick Carboni &lt;ncarboni@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Caviggia &lt;fcaviggi@ra.iad.redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Eric Christensen &lt;echriste@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Caleb Cooper &lt;coopercd@ornl.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Maura Dailey &lt;maura@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Klaas Demter &lt;demter@atix.de&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jean-Baptiste Donnette &lt;jean-baptiste.donnette@epita.fr&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">drax &lt;applezip@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Greg Elin &lt;gregelin@gitmachines.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Gilmore &lt;agilmore2@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Glemza &lt;jglemza@nasa.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Grubb &lt;sgrubb@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Trey Henefield &lt;thenefield@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Robin Price II &lt;robin@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeremiah Jahn &lt;jeremiah@goodinassociates.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Stephan Joerrens &lt;Stephan.Joerrens@fiduciagad.de&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Yuli Khodorkovskiy &lt;ykhodorkovskiy@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Luke Kordell &lt;luke.t.kordell@lmco.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">kspargur &lt;kspargur@kspargur.csb&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Fen Labalme &lt;fen@civicactions.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan Lieskovsky &lt;jlieskov@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">&#352;imon Luka&#353;&#237;k &lt;slukasik@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jamie Lorwey Martin &lt;jlmartin@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael McConachie &lt;michael@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rodney Mercer &lt;rmercer@harris.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Millett &lt;bmillett@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">mmosel &lt;mmosel@kde.example.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Zbynek Moravec &lt;zmoravec@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kazuo Moriwaka &lt;moriwaka@users.noreply.github.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Moseley &lt;michael@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joe Nall &lt;joe@nall.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michele Newman &lt;mnewman@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kaustubh Padegaonkar &lt;theTuxRacer@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Palmiotto &lt;mpalmiotto@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">pcactr &lt;paul.c.arnold4.ctr@mail.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Peeples &lt;kennethwpeeples@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Lin PIAT &lt;fpiat@klabs.be&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Martin Preisler &lt;mpreisle@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">T.O. Radzy Radzykewycz &lt;radzy@windriver.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rick Renshaw &lt;Richard_Renshaw@xtoenergy.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Reynolds &lt;c.reynolds82@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Pat Riehecky &lt;riehecky@fnal.gov&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Roys &lt;roysjosh@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">rrenshaw &lt;bofh69@yahoo.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Shaw (Cont ARL/CISD) rvshaw &lt;rvshaw@esme.arl.army.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Willy Santos &lt;wsantos@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gautam Satish &lt;gautams@hpe.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Watson Sato &lt;wsato@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Satoru SATOH &lt;satoru.satoh@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Spencer Shimko &lt;sshimko@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Francisco Slavin &lt;fslavin@tresys.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">David Smith &lt;dsmith@eclipse.ncsc.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Spargur &lt;kspargur@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Stailey &lt;kstailey.lists@gmail.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Leland Steinke &lt;leland.j.steinke.ctr@mail.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Philippe Thierry &lt;phil@reseau-libre.net&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Tittle &lt;ptittle@cmf.nrl.navy.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeb Trayer &lt;jeb.d.trayer@uscg.mil&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Shawn Wells &lt;shawn@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rob Wilmoth &lt;rwilmoth@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Lucas Yamanishi &lt;lucas.yamanishi@onyxpoint.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Zimmerman &lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan &#268;ern&#253; &lt;jcerny@redhat.com&gt;</dc:contributor>
    <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michal &#352;ruba&#345; &lt;msrubar@redhat.com&gt;</dc:contributor>
    <dc:source xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
  </metadata>
  <model system="urn:xccdf:scoring:default"/>
  <Profile id="stig-rhel5-server-upstream">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Upstream STIG for Red Hat Enterprise Linux 5 Server</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
    <select idref="accounts_cracklib_present" selected="true"/>
    <select idref="accounts_disable_post_pw_expiration" selected="true"/>
    <select idref="accounts_executable_dangerous_path_for_root" selected="true"/>
    <select idref="accounts_fail_delay" selected="true"/>
    <select idref="accounts_global_setting" selected="true"/>
    <select idref="accounts_library_dangerous_path_for_root" selected="true"/>
    <select idref="accounts_max_concurrent_login_sessions" selected="true"/>
    <select idref="accounts_maximum_age_login_defs" selected="true"/>
    <select idref="accounts_minimum_age_login_defs" selected="true"/>
    <select idref="accounts_no_uid_except_zero" selected="true"/>
    <select idref="accounts_password_all_shadowed" selected="true"/>
    <select idref="accounts_password_pam_cracklib_dcredit" selected="true"/>
    <select idref="accounts_password_pam_cracklib_difok" selected="true"/>
    <select idref="accounts_password_pam_cracklib_lcredit" selected="true"/>
    <select idref="accounts_password_pam_cracklib_maxrepeat" selected="true"/>
    <select idref="accounts_password_pam_cracklib_minlen" selected="true"/>
    <select idref="accounts_password_pam_cracklib_ocredit" selected="true"/>
    <select idref="accounts_password_pam_cracklib_ucredit" selected="true"/>
    <select idref="accounts_password_pam_tally_deny" selected="true"/>
    <select idref="accounts_password_pam_unix_remember" selected="true"/>
    <select idref="accounts_root_path_dirs_no_write" selected="true"/>
    <select idref="accounts_umask" selected="true"/>
    <select idref="accounts_unique_name" selected="true"/>
    <select idref="aide_build_database" selected="true"/>
    <select idref="aide_periodic_cron_checking" selected="true"/>
    <select idref="at_access_controlled" selected="true"/>
    <select idref="at_deny_nonempty" selected="true"/>
    <select idref="at_system_accounts" selected="true"/>
    <select idref="audit_rules_audit_rules" selected="true"/>
    <select idref="audit_rules_dac_modification_chmod" selected="true"/>
    <select idref="audit_rules_dac_modification_chown" selected="true"/>
    <select idref="audit_rules_dac_modification_fchmod" selected="true"/>
    <select idref="audit_rules_dac_modification_fchmodat" selected="true"/>
    <select idref="audit_rules_dac_modification_fchown" selected="true"/>
    <select idref="audit_rules_dac_modification_fchownat" selected="true"/>
    <select idref="audit_rules_dac_modification_fremovexattr" selected="true"/>
    <select idref="audit_rules_dac_modification_fsetxattr" selected="true"/>
    <select idref="audit_rules_dac_modification_lchown" selected="true"/>
    <select idref="audit_rules_dac_modification_lremovexattr" selected="true"/>
    <select idref="audit_rules_dac_modification_lsetxattr" selected="true"/>
    <select idref="audit_rules_dac_modification_removexattr" selected="true"/>
    <select idref="audit_rules_dac_modification_setxattr" selected="true"/>
    <select idref="audit_rules_file_deletion_events" selected="true"/>
    <select idref="audit_rules_file_deletion_events_rmdir" selected="true"/>
    <select idref="audit_rules_kernel_module_loading" selected="true"/>
    <select idref="audit_rules_login_events" selected="true"/>
    <select idref="audit_rules_sched_setparam" selected="true"/>
    <select idref="audit_rules_sched_setscheduler" selected="true"/>
    <select idref="audit_rules_setdomainname" selected="true"/>
    <select idref="audit_rules_sethostname" selected="true"/>
    <select idref="audit_rules_time_adjtimex" selected="true"/>
    <select idref="audit_rules_time_clock_settime" selected="true"/>
    <select idref="audit_rules_time_settimeofday" selected="true"/>
    <select idref="audit_rules_time_stime" selected="true"/>
    <select idref="audit_rules_unsuccessful_file_creat" selected="true"/>
    <select idref="audit_rules_unsuccessful_file_ftruncate" selected="true"/>
    <select idref="audit_rules_unsuccessful_file_open" selected="true"/>
    <select idref="audit_rules_unsuccessful_file_openat" selected="true"/>
    <select idref="audit_rules_unsuccessful_file_truncate" selected="true"/>
    <select idref="audit_rules_usergroup_creation" selected="true"/>
    <select idref="audit_rules_usergroup_disabling" selected="true"/>
    <select idref="audit_rules_usergroup_modification" selected="true"/>
    <select idref="audit_rules_usergroup_termination" selected="true"/>
    <select idref="auditd_data_retention_audit_processing_failure" selected="true"/>
    <select idref="auditd_data_retention_audit_storage_failure" selected="true"/>
    <select idref="banner_etc_issue" selected="true"/>
    <select idref="banner_gui_enabled" selected="true"/>
    <select idref="baseline_device_files" selected="true"/>
    <select idref="baseline_sgid_files" selected="true"/>
    <select idref="baseline_suid_files" selected="true"/>
    <select idref="bootloader_audit_argument" selected="true"/>
    <select idref="bootloader_exists" selected="true"/>
    <select idref="bootloader_nousb_argument" selected="true"/>
    <select idref="bootloader_password" selected="true"/>
    <select idref="bootloader_password_hash" selected="true"/>
    <select idref="auditd_audispd_syslog_plugin_activated" selected="true"/>
    <select idref="cron_access_controlled" selected="true"/>
    <select idref="cron_system_accounts" selected="true"/>
    <select idref="dir_perms_world_writable_sticky_bits" selected="true"/>
    <select idref="dir_perms_world_writable_system_owned" selected="true"/>
    <select idref="disable_ctrlaltdel_reboot" selected="true"/>
    <select idref="disable_users_coredumps" selected="true"/>
    <select idref="dhcp_client_disable_ddns" selected="true"/>
    <select idref="ensure_gpgcheck_never_disabled" selected="true"/>
    <select idref="file_groupowner_aliases" selected="true"/>
    <select idref="file_groupowner_aliases_files" selected="true"/>
    <select idref="file_groupowner_audio_devices" selected="true"/>
    <select idref="file_groupowner_audit_log" selected="true"/>
    <select idref="file_groupowner_audit_tools" selected="true"/>
    <select idref="file_groupowner_bin_traceroute" selected="true"/>
    <select idref="file_groupowner_binary_dirs" selected="true"/>
    <select idref="file_groupowner_core_dump_dir" selected="true"/>
    <select idref="file_groupowner_crontab_dirs" selected="true"/>
    <select idref="file_groupowner_crontab_files" selected="true"/>
    <select idref="file_groupowner_etc_at_allow" selected="true"/>
    <select idref="file_groupowner_etc_at_deny" selected="true"/>
    <select idref="file_groupowner_etc_cron_allow" selected="true"/>
    <select idref="file_groupowner_etc_cron_deny" selected="true"/>
    <select idref="file_groupowner_etc_cups_printers_conf" selected="true"/>
    <select idref="file_groupowner_etc_exports" selected="true"/>
    <select idref="file_groupowner_etc_group" selected="true"/>
    <select idref="file_groupowner_etc_gshadow" selected="true"/>
    <select idref="file_groupowner_etc_hosts" selected="true"/>
    <select idref="file_groupowner_etc_ldap_conf" selected="true"/>
    <select idref="file_groupowner_etc_nsswitch_conf" selected="true"/>
    <select idref="file_groupowner_etc_ntp_conf" selected="true"/>
    <select idref="file_groupowner_etc_passwd" selected="true"/>
    <select idref="file_groupowner_etc_resolv_conf" selected="true"/>
    <select idref="file_groupowner_etc_samba_smb_conf" selected="true"/>
    <select idref="file_groupowner_etc_samba_tdb" selected="true"/>
    <select idref="file_groupowner_etc_security_access_conf" selected="true"/>
    <select idref="file_groupowner_etc_securetty" selected="true"/>
    <select idref="file_groupowner_etc_services" selected="true"/>
    <select idref="file_groupowner_etc_skel" selected="true"/>
    <select idref="file_groupowner_etc_sysctl_conf" selected="true"/>
    <select idref="file_groupowner_etc_syslog_conf" selected="true"/>
    <select idref="file_groupowner_etc_xinetd_conf" selected="true"/>
    <select idref="file_groupowner_exports_dirs" selected="true"/>
    <select idref="file_groupowner_ftpusers" selected="true"/>
    <select idref="file_groupowner_global_initialization_files" selected="true"/>
    <select idref="file_groupowner_grub_conf" selected="true"/>
    <select idref="file_groupowner_home_dirs" selected="true"/>
    <select idref="file_groupowner_home_files" selected="true"/>
    <select idref="file_groupowner_ldap_cacerts" selected="true"/>
    <select idref="file_groupowner_ldap_certs" selected="true"/>
    <select idref="file_groupowner_ldap_keys" selected="true"/>
    <select idref="file_groupowner_local_initialization_files" selected="true"/>
    <select idref="file_groupowner_run_control_scripts" selected="true"/>
    <select idref="file_groupowner_shell_files" selected="true"/>
    <select idref="file_groupowner_snmpd_conf" selected="true"/>
    <select idref="file_groupowner_var_spool_at" selected="true"/>
    <select idref="file_groupowner_var_yp" selected="true"/>
    <select idref="file_owner_aliases" selected="true"/>
    <select idref="file_owner_aliases_files" selected="true"/>
    <select idref="file_owner_audio_devices" selected="true"/>
    <select idref="file_owner_audit_log" selected="true"/>
    <select idref="file_owner_audit_tools" selected="true"/>
    <select idref="file_owner_bin_traceroute" selected="true"/>
    <select idref="file_ownership_binary_dirs" selected="true"/>
    <select idref="file_owner_core_dump_dir" selected="true"/>
    <select idref="file_owner_crontab_dirs" selected="true"/>
    <select idref="file_owner_crontab_files" selected="true"/>
    <select idref="file_owner_etc_at_allow" selected="true"/>
    <select idref="file_owner_etc_at_deny" selected="true"/>
    <select idref="file_owner_etc_cron_allow" selected="true"/>
    <select idref="file_owner_etc_cron_deny" selected="true"/>
    <select idref="file_owner_etc_cups_printers_conf" selected="true"/>
    <select idref="file_owner_etc_exports" selected="true"/>
    <select idref="file_owner_etc_group" selected="true"/>
    <select idref="file_owner_etc_gshadow" selected="true"/>
    <select idref="file_owner_etc_hosts" selected="true"/>
    <select idref="file_owner_etc_ldap_conf" selected="true"/>
    <select idref="file_owner_etc_nsswitch_conf" selected="true"/>
    <select idref="file_owner_etc_ntp_conf" selected="true"/>
    <select idref="file_owner_etc_passwd" selected="true"/>
    <select idref="file_owner_etc_resolv_conf" selected="true"/>
    <select idref="file_owner_etc_samba_smb_conf" selected="true"/>
    <select idref="file_owner_etc_samba_tdb" selected="true"/>
    <select idref="file_owner_etc_securetty" selected="true"/>
    <select idref="file_owner_etc_security_access_conf" selected="true"/>
    <select idref="file_owner_etc_services" selected="true"/>
    <select idref="file_owner_etc_shadow" selected="true"/>
    <select idref="file_owner_etc_skel" selected="true"/>
    <select idref="file_owner_etc_sysctl_conf" selected="true"/>
    <select idref="file_owner_etc_syslog_conf" selected="true"/>
    <select idref="file_owner_etc_xinetd_conf" selected="true"/>
    <select idref="file_owner_exports_dirs" selected="true"/>
    <select idref="file_owner_ftpusers" selected="true"/>
    <select idref="file_owner_global_initialization_files" selected="true"/>
    <select idref="file_owner_grub_conf" selected="true"/>
    <select idref="file_owner_home_dirs" selected="true"/>
    <select idref="file_owner_home_files" selected="true"/>
    <select idref="file_owner_ldap_cacerts" selected="true"/>
    <select idref="file_owner_ldap_certs" selected="true"/>
    <select idref="file_owner_ldap_keys" selected="true"/>
    <select idref="file_owner_local_initialization_files" selected="true"/>
    <select idref="file_owner_run_control_scripts" selected="true"/>
    <select idref="file_owner_shell_files" selected="true"/>
    <select idref="file_owner_smtp_logs" selected="true"/>
    <select idref="file_owner_snmpd_conf" selected="true"/>
    <select idref="file_owner_var_spool_at" selected="true"/>
    <select idref="file_owner_var_yp" selected="true"/>
    <select idref="file_permissions_aliases" selected="true"/>
    <select idref="file_permissions_aliases_files" selected="true"/>
    <select idref="file_permissions_audio_devices" selected="true"/>
    <select idref="file_permissions_audit_log" selected="true"/>
    <select idref="file_permissions_audit_tools" selected="true"/>
    <select idref="file_permissions_bin_traceroute" selected="true"/>
    <select idref="file_permissions_binary_dirs" selected="true"/>
    <select idref="file_permissions_core_dump_dir" selected="true"/>
    <select idref="file_permissions_cron_files" selected="true"/>
    <select idref="file_permissions_cron_log_files" selected="true"/>
    <select idref="file_permissions_crontab_dirs" selected="true"/>
    <select idref="file_permissions_crontab_files" selected="true"/>
    <select idref="file_permissions_etc_at_allow" selected="true"/>
    <select idref="file_permissions_etc_at_deny" selected="true"/>
    <select idref="file_permissions_etc_cron_allow" selected="true"/>
    <select idref="file_permissions_etc_cron_deny" selected="true"/>
    <select idref="file_permissions_etc_cups_printers_conf" selected="true"/>
    <select idref="file_permissions_etc_exports" selected="true"/>
    <select idref="file_permissions_etc_group" selected="true"/>
    <select idref="file_permissions_etc_gshadow" selected="true"/>
    <select idref="file_permissions_etc_hosts" selected="true"/>
    <select idref="file_permissions_etc_ldap_conf" selected="true"/>
    <select idref="file_permissions_etc_news_infeed_conf" selected="true"/>
    <select idref="file_permissions_etc_news_incoming_conf" selected="true"/>
    <select idref="file_permissions_etc_news_passwd_nntp" selected="true"/>
    <select idref="file_permissions_etc_nsswitch_conf" selected="true"/>
    <select idref="file_permissions_etc_ntp_conf" selected="true"/>
    <select idref="file_permissions_etc_passwd" selected="true"/>
    <select idref="file_permissions_etc_resolv_conf" selected="true"/>
    <select idref="file_permissions_etc_samba_smb_conf" selected="true"/>
    <select idref="file_permissions_etc_samba_tdb" selected="true"/>
    <select idref="file_permissions_etc_securetty" selected="true"/>
    <select idref="file_permissions_etc_security_access_conf" selected="true"/>
    <select idref="file_permissions_etc_services" selected="true"/>
    <select idref="file_permissions_etc_shadow" selected="true"/>
    <select idref="file_permissions_etc_skel" selected="true"/>
    <select idref="file_permissions_etc_sysctl_conf" selected="true"/>
    <select idref="file_permissions_etc_syslog_conf" selected="true"/>
    <select idref="file_permissions_etc_xinetd_conf" selected="true"/>
    <select idref="file_permissions_etc_xinetd_dir" selected="true"/>
    <select idref="file_permissions_extended_aliases" selected="true"/>
    <select idref="file_permissions_extended_aliases_files" selected="true"/>
    <select idref="file_permissions_extended_audio_devices" selected="true"/>
    <select idref="file_permissions_extended_audit_log" selected="true"/>
    <select idref="file_permissions_extended_audit_tools" selected="true"/>
    <select idref="file_permissions_extended_bin_traceroute" selected="true"/>
    <select idref="file_permissions_extended_binary_dirs" selected="true"/>
    <select idref="file_permissions_extended_core_dump_dir" selected="true"/>
    <select idref="file_permissions_extended_cron_log_files" selected="true"/>
    <select idref="file_permissions_extended_crontab_dirs" selected="true"/>
    <select idref="file_permissions_extended_crontab_files" selected="true"/>
    <select idref="file_permissions_extended_etc_at_allow" selected="true"/>
    <select idref="file_permissions_extended_etc_at_deny" selected="true"/>
    <select idref="file_permissions_extended_etc_cron_allow" selected="true"/>
    <select idref="file_permissions_extended_etc_cron_deny" selected="true"/>
    <select idref="file_permissions_extended_etc_cups_printers_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_exports" selected="true"/>
    <select idref="file_permissions_extended_etc_group" selected="true"/>
    <select idref="file_permissions_extended_etc_gshadow" selected="true"/>
    <select idref="file_permissions_extended_etc_hosts" selected="true"/>
    <select idref="file_permissions_extended_etc_ldap_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_news_infeed_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_news_incoming_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_news_nnrp_access" selected="true"/>
    <select idref="file_permissions_extended_etc_news_passwd_nntp" selected="true"/>
    <select idref="file_permissions_extended_etc_nsswitch_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_ntp_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_passwd" selected="true"/>
    <select idref="file_permissions_extended_etc_resolv_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_samba_smb_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_samba_tdb" selected="true"/>
    <select idref="file_permissions_extended_etc_security_access_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_services" selected="true"/>
    <select idref="file_permissions_extended_etc_shadow" selected="true"/>
    <select idref="file_permissions_extended_etc_skel" selected="true"/>
    <select idref="file_permissions_extended_etc_sysctl_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_syslog_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_xinetd_conf" selected="true"/>
    <select idref="file_permissions_extended_etc_xinetd_dir" selected="true"/>
    <select idref="file_permissions_extended_ftpusers" selected="true"/>
    <select idref="file_permissions_extended_global_initialization_files" selected="true"/>
    <select idref="file_permissions_extended_grub_conf" selected="true"/>
    <select idref="file_permissions_extended_home_dirs" selected="true"/>
    <select idref="file_permissions_extended_home_files" selected="true"/>
    <select idref="file_permissions_extended_ldap_cacerts" selected="true"/>
    <select idref="file_permissions_extended_ldap_certs" selected="true"/>
    <select idref="file_permissions_extended_ldap_keys" selected="true"/>
    <select idref="file_permissions_extended_library_dirs" selected="true"/>
    <select idref="file_permissions_extended_local_initialization_files" selected="true"/>
    <select idref="file_permissions_extended_man_pages" selected="true"/>
    <select idref="file_permissions_extended_mib_files" selected="true"/>
    <select idref="file_permissions_extended_root_dir" selected="true"/>
    <select idref="file_permissions_extended_run_control_scripts" selected="true"/>
    <select idref="file_permissions_extended_shell_files" selected="true"/>
    <select idref="file_permissions_extended_smtp_logs" selected="true"/>
    <select idref="file_permissions_extended_snmpd_conf" selected="true"/>
    <select idref="file_permissions_extended_usr_sbin_dir" selected="true"/>
    <select idref="file_permissions_extended_var_log" selected="true"/>
    <select idref="file_permissions_extended_var_spool_at" selected="true"/>
    <select idref="file_permissions_extended_var_yp" selected="true"/>
    <select idref="file_permissions_extended_xauthority_files" selected="true"/>
    <select idref="file_permissions_ftpusers" selected="true"/>
    <select idref="file_permissions_global_initialization_files" selected="true"/>
    <select idref="file_permissions_grub_conf" selected="true"/>
    <select idref="file_permissions_home_dirs" selected="true"/>
    <select idref="file_permissions_home_files" selected="true"/>
    <select idref="file_permissions_ldap_cacerts" selected="true"/>
    <select idref="file_permissions_ldap_certs" selected="true"/>
    <select idref="file_permissions_ldap_keys" selected="true"/>
    <select idref="file_permissions_library_dirs" selected="true"/>
    <select idref="file_permissions_local_initialization_files" selected="true"/>
    <select idref="file_permissions_man_pages" selected="true"/>
    <select idref="file_permissions_mib_files" selected="true"/>
    <select idref="file_permissions_root_dir" selected="true"/>
    <select idref="file_permissions_run_control_scripts" selected="true"/>
    <select idref="file_permissions_shell_files" selected="true"/>
    <select idref="file_permissions_smtp_logs" selected="true"/>
    <select idref="file_permissions_snmpd_conf" selected="true"/>
    <select idref="file_permissions_ssh_private_host_keys" selected="true"/>
    <select idref="file_permissions_ssh_public_host_keys" selected="true"/>
    <select idref="file_permissions_tftp_binary" selected="true"/>
    <select idref="file_permissions_unauthorized_world_writable" selected="true"/>
    <select idref="file_permissions_ungroupowned" selected="true"/>
    <select idref="file_permissions_usr_bin_ldd" selected="true"/>
    <select idref="file_permissions_usr_sbin_dir" selected="true"/>
    <select idref="file_permissions_var_log" selected="true"/>
    <select idref="file_permissions_var_spool_at" selected="true"/>
    <select idref="file_permissions_var_yp" selected="true"/>
    <select idref="file_permissions_xauthority_files" selected="true"/>
    <select idref="ftp_anonymous_shell" selected="true"/>
    <select idref="ftp_default_umask" selected="true"/>
    <select idref="ftp_enable_warning_banner" selected="true"/>
    <select idref="ftp_ftpusers_file_empty" selected="true"/>
    <select idref="ftp_ftpusers_file_exists" selected="true"/>
    <select idref="ftp_log_transactions" selected="true"/>
    <select idref="gconf_gnome_screensaver_idle_activation_enabled" selected="true"/>
    <select idref="gconf_gnome_screensaver_idle_delay" selected="true"/>
    <select idref="gconf_gnome_screensaver_lock_enabled" selected="true"/>
    <select idref="gid_passwd_group_same" selected="true"/>
    <select idref="global_initialization_files_mesg" selected="true"/>
    <select idref="iptables_input_reject_rule" selected="true"/>
    <select idref="iptables_timestamp_reject_rule" selected="true"/>
    <select idref="ip6tables_input_icmpv6_broadcast" selected="true"/>
    <select idref="ip_6to4_tunnels" selected="true"/>
    <select idref="ip_teredo" selected="true"/>
    <select idref="ip_tunnels" selected="true"/>
    <select idref="kernel_module_appletalk_disabled" selected="true"/>
    <select idref="kernel_module_bluetooth_disabled" selected="true"/>
    <select idref="kernel_module_bridge_disabled" selected="true"/>
    <select idref="kernel_module_dccp_disabled" selected="true"/>
    <select idref="kernel_module_ieee1394_disabled" selected="true"/>
    <select idref="kernel_module_ipv6_option_disabled" selected="true"/>
    <select idref="kernel_module_rds_disabled" selected="true"/>
    <select idref="kernel_module_sctp_disabled" selected="true"/>
    <select idref="kernel_module_tipc_disabled" selected="true"/>
    <select idref="kernel_module_usb-storage_disabled" selected="true"/>
    <select idref="ldap_client_bindpw" selected="true"/>
    <select idref="ldap_client_start_tls" selected="true"/>
    <select idref="ldap_client_tls_cert" selected="true"/>
    <select idref="ldap_client_tls_checkpeer" selected="true"/>
    <select idref="ldap_client_tls_crlcheck" selected="true"/>
    <select idref="logrotate_rotate_all_files" selected="true"/>
    <select idref="mail_debug_enabled" selected="true"/>
    <select idref="mail_decode_active" selected="true"/>
    <select idref="mail_expn_active" selected="true"/>
    <select idref="mail_forward_files" selected="true"/>
    <select idref="mail_help_command" selected="true"/>
    <select idref="mail_log_level" selected="true"/>
    <select idref="mail_log_enabled" selected="true"/>
    <select idref="mail_relaying_disabled" selected="true"/>
    <select idref="mail_up_to_date" selected="true"/>
    <select idref="mail_version_info" selected="true"/>
    <select idref="mail_vrfy_active" selected="true"/>
    <select idref="mail_wiz_active" selected="true"/>
    <select idref="mount_option_nodev_removable_filesystems" selected="true"/>
    <select idref="mount_option_nosuid_removable_filesystems" selected="true"/>
    <select idref="network_ipv6_default_gateway" selected="true"/>
    <select idref="network_ipv6_disable_interfaces" selected="true"/>
    <select idref="nfs_enforce_host_access" selected="true"/>
    <select idref="nfs_mount_option_nosuid_remote_filesystems" selected="true"/>
    <select idref="nfs_no_anonymous" selected="true"/>
    <select idref="nfs_no_insecure_locks_exports" selected="true"/>
    <select idref="nfs_use_root_squashing_all_exports" selected="true"/>
    <select idref="no_empty_passwords" selected="true"/>
    <select idref="no_files_unowned_by_user" selected="true"/>
    <select idref="no_netrc_files" selected="true"/>
    <select idref="no_root_webbrowsing" selected="true"/>
    <select idref="no_rsh_trust_files" selected="true"/>
    <select idref="ntp_multiple_remote_servers" selected="true"/>
    <select idref="ntp_remote_server" selected="true"/>
    <select idref="package_av_installed" selected="true"/>
    <select idref="package_hids_installed" selected="true"/>
    <select idref="package_rpc_removed" selected="true"/>
    <select idref="package_rsh-server_removed" selected="true"/>
    <select idref="package_samba_removed" selected="true"/>
    <select idref="partition_for_home" selected="true"/>
    <select idref="partition_for_tmp" selected="true"/>
    <select idref="partition_for_var" selected="true"/>
    <select idref="partition_for_var_log_audit" selected="true"/>
    <select idref="require_singleuser_auth" selected="true"/>
    <select idref="restricted_accounts" selected="true"/>
    <select idref="restricted_accounts_ftp" selected="true"/>
    <select idref="restricted_accounts_games" selected="true"/>
    <select idref="restricted_accounts_gopher" selected="true"/>
    <select idref="restricted_accounts_news" selected="true"/>
    <select idref="rhosts_auth_pam_files" selected="true"/>
    <select idref="samba_encrypt_passwords_option" selected="true"/>
    <select idref="samba_guest_ok_option" selected="true"/>
    <select idref="samba_hosts_option" selected="true"/>
    <select idref="samba_security_option" selected="true"/>
    <select idref="samba-swat_restricted" selected="true"/>
    <select idref="securetty_root_login_console_only" selected="true"/>
    <select idref="selinux_enforcing" selected="true"/>
    <select idref="service_auditd_enabled" selected="true"/>
    <select idref="service_autofs_disabled" selected="true"/>
    <select idref="service_kdump_disabled" selected="true"/>
    <select idref="service_iptables_enabled" selected="true"/>
    <select idref="service_ntpd_enabled" selected="true"/>
    <select idref="service_rexec_disabled" selected="true"/>
    <select idref="service_rlogin_disabled" selected="true"/>
    <select idref="service_rpc_disabled" selected="true"/>
    <select idref="service_rsh_disabled" selected="true"/>
    <select idref="service_telnetd_disabled" selected="true"/>
    <select idref="service_tftp_disabled" selected="true"/>
    <select idref="service_unencrypted_ftp_disabled" selected="true"/>
    <select idref="service_yum-updatesd_disabled" selected="true"/>
    <select idref="service_xinetd_disabled" selected="true"/>
    <select idref="service_ypbind_disabled" selected="true"/>
    <select idref="set_password_hashing_algorithm_systemauth" selected="true"/>
    <select idref="snmpd_not_default_password" selected="true"/>
    <select idref="snmpd_use_approved_hash" selected="true"/>
    <select idref="snmpd_use_approved_encryption" selected="true"/>
    <select idref="snmpd_use_newer_protocol" selected="true"/>
    <select idref="ssh_gssapiauthentication" selected="true"/>
    <select idref="ssh_no_cbc" selected="true"/>
    <select idref="ssh_protocol_2" selected="true"/>
    <select idref="ssh_use_approved_ciphers" selected="true"/>
    <select idref="ssh_use_approved_macs" selected="true"/>
    <select idref="sshd_compression" selected="true"/>
    <select idref="sshd_disable_root_login" selected="true"/>
    <select idref="sshd_enable_warning_banner" selected="true"/>
    <select idref="sshd_gssapiauthentication" selected="true"/>
    <select idref="sshd_ipfiltering" selected="true"/>
    <select idref="sshd_kerberosauthentication" selected="true"/>
    <select idref="sshd_listen_addresses" selected="true"/>
    <select idref="sshd_no_cbc" selected="true"/>
    <select idref="sshd_printlastlog" selected="true"/>
    <select idref="sshd_privilegeseparation" selected="true"/>
    <select idref="sshd_protocol_2" selected="true"/>
    <select idref="sshd_rhostsrsaauthentication" selected="true"/>
    <select idref="sshd_strictmodes" selected="true"/>
    <select idref="sshd_use_approved_ciphers" selected="true"/>
    <select idref="sshd_use_approved_macs" selected="true"/>
    <select idref="sshd_users_groups" selected="true"/>
    <select idref="sudo_wheel" selected="true"/>
    <select idref="sysconfig_networking_bootproto_ifcfg" selected="true"/>
    <select idref="sysctl_kernel_execshield" selected="true"/>
    <select idref="sysctl_kernel_nonexec_stack" selected="true"/>
    <select idref="sysctl_net_ipv4_conf_accept_redirects" selected="true"/>
    <select idref="sysctl_net_ipv4_conf_accept_source_route" selected="true"/>
    <select idref="sysctl_net_ipv4_conf_log_martians" selected="true"/>
    <select idref="sysctl_net_ipv4_conf_send_redirects" selected="true"/>
    <select idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
    <select idref="sysctl_net_ipv4_ip_forward" selected="true"/>
    <select idref="sysctl_net_ipv4_tcp_syncookies" selected="true"/>
    <select idref="sysctl_net_ipv4_tcp_max_syn_backlog" selected="true"/>
    <select idref="sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
    <select idref="sysctl_net_ipv6_conf_forwarding" selected="true"/>
    <select idref="syslog_nolisten" selected="true"/>
    <select idref="syslog_remote_loghost" selected="true"/>
    <select idref="system_access_control" selected="true"/>
    <select idref="tftpd_user_shell" selected="true"/>
    <select idref="tftpd_uses_secure_mode" selected="true"/>
    <select idref="xwindows_runlevel_setting" selected="true"/>
    <select idref="remediation_functions" selected="false"/>
    <select idref="intro" selected="false"/>
    <select idref="general-principles" selected="false"/>
    <select idref="principle-encrypt-transmitted-data" selected="false"/>
    <select idref="principle-minimize-software" selected="false"/>
    <select idref="principle-separate-servers" selected="false"/>
    <select idref="principle-use-security-tools" selected="false"/>
    <select idref="principle-least-privilege" selected="false"/>
    <select idref="how-to-use" selected="false"/>
    <select idref="intro-read-sections-completely" selected="false"/>
    <select idref="intro-test-non-production" selected="false"/>
    <select idref="intro-root-shell-assumed" selected="false"/>
    <select idref="intro-formatting-conventions" selected="false"/>
    <select idref="intro-reboot-required" selected="false"/>
    <select idref="rpm_verification" selected="false"/>
    <select idref="console_screen_locking" selected="false"/>
    <select idref="smart_card_login" selected="false"/>
    <select idref="network_disable_unused_interfaces" selected="false"/>
    <select idref="network_restrict_access" selected="false"/>
    <select idref="network_ssl" selected="false"/>
    <select idref="srg_support" selected="false"/>
    <refine-value idref="ftp_login_banner_text" selector="dod_default"/>
    <refine-value idref="gui_login_banner_text" selector="dod_default"/>
    <refine-value idref="inactivity_timeout_value" selector="15_minutes"/>
    <refine-value idref="max_concurrent_login_sessions_value" selector="10"/>
    <refine-value idref="password_history_retain_number" selector="5"/>
    <refine-value idref="sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/>
    <refine-value idref="sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/>
    <refine-value idref="sysctl_net_ipv4_conf_all_log_martians_value" selector="enabled"/>
    <refine-value idref="sysctl_net_ipv4_conf_all_rp_filter_value" selector="enabled"/>
    <refine-value idref="sysctl_net_ipv4_conf_all_secure_redirects_value" selector="disabled"/>
    <refine-value idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/>
    <refine-value idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" selector="enabled"/>
    <refine-value idref="sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/>
    <refine-value idref="sysctl_net_ipv4_tcp_max_syn_backlog_value" selector="recommended"/>
    <refine-value idref="system_login_banner_text" selector="dod_default"/>
    <refine-value idref="var_accounts_maximum_age_login_defs" selector="60"/>
    <refine-value idref="var_accounts_minimum_age_login_defs" selector="1"/>
    <refine-value idref="var_accounts_password_pam_tally_deny" selector="3"/>
    <refine-value idref="var_accounts_user_umask" selector="077"/>
    <refine-value idref="var_auditd_admin_space_left_action" selector="single"/>
    <refine-value idref="var_auditd_disk_error_action" selector="syslog"/>
    <refine-value idref="var_auditd_disk_full_action" selector="syslog"/>
    <refine-value idref="var_auditd_max_log_file" selector="6"/>
    <refine-value idref="var_auditd_max_log_file_action" selector="rotate"/>
    <refine-value idref="var_auditd_num_logs" selector="5"/>
    <refine-value idref="var_password_pam_cracklib_dcredit" selector="1"/>
    <refine-value idref="var_password_pam_cracklib_difok" selector="4"/>
    <refine-value idref="var_password_pam_cracklib_lcredit" selector="1"/>
    <refine-value idref="var_password_pam_cracklib_maxrepeat" selector="3"/>
    <refine-value idref="var_password_pam_cracklib_minlen" selector="14"/>
    <refine-value idref="var_password_pam_cracklib_ocredit" selector="1"/>
    <refine-value idref="var_password_pam_cracklib_retry" selector="3"/>
    <refine-value idref="var_password_pam_cracklib_ucredit" selector="1"/>
    <refine-value idref="var_selinux_policy_name" selector="targeted"/>
  </Profile>
  <Group id="remediation_functions">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation functions used by the SCAP Security Guide Project</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">XCCDF form of the various remediation functions as used by
remediation scripts from the SCAP Security Guide Project</description>
    <Value id="function_fix_audit_syscall_rule" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to fix syscall audit rule for given system call</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to fix syscall audit rule for given system call. It is
based on example audit syscall rule definitions as outlined in
/usr/share/doc/audit-2.3.7/stig.rules file provided with the audit package. It
will combine multiple system calls belonging to the same syscall group into one
audit rule (rather than to create audit rule per different system call) to
avoid audit infrastructure performance penalty in the case of
'one-audit-rule-definition-per-one-system-call'. See:

	https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html

for further details.

Expects five arguments (each of them is required) in the form of:
  * audit tool                          tool used to load audit rules,
                                        either 'auditctl', or 'augenrules
  * audit rules' pattern                audit rule skeleton for same syscall
  * syscall group                       greatest common string this rule shares
                                        with other rules from the same group
  * architecture                        architecture this rule is intended for
  * full form of new rule to add        expected full form of audit rule as to
                                        be added into audit.rules file

Note: The 2-th up to 4-th arguments are used to determine how many existing
audit rules will be inspected for resemblance with the new audit rule
(5-th argument) the function is going to add. The rule's similarity check
is performed to optimize audit.rules definition (merge syscalls of the same
group into one rule) to avoid the "single-syscall-per-audit-rule" performance
penalty.

Example call:

  PATTERN="-a always,exit -F arch=$ARCH -S .* -F auid&gt;=500 -F auid!=4294967295 -k delete"
  # Use escaped BRE regex to specify rule group
  GROUP="\(rmdir\|unlink\|rename\)"
  FULL_RULE="-a always,exit -F arch=$ARCH -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete"
  fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
</description>
      <value>
function fix_audit_syscall_rule {

# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"

# Check sanity of the input
if [ $# -ne "5" ]
then
        echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
        echo "Aborting."
        exit 1
fi

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect

# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] &amp;&amp; [ "$tool" != 'augenrules' ]
then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
        # Extract audit $key from audit rule so we can use it later
        key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)')
        # Check if particular audit rule is already defined
        IFS=$'\n' matches=($(sed -s -n -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules))
        # Reset IFS back to default
        unset $IFS
        for match in "${matches[@]}"
        do
                files_to_inspect=("${files_to_inspect[@]}" "${match}")
        done
        # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
                files_to_inspect="/etc/audit/rules.d/$key.rules"
                if [ ! -e "$files_to_inspect" ]
                then
                        touch "$files_to_inspect"
                        chmod 0640 "$files_to_inspect"
                fi
        fi
fi

#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0

for audit_file in "${files_to_inspect[@]}"
do

        # Filter existing $audit_file rules' definitions to select those that:
        # * follow the rule pattern, and
        # * meet the hardware architecture requirement, and
        # * are current syscall group specific
        IFS=$'\n' existing_rules=($(sed -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d"  "$audit_file"))
        # Reset IFS back to default
        unset $IFS

        # Process rules found case-by-case
        for rule in "${existing_rules[@]}"
        do
                # Found rule is for same arch &amp; key, but differs (e.g. in count of -S arguments)
                if [ "${rule}" != "${full_rule}" ]
                then
                        # If so, isolate just '(-S \w)+' substring of that rule
                        rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+')
                        # Check if list of '-S syscall' arguments of that rule is subset
                        # of '-S syscall' list of expected $full_rule
                        if grep -q -- "$rule_syscalls" &lt;&lt;&lt; "$full_rule"
                        then
                                # Rule is covered (i.e. the list of -S syscalls for this rule is
                                # subset of -S syscalls of $full_rule =&gt; existing rule can be deleted
                                # Thus delete the rule from audit.rules &amp; our array
                                sed -i -e "/$rule/d" "$audit_file"
                                existing_rules=("${existing_rules[@]//$rule/}")
                        else
                                # Rule isn't covered by $full_rule - it besides -S syscall arguments
                                # for this group contains also -S syscall arguments for other syscall
                                # group. Example: '-S lchown -S fchmod -S fchownat' =&gt; group='chown'
                                # since 'lchown' &amp; 'fchownat' share 'chown' substring
                                # Therefore:
                                # * 1) delete the original rule from audit.rules
                                # (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
                                # * 2) delete the -S syscall arguments for this syscall group, but
                                # keep those not belonging to this syscall group
                                # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
                                # * 3) append the modified (filtered) rule again into audit.rules
                                # if the same rule not already present
                                #
                                # 1) Delete the original rule
                                sed -i -e "/$rule/d" "$audit_file"
                                # 2) Delete syscalls for this group, but keep those from other groups
                                # Convert current rule syscall's string into array splitting by '-S' delimiter
                                IFS=$'-S' read -a rule_syscalls_as_array &lt;&lt;&lt; "$rule_syscalls"
                                # Reset IFS back to default
                                unset $IFS
                                # Declare new empty string to hold '-S syscall' arguments from other groups
                                new_syscalls_for_rule=''
                                # Walk through existing '-S syscall' arguments
                                for syscall_arg in "${rule_syscalls_as_array[@]}"
                                do
                                        # Skip empty $syscall_arg values
                                        if [ "$syscall_arg" == '' ]
                                        then
                                                continue
                                        fi
                                        # If the '-S syscall' doesn't belong to current group add it to the new list
                                        # (together with adding '-S' delimiter back for each of such item found)
                                        if grep -q -v -- "$group" &lt;&lt;&lt; "$syscall_arg"
                                        then
                                                new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
                                        fi
                                done
                                # Replace original '-S syscall' list with the new one for this rule
                                updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
                                # Squeeze repeated whitespace characters in rule definition (if any) into one
                                updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
                                # 3) Append the modified / filtered rule again into audit.rules
                                #    (but only in case it's not present yet to prevent duplicate definitions)
                                if ! grep -q -- "$updated_rule" "$audit_file"
                                then
                                        echo "$updated_rule" &gt;&gt; "$audit_file"
                                fi
                        fi
                else
                        # $audit_file already contains the expected rule form for this
                        # architecture &amp; key =&gt; don't insert it second time
                        append_expected_rule=1
                fi
        done

        # We deleted all rules that were subset of the expected one for this arch &amp; key.
        # Also isolated rules containing system calls not from this system calls group.
        # Now append the expected rule if it's not present in $audit_file yet
        if [[ ${append_expected_rule} -eq "0" ]]
        then
                echo "$full_rule" &gt;&gt; "$audit_file"
        fi
done

}
</value>
    </Value>
    <Value id="function_fix_audit_watch_rule" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to fix audit file system object watch rule for given path</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to fix audit file system object watch rule for given path:
  * if rule exists, also verifies the -w bits match the requirements
  * if rule doesn't exist yet, appends expected rule form to $files_to_inspect
    audit rules file, depending on the tool which was used to load audit rules

Expects four arguments (each of them is required) in the form of:
  * audit tool                          tool used to load audit rules,
                                        either 'auditctl', or 'augenrules'
  * path                                value of -w audit rule's argument
  * required access bits                value of -p audit rule's argument
  * key                                 value of -k audit rule's argument

Example call:

  fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules"
</description>
      <value>
function fix_audit_watch_rule {

# Load function arguments into local variables
local tool="$1"
local path="$2"
local required_access_bits="$3"
local key="$4"

# Check sanity of the input
if [ $# -ne "4" ]
then
        echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'"
        echo "Aborting."
        exit 1
fi

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
#
# -----------------------------------------------------------------------------------------
# Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#       auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#       augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#       augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
declare -a files_to_inspect

# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] &amp;&amp; [ "$tool" != 'augenrules' ]
then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
# If the audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# into the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules')
# If the audit is 'augenrules', then check if rule is already defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection.
# If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection.
elif [ "$tool" == 'augenrules' ]
then
        # Case when particular audit rule is already defined in some of /etc/audit/rules.d/*.rules file
        # Get pair -- filepath : matching_row into @matches array
        IFS=$'\n' matches=($(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules))
        # Reset IFS back to default
        unset $IFS
        # For each of the matched entries
        for match in "${matches[@]}"
        do
                # Extract filepath from the match
                rulesd_audit_file=$(echo $match | cut -f1 -d ':')
                # Append that path into list of files for inspection
                files_to_inspect=("${files_to_inspect[@]}" "$rulesd_audit_file")
        done
        # Case when particular audit rule isn't defined yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
                # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection
                files_to_inspect="/etc/audit/rules.d/$key.rules"
                # If the $key.rules file doesn't exist yet, create it with correct permissions
                if [ ! -e "$files_to_inspect" ]
                then
                        touch "$files_to_inspect"
                        chmod 0640 "$files_to_inspect"
                fi
        fi
fi

# Finally perform the inspection and possible subsequent audit rule
# correction for each of the files previously identified for inspection
for audit_rules_file in "${files_to_inspect[@]}"
do

        # Check if audit watch file system object rule for given path already present
        if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file"
        then
                # Rule is found =&gt; verify yet if existing rule definition contains
                # all of the required access type bits

                # Escape slashes in path for use in sed pattern below
                local esc_path=${path//$'/'/$'\/'}
                # Define BRE whitespace class shortcut
                local sp="[[:space:]]"
                # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule
                current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file")
                # Split required access bits string into characters array
                # (to check bit's presence for one bit at a time)
                for access_bit in $(echo "$required_access_bits" | grep -o .)
                do
                        # For each from the required access bits (e.g. 'w', 'a') check
                        # if they are already present in current access bits for rule.
                        # If not, append that bit at the end
                        if ! grep -q "$access_bit" &lt;&lt;&lt; "$current_access_bits"
                        then
                                # Concatenate the existing mask with the missing bit
                                current_access_bits="$current_access_bits$access_bit"
                        fi
                done
                # Propagate the updated rule's access bits (original + the required
                # ones) back into the /etc/audit/audit.rules file for that rule
                sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file"
        else
                # Rule isn't present yet. Append it at the end of $audit_rules_file file
                # with proper key

                echo "-w $path -p $required_access_bits -k $key" &gt;&gt; "$audit_rules_file"
        fi
done
}
</value>
    </Value>
    <Value id="function_package_command" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to to install or uninstall packages on RHEL and Fedora systems</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to install or uninstall packages on RHEL and Fedora systems.

Example Call(s):

  package_command install aide
  package_command remove telnet-server
</description>
      <value>
function package_command {

# Load function arguments into local variables
local package_operation=$1
local package=$2

# Check sanity of the input
if [ $# -ne "2" ]
then
  echo "Usage: package_command 'install/uninstall' 'rpm_package_name"
  echo "Aborting."
  exit 1
fi

# If dnf is installed, use dnf; otherwise, use yum
if [ -f "/usr/bin/dnf" ] ; then
  install_util="/usr/bin/dnf"
else
  install_util="/usr/bin/yum"
fi

if [ "$package_operation" != 'remove' ] ; then
  # If the rpm is not installed, install the rpm
  if ! /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
else
  # If the rpm is installed, uninstall the rpm
  if /bin/rpm -q --quiet $package; then
    $install_util -y $package_operation $package
  fi
fi

}
</value>
    </Value>
    <Value id="function_service_command" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to enable/disable and start/stop services on RHEL
and Fedora systems</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to enable/disable and start/stop services on RHEL and
Fedora systems.

Example Call(s):

  service_command enable bluetooth
  service_command disable bluetooth.service

  Using xinetd:
  service_command disable rsh.socket xinetd=rsh
</description>
      <value>
function service_command {

# Load function arguments into local variables
local service_state=$1
local service=$2
local xinetd=$(echo $3 | cut -d'=' -f2)

# Check sanity of the input
if [ $# -lt "2" ]
then
  echo "Usage: service_command 'enable/disable' 'service_name.service'"
  echo
  echo "To enable or disable xinetd services add \'xinetd=service_name\'"
  echo "as the last argument"
  echo "Aborting."
  exit 1
fi

# If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands
if [ -f "/usr/bin/systemctl" ] ; then
  service_util="/usr/bin/systemctl"
else
  service_util="/sbin/service"
  chkconfig_util="/sbin/chkconfig"
fi

# If disable is not specified in arg1, set variables to enable services.
# Otherwise, variables are to be set to disable services.
if [ "$service_state" != 'disable' ] ; then
  service_state="enable"
  service_operation="start"
  chkconfig_state="on"
else
  service_state="disable"
  service_operation="stop"
  chkconfig_state="off"
fi

# If chkconfig_util is not empty, use chkconfig/service commands.
if ! [ "x$chkconfig_util" = x ] ; then
  $service_util $service $service_operation
  $chkconfig_util --level 0123456 $service $chkconfig_state
else
  $service_util $service_operation $service
  $service_util $service_state $service
fi

# Test if local variable xinetd is empty using non-bashism.
# If empty, then xinetd is not being used.
if ! [ "x$xinetd" = x ] ; then
  grep -qi disable /etc/xinetd.d/$xinetd &amp;&amp; \

  if ! [ "$service_operation" != 'disable' ] ; then
    sed -i "s/disable.*/disable         = no/gI" /etc/xinetd.d/$xinetd
  else
    sed -i "s/disable.*/disable         = yes/gI" /etc/xinetd.d/$xinetd
  fi
fi

}
</value>
    </Value>
    <Value id="function_perform_audit_rules_privileged_commands_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to perform remediation for 'audit_rules_privileged_commands' rule</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to perform remediation for 'audit_rules_privileged_commands' rule

Expects two arguments:

  audit_tool            tool used to load audit rules
                        One of 'auditctl' or 'augenrules'

  min_auid              Minimum original ID the user logged in with
                        '500' for RHEL-6 and before, '1000' for RHEL-7 and after.

Example Call(s):

  perform_audit_rules_privileged_commands_remediation "auditctl" "500"
  perform_audit_rules_privileged_commands_remediation "augenrules" "1000"
</description>
      <value>
function perform_audit_rules_privileged_commands_remediation {
#
# Load function arguments into local variables
local tool="$1"
local min_auid="$2"

# Check sanity of the input
if [ $# -ne "2" ]
then
        echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'"
        echo "Aborting."
        exit 1
fi

declare -a files_to_inspect=()

# Check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] &amp;&amp; [ "$tool" != 'augenrules' ]
then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
# If the audit tool is 'auditctl', then:
# * add '/etc/audit/audit.rules'to the list of files to be inspected,
# * specify '/etc/audit/audit.rules' as the output audit file, where
#   missing rules should be inserted
elif [ "$tool" == 'auditctl' ]
then
        files_to_inspect=("/etc/audit/audit.rules")
        output_audit_file="/etc/audit/audit.rules"
#
# If the audit tool is 'augenrules', then:
# * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected
#   (split by newline),
# * specify /etc/audit/rules.d/privileged.rules' as the output file, where
#   missing rules should be inserted
elif [ "$tool" == 'augenrules' ]
then
        IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name *.rules -print))
        output_audit_file="/etc/audit/rules.d/privileged.rules"
fi

# Obtain the list of SUID/SGID binaries on the particular system (split by newline)
# into privileged_binaries array
IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2&gt;/dev/null))

# Keep list of SUID/SGID binaries that have been already handled within some previous iteration
declare -a sbinaries_to_skip=()

# For each found sbinary in privileged_binaries list
for sbinary in "${privileged_binaries[@]}"
do

        # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below
        sbinary_esc=${sbinary//$'/'/$'\/'}
        # Check if this sbinary wasn't already handled in some of the previous iterations
        # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!)
        if [[ $(sed -ne "/${sbinary_esc}$/p" &lt;&lt;&lt; ${sbinaries_to_skip[@]}) ]]
        then
                # If so, don't process it second time &amp; go to process next sbinary
                continue
        fi

        # Reset the counter of inspected files when starting to check
        # presence of existing audit rule for new sbinary
        local count_of_inspected_files=0

        # For each audit rules file from the list of files to be inspected
        for afile in "${files_to_inspect[@]}"
        do

                # Search current audit rules file's content for match. Match criteria:
                # * existing rule is for the same SUID/SGID binary we are currently processing (but
                #   can contain multiple -F path= elements covering multiple SUID/SGID binaries)
                # * existing rule contains all arguments from expected rule form (though can contain
                #   them in arbitrary order)

                base_search=$(sed -e "/-a always,exit/!d" -e "/-F path=${sbinary_esc}$/!d"   \
                                  -e "/-F path=[^[:space:]]\+/!d" -e "/-F perm=.*/!d"       \
                                  -e "/-F auid&gt;=${min_auid}/!d" -e "/-F auid!=4294967295/!d"  \
                                  -e "/-k privileged/!d" $afile)

                # Increase the count of inspected files for this sbinary
                count_of_inspected_files=$((count_of_inspected_files + 1))

                # Define expected rule form for this binary
                expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid&gt;=${min_auid} -F auid!=4294967295 -k privileged"

                # Require execute access type to be set for existing audit rule
                exec_access='x'

                # Search current audit rules file's content for presence of rule pattern for this sbinary
                if [[ $base_search ]]
                then

                        # Current audit rules file already contains rule for this binary =&gt;
                        # Store the exact form of found rule for this binary for further processing
                        concrete_rule=$base_search

                        # Select all other SUID/SGID binaries possibly also present in the found rule
                        IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" &lt;&lt;&lt; $concrete_rule))
                        IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/})

                        # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
                        sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo $i; done | sort -du))

                        # Separate concrete_rule into three sections using hash '#'
                        # sign as a delimiter around rule's permission section borders
                        concrete_rule=$(echo $concrete_rule | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")

                        # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
                        IFS=$'#' read rule_head rule_perm rule_tail &lt;&lt;&lt;  "$concrete_rule"

                        # Extract already present exact access type [r|w|x|a] from rule's permission section
                        access_type=${rule_perm//-F perm=/}

                        # Verify current permission access type(s) for rule contain 'x' (execute) permission
                        if ! grep -q "$exec_access" &lt;&lt;&lt; "$access_type"
                        then

                                # If not, append the 'x' (execute) permission to the existing access type bits
                                access_type="$access_type$exec_access"
                                # Reconstruct the permissions section for the rule
                                new_rule_perm="-F perm=$access_type"
                                # Update existing rule in current audit rules file with the new permission section
                                sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" $afile

                        fi

                # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
                #
                # * in the "auditctl" mode of operation insert particular rule each time
                #   (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule),
                #
                # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already
                #   searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined
                #   in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file)
                #
                elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" &amp;&amp; $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]]
                then

                        # Current audit rules file's content doesn't contain expected rule for this
                        # SUID/SGID binary yet =&gt; append it
                        echo $expected_rule &gt;&gt; $output_audit_file
                fi

        done

done

}
</value>
    </Value>
    <Value id="function_populate" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to populate environment variables needed for unit testing</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The populate function isn't directly used by SSG at the moment but it can
ba used for testing purposes (to verify proper work of the remediation script directly
from the shell).</description>
      <value>
function populate {
# Code to populate environment variables needed (for unit testing)
if [ -z "${!1}" ]; then
	echo "$1 is not defined. Exiting."
	exit
fi
}
</value>
    </Value>
    <Value id="function_rhel6_perform_audit_adjtimex_settimeofday_stime_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function for the 'adjtimex', 'settimeofday', and 'stime'
audit system calls on Red Hat Enterprise Linux 6</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on Red Hat Enterprise Linux 6 OS</description>
      <value>
function fix_audit_syscall_rule {

# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"

# Check sanity of the input
if [ $# -ne "5" ]
then
        echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
        echo "Aborting."
        exit 1
fi

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
# 
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect

# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] &amp;&amp; [ "$tool" != 'augenrules' ]
then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
        # Extract audit $key from audit rule so we can use it later
        key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)')
        # Check if particular audit rule is already defined
        IFS=$'\n' matches=($(sed -s -n -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules))
        # Reset IFS back to default
        unset $IFS
        for match in "${matches[@]}"
        do
                files_to_inspect=("${files_to_inspect[@]}" "${match}")
        done
        # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
                files_to_inspect="/etc/audit/rules.d/$key.rules"
                if [ ! -e "$files_to_inspect" ]
                then
                        touch "$files_to_inspect"
                        chmod 0640 "$files_to_inspect"
                fi
        fi
fi

#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0

for audit_file in "${files_to_inspect[@]}"
do

        # Filter existing $audit_file rules' definitions to select those that:
        # * follow the rule pattern, and
        # * meet the hardware architecture requirement, and
        # * are current syscall group specific
        IFS=$'\n' existing_rules=($(sed -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d"  "$audit_file"))
        # Reset IFS back to default
        unset $IFS

        # Process rules found case-by-case
        for rule in "${existing_rules[@]}"
        do
                # Found rule is for same arch &amp; key, but differs (e.g. in count of -S arguments)
                if [ "${rule}" != "${full_rule}" ]
                then
                        # If so, isolate just '(-S \w)+' substring of that rule
                        rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+')
                        # Check if list of '-S syscall' arguments of that rule is subset
                        # of '-S syscall' list of expected $full_rule
                        if grep -q -- "$rule_syscalls" &lt;&lt;&lt; "$full_rule"
                        then
                                # Rule is covered (i.e. the list of -S syscalls for this rule is
                                # subset of -S syscalls of $full_rule =&gt; existing rule can be deleted
                                # Thus delete the rule from audit.rules &amp; our array
                                sed -i -e "/$rule/d" "$audit_file"
                                existing_rules=("${existing_rules[@]//$rule/}")
                        else
                                # Rule isn't covered by $full_rule - it besides -S syscall arguments
                                # for this group contains also -S syscall arguments for other syscall
                                # group. Example: '-S lchown -S fchmod -S fchownat' =&gt; group='chown'
                                # since 'lchown' &amp; 'fchownat' share 'chown' substring
                                # Therefore:
                                # * 1) delete the original rule from audit.rules
                                # (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
                                # * 2) delete the -S syscall arguments for this syscall group, but
                                # keep those not belonging to this syscall group
                                # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
                                # * 3) append the modified (filtered) rule again into audit.rules
                                # if the same rule not already present
                                #
                                # 1) Delete the original rule
                                sed -i -e "/$rule/d" "$audit_file"
                                # 2) Delete syscalls for this group, but keep those from other groups
                                # Convert current rule syscall's string into array splitting by '-S' delimiter
                                IFS=$'-S' read -a rule_syscalls_as_array &lt;&lt;&lt; "$rule_syscalls"
                                # Reset IFS back to default
                                unset $IFS
                                # Declare new empty string to hold '-S syscall' arguments from other groups
                                new_syscalls_for_rule=''
                                # Walk through existing '-S syscall' arguments
                                for syscall_arg in "${rule_syscalls_as_array[@]}"
                                do
                                        # Skip empty $syscall_arg values
                                        if [ "$syscall_arg" == '' ]
                                        then
                                                continue
                                        fi
                                        # If the '-S syscall' doesn't belong to current group add it to the new list
                                        # (together with adding '-S' delimiter back for each of such item found)
                                        if grep -q -v -- "$group" &lt;&lt;&lt; "$syscall_arg"
                                        then
                                                new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
                                        fi
                                done
                                # Replace original '-S syscall' list with the new one for this rule
                                updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
                                # Squeeze repeated whitespace characters in rule definition (if any) into one
                                updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
                                # 3) Append the modified / filtered rule again into audit.rules
                                #    (but only in case it's not present yet to prevent duplicate definitions)
                                if ! grep -q -- "$updated_rule" "$audit_file"
                                then
                                        echo "$updated_rule" &gt;&gt; "$audit_file"
                                fi
                        fi
                else
                        # $audit_file already contains the expected rule form for this
                        # architecture &amp; key =&gt; don't insert it second time
                        append_expected_rule=1
                fi
        done

        # We deleted all rules that were subset of the expected one for this arch &amp; key.
        # Also isolated rules containing system calls not from this system calls group.
        # Now append the expected rule if it's not present in $audit_file yet
        if [[ ${append_expected_rule} -eq "0" ]]
        then
                echo "$full_rule" &gt;&gt; "$audit_file"
        fi
done

}

function rhel6_perform_audit_adjtimex_settimeofday_stime_remediation {

# Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on Red Hat Enterprise Linux 6 OS
#
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do
        PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
        # Create expected audit group and audit rule form for particular system call &amp; architecture
        if [ ${ARCH} = "b32" ]
        then
                # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
                # so append it to the list of time group system calls to be audited
                GROUP="\(adjtimex\|settimeofday\|stime\)"
                FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
        elif [ ${ARCH} = "b64" ]
        then
                # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
                # therefore don't add it to the list of time group system calls to be audited
                GROUP="\(adjtimex\|settimeofday\)"
                FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
        fi
        # Perform the remediation itself
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

}
</value>
    </Value>
    <Value id="function_rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function for the 'adjtimex', 'settimeofday', and 'stime'
audit system calls on Red Hat Enterprise Linux 7 or Fedora</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Perform the remediation for the 'adjtimex', 'settimeofday', and
'stime' audit system calls on Red Hat Enterprise Linux 7 or Fedora OSes</description>
      <value>
function fix_audit_syscall_rule {

# Load function arguments into local variables
local tool="$1"
local pattern="$2"
local group="$3"
local arch="$4"
local full_rule="$5"

# Check sanity of the input
if [ $# -ne "5" ]
then
        echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'"
        echo "Aborting."
        exit 1
fi

# Create a list of audit *.rules files that should be inspected for presence and correctness
# of a particular audit rule. The scheme is as follows:
# 
# -----------------------------------------------------------------------------------------
#  Tool used to load audit rules | Rule already defined  |  Audit rules file to inspect    |
# -----------------------------------------------------------------------------------------
#        auditctl                |     Doesn't matter    |  /etc/audit/audit.rules         |
# -----------------------------------------------------------------------------------------
#        augenrules              |          Yes          |  /etc/audit/rules.d/*.rules     |
#        augenrules              |          No           |  /etc/audit/rules.d/$key.rules  |
# -----------------------------------------------------------------------------------------
#
declare -a files_to_inspect

# First check sanity of the specified audit tool
if [ "$tool" != 'auditctl' ] &amp;&amp; [ "$tool" != 'augenrules' ]
then
        echo "Unknown audit rules loading tool: $1. Aborting."
        echo "Use either 'auditctl' or 'augenrules'!"
        exit 1
# If audit tool is 'auditctl', then add '/etc/audit/audit.rules'
# file to the list of files to be inspected
elif [ "$tool" == 'auditctl' ]
then
        files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' )
# If audit tool is 'augenrules', then check if the audit rule is defined
# If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection
# If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection
elif [ "$tool" == 'augenrules' ]
then
        # Extract audit $key from audit rule so we can use it later
        key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)')
        # Check if particular audit rule is already defined
        IFS=$'\n' matches=($(sed -s -n -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules))
        # Reset IFS back to default
        unset $IFS
        for match in "${matches[@]}"
        do
                files_to_inspect=("${files_to_inspect[@]}" "${match}")
        done
        # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet
        if [ ${#files_to_inspect[@]} -eq "0" ]
        then
                files_to_inspect="/etc/audit/rules.d/$key.rules"
                if [ ! -e "$files_to_inspect" ]
                then
                        touch "$files_to_inspect"
                        chmod 0640 "$files_to_inspect"
                fi
        fi
fi

#
# Indicator that we want to append $full_rule into $audit_file by default
local append_expected_rule=0

for audit_file in "${files_to_inspect[@]}"
do

        # Filter existing $audit_file rules' definitions to select those that:
        # * follow the rule pattern, and
        # * meet the hardware architecture requirement, and
        # * are current syscall group specific
        IFS=$'\n' existing_rules=($(sed -e "/${pattern}/!d" -e "/${arch}/!d" -e "/${group}/!d"  "$audit_file"))
        # Reset IFS back to default
        unset $IFS

        # Process rules found case-by-case
        for rule in "${existing_rules[@]}"
        do
                # Found rule is for same arch &amp; key, but differs (e.g. in count of -S arguments)
                if [ "${rule}" != "${full_rule}" ]
                then
                        # If so, isolate just '(-S \w)+' substring of that rule
                        rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+')
                        # Check if list of '-S syscall' arguments of that rule is subset
                        # of '-S syscall' list of expected $full_rule
                        if grep -q -- "$rule_syscalls" &lt;&lt;&lt; "$full_rule"
                        then
                                # Rule is covered (i.e. the list of -S syscalls for this rule is
                                # subset of -S syscalls of $full_rule =&gt; existing rule can be deleted
                                # Thus delete the rule from audit.rules &amp; our array
                                sed -i -e "/$rule/d" "$audit_file"
                                existing_rules=("${existing_rules[@]//$rule/}")
                        else
                                # Rule isn't covered by $full_rule - it besides -S syscall arguments
                                # for this group contains also -S syscall arguments for other syscall
                                # group. Example: '-S lchown -S fchmod -S fchownat' =&gt; group='chown'
                                # since 'lchown' &amp; 'fchownat' share 'chown' substring
                                # Therefore:
                                # * 1) delete the original rule from audit.rules
                                # (original '-S lchown -S fchmod -S fchownat' rule would be deleted)
                                # * 2) delete the -S syscall arguments for this syscall group, but
                                # keep those not belonging to this syscall group
                                # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod'
                                # * 3) append the modified (filtered) rule again into audit.rules
                                # if the same rule not already present
                                #
                                # 1) Delete the original rule
                                sed -i -e "/$rule/d" "$audit_file"
                                # 2) Delete syscalls for this group, but keep those from other groups
                                # Convert current rule syscall's string into array splitting by '-S' delimiter
                                IFS=$'-S' read -a rule_syscalls_as_array &lt;&lt;&lt; "$rule_syscalls"
                                # Reset IFS back to default
                                unset $IFS
                                # Declare new empty string to hold '-S syscall' arguments from other groups
                                new_syscalls_for_rule=''
                                # Walk through existing '-S syscall' arguments
                                for syscall_arg in "${rule_syscalls_as_array[@]}"
                                do
                                        # Skip empty $syscall_arg values
                                        if [ "$syscall_arg" == '' ]
                                        then
                                                continue
                                        fi
                                        # If the '-S syscall' doesn't belong to current group add it to the new list
                                        # (together with adding '-S' delimiter back for each of such item found)
                                        if grep -q -v -- "$group" &lt;&lt;&lt; "$syscall_arg"
                                        then
                                                new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg"
                                        fi
                                done
                                # Replace original '-S syscall' list with the new one for this rule
                                updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule}
                                # Squeeze repeated whitespace characters in rule definition (if any) into one
                                updated_rule=$(echo "$updated_rule" | tr -s '[:space:]')
                                # 3) Append the modified / filtered rule again into audit.rules
                                #    (but only in case it's not present yet to prevent duplicate definitions)
                                if ! grep -q -- "$updated_rule" "$audit_file"
                                then
                                        echo "$updated_rule" &gt;&gt; "$audit_file"
                                fi
                        fi
                else
                        # $audit_file already contains the expected rule form for this
                        # architecture &amp; key =&gt; don't insert it second time
                        append_expected_rule=1
                fi
        done

        # We deleted all rules that were subset of the expected one for this arch &amp; key.
        # Also isolated rules containing system calls not from this system calls group.
        # Now append the expected rule if it's not present in $audit_file yet
        if [[ ${append_expected_rule} -eq "0" ]]
        then
                echo "$full_rule" &gt;&gt; "$audit_file"
        fi
done

}

function rhel7_fedora_perform_audit_adjtimex_settimeofday_stime_remediation {

# Perform the remediation for the 'adjtimex', 'settimeofday', and 'stime' audit
# system calls on Red Hat Enterprise Linux 7 or Fedora OSes
#
# Retrieve hardware architecture of the underlying system
[ $(getconf LONG_BIT) = "32" ] &amp;&amp; RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64")

for ARCH in "${RULE_ARCHS[@]}"
do

        PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *"
        # Create expected audit group and audit rule form for particular system call &amp; architecture
        if [ ${ARCH} = "b32" ]
        then
                # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output)
                # so append it to the list of time group system calls to be audited
                GROUP="\(adjtimex\|settimeofday\|stime\)"
                FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules"
        elif [ ${ARCH} = "b64" ]
        then
                # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output)
                # therefore don't add it to the list of time group system calls to be audited
                GROUP="\(adjtimex\|settimeofday\)"
                FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules"
        fi
        # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
        fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
        fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE"
done

}
</value>
    </Value>
    <Value id="function_replace_or_append" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to replace configuration setting in config file or
add the configuration setting if it does not exist yet</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to replace configuration setting in config file or add
the configuration setting if it does not exist.

Expects four arguments:

  config_file:		Configuration file that will be modified
  key:			Configuration option to change
  value:		Value of the configuration option to change
  cce:			The CCE identifier or '$CCENUM' if no CCE identifier exists

Optional arguments:

  format:		Optional argument to specify the format of how key/value should be
			modified/appended in the configuration file. The default is key = value.

Example Call(s):

  With default format of 'key = value':
  replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '$CCENUM'

  With custom key/value format:
  replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '$CCENUM' '%s=%s'

  With a variable:
  replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '$CCENUM' '%s=%s'
</description>
      <value>
function replace_or_append {
  local config_file=$1
  local key=$2
  local value=$3
  local cce=$4
  local format=$5

  # Check sanity of the input
  if [ $# -lt "3" ]
  then
        echo "Usage: replace_or_append 'config_file_location' 'key_to_search' 'new_value'"
        echo
        echo "If symlinks need to be taken into account, add yes/no to the last argument"
        echo "to allow to 'follow_symlinks'."
        echo "Aborting."
        exit 1
  fi

  # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
  # Otherwise, regular sed command will do.
  if test -L $config_file; then
    sed_command="sed -i --follow-symlinks"
  else
    sed_command="sed -i"
  fi

  # Test that the cce arg is not empty or does not equal $CCENUM.
  # If $CCENUM exists, it means that there is no CCE assigned.
  if ! [ "x$cce" = x ] &amp;&amp; [ "$cce" != '$CCENUM' ]; then
    cce="CCE-${cce}"
  else
    cce="CCE"
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed "s/[\^=\$,;+]*//g" &lt;&lt;&lt; $key)

  # If there is no print format specified in the last arg, use the default format.
  if ! [ "x$format" = x ] ; then
    printf -v formatted_output "$format" $stripped_key $value
  else
    formatted_output="$stripped_key = $value"
  fi

  # If the key exists, change it. Otherwise, add it to the config_file.
  if `grep -qi $key $config_file` ; then
    $sed_command "s/$key.*/$formatted_output/g" $config_file
  else
    echo -ne "\n# Per $cce: Set $formatted_output in $config_file" &gt;&gt; $config_file
    echo -ne "\n$formatted_output" &gt;&gt; $config_file
  fi

}
</value>
    </Value>
    <Value id="function_firefox_js_setting" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to replace configuration setting(s) in the Firefox
preferences JavaScript file or add the preference if it does not exist yet</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to replace configuration setting(s) in the Firefox
preferences JavaScript file or add the preference if it does not exist.

Expects three arguments:

  config_file:          Configuration file that will be modified
  key:                  Configuration option to change
  value:                Value of the configuration option to change


Example Call(s):

  Without string or variable:
  firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0"

  With string:
  firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\""

  With a string variable:
  firefox_js_setting "stig_settings.js" "general.config.filename" "\"$var_config_file_name\""
</description>
      <value>
function firefox_js_setting {
  local firefox_js=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"
  local firefox_pref="/defaults/pref"
  local firefox_preferences="/defaults/preferences"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Different versions of Firefox have different preferences directories, check for them and set the right one
      if [ -d "${firefox_dir}/${firefox_pref}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_pref}"
      elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      else
        mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}"
        local firefox_pref_dir="${firefox_dir}/${firefox_preferences}"
      fi

      # Make sure the Firefox .js file exists and has the appropriate permissions
      if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then
        touch "${firefox_pref_dir}/${firefox_js}"
        chmod 644 "${firefox_pref_dir}/${firefox_js}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"` ; then
        sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}"
      else
        echo "pref(\"${key}\", ${value});" &gt;&gt; "${firefox_pref_dir}/${firefox_js}"
      fi
    fi
  done

}
</value>
    </Value>
    <Value id="function_firefox_cfg_setting" hidden="true" prohibitChanges="true" operator="equals" type="string">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function to replace configuration setting(s) in the Firefox
preferences configuration (.cfg) file or add the preference if it does not exist yet</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Function to replace configuration setting(s) in the Firefox
preferences configuration (.cfg) file or add the preference if it does not exist.

Expects three arguments:

  config_file:          Configuration file that will be modified
  key:                  Configuration option to change
  value:                Value of the configuration option to change


Example Call(s):

  Without string or variable:
  firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false"

  With string:
  firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\""

  With a string variable:
  firefox_cfg_setting "stig.cfg" "browser.startup.homepage\" "\"${var_default_home_page}\""
</description>
      <value>
function firefox_cfg_setting {
  local firefox_cfg=$1
  local key=$2
  local value=$3
  local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox"

  # Check sanity of input
  if [ $# -lt "3" ]
  then
        echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'"
        echo
        echo "Aborting."
        exit 1
  fi

  # Check the possible Firefox install directories
  for firefox_dir in ${firefox_dirs}; do
    # If the Firefox directory exists, then Firefox is installed
    if [ -d "${firefox_dir}" ]; then
      # Make sure the Firefox .cfg file exists and has the appropriate permissions
      if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then
        touch "${firefox_dir}/${firefox_cfg}"
        chmod 644 "${firefox_dir}/${firefox_cfg}"
      fi

      # If the key exists, change it. Otherwise, add it to the config_file.
      if `grep -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"` ; then
        sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}"
      else
        echo "lockPref(\"${key}\", ${value});" &gt;&gt; "${firefox_dir}/${firefox_cfg}"
      fi
    fi
  done
}
</value>
    </Value>
  </Group>
  <Group id="intro">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Introduction</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The purpose of this guidance is to provide security configuration
recommendations and baselines for the Red Hat Enterprise Linux 5 operating
system. Recommended settings for the basic operating system are provided,
as well as for many network services that the system can provide to other systems.
The guide is intended for system administrators. Readers are assumed to
possess basic system administration skills for Unix-like systems, as well
as some familiarity with the product's documentation and administration
conventions. Some instructions within this guide are complex.
All directions should be followed completely and with understanding of
their effects in order to avoid serious adverse effects on the system
and its security.
</description>
    <Group id="general-principles">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">General Principles</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The following general principles motivate much of the advice in this
guide and should also influence any configuration decisions that are
not explicitly covered.
</description>
      <Group id="principle-encrypt-transmitted-data">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Data transmitted over a network, whether wired or wireless, is susceptible
to passive monitoring. Whenever practical solutions for encrypting
such data exist, they should be applied. Even if data is expected to
be transmitted only over a local network, it should still be encrypted.
Encrypting authentication data, such as passwords, is particularly
important. Networks of Red Hat Enterprise Linux 5 machines can and should be configured
so that no unencrypted authentication data is ever transmitted between
machines.
</description>
      </Group>
      <Group id="principle-minimize-software">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The simplest way to avoid vulnerabilities in software is to avoid
installing that software. On Red Hat Enterprise Linux 5,
the RPM Package Manager (originally Red Hat
Package Manager, abbreviated RPM)
allows for careful management of
the set of software packages installed on a system. Installed software
contributes to system vulnerability in several ways. Packages that
include setuid programs may provide local attackers a potential path to
privilege escalation. Packages that include network services may give
this opportunity to network-based attackers. Packages that include
programs which are predictably executed by local users (e.g. after
graphical login) may provide opportunities for trojan horses or other
attack code to be run undetected. The number of software packages
installed on a system can almost always be significantly pruned to include
only the software for which there is an environmental or operational need.
</description>
      </Group>
      <Group id="principle-separate-servers">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run Different Network Services on Separate Systems</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Whenever possible, a server should be dedicated to serving exactly one
network service. This limits the number of other services that can
be compromised in the event that an attacker is able to successfully
exploit a software flaw in one network service.
</description>
      </Group>
      <Group id="principle-use-security-tools">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Several tools exist which can be effectively used to improve a system's
resistance to and detection of unknown attacks. These tools can improve
robustness against attack at the cost of relatively little configuration
effort. In particular, this guide recommends and discusses the use of
host-based firewalling, SELinux for protection against
vulnerable services, and a logging and auditing infrastructure for
detection of problems.
</description>
      </Group>
      <Group id="principle-least-privilege">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Least Privilege</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Grant the least privilege necessary for user accounts and software to perform tasks.
For example, <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> can be implemented to limit authorization to super user
accounts on the system only to designated personnel. Another example is to limit
logins on server systems to only those administrators who need to log into them in
order to perform administration tasks. Using SELinux also follows the principle of
least privilege: SELinux policy can confine software to perform only actions on the
system that are specifically allowed. This can be far more restrictive than the
actions permissible by the traditional Unix permissions model.
</description>
      </Group>
    </Group>
    <Group id="how-to-use">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">How to Use This Guide</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Readers should heed the following points when using the guide.
</description>
      <Group id="intro-read-sections-completely">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Read Sections Completely and in Order</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Each section may build on information and recommendations discussed in
prior sections. Each section should be read and understood completely;
instructions should never be blindly applied. Relevant discussion may
occur after instructions for an action. 
</description>
      </Group>
      <Group id="intro-test-non-production">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Test in Non-Production Environment</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
This guidance should always be tested in a non-production environment
before deployment. This test environment should simulate the setup in
which the system will be deployed as closely as possible.
</description>
      </Group>
      <Group id="intro-root-shell-assumed">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Root Shell Environment Assumed</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Most of the actions listed in this document are written with the
assumption that they will be executed by the root user running the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/bash</html:code> shell. Commands preceded with a hash mark (#)
assume that the administrator will execute the commands as root, i.e.
apply the command via <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> whenever possible, or use
<html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code> to gain root privileges if <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> cannot be
used. Commands which can be executed as a non-root user are are preceded
by a dollar sign ($) prompt.
</description>
      </Group>
      <Group id="intro-formatting-conventions">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Formatting Conventions</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Commands intended for shell execution, as well as configuration file text,
are featured in a <html:code xmlns:html="http://www.w3.org/1999/xhtml">monospace font</html:code>. <html:i xmlns:html="http://www.w3.org/1999/xhtml">Italics</html:i> are used
to indicate instances where the system administrator must substitute
the appropriate information into a command or configuration file.
</description>
      </Group>
      <Group id="intro-reboot-required">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Reboot Required</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A system reboot is implicitly required after some actions in order to
complete the reconfiguration of the system. In many cases, the changes
will not take effect until a reboot is performed. In order to ensure
that changes are applied properly and to test functionality, always
reboot the system after applying a set of recommendations from this guide.
</description>
      </Group>
    </Group>
  </Group>
  <Group id="system">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System Settings</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Contains rules that check correct system settings.</description>
    <Group id="software">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Installing and Maintaining Software</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following sections contain information on
security-relevant choices during the initial operating system
installation process and the setup of software
updates.</description>
      <Group id="disk_partitioning">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disk Partitioning</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure separation and protection of data, there
are top-level system directories which should be placed on their
own physical partition or logical volume. The installer's default
partitioning scheme creates separate logical volumes for 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">/boot</html:code>, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">swap</html:code>.
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>If starting with any of the default layouts, check the box to
"Review and modify partitioning." This allows for the easy creation
of additional logical volumes inside the volume group already
created, though it may require making <html:code>/</html:code>'s logical volume smaller to
create space. In general, using logical volumes is preferable to
using partitions because they can be more easily adjusted
later.</html:li><html:li>If creating a custom layout, create the partitions mentioned in
the previous paragraph (which the installer will require anyway),
as well as separate ones described in the following sections.</html:li></html:ul>
If a system has already been installed, and the default
partitioning scheme was used, it is possible but nontrivial to
modify it to create separate logical volumes for the directories
listed above. The Logical Volume Manager (LVM) makes this possible.
See the LVM HOWTO at <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://tldp.org/HOWTO/LVM-HOWTO/">http://tldp.org/HOWTO/LVM-HOWTO/</html:a> for more
detailed information on LVM.</description>
        <Rule id="partition_for_tmp" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure /tmp Located On Separate Partition</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/tmp</html:code> directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1208</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/tmp</html:code> partition is used as temporary storage by many programs.
Placing <html:code xmlns:html="http://www.w3.org/1999/xhtml">/tmp</html:code> in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003624</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-partition_for_tmp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="partition_for_var" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure /var Located On Separate Partition</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var</html:code> directory is used by daemons and other system
services to store frequently-changing data. Ensure that <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var</html:code> has its own partition
or logical volume at installation time, or migrate it using LVM.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1208</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensuring that <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var</html:code> is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var</html:code> directory to contain
world-writable directories, installed by other software packages.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003621</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-partition_for_var:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-partition_for_var_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="partition_for_var_log_audit" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure /var/log/audit Located On Separate Partition</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Audit logs are stored in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit</html:code> directory.  Ensure that it
has its own partition or logical volume at installation time, or migrate it
later using LVM. Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1208</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Placing <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit</html:code> in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003623</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-partition_for_var_log_audit:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="partition_for_home" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure /home Located On Separate Partition</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If user home directories will be stored locally, create a separate partition
for <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home</html:code> at installation time (or migrate it later using LVM). If
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/home</html:code> will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1208</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensuring that <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home</html:code> is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003620</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-partition_for_home:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-partition_for_home_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="updating">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Updating Software</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">yum</html:code> command line tool is used to install and
update software packages. The system also provides a graphical
software update tool in the <html:b xmlns:html="http://www.w3.org/1999/xhtml">System</html:b> menu, in the <html:b xmlns:html="http://www.w3.org/1999/xhtml">Administration</html:b> submenu,
called <html:b xmlns:html="http://www.w3.org/1999/xhtml">Software Update</html:b>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Red Hat Enterprise Linux systems contain an installed software catalog called
the RPM database, which records metadata of installed packages. Consistently using
<html:code xmlns:html="http://www.w3.org/1999/xhtml">yum</html:code> or the graphical <html:b xmlns:html="http://www.w3.org/1999/xhtml">Software Update</html:b> for all software installation
allows for insight into the current inventory of installed software on the system.
</description>
        <Rule id="ensure_gpgcheck_never_disabled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure gpgcheck Enabled For All Yum Package Repositories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure signature checking is not disabled for
any repos, remove any lines from files in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</html:code> of the form:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">gpgcheck=0</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">351</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensuring all packages' cryptographic signatures are valid prior to
installation ensures the authenticity of the software and
protects against malicious tampering.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ensure_gpgcheck_never_disabled" complexity="low" disruption="low" reboot="false" strategy="disable">grep -R gpgcheck /etc/yum.repos.d/* /etc/yum.conf /root/rpmrc /usr/lib/rpm/redhat/rpmrc /usr/lib/rpm/rpmrc /etc/rpmrc 2&gt;/dev/null | grep -v 'gpgcheck=1' | cut -d: -f1 | sort -u | while read YUM_FILE; do
	sed -i 's/gpgcheck=.*/gpgcheck=1/g' ${YUM_FILE}
done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ensure_gpgcheck_never_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ensure_gpgcheck_never_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="security_patches_up_to_date" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Software Patches Installed</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># yum update</html:pre>
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded from the Red Hat Network and installed using <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpm</html:code>.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">VIVM-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1227</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000120</ident>
          <fix system="urn:xccdf:fix:script:sh" id="security_patches_up_to_date" complexity="low" disruption="low" reboot="false" strategy="disable">yum -y update
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref href="http://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_5.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-security_patches_up_to_date_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="integrity">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Software Integrity Checking</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Both the AIDE (Advanced Intrusion Detection Environment)
software and the RPM package management system provide
mechanisms for verifying the integrity of installed software.
AIDE uses snapshots of file metadata (such as hashes) and compares these
to current system files in order to detect changes.
The RPM package management system can conduct integrity
checks by comparing information in its metadata database with
files installed on the system.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Integrity checking cannot <html:i xmlns:html="http://www.w3.org/1999/xhtml">prevent</html:i> intrusions,
but can detect that they have occurred. Requirements
for software integrity checking may be highly dependent on
the environment in which the system will be used. Snapshot-based
approaches such as AIDE may induce considerable overhead
in the presence of frequent software updates.
</description>
        <Group id="aide">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Integrity with AIDE</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">AIDE conducts integrity checks by comparing information about
files with previously-gathered information. Ideally, the AIDE database is
created immediately after initial system configuration, and then again after any
software update.  AIDE is highly configurable, with further configuration
information located in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/share/doc/aide-<html:i>VERSION</html:i></html:code>.
</description>
          <Rule id="aide_build_database" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Build and Test AIDE Database</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run the following command to generate a new database:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init</html:pre>
By default, the database will be written to the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/lib/aide/aide.db.new.gz</html:code>.
Storing the database, the configuration file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aide.conf</html:code>, and the binary
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/sbin/aide</html:code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</html:pre>
To initiate a manual check, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check</html:pre>
If this check produces any unexpected output, investigate.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSW-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">293</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000140-2</ident>
            <fix system="urn:xccdf:fix:script:sh" id="aide_build_database" complexity="low" disruption="low" reboot="false" strategy="disable">/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-aide_build_database:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="aide_periodic_cron_checking" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Periodic Execution of AIDE</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To implement a daily execution of AIDE at 4:05am using cron, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/crontab</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">05 4 * * * root /usr/sbin/aide --check</html:pre>
AIDE can be executed periodically through other means; this is merely one example.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSL-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1069</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000220</ident>
            <fix system="urn:xccdf:fix:script:sh" id="aide_periodic_cron_checking" complexity="low" disruption="low" reboot="false" strategy="disable">echo "/usr/sbin/aide --config=/etc/aide.conf --check" &gt; /etc/cron.weekly/aide
chmod 700 /etc/cron.weekly/aide
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-aide_periodic_cron_checking:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-aide_periodic_cron_checking_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="rpm_verification">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Integrity with RPM</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The RPM package management system includes the ability
to verify the integrity of installed packages by comparing the
installed files with information about the files taken from the
package metadata stored in the RPM database. Although an attacker
could corrupt the RPM database (analogous to attacking the AIDE
database as described above), this check can still reveal
modification of important files. To list which files on the system differ from what is expected by the RPM database:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rpm -qVa</html:pre>
See the man page for <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpm</html:code> to see a complete explanation of each column.
</description>
          <Rule id="rpm_verify_hashes" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify File Hashes with RPM</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. Run the following command to list which files on the system
have hashes that differ from what is expected by the RPM database:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^..5'</html:pre>
A "c" in the second column indicates that a file is a configuration file, which
may appropriately be expected to change.  If the file was not expected to
change, investigate the cause of the change using audit logs or other means.
The package can then be reinstalled to restore the file.
Run the following command to determine which package owns the file:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rpm -qf <html:i>FILENAME</html:i></html:pre>
The package can be reinstalled from a yum repository using the command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">yum reinstall <html:i>PACKAGENAME</html:i></html:pre>
Alternatively, the package can be reinstalled from trusted media using the command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">rpm -Uvh <html:i>PACKAGENAME</html:i></html:pre> 
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">698</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The hashes of important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006565</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-rpm_verify_hashes:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-rpm_verify_hashes_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="additional_security_software">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Additional Security Software</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Additional security software that is not provided or supported
by Red Hat can be installed to provide complementary or duplicative
security capabilities to those provided by the base platform.  Add-on
software may not be appropriate for some specialized systems.
</description>
          <Rule id="package_hids_installed" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install Intrusion Detection Software</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Red Hat platform includes a sophisticated auditing system 
and SELinux, which provide host-based intrusion detection capabilities.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECID-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1259</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Host-based intrusion detection tools provide a system-level defense when an
intruder gains access to a system or network.  
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006480</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-package_hids_installed:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-package_hids_installed_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="package_av_installed" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install Virus Scanning Software</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Install virus scanning software, which uses signatures to search for the
presence of viruses on the filesystem. 
The McAfee uvscan virus scanning tool is provided for DoD systems.
Ensure virus definition files are no older than 7 days, or their last release.

Configure the virus scanning software to perform scans dynamically on all
accessed files.  If this is not possible, configure the
system to scan all altered files on the system on a daily
basis. If the system processes inbound SMTP mail, configure the virus scanner
to scan all received mail.

</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECVP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1668</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems. 
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006640</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-package_av_installed:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-package_av_installed_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="baseline_device_files" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create a Baseline For Device Files</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A baseline of device files needs to be generated, and verified on at least a weekly basis.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSW-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If an unauthorized device is allowed to exist on the system, there is the possibility the 
system may perform unauthorized operations.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002260</ident>
            <fix system="urn:xccdf:fix:script:sh" id="baseline_device_files" complexity="low" disruption="low" reboot="false" strategy="configure"># Generate a device file baseline
find / -type b -o -type c 2&gt;/dev/null | sort  &gt; /var/log/device-file-list
chmod 640 /var/log/device-file-list
chown root:root /var/log/device-file-list

# Generate a weekly cron job to check the device file baseline and report differences
cat &gt; /etc/cron.weekly/baseline_checker.sh &lt;&lt;'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2&gt;/dev/null | sort &gt; /tmp/suid-file-list.tmp
find / -perm -2000 2&gt;/dev/null | sort &gt; /tmp/sgid-file-list.tmp
find / -type b -o -type c 2&gt;/dev/null | sort  &gt; /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp &gt; /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp &gt; /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp &gt; /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-baseline_device_files:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="baseline_sgid_files" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create a Baseline For SGID Files</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A baseline of sgid files needs to be generated, and verified on at least a weekly basis.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSL-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Files with the setgid bit set will allow anyone running these files to be temporarily 
assigned the group id of the file. While many system files depend on these attributes for 
proper operation, security problems can result if setgid is assigned to programs allowing 
reading and writing of files, or shell escapes.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002460</ident>
            <fix system="urn:xccdf:fix:script:sh" id="baseline_sgid_files" complexity="low" disruption="low" reboot="false" strategy="configure"># Generate a sgid file baseline
find / -perm -2000 -type f  2&gt;/dev/null | sort &gt; /var/log/sgid-file-list
chmod 640 /var/log/sgid-file-list
chown root:root /var/log/sgid-file-list

# Generate a weekly cron job to check the sgid file baseline and report differences
cat &gt; /etc/cron.weekly/baseline_checker.sh &lt;&lt;'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2&gt;/dev/null | sort &gt; /tmp/suid-file-list.tmp
find / -perm -2000 2&gt;/dev/null | sort &gt; /tmp/sgid-file-list.tmp
find / -type b -o -type c 2&gt;/dev/null | sort  &gt; /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp &gt; /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp &gt; /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp &gt; /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-baseline_sgid_files:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="baseline_suid_files" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create a Baseline For SUID Files</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A baseline of suid files needs to be generated, and verified on at least a weekly basis.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSL-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">318</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Files with the setuid bit set will allow anyone running these files to be temporarily 
assigned the UID of the file. While many system files depend on these attributes for 
proper operation, security problems can result if setuid is assigned to programs allowing 
reading and writing of files, or shell escapes.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002400</ident>
            <fix system="urn:xccdf:fix:script:sh" id="baseline_suid_files" complexity="low" disruption="low" reboot="false" strategy="configure"># Generate a suid file baseline
find / -perm -4000 -type f 2&gt;/dev/null | sort &gt; /var/log/suid-file-list
chmod 640 /var/log/suid-file-list
chown root:root /var/log/suid-file-list


# Generate a weekly cron job to check the suid file baseline and report differences
cat &gt; /etc/cron.weekly/baseline_checker.sh &lt;&lt;'STOP_HERE'
#!/bin/sh
echo "Baseline check started on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "Gathering current baseline." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
find / -perm -4000 2&gt;/dev/null | sort &gt; /tmp/suid-file-list.tmp
find / -perm -2000 2&gt;/dev/null | sort &gt; /tmp/sgid-file-list.tmp
find / -type b -o -type c 2&gt;/dev/null | sort  &gt; /tmp/device-file-list.tmp
echo "Comparing the current baseline with the last known good configuration." | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
diff /var/log/suid-file-list /tmp/suid-file-list.tmp &gt; /tmp/SUID_BASELINE.tmp
diff /var/log/sgid-file-list /tmp/sgid-file-list.tmp &gt; /tmp/SGID_BASELINE.tmp
diff /var/log/device-file-list /tmp/device-file-list.tmp &gt; /tmp/DEVICE_BASELINE.tmp
if [ -s /tmp/SUID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SUID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the suid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SUID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/SGID_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/SGID_BASELINE.tmp) != 0 ]; then
		echo "The following files were detected to have the sgid bit removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/SGID_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
if [ -s /tmp/DEVICE_BASELINE.tmp ]; then
   if [ $(grep -c "^&gt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have been added:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&gt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
	if [ $(grep -c "^&lt;" /tmp/DEVICE_BASELINE.tmp) != 0 ]; then
		echo "The following device files were detected to have removed:" | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
		grep "^&lt;" /tmp/DEVICE_BASELINE.tmp | awk '{ print $2 }' | tee -a /var/log/baseline.log
		echo -e \\n | tee -a /var/log/baseline.log
	fi
fi
rm -f /tmp/*BASELINE.tmp /tmp/*list.tmp
echo "Baseline check completed on $(date +"%m-%d-%Y") at $(date +"%H:%M:%S")" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
echo "####################################################################" | tee -a /var/log/baseline.log
echo -e \\n | tee -a /var/log/baseline.log
chmod 640 /var/log/baseline.log
chown root:root /var/log/baseline.log
STOP_HERE
chmod 700 /etc/cron.weekly/baseline_checker.sh
chown root:root /etc/cron.weekly/baseline_checker.sh
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-baseline_suid_files:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="permissions">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">File Permissions and Masks</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Traditional Unix security relies heavily on file and
directory permissions to prevent unauthorized users from reading or
modifying files to which they should not have access. 
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Several of the commands in this section search filesystems
for files or directories with certain characteristics, and are
intended to be run on every local partition on a given system.
When the variable <html:i xmlns:html="http://www.w3.org/1999/xhtml">PART</html:i> appears in one of the commands below,
it means that the command is intended to be run repeatedly, with the
name of each local partition substituted for <html:i xmlns:html="http://www.w3.org/1999/xhtml">PART</html:i> in turn.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The following command prints a list of all xfs partitions on the local
system, which is the default filesystem for Red Hat Enterprise Linux
7 installations:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ mount -t xfs | awk '{print $3}'</html:pre>
For any systems that use a different
local filesystem type, modify this command as appropriate.
</description>
      <Group id="partitions">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Partition Mount Options</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System partitions can be mounted with certain options
that limit what files on those partitions can do. These options
are set in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code> configuration file, and can be
used to make certain types of malicious behavior more difficult.</description>
        <Value id="var_removable_partition" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Removable Partition</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This value is used by the checks mount_option_nodev_removable_partitions, mount_option_noexec_removable_partitions, 
and mount_option_nosuid_removable_partitions to ensure that the correct mount options are set on partitions mounted from
removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
partitions that are required on the local system.</description>
          <value selector="dev_cdrom">/dev/cdrom</value>
        </Value>
        <Rule id="mount_option_nodev_removable_filesystems" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add nodev Option to Removable Media Partitions</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">nodev</html:code> mount option prevents files from being
interpreted as character or block devices. 
Legitimate character and block devices should exist only in
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev</html:code> directory on the root partition or within chroot
jails built for system services. 

	Add the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nodev</html:code> option to the fourth column of
	<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code> for the line which controls mounting of
	any removable media partitions.
	
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> The only legitimate location for device files is the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev</html:code> directory
located on the root partition.  An exception to this is chroot jails, and it is
not advised to set <html:code xmlns:html="http://www.w3.org/1999/xhtml">nodev</html:code> on partitions which contain their root
filesystems.  </rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002430</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-var_removable_partition:var:1" value-id="var_removable_partition"/>
            <check-content-ref name="oval:ssg-mount_option_nodev_removable_filesystems:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mount_option_nosuid_removable_filesystems" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add nosuid Option to Removable Media Partitions</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">nosuid</html:code> mount option prevents set-user-identifier (suid)
and set-group-identifier (sgid) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce suid and guid
files into the system via partitions mounted from removeable media.

	Add the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nosuid</html:code> option to the fourth column of
	<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code> for the line which controls mounting of
	any removable media partitions.
	
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of suid and sgid executables should be tightly controlled. Allowing
users to introduce suid or sgid binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002420</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-var_removable_partition:var:1" value-id="var_removable_partition"/>
            <check-content-ref name="oval:ssg-mount_option_nosuid_removable_filesystems:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="mounting">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Dynamic Mounting and Unmounting of
Filesystems</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Linux includes a number of facilities for the automated addition
and removal of filesystems on a running system.  These facilities may be
necessary in many environments, but this capability also carries some risk -- whether direct
risk from allowing users to introduce arbitrary filesystems,
or risk that software flaws in the automated mount facility itself could
allow an attacker to compromise the system.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
This command can be used to list the types of filesystems that are
available to the currently executing kernel:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</html:pre>
If these filesystems are not required then they can be explicitly disabled
in a configuratio file in  <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>.
</description>
        <Rule id="kernel_module_usb-storage_disabled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Modprobe Loading of USB Storage Driver</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver. 

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">usb-storage</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install usb-storage /bin/true</html:pre>
This will prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">modprobe</html:code> program from loading the <html:code xmlns:html="http://www.w3.org/1999/xhtml">usb-storage</html:code>
module, but will not prevent an administrator (or another program) from using the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">insmod</html:code> program to load the module manually.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">USB storage devices such as thumb drives can be used to introduce
malicious software.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008480</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_usb-storage_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">if [ -d /etc/modprobe.d/ ]; then
	echo "install usb-storage /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install usb-storage /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_usb-storage_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_usb-storage_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="bootloader_nousb_argument" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Support for USB via Bootloader Configuration</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
All USB support can be disabled by adding the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nousb</html:code>
argument to the kernel's boot loader configuration. To do so, 
append "nousb" to the kernel line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code> as shown:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">kernel /vmlinuz-<html:i>VERSION</html:i> ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</html:pre>
<html:i xmlns:html="http://www.w3.org/1999/xhtml"><html:b>WARNING:</html:b> Disabling all kernel support for USB will cause problems for
systems with USB-based keyboards, mice, or printers. This configuration is
infeasible for systems which require USB devices, which is common.</html:i></description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the USB subsystem within the Linux kernel at system boot will
protect against potentially malicious USB devices, although it is only practical
in specialized systems.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008460</ident>
          <fix system="urn:xccdf:fix:script:sh" id="bootloader_nousb_argument" complexity="low" disruption="low" reboot="false" strategy="configure">USB_KEYBOARD=$(grep 'Product=' /proc/bus/usb/devices 2&gt;/dev/null| egrep -ic '(ps2 to usb adapter|keyboard|kvm|sc reader)')
if [ "${USB_KEYBOARD}" = "0" ]; then
	sed -i '/^[ |\t]*kernel/s/$/ nousb/' /boot/grub/grub.conf
# else
	# A USB keyboard was detected so this fix has been skipped.
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-bootloader_nousb_argument:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="service_autofs_disabled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the Automounter</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">autofs</html:code> daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/misc/cd</html:code>.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code>
rather than relying on the automounter.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">autofs</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig autofs off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disabling the automounter permits the administrator to 
statically control filesystem mounting through <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code>. 
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008440</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_autofs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Disable autofs for all run levels
#
/sbin/chkconfig --level 0123456 autofs off

#
# Stop autofs if currently running
#
/sbin/service autofs stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_autofs_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_autofs_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="files">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Important Files and
Directories</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Permissions for many files on a system must be set
restrictively to ensure sensitive information is properly protected.
This section discusses important
permission restrictions which can be verified
to ensure that no harmful discrepancies have
arisen.</description>
        <Group id="permissions_important_account_files">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Files with Local Account Information and Credentials</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default restrictive permissions for files which act as
important security databases such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">passwd</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">shadow</html:code>,
<html:code xmlns:html="http://www.w3.org/1999/xhtml">group</html:code>, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">gshadow</html:code> files must be maintained.  Many utilities
need read access to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">passwd</html:code> file in order to function properly, but
read access to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">shadow</html:code> file allows malicious attacks against system
passwords, and should never be enabled.</description>
          <Rule id="file_owner_etc_shadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns shadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/shadow </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001400</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_shadow" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/shadow</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_owner_etc_shadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="groupowner_shadow_file" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns shadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/shadow </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> file stores password hashes. Protection of this file is
critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001410</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-groupowner_shadow_file:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-groupowner_shadow_file_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_etc_shadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on shadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0400 /etc/shadow</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001420</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_shadow" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0400 /etc/shadow
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_etc_shadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_shadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_etc_shadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on shadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001430</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_shadow" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/shadow</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_etc_shadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_shadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_owner_etc_group" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns group File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/group </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001391</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/group
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_owner_etc_group:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_group_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_groupowner_etc_group" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns group File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/group </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001392</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/group
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_groupowner_etc_group:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_group_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_etc_group" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on group File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 644 /etc/group</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code> file contains information regarding groups that are configured
on the system. Protection of this file is important for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001393</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_group" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 0644 /etc/group
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_etc_group:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_group_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_etc_group" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on group File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001394</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_group" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/group</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_etc_group:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_group_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_owner_etc_gshadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns gshadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/gshadow </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code> file contains group password hashes. Protection of this file
is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX001431</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/gshadow
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_owner_etc_gshadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_gshadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_groupowner_etc_gshadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns gshadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/gshadow </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code> file contains group password hashes. Protection of this file
is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX001432</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/gshadow
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_groupowner_etc_gshadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_gshadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_etc_gshadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on gshadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0400 /etc/gshadow</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code> file contains group password hashes. Protection of this file
is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX001433</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 0400 /etc/gshadow
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_etc_gshadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_gshadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_etc_gshadow" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on gshadow File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/gshadow</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX001434</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/gshadow</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_etc_gshadow:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_gshadow_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_owner_etc_passwd" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns passwd File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/passwd </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> file contains information about the users that are configured on
the system. Protection of this file is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001378</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chown root /etc/passwd
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_owner_etc_passwd:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_passwd_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_groupowner_etc_passwd" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns passwd File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/passwd </html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> file contains information about the users that are configured on
the system. Protection of this file is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001379</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chgrp root /etc/passwd
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_groupowner_etc_passwd:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_passwd_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_etc_passwd" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on passwd File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/passwd</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> file is writable by a group-owner or the
world the risk of its compromise is increased. The file contains the list of
accounts on the system and associated information, and protection of this file
is critical for system security.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001380</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="disable">chmod 0644 /etc/passwd
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_etc_passwd:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_passwd_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_etc_passwd" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on passwd File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001390</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/passwd</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_etc_passwd:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_passwd_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Rule id="file_owner_aliases" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/aliases </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004400</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_aliases" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_aliases:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_aliases_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_aliases" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/aliases </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004410</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_aliases" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_aliases:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_aliases_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_aliases" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/aliases</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004420</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_aliases" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 644 /etc/postfix/aliases /etc/postfix/aliases.db /etc/aliases /etc/aliases.db 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_aliases:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_aliases_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_aliases" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Aliases</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004430</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_aliases" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/aliases /etc/aliases.db /etc/postfix/aliases /etc/postfix/aliases.db 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_aliases:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_aliases_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_aliases_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/aliases </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004360</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_aliases_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chown root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_aliases_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_aliases_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_aliases_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/aliases </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004370</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_aliases_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chown :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_aliases_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_aliases_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_aliases_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on aliases File</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /etc/aliases</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004380</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_aliases_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep "/" /etc/aliases /etc/aliases.db | grep -v "#" | grep ^/ | sed 's/.*[\s|\t]\//\//' | xargs chmod 755</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_aliases_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_aliases_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_aliases_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Aliases Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004390</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_aliases_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep / /etc/aliases | grep -v "#" | sed s/^[^\/]*// | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_aliases_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_aliases_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_audio_devices" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Audio Device Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/audio</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /dev/audio </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002340</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_audio_devices" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /dev/audio* /dev/snd/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_audio_devices:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_audio_devices_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_audio_devices" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Audio Device Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/audio</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /dev/audio </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002360</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_audio_devices" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /dev/audio* /dev/snd/*
if [[ "`uname -r`" = "2.6.9"* ]]; then
	sed -i 's/\(^audio\*:[a-z]*:\)[a-z]*:/\1sys:/' /etc/udev/permissions.d/50-udev.permissions
elif [[ "`uname -r`" = "2.6.18"* ]]; then
	sed -i '/^&lt;console&gt;  [0-9]* &lt;sound&gt;/s/&lt;sound&gt;.*/&lt;sound&gt;      0600 root.root/' /etc/security/console.perms.d/50-default.perms
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_audio_devices:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_audio_devices_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_audio_devices" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Audio Device Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/audio</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0660 /dev/audio</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_audio_devices" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 660 /dev/audio* /dev/snd/*
sed -i '/[audio|snd]/s/MODE="[0-9]*"/MODE="660"/' /etc/udev/rules.d/50-udev.rules</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_audio_devices:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_audio_devices_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_audio_devices" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Audio Device Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002330</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_audio_devices" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /dev/audio* /dev/snd/* 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_audio_devices:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_audio_devices_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_audit_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Audit Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit/audit.log</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/log/audit/audit.log </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">162</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002680</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_audit_log" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chown root
if [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chown root
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_audit_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_audit_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_audit_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Audit Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit/audit.log</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /var/log/audit/audit.log </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">162</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002690</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_audit_log" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chown :root
if [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chown :root
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_audit_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_audit_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_audit_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Audit Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
System Audit Log Directory Must Have Mode 0755 or Less Permissive and 
System Audit Logs Must Have Mode 0640 or Less Permissive.
Change the mode of the audit log directory with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod 0755 <html:i>/var/log/audit/</html:i></html:pre>
Change the mode of the audit log files with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod 0640 <html:i>audit_file</html:i></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If users can write to audit logs, audit trails can be modified or destroyed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002700</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_audit_log" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/auditd.conf ]; then
	grep ^log_file /etc/audit/auditd.conf | awk '{ print $3 }' | xargs chmod 640
elif [ -e /etc/auditd.conf ]; then
	grep ^log_file /etc/auditd.conf | awk '{ print $3 }' | xargs chmod 640
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_audit_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_audit_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_audit_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Audit Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002710</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_audit_log" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/auditd.conf ]; then
	grep "^log_file" /etc/audit/auditd.conf | sed s/^[^\/]*// | xargs setfacl --remove-all
elif [ -e /etc/auditd.conf ]; then
	grep "^log_file" /etc/auditd.conf | sed s/^[^\/]*// | xargs setfacl --remove-all
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_audit_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_audit_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_audit_tools" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Audit Tool Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/au*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /sbin/au* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002715</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_audit_tools" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_audit_tools:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_audit_tools_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_audit_tools" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Audit Tool Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/au*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /sbin/au* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002716</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_audit_tools" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_audit_tools:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_audit_tools_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_audit_tools" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Audit Tool Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/au*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0750 /sbin/au*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002717</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_audit_tools" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 750 /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_audit_tools:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_audit_tools_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_audit_tools" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Audit Tool Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1493</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002718</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_audit_tools" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /sbin/auditctl /sbin/auditd /sbin/ausearch /sbin/aureport /sbin/autrace /sbin/audispd</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_audit_tools:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_audit_tools_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_bin_traceroute" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Traceroute</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/traceroute</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /bin/traceroute </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003960</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_bin_traceroute" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /bin/traceroute</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_bin_traceroute:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_bin_traceroute_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_bin_traceroute" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Traceroute</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/traceroute</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /bin/traceroute </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003980</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_bin_traceroute" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /bin/traceroute</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_bin_traceroute:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_bin_traceroute_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_bin_traceroute" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Traceroute</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/traceroute</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0700 /bin/traceroute</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004000</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_bin_traceroute" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 700 /bin/traceroute
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_bin_traceroute:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_bin_traceroute_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_bin_traceroute" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Traceroute</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004010</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_bin_traceroute" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /bin/traceroute</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_bin_traceroute:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_bin_traceroute_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_core_dump_dir" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Core Dump Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/crash</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/crash </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003520</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_core_dump_dir" complexity="low" disruption="low" reboot="false" strategy="configure">grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | chown root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_core_dump_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_core_dump_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_core_dump_dir" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Core Dump Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/crash</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /var/crash </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003521</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_core_dump_dir" complexity="low" disruption="low" reboot="false" strategy="configure">grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | xargs chown :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_core_dump_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_core_dump_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_core_dump_dir" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Core Dump Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/crash</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0700 /var/crash</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003522</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_core_dump_dir" complexity="low" disruption="low" reboot="false" strategy="configure">grep path.*/ /etc/kdump.conf | awk '{ print $2 }' | xargs chmod 700</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_core_dump_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_core_dump_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_core_dump_dir" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Core Dump Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003523</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_core_dump_dir" complexity="low" disruption="low" reboot="false" strategy="configure">grep path /etc/kdump.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_core_dump_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_core_dump_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_cron_log_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Cron Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/cron</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /var/log/cron</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003180</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_cron_log_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep ^cron /etc/syslog.conf | awk '{ print $2 }' | xargs chmod 0600
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_cron_log_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_cron_log_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_cron_log_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Cron Log Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003190</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_cron_log_files" complexity="low" disruption="low" reboot="false" strategy="configure">grep cron /etc/syslog.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_cron_log_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_cron_log_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_crontab_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Crontab Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/cron</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/spool/cron </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003120</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_crontab_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_crontab_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_crontab_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_crontab_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Crontab Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/cron</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /var/spool/cron </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003140</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_crontab_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_crontab_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_crontab_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_crontab_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Crontab Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/cron</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /var/spool/cron</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003100</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_crontab_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 755 /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_crontab_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_crontab_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_crontab_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Crontab Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003110</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_crontab_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_crontab_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_crontab_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_crontab_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Crontab Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/cron* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSL-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003040</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_crontab_files" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/crontab /etc/cron.d/* /var/spool/cron/* 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_crontab_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_crontab_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_crontab_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Crontab Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/cron* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003050</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_crontab_files" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/crontab /etc/cron.d/* /var/spool/cron/* 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_crontab_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_crontab_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_crontab_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Crontab Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/cron*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003080</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_crontab_files" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 600 /etc/crontab /etc/cron.d/* /var/spool/cron/* 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_crontab_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_crontab_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_crontab_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Crontab Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003090</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_crontab_files" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc/cron.d /etc/crontab /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly /var/spool/cron  -type f 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_crontab_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_crontab_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_cron_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Cron Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0700 /etc/cron*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003080-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_cron_files" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0700 /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/* 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_cron_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_cron_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_at_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns at.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/at.allow </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003460</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_at_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/at.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_at_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_at_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_at_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns at.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/at.allow </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003470</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_at_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/at.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_at_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_at_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_at_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on at.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/at.allow</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003340</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_at_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/at.allow
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_at_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_at_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_at_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on at.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003245</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_at_allow" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/at.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_at_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_at_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_at_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns at.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/at.deny </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003480</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_at_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/at.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_at_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_at_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_at_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns at.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/at.deny </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003490</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_at_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/at.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_at_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_at_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_at_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on at.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/at.deny</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003252</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_at_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/at.deny
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_at_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_at_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_at_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on at.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003255</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_at_deny" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/at.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_at_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_at_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_cron_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns cron.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/cron.allow </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003240</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_cron_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/cron.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_cron_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_cron_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_cron_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns cron.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/cron.allow </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003250</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_cron_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/cron.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_cron_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_cron_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_cron_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on cron.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.allow</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/cron.allow</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002980</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_cron_allow" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/cron.allow
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_cron_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_cron_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_cron_allow" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on cron.allow</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002990</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_cron_allow" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/cron.allow</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_cron_allow:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_cron_allow_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_cron_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns cron.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/cron.deny </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_cron_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/cron.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_cron_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_cron_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_cron_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns cron.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/cron.deny </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003270</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_cron_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/cron.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_cron_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_cron_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_cron_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on cron.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.deny</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/cron.deny</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003200</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_cron_deny" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/cron.deny
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_cron_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_cron_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_cron_deny" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on cron.deny</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003210</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_cron_deny" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/cron.deny</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_cron_deny:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_cron_deny_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_cups_printers_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns printers.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cups/printers.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/cups/printers.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003920</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_cups_printers_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/cups/printers.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_cups_printers_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_cups_printers_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_cups_printers_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns printers.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cups/printers.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/cups/printers.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003930</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_cups_printers_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/cups/printers.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_cups_printers_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_cups_printers_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_cups_printers_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on printers.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cups/printers.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/cups/printers.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003940</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_cups_printers_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/cups/printers.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_cups_printers_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_cups_printers_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_cups_printers_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on printers.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003950</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_cups_printers_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/cups/printers.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_cups_printers_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_cups_printers_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_exports" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Exports</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/exports </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005740</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_exports" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/exports</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_exports:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_exports_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_exports" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Exports</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/exports </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005750</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_exports" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/exports</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_exports:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_exports_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_exports" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Exports</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/exports</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005760</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_exports" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/exports
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_exports:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_exports_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_exports" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Exports</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005770</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_exports" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/exports</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_exports:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_exports_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_hosts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Hosts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/hosts </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001366</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_hosts" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/hosts</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_hosts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_hosts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_hosts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Hosts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/hosts </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001367</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_hosts" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/hosts</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_hosts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_hosts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_hosts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Hosts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/hosts</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001368</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_hosts" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/hosts
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_hosts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_hosts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_hosts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Hosts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001369</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_hosts" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/hosts</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_hosts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_hosts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_ldap_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns ldap.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/ldap.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008080</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_ldap_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/ldap.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_ldap_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_ldap_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_ldap_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns ldap.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/ldap.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008100</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_ldap_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/ldap.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_ldap_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_ldap_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_ldap_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on ldap.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/ldap.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008060</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_ldap_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/ldap.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_ldap_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_ldap_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_ldap_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on ldap.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008120</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_ldap_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/ldap.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_ldap_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_ldap_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_news_infeed_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on infeed.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/news/infeed.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/news/infeed.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006280</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_news_infeed_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/news/infeed.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_news_infeed_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_news_infeed_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_news_infeed_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on infeed.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006290</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_news_infeed_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/news/infeed.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_news_infeed_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_news_infeed_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_news_incoming_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on incoming.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/news/incoming.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/news/incoming.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_news_incoming_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/news/incoming.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_news_incoming_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_news_incoming_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_news_incoming_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on incoming.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006270</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_news_incoming_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/news/incoming.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_news_incoming_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_news_incoming_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_news_nnrp_access" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on nnrp.access</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006310</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_news_nnrp_access" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/news/nnrp.access</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_news_nnrp_access:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_news_nnrp_access_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_news_passwd_nntp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on passwd.nntp</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/news/passwd.nntp</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/news/passwd.nntp</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_news_passwd_nntp" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/news/passwd.nntp
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_news_passwd_nntp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_news_passwd_nntp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_news_passwd_nntp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on passwd.nntp</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006330</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_news_passwd_nntp" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/news/passwd.nntp</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_news_passwd_nntp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_news_passwd_nntp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_nsswitch_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns nsswitch.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/nsswitch.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/nsswitch.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001371</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_nsswitch_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/nsswitch.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_nsswitch_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_nsswitch_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_nsswitch_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns nsswitch.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/nsswitch.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/nsswitch.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001372</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_nsswitch_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/nsswitch.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_nsswitch_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_nsswitch_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_nsswitch_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on nsswitch.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/nsswitch.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/nsswitch.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001373</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_nsswitch_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/nsswitch.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_nsswitch_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_nsswitch_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_nsswitch_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on nsswitch.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001374</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_nsswitch_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/nsswitch.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_nsswitch_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_nsswitch_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_ntp_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns ntp.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/ntp.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000250</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_ntp_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/ntp.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_ntp_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_ntp_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_ntp_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns ntp.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/ntp.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000251</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_ntp_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/ntp.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_ntp_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_ntp_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_ntp_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on ntp.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/ntp.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000252</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_ntp_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0640 /etc/ntp.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_ntp_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_ntp_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_ntp_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on ntp.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000253</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_ntp_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/ntp.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_ntp_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_ntp_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_resolv_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns resolv.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/resolv.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/resolv.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001362</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_resolv_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/resolv.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_resolv_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_resolv_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_resolv_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns resolv.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/resolv.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/resolv.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001363</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_resolv_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/resolv.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_resolv_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_resolv_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_resolv_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on resolv.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/resolv.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/resolv.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001364</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_resolv_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/resolv.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_resolv_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_resolv_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_resolv_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on resolv.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001365</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_resolv_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/resolv.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_resolv_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_resolv_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_samba_smb_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns smb.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/samba/smb.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006100</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_samba_smb_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_samba_smb_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_samba_smb_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_samba_smb_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns smb.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/samba/smb.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006120</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_samba_smb_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_samba_smb_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_samba_smb_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_samba_smb_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on smb.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/samba/smb.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006140</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_samba_smb_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_samba_smb_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_samba_smb_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_samba_smb_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on smb.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006150</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_samba_smb_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_samba_smb_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_samba_smb_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_samba_tdb" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Samba Password Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/passdb.tdb</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/samba/passdb.tdb </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006160</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_samba_tdb" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/samba/passdb.tdb /etc/samba/secrets.tdb</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_samba_tdb:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_samba_tdb_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_samba_tdb" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Samba Password Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/passdb.tdb</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/samba/passdb.tdb </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006180</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_samba_tdb" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/samba/passdb.tdb /etc/samba/secrets.tdb</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_samba_tdb:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_samba_tdb_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_samba_tdb" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Samba Password Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/passdb.tdb</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/samba/passdb.tdb</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006200</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_samba_tdb" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/samba/passdb.tdb /etc/samba/secrets.tdb</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_samba_tdb:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_samba_tdb_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_samba_tdb" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Samba Password Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006210</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_samba_tdb" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/samba/passdb.tdb /etc/samba/secrets.tdb</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_samba_tdb:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_samba_tdb_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_securetty" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns securetty</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/securetty </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00640</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_securetty" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/securetty</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_securetty:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_securetty_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_securetty" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns securetty</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/securetty </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00620</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_securetty" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/securetty</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_securetty:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_securetty_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_securetty" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on securetty</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/securetty</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00660</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_securetty" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/securetty
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_securetty:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_securetty_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_security_access_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns access.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/access.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/access.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00400</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_security_access_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/security/access.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_security_access_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_security_access_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_security_access_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns access.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/access.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/access.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00420</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_security_access_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/security/access.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_security_access_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_security_access_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_security_access_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on access.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/access.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/access.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00440</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_security_access_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0640 /etc/security/access.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_security_access_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_security_access_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_security_access_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on access.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00450</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_security_access_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/security/access.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_security_access_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_security_access_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_services" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns services</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/services</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/services </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003760</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_services" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/services</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_services:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_services_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_services" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns services</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/services</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/services </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003770</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_services" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/services</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_services:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_services_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_services" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on services</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/services</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/services</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003780</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_services" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/services
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_services:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_services_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_services" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on services</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003790</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_services" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/services</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_services:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_services_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_skel" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Skeleton Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/skel/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/skel/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001820</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_skel" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/skel/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_skel:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_skel_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_skel" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Skeleton Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/skel/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/skel/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001830</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_skel" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/skel/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_skel:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_skel_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_skel" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Skeleton Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/skel/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/skel/*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_skel" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0644 /etc/skel/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_skel:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_skel_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_skel" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Skeleton Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001810</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_skel" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc/skel 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_skel:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_skel_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_sysctl_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns sysctl.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/sysctl.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00480</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_sysctl_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/sysctl.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_sysctl_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_sysctl_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_sysctl_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns sysctl.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/sysctl.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00500</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_sysctl_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/sysctl.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_sysctl_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_sysctl_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_sysctl_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on sysctl.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/sysctl.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00520</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_sysctl_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/sysctl.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_sysctl_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_sysctl_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_sysctl_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on sysctl.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00530</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_sysctl_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/sysctl.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_sysctl_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_sysctl_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_syslog_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns syslog.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/syslog.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005400</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_syslog_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/syslog.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_syslog_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_syslog_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_syslog_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns syslog.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/syslog.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005420</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_syslog_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/syslog.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_syslog_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_syslog_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_syslog_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on syslog.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/syslog.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005390</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_syslog_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0640 /etc/syslog.conf
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_syslog_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_syslog_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_syslog_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on syslog.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005395</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_syslog_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/syslog.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_syslog_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_syslog_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_etc_xinetd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns xinetd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinetd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/xinetd.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003720</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_etc_xinetd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/xinetd.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_etc_xinetd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_etc_xinetd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_etc_xinetd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns xinetd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinetd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/xinetd.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003730</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_etc_xinetd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/xinetd.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_etc_xinetd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_etc_xinetd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_xinetd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on xinetd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinetd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/xinetd.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003740</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_xinetd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0640 /etc/xinetd.conf /etc/xinetd.d/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_xinetd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_xinetd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_xinetd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on xinetd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003745</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_xinetd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/xinetd.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_xinetd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_xinetd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_etc_xinetd_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on xinet.d Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinet.d/</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/xinet.d/</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003750</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_etc_xinetd_dir" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0755 /etc/xinet.d/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_etc_xinetd_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_etc_xinetd_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_etc_xinetd_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on xinet.d Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003755</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_etc_xinetd_dir" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc/xinetd.d -type f 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_etc_xinetd_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_etc_xinetd_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_exports_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Exports Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/exports </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_exports_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">cat /etc/exports | awk '{ print $1 }' | xargs chown root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_exports_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_exports_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_exports_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Exports Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/exports </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005810</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_exports_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">cat /etc/exports | awk '{ print $1 }' | xargs chown :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_exports_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_exports_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_ftpusers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns ftpusers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ftpusers</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/ftpusers </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004920</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_ftpusers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_ftpusers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_ftpusers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns ftpusers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ftpusers</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/ftpusers </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004930</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_ftpusers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_ftpusers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ftpusers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on ftpusers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ftpusers</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /etc/ftpusers</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004940</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_ftpusers" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0640 /etc/ftpusers /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ftpusers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ftpusers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_ftpusers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on ftpusers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004950</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_ftpusers" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/ftpusers /etc/vsftpd.ftpusers /etc/vsftpd/ftpusers</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_ftpusers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_ftpusers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_global_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Global Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/profile</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/profile </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001740</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_global_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_global_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_global_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Global Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/profile</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/profile </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001760</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_global_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_global_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_global_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Global Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/profile</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/profile</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001720</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_global_initialization_files" complexity="low" disruption="low" reboot="false" strategy="configure">chmod -R 0644 /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_global_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_global_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_global_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Global Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001730</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_global_initialization_files" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_global_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_global_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="global_initialization_files_mesg" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Messaging is Disabled in Global Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No global messaging should be enabled.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001780</ident>
          <fix system="urn:xccdf:fix:script:sh" id="global_initialization_files_mesg" complexity="low" disruption="low" reboot="false" strategy="configure">echo mesg n | tee -a /etc/profile &amp;&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-global_initialization_files_mesg:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-global_initialization_files_mesg_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_home_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Home Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /home/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001500</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_home_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_home_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_home_dirs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Home Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /home/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001520</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_home_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_home_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_home_dirs" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that User Home Directories are not Group-Writable or World-Readable</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">For each human user of the system, view the
permissions of the user's home directory:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -ld /home/<html:i>USER</html:i></html:pre>
Ensure that the directory is not group-writable and that it
is not world-readable. If necessary, repair the permissions:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod g-w /home/<html:i>USER</html:i>
# chmod o-rwx /home/<html:i>USER</html:i></html:pre>
</description>
          <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This action may involve
modifying user home directories. Notify your user community, and
solicit input if appropriate, before making this type of
change.</warning>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
User home directories contain many configuration files which
affect the behavior of a user's account. No user should ever have
write permission to another user's home directory. Group shared
directories can be configured in sub-directories or elsewhere in the
filesystem if they are needed. Typically, user home directories
should not be world-readable, as it would disclose file names
to other users. If a subset of users need read access
to one another's home directories, this can be provided using
groups or ACLs.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001480</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_home_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_home_dirs" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Home Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001490</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_home_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">cut -d: -f6 /etc/passwd | sort -u | xargs setfacl --remove-all 2&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_home_dirs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_home_dirs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_home_files" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Home Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home/*/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /home/*/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001540</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_home_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_home_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_home_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Home Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home/*/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /home/*/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001550</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_home_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_home_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_home_files" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Home Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/home/*/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0750 /home/*/*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001560</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_home_files" complexity="low" disruption="low" reboot="false" strategy="configure">find /root /home/* -perm -1 -o -perm -2 -o -perm -4 -o -perm -20 2&gt;/dev/null | xargs -I entry chmod o-rwx,g-w "entry"
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_home_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_home_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_home_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Home Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001570</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_home_files" complexity="low" disruption="low" reboot="false" strategy="configure">find /home -type f 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_home_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_home_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_ldap_cacerts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns LDAP CA Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cacert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root tls_cacert </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008140</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_ldap_cacerts" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_ldap_cacerts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_ldap_cacerts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_ldap_cacerts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns LDAP CA Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cacert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root tls_cacert </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008160</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_ldap_cacerts" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_ldap_cacerts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_ldap_cacerts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ldap_cacerts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on LDAP CA Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cacert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 tls_cacert</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008180</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_ldap_cacerts" complexity="low" disruption="low" reboot="false" strategy="configure">KEY_PATH="`grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }'`"
if [ -d "${KEY_PATH}" ]; then
	chmod 755 "${KEY_PATH}"
	chmod 644 "${KEY_PATH}"/*
elif [ -e "${KEY_PATH}" ]; then
	chmod 644 "${KEY_PATH}"
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ldap_cacerts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ldap_cacerts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_ldap_cacerts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on LDAP CA Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008200</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_ldap_cacerts" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cacert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_ldap_cacerts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_ldap_cacerts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_ldap_certs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns LDAP Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root tls_cert </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008220</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_ldap_certs" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_ldap_certs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_ldap_certs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_ldap_certs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns LDAP Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root tls_cert </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008240</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_ldap_certs" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_ldap_certs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_ldap_certs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ldap_certs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on LDAP Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_cert</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 tls_cert</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_ldap_certs" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chmod -R 644</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ldap_certs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ldap_certs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_ldap_certs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on LDAP Certificates</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008280</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_ldap_certs" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_cert' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_ldap_certs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_ldap_certs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_ldap_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns LDAP Keys</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_key</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root tls_key </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008300</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_owner_ldap_keys" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_ldap_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_ldap_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_ldap_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns LDAP Keys</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_key</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root tls_key </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_ldap_keys" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chown -R :root</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_ldap_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_ldap_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ldap_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on LDAP Keys</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">tls_key</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 tls_key</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008340</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_ldap_keys" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs chmod -R 600	</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ldap_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ldap_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_ldap_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on LDAP Keys</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008360</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_ldap_keys" complexity="low" disruption="low" reboot="false" strategy="configure">grep -i '^tls_key' /etc/ldap.conf | grep -v "#" | awk '{ print $2 }' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_ldap_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_ldap_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_local_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Local Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">~/.bashrc</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root ~/.bashrc </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001860</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_local_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_local_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_local_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Local Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">~/.bashrc</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root ~/.bashrc </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001870</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_local_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_local_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_local_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Local Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">~/.bashrc</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0740 ~/.bashrc</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001880</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_local_initialization_files" complexity="low" disruption="low" reboot="false" strategy="configure">find /root /home -maxdepth 2 -type f \( -perm -o+r -o -perm -o+w  -o -perm -o+x -o -perm -g+w -o -perm -g+x \) -a \( -name \.bashrc -o -name \.bash_login -o -name \.bash_logout -o -name \.bash_profile -o -name \.cshrc -o -name \.kshrc -o -name \.login -o -name \.logout -o -name \.profile -o -name \.env -o -name \.dtprofile -o -name \.dispatch -o -name \.emacs -o -name \.exrc \) 2&gt;/dev/null | xargs chmod o-rwx,g-wx
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_local_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_local_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_local_initialization_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Local Initialization Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001890</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_local_initialization_files" complexity="low" disruption="low" reboot="false" strategy="configure">cut -d: -f6 /etc/passwd | sort -u | xargs -n1 -IDIR find DIR -maxdepth 1 -name .bashrc -o -name .bash_login -o -name .bash_logout -o -name .bash_profile -o -name .cshrc -o -name .kshrc -o -name .login -o -name .logout -o -name .profile -o -name .env -o -name .dtprofile -o -name .dispatch -o -name .emacs -o -name .exrc 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_local_initialization_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_local_initialization_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_man_pages" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Man Pages</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/share/man</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /usr/share/man</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001280</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_man_pages:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_man_pages_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_man_pages" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Man Pages</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001290</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_man_pages" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /usr/share/man/* /usr/share/info/* /usr/share/infopage/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_man_pages:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_man_pages_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_mib_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on .Mib Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">*.mib</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 *.mib</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005340</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_mib_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_mib_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_mib_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on .Mib Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005350</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_mib_files" complexity="low" disruption="low" reboot="false" strategy="configure">find / -name *.mib 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_mib_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_mib_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_root_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on root Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/root</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0700 /root</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000920</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_root_dir" complexity="low" disruption="low" reboot="false" strategy="configure">grep ^root: /etc/passwd | awk -F: ' { print $6 }' | xargs -I entry chmod g-rwx,o-rwx "entry"
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_root_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_root_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_root_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on root Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000930</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_root_dir" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /root/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_root_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_root_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_run_control_scripts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Run Control Scripts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/rc*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/rc* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001660</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_run_control_scripts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_run_control_scripts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_run_control_scripts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Run Control Scripts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/rc*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/rc* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001680</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_run_control_scripts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_run_control_scripts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_run_control_scripts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Run Control Scripts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/rc*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /etc/rc*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001580</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_run_control_scripts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_run_control_scripts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_run_control_scripts" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Run Control Scripts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001590</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_run_control_scripts" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc/rc* /etc/init.d -type f 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_run_control_scripts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_run_control_scripts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_shell_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns Shell Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shells</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/shells </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002200</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_shell_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_shell_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_shell_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns Shell Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shells</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/shells </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002210</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_shell_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_shell_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_shell_files" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Shell Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shells</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /etc/shells</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002220</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_shell_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_shell_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_shell_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Shell Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002230</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_shell_files" complexity="low" disruption="low" reboot="false" strategy="configure">cat /etc/shells | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_shell_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_shell_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_smtp_logs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns SMTP Logs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/mail.log</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/log/mail.log </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004480</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_smtp_logs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_smtp_logs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_smtp_logs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on SMTP Logs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/mail.log</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /var/log/mail.log</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004500</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_smtp_logs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_smtp_logs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_smtp_logs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on SMTP Logs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004510</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_smtp_logs" complexity="low" disruption="low" reboot="false" strategy="configure">egrep "(\*.crit|mail\.[^n][^/]*)" /etc/syslog.conf | sed 's/^[^/]*//' | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_smtp_logs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_smtp_logs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_snmpd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns snmpd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">snmpd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root snmpd.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005360</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_snmpd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_snmpd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_snmpd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns snmpd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">snmpd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root snmpd.conf </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005365</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_snmpd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_snmpd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_snmpd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on snmpd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">snmpd.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 snmpd.conf</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_snmpd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">find / -name snmpd.conf 2&gt;/dev/null | xargs chmod ugo-x,go-wr</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_snmpd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_snmpd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_snmpd_conf" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on snmpd.conf</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005375</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_snmpd_conf" complexity="low" disruption="low" reboot="false" strategy="configure">find / -name snmpd.conf 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_snmpd_conf:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_snmpd_conf_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ssh_private_host_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on /etc/ssh/*key</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/*key</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 /etc/ssh/*key</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005523</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ssh_private_host_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ssh_private_host_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ssh_public_host_keys" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on /etc/ssh/*key.pub</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/*key.pub</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0644 /etc/ssh/*key.pub</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005522</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ssh_public_host_keys:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ssh_public_host_keys_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_tftp_binary" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on TFTP Binary</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinetd.d/tftp</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /etc/xinetd.d/tftp</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005100</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_tftp_binary:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_tftp_binary_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_usr_bin_ldd" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on /usr/bin/ldd</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/bin/ldd</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0000 /usr/bin/ldd</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007960</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_usr_bin_ldd" complexity="low" disruption="low" reboot="false" strategy="configure">chmod a-x /usr/bin/ldd
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_usr_bin_ldd:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_usr_bin_ldd_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_usr_sbin_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on sbin Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/sbin/</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /usr/sbin/</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001180</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_usr_sbin_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_usr_sbin_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_usr_sbin_dir" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on sbin Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001190</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_usr_sbin_dir" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /usr/sbin/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_usr_sbin_dir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_usr_sbin_dir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_var_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on System Logs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0640 /var/log/*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_var_log" complexity="low" disruption="low" reboot="false" strategy="configure">find /var/log -follow -type f ! -name wtmp 2&gt;/dev/null | xargs chmod o-rwx,g-wx,u-x

# The following corrects the permission mask set for /var/log/rpmpkgs.
if [ -e /etc/cron.daily/rpm ]; then
	sed -i '/rpmpkgs/s/0644/0640/' /etc/cron.daily/rpm
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_var_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_var_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_var_log" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on System Logs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001270</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_var_log" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /var/log/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_var_log:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_var_log_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_var_spool_at" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns At Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/at/</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/spool/at/ </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003420</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_var_spool_at:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_var_spool_at_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_var_spool_at" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns At Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/at/</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /var/spool/at/ </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003430</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_var_spool_at:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_var_spool_at_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_var_spool_at" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on At Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/spool/at/</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /var/spool/at/</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003400</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_var_spool_at:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_var_spool_at_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_var_spool_at" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on At Directory</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003410</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_var_spool_at" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /var/spool/at</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_var_spool_at:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_var_spool_at_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_owner_var_yp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify User Who Owns YP Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/yp/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /var/yp/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001320</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_owner_var_yp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_var_yp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_groupowner_var_yp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Group Who Owns YP Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/yp/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /var/yp/* </html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001340</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_groupowner_var_yp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_var_yp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_var_yp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on YP Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/yp/*</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0755 /var/yp/*</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001360</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_var_yp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_var_yp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_var_yp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on YP Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001361</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_var_yp" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /var/yp/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_var_yp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_var_yp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_xauthority_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Permissions on Xauthority Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">.Xauthority</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 0600 .Xauthority</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005180</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_xauthority_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_xauthority_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_extended_xauthority_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Xauthority Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005190</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_xauthority_files" complexity="low" disruption="low" reboot="false" strategy="configure">cut -d: -f6 /etc/passwd | sort -u | xargs -n1 -IDIR find DIR -maxdepth 1 -name .Xauthority -o -name .xauth 2&gt;/dev/null | xargs setfacl --remove-all</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_extended_xauthority_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_xauthority_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="permissions_within_important_dirs">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify File Permissions Within Some Important Directories</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Some directories contain files whose confidentiality or integrity
is notably important and may also be susceptible to misconfiguration over time, particularly if
unpackaged software is installed. As such,
an argument exists to verify that files' permissions within these directories remain
configured correctly and restrictively.   
</description>
          <Rule id="file_permissions_library_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that Shared Library Files Have Restrictive Permissions</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/lib
/lib64
/usr/lib
/usr/lib64
</html:pre>
Kernel modules, which can be added to the kernel during runtime, are
stored in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/lib/modules</html:code>. All files in these directories
should not be group-writable or world-writable. If any file in these
directories is found to be group-writable or world-writable, correct
its permission with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod go-w <html:i>FILE</html:i></html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSL-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Restrictive permissions are necessary to protect the integrity of the system.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001300</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_library_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">find /lib /usr/lib -follow -perm -20 -o -perm -2 2&gt;/dev/null | xargs chmod go-w
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_library_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_library_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_library_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Shared Library Files</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001310</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_library_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb --remove-all /usr/lib/* /lib/*
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_library_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_library_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_binary_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that System Executables Have Restrictive Permissions</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
System executables are stored in the following directories by default:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</html:pre>
All files in these directories should not be group-writable or world-writable.
If any file <html:i xmlns:html="http://www.w3.org/1999/xhtml">FILE</html:i> in these directories is found
to be group-writable or world-writable, correct its permission with the
following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod go-w <html:i>FILE</html:i></html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System binaries are executed by privileged users, as well as system services,
and restrictive permissions are necessary to ensure execution of these programs
cannot be co-opted.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001200</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">find /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin -follow -perm -20 -o -perm -2 2&gt;/dev/null | xargs chmod go-w
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_binary_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_binary_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Extended ACLs on Shared Binary Files</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">No extended ACLs should be applied.</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001210</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl -RLb /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin 2&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_binary_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_binary_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_ownership_binary_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that System Executables Have Root User Ownership</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
System executables are stored in the following directories by default:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</html:pre>
All files in these directories should be owned by the <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> user.
If any file <html:i xmlns:html="http://www.w3.org/1999/xhtml">FILE</html:i> in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chown root <html:i>FILE</html:i></html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001220</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_ownership_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="disable">find /bin/ \
/usr/bin/ \
/usr/local/bin/ \
/sbin/ \
/usr/sbin/ \
/usr/local/sbin/ \
/usr/libexec \
\! -user root -execdir chown root {} \;
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_ownership_binary_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_ownership_binary_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_groupowner_binary_dirs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that System Executables Have Root Group Ownership</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
System executables are stored in the following directories by default:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin</html:pre>
All files in these directories should be owned by the <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> user.
If any file <html:i xmlns:html="http://www.w3.org/1999/xhtml">FILE</html:i> in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chown root <html:i>FILE</html:i></html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001240</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_binary_dirs" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc /bin /usr/bin /usr/lbin /usr/usb /sbin /usr/sbin -follow -gid +499 2&gt;/dev/null | xargs chown :root
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_groupowner_binary_dirs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_binary_dirs_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Rule id="dir_perms_world_writable_sticky_bits" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify that All World-Writable Directories Have Sticky Bits Set</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To set the sticky bit on a world-writable directory <html:i xmlns:html="http://www.w3.org/1999/xhtml">DIR</html:i>, run the
following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chmod +t <html:i>DIR</html:i></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The only authorized public directories are those temporary directories supplied with the system, 
or those designed to be temporary file repositories.  The setting is normally reserved for directories 
used by the system, by users for temporary file storage (such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/tmp</html:code>), and for directories 
requiring global read/write access.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002500</ident>
          <fix system="urn:xccdf:fix:script:sh" id="dir_perms_world_writable_sticky_bits" complexity="low" disruption="low" reboot="false" strategy="configure">find / /home /var /var/log /var/log/audit -xdev -perm -2 ! -perm -1000 -type d 2&gt;/dev/null | xargs chmod o-w
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-dir_perms_world_writable_sticky_bits:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_unauthorized_world_writable" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure No World-Writable Files Exist</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">It is generally a good idea to remove global (other) write
access to a file when it is discovered. However, check with
documentation for specific applications before making changes.
Also, monitor for recurring world-writable files, as these may be
symptoms of a misconfigured application or user
account.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Data in world-writable files can be modified by any
user on the system. In almost all circumstances, files can be
configured using a combination of user and group permissions to
support whatever legitimate access is needed without the risk
caused by world-writable files.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002480</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_unauthorized_world_writable" complexity="low" disruption="low" reboot="false" strategy="configure">find / /var /home -xdev -follow -type f -perm -002 2&gt;/dev/null | xargs chmod o-w
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_unauthorized_world_writable:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_unauthorized_world_writable_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="no_files_unowned_by_user" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Files Are Owned by a User</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001160</ident>
          <fix system="urn:xccdf:fix:script:sh" id="no_files_unowned_by_user" complexity="low" disruption="low" reboot="false" strategy="configure">find / /home /var /var/log /var/log/audit -xdev -nouser 2&gt;/dev/null | xargs chown root
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-no_files_unowned_by_user:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-no_files_unowned_by_user_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="file_permissions_ungroupowned" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Files Are Owned by a Group</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If any files are not owned by a group, then the
cause of their lack of group-ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001170</ident>
          <fix system="urn:xccdf:fix:script:sh" id="file_permissions_ungroupowned" complexity="low" disruption="low" reboot="false" strategy="configure">find / /home /var /var/log /var/log/audit -xdev -nogroup 2&gt;/dev/null | xargs chown :root
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-file_permissions_ungroupowned:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_ungroupowned_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="dir_perms_world_writable_system_owned" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All World-Writable Directories Are Owned by a System Account</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All directories in local partitions which are
world-writable should be owned by root or another
system account.  If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002520</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-dir_perms_world_writable_system_owned:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-dir_perms_world_writable_system_owned_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="restrictions">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Programs from Dangerous Execution Patterns</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The recommendations in this section are designed to
ensure that the system's features to protect against potentially
dangerous program execution are activated.
These protections are applied at the system initialization or
kernel level, and defend against certain types of badly-configured
or compromised programs.</description>
        <Group id="coredumps">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Core Dumps</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A core dump file is the memory image of an executable
program when it was terminated by the operating system due to
errant behavior. In most cases, only software developers
legitimately need to access these files. The core dump files may
also contain sensitive information, or unnecessarily occupy large
amounts of disk space.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Once a hard limit is set in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</html:code>, a
user cannot increase that limit within his or her own session. If access
to core dumps is required, consider restricting them to only
certain users or groups. See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">limits.conf</html:code> man page for more
information.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The core dumps of setuid programs are further protected. The
<html:code xmlns:html="http://www.w3.org/1999/xhtml">sysctl</html:code> variable <html:code xmlns:html="http://www.w3.org/1999/xhtml">fs.suid_dumpable</html:code> controls whether
the kernel allows core dumps from these programs at all. The default
value of 0 is recommended.</description>
          <Rule id="disable_users_coredumps" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Core Dumps for All Users</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable core dumps for all users, add the following line to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">*     hard   core    0</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003500</ident>
            <fix system="urn:xccdf:fix:script:sh" id="disable_users_coredumps" complexity="low" disruption="low" reboot="false" strategy="configure">echo "*     hard   core    0" &gt;&gt; /etc/security/limits.conf
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-disable_users_coredumps:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="enable_execshield_settings">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable ExecShield</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ExecShield describes kernel features that provide
protection against exploitation of memory corruption errors such as buffer
overflows. These features include random placement of the stack and other
memory regions, prevention of execution in memory that should only hold data,
and special handling of text buffers. These protections are enabled by default and
controlled through <html:code xmlns:html="http://www.w3.org/1999/xhtml">sysctl</html:code> variables <html:code xmlns:html="http://www.w3.org/1999/xhtml">kernel.exec-shield</html:code> and
<html:code xmlns:html="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</html:code>.
</description>
          <Rule id="sysctl_kernel_nonexec_stack" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable ExecShield and Randomized Layout of Virtual Address Space</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">kernel.exec-shield</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w kernel.exec-shield=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.exec-shield = 1</html:pre>
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">kernel.randomize_va_space</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w kernel.randomize_va_space=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.randomize_va_space = 1</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range.
Address space layout randomization (ASLR) makes it more difficult
for an attacker to predict the location of attack code they have introduced
into a process's address space during an attempt at exploitation.  Additionally, ASLR 
makes it more difficult for an attacker to know the location of existing code
in order to re-purpose it using return oriented programming (ROP) techniques.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003540</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_kernel_nonexec_stack" complexity="low" disruption="low" reboot="false" strategy="configure">if [[ "`uname -r`" != "2.6.9"* ]]; then
	/sbin/sysctl -q -n -w kernel.randomize_va_space=1
	if grep --silent ^kernel.randomize_va_space /etc/sysctl.conf ; then
		sed -i 's/^kernel.randomize_va_space.*/kernel.randomize_va_space = 1/g' /etc/sysctl.conf
	else
		echo "" &gt;&gt; /etc/sysctl.conf
		echo "# Set kernel.randomize_va_space to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
		echo "kernel.randomize_va_space = 1" &gt;&gt; /etc/sysctl.conf
	fi
fi

/sbin/sysctl -q -n -w kernel.exec-shield=1
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set kernel.exec-shield to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "kernel.exec-shield = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sysctl_kernel_nonexec_stack:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_kernel_nonexec_stack_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_kernel_execshield" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable ExecShield</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">kernel.exec-shield</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w kernel.exec-shield=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">kernel.exec-shield = 1</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ExecShield uses the segmentation feature on all x86 systems
to prevent execution in memory higher than a certain address. It
writes an address as a limit in the code segment descriptor, to
control where code can be executed, on a per-process basis. When
the kernel places a process's memory regions such as the stack and
heap higher than this address, the hardware prevents execution in that
address range.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008420</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_kernel_execshield" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/sysctl -q -n -w kernel.exec-shield=1&#13;
if grep --silent ^kernel.exec-shield /etc/sysctl.conf ; then&#13;
	sed -i 's/^kernel.exec-shield.*/kernel.exec-shield = 1/g' /etc/sysctl.conf&#13;
else&#13;
	echo "" &gt;&gt; /etc/sysctl.conf&#13;
	echo "# Set kernel.exec-shield to 1 per security requirements" &gt;&gt; /etc/sysctl.conf&#13;
	echo "kernel.exec-shield = 1" &gt;&gt; /etc/sysctl.conf&#13;
fi&#13;
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sysctl_kernel_execshield:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_kernel_execshield_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="selinux">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux is a feature of the Linux kernel which can be
used to guard against misconfigured or compromised programs.
SELinux enforces the idea that programs should be limited in what
files they can access and what actions they can take.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The default SELinux policy, as configured on Red Hat Enterprise Linux 6, has been
sufficiently developed and debugged that it should be usable on
almost any Red Hat machine with minimal configuration and a small
amount of system administrator training. This policy prevents
system services - including most of the common network-visible
services such as mail servers, FTP servers, and DNS servers - from
accessing files which those services have no valid reason to
access. This action alone prevents a huge amount of possible damage
from network attacks against services, from trojaned software, and
so forth.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
This guide recommends that SELinux be enabled using the
default (targeted) policy on every Red Hat system, unless that
system has requirements which make a stronger policy
appropriate.
</description>
      <Group id="enabling_selinux">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable SELinux</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/selinux/config</html:code>. Add or correct the
following lines:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">SELINUX=enforcing
SELINUXTYPE=targeted</html:pre>
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>. Ensure that the following
arguments DO NOT appear on any kernel command line in the file:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">selinux=0
enforcing=0</html:pre>
The directive <html:code xmlns:html="http://www.w3.org/1999/xhtml">SELINUX=enforcing</html:code> enables SELinux at boot time.
If SELinux is suspected of involvement with boot-time problems
(unlikely), it is possible to boot into the warning-only mode
<html:code xmlns:html="http://www.w3.org/1999/xhtml">SELINUX=permissive</html:code> for debugging purposes. Make certain to change
the mode back to enforcing after debugging, set the filesystems to
be relabeled for consistency using the command <html:code xmlns:html="http://www.w3.org/1999/xhtml">touch
/.autorelabel</html:code>, and reboot.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
However, the Red Hat Enterprise Linux 6 default SELinux configuration should be
sufficiently reasonable that most systems will boot without serious
problems. Some applications that require deep or unusual system
privileges, such as virtual machine software, may not be compatible
with SELinux in its default configuration. However, this should be
uncommon, and SELinux's application support continues to improve.
In other cases, SELinux may reveal unusual or insecure program
behavior by design.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The directive <html:code xmlns:html="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted</html:code> configures SELinux to use
the default targeted policy.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The SELinux boot mode specified in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/selinux/config</html:code> can be
overridden by command-line arguments passed to the kernel. It is
necessary to check <html:code xmlns:html="http://www.w3.org/1999/xhtml">grub.conf</html:code> to ensure that this has not been done
and to protect the boot process.
</description>
        <Value id="var_selinux_state_name" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux state</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">enforcing - SELinux security policy is enforced.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>permissive - SELinux prints warnings instead of enforcing.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>disabled - SELinux is fully disabled.</description>
          <value>enforcing</value>
          <value selector="enforcing">enforcing</value>
          <value selector="permissive">permissive</value>
          <value selector="disabled">disabled</value>
        </Value>
        <Value id="var_selinux_policy_name" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux policy</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Type of policy in use. Possible values are:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>targeted - Only targeted network daemons are protected.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>strict - Full SELinux protection.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>mls - Multiple levels of security</description>
          <value>targeted</value>
          <value selector="targeted">targeted</value>
          <value selector="mls">mls</value>
        </Value>
        <Rule id="selinux_enforcing" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure SELinux State is Enforcing and Policy is Targeted</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SELinux state should be set to <html:code xmlns:html="http://www.w3.org/1999/xhtml">enforcing</html:code> and the 
SELinux policy should be set to <html:code xmlns:html="http://www.w3.org/1999/xhtml">targeted</html:code> at
system boot time.  In the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/selinux/config</html:code>, add or correct the
following lines to configure the system to boot into enforcing mode with the 
targeted policy:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">SELINUX=enforcing</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">SELINUXTYPE=targeted</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Setting the SELinux state to <html:code xmlns:html="http://www.w3.org/1999/xhtml">enforcing</html:code> ensures SELinux is able to confine
potentially compromised processes to the security policy, which is designed to
prevent them from causing damage to the system or further elevating their
privileges.
Setting the SELinux policy to <html:code xmlns:html="http://www.w3.org/1999/xhtml">targeted</html:code> or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="selinux_enforcing" complexity="low" disruption="low" reboot="false" strategy="configure">
var_selinux_policy_name="<sub idref="var_selinux_policy_name"/>"

if [ "`grep -c ^SELINUX= /etc/sysconfig/selinux`" = "0" ]; then
	echo SELINUX=enforcing &gt;&gt; /etc/sysconfig/selinux
else
	sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/sysconfig/selinux
fi

if [ "`grep -c ^SELINUX= /etc/selinux/config`" = "0" ]; then
	echo SELINUX=enforcing &gt;&gt; /etc/selinux/config
else
	sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
fi

if [ "`grep -c ^SELINUXTYPE= /etc/sysconfig/selinux`" = "0" ]; then
	echo SELINUXTYPE=${var_selinux_policy_name} &gt;&gt; /etc/sysconfig/selinux
else
	sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=${var_selinux_policy_name}/" /etc/sysconfig/selinux
fi

if [ "`grep -c ^SELINUXTYPE= /etc/selinux/config`" = "0" ]; then
	echo SELINUXTYPE=${var_selinux_policy_name} &gt;&gt; /etc/selinux/config
else
	sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=${var_selinux_policy_name}/" /etc/selinux/config
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-var_selinux_policy_name:var:1" value-id="var_selinux_policy_name"/>
            <check-content-ref name="oval:ssg-selinux_enforcing:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-selinux_enforcing_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="accounts">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Account and Access Control</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In traditional Unix security, if an attacker gains
shell access to a certain login account, they can perform any action
or access any file to which that account has access. Therefore,
making it more difficult for unauthorized people to gain shell
access to accounts, particularly to privileged accounts, is a
necessary part of securing a system. This section introduces
mechanisms for restricting access to accounts under
Red Hat Enterprise Linux 5.</description>
      <Group id="restricted-accounts">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Special Privileged Accounts Exist</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system must not have special 
privilege accounts, such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">shutdown</html:code>, 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">reboot</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">halt</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftp</html:code>, 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">games</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">gopher</html:code>, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">news</html:code>.</description>
        <Rule id="restricted_accounts" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Special Privileged Accounts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove any special privilege accounts, 
such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">shutdown</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">reboot</html:code>, and 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">halt</html:code>, from the /etc/passwd and /etc/shadow 
files using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">userdel</html:code> or 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-users</html:code> commands.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If special privilege accounts are compromised, 
the accounts could provide privileges to execute 
malicious commands on a system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="restricted_accounts" complexity="low" disruption="low" reboot="false" strategy="configure">/usr/bin/id shutdown &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel shutdown
/usr/bin/id halt &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel halt
/usr/bin/id reboot &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel reboot
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-restricted_accounts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-restricted_accounts_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="restricted_accounts_ftp" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ftp Account</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftp</html:code> account from the /etc/passwd 
and /etc/shadow files using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">userdel</html:code> or 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-users</html:code> commands.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">12</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Accounts that provide no operational purpose provide 
additional opportunities for system compromise. Unnecessary 
accounts include user accounts for individuals not requiring 
access to the system and application accounts for applications 
not installed on the system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000290-4</ident>
          <fix system="urn:xccdf:fix:script:sh" id="restricted_accounts_ftp" complexity="low" disruption="low" reboot="false" strategy="configure">/usr/bin/id ftp &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel ftp
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-restricted_accounts_ftp:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-restricted_accounts_ftp_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="restricted_accounts_games" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Games Account</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove the <html:code xmlns:html="http://www.w3.org/1999/xhtml">games</html:code> account from the /etc/passwd 
and /etc/shadow files using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">userdel</html:code> or 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-users</html:code> commands.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">12</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Accounts that provide no operational purpose provide 
additional opportunities for system compromise. Unnecessary 
accounts include user accounts for individuals not requiring 
access to the system and application accounts for applications 
not installed on the system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000290-1</ident>
          <fix system="urn:xccdf:fix:script:sh" id="restricted_accounts_games" complexity="low" disruption="low" reboot="false" strategy="configure">/usr/bin/id games &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel games
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-restricted_accounts_games:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-restricted_accounts_games_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="restricted_accounts_gopher" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Gopher Account</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove the <html:code xmlns:html="http://www.w3.org/1999/xhtml">gopher</html:code> account from the /etc/passwd 
and /etc/shadow files using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">userdel</html:code> or 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-users</html:code> commands.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">12</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Accounts that provide no operational purpose provide 
additional opportunities for system compromise. Unnecessary 
accounts include user accounts for individuals not requiring 
access to the system and application accounts for applications 
not installed on the system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000290-3</ident>
          <fix system="urn:xccdf:fix:script:sh" id="restricted_accounts_gopher" complexity="low" disruption="low" reboot="false" strategy="configure">/usr/bin/id gopher &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel gopher
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-restricted_accounts_gopher:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-restricted_accounts_gopher_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="restricted_accounts_news" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">News Account</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove the <html:code xmlns:html="http://www.w3.org/1999/xhtml">news</html:code> account from the /etc/passwd 
and /etc/shadow files using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">userdel</html:code> or 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-users</html:code> commands.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">12</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Accounts that provide no operational purpose provide 
additional opportunities for system compromise. Unnecessary 
accounts include user accounts for individuals not requiring 
access to the system and application accounts for applications 
not installed on the system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000290-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="restricted_accounts_news" complexity="low" disruption="low" reboot="false" strategy="configure">/usr/bin/id news &amp;&gt;/dev/null &amp;&amp; /usr/sbin/userdel news
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-restricted_accounts_news:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-restricted_accounts_news_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="accounts-restrictions">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Conventionally, Unix shell accounts are accessed by
providing a username and password to a login program, which tests
these values for correctness using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> and
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> files. Password-based login is vulnerable to
guessing of weak passwords, and to sniffing and man-in-the-middle
attacks against passwords entered over a network or at an insecure
console. Therefore, mechanisms for accessing accounts by entering
usernames and passwords should be restricted to those which are
operationally necessary.</description>
        <Group id="root_logins">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Root Logins</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Direct root logins should be allowed only for emergency use.
In normal situations, the administrator should access the system
via a unique unprivileged account, and then use <html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> to execute
privileged commands. Discouraging administrators from accessing the
root account directly ensures an audit trail in organizations with
multiple administrators. Locking down the channels through which
root can connect directly also reduces opportunities for
password-guessing against the root account. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">login</html:code> program
uses the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code> to determine which interfaces
should allow root logins.

The virtual devices <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/console</html:code>
and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/tty*</html:code> represent the system consoles (accessible via
the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
installation). The default securetty file also contains <html:code xmlns:html="http://www.w3.org/1999/xhtml">/dev/vc/*</html:code>.
These are likely to be deprecated in most environments, but may be retained
for compatibility. Root should also be prohibited from connecting
via network protocols. Other sections of this document
include guidance describing how to prevent root from logging in via SSH.
</description>
          <Rule id="securetty_root_login_console_only" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Virtual Console Root Logins</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To restrict root logins through the (deprecated) virtual console devices,
ensure lines of this form do not appear in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/securetty</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">vc/1
vc/2
vc/3
vc/4</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSD-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system
using the root account.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000980</ident>
            <fix system="urn:xccdf:fix:script:sh" id="securetty_root_login_console_only" complexity="low" disruption="low" reboot="false" strategy="disable">echo tty1 &gt; /etc/securetty
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-securetty_root_login_console_only:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="no_root_webbrowsing" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Web Browser Use for Administrative Accounts</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Enforce policy requiring administrative accounts use web browsers only for
local service administration.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If a browser vulnerability is exploited while running with administrative privileges,
the entire system could be compromised. Specific exceptions for local service
administration should be documented in site-defined policy.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004220</ident>
            <fix system="urn:xccdf:fix:script:sh" id="no_root_webbrowsing" complexity="low" disruption="low" reboot="false" strategy="configure">rm -rf `grep ^root: /etc/passwd | awk -F: '{ print $6 }'`/.mozilla</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-no_root_webbrowsing:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-no_root_webbrowsing_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_no_uid_except_zero" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Only Root Has UID 0</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If any account other than root has a UID of 0,
this misconfiguration should be investigated and the
accounts other than root should be removed or have their UID changed.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000880</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_no_uid_except_zero" complexity="low" disruption="low" reboot="false" strategy="configure">for UID0_USER in `cat /etc/passwd | cut -d: -f1,3 | grep :0$ | grep -v ^root: | cut -d: -f1`; do
	userdel -rf ${UID0_USER}
done
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_no_uid_except_zero:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sudo_wheel" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Switching To Root Account Must Require Wheel Membership</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensure that only members of the wheel group are allowed to switch to the root account.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">9</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Configuring a supplemental group for users permitted to switch to the root user prevents 
unauthorized users from accessing the root account, even with knowledge of the root credentials.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000850</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sudo_wheel" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(grep -c '#.*auth.*required.*pam_wheel.so' /etc/pam.d/su)" != "0" ]; then
	sed -i '/auth.*required.*pam_wheel.so/s/#//g' /etc/pam.d/su
else
	sed -i '/auth.*include/iauth\t\trequired\tpam_wheel.so use_uid' /etc/pam.d/su
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sudo_wheel:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="password_storage">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify Proper Storage and Existence of Password
Hashes</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
By default, password hashes for local accounts are stored
in the second field (colon-separated) in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code>. This file should be readable only by
processes running with root credentials, preventing users from
casually accessing others' password hashes and attempting
to crack them.
However, it remains possible to misconfigure the system
and store password hashes
in world-readable files such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>, or
to even store passwords themselves in plaintext on the system.
Using system-provided tools for password change/creation
should allow administrators to avoid such misconfiguration.
</description>
          <Rule id="no_empty_passwords" selected="false" severity="high">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Prevent Log In to Accounts With Empty Password</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nullok</html:code>
option in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> to
prevent logins with empty passwords.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational
environments.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000560</ident>
            <fix system="urn:xccdf:fix:script:sh" id="no_empty_passwords" complexity="low" disruption="low" reboot="false" strategy="disable">sed --follow-symlinks -i 's/\&lt;nullok\&gt;//g' /etc/pam.d/system-auth
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-no_empty_passwords:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-no_empty_passwords_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_password_all_shadowed" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify All Account Password Hashes are Shadowed</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If any password hashes are stored in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> (in the second field,
instead of an <html:code xmlns:html="http://www.w3.org/1999/xhtml">x</html:code>), the cause of this misconfiguration should be
investigated.  The account should have its password reset and the hash should be
properly stored, or the account should be deleted entirely.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">201</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The hashes for all user account passwords should be stored in
the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> and never in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code>,
which is readable by all users.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001470</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_password_all_shadowed:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="gid_passwd_group_same" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All GIDs referenced in /etc/passwd must be defined in /etc/group</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Add a group to the system for each GID referenced without a corresponding group.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Inconsistency in GIDs between <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/passwd</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/group</html:code> could lead to a user having unintended rights.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000380</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-gid_passwd_group_same:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="no_netrc_files" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify No netrc Files Exist</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code> files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used.  Any <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code> files should be removed.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Unencrypted passwords for remote FTP servers may be stored in <html:code xmlns:html="http://www.w3.org/1999/xhtml">.netrc</html:code>
files. DoD policy requires passwords be encrypted in storage and not used
in access scripts.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002000</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-no_netrc_files:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-no_netrc_files_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="password_expiration">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Expiration Parameters</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> controls several
password-related settings. Programs such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">passwd</html:code>,
<html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code>, and
<html:code xmlns:html="http://www.w3.org/1999/xhtml">login</html:code> consult <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> to determine
behavior with regard to password aging, expiration warnings,
and length. See the man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">login.defs(5)</html:code> for more information.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Users should be forced to change their passwords, in order to
decrease the utility of compromised passwords. However, the need to
change passwords often should be balanced against the risk that
users will reuse or write down passwords if forced to change them
too often. Forcing password changes every 90-360 days, depending on
the environment, is recommended. Set the appropriate value as
<html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS</html:code> and apply it to existing accounts with the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">-M</html:code> flag.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">-m</html:code>) setting prevents password
changes for 7 days after the first change, to discourage password
cycling. If you use this setting, train users to contact an administrator
for an emergency password change in case a new password becomes
compromised. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">PASS_WARN_AGE</html:code> (<html:code xmlns:html="http://www.w3.org/1999/xhtml">-W</html:code>) setting gives
users 7 days of warnings at login time that their passwords are about to expire.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For example, for each existing human user <html:i xmlns:html="http://www.w3.org/1999/xhtml">USER</html:i>, expiration parameters
could be adjusted to a 180 day maximum password age, 7 day minimum password
age, and 7 day warning period with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER</html:pre>
</description>
          <Value id="var_accounts_maximum_age_login_defs" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">maximum password age</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum age of password in days</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
            <value>60</value>
            <value selector="60">60</value>
            <value selector="90">90</value>
            <value selector="120">120</value>
            <value selector="180">180</value>
          </Value>
          <Value id="var_accounts_minimum_age_login_defs" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minimum password age</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum age of password in days</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
            <value>7</value>
            <value selector="7">7</value>
            <value selector="5">5</value>
            <value selector="1">1</value>
            <value selector="2">2</value>
            <value selector="0">0</value>
          </Value>
          <Value id="var_accounts_password_warn_age_login_defs" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">warning days before password expires</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days' warning given before a password expires.</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
            <value>7</value>
            <value selector="0">0</value>
            <value selector="7">7</value>
            <value selector="14">14</value>
          </Value>
          <Rule id="accounts_minimum_age_login_defs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Age</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password minimum age for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code>
and add or correct the following line, replacing <html:i xmlns:html="http://www.w3.org/1999/xhtml">DAYS</html:i> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <html:i>DAYS</html:i></html:pre>
A value of 1 day is considered for sufficient for many
environments.
The DoD requirement is 1. 
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">198</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Setting the minimum password age protects against
users cycling back to a favorite password
after satisfying the password reuse requirement.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000540</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_minimum_age_login_defs" complexity="low" disruption="low" reboot="false" strategy="configure">
var_accounts_minimum_age_login_defs="<sub idref="var_accounts_minimum_age_login_defs"/>"

grep -q ^PASS_MIN_DAYS /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MIN_DAYS      $var_accounts_minimum_age_login_defs" &gt;&gt; /etc/login.defs
fi

USERACCT=$(egrep -v "^\+|^#" /etc/passwd | cut -d":" -f1)
for SYS_USER in ${USERACCT}; do
	if [ $(grep -c ${SYS_USER} /etc/shadow) != 0 ]; then
		passwd -n $var_accounts_minimum_age_login_defs ${SYS_USER} &amp;&gt;/dev/null
	fi
done
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-var_accounts_minimum_age_login_defs:var:1" value-id="var_accounts_minimum_age_login_defs"/>
              <check-content-ref name="oval:ssg-accounts_minimum_age_login_defs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_maximum_age_login_defs" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Maximum Age</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password maximum age for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code>
and add or correct the following line, replacing <html:i xmlns:html="http://www.w3.org/1999/xhtml">DAYS</html:i> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <html:i>DAYS</html:i></html:pre>
A value of 180 days is sufficient for many environments. 
The DoD requirement is 60.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">180</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Setting the password maximum age ensures users are required to
periodically change their passwords. This could possibly decrease
the utility of a stolen password. Requiring shorter password lifetimes
increases the risk of users writing down the password in a convenient
location subject to physical compromise.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000700</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_maximum_age_login_defs" complexity="low" disruption="low" reboot="false" strategy="configure">
var_accounts_maximum_age_login_defs="<sub idref="var_accounts_maximum_age_login_defs"/>"

grep -q ^PASS_MAX_DAYS /etc/login.defs &amp;&amp; \
  sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
if ! [ $? -eq 0 ]; then
    echo "PASS_MAX_DAYS      $var_accounts_maximum_age_login_defs" &gt;&gt; /etc/login.defs
fi

USERACCT=$(egrep -v "^\+|^#" /etc/passwd | cut -d":" -f1)
for SYS_USER in ${USERACCT}; do
	if [ $(grep -c ${SYS_USER} /etc/shadow) != 0 ]; then
		passwd -x $var_accounts_maximum_age_login_defs ${SYS_USER} &amp;&gt;/dev/null
	fi
done
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-var_accounts_maximum_age_login_defs:var:1" value-id="var_accounts_maximum_age_login_defs"/>
              <check-content-ref name="oval:ssg-accounts_maximum_age_login_defs:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="account_expiration">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Account Expiration Parameters</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accounts can be configured to be automatically disabled
after a certain time period,
meaning that they will require administrator interaction to become usable again.
Expiration of accounts after inactivity can be set for all accounts by default
and also on a per-account basis, such as for accounts that are known to be temporary.
To configure automatic expiration of an account following
the expiration of its password (that is, after the password has expired and not been changed),
run the following command, substituting <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>NUM_DAYS</html:i></html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>USER</html:i></html:code> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># chage -I <html:i>NUM_DAYS USER</html:i></html:pre>
Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">-E</html:code> option.
The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/default/useradd</html:code> controls
default settings for all newly-created accounts created with the system's
normal command line utilities.
</description>
          <Value id="var_account_disable_post_pw_expiration" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">number of days after a password expires until the account is permanently disabled</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The number of days to wait after a password expires, until the account will be permanently disabled.</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">This will only apply to newly created accounts</warning>
            <value>35</value>
            <value selector="30">30</value>
            <value selector="35">35</value>
            <value selector="60">60</value>
            <value selector="90">90</value>
            <value selector="180">180</value>
          </Value>
          <Rule id="accounts_disable_post_pw_expiration" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Account Expiration Following Inactivity</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/default/useradd</html:code>, substituting
<html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>NUM_DAYS</html:i></html:code> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">INACTIVE=<html:i>NUM_DAYS</html:i></html:pre>
A value of 35 is recommended.  
If a password is currently on the
verge of expiration, then 35 days remain until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 95
days could elapse until the account would be automatically disabled. See the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">useradd</html:code> man page for more information.  Determining the inactivity
timeout must be done with careful consideration of the length of a "normal"
period of inactivity for users in the particular environment. Setting
the timeout too low incurs support costs and also has the potential to impact
availability of the system to legitimate users.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">17</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling inactive accounts ensures that accounts which may not
have been responsibly removed are not available to attackers
who may have compromised their credentials.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006660</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_disable_post_pw_expiration" complexity="low" disruption="low" reboot="false" strategy="configure">
var_account_disable_post_pw_expiration="<sub idref="var_account_disable_post_pw_expiration"/>"

if [ $(cat /etc/default/useradd | grep -c "^INACTIVE=") != 0 ]; then
	sed -i "s/^INACTIVE=.*/INACTIVE=${var_account_disable_post_pw_expiration}/" /etc/default/useradd
else
	echo INACTIVE=${var_account_disable_post_pw_expiration} &gt;&gt;/etc/default/useradd
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-var_account_disable_post_pw_expiration:var:1" value-id="var_account_disable_post_pw_expiration"/>
              <check-content-ref name="oval:ssg-accounts_disable_post_pw_expiration:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_disable_post_pw_expiration_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_unique_name" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Accounts on the System Have Unique Names</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Change usernames, or delete accounts, so each has a unique name.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Unique usernames allow for accountability on the system. 
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000300</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_unique_name:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_unique_name_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_unique_uid" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Accounts on the System Have Unique User IDs</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Change user ID, or delete accounts, so each has a unique ID.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Unique IDs allow for accountability on the system. 
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000320</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_unique_uid:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_unique_uid_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="accounts-pam">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Accounts by Configuring PAM</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">PAM, or Pluggable Authentication Modules, is a system
which implements modular authentication for Linux programs. PAM provides
a flexible and configurable architecture for authentication, and it should be configured
to minimize exposure to unnecessary risk. This section contains
guidance on how to accomplish that.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
PAM is implemented as a set of shared objects which are
loaded and invoked whenever an application wishes to authenticate a
user. Typically, the application must be running as root in order
to take advantage of PAM, because PAM's modules often need to be able
to access sensitive stores of account information, such as /etc/shadow.
Traditional privileged network listeners
(e.g. sshd) or SUID programs (e.g. sudo) already meet this
requirement. An SUID root application, userhelper, is provided so
that programs which are not SUID or privileged themselves can still
take advantage of PAM.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
PAM looks in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d</html:code> for
application-specific configuration information. For instance, if
the program login attempts to authenticate a user, then PAM's
libraries follow the instructions in the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/login</html:code>
to determine what actions should be taken.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
One very important file in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d</html:code> is
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>. This file, which is included by
many other PAM configuration files, defines 'default' system authentication
measures. Modifying this file is a good way to make far-reaching
authentication changes, for instance when implementing a
centralized authentication service.</description>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Be careful when making changes to PAM's
configuration files. The syntax for these files is complex, and
modifications can have unexpected consequences. The default
configurations shipped with applications should be sufficient for
most users.</warning>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Running <html:code xmlns:html="http://www.w3.org/1999/xhtml">authconfig</html:code> or
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-authentication</html:code> will re-write the PAM configuration
files, destroying any manually made changes and replacing them with
a series of system defaults. One reference to the configuration
file syntax can be found at
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html">http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html</html:a>.</warning>
        <Rule id="accounts_global_setting" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Global Account Settings</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> file must not be  a symbolic link to 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth-ac</html:code>. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code> file must instead 
link to an alternate file, such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth-local</html:code>, which incorporates 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">include</html:code> statements for system-auth-ac. Specifically, the following <html:code xmlns:html="http://www.w3.org/1999/xhtml">include</html:code> 
statements should be present:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">auth include system-auth-ac</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">account include system-auth-ac</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password include system-auth-ac</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">session include system-auth-ac</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">192</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Pam global requirements are generally defined in the /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac 
file. In order for the requirements to be applied the file containing them must be included directly or 
indirectly in each program's definition file in /etc/pam.d.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000600-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="accounts_global_setting" complexity="low" disruption="low" reboot="false" strategy="configure">cat &gt; /etc/pam.d/system-auth-local &lt;&lt;'STOP_HERE'
auth        include      system-auth-ac
account     include      system-auth-ac
password    include      system-auth-ac
session     include      system-auth-ac
STOP_HERE
ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-accounts_global_setting:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="accounts_logins_logged" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Account Logins are Logged</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to 
the system.  Without this logging, the ability to track unauthorized activity to specific user accounts 
may be diminished.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000440</ident>
          <fix system="urn:xccdf:fix:script:sh" id="accounts_logins_logged" complexity="low" disruption="low" reboot="false" strategy="configure">if [ ! -e /var/log/btmp ]; then
	&gt;/var/log/btmp
	chmod 600 /var/log/btmp
	chown root:root /var/log/btmp
fi
if [ ! -e /var/log/wtmp ]; then
	&gt;/var/log/wtmp
	chmod 664 /var/log/wtmp
	chown root:root /var/log/wtmp
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-accounts_logins_logged:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Group id="password_quality">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Quality Requirements</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> PAM module provides strength
checking for passwords. It performs a number of checks, such as
making sure passwords are not similar to dictionary words, are of
at least a certain length, are not the previous password reversed,
and are not simply a change of case from the previous password. It
can also require passwords to be in certain character classes.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib(8)</html:code> provides information on the
capabilities and configuration of each.</description>
          <Group id="password_quality_pamcracklib">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Quality Requirements, if using
pam_cracklib</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> PAM module can be configured to meet
requirements for a variety of policies.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For example, to configure <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code> to require at least one uppercase
character, lowercase character, digit, and other (special)
character, locate the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password requisite pam_cracklib.so try_first_pass retry=3</html:pre>
and then alter it to read:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</html:pre>
If no such line exists, add one as the first line of the password section in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>.
The arguments can be modified to ensure compliance with
your organization's security policy. Discussion of each parameter follows.
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that the password quality
requirements are not enforced for the root account for some
reason.</warning>
            <Value id="var_password_pam_cracklib_retry" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">retry</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of retry attempts before erroring out</description>
              <value>3</value>
              <value selector="1">1</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
            </Value>
            <Value id="var_password_pam_cracklib_minlen" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minlen</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters in password</description>
              <value>14</value>
              <value selector="6">6</value>
              <value selector="8">8</value>
              <value selector="10">10</value>
              <value selector="12">12</value>
              <value selector="14">14</value>
              <value selector="15">15</value>
            </Value>
            <Value id="var_password_pam_cracklib_dcredit" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dcredit</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of digits in password</description>
              <value>-1</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var_password_pam_cracklib_ocredit" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ocredit</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of other (special characters) in
password</description>
              <value>-1</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var_password_pam_cracklib_lcredit" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">lcredit</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of lower case in password</description>
              <value>-1</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var_password_pam_cracklib_ucredit" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ucredit</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of upper case in password</description>
              <value>-1</value>
              <value selector="2">-2</value>
              <value selector="1">-1</value>
              <value selector="0">0</value>
            </Value>
            <Value id="var_password_pam_cracklib_difok" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">difok</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of characters not present in old
password</description>
              <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Keep this high for short
passwords</warning>
              <value>4</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
              <value selector="4">4</value>
              <value selector="5">5</value>
            </Value>
            <Value id="var_password_pam_cracklib_maxrepeat" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">maxrepeat</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimum number of consecutive repeating characters</description>
              <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Keep this high for short
passwords</warning>
              <value>3</value>
              <value selector="2">2</value>
              <value selector="3">3</value>
              <value selector="4">4</value>
              <value selector="5">5</value>
            </Value>
            <Value id="var_accounts_password_pam_tally_deny" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_deny</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of failed login attempts before account lockout</description>
              <value>3</value>
              <value selector="3">3</value>
              <value selector="5">5</value>
              <value selector="10">10</value>
            </Value>
            <Value id="var_accounts_passwords_pam_faillock_unlock_time" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_unlock_time</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Seconds before automatic unlocking after excessive failed logins</description>
              <value>604800</value>
              <value selector="900">900</value>
              <value selector="1800">1800</value>
              <value selector="3600">3600</value>
              <value selector="86400">86400</value>
              <value selector="604800">604800</value>
            </Value>
            <Value id="var_accounts_passwords_pam_faillock_fail_interval" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fail_interval</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Interval for counting failed login attempts before account lockout</description>
              <value>900</value>
              <value selector="900">900</value>
              <value selector="1800">1800</value>
              <value selector="3600">3600</value>
              <value selector="86400">86400</value>
              <value selector="100000000">100000000</value>
            </Value>
            <Value id="password_history_retain_number" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">remember</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The last n passwords for each user are saved in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/opasswd</html:code> in order to force password change history and
keep the user from alternating between the same password too frequently.</description>
              <value>24</value>
              <value selector="0">0</value>
              <value selector="5">5</value>
              <value selector="10">10</value>
              <value selector="24">24</value>
            </Value>
            <Rule id="accounts_cracklib_present" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Include Cracklib Password Module</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure the cracklib password module is being enforced and its configuration 
is not being overwritten by authconfig, the cracklib module must be defined in /etc/pam.d/system-auth. 
Additionally, the /etc/pam.d/passwd file must ensure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">password include</html:code> statement points to 
system-auth and not system-auth-ac.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">189</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
An easily guessable password provides an open door to any external or internal malicious intruder.  
Many computer compromises occur as the result of account name and password guessing.  
This is generally done by someone with an automated script that uses repeated logon attempts until 
the correct account and password pair is guessed.  Utilities, such as cracklib, can be used to 
validate passwords are not dictionary words and meet other criteria during password changes.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000790</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_cracklib_present" complexity="low" disruption="low" reboot="false" strategy="configure">authconfig --updateall
if [ -e /etc/pam.d/system-auth-ac ]; then
	sed -i '/password.*include.*system-auth-ac/ipassword    required     pam_cracklib.so' /etc/pam.d/system-auth
else
	sed -i '/password.*unix.so/ipassword    required     pam_cracklib.so' /etc/pam.d/system-auth
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:ssg-accounts_cracklib_present:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_cracklib_present_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_minlen" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Minimum Length</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify password length requirements for new accounts,
edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> and add or correct the following
lines:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PASS_MIN_LEN 14</html:pre>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The DoD requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">14</html:code>. 
The FISMA requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">12</html:code>.
If a program consults <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/login.defs</html:code> and also another PAM module
(such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_cracklib</html:code>) during a password change operation,
then the most restrictive must be satisfied. See PAM section
for more information about enforcing password quality requirements.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">205</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000585</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_minlen" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_minlen="<sub idref="var_password_pam_cracklib_minlen"/>"

if [ $(grep -c "minlen=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/minlen=[0-9]*/minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "minlen=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/minlen=[0-9]*/minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ minlen=$var_password_pam_cracklib_minlen/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_minlen:var:1" value-id="var_password_pam_cracklib_minlen"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_minlen:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_minlen_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_maxrepeat" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password to Maximum of Three Consecutive Repeating Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxrepeat</html:code> parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">maxrepeat=3</html:code>
after pam_cracklib.so to prevent a run of four or more identical characters.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000680</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_maxrepeat" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_maxrepeat="<sub idref="var_password_pam_cracklib_maxrepeat"/>"

if [ $(grep -c "maxrepeat=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/maxrepeat=[0-9]*/maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "maxrepeat=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/maxrepeat=[0-9]*/maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ maxrepeat=$var_password_pam_cracklib_maxrepeat/" /etc/pam.d/system-auth-ac
	fi
fi</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_maxrepeat:var:1" value-id="var_password_pam_cracklib_maxrepeat"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_maxrepeat:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_maxrepeat_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_dcredit" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Digit Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit</html:code> parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each digit.  
Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">dcredit=-1</html:code> after pam_cracklib.so to require use of a digit in passwords.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">194</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring digits makes password guessing attacks more difficult by ensuring a larger
search space.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000620</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_dcredit" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_dcredit="<sub idref="var_password_pam_cracklib_dcredit"/>"

if [ $(grep -c "dcredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/dcredit=[0-9]*/dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "dcredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/dcredit=[0-9]*/dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ dcredit=$var_password_pam_cracklib_dcredit/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_dcredit:var:1" value-id="var_password_pam_cracklib_dcredit"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_dcredit:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_dcredit_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_ucredit" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Uppercase Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit=</html:code> parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each uppercase character.
Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">ucredit=-1</html:code> after pam_cracklib.so to require use of an upper case character in passwords.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">192</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring a minimum number of uppercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000600</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_ucredit" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_ucredit="<sub idref="var_password_pam_cracklib_ucredit"/>"

if [ $(grep -c "ucredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/ucredit=[0-9]*/ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "ucredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/ucredit=[0-9]*/ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ ucredit=$var_password_pam_cracklib_ucredit/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_ucredit:var:1" value-id="var_password_pam_cracklib_ucredit"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_ucredit:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_ucredit_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_ocredit" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Special Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">ocredit=</html:code> parameter controls requirements for
usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each special character.
Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">ocredit=-1</html:code> after pam_cracklib.so to require use of a special character in passwords.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1619</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000640</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_ocredit" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_ocredit="<sub idref="var_password_pam_cracklib_ocredit"/>"

if [ $(grep -c "ocredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/ocredit=[0-9]*/ucredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ ocredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "ocredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/ocredit=[0-9]*/ucredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ ocredit=$var_password_pam_cracklib_ocredit/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_ocredit:var:1" value-id="var_password_pam_cracklib_ocredit"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_ocredit:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_ocredit_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_lcredit" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Lowercase Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit=</html:code> parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_cracklib will grant +1 additional
length credit for each lowercase character.
Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">lcredit=-1</html:code> after pam_cracklib.so to require use of a lowercase character in passwords.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">193</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring a minimum number of lowercase characters makes password guessing attacks
more difficult by ensuring a larger search space.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000610</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_lcredit" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_lcredit="<sub idref="var_password_pam_cracklib_lcredit"/>"

if [ $(grep -c "lcredit=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/lcredit=[0-9]*/lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "lcredit=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/lcredit=[0-9]*/lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ lcredit=$var_password_pam_cracklib_lcredit/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_lcredit:var:1" value-id="var_password_pam_cracklib_lcredit"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_lcredit:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_lcredit_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_cracklib_difok" selected="false" severity="low">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Strength Minimum Different Characters</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The pam_cracklib module's <html:code xmlns:html="http://www.w3.org/1999/xhtml">difok</html:code> parameter controls requirements for
usage of different characters during a password change.
Add <html:code xmlns:html="http://www.w3.org/1999/xhtml">difok=<html:i>NUM</html:i></html:code> after pam_cracklib.so to require differing
characters when changing passwords, substituting <html:i xmlns:html="http://www.w3.org/1999/xhtml">NUM</html:i> appropriately.
The DoD requirement is <html:code xmlns:html="http://www.w3.org/1999/xhtml">4</html:code>.
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">195</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Requiring a minimum number of different characters during password changes ensures that
newly changed passwords should not resemble previously compromised ones.
Note that passwords which are changed on compromised systems will still be compromised, however.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000750</ident>
              <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_cracklib_difok" complexity="low" disruption="low" reboot="false" strategy="configure">
var_password_pam_cracklib_difok="<sub idref="var_password_pam_cracklib_difok"/>"

if [ $(grep -c "difok=" /etc/pam.d/system-auth) != 0 ]; then
	sed -i "s/difok=[0-9]*/difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth
else
	sed -i "/password.*pam_cracklib.so/s/$/ difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep -c "difok=" /etc/pam.d/system-auth-ac) != 0 ]; then
		sed -i "s/difok=[0-9]*/difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth-ac
	else
		sed -i "/password.*pam_cracklib.so/s/$/ difok=$var_password_pam_cracklib_difok/" /etc/pam.d/system-auth-ac
	fi
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-var_password_pam_cracklib_difok:var:1" value-id="var_password_pam_cracklib_difok"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_cracklib_difok:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_cracklib_difok_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="accounts_password_pam_unix_remember" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit Password Reuse</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do not allow users to reuse recent passwords. This can
be accomplished by using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">remember</html:code> option for the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix</html:code> PAM
module.  In the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>, append <html:code xmlns:html="http://www.w3.org/1999/xhtml">remember=24</html:code> to the 
line which refers to the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix.so</html:code> module, as shown:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password sufficient pam_unix.so <html:i>existing_options</html:i> remember=24</html:pre>
The DoD and FISMA requirement is 24 passwords.</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">200</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000800</ident>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-password_history_retain_number:var:1" value-id="password_history_retain_number"/>
                <check-content-ref name="oval:ssg-accounts_password_pam_unix_remember:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_unix_remember_ocil:questionnaire:1"/>
              </check>
            </Rule>
          </Group>
        </Group>
        <Group id="authentication_failure_handling">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Authentication Failure Actions</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system should be configured to handle authentication 
failures so that password cracking attempts are mitigated.
</description>
          <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Locking out user accounts presents the
risk of a denial-of-service attack. The lockout policy
must weigh whether the risk of such a
denial-of-service attack outweighs the benefits of thwarting
password guessing attacks.</warning>
          <Rule id="accounts_password_pam_tally_deny" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Deny For Failed Password Attempts</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To configure the system to lock out accounts after a number of incorrect login
attempts using <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_faillock.so</html:code>:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Add the following lines immediately below the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix.so</html:code> statement in <html:code xmlns:html="http://www.w3.org/1999/xhtml">AUTH</html:code> section of
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLO-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLO-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">44</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Locking out user accounts after a number of incorrect attempts
prevents direct password guessing attacks.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000460</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_password_pam_tally_deny" complexity="low" disruption="low" reboot="false" strategy="configure">
var_accounts_password_pam_tally_deny="<sub idref="var_accounts_password_pam_tally_deny"/>"

if [ $(grep auth.*required.*pam_tally2 /etc/pam.d/system-auth | grep -c "deny=") != 0 ]; then
	sed -i "/account.*required.*pam_tally/s/deny=[0-9]*/deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
elif [ $(grep -c "auth.*required.*pam_tally2" /etc/pam.d/system-auth) = 0 ]; then
	if [ $(grep -c "pam_tally.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i "s/pam_tally.so/pam_tally2.so/g" /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*include.*system-auth-ac" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth\s*include\s*system-auth-ac\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*pam_unix.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth.*pam_unix.so\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	elif [ $(grep -c "auth.*pam_deny.so" /etc/pam.d/system-auth) != 0 ]; then
		sed -i 's/\(auth.*pam_deny.so\)/auth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	else
		sed -i ':a;N;$!ba;s/\([\n]*[#]*[\s]*account\)/\nauth        required     pam_tally2.so\n\1/' /etc/pam.d/system-auth
	fi
	sed -i "/auth.*pam_tally/s/$/ deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
else
	sed -i "/auth.*pam_tally/s/$/ deny=${var_accounts_password_pam_tally_deny}/" /etc/pam.d/system-auth
fi
if [ ! -e /var/log/tallylog ]; then
	&gt;/var/log/tallylog
fi
chmod 640 /var/log/tallylog
chown root:root /var/log/tallylog
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-var_accounts_password_pam_tally_deny:var:1" value-id="var_accounts_password_pam_tally_deny"/>
              <check-content-ref name="oval:ssg-accounts_password_pam_tally_deny:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_password_pam_tally_deny_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="accounts_fail_delay" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Delay Between Failed Password Attempts</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Check the value of the FAIL_DELAY variable and the ability to use it.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLO-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLO-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">43</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Enforcing a delay between successive failed login attempts increases protection against automated 
password guessing attacks.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000480</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_fail_delay" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(grep -c ^FAIL_DELAY /etc/login.defs) != 0 ]; then
	sed -i 's/^FAIL_DELAY.*[0-9]*/FAIL_DELAY 4/' /etc/login.defs
else
	echo "FAIL_DELAY 4" | tee -a /etc/login.defs &amp;&gt;/dev/null
fi

if [ $(grep -c pam_faildelay.so /etc/pam.d/system-auth) != 0 ]; then
	if [ $(grep -c pam_faildelay.so.*delay\= /etc/pam.d/system-auth) != 0 ]; then
		sed -i '/pam_faildelay.so/s/\(delay=\)[0-9]*/\14000000/' /etc/pam.d/system-auth
	else
		sed -i '/pam_faildelay.so/s/$/ delay=4000000/' /etc/pam.d/system-auth
	fi
else
	sed -i '/auth.*include.*system-auth-ac/iauth        optional     pam_faildelay.so delay=4000000' /etc/pam.d/system-auth
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_fail_delay:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="set_password_hashing_algorithm">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Hashing Algorithm</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's default algorithm for storing password hashes in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/shadow</html:code> is SHA-512. This can be configured in several
locations.</description>
          <Rule id="set_password_hashing_algorithm_systemauth" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Password Hashing Algorithm in /etc/pam.d/system-auth</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
In <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</html:code>, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">password</html:code> section of
the file controls which PAM modules execute during a password change.
Set the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pam_unix.so</html:code> module in the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">password</html:code> section to include the argument <html:code xmlns:html="http://www.w3.org/1999/xhtml">sha512</html:code>, as shown below:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password    sufficient    pam_unix.so sha512 <html:i>other arguments...</html:i></html:pre>
This will help ensure when local users change their passwords, hashes for the new
passwords will be generated using the SHA-512 algorithm.
This is the default.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">803</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Using a stronger hashing algorithm makes password cracking attacks more difficult.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000590</ident>
            <fix system="urn:xccdf:fix:script:sh" id="set_password_hashing_algorithm_systemauth" complexity="low" disruption="low" reboot="false" strategy="disable">if [ $(grep "password.*pam_unix.so" /etc/pam.d/system-auth | egrep -c '(descrypt|bigcrypt|md5|sha256)') != 0 ]; then
	sed -i '/password.*pam_unix.so/s/\(descrypt\|bigcrypt\|md5\|sha256\)/sha512/' /etc/pam.d/system-auth
else
	sed -i '/password.*pam_unix.so/s/$/ sha512/' /etc/pam.d/system-auth
fi
if [ -e /etc/pam.d/system-auth-ac ]; then
	if [ $(grep "password.*pam_unix.so" /etc/pam.d/system-auth-ac | egrep -c '(descrypt|bigcrypt|md5|sha256)') != 0 ]; then
		sed -i '/password.*pam_unix.so/s/\(descrypt\|bigcrypt\|md5\|sha256\)/sha512/' /etc/pam.d/system-auth-ac
	else
		sed -i '/password.*pam_unix.so/s/$/ sha512/' /etc/pam.d/system-auth-ac
	fi
fi</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-set_password_hashing_algorithm_systemauth:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-set_password_hashing_algorithm_systemauth_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="accounts-session">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Secure Session Configuration Files for Login Accounts</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user logs into a Unix account, the system
configures the user's session by reading a number of files. Many of
these files are located in the user's home directory, and may have
weak permissions as a result of user error or misconfiguration. If
an attacker can modify or even read certain types of account
configuration information, they can often gain full access to the
affected user's account. Therefore, it is important to test and
correct configuration file permissions for interactive accounts,
particularly those of privileged users such as root or system
administrators.</description>
        <Value id="max_concurrent_login_sessions_value" operator="equals" type="number">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum concurrent login sessions</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum number of concurrent sessions by a user</description>
          <value>1</value>
          <value selector="1">1</value>
          <value selector="3">3</value>
          <value selector="5">5</value>
          <value selector="10">10</value>
          <value selector="15">15</value>
          <value selector="20">20</value>
        </Value>
        <Rule id="accounts_max_concurrent_login_sessions" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the Number of Concurrent Login Sessions Allowed Per User</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Limiting the number of allowed users and sessions per user can limit risks related to Denial of 
Service attacks. This addresses concurrent sessions for a single account and does not address 
concurrent sessions by a single user via multiple accounts.  The DoD requirement is 10.   To set the number of concurrent
sessions per user add the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/security/limits.conf</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">* hard maxlogins 10</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">54</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limiting simultaneous user logins can insulate the system from denial of service 
problems caused by excessive logins. Automated login processes operating improperly or 
maliciously may result in an exceptional number of simultaneous login sessions.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000450</ident>
          <fix system="urn:xccdf:fix:script:sh" id="accounts_max_concurrent_login_sessions" complexity="low" disruption="low" reboot="false" strategy="disable">
max_concurrent_login_sessions_value="<sub idref="max_concurrent_login_sessions_value"/>"

if [ $(grep -v "#" /etc/security/limits.conf | grep -c "maxlogins") = "0" ]; then
	echo "* hard maxlogins ${max_concurrent_login_sessions_value}" &gt;&gt;/etc/security/limits.conf
else
	sed -i 's/.*maxlogins.*/* hard maxlogins ${max_concurrent_login_sessions_value}/' /etc/security/limits.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-max_concurrent_login_sessions_value:var:1" value-id="max_concurrent_login_sessions_value"/>
            <check-content-ref name="oval:ssg-accounts_max_concurrent_login_sessions:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="root_paths">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that No Dangerous Directories Exist in Root's Path</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The active path of the root account can be obtained by
starting a new root shell and running:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># echo $PATH</html:pre>
This will produce a colon-separated list of
directories in the path.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Certain path elements could be considered dangerous, as they could lead
to root executing unknown or
untrusted programs, which could contain malicious
code.
Since root may sometimes work inside
untrusted directories, the <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character, which represents the
current directory, should never be in the root path, nor should any
directory which can be written to by an unprivileged or
semi-privileged (system) user.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
It is a good practice for administrators to always execute
privileged commands by typing the full path to the
command.</description>
          <Rule id="accounts_executable_dangerous_path_for_root" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Root's PATH Variable Only Includes Absolute Paths</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensure that none of the directories in root's executable path is equal to a single
<html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character, or
that it contains any instances that lead to relative path traversal, such as
<html:code xmlns:html="http://www.w3.org/1999/xhtml">..</html:code> or beginning a path without the slash (<html:code xmlns:html="http://www.w3.org/1999/xhtml">/</html:code>) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin</html:pre>
These empty elements have the same effect as a single <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Including these entries increases the risk that root could
execute code from an untrusted location.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000940</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_executable_dangerous_path_for_root:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="accounts_library_dangerous_path_for_root" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Root's LD_LIBRARY_PATH Variable Only Includes Absolute Paths</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Ensure that none of the directories in root's library path is equal to a single
<html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character, or
that it contains any instances that lead to relative path traversal, such as
<html:code xmlns:html="http://www.w3.org/1999/xhtml">..</html:code> or beginning a path without the slash (<html:code xmlns:html="http://www.w3.org/1999/xhtml">/</html:code>) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">LD_LIBRARY_PATH=:/lib
LD_LIBRARY_PATH=/lib:
LD_LIBRARY_PATH=/lib::/usr/lib</html:pre>
These empty elements have the same effect as a single <html:code xmlns:html="http://www.w3.org/1999/xhtml">.</html:code> character.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Including these entries increases the risk that root could
execute code from an untrusted location.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000945</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_library_dangerous_path_for_root:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="accounts_root_path_dirs_no_write" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Root's Path Does Not Include World or Group-Writable Directories</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
For each element in root's path, run:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -ld <html:i>DIR</html:i></html:pre>
and ensure that write permissions are disabled for group and
other.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000960</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-accounts_root_path_dirs_no_write:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="user_umask">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure that Users Have Sensible Umask Values</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The umask setting controls the default permissions
for the creation of new files.
With a default <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> setting of 077, files and directories
created by users will not be readable by any other user on the
system. Users who wish to make specific files group- or
world-readable can accomplish this by using the chmod command.
Additionally, users can make all their files readable to their
group by default by setting a <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> of 027 in their shell
configuration files. If default per-user groups exist (that is, if
every user has a default group whose name is the same as that
user's username and whose only member is the user), then it may
even be safe for users to select a <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> of 007, making it very
easy to intentionally share files with groups of which the user is
a member.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>

</description>
          <Value id="var_accounts_user_umask" operator="equals" type="string">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Sensible umask</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter default user umask</description>
            <value>027</value>
            <value selector="007">007</value>
            <value selector="022">022</value>
            <value selector="027">027</value>
            <value selector="077">077</value>
          </Value>
          <Rule id="accounts_umask" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure the Default Umask is Set Correctly</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To ensure the default umask for users is set properly,
add or correct the <html:code xmlns:html="http://www.w3.org/1999/xhtml">umask</html:code> setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/bashrc</html:code> to read
as follows:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">umask 077</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002560</ident>
            <fix system="urn:xccdf:fix:script:sh" id="accounts_umask" complexity="low" disruption="low" reboot="false" strategy="configure">
var_accounts_user_umask="<sub idref="var_accounts_user_umask"/>"

egrep -li ^[[:blank:]]*umask `find /etc /root /home/* -maxdepth 1 -type f 2&gt;/dev/null` | while read FILE; do
	sed -i "s/\([uU][mM][aA][sS][kK]\s*[=]*\s*\)[0-9]*/\1${var_accounts_user_umask}/" "${FILE}"
done

</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="var_accounts_user_umask"/>
              <check-content-ref name="oval:ssg-accounts_umask:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-accounts_umask_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="shells_file_references" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All User Login Shells Are In The Shells File</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To ensure all login shells are included in /etc/shells, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># for USHELL in `cut -d: -f7 /etc/passwd`; do if [ $(grep -c "${USHELL}" /etc/shells) == 0 ]; then echo "${USHELL} not in /etc/shells"; fi; done</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The shells file lists approved default shells. It helps provide layered defense 
to the security approach by ensuring users cannot change their default shell to an unauthorized 
unsecure shell.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002140</ident>
            <fix system="urn:xccdf:fix:script:sh" id="shells_file_references" complexity="low" disruption="low" reboot="false" strategy="configure">for USHELL in `cut -d: -f7 /etc/passwd | egrep -v '(/usr/bin/false|/bin/false|/dev/null|/sbin/nologin|/bin/sync|/sbin/halt|/sbin/shutdown)' | uniq`; do
	if [ "$(grep -c "${USHELL}" /etc/shells)" = "0" ]; then
		echo "${USHELL}" &gt;&gt; /etc/shells
	fi
done
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-shells_file_references:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="accounts-physical">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Protect Physical Console Access</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">It is impossible to fully protect a system from an
attacker with physical access, so securing the space in which the
system is located should be considered a necessary step. However,
there are some steps which, if taken, make it more difficult for an
attacker to quickly or undetectably modify a system from its
console.</description>
        <Group id="bootloader">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Boot Loader Password</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">During the boot process, the boot loader is
responsible for starting the execution of the kernel and passing
options to it. The boot loader allows for the selection of
different kernels - possibly on different partitions or media.
The default Red Hat Enterprise Linux boot loader for x86 systems is called GRUB.
Options it can pass to the kernel include <html:i xmlns:html="http://www.w3.org/1999/xhtml">single-user mode</html:i>, which
provides root access without any authentication, and the ability to
disable SELinux. To prevent local users from modifying the boot
parameters and endangering security, protect the boot loader configuration
with a password and ensure its configuration file's permissions
are set properly.
</description>
          <Rule id="bootloader_exists" selected="false" severity="high">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify /boot/grub/grub.conf Exists</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/boot/grub/grub.conf</html:code> should exist.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
GRUB is a versatile boot loader used by several platforms that 
can provide authentication for access to the system or boot loader.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008660</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-bootloader_exists:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="file_owner_grub_conf" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify /etc/grub.conf User Ownership</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code> should 
be owned by the <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> user to prevent destruction 
or modification of the file.

    To properly set the owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chown root /etc/grub.conf </html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Only root should be able to modify important boot parameters.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008760</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_owner_grub_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown root /etc/grub.conf /boot/grub/grub.conf</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_owner_grub_conf:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_owner_grub_conf_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_groupowner_grub_conf" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify /etc/grub.conf Group Ownership</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code> should 
be group-owned by the <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> group to prevent 
destruction or modification of the file.

    To properly set the group owner of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chgrp root /etc/grub.conf </html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">root</html:code> group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008780</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_groupowner_grub_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chown :root /etc/grub.conf</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_groupowner_grub_conf:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_groupowner_grub_conf_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_grub_conf" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify /boot/grub/grub.conf Permissions</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">File permissions for <html:code xmlns:html="http://www.w3.org/1999/xhtml">/boot/grub/grub.conf</html:code> should be set to 600, which
is the default.

    To properly set the permissions of <html:code xmlns:html="http://www.w3.org/1999/xhtml">/boot/grub/grub.conf</html:code>, run the command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo chmod 600 /boot/grub/grub.conf</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Proper permissions ensure that only the root user can modify important boot
parameters.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008720</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_grub_conf" complexity="low" disruption="low" reboot="false" strategy="configure">chmod 0600 /etc/grub.conf /boot/grub/grub.conf</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_grub_conf:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_grub_conf_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="file_permissions_extended_grub_conf" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify /boot/grub/grub.conf Extended ACLs</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system's boot loader configuration file(s) must 
not have extended ACLs.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Proper permissions ensure that only the root user can modify important boot
parameters.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008740</ident>
            <fix system="urn:xccdf:fix:script:sh" id="file_permissions_extended_grub_conf" complexity="low" disruption="low" reboot="false" strategy="configure">setfacl --remove-all /etc/grub.conf /boot/grub/grub.conf</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-file_permissions_extended_grub_conf:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-file_permissions_extended_grub_conf_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="bootloader_password" selected="false" severity="high">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Boot Loader Password</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The grub boot loader should have password protection
enabled to protect boot-time settings.
To do so, select a password and then generate a hash from it by running the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># /sbin/grub-md5-crypt</html:pre>
When prompted to enter a password, insert the following line into <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>
immediately after the header comments. (Use the output from <html:code xmlns:html="http://www.w3.org/1999/xhtml">grub-md5-crypt</html:code> as the
value of <html:b xmlns:html="http://www.w3.org/1999/xhtml">password-hash</html:b>):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password --md5 <html:b>password-hash</html:b></html:pre>
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008700</ident>
            <fix system="urn:xccdf:fix:script:sh" id="bootloader_password" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /tmp/GRUB.TMP ]; then
	/sbin/grub-md5-crypt &lt; /tmp/GRUB.TMP &amp;&gt; /tmp/GRUB.TMP.out
	md5crypt=`tail -n1 /tmp/GRUB.TMP.out`
	if [ -f /boot/grub/grub.conf ] &amp;&amp; [ ! -h /boot/grub/grub.conf ]; then
		if [ "$(grep -c '^password' /boot/grub/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /boot/grub/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /boot/grub/grub.conf
		fi
	fi
	if [ -f /etc/grub.conf ] &amp;&amp; [ ! -h /etc/grub.conf ]; then
		if [ "$(grep -c '^password' /etc/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /etc/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /etc/grub.conf
		fi
	fi
	rm -f /tmp/GRUB.TMP /tmp/GRUB.TMP.out
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-bootloader_password:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-bootloader_password_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="bootloader_password_hash" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set Boot Loader Password Hash</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The grub boot loader password should be protected by being hashed with an approved 
hash algorithm, such as md5.
To do so, select a password and then generate a hash from it by running the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># /sbin/grub-md5-crypt</html:pre>
When prompted to enter a password, insert the following line into <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>
immediately after the header comments. (Use the output from <html:code xmlns:html="http://www.w3.org/1999/xhtml">grub-md5-crypt</html:code> as the
value of <html:b xmlns:html="http://www.w3.org/1999/xhtml">password-hash</html:b>):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">password --md5 <html:b>password-hash</html:b></html:pre>
NOTE: To meet FISMA Moderate, the bootloader password MUST differ from the root password.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008710</ident>
            <fix system="urn:xccdf:fix:script:sh" id="bootloader_password_hash" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /tmp/GRUB.TMP ]; then
	/sbin/grub-md5-crypt &lt; /tmp/GRUB.TMP &amp;&gt; /tmp/GRUB.TMP.out
	md5crypt=`tail -n1 /tmp/GRUB.TMP.out`
	if [ -f /boot/grub/grub.conf ] &amp;&amp; [ ! -h /boot/grub/grub.conf ]; then
		if [ "$(grep -c '^password' /boot/grub/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /boot/grub/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /boot/grub/grub.conf
		fi
	fi
	if [ -f /etc/grub.conf ] &amp;&amp; [ ! -h /etc/grub.conf ]; then
		if [ "$(grep -c '^password' /etc/grub.conf)" = "0" ]; then
			sed -i "/timeout/apassword --md5 ${md5crypt}" /etc/grub.conf
		else
			sed -i "s/^password .*/password --md5 ${md5crypt}/" /etc/grub.conf
		fi
	fi
	rm -f /tmp/GRUB.TMP /tmp/GRUB.TMP.out
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-bootloader_password_hash:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-bootloader_password_hash_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Rule id="require_singleuser_auth" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Require Authentication for Single User Mode</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup. By default, no authentication
is performed if single-user mode is selected.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To require entry of the root password even if the system is
started in single-user mode, add or correct the following line in the
file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/inittab</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">~:S:wait:/sbin/sulogin</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">213</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000020</ident>
          <fix system="urn:xccdf:fix:script:sh" id="require_singleuser_auth" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q :S: /etc/inittab &amp;&amp; \
  sed -i "s/.*:S:.*/~:S:wait:\/sbin\/sulogin/g" /etc/inittab
if ! [ $? -eq 0 ]; then
    echo "~:S:wait:/sbin/sulogin" &gt;&gt; /etc/inittab
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-require_singleuser_auth:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-require_singleuser_auth_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="disable_ctrlaltdel_reboot" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
By default, the system includes the following line in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</html:code>
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</html:pre>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot.
In the GNOME graphical environment, risk of unintentional reboot from the
Ctrl-Alt-Del sequence is reduced because the user will be
prompted before any action is taken.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00580</ident>
          <fix system="urn:xccdf:fix:script:sh" id="disable_ctrlaltdel_reboot" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i 's/^.*:ctrlaltdel:.*\(shutdown\|reboot\).*/ca:nil:ctrlaltdel:\/usr\/bin\/logger -p security.info "Ctrl-Alt-Del was pressed"/' /etc/inittab
	</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-disable_ctrlaltdel_reboot:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-disable_ctrlaltdel_reboot_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="screen_locking">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Screen Locking</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When a user must temporarily leave an account
logged-in, screen locking should be employed to prevent passersby
from abusing the account. User education and training is
particularly important for screen locking to be effective, and policies
can be implemented to reinforce this.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Automatic screen locking is only meant as a safeguard for
those cases where a user forgot to lock the screen.</description>
          <Group id="gui_screen_locking">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure GUI Screen Locking</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default GNOME desktop, the screen can be locked
by choosing <html:b xmlns:html="http://www.w3.org/1999/xhtml">Lock Screen</html:b> from the <html:b xmlns:html="http://www.w3.org/1999/xhtml">System</html:b> menu.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">gconftool-2</html:code> program can be used to enforce mandatory
screen locking settings for the default GNOME environment.
The
following sections detail commands to enforce idle activation of the screen saver,
screen locking, a blank-screen screensaver, and an idle
activation time.

<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Because users should be trained to lock the screen when they
step away from the computer, the automatic locking feature is only
meant as a backup. The Lock Screen icon from the System menu can
also be dragged to the taskbar in order to facilitate even more
convenient screen-locking.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The root account cannot be screen-locked, but this should
have no practical effect as the root account should <html:i xmlns:html="http://www.w3.org/1999/xhtml">never</html:i> be used
to log into an X Windows environment, and should only be used to
for direct login via console in emergency circumstances.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For more information about configuring GNOME screensaver, see
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://live.gnome.org/GnomeScreensaver">http://live.gnome.org/GnomeScreensaver</html:a>. For more information about
enforcing preferences in the GNOME environment using the GConf
configuration system, see <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://projects.gnome.org/gconf">http://projects.gnome.org/gconf</html:a> and
the man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">gconftool-2(1)</html:code>.</description>
            <Value id="inactivity_timeout_value" operator="equals" type="number">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Inactivity timeout</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
              <value>15</value>
              <value selector="5_minutes">5</value>
              <value selector="10_minutes">10</value>
              <value selector="15_minutes">15</value>
            </Value>
            <Rule id="gconf_gnome_screensaver_idle_delay" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Set GNOME Login Inactivity Timeout</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Run the following command to set the idle time-out value for
inactivity in the GNOME desktop to 15 minutes:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># gconftool-2 \
  --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type int \
  --set /apps/gnome-screensaver/idle_delay 15</html:pre>
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">PESL-1</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Setting the idle delay controls when the
screensaver will start, and can be combined with
screen locking to prevent access from passersby.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000500-2</ident>
              <fix system="urn:xccdf:fix:script:sh" id="gconf_gnome_screensaver_idle_delay" complexity="low" disruption="low" reboot="false" strategy="configure">gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15 &amp;&gt;/dev/null
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-inactivity_timeout_value:var:1" value-id="inactivity_timeout_value"/>
                <check-content-ref name="oval:ssg-gconf_gnome_screensaver_idle_delay:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-gconf_gnome_screensaver_idle_delay_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="gconf_gnome_screensaver_idle_activation_enabled" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">GNOME Desktop Screensaver Mandatory Use</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Run the following command to activate the screensaver
in the GNOME desktop after a period of inactivity:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/idle_activation_enabled true</html:pre>
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">PESL-1</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Enabling idle activation of the screen saver ensures the screensaver will
be activated after the idle delay.  Applications requiring continuous,
real-time screen display (such as network management products) require the
login session does not have administrator rights and the display station is located in a
controlled-access area.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000500</ident>
              <fix system="urn:xccdf:fix:script:sh" id="gconf_gnome_screensaver_idle_activation_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true &amp;&gt;/dev/null
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:ssg-gconf_gnome_screensaver_idle_activation_enabled:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-gconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="gconf_gnome_screensaver_lock_enabled" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Screen Lock Activation After Idle Period</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Run the following command to activate locking of the screensaver
in the GNOME desktop when it is activated:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  --type bool \
  --set /apps/gnome-screensaver/lock_enabled true</html:pre>
</description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">PESL-1</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">57</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Enabling the activation of the screen lock after an idle period
ensures password entry will be required in order to
access the system, preventing access by passersby.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000500-3</ident>
              <fix system="urn:xccdf:fix:script:sh" id="gconf_gnome_screensaver_lock_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true &amp;&gt;/dev/null
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:ssg-gconf_gnome_screensaver_lock_enabled:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-gconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1"/>
              </check>
            </Rule>
          </Group>
          <Group id="console_screen_locking">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Console Screen Locking</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A console screen locking mechanism is provided in the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">screen</html:code> package, which is not installed by default.
</description>
            <Group id="smart_card_login">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Hardware Tokens for Authentication</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username/password.
In Red Hat Enterprise Linux servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
</description>
              <Rule id="smartcard_auth" selected="false" severity="medium">
                <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Smart Card Login</title>
                <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To enable smart card authentication, consult the documentation at:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:a href="https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html">https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</html:a></html:li></html:ul>
</description>
                <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
                <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
                <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">768</reference>
                <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Smart card login provides two-factor authentication stronger than
that provided by a username/password combination. Smart cards leverage a PKI
(public key infrastructure) in order to provide and verify credentials.
</rationale>
                <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN009120</ident>
                <check system="http://scap.nist.gov/schema/ocil/2">
                  <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-smartcard_auth_ocil:questionnaire:1"/>
                </check>
              </Rule>
            </Group>
          </Group>
        </Group>
      </Group>
      <Group id="accounts-banners">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Warning Banners for System Accesses</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Each system should expose as little information about
itself as possible.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
System banners, which are typically displayed just before a
login prompt, give out information about the service or the host's
operating system. This might include the distribution name and the
system kernel version, and the particular version of a network
service. This information can assist intruders in gaining access to
the system as it can reveal whether the system is running
vulnerable software. Most network services can be configured to
limit what information is displayed.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Many organizations implement security policies that require a
system banner provide notice of the system's ownership, provide
warning to unauthorized users, and remind authorized users of their
consent to monitoring.</description>
        <Value id="system_login_banner_text" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Login Banner Verbiage</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
          <value selector="usgcb_default">
-- WARNING --[\s\n]*This system is for the use of authorized users only. Individuals[\s\n]*using this computer system without authority or in excess of their[\s\n]*authority are subject to having all their activities on this system[\s\n]*monitored and recorded by system personnel. Anyone using this[\s\n]*system expressly consents to such monitoring and is advised that[\s\n]*if such monitoring reveals possible evidence of criminal activity[\s\n]*system personal may provide the evidence of such monitoring to law[\s\n]*enforcement officials.</value>
          <value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
          <value selector="dod_short">I\'ve read \&amp; consent to terms in IS user agreem\'t.</value>
        </Value>
        <Value id="ftp_login_banner_text" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Login Banner Verbiage</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
          <value selector="usgcb_default">
-- WARNING --[\s\n]*This system is for the use of authorized users only. Individuals[\s\n]*using this computer system without authority or in excess of their[\s\n]*authority are subject to having all their activities on this system[\s\n]*monitored and recorded by system personnel. Anyone using this[\s\n]*system expressly consents to such monitoring and is advised that[\s\n]*if such monitoring reveals possible evidence of criminal activity[\s\n]*system personal may provide the evidence of such monitoring to law[\s\n]*enforcement officials.</value>
          <value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
          <value selector="dod_short">I\'ve read \&amp; consent to terms in IS user agreem\'t.</value>
        </Value>
        <Value id="gui_login_banner_text" operator="equals" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Login Banner Verbiage</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enter an appropriate login banner for your organization. Please note that new lines must
be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\'.</description>
          <value selector="usgcb_default">
-- WARNING --[\s\n]*This system is for the use of authorized users only. Individuals[\s\n]*using this computer system without authority or in excess of their[\s\n]*authority are subject to having all their activities on this system[\s\n]*monitored and recorded by system personnel. Anyone using this[\s\n]*system expressly consents to such monitoring and is advised that[\s\n]*if such monitoring reveals possible evidence of criminal activity[\s\n]*system personal may provide the evidence of such monitoring to law[\s\n]*enforcement officials.</value>
          <value selector="dod_default">You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:[\s\n]*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.[\s\n]*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.[\s\n]*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.[\s\n]*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests[\s\n]+--[\s\n]+not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.[\s\n]*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.</value>
          <value selector="dod_short">I\'ve read \&amp; consent to terms in IS user agreem\'t.</value>
        </Value>
        <Rule id="banner_etc_issue" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Modify the System Login Banner</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To configure the system login banner:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/issue</html:code>. Replace the default text with a message
compliant with the local site policy or a legal disclaimer.

The DoD required text is either:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:code xmlns:html="http://www.w3.org/1999/xhtml">You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any
device attached to this IS), you consent to the following conditions: 
<html:br/>-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations. 
<html:br/>-At any time, the USG may inspect and seize data stored on this IS. 
<html:br/>-Communications using, or data stored on, this IS are not private, are subject 
to routine monitoring, interception, and search, and may be disclosed or used 
for any USG-authorized purpose. 
<html:br/>-This IS includes security measures (e.g., authentication and access controls) 
to protect USG interests -- not for your personal benefit or privacy. 
<html:br/>-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative
searching or monitoring of the content of privileged communications, or work
product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.</html:code>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
OR:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:code xmlns:html="http://www.w3.org/1999/xhtml">I've read &amp; consent to terms in IS user agreem't.</html:code>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECWM-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000400</ident>
          <fix system="urn:xccdf:fix:script:sh" id="banner_etc_issue" complexity="low" disruption="low" reboot="false" strategy="configure">
system_login_banner_text="<sub idref="system_login_banner_text"/>"

echo $system_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;amp;/\&amp;/g' -e 's/\\//g' -e 's/ - /\n- /g' &gt;/etc/issue
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-system_login_banner_text:var:1" value-id="system_login_banner_text"/>
            <check-content-ref name="oval:ssg-banner_etc_issue:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-banner_etc_issue_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ftp_enable_warning_banner" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Create Warning Banners for All FTP Users</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the vsftpd configuration file, which resides at <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</html:code>
by default. Add or correct the following configuration options:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">banner_file=/etc/issue</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECWM-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This setting will cause the system greeting banner to be used for FTP connections as well.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000410</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ftp_enable_warning_banner" complexity="low" disruption="low" reboot="false" strategy="configure">
ftp_login_banner_text="<sub idref="ftp_login_banner_text"/>"

if [ -e /etc/xinetd.d/gssftp ]; then
	if [ "`egrep -c '^(\s|\t)banner' /etc/xinetd.d/gssftp`" = "0" ]; then
		sed -i "/^}$/i\\\tbanner\t\t= /etc/issue" /etc/xinetd.d/gssftp
	else
		GSSFTP_BANNER_FILE="`egrep '^(\s|\t)banner' /etc/xinetd.d/gssftp | awk '{ print $3 }'`"
		echo $ftp_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;amp;/\&amp;/g' -e 's/\\//g' -e 's/ - /\n- /g' &gt;"${GSSFTP_BANNER_FILE}"
	fi
fi

if [ -e /etc/vsftpd/vsftpd.conf ]; then
	if [ "`egrep -c '^banner_file' /etc/vsftpd/vsftpd.conf`" = "0" ]; then
		echo "banner_file=/etc/issue" &gt;&gt; /etc/vsftpd/vsftpd.conf
	else
		VSFTPD_BANNER_FILE="`egrep '^banner_file' /etc/vsftpd/vsftpd.conf | awk -F= '{ print $2 }'`"
		echo $ftp_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;amp;/\&amp;/g' -e 's/\\//g' -e 's/ - /\n- /g' &gt;"${VSFTPD_BANNER_FILE}"
	fi
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-ftp_login_banner_text:var:1" value-id="ftp_login_banner_text"/>
            <check-content-ref name="oval:ssg-ftp_enable_warning_banner:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ftp_enable_warning_banner_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="gui_login_banner">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Implement a GUI Warning Banner</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In the default graphical environment, users logging
directly into the system are greeted with a login screen provided
by the GNOME Display Manager (GDM). The warning banner should be
displayed in this graphical environment for these users.
The following sections describe how to configure the GDM login
banner.
</description>
          <Rule id="banner_gui_enabled" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable GUI Warning Banner With Proper Text</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To enable displaying a login warning banner in the GNOME
Display Manager's login screen, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">sudo -u gdm gconftool-2 \
  --type bool \
  --set /apps/gdm/simple-greeter/banner_message_enable true</html:pre>
To set the text shown by the GNOME Display Manager
in the login screen, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">sudo -u gdm gconftool-2 \
  --type string \
  --set /apps/gdm/simple-greeter/banner_message_text \
  "Text of the warning banner here"</html:pre>
When entering a warning banner that spans several lines, remember
to begin and end the string with <html:code xmlns:html="http://www.w3.org/1999/xhtml">"</html:code>. This command writes
directly to the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/lib/gdm/.gconf/apps/gdm/simple-greeter/%gconf.xml</html:code>,
and this file can later be edited directly if necessary.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECWM-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
An appropriate warning message reinforces policy awareness during the logon
process and facilitates possible legal action against attackers.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000402</ident>
            <fix system="urn:xccdf:fix:script:sh" id="banner_gui_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">
gui_login_banner_text="<sub idref="gui_login_banner_text"/>"

gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gdm/simple-greeter/banner_message_enable true &amp;&gt;/dev/null
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gdm/simple-greeter/banner_message_text "$(echo $gui_login_banner_text | sed -e 's/\[\\s\\n\][+|*]/ /g' -e 's/\&amp;amp;/\&amp;/g' -e 's/\\//g' -e 's/ - /\n- /g')" &amp;&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-gui_login_banner_text:var:1" value-id="gui_login_banner_text"/>
              <check-content-ref name="oval:ssg-banner_gui_enabled:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-banner_gui_enabled_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="network">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Configuration and Firewalls</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most machines must be connected to a network of some
sort, and this brings with it the substantial risk of network
attack. This section discusses the security impact of decisions
about networking which must be made when configuring a system.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
This section also discusses firewalls, network access
controls, and other network security frameworks, which allow
system-level rules to be written that can limit an attackers' ability
to connect to your system. These rules can specify that network
traffic should be allowed or denied from certain IP addresses,
hosts, and networks. The rules can also specify which of the
system's network services are available to particular hosts or
networks.</description>
      <Group id="network_disable_unused_interfaces">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Unused Interfaces</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network interfaces expand the attack surface of the 
system.  Unused interfaces are not monitored or controlled, and 
should be disabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
If the system does not require network communications but still
needs to use the loopback interface, remove all files of the form
<html:code xmlns:html="http://www.w3.org/1999/xhtml">ifcfg-<html:i>interface</html:i></html:code> except for <html:code xmlns:html="http://www.w3.org/1999/xhtml">ifcfg-lo</html:code> from
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:pre>
If the system is a standalone machine with no need for network access or even
communication over the loopback device, then disable this service.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">network</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig network off</html:pre>
</description>
      </Group>
      <Group id="network_restrict_access">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Access to Network Configuration Changes</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The network configuration should only be allowed to be modified by 
authorized users.</description>
        <Rule id="sysconfig_networking_userctl_ifcfg" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network interfaces must not be configured to allow user control.</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configuration of network interfaces should be limited to privileged users.  
Manipulation of network interfaces may result in a Denial of Service or bypass of network 
security mechanisms.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003581</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sysconfig_networking_userctl_ifcfg" complexity="low" disruption="low" reboot="false" strategy="configure">find /etc/sysconfig/network-scripts/ -name ifcfg-* | while read FILE; do
	sed -i 's/^USERCTL=.*/USERCTL=no/' "${FILE}"
done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sysconfig_networking_userctl_ifcfg:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="network-kernel">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Kernel Parameters Which Affect Networking</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">sysctl</html:code> utility is used to set
parameters which affect the operation of the Linux kernel. Kernel parameters
which affect networking and have security implications are described here.
</description>
        <Group id="network_host_parameters">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Parameters for Hosts Only</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system is not going to be used as a router, then setting certain
kernel parameters ensure that the host will not perform routing
of network traffic.</description>
          <Rule id="sysctl_net_ipv4_conf_send_redirects" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for Sending ICMP Redirects for All Interfaces</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.send_redirects</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.conf.all.send_redirects = 0</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Sending ICMP redirects permits the system to instruct other systems
to update their routing information.  The ability to send ICMP redirects is
only appropriate for systems acting as routers.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003610</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_conf_send_redirects" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/sysctl -q -n -w net.ipv4.conf.all.send_redirects=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.send_redirects=0

if grep --silent ^net.ipv4.conf.all.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.send_redirects.*/net.ipv4.conf.all.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.send_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.send_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.send_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.send_redirects.*/net.ipv4.conf.default.send_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.send_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.send_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_conf_send_redirects:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_send_redirects_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_ip_forward" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for IP Forwarding</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.ip_forward=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.ip_forward = 0</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005600</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_ip_forward" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.ip_forward
#
/sbin/sysctl -q -n -w net.ipv4.ip_forward=0

#
# If net.ipv4.ip_forward present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv4.ip_forward = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.ip_forward /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 0/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.ip_forward to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.ip_forward = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_ip_forward:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_ip_forward_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="network_host_and_router_parameters">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Related Kernel Runtime Parameters for Hosts and Routers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Certain kernel parameters should be set for systems which are
acting as either hosts or routers to improve the system's ability defend
against certain types of IPv4 protocol attacks.</description>
          <Value id="sysctl_net_ipv4_conf_all_accept_source_route_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.accept_source_route</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Trackers could be using source-routed packets to
generate traffic that seems to be intra-net, but actually was
created outside and has been redirected.</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_all_accept_redirects_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.accept_redirects</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_all_secure_redirects_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.secure_redirects</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to prevent hijacking of routing path by only
allowing redirects from gateways known in routing
table.</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_all_log_martians_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.log_martians</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable so you don't Log Spoofed Packets, Source
Routed Packets, Redirect Packets</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_default_accept_source_route_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.accept_source_route</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IP source routing?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_default_accept_redirects_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.accept_redirects</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ICMP Redirect Acceptance?</description>
            <value>0</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_default_secure_redirects_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.secure_redirects</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log packets with impossible addresses to kernel
log?</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.icmp_echo_ignore_broadcasts</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignore all ICMP ECHO and TIMESTAMP requests sent to it
via broadcast/multicast</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.icmp_ignore_bogus_error_responses</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to prevent unnecessary logging</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_tcp_syncookies_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.tcp_syncookies</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to turn on TCP SYN Cookie
Protection</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_tcp_max_syn_backlog_value" operator="equals" type="string">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.tcp_max_syn_backlog</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to turn on TCP SYN Cookie
Protection</description>
            <value>1280</value>
            <value selector="recommended">1280</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_all_rp_filter_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.all.rp_filter</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable to enforce sanity checking, also called ingress
filtering or egress filtering. The point is to drop a packet if the
source and destination IP addresses in the IP header do not make
sense when considered in light of the physical interface on which
it arrived.</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Value id="sysctl_net_ipv4_conf_default_rp_filter_value" operator="equals" type="number">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv4.conf.default.rp_filter</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enables source route verification</description>
            <value>1</value>
            <value selector="enabled">1</value>
            <value selector="disabled">0</value>
          </Value>
          <Rule id="sysctl_net_ipv4_conf_accept_source_route" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for Accepting Source-Routed Packets for All Interfaces</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_source_route</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.conf.all.accept_source_route = 0</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting source-routed packets in the IPv4 protocol has few legitimate
uses. It should be disabled unless it is absolutely required.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003607</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_conf_accept_source_route" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_source_route=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_source_route=0

if grep --silent ^net.ipv4.conf.all.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_source_route.*/net.ipv4.conf.all.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.accept_source_route /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_source_route.*/net.ipv4.conf.default.accept_source_route = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_source_route to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_source_route = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_value:var:1" value-id="sysctl_net_ipv4_conf_all_accept_source_route_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_conf_accept_source_route:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_accept_source_route_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_conf_accept_redirects" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Kernel Parameter for Accepting ICMP Redirects for All Interfaces</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.accept_redirects</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.conf.all.accept_redirects = 0</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1503</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Accepting ICMP redirects has few legitimate
uses. It should be disabled unless it is absolutely required.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003609</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_conf_accept_redirects" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/sysctl -q -n -w net.ipv4.conf.all.accept_redirects=0
/sbin/sysctl -q -n -w net.ipv4.conf.default.accept_redirects=0

if grep --silent ^net.ipv4.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.accept_redirects.*/net.ipv4.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.accept_redirects.*/net.ipv4.conf.default.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_value:var:1" value-id="sysctl_net_ipv4_conf_all_accept_redirects_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_conf_accept_redirects:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_accept_redirects_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_conf_log_martians" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Kernel Parameter to Log Martian Packets</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.conf.all.log_martians</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.conf.all.log_martians = 1</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003611</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_conf_log_martians" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/sysctl -q -n -w net.ipv4.conf.all.log_martians=1
/sbin/sysctl -q -n -w net.ipv4.conf.default.log_martians=1

if grep --silent ^net.ipv4.conf.all.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.all.log_martians.*/net.ipv4.conf.all.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.all.log_martians to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.all.log_martians = 1" &gt;&gt; /etc/sysctl.conf
fi

if grep --silent ^net.ipv4.conf.default.log_martians /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.conf.default.log_martians.*/net.ipv4.conf.default.log_martians = 1/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv4.conf.default.log_martians to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.conf.default.log_martians = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_value:var:1" value-id="sysctl_net_ipv4_conf_all_log_martians_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_conf_log_martians:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_log_martians_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.icmp_echo_ignore_broadcasts</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.icmp_echo_ignore_broadcasts = 1</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignoring ICMP echo requests (pings) sent to broadcast or multicast
addresses makes the system slightly more difficult to enumerate on the network.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003603</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.icmp_echo_ignore_broadcasts
#
/sbin/sysctl -q -n -w net.ipv4.icmp_echo_ignore_broadcasts=1

#
# If net.ipv4.icmp_echo_ignore_broadcasts present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.icmp_echo_ignore_broadcasts = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.icmp_echo_ignore_broadcasts.*/net.ipv4.icmp_echo_ignore_broadcasts = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.icmp_echo_ignore_broadcasts to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:var:1" value-id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_tcp_syncookies" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Kernel Parameter to Use TCP Syncookies</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.tcp_syncookies</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.tcp_syncookies=1</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.tcp_syncookies = 1</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1092</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A TCP SYN flood attack can cause a denial of service by filling a
system's TCP connection table with connections in the SYN_RCVD state.
Syncookies can be used to track a connection when a subsequent ACK is received,
verifying the initiator is attempting a valid connection and is not a flood
source. This feature is activated when a flood condition is detected, and
enables the system to continue servicing valid connection requests.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003612</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_tcp_syncookies" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.tcp_syncookies
#
/sbin/sysctl -q -n -w net.ipv4.tcp_syncookies=1

#
# If net.ipv4.tcp_syncookies present in /etc/sysctl.conf, change value to "1"
#	else, add "net.ipv4.tcp_syncookies = 1" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_syncookies /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_syncookies.*/net.ipv4.tcp_syncookies = 1/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.tcp_syncookies to 1 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.tcp_syncookies = 1" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_tcp_syncookies_value:var:1" value-id="sysctl_net_ipv4_tcp_syncookies_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sysctl_net_ipv4_tcp_max_syn_backlog" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TCP backlog queue sizes must be set appropriately</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv4.max_syn_backlog</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv4.max_syn_backlog=1280</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv4.max_syn_backlog = 1280</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To provide some mitigation to TCP Denial of Service attacks, the TCP 
backlog queue sizes must be set to at least 1280 or in accordance with 
product-specific guidelines.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003601</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv4_tcp_max_syn_backlog" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Set runtime for net.ipv4.tcp_max_syn_backlog
#
/sbin/sysctl -q -n -w net.ipv4.tcp_max_syn_backlog=1280

#
# If net.ipv4.tcp_max_syn_backlog present in /etc/sysctl.conf, change value to "1280"
#	else, add "net.ipv4.tcp_max_syn_backlog = 1280" to /etc/sysctl.conf
#
if grep --silent ^net.ipv4.tcp_max_syn_backlog /etc/sysctl.conf ; then
	sed -i 's/^net.ipv4.tcp_max_syn_backlog.*/net.ipv4.tcp_max_syn_backlog = 1280/g' /etc/sysctl.conf
else
	echo -e "\n# Set net.ipv4.tcp_max_syn_backlog to 1280 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv4.tcp_max_syn_backlog = 1280" &gt;&gt; /etc/sysctl.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-export export-name="oval:ssg-sysctl_net_ipv4_tcp_max_syn_backlog_value:var:1" value-id="sysctl_net_ipv4_tcp_max_syn_backlog_value"/>
              <check-content-ref name="oval:ssg-sysctl_net_ipv4_tcp_max_syn_backlog:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_tcp_max_syn_backlog_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="network-wireless">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless Networking</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Wireless networking, such as 802.11
(WiFi) and Bluetooth, can present a security risk to sensitive or
classified systems and networks. Wireless networking hardware is
much more likely to be included in laptop or portable systems than
desktops or servers. 
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Removal of hardware provides the greatest assurance that the wireless
capability remains disabled. Acquisition policies often include provisions to
prevent the purchase of equipment that will be used in sensitive spaces and
includes wireless capabilities. If it is impractical to remove the wireless
hardware, and policy permits the device to enter sensitive spaces as long
as wireless is disabled, efforts should instead focus on disabling wireless capability
via software.</description>
        <Group id="wireless_software">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Wireless Through Software Configuration</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is impossible to remove the wireless hardware
from the device in question, disable as much of it as possible
through software. The following methods can disable software
support for wireless networking, but note that these methods do not
prevent malicious software or careless users from re-activating the
devices.</description>
          <Rule id="kernel_module_bluetooth_disabled" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Bluetooth Kernel Modules</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code> configuration file
to prevent the loading of the Bluetooth module:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">install net-pf-31 /bin/true
install bluetooth /bin/true</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007660</ident>
            <fix system="urn:xccdf:fix:script:sh" id="kernel_module_bluetooth_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">if [ -d /etc/modprobe.d/ ]; then
	echo "install bluetooth /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install bluetooth /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-kernel_module_bluetooth_disabled:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_bluetooth_disabled_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="network-ipv6">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IPv6</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for Internet Protocol
version 6. A major and often-mentioned improvement over IPv4 is its
enormous increase in the number of available addresses. Another
important feature is its support for automatic configuration of
many network settings.</description>
        <Group id="disabling_ipv6">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Support for IPv6 Unless Needed</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Despite configuration that suggests support for IPv6 has
been disabled, link-local IPv6 address auto-configuration occurs
even when only an IPv4 address is assigned. The only way to
effectively prevent execution of the IPv6 networking stack is to
instruct the system not to activate the IPv6 kernel module.
</description>
          <Rule id="kernel_module_ipv6_option_disabled" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IPv6 Networking Support Automatic Loading</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To prevent the IPv6 kernel module (<html:code xmlns:html="http://www.w3.org/1999/xhtml">ipv6</html:code>) from loading the
IPv6 networking stack, add the following line to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d/disabled.conf</html:code> (or another file in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">options ipv6 disable=1</html:pre>
This permits the IPv6 module to be loaded (and thus satisfy other modules that
depend on it), while disabling support for the IPv6 protocol.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
the vulnerability to exploitation.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007720</ident>
            <fix system="urn:xccdf:fix:script:sh" id="kernel_module_ipv6_option_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install ipv6 /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install ipv6 /bin/true" &gt;&gt; /etc/modprobe.conf
fi
chkconfig ip6tables off
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-kernel_module_ipv6_option_disabled:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="network_ipv6_disable_interfaces" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Interface Usage of IPv6</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable interface usage of IPv6, add or correct the following lines in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">NETWORKING_IPV6=no</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007700</ident>
            <fix system="urn:xccdf:fix:script:sh" id="network_ipv6_disable_interfaces" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(grep -c "^NETWORKING_IPV6" /etc/sysconfig/network) = 0 ]; then
	echo "NETWORKING_IPV6=no" | tee -a /etc/sysconfig/network &amp;&gt;/dev/null
else
	sed -i 's/NETWORKING_IPV6.*/NETWORKING_IPV6=no/' /etc/sysconfig/network
fi
chkconfig ip6tables off
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-network_ipv6_disable_interfaces:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
        <Group id="configuring_ipv6">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure IPv6 Settings if Necessary</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A major feature of IPv6 is the extent to which systems
implementing it can automatically configure their networking
devices using information from the network. From a security
perspective, manually configuring important configuration
information is preferable to accepting it from the network
in an unauthenticated fashion.</description>
          <Group id="disabling_ipv6_autoconfig">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Automatic Configuration</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the system's acceptance of router
advertisements and redirects by adding or correcting the following
line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network</html:code> (note that this does not disable
sending router solicitations):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6_AUTOCONF=no</html:pre>
</description>
            <Value id="sysctl_net_ipv6_conf_all_accept_redirects_value" operator="equals" type="string">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">net.ipv6.conf.default.accept_redirects</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Toggle ICMP Redirect Acceptance</description>
              <value>0</value>
              <value selector="enabled">1</value>
              <value selector="disabled">0</value>
            </Value>
            <Rule id="sysctl_net_ipv6_conf_all_accept_redirects" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Accepting IPv6 Redirects</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
                
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.accept_redirects</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.all.accept_redirects = 0</html:pre>
              </description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
An illicit ICMP redirect message could result in a man-in-the-middle attack.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007860</ident>
              <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv6_conf_all_accept_redirects" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Set runtime for net.ipv6.conf.all.accept_redirects
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.all.accept_redirects=0
fi

#
# If net.ipv6.conf.all.accept_redirects present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.all.accept_redirects = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.all.accept_redirects /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.all.accept_redirects.*/net.ipv6.conf.all.accept_redirects = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv6.conf.all.accept_redirects to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv6.conf.all.accept_redirects = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-export export-name="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_value:var:1" value-id="sysctl_net_ipv6_conf_all_accept_redirects_value"/>
                <check-content-ref name="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_ocil:questionnaire:1"/>
              </check>
            </Rule>
            <Rule id="sysctl_net_ipv6_conf_forwarding" selected="false" severity="medium">
              <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Accepting IPv6 Forwarding</title>
              <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
                
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.all.forwarding</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.all.forwarding=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.all.forwarding = 0</html:pre>
                
    To set the runtime status of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">net.ipv6.conf.default.forwarding</html:code> kernel parameter,
    run the following command:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">$ sudo sysctl -w net.ipv6.conf.default.forwarding=0</html:pre>
    If this is not the system's default value, add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysctl.conf</html:code>:
    <html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">net.ipv6.conf.default.forwarding = 0</html:pre>
              </description>
              <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
              <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
              <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Source-routed packets allow the source of the packet to suggest that 
routers forward the packet along a different path than configured on 
the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, 
such as when IPv6 forwarding is enabled and the system is functioning as a router.
</rationale>
              <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007920</ident>
              <fix system="urn:xccdf:fix:script:sh" id="sysctl_net_ipv6_conf_forwarding" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Set runtime for net.ipv6.conf.all.forwarding
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.all.forwarding=0
fi

#
# If net.ipv6.conf.all.forwarding present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.all.forwarding = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.all.forwarding /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.all.forwarding.*/net.ipv6.conf.all.forwarding = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv6.conf.all.forwarding to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv6.conf.all.forwarding = 0" &gt;&gt; /etc/sysctl.conf
fi

#
# Set runtime for net.ipv6.conf.default.forwarding
#
if [ -e /proc/sys/net/ipv6/ ]; then
	/sbin/sysctl -q -n -w net.ipv6.conf.default.forwarding=0
fi
#
# If net.ipv6.conf.default.forwarding present in /etc/sysctl.conf, change value to "0"
#	else, add "net.ipv6.conf.default.forwarding = 0" to /etc/sysctl.conf
#
if grep --silent ^net.ipv6.conf.default.forwarding /etc/sysctl.conf ; then
	sed -i 's/^net.ipv6.conf.default.forwarding.*/net.ipv6.conf.default.forwarding = 0/g' /etc/sysctl.conf
else
	echo "" &gt;&gt; /etc/sysctl.conf
	echo "# Set net.ipv6.conf.default.forwarding to 0 per security requirements" &gt;&gt; /etc/sysctl.conf
	echo "net.ipv6.conf.default.forwarding = 0" &gt;&gt; /etc/sysctl.conf
fi
</fix>
              <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
                <check-content-ref name="oval:ssg-sysctl_net_ipv6_conf_forwarding:def:1" href="ssg-rhel5-oval.xml"/>
              </check>
              <check system="http://scap.nist.gov/schema/ocil/2">
                <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_forwarding_ocil:questionnaire:1"/>
              </check>
            </Rule>
          </Group>
          <Rule id="network_ipv6_default_gateway" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manually Assign IPv6 Router Address</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:code>, and add or correct
the following line (substituting your gateway IP as appropriate):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">IPV6_DEFAULTGW=2001:0DB8::0001</html:pre>
Router addresses should be manually set and not accepted via any
auto-configuration or router advertisement.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005570</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-network_ipv6_default_gateway:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="network-iptables">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">iptables and ip6tables</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A host-based firewall called Netfilter is included as
part of the Linux kernel distributed with the system. It is
activated by default. This firewall is controlled by the program
iptables, and the entire capability is frequently referred to by
this name. An analogous program called ip6tables handles filtering
for IPv6.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Unlike TCP Wrappers, which depends on the network server
program to support and respect the rules written, Netfilter
filtering occurs at the kernel level, before a program can even
process the data from the network packet. As such, any program on
the system is affected by the rules written.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
This section provides basic information about strengthening
the iptables and ip6tables configurations included with the system.
For more complete information that may allow the construction of a
sophisticated ruleset tailored to your environment, please consult
the references at the end of this section.</description>
        <Group id="iptables_activation">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Inspect and Activate Default Rules</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">View the currently-enforced iptables rules by running
the command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers</html:pre>
The command is analogous for the ip6tables program.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
If the firewall does not appear to be active (i.e., no rules
appear), activate it and ensure that it starts at boot by issuing
the following commands (and analogously for ip6tables):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service iptables restart</html:pre>
The default iptables rules are:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22 
5    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source       destination
1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source       destination</html:pre>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ip6tables</html:code> default rules are essentially the same.</description>
          <Rule id="service_iptables_enabled" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Verify iptables Enabled</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> service can be enabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig --level 2345 iptables on</html:pre>
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1118</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> service provides the system's host-based firewalling
capability for IPv4 and ICMP.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008520</ident>
            <fix system="urn:xccdf:fix:script:sh" id="service_iptables_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Enable iptables for all run levels
#
/sbin/chkconfig --level 0123456 iptables on

#
# Start iptables if not currently running
#
/sbin/service iptables start 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-service_iptables_enabled:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_iptables_enabled_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="ruleset_modifications">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Strengthen the Default Ruleset</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The default rules can be strengthened. The system
scripts that activate the firewall rules expect them to be defined
in the configuration files iptables and ip6tables in the directory
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig</html:code>. Many of the lines in these files are similar
to the command line arguments that would be provided to the programs
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/iptables</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">/sbin/ip6tables</html:code> - but some are quite
different.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The following recommendations describe how to strengthen the
default ruleset configuration file. An alternative to editing this
configuration file is to create a shell script that makes calls to
the iptables program to load in rules, and then invokes service
iptables save to write those loaded rules to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables.</html:code>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The following alterations can be made directly to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>.
Instructions apply to both unless otherwise noted. Language and address
conventions for regular iptables are used throughout this section;
configuration for ip6tables will be either analogous or explicitly
covered.</description>
          <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">The program <html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-securitylevel</html:code>
allows additional services to penetrate the default firewall rules
and automatically adjusts <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>. This program
is only useful if the default ruleset meets your security
requirements. Otherwise, this program should not be used to make
changes to the firewall configuration because it re-writes the
saved configuration file.</warning>
          <Rule id="iptables_timestamp_reject_rule" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Reject Incoming Timestamp Requests and Replies</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To reject incoming timestamp requests and replies,
add or correct the following line in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-I INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-I INPUT -p icmp -m icmp --icmp-type timestamp-reply -j DROP</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The processing of (ICMP) timestamp requests increases 
the attack surface of the system.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003602</ident>
            <fix system="urn:xccdf:fix:script:sh" id="iptables_timestamp_reject_rule" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(egrep -c '(--icmp-type 14|timestamp-reply) -j DROP')" = "0" ]; then
	/sbin/iptables -I INPUT -p ICMP --icmp-type timestamp-reply -j DROP
fi
if [ "$(egrep -c '(--icmp-type 13|timestamp-request) -j DROP')" = "0" ]; then
	/sbin/iptables -I INPUT -p ICMP --icmp-type timestamp-request -j DROP
fi
/sbin/iptables-save &gt; /etc/sysconfig/iptables
if [ "$(grep -c 'icmp-type 13' /etc/sysconfig/iptables)" != "0" ]; then
	sed -i 's/icmp-type 13/icmp-type timestamp-request/' /etc/sysconfig/iptables
fi
if [ "$(grep -c 'icmp-type 14' /etc/sysconfig/iptables)" != "0" ]; then
	sed -i 's/icmp-type 14/icmp-type timestamp-reply/' /etc/sysconfig/iptables
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-iptables_timestamp_reject_rule:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="iptables_input_reject_rule" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add Reject Rule for INPUT Chain.</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">:INPUT DROP [0:0]</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1109</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to <html:code xmlns:html="http://www.w3.org/1999/xhtml">DROP</html:code> implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008540</ident>
            <fix system="urn:xccdf:fix:script:sh" id="iptables_input_reject_rule" complexity="low" disruption="low" reboot="false" strategy="configure">/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
/sbin/iptables-save &gt; /etc/sysconfig/iptables</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-iptables_input_reject_rule:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-iptables_input_reject_rule_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="ip6tables_input_icmpv6_broadcast" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ignore ICMPv6 Echo Requests On a Broadcast Address.</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to ignore ICMPv6 echo requests 
on a broadcast address, add or correct the following line in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Responding to broadcast ICMP echo requests facilitates 
network mapping and provides a vector for amplification attacks.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007950</ident>
            <fix system="urn:xccdf:fix:script:sh" id="ip6tables_input_icmpv6_broadcast" complexity="low" disruption="low" reboot="false" strategy="configure">if [ ! -e /etc/sysconfig/ip6tables ] || [ "$(grep -c ^ /etc/sysconfig/ip6tables)" -lt "5" ]; then
	echo -e "*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT" | tee /etc/sysconfig/ip6tables &amp;&gt;/dev/null
	echo "-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP" | tee -a /etc/sysconfig/ip6tables &amp;&gt;/dev/null 
else
	echo "-A INPUT -p icmpv6 -d ff02::1 --icmpv6-type 128 -j DROP" | tee -a /etc/sysconfig/ip6tables &amp;&gt;/dev/null 
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-ip6tables_input_icmpv6_broadcast:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="system_access_control" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TCP Wrappers Must Be Configured To Grant/Deny Access To Hosts.</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the system to grant/deny access to hosts, ensure 
the following file exists:
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts.allow</html:code>:
In addition, make sure the following file is present and includes the following line:
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts.deny</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">ALL: ALL</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system's access control program is not configured with appropriate 
rules for allowing and denying access to system network resources, services may be 
accessible to unauthorized hosts.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006620</ident>
            <fix system="urn:xccdf:fix:script:sh" id="system_access_control" complexity="low" disruption="low" reboot="false" strategy="configure">if [ ! -e /etc/hosts.allow ]; then
	&gt;/etc/hosts.allow
	chmod 644 /etc/hosts.allow
	chown root:root /etc/hosts.allow
fi
if [ ! -e /etc/hosts.deny ]; then
	&gt;/etc/hosts.deny
	chmod 644 /etc/hosts.deny
	chown root:root /etc/hosts.deny
fi
if [ ! -e /var/log/host.access ]; then
	&gt;/var/log/host.access
	chmod 640 /var/log/host.access
	chown root:root /var/log/host.access
fi
if [ $(grep -c "ALL: ALL" /etc/hosts.deny) = 0 ]; then
	echo 'ALL: ALL: spawn /bin/echo Access denied on $(/bin/date) from %a for access to %d \(pid %p\)&gt;&gt;/var/log/host.access' | tee -a /etc/hosts.deny &amp;&gt;/dev/null
fi
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-system_access_control:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="network_ssl">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Transport Layer Security Support</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Support for Transport Layer Security (TLS), and its predecessor, the Secure
Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package
<html:code xmlns:html="http://www.w3.org/1999/xhtml">openssl</html:code>).  TLS provides encrypted and authenticated network
communications, and many network services include support for it.  TLS or SSL
can be leveraged to avoid any plaintext transmission of sensitive data.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
For information on how to use OpenSSL, see
<html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://www.openssl.org/docs/HOWTO/">http://www.openssl.org/docs/HOWTO/</html:a></html:b>.  Information on FIPS validation
of OpenSSL is available at <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://www.openssl.org/docs/fips/fipsvalidation.html">http://www.openssl.org/docs/fips/fipsvalidation.html</html:a></html:b>
and <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm</html:a></html:b>.

</description>
      </Group>
      <Group id="network_tunnels">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IP Tunnelling Support</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Support for creating IP encapsulated tunnels between 
a system and remote endpoints, to also include tunnelling 
ipv6 over ipv4, is available in Red Hat.
</description>
        <Rule id="ip_tunnels" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove IP Tunnels</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To remove IP tunnels, perform the following command for each IP tunnel:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ip tun del <html:code>tunnel</html:code></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007820</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ip_tunnels" complexity="low" disruption="low" reboot="false" strategy="configure">ip tunnel list | cut -d: -f1 | while read TUNNEL_INTERFACE; do ip tunnel del $TUNNEL_INTERFACE 2&gt;/dev/null; done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ip_tunnels:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="ip_6to4_tunnels" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove 6to4 IP Tunnels</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To remove 6to4 IP tunnels, perform the following command for each IP tunnel:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ip tun del <html:code>tunnel</html:code></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007780</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ip_6to4_tunnels" complexity="low" disruption="low" reboot="false" strategy="configure">ip tunnel list | cut -d: -f1 | while read TUNNEL_INTERFACE; do ip tunnel del $TUNNEL_INTERFACE 2&gt;/dev/null; done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ip_6to4_tunnels:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="ip_teredo" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Teredo Services</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To disable teredo services, perform the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ps ax | grep -i miredo | grep -v grep | awk ' { print $1 }' | xargs kill</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ip_teredo" complexity="low" disruption="low" reboot="false" strategy="configure">ps ax | grep -i miredo | grep -v grep | awk ' { print $1 }' | xargs kill
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ip_teredo:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="network-uncommon">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Uncommon Network Protocols</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The system includes support for several network
protocols which are not commonly used. Although security vulnerabilities 
in kernel networking code are not frequently
discovered, the consequences can be dramatic. Ensuring uncommon
network protocols are disabled reduces the system's risk to attacks
targeted at its implementation of those protocols.</description>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Although these protocols are not commonly used, avoid disruption
in your network environment by ensuring they are not needed
prior to disabling them.
</warning>
        <Rule id="kernel_module_dccp_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DCCP Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">dccp</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install dccp /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling DCCP protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007080</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_dccp_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install dccp /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
	echo "install dccp_ipv4 /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
	echo "install dccp_ipv6 /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install dccp /bin/true" &gt;&gt; /etc/modprobe.conf
	echo "install dccp_ipv4 /bin/true" &gt;&gt; /etc/modprobe.conf
	echo "install dccp_ipv6 /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_dccp_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_dccp_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_sctp_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SCTP Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sctp</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install sctp /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling SCTP protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007020</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_sctp_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install sctp /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install sctp /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_sctp_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_sctp_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_rds_disabled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable RDS Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Reliable Datagram Sockets (RDS) protocol is a transport
layer protocol designed to provide reliable high- bandwidth,
low-latency communications between nodes in a cluster.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rds</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install rds /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling RDS protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007480</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_rds_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install rds /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install rds /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_rds_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_tipc_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable TIPC Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">tipc</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install tipc /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling TIPC protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007540</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_tipc_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install tipc /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install tipc /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_tipc_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_appletalk_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable AppleTalk Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The AppleTalk suite of protocols is no longer in common use.  
Binding this protocol to the network stack increases the attack 
surface of the host.  Unprivileged local processes may be able 
to cause the system to dynamically load a protocol handler by 
opening a socket using the protocol.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">appletalk</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install appletalk /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">382</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling AppleTalk protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_appletalk_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -d /etc/modprobe.d/ ]; then
	echo "install appletalk /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install appletalk /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_appletalk_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_appletalk_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_bridge_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Network Bridging Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Some systems have the ability to bridge or switch frames 
(link-layer forwarding) between multiple interfaces.  This 
can be useful in a variety of situations but, if enabled when 
not needed, has the potential to bypass network partitioning and security.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">bridge</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install bridge /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1551</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling network bridging protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003619</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_bridge_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">if [ -d /etc/modprobe.d/ ]; then
	echo "install bridge /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install bridge /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_bridge_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_bridge_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="kernel_module_ieee1394_disabled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable IEEE1394 (Firewire) Support</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Firewire is a common computer peripheral interface. Firewire devices may 
include storage devices with the potential to install malicious software 
on a system or exfiltrate data.

To configure the system to prevent the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ieee1394</html:code>
kernel module from being loaded, add the following line to a file in the directory <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/modprobe.d</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml" xml:space="preserve">install ieee1394 /bin/true</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling IEEE1394 (Firewire) protects
the system against exploitation of any flaws in its implementation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008500</ident>
          <fix system="urn:xccdf:fix:script:sh" id="kernel_module_ieee1394_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">if [ -d /etc/modprobe.d/ ]; then
	echo "install ieee1394 /bin/true" &gt;&gt; /etc/modprobe.d/disabled_modules.conf
else
	echo "install ieee1394 /bin/true" &gt;&gt; /etc/modprobe.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-kernel_module_ieee1394_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-kernel_module_ieee1394_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="logging">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Syslog</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The syslog service has been the default Unix logging mechanism for
many years. It has a number of downsides, including inconsistent log format,
lack of authentication for received messages, and lack of authentication,
encryption, or reliable transport for messages sent over a network. However,
due to its long history, syslog is a de facto standard which is supported by
almost all Unix applications.
</description>
      <Group id="syslog_sending_messages">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Syslog Logs Sent To Remote Host</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If system logs are to be useful in detecting malicious
activities, it is necessary to send logs to a remote server. An
intruder who has compromised the root account on a machine may
delete the log entries which indicate that the system was attacked
before they are seen by an administrator.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
However, it is recommended that logs be stored on the local
host in addition to being sent to the loghost, especially if
<html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> has been configured to use the UDP protocol to send
messages over a network. UDP does not guarantee reliable delivery,
and moderately busy sites will lose log messages occasionally,
especially in periods of high traffic which may be the result of an
attack. In addition, remote <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> messages are not
authenticated in any way by default, so it is easy for an attacker to
introduce spurious messages to the central log server. Also, some
problems cause loss of network connectivity, which will prevent the
sending of messages to the central server. For all of these reasons, it is
better to store log messages both centrally and on each host, so
that they can be correlated if necessary.</description>
        <Rule id="syslog_remote_loghost" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Logs Sent To Remote Host</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To configure syslog to send logs to a remote log server,
open <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code> and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting <html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:i>loghost.example.com</html:i></html:code> appropriately.
The choice of protocol depends on the environment of the system; 
although TCP and RELP provide more reliable message delivery, 
they may not be supported in all environments.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To use UDP for log message delivery:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">*.* @<html:i>loghost.example.com</html:i></html:pre>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To use TCP for log message delivery:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">*.* @@<html:i>loghost.example.com</html:i></html:pre>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To use RELP for log message delivery:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">*.* :omrelp:<html:i>loghost.example.com</html:i></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005460</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-syslog_remote_loghost:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-syslog_remote_loghost_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="syslog_accepting_remote_messages">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure syslogd to Accept Remote Messages If Acting as a Log Server</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
By default, <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> does not listen over the network
for log messages. If needed, modules can be enabled to allow
the syslog daemon to receive messages from other systems and for the system
thus to act as a log server.
If the machine is not a log server, then lines concerning these modules
should remain commented out.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
</description>
        <Rule id="syslog_nolisten" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure syslog Does Not Accept Remote Messages Unless Acting As Log Server</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> daemon should not accept remote messages
unless the system acts as a log server.
To ensure that it is not listening on the network, ensure the following lines are
<html:i xmlns:html="http://www.w3.org/1999/xhtml">not</html:i> found in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ModLoad imtcp.so
$InputTCPServerRun <html:i>port</html:i>
$ModLoad imudp.so
$InputUDPServerRun <html:i>port</html:i>
$ModLoad imrelp.so
$InputRELPServerRun <html:i>port</html:i></html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Any process which receives messages from the network incurs some risk
of receiving malicious messages. This risk can be eliminated for
syslog by configuring it not to listen on the network.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005480</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-syslog_nolisten:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="log_rotation">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure All Logs are Rotated by logrotate</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/logrotate.d/syslog</html:code>. Find the first
line, which should look like this (wrapped for clarity):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
  /var/log/boot.log /var/log/cron {</html:pre>
Edit this line so that it contains a one-space-separated
listing of each log file referenced in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/syslog.conf</html:code>.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
All logs in use on a system must be rotated regularly, or the
log files will consume disk space over time, eventually interfering
with system operation. The file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/logrotate.d/syslog</html:code> is the
configuration file used by the <html:code xmlns:html="http://www.w3.org/1999/xhtml">logrotate</html:code> program to maintain all
log files written by <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code>. By default, it rotates logs weekly and
stores four archival copies of each log. These settings can be
modified by editing <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/logrotate.conf</html:code>, but the defaults are
sufficient for purposes of this guide.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Note that <html:code xmlns:html="http://www.w3.org/1999/xhtml">logrotate</html:code> is run nightly by the cron job
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.daily/logrotate</html:code>. If particularly active logs need to be
rotated more often than once a day, some other mechanism must be
used.</description>
        <Rule id="logrotate_rotate_all_files" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Logrotate Runs Periodically</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">logrotate</html:code> utility allows for the automatic rotation of 
log files.  The frequency of rotation is specified in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/logrotate.conf</html:code>, 
which triggers a cron task.  To configure logrotate to run daily, add or correct 
the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/logrotate.conf</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rotate log files <html:i>frequency</html:i>
daily</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Log files that are not properly rotated run the risk of growing so large
that they fill up the /var/log partition. Valuable logging information could be lost
if the /var/log partition becomes full.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002860</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-logrotate_rotate_all_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-logrotate_rotate_all_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="auditing">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System Accounting with auditd</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The audit service provides substantial capabilities
for recording system activities. By default, the service audits about
SELinux AVC denials and certain types of security-relevant events
such as system logins, account modifications, and authentication
events performed by programs such as sudo.
Under its default configuration, <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> has modest disk space
requirements, and should not noticeably impact system performance.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Government networks often have substantial auditing
requirements and <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> can be configured to meet these
requirements.
Examining some example audit records demonstrates how the Linux audit system
satisfies common requirements.  
The following example from Fedora Documentation available at 
<html:code xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html">http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages.html</html:a></html:code>
shows the substantial amount of information captured in a
two typical "raw" audit messages, followed by a breakdown of the most important
fields. In this example the message is SELinux-related and reports an AVC
denial (and the associated system call) that occurred when the Apache HTTP
Server attempted to access the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/www/html/file1</html:code> file (labeled with
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba_share_t</html:code> type):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file

type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13 
a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
</html:pre>
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:code>msg=audit(1226874073.147:96)</html:code><html:ul><html:li>The number in parentheses is the unformatted time stamp (Epoch time)
for the event, which can be converted to standard time by using the
<html:code>date</html:code> command.
</html:li></html:ul></html:li><html:li><html:code>{ getattr }</html:code><html:ul><html:li>The item in braces indicates the permission that was denied. <html:code>getattr</html:code>
indicates the source process was trying to read the target file's status information.
This occurs before reading files. This action is denied due to the file being
accessed having the wrong label. Commonly seen permissions include <html:code>getattr</html:code>,
<html:code>read</html:code>, and <html:code>write</html:code>.</html:li></html:ul></html:li><html:li><html:code>comm="httpd"</html:code><html:ul><html:li>The executable that launched the process. The full path of the executable is
found in the <html:code>exe=</html:code> section of the system call (<html:code>SYSCALL</html:code>) message,
which in this case, is <html:code>exe="/usr/sbin/httpd"</html:code>.
</html:li></html:ul></html:li><html:li><html:code>path="/var/www/html/file1"</html:code><html:ul><html:li>The path to the object (target) the process attempted to access.
</html:li></html:ul></html:li><html:li><html:code>scontext="unconfined_u:system_r:httpd_t:s0"</html:code><html:ul><html:li>The SELinux context of the process that attempted the denied action. In
this case, it is the SELinux context of the Apache HTTP Server, which is running
in the <html:code>httpd_t</html:code> domain.
</html:li></html:ul></html:li><html:li><html:code>tcontext="unconfined_u:object_r:samba_share_t:s0"</html:code><html:ul><html:li>The SELinux context of the object (target) the process attempted to access.
In this case, it is the SELinux context of <html:code>file1</html:code>. Note: the <html:code>samba_share_t</html:code>
type is not accessible to processes running in the <html:code>httpd_t</html:code> domain.</html:li></html:ul></html:li><html:li> From the system call (<html:code>SYSCALL</html:code>) message, two items are of interest:
<html:ul><html:li><html:code>success=no</html:code>: indicates whether the denial (AVC) was enforced or not.
<html:code>success=no</html:code> indicates the system call was not successful (SELinux denied
access). <html:code>success=yes</html:code> indicates the system call was successful - this can
be seen for permissive domains or unconfined domains, such as <html:code>initrc_t</html:code>
and <html:code>kernel_t</html:code>.
</html:li><html:li><html:code>exe="/usr/sbin/httpd"</html:code>: the full path to the executable that launched
the process, which in this case, is <html:code>exe="/usr/sbin/httpd"</html:code>.
</html:li></html:ul>
</html:li></html:ul>
</description>
      <Rule id="service_auditd_enabled" selected="false" severity="medium">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable auditd Service</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service is an essential userspace component of
the Linux Auditing System, as it is responsible for writing audit records to
disk.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service can be enabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig --level 2345 auditd on</html:pre>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">169</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensuring the <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service is active ensures 
audit records generated by the kernel can be written to disk, or that appropriate
actions will be taken if other obstacles exist.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002660</ident>
        <fix system="urn:xccdf:fix:script:sh" id="service_auditd_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Enable auditd for all run levels
#
/sbin/chkconfig --level 0123456 auditd on

#
# Start auditd if not currently running
#
/sbin/service auditd start 1&gt;/dev/null
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-service_auditd_enabled:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="bootloader_audit_argument" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Auditing for Processes Which Start Prior to the Audit Daemon</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To ensure all processes can be audited, even
those which start prior to the audit daemon, add the argument
<html:code xmlns:html="http://www.w3.org/1999/xhtml">audit=1</html:code> to the kernel line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/grub.conf</html:code>, in the manner below:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</html:pre>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Each process on the system carries an "auditable" flag which
indicates whether its activities can be audited. Although <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code>
takes care of enabling this for all processes which launch after it
does, adding the kernel argument ensures it is set for every
process during boot.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00720</ident>
        <fix system="urn:xccdf:fix:script:sh" id="bootloader_audit_argument" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(grep -v '#' /boot/grub/grub.conf | grep kernel | grep -c audit=) = 0 ]; then
	sed -i '/^[ |\t]*kernel/s/$/ audit=1/' /boot/grub/grub.conf
else
	sed -i '/^[ |\t]*kernel/s/audit=./audit=1/' /boot/grub/grub.conf
fi
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-bootloader_audit_argument:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-bootloader_audit_argument_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Group id="configure_auditd_data_retention">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure auditd Data Retention</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The audit system writes data to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit/audit.log</html:code>. By default,
<html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of
data in total, and refuses to write entries when the disk is too
full. This minimizes the risk of audit data filling its partition
and impacting other services. This also minimizes the risk of the audit
daemon temporarily disabling the system if it cannot write audit log (which
it can be configured to do).

For a busy
system or a system which is thoroughly auditing system activity, the default settings
for data retention may be
 insufficient. The log file size needed will depend heavily on what types
of events are being audited. First configure auditing to log all the events of
interest. Then monitor the log size manually for awhile to determine what file
size will allow you to keep the required data for the correct time period.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Using a dedicated partition for <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/audit</html:code> prevents the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> logs from disrupting system functionality if they fill, and,
more importantly, prevents other activity in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var</html:code> from filling the
partition and stopping the audit trail. (The audit logs are size-limited and
therefore unlikely to grow without bound unless configured to do so.) Some
machines may have requirements that no actions occur which cannot be audited.
If this is the case, then <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> can be configured to halt the machine
if it runs out of space. <html:b xmlns:html="http://www.w3.org/1999/xhtml">Note:</html:b> Since older logs are rotated,
configuring <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> this way does not prevent older logs from being
rotated away before they can be viewed.

<html:i xmlns:html="http://www.w3.org/1999/xhtml">If your system is configured to halt when logging cannot be performed, make
sure this can never happen under normal circumstances! Ensure that
<html:code>/var/log/audit</html:code> is on its own partition, and that this partition is
larger than the maximum amount of data <html:code>auditd</html:code> will retain
normally.</html:i>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">138</reference>
        <Value id="var_auditd_num_logs" type="number">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Number of log files for auditd to retain</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for num_logs in /etc/audit/auditd.conf</description>
          <value>5</value>
          <value selector="5">5</value>
          <value selector="4">4</value>
          <value selector="3">3</value>
          <value selector="2">2</value>
          <value selector="1">1</value>
          <value selector="0">0</value>
        </Value>
        <Value id="var_auditd_max_log_file" type="number">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Maximum audit log file size for auditd</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for max_log_size in /etc/audit/auditd.conf</description>
          <value>6</value>
          <value selector="20">20</value>
          <value selector="10">10</value>
          <value selector="6">6</value>
          <value selector="5">5</value>
          <value selector="1">1</value>
        </Value>
        <Value id="var_auditd_max_log_file_action" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Action for auditd to take when log files reach their maximum size</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for max_log_file_action in /etc/audit/auditd.conf</description>
          <value>rotate</value>
          <value selector="ignore">ignore</value>
          <value selector="syslog">syslog</value>
          <value selector="suspend">suspend</value>
          <value selector="rotate">rotate</value>
          <value selector="keep_logs">keep_logs</value>
        </Value>
        <Value id="var_auditd_space_left_action" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Action for auditd to take when disk space just starts to run low</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for space_left_action in /etc/audit/auditd.conf</description>
          <value>email</value>
          <value selector="ignore">ignore</value>
          <value selector="syslog">syslog</value>
          <value selector="email">email</value>
          <value selector="exec">exec</value>
          <value selector="suspend">suspend</value>
          <value selector="single">single</value>
          <value selector="halt">halt</value>
        </Value>
        <Value id="var_auditd_admin_space_left_action" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Action for auditd to take when disk space just starts to run low</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for space_left_action in /etc/audit/auditd.conf</description>
          <value>single</value>
          <value selector="ignore">ignore</value>
          <value selector="syslog">syslog</value>
          <value selector="email">email</value>
          <value selector="exec">exec</value>
          <value selector="suspend">suspend</value>
          <value selector="single">single</value>
          <value selector="halt">halt</value>
        </Value>
        <Value id="var_auditd_disk_error_action" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Action for auditd to take when disk reports errors</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for disk_error_action in /etc/audit/auditd.conf</description>
          <value>single</value>
          <value selector="ignore">ignore</value>
          <value selector="syslog">syslog</value>
          <value selector="email">email</value>
          <value selector="exec">exec</value>
          <value selector="suspend">suspend</value>
          <value selector="single">single</value>
          <value selector="halt">halt</value>
        </Value>
        <Value id="var_auditd_disk_full_action" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Action for auditd to take when disk space is empty</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for disk_full_action in /etc/audit/auditd.conf</description>
          <value>single</value>
          <value selector="ignore">ignore</value>
          <value selector="syslog">syslog</value>
          <value selector="email">email</value>
          <value selector="exec">exec</value>
          <value selector="suspend">suspend</value>
          <value selector="single">single</value>
          <value selector="halt">halt</value>
        </Value>
        <Value id="var_auditd_action_mail_acct" type="string">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Account for auditd to send email when actions occurs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The setting for action_mail_acct in /etc/audit/auditd.conf</description>
          <value>root</value>
          <value selector="root">root</value>
          <value selector="admin">admin</value>
        </Value>
        <Rule id="auditd_data_retention_audit_storage_failure" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure auditd space_left Action on Low Disk Space</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service can be configured to take an action
when disk space <html:i xmlns:html="http://www.w3.org/1999/xhtml">starts</html:i> to run low. 
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/auditd.conf</html:code>. Modify the following line,
substituting <html:i xmlns:html="http://www.w3.org/1999/xhtml">ACTION</html:i> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">space_left_action = <html:i>ACTION</html:i></html:pre>
Possible values for <html:i xmlns:html="http://www.w3.org/1999/xhtml">ACTION</html:i> are described in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd.conf</html:code> man page.
These include:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li><html:code>ignore</html:code></html:li><html:li><html:code>syslog</html:code></html:li><html:li><html:code>email</html:code></html:li><html:li><html:code>exec</html:code></html:li><html:li><html:code>suspend</html:code></html:li><html:li><html:code>single</html:code></html:li><html:li><html:code>halt</html:code></html:li></html:ul>
Set this to <html:code xmlns:html="http://www.w3.org/1999/xhtml">email</html:code> (instead of the default,
which is <html:code xmlns:html="http://www.w3.org/1999/xhtml">suspend</html:code>) as it is more likely to get prompt attention. Acceptable values
also include <html:code xmlns:html="http://www.w3.org/1999/xhtml">suspend</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">single</html:code>, and <html:code xmlns:html="http://www.w3.org/1999/xhtml">halt</html:code>.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">143</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002730</ident>
          <fix system="urn:xccdf:fix:script:sh" id="auditd_data_retention_audit_storage_failure" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/audit/auditd.conf"
elif [ -e /etc/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/auditd.conf"
else
	exit
fi

if [ "$(grep -v "#" ${AUDITD_CONF_FILE} | grep -c space_left_action)" != "0" ]; then
	sed -i 's/space_left_action.*/space_left_action = syslog/' ${AUDITD_CONF_FILE}
else
	echo "space_left_action = syslog"&gt;&gt;${AUDITD_CONF_FILE}
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-var_auditd_space_left_action:var:1" value-id="var_auditd_space_left_action"/>
            <check-content-ref name="oval:ssg-auditd_data_retention_audit_storage_failure:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-auditd_data_retention_audit_storage_failure_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="auditd_data_retention_audit_processing_failure" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure auditd disk_error_action and disk_full_action on Storage Failures</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service can be configured to take an action
when the disk errors or becomes full. 
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/auditd.conf</html:code>. Add or modify the following lines,
substituting <html:i xmlns:html="http://www.w3.org/1999/xhtml">ACTION</html:i> appropriately:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">disk_error_action = <html:i>ACTION</html:i></html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">disk_full_action = <html:i>ACTION</html:i></html:pre>
Set this value to <html:code xmlns:html="http://www.w3.org/1999/xhtml">single</html:code> to cause the system to switch to single user
mode for corrective action. Acceptable values also include <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">exec</html:code>, and
<html:code xmlns:html="http://www.w3.org/1999/xhtml">halt</html:code>. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for <html:i xmlns:html="http://www.w3.org/1999/xhtml">ACTION</html:i> are described in the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd.conf</html:code> man page.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">139</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Administrators should be made aware of an inability to write to disk.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002719</ident>
          <fix system="urn:xccdf:fix:script:sh" id="auditd_data_retention_audit_processing_failure" complexity="low" disruption="low" reboot="false" strategy="configure">
var_auditd_disk_error_action="<sub idref="var_auditd_disk_error_action"/>"

if [ -e /etc/audit/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/audit/auditd.conf"
elif [ -e /etc/auditd.conf ]; then
	AUDITD_CONF_FILE="/etc/auditd.conf"
else
	exit
fi

grep -q ^disk_error_action ${AUDITD_CONF_FILE} &amp;&amp; \
  sed -i "s/disk_error_action.*/disk_error_action = $var_auditd_disk_error_action/g" ${AUDITD_CONF_FILE}
if ! [ $? -eq 0 ]; then
    echo "disk_error_action = $var_auditd_disk_error_action" &gt;&gt; ${AUDITD_CONF_FILE}
fi
grep -q ^disk_full_action ${AUDITD_CONF_FILE} &amp;&amp; \
  sed -i "s/disk_full_action.*/disk_full_action = $var_auditd_disk_error_action/g" ${AUDITD_CONF_FILE}
if ! [ $? -eq 0 ]; then
    echo "disk_full_action = $var_auditd_disk_error_action" &gt;&gt; ${AUDITD_CONF_FILE}
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-export export-name="oval:ssg-var_auditd_disk_error_action:var:1" value-id="var_auditd_disk_error_action"/>
            <check-content-ref name="oval:ssg-auditd_data_retention_audit_processing_failure:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-auditd_data_retention_audit_processing_failure_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="auditd_audispd_syslog_plugin_activated" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure auditd to use audispd's syslog plugin</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To configure the <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service to use the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> plug-in of the <html:code xmlns:html="http://www.w3.org/1999/xhtml">audispd</html:code> audit event multiplexor, set
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">active</html:code> line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audisp/plugins.d/syslog.conf</html:code> to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">yes</html:code>. Restart the <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> service:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service auditd restart</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECTB-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">136</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The auditd service does not include the ability to send audit
records to a centralized server for management directly. It does, however,
include a plug-in for audit event multiplexor (audispd) to pass audit records
to the local syslog server</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002870</ident>
          <fix system="urn:xccdf:fix:script:sh" id="auditd_audispd_syslog_plugin_activated" complexity="low" disruption="low" reboot="false" strategy="disable">
grep -q ^active /etc/audisp/plugins.d/syslog.conf &amp;&amp; \
  sed -i "s/active.*/active = yes/g" /etc/audisp/plugins.d/syslog.conf
if ! [ $? -eq 0 ]; then
    echo "active = yes" &gt;&gt; /etc/audisp/plugins.d/syslog.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-auditd_audispd_syslog_plugin_activated:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-auditd_audispd_syslog_plugin_activated_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="auditd_configure_rules">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure auditd Rules for Comprehensive Auditing</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditd</html:code> program can perform comprehensive
monitoring of system activity. This section describes recommended
configuration settings for comprehensive auditing, but a full
description of the auditing system's capabilities is beyond the
scope of this guide. The mailing list <html:i xmlns:html="http://www.w3.org/1999/xhtml">linux-audit@redhat.com</html:i> exists
to facilitate community discussion of the auditing system.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The audit subsystem supports extensive collection of events, including:
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Tracing of arbitrary system calls (identified by name or number)
on entry or exit.</html:li><html:li>Filtering by PID, UID, call success, system call argument (with
some limitations), etc.</html:li><html:li>Monitoring of specific files for modifications to the file's
contents or metadata.</html:li></html:ul>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Auditing rules at startup are controlled by the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>.
Add rules to it to meet the auditing requirements for your organization.
Each line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code> represents a series of arguments
that can be passed to <html:code xmlns:html="http://www.w3.org/1999/xhtml">auditctl</html:code> and can be individually tested
during runtime. See documentation in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/share/doc/audit-<html:i>VERSION</html:i></html:code> and
in the related man pages for more details.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
If copying any example audit rulesets from <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/share/doc/audit-VERSION</html:code>,
be sure to comment out the
lines containing <html:code xmlns:html="http://www.w3.org/1999/xhtml">arch=</html:code> which are not appropriate for your system's
architecture. Then review and understand the following rules,
ensuring rules are activated as needed for the appropriate
architecture.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
After reviewing all the rules, reading the following sections, and
editing as needed, the new rules can be activated as follows:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service auditd restart</html:pre>
</description>
        <Group id="audit_time_rules">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Records Events that Modify Date and Time Information</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time. All changes to the system 
time should be audited.</description>
          <Rule id="audit_rules_time_adjtimex" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record attempts to alter time through adjtimex</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_time_rules
-a exit,always -F arch=b32 -S adjtimex -k audit_time_rules</html:pre>
On a 64-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_time_rules
-a exit,always -F arch=b64 -S adjtimex -k audit_time_rules</html:pre>
The -k option allows for the specification of a key in string form that can 
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if 
desired, but is not required. See an example of multiple combined syscalls:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-3</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_time_adjtimex" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S adjtimex '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S adjtimex ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S adjtimex ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_time_adjtimex:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_time_settimeofday" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record attempts to alter time through settimeofday</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_time_rules
-a exit,always -F arch=b32 -S settimeofday -k audit_time_rules</html:pre>
On a 64-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_time_rules
-a exit,always -F arch=b64 -S settimeofday -k audit_time_rules</html:pre>
The -k option allows for the specification of a key in string form that can 
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if 
desired, but is not required. See an example of multiple combined syscalls:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-4</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_time_settimeofday" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S settimeofday '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S settimeofday ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S settimeofday ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_time_settimeofday:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_time_settimeofday_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_time_stime" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Attempts to Alter Time Through stime</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following line to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code> for both
32-bit and 64-bit systems:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_time_rules
-a always,exit -F arch=b32 -S stime -k audit_time_rules</html:pre>
Since the 64-bit version of the "stime" system call is not defined in the audit
lookup table, the corresponding "-F arch=b64" form of this rule is not expected
to be defined on 64-bit systems (the aforementioned "-F arch=b32" stime rule
form itself is sufficient for both 32-bit and 64-bit systems). The -k option
allows for the specification of a key in string form that can be used for
better reporting capability through ausearch and aureport. Multiple system
calls can be defined on the same line to save space if desired, but is not
required. See an example of multiple combined syscalls:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-5</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_time_stime" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k audit_time_rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S stime '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S stime ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
		# stime is not supported on 64-bit.
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_time_stime:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_time_stime_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_time_clock_settime" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Attempts to Alter Time Through clock_settime</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On a 32-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
On a 64-bit system, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
The -k option allows for the specification of a key in string form that can 
be used for better reporting capability through ausearch and aureport.
Multiple system calls can be defined on the same line to save space if 
desired, but is not required. See an example of multiple combined syscalls:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Arbitrary changes to the system time can be used to obfuscate 
nefarious activities in log files, as well as to confuse network services that 
are highly dependent upon an accurate system time (such as sshd). All changes 
to the system time should be audited.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-6</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_time_clock_settime:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Rule id="audit_rules_usergroup_creation" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Create User/Group Information</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, in order
to capture events that create accounts:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_account_creation
-w /usr/sbin/groupadd -p x -k audit_account_changes
-w /usr/sbin/useradd -p x -k audit_account_changes
-w /etc/group -p a -k audit_account_changes
-w /etc/passwd -p a -k audit_account_changes
-w /etc/gshadow -p a -k audit_account_changes
-w /etc/shadow -p a -k audit_account_changes
</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">18</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002750</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_usergroup_creation" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/useradd /usr/sbin/groupadd; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_creation" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
for FILE in /etc/group /etc/passwd /etc/gshadow /etc/shadow; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p a -k audit_account_creation" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wx]*a"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p a/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_usergroup_creation:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_usergroup_creation_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_usergroup_disabling" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Disable User Accounts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, in order
to capture events that disable accounts:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_account_disabling
-w /usr/bin/passwd -p x -k audit_account_disabling
</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1404</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002752</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_usergroup_disabling" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd"`" = "0" ]; then
	echo "-w /usr/bin/passwd -p x -k audit_account_changes" &gt;&gt;${AUDIT_RULES_FILE}
elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd -p [wa]*x"`" = "0" ]; then
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w /usr/bin/passwd -p "`" = "0" ]; then
		sed -i "s/\(-w \/usr\/bin\/passwd\)/\1 -p x/" ${AUDIT_RULES_FILE}
	else
		sed -i "s/\(-w \/usr\/bin\/passwd -p \)/\1x/" ${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_usergroup_disabling:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_usergroup_disabling_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_usergroup_modification" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify User/Group Information</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, in order
to capture events that modify account changes:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_account_changes
-w /usr/sbin/groupmod -p x -k audit_account_changes
-w /usr/sbin/usermod -p x -k audit_account_changes
-w /etc/group -p w -k audit_account_changes
-w /etc/passwd -p w -k audit_account_changes
-w /etc/gshadow -p w -k audit_account_changes
-w /etc/shadow -p w -k audit_account_changes
</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1403</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002751</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_usergroup_modification" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/usermod /usr/sbin/groupmod; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_changes" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
for FILE in /etc/group /etc/passwd /etc/gshadow /etc/shadow; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p w -k audit_account_changes" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xa]*w"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p w/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_usergroup_modification:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_usergroup_termination" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Terminate Users/Groups</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, in order
to capture events that terminate accounts:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_account_termination
-w /usr/sbin/groupdel -p x -k audit_account_termination
-w /usr/sbin/userdel -p x -k audit_account_termination
</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAT-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1405</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any
unexpected users, groups, or modifications should be investigated for
legitimacy.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002753</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_usergroup_termination" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

for FILE in /usr/sbin/userdel /usr/sbin/groupdel; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k audit_account_changes" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_usergroup_termination:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_usergroup_termination_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_sethostname" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Host Name</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_network_sethostname
-a exit,always -F arch=ARCH -S sethostname -k audit_network_modifications</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-7</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_sethostname" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_hostname"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`uname -p`" != "x86_64" ]; then
	echo "-a exit,always -F arch=b32 -S sethostname ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
else
	echo "-a exit,always -F arch=b64 -S sethostname ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_sethostname:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_sethostname_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_setdomainname" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Domain Name</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_network_setdomainname
-a exit,always -F arch=ARCH -S setdomainname -k audit_network_modifications</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-8</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_setdomainname" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_domainname"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`uname -p`" != "x86_64" ]; then
	echo "-a exit,always -F arch=b32 -S setdomainname ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
else
	echo "-a exit,always -F arch=b64 -S setdomainname ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_setdomainname:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_setdomainname_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_sched_setparam" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Scheduler Parameters</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_network_sethostname
-a exit,always -F arch=ARCH -S sched_setparam -k scheduler</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The scheduler parameters should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-9</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_sched_setparam" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_scheduler_parameters"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

# check for realtime capabilities
if [ `lsmod | grep -ic jiffies` = 0 ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S sched_setparam ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S sched_setparam ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_sched_setparam:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_sched_setparam_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_sched_setscheduler" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Scheduler Priorities</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting
ARCH to either b32 or b64 as appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># audit_network_sethostname
-a exit,always -F arch=ARCH -S sched_setscheduler -k scheduler</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The scheduler priorities should not be modified by anything other
than administrator action. Any change to network parameters should be
audited.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-10</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_sched_setscheduler" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k set_scheduler_setting"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

# check for realtime capabilities
if [ `lsmod | grep -ic jiffies` = 0 ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S sched_setscheduler ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S sched_setscheduler ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_sched_setscheduler:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_sched_setscheduler_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="audit_dac_actions">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file permission 
changes for all users and root.  Note that the "-F arch=b32" lines should be 
present even on a 64 bit system.  These commands identify system calls for 
auditing.  Even if the system is 64 bit it can still execute 32 bit system 
calls.  Additionally, these rules can be configured in a number of ways while 
still achieving the desired effect.  An example of this is that the "-S" calls 
could be split up and placed on separate lines, however, this is less efficient.
Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If your system is 64 bit then these lines should be duplicated and the 
arch=b32 replaced with arch=b64 as follows:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod
    -a exit,always -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is 
attempting to gain access to information that would otherwise be disallowed. 
Auditing DAC modifications can facilitate the identification of patterns of 
abuse among both authorized and unauthorized users.</rationale>
          <Rule id="audit_rules_dac_modification_chmod" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - chmod</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S chmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S chmod  -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a 
number of ways while still achieving the desired effect.  Here the system calls 
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_chmod" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chmod '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chmod ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chmod ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_chmod:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_chmod_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_chown" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - chown</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S chown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S chown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a 
number of ways while still achieving the desired effect.  Here the system calls 
have been placed independent of other system calls.  Grouping these system 
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-4</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_chown" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S chown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S chown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S chown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_chown:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_chown_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fchmod" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchmod</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fchmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fchmod -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-2</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fchmod" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchmod '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchmod ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchmod ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fchmod:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchmod_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fchmodat" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchmodat</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fchmodat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-3</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fchmodat" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchmodat '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchmodat ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchmodat ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fchmodat:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchmodat_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fchown" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchown</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-5</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fchown" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fchown:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchown_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fchownat" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fchownat</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fchownat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fchownat -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-6</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fchownat" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fchownat '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fchownat ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fchownat ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fchownat:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchownat_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fremovexattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fremovexattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-13</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fremovexattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fremovexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fremovexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fremovexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fremovexattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_fsetxattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - fsetxattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S fsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-10</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_fsetxattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S fsetxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S fsetxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S fsetxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_fsetxattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fsetxattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_lchown" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lchown</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file 
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S lchown -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-7</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_lchown" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lchown '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lchown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lchown ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lchown32 '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lchown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lchown32 ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_lchown:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lchown_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_lremovexattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lremovexattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S lremovexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-12</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_lremovexattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lremovexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lremovexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lremovexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_lremovexattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_lsetxattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - lsetxattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S lsetxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx"/>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-9</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_lsetxattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S lsetxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S lsetxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S lsetxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_lsetxattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_removexattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - removexattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S removexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S removexattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-11</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_removexattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S removexattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S removexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S removexattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_removexattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_removexattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="audit_rules_dac_modification_setxattr" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Events that Modify the System's Discretionary Access Controls - setxattr</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
permission changes for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b32 -S setxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
If the system is 64 bit then also add the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=b64 -S setxattr -F auid&gt;=500 -F auid!=4294967295 -k perm_mod</html:pre>
</description>
            <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Note that these rules can be configured in a
number of ways while still achieving the desired effect.  Here the system calls
have been placed independent of other system calls.  Grouping these system
calls with others as identifying earlier in this guide is more efficient.
</warning>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002820-8</ident>
            <fix system="urn:xccdf:fix:script:sh" id="audit_rules_dac_modification_setxattr" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k perm_mod"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S setxattr '`" = "0" ]; then
	if [ "`uname -p`" = "x86_64" ]; then
		echo "-a exit,always -F arch=b64 -S setxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b32 -S setxattr ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-audit_rules_dac_modification_setxattr:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Rule id="audit_rules_login_events" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Attempts to Alter Logon and Logout Events</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
The audit system already collects login info for all users and root. To watch for attempted manual edits of
files involved in storing logon events, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-w /var/log/faillog -p wa -k logins 
-w /var/log/lastlog -p wa -k logins</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002800</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_login_events" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi
for FILE in /var/log/faillog /var/log/lastlog; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p wa -k audit_login_events" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [x]*\(wa\|aw\)"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p wa/" ${AUDIT_RULES_FILE}
		else
			if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xa]*w"`" = "0" ]; then
				sed -i "s/\(-w ${SED_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
			fi
			if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [xw]*a"`" = "0" ]; then
				sed -i "s/\(-w ${SED_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
			fi
		fi
	fi
done
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_login_events:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="audit_rules_audit_rules" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Record Attempts to Alter Audit Rules</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
To watch for attempted manual edits of audit rules, add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-w /etc/audit/audit.rules -p w -k audit_rules</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">347</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Manual editing of audit rules may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002760-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_audit_rules" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE}"`" = "0" ]; then
	echo "-w ${AUDIT_RULES_FILE} -p wa -k audit_rules_changes" &gt;&gt;${AUDIT_RULES_FILE}
elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [x]*\(wa\|aw\)"`" = "0" ]; then
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p "`" = "0" ]; then
		sed -i "s/\(-w ${AUDIT_RULES_FILE}\)/\1 -p wa/" ${AUDIT_RULES_FILE}
	else
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [xa]*w"`" = "0" ]; then
			sed -i "s/\(-w ${AUDIT_RULES_FILE} -p \)/\1w/" ${AUDIT_RULES_FILE}
		fi
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${AUDIT_RULES_FILE} -p [xw]*a"`" = "0" ]; then
			sed -i "s/\(-w ${AUDIT_RULES_FILE} -p \)/\1a/" ${AUDIT_RULES_FILE}
		fi
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_audit_rules:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="audit_rules_unsuccessful_file_creat" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Via creat</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system with either:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S creat -F success=0 -k access</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S creat -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S creat -F exit=-EACCES -k access</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002720</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_unsuccessful_file_creat" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S creat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S creat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S creat " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S creat -F success=0" &gt;&gt;/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S creat -F success=0" &gt;&gt;/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_unsuccessful_file_creat:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_creat_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_unsuccessful_file_ftruncate" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Via ftruncate</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system with either:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S ftruncate -F success=0 -k access</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S ftruncate -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S ftruncate -F exit=-EACCES -k access</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002720-5</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_unsuccessful_file_ftruncate" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S ftruncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S ftruncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S ftruncate " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S ftruncate -F success=0" &gt;&gt;/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S ftruncate -F success=0" &gt;&gt;/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_unsuccessful_file_ftruncate:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_ftruncate_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_unsuccessful_file_open" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Via open</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system with either:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S open -F success=0 -k access</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S open -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S open -F exit=-EACCES -k access</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002720-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_unsuccessful_file_open" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S open " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S open " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S open " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S open -F success=0" &gt;&gt;/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S open -F success=0" &gt;&gt;/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_unsuccessful_file_open:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_open_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_unsuccessful_file_openat" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Via openat</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system with either:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S openat -F success=0 -k access</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S openat -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S openat -F exit=-EACCES -k access</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002720-3</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_unsuccessful_file_openat" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S openat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S openat " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S openat " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S openat -F success=0" &gt;&gt;/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S openat -F success=0" &gt;&gt;/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_unsuccessful_file_openat:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_openat_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_unsuccessful_file_truncate" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) Via truncate</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect
unauthorized file accesses for all users and root. Add the following
to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system with either:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S truncate -F success=0 -k access</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S truncate -F exit=-EPERM -k access
-a exit,always -F arch=ARCH -S truncate -F exit=-EACCES -k access</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002720-4</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_unsuccessful_file_truncate" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	if [ "`grep " -S truncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EACCES'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F exit=-EACCES -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
	if [ "`grep " -S truncate " /etc/audit/audit.rules | grep -v '#' | grep -c '\-F exit=-EPERM'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F exit=-EPERM -k access" &gt;&gt;/etc/audit/audit.rules
		fi
	fi
elif [ -e /etc/audit.rules ]; then
	if [ "`grep " -S truncate " /etc/audit.rules | grep -v '#' | grep -c '\success=0'`" = "0" ]; then
		if [ "`uname -p`" != "x86_64" ]; then
			echo "-a exit,always -F arch=b32 -S truncate -F success=0" &gt;&gt;/etc/audit.rules
		else
			echo "-a exit,always -F arch=b64 -S truncate -F success=0" &gt;&gt;/etc/audit.rules
		fi
	fi
else
	exit
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_unsuccessful_file_truncate:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_truncate_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_file_deletion_events" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects File Deletion Events by User</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect file
deletion events for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid&gt;=500 -F auid!=4294967295 -k delete</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002740</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_file_deletion_events" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k delete"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S unlink '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S unlink ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S unlink ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_file_deletion_events:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_file_deletion_events_rmdir" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Directory Deletion Events by User</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At a minimum the audit system should collect directory
deletion events for all users and root. Add the following to
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code>, setting ARCH to either b32 or b64 as
appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-a exit,always -F arch=ARCH -S rmdir -k delete</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Auditing directory deletions will create an audit trail for directories that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log directories to conceal their presence.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002740-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_file_deletion_events_rmdir" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k delete"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S rmdir '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S rmdir ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S rmdir ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_file_deletion_events_rmdir:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_rmdir_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="audit_rules_kernel_module_loading" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure auditd Collects Information on Kernel Module Loading and Unloading</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add the following to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/audit/audit.rules</html:code> in order
to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a exit,always -F arch=<html:i>ARCH</html:i> -S init_module -S delete_module -k modules</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002825-2</ident>
          <fix system="urn:xccdf:fix:script:sh" id="audit_rules_kernel_module_loading" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/audit/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit/audit.rules"
	AUDIT_TAG="-k modules"
elif [ -e /etc/audit.rules ]; then
	AUDIT_RULES_FILE="/etc/audit.rules"
	AUDIT_TAG=""
else
	exit
fi

if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S init_module '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S init_module ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S init_module ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi
if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c ' -S delete_module '`" = "0" ]; then
	if [ "`uname -p`" != "x86_64" ]; then
		echo "-a exit,always -F arch=b32 -S delete_module ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	else
		echo "-a exit,always -F arch=b64 -S delete_module ${AUDIT_TAG}" &gt;&gt;${AUDIT_RULES_FILE}
	fi
fi

for FILE in /sbin/insmod /sbin/rmmod /sbin/modprobe; do
	if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE}"`" = "0" ]; then
		echo "-w ${FILE} -p x -k modules" &gt;&gt;${AUDIT_RULES_FILE}
	elif [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p [wa]*x"`" = "0" ]; then
		SED_FILE="$(echo ${FILE} | sed 's/\//\\\//g')"
		if [ "`grep -v '#' ${AUDIT_RULES_FILE} | grep -c "\-w ${FILE} -p "`" = "0" ]; then
			sed -i "s/\(-w ${SED_FILE}\)/\1 -p x/" ${AUDIT_RULES_FILE}
		else
			sed -i "s/\(-w ${SED_FILE} -p \)/\1x/" ${AUDIT_RULES_FILE}
		fi
	fi
done
service auditd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-audit_rules_kernel_module_loading:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-audit_rules_kernel_module_loading_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
  </Group>
  <Group id="services">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Services</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The best protection against vulnerable software is running less software. This section describes how to review
the software which Red Hat Enterprise Linux 5 installs on a system and disable software which is not needed. It
then enumerates the software packages installed on a default Red Hat Enterprise Linux 5 system and provides guidance about which
ones can be safely disabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Red Hat Enterprise Linux 5 provides a convenient minimal install option that essentially installs the bare necessities for a functional
system. When building Red Hat Enterprise Linux 5 systems, it is highly recommended to select the minimal packages and then build up
the system from there.
</description>
    <Group id="obsolete">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Obsolete Services</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section discusses a number of network-visible
services which have historically caused problems for system
security, and for which disabling or severely limiting the service
has been the best available guidance for some time. As a result of
this, many of these services are not installed as part of Red Hat Enterprise Linux 6
by default.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Organizations which are running these services should
switch to more secure equivalents as soon as possible.
If it remains absolutely necessary to run one of
these services for legacy reasons, care should be taken to restrict
the service as much as possible, for instance by configuring host
firewall software such as <html:code xmlns:html="http://www.w3.org/1999/xhtml">iptables</html:code> to restrict access to the
vulnerable service to only those remote hosts which have a known
need to use it.</description>
      <Group id="inetd_and_xinetd">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Xinetd</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">xinetd</html:code> service acts as a dedicated listener for some
network services (mostly, obsolete ones) and can be used to provide access
controls and perform some logging. It has been largely obsoleted by other
features, and it is not installed by default. The older Inetd service
is not even available as part of Red Hat Enterprise Linux 6.</description>
        <Rule id="service_xinetd_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable xinetd Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">xinetd</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig xinetd off</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The xinetd service provides a dedicated listener service for some programs,
which is no longer necessary for commonly-used network services. Disabling
it ensures that these uncommon services are not running, and also prevents
attacks against xinetd itself.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003700</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_xinetd_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable xinetd for all run levels
#
/sbin/chkconfig --level 0123456 xinetd off

#
# Stop xinetd if currently running
#
/sbin/service xinetd stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_xinetd_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="telnet">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Telnet</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The telnet protocol does not provide confidentiality or integrity
for information transmitted on the network. This includes authentication
information such as passwords. Organizations which use telnet should be
actively working to migrate to a more secure protocol.</description>
        <Rule id="service_telnetd_disabled" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable telnet Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
            
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">telnet</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig telnet off</html:pre>
          </description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">197</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The telnet protocol uses unencrypted network communication, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network. The telnet protocol is also
subject to man-in-the-middle attacks.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003850</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_telnetd_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable telnetd for all run levels
#
/sbin/chkconfig --level 0123456 telnetd off

#
# Stop telnetd if currently running
#
/sbin/service telnetd stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_telnetd_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_telnetd_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="r_services">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Rlogin, Rsh, and Rexec</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Berkeley r-commands are legacy services which
allow cleartext remote access and have an insecure trust
model.</description>
        <Rule id="package_rsh-server_removed" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Uninstall rsh-server Package</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh-server</html:code> package can be uninstalled with
the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># yum erase rsh-server</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh-server</html:code> package provides several obsolete and insecure
network services. Removing it
decreases the risk of those services' accidental (or intentional)
activation.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003845</ident>
          <fix system="urn:xccdf:fix:script:sh" id="package_rsh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">yum -y remove rsh-server --disablerepo=* 1&gt;/dev/null
</fix>
          <fix system="urn:xccdf:fix:script:puppet" id="package_rsh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">include remove_rsh-server

class remove_rsh-server {
  package { 'rsh-server':
    ensure =&gt; 'purged',
  }
}
</fix>
          <fix system="urn:redhat:anaconda:pre" id="package_rsh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable">
package -remove=rsh-server
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-package_rsh-server_removed:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-package_rsh-server_removed_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="service_rexec_disabled" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable rexec Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rexec</html:code> service, which is available with
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh-server</html:code> package and runs as a service through xinetd,
should be disabled.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rexec</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig rexec off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">EBRP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1435</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rexec service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003840</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_rexec_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable rexec for all run levels
#
/sbin/chkconfig --level 0123456 rexec off

#
# Stop rexec if currently running
#
/sbin/service rexec stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_rexec_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_rexec_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="service_rsh_disabled" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable rsh Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh</html:code> service, which is available with
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh-server</html:code> package and runs as a service through xinetd,
should be disabled.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig rsh off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">EBRU-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rsh service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003820</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_rsh_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable rsh for all run levels
#
/sbin/chkconfig --level 0123456 rsh off

#
# Stop rsh if currently running
#
/sbin/service rsh stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_rsh_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_rsh_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="service_rlogin_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable rlogin Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rlogin</html:code> service, which is available with
the <html:code xmlns:html="http://www.w3.org/1999/xhtml">rsh-server</html:code> package and runs as a service through xinetd,
should be disabled.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rlogin</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig rlogin off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rlogin service uses unencrypted network communications, which
means that data from the login session, including passwords and
all other information transmitted during the session, can be
stolen by eavesdroppers on the network.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003830</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_rlogin_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable rlogin for all run levels
#
/sbin/chkconfig --level 0123456 rlogin off

#
# Stop rlogin if currently running
#
/sbin/service rlogin stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_rlogin_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="no_rsh_trust_files" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove Rsh Trust Files</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The files <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/hosts.equiv</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">~/.rhosts</html:code> (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rm /etc/hosts.equiv</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ rm ~/.rhosts</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Trust files are convenient, but when
used in conjunction with the R-services, they can allow
unauthenticated access to a system.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002040</ident>
          <fix system="urn:xccdf:fix:script:sh" id="no_rsh_trust_files" complexity="low" disruption="low" reboot="false" strategy="disable">find -type f -name .rhosts -exec rm -f '{}' \;
rm /etc/hosts.equiv
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-no_rsh_trust_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-no_rsh_trust_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="rhosts_auth_pam_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove rhosts_auth Entries</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All pam files located within /etc/pam.d/ must not include rhosts_auth.
To remove these entries, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># sed -i '/.*rhosts_auth.*/d' /etc/pam.d/*</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">.rhosts files are used to specify a list of hosts permitted remote 
access to a particular account without authenticating. The use of such a mechanism 
defeats strong identification and authentication requirements.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002100</ident>
          <fix system="urn:xccdf:fix:script:sh" id="rhosts_auth_pam_files" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i '/.*rhosts_auth.*/d' /etc/pam.d/*
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-rhosts_auth_pam_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-rhosts_auth_pam_files_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="nis">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">NIS</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network Information Service (NIS), also known as 'Yellow
Pages' (YP), and its successor NIS+ have been made obsolete by
Kerberos, LDAP, and other modern centralized authentication
services. NIS should not be used because it suffers from security
problems inherent in its design, such as inadequate protection of
important authentication information.</description>
        <Rule id="service_ypbind_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable ypbind Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ypbind</html:code> service, which allows the system to act as a client in
a NIS or NIS+ domain, should be disabled.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ypbind</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig ypbind off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1435</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ypbind</html:code> service ensures the system is not acting
as a client in a NIS or NIS+ domain.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006400</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_ypbind_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable ypbind for all run levels
#
/sbin/chkconfig --level 0123456 ypbind off

#
# Stop ypbind if currently running
#
/sbin/service ypbind stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_ypbind_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="tftp">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TFTP Server</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
TFTP is a lightweight version of the FTP protocol which has
traditionally been used to configure networking equipment. However,
TFTP provides little security, and modern versions of networking
operating systems frequently support configuration via SSH or other
more secure protocols. A TFTP server should be run only if no more
secure method of supporting existing equipment can be
found.</description>
        <Rule id="service_tftp_disabled" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable tftp Service</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">tftp</html:code> service should be disabled.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">tftp</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig tftp off</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCSW-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Disabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">tftp</html:code> service ensures the system is not acting
as a TFTP server, which does not provide encryption or authentication.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005140</ident>
          <fix system="urn:xccdf:fix:script:sh" id="service_tftp_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">#
# Disable tftp for all run levels
#
/sbin/chkconfig --level 0123456 tftp off

#
# Stop tftp if currently running
#
/sbin/service tftp stop 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-service_tftp_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="tftpd_uses_secure_mode" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure tftp Daemon Uses Secure Mode</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If running the <html:code xmlns:html="http://www.w3.org/1999/xhtml">tftp</html:code> service is necessary, it should be configured
to change its root directory at startup. To do so, ensure
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/xinetd.d/tftp</html:code> includes <html:code xmlns:html="http://www.w3.org/1999/xhtml">-s</html:code> as a command line argument, as shown in
the following example (which is also the default):
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">server_args = -s /var/lib/tftpboot</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Using the <html:code xmlns:html="http://www.w3.org/1999/xhtml">-s</html:code> option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005080</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-tftpd_uses_secure_mode:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="base">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Base Services</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section addresses the base services that are installed on a
Red Hat Enterprise Linux 6 default installation which are not covered in other
sections. Some of these services listen on the network and
should be treated with particular discretion. Other services are local
system utilities that may or may not be extraneous. In general, system services
should be disabled if not required.</description>
      <Rule id="service_kdump_disabled" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable KDump Kernel Crash Analyzer (kdump)</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">kdump</html:code> service provides a kernel crash dump analyzer. It uses the <html:code xmlns:html="http://www.w3.org/1999/xhtml">kexec</html:code>
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">kdump</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig kdump off</html:pre>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless the system is used for kernel development or testing, there
is little need to run the kdump service.</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003510</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-service_kdump_disabled:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_kdump_disabled_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="service_yum-updatesd_disabled" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Automatic Updates</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
          
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">yum-updatesd</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig yum-updatesd off</html:pre>
        </description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1233</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System package management tools can obtain a list 
of updates and patches from a package repository and make this 
information available to the SA for review and action. Using a 
package repository outside of the organization's control presents 
a risk of malicious packages being introduced.</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008820</ident>
        <fix system="urn:xccdf:fix:script:sh" id="service_yum-updatesd_disabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Disable yum-updatesd for all run levels
#
/sbin/chkconfig --level 0123456 yum-updatesd off

#
# Stop yum-updatesd if currently running
#
/sbin/service yum-updatesd stop 1&gt;/dev/null
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-service_yum-updatesd_disabled:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_yum-updatesd_disabled_ocil:questionnaire:1"/>
        </check>
      </Rule>
    </Group>
    <Group id="cron_and_at">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Cron and At Daemons</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The cron and at services are used to allow commands to
be executed at a later time. The cron service is required by almost
all systems to perform necessary maintenance tasks, while at may or
may not be required on a given system. Both daemons should be
configured defensively.</description>
      <Group id="restrict_cron_users">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict cron to Authorized Users if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.allow</html:code> file contain lists of users who are allowed
to use cron to delay execution of processes. If this file exists and
if the corresponding file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/cron.deny</html:code> does not exist,
then only users listed in the relevant allow files can run the crontab
commands to submit jobs to be run at scheduled intervals.
On many systems, only the system administrator needs the ability to schedule
jobs. Note that even if a given user is not listed in <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron.allow</html:code>, cron jobs can
still be run as that user.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To restrict cron to only authorized users:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Remove the cron.deny file:<html:pre># rm /etc/cron.deny</html:pre></html:li><html:li>Edit <html:code>/etc/cron.allow</html:code>, adding one line for each user allowed to use the crontab command to create cron jobs.</html:li></html:ul>
</description>
        <Rule id="cron_access_controlled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Cron Must Control Access</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The cron service must control access to the execution of cron jobs.
This is accomplished defining the users allowed/denied in the cron.allow and cron.deny files. 
To confirm if these files exist, run the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -1l /etc/cron.allow
# ls -1l /etc/cron.deny</html:pre>
The cron facility allows users to execute recurring jobs on a regular and unattended basis.  
The cron.allow file designates accounts allowed to enter and execute jobs using the cron facility.  
If neither cron.allow nor cron.deny exists, then any account may use the cron facility.  
This may open the facility up for abuse by system intruders and malicious users.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN002960</ident>
          <fix system="urn:xccdf:fix:script:sh" id="cron_access_controlled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ ! -e [/etc/cron.allow ]; then
	&gt; /etc/cron.allow
	chown root:root /etc/cron.allow
	chmod 0600 /etc/cron.allow
fi
if [ ! -e [/etc/cron.deny ]; then
	SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/cron.deny) = 0 ]; then
			echo ${USER} | tee -a /etc/cron.deny &amp;&gt;/dev/null
		fi
	done
	chown root:root /etc/cron.deny
	chmod 0600 /etc/cron.deny
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-cron_access_controlled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="cron_system_accounts" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Cron Must Deny System Accounts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The cron service must deny system accounts (except for root) access to the execution of cron jobs. 
This includes all accounts with a UID less than 500, except for 0.
This is accomplished by listing all system users within the cron.deny file and ensuring that they are not listed in the cron.allow file. 
To confirm these conditions are met, run the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># cat /etc/passwd | awk -F: '{ print $1"|"$3 }' | grep -v "^root|" | while read ENTRY; do 
if [ $(echo $ENTRY | cut -d"|" -f2) -lt 500 ];then 
if [ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/cron.deny) = 0 ] || 
[ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/cron.allow) != 0 ]; then 
echo $ENTRY | cut -d"|" -f1; fi; fi; done</html:pre>
If any users are listed from the above command, then the listed user(s) does not meet the above requirements.
To centralize the management of privileged account crontabs, of the 
default system accounts, only root may have a crontab.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003060</ident>
          <fix system="urn:xccdf:fix:script:sh" id="cron_system_accounts" complexity="low" disruption="low" reboot="false" strategy="configure">SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/cron.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/cron.deny &amp;&gt;/dev/null
	fi
done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-cron_system_accounts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="restrict_at_users">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict at to Authorized Users if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.allow</html:code> file contain lists of users who are allowed
to use at to delay execution of processes. If this file exists and
if the corresponding file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/at.deny</html:code> does not exist,
then only users listed in the relevant allow files can run the at
commands to submit jobs to be run at scheduled intervals.
On many systems, only the system administrator needs the ability to schedule
jobs. Note that even if a given user is not listed in <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron.allow</html:code>, cron jobs can
still be run as that user. The <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron.allow</html:code> file controls only administrative access
to the crontab command for scheduling and modifying cron jobs.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
To restrict at to only authorized users:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Remove the <html:code>at.deny</html:code> file:<html:pre># rm /etc/at.deny</html:pre></html:li><html:li>Edit <html:code>/etc/at.allow</html:code>, adding one line for each user allowed to use the at command to create at jobs.</html:li></html:ul>
</description>
        <Rule id="at_access_controlled" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At Must Control Access</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The at service must control access to the execution of at jobs.
This is accomplished defining the users allowed/denied in the at.allow and at.deny files. 
To confirm if these files exist, run the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -1l /etc/at.allow
# ls -1l /etc/at.deny</html:pre>
The at facility allows users to execute recurring jobs on a regular and unattended basis.  
The at.allow file designates accounts allowed to enter and execute jobs using the at facility.  
If neither at.allow nor at.deny exists, then any account may use the at facility.  
This may open the facility up for abuse by system intruders and malicious users.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003280</ident>
          <fix system="urn:xccdf:fix:script:sh" id="at_access_controlled" complexity="low" disruption="low" reboot="false" strategy="configure">if [ ! -e [/etc/at.allow ]; then
	&gt; /etc/at.allow
	chown root:root /etc/at.allow
	chmod 0600 /etc/at.allow
fi
if [ ! -e [/etc/at.deny ]; then
	SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
			echo ${USER} | tee -a /etc/at.deny &amp;&gt;/dev/null
		fi
	done
	chown root:root /etc/at.deny
	chmod 0600 /etc/at.deny
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-at_access_controlled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="at_system_accounts" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At Must Deny System Accounts</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The at service must deny system accounts (except for root) access to the execution of at jobs. 
This includes all accounts with a UID less than 500, except for 0.
This is accomplished by listing all system users within the at.deny file and ensuring that they are not listed in the at.allow file. 
To confirm these conditions are met, run the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># cat /etc/passwd | awk -F: '{ print $1"|"$3 }' | grep -v "^root|" | while read ENTRY; do 
if [ $(echo $ENTRY | cut -d"|" -f2) -lt 500 ];then 
if [ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/at.deny) = 0 ] || 
[ $(grep -c "$(echo $ENTRY | cut -d"|" -f1)" /etc/at.allow) != 0 ]; then 
echo $ENTRY | cut -d"|" -f1; fi; fi; done</html:pre>
If any users are listed from the above command, then the listed user(s) does not meet the above requirements.
To centralize the management of privileged account at jobs, of the 
default system accounts, only root may have the ability to schedule at jobs.</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003320</ident>
          <fix system="urn:xccdf:fix:script:sh" id="at_system_accounts" complexity="low" disruption="low" reboot="false" strategy="configure">SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/at.deny &amp;&gt;/dev/null
	fi
done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-at_system_accounts:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="at_deny_nonempty" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">At.deny Must Either Not Exist Or Not Be Empty</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">On some systems, if there is no at.allow file and there is an empty at.deny file, 
then the system assumes everyone has permission to use the "at" facility.  
This could create an insecure setting in the case of malicious users or system intruders. 
To confirm these conditions are met, run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># ls -1l /etc/at.deny</html:pre>
If the above command returns with details about /etc/at.deny, then it exists.
If it exists, then run the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># cat /etc/at.deny</html:pre>
If no entries are returned, then configure the at.deny file with the default system accounts, excluding root.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003300</ident>
          <fix system="urn:xccdf:fix:script:sh" id="at_deny_nonempty" complexity="low" disruption="low" reboot="false" strategy="configure">SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
for USER in `echo $SYS_USER`; do
	if [ $(grep -c "^${USER}$" /etc/at.deny) = 0 ]; then
		echo ${USER} | tee -a /etc/at.deny &amp;&gt;/dev/null
	fi
done
sed -i '/^$/d' /etc/at.deny
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-at_deny_nonempty:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="ssh">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SSH Server</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SSH protocol is recommended for remote login and
remote file transfer. SSH provides confidentiality and integrity
for data exchanged between two systems, as well as server
authentication, through the use of public key cryptography. The
implementation included with the system is called OpenSSH, and more
detailed documentation is available from its website,
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.openssh.org">http://www.openssh.org</html:a>. Its server program is called <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd</html:code> and
provided by the RPM package <html:code xmlns:html="http://www.w3.org/1999/xhtml">openssh-server</html:code>.</description>
      <Group id="ssh_server">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenSSH Server if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system needs to act as an SSH server, then
certain changes should be made to the OpenSSH daemon configuration
file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>. The following recommendations can be
applied to this file. See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> man page for more
detailed information.</description>
        <Rule id="sshd_protocol_2" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allow Only SSH Protocol 2</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Only SSH protocol version 2 connections should be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Protocol 2</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
SSH protocol version 1 suffers from design flaws that
result in security vulnerabilities and
should not be used.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005500</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_protocol_2" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -c "^Protocol") != "0" ]; then
	sed -i 's/^Protocol.*/Protocol 2/' /etc/ssh/sshd_config
else
	echo "Protocol 2"&gt;&gt;/etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_protocol_2:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_protocol_2_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_disable_root_login" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable SSH Root Login</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line
in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PermitRootLogin no</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Permitting direct root login reduces auditable information about who ran
privileged commands on the system
and also allows direct attack attempts on root's password.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN001120</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_disable_root_login" complexity="low" disruption="low" reboot="false" strategy="disable">grep -q ^PermitRootLogin /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/PermitRootLogin.*/PermitRootLogin no/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "PermitRootLogin no" &gt;&gt; /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_disable_root_login:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_enable_warning_banner" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable SSH Warning Banner</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To enable the warning banner and ensure it is consistent
across the system, add or correct the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Banner /etc/issue</html:pre>
Another section contains information on how to create an
appropriate system-wide warning banner.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECWM-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">48</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The warning message reinforces policy awareness during the logon process and
facilitates possible legal action against attackers.  Alternatively, systems
whose ownership should not be obvious should ensure usage of a banner that does
not provide easy attribution.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005550</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_enable_warning_banner" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q ^Banner /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/Banner.*/Banner \/etc\/issue/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Banner /etc/issue" &gt;&gt; /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_enable_warning_banner:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_use_approved_ciphers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Approved Ciphers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the ciphers to those algorithms which are FIPS-approved.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>
demonstrates use of FIPS-approved ciphers:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> contains a list of supported ciphers.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Approved algorithms should impart some level of confidence in their
implementation. These are also required for compliance.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005505</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_use_approved_ciphers" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q ^Ciphers /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" &gt;&gt; /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_use_approved_ciphers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_use_approved_ciphers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_no_cbc" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do Not Use CBC Mode</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Cipher-Block Chaining (CBC) mode of encryption as implemented 
in the SSHv2 protocol is vulnerable to chosen plain text attacks.
Counter (CTR) mode is preferred over CBC mode.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>
demonstrates use of FIPS-approved ciphers:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> contains a list of supported ciphers.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Approved algorithms should impart some level of confidence in their
implementation. These are also required for compliance.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005506</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_no_cbc" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q ^Ciphers /etc/ssh/sshd_config &amp;&amp; \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/sshd_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" &gt;&gt; /etc/ssh/sshd_config
fi
/sbin/service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_no_cbc:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_no_cbc_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_use_approved_macs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Approved Macs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code>
demonstrates use of FIPS-approved MACs:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Macs hmac-sha1</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">sshd_config(5)</html:code> contains a list of supported macs.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005507</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_use_approved_macs" complexity="low" disruption="low" reboot="false" strategy="disable">if [ $(cat /etc/ssh/sshd_config | grep -c "^MACs") = "0" ]; then
	echo "MACs hmac-sha1" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^MACs.*/MACs hmac-sha1/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_use_approved_macs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_gssapiauthentication" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable GSSAPIAuthentication</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">GSSAPIAuthentication should not be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">GSSAPIAuthentication no</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
GSSAPI authentication is used to provide additional authentication mechanisms 
to applications. Allowing GSSAPI authentication through SSH exposes the system&#8217;s 
GSSAPI to remote hosts, increasing the attack surface of the system.  GSSAPI 
authentication must be disabled unless needed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005524</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_gssapiauthentication" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -c "^GSSAPIAuthentication") = "0" ]; then
	echo "GSSAPIAuthentication no" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_gssapiauthentication:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_gssapiauthentication_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_printlastlog" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Display Login Details</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A user should be presented with details on the last attempted access 
to their account, upon logging in. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">PrintLastLog yes</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">52</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Providing users with feedback on when account accesses last occurred 
facilitates user recognition and reporting of unauthorized account use.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000452</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_printlastlog" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(grep -c '^session.*required.*pam_lastlog.so$' /etc/pam.d/sshd)" = "0" ]; then
	echo -e "session    required\tpam_lastlog.so" | tee -a /etc/pam.d/sshd &amp;&gt;/dev/null
elif [ "$(grep pam_lastlog /etc/pam.d/sshd | grep -c silent)" != "0" ]; then
	sed -i '/pam_lastlog/s/silent//' /etc/pam.d/sshd
fi
if [ $(cat /etc/ssh/sshd_config | grep -ic "^PrintLastLog") = "0" ]; then
	echo "PrintLastLog yes" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^PrintLastLog.*/PrintLastLog yes/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_printlastlog:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_printlastlog_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_users_groups" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Users/Groups</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Login access to the SSH server should be restricted to a 
list of allowed users or groups. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is to allow all users and groups access to login.  
The user/group restriction can be verified by ensuring that the following 
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">AllowedUsers</html:pre> or <html:pre xmlns:html="http://www.w3.org/1999/xhtml">AllowedGroups</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Restricting SSH logins to a limited group of users, such as system administrators, 
prevents password-guessing and other SSH attacks from reaching system accounts 
and other accounts not authorized for SSH access.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005521</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_users_groups" complexity="low" disruption="low" reboot="false" strategy="configure">echo "AllowGroups wheel" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_users_groups:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_users_groups_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_kerberosauthentication" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable KerberosAuthentication</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">KerberosAuthentication should not be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">KerberosAuthentication no</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Kerberos authentication for SSH is often implemented using GSSAPI.  
If Kerberos is enabled through SSH, the SSH daemon provides a means 
of access to the system's Kerberos implementation.  Vulnerabilities 
in the system's Kerberos implementation may then be subject to exploitation.  
To reduce the attack surface of the system, the Kerberos authentication 
mechanism within SSH must be disabled for systems not using this capability.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005526</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_kerberosauthentication" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -ic "^KerberosAuthentication") = "0" ]; then
	echo "KerberosAuthentication no" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^KerberosAuthentication.*/KerberosAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_kerberosauthentication:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_kerberosauthentication_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_strictmodes" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable StrictModes</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">StrictModes must be enabled. 
The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is not correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">StrictModes yes</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If other users have access to modify user-specific SSH configuration files, 
they may be able to log into the system as another user.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005536</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_strictmodes" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -c "^StrictModes") = "0" ]; then
	echo "StrictModes yes" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^StrictModes.*/StrictModes yes/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_strictmodes:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_strictmodes_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_privilegeseparation" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Privilege Separation</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">UsePrivilegeSeparation must be enabled. 
The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is not correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">UsePrivilegeSeparation yes</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECLP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
SSH daemon privilege separation causes the SSH process to drop root 
privileges when not needed, which would decrease the impact of 
software vulnerabilities in the unprivileged section.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005537</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_privilegeseparation" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -ic "^UsePrivilegeSeparation") = "0" ]; then
	echo "UsePrivilegeSeparation yes" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^UsePrivilegeSeparation.*/UsePrivilegeSeparation yes/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_privilegeseparation:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_privilegeseparation_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_rhostsrsaauthentication" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable RhostsRSAAuthentication</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">RhostsRSAAuthentication should not be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">RhostsRSAAuthentication no</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If SSH permits rhosts RSA authentication, a user may be able to log in based 
on the keys of the host originating the request and not any user-specific 
authentication.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005538</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_rhostsrsaauthentication" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -ic "^RhostsRSAAuthentication") = "0" ]; then
	echo "RhostsRSAAuthentication no" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^RhostsRSAAuthentication.*/RhostsRSAAuthentication no/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_rhostsrsaauthentication:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_rhostsrsaauthentication_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="sshd_compression" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Or Delay Compression</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Compression should not be
permitted prior to authentication. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> is not correct, and can be
verified by ensuring that either of the following
lines appear:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Compression no</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Compression delayed</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If compression is allowed in an SSH connection prior to authentication, 
vulnerabilities in the compression software could result in compromise 
of the system from an unauthenticated connection, potentially with root privileges.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005539</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sshd_compression" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/sshd_config | grep -ic "^Compression") = "0" ]; then
	echo "Compression delayed" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i 's/^Compression.*/Compression delayed/' /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sshd_compression:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_compression_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Group id="sshd_strengthen_firewall">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Strengthen Firewall Configuration if Possible</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the SSH server is expected to only receive connections from 
the local network, then strengthen the default firewall rule for the SSH service
to only accept connections from the appropriate network segment(s).
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Determine an appropriate network block, <html:code xmlns:html="http://www.w3.org/1999/xhtml">netwk</html:code>, and network mask, <html:code xmlns:html="http://www.w3.org/1999/xhtml">mask</html:code>, 
representing the machines on your network which will be allowed to access this SSH server.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Edit the files <html:code xmlns:html="http://www.w3.org/1999/xhtml">etc/sysconfig/iptables</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</html:code>
(if IPv6 is in use). In each file, locate the line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</html:pre>
and replace it with:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">-A INPUT -s netwk/mask -m state --state NEW -p tcp --dport 22 -j ACCEPT</html:pre>
</description>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Restricting SSH access to only trusted network segments reduces exposure of the SSH 
server to attacks from unauthorized networks.</rationale>
          <Rule id="sshd_listen_addresses" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Assign Designated IP</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SSH daemon must only listen on management network addresses 
unless authorized for uses other than management. By default, all addresses are allowed.
The default setting in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</html:code> must be modified to include the specific IP address 
that the SSH server should be managed from, for example:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">ListenAddress 10.10.2.1</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">69</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SSH daemon should only listen on network addresses designated for management traffic.  
If the system has multiple network interfaces and SSH listens on addresses not designated 
for management traffic, the SSH service could be subject to unauthorized access.  
If SSH is used for purposes other than management, such as providing an SFTP service, 
the list of approved listening addresses may be documented.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005504</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sshd_listen_addresses" complexity="low" disruption="low" reboot="false" strategy="configure">MANAGEMENT_IP=$(/sbin/ifconfig | grep inet | grep -v 127.0.0.1 | cut -d: -f2 | awk '{ print $1}' | head -1)
if [ $(cat /etc/ssh/sshd_config | grep -ic "^ListenAddress") = "0" ]; then
	echo "ListenAddress ${MANAGEMENT_IP}" | tee -a /etc/ssh/sshd_config &amp;&gt;/dev/null
else
	sed -i "s/^ListenAddress.*/ListenAddress ${MANAGEMENT_IP}/" /etc/ssh/sshd_config
fi
service sshd restart 1&gt;/dev/null</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sshd_listen_addresses:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_listen_addresses_ocil:questionnaire:1"/>
            </check>
          </Rule>
          <Rule id="sshd_ipfiltering" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable SSH IP Filtering</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">IP filtering should be enabled for SSH in either /etc/hosts.allow or /etc/hosts.deny. 
By default, no IP filtering is configured. IP filtering for SSH can be
verified by ensuring that a line similar to the following appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">sshd:10.10.:spawn /bin/echo SSHD accessed on $(/bin/date) from %h&gt;&gt;/var/log/host.access</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECWM-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SSH daemon must be configured for IP filtering to provide a layered defence against connection 
attempts from unauthorized addresses.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005540</ident>
            <fix system="urn:xccdf:fix:script:sh" id="sshd_ipfiltering" complexity="low" disruption="low" reboot="false" strategy="configure">MANAGEMENT_IP=$(/sbin/ifconfig | grep inet | grep -v 127.0.0.1 | cut -d: -f2 | awk '{ print $1}' | head -1 | cut -d. -f1-2)
sed -i '/sshd/d' /etc/hosts.allow
echo "sshd: ${MANAGEMENT_IP}.: spawn /bin/echo SSHD accessed on \$(/bin/date) from %h&gt;&gt;/var/log/host.access" | tee -a /etc/hosts.allow &amp;&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-sshd_ipfiltering:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sshd_ipfiltering_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="ssh_client">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenSSH Client if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the system needs to utilize the SSH client, then
certain changes should be made to the OpenSSH client configuration
file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code>. The following recommendations can be
applied to this file. See the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh_config(5)</html:code> man page for more
detailed information.</description>
        <Rule id="ssh_protocol_2" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allow Only SSH Protocol 2</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Only SSH protocol version 2 connections should be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Protocol 2</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
SSH protocol version 1 suffers from design flaws that
result in security vulnerabilities and
should not be used.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005501</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ssh_protocol_2" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/ssh_config | grep -c "^Protocol") != "0" ]; then
	sed -i 's/^Protocol.*/Protocol 2/' /etc/ssh/ssh_config
else
	echo "Protocol 2"&gt;&gt;/etc/ssh/ssh_config
fi

</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ssh_protocol_2:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ssh_protocol_2_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ssh_use_approved_ciphers" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Approved Ciphers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the ciphers to those algorithms which are FIPS-approved.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code>
demonstrates use of FIPS-approved ciphers:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh_config(5)</html:code> contains a list of supported ciphers.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Approved algorithms should impart some level of confidence in their
implementation. These are also required for compliance.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005510</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ssh_use_approved_ciphers" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q ^Ciphers /etc/ssh/ssh_config &amp;&amp; \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/ssh_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" &gt;&gt; /etc/ssh/ssh_config
fi

</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ssh_use_approved_ciphers:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ssh_use_approved_ciphers_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ssh_no_cbc" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do Not Use CBC Mode</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Cipher-Block Chaining (CBC) mode of encryption as implemented 
in the SSHv2 protocol is vulnerable to chosen plain text attacks.
Counter (CTR) mode is preferred over CBC mode.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code>
demonstrates use of FIPS-approved ciphers:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Ciphers aes128-ctr,aes192-ctr,aes256-ctr</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh_config(5)</html:code> contains a list of supported ciphers.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Approved algorithms should impart some level of confidence in their
implementation. These are also required for compliance.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005511</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ssh_no_cbc" complexity="low" disruption="low" reboot="false" strategy="configure">grep -q ^Ciphers /etc/ssh/ssh_config &amp;&amp; \
  sed -i "s/Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/g" /etc/ssh/ssh_config
if ! [ $? -eq 0 ]; then
    echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" &gt;&gt; /etc/ssh/ssh_config
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ssh_no_cbc:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ssh_no_cbc_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ssh_use_approved_macs" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Only Approved Macs</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Limit the MACs to those hash algorithms which are FIPS-approved.
The following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code>
demonstrates use of FIPS-approved MACs:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">Macs hmac-sha1</html:pre>
The man page <html:code xmlns:html="http://www.w3.org/1999/xhtml">ssh_config(5)</html:code> contains a list of supported macs.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005512</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ssh_use_approved_macs" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/ssh_config | grep -c "^MACs") = "0" ]; then
	echo "MACs hmac-sha1" | tee -a /etc/ssh/ssh_config &amp;&gt;/dev/null
else
	sed -i 's/^MACs.*/MACs hmac-sha1/' /etc/ssh/ssh_config
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ssh_use_approved_macs:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ssh_use_approved_macs_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ssh_gssapiauthentication" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable GSSAPIAuthentication</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">GSSAPIAuthentication should not be
permitted. The default setting in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ssh/ssh_config</html:code> is correct, and can be
verified by ensuring that the following
line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">GSSAPIAuthentication no</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
GSSAPI authentication is used to provide additional authentication mechanisms 
to applications. Allowing GSSAPI authentication through SSH exposes the system&#8217;s 
GSSAPI to remote hosts, increasing the attack surface of the system.  GSSAPI 
authentication must be disabled unless needed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005525</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ssh_gssapiauthentication" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ssh/ssh_config | grep -c "^GSSAPIAuthentication") = "0" ]; then
	echo "GSSAPIAuthentication no" | tee -a /etc/ssh/ssh_config &amp;&gt;/dev/null
else
	sed -i 's/^GSSAPIAuthentication.*/GSSAPIAuthentication no/' /etc/ssh/ssh_config
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ssh_gssapiauthentication:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ssh_gssapiauthentication_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="xwindows">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">X Window System</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The X Window System implementation included with the
system is called X.org.</description>
      <Group id="disabling_xwindows">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable X Windows</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unless there is a mission-critical reason for the
system to run a graphical user interface, ensure X is not set to start
automatically at boot and remove the X Windows software packages.
There is usually no reason to run X Windows
on a dedicated server machine, as it increases the system's attack surface and consumes
system resources. Administrators of server systems should instead login via
SSH or on the text console.</description>
        <Rule id="xwindows_runlevel_setting" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable X Windows Startup By Setting Runlevel</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Setting the system's runlevel to 3 will prevent automatic startup
of the X server. To do so, ensure the following line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/inittab</html:code>
features a <html:code xmlns:html="http://www.w3.org/1999/xhtml">3</html:code> as shown:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">id:3:initdefault:</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005260</ident>
          <fix system="urn:xccdf:fix:script:sh" id="xwindows_runlevel_setting" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i 's/.*:initdefault:.*/id:3:initdefault:/' /etc/inittab</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-xwindows_runlevel_setting:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-xwindows_runlevel_setting_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="dhcp">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">DHCP</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Dynamic Host Configuration Protocol (DHCP) allows
systems to request and obtain an IP address and other configuration
parameters from a server.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
This guide recommends configuring networking on clients by manually editing
the appropriate files under <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig</html:code>.  Use of DHCP can make client 
systems vulnerable to compromise by rogue DHCP servers, and should be avoided 
unless necessary.  If using DHCP is necessary, however, there are best practices 
that should be followed to minimize security risk.
</description>
      <Group id="disabling_dhcp_client">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DHCP Client</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
DHCP is the default network configuration method provided by the system
installer, and common on many networks. Nevertheless, manual management
of IP addresses for systems implies a greater degree of management and
accountability for network activity.
</description>
        <Rule id="sysconfig_networking_bootproto_ifcfg" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable DHCP Client</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
For each interface on the system (e.g. eth0), edit
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:code> and make the
following changes:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li> Correct the BOOTPROTO line to read:
<html:pre>BOOTPROTO=static</html:pre>
</html:li><html:li> Add or correct the following lines, substituting the appropriate
values based on your site's addressing scheme:
<html:pre>NETMASK=255.255.255.0
IPADDR=192.168.1.2
GATEWAY=192.168.1.1</html:pre>
</html:li></html:ul>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
DHCP relies on trusting the local network. If the local network is not trusted,
then it should not be used.  However, the automatic configuration provided by
DHCP is commonly used and the alternative, manual configuration, presents an
unacceptable burden in many circumstances.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007840</ident>
          <fix system="urn:xccdf:fix:script:sh" id="sysconfig_networking_bootproto_ifcfg" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i 's/^BOOTPROTO=.*/BOOTPROTO="static"/' /etc/sysconfig/network-scripts/ifcfg-*</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-sysconfig_networking_bootproto_ifcfg:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="dhcp_client_configuration">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure DHCP Client if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If DHCP must be used, then certain configuration changes can
minimize the amount of information it receives and applies from the network,
and thus the amount of incorrect information a rogue DHCP server could
successfully distribute.  For more information on configuring dhclient, see the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">dhclient(8)</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhclient.conf(5)</html:code> man pages.  </description>
        <Rule id="dhcp_client_disable_ddns" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Do Not Use Dynamic DNS</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To prevent the DHCP client from transmitting system information, 
edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/dhclient.conf</html:code>, and add or correct the following global
option: <html:pre xmlns:html="http://www.w3.org/1999/xhtml">do-forward-updates false;</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Dynamic DNS updates transmit unencrypted information about a system 
including its name and address and should not be used unless needed.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007850</ident>
          <fix system="urn:xccdf:fix:script:sh" id="dhcp_client_disable_ddns" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/dhclient.conf ]; then
	if [ $(grep -c "do-forward-updates false;" /etc/dhclient.conf) = 0 ]; then
		echo "do-forward-updates false;" | tee -a /etc/dhclient.conf &amp;&gt;/dev/null
	fi
else
	echo "do-forward-updates false;" | tee /etc/dhclient.conf &amp;&gt;/dev/null
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-dhcp_client_disable_ddns:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="ntp">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Network Time Protocol</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network Time Protocol is used to manage the system
clock over a network. Computer clocks are not very accurate, so
time will drift unpredictably on unmanaged systems. Central time
protocols can be used both to ensure that time is consistent among
a network of machines, and that their time is consistent with the
outside world.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
If every system on a network reliably reports the same time, then it is much
easier to correlate log messages in case of an attack. In addition, a number of
cryptographic protocols (such as Kerberos) use timestamps to prevent certain
types of attacks. If your network does not have synchronized time, these
protocols may be unreliable or even unusable.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Depending on the specifics of the network, global time accuracy may be just as
important as local synchronization, or not very important at all. If your
network is connected to the Internet, using a
public timeserver (or one provided by your enterprise) provides globally
accurate timestamps which may be essential in investigating or responding to
an attack which originated outside of your network.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
A typical network setup involves a small number of internal systems operating as NTP
servers, and the remainder obtaining time information from those
internal servers.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
More information on how to configure the NTP server software,
including configuration of cryptographic authentication for
time data, is available at <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.ntp.org">http://www.ntp.org</html:a>.
</description>
      <Rule id="service_ntpd_enabled" selected="false" severity="medium">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the NTP Daemon</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
          
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service can be enabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig --level 2345 ntpd on</html:pre>
        </description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enabling the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code> service ensures that the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpd</html:code>
service will be running and that the system will synchronize its time to
any servers specified. This is important whether the system is configured to be
a client (and synchronize only its own clock) or it is also acting as an NTP
server to other systems.  Synchronizing time is essential for authentication
services such as Kerberos, but it is also important for maintaining accurate
logs and auditing possible security breaches.  
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The NTP daemon offers all of the functionality of <html:code xmlns:html="http://www.w3.org/1999/xhtml">ntpdate</html:code>, which is now 
deprecated.  Additional information on this is available at 
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</html:a></rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000241</ident>
        <fix system="urn:xccdf:fix:script:sh" id="service_ntpd_enabled" complexity="low" disruption="low" reboot="false" strategy="configure">#
# Enable ntpd for all run levels
#
/sbin/chkconfig --level 0123456 ntpd on

#
# Start ntpd if not currently running
#
/sbin/service ntpd start 1&gt;/dev/null
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-service_ntpd_enabled:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="ntp_remote_server" selected="false" severity="medium">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify a Remote NTP Server</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify a remote NTP server for time synchronization, edit
the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for <html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre>
This instructs the NTP software to contact that remote server to obtain time
data.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1492</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Synchronizing with an NTP server makes it possible
to collate system logs from multiple sources or correlate computer events with
real time events.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000240</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ntp_remote_server:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ntp_remote_server_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="ntp_multiple_remote_servers" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify Additional Remote NTP Servers</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Additional NTP servers can be specified for time synchronization
in the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ntp.conf</html:code>.  To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for
<html:em xmlns:html="http://www.w3.org/1999/xhtml">ntpserver</html:em>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">server <html:i>ntpserver</html:i></html:pre>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">160</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying additional NTP servers increases the availability of
accurate time data, in the event that one of the specified servers becomes
unavailable. This is typical for a system acting as an NTP server for
other systems.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000242</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ntp_multiple_remote_servers:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
    </Group>
    <Group id="mail">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail Server Software</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Mail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that machines are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">alternatives</html:code> program in Red Hat Enterprise Linux permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website, <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org">http://www.postfix.org</html:a>.
</description>
      <Rule id="mail_up_to_date" selected="false" severity="high">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail Server Software Updates</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rpm -q sendmail</html:pre>
The version indicated should be equal to or greater than the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">8.13.8-8</html:pre>
If postfix is installed, perform the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># rpm -q postfix</html:pre>
The version indicated should be equal to or greater than the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">2.3.3-6</html:pre>
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">VIVM-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1230</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SMTP service version on the system must be current to avoid exposing 
vulnerabilities present in unpatched versions.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004600</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-mail_up_to_date:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
      <Group id="mail_logging">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail Server Logging</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
It is important to ensure adequate logging of mail server connections so as to 
support detecting any unauthorized activity.
</description>
        <Rule id="mail_log_enabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Mail Server Logging</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
To ensure logging is enabled, perform the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">grep "mail\." /etc/syslog.conf</html:pre>
The output received should indicate either <html:code xmlns:html="http://www.w3.org/1999/xhtml">mail.crit</html:code> or <html:code xmlns:html="http://www.w3.org/1999/xhtml">mail.*</html:code>.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">126</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If informational and more severe SMTP service messages are not 
logged, malicious activity on the system may go unnoticed.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004460</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_log_enabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_log_level" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Mail Server Logging Level</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> and confirm that the following line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O LogLevel=9</html:pre>
If postfix is installed, this check is not applicable.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If Sendmail is not configured to log at level 9, system logs may not contain the 
information necessary for tracking unauthorized use of the sendmail service.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004440</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_log_level:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
      <Group id="mail_features">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mail Server Features</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Mail servers are used to send and receive email over the network.
Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
targets of network attack.
Ensure that machines are not running MTAs unnecessarily,
and configure needed MTAs as defensively as possible.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Very few systems at any site should be configured to directly receive email over the
network. Users should instead use mail client programs to retrieve email
from a central server that supports protocols such as IMAP or POP3.
However, it is normal for most systems to be independently capable of sending email,
for instance so that cron jobs can report output to an administrator.
Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
the local system to a central site MTA (or directly delivered to a local account),
but the system still cannot receive mail directly over a network.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
The <html:code xmlns:html="http://www.w3.org/1999/xhtml">alternatives</html:code> program in Red Hat Enterprise Linux permits selection of other mail server software
(such as Sendmail), but Postfix is the default and is preferred.
Postfix was coded with security in mind and can also be more effectively contained by
SELinux as its modular design has resulted in separate processes performing specific actions.
More information is available on its website, <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="http://www.postfix.org">http://www.postfix.org</html:a>.
</description>
        <Rule id="mail_debug_enabled" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Debug Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
From a terminal, type the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># telnet localhost 25</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># debug</html:pre>
If debug is disabled, one of the following errors should be returned:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">500 error code of "command unrecognised"</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">550 error code of "access denied"</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Debug mode is a feature present in older versions of sendmail which, 
if not disabled, may allow an attacker to gain access to a system 
through the sendmail service.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004620</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_debug_enabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_decode_active" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Decode Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Edit the file(s) <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/aliases</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">/usr/lib/aliases</html:code>, if either exist, 
to ensure that the <html:code xmlns:html="http://www.w3.org/1999/xhtml">decode:</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">uudecode:</html:code> entries do NOT include 
the file path to uudecode, such as the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">decode: |/usr/bin/uudecode</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">uudecode: |/usr/bin/uuencode -d</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1230</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
A common configuration for older Mail Transfer Agents (MTAs) is to include an alias for 
the decode user. All mail sent to this user is sent to the uudecode program, which automatically 
converts and stores files. By sending mail to the decode or the uudecode aliases present on some 
systems, a remote attacker may be able to create or overwrite files on the remote host. This 
could possibly be used to gain remote access.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004640</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_decode_active:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_expn_active" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable EXPN Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">PrivacyOptions</html:code> line appears and includes <html:code xmlns:html="http://www.w3.org/1999/xhtml">noexpn</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun</html:pre>
If postfix is installed, this check is not applicable.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SMTP EXPN function allows an attacker to determine if an account exists 
on a system, providing significant assistance to a brute force attack on user 
accounts. EXPN may also provide additional information concerning users on 
the system, such as the full names of account owners.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004660</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_expn_active:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_help_command" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Help Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/helpfile</html:code> to ensure that the file is empty.
If postfix is installed, this check is not applicable.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The HELP command should be disabled to mask version information.  The version 
of the SMTP service software could be used by attackers to target vulnerabilities 
present in specific software versions.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004540</ident>
          <fix system="urn:xccdf:fix:script:sh" id="mail_help_command" complexity="low" disruption="low" reboot="false" strategy="configure">&gt;/etc/mail/helpfile
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_help_command:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_vrfy_active" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable VRFY Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">PrivacyOptions</html:code> line appears and includes <html:code xmlns:html="http://www.w3.org/1999/xhtml">novrfy</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun</html:pre>
If postfix is installed, this check is not applicable.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The VRFY command allows an attacker to determine if an account exists 
on a system, providing significant assistance to a brute force attack 
on user accounts. VRFY may provide additional information about users 
on the system, such as the full names of account owners.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004680</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_vrfy_active:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_wiz_active" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable WIZ Command</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
From a terminal, type the following commands:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># telnet localhost 25</html:pre>
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># wiz</html:pre>
If wiz is disabled, the following error should be returned:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">500 error code of "command unrecognised"</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Very old installations of the Sendmail mailing system contained a feature whereby 
a remote user connecting to the SMTP port can enter the WIZ command and be given 
an interactive shell with root privileges.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004700</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_wiz_active:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_version_info" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Don't Display Version</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">SmtpGreetingMessage</html:code> line does not appear as:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O SmtpGreetingMessage=$j Sendmail $v/$Z; $b</html:pre>
If the above line appears, it should be changed to:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O SmtpGreetingMessage= Mail Server Ready ; $b</html:pre>
If postfix is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">smtpd_banner</html:code> line does not appear with <html:code xmlns:html="http://www.w3.org/1999/xhtml">$mail_version</html:code>. If so,
remove the <html:code xmlns:html="http://www.w3.org/1999/xhtml">$mail_version</html:code> entry or comment out the entire line to use 
the default value.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The version of the SMTP service can be used by attackers to plan an attack based 
on vulnerabilities present in the specific version.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004560</ident>
          <fix system="urn:xccdf:fix:script:sh" id="mail_version_info" complexity="low" disruption="low" reboot="false" strategy="configure">SENDMAIL_CONFIG=$(rpm -ql sendmail | grep sendmail.cf)
SENDMAIL_MAINCONF=$(rpm -ql sendmail | grep sendmail.mc)
if [ "$(rpm -q sendmail-cf &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ -e "${SENDMAIL_MAINCONF}" ]; then
		if [ "$(grep -c "^define(\`confSMTP_LOGIN_MSG" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "0,/^define/s/\(^define\)/define(\`confSMTP_LOGIN_MSG', \` Mail Server Ready ; $b')dnl\n\1/" "${SENDMAIL_MAINCONF}"
		elif [ "$(grep -c "^define(\`confSMTP_LOGIN_MSG', \` Mail Server Ready ; \$b')dnl" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "s/^define(\`confSMTP_LOGIN_MSG.*/define(\`confSMTP_LOGIN_MSG', \`Mail Server Ready ; \$b')dnl/" "${SENDMAIL_MAINCONF}"
		fi
		m4 "${SENDMAIL_MAINCONF}" &gt; "${SENDMAIL_CONFIG}"
	fi
else
	sed -i 's/O SmtpGreetingMessage=.*/O SmtpGreetingMessage= Mail Server Ready ; $b/' "${SENDMAIL_CONFIG}"
fi
service sendmail restart 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_version_info:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_forward_files" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Mail Forwarding</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">ForwardPath</html:code> line appears without any file path specified:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">0 ForwardPath</html:pre>
Perform a search on the system for any <html:code xmlns:html="http://www.w3.org/1999/xhtml">.forward</html:code> files by issuing the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># find / -name .forward</html:pre>
The above command should not return any results. If so, delete each file returned.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The .forward file allows users to automatically forward mail to another system. 
Use of .forward files could allow the unauthorized forwarding of mail and could 
potentially create mail loops which could degrade system performance.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004580</ident>
          <fix system="urn:xccdf:fix:script:sh" id="mail_forward_files" complexity="low" disruption="low" reboot="false" strategy="configure">SENDMAIL_CONFIG=$(rpm -ql sendmail | grep sendmail.cf)
SENDMAIL_MAINCONF=$(rpm -ql sendmail | grep sendmail.mc)
if [ "$(rpm -q sendmail-cf &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ -e "${SENDMAIL_MAINCONF}" ]; then
		if [ "$(grep -c 'confFORWARD_PATH' "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "0,/^define/s/\(^define\)/define(\`confFORWARD_PATH',\`')dnl\n\1/" "${SENDMAIL_MAINCONF}"
		elif [ "$(grep -c "define(\`confFORWARD_PATH',\`')dnl" "${SENDMAIL_MAINCONF}")" = "0" ]; then
			sed -i "s/define(\`confFORWARD.*/define(\`confFORWARD_PATH',\`')dnl/" "${SENDMAIL_MAINCONF}"
		fi
		m4 "${SENDMAIL_MAINCONF}" &gt; "${SENDMAIL_CONFIG}"
	fi
else
	sed -i 's/O ForwardPath.*/O ForwardPath/' "${SENDMAIL_CONFIG}"
fi
service sendmail restart 1&gt;/dev/null
for FILE in $(find /etc -name .forward -type f 2&gt;/dev/null); do
	rm -f ${FILE}
done
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_forward_files:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="mail_relaying_disabled" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Restrict Mail Relaying</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If sendmail is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.cf</html:code> to ensure that only the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">DaemonPortOptions</html:code> line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA</html:pre>
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/mail/sendmail.mc</html:code> to ensure that the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">promiscuous_relay</html:code> line does NOT appear:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">promiscuous_relay</html:pre>
If postfix is installed, perform the following checks:
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code> to ensure that only the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">inet_interfaces</html:code> line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">inet_interfaces = localhost</html:pre>
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/postfix/main.cf</html:code> to ensure that only the following
<html:code xmlns:html="http://www.w3.org/1999/xhtml">smtpd_client_restrictions</html:code> line appears:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">smtpd_client_restrictions = reject</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1305</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If unrestricted mail relaying is permitted, unauthorized senders could use this host 
as a mail relay for the purpose of sending SPAM or other unauthorized activity.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004710</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-mail_relaying_disabled:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="ldap">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP is a popular directory service, that is, a
standardized way of looking up information from a central database.
Red Hat Enterprise Linux 5 includes software that enables a system to act as both
an LDAP client and server.
</description>
      <Group id="openldap_client">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure OpenLDAP Clients</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This section provides information on which security settings are
important to configure in OpenLDAP clients by manually editing the appropriate
configuration files.  Red Hat Enterprise Linux 5 provides an automated configuration tool called
authconfig and a graphical wrapper for authconfig called
<html:code xmlns:html="http://www.w3.org/1999/xhtml">system-config-authentication</html:code>. However, these tools do not provide as
much control over configuration as manual editing of configuration files. The
authconfig tools do not allow you to specify locations of SSL certificate
files, which is useful when trying to use SSL cleanly across several protocols.
Installation and configuration of OpenLDAP on Red Hat Enterprise Linux 5 is available at
<html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ldap.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ldap.html</html:a>.
</description>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">Before configuring any system to be an
LDAP client, ensure that a working LDAP server is present on the
network.</warning>
        <Rule id="ldap_client_start_tls" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure LDAP Client to Use TLS For All Transactions</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure LDAP to enforce TLS use. First, edit the file 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, and add or correct the following lines:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">ssl start_tls</html:pre>
Then review the LDAP server and ensure TLS has been configured.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The ssl directive specifies whether to use ssl or not. If
not specified it will default to no. It should be set to start_tls rather
than doing LDAP over SSL.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN007980</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ldap_client_start_tls" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(cat /etc/ldap.conf | grep -c '^ssl ')" = "0" ]; then
	echo "ssl start_tls" | tee -a /etc/ldap.conf &amp;&gt;/dev/null
else
	sed -i 's/^ssl .*/ssl start_tls/' /etc/ldap.conf
fi
if [ "$(cat /etc/ldap.conf | grep -c '^tls_ciphers ')" = "0" ]; then
	echo "tls_ciphers TLSv1" | tee -a /etc/ldap.conf &amp;&gt;/dev/null
else
	sed -i 's/^tls_ciphers .*/tls_ciphers TLSv1/' /etc/ldap.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ldap_client_start_tls:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ldap_client_start_tls_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ldap_client_tls_cert" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Certificate Directives for LDAP Use of TLS</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure a copy of a trusted CA certificate has been placed in
the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/pki/tls/CA/cacert.pem</html:code>. Configure LDAP to enforce TLS 
use and to trust certificates signed by that CA. First, edit the file 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, and add or correct either of the following lines:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">tls_cert /etc/pki/tls/CA</html:pre>
or
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">tls_cert /etc/pki/tls/CA/cacert.pem</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">185</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP can be used to provide user authentication and account information, 
which are vital to system security. Communication between an LDAP server and a host 
using LDAP requires authentication.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008000</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ldap_client_tls_cert" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i 's/ ldap//g' /etc/nsswitch.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ldap_client_tls_cert:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ldap_client_tls_cert_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ldap_client_tls_checkpeer" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Certificate Trust Validation</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure LDAP server connections have a valid trust path. 
Configure LDAP to enforce validation of LDAP server certificates for trust. 
First, edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, and add or correct the following line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">tls_checkpeer yes</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">185</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The NSS LDAP service provides user mappings which are a vital component 
of system security.  Communication between an LDAP server and a host using LDAP for 
NSS require authentication.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008020</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ldap_client_tls_checkpeer" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ldap.conf | grep -c "^tls_checkpeer") = "0" ]; then
	echo "tls_checkpeer yes" | tee -a /etc/ldap.conf &amp;&gt;/dev/null
else
	sed -i 's/^tls_checkpeer.*/tls_checkpeer yes/' /etc/ldap.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ldap_client_tls_checkpeer:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ldap_client_tls_checkpeer_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ldap_client_tls_crlcheck" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Certificate Revocation Validation</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure LDAP server connections have a valid certificate that is not revoked. 
Configure LDAP to enforce validation of LDAP server certificates for revocation. 
First, edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, and add or correct the following line:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">tls_crlcheck all</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">185</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP can be used to provide user authentication and account information, which 
are vital to system security. Communication between an LDAP server and a host using LDAP 
requires authentication.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008040</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ldap_client_tls_crlcheck" complexity="low" disruption="low" reboot="false" strategy="configure">if [ $(cat /etc/ldap.conf | grep -c "^tls_crlcheck") = "0" ]; then
	echo "tls_crlcheck all" | tee -a /etc/ldap.conf &amp;&gt;/dev/null
else
	sed -i 's/^tls_crlcheck.*/tls_crlcheck all/' /etc/ldap.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ldap_client_tls_crlcheck:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ldap_client_tls_crlcheck_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="ldap_client_bindpw" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">LDAP Passwords Are Stored In Clear Text</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure the LDAP configuration does not include any passwords stored in clear text. 
Edit the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/ldap.conf</html:code>, and remove any lines that include the 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">bindpw</html:code> directive.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">196</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The authentication of automated LDAP connections between systems must 
not use passwords since more secure methods are available, such as PKI and Kerberos. 
Additionally, the storage of unencrypted passwords on the system is not permitted.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN008050</ident>
          <fix system="urn:xccdf:fix:script:sh" id="ldap_client_bindpw" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i '/bindpw/d' /etc/ldap.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-ldap_client_bindpw:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ldap_client_bindpw_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="nfs_and_rpc">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">NFS and RPC</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Network File System is a popular distributed filesystem for
the Unix environment, and is very widely deployed.  This section discusses the
circumstances under which it is possible to disable NFS and its dependencies,
and then details steps which should be taken to secure
NFS's configuration. This section is relevant to machines operating as NFS
clients, as well as to those operating as NFS servers.
</description>
      <Group id="disabling_nfs">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable All NFS Services if Possible</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If there is not a reason for the system to operate as either an
NFS client or an NFS server, follow all instructions in this section to disable
subsystems required by NFS.
</description>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">The steps in this section will prevent a machine
from operating as either an NFS client or an NFS server. Only perform these
steps on machines which do not need NFS at all.</warning>
        <Group id="removing_nfs_services">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove Services Used Only by NFS</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If NFS is not needed, remove the NFS client daemons portmap and rpcbind.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.</description>
          <Rule id="package_rpc_removed" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove portmap and rpcbind Packages</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">portmap</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcbind</html:code> packages can be uninstalled with
the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># yum erase portmap rpcbind</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">305</reference>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003815</ident>
            <fix system="urn:xccdf:fix:script:sh" id="package_rpc_removed" complexity="low" disruption="low" reboot="false" strategy="configure">yum -y remove portmap rpcbind --disablerepo=* 1&gt;/dev/null
</fix>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-package_rpc_removed:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-package_rpc_removed_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="disabling_nfs_services">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Services Used Only by NFS</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
All of these daemons run with elevated privileges, and many listen for network
connections. If they are not needed, they should be disabled to improve system
security posture.</description>
          <Rule id="service_rpc_disabled" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable portmap and rpcbind Services</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The rpcbind service increase the attack surface of 
the system and should only be used when needed.  The rpcbind service 
are used by a variety of services using Remote Procedure Calls (RPCs).

        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">rpcbind</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig rpcbind off</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN003810</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-service_rpc_disabled:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
        </Group>
      </Group>
      <Group id="nfs_configuring_all_machines">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure All Machines which Use NFS</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for all machines which
run NFS, whether they operate as clients or as servers.</description>
        <Group id="nfs_configuring_clients">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure NFS Clients</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS clients.</description>
          <Rule id="nfs_mount_option_nosuid_remote_filesystems" selected="false" severity="medium">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Mount Remote Filesystems with nosuid</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
              
	Add the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nosuid</html:code> option to the fourth column of
	<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/fstab</html:code> for the line which controls mounting of
	any NFS mounts.
	
            </description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECPA-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005900</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-nfs_mount_option_nosuid_remote_filesystems:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-nfs_mount_option_nosuid_remote_filesystems_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
        <Group id="nfs_configuring_servers">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure NFS Servers</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS servers.</description>
          <Rule id="nfs_no_anonymous" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specify UID and GID for Anonymous NFS Connections</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To specify the UID and GID for remote root users, edit the <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> file and add the following for each export:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">
anonuid=-1
anongid=-1
</html:pre>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">62</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005820</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-nfs_no_anonymous:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="nfs_enforce_host_access" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All Exports Must Define Allowed Targets</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When configuring NFS exports, ensure that each export line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> contains
a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
then that export is available to any remote host which requests it. All lines of the exports file should
specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
unknown or remote hosts will be denied.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Authorized hosts can be specified in several different formats:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>Name or alias that is recognized by the resolver</html:li><html:li>Fully qualified domain name</html:li><html:li>IP address</html:li><html:li>IP subnets in the format <html:code>address/netmask</html:code> or <html:code>address/CIDR</html:code></html:li></html:ul>
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The NFS access option limits user access to the specified level. 
This assists in protecting exported file systems.  If access is not restricted, 
unauthorized hosts may be able to access the system's NFS exports.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005840</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-nfs_enforce_host_access:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="nfs_use_root_squashing_all_exports" selected="false" severity="low">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Use Root-Squashing on All Exports</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Ensure that no line in <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code> contains the option <html:code xmlns:html="http://www.w3.org/1999/xhtml">no_root_squash</html:code>.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">EBRP-1</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If the NFS server allows root access to local file systems from remote hosts, this
access could be used to compromise the system.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005880</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-nfs_use_root_squashing_all_exports:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
          </Rule>
          <Rule id="nfs_no_insecure_locks_exports" selected="false" severity="high">
            <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Insecure File Locking is Not Allowed</title>
            <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default the NFS server requires secure file-lock requests,
which require credentials from the client in order to lock a file. Most NFS
clients send credentials with file lock requests, however, there are a few
clients that do not send credentials when requesting a file-lock, allowing the
client to only be able to lock world-readable files. To get around this, the
<html:code xmlns:html="http://www.w3.org/1999/xhtml">insecure_locks</html:code> option can be used so these clients can access the
desired export. This poses a security risk by potentially allowing the client
access to data for which it does not have authorization.
Remove any instances of the 
<html:code xmlns:html="http://www.w3.org/1999/xhtml">insecure_locks</html:code> option from the file <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/exports</html:code>.
</description>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
            <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
            <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">764</reference>
            <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Allowing insecure file locking could allow for sensitive data to be
viewed or edited by an unauthorized user.
</rationale>
            <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN000000-LNX00560</ident>
            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
              <check-content-ref name="oval:ssg-nfs_no_insecure_locks_exports:def:1" href="ssg-rhel5-oval.xml"/>
            </check>
            <check system="http://scap.nist.gov/schema/ocil/2">
              <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-nfs_no_insecure_locks_exports_ocil:questionnaire:1"/>
            </check>
          </Rule>
        </Group>
      </Group>
    </Group>
    <Group id="ftp">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP Server</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP is a common method for allowing remote access to
files. Like telnet, the FTP protocol is unencrypted, which means
that passwords and other data transmitted during the session can be
captured and that the session is vulnerable to hijacking.
Therefore, running the FTP server software is not recommended.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
However, there are some FTP server configurations which may
be appropriate for some environments, particularly those which
allow only read-only anonymous access as a means of downloading
data available to the public.</description>
      <Rule id="service_unencrypted_ftp_disabled" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable Unencrypted FTP Services</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
          
        The <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd</html:code> service can be disabled with the following command:
        <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo chkconfig vsftpd off</html:pre>
        </description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Running unencrypted FTP server software provides a network-based avenue
of attack, and should be disabled if not needed.
Furthermore, the FTP protocol is unencrypted and creates
a risk of compromising sensitive information.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004800</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-service_unencrypted_ftp_disabled:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-service_unencrypted_ftp_disabled_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="ftp_log_transactions" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable Logging of All FTP Transactions</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Add or correct the following configuration options within the <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd</html:code>
configuration file, located at <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</html:code>:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES</html:pre>
</description>
        <warning xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" category="general">If verbose logging to <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd.log</html:code> is done, sparse logging of downloads to <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/xferlog</html:code> will not also occur. However, the information about what files were downloaded is included in the information logged to <html:code xmlns:html="http://www.w3.org/1999/xhtml">vsftpd.log</html:code></warning>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-2</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECAR-3</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">130</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log
format. The default vsftpd log file is <html:code xmlns:html="http://www.w3.org/1999/xhtml">/var/log/vsftpd.log</html:code>.</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004980</ident>
        <fix system="urn:xccdf:fix:script:sh" id="ftp_log_transactions" complexity="low" disruption="low" reboot="false" strategy="configure">if [ -e /etc/xinetd.d/gssftp ]; then
	if [ "$(grep server_args /etc/xinetd.d/gssftp | grep -c " -l")" = "0" ]; then
		sed -i "/server_args/s/$/ -l/" /etc/xinetd.d/gssftp
	fi
fi
if [ -e /etc/vsftpd/vsftpd.conf ]; then
	if [ "$(grep -ic "^xferlog_enable=yes" /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		sed -i "s/xferlog_enable.*/xferlog_enable=yes/" /etc/xinetd.d/gssftp
	fi
fi
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ftp_log_transactions:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
        <check system="http://scap.nist.gov/schema/ocil/2">
          <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1"/>
        </check>
      </Rule>
      <Rule id="ftp_default_umask" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP Umask Must Be 077.</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
All FTP users must have a default umask of 077.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The umask controls the default access mode assigned to newly 
created files. An umask of 077 limits new files to mode 700 
or less permissive. Although umask is stored as a 4-digit 
number, the first digit representing special access 
modes is typically ignored or required to be zero (0).
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005040</ident>
        <fix system="urn:xccdf:fix:script:sh" id="ftp_default_umask" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(rpm -q krb5-workstation &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ "$(grep server_args /etc/xinetd.d/gssftp | grep -v "#" | grep -c "\-u 077")" = "0" ]; then
		sed -i '/server_args/s/$/ -u 077/' /etc/xinetd.d/gssftp
	fi
fi
if [ "$(rpm -q vsftpd &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ "$(grep -c local_umask /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		echo "local_umask=077" &gt;&gt; /etc/vsftpd/vsftpd.conf
	else
		sed -i '/local_umask/s/=.*/=077/' /etc/vsftpd/vsftpd.conf
	fi
	if [ "$(grep -c anon_umask /etc/vsftpd/vsftpd.conf)" = "0" ]; then
		echo "anon_umask=077" &gt;&gt; /etc/vsftpd/vsftpd.conf
	else
		sed -i '/anon_umask/s/=.*/=077/' /etc/vsftpd/vsftpd.conf
	fi
fi
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ftp_default_umask:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
      <Rule id="ftp_ftpusers_file_empty" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ftpusers File Contains Users</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The ftpusers file must contain account names not allowed to use FTP.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. 
If the file does not contain the names of all accounts not authorized to use FTP, then 
unauthorized use of FTP may take place.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004900</ident>
        <fix system="urn:xccdf:fix:script:sh" id="ftp_ftpusers_file_empty" complexity="low" disruption="low" reboot="false" strategy="configure">SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
if [ "$(rpm -q krb5-workstation &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/ftpusers ]; then
		&gt;/etc/ftpusers
		chmod 0640 /etc/ftpusers
		chown root:root /etc/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/ftpusers &amp;&gt;/dev/null
		fi
	done
fi
if [ "$(rpm -q vsftpd &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/vsftpd/ftpusers ]; then
		&gt;/etc/vsftpd/ftpusers
		chmod 0640 /etc/vsftpd/ftpusers
		chown root:root /etc/vsftpd/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/vsftpd/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/vsftpd/ftpusers &amp;&gt;/dev/null
		fi
	done
fi
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ftp_ftpusers_file_empty:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
      <Rule id="ftp_ftpusers_file_exists" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ftpusers File Exists</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The ftpusers file must exist.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The ftpusers file contains a list of accounts not allowed to use FTP to transfer files. 
If this file does not exist, then unauthorized accounts can utilize FTP.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN004880</ident>
        <fix system="urn:xccdf:fix:script:sh" id="ftp_ftpusers_file_exists" complexity="low" disruption="low" reboot="false" strategy="configure">SYS_USER=$(cat /etc/passwd | while read entry; do if [ "$(echo ${entry} | cut -d: -f3)" -lt "500" ]; then echo ${entry} | cut -d: -f1 ; fi; done)
if [ "$(rpm -q krb5-workstation &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/ftpusers ]; then
		&gt;/etc/ftpusers
		chmod 0640 /etc/ftpusers
		chown root:root /etc/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/ftpusers &amp;&gt;/dev/null
		fi
	done
fi
if [ "$(rpm -q vsftpd &amp;&gt;/dev/null; echo $?)" = "0" ]; then
	if [ ! -e /etc/vsftpd/ftpusers ]; then
		&gt;/etc/vsftpd/ftpusers
		chmod 0640 /etc/vsftpd/ftpusers
		chown root:root /etc/vsftpd/ftpusers
	fi
	for USER in `echo $SYS_USER`; do
		if [ $(grep -c "^${USER}$" /etc/vsftpd/ftpusers) = 0 ]; then
			echo ${USER} | tee -a /etc/vsftpd/ftpusers &amp;&gt;/dev/null
		fi
	done
fi
</fix>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ftp_ftpusers_file_exists:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
      <Rule id="ftp_anonymous_shell" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">FTP User Has Shell</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Anonymous FTP accounts must not have a functional shell.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-1</reference>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCD-2</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If an anonymous FTP account has been configured to use a functional shell, 
attackers could gain access to the shell if the account is compromised.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005000</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-ftp_anonymous_shell:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
      <Rule id="tftpd_user_shell" selected="false" severity="low">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">TFTP User Has Shell</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The TFTP daemon must be configured to vendor specifications, including 
a dedicated TFTP user account, a non-login shell such as /bin/false, 
and a home directory owned by the TFTP user.
</description>
        <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
        <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
        <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
If TFTP has a valid shell, it increases the likelihood someone could 
log on to the TFTP account and compromise the system.
</rationale>
        <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005120</ident>
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref name="oval:ssg-tftpd_user_shell:def:1" href="ssg-rhel5-oval.xml"/>
        </check>
      </Rule>
    </Group>
    <Group id="smb">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Samba(SMB) Microsoft Windows File Sharing Server</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">When properly configured, the Samba service allows
Linux machines to provide file and print sharing to Microsoft
Windows machines. There are two software packages that provide
Samba support. The first, <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba-client</html:code>, provides a series of
command line tools that enable a client machine to access Samba
shares. The second, simply labeled <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba</html:code>, provides the Samba
service. It is this second package that allows a Linux machine to
act as an Active Directory server, a domain controller, or as a
domain member. Only the <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba-client</html:code> package is installed by
default.</description>
      <Group id="removing_samba">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove Samba if Possible</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Samba server must not be installed unless it provides an operational need.
</description>
        <Rule id="package_samba_removed" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remove samba and samba3x Packages</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba</html:code> and <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba3x</html:code> packages can be uninstalled with
the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># yum erase samba samba3x</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPD-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006060</ident>
          <fix system="urn:xccdf:fix:script:sh" id="package_samba_removed" complexity="low" disruption="low" reboot="false" strategy="configure">yum -y remove samba-common --disablerepo=* 1&gt;/dev/null
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-package_samba_removed:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-package_samba_removed_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
      <Group id="configuring_samba">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Samba if Necessary</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">All settings for the Samba daemon can be found in
<html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/samba/smb.conf</html:code>. Settings are divided between a
<html:code xmlns:html="http://www.w3.org/1999/xhtml">[global]</html:code> configuration section and a series of user
created share definition sections meant to describe file or print
shares on the system. By default, Samba will operate in user mode
and allow client machines to access local home directories and
printers. It is recommended that these settings be changed or that
additional limitations be set in place.</description>
        <Rule id="samba-swat_restricted" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Samba Web Administration Tool Must Be Restricted</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Samba Web Administration Tool (SWAT) must be 
restricted to the local host or require SSL.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">EBRP-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCT-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECCT-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1436</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
SWAT is a tool used to configure Samba.  It modifies Samba configuration, 
which can impact system security, and must be protected from unauthorized 
access.  SWAT authentication may involve the root password, which must be 
protected by encryption when traversing the network.
Restricting access to the local host allows for the use of SSH TCP 
forwarding, if configured, or administration by a web browser on 
the local system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006080</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-samba-swat_restricted:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="samba_hosts_option" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure hosts Option</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Samba increases the attack surface of the system and must be restricted to 
communicate only with systems requiring access.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">225</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures 
that the remote root user is mapped to a local account which 
has no permissions on the system.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006220</ident>
          <fix system="urn:xccdf:fix:script:sh" id="samba_hosts_option" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i 's/\(^\[global\]$\)/\1\n\n\thosts allow = 127./' /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-samba_hosts_option:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="samba_security_option" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure security Option</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Samba share authentication does not provide for individual user 
identification and must not be used.
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures 
that the remote root user is mapped to a local account which 
has no permissions on the system.</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006225</ident>
          <fix system="urn:xccdf:fix:script:sh" id="samba_security_option" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i '/^[#|;]/!s/\([ |\t]*security =\).*/\1 user/' /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-samba_security_option:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="samba_encrypt_passwords_option" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure encrypt passwords Option</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-1</reference>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAIA-2</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Samba must be configured to use encrypted passwords.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006230</ident>
          <fix system="urn:xccdf:fix:script:sh" id="samba_encrypt_passwords_option" complexity="low" disruption="low" reboot="false" strategy="configure">if [ "$(grep -c '^[ |\t]*encrypt passwords' /etc/samba/smb.conf)" = "0" ]; then
	sed -i 's/\(^\[global\]$\)/\1\n\n\tencrypt passwords = yes/' /etc/samba/smb.conf
else
	sed -i '/^[#|;]/!s/\(encrypt passwords =\).*/\1 yes/g' /etc/samba/smb.conf
fi
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-samba_encrypt_passwords_option:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
        <Rule id="samba_guest_ok_option" selected="false" severity="low">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure guest ok Option</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">366</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Guest access to shares permits anonymous access and is not permitted.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN006235</ident>
          <fix system="urn:xccdf:fix:script:sh" id="samba_guest_ok_option" complexity="low" disruption="low" reboot="false" strategy="configure">sed -i '/^[#|;]/!s/\(guest ok =\).*/\1 no/g' /etc/samba/smb.conf</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-samba_guest_ok_option:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
        </Rule>
      </Group>
    </Group>
    <Group id="snmp">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SNMP Server</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The Simple Network Management Protocol allows
administrators to monitor the state of network devices, including
computers. Older versions of SNMP were well-known for weak
security, such as plaintext transmission of the community string
(used for authentication) and usage of easily-guessable
choices for the community string.</description>
      <Group id="snmp_configure_server">
        <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SNMP Server</title>
        <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">If it is necessary to run the snmpd agent on the system, some best
practices should be followed to minimize the security risk from the
installation. The multiple security models implemented by SNMP cannot be fully
covered here so only the following general configuration advice can be offered:
<html:ul xmlns:html="http://www.w3.org/1999/xhtml"><html:li>use only SNMP version 3 security models and enable the use of authentication and encryption</html:li><html:li>write access to the MIB (Management Information Base) should be allowed only if necessary</html:li><html:li>all access to the MIB should be restricted following a principle of least privilege</html:li><html:li>network access should be limited to the maximum extent possible including restricting to expected network
addresses both in the configuration files and in the system firewall rules</html:li><html:li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
stations</html:li><html:li>ensure that permissions on the <html:code>snmpd.conf</html:code> configuration file (by default, in <html:code>/etc/snmp</html:code>) are 640 or more restrictive</html:li><html:li>ensure that any MIB files' permissions are also 640 or more restrictive</html:li></html:ul>
</description>
        <Rule id="snmpd_use_newer_protocol" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure SNMP Service to Use Only SNMPv3 or Newer </title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, removing any references to <html:code xmlns:html="http://www.w3.org/1999/xhtml">v1</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">v2c</html:code>, or <html:code xmlns:html="http://www.w3.org/1999/xhtml">com2sec</html:code>.  
Upon doing that, restart the SNMP service:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service snmpd restart</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCPP-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1435</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Earlier versions of SNMP are considered insecure, as they potentially allow 
unauthorized access to detailed system management information.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005305</ident>
          <fix system="urn:xccdf:fix:script:sh" id="snmpd_use_newer_protocol" complexity="low" disruption="low" reboot="false" strategy="configure">find / -xdev -name snmpd.conf 2&gt;/dev/null | xargs sed -i '/.*\(v1\|v2c\|community\|com2sec\).*/s/^/#/'
</fix>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-snmpd_use_newer_protocol:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-snmpd_use_newer_protocol_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="snmpd_not_default_password" selected="false" severity="high">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Default Password Is Not Used</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, remove default community strings <html:code xmlns:html="http://www.w3.org/1999/xhtml">public</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">private</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">snmp-trap</html:code>, <html:code xmlns:html="http://www.w3.org/1999/xhtml">password</html:code>.
Upon doing that, restart the SNMP service:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service snmpd restart</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IAAC-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">178</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Presence of the default SNMP password enables querying of different system
aspects and could result in unauthorized knowledge of the system.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005300</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-snmpd_not_default_password:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="snmpd_use_approved_hash" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Approved Hash Is Used</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, ensure every line beginning with <html:code xmlns:html="http://www.w3.org/1999/xhtml">createUser</html:code> 
includes <html:code xmlns:html="http://www.w3.org/1999/xhtml">SHA</html:code>, similar to the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405</html:pre>
Upon doing that, restart the SNMP service:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service snmpd restart</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1453</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SNMP service must use SHA-1 or a FIPS 140-2 approved successor for 
authentication and integrity.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005306</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-snmpd_use_approved_hash:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-snmpd_use_approved_hash_ocil:questionnaire:1"/>
          </check>
        </Rule>
        <Rule id="snmpd_use_approved_encryption" selected="false" severity="medium">
          <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Ensure Approved Encryption Is Used</title>
          <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Edit <html:code xmlns:html="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</html:code>, ensure every line beginning with <html:code xmlns:html="http://www.w3.org/1999/xhtml">createUser</html:code> 
includes <html:code xmlns:html="http://www.w3.org/1999/xhtml">AES</html:code>, similar to the following:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># createUser myuser SHA -l 0x0001020304050607080900010203040506070809 AES -l 0x00010203040506070809000102030405</html:pre>
Upon doing that, restart the SNMP service:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml"># service snmpd restart</html:pre>
</description>
          <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">DCNR-1</reference>
          <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">68</reference>
          <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The SNMP service must use AES or a FIPS 140-2 approved successor algorithm 
for protecting the privacy of communications.
</rationale>
          <ident system="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">GEN005307</ident>
          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
            <check-content-ref name="oval:ssg-snmpd_use_approved_encryption:def:1" href="ssg-rhel5-oval.xml"/>
          </check>
          <check system="http://scap.nist.gov/schema/ocil/2">
            <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-snmpd_use_approved_encryption_ocil:questionnaire:1"/>
          </check>
        </Rule>
      </Group>
    </Group>
  </Group>
  <Group id="srg_support" hidden="true">
    <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Documentation to Support DISA OS SRG Mapping</title>
    <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">These groups exist to document how the Red Hat Enterprise Linux
product meets (or does not meet) requirements listed in the DISA OS SRG, for
those cases where Groups or Rules elsewhere in scap-security-guide do
not clearly relate.
</description>
    <Rule id="met_inherently_generic" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Product Meets this Requirement</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
This requirement is a permanent not a finding. No fix is required.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">42</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">56</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">206</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1084</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">66</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">85</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">86</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">185</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">223</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">171</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">172</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1694</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">770</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">804</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">162</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">163</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">164</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">345</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">346</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1096</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1111</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1291</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">386</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">156</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">186</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1083</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1082</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1090</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">804</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1127</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1128</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1129</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1248</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1265</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1314</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1362</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1368</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1310</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1311</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1328</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1399</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1400</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1427</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1499</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1632</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1693</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1665</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1674</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Red Hat Enterprise Linux meets this requirement through design and implementation.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-met_inherently_generic_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="met_inherently_auditing" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Product Meets this Requirement</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
This requirement is a permanent not a finding. No fix is required.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">130</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">157</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">131</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">132</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">133</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">134</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">135</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">159</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">174</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The Red Hat Enterprise Linux audit system meets this requirement through design and implementation.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-met_inherently_auditing_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="met_inherently_nonselected" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Product Meets this Requirement</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
This requirement is a permanent not a finding. No fix is required.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">34</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">35</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">99</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">154</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">226</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">802</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">872</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1086</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1087</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1089</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1091</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1424</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1426</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1428</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1209</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1214</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1237</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1269</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1338</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1425</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1670</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Red Hat Enterprise Linux meets this requirement through design and implementation.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-met_inherently_nonselected_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="unmet_nonfinding_nonselected_scope" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
This requirement is NA. No fix is required.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">21</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">25</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">28</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">29</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">30</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">165</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">221</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">354</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">553</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">779</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">780</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">781</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1009</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1094</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1123</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1124</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1125</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1132</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1135</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1140</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1141</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1142</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1143</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1145</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1147</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1148</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1166</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1339</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1340</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1341</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1350</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1356</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1373</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1374</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1383</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1391</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1392</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1395</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1662</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-unmet_nonfinding_nonselected_scope_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="unmet_finding_nonselected" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Implementation of the Requirement is Not Supported</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
This requirement is a permanent finding and cannot be fixed. An appropriate
mitigation for the system must be implemented but this finding cannot be
considered fixed.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">20</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">31</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">52</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">144</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1158</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1294</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1295</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1500</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
RHEL6 does not support this requirement.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-unmet_finding_nonselected_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="unmet_nonfinding_scope" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guidance Does Not Meet this Requirement Due to Impracticality or Scope</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"> 
This requirement is NA. No fix is required.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">15</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">27</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">218</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">219</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">371</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">372</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">535</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">537</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">539</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1682</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">370</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">37</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">24</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1112</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1126</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1143</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1149</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1157</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1159</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1210</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1211</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1274</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1372</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1376</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1377</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1352</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1401</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1555</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1556</reference>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1150</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
The guidance does not meet this requirement.
The requirement is impractical or out of scope.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-unmet_nonfinding_scope_ocil:questionnaire:1"/>
      </check>
    </Rule>
    <Rule id="update_process" selected="false" severity="low">
      <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A process for prompt installation of OS updates must exist.</title>
      <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Procedures to promptly apply software updates must be established and
executed. The Red Hat operating system provides support for automating such a
process, by running the yum program through a cron job or by managing the
system and its packages through the Red Hat Network or a Satellite Server.
</description>
      <reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">1232</reference>
      <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
This is a manual inquiry about update procedure.
</rationale>
      <check system="http://scap.nist.gov/schema/ocil/2">
        <check-content-ref href="ssg-rhel5-ocil.xml" name="ocil:ssg-update_process_ocil:questionnaire:1"/>
      </check>
    </Rule>
  </Group>
</Benchmark>